/srv/irclogs.ubuntu.com/2016/05/18/#ubuntu-server.txt

caliculkDoes anyone here use an inventory management solution in the workplace that is compatible with Linux, OS X, and Windows and can perform SNMP scanning/polling, agent and agentless based information, has an API, and can pull serial numbers for all hard drives.03:10
vbotkacaliculk, you might want to take a look at ansible.com05:47
EmilienMjamespage: hey, we're trying to deploy Mitaka on Xenial, we're having an issue with OVS09:44
EmilienMdegorenko: can you paste your logs here?09:44
degorenkoyep09:44
degorenkohttp://paste.openstack.org/show/497463/09:44
degorenkohttp://paste.openstack.org/show/497467/09:45
EmilienMit sounds similar to https://bugs.launchpad.net/networking-ovs-dpdk/+bug/151270109:45
ubottuLaunchpad bug 1512701 in networking-ovs-dpdk "Database connection failed on ubuntu when running ovs-dpdk init" [Undecided,Invalid]09:45
EmilienMmaybe do we need openvswitch-switch-dpdk ?09:47
EmilienMdegorenko: can you run "dpkg -l | grep openvswitch" ?09:47
degorenkoEmilienM, http://paste.openstack.org/show/497469/09:48
EmilienMjamespage: do we need something else when deploying openvswitch-switch package?09:49
jamespageEmilienM: nope09:51
jamespageEmilienM: status looks ok09:51
EmilienMjamespage: we also have an issue with SSL deployment. The same Puppet manifests to deploy SSL certs on Trusty do not work on Xenial, see https://etherpad.openstack.org/p/puppet-openstack-xenial09:53
EmilienMwe have a lot of [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)09:53
EmilienMsomething changed in Xenial for SSL certs?09:53
EmilienMdegorenko: I'm adding the Horizon failure in the etherpad, you missed it09:56
degorenkoare you about failed tempest tests?09:56
EmilienMyes09:57
EmilienMjamespage: we're trying to deploy Mitaka on Xenial, we have some issues09:57
EmilienMdegorenko: I'm going to enable SSL again so we can have the failures available in logs09:58
degorenkoEmilienM, what should we do with openvswitch? :)09:58
EmilienMdegorenko: I have no idea09:59
degorenko:(09:59
EmilienMjamespage: if you can help us that would be awesome, please let us know what you think about our issues in the etherpad. Thanks10:03
jamespageEmilienM: sorry juggling a few things to do so will be a bit async on responses10:24
jamespageEmilienM, degorenko: OK lets look at ovs first...10:24
jamespageyou should not need the -dpdk binary for general use10:25
jamespageand the path looks just fine for the database.10:25
jamespagethings to look at:10:29
jamespagecheck perms on /var/run/openvswitch/db.sock10:29
jamespagelook in /var/log/openvswitch/*10:30
jamespagemight give some further clues...10:30
EmilienMjamespage: thx for looking, I'm a bit afk for lunch, will reply in async10:36
degorenkojamespage, root@de-xenial:~/puppet-openstack-integration# ll /var/run/openvswitch/db.sock10:42
degorenkosrwxr-x--- 1 root root 0 May 17 15:06 /var/run/openvswitch/db.sock=10:42
degorenkocat: /var/run/openvswitch/db.sock: No such device or address10:42
jamespagedegorenko, is the trailing '=' a typo or actually what's in the directory?10:43
degorenkojamespage, http://paste.openstack.org/show/497480/10:44
degorenkoi don't know why = was added10:44
degorenko:)10:44
jamespagedegorenko, ok have one running as well - my /var/run/openvswitch looks comparable to yours10:46
jamespageand cat /var/run/openvswitch/db.sock does the same thing10:46
jamespagebut10:46
jamespageI can add a bridge to the configuration10:46
jamespagehttp://paste.ubuntu.com/16487891/10:46
jamespagedegorenko, anything useful in /var/log/openvswitch?10:47
degorenkojamespage, nothing, but let me look one more time10:47
degorenkojamespage, ovsdb-server has: 2016-05-18T10:46:51.182Z|01882|ovsdb_jsonrpc_server|WARN|Dropped 11 log messages in last 56 seconds (most recently, 6 seconds ago) due to excessive rate10:47
degorenko2016-05-18T10:46:51.182Z|01883|ovsdb_jsonrpc_server|WARN|punix:/var/run/openvswitch/db.sock: connection exceeded maximum (330)10:47
degorenkoand nothing interesting in ovs-vswitchd log10:48
jamespagedegorenko, anything in syslog?10:48
degorenkojamespage, i see several neutron errors, but it is related to already posted error during creating bridge - and same error i see in syslog10:49
* jamespage scratches his head10:50
jamespagedegorenko, can you do a ovs-vsctl show?10:50
jamespagejust wondering what is working and what's not10:51
jamespagealso anything in /etc/default/openvswitch-switch ?10:51
jamespageother than the stock installed file10:51
degorenkojamespage, i found this in syslog http://paste.openstack.org/show/497480/10:52
EmilienMdegorenko: do you have enough memory on the VM?10:52
jamespagedegorenko, I think that's a previous pastebin10:52
degorenko2 gb more free, 5.6 from 7.810:53
degorenkoEmilienM, ^10:53
degorenkojamespage, file /etc/default/openvswitch-switch is empty10:54
jamespagethat's ok10:54
degorenkoonly comment lines10:54
jamespageon the deployment I have running we run it in a 1.5G instance for network nodes - and that's working fine...10:56
degorenkojamespage, show command also failed with same error10:57
jamespagedegorenko, it's related to 2016-05-18T10:46:51.182Z|01883|ovsdb_jsonrpc_server|WARN|punix:/var/run/openvswitch/db.sock: connection exceeded maximum (330)10:58
jamespagethe socket is full - are both ovs processes still running?10:58
degorenkojamespage, http://paste.openstack.org/show/497483/ - yes10:59
jamespagedegorenko, can I access your instance/11:01
jamespage?11:01
degorenkono :( it is under private network11:01
degorenkojamespage, ^11:02
jamespagedegorenko, what was the syslog thing you found?11:03
degorenkojamespage, well, i see a lot of requests for creating bridges and then11:04
degorenkojamespage, http://paste.openstack.org/show/497484/11:04
degorenkoafter that i have database connection error11:04
jamespagedegorenko, hmm11:05
jamespagedegorenko, something is getting wedged, but I've not seen this before11:05
jamespagedegorenko, can you try a restart of openvswitch-switch pls11:05
degorenkojamespage, full log for ovs commands: http://paste.openstack.org/show/497485/11:06
degorenkothat's all i have from syslog related only to ovs11:06
jamespageovs was functional11:06
degorenkoyes, it was11:06
jamespageand then after a few hours borked in some way11:06
degorenkoi can redeploy it again11:07
degorenkoand we will have fresh logs11:07
degorenkobut anyway11:07
degorenkowe have issue, that during second puppet run for idempotency - service was restarted11:07
jamespagedegorenko, before you do "netstat -an | grep openvswitch" would be useful11:07
degorenkoyeah11:08
degorenkotoo many connections11:08
degorenkohttp://paste.openstack.org/show/497486/11:08
degorenkojamespage, ^ that's not a full output11:08
degorenkoi have 404 lines after this command11:09
jamespagedegorenko, ok so we need to figure out what's holding those connections open11:09
jamespagesudo lsof | grep /var/run/openvswitch11:09
jamespagedegorenko, I see this sort of thing:11:10
jamespagehttp://paste.ubuntu.com/16488179/11:10
degorenkojamespage, yep, http://paste.openstack.org/show/497487/11:11
degorenkoi have a lot of db.sock11:11
jamespagefrom which processes?11:11
degorenkojamespage, root     17422  0.0  0.0  24732  2036 ?        S<s  May17   0:00 ovs-vswitchd: monitoring pid 17423 (healthy)11:13
degorenkoroot     17423  0.1  0.6 394188 50404 ?        S<Ll May17   1:37  \_ ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach --monitor11:13
degorenkoso, both processes which i posted above11:13
degorenkoall db.sock from ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor11:14
jamespagedegorenko, might seem like an odd question but is self host resolution ok?11:17
jamespagedegorenko, any spurious output on sudo XX commands?11:17
degorenkojamespage, he he, yes, it is11:18
degorenkoubuntu@de-xenial:~$ sudo -i11:18
degorenkosudo: unable to resolve host de-xenial11:18
jamespagedegorenko, can you pastebin /var/log/openvswitch/ovsdb-server.log pls11:18
jamespagedegorenko, hmm11:18
degorenkobut i'm not sure that we have the same error on our infra slaves11:18
jamespagedegorenko, are there a lot of ovs-vsctl processes hanging around?11:19
jamespageor ovs-* processes - might be other cli tools11:19
degorenkojamespage, http://paste.openstack.org/show/497488/ - yes11:19
degorenko~20011:20
jamespagedegorenko, this is your problem11:20
jamespagedegorenko, when there is spurious output on the sudo command, neutron-openvswitch just spins loads of those monitor processes and everything collapses...11:20
jamespagethat's consuming all of the socket connections, resulting in what you see now...11:21
jamespagedegorenko, EmilienM: this might be a diff in the xenial image vs trusty image...11:21
degorenkojamespage, hmmm, ok, thank you for help, i'll rebuild my vm, then will add my host name to /etc/hosts and try to redeploy11:22
jamespagedegorenko, np11:22
jamespagecoreycb, hey - I switched the newton neutron builds to using ostestr - build speed picked up a lot in the PPA's11:24
jamespageand seems more reliable...11:24
jamespagesorted a lot of sqlite racey things before - which I think is the cause of the FTBFS in yakkety for the mitaka point release uploads...11:25
jamespagecoreycb, also backported git-buildpackage for trusty for liberty and mitaka - should be able to switch --merge-mode=replace on soon11:25
jamespagecoreycb, replace mode re-enabled...11:35
coreycbjamespage, awesome thanks11:40
jamespagecoreycb, I also switched over keystone for newton11:47
jamespageappears to test a lot faster now11:47
jamespage19 mins vs 1hr11:47
coreycbjamespage, wow, that's a huge improvement11:47
jamespagecoreycb, keystone in ppa is now 16 mins vs 5212:34
coreycbjamespage, that is really awesome.  my laptop is burning up here running neutron tests. :)12:35
coreycbbeisner, these packages are ready for promotion to kilo-updates.  they've tested successfully and have aged 7 days in kilo-proposed.  http://paste.ubuntu.com/16490018/12:46
beisnercoreycb, are there any pre-requisite charm upgrades tied to those package revs?12:47
coreycbbeisner, no not for these12:47
coreycbbeisner, while you mention it, I'm going to make a card to generalize that charm-helpers minor point release versioning so we don't have to deal with that.12:48
beisnercoreycb, yes that'd be really nice.  it seems like an easy win to not potentially break folks, and ... peace of mind :-)12:49
coreycbbeisner, definitely12:49
beisnercoreycb, jamespage - kilo-proposed has libvirt-python and qemu.  are those needing to go as well?12:50
coreycbbeisner, not yet for qemu, that's new12:51
beisnercoreycb, ack12:51
coreycbbeisner, not sure about libvirt-python12:51
jamespagecoreycb, beisner: libvirt-python ++ yes please13:01
jamespagehttps://bugs.launchpad.net/ubuntu/+source/nova/+bug/153950613:02
jamespagefor reference13:02
ubottuLaunchpad bug 1539506 in Ubuntu Cloud Archive liberty "AttributeError: 'virDomain' object has no attribute 'fsFreeze" [Medium,Fix committed]13:02
jamespagecoreycb, reverted merge-mode again13:02
jamespageapparently my backported package was foobar.13:02
coreycbjamespage, doh13:02
coreycbjamespage, need anything?13:03
jamespagecoreycb, nah - back in now - testing atm13:10
jamespagecoreycb, hows microversion-parse?13:11
coreycbjamespage, oh sorry, I'll work on it, I thought you said it was done13:11
jamespagecoreycb, nope13:18
EmilienMjamespage: for the SSL errors, everything works fine on Trusty, but same manifests fail on Xenial, I have some logs13:31
EmilienMError: Could not prefetch keystone_service provider 'openstack': Execution of '/usr/bin/openstack service list --quiet --format csv --long' returned 1: SSL exception connecting to https://127.0.0.1:35357/v3/services: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)13:31
EmilienMhttp://logs.openstack.org/30/308530/16/experimental/gate-puppet-openstack-integration-3-scenario003-tempest-ubuntu-xenial/cd44c41/console.html#_2016-05-18_10_16_38_72713:32
EmilienMapache logs: http://logs.openstack.org/30/308530/16/experimental/gate-puppet-openstack-integration-3-scenario003-tempest-ubuntu-xenial/cd44c41/logs/apache/13:32
jamespageEmilienM: deploying now to see if I can reproduce13:36
EmilienMjamespage: thanks for your help13:36
jamespageEmilienM: np13:36
jamespagewant to see you unblocked so you can start testing out newton packages :-)13:36
EmilienMso here's how we deploy SSL :13:36
jamespageEmilienM: oh I have a way to deploy SSL :-)13:37
EmilienM1) we drop /etc/ssl/certs/puppet_openstack.pem file13:37
EmilienMI mean, we put the file at this place13:37
jamespagesure13:37
EmilienM2) we run /usr/sbin/update-ca-certificates -f13:37
EmilienM3) we put the cert in /etc/keystone/ssl/private/cert.pem (etc for every project)13:38
EmilienMthat's all I think13:38
EmilienMit used to work fine with Trusty13:38
jamespageEmilienM: is that for the CA cert?13:39
EmilienMthe CA cert is put in /etc/ssl/certs/puppet_openstack.pem13:40
jamespageEmilienM: hmm ok13:40
EmilienMwell13:40
EmilienMin fact we use the same cert for both13:40
EmilienMhttps://github.com/openstack/puppet-openstack-integration/tree/master/files13:40
EmilienMwe have a crt & key for ipv4 & ipv6 (because we deploy apache and use ::1 or 127.0.0.1)13:41
jamespageEmilienM: any way you can turn up and capture the output of update-ca-certificates?13:41
jamespage-v would be useful13:41
EmilienMjamespage: yes! we can do it13:42
EmilienMdegorenko: I'm going to update the patch ^13:42
jamespageEmilienM: awesome13:43
jamespageEmilienM: looking at the log I think you're writing it to /usr/local/share/ca-certificates/puppet_openstack.crt13:43
jamespageand then running update-ca-certificates13:43
EmilienMyeah13:43
EmilienMjamespage: can I run it after the puppet run?13:45
jamespageyup13:45
EmilienMok let's try13:47
jamespageEmilienM: testing out my Juju deployed SSL openstack xenial mitaka foo now13:54
EmilienMexcellent13:54
EmilienMjamespage: how do you deploy SSL?13:54
EmilienMcan you point me to the charms?13:54
EmilienM(see how good is my vocabulary)13:54
jamespageEmilienM: kinda the same way you do  - the keystone charm acts as a CA for everything else, and provides signed certs back to related services13:55
EmilienMok same yeah13:55
jamespagewhich then use them and update their endpoint entries to do https13:55
jamespageEmilienM: OK so I'm looking functional with https enabled...13:56
jamespageEmilienM: that's from a xenial client to a xenial cloud13:56
EmilienMok, let's see13:56
jamespageEmilienM: that's good because it broadly means we're not looking at a code fault somewhere in the stack on installed things...13:57
jamespageEmilienM: how do you generate your CA and cert? I wonder whether it's something about them that xenial does not like13:57
EmilienMjamespage: on http://www.selfsignedcertificate.com/13:58
EmilienMI'm very lazy, I know.13:58
EmilienMbut it just works13:58
jamespageEmilienM: so how does the chain of trust work with those?13:59
jamespagepuppet_openstack.crt is the cert for the signing CA?13:59
EmilienMjamespage: yes13:59
EmilienMour certs are here: https://github.com/openstack/puppet-openstack-integration/tree/master/files14:00
EmilienMwe have a pair of cert/key for ipv4 & ipv614:00
jamespagehmm this rings a bell for some reason...14:01
jamespageEmilienM: I suppose those match to localhost right?14:01
EmilienMjamespage: 127.0.0.1 and ::114:02
EmilienMwe don't match on localhost because we want to test ipv4 & ipv6 endpoints14:02
EmilienMjamespage: but ipv6 tests don't run on ubuntu, so consider 127.0.0.1 only.14:02
jamespageok14:02
jamespageEmilienM: verbose output of that update-ca-certificates looks like it might help14:03
jamespageEmilienM: I'd like to check that your cert is getting into /etc/ssl/cert/ca-certificates.crt14:03
EmilienMyeah, CI is currently running14:03
jamespageyou can grep for a line or so in that file to match14:03
jamespageEmilienM: might be relevant14:08
jamespagehttp://www.python.org/dev/peps/pep-0476/14:08
jamespagetrusty has a pre 2.7.9 python 2.7 version14:08
EmilienMok I have logs14:09
EmilienMa sec14:09
jamespageEmilienM: OK my SSL cloud appears completely functional, so it must be something todo with the way you're doing cert and building the trusty chain14:10
jamespagejust a hunch14:10
jamespagetrust chain14:10
jamespagenot trusty...14:10
EmilienMok14:10
EmilienMI'm trying to get the logs14:10
EmilienMjob is still running, will show output in a few min14:11
jamespageok stepping away for a bit...14:12
jamespagebiab14:12
jak2000my network card does not come up at start/boot, i need to do an ifdown eth0 and then ifup eth0. how do i fix it?15:03
naccrbasak: i assume you're gone already, but if not o/; and if so, can we sync up tmrw AM?15:29
smbhallyn, somehow your 1.3.4 libvirt merge did upgrade without issues and it even seems to boot Xen PV and HVM guests... I wonder what I am doing wrong... ;) nice job15:42
hallynsmb: did you get a systemctl preset error on upgrade?15:54
hallynonce i finish testing my kernel patch i was going to try and reproduce that with a minimal empty pkg set15:54
smbhallyn, hm, not that I remember. I might have missed it if it did not cause an upgrade failure. But systemctl status on libvirtd was ok. Not sure whether one would now expect libvirt-bin to be the alias (or whether that actually is possible)15:57
hallynsmb: it is now the alias, and on clean installs that works15:58
EmilienMjamespage: http://logs.openstack.org/30/308530/18/experimental/gate-puppet-openstack-integration-3-scenario002-tempest-ubuntu-xenial/e17a5b4/console.html#_2016-05-18_15_26_02_28315:59
smbhallyn, ah ok. so that would be the only odd thing "systemctl status libvirt-bin" reports it as not running. Even after reboot...15:59
EmilienMjamespage: and http://logs.openstack.org/30/308530/18/experimental/gate-puppet-openstack-integration-3-scenario002-tempest-ubuntu-xenial/e17a5b4/console.html#_2016-05-18_15_26_13_16116:00
hallynsmb: yeah i think that may even be the whole problem - maybe systemd is trying to set up the symlink for the Alias and that fails bc something already exists16:00
smbhallyn, I believe that is what is done. But I don't know how one is supposed to cleanly do that switch-over16:02
hallyn:)  I can tell you that it worked before an init-system-helpers update in yakkety16:02
hallynso it still may really be a bug there16:02
hallynor, i was always doing something wrong and the old code just let it fly16:03
smbhallyn, :) I would not want to claim I knew what is right or wrong when it comes to systemd... one thing I just noticed is that status reports active running and then "bad" whatever that means16:05
jeeves_mossis the package PuppetMaster still broken for 16.04?  I'm trying to install it through apt-get, and it fails16:14
naccjeeves_moss: fails how?16:15
jeeves_mossnacc: "Job for puppetmaster.service failed because a timeout was exceeded. See "systemctl status puppetmaster.service" and "journalctl -xe" for details."16:15
jeeves_mossnacc: full error  --->  http://pastebin.com/3KNDZ4Nx16:16
naccjeeves_moss: anything in the referred to logs (feel free to pastebin them too)16:17
jeeves_mossone sec.  I'll have a look once this wget is done16:17
xnoxsmoser, is it possible to do "xnox hates cloud-init networking" via cloud config drive and/or via user data and/or vendor data?16:19
jeeves_mossugh, I miss having a box in the datacenter.  Trying to do a setup at home takes forever!16:22
jeeves_mossnacc: lol.  looks like it couldn't make the .pid file.  <rolls eyes>16:27
naccjeeves_moss: permissions?16:29
jeeves_mossnope.16:29
jeeves_mossnacc: "puppetmaster.service: Failed to read PID from file /run/puppet/master.pid: Invalid argument"16:30
naccjeeves_moss: does said file exist? and have valid contents?16:30
jeeves_mossthe file didn't exist.  so I tried touching the file, and re-running the installer16:31
naccjeeves_moss: it probably needs a pid in it16:33
naccjeeves_moss: but i might be wrong16:33
jeeves_mossnacc: http://pastebin.com/WWWw7Hny16:33
naccjeeves_moss: that still happens you mean? or was the original error?16:34
jeeves_mossnacc: original error.  new server, new install16:35
naccjeeves_moss: and after `touch` it gets further?16:35
naccjeeves_moss: just fyi, it would be good to file a bug (or see if one is filed) for puppetmaster that it fails to install due to the above16:35
jeeves_mossI had a look through the service file, and it should be "master.pid"16:36
jeeves_mossI'm going to see if it fails again.16:37
jeeves_mosswould be nice if I can file a bug.  would be the first one I've ever filed16:37
nacc!bug | jeeves_moss16:37
ubottujeeves_moss: If you find a bug in Ubuntu or any of its derivatives, please file a bug using the command « ubuntu-bug <package> » - See https://help.ubuntu.com/community/ReportingBugs for other ways to report bugs.16:37
nacc:)16:38
jeeves_mosstypical.  most things I want are always broken16:39
naccjeeves_moss: fwiw, the version in 16.04 (and yakkety) is the same as in debian, so it's probably a debian bug, really -- would be good to verify if it happens there too16:40
naccnot strictly necessary, but it will probably get asked in the bug :)16:41
jeeves_mossnacc: lol.  no body's got time for 'dat.   -->  http://s2.quickmeme.com/img/a0/a0ed68c2b414e58e131e7fa1c7ac66e4df4a14d30df577734812cdb95d9aaa99.jpg16:41
jeeves_mossohhhh, new error!!!  java isn't installed.  might be a dep problem here guys16:43
jeeves_moss<rolls eyes>  all of this to manage 8 machines16:43
naccjeeves_moss: puppet shouldn't need java? it's a ruby tool16:45
nacci thought16:45
jeeves_mosshummm, we shall see.  I tried installing the latest snapshot from puppetlabs, and that's what I got.  so, we shall see16:46
naccjeeves_moss: hrm? so not the ubuntu package?16:46
jeeves_mossno, I grabbed the latest from their site.  if it installs, then the one in the repo is suspect16:46
jeeves_mossnacc: it says puppetserver requires java16:48
naccjeeves_moss: "it" being their version?16:49
nacctheir being puppetlabs?16:49
jeeves_mossyes.  the latest from puppetlabs.  if that package works, then there is something wrong with the package in the ubuntu repo16:50
naccwell, they are different versions clearly16:50
sdezieljeeves_moss: puppetmaster (ruby based) is not to be confused with puppetserver (java based)16:51
naccsdeziel: thanks16:51
sdezielnacc: np16:51
jeeves_mosssdeziel: any ideas on how to fix this install issue?16:53
sdezieljeeves_moss: the puppetserver or the puppetmaster on?16:54
sdeziels/on/one/16:54
jeeves_mosssdeziel: puppetmaster16:54
jeeves_mosssdeziel: this is the error we are getting.  http://pastebin.com/3KNDZ4Nx16:55
sdezieljeeves_moss: I don't have any experience with puppetmaster directly. I've only used "puppetmaster-passenger" on Trusty16:56
sdezieljeeves_moss: if you pastebin "systemctl status puppetmaster.service" and "journalctl -xe" I could look at them though16:57
jeeves_mosssdeziel: the outputs are in http://pastebin.com/3KNDZ4Nx16:57
sdezieljeeves_moss: I only see the apt install failure log16:58
jeeves_mosshummm.  one sec.  it looks like even the latest package from puppetlabs suffers the same issue17:00
sdezieljeeves_moss: upstream focus seems to be on the Java based daemons (puppetserver and puppetdb) so it's possible the legacy version isn't in top shape17:01
jeeves_mosshummmm17:01
jeeves_mossat this rate, I should just abandon this mess17:02
sdezieljeeves_moss: but for those you will get better support in their own channel17:02
jeeves_mossI've asked in there,  it's a ghost town!17:03
sdezieljeeves_moss: hmm OK. If you want a puppetmaster/server and want to use the upstream apt repo, you are better off using Trusty because they don't yet officially support Xenial as the server role17:04
jeeves_mosssdeziel: fun.  how do I get the previous release if I'm installing with Apt-get?17:06
sdezieljeeves_moss: apt-get install foo=<version>17:07
jeeves_mosshummm, google!!17:07
coreycbjamespage, https://git.launchpad.net/~corey.bryant/ubuntu/+source/python-microversion-parse17:22
davethenoobhi there everyone17:59
davethenoobI wonder if I could get a little advice please?17:59
davethenoobabout me running my home server with Ubuntu Server installed18:00
jak2000my network card does not come up at start/boot, i need to do an ifdown eth0 and then ifup eth0. how do i fix it?18:00
geniidavethenoob: A more specific question might be more useful for someone to give an answer to :)18:01
patdk-wk!ask18:01
ubottuPlease don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience18:01
patdk-wk!poll18:02
patdk-wk!best18:02
patdk-wkdamn bot18:02
TJ-!giveupwhilstyoureahead18:02
davethenoobhah. fair point. So I have my server installed and have had owncloud running on it and all good. Except that it started running slow and would upload photos to owncloud, which made me think it could have been a ddos attack. My question is can you recommend some good steps to do tonight to help minimize that risk?18:02
jak2000patdk-lap any advice?18:02
davethenoobthanks in advance18:03
davethenoobits 14.0418:03
beisnercoreycb, oh i forgot to confirm that i pushed kilo-proposed to updates, except for qemu earlier.18:03
coreycbbeisner, cool thanks18:06
geniidavethenoob: Move ssh from port 22 to something more obscure, above 1024. Use key based authentication and not password based. Install and configure fail2ban18:06
patdk-wkgenii, how does any of that help?18:08
patdk-wkhe wants ddos protection18:08
patdk-wkyou cannot protect yourself against a ddos unless you have enough bandwidth to handle it, or you hide behind someone that does18:08
patdk-wkyou could completely firewall port 22 and not even have ssh or any other service open18:08
davethenoobi have a home server that I want to access from outside home with owncloud and subsconic18:08
patdk-wkbut you're still vulnerable to a ddos18:08
davethenoobI have pasted an iptables rule into terminal18:09
davethenoobiptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT18:09
davethenoobthat one18:09
patdk-wkdavethenoob, what is the goal?18:09
patdk-wkcause nothing you do on that server will help protect you from a ddos18:09
patdk-wkthat limits http connects, not ddos18:09
geniipatdk-wk: When someone is trying to bruteforce ssh passwords, it effectively chews up all the bandwidth and can cause outages18:09
davethenooband used iptables persistent for it18:09
patdk-wkgenii, yes, but that is hardly ddos protection18:10
patdk-wkhe asked for ddos18:10
patdk-wknow to do more, stop bad/unwanted things from using your bandwidth, there are millions of things you can do18:11
patdk-wkbut you should find out what is using your bandwidth to find out what you should attempt in what order18:11
patdk-wkbut no matter what you do, it is a simple job for someone to ddos you, just by flooding too much traffic to you18:12
patdk-wkit doesn't matter if you have an iptables rule that says DROP all incoming18:12
davethenoobthanks for advice guys.18:25
davethenoobAfter thinking, I think im gonna just make it a local server and not accessible outside18:25
davethenoobfor safety18:25
davethenoobor start off local then maybe make it web-facing when I have some more knowledge / confidence18:26
roaksoax_~/win 818:44
fellayaboycan someone help me on how a thinclient connects to a vm on either xenserver or vsphere esxi?  how do i setup a thinclient to connect to a vm on a server?19:07
patdk-wkwhat is this *thinclient*?19:09
fellayaboywhat protocol does the thinclient use to boot into a vm?  what server serves the thinclient19:09
fellayaboya thin client machine - no cd/dvd, no hard drive.  just boots a VDI off the network.19:09
fellayaboyvery small and minimal machine19:10
patdk-wkok, but what does that have to do with a vm at all?19:10
fellayaboyi assumed a thin client connects to a vm19:10
fellayaboyhow does it work then19:10
patdk-wkI guess this is more a question to your thinclient seller19:11
fellayaboysomeone give me the basics pooo lease19:11
patdk-wkyou need to know what your thinclient supports, what it can do19:11
patdk-wkI dunno what you mean by connects to a vm19:11
fellayaboyhave u ever worked/setup a thinclient before patdk-wk19:11
patdk-wkthe *standard* definition of a thin client is a basic monitor/keyboard has no, or very little programs installed19:12
patdk-wkfellayaboy, around 15years19:12
fellayaboyi thought a thin client machine boots an operating system off a server somewhere19:12
patdk-wkit might, it might not19:12
patdk-wkthat depends on the thin client19:12
fellayaboyi see19:12
fellayaboywell in this case lets say it does19:12
patdk-wkit might have a 1gig cf card or something19:12
fellayaboywhats cf?19:13
patdk-wkyes, but I don't know what one you have, what it wants to do, does it do iscsi? nfs? http? how does it boot, what image does it expect?19:13
patdk-wkis it pxe? dhcp?19:13
fellayaboyso thin clients can boot straight to iscsi, nfs, http, pxe19:14
patdk-wkthinclients is a generic term that means nothing19:14
fellayaboyi see ok makes sense19:14
patdk-wkit is a catchall for any simple, reimagable bare-minimal workstation19:14
patdk-wka thinclient could be custom hardware, that runs customfirmware19:15
patdk-wkit could be normal computers19:15
patdk-wkit could be normal computers that boot remotely, centrally19:15
patdk-wkbut generally they are stripped down graphics, minimal ram, ...19:15
fellayaboywell, i want to create a system where i can use cheap inexpensive thin clients that connect to a centralized server, where they can run an operating system.19:16
patdk-wknormally only powerful enough generally to remote into something else, like using rdp/vnc19:16
fellayaboythrough the network19:16
patdk-wksounds like yo uwant to recreate vmware view with desktop hardware19:17
patdk-wkyou're going to end up running a full blown desktop os on the clients, in order to run vnc, if you roll this yourself19:17
fellayaboyi guess that would be it.. ihavent used vmware view, ive used esxi server and client and rdp to connect to vm19:17
fellayaboybut never used a thin client to connect to one19:18
fellayaboyi want to have inexpensive thin clients connect to server. have the server do all the work etc. and so that i can expand it all i want of course. add more VMs, more endpoints. put all the load on the server.19:19
fellayaboyusing a 10gbps network card if i have to with heavy duty switch/router etc19:20
patdk-wkyou cannot put all the load on the server19:20
patdk-wkyou can only put the cpu/ram load onto the server19:20
patdk-wkall graphics load will be on the client19:20
patdk-wkand on the server19:20
fellayaboywell not all, just want to have inexpensive endpoints thus thin clients19:21
patdk-wkand the vnc/rdp/... protocol processing on the client19:21
fellayaboythat part is fine19:21
fellayaboyso there's some thinclients that have in their bios a vnc/rdp protocol running already? or some kind of embedded os ?19:21
patdk-wkyes19:21
fellayaboyoh i see that makes sense19:22
fellayaboyand some have the option to boot off iscsi and nfs right19:22
fellayaboywhat i want to do is create a Point of Sales network system.  say for a store.  using all open source technology19:23
patdk-wkmaybe, those are getting not as thin then19:23
fellayaboyi see19:23
fellayaboywell now i know that some thinclients use vnc rdp in their embedded os19:23
fellayaboythat gives me a little headstart and some clarity19:23
fellayaboythank you patdk-wk19:23
mikedep333So the Vagrant Xenial cloud images are currently broken. In the past, ultlemming fixed a Vagrant cloud image issue ASAP. Is he or someone else able to fix this?19:41
mikedep333https://bugs.launchpad.net/cloud-images/+bug/156598519:41
ubottuLaunchpad bug 1565985 in cloud-images "vagrant vb ubuntu/xenial64 cannot mount synced folders" [Undecided,New]19:42
OerHeksmikedep333, interesting.19:49
OerHeksdpkg -s virtualbox-guest-utils is missing.. and post #7 about standard ssh keys missing..19:50
OerHeksi am glad about that last part, security wise19:50
mikedep333Yeah. Empirically, the ssh solution is working, but the shared folders are not.19:51
OerHeksnot even after manual install, like post #5?19:52
mikedep333it looks like someone builds the virtualbox kernel modules without the package being installed19:52
OerHeksjups19:52
OerHekscorporate19:52
mikedep333the other virtualbox packages are not installed either19:52
OerHeksis it fixed in v20160518.0.0 (last release 2 hours ago) ?? https://atlas.hashicorp.com/ubuntu/19:53
mikedep333So I should use those images rather than the ones on http://cloud-images.ubuntu.com/ ?19:53
OerHeksthose are the same, see the last comment.19:54
mikedep333ok19:54
mikedep333I'll try them out, thanks19:55
=== Boltermor is now known as Guest13746
davethenoobhello again. thanks for help earlier22:00
davethenoobI have opted for local home server with computer running ubuntu server. I now just have a pptp port open so i can vpn into home network and upload any new photos to my owncloud22:02
davethenoobare there any security measures to put in place when taking this route at all please?22:02
sdezieldavethenoob: pptp is known insecure22:03
sdezieldavethenoob: for alternatives you could check out OpenVPN or some IPsec implementations22:03
davethenoobumm. is it easy to swap?22:04
davethenoobI am a complete noob to server stuff. I'm just learning the ropes. I'm a php dev by trade22:04
davethenoobwhich do you suggest between the two?22:04
sdezieldavethenoob: OpenVPN as you'll be able to reuse the pptp port (TCP/1723)22:05
Slingdavethenoob: why not just use SSH to manage the server?22:05
sdezieldavethenoob: this will save you a trip to your router's config22:05
davethenooball i need it for is to access music on my subsonic, or photos on owncloud, both through android apps pointing to 192.168.x.x22:06
davethenoobI just want a vpn to access it outside22:06
sdezieldavethenoob: OpenVPN is available on Android as well22:07
davethenoobsdeziel so i just apt-get install the openvpn, disable pptp and enable openvpn?22:07
sdezieldavethenoob: that's a good starting point. Then you'll want to head to https://openvpn.net/index.php/open-source/documentation/howto.html for the configuration22:09
sdezieldavethenoob: you can also take a look at https://help.ubuntu.com/community/OpenVPN but I'd recommend to avoid bridged VPN (tap), prefer the tun/routed style22:10
davethenoobhttps://help.ubuntu.com/16.04/serverguide/openvpn.html22:12
davethenoob?22:12
sdezieldavethenoob: that's actually an excellent guide22:13
davethenoobdarn it22:14
davethenoobjust realized i'm using my raspberry pi as vpn server22:14
sdezieldavethenoob: I have to go. Good luck with the VPN22:17
Baeanyone here good with the apparmor?22:45
sarnoldhi Bae, what's up?22:45
Baehey sarnold. glad i found someone who uses the project. i have a question about it. when i installed it and set it enabled what i saw was that it creates profiles for every bin/ binary out there. that means it creates some for ping etc. all that jazz. my question was about the default state of such bin files in the context of apparmor. as in, are they all set BY DEFAULT to inherit permissions/rules from its parent (calling process?) ?22:49
sarnoldBae: it depends upon the profile of the calling process. If the calling process is unconfined, then the "attachment specification" at the start of the profile says which programs to confine and with which profile22:50
Baean example of this would be. say i made a nodejs file that calls the ping binary. would the ping binary BY DEFAULT (right after installing apparmor) be set to inherit apparmor permissions from the parent? as in if the parent is not allowed to access the network the ping service would be denied by apparmor?22:50
sarnoldBae: does your nodejs program run confined or unconfined?22:51
Baesarnold, confined. and that will be enforced22:51
sarnoldBae: if you want to allow ping to run as expected, you could use /bin/ping Px,   rules in the nodejs program's profile22:52
Baesarnold, a better example i thought up right now would be something like say, if my nodejs profile is not allowed to edit a file in directory say /home/someone/blockedDir/. i would add deny rules in the nodejs profile. cool. but what if nodejs calls another process to run (another binary) that is set to access that very folder? i want to make sure that that child process binary cannot also access that particular folder ONLY if nodejs calls it22:53
sarnoldBae: if you want to forbid ping's networking but still let it be run (for whatever reason...) you could use /bin/ping Cx -> ping,  rule, then add a "child profile", something like "profile ping { ... }"  to your nodejs profile..22:54
BaeOH i see what you mean sarnold. so that means i could leave the ping binary as is. and then in the node js {} i add a nest that shows the binary for ping {} that disallows it. cool.22:55
Baeshows the rules for ping {}*22:56
sarnoldBae: you could also use 'ix' rules instead of 'cx' -- then they'd run with the same privileges. But I like to encourage Cx where practical, since it can often be a drastic reduction in what privileges are allowed where22:56
Baei should say22:56
Baesarnold, if i were to use ix (inherit right? ) i would have to set ix in the ping binary's profile right ? not in the branched profile of the nodejs one22:57
sarnoldBae: btw, even though apparmor does allow you to write e.g. "allow /home/** r, deny /home/sarnold/** r," it's really best to stick to _whitelisting_ as much as you can. It's often possible to construct attacks that get at data that is denied via a "deny" rule22:58
Baeyeah that's the plan. the deny thing was an example. my idea is to only whitelist certain directories and functions22:58
sarnoldBae: the nodejs program's profile would use "/bin/ping ix," -- and the global /bin/ping profile is left alone completely22:58
sarnoldBae: okay, good, good :)22:58
Baesarnold, the /bin/ping ix in the nodejs program's profile is not saying "inherit rules from ping" ?22:59
Baebecause i want the ping to inherit from node. not node to inherit from ping22:59
sarnoldBae: correct; it is saying "when executing ping, it inherits this current profile"22:59
Baeok let me do a quick clarification example if u dont mind23:00
sarnoldor, rather, "when a program executing in this profile executes ping, ping inherits this current profile"23:00
BaeAH Yes23:01
Baeok23:01
Baeso in here: http://pastebin.com/ArQFSCeF this is saying. when ping is born from nodejs app. ping inherits from nodejs app. right?23:01
sarnoldBae: ahh, skip the "-> child1," bit when using ix rules23:02
Baethat's from the site lol23:02
Baesorry23:02
sarnoldBae: it is? can you link me? :)23:02
Baemaybe they did it for clarifications but here: so sarnold to ensure maximum security23:03
Baeugh23:03
Baehttp://wiki.apparmor.net/index.php/QuickProfileLanguage23:03
Baeso sarnold to ensure maximum security what i could do then is in the nodejs app i could put all the names of binaries that are profiled and tell them all to inherit rules from the nodejs app. in this way, any sort of exploit into the nodejs children processes would be thwarted. what do you think about it ?23:05
sarnoldBae: you should only need to add 'ix' rules for programs that your nodejs program actually executes23:05
Baesarnold, so what is best way to see what programs nodejs executes? or rather, apparmor detects that the nodejs program executes ?23:06
sarnoldBae: if it only ever calls awk and sed, for example, you could just add /usr/bin/awk ix, /bin/sed ix, and be done :)23:06
sarnoldBae: aa-logprof should prompt you for them, but.. that family of tools is cranky. please file bugs as you find them. :)23:06
Baeoh ok23:06
Baeyeah i was thinking of something like valgrind that shows all the processes as you run it23:07
Baebut in apparmor :p23:07
sarnoldBae: you'll find them in the logs: apparmor="DENIED" operation="exec" profile="/tmp/bash" name="/tmp/ls" pid=21726 comm="bash" requested_mask="x" denied_mask="x" fsuid=0 ouid=023:07
sarnoldor apparmor="ALLOWED" if you're running the profile in learning mode, of course23:08
Baeso the best way for me to proceed right now to ID these processes first would be to run it in permissive mode and generate logs and unit test the full app23:09
Baethen grep those logs for all the processes generated. then add those in the nodejs app profile in apparmor with the ix23:09
sarnoldyou ought to be able to get apparmor to report all execs using something like (UNTESTED): "/tmp/bash { file, audit /** ix, }"   :)23:09
Baeto make sure that all the processes nodejs can ever generate, will be inheriting rules from the original one :)23:09
Baeah thank you so much sarnold you are very helpful :D23:10
sarnoldBae: the aa-genprof tool should step you through those steps :)23:10
Baeyeah i did that lol. it just generates a boilerplate23:10
Baei want something i can look through. that i can see those logs and see exactly what file is called and where23:11
sarnoldaha then you sound like you -do- want to do things by hand. :)23:11
stonedHello, I'm having trouble finding the xdebug config file in ubuntu server23:11
Baei do yes sarnold23:11
Baeanyway i will be saving this conversation23:11
Baei don't mind getting my hands dirty23:11
sarnoldBae: there's also #apparmor on irc.oftc.net in case there's no one around here who can help23:13
Baeoh i did not know that! thanks so much :)23:15
sarnoldsure thing :) have fun :)23:15
Baeyeah sarnold thank you so much for all your help23:15

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!