[00:31] <Aison> i'm running two ubuntu servers on two machines. Both systems are NUMA systems
[00:32] <Aison> but on one system, numactl -H shows only one node
[00:32] <Aison> I don't know why....
[00:35] <sarnold> Aison: does your system bios allow disabling it?
[00:37] <Aison> uhm, I have to check.... but I already used the motherboard with the OS that recognizes NUMA. And there it worked
[00:37] <Aison> maybe there was a BIOS reset when I moved the motherboard to the new casing?!?
[00:51] <nacc> Aison: i can try and help you debug if that isn't it, tmrw :)
[00:57] <Aison> nacc, thx, just checking the bios now
[01:19] <Aison> nacc, on boot, the BIOS posts 4 Nodes
[01:19] <Aison> but ubuntu doesn't detect them
[01:20] <sarnold> Aison: is there anything informative in dmesg output?
[01:23] <Aison> that's all: [    0.000000] NUMA: Initialized distance table, cnt=1
[01:23] <Aison> maybe it is some cpu setting in bios that produces that problem
[01:24] <Aison> I don't understand all options, eg. IOMMU
[01:24] <ezethnesthrown> Client: HexChat 2.12.4 • OS: Microsoft Windows 10 Home Single Language (x64) • CPU: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz (2.19GHz) • Memory: 7.8 GiB Total (1.8 GiB Free) • Storage: 483.3 GiB / 807.9 GiB (324.6 GiB Free) • VGA: NVIDIA GeForce GTX 950M, Intel(R) HD Graphics 5500 • Uptime: 4d 14h 6m 10s
[01:25] <sarnold> that's interesting; my laptop spits out: [    0.000000] No NUMA configuration found
[01:25] <sarnold> different from count=1...
[01:26] <Aison> maybe it is worth updating the bios?
[01:46] <nacc> Aison: bios updates may help (the numa table is in the firmware on the mobo)
[01:46] <nacc> Aison: what type of hardware?
[01:46] <nacc> Aison: also, there *might* be BIOS settings that turn a NUMA system into a UMA system for compatibility reasons
[01:48] <nacc> Aison: there will be some more info than that normally
[01:48] <nacc> Aison: i'm eod, but if you can pastebin your dmesg on boot, i can try and look
[01:49] <nacc> Aison: the non-x86 arches have numa debug in the kernel
[01:59] <Aison> bios update helped
[01:59] <sarnold> woot? :)
[02:00] <Aison> but now I get this error with grub:
[02:00] <Aison> grub attempt to read or write outside of disk
[02:00] <Aison> hd0
[02:00] <Aison> when I select the first kernel
[02:00] <Aison> the 2nd and 3rd one works
[02:00] <sarnold> eww
[02:01] <Aison> never ever had such a strange error
[05:50] <LarsErikP> coreycb: thanks for updating me on newton 9.3.x for Xenial!
[06:44] <ezethnesthrown> In smb.conf, where does 'auth methods' sit?
[06:46] <lordievader> Good morning
[06:47] <sarnold>        The letter G in parentheses indicates that a parameter is
[06:47] <sarnold>        specific to the [global] section.
[06:51] <ezethnesthrown> Okay thanks.
[06:52] <ezethnesthrown> [[ sudo ldapmodify -x -D 'cn=config' -W -f config_loglevel.ldif ]] > Enter password > Invalid credentials (49)
[06:52] <ezethnesthrown> [[ sudo ldapwhoami -x -D cn=admin,dc=testserver,dc=ord -W ]] > Enter password > Password is correct
[06:56] <ezethnesthrown> Oh wait, it says no such user in the ldap log
[06:58] <ezethnesthrown> Nevermind, found the solution
[06:58] <sarnold> yay?
[07:09] <ezethnesthrown> I'm currently having a problem with Samba + LDAP. I can't access Samba with 'smbclient' after adding a user with the 'smbldap-useradd' command.
[07:10] <ezethnesthrown> log.openLDAP says > NT_STATUS_ACCESS_DENIED
[08:38] <frickler> could someone take a look at https://bugs.launchpad.net/ubuntu/+source/libguestfs/+bug/1632405 and maybe bump priorities? it's sad to see openstack projects moving from xenial to centos because of this https://review.openstack.org/463677
[10:31] <aaronr> nacc: are you around to help me learn how to create updated packages for Nagios? cpaelzer suggested I pop in here for the bug squashing event
[10:31] <aaronr> bug report is https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768 -- it's patched, I think I just need to get the new packages sorted?
[12:30] <teward> if i need to reach out to landscape support, and all the web methods are dead, how do I go about doing that?
[12:31] <teward> (SalesForce SSO error, or "Connection Reset" to the generic "Contact Canonical" page)
[13:12] <zioproto> coreycb: I guess you are in Boston at the moment
[13:12] <zioproto> coreycb: I rebuilt Horizon for stable/newton and I got into this bug again https://bugs.launchpad.net/horizon/+bug/1643964
[13:12] <Bert_2> Hi, I run a very typical PAM+LDAP setup with posixAccount and shadowAccount, we use shadowExpire to expire accounts that haven't renewed (yet), now I can't seem to find how I can check through CLI whether an account has expired without using ldap_search. I presume there should be some regular or PAM command to do this. Can anyone help me out?
[13:52] <coreycb> zioproto: yes i'm at the summit so hard to dig into much but i think that may occur on newton if you generate new xstatic files
[13:53] <zioproto> how could I reset ?
[13:53] <zioproto> I tried deleting completely /usr/lib/python2.7/dist-packages/horizon/
[13:53] <zioproto> and I deleted also /usr/share/openstack-dashboard/
[13:53] <zioproto> but I am never able to reinstall Horizon
[13:53] <zioproto> this is the staging system, don't panic :)
[13:59] <CarlenWhite> Teasing the idea if I can set up rotating tar backups and use archivemount (in read only) to keep files presented to the user.
[14:01] <CarlenWhite> Incremental rotating backups, sorry.
[14:02] <CarlenWhite> Since tar has it built in from what I'm aware.
[14:03] <CarlenWhite> And I think I can use tarcat on archive.0.gz.tar and archive.1.gz.tar to archive.0.gz.tar, then rename archive.n.gz.tar to shift them back a number before creating archive.x.gz.tar.
[14:04] <CarlenWhite> But how successful and stable that will be is up to debate.
[14:07] <ezethnesthrown> Is 'man slapd.conf' a little out of date? The example at the bottom of the page looks different to my non-existent slapd.conf
[14:14] <ahasenack> ezethnesthrown: A config file called slapd.conf can still be used, that's why the manpage is still there. Doesn't mean it's the default configuration mechanism
[14:14] <ahasenack> (it's not)
[14:14] <ezethnesthrown> Oh, sorry about that.
[14:15] <ezethnesthrown> Thank you
[14:15] <CarlenWhite> Probably not wise of me to use tarcat on a file that I'll be overwriting with new information?
[14:18] <ezethnesthrown> How do I connect to a Samba server with an smbclient using an LDAP user made by smbldap-useradd command?
[14:20] <ahasenack> ezethnesthrown: a good test is smbclient. Use smbclient -L <server> -U <username>
[14:20] <ahasenack> that will prompt for the password, and list all the shares of <server>
[14:32] <ezethnesthrown> I have added an LDAP group to 'valid users' in smb.conf but I still can't login with a user inside that specific group.
[16:15] <nacc> aaronr: sure! give me a bit (sorry didn't see it in my backlog until just now)
[17:02] <nacc> aaronr: i'm around now, will be out for lunch, but around otherwise
[17:11] <rbasak> smoser: I uploaded the latest uvtool to artful yesterday. It includes the new ssh public key stuff so --insecure is no longer needed. That feature had been sitting in the daily builds for a long time.
[17:12] <jrtappers> I'm trying to setup landscape with the free 10 server license, but I seem to have got stuck
[17:12] <jrtappers> From what I can see of the source it is trying to use an SSH public key as a SSL CA, which seems wrong
[17:13] <nacc> dpb1: --^ maybe you can help direct?
[17:14] <jrtappers> The file is /usr/lib/python2.7/dist-packages/landscape/broker/transport.py, and the SSH key reference is in __init__, the SSL usage is in _curl
[17:17] <jrtappers> But it does work on my laptop, so it might be a red herring
[17:17] <dpb1> jrtappers: you probably want to back up a bit and state what problem you are hitting
[17:17] <jrtappers> I am trying to get servers linked to an on-prem instance of landscape
[17:19] <aaronr> nacc: great, thank you! so it was suggested i check in for the bug squashing event and learn how to build the updated packages myself. where should I start with that?
[17:19] <jrtappers> I managed to enroll an ubuntu desktop client, but neither the server that runs landscape nor a secondary server can connect
[17:20] <jrtappers> The log contains this > http://paste.ubuntu.com/24549951/
[17:21] <dpb1> ok, how did you get your desktop to work?  is your key signed by a trusted CA, or is it self-signed
[17:21] <nacc> aaronr:  np! let me take a look at the bug
[17:22] <jrtappers> Trusted CA (LetsEncrypt)
[17:22] <jrtappers> Using curl against the URL from the stack trace works
[17:23] <nacc> aaronr: there are a couple of different approaches
[17:23] <dpb1> jrtappers: the systems are xenial?
[17:23] <nacc> aaronr: we have a git-based workflow for which i'm importing nagios3 right now but that will take a while to finish
[17:23] <nacc> aaronr: we can start on the SRUs without it
[17:24] <nacc> aaronr: so what i'd do first, is `pull-lp-source nagios3 xenial` in a place you want to download the source package to
[17:24] <jrtappers> dpb1, Yeah
[17:24] <nacc> aaronr: (you might need to install ubuntu-dev-tools)
[17:25] <nacc> aaronr: that will result in a directory like nagios3-<version> wherever you ran the command
[17:25] <aaronr> okay sounds good, doing that now
[17:25] <nacc> aaronr: (and we'll do similar for each release out there)
[17:26] <nacc> aaronr: but the process will be repetitive
[17:26] <aaronr> okay that makes sense
[17:27] <nacc> aaronr: once you have the source package pulled down, you're going to cd to that directory
[17:27] <dpb1> jrtappers: my first instinct is that it's something to do with the CN.  Can you check that the certificate subject CN matches the hostname.  Check landscape.canonical.com for cross reference.
[17:27] <nacc> aaronr: you're going to make whatever changes you need to the srcpkg
[17:28] <nacc> aaronr: then run `dpkg-source --commit`, which will generate a quilt patch and open EDITOR on it
[17:28] <nacc> aaronr: in that file, there will be a header that explains what to do to the patch, but basically, you want to follow the DEP3 specification (http://dep.debian.net/deps/dep3/)
[17:28] <nacc> aaronr: which gives well-formatted information about the patch (if it's a backport from upstream, e.g., where the upstream commit is)
[17:29] <nacc> aaronr: and who wrote it, etc.
[17:29] <nacc> aaronr: once you're satisfied with the patch, you'll save & quit as appropriate for your editor
[17:29] <dpb1> jrtappers: I used this for checking: openssl s_client -connect landscape.canonical.com:443 2>/dev/null < /dev/null
[17:29] <nacc> aaronr: then you'll use `dep3changelog debian/patches/<patchfilename>` (from devscripts)
[17:30] <nacc> aaronr: (dpkg-source --commit will prompt you to name the patch file)
[17:30] <nacc> aaronr: dep3changelog will insert a changelog entry appropriately
[17:30] <nacc> aaronr: once it finishes, run `dch --edit`
[17:30] <smoser> rbasak, horay!
[17:30] <ahasenack> ezethnesthrown: did you prepend the group name with @ or +?, and is "valid users" in a share context in smb.conf?
[17:30] <jrtappers> dpb1, It returns OK on both servers
[17:30] <nacc> aaronr: verify the changelog entry looks ok, then, update the release from UNRELEASED to xenial (in this case)
[17:31] <ezethnesthrown> ahasenack, with a +
[17:31] <ahasenack> ezethnesthrown: check if "getent group <name>" returns the list of users you expect, on the samba server
[17:31] <nacc> aaronr: dep3changelog should have incremented the version correctly too, but we'll check it before you provide the debdiff
 without the +
[17:32] <dpb1> jrtappers: and the CN...
[17:32] <aaronr> okay, i'll run through that lot now. thanks so much!
[17:32] <nacc> aaronr: in any case, once the changelog is done, you'll run `dpkg-buildpackage -S -nc -d -uc -us` (which builds a new source package, without running clean, ignoring build-depends, and not signing the result)
[17:32] <dpb1> jrtappers: it matches what you are trying to contact?
[17:32] <nacc> aaronr: that will generate a .dsc file in ..
[17:32] <jrtappers> dpb1, It's an exact match
[17:32] <ezethnesthrown> ahasenack, it doesn't
[17:33] <ezethnesthrown> I'm pretty sure I added the user to the group
[17:33] <nacc> aaronr: and then pastebin `debdiff <old dsc> <new dsc>` and we can review it :)
[17:33] <nacc> aaronr: identical process (s/xenial/yakkety/ or s/xenial/zesty/) throughout for the other SRUs
[17:34] <DK2> hmm
[17:34] <DK2> i've had to put the harddrives of an ubuntu system into another server
[17:34] <dpb1> jrtappers: ignore the landscape server itself, focus on the other server.  time is correct there?
[17:34] <DK2> now i need to know the mac address of the last server
[17:34] <DK2> is there any way to find out the old mac address saved somewhere in the ubuntu system?
[17:35] <jrtappers> dpb1, Yep
[17:35] <DK2> or any other way, to identify the origin server ?
[17:36] <nacc> DK2: um, mac address is on the physical device
[17:36] <nacc> DK2: i mean, it depends on if you hardcoded it into /e/n/i, which would be uncommon
[17:36] <nacc> DK2: otherwise the mac is not stored in state
[17:38] <ahasenack> ezethnesthrown: then you may not have nss_ldap configured properly, or the new guy, sssd
[17:38] <dpb1> jrtappers: then I'm not sure.  I would say file a bug on lp:landscape-client
[17:38] <dpb1> so
[17:38] <ahasenack> ezethnesthrown: I'm slowly updating the ubuntu guide about ldap, samba and kerberos, I think I'll get to samba by the end of the week
[17:38] <dpb1> something you can do to workaround
[17:38] <DK2> nacc: i'm just curious if there is any way to identify the origin server of the old system the hdd used to be in
[17:38] <DK2> such as mac address or smth like that
[17:39] <nacc> DK2: i guess you could try looking in the logs -- but generally, i don't think so
[17:39] <DK2> all i could think of was the netrules if it hadn't been deleted
[17:39] <dpb1> jrtappers: openssl s_client -connect landscape.canonical.com:443 > /etc/landscape/server.crt 2>/dev/null < /dev/null
[17:39] <DK2> which obviously was deleted
[17:40] <ezethnesthrown> ahasenack, Any way for me to fix that or something? Can I add a user to a group?
[17:40] <dpb1> jrtappers: then use the 'ssl_public_key = /etc/landscape/server.crt' config value in /etc/landscape/client.conf
[17:40] <aaronr> nacc: thanks! crunching away at that now, will let you know how I get on
[17:40] <nacc> aaronr: sure, i'll be headed to lunch in a bit, but i'll be back soon
[17:41] <dpb1> jrtappers: this is what you would have to do if it was self-signed
[17:41] <aaronr> nacc: No problem. I'll tackle Xenial only for now and if that goes well I'll replicate what I've done for the others
[17:41] <dpb1> jrtappers: if that fails, it's also good data for the bug report.
[17:53] <dpb1> jrtappers, ahasenack informs me that the ssl_public_key workaround I gave you won't work on a real cert.
[17:54] <jrtappers> dpb1, Ah, ok
[17:54] <dpb1> if he has other ideas, I'd love to hear them.
[17:54] <dpb1> but, I think a bug report at a minimum is a good start
[17:54] <ahasenack> what is the error?
[17:54] <jrtappers> dpb1, I have added all the parameters to the deepest method, so I can include the parameters that were used
[17:54] <dpb1> http://paste.ubuntu.com/24549951/
[17:54] <jrtappers> *To the exception thrown
[17:55] <dpb1> jrtappers: thx, that would be great data for the bug report.  even if it's not a pure bug in the code, at least that will get the right people looking at it
[17:55] <ahasenack> jrtappers: was that server cert generated in-house? Or purchased from a non-custom CA?
[17:55] <jrtappers> ahasenack, non-custom (LetsEncrypt)
[17:56] <ahasenack> jrtappers: are wget and curl happy with contacting https://<yourserver>?
[17:56] <dpb1> ahasenack: and it works on a desktop machine he has
[17:56] <jrtappers> Yeah
[17:56] <ahasenack> specifically curl, since landscape-client uses libcurl
[17:56] <dpb1> but not on another server machine
[17:56] <ahasenack> jrtappers: so curl https://server/ works without ssl errors on that same machine where landscape-client fails?
[17:57] <jrtappers> ahasenack, Exactly
[17:57] <ahasenack> jrtappers: try that curl as the landscape user, something like sudo -u landscape -H curl https://server/
[17:57] <ahasenack> the landscape user has no shell by default, so "sudo -u landscape -i" and then curl won't work
[17:57] <jrtappers> I have some more data now, 1 moment
[17:57] <jrtappers> ahasenack, That worked
[17:58] <ahasenack> sudo -u landscape -H curl?
[17:58] <ahasenack> ezethnesthrown: can you show an ldif representation of your ldap group?
[18:00] <jrtappers> ahasenack, That worked too
[18:02] <ahasenack> jrtappers: try curl with --cacert /etc/ssl/certs/ca-certificates.crt
[18:02] <jrtappers> ahasenack, Successful
[18:03] <ahasenack> jrtappers: try starting the client interactively to see if it spits out more details about the error: sudo landscape-client
[18:04] <ahasenack> it will not fork into the background in that case
[18:04] <ahasenack> it will take a few seconds to try to contact the server, just hang on
[18:04] <jrtappers> ahasenack, Method params for fetch -> http://paste.ubuntu.com/24550120/
[18:04] <ahasenack> cainfo -> '/root/key.pem' <-- what's that?
[18:04] <ahasenack> do you have a client.conf somewhere in $PWD perhaps?
[18:05] <ezethnesthrown> ahasenack, http://paste.ubuntu.com/24550123/
[18:05] <jrtappers> ahasenack, I used that folder for /etc/landscape/server.crt
[18:05] <jrtappers> I'll try making it 777
[18:06] <ahasenack> do you have ssl_public_key pointing at /root/key.pem in /etc/landscape/client.conf?
[18:06] <jrtappers> Yeah
[18:06] <ahasenack> dop that
[18:06] <ahasenack> drop
[18:06] <ahasenack> I mean, remove ssl_public_key from client.conf
[18:07] <ahasenack> curl worked with /etc/ssl/certs/ca-certificates.crt explicitly, which is the default cafile, so let's let landscape try that too (the default)
[18:07] <ahasenack> and yeah, landscape wouldn't be able to read /root/key.pem
[18:08] <ahasenack> ezethnesthrown: that seems ok, are you using nss_ldap or sssd?
[18:08] <ezethnesthrown> ahasenack, How do I check that?
[18:09] <jrtappers> It seems to be working now, thanks
[18:09] <jrtappers> No idea why it didn't work before I added that to try to fix it though
[18:09] <ahasenack> do you have either package installed? dpkg -l|grep -E "(libnss-ldap|sssd)"
[18:09] <jrtappers> I think I re-installed ca-certificates
[18:10] <ahasenack> jrtappers: what did you try now, landscape-config?
[18:10] <ahasenack> to register?
[18:10] <jrtappers> Yeah
[18:10] <ahasenack> did it become a pending computer in the UI?
[18:10] <ahasenack> (or even automatically registered, if you are using registration_key)
[18:11] <ahasenack> ezethnesthrown: do you have either package installed? dpkg -l|grep -E "(libnss-ldap|sssd)"
[18:13] <ezethnesthrown> ahasenack, neither
[18:14] <jrtappers> ahasenack, It added successfully, but adding the server that hosts landscape to landscape crashed the whole system
[18:14] <jrtappers> Is there a way to manage that server from the same UI?
[18:15] <ahasenack> jrtappers: sure, and it's common. What do you mean by "crashed"?
[18:15] <jrtappers> Sent the load on the box to maximum and stopped the web UI working
[18:16] <jrtappers> I get a message saying Sorry for the inconvenience. Please contact your system administrator for more information.
[18:17] <jrtappers> Ok, did it again, the load stayed OK, but the UI was taken offline again
[18:18] <ahasenack> ezethnesthrown: that will need some work, I won't have ready answers for you now
[18:18] <ahasenack> jrtappers: how much ram do you have in that box?
[18:19] <ahasenack> jrtappers: if the UI is "offline", that means the appserver process isn't running, or not reachable
[18:20] <ahasenack> you can check /var/log/landscape-server/appserver.log
[18:20] <ahasenack> and/or dmesg if you suspect the OOM killer is being triggered
[18:25] <jrtappers> I think it could be a memory issue
[18:25] <aaronr> nacc: I think I've done that right for Xenial now. debdiff at http://pastebin.ubuntu.com/24550198/
[18:25] <jrtappers> I thought a VM with 1/2 GB per managed host should be ok?
[18:35] <Bert_2> Hi, I run a very typical PAM+LDAP setup with posixAccount and shadowAccount, we use shadowExpire to expire accounts that haven't renewed (yet), now I can't seem to find how I can check through CLI whether an account has expired without using ldap_search. I presume there should be some regular or PAM command to do this. Can anyone help me out?
[18:37] <ahasenack> jrtappers: hm, you mean half a gigabyte of RAM? or do you mean "1 or 2"?
[18:38] <jrtappers> Half per managed server, (1.5 total). Is this too low?
[18:38] <ahasenack> jrtappers: anyway, I would suggest 4Gb to start with landscape server. I assume you are using quickstart? i.e., all-in-one? Database, rabbit, landscape itself, etc?
[18:39] <jrtappers> Ah oh
[18:39] <jrtappers> Yeah
[18:39] <ahasenack> for the clients, that depends what you run on them of course
[18:39] <ahasenack> but the server needs more. Of course that also depends how many clients you have talking to it, i.e., how many registered computers
[18:42] <sarnold> jrtappers: see also https://bugs.launchpad.net/ubuntu/+source/landscape-client/+bug/1685885
[18:46] <ezethnesthrown> ahasenack, Anything that could guide me to make it work?
[18:54] <ahasenack> ezethnesthrown: the users and groups need to show up in the output of "getent passwd" and "getent group", respectively
[18:55] <ahasenack> ezethnesthrown: if they are only in ldap, then you need nss_ldap, or a more recent tech like sssd
[18:56] <ezethnesthrown> ahasenack, Should I use nss_ldap or sssd?
[18:56] <ahasenack> libnss-ldap has been dropped from main in favor of sssd
[18:56] <ahasenack> and https://bugs.launchpad.net/serverguide/+bug/1479495 is about recommending sssd instead of nssldap
[18:56] <ahasenack> so sssd is the way forward, but I have no experience with it yet
[18:57] <ahasenack> and my experience with nssldap is that it can be quite buggy and may be unmaintained nowadays
[18:58] <ezethnesthrown> ahasenack, Thank you. I'll try using sssd then. Anything that I need to know of to get started?
[18:58] <ahasenack> ezethnesthrown: just that your end goal is for the ldap users and group to appear in the output of those getent commands
[18:58] <ahasenack> or maybe "getent passwd <user>" and "getent passwd <group>" explicitly (instead of listing all of them)
[19:00] <ezethnesthrown> ahasenack, What kind of results or output should I be expecting? Right now I'm not getting anything.
[19:00] <ahasenack> ezethnesthrown: the same type you get for a local user
[19:01] <ahasenack> ezethnesthrown: which is essentially a single line, just like what is in /etc/passwd for the user (and /etc/group in the group case)
[19:01] <ezethnesthrown> ahasenack, Thank you very much for your time. I'll be moving on then.
[19:01] <ahasenack> good luck
[19:01] <ezethnesthrown> Any problems arise, I'll find myself here
[19:02] <ahasenack> yep
[19:12] <speaker1234> I'm trying to install 16.04 server with raid. It keeps failing when installing grub.  I've googled a bit and have found a few references to the problem but no solutions
[19:33] <drab> speaker1234: what error do you get? I do that routinely and found no problems with it
[19:33] <drab> both on raid1, 6 and 10
[19:34] <drab> s/both//
[19:35] <speaker1234> warning is something about grub not being able to be installed on /dev/sda
[19:36] <sarnold> find exact error messages; you can search for those in source code
[19:36] <drab> mmmh, so it doesn't ask you where to install it? is this a manual install or preseed?
[19:37] <speaker1234> manual install
[19:39] <speaker1234> I tried the default partitioning then changing the swap and / partitions to swap.  when I tried to do the same with the second disk, the install hung.
[19:41] <drab> how come that a tcpdump on tun0 shows no traffic but the traffic is going through?
[19:41] <drab> trying to debug a vpn
[19:41] <drab> in a container if that makes a diff
[19:41] <drab> I don't see traffic from the vpn client neither on eth0 nor on tun0
[19:42] <drab> but I see the traffic on the destination host
[19:42] <drab> speaker1234: so you're doing manual partitioning?
[19:42] <drab> or you tried that after default failed?
[19:42] <drab> what happens if you let it just "use the whole volume"
[19:42] <drab> in automatic
[19:43] <speaker1234> drab, it does not let me raid.  I'll try it now
[19:44] <speaker1234> s/it/it again/
[19:44] <speaker1234> drab is tun0 a bridge?
[19:47] <drab> no it's a tun/tap interface created by openvpn
[19:48] <drab> it's strange because even then on eth0 I should see traffic since the traffic does reach destination and that's the physical interface
[19:48] <drab> I think this is something else, I think I'm just not allowed to do tcpdump inside a container
[19:51] <speaker1234> drab, I have experienced sometimes tcpdumping an openvpn connection does not always work
[19:52] <speaker1234> context being a linux based firewall (ipcop/ipfire)
[19:53] <ahasenack> drab: are you using tcpdump inside a lxd container?
[19:53] <drab> this is definitely the container, I just can't tcpdump inside it
[19:53] <drab> ahasenack: yeah
[19:53] <drab> was trying to
[19:53] <ahasenack> drab: there is a bug
[19:53] <ahasenack> drab: tcpdump can't write to stdout/stderr
[19:54] <ahasenack> drab: workaround: use -s 0 -w traffic.pcap
[19:54] <drab> ah, I see
[19:54] <drab> thanks
[19:54] <ahasenack> let it capture, and read it elsewhere
[19:54] <ahasenack> drab: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1667016
[19:55] <ahasenack> it can capture the traffic, just not print to the console :)
[19:56] <ahasenack> I was also hit by that the other day, very annoying
[19:56] <drab> so glad you were here and saw this :)
[19:56] <drab> thanks
[19:57] <ahasenack> welcome :)
[19:57] <speaker1234> ahasenack, great clue :-) I would have also beat my head against that problem for *hours*
[19:58] <ahasenack> one would think that lxd/apparmor would have trouble letting tcpdump capture the traffic, not printing to stdout/stderr :)
[19:58] <speaker1234> drab, guided part worked fine.  I just can't get a raid install to work grrr.
[19:58] <drab> speaker1234: mmmmh, so it worked through the partitions, installed everything and got to the last step and threw an error?
[19:58] <drab> what's in Alt-f4 log terminal?
[19:58] <drab> any clue what it's failing on?
[19:59] <speaker1234> no. the guided install worked fine.
[19:59] <drab> oh, you mean the whole thing, including writing grub
[19:59] <speaker1234> yes
[19:59] <drab> oh, eeeer, but you want a diff partition layout?
[20:00] <speaker1234> diff partition in that it uses raid
[20:00] <ahasenack> speaker1234: is this the text mode installer?
[20:00] <drab> oh so when you say auto part you don't mean auto on a raid
[20:00] <speaker1234> ahasenack, yes.  16.04.2 server
[20:01] <drab> I guess there's no such thing, I'm just so used to preseed it's all "auto"...
[20:01] <drab> speaker1234: can you specify the steps you take? I think I had to do it once or twice recently and it worked, altho I was on 16.4.1, but I doubt that makes a diff
[20:02] <speaker1234> drab, ok here is what I do as far as I can recall
[20:02] <drab> you said something about the installer freezing as well, when does that happen exactly? and you can't get any terminal at that point?
[20:04] <speaker1234> drab, the freezing symptom first.. I selected manual partitioning, new partition table, and then automatic partitioning of the first drive
[20:04] <speaker1234> I did the same thing on the second drive except when I selected automatic partitioning, the system "froze" and the screen displayed the usual blue background without any text UI information
[20:05] <nacc> aaronr: back from lunch, reviewing it
[20:05] <speaker1234> what I do when trying to make the install work with raid at the very beginning,
[20:05] <drab> speaker1234: ok, did you try manual on the first one and second one?
[20:05] <speaker1234> I go to the normal install process, choose manual partitioning
[20:05] <speaker1234> manually create swap, root, and home partitions
[20:05] <speaker1234> label each one first as a raid partition
[20:06] <nacc> aaronr: it looks good overall -- few nits
[20:06] <nacc> aaronr: the patch Author should be the upstream author
[20:06] <speaker1234> then go and build the raid MD devices
[20:06] <drab> speaker1234: that all sounds good
[20:06] <speaker1234> after I have MD devices, I format them with EXT4 or swap as appropriate
[20:07] <drab> and mark them to be used as root etc?
[20:07] <speaker1234> then I finish the partitioning step and let the rest of the install continue
[20:07] <drab> and bootable flag
[20:07] <speaker1234> oh yes, I do assign the appropriate mount points
[20:07] <drab> ok
[20:07] <speaker1234> but I'm not able to set the boot flag
[20:07]  * drab scratches head
[20:07] <drab> that all seems correct
[20:07] <speaker1234> I've seen bug reports for this back with version 11 and occasionally version 9
[20:07] <drab> I'm not sure the boot flag is even there, I seem to remember I had to do it, but not 100% sure
[20:08] <nacc> aaronr: i would also not use the #diff suffix for the github URL, even if only backporting that bit
[20:08] <ahasenack> speaker1234: wait, you create the swap, root and home partitions and label them as raid? Then you create the MD device?
[20:09] <drab> I think he just meant he partitions the disks so he gets sda1/b1 etc for swap/root to make up the raid and then makes the raid swap etc
[20:09] <drab> but good point, maybe that's not what he meant and I just read into it
[20:09] <speaker1234> ahasenack, no, I create the partitions that will be used as swap, root and home. Then I label them as raid partitions, create the MD device, format the MD devices as appropriate, and assign them to the appropriate mount points
[20:09] <ahasenack> ok
[20:09] <ahasenack> so in the end you have something like /dev/md2 for /home, etc
[20:10] <speaker1234> ahasenack, md126 but yea
[20:10] <drab> speaker1234: what happens if you try something simpler, create only root and swap, in that order? or even just /
[20:10] <drab> are the disks of the same size?
[20:10] <speaker1234> what puzzles me the most is I'm not allowed to set the boot flag and when I do an automatic partitioning, it gives me some sort of a boot dedicated partition eff??
[20:10] <drab> and partitions of same size
[20:11] <drab> oooh, are you booting in efi mode?
[20:11] <speaker1234> discs are the same size, same vendor, within a month of manufacture of each other
[20:11] <drab> booting/installing in efi mode?
[20:11] <speaker1234> I thought I was selecting the not efi mode
[20:11] <drab> well, what's the bios saying?
[20:11] <drab> once the installer starts, if it booted in efi there's no selecting anymore afaik
[20:11] <speaker1234> let me check
[20:12] <drab> both the bios mode and the boot mode must be correct
[20:13] <drab> like you could have bios mode, but then hit f9 or whatever to choose media and pick an EFI boot mode
[20:13] <drab> or the other way around
[20:13] <speaker1234> UEFI and legacy
[20:13] <drab> can you force to legacy to test?
[20:13] <drab> and make sure that when you press f9 or whatever to choose boot media you don't pick from the EFI subtree
[20:14] <drab> (at least that's how I've normally seen them presented, two sort of trees, one for efi one for legacy)
[20:17] <speaker1234> interesting. when I switched to Legacy boot mode, the USB flash boot image is no longer visible.
[20:17] <drab> lol,it works \o/
[20:19] <drab> (I'm connected over vpn to a container inside a desktop that gets me into a byobu session with irc open)
[20:19] <drab> just getting ready for a little trip to censored-internet-land :)
[20:20] <speaker1234> .cn?
[20:20] <speaker1234> or .us
[20:21] <speaker1234> USA, the newest 3rd world country on the planet
[20:21] <speaker1234> (and I live there...)
[20:22] <drab> byobu/tmux are pretty impressive, it even reorients as I put the phone landscape
[20:22] <drab> it's pretty funny to see
[20:22] <speaker1234> I'm out of time for the day. Thanks for the help, I have something to try tomorrow morning
[20:22] <drab> or even when I minimize the phone keyboard it enlarges the console windows
[20:22] <drab> speaker1234: yeah, give legacy only a go
[20:23] <drab> it sounds to me like you're definitely booting in efi
[20:23] <drab> and you have not created an efi partition
[20:23] <drab> which would be mandatory if you were indeed booting efi and doing things manually
[20:23] <speaker1234> effing partition you mean...
[20:23] <speaker1234> ;-)
[20:23] <drab> it's the future!
[20:23] <drab> or so they say
[20:24] <speaker1234> future arrives too soon and in the wrong order
[20:24] <speaker1234> thanks and goodnight!!
[20:24] <drab> nn
[20:25] <jge> hey all, is it possible to have UFW (iptables) be active only for a certain interface? I have two interfaces one facing a public network the other private network, I would like to firewall only one.
[20:27] <bindi> why don't you use iptables-persistent instead of ufw?
[20:28] <nacc> jge: i believe it's in `man ufw` that you can specify the interface
[20:29] <jge> bindi: iptables-persistent as far as I know makes your rules persistent, UFW is just a bunch of wrapper scripts to make administration of iptables easier
[20:29] <DK2> what do you guys think about a software raid5 with 4x 6 TB drives?
[20:29] <DK2> rather awful ?
[20:30] <drab> jge: iirc you specify the interface in the rule
[20:30] <drab> jge: ie ufw allow in on iface to ....
[20:30] <nacc> drab: `man ufw` agrees with you
[20:31] <jge> drab and nacc, I was reading that earlier but UFW has you set up default policies before you start using it.. would those default policies apply to all interfaces?
[20:32] <drab> DK2: awful from which perspective?
[20:32] <DK2> i suppose it will break when recovery is needed
[20:32] <drab> now that the write hole is fixed I think it's relatively ok, but if you are needing better performances than a single disk kind of thing, then yeah, awful
[20:32] <drab> so depends on criteria
[20:32] <dpb1> DK2: I usually shoot for raid10 if I have 4 disks, but really, it depends on the application.
[20:32] <drab> DK2: why?
[20:33] <drab> jge: yes
[20:33] <drab> it's amazing how nasty the hacks can get when you're short on time...
[20:34] <drab> overlapping subnets ftl but openvpn working without firewalling and natting ftw
[20:35] <DK2> drab: because of the high load on the drives when syncing the failed disk
[20:36] <DK2> it can take a long time with 6 TB and this will likely make another fail
[20:36] <jge> drab: how would that work then if you have multiple interfaces and you only want to enable firewall on one? that default policy is effectively turning on the firewall for all no?
[20:36] <DK2> but i need to get at least ~16TB of storage
[20:36] <jge> unless there's an option to set default policy for a given interface
[20:37]  * jge reads man page
[20:38] <drab> DK2: it depends on MTBF and hrs on the disks but fair enough. that said it is what it is, if there's no budget for more disks etc then that's the best you can do and that's it
[20:39] <drab> I don't think it's evil in any way, maybe not optimal in absolute, but nothing is, it's all about best based on conditions
[20:39] <DK2> i guess so
[20:51] <keithzg> ahasenack: Belated reply from yesterday, yeah, smbstatus gave me enough info to eventually puzzle it out, although it didn't give me actual bandwidth per IP and nethogs just gives the PID of smbd so I couldn't correlate the two, but looking at smbstatus in the end there was only one likely culprit, heh.
[20:53] <ahasenack> keithzg: cool
[21:24] <qman__> keithzg: you can use lsof to bridge that gap - smbstatus gives you file names, nethogs gives you pids, lsof maps pids to open files
[21:28] <bnoeafkUSA> Is there anyone here who can provide some insight into the FIPS certification that Ubuntu 16 has obtained - or can lead me into a network/channel where I can find out more?
[21:39] <aaronr> nacc: sounds good, making those adjustments now. when adjusting the github url am I okay to truncate the SHA to the first 8 chars or so to shorten it even more?
[21:40] <nacc> aaronr: probably fine, as long as the URL resolves
[21:40] <aaronr> nacc: patch author -- should this be the github committer or the person they attributed the patch to? (I don't have an email address for the latter)
[21:40] <nacc> aaronr: let me look again
[21:41] <aaronr> https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07f if you need a fresh link
[21:41] <nacc> aaronr: a lot of times, you can get an actual address from the git repository (just not on github, that is clone it locally first and you'll see the correct authorship incl. email address)
[21:42] <aaronr> I can get the committer's email address, but the patch looks like it came in from someone else
[21:42] <nacc> aaronr: for this one, i'm not sure -- i think it's ok to refer to the committer
[21:42] <aaronr> okay
[21:44] <keithzg> qman__: Hmm, but nethogs only gives a single entry for Samba server traffic, as smbd, unless I'm missing some option somewhere
[21:46] <aaronr> nacc: oh, one other thing I kind of guessed at earlier -- many of the non-CVE patches were numbered eg 99_some_description.patch ... is that a standard convention? And should I always use 99 to ensure my changes are applied after most others?
[21:46] <nacc> aaronr: your patch is applied based upon where it is in the series file
[21:46] <aaronr> ah right okay
[21:47] <aaronr> so should i remove the 99_ prefix?
[21:48] <aaronr> (also as this is security-ish issue but doesn't have a CVE should i have targeted this at xenial or xenial-security?)
[21:48] <sarnold> bnoeafkUSA: we're just moving on this.. it may take another day or so to get some information prepared
[21:49] <nacc> aaronr: you should always target xenial, the security team owns publishing to -security
[21:50] <nacc> aaronr: you don't need the 99_ prefix, unless there is a file indicating what the prefix mens
[21:50] <nacc> *means
[21:50] <nacc> some srcpkgs have that
[21:52] <aaronr> gotcha okay
[21:53] <aaronr> nacc: here's an updated debdiff with all those changes: http://pastebin.ubuntu.com/24551178/
[21:55] <nacc> aaronr: looks great, although d/changelog now doesn't have a release targeted (change UNRELEASED to xenial)
[21:55] <aaronr> oh whoops, thanks for catching that
[21:56] <nacc> aaronr: i didn't say this before, because i forgot, but `dch` takes the release as an argument (-r)
[21:58] <aaronr> ah nice, i'll add that to my notes, thanks!
[21:58] <aaronr> http://paste.ubuntu.com/24551196/ has that release fixed
[21:59] <nacc> aaronr: looks great, so save that to a file (typically ending in .patch or .debdiff) and attach it to the bug and subscribe ~ubuntu-sponsors to the bug
[22:00] <nacc> aaronr: you can do the last part after doing the same fix for Y and Z first
[22:00] <nacc> (and attaching them)
[22:19] <aaronr> okay sounds good. so i'll get them all attached. Just still-supported releases, right? (This issue exists as far back as trusty)
[22:30] <nacc> aaronr: right, so t, x, y, z (unfortunately). y is maybe less pressing, since it's going eol
[22:30] <nacc> soonish