/srv/irclogs.ubuntu.com/2017/06/13/#ubuntu-server.txt

heheheso nice00:00
hehehecrystal clear text00:00
heheheeverything is logical minimal effective00:00
sarnoldhehehe: you shouldn't use tcp sockets; that again allows all processes on the local machine to run arbitrary php in the context of the FPM process00:03
hehehei use file socket00:04
sarnoldgood keep it that way :D00:04
hehehesarnold:   but where is mistake solution! :D00:04
hehehehaha00:04
heheheand why would tcp sockets allow any process to run arb php?00:05
heheheis there a datagram for it?00:05
heheheto visualise00:05
sarnoldthere's no access controls on tcp sockets00:05
sarnoldunix domain sockets do have access controls00:05
heheheok such as file permissions00:06
sarnoldso if you wanted to constrain access to the tcp sockets you'd need to add that yourself via iptables00:06
heheheso user is www:data and nginx user is www:data00:06
hehehebut say if someone hijack local process via bug00:06
hehehecan you explain more00:07
hehehewhat happens then?00:07
hehehehttps://dt-cdn.net/wp-content/uploads/2014/10/FirstFastCGIrequest.png00:08
heheheniceee00:08
sarnoldif a local process is hijacked then the hijacker can perform all operations that the process is allowed to do: read/write to open file descriptors, filesystem access, all syscalls with capabilities of the process, etc..00:08
sarnoldand if that allows connect(localhost, 9000) kinds of operations, then it can send essentially arbitrary php to the fpm system00:08
heheheemm00:09
hehehewhat kind of local process can do all that00:09
heheheits kinda tricky to hijack such process00:09
hehehell /run/php/ | grep php00:10
hehehe-rw-r--r--  1 root     root       5 Jun 13 01:40 php7.0-fpm.pid00:10
hehehemaybe socket died?00:11
hehehesarnold: issue seems mostly with that dude idea to give file ownership to root:www-data00:14
heheheit then tries to serve html00:14
hehehewhich indicates it cant communicate with php00:15
heheheor lets say nginx www:data sends request to php fpm and then on  a way back something happen00:15
mwhudsoncoreycb: seeing as you Touched It Last: https://launchpad.net/ubuntu/+source/python-pika-pool/0.1.3-1ubuntu200:41
jamespagenacc: thanks for your work on this - much appreciated05:57
jamespagenacc: I'd go with the upstream test suites; the earlier this gets landed into artful, the more general testing it will get05:57
patsTomscan I concat two repositories when using debmirror to make local mirror?07:41
Aisonis there cacti  1.1.10 available for ubuntu xenial?10:10
fricklerjamespage: do you have a PPA with horizon 10.0.4 somewhere (uca newton)? I tried building locally, but seeing issues with the compress jobs when installing12:16
jamespagefrickler: lemme see - I think I deleted my testing ppa once I uploaded for SRU team review12:25
jamespagehmm yeah I did tidy that one up12:26
jamespagefrickler: I can shove it somewhere for you if you need it12:26
jamespagefrickler: ppa:james-page/newton12:28
jamespagefrickler: its a trickier one to build from source due to the multiple orig tarballs thingmy12:28
fricklerjamespage: yeah, I know, its the only package I'm needing sbuild for, but the result still doesn't work for me12:29
hehehehello server gangsters12:34
hehehe:)12:34
coreycbmwhudson: +1 thanks for letting me know12:34
heheheI implemented htst12:36
heheheHSTS12:36
hehehehowever nginx also allows to use  return 301 https://www $request_uri;12:36
heheheto send all requests to https12:36
heheheso whats the advantage of hsts in such case?12:37
hehehehi zhhuabj  :)12:37
lordievaderhehehe: The advantage is that clients ask themselves for https, instead of the server telling them they should go there.12:38
hehehelordievader:  hmm the dude who helped me with nginx told me to use both?12:39
hehehedoes it make sense?12:39
hehehe*told me to use both12:39
lordievaderhehehe: If you have a man-in-the-middle pretending to be your website, hsts helps, your approach does not help in that case.12:39
lordievaderYes, it makes sense to use both.12:39
heheheok I see - first request is http and then it goes to https unless strict http reject all http right?12:40
heheheand also what are OWASP Secure Headers Project for? :)12:40
lordievaderHow it goes in this scenario, a browser reaches your website, the server tells the client to go to https. Then hsts tells the browser to only reach this website over https in the future.12:42
heheheoki12:44
heheheso if they using site for first time max security comes when site is on distributed preload list12:44
hehehelordievader: any drawbacks with using hsts?12:45
hehehepotential issues? :D12:45
lordievaderYou have to make sure your https works. If it is broken you cannot simply switch back to http.12:46
lordievaderSsllabs has some nice tests for this sort of stuff.12:46
lordievaderhttps://www.ssllabs.com/12:46
hehehecool12:48
heheheyes https works here12:48
heheheI read some nginx howto and its like blank for me :D12:50
heheheeven after re reading12:50
jamespagefrickler: did you see12:52
jamespageCommandError: An error occurred during rendering /usr/share/openstack-dashboard/openstack_dashboard/templates/horizon/_scripts.html: '\"../bower_components/respond/dest/respond.min.js\"' isn't accessible via COMPRESS_URL ('/horizon/static/') and can't be compressed12:52
hehehe$fastcgi_script_name12:55
hehehe    This variable is equal to the URI request or, if the URI concludes with a forward slash, then the URI request plus the name of the index file given by fastcgi_index - makes sense but what if user wont use concluding slash?12:55
hehehethen site wont server say index.php?12:55
hehehe*serve12:55
fricklerjamespage: exactly12:55
fricklerwhile upgrading from 10.0.3 or on a fresh install with 10.0.4 directly12:56
lordievaderhehehe: I don't understand the question.12:58
heheheok13:00
hehehelordievader: if u read info I pasted it seems fastcgi param fastcgi_script_name servers  index file in a dir only if directory is /dir/ and not /dir?13:01
hehehe*serves13:01
lordievaderIt does read that way, yes.13:02
jamespagefrickler: looking now but I suspect its some sort of transient dep issue with the way the xstatic bundle is created13:03
hehehelordievader: but that is an issue as many people will type www.xexy.com and not www.xexy.com/13:04
hehehehow to solve it? :)13:04
lordievaderhehehe: Have you verified if this is actually the case? Wouldn't be surprised if the wording is just a tad confusing and no problem actually occurring.13:05
hehehelordievader: well somehow it works without closing / but then its kinda contradicts wording13:06
lordievaderhehehe: Submit a patch ;)13:06
hehehealso I discovered why I failed to generate lets encrypt cert before on 1 box13:06
heheheI had nginx setting to disallow access to all . files13:06
hehehe:D13:06
hehehelocation ~ /\. {13:07
hehehedeny all;13:07
heheheand I did not add location ~ /\.well-known\/acme-challenge {13:07
heheheallow all;13:07
hehehe}13:07
hehehe:)))13:07
jamespagefrickler: building a revised version in ppa:james-page/newton213:11
fricklerjamespage: so you did see that error with your package, too? that would imply that my building foo isn't quite as bad as I'm thinking ;)13:13
jamespagefrickler: I did13:19
jamespagefrickler: the refresh-xstatic helper does not limit upper bounds when creating the xstatic tarball.13:19
jamespagefrickler: so I suspect something broke in the xstatic depends versions/deps13:20
Aisonwhy are my lvm volumes not activated after reboot? this is new here since systemd13:24
Aisoni'm not sure how to do it right13:25
Aisonis there some special systemd service I have to enable to use lvm2?13:25
ronatorAison: did you upgrade?13:30
Aisonronator, I just try to upgrade13:33
ronatorusually, an upgrade should convert start scripts to systemd - let me check here ...13:33
ronatorAison: this won't really help but you are not alone: https://serverfault.com/questions/199185/logical-volumes-are-inactive-at-boot-time#20058013:35
jamespagefrickler: the one in newton2 works OK - I basically copied forward the 10.0.3 orig-static.tar.gz13:40
jamespage10.0.4-0ubuntu1 was rejected from the UNAPPROVED queue - will upload with the older renamed tarball to avoid the break13:40
jamespagefrickler: need to update the refresh process to use upper-constraints13:41
ronatorAison: Do you have a "lvm2-monitor.service" anywhere on your system?  I have on ubuntu server 16.04.2 these in /lib/systemd/system: lvm2-lvmetad.service,  lvm2-lvmetad.socket,  lvm2-lvmpolld.service, lvm2-lvmpolld.socket, lvm2-monitor.service, lvm2-pvscan@.service, lvm2.service13:42
ronatorAison: if you dont, this could be a reason but I do not know your whole system history :D13:43
ronatorAison: maybe look also for help in chan #systemd?13:43
=== Tm_K is now known as Tm_T
fricklerjamespage: cool, thx13:47
Aisonronator, just checking...14:01
Aisonronator, lvm2-monitor.service was already enabled14:03
fricklerjamespage: confirmed the newton2 build works fine for me, thx again14:03
ronator"systemd-analyze" is a great command, maybe read about it and see if you can find the problem ?!?14:04
ronator@ Aison14:04
Aisonmaybe the problem is, that /var is on lvm device?14:04
ronatorwell, if thats the case, there should be logs about it, like in "dmesg" or syslog14:05
ronatoris the system booting fast?14:05
ronatorconsiderable?14:06
ronator'systemd-analyze blame' can show you where systemd spends most time on while booting; may be of help ...14:06
Aisonronator, no, it hangs at mounting the lvm devices for 90seconds14:08
Aisonthen I can enter the admin password14:08
Aisonronator, in #systemd they tell me to mount /var in initrd14:10
Aisonhow to do that with ubuntu?!? never changed my initrd14:10
ronatorI read it ...14:11
AisonI thought in initrd it is also done by systemd14:12
ronatorI am not sure how he/she meant it, that's why I kept silent to see if I can also learn sth. :D14:13
ronatorAison: let's see if he gives an example. should be possible to apply that to ubuntu similarly14:15
fallentreeinitrd is required only to host tools required to mount root. why would you want to mount var in it?14:18
macskayhi guys, im investigating an issue on my server. i have dovecot service running and it kept telling me that a user i created tries to connect every minute at around the same second-value. i therefore did a "netstat -nputw | grep :25" which shows me a TIME_WAIT: "tcp        0      0 127.0.0.1:49190         127.0.0.1:25            TIME_WAIT   -" is there a way to determine what process belonged to 49190 prior to the14:26
macskaytime_WAIT14:26
AisonI also think my ssd is broken....14:29
ronatorfallentree: that was a suggestion from #systemd due to not mounted /var LVM device after reboot14:29
ronatorAison: you should check that first :)14:29
hehehehehe14:29
fallentreeit's a stupid suggestion (and no wonder it comes from systemd).14:30
fallentreemacskay: probably not, btw dovecot has nothing to do with port 2514:31
=== Guest6511 is now known as med_
hehehehi fallentree  :)14:39
hehehefallentree:  I nearly made your suggestion work, but something is yet to work :) I think it may work soon14:39
hehehefallentree: if I add root to www-data group I also need to change socket ownership right?14:42
heheheor not14:42
hehehenah14:42
heheheI am just figuring out why its yet to work14:42
fallentreewhy would you add root to www-data group?14:45
fallentreeroot is omnipotent you don't need to add it to a group14:45
hehehefallentree: whats what u said yesterday14:45
heheheI was also wondering wtf is that14:45
hehehe:D14:45
fallentreeI never said add root to www-data14:46
fallentreeI may have said you chown root:www-data <dirs>/<files>, so that 750 on dirs and 640 on files can work, assuming nginx runs as www-data.14:48
hehehe the better setup is where the files are owned by root, in group www-data14:48
fallentreeI also may've said if you needed sftp access, you add nginx user and php-fpm user into the sftp user's group14:48
heheheyes I misunderstood14:48
heheheanyway I done chown14:49
heheheand14:49
hehehehttps://paste.ngx.cc/9d14:49
fallentreehehehe: so, is EVERY component in the path /home/op/gd.com/*   readable to the nginx user?14:50
hehehecomponent means file?14:51
fallentreeevery element of the path14:51
fallentreehome, op, gd.com, anything under gd.com14:51
hehehehmm14:52
heheheI dont know14:52
hehehesince  after chown root:www-data www-data dont own da files14:52
heheheaccording to new permissions it would have to be a group member14:53
hehehe:)14:53
hehehegoing to add it to a group14:53
fallentreeright, and that's why g+r is required so g (in this case www-data, for root:www-data owned paths)14:54
fallentreeadding WHAT to WHICH group?14:54
hehehe g +r means?14:54
fallentreereadable to group14:54
fallentree(check chown manpage)14:54
heheheok 1 moment14:54
fallentreebtw if "op" is some user and /home/op is its home dir, then you have a problem there14:55
fallentreefirst, having root:www-data owned files in op's home makes zero sense14:56
heheheits not a user14:56
heheheits a simple directory14:56
fallentreeso what's inside /home/op except gd.com ?14:56
hehehenothing14:56
hehehejust gd.com14:56
hehehein fact I will double check now14:57
heheheyes thats it14:57
fallentreeright, so, chmod 755 /home,    chmod 755 /home/op,     chown -R root:www-data /home/op/gd.com14:57
fallentreeand use whatever method you're comfortable with to set dirs to 750 and files to 640, under (and including) /home/op/gd.com14:58
fallentreelike,    find /home/op/gd.com/ -type f -exec chmod 640 {} \;14:58
heheheyes I done find stuff14:58
fallentreeand find /home/op/gd.com/ -type d -exec chmod 750 {} \;14:58
hehehehowever chmod 755 /home  why?14:59
hehehethere may be other users stuff, its  not  a problem?14:59
fallentreebecause it'd default directory for user accounts and in itself should be accessible to all users14:59
heheheoki14:59
fallentree*it's14:59
fallentree /home should be world accessible, but individual paths in home, assuming user home dirs, should not15:00
fallentreebut since you said op is not a user... well... you're going against standards. better put root owned sites under /var/www15:00
heheheyes later I can do that15:00
hehehemy friend said if I put in home it can fool some crackers15:01
hehehemaking it harder to hack lol15:01
fallentreethat's stupid15:01
heheheyes by now it seems stupid15:01
=== danpawlik is now known as _danpawlik
heheheok nearly there15:03
hehehechown -R root:www-data /home/op/gd.com - this command permits what?15:03
heheheit simply changes ownership15:04
heheheok15:04
fallentreeit recursively sets ownership to root:www-data to all files and folders under (and including) gd.com15:04
fallentreecheck the manpage15:04
fallentree`man chown`15:04
fallentreethe manuals are your best friends.15:04
heheheok so only thing I did not do before was to set 755 to op dir15:05
heheheI set it to 75015:05
hehehethat caused issue right?15:05
fallentreedepends on who owned it15:05
heheheit was owned by root:www-data15:06
fallentreethat's accessible to www-data group15:06
hehehefallentree: that is clear, but how nginx www-data user is accessing it? he is member of www-data group by default?15:06
heheheI am getting some hackers guide to servers soon :D15:07
hehehealso system/storage/modification/ is not writable. open cart want some directories writeable but by whom?15:08
hehehegroup?15:08
fallentreeuse `id www-data` to check that.   `man id` for more info on the command.15:08
heheheso simple15:08
heheheawesome15:09
hehehe:)15:09
hehehefallentree: also for extra security set config.php to 440?15:14
heheheor no need since if root is hacked it wont do anything anyway15:14
hehehe:)15:14
heheheso 640 is as secure15:14
Ussatif root is hacked, all bets are off15:16
heheheye15:16
hehehedirs that app want to be writeable have to be set to 770?15:17
heheheread write execute15:17
fallentreeit's another layer of security.15:17
hehehefallentree: what is?15:17
fallentreechmod 440 instead 64015:17
fallentreethat is, u-w15:17
hehehefallentree: what makes it extra layer?15:17
fallentreethat root can't write it without chmodding it first15:18
fallentreethere are classes of RCE which can try append/modify a file or mmap, but can't execute a chmod15:18
heheheRCE?15:18
fallentreeso every protection counts, every little detail is important. if you can 440, then do it.15:19
fallentreeRemote code Execution15:19
heheheyes I can do it15:19
hehehefallentree: also open cart wants some dirs writeable by group is that normal safe practise?15:19
heheheI think yes its for cache and images etc15:20
fallentreesure, file uploads for example15:20
fallentreeyeah cache and other stuff generated by php15:20
fallentreebut those paths are most frequently abused to upload and execute PHP code15:20
hehehewell what can be done to null such attempts?15:21
fallentreebest thing would be to be extra sure that the web server won't call the PHP handler from those paths15:21
hehehethat can be done in php config file right?15:23
fallentreeno, in nginx15:23
hehehedo you know how to do it?15:23
fallentreeit depends on the directory structure and many other factors15:24
fallentreeI have no idea what opencart has15:24
hehehecool15:25
heheheI am also installing metasploiter15:25
heheheto check site for common holes15:25
heheheif any15:25
fallentreenice. I have to go now, bbl15:25
hehehecool15:26
heheheoverall folks its better to hire sysadmin from same country and log all stuff on server?15:26
hehehecause some hire remote sysadmins from say bangladesh - if there is arguments etc he can simply screw server15:27
hehehecause who is going to go there to locate him etc :D15:27
naccjamespage: ack, i'll just check the manpages and stuff and then upload today, probably15:49
ChmEarlany advice to upgrade to pbuilder 0.228.7 on Xenial?15:51
ChmEarlmaybe, backport from Zesty?15:54
smosernacc, ping.15:57
smoserhttp://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html15:57
smosercan you explain to me why open-iscsi would be stuck in proposed ?15:57
naccsmoser: pong15:57
smoseroh... no -udebs. hmmm.15:57
smoserlibisns0 is available15:57
smoserat needed version, but no -udeb i guess ?15:57
naccsmoser: there's a MIR filed15:57
naccsmoser: it's c-m15:57
naccsmoser: LP: #168996315:58
ubottuLaunchpad bug 1689963 in open-isns (Ubuntu) "[MIR] open-isns" [Undecided,New] https://launchpad.net/bugs/168996315:58
smosernacc, thanks.16:00
naccsmoser: np16:00
jamespagenacc: great thankyou!16:37
naccjamespage: np16:37
heheheseems nice16:53
hehehewho here used it?16:53
hehehehttps://book.serversforhackers.com/ :)16:53
=== hehehe is now known as hehehe_offline
ChmEarlpbuilder backport for Xenial: https://paste.debian.net/plain/97134717:10
naccChmEarl: wrong channel? ...17:11
=== JanC_ is now known as JanC
zerocool443hi17:25
naccjamespage: the biggest thing from the updated celery that will probably get hit is that many of the commands (celeryd, celerybeat, celeryd-multi) are gone. Replaced by `celery` subcommands (worker, beat and multi respectively) -- not sure if that matters for openstack itself or not17:49
The_TickI'm trying to figure out how in the world to change both the hostname and fqdn on my ubuntu server box18:11
The_TickI'm using 14.04.5 LTS, /etc/hosts modification doesn't seem to do a thing, hostnamectl set-hostname doesn't seem to have a way to set the fqdn18:12
The_TickI'm finding a lot of random on google but nothing else, any help is appreciated18:13
naccThe_Tick: /etc/hosts is used for name resolution, not setting the hostname. (see `man hosts`)18:13
naccThe_Tick: `hostnamectl` (I thought) is a systemd thing18:14
dpb1nacc: having your host wrong there is problematic though. (/etc/hosts)18:14
naccdpb1: absolutely18:14
naccdpb1: but changing values there won't change your hostname18:14
dpb1+118:14
naccThe_Tick: the underlying file is /etc/hostname, iirc18:14
naccThe_Tick: `man 1 hostname` may help18:14
The_Tickoof just got it18:15
The_Tickhostnamectl and /etc/cloud/templates/hosts.debian.tmpl18:15
Aisoni'm still stuck at initramfs that should activate lvm volumes18:23
AisonI dont get it ;(18:24
Aisonsince zesty, no lvm is activated on my machine18:24
AisonI always have to do it manually18:24
Aisonis that a problem of my lvm.conf or initramfs?18:24
naccAison: when you get dropped the shell, are you able to debug why it failed?18:25
nacce.g., systemctl status lvm2 or whatever18:25
Aisonlvm2.service is masked18:25
Aison;)18:25
ChmEarlAison, check for a hook: /usr/share/initramfs-tools/hooks/LVM18:25
naccAison: and how do you activate it?18:26
jamespagenacc: celery is not actually used by openstack; they just share a common dependency in kombu and one blocks the other with proposed migrations18:26
Aisonlvchange -ay alv018:26
naccjamespage: ah ok18:26
Aisonthis way all logical volumes of logical group alv0 are activated18:26
db`Hi nPeople!18:27
db`How do I verify DMARC record for a subdomain?18:27
db`It always fails when I mail from a subdomain. SPF passes, since I added the IP to SPF record already.18:27
db`I also added a dmarc record for the subdomain, still it fails.18:28
naccjamespage: just getting the autopkgtests to pass and i should be able to upload18:31
IShavedForThis_I can't seem to get my vpn tunneled transmission to work anymore and I'm not sure what broke it, could anybody help?18:42
IShavedForThis_https://www.htpcguides.com/force-torrent-traffic-vpn-split-tunnel-debian-8-ubuntu-16-04/18:42
IShavedForThis_that was the guide I used and it worked for a few months up until about last week18:42
Aisonwhen I use auto_activation_volume_list = [ "alv0" ]18:44
Aisonthen it is auto activated18:44
Aison(though an empty auto_activation_volume_list should auto activate all volumes...)18:44
Aisonbut mounting still doesn't work, since the activation is too late ;)18:45
ChmEarlAison, sudo udevadm info --name=<PV> | grep SYSTEMD_WANTS  <-- I think this ENV var is missing on Zesty18:50
ChmEarl^^ same thing on Stretch18:50
AisonChmEarl, systemd_wants is not defined18:51
ChmEarlthis is an old bug filed in Sid 2 years ago18:52
ChmEarlthe lvm2-pvscan@.service is broken as a result18:52
Aisonand is there a workaround?18:53
ChmEarlyes, you copy the 69*rules to /etc/udev/rules.d/69-lvm-metad.rules and patch it18:54
ahasenacknacc: hi, question18:55
ahasenacknacc: if https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1668940 is sru'ed, it will introduce a libcephs1 dependency into samba-vfs-modules. That's generally frowned upon?18:55
ubottuLaunchpad bug 1668940 in samba (Ubuntu Yakkety) "[FFe] samba-vfs-modules misses ceph vfs module" [Undecided,New]18:55
ahasenackit's a new feature per se. The "bug" is that we included the manpage of the ceph module, just not the module itself. Another way to fix it would be to remove the manpage ;)18:56
AisonChmEarl, where do I get these files?18:56
Aisonand the patch? :P18:56
ChmEarlAison basic idea is to add in the 3 ENV vars: https://paste.debian.net/plain/97135618:57
ChmEarlAison that patch is quite old so the context might be changed18:57
Aisonok18:58
ChmEarlAison test with:  sudo udevadm info --name=<PV> | grep SYSTEMD_WANTS18:58
ChmEarlPV is the physical volume with your VG's18:58
Aisonyes, I already tested18:58
Aisonthere is only SYSTEMD_READY=118:59
ChmEarlAison,  the patch is invisible19:00
ChmEarlpatch it, test again19:00
ChmEarlfind the 69*rules under /usr/lib, copy it to /etc/udev*, patch it19:02
ChmEarlAison I did this in Stretch & Zesty19:02
ChmEarlAison, original bug was found by M Biebl in #debian-systemd on OFTC19:03
ChmEarlhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791869#20919:05
ubottuDebian bug 791869 in lvm2 "lvm2: updating src:lvm2 from 2.02.111-2.2 to 2.02.122-1 breaks booting, mounting LVs other than / fails" [Grave,Fixed]19:05
AisonI guess I have to do update-initramfs -u ?19:10
Aisonbug report with some spam at the end19:11
ChmEarlAison, I hesitate to post that BTS since its 2 years ago19:12
Aisonhmm, still not working19:13
Aisonlooks like this udev is simply ignored19:13
ChmEarlAison, lvmetad.socket  enabled,  lvm2-lvmpolld.socket    enabled,  lvm2-monitor enabled19:18
ChmEarl^^ only these are enabled19:19
Aisonwell, I can't even see the env vars with udevadm info19:19
ChmEarlAison, if you add the major/minor for your PV here:  lvm2-pvscan@.service what happens19:22
ChmEarlAison, this patch fixed it for me in 2 very different contexts, so I think it should work19:24
Aisonlvmetad.socket and lvmpolld.socket is present19:25
Aisonwhen I type systemctl, is the order of the services the order they were executed?19:25
Aisonlvm2-monitor is also enabled19:27
AisonChmEarl, the funny thing is, as soon as I type lvchange -ay alv0, everything works is is mounted19:29
Aisonso strange...19:29
dpb1nacc: ok, so where autopkgtest runs, what is the network like.  is there an http_proxy etc?19:33
AisonChmEarl, how do you mount the lvm then? by uuid?19:33
Aisonor by name?19:34
dpb1nacc: I'm assuming it's fine for boto to have network-dependent tests.19:34
db`If I'm wanting to copy all files/folders inside a directory to remote server using rsync, do I need to use option -r ?19:37
db`I just see rsync -avz in tutorials.19:37
AisonChmEarl, and do you use auto_activation_volume_list in lvm.conf?19:37
dpb1db`: read the manpage and look at -a: -a, --archive               archive mode; equals -rlptgoD (no -H,-A,-X)19:37
dpb1db`: go look up what each of those flags means for -a, it's a fun read. :)19:38
db`sure19:39
ChmEarlAison, all defaults19:39
Aisonok19:39
Aisonone thing is very very strange. even when the volumes are activated and visible in /dev/mapper/19:40
Aisonthey are not mounted by systemd19:40
db`dpb1: so if I use rsync -avz, I hope the files in remote which are NOT present in localhost, will NOT get deleted.19:41
dpb1db`: right, --delete is specifically not bundled in the '-a' option19:42
dpb1for just that reason19:42
db`but I would be using -e19:42
db`it shows several 'deletes' in the man19:43
db`I'm sorry if its a really noobish query.19:43
ChmEarlAison, lvm2-pvscan@.service can activate only as its sequenced by systemd19:43
ChmEarlnot mount19:43
dpb1db`: it's ok, have to start somewhere.  not following you about several deletes in the man.19:44
AisonChmEarl, do you use .mount files? or fstab?19:44
ChmEarlAison I use the lvm2-pvscan@.service to sequence activation before Xen starts so my VM can start from LVM219:45
Aisonbut this service is executed automatically, I guess19:45
db`dpb1:http://prntscr.com/fje9ag19:46
db`hows that supposed to be read?19:46
dpb1db`: the '--delete' options, you mean?19:47
db`yes, if you see it says "-e,19:47
db`and then all the delete types19:47
dpb1db`: ah I see your confusion19:47
dpb1db`: '-e, --rsh' are one entry19:47
dpb1--rsync-path the next entry19:47
dpb1basically, each line is separate.19:48
db`oh19:48
dpb1ya, confusing layout.19:48
db`so what if I just use -e and not anything after that?19:48
dpb1yup, -e will just change the remote shell to use, that's it19:48
db`so -option would by default do the first ones, from the list?19:49
dpb1db`: also the most important option to remember to append '-n'  -- that will do a dry-run and just print out what would be done.19:49
db`sure.19:49
db`thanks19:49
dpb1ok19:49
db`so I can start with rsync -nazv ?19:50
dpb1db`: notice also the difference between --longoption and -avz19:50
dpb1two dashes at the front means a long spelled out option, one dash is like specifying -a -v -z19:51
dpb1just shorthand.19:51
db`right, since -n is short for --dry-run, can I use rsync -navz .. ?19:51
dpb1db`: that is a very sensible starting point, yes.19:51
dpb1and correct on --dry-run being equal to -n19:51
db`sure, thanks.19:51
dpb1nacc: have you ever needed to modify the whitelist for squid.internal?20:17
naccdpb1: no :)20:17
naccdpb1: has the test ever succeeded?20:17
dpb1so I'm guessing that's not it20:17
dpb1from the output it looks like it's getting validish data back from AWS20:17
dpb1lmc20:17
dpb1nacc: ... how do I tell?20:18
dpb1:)20:18
dpb1yes20:18
dpb1I think it did20:18
dpb1marked 'regression' on the proposed migration page20:18
naccdpb1: http://autopkgtest.ubuntu.com/20:19
naccdpb1: heh: http://autopkgtest.ubuntu.com/packages/python-boto20:20
dpb1nacc: so 'regression' is more like 'massive fail'20:20
naccdpb1: last succeed in ... 2015?20:20
dpb1rbasak: it's actually the "unit" tests in python-boto that reach out to the network20:21
* dpb1 looks if there is a disable_network_tests env var or something20:21
rbasak"""In general, tests are also allowed to access the internet. As this20:22
rbasakusually makes tests less reliable, this should be kept to a minimum; but20:22
rbasakfor many packages their main purpose is to interact with remote web20:22
rbasakservices and thus their testing should actually cover those too, to20:22
rbasakensure that the distribution package keeps working with their20:22
rbasakcorresponding web service."""20:22
rbasakhttps://anonscm.debian.org/cgit/autopkgtest/autopkgtest.git/plain/doc/README.package-tests.rst20:22
dpb1that seems to fit python-boto20:23
dpb1:)20:23
rbasakYeah.20:23
rbasakI guess that's the official answer.20:23
dpb1ok thx20:23
naccand it looks like, at least, the version that passed on xenial at some point, did get out to the network20:23
dpb1I'll keep digging on it then.  they seem reliable enough run locally20:23
dpb1nacc: 'nother quick q: since this might require some inline debugging, how do I trigger a hand-rolled test *in that environment*20:24
dpb1nacc: or can I *gasp* get access to the host with an interactive shell?20:25
ahasenackthis debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=82096520:25
ubottuDebian bug 820965 in samba-common-bin "[regression]: net usersidlist: Could not malloc sid array Could not get the user/sid list" [Serious,Fixed]20:25
ahasenackmentions that the fix is in http://git.debian.org/?p=pkg-samba/samba.git;a=commitdiff;h=d29a69420:26
ahasenackbut that is a 404 essentially20:26
ahasenackeven with the full hash20:26
ahasenackI also cloned it with git, and can't find references to the bug in debian/changelog, git grep, or git log20:26
ahasenackit's not the first time I've seen this. Any clue what is going on?20:26
naccdpb1: i think this is where jgrimm got stuck :)20:27
naccahasenack: looks like buggy botting, or something, but it's this version, right? https://anonscm.debian.org/cgit/pkg-samba/samba.git/commit/?h=debian/4.2.14%2bdfsg-0%2bdeb8u1&id=2bbf380759b4a03b86ca3b26c8375024924dc2c720:30
ahasenacknacc: I think so, how can I find the code change based on that?20:31
naccahasenack: ideally you can deduce it from: https://anonscm.debian.org/cgit/pkg-samba/samba.git/log/?h=debian/4.2.14%2bdfsg-0%2bdeb8u120:32
naccahasenack: but the 'fix' was grabbing a new upstream20:32
ahasenackI was expecting the "log msg" search by bug number to find it20:32
naccahasenack: only if they committed it with such a log message :)20:33
ahasenacksince the diff in the bug shows the changelog change20:33
naccahasenack: the d/changelog entry is from: https://anonscm.debian.org/cgit/pkg-samba/samba.git/commit/?h=debian/4.2.14%2bdfsg-0%2bdeb8u1&id=d4092f0849e2ec1c92214da90d052c7947913d1920:33
ahasenackcorrect20:33
ahasenackand "UNRELEASED" at that time20:34
naccahasenack: and since the *git* log doesn't contain any bug #s, it won't show up in the 'log msg' search20:34
naccafaict20:34
ahasenackpowersj: I need some context about http://iso.qa.ubuntu.com/qatracker/milestones/359/builds/117343/testcases/1409/results, can you help a bit?20:36
powersjlooking20:36
ahasenackpowersj: that's a manual test case, right?20:36
ahasenackthat someone once upon a time decided to run?20:36
powersjahasenack: these are manual tests cases placed on the ISO tracker that we ask people to run when we publish alpha/beta/release ISOs20:37
powersjwe (server team) run those tests in an automated fashion as well20:38
ahasenackpowersj: where can I find the last time someone ran it?20:38
ahasenackand, the last automated run for that particular one?20:38
powersjahasenack: so that looks like that failure was reported on Xenial final initial release ISO20:39
powersjthe "latest" by my definition would be on the Xenial .2 point release (16.04.2)20:40
ahasenackI'm thinking maybe the installer does something extra, because I can't see how that test would work by just installing the samba and winbind packages20:40
powersjso I would look at http://iso.qa.ubuntu.com/qatracker/milestones/372/builds/142896/testcases/1409/results which you will see a response from me responding20:40
ahasenackpowersj: was that you going over it manually, or one of the automated runs?20:41
powersjautomated20:41
powersjAt Software selection, choose "Samba server"20:41
powersjthat is choosing the tasksel for samba server20:41
ahasenackwhere can I see the output of that run?20:41
dpb1nacc: btw, any response on my questions? (more rapid debugging, etc)20:42
naccdpb1: sorry, i meant that jgrimm was looking into that because I don't know :)20:42
naccdpb1: i don't believe you can login to the runners, but presumably it's reproducible somewhere20:43
powersjahasenack: if you are on the VPN you can see all the test runs for ISOs here: https://platform-qa-jenkins.ubuntu.com/view/server/20:45
powersjfor the purpose of showing the results I've pastebin that run's syslog here (5MB):20:45
dpb1nacc: and to 'retry' this with debugging?20:45
dpb1nacc: can I commit somewhere and it just picks it up?  can I schedule adhoc jobs?20:46
ahasenackpowersj: checking20:46
naccdpb1: i'm not sure if i follow -- the autopkgtest is following what's in the archive. So if you want to retry it there, you'd need to upload a new version. But uploads aren't typically used for debugging :)20:46
powersjahasenack:  https://paste.ubuntu.com/24851571/20:46
powersjthat's a big paste20:46
powersjthat's the installer output20:47
naccdpb1: I'd probably start with asking the release folks how best to reproduce that env (slangasek, infinity)20:47
ahasenackbetter there than here :)20:47
dpb1nacc: But uploads aren't typically used for debugging -- yes, this is what I was assuming. :)20:47
naccdpb1: that's also why we haven't made much (any) progress on it20:47
dpb1done that already20:47
dpb1ok20:47
dpb1email time20:47
powersjahasenack: https://paste.ubuntu.com/24851587/ that's the yaml of the test cases result20:48
powersjwhich says "    /bin/sh: 1: tsetup/setup.sh: Permission denied" *sigh*20:49
ahasenackpowersj: I'm trying to find in the output where "net usersidlist" is run, according to the test case20:49
ahasenackhm, it didn't run then?20:50
* ahasenack branches lp:ubuntu-test-cases/server/testsuites/samba-server/20:52
ahasenackops, enoperm20:52
=== hehehe_offline is now known as hehehe
hehehe:)))20:53
hehehewhat is sticky bit?20:53
heheheif you have write + execute permissions on a directory, you can {delete,rename} items living within even if you don't have write permission on those items. (use sticky bit to prevent this)20:54
ahasenackhehehe: /tmp is an example of a directory that has the sticky bit set20:55
ahasenackhehehe: everybody can write to it, but only the owner (and root) of a file/directory can remove it from inside /tmp20:55
powersjwell now I get to find out when this test stopped working and why it isn't marked as failed :\20:55
heheheahasenack: and how do you set sticky bit20:57
ahasenackhehehe: with chmod(1)20:58
ahasenackhehehe: chmod +t <directory> sets it, for example (there is also an octal syntax)20:58
hehehecool20:59
heheheand I also noticed while I use say chmod 75520:59
hehehethere is sometimes 0 before?21:00
hehehe075521:00
heheheso whats that very first digit for?21:00
ahasenackthat indicates it's a number in the octal base (base 8)21:00
hehehecool21:00
ahasenacklike when you see 0x0A meaning hexadecimal21:00
ahasenackthe 0x prefix means hexadecimal21:00
hehehebut it makes no difference if I use chmod 755 or 0755?21:00
heheheor it does?21:00
naccahasenack: are you sure? I thought leading 0 just means no sticky, setuid or setgid?21:01
ahasenackright, it's a relaxed rule for chmod21:01
naccahasenack: ah ok21:01
ahasenack"Omitted  digits  are  assumed  to  be  leading21:01
ahasenack       zeros"21:01
naccahasenack: right, and numeric parameters to chmod are assumed octal anyways (afaict)21:01
ahasenackyeah21:02
ahasenackit's relaxed21:02
ahasenackleading us to surprises elsewhere where it's not relaxed :)21:02
ahasenacklike yaml21:02
naccheh21:02
ahasenackI banged my head against the table a few times with a yaml file that had something like key: 0921:02
ahasenackand 09 was treated as a string instead of a number21:02
hehehewhat is yaml?21:03
ahasenackit's because it's invalid octal, therefore it must be a string (!)21:03
dpb1nacc: do we ever file bugs for packages stuck in proposed?21:03
dpb1or, is there specifically a bug for this python-boto thing is really what I'm after21:03
powersjahasenack: guess it is glad you brought this up. Looks like that test has been failing to even run for some time :\ other tests appear operational, so I'll dig into why samba hasn't21:03
ahasenackhehehe: loosely, a file format that is both readable by people (meaning it's visually simple) and computers at the same time21:04
heheheok anyways I run opencart app and it wants to access /cache /images  folders - I am thinking of safest permissions i can get away with21:04
hehehe:)21:04
ahasenackpowersj: ok, just one more question21:04
powersjok21:04
ahasenackpowersj: https://platform-qa-jenkins.ubuntu.com/job/ubuntu-xenial-server-amd64-smoke-samba-server/303/console is this also defined by that yaml?21:04
ahasenack"smoke"tests21:04
heheheI tried 770 and it wont display images inside admin bit sometimes21:04
ahasenackor something different21:04
ahasenackand if it's also a false success21:05
naccdpb1: we have -- let me look21:05
ahasenackbecause I see errors, but RETCODE=021:05
powersjahasenack: those errors are red herrings from utah21:05
dpb1mmmmmm, herrings.21:06
ahasenackhehehe: I'm not familiar with that app, sorry. In general, you start with the error, then figure out what it tried to access (which you did), and as which user, then come up with the right permissions21:06
ahasenackpowersj: ok21:06
heheheahasenack: yes21:06
powersjthe YAML I linked to you are the results of test cases after an install which runs the tests themselves21:06
ahasenackpowersj: and it's not the same as that manual test with which we started this conversation, right?21:06
powersjahasenack: it is supposed to be the same21:06
naccdpb1: not finding any bug filed21:06
naccdpb1: this is interesting, though: LP: #51956721:06
ubottuLaunchpad bug 519567 in python-boto (Ubuntu) "euca2ools does not correctly specify port when $http_proxy is set" [Medium,Incomplete] https://launchpad.net/bugs/51956721:06
ahasenackpowersj: the yaml would have the output of that comment I'm looking for, had the test run?21:07
powersjahasenack: yes21:07
ahasenack"net usersidlist", "step 28"?21:07
ahasenackok21:07
powersjlast fall none of these tests were working really at all21:07
powersjI spent a number of weeks going through them, updating them, and getting them all running for the yakkety release21:07
dpb1nacc: yes, I was suspecting something like that.  after I followed up with #is, my next stop was reproing a general squid proxy and see if it can pass when wide open21:07
powersjthey are great when they work ;)21:07
ahasenack:)21:08
naccdpb1: the eventual conclusion may be that we will need the release team to mark this a 'badtest'21:09
naccdpb1: however, iirc, this test passes on debian -- so it'd be good to be sure about that21:09
* ahasenack -> EOD21:10
ahasenackcya tomorrow21:10
dpb1nacc: how can I check that fact21:10
dpb1(passes on debian)21:11
naccdpb1: https://ci.debian.net/packages/p/python-boto/21:11
naccdpb1: says "OK (SKIP=8)" like the last pass on ubuntu21:11
dpb1and not surprisingly, I see no 'http_proxy' in the captured output anywhere21:17
jgrimmnacc, dpb1: sorry, I wasn't actively watching IRC today.. but yes, I think you are on the right path of what's going on with python-boto; i didn't get chance to track it down to root cause but given I could run tests locally fine, i was assuming it was an issue with the test environment.21:24
naccjgrimm: thanks! :)21:25
dpb1jgrimm: hey there21:25
jgrimmnacc, dpb1: an added fun bit was that I was told (i think by steve?) that the firewall rules are potentially different depending where it ends up getting run and magical that only IS knows what they are21:25
dpb1yup21:25
dpb1that matches21:25
jgrimmthat's as far as i got. :)21:25
dpb1good, glad I'm stuck where you were!21:26
jgrimm\o/ cool. documenting the FW rules would be nice to get done if discovered.21:26
dpb1jgrimm: indeed!!  there is a good place for them: https://wiki.ubuntu.com/ProposedMigration/AutopkgtestInfrastructure21:27
dpb1it just lacks mentioning them21:27
dpb1:)21:27
jgrimm:) have fun!21:27
dpb1always21:27
hehehe:)))22:01
hehehefun is food22:01
hehehegood :D22:01
naccjamespage: celery uploaded -- i think it should even pass its dep8 tests now :)23:10
naccor at least it does locally23:10
mwhudsonnacc: hooray23:11
mwhudsoni guess i should unblock the kombu migration23:11
mwhudsonnot that it's going to migrate by itself for weeks anyway23:12
naccmwhudson: right, i can do that once it propagates into proposed (it = celery)23:12
naccmwhudson: jamespage: and excellent, all tests passed in the build on python2.7, python3.5 and python3.6: https://launchpadlibrarian.net/323872413/buildlog_ubuntu-artful-amd64.celery_4.0.2-0ubuntu1_BUILDING.txt.gz23:29
mwhudsonnacc: \o/23:29
naccmwhudson: once it migrates to proposed and the dep8 tests pass there, i'll unblock the bug23:29
naccmwhudson: if that's ok by you23:30
mwhudsonnacc: +123:30
naccmwhudson: thanks23:30
