/srv/irclogs.ubuntu.com/2017/06/12/#ubuntu-server.txt

=== Jalen_ is now known as Jalen
supercoolHow do I load a command with high priority on ubuntu server?00:49
supercoolCould someone help me please?00:49
dpb1supercool: look at the 'nice' command.   'man nice' for more info.02:26
supercooldpb1: I got high sd from top02:26
supercoolguess it is not an inside issue but a server restriction of usage02:27
supercoolI use renice -n -20 -p # but didn't solve nothing02:27
JanCalso look at schedutil03:08
JanC*schedtool03:09
=== JanC_ is now known as JanC
DirtyCajuncan someone talk to me about snaps on ubuntu server ... am i seriously going to need to manage packages from 2 separate sources now?05:18
lynorianDirtyCajun, you do not really need snaps if you do not want to, you can still use all .deb05:22
DirtyCajunlynorian, filebot (A wonderful program) has apparently moved completely to snaps.05:23
lynorianI have not heard of filebot05:23
DirtyCajunlynorian, its a great file/folder automation tool for media05:23
lynorianDirtyCajun, I cannot find it in the repos05:25
lynorianin trusty even05:25
DirtyCajunlynorian, sudo snap find filebot05:25
DirtyCajunim on 16.04.205:25
lynorianwell if you used it without snaps you were already getting them from a separate place05:26
DirtyCajunlynorian, it was originally directly a .deb file from their site.05:26
lynorianDirtyCajun, yes that is another source so I do not understand your question05:27
jushurdidn't subtitles get labeled illegal some court in EU a few months back?08:19
jushurby some*08:19
TafThornejushur: Fan made sub-titles according to a Dutch court.  So that is a court within the EU but not an EU level court.  For those of you playing in the US think like a county (I do not think this was a big Dutch court yet) making a ruling.  There are probably bigger national courts for the Dutch (so like a State level court) that could weigh in and then after that someone might take it to an EU (federal) level court.08:51
TafThorneLooks like that was going on at the end of April this year.08:52
=== hehehe is now known as Guest50630
=== Guest50630 is now known as hehehe
jonfatinoDoes anyone here work with Dell or HP servers a lot? I remember dell or hp used to have a tool that you could install on a massive amount of servers and it would collect all the stats for those servers. So when migrating to new servers you know how much resources you need etc14:53
jonfatinoI just can't remember the name of the utility.14:53
PosterDell is Open Manage iirc15:05
jonfatinoThis is just a standalone application you can install on any server (virtual / etc)15:05
jonfatinoJust collects stats / resource usages / etc for 7 days then emails you15:06
mwhahahajamespage, coreycb: did you guys ever get the fix for sqlalchemy issues pushed to updates? http://logs.openstack.org/68/473268/1/check/gate-puppet-magnum-puppet-beaker-rspec-ubuntu-xenial/a1745a6/logs/magnum/magnum-conductor.txt.gz#_2017-06-12_08_07_37_62615:49
jamespagemwhahaha: lemme check - I've had alot of plates spinning in the last week or so15:49
jamespagemwhahaha: ah right - we pushed through updates to make magnum install; but that would appear to be an incompatibility with sqla 1.1.x15:50
mwhahahajamespage: ok, not a huge pressing issue but the magnum beaker jobs are blocked15:51
coreycbjamespage, mwhahaha: i uploaded a new version of python-oslo.db in an attempt to fix that.  i wasn't positive that was the right fix but seemed relevant.15:51
=== hehehe is now known as hehehe_offline
macskayhi guys trying to setup snort on my remote server running xenial. my ip ends with 111 and has a netmask of /27, so i set the home_net to 97/27 but when trying a port scan on my server the ids is not sending an alert. what could that be?16:50
=== Ussat-1 is now known as Ussat
rbasakmacskay: I'm not sure you've provided enough for a diagnosis, but you may find the "ipcalc" tool useful if you don't know about it.16:54
geniiDo you have broadcast ip set to .127 ?16:55
blizzowRHEL offers a couple packages to manage virtualization tuning called tuned and tuned-adm. Is there an equivalent for ubuntu?17:12
=== hehehe_offline is now known as hehehe
hehehehi17:42
heheheI am running web app file permissions set to 660 and dirs to 770, now I moved from 14.4 to 16.4 apparmor disabled, 403 yet to go17:43
hehehewhat else can i check?17:43
hehehebtc 240017:47
hehehethats still above 190017:47
hehehewhy btc is overloaded?17:47
hehehelol wrong channel17:49
dpb1hehehe: you were confusing me to no end17:50
hehehedont mind last lines17:51
hehehethe question is about file permissions17:51
heheheI run a web app on 14,04 and 16.0417:51
heheheusing 660 and 770 as permissions17:52
hehehebut on 16,04 its yet to work17:52
Postermake sure www-data is either the owner and/or group17:52
hehehethat is done17:52
Posteris it owned by www-data:www-data or something else?17:53
hehehenr117:54
hehehewww-data17:54
Posterok it sounds like you may have a path issue, can you pastebin the relevant configuration files?17:54
hehehepath issue?17:55
heheheyou mean nginx home path?17:55
Posteryes, either the path to the files is incorrect or the www-data user cannot access it17:55
hehehewell if I change permissions it does work17:56
Posterchange to what?17:56
sarnoldbtw the 'namei -l /path/to/file' tool is superb. It saves a bunch of repetitive ls -l17:57
hehehejust a moment18:00
hehehegoing to check something18:00
hehehePoster: I dont know18:09
hehehePoster: I guess permissions were inherited from 14.4 tar archive18:10
hehehecant be sure18:10
hehehesomething went wrong18:14
macskaygenii: Yes18:14
dpb1sarnold: til, thx18:15
macskayrbasak: Well basically this: https://unix.stackexchange.com/questions/370709/snort-not-firing-alerts?s=1|2.613418:15
sarnolddpb1: yeah isn't that nice? :) I'm surprised it's not more widely used18:16
hehehePoster: 755 644 works18:17
rbasakmacskay: I don't know snort, but what cutrightjm said. 176.9.103.97/27 is unusual. I'd expect .96 unless snort is special somehow.18:17
fallentreehehehe: that means the web server is not running as www-data or the dirs/files that have g+r (regardless of o+r) are not in the group www-data18:25
heheher the dirs/files that have g+r (regardless of o+r) are not in the group www-data how I can check if they are in a group18:26
heheheor not?18:26
sarnoldhehehe: namei -l is wonderful.18:27
hehehecool18:27
hehehesarnold: but whats it for?  I use ls all18:28
heheheto see who owns files and dirs18:28
sarnoldhehehe: ls -l is nice but it doesn't show you parent directories, only the specific thing you ask for. but the permission denied messages may be coming from directories higher up.18:29
sarnoldhehehe: you need to know the user:group and permissions of all directories and the target file in a pathname when a program reports 'permission denied'.18:30
hehehesarnold: fair point I did issue chown -r from the top dir, one above html root18:30
hehehei see18:30
hehehehandy tool18:31
hehehewww-data www-data index.php18:32
heheheand above same18:32
heheheits some kinda of small thing but I am yet to recall what is it18:32
hehehebrb I may fix it now18:35
fallentreehehehe: how are you running php? unless apache with php DSO, it's not the webserver that reads index.php18:35
hehehei use nginx and php fpm 718:35
fallentreeif it's fastcgi, then it's the fastcgi daemon (eg. php-fpm) and user it runs under, not www-data (unless you configured it to run as www-data)18:35
hehehe:)18:35
hehehefallentree: yes could be that also18:36
hehehegoing to recheck18:36
fallentreewith fastcgi, the web server sends a fastcgi request to php process, it doesn't check or touch the php files18:36
hehehei see18:38
hehehethanks for explaining18:38
hehehekinda common sense18:38
sarnoldonce you understand how simple the unix access controls are you'll have trouble remembering that you used to find them difficult :)18:43
hehehe:))))))))))))18:43
hehehelol18:43
hehehewell so yes fallentree u were right18:43
heheheI checked box1 setup -where friend helped me18:44
heheheand box n218:44
hehehelisten.owner = www-data18:44
hehehelisten.group = www-data18:44
hehehe;listen.mode = 066018:44
hehehein box nr 1 listen mode is uncommented and set to 066618:44
heheheI have changed listen mode to 0666 yet to work18:49
fallentree666 is not good, why world rw?18:49
fallentreeset up proper groups and permissions instead18:49
hehehefallentree: what is listen mode for anyway?18:50
fallentreeit's the owner of the socket file18:50
tewardit sets the permissions on the listener socket on the system.  You should probably *not* be messing with it.18:50
fallentreeexample setup: you have multiple pools each running under different user, so you set the socket ownership to thatuser:www-data and 0660 mode18:50
fallentreeso nginx can rw to the socket18:51
tewardbut unless you have such a setup, you should leave it alone.18:51
fallentreeteward: it was designed exactly to be messed with18:51
hehehecorrect18:51
hehehemessing is good, and you learn :D18:51
fallentreeno, the proper answer is: learn what it does and decide how to set it up18:51
tewardfallentree: you're right, but i mean for a basic setup :p18:51
fallentreeall else is black magick18:51
tewardlike a 'bare minimum'18:51
fallentreeno18:51
teward(the rest is blackmagicks)18:51
* teward yawns18:51
fallentreeservers are not for users who don't understand how it works18:52
heheheits very easy to understand18:52
fallentreeof course.18:52
heheheonc explained18:52
heheheonce18:52
sarnoldhehehe: if you set that mode 666 then you allow all users on the system to execute code with the privileges of the fpm service18:52
hehehethats not good18:53
sarnoldit's no big deal if it's a single-user machine and you don't care what happens; it's terrible if you've got multiple untrusted services or users on the system18:53
heheheso to sum up so far - I got 1 socket running owner is www:data group www:data, I want to use 660 and 770 permissions18:54
fallentreehehehe: the socket must reflect ownership/mode so that BOTH nginx and php-fpm user can read and write to it. if both run as www-data, then yes, that's okay18:55
heheheyes they both run as such18:55
heheheidea is that dirs and files can be accessed only by owner and or group18:55
hehehewhich seems secure :)18:55
hehehewell I meant modified18:55
fallentreehehehe: if you want secure, also don't have the files owned and writable by the user running the php process.18:56
fallentreeonly readable, but not writeable18:56
fallentreethat's why owning files to www-data is a bit insecure. the better setup is where the files are owned by root, in group www-data. 750 on dirs and 640 on files. fpm socket www-data:www-data, 0660.18:57
fallentreehowever, only root can change those files (which is why it's secure). if you want sftp access, then it requires a different, a bit more complex setup.18:58
hehehefallentree: why would sftp necessitate a bit more complex setup if I sftp as root?18:59
heheheI can then change files via chown18:59
fallentreebecause you shouldn't sftp as root18:59
heheheits sftp so password cant be stolen19:00
heheheso whats the risks?19:00
heheheor  maybe use pem?19:00
fallentreesftp requires ssh access as root and that should be avoided19:00
fallentree(sftp as root requires....)19:00
hehehefallentree: but I use 70+ random char passwd19:00
hehehe:)19:00
heheheso yes ok some can try and guess it and get tired19:01
fallentreehehehe: history lesson: few years ago a debian maintainer fskced up and weakened ssh keys security, reducing the possible combinations to only 65k19:01
heheheoooo19:02
fallentreethat's why you should never allow root to log in19:02
heheheoki I can create some other user to login19:02
fallentreein such a case, an attacker breaking through 65k combinations would still have to sudo things so there's additional layer of security19:02
hehehe65K is alot19:02
hehehebut not really19:02
heheheif they ssh from say 50,000 ips19:03
fallentreeit's a few minutes to try all on a system that doesn't ban failed attempts19:03
heheheits fast19:03
hehehefallentree: but since then it was fixed right?19:03
fallentreeif they try from 65k ips, it'd be broken through in a fraction of a second :)19:03
fallentreeit was fixed. the lesson here is to NEVER trust things.19:03
hehehelol19:03
fallentreethe principle of least privilege should be your guide, if you want secure.19:04
fallentreeyou don't need to log in as root, so reduce that privilege.19:04
heheheI do need sftp access19:06
heheheso setup some ordinary user and login as him?19:06
fallentreeyes19:09
heheheok19:09
fallentreebut you can't chown/chmod php files to www-data, those would have to be owned by the sftp user (if you want to manipulate the files over sftp), which is insecure as php can write own files.19:10
fallentreethat's where you use apparmor to fine tune what php-fpm can read or write.19:10
fallentreeOR19:11
fallentreerun php-fpm as another unprivileged user, and put that user into the sftp user group.19:11
fallentreethat way you can have files 640 (and dirs 750). sftp user can read/write, php process can only read. also put nginx (user www-data) into that sftp user group so it can read static files.19:12
fallentreeif php needs to write (uploads), have a specific directory for that, owned by the user running php-fpm, but then the sftp user won't be able to change those.19:12
fallentreeit's a trade-off any way you look at it. either it's easy but insecure, or secure but inconvenient.19:13
fallentreeconvenient (sftp can rw, php+nginx can read) but secure requires complex (apparmor)19:13
heheheok changing conf19:15
hehehefirst i will implement . the better setup is where the files are owned by root, in group www-data. 750 on dirs and 640 on files. fpm socket www-data:www-data, 0660.19:16
heheheto see  how that works :)19:16
hehehedrwxr-x--- 8 root www-data added root to group www-data changed permissions19:18
heheheyet to work19:18
hehehenow for some reason it gives nginx error index.html is foiden19:25
heheheforbidden19:25
hehehebut its index.php ...19:25
heheheI am going to to shop to buy food19:25
fallentreehehehe: do you have the "index" directive for the server{} ? if you want index.php to respond to example.com/  (without index.php explicitly stated), you need to set the "index" directive to index.php19:31
hehehehome again20:32
heheheand yes I have index directive  think20:45
hehehe    index index.html index.htm index.php;20:46
heheheit does work with less restrictive permissions20:46
tomreynhehehe: are you mixing up 'index' and 'DirectoryIndex'?20:47
tomreynignore this remark if this is nginx rather than apache httpd20:48
heheheit is nginx20:49
tomreynhehehe: if it says 'access forbidden' for index.html when you requested / then it means the web server thinks that the /index.html location exists and it should handle it somehow. this could be, for example, because you pass all requests (not just those for paths ending in .php) to php-fpm20:56
hehehetomreyn: I am planing to run open cart app on more secure permissions21:06
heheheits nearly ready21:06
hehehetomreyn: well nginx setup passed only php to php fpm21:06
hehehemaybe its something to do with app code?21:07
zxliuIs there some way to install server packages from an ISO on a desktop system looking at virtual machine host group.21:21
nacczxliu: can you rephrase your question? you are on a desktop system and want to install server packages?21:22
sarnoldzxliu: apt-get install whatever21:22
nacczxliu: just install them, server and desktop use the same packages21:22
sarnoldskip the iso, the packages are liable to be out of date anyway21:22
naccsarnold: +121:22
zxliuin the past apt hasn't allowed adding ISO sources for installing21:22
sarnoldeh? apt-cdrom has been there for ever, and it's always been confusing to me why anyone would bother with it :)21:23
zxliunacc that is about right21:23
zxliusarnold why should it be confusing?21:23
nacczxliu: are you in an offline mode?21:23
zxliuyes for building the base layer21:24
sarnoldzxliu: because in the time it takes to spin up a cd-rom you can often have downloaded the package entirely over the network..21:24
zxliuahem21:24
zxliuwe have reasons21:24
zxliuthe question does specify "from an iso21:25
nacczxliu: have you tried to use apt-cdrom? -- or you mean you are in the installer and want to add more ISOs from there?21:25
zxliuthe desktop is installing now the server is laid down and U want to lift it into the desktop on a virtual machine21:26
zxliunacc so in the past yes apt-cdrom was tried21:27
nacczxliu: i'm unable to follow that sentence. desktop is installing *then* server is laid down? "want to lift it"?21:27
zxliuand I expect the same thing to happen when this is installed the solution was to run a local web server to serve the apt packages21:27
zxliubut the package database needs rebuilt is that so?21:28
sarnoldthat's not a bad option, apt-ftparchive, aptly, among other tools, can make that process reasonable enough21:28
zxliulaid down the n the disk21:28
zxliuthen it can be copied into a VM "lifted21:28
zxliuftp?21:29
sarnoldI rsync the entire archive to a local machine and used NFS mounts for a while; I stopped doing that because NFS mounts with a portable laptop were more annoying than they could have been..21:29
sarnoldyeah, don't worry about the ftp too much, we use the output of apt-ftparchive with apache or nginx as part of the workflow on the security team21:30
zxliuso specify ftp::localhost/packagedir in the apt config21:30
zxliuso what needs be done then an extra script package for building an apt repo?21:32
zxliuthe server has an httpd installed21:32
sarnoldor 'deb http://192.168.122.14/ubuntu main' or whatever..21:33
zxliuthis can't be done until the server is up and running for the are installed on the same disk21:35
zxliuso what command can be found for checking the deps of package group virtual machine host looks like the quickest route is to issue dpkg install commands singly21:36
sarnoldcan you rephrase that question?21:37
nacczxliu: do you mean the virt-host task?21:37
naccisn't it something like21:37
naccapt install virt-host^21:37
zxliuhow can the packages and package dependencies for package group virtual machine host be resolved to a list for manual install with dpkg21:38
nacczxliu: well, you'd need all the packages in the tasks, all their dependencies, all their dependencies, ... until it stops growing, right?21:39
nacczxliu: why not just set up a repo?21:39
zxliurepo requires a repo21:39
zxliuI went through the possible routes in this chat21:40
heheheI set up server as following now - php fpm user and group www data , files owned by root who is in a www data group and I get following error - 2017/06/12  [error] 269#269: *4 FastCGI sent in stderr: "Unable to open primary script: /home/op/gd.com/index.php (No such file or directory)" while reading response header from upstream, client: xx.xxx.xxx.xxx, server: www.gd.com, request: "GET /index.php HTTP/2.0", upstream:21:40
hehehe"fastcgi://unix:/run/php/op.sock:", host: "www.gd.com"21:40
zxliuI can download a small script package if needed over cellular data.21:41
zxliuI don't want to be downloading packages located on the install ISO.21:41
zxliuWhat package is needed from the repo to setup a repo?21:41
zxliuI can run the httpd in a chroot.21:42
zxliufrom the other part while on the desktop then do apt http://127.0.0.1/Ubuntu main21:43
zxliuso I copy the packages over too var/www/ubuntu21:44
zxliuis there something which scans and builds the package database for apt21:44
naccjamespage: mwhudson: do you happen to know if celery 4.0.2 is compatible with python3.6? i'm getting pretty close, but the tests seem to be pegging my cpu and not making any progress with 3.6 :)21:44
zxliu..well there's worse things to lose21:45
zxliualthough wadya know looks like desktop doesn't boot after install21:46
sarnoldzxliu: if all the files are local just read them off the filesystem; I've got a line like this in my apt.sources on my archive mirror: deb file:///srv/mirror/ubuntu/ xenial main restricted21:46
zxliu so it accepts file://21:47
zxliufine21:47
zxliugreat answer21:47
sarnoldyeah way better than running a web server just for apt for local use :)21:48
hehehe:))21:48
zxliusarnold not way better but the right start21:48
hehehesarnold: any idea what is my mistake21:48
hehehe:)21:49
zxliuso the servers in the VM need to access it over http21:49
nacc'servers in the VM'?21:49
zxliuoverheating again , possibly why it didn't boot21:49
sarnoldhehehe: sorry, no, I'm not very familiar with php21:50
heheheif all files owned by root can www data user who owns php fpm sock send them via nginx? based on same group ownership21:50
zxliua laptop with a couple about as powerful as towers with radiators21:50
sarnoldhehehe: the error you pasted was "no such file or directory" -- no amount of permissions fiddling will fix that :) figure out why the file isn't there: is fastcgi looking in the wrong place? looking for the wrong thing? etc21:51
hehehefile is there21:51
hehehenginx root dir is correct21:51
sarnoldhrm maybe that means the socket doesn't exist?21:52
hehehesocket exist21:52
heheheit was all working 100% but with new more secure conf  yet to work21:52
hehehemaybe problem is - socket is owned by www-data and files by root? although they are in same group21:52
zxliuwhy not play?21:52
hehehezxliu: what do u want to do? :)21:53
zxliuhave some private property21:53
hehehe...21:53
mwhudsonnacc: no idea sorry21:54
zxliumaybe a fingernail clipping that the public can't touch21:54
naccmwhudson: np, just figured i'd ping to see :)21:54
mwhudsonnacc: i had to backport a patch for kombu to get the tests to pass21:54
nacczxliu: at this point, you're spamming the channel, please stop21:54
hehehegetent group www-data - www-data:x:33:root21:54
heheheroot is da group21:54
mwhudsonso it might be worth checking celery upstream too?21:55
naccmwhudson: ack, will look on celery's github. They say it's supposedly working, but possibly only on master.21:55
zxliua crescent fingernail clipping and then from there security can expand possibly too a wife21:55
hehehesarnold: all I did - I changed file owner to root21:55
heheheI will change it back to www data and see whats up21:55
mwhudsonnacc: https://github.com/celery/celery/issues/4000 <- implies it works, i guess you've seen that too?21:55
zxliucelery is down21:55
naccmwhudson: yeah that's where i started, not much progress from that :)21:55
zxliuwhere are youns that you think your working on my hardware which is disassembled21:56
zxliuthe only thing up is an overheating laptop21:58
hehehesarnold: now it does not give cant open index.php error just 40321:58
hehehesarnold: could it be that open cart code does not make it easy to make it work with most secure settings?21:59
sarnoldhehehe: it's possible, most shopping carts are terrible rubbish21:59
sarnoldhehehe: but I'd hope you could make this work21:59
zxliuI put some foam earplugs in a plastic tube and sealed it with wax. sure enough home was raided and the earplugs touched21:59
hehehesarnold: where do u think potential issue would b?22:00
heheheI think I just have to identify area of conflict and fix it22:00
sarnoldhehehe: i'm not sure. when in doubt follow the log files ..22:00
zxliuWhen angels deserve to diiiiiiiiiiiiiiiiiiiiie22:00
zxliuborn of electeicity22:00
zxliuwhile I born in the flesh22:01
zxliuwhen angels deserve to diiiiiiiiiiiiiiiiiiiiie22:01
zxliuthe virtual machine can bridge me into the ram22:02
nacczxliu: please stop.22:02
zxliuwhere the egos of angels go22:02
zxliuwhat do you want to do lay my brain down on an arctic icecap22:03
zxliutalk about health problems22:03
zxliuthis little CPU overheats22:04
zxliuand your running ram frogs that say "werk" "werk"22:05
zxliuwhile the entire GOD damned town takes turns on every aspect of your soul22:06
zxliunot foresaken but earned22:06
zxliuof course in the end foresaken is seen that way22:06
zxliuhow bout a fingernail clipping?22:08
zxliucan me own a fingernail clipping22:08
zxliuor da police come and strip all posessions22:08
zxliuhold the door open for the town to continue to pilliage almost the lowest class home on earth22:09
zxliuwaiting for the CPU to cool down22:11
randymarsh9hello22:11
zxliuhello randymarsh9 can you go pay exorbitant prices for some fake plant food gmo and bring it over for tricking the body into thinking it is not hungry22:12
zxliuwhile DNA degenerates22:13
hehehehi22:13
zxliulight purple need kidney beans22:13
zxliu"red"22:13
compdoczxliu, just say NO! to drugs plz. tyvm22:14
zxliuif it were that easy22:14
zxliuhaven't you seen the population dropping dead from illicit drugs?22:15
zxliugrowing and hunting food requires a community and I don't mean of drug users22:15
naccgenii: thanks22:16
sarnoldgenii: <322:16
geniinp22:16
genii@comment 77064 Spam22:17
ubottuComment added.22:17
hehehesarnold: I think biggest mistake listen to someone advice and implementing it asap22:17
heheheas then stuff just hangs in da air half way :D22:17
sarnoldhehehe: aye that can be an issue. in the end we're all responsible for our own systems.. it's on us to know as much as we need to run the systems..22:18
heheheys22:18
heheheI say main reason many people dont code  other people dont have time desire to explain22:20
heheheif say 99% of people were to become good at coding we need social coding clubs offlines enmasse22:20
hehehebut that will bring existing people salaries to the ground22:20
hehehe:)22:20
heheheso maybe thats also a demotivator for soe22:20
hehehesome22:21
heheheand security can be never ending hole22:21
hehehelol22:21
sarnoldthe better developers will always have more opportunities and more interesting problems to solve; doubled incentives to keep progressing onwards and upwards :)22:22
hehehedude most coders are $$%^& and some are cool :D22:22
heheheI do agree with you22:23
heheheits better to share what you know22:23
heheheso all can progress and you will also enjoy more22:23
naccmwhudson: found it, buried in a semi-unrelated AWS change :)22:38
mwhudsonnacc: haha22:39
nacctop-level commit message: "AWS DynamoDB result backend (#3736)"22:39
naccrelevant line: "* Fix endless loop in logger_isa (Python 3.6)"22:39
mwhudsonnice22:40
heheheis it a security risk if file own by a root?23:02
heheheI dont think so23:02
hehehelike web app files owned by root23:02
dpb1everything is owned by root anyway23:13
dpb1i.e., root can chown root:root on any file23:13
dpb1having a file user permission as root is just saying that it's a "default" owner, or a system file.  something like that.23:15
tarpmanthe downside is that only root can modify files owned by root. that means your process deploying/updating those files, or any process that needs to write to them, has to run as root, which _could_ be a massive security hole if the code isn't extremely trustworthy23:17
tarpmanfor files deployed from a deb package, owned and updated by the package manager, never written to by anything else - root ownership makes sense23:18
tarpmanfor web app files deployed by an automated script or something, I'd prefer a non-root deploy user that the script can run under23:18
naccjamespage: re: celery, upstream (4.0+) has removed celeryd, celerybeat, celeryd-multi. Does it make sense for our package to still be called celeryd? Or should we switch to  binpkg called 'celery'?23:23
hehehe:)23:27
hehehetrue23:27
hehehedpb1: do u know nginx and php?23:28
heheheI seems to be experiencing some simple issue but yet to nail it23:28
hehehe:D23:28
nacchehehe: teward is not around, but maintains nginx in ubuntu -- i'd just wait til he's around for help, he's quite fast to fix/explain :)23:28
hehehehehe o well I may as well read a bit23:31
hehehenacc: is there some cool video that explains all nginx and php fpm?23:31
nacchehehe: i'm not sure23:33
heheheso far I understood - when visitor comes to site 1) nginx serves html 2) php-fpm serves php via nginx23:33
heheheright?23:33
hehehejust to understand entire server mechanics23:34
naccjamespage: finally, do you have testcases or otherwise that would help verify/vet my changes to celery are good? beyond the upstream test suite itself23:35
hehehehttps://serversforhackers.com/video/php-fpm-configuration-the-listen-directive23:36
hehehethis one is pretty good for php :D23:36
naccjamespage: woot, celery 4.0.2 built :)23:52
hehehewhat is celery!!!23:54
hehehe"23:54
sarnoldhehehe: http://www.celeryproject.org/23:55
naccsarnold: thanks :)23:55
nacchehehe: i'm just trying to unblock the new openstack in 17.1023:56
sarnoldI just hope there's no follow-up questions :) "uh distributed job runner hey lookit the time!"23:56
sarnoldnacc: sheesh good luck23:56
naccmwhudson: jamespage: i've added my debdiffs to the bug, i would like to spend some time testing it in practice, but both build and pass their tests23:56
sarnoldnacc: every round another two dozen dependencies23:56
hehehefollow up questions are good23:56
naccwhere both = celery + billiard23:56
heheheto achieve 100% clarity23:56
naccsarnold: yeah, I'm just helping with this bit :)23:56
hehehesarnold: dont  love it when all is crystal clear23:57
hehehemmmm23:57
naccsarnold: kombu needs a newer celery, which pulls in some new upstream versions of deps23:57
hehehedont you )23:57
sarnoldnacc: do I want to know what kombu is? :)23:57
hehehenacc:  I have tried open stack a bit heat and ceilometer23:57
hehehebut I dont know how to scale apps with it yet23:58
naccsarnold: nah, and tbh, i barely do, but i know how to deal with uscan/uupdate and package interdeps/rebuilds/etc23:58
sarnoldnacc: :)23:58
hehehesarnold: lol php bitch wants to load index html for some reason23:59
heheheI triple checked all configs23:59
hehehenowhere its said to load html :D23:59
hehehecheck this out https://www.dynatrace.com/blog/proper-configuration-running-php-nginx/23:59
