Re: mlocate - what is it good for?
On 5/22/19 12:59 PM, Brian Murray wrote:
> The Ubuntu Foundations team was recently looking at an issue with
> mlocate[1] and the effect it has on all users of Ubuntu. While that
> specific issue is fixable there are also issues[2,3] with keeping
> PRUNEFS and PRUNEPATHS current in updatedb.conf. So we ended up
> questioning the usefulness of installing mlocate by default on systems
> at all. We believe that find is an adequate replacement for mlocate but
> want to hear from you about use cases where it may not be. I'll start
> with a personal example:
>
> "I don't remember (because I need to know so infrequently) where the
> meta-release file is cached on disk by update-manager and use locate to
> find it. The find command itself is inadequate because the cached file
> exists in both /home and /var."
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880507
> [2] http://launchpad.net/bugs/827841
> [3] http://launchpad.net/bugs/1823518
>
> Thanks,
> --
> Brian Murray

Couldn't resist obligatory late reply to the "vi vs emacs" style discussion :)

I'm older so I use find. The find habit is ingrained from a need for cross platform compatibility when managing pre-linux and early linux systems. In my experience locate is more cumbersome as my typical need is to search a subtree for file(s), and sometimes a file is not yet in the mlocate database. Another use case is the running of commands on sets of files by names, dates, etc., find is often sufficient, if not then xargs.

My colleagues and I prefer the minimal approach for servers installing items as needed from a small base install. In the recent past using cloud images our config management removed packages to achieve the desired state. Items such as snap, lxc, and even some cloud config features were not wanted on our base VMs. At present we use Ubuntu minimal and build up from there.

Is the mlocate system used for any housekeeping scripts other than building the mlocate database? If not we could live without it on default installs.

Thanks,

- cameron

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
Re: Netplan and high availability
On 11/28/18 3:56 PM, Mathieu Trudel-Lapierre wrote:
> On Wed, Nov 28, 2018 at 1:12 PM Leroy Tennison wrote:
>>
>> Reading all this, it looks like reverting to ifupdown is the alternative
>> until something changes. However, when I tried to do that using a post on
>> the web things appeared to work (no error messages) but networking got
>> really weird - ping loss in the 20-50% range (and this was to my gateway on
>> the same physical cable as my NIC). Can someone point me to information on
>> how to do this reliably?
>>
>
> Have you considered using the NetworkManager backend instead of
> networkd? That might be another option. As for handling the foreign
> addresses, please make sure you file a bug in Launchpad about this.
> Then it's easier to see about scheduling time to do the work.
>
> There is nothing more to switching to ifupdown than installing the
> "ifupdown" package. Then, remove your config from /etc/netplan, and
> replace it with the appropriate lines in /etc/network/interfaces.
>
> If you're having issues like packet loss, then I would check whether
> networkd still attempts to manage things -- this might happen if you
> haven't removed the files in /run/systemd/network ... or easier,
> rebooted since you switched to ifupdown.
>
> Regards,
>
> Mathieu Trudel-Lapierre
> Freenode: cyphermox, Jabber: mathieu...@gmail.com
> 4096R/65B58DA1 818A D123 0992 275B 23C2 CF89 C67B B4D6 65B5 8DA1
>

A side note related to using something other than systemd-networkd: we have a pair of 18.04 routers using keepalived, quagga, and bgpd. We've disabled systemd-networkd entirely because it breaks with full BGP routing tables:

https://github.com/systemd/systemd/issues/11575

We also observed if systemd-networkd restarts successfully with a full table in place, it uses ~1.2GB RSS RAM, until the process is killed.

Workaround is to use quagga for the static IP assignments and keepalived for the floating IPs and local routes.

Is there any plan to support ifupdown or quagga as a netplan "renderer"?

Thanks,

--
- cameron miller
- Manager, Network and Systems Administration
- http://staff.adams.edu/~cdmiller
Re: Netplan and high availability
Hello,

Thanks for all the responses, sorry for replying so late.

We utilize puppet so our current workaround is to subscribe an exec of keepalived to the exec for netplan. A change in the netplan config triggers cascading reloads, putting back the virtual IP.

We considered going back to ifupdown but we like the netplan yaml syntax and try to minimize our deviations from baseline installs.

Not surprised systemd-networkd is the culprit. IMO systemd treats many server expectations as corner cases. While sometimes annoying it might delay the eventual AI take over of all sysadmin functions :)

Thanks,

- cameron

On 10/30/18 3:38 PM, James Hebden wrote:
> On Tue, Oct 30, 2018 at 09:17:58PM +0100, Harald Weidner wrote:
>> Hello,
>>
>> On Wed, Oct 17, 2018 at 11:09:07AM +1100, James Hebden wrote:
>>
>>> Do you get the same behaviour if you use an alias interface in your
>>> keepalived configuration? This configured keepalived to behave in a
>>> similar way to pacemaker/crm, in that it will create an secondary
>>> interface attached to the configured interface, which will be configured
>>> with the VIP.
>>>
>>> For example, if your interface is eth0, and you provide an alias of
>>> eth0:1, eth0:1 will be configured with the virtual IP, and eth0 will
>>> retain whichever IP is configured in your netplan if ifupdown
>>> configuration.
>>
>> I have tried this now, and it didn't help. After "netplan apply", all
>> of keepalived's virtual IP addresses are dropped, regardless of having a
>> label or not.
>
> Unfortunate - this means that netplan is also likely to clobber VIPs
> configured by other software too, for example, keepalived.
>
>>
>> Best regards,
>> Harald
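A check that fits the behaviour discussed in this message, as an added example that is not part of the original post: it compares the addresses in keepalived's `virtual_ipaddress` blocks with the addresses actually present, so a configuration run can reload keepalived only when `netplan apply` has dropped a VIP. The function names and the sample data are assumptions made for the example, and the result is only meaningful on the node currently holding the MASTER role.

```shell
#!/bin/sh
# Added example: report keepalived VIPs missing from the live interfaces.

# Print each address listed inside virtual_ipaddress { ... } blocks
# (prefix length stripped). keepalived comments start with '#' or '!'.
keepalived_vips() {
    awk '
        /^[[:space:]]*[#!]/ { next }
        /virtual_ipaddress(_excluded)?[[:space:]]*[{]/ { in_block = 1; next }
        in_block && /[}]/ { in_block = 0; next }
        in_block && NF { split($1, a, "/"); print a[1] }
    ' "$1"
}

# Read `ip -o addr show` output on stdin, print the bare addresses.
live_addrs() {
    awk '$3 == "inet" || $3 == "inet6" { split($4, a, "/"); print a[1] }'
}

# $1 = keepalived.conf, $2 = file holding `ip -o addr show` output.
# Prints one line per configured VIP that is not currently assigned.
missing_vips() {
    live=$(live_addrs < "$2")
    for vip in $(keepalived_vips "$1"); do
        printf '%s\n' "$live" | grep -qxF -- "$vip" || printf '%s\n' "$vip"
    done
}

# Constructed sample: two VIPs configured, only one still on the interface.
sample_missing() {
    tmp=$(mktemp -d)
    cat > "$tmp/keepalived.conf" <<'EOF'
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    virtual_ipaddress {
        192.0.2.10/24 dev eth0 label eth0:1
        192.0.2.11/24 dev eth0
    }
}
EOF
    cat > "$tmp/ip.txt" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.5/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 scope global secondary eth0:1\       valid_lft forever preferred_lft forever
EOF
    missing_vips "$tmp/keepalived.conf" "$tmp/ip.txt"
    rm -rf "$tmp"
}

sample_missing
```

On a real host, save `ip -o addr show` to a file and pass it with `/etc/keepalived/keepalived.conf`; empty output means every configured VIP is still assigned.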
Re: Netplan and high availability
Replying to myself :)

Looks like newer versions of keepalived actively put back floating VIPs if something else rudely removes them:

https://answers.launchpad.net/ubuntu/+question/670475
https://launchpad.net/~hnakamur/+archive/ubuntu/keepalived

Any plans on a newer version of keepalived to appear in backports or some such?

Thanks,

- cameron

On 10/16/2018 03:46 PM, cdmiller wrote:
> Hello,
>
> We have some systems still using keepalived or corosync/pacemaker
> for high availability with IP fail over. Easiest case would be a
> haproxy or nginx fail over pair.
>
> Currently netplan removes interfaces it does not manage on any
> change (netplan apply).
>
> Please point me to some recommendations for implementing a high
> availability cluster or pair in Bionic with IP fail over.
>
> Thanks,
>
> - cameron
>

--
- cameron miller
- Manager, Network and Systems Administration
- http://staff.adams.edu/~cdmiller
Netplan and high availability
Hello,

We have some systems still using keepalived or corosync/pacemaker for high availability with IP fail over. Easiest case would be a haproxy or nginx fail over pair.

Currently netplan removes interfaces it does not manage on any change (netplan apply).

Please point me to some recommendations for implementing a high availability cluster or pair in Bionic with IP fail over.

Thanks,

- cameron
Re: vm-builder
On 12/10/2013 10:13 AM, Serge Hallyn wrote:
> Hi,
>
> Years ago it was decided that vm-builder would be deprecated in favor of
> alternatives (cloud images, live-build, and some others). This was
> discussed at at least two separate physical UDSes. However, it was never
> actually dropped from the archive. As a result people kept using it
> despite it being considered deprecated and no longer maintained. This is
> resulting in people losing data and time, i.e.
> https://bugs.launchpad.net/ubuntu/+source/vm-builder/+bug/1090223
>
> I intend to open a bug to ask that it be removed from the archive for
> trusty. If anyone objects, please reply here.
>
> thanks,
> -serge

Could you please provide any more alternatives to explore alongside the cloud images and live-build mentioned for us behind the times vmbuilder users. Another I can think of immediately is cobbler, anything else to consider?

Thanks,

- cameron
Re: vm-builder
On 12/13/2013 02:17 PM, Scott Moser wrote:
> On Fri, 13 Dec 2013, Serge Hallyn wrote:
>> Quoting cdmiller (cdmil...@adams.edu):
>>> On 12/10/2013 10:13 AM, Serge Hallyn wrote:
>>>> Hi,
>>>>
>>>> Years ago it was decided that vm-builder would be deprecated in favor of
>>>> alternatives (cloud images, live-build, and some others). This was
>>>> discussed at at least two separate physical UDSes. However, it was never
>>>> actually dropped from the archive. As a result people kept using it
>>>> despite it being considered deprecated and no longer maintained. This is
>>>> resulting in people losing data and time, i.e.
>>>> https://bugs.launchpad.net/ubuntu/+source/vm-builder/+bug/1090223
>>>>
>>>> I intend to open a bug to ask that it be removed from the archive for
>>>> trusty. If anyone objects, please reply here.
>>>>
>>>> thanks,
>>>> -serge
>>>
>>> Could you please provide any more alternatives to explore alongside
>>> the cloud images and live-build mentioned for us behind the times
>>> vmbuilder users. Another I can think of immediately is cobbler,
>>> anything else to consider?
>>
>> At UDS Copenhagen, oz was mentioned as a promising alternative which wraps
>> the Ubuntu installer. See
>> https://blueprints.launchpad.net/ubuntu/+spec/servercloud-r-vmbuilder
>> and
>> http://summit.ubuntu.com/uds-r/meeting/21093/servercloud-r-vmbuilder/
>>
>> I've personally not used it, and doesn't even seem to be packaged.
>> IIRC Scott was the one who had mentioned it. Scott have you used oz
>> at all?
>
> oz is at https://github.com/clalancette/oz/wiki
> I've not used it personally. I really like the way that it is designed,
> and there is even support for driving oz installs through openstack at
> http://imgfac.org/
>
> Generally, I don't think people should build images of operating systems.
> We do that for them. RH and fedora do that for them too. I view ubuntu
> image build similar to how I view building eglibc, python, or the linux
> kernel. You can do it if you want to, but unless you're interested in
> just learning or *really* know what you're doing, I think you're probably
> wasting your time.
>
> Don't flame me. I agree there are people who have perfectly valid reasons
> for doing each of the things listed above. But I think that's
> significantly fewer people than those who do them.

Thanks for all the great info. We'll be taking a look at cloud-utils, uvtool etc.

Currently we run ubuntu-vm-builder via a wrapper which sets up initial IP, installs and configures puppet, places an initial puppet run in a firstboot script, and generates a libvirt config. If we can get close to that with any of the above we'll be happy. After all we still have to manually fix the libvirt xml after moving the disk images into ceph.

- cameron
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Re #120 (adam-stokes)

The best workable solution for me would be working official packages for Lucid and Pangolin. Working LDAP authn/z over TLS is baseline functionality for us (servers and academic computer labs).

I've had no problems with the patch from #73 thus far on our Lucid servers. Most traffic is Apache php/suexec. Day to day use is sudo/su for sysadmins. Have not noticed any side effects. We've been running this way since 2011-04-11.

Currently planning to test nutznbotz #113 gnutls using nettle and adejong #119 nss-pam-ldapd, but not until summer when we test Pangolin for production.

Thanks canonical folks and patch contributors for all the great work on this.

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libnss-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/423252

Title: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Just a follow up to #106. We have been running with the libgcrypt11 patch from #73 with a couple thousand openldap and AD users using Apache2/phpsuexec on Lucid 10.04.2 64 bit for months now with no troubles.
Re: [Oneiric-Topic] Puppet Integration
On 04/06/2011 09:36 AM, Mark Foster wrote:
> On 03/31/2011 05:05 PM, Mathias Gug wrote:
>> Could you clarify what behavior are you referring to? The fact that
>> puppet doesn't start after the package is installed?
>
> Bingo! It requires manual intervention (editing the /etc/default/puppet
> file). The irony is that it could be fixed via puppet if puppet was
> actually running.

We ended up using a --exec from vmbuilder to change the option to YES in /etc/default/puppet. Also turned on auto signing of keys on the puppet master. Fire up a new VM and puppet kicks off to complete configuration.

So the use case exists for autostart of the puppet agent, auto provisioning of newly created VMs, potential for elastic cloud expansion.

Sorry for the old thread reply.

- cameron
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
I just tried Howard's patch from #73 this morning, using the libgcrypt11_1.4.4-5ubuntu2_amd64.deb source files to roll a new libgcrypt11 package. I can now su to root from accounts not in the local password file database, before I could not. That was on a Lucid 10.04.2 LTS vm. Next week sometime we might be able to test Apache2/phpsuexec for a larger base of user accounts.
RE: Changes in booting with ubuntu-server 10.04
Hopefully this will be helpful to folks wanting familiar server console behavior for Lucid 10.04.

First we killed the frame buffer, took out the splash screen and turned kernel messages back on:

http://staff.adams.edu/~cdmiller/posts/Ubuntu-Lucid-server-text-console/

It is possible to get a fast frame buffer, vesafb with vga=0x314 for example, but for some reason it kills kernel boot messages. So we stuck with text.

On finding we could not remove Plymouth in a nice way, we disabled it:

http://staff.adams.edu/~cdmiller/posts/Ubuntu-Lucid-server-disable-plymouth/

I wouldn't be so hard on Plymouth if it were not for the ludicrous package dependencies set up to guard its existence. Probably a good reason for that, just not explained clearly anywhere I looked.

Finally, we enabled more verbosity for Upstart to get useful console and boot logging:

http://staff.adams.edu/~cdmiller/posts/Ubuntu-Lucid-server-upstart/

In the end we worked around the default console configuration issues with our Lucid server KVM guests and have a nice text console.

- cameron

--
- cameron miller
- Server Team Lead
- outhouse attendant, bricoleur
- http://staff.adams.edu/~cdmiller
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Finally got a chance to revisit this after post #29 above. For that server's config I still had a local /etc/passwd entry for the affected account and so was not triggering the described su and sudo symptoms.

On Karmic with:

libnss-ldap 261-2.1ubuntu4
sudo 1.7.0-1ubuntu2.1
login 1:4.1.4.1-1ubuntu2

Without an /etc/passwd entry and an otherwise working libnss-ldap setup sudo returns

sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

and su fails with

su: Authentication failure

Tests:

With libnss-ldap, su and sudo fail.
With nscd and libnss-ldap, su and sudo work.
With libnss-ldapd, with or without nscd, su and sudo work.

As root, getent returns passwd entries correctly for all the above cases.