[02:15] <nacc> jgrimm: https://bazaar.launchpad.net/~ubuntu-release/britney/hints-ubuntu/view/head:/pitti#L164
[02:16] <nacc> jgrimm: i don't actually know the context of that file, beyond I believe it's what the AA's use
[02:41] <adrian_1908> On a fresh server installation with OpenSSH selected, do the host keys in  /etc/ssh  already exist, or do they have to be created manually by the admin?
[02:42] <sarnold> I believe they are created at the first boot
[02:48] <nacc> or whenever sshd first runs?
[02:49] <sarnold> yeah
[02:55] <adrian_1908> i haven't found a clear answer online, but i think most texts hint at what you're suggesting.
[06:56] <lordievader> Good morning.
[09:05] <freakynl> Hi, how do I add Ubuntu Trusty to the list on launchpad here? https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1605494
[11:17] <ronator> Hi. I am learning systemd unit files. I have a 'stupid' php process I need to stop. Only way is with kill. On CMD it works really fast: "kill -15 $(pidof php)". But if I do this with systemctl (ExecStop) it takes almost exactly 1:30 minutes to stop/kill the process. Is that a systemd problem? What am I doing wrong?
[11:26] <ronator> Any systemd pro may help me? This is the (edited) service unit file http://paste.ubuntu.com/24151186/ ; I checked with "watch + ps" that the service is really stopping only after 90 seconds (so it's not systemd waiting for a timeout or so I guess)
[11:30] <ronator> I may have found the error: -> Mar 10 12:22:48 HOSTNAME systemd[1]: someproxy.service: State 'stop-sigterm' timed out. Killing.
[11:32] <Doow> What exactly is it that triggers apache on boot (16.10)? I see no indications in the logs of it even trying to start on my server.
[11:35] <ronator> there should be an apache.service file somewhere on your system - or not (/lib/systemd or /etc/systemd)
[11:35] <ronator> or apache2.service
[11:36] <ronator> "service" now also uses systemctl so what does "sudo service apache status" or similar say?
[11:36] <Doow> ronator, is that what actually triggers it? because "sudo systemctl enable apache2.service" says that it can't be enabled via systemd (gimme a sec and I'll pastebin it)
[11:37] <ronator> I think I read that apache still does not offer unit files for systemd ...
[11:37] <ronator> not sure
[11:37] <Doow> http://paste.ubuntu.com/24151223/
[11:39] <ronator> well you could get a basic apache systemd unit file and drop it into /etc/systemd/system - or you could use nginx (different syntax but some like it more than apache - and it has systemd unit files)
[11:39] <ronator> Doow: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798430
[11:40] <ronator> exactly
[11:41] <Doow> ronator, it *can* start automatically, it's just that something broke on my system
[11:41] <Doow> and I can't figure out what
[11:41] <ronator> check /var/log/syslog?
[11:42] <ronator> and dmesg - if something broke you need to find out what - or windows-style re-install
[11:42] <Doow> nothing, I can't find any trace of it in any logs (which is why I wanted to know what exactly is supposed to trigger it)
[11:42] <ronator> well from my understanding it can't start automatically because no systemd unit file is there and system can't for some reason create it on the fly
[11:43] <Doow> I'm not even sure it tries to start
[11:43] <ronator> did you upgrade from 15.10 or 14.10 or so?
[11:43] <Doow> no, clean install
[11:43] <ronator> that's a shame, apache ...
[11:44] <ronator> clean install should not have messed up your system ;-)
[11:44] <Doow> I of course have done things on the system, but after the install =)
[11:45] <ronator> so i think it is still the case of the missing systemd file
[11:45] <ronator> suggestion: quick install of nginx, see how that behaves on your system
[11:45] <ronator> if that behaves better, blame apache
[11:46] <Doow> that isn't really helpful though I'm trying to solve the problem, not find someone/something to blame =P
[11:46] <ronator> well but to solve it you must find the reason that is to blame
[11:47] <ronator> and i guess it is a huge problem that apache ships without systemd file (if that is still true)
[11:48] <ronator> I can only tell you, I assume it is missing system files for apache. so with nginx you could somehow prove that (if nginx has no issues). And if you then decide to try a systemd unit file for apache, you may well take the nginx one, modify it and boom
[11:49] <ronator> make sure you work in /etc/systemd/system path for such experiments
[11:49] <Doow> it ships with a systemd file, it just doesn't have an [Install] section. So you can't set it to automatically start from there.
[11:49] <ronator> mokay let me think a sec
[11:50] <Doow> there's a setup of glue scripts to let systemd work with it (as mentioned in the bug you linked)
[11:50] <ronator> [Install] WantedBy=multi-user.target
[11:50] <ronator> if the install section is missing, systemd does not know at what "runlevel" to start apache!
[11:51] <ronator> this is the minimum config for that
[11:52] <ronator> afk 10 minutes - let me know how it goes
[11:55] <zioproto> hello, if I have to build a container for Horizon Ocata, what is the best Ubuntu distro version? Should I use Xenial?
[12:00] <ronator> zioproto: not sure because ubuntu has a habit of not using bleeding edge software so maybe check what container version (docker.io?) you get there. If you want to use Xenial you should know a bit about systemd I guess.
[12:12] <Genk1> Hello
[12:13] <Genk1> I have just generated a new SSL certificate
[12:13] <Genk1> with default options
[12:14] <Genk1> but I am wondering what was the CSR that was used to generate this certificate ?
[12:14] <Genk1> I need to inform Dovecot about the CA dir
[12:15] <Genk1> But I don't know where it is
[12:15] <ronator> you are not forced to create a csr e.g. for self-signed certificates - the csr would be needed to let a CA create the certificate, usually you would only create the key
[12:15] <ronator> (and the CSR for the CA)
[12:17] <ronator> Genk1: create the KEY:  openssl genrsa -out www.someserver.com.key 4096
[12:17] <ronator> Genk1: create the CSR:  openssl req -new -key ./www.someserver.com.key -sha256 -out www.someserver.com.csr
[12:17] <Genk1> ronator, it's already done  but Dovecot is asking me the ca dir in the parameter : ssl_client_ca_dir
[12:19] <ronator> Genk1: wouldn't that be sth like /etc/ssl ?
[12:19] <ronator>   ssl_client_ca_dir = (''your distribution's trusted TLS CA store (Fedora / CentOS / Redhat uses /etc/pki/tls/ ))
[12:20] <Genk1> I have already given it ssl_client_ca_dir = /etc/ssl/certs
[12:21] <ronator> could you post the error message? (i guess you reloaded dovecot)
[12:22] <Genk1> ronator, OK
[12:22] <Genk1> doveadm(email1@ki.localdomain): Fatal: Disconnected from remote: Received invalid SSL certificate: self signed certificate: /C=MA/ST=Casablanca/L=Casablanca/O=KI/OU=IT
[12:23] <ronator> is that really _your_ certificate?
[12:23] <ronator> either it does not like the self signed or it complains about the file itself : invalid certificate
[12:24] <Genk1> ronator, Yes, it's a local certificate
[12:24] <Genk1> I will use it in prod also
[12:24] <ronator> should not be a problem if you can roll out this cert
[12:25] <ronator> where is the common name of the server? CN?
[12:25] <ronator> you should enter the CN in the certificate, it should match the hostname
[12:25] <ronator> i can't see it from here
[12:26] <ronator> not sure if this causes a disconnect in general
[12:26] <Genk1> ronator, you're right, but is it mandatory to have this?
[12:27] <ronator> well, in terms of webservers, no: if the CN does not match the DNS name, most browsers will complain. not sure about dovecot. i use postfix with no "internal" ssl certificate.
[12:28] <ronator> but I would try that direction because "invalid certificate" sounds ambitious
[12:28] <ronator> you could try to open the certificate with a desktop application - this should quickly tell you if the format is broken
[12:31] <Genk1> ronator, I am doing the same thing for postfix and it works like a charm
[12:31] <ronator> wow
[12:31] <Genk1> the problem is with dovecot
[12:32] <Genk1> especially dovecot replication
[12:32] <ronator> then I cannot really help you but doing the same as you would, searching the internet :D
[12:33] <ronator> maybe there is a dovecot option to allow self signed? I am totally guessing right now.
[12:34] <Genk1> ronator, usually I don't come here first when I have an issue
[12:34] <Genk1> I always start by the official documentation
[12:34] <Genk1> then google
[12:34] <Genk1> then IRC :P
[12:35] <ronator> no offense, just making my point why I can't help you effectively :)
[12:36] <Genk1> ronator, no problem, thank you so much
[12:36] <ronator> you are welcome
[13:22] <ronator> @systemd: I found out, if you set KillMode= and KillSignal= , you do not need ExecStop --> http://man7.org/linux/man-pages/man5/systemd.kill.5.html
[13:22] <ronator> [solved]
[14:12] <jgrimm> thanks nacc!
[15:01] <DirtyCajun>  /msg NickServ identify matthew1
[15:01] <DirtyCajun> thank god that was the wrong pass
[15:12] <jge> hey all good morning, I'm about to start building some Ubuntu 16.04 LTS servers that are not connected to the internet (intended), my network guys tell me I need to let them know what IP:port I need to reach to allow access.. I'm thinking access to http://us.archive.ubuntu.com is all I need for initial install, packages, security updates etc
[15:13] <jge> any other URL I'm missing?
[15:52] <ronator> jge: http/https should be enough - just check /etc/apt/sources.list for default URLs ...
[15:53] <ronator> or /etc/apt/sources.list.d/* in case ...
[15:59] <Genk1> is there a way to log root activity in syslog ?
[16:14] <scottjl> like the commands root does? just check their history.
[16:15] <scottjl> anything root does, they could erase out of syslog, unless you're using an external server
[16:15] <Genk1> scottjl, hmm
[16:15] <Genk1> well I need such thing in a centralized log server
[16:15] <scottjl> syslog can be centralized.
[16:15] <scottjl> but it doesn't log shell commands
[16:16] <Genk1> where I check who has executed root commands
[16:16] <scottjl> http://backdrift.org/logging-bash-history-to-syslog-using-traps
[16:17] <scottjl> but. if someone is root. they could slip out of things like this. spawning subshells, scripting, etc.
[16:17] <scottjl> if someone has root access, there are too many ways for them to mask what they are doing
[16:18] <Genk1> I see
[16:18] <scottjl> might be better to have them work thru sudo
[16:18] <scottjl> and have sudo log everything
[16:18] <Genk1> thanks for the link
[16:18] <scottjl> no problem
[16:18] <Genk1> scottjl, that's what I suggested, but you can't change the mind of a whole team
[16:19] <scottjl> well. if i have root access to your server, i don't care what kind of logging is going on, i can easily mask what i'm doing.
[16:20] <Genk1> scottjl, I understand what you say
[16:20] <scottjl> so your team has to decide if they really want security, or just the illusion
[16:20] <Genk1> it's useless to log root activity
[16:22] <scottjl> right. i could easily copy in some command i shouldn't be doing to the name of 'ls' or something and run that. reviewing root logs wouldn't show anything strange. or write a script. name it whatever. again. logging doesn't show anything strange.
[16:23] <scottjl> you can't do that thru sudo. well not as easily.
[16:24] <scottjl> logging bash commands to an external server will give you some more protection, but doesn't prevent masquerading
[16:28] <genii> bash log is of no use because a space before any command will prevent it from being logged but still executes
[16:31] <nacc> jgrimm: yw
[18:41] <drab> Genk1: at a job I worked at we used a modified shell for that
[18:41] <drab> Genk1: a common one is "rootsh"
[18:41] <drab> the other common tool for that is "snoopy"
[18:41] <drab> and "sniffy"
[18:42] <drab> it was a while back tho, dunno if those projects are still active/working
[18:43] <drab> the more modern and possibly "correct" way of doing it is using "auditd", which can be configured to track all exec syscalls
[18:43] <drab> https://www.scip.ch/en/?labs.20150604 has some examples
[18:44] <drab> and http://blog.ptsecurity.com/2010/11/requirement-10-track-and-monitor-all.html
[18:44] <drab> altho examples are on RH it should work just fine on ubuntu
[20:45] <ThiagoCMC> Hey guys! With QEmu 2.5 and Libvirt 1.3.1 (Ubuntu 16.04 plus Newton Cloud Archive, just to get new DPDK and new OVS), I was able to run KVM with hugepages and numa placement, like this:
[20:45] <ThiagoCMC> "<cell id='0' cpus='0-3' memory='8388608' unit='KiB' memAccess='shared'/>"
[20:45] <ThiagoCMC> Works great!
[20:45] <ThiagoCMC> However, now, I upgraded it to QEmu 2.8 and Libvirt 2.5 (Ocata Cloud Archive), and my VM is not booting anymore, with the following error: "Error starting domain: unsupported configuration: Shared memory mapping is supported only with hugepages"
[20:45] <ThiagoCMC> What is happening?
[20:46] <ThiagoCMC> I had to remove the "memAccess", like this: "<cell id='0' cpus='0-3' memory='8388608' unit='KiB'/>"
[20:46] <ThiagoCMC>  So, the VM booted but, why?
[20:46] <ThiagoCMC> hugepages are enabled and I don't get why facing that error...   :-(
[20:46] <ThiagoCMC>    Any clue?
[21:06] <nacc> ThiagoCMC: memAccess=shared does not refer to hugepages
[21:06] <nacc> ThiagoCMC: it just indicates the memory map is shared and not private
[21:06] <nacc> ThiagoCMC: it sounds like you are missing a <memoryBacking> stanza maybe?
[22:03] <ThiagoCMC> nacc, here is my Libvirt XML (simple Jinja2) that was working until Ocata Cloud Archive: https://github.com/tmartinx/svauto/blob/dev/ansible/roles/libvirt/templates/virtual-machines/stack-1-pts-1.xml.j2
[22:04] <ThiagoCMC> memoryBacking is there... Otherwise, it would not work with previous OVS+DPDK / Libvirt / QEmu...
[22:05] <ThiagoCMC> If it does not refer to hugepages, why is it complaining that it needs hugepages?
[23:10] <nacc> ThiagoCMC: i meant, shared on its own does not imply hugepages
[23:10] <nacc> the memorybacking does
[23:10] <nacc> ThiagoCMC: is your guest using hugepages (in practice)?
[23:43] <ThiagoCMC> Previously, yes, for sure, now, I just started playing with new versions, I'm not 100% yet...
[23:46] <nacc> ThiagoCMC: ok, well, memAccess=shared only works with hugepages -- so if for some reason your guest isn't backed by hugepages and you request shared, i think it's an error
[23:48] <ThiagoCMC> I see, I'll double check that... Thank you!
[23:49] <nacc> ThiagoCMC: that's just my reading of the libvirt XML spec :)
[23:49] <nacc> ThiagoCMC: but yeah, why it's not backed by hugepages would be the first thing to check