| 06:11.11 | *** join/#gllug sabinef72 (n=sabinef7@ns.popipo.fr) |
| 07:06.02 | ChoHag | My arrow keys have become print, super, alt and pause. |
| 08:19.58 | Mohan | morning |
| 08:23.19 | *** join/#gllug zeroXten (n=zeroXten@80.83.157.42) |
| 08:45.03 | *** join/#gllug zeroXten (n=zeroXten@80.83.157.42) |
| 08:45.57 | zeroXten | lo |
| 09:12.29 | ChoHag | Suse's superior logging strikes again! |
| 09:12.48 | ChoHag | 2009-04-20 10:11:47 (17445): Error: Cannot get files. |
| 09:32.51 | ChoHag | I have to take a money laundering test. |
| 09:33.44 | ChoHag | Last time I did this it basically told you to be careful not to let customers lie to you and who to tell if they do. The fact that I never speak to or deal with customers notwithstanding. |
| 10:38.03 | AndyMillar | heh |
| 10:42.52 | *** join/#gllug kjs_ (i=kjs@emil.morsing.cc) |
| 10:45.06 | *** join/#gllug Leeds (n=richardc@n219079213112.netvigator.com) |
| 11:05.23 | ChoHag | "The technician dealing with your case is OOO today, he should be back tomorrow." |
| 11:05.29 | ChoHag | Well tell him happy birthday. |
| 11:12.57 | antiphase | Do they take turns in being an open-source office suite? |
| 11:29.05 | ChoHag | Oh it's an O not a 0. |
| 11:49.45 | *** join/#gllug dick_turpin (n=dick_tur@217.34.163.30) |
| 11:55.26 | dick_turpin | bilarh: Heard the news? Seems you'll get every penny back you invested in them Icelandic banks! Hows that work then? either you have the money or you don't? Credit Crunch my arse its all a global conspiracy I tell ya |
| 12:48.22 | *** join/#gllug sabinef72_ (n=sabinef7@ns.popipo.fr) |
| 13:09.29 | *** part/#gllug dick_turpin (n=dick_tur@217.34.163.30) |
| 13:30.06 | *** join/#gllug Bob_Plonker (n=bob@hopper.bobsbasement.co.uk) |
| 13:30.20 | Bob_Plonker | Hello all |
| 13:30.57 | Dan | Anyone about? |
| 13:31.24 | boudiccas | no |
| 13:31.36 | boudiccas | he left half an hour ago, you just missed him |
| 13:33.56 | *** join/#gllug sabinef72 (n=sabinef7@ns.popipo.fr) |
| 13:34.12 | Dan | Hello sabinef73 |
| 13:37.57 | Dan | msg ibot /help |
| 13:41.16 | wethrin | Your slash is in the wrong place |
| 13:42.15 | Leeds | hey, leave Dan's slash out of this |
| 13:43.32 | wethrin | hi Leeds - safely back home? |
| 13:43.53 | Dan | How's it going? I'm thinking of attending the next meet on the 7th. |
| 13:44.02 | Leeds | yup... except that my power went out on Friday... so fridge/freezer is full of not-cold food |
| 13:44.16 | wethrin | There's a meeting on the 7th? |
| 13:44.26 | wethrin | Leeds: Oops |
| 13:46.12 | Dan | Leeds: You mean your bear is getting warm. |
| 13:46.15 | Dan | shudders. |
| 13:46.22 | Dan | brb |
| 13:46.36 | Leeds | my bear is always warm, and furry |
| 13:47.43 | Dan | Not good. |
| 13:47.45 | Dan | brb |
| 13:59.14 | *** join/#gllug sabinef72 (n=sabinef7@ns.popipo.fr) |
| 14:00.05 | *** join/#gllug zeroXten (n=zeroXten@80.83.157.42) |
| 14:09.40 | Dan | I'm back |
| 14:10.14 | Dan | So what's the deal with Lonix do they still meet up? |
| 14:12.00 | *** join/#gllug DiscordianUK (n=ch@62.49.7.135) |
| 14:12.34 | wethrin | Lonix do occasionally still have meetings |
| 14:14.59 | DiscordianUK | urrgle oracle are buying sun |
| 14:15.30 | Dan | DiscordianUK: You got a link for that? |
| 14:16.04 | DiscordianUK | http://finance.yahoo.com/news/Oracle-Buys-prnews-14969049.html |
| 14:16.32 | Dan | http://developers.slashdot.org/article.pl?sid=09/04/20/128246&from=rss |
| 14:17.33 | Dan | Do the Lonix ppl also go to the GLLUG? |
| 14:18.26 | Dan | Begin MySQL fork now. |
| 14:19.34 | Leeds | Lonix is an illusion |
| 14:19.37 | Leeds | so is MySQL |
| 14:19.47 | DiscordianUK | So farewell then OpenSolaris |
| 14:20.48 | Dan | Leeds: Are you an illusion? |
| 14:21.08 | Leeds | doubly so |
| 14:21.13 | Dan | DiscordianUK: I don't think so, there'll just be a fork. |
| 14:21.26 | ChoHag | That sounds like bad news. |
| 14:21.42 | ChoHag | Hadn't Sun fallen far enough already. |
| 14:21.43 | ChoHag | ? |
| 14:26.03 | DiscordianUK | Well Oracle is pretty much in bed with RedHat so it'll be interesting to see what transpires# |
| 14:30.30 | Dan | I've joined your mailing list and sent out a post titled "New Member" has anyone seen it? |
| 14:31.07 | Leeds | erm, isn't Oracle pretty much in *competition* with Redhat? |
| 14:31.53 | ChoHag | Only after they rebranded their OS. |
| 14:32.50 | ChoHag | <PROTECTED> |
| 14:32.51 | ChoHag | They've switch to Solaris already??? |
| 14:36.42 | Dan | It's up and down, try again. |
| 14:39.50 | boudiccas | Dan, yes, i've seen and read it |
| 14:41.28 | DiscordianUK | has just read the job advert |
| 14:41.45 | Dan | boudiccas: Great, as I was on I thought I'd check. |
| 14:51.12 | *** join/#gllug pdr (n=pdr@103.75.2.81.in-addr.arpa) |
| 14:52.36 | ChoHag | DiscordianUK: Another one? |
| 14:53.07 | DiscordianUK | The Tonbridge/London job |
| 14:54.44 | boudiccas | DiscordianUK, i think that is only on the #klug mailing list, but i could be wrong |
| 14:55.21 | DiscordianUK | Ah yes it is, I got confused both posters are called Dan |
| 14:55.40 | Dan | lol |
| 14:55.42 | boudiccas | theres too many dans in klug, we have a surfeit of them :( |
| 14:56.23 | DiscordianUK | It's certainly a job I could do |
| 14:56.52 | boudiccas | then apply for it :) |
| 14:57.33 | DiscordianUK | I'll ask the other Dan about it later |
| 15:01.37 | Ginger_Dan | How's that. |
| 15:02.52 | Ginger_Dan | Do you guys meet up between meets much? |
| 15:02.57 | boudiccas | not out |
| 15:04.10 | boudiccas | do you want the fourth official to comment? |
| 15:12.42 | ChoHag | Something in the local Chinese gives me terrible wind. |
| 15:12.52 | ChoHag | That's probably why nobody is sitting near me right now. |
| 15:13.00 | ChoHag | Not that either upsets me any. |
| 15:14.23 | boudiccas | keep all naked flames away, we dont want your noxious gases ignited |
| 15:14.30 | boudiccas | :) |
| 15:19.04 | ChoHag | Woah. It just struck me. |
| 15:19.09 | ChoHag | I've spent all this day doing work. |
| 15:19.18 | boudiccas | congratulations |
| 15:24.25 | wethrin | It was bound to happen eventually |
| 15:26.32 | Ginger_Dan | Anyway, nice meeting you folks. I'm off will catcha later. |
| 15:27.02 | boudiccas | is that anew type of coffee an 'catcha later'??? |
| 15:47.14 | ChoHag | Gah! He's muttering again! |
| 15:47.42 | ChoHag | drowns him out with Beethoven. |
| 16:31.00 | zeroXten | hmmm, whats the "in thing" at the moment with regards to linux centralised user management? Is it still custom hacked stuff, or is there decent LDAP-based "solution" i'm not aware of? I'm thinking about something mostly for admin rather than general users but wan't to avoid peeps logging in as root. Also, ssh keys is a must. |
| 16:31.52 | ChoHag | ldap is good. |
| 16:32.04 | ChoHag | apt-get install lib{nss,pam}-ldap |
| 16:32.37 | ChoHag | Unfortunately /etc/nsswitch and possibly /etc/pam.d/* are not configured automatically. |
| 16:36.38 | zeroXten | hmm, but that isn't going to cover ssh key deployment |
| 16:38.50 | ChoHag | Not in and of itself. |
| 16:39.40 | zeroXten | hmm |
| 16:42.42 | DiscordianUK | Zero: you might find http://code.google.com/p/openssh-lpk/ interesting |
| 16:46.30 | zeroXten | yeah, i've seen that before. Didn't notice the debian docs though, i shall take a look. Patching all the systems could be a ball ache but hey, might be the best option |
| 16:46.37 | ChoHag | puppet's authors seem to have implemented file-transfer over RPC over HTTP. |
| 16:46.59 | ChoHag | Not to mention downloading files with a POST request. |
| 16:48.50 | z00dax | he's in london today I think, so if you want - feel free to buy him a beer |
| 16:48.52 | zeroXten | puppet could be cool, but probably OTT for us |
| 16:48.53 | ChoHag | Oh well at least I've got data moving around unencrypted. Should be able to wireshark it to see what its doing and work around its braindeadedness. |
| 16:48.53 | z00dax | ChoHag: ^ |
| 16:49.10 | ChoHag | Who's in London today? |
| 16:49.18 | z00dax | the guy who wrote / writes most of puppet |
| 16:49.26 | z00dax | also, its data isnt unencrypted |
| 16:49.31 | ChoHag | It is now. |
| 16:49.42 | z00dax | why would you want to do that ? |
| 16:50.01 | ChoHag | I set up an apache reverse proxy in the hope that I could intercept download requests and process them with a CGI. |
| 16:50.13 | ChoHag | It's only unencrypted to localhost. |
| 16:50.31 | z00dax | you are running a puppetmaster on each node ? |
| 16:50.35 | ChoHag | No. |
| 16:50.57 | ChoHag | puppet -[SSL]-> apache -> localhost puppetmaster |
| 16:51.33 | z00dax | what do you want to do with cgi that you cant do natively within puppet ? |
| 16:51.43 | ChoHag | Restrict who gets what. |
| 16:52.01 | z00dax | and puppet cant do this natively because ? |
| 16:52.04 | ChoHag | As it stands a runaway puppet client could download whatever data it pleases if the puppetmaster serves it. |
| 16:52.24 | ChoHag | Because the puppetmaster appears to implicitely trust the client. |
| 16:52.47 | ChoHag | If that's not the case, I've seen no evidence to prove it. |
| 16:52.47 | z00dax | yes, because there is a ssl transport under it - and you can easily remove a cert to deny a cient access |
| 16:53.07 | ChoHag | But that might be too late. |
| 16:53.22 | z00dax | also, a node can only get manifests defined on the puppetmaster. |
| 16:53.48 | ChoHag | $badguy gains root on webserver-001. Runs script to cycle through webserver-* downloading each server's private key, password, etc. |
| 16:54.01 | ChoHag | z00dax: A well behaving node, yes. |
| 16:54.01 | z00dax | although, if you want ACL's - you could just park your manifests in a svn repo, then have a local checkout on each machine |
| 16:54.31 | ChoHag | But if a misbehaving node foo says to the server "I am bar", the server will apparently believe it. |
| 16:54.48 | ChoHag | Despite the request having been initiated with foo's private key. |
| 16:54.51 | z00dax | no it wont |
| 16:55.07 | z00dax | it needs to not only call itself bar, it needs to also provide the ssl client cert for ar |
| 16:55.11 | z00dax | s/ar/bar/ |
| 16:55.18 | z00dax | err |
| 16:55.44 | z00dax | and there is no way to do wildcards on file source=> |
| 16:56.30 | ChoHag | So if the manifest says 'secure.file.$fqdn', and facter is subverted so that $fqdn is set to something else, what will the server do? |
| 16:56.57 | ChoHag | According to #puppet, the server will trust the rogue puppet client. |
| 16:57.37 | ChoHag | I've not tested that, but only part of this whole apache proxy thing was to get around that. The other half was morbid curiosity about the protocol. |
| 16:57.41 | ChoHag | And to see how to do it. |
| 16:57.43 | z00dax | what will your cgi layer do ? |
| 16:57.54 | z00dax | you are, imho, solving the wrong problem |
| 16:58.04 | ChoHag | Yes. |
| 16:58.38 | ChoHag | The right problem to solve would be to somehow trust the ssl certificate, but it seems that information isn't accessible. |
| 16:59.22 | z00dax | its just openssl's stuff, puppet will quite happily share certs with things like func |
| 16:59.23 | ChoHag | Anyway, I'll mess around with wireshark when I get home. Once I can see the protocol maybe I can work out what to change to fix the real problem. |
| 16:59.28 | ChoHag | And see if there actually is one. |
| 17:00.18 | ChoHag | out |
| 17:14.31 | antiphase | The answer is to not put distribute private keys with puppet |
| 17:14.35 | antiphase | s/put// |
| 17:14.58 | antiphase | Just because it's your config manager doesn't mean it has to do everything |
| 17:15.26 | antiphase | We run about 300 servers here with puppet, and server certs and keys are manged by hand |
| 17:16.06 | antiphase | Since they have to be issued by hand, and private keys are never stored except where they are used unless you're stupid, the extra work in copying them into the right place is negligible |
| 18:19.29 | *** join/#gllug dick_turpin (n=peter@static-87-243-206-72.adsl.hotchilli.net) |
| 18:21.32 | *** part/#gllug dick_turpin (n=peter@static-87-243-206-72.adsl.hotchilli.net) |
| 18:29.55 | z00dax | antiphase: I agree. |
| 18:30.40 | z00dax | most of the time, the work involved in getting puppet setup V/s puppet +keys setup is only slightly more |
| 18:41.48 | *** join/#gllug boudiccas (n=boudicca@88-108-29-137.dynamic.dsl.as9105.com) |
| 18:55.02 | *** join/#gllug DiscordianUK (n=ch@chills.demon.co.uk) |
| 22:15.24 | *** join/#gllug kinko (i=kinko@null.routed.be) |
| 22:17.54 | *** join/#gllug Nafallo_ (n=nafallo@ubuntu/member/nafallo) |
| 22:20.11 | *** join/#gllug Mohan (i=roughele@the-master.org) [NETSPLIT VICTIM] |
| 22:20.11 | *** join/#gllug AndyMillar (n=andy-fre@caffeine.andymillar.co.uk) [NETSPLIT VICTIM] |
| 22:20.12 | *** join/#gllug antiphase (n=ant@plasma.ossified.net) [NETSPLIT VICTIM] |
| 23:46.00 | *** join/#gllug Leeds (n=richardc@n219079213112.netvigator.com) |