/srv/irclogs.ubuntu.com/2016/11/17/#ubuntu-server.txt

[00:02] <sarnold> engineer-pearl: the Digital Ocean guides are probably a better starting point, see e.g. https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04 or https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
[00:02] <sarnold> engineer-pearl: or https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
[00:02] <sarnold> etc
[00:03] <sarnold> they've got a lot of useful things :)
[00:08] <engineer-pearl> Ooop I think that did it
[00:09] <engineer-pearl> Thank you, and since I've got you here, may I ask you a question (since I'm on a time crunch unfortunately, I thought I had til the third, I have til tomorrow)
[00:10] <engineer-pearl> do I need to set the servername in the secure connection area or can I leave that be?
[00:10] <engineer-pearl> I'd do a proper test and find out but I have to wait for the ports.
[00:13] <sarnold> I don't know details of actual software, but I do know that SNI from clients means servers typically have to know their name, so they can hand out the proper certificate when clients request it
[00:34] <RoyK> engineer-pearl: let's encrypt just makes the day :)
[00:34] <engineer-pearl> ?
[00:34] <RoyK> well, it just works
[00:34] <RoyK> and configures apache for you during installation and all
[00:35] <RoyK> usually quite worry-free
[00:35] <engineer-pearl> I didn't realize that getting an ERROR MESSAGE (the ultimate goal, actually) would be this complicated
[00:38] <engineer-pearl> okay so is this "let's encrypt" a command line thing or a gui thing?
[00:38] <tarpman> engineer-pearl: https://letsencrypt.org/getting-started/
[00:39] <engineer-pearl> oh, just certificates. :/
[00:39] <engineer-pearl> not an accurate face.
[00:40] <sarnold> their 'standard client' does a bunch of configuration stuff too, no?
[00:40] <sarnold> hence the huge proliferation of other tools that do fewer things
[00:42] <engineer-pearl> @tarpman I think you found a "getting lost" page then...
[00:44] <engineer-pearl> I have the certificate ready. At this point I just need to get the port to listen, which will provide me with the information that my certificate is not signed by a trusted third party (my goal. I know that seems odd.)
[00:44] <fyrril> any reason on a fresh install, I get a black screen on a connected display.. but I can SSH into the server just fine?
[00:44] <ikonia> I'm struggling to see where this becomes an ubuntu problem ?
[00:45] <engineer-pearl> @ikonia I had a problem and had to guess where to go.
[00:45] <sarnold> fyrril: look around for something like a kernel command line parameter "nomodeset", I have a vague feeling that's helped (or hurt) other people...
[00:45] <ikonia> again - how is this anything to do with ubuntu ?
[00:46] <sarnold> ikonia: meh there's nothing wrong with asking how to configure apache to do tls..
[00:46] <sarnold> if you follow any old guide out there you'll wind up re-writing half your apache config for no reason
[00:46] <ikonia> sarnold: I don't think there is any problem with asking how to configure apache in ubuntu, but it seems to have gone beyond that now
[00:46] <fyrril> sarnold, you're referring to google correct?
[00:47] <sarnold> fyrril: or kernel Documentation/ directory, I'm not sure where to suggest first, I've been lucky so far and not seen this :)
[00:48] <fyrril> just making sure you meant the internet before I spent 20 minutes looking through files in the CLI :D
[00:48] <sarnold> :)
[00:48] <fyrril> cheers
[00:50] <engineer-pearl> Okay, so here's something that's not unusual for me - I have a message saying something is already using 443, yet I can't identify anything that is using it, not with netstat, not with my browser, not at all
[00:51] <engineer-pearl> Netstat also doesn't show anything on 80, but I can connect to 80 on my browser.
[00:52] <ikonia> engineer-pearl: what netstat command are you using
[00:52] <ikonia> (maybe pastebin the output)
[00:55] <engineer-pearl> This is just "sudo netstat" http://paste.ubuntu.com/23488122/ cause "sudo netstat | grep 80" has no output
[00:55] <ikonia> ughh
[00:55] <ikonia> 80 won't show up anything
[00:55] <sarnold> netstat without arguments doesn't show listening sockets, just connected sockets
[00:56] <ikonia> try netstat -a | grep LIST for example
[00:56] <sarnold> try netstat -an
[00:56] <ikonia> I'd strongly suggest you read man pages on commands before blindly typing them, and before using them to evaluate situations
[00:56] <ikonia> (unless you know the flags to use)
[00:57] <tarpman> and keeping in mind that netstat on linux is different from netstat on e.g. windows or bsd
[00:57] <engineer-pearl> well it being different from windows would explain why it didn't work even though I took it right off the internet (
[00:58] <ikonia> "took it right off the internet" ?
[00:58] <engineer-pearl> ((to be fair I've tried to use it before but))
[00:58] <tarpman> the internet is, as a rule, untrustworthy
[00:58] <ikonia> man netstat
[00:58] <tarpman> ^
[00:58] <ikonia> shows you all the flags and what it does
[00:58] <ikonia> rather than just typing in blind
[00:59] <engineer-pearl> I've tried to use that but I find the helps more helpful
[00:59] <ikonia> "the helps" ?
[00:59] <sarnold> ?
[00:59] <engineer-pearl> like help [command] or command --help
[01:00] <ikonia> but that gives you incomplete info
[01:00] <ikonia> as you can see with netstat
[01:00] <ikonia> it's a useful tool if you know how to use the command
[01:01] <engineer-pearl> "sudo netstat -pa | grep 80" and "sudo netstat -pal | grep 80" still don't show it???
[01:02] <ikonia> engineer-pearl: why are you doing "pa"
[01:02] <ikonia> you were given 2 examples
[01:02] <engineer-pearl> I tried those too
[01:02] <ikonia> and 80 won't show up if you're using service name mapping
[01:02] <ikonia> engineer-pearl: pastebin netstat -a | grep LIST
[01:02] <fyrril> sarnold, all squared thanks. GRUB_CMDLINE_LINUX_DEFAULT="quiet splash" to ""
[01:02] <sarnold> fyrril: -that- fixed it?? odd.
[01:02] <sarnold> fyrril: thanks for reporting back :) it's always nice to know what works
[01:02] <fyrril> first thing I found said to add nomodeset to the quiet splash, but same problem.. second thing I found said to remove it all /shrug
[01:02] <fyrril> no sweat, it's a thankless job I'm sure.
[01:02] <sarnold> 'quiet splash' is a funny setting on a server anyway, hehe
[01:02] * tarpman likes 'netstat -nltp'
[01:03] <tarpman> sarnold: not sure if it's still the case, but wasn't 'splash' necessary in the past to get plymouth activated?
[01:03] <engineer-pearl> http://paste.ubuntu.com/23488146/
[01:03] <sarnold> tarpman: yeah but why bother with that either? heh
[01:03] <tarpman> sarnold: message demultiplexing, of course :)
[01:04] <ikonia> engineer-pearl: grep git /etc/services
[01:05] <tarpman> sarnold: don't tell me you haven't read http://web.dodds.net/~vorlon/wiki/blog/Plymouth_is_not_a_bootsplash/ years ago ;)
[01:05] <sarnold> tarpman: never seen that :)
[01:07] <engineer-pearl> Here's just with "netstat -a | grep git" http://paste.ubuntu.com/23488154/
[01:07] <ikonia> engineer-pearl: what is the point in that ?
[01:07] <engineer-pearl> I can also grab ls /etc/services if that was what you were after
[01:07] <engineer-pearl> I don't know you asked for something weird
[01:07] <ikonia> I asked clearly for "grep git /etc/services"
[01:07] <sarnold> engineer-pearl: the point of ikonia's question was to find out what _number_ "ssh" means :)
[01:08] <ikonia> (what git actually meant if it was really the git service or if it was git omnibus installer updating /etc/services for git to have the web server running)
[01:08] <sarnold> engineer-pearl: maybe it means 80, in which case you find out why you can't bind a web server :) maybe it means 443 which would explain why your web server couldn't offer https....
[01:08] <ikonia> there is a ton of docs about using the omnibus installer ONLY on a machine, nothing else
[01:09] <engineer-pearl> http://paste.ubuntu.com/23488162/
[01:09] <ikonia> so according to that, port 9418 should be open
[01:09] <ikonia> I bet it's not
[01:09] <engineer-pearl> Here's the thing though - I CAN access my server from my machine (ethernet only atm but that should get fixed tonight)
[01:10] <ikonia> get that fixed ?
[01:10] <engineer-pearl> oh wait I missed the second part sorry
[01:10] <ikonia> what's the problem with that, that sounds like a good thing
[01:10] <engineer-pearl> 9418?
[01:11] <engineer-pearl> I thought I was supposed to be binding it to 443?
[01:11] <ikonia> engineer-pearl: have you installed git via the omnibus installer
[01:12] <engineer-pearl> uhhhhhhhh I installed git a long time ago if it wasn't installed by default
[01:12] <sarnold> tarpman: thanks, that was fun reading
[01:12] <ikonia> why would it be installed by default ?
[01:12] <ikonia> no OS installs git by default
[01:12] <engineer-pearl> I don't remember! I've had the machine for a while
[01:12] <ikonia> define a while
[01:12] <ikonia> months, years, 10 years,
[01:12] <engineer-pearl> software? Somewhere between months and a couple of years
[01:13] <ikonia> what is your machines local IP address
[01:13] <engineer-pearl> .30
[01:13] <tarpman> sarnold: great, this has been my https://xkcd.com/1053/ moment for today :)
[01:13] <ikonia> engineer-pearl: .30 is not an IP address
[01:13] <ikonia> what is your machines local ip address
[01:14] <engineer-pearl> 192.168.1.30 I think is the one you are asking for
[01:14] <ikonia> is there more than 1 ?
[01:14] <ikonia> one even
[01:14] <sarnold> tarpman: haha, that's great. I've also not seen -that- one before today either. heh.
[01:14] <tarpman> !!
[01:14] <sarnold> tarpman: twice in one day :) not bad
[01:14] <engineer-pearl> There should only be one with that IP, but there are several devices on the network
[01:14] <tarpman> I can basically just go to bed now
[01:15] <ikonia> engineer-pearl: ??? do you understand basic networking ?
[01:15] <sarnold> tarpman: hehehe :D I endorse this idea!
[01:15] <ikonia> (please be honest)
[01:15] <engineer-pearl> "is there more than 1" leaves me to guess what you are asking for
[01:15] <ikonia> I'm asking if that device has more than one IP address
[01:15] <ikonia> I'm asking if you understand network as you seem to think it's possible for more than one machine to have the same IP
[01:16] <ikonia> as you said "I think 192.168.1.30 is the one you want"
[01:16] <ikonia> suggesting there is more than one on that machine
[01:16] <engineer-pearl> more than one IP address maybe? whenever I type in IP addr I seem to get a lot more info than the tutorials suggest I should.
[01:16] <ikonia> do you understand basic networking ?
[01:16] <ikonia> again please be honest
[01:17] <engineer-pearl> I don't understand your question so probably not too well?
[01:18] <ikonia> what IP address is this host running git on the network with
[01:18] <engineer-pearl> nothing should be running git. It should be there but not anything else?
[01:19] <ikonia> what ???
[01:19] <ikonia> you've just shown me a box running git
[01:19] <ikonia> you said you installed it a long time ago
[01:19] <sarnold> for what it's worth this "what port is :git" and "what IP address is the service bound to" are the reasons why I use netstat's -n flag -- names get in the way, but you know where you stand with IP addresses and port numbers.
[01:19] <ikonia> I ask which box is running git and you say "nothing should be running git"
[01:19] <ikonia> sarnold: agreed
[01:19] <engineer-pearl> well here's the thing, I have only ever used git to connect out, never connect in
[01:19] <engineer-pearl> github hosts some good minetest mods
[01:20] <ikonia> engineer-pearl: ok - so you have not actually installed a git service
[01:20] <ikonia> you've just installed the git client
[01:20] <ikonia> so what is the IP of the host you are having the problem with
[01:21] <engineer-pearl> I may have installed all of git trying to get the parts that I want but I don't really remember, hold on I think I have something holding the record
[01:21] <ikonia> it doesn't matter
[01:21] <engineer-pearl> okay
[01:21] <ikonia> just run "telnet $host_ip 80" from your work station
[01:21] <ikonia> what do you get back
[01:22] <engineer-pearl> does doing it from ssh provide expected behavior? I got an error
[01:22] <ikonia> what do you mean, doing it from ssh
[01:22] <engineer-pearl> Trying 0.0.0.80...
[01:22] <engineer-pearl> telnet: Unable to connect to remote host: Invalid argument
[01:22] <engineer-pearl> well that looks like an IP address
[01:23] <ikonia> what is that IP ?
[01:23] <ikonia> it's not even valid
[01:23] <ikonia> and if you think that's a valid IP address, stop what you are doing now
[01:23] <engineer-pearl> That's the output of the command you sent me!
[01:23] <ikonia> no it's not
[01:23] <engineer-pearl> I know it wasn't alid
[01:23] <ikonia> you can't really think your hosts IP is 0.0.0
[01:23] <engineer-pearl> *valid
[01:23] <engineer-pearl> Just that it followed the form
[01:23] <ikonia> followed the form ?
[01:23] <ikonia> what are you talking about
[01:23] <ikonia> what was the EXACT command you typed
[01:23] <ikonia> and I do mean exact
[01:23] <engineer-pearl> number.number.number.number
[01:24] <engineer-pearl> yeah, I copied and pasted it.
[01:24] <ikonia> what was the EXACT command you typed
[01:24] <tarpman> engineer-pearl: you can't just make up random numbers and expect the result to be useful...
[01:24] <sarnold> did you replace $host_ip with the host's IP? or .. include the variable as-is? :)
[01:25] <tarpman> sarnold: great point -- 'telnet 80' does exactly that
[01:25] <engineer-pearl> you know like 192.168.1.1, 192.168.1.30, 127.0.0.1, all of them follow the same format. So did 0.0.0.80, even if it was nothing.
[01:25] <ikonia> what was the EXACT command you typed
[01:25] <sarnold> $ telnet 80
[01:25] <sarnold> Trying 0.0.0.80...
[01:25] <sarnold> W.T.F.
[01:25] <engineer-pearl> "telnet $host_ip 80"
[01:25] <ikonia> ok
[01:25] <tarpman> it's a standard - if obscure - shorthand
[01:26] <ikonia> so I'm sad to say I think you are running before walking
[01:26] <sarnold> it's a -stupid- shorthand :)
[01:26] <ikonia> what you are trying to do is outside of your skill level at this time
[01:26] <tarpman> sarnold: telnet 127.1
[01:26] <tarpman> :)
[01:26] <ikonia> and I don't believe you are at a level where you can actually provide debugging
[01:26] <engineer-pearl> well the alternative is to try to find a safe site with an invalid certificate
[01:26] <sarnold> tarpman: #3
[01:26] <engineer-pearl> which uh... I doubt I'm going to find
[01:27] <sarnold> tarpman: seriously. I've been doing tcp/ip networking for >20 years and never seen this.
[01:27] <ikonia> engineer-pearl: what are you actually trying to achieve
[01:29] <engineer-pearl> You know the message you get when you go to a bad site and your browser alerts you that something is wrong?
[01:29] <engineer-pearl> and it even gives more information if you tell it to?
[01:29] <engineer-pearl> Well I have a presentation tomorrow on internet safety, and I figured that would be an EXCELLENT thing to use
[01:29] <engineer-pearl> Thing is, you have to actually get one.
[01:29] <engineer-pearl> Well I got a tip that if the certificate is self-signed, then you get that message. This means I could get it and explain it without attempting to navigate to a site that isn't okay
[01:29] <engineer-pearl> I've got the certificate ready
[01:29] <ikonia> engineer-pearl: do you understand the irony
[01:29] <ikonia> you don't really understand how this works but you're giving a presentation
[01:30] <engineer-pearl> well I don't need to explain the server side
[01:30] <engineer-pearl> I was just trying to simulate the user side
[01:30] <ikonia> https://badssl.com
[01:30] <ikonia> first hit on google
[01:30] <ikonia> shows all the examples of bad SSL configs
[01:30] <sarnold> heck if all you wanted was a self-signed certificate you could grab any old consumer router, they all fire up a server on 192.168.0.1 or 192.168.1.1 with a self-signed certificate ....
[01:31] <sarnold> ikonia: how come I can never remember this site when I want it?? I spent five minutes googling for it.
[01:31] <ikonia> sarnold: I always forget it too
[01:32] <sarnold> the closest I could find is https://revoked.grc.com/ which is .. half-way there. but not.
[01:34] <engineer-pearl> nooo that's not the one noooooo ah poop.
[01:34] <engineer-pearl> so that wasn't going to get me the one I'm after
[01:35] <sarnold> it's got a self-signed cert right here: https://self-signed.badssl.com/
[01:35] <ikonia> so you don't really even know what you're after
[01:35] <ikonia> I think this is now well outside the scope of this channel
[01:35] <engineer-pearl> yes but that wasn't the message I was after, I got a bad tip
[01:35] <ikonia> I think you are looking for an untrusted site
[01:35] <ikonia> that has been flagged in the common database as "untrusted"
[01:35] <ikonia> not an untrusted SSL
[01:36] <engineer-pearl> Oh. That would have been good info this morning, but that sounds exactly what I am looking for!
[01:37] <sarnold> aha; try searching for "adobe photoshop" or "microsoft office" and click the first thing that looks like a malware installation page that pretends to be a download page. That'll either exploit your browser or show you the dialog you want. :D
[02:18] <NOVAtechies> exit
=== iberezovskiy|off is now known as iberezovskiy
=== amoralej|off is now known as amoralej
[11:31] <ws2k3> nice ubuntu 12.04 mini install is still broken
[11:40] <ikonia> in what way broken ?
[11:51] <jonah> hi is anyone any good with samba? I can't connect anymore to my samba share with a desktop client. It previously worked but now the client just gives timeout on server... any help appreciated. I've tried with firewall off and the IP is in my hosts allow list in the smb.cnf but still not working...
[12:07] <ikonia> can you telnet to the port
[12:07] <ikonia> test the port is actually open and responding for you
[12:17] <DK2> ive a failed software raid1 with two disk where the first hdd is broken
[12:18] <DK2> but the system cant boot via the second disk
[12:18] <DK2> does a simple grub install on sdb solve the problem?
[12:33] <ikonia> define cannot boot
[12:33] <ikonia> has no grub - or has grub but won't boot
=== amoralej is now known as amoralej|lunch
=== JanC_ is now known as JanC
=== slick is now known as ande
[14:01] <ddellav> zul coreycb working on heat b1
=== amoralej|lunch is now known as amoralej
[14:02] <zul> pk
[14:18] <ddellav> zul coreycb neutron-fwaas and heat done: lp:~ddellav/ubuntu/+source/neutron-fwaas lp:~ddellav/ubuntu/+source/heat
[14:18] <ddellav> zul coreycb taking keystone b1
=== Slick is now known as shoup
[14:21] <zul> ack
[14:22] <zul> ddellav: ill take nova when im done with this
[14:22] <ddellav> zul ack
=== cpaelzer_ is now known as cpaelzer
[14:33] <jgrimm> caribou, is 1614052 still on your radar?
[14:34] <caribou> LP: #1614052
[14:34] <ubottu> Launchpad bug 1614052 in sosreport (Ubuntu Xenial) "SOSREPORT need to collect OPAL msglog" [High,Confirmed] https://launchpad.net/bugs/1614052
[14:34] <caribou> jgrimm: this is fixed in the latest sosreport as far as I remember
[14:34] <jgrimm> caribou, that's my read, just needs SRUing
[14:34] <ddellav> zul coreycb neutron-lbaas and keystone done lp:~ddellav/ubuntu/+source/keystone lp:~ddellav/ubuntu/+source/neutron-lbaas
[14:35] <caribou> jgrimm: I'm working on pushing the latest sosreport as we speak but just found a last-minute bug while running autopkgtest
[14:35] <caribou> jgrimm: so I just pushed a fix upstream & hopefully will be able to SRU soon
[14:35] <caribou> jgrimm: I'll update the bug
[14:35] <ddellav> zul coreycb i'll take neutron-dynamic-routing
[14:35] <jgrimm> caribou, thanks! would be nice to get that one off the books
[14:41] <ddellav> zul whats the best practice for updating debian packages now that the repo's aren't on alioth?
[14:41] <zul> coreycb: ^^^
[14:41] <zul> ddellav: but https://github.com/coreycb/pkg-scripts
[14:42] <coreycb> ddellav, most of the openstack deps are now on ubuntu-server-dev.  if there's one missing let me know and I can create it.
[14:43] <ddellav> coreycb zul ok thanks
[14:43] <coreycb> ddellav, we still want to submit patches back to debian to minimize our delta though.  you can use submittodebian or you can submit patches using openstack gerrit.
[14:43] <ddellav> coreycb ok
[14:43] <jge> hey all good morning, anyone know why when I run something like 'find / -name file.name' i get a bunch of permission denied messages for a multitude of files when running as root in 16.04?
[14:43] <jge> fresh install
[14:43] <zul> coreycb: it doesnt help that there is no ocata branches yet
[14:46] <coreycb> zul, ddellav, right, i agree.  so maybe just use submittodebian until zigo has branches set up for ocata.
[15:03] <coreycb> ddellav, neutron-lbaas and neutron-fwaas pushed/uploaded
[15:05] <ddellav> coreycb ack
[15:27] <coreycb> ddellav, zul, i wonder if we can just drop keystone.conf.dist and setup-keystone-config.sh and just install the default generated keystone.conf
[15:28] <ddellav> coreycb the keystone.conf in the debian directory is the apache config fyi. The sample that gets installed is in etc/keystone.sample.conf
[15:28] <coreycb> ddellav, right, so debian/keystone.conf is different
[15:28] <ddellav> right
[15:29] <coreycb> ddellav, but the defaults that are generated by the above 2 files, are they neeed?
[15:29] <coreycb> needed
[15:29] <zul> coreycb: we should probably rename it so we dont get confused
[15:30] <ddellav> coreycb i don't know if they are needed. I just took the directives from the sample config and put them in the dist. I imagine it makes it easier to handle config file format changes from upstream to insert the directive values on build
[15:36] <coreycb> ddellav, i think if the service starts with the default config then we don't need to modify it.
[15:37] <coreycb> ddellav, we can probably also drop debian/logging.conf and install etc/logging.conf.sample instead
[15:37] <coreycb> zul, yeah might make sense to rename that
[16:02] <jge> hey all, anyone know where the tomcat8.service file is on ubuntu 16.04 ? nothing inside of /etc/systemd/system/
[16:07] <Seveas> jge: there seems to be no such file (though I checked on 16.10 instead of 16.04)
[16:07] <Seveas> it has an oldfashioned initscript :)
[16:08] <andol> A more general answer: systemctl cat tomcat8.service
=== JanC is now known as Guest90855
=== JanC_ is now known as JanC
[16:10] <jge> Oh ok, I see the init script
[16:12] <jge> thanks guys
[16:16] <jge> Seveas and andol: how could I make it so a variable say, JAVA_OPT  inside an init script points to a file instead of putting it there
=== EnchanterTim is now known as stoned
[16:41] <Seveas> jge: most initscripts source a file from /etc/default, where you can put such things
[16:41] <Seveas> disclaimer: I didn't check the tomcat initscript if it supports this :)
[16:51] <zul> coreycb: ping
[16:51] <zul> coreycb: so we dont have senlin/watcher in ci, maybe we should?
[16:51] <zul> coreycb: just to make sure this is buildable
=== iberezovskiy is now known as iberezovskiy|off
[17:23] <coreycb> zul, they are just synced from debian
[17:23] <zul> coreycb: ok im just concerned that debian is behind again
[17:26] <coreycb> zul, in that regard yes, let's just focus on the core packages for b1 and sync anything from debian once it's available
[17:26] <zul> ok
[17:26] <zul> coreycb: my ocd was kicking in but meh
[18:18] <zul> coreycb: i havent gotten to package installs yet ;)
=== amoralej is now known as amoralej|off
=== alexisb is now known as alexisb-afk
=== alexisb-afk is now known as alexisb
[22:03] <coreycb> ddellav, forgot about keystone for a bit there.. it's pushed/uploaded.  i dropped those couple of files I mentioned earlier and installed logging.conf.sample.
[22:41] <docmur> I have a program I wrote, here is a sample: http://pastebin.com/rQYyCxVX which bootstraps 16.04.1 into a server and then runs an install script to get applications + kernel and then installs grub.  If I run the scripts myself, then chroot into the direct /mnt/destination and execute ./install.sh again, myself, and reboot, it works.  If I just run this program, when I reboot I get a kernel panic
[22:41] <docmur> that it can't find init=, why would this program fail, yet when I run it manually it works :S
[22:43] <sarnold> docmur: yikes, does C# -really- let you pass multiple arguments to a program in one string like that?
[22:43] <docmur> yep
[22:44] <docmur> I'm assuming the problem has to be with chroot /mnt/destination bash install.sh
[22:48] <rattking> docmur: I do things in a very similar way.. but I call it like "chroot /mnt/target /path/to/script.sh"
[22:48] <rattking> script.sh is +x and has bash in the #!
[22:49] <docmur> so does mine, I'm going to remove bash and try it again
[22:49] <sarnold> is there a bash in your chroot?
[22:49] <sarnold> does it have all the libraries it needs to function in the chroot? devices?
[22:50] <rattking> or maybe you need more quoting like "/mnt/destination 'bash install.sh'"
[22:51] <docmur> I can see install.sh execute, it does what I need it to do, so it's running it
[22:52] <rattking> maybe you can make that #! bash -x and send the output to a log
[22:53] <docmur> good idea :)
[22:57] <rattking> I have to take off. good luck
[22:58] <docmur> kk thanks!
