=== inteus_ is now known as inteus [04:12] can you pass a shell script when using exec with LXD? example (doesn't work): "lxc exec container < script". please don't send me to #lxd, there are 10 people there and nobody answers. [04:14] also, please don't tell me to copy the script.sh file to container folder, exec via "lxc exec container /path/to/script.sh", i tried that. i am hoping to get a more elegant way to do this, to keep big scripts clean [04:25] gheorghe_: #lxcontainers are where everyone hangs out. [04:25] I don't know of a way to do exactly what you are asking, no. [04:26] gheorghe_: ah, found it. [04:26] gheorghe_: echo 'ls -l /var' | lxc exec artful-nis bash [04:27] same would work for cat /script | ... [06:24] dpb1: indeed, this works great. how did you find this? search on google and found nothing [07:06] Good morning [08:13] icey: pls can you do the tag work on https://bugs.launchpad.net/ubuntu/+source/nova-lxd/+bug/1692962 and then its eligible for release [08:13] Launchpad bug 1692962 in nova-lxd (Ubuntu Zesty) "incompatible with storage pool support in LXD 2.12" [High,Fix committed] [11:44] any guide for easily setting letsencrypt certs for landscape [11:44] landscape on premises [12:22] ztane: nothing specific. The landscape frontend is apache (when installed via the packages), or haproxy (when installed with juju), so you should look into how to add letsencrypt to those packages === oerheks is now known as niemand === niemand is now known as oerheks === danpawlik_ is now known as danpawlik [14:06] gheorghe_: checked if lxc exec would pass through stdin, and the help implied it would, then I just tried it. :) [14:37] rbasak: hi, could you please import libapache2-mod-auth-pgsql? :) [14:37] ack [14:37] running [14:37] should be quick [14:45] rbasak: did it fail? [14:45] or is it still running [14:48] Still running. [14:48] interesting [14:49] ahasenack: done and pushed [14:52] rbasak: thx [15:18] if I wanted to chair a server team meeting at some point would I just have to add my name to the list of potential chairs or do I need to have that cleared by someone far higher level up than I am :P [15:19] (just curious) === danpawlik is now known as danpawlik_ [15:22] teward: that's basically it :) [15:22] teward: we trust you to do it, i'd say [15:22] teward: chairing is a chore for us. Nobody will object to you chairing :-) [15:22] (also as nacc says you know what you're doing) [15:23] teward: note the post-meeting tasks at the bottom of https://wiki.ubuntu.com/ServerTeam/KnowledgeBase [15:23] The logs we're doing slightly differently now; we should update the wiki about that. [15:25] rbasak: chairing is a chore, except that with a flexible work schedule here and 100Mbit pipe that I'm allowed to jack right into for some of my projects, it's, in my opinion, a "Necessary during-the-day distraction to keep myself sane" instead of having fifty projects that all demand my attention. [15:25] hey we all have to divert ourselves into productive things during the day that may not be 100% work related, no? [15:25] (for me, that's the server team meetings on Tuesdays heh) [15:26] besides, I pull enough off-hours work that i bill for :P [15:26] Chairing is a chore *for us*. If it gives you a break, please do it! :) [15:27] added myself now :) [15:27] teward: nice :) [15:27] rbasak: and a nice 1h block in my schedule is set away so people don't constantly steal me away - indicates Ubuntu Server Team meeting, plus it being non-billable time xD [15:27] so they can't really yell at me xD [15:28] *drifts back to figuring out why his python code is breaking but only on 14.04 systems* [15:35] rbasak: nacc: dpb1: I added myself to the end of the list of chair candidates, do you want me to put me further up in the list, or no? [15:35] teward: i think that's fine [15:37] cool/. === JanC_ is now known as JanC [15:53] teward: should be fine. next week will be ahasenack's first time charing so I don't want to take that privalege away from him :) [16:27] indeed heh [18:01] hey hey [18:01] if robots.txt is 640 will it work? [18:01] permissions 640 [18:02] teward: having schedule is bad sometimes :D too many demands [18:09] 644 is the usual [18:20] Is there a dpkg or apt command to see what a package is a prereq for? [18:20] Epx998: given package X what packages depend on X? [18:20] nacc: yes [18:20] Epx998: reverse-depends [18:21] Epx998: and apt-cache rdepends [18:21] nacc: you're awesome, thank you. === Piper-Off is now known as Monthrect [18:59] hehehe_off: [2017-06-22 14:02:16] <hehehe_off> teward: having schedule is bad sometimes :D too many demands <-- except when you get to set your own schedule. In which case, ***SCORE*** [18:59] anyways [19:51] teward: :) [19:51] whats the danger of having some directories like images set to 755? [19:52] genii: why 644? [19:53] ok so bot can read it [19:53] got it [19:53] ty [19:53] hehehe_off: So it can never be an executable file and only readable otherwise [19:54] And yes, if 640 then you can't get to it from a webpage or bot [19:54] :) [19:55] genii: what is public got read and execute on some folder [19:55] what can it do? [19:56] apart trying to pass some php code to php fmp [19:56] fpm [19:58] Lets say the file is owned by apache and anyone can write and execute that file. They can replace it with a binary and be able to execute that binary file with whatever rights you've given apache. [20:00] but how they can replace it with binary? [20:01] But what someone would usually try instead is to make a binary which has some exploit to escalate priveleges from apache to root [20:01] makes sense [20:01] as apache cant do much [20:01] how do they load it? :D [20:02] there are many free file upload sites, they clearly got some protection from ot [20:02] it [20:04] hehehe_off: Some people make their webfiles priveleges things like 755 or 777 because they can't figure out what's appropriate. So in that case anyone can just overwrite any of their files with whatever they want to [20:05] * genii wanders back to work [20:25] teward: you're pretty active on AU, right? [20:35] hehehe_off: even if apache can't do much, it will still be able to cause a lot of damage. apache usually has write access on DBs and other data, so corruption can happen and if you don't have a backup, you are dead. that, or a fork bomb. a fork bomb is always fun. doesn't to that much damage, but it is fun. :D [20:36] hehehe_off: think about it this way: you get apache writes on a container that is on a hypervisor with other 50 containers, and RAM and CPU have no limits for the container the apache runs on. if you fork bomb, you kill 50 containers. if you plan the fork bomb in the file and keep accessing it, you will fork bomb the server on each reboot. :D [21:06] :)) [21:07] well here nginx dont have access to db [21:07] :) [21:08] gheorghe_: 5 is read and execute [21:08] how they going to plant file? [21:08] am I missing something? [21:52] if you're running php just assume someone's got remote code execution on your server [22:13] nacc: I believe he's a moderator there [22:17] rbasak: ack, there was a user earlier in #ubuntu who was basically trying to answer AU questions by asking in #ubuntu, then c&p our responses to the AU post. [22:17] rbasak: was wondering if that violates their policies :) [22:20] IMHO it's certainly inappropriate misattribution. [22:21] I don't see anything specific in the CoC but it certainly is against the spirit of it, and askubuntu.com applies the Ubuntu CoC. [22:21] Anyway, I'll leave it to teward :) [22:23] rbasak: and they were sort of belligerent about it all... [22:23] rbasak: but yeah, i'll sync up with teward on it [23:02] sarnold: what are u saying [23:02] :D [23:02] anyways [23:02] u just need to ask long island medium [23:02] and she can tell you if server config is ok [23:02] :D