/srv/irclogs.ubuntu.com/2016/10/06/#ubuntu-server.txt

[02:16] <ndboost> hey anyone on to help with a iptables /aws s3 question?
[02:16] <ndboost> http://serverfault.com/questions/807122/what-rules-am-i-missing-for-aws-s3-allow-via-iptables?noredirect=1#comment1024903_807122
[02:18] <sarnold> ndboost: are you confident your AWS security groups are configured correctly?
[02:18] <ndboost> yes
[02:18] <ndboost> without the iptables enabled i get straight in
[02:18] <ndboost> without, i dont
[02:19] <ndboost> er with i dont
[02:19] <sarnold> aha
[02:19] <sarnold> can you add relevant -jLOG or something entries to your iptables?
[02:19] <ndboost> sure
[02:20] <ndboost> one sec
[02:21] <ndboost> viovim for which rules?
[02:25] <sarnold> hehe, I was thinking nearly everything :)
[02:26] <ndboost> lol what does LOG do?
[02:26] <ndboost> tells me its invalid
[02:26] <sarnold> I'm hoping it'd tell you what you still need to allow..
[02:26] <ndboost> iptables-restore v1.6.0: Bad ctstate "LOG,NEW,ESTABLISHED"
[02:26] <ndboost> Error occurred at line: 36
[02:26] <ndboost> i think its DNS
[02:27] <ndboost> hoping thats it
[02:27] <patdk-lap> dns?
[02:27] <patdk-lap> dns should have nothing to do with iptables
[02:27] <ndboost> yeah cant resolve the DNS
[02:27] <ndboost> so s3 bombs out
[02:27] <ndboost> i noticed with the rules in place i cant dig some domains
[02:27] <ndboost> but wget works for google.com
[02:28] <patdk-lap> you have no rules to allow dns
[02:28] <patdk-lap> that is a crazy ruleset
[02:28] <ndboost> lol i know it is
[02:28] <ndboost> who needs DNS :P
[02:29] <sarnold> there's not even four billion IPs to remember, all shorter than 32 bits. piece of cake. :)
[02:29] <patdk-lap> I totally don't understand the -A OUTPUT --sport -m conntrack rules
[02:30] <ndboost> allowing 80/443/22
[02:30] <ndboost> web server running
[02:30] <patdk-lap> those don't allow that
[02:30] <patdk-lap> that is what the INPUT rules did
[02:30] <ndboost> poh derp lol
[02:31] <ndboost> i put those in late last night for a hope
[02:31] <ndboost> lol
[02:31] <patdk-lap> personally, I would highly recommend you don't do iptables raw like that
[02:31] <patdk-lap> use ufw, shorewall, ....
[02:31] <patdk-lap> to build a sane ruleset
[02:33] <patdk-lap> actually, this is on aws
[02:33] <patdk-lap> why bother with iptables at all?
[02:33] <patdk-lap> the security groups do a much better job
[02:33] <ndboost> no its not aws
[02:33] <ndboost> s3 is
[02:33] <ndboost> this is on DigitalOcean
[02:33] <ndboost> :P
[02:33] <patdk-lap> ah
[02:34] <patdk-lap> you only need port 443 tcp for s3
[02:34] <patdk-lap> and working dns
[02:35] <patdk-lap> and those fun, -A INPUT --sport xxxx rules are a huge security hole
[02:35] <ndboost> ill use ufw lol
[02:35] <patdk-lap> those two rules will let me completely bypass your whole firewall, except for mysql access
[02:37] <ndboost> lol
[02:37] <sarnold> patdk-lap: how's that work?
[02:37] <patdk-lap> heh?
[02:38] <patdk-lap> I make a tcp connection from my port 10011, and to any dport I want on his side
[02:38] <ndboost> ufw is a lot easier
[02:38] <sarnold> patdk-lap: but why 'except for mysql'?
[02:38] <patdk-lap> it's excepted, except for port 3306 that is reject above
[02:38] <patdk-lap> cause there is only one reject rule before it
[02:38] <sarnold> thanks :)
[02:41] <patdk-lap> that ruleset so wants to be stateful, but isn't
[03:10] <ndboost> moving to ufw fixed my issue
[03:10] <ndboost> thanks
[03:11] <sarnold> excellent :)
[03:14] <ndboost> too many damn stupid rules lol
[03:15] <ndboost> ufw was way simpler
=== Mobutils_ is now known as Mobutils
[05:29] <northcode> Hey guys
[05:30] <northcode> has anyone had problems installing/upgrading mariadb-server on ubuntu 16.04 lately?
[05:30] <northcode> I just upgraded my packages today and mariadb-server-10 "fails" to install, in that it still runs fine but the post-install script fails, so apt thinks its broken
[05:31] <northcode> and there also seems to be a dep-error with mariadb-server and mariadb-server-10
=== Tarius- is now known as Tarius
[06:56] <sarnold> northcode: please file bugs, the community maintainer for mariadb cares :)
[07:11] <cpaelzer> jamespage: hi, the current openvswitch upload is blocked by a fail in the neutron autopkgtest which can't be due to the changes that got uploaded
[07:11] <cpaelzer> jamespage: yesterday coreycb mentioned a timing based issue on autopkgtests which could be just that
[07:12] <cpaelzer> jamespage: coreycb: the log is this https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-yakkety/yakkety/s390x/n/neutron/20161006_055450@/log.gz
[07:12] <cpaelzer> jamespage: coreycb: I already retried it once, but I don't want to buzz the retry button over and over
[07:12] <cpaelzer> jamespage: coreycb: could one of you confirm this is the same issue and in case yes let me know how you resolved it on your end?
[07:47] <jamespage> cpaelzer, did I just see ovs pass to updates?
[07:52] <cpaelzer> jamespage: checking ...
[07:53] <cpaelzer> jamespage: well yes, something/somebody changed it to ignored failure
[07:53] <jamespage> cpaelzer, hmm
[07:53] <cpaelzer> it is still visible in http://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html
[07:53] <jamespage> tbh that's not one that's raced in the past
[07:53] <jamespage> so a bit worried about that
[07:53] <cpaelzer> that is why I'm asking around
[07:54] <cpaelzer> I downloaded the artifacts but they are totally useless
[07:54] <cpaelzer> a full journalctl output as artifact might have helped
[07:55] <cpaelzer> jamespage: but you must admit that changing a readme and a conffile comment can't trigger a failure :-)
[07:55] <cpaelzer> jamespage: so I wonder what caused this now
[07:57] <jamespage> cpaelzer, something s390x ish
[07:58] <cpaelzer> jamespage: I'll run it on my lpar just to see if I could find more of its status with a shell-fail on the autopkgtest
[07:58] <cpaelzer> jamespage: any more steps that would help reestablishing a good feeling?
[07:59] * cpaelzer urges lpar down? ...
[08:00] * cpaelzer realizes that all the recabling killed the vpn dialin *facepalm*
[08:08] <jamespage> cpaelzer, don't worry too much
[08:09] <cpaelzer> now it is already running :-)
[08:11] <cpaelzer> well my adt does seem to need some special care to take off, so I stop worrying a bit in case that turns out to be too much to get it running
[11:41] <coreycb> jamespage, cpaelzer: the nova autopkgtest s390 error that was surfacing on s390x is fixed by adding sqlite connection strings to nova.conf.  maybe it's a similar issue for neutron.
[11:46] <jamespage> coreycb, neutron uses mysql for autopkgtest so not sure
[11:47] <jamespage> coreycb, anyway - I just tripped on a new neutron problem
[11:49] <jamespage> coreycb, https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/1630968
[11:49] <ubottu> Launchpad bug 1630968 in neutron (Ubuntu) "neutron-openvswitch-agent - error on startup" [Undecided,New]
[11:50] <cpaelzer> I failed to recreate on s390 driving to autopkg issues with pitti
[11:50] <cpaelzer> coreycb: what did you use to recreate yesterday instead?
[11:52] <coreycb> cpaelzer, I used an s390x instance and noticed the service was flopping up and down due to the config error
[11:52] <cpaelzer> s/to/two/
[11:52] <cpaelzer> coreycb: ah ok, so you just ran it as-is and not within a adt environment?
[11:52] <coreycb> cpaelzer, I've also been using this to test autopkgtest fixes in PPAs: https://bileto.ubuntu.com
[11:53] <cpaelzer> I don't have the bileto superpower yet, at least I didn't a few weeks ago
[11:54] <coreycb> cpaelzer, do you have upload rights?
[11:54] <cpaelzer> coreycb: only server-deve
[11:54] <coreycb> cpaelzer, I wonder if xnox can change the perms to allow you to use it
[11:56] <xnox> yo
[11:57] <coreycb> xnox, any chance per package uploaders can get perms to use bileto?
[11:57] <xnox> jamespage, coreycb, cpaelzer: what I have noticed is that upon package installation, the following happens:
[11:57] <xnox> postinst running
[11:57] <xnox> -> service starting, crashing, restarting
[11:57] <xnox> dpkg ends
[11:57] <xnox> check that service is running fails
[11:58] <xnox> -> service manages to start without crashing
[11:58] <xnox> autopkgtest has failed by now
[11:58] <xnox> -> service running fine
[11:59] <xnox> and i changed autopkgtests to loop with a sleep/wait/timeout waiting for things to /eventually/ come up fine. However, imho, dpkg postinst should not return until service is started.
[11:59] <xnox> (as in permanently fails, or after restarts manages to start fully)
[11:59] * xnox wishes openstack service used systemd notify protocol to fully state "yeah, READY=1 for realz now"
[12:00] <coreycb> xnox, thanks for the insight, I was curious more about bileto permissions for per package uploaders. :)
[12:00] <xnox> coreycb, right. I am core-dev and I can do anything in bileto. No idea about others. I think anybody can create ticket, but e.g. a core-dev is still needed if you want to upload raw source packages, rather than use the crazy "release from upstream branch thing"
[12:01] <xnox> coreycb, i'm happy to sponsor any source packages into biletos targeting the archive for you.
[12:01] <xnox> jamespage, coreycb - looking at the bug, note that s390x autopkgtests are done in an LXD container, thus one cannot modprobe packages =/
[12:02] <coreycb> xnox, interesting..
[12:02] <coreycb> xnox, I'm hitting a new nova failure with kvm, I wonder if it's similar and can't modprobe
[12:02] <coreycb> on armh ^
[12:03] <xnox> as in one should probably use $ ! systemd-detect-virt --container && exit 0
[12:03] <xnox> coreycb, i believe autopkgtest runners on armhf & s390x are LXD containers, everything else is KVM virtual machines, and we have no infra for powerpc (old 32 bit big endian)
[12:04] <coreycb> xnox, ok that explains one of my failures!  thanks.
[12:05] <coreycb> xnox, any idea who's in charge of acls for bileto.ubuntu.com?  it'd be useful if per package uploaders like cpaelzer could get full access to debug failures and test fixes in PPAS.
[12:06] <xnox> coreycb, talk to <sil2100> or <robru> or <slangasek> on #ubuntu-devel or some such
[12:06] <coreycb> xnox, will do, thanks
[12:20] <EmilienM> coreycb, jamespage: hello - fyi, neutron/linuxbridge is still broken since last time I reported to you, we're using latest newton, you can see logs if you want to look https://review.openstack.org/#/c/382661/
[12:23] <jamespage> EmilienM, it would appear to be broken in a different way now
[12:23] <jamespage> EmilienM, hmm
[12:24] <cpaelzer> coreycb: thanks for kicking that discussion
[12:49] <BioKey> Hello, I'm currently trying to manage Windows accounts via Ubuntu Server. What are my options here ? Do I have to go with Samba and an AD or is there any other alternatives ? Thanks !
[12:54] <rbasak> You mean you want to manage Windows desktops without a Windows server? Or something else?
[12:55] <BioKey> Absolutely !
[12:56] <BioKey> Something similar to Novell Groupewise. Is this even possible ?
[12:56] <rbasak> I used to do this kind of thing for a living. IMHO, it stopped being worth it. I would consider using (and managing and supporting) a real Windows server as part of the cost of running Windows desktops and do it that way.
[12:57] <rbasak> Samba is the only other thing that I know about that can do it. It's an excellent project and has a very high quality codebase.
[12:57] <rbasak> But for actually running a domain, I'm not sure it's worth it any more. Certainly you'll find it much more of a struggle, and with loss of functionality, compared to just using a Windows server.
[12:59] <BioKey> Thank you for your answer, that's what I feared seeing all the abandoned projects.
[13:01] <BioKey> I'm really new to all this but even file sharing with Samba looks like a pain
[13:05] <rbasak> Plain file sharing is fine with Samba once auth is sorted out.
[13:06] <rbasak> The last time I looked (it's been a while), Samba still integrated with a Windows domain really well, eg. as a domain member, file sharing, even ACLs.
[13:07] <rbasak> There is an impedance mismatch of course, which Samba tackles admirably. But it does necessitate quite some understanding. It is well documented, but expect to do a lot of reading.
[13:08] <rbasak> (understanding of both Unix and Windows models of things)
[13:08] <_Wise_> hi *
[13:08] <BioKey> Indeed ! I think I underestimated that part ;)
[13:09] <_Wise_> I have an armada of Ubuntu Server 14.04 LTS instantiated on Azure, I thought about upgrading them to 16.04 LTS next year
[13:09] <_Wise_> but when I look at this page: https://assets.ubuntu.com/v1/65d114f8-release-chart-desktop.png?w=800
[13:09] <_Wise_> it turns out that 14.04 LTS *HARDWARE* updates stops soon
[13:09] <_Wise_> am I in danger ?
=== catalase- is now known as catalase
[13:10] <rbasak> _Wise_: where was that linked from please, so I have some context?
[13:10] <_Wise_> rbasak: from there: http://www.ubuntu.com/info/release-end-of-life
[13:11] <rbasak> What they mean is new kernels, essentially (X.org stack doesn't matter for server).
[13:11] <_Wise_> for me it's quite obscure what Hardware Update is
[13:13] <rbasak> See https://wiki.ubuntu.com/Kernel/LTSEnablementStack for details, but for cloud instances on Azure, it won't matter.
[13:14] <Ussat> So, ubuntu 16.04 LTS comes with gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.2) , I have a package that requires 4.7 to compile. How backward compatible is gcc5 ?
[13:18] <Ussat> next question would it be possible to install the gcc 4.7 along side 5.0 if I need ?
[13:19] <teward> Ussat: how is the requirement defined?  Exactly 4.7, or 4.7 or higher?
[13:19] <Ussat> To build bcl2fastq2 Conversion Software v2.17, you need the following software.
[13:19] <Ussat> Versions listed are tested and supported; newer versions are untested.
[13:19] <Ussat> } gcc 4.7 (with support for c++11)
[13:19] <Ussat> I wish was higher....
[13:20] <ikonia> does it actually say it will not work with 5.0
[13:20] <Ussat> No, it does not
[13:20] <teward> ^ that (ninja'd)
[13:20] <teward> Ussat: 5.0 might work, I would suggest starting with that first
[13:20] <Ussat> it says untested
[13:20] <teward> before trying to coinstall multiple compilers
[13:20] <ikonia> have you tried it with 5 ?
[13:20] <Ussat> not yet
[13:21] <Ussat> I might just spin up a test VM and test this shit
[13:24] <Ussat> I just hate the way these docs are written
[13:24] <Ussat> my day just got more complicated
[13:24] <ikonia> please don't swear
[13:24] <ikonia> there isn't a need for it
[13:24] <ikonia> you'll find it a lower risk to build with 5 than maintain multiple compilers and linker objects on the same box
[13:25] <Ussat> Oh I totally agree
[13:25] <ikonia> more so when the chances are there is not a 4.7 gcc install package for your ubuntu version
[13:25] <ikonia> so no idea where you expect to get it
[13:25] <Ussat> I am waiting for a tech contact at the company to call me back to ask them some questions
[13:25] <ikonia> why not just try it ?
[13:25] <Ussat> There is a gcc4.7 actually
[13:25] <ikonia> see what happens
[13:25] <ikonia> ahhh so where is 5 coming from then ?
[13:26] <Ussat> on my ubuntu system, but I can get a 4.7 for it also, was just wondering if I could side by side install, just exploring options
[13:26] <Ussat> I like to lay out all my options before jumping into a test
[13:27] <ikonia> how can you get 4.7 for it
[13:27] <ikonia> what version of ubuntu is this ?
[13:28] <Ussat> 16.04 LTS
[13:29] <_Wise_> rbasak: thanks
[13:29] <ikonia> is there a 4.7 package in the 16.04 repo ?
[13:29] <Ussat> yes
[13:30] <Ussat> Like I said, I just like to lay out all my options
[13:30] <Ussat> before I decide which to test
[13:31] <coreycb> EmilienM, I see a lot of ACCESS_REFUSED amqp errors in your logs, do you also get those with ovs?
[13:32] <EmilienM> coreycb: no
[13:34] <zul> coreycb: its out
[13:34] <coreycb> zul, cool want to get started?  let's not release neutron quite yet.
[13:35] <zul> coreycb: sure
[13:35] <coreycb> zul, did you bump tooz yesterday?
[13:35] <zul> coreycb: i didnt...its not bumped in debian
[13:36] <coreycb> zul, yeah they're mostly behind us. I think we should try to get to 1.43.0 since that's what upper constraints is at.
[13:37] <zul> coreycb: ack...
[13:41] <coreycb> EmilienM, seems that your rmq logs also have invalid credentials errors: http://logs.openstack.org/61/382661/1/check/gate-puppet-openstack-integration-4-scenario003-tempest-ubuntu-xenial/1f52421/logs/rabbitmq/rabbit@ubuntu-xenial-osic-cloud1-s3700-4770556.txt.gz
[13:42] <coreycb> not sure if that's a red herring or not
[13:45] <zul> coreycb: taking aodh
[13:46] <coreycb> zul, also hold off on nova. I'm sorting out dep8 failures.
[13:46] <zul> yes master
[13:49] <coreycb> zul, taking cinder
[13:59] <coreycb> zul, taking barbican
[14:00] <epinky> is senderid needed to be configured to send to hotmail? I've got my messages bouncing from hotmail domain
[14:17] <zul> coreycb: aodh uploaded
[14:17] <zul> coreycb: taking glance
[14:19] <coreycb> zul, ack, cinder and barbican uploaded.  want me to grab tooz?
[14:20] <zul> coreycb:yeah go ahead
[14:20] <coreycb> zul, on it
[14:25] <jamespage> frickler, you should get neutron-dynamic-routing for newton
[14:25] <jamespage> frickler, zigo packaged it for Debian (not in freeze) so we should be able to sync it
[14:25] <jamespage> thanks zigo ;)
[14:29] <frickler> jamespage: yep, I'm already testing it, thanks for the headsup. sometimes it is useful to be upstream and operator at the same time ;)
[14:29] <jamespage> frickler, lol
[14:29] <jamespage> frickler, ppa:james-page/newton
[14:34] <zul> coreycb: glance uploaded
[14:35] <zul> coreycb: taking heat...not literally
[14:36] <coreycb> zul, hah, what a comedian
[14:38] <coreycb> zul, taking designate
[14:45] <coreycb> zul, tooz and designate uploaded.  taking horizon.
[14:59] <coreycb> zul, horizon uploaded, taking keystone
[15:00] <zul> coreycb: trying to speed myself up
[15:03] <zul> coreycb: heat uploaded
[15:04] <zul> coreycb: getting manila
[15:06] <coreycb> zul, ack, getting networking-ovn.  keystone uploaded.
[15:13] <frickler> jamespage: I had built my own already, just tested on an allinone deployment, works pretty well.
[15:28] <zul> coreycb:manila uploaded
[15:29] <zul> coreycb: i think we should skip neutron-* since neutron isnt uploaded yet
[15:29] <coreycb> zul, agreed
[15:30] <coreycb> zul, networking-ovn uploaded
[15:30] <zul> coreycb: grabbing trove
[15:47] <zul> coreycb: trove uploaded
[16:03] <zul> coreycb: do you want to handle nova and neutron?
[16:08] <coreycb> zul, sure, thanks for the help!
=== alexisb is now known as alexisb-afk
=== degorenko is now known as _degorenko|afk
[18:02] <apb1963> Ubuntu 16.01 My printer is only printing magenta and black.  Any ideas?  HP 1010 inkjet.  hp-toolbox reports ink levels are OK.
[18:08] <PCdude> apb1963: I guess u mean 16.04? I would advise u to go to the "ubuntu" channel
[18:25] <ws2k3> is the network install of ubuntu 12.04 broken?
[18:26] <ws2k3> it refuses to continue after i chosen the repository
[18:33] <sarnold> ws2k3: what error messages do you get?
[18:34] <nacc> ws2k3: i don't think it's 'known broken'
[18:34] <sarnold> apb1963: some advice on debugging printers is at https://wiki.ubuntu.com/DebuggingPrintingProblems
[18:34] <apb1963> sarnold, ty
[18:40] <apb1963> sarnold, sadly... there's only 1 mention of color and it's not the problem I have.  I'm tempted to go get some more ink since it's low to the eye even though it reports OK.  But I hate to spend the money if I'm just going to get more of the same behavior :/
[18:41] <nacc> apb1963: i take it the printer doesn't have a non-OS driven test page mode?
[18:43] <sarnold> be aware that it's easy to spend more on ink debugging an hp printer than it costs to buy a new printer from a different vendor
[18:47] <nacc> heh
[18:47] <apb1963> nacc, I didn't think to look... let me check.
[18:51] <ws2k3> nacc no error message it just hangs after choosing the repository
[19:16] <torak> are private chats logged in freenode? And are they publicly visible?
[19:18] <Pici> torak: If you mean private messages, no. If you mean channels, then its on a channel by channel basis, but its not something that freenode itself provides.
[19:18] <Pici> !logs
[19:18] <ubottu> Official channel logs can be found at https://irclogs.ubuntu.com/ . LoCo channels are now logged there too. Meeting logs from meetingology at http://ubottu.com/meetingology/logs/
[19:18] <sarnold> freenode does not maintain logs of private chats, but you should be aware that contents of chats are available unencrypted in ircd memory, so if you don't trust the network operators or server admins then you should use another layer like OTR or gpg on top to provide end-to-end encryption
[19:18] <Pici> torak: if you need more info, ask #freenode
[19:20] <torak> sarnold: you mean freenode admins by server admins right? Not channel admins?
[19:20] <torak> Pici: thank you i will check that out.
=== alexisb-afk is now known as alexisb
[19:28] <blizzow> Can anyone here explain the reasoning behind setting VHOST_NET_ENABLED=0 in the default kvm virtualization settings?  This article says it's a bad default setting, but I'm assuming ubuntu-server devs have a reason for setting it that way. https://blog.codecentric.de/en/2014/09/openstack-crime-story-solved-tcpdump-sysdig-iostat-episode-3/
[19:30] <sarnold> torak: correct, server admins
[19:44] <rbasak> jgrimm: ^
[19:46] <lunaphyte> hi.  i have a 16.04 computer that includes an nfs mount in fstab.  sometimes, the network sucks, and during boot, the share fails to mount.  there is a long, long, timeout when this happens.  how can i change this timeout?
[19:50] <jgrimm> rbasak:  rharper, cpaelzer possibly
[20:24] <PCdude> hi all :)
=== rcj` is now known as rcj
=== rcj is now known as Guest46240
=== Guest46240 is now known as rcj
[20:49] <shamurai> Is Conjure-up the preferred method for deploying single node openstack?
[20:53] <stokachu> shamurai: yes
[20:54] <shamurai> stokachu: Thanks, so many different methods...
[20:55] <stokachu> shamurai: well it's conjure-up for xenial and above from here on out
[20:55] <stokachu> shamurai: trusty is still openstack-installer
[20:55] <stokachu> shamurai: and trusty only allows installing autopilot
[20:56] <shamurai> stokachu: Hardware requirements are still a bit steep. Does conjure-up allow for deploying just swift?
[20:56] <stokachu> shamurai: no
[20:56] <stokachu> you are deploying OpenStack to a single machine, the hardware requirements are pretty reasonable for that
[20:58] <shamurai> stokachu: Well I'm really just trying to test swift, was thinking about using it with Backup Exec S3 Cloud Connector and the swift3 api
[20:59] <stokachu> shamurai: feel free to fork and modify https://github.com/conjure-up/spells/tree/master/openstack-novalxd
[20:59] <stokachu> you can update the bundle and deploy with conjure-up
[21:02] <shamurai> stokachu: thanks
[21:04] <PCdude> hi all
[21:05] <PCdude> I have a couple of questions about openstack on ubuntu
[21:05] <PCdude> I have put them in a askubuntu question
[21:05] <PCdude> http://askubuntu.com/questions/832736/openstack-with-autopilot-some-networking-clear-up
[21:05] <stokachu> PCdude: add the autopilot tag so the landscape guys will see it
[21:07] <stokachu> PCdude: sorry openstack-autopilot
[21:07] <PCdude> stokachu: done
[21:08] <stokachu> PCdude: to answer your first question you can do 'JUJU_BOOTSTRAP_TO=host.maas sudo -E openstack-install'
[21:10] <PCdude> stokachu: thanks awesome, I think the best way is to add an answer and slowly add the pieces in there when all are answered?
[21:17] <blizzow> I am setting an ubuntu-server and I want to do some disk modifications before the partitioner starts up.  Is there a way to use parted from the console that activates if I press ctrl+alt+f2?
[21:40] <nacc> blizzow: what kind of modifications?
[21:51] <tarpman> blizzow: anna-install parted-udeb
