[04:42] good morning
[05:21] Good morning
=== stokachu_ is now known as stokachu
=== cargonza_ is now known as cargonza
[06:36] cpaelzer: importing
[06:37] thanks rbasak, will you ping me when complete?
[06:39] ack
[06:49] nacc: interesting. Got an error using your branch
[06:49] 07/06/2017 07:37:08 - ERROR:stderr: pristine-tar: Unknown subcommand "verify"
[06:49] 07/06/2017 07:37:08 - WARNING:Tarball at %s has already been imported to Debian
[06:49] with different contents
[06:49] I guess that doesn't exist on Xenial?
[06:49] Though my mistake - I thought I was on master.
[06:51] * rbasak retries from master
[06:54] cpaelzer: done
[06:57] thank you rbasak
=== berglh_ is now known as berglh
=== frickler_ is now known as frickler
=== chmurifree is now known as chmuri
=== thib_ is now known as thib
[11:50] coreycb: I was just reviewing my TODO list, I found that this merge request needs some love: https://code.launchpad.net/~zioproto/ubuntu/+source/python-cinderclient/+git/python-cinderclient/+merge/326291
[11:50] or whoever has time to have a look :)
[11:50] we are carrying this patch in production
[11:50] without it you will not be able to delete a heat stack, where a cinder volume was already deleted manually
[11:51] it is a clean cherry-pick from Ocata
[12:18] zioproto: i think yakkety is EOL
[12:19] zioproto: do we need that on xenial?
[12:23] yes for xenial
[12:23] coreycb: yes for xenial
[12:25] zioproto: ok
[12:47] zioproto: that shouldn't be applicable to xenial since xenial is at webob 1.5.1
[12:48] zioproto: newton is still supported though so we need it there
[12:49] coreycb: I have python-webob 1.6.1-1~cloud0
[12:49] installed from
[12:49] http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/newton/main amd64 Packages
[12:50] makes sense?
[12:50] zioproto: yes that makes sense for xenial with the newton cloud archive
[12:51] so the python-cinderclient patch for the newton cloud archive makes sense, right?
[12:51] I meant the patch to be merged into the newton cloud archive, not in the upstream xenial. I think xenial has only mitaka packages
[13:07] zioproto: i'm going to upload this to xenial and the newton cloud archive. xenial client against newton server would need this.
[13:19] coreycb: ok, is there any other push/commit action required on my side?
[13:20] zioproto: nope, but if you wouldn't mind verifying the fixes once they're in proposed and tagging the bug accordingly, that'd be helpful
[13:20] OK! sure I will do that
[13:22] zioproto: thanks :)
[14:51] nacc: FYI regarding LP: #1658733, I have a fix ready that I'm about to push to Debian, so I took back ownership of the bug
[14:51] Launchpad bug 1658733 in makedumpfile (Ubuntu) "Ubuntu 16.04.2KVM:kdump fails to mount root file system on multipath root device" [Undecided,In progress] https://launchpad.net/bugs/1658733
[15:21] caribou: thanks!
[15:22] nacc: I thought I had lost the fix when I returned my server but as it happens, I had it in git
[15:23] caribou: nice
[15:34] jamespage: beisner: hello, python-cinderclient - 1:1.9.0-0ubuntu1~cloud2 is ready to promote to newton-proposed when you have a moment.
[15:44] coreycb: gotcha
[15:47] jamespage: thanks
=== oerheks_ is now known as oerheks
=== dames is now known as thedac
[17:00] coreycb - did you push cinder in uca already? lmk if not i can
[17:00] beisner_: thanks, i think james got it already.
[17:00] ok cool
[17:36] rbasak: fyi, got good feedback from guido on gbp, i see how to use it 'correctly' now, i'm adjusting my branch with some follow-on commits
[17:45] Sounds good!
=== JanC is now known as Guest56451
=== JanC_ is now known as JanC
[20:36] Is there a command to determine a driver version for a module?
[20:37] modinfo nvidia
[20:39] Epx998, modinfo radeon
[20:39] yeah just found that
[20:39] having problems with the ixgbe driver
[20:39] latest from intel works, but that's not what's being shipped with any kernels I've checked so far
[20:42] ixgbe on this kernel (3.13.0-66) is 3.15, latest from intel is 5.13 - quite out of date
[20:48] Epx998, check the BTS for ixgbe bugs. Might want to use the backport (bpo) kernel for your platform. Is it trusty?
[20:49] ChmEarl: .. no I'm forced to use 12
[20:49] but we are converting slowly to 14
[20:51] Epx998, must admit I'm thinking in Debian terms for this
[20:51] ChmEarl: I think I have a WAR, our netboot is using 3.13.0-32, I am going to build the 5.1.3 ixgbe driver for that kernel and see if I can rebuild the initrd.gz with it.
=== Epx998- is now known as Epx998
[21:31] hmm
[21:33] hello
[21:34] yup
[21:34] is there any sane reason to leave the firewall rule "all outgoing allowed" on?
[21:34] I don't see why it would be required
[21:34] then you should remove it
[21:34] correct
[21:35] I require 80, 443, ssh and the mail port
[21:35] that's it
[21:35] is it wise to change the default ssh port? or no need? cause people can port scan anyway for open ports
[21:35] then deny all traffic and only allow those ports explicitly
[21:36] changing ports does a whole lot of nothing, in terms of security
[21:36] it's a minor annoyance
[21:37] qman yep
[21:37] same goes for disabling ICMP echo replies
[21:37] when I was a DOD contractor, we always used non-standard ssh ports - just cause
[21:38] better to be caught with a non-standard port than with 22 being used - that way IT cannot blame you :D
[21:38] fck that logic :D
[21:38] also couldn't reach the box regardless unless you had a secure vpn tunnel to it directly
[21:39] I'm not with the IT BU, we get audited on crap like ssh ports and all that. buh.
[21:40] there is some Russian site that offers a free site audit :) I tried it - it scans for phpmyadmin
[21:40] that's it
[21:40] but claims to check a lot
[21:40] well unless it checks without leaving traces in the access log, but how
[21:41] https://rescan.pro/
[21:44] so ok I need - incoming ssh - and both incoming and outgoing 80 and 443, right?
[21:44] for a webserver
[21:44] or just incoming 80 and 443?
[21:44] just incoming
[21:45] outgoing, you need to allow established connections
[21:45] (if you don't have an outbound accept policy, anyway)
[21:45] I may need it temporarily to update ubuntu, right?
[21:45] yes, you will need outgoing 80 and 443 to patch using apt
[21:45] I plan to set default outgoing to blocked
[21:46] allow ubuntu repo IP
[21:46] and would also need to allow incoming established connections
[21:46] yes I added 22, 80 and 443 in incoming
[21:47] incoming is a bit confusing since they are downloading data so it seems, but yes they are coming
[21:47] *incoming
[21:48] the ufw status command doesn't show if all outgoing are allowed or not?
[21:48] so far it displays the rules I made
[21:49] also does it make sense to chroot jail nginx?
[21:49] or not
[21:50] I run a webserver where all files are owned by root and the group can only read files :D
[21:50] and php is under www-data which is a www-data group member
[21:54] some trick with | to auto add all servers from sources list to allowed? :D
[21:54] saves typing
[22:11] qman__: it's important for auto security updates
[22:11] :d
[22:19] any decent how-to's on creating a .deb from scratch?
[22:25] https://askubuntu.com/questions/1345/what-is-the-simplest-debian-packaging-guide
[22:29] ufw allow from xxxxx to any port 993
[22:29] what does any stand for?
[22:29] from external ip to any server ip?
[22:29] on port 993
[22:30] also ubuntu servers that host repositories
[22:30] do they change their ip addresses?
[22:30] Epx998: https://www.debian.org/doc/manuals/maint-guide/
[22:30] Epx998: and https://www.debian.org/doc/devel-manuals generally
[22:31] from to is the same as in anywhere?
[22:32] and from anywhere to xxx is the same as out anywhere?
[22:35] that's beyond me, creating a deb
[22:40] Epx998: believe in yourself
[22:41] I concur
[22:41] I can do it too
[22:41] it's just time and action
[22:41] maybe steal the gnu hello package and start there? there might be simpler packages .. but I can't off-hand think of one
[22:41] time*action=result
[22:41] sarnold: heya
[22:41] sarnold: heya
[22:41] good afternoon hehehe :)
[22:46] sarnold: https://pastebin.com/tR2FgmgD
[22:46] looks right? :D
[22:46] allow in http and https and mail out
[22:46] and mail in
[22:47] plus yes I added 22 for ssh
[22:48] hehehe: you'll probably want to allow tcp and udp 53 in and out
[22:49] what for?
[22:49] dns
[22:50] I need dns out to update ubuntu
[22:50] but why in?
[22:50] just to make sure you get dns replies, heh
[22:50] what do u mean?
[22:51] usually if I send say curl or wget I need dns out
[22:51] if I don't use an ip
[22:51] but in?
[22:51] I don't know linux firewalling real well. I don't know if you need to go out of your way to say "dns outgoing requests and the responses"
[22:53] they are required
[22:53] :)
[22:53] else how will it resolve the domain name?
[22:55] and it seems ufw allows both tcp and udp
[22:55] will check soon in iptables
[22:57] yep it does
[22:59] ufw will do different things under different circumstances. if you are using an app rule (allow Bind9), it will use the protocols defined in it, if you use the simple syntax (allow 53) it will allow both tcp and udp. you can specify the protocol in the simple syntax (allow 53/udp)
[23:00] you can also reference services in /etc/services, and it'll use the protocols there (allow smtp)
[23:02] then there is the fuller syntax which has the 'proto' option. it operates like the simple syntax and will allow both tcp and udp if unspecified
[23:02] (all this is in man ufw)
[23:03] jdstrand: does ufw go to some effort to enable conntrack replies? if you e.g. allow dns out, does it conntrack dns replies in too?
[23:04] sarnold: ufw uses connection tracking, yes. ufw by default does not do egress filtering (configurable)
[23:05] you typically don't need to do outbound rules unless you enable egress filtering with 'ufw default deny outgoing'
[23:05] jdstrand: I think hehehe's ruleset did have that
[23:06] 'ufw status verbose' would say for sure
[23:06] so yeah, if you enable egree filtering, you need the out rules
[23:06] ufw allow out 53
[23:07] egress*
[23:07] connection tracking will be in effect there too
[23:07] cool :) definitely uncomplicated :)
[23:08] it tries to be :)
[23:10] how amazing would it be if netboot also shipped with an all inclusive initrd.gz /sigh
[23:10] i did man ufw and all this stuff wasn't there :D
[23:11] also the digital ocean tutorial doesn't mention ot
[23:11] it
[23:11] also http://rdstash.blogspot.com.ee/2013/09/allow-host-with-dynamic-ip-through.html
[23:11] updates the domain's ip in iptables
[23:12] jdstrand: what does egree mean?
[23:12] typo for 'egress'
[23:12] ok :)
[23:16] sarnold: I added a rule for 53, update all yet to work :)
[23:18] also nice $ sudo ufw rule comment 'my cool comment here'
[23:19] if only girls on dating sites knew linux
[23:19] :)
[23:19] is there a trick to adding a compiled driver to a netboot initrd.gz?
[23:21] Epx998: guessing here, could you use update-initrd once you've got /etc/modules populated correctly, and then copy the generated initrd back to the pxe tftp machine?
[23:22] hmm
[23:22] folks - sudo ufw reject 22 comment 'No Hacking Allowed'
[23:22] :)
[23:22] ufw can serve comments when a connection is rejected
[23:23] sarnold: when I tried that method before, preseed and other things did not work - haven't used update initrd tho, I'll give that a try
[23:24] hehehe: probably those comments are simply placed into the generated ruleset without any influence on network packets at all
[23:24] Epx998: ohhh :(
[23:26] they will see them
[23:26] sarnold: normally I expand the initrd.gz, add the udeb I need, then I re-create it. I haven't tried with the system's initrd
[23:27] The deny syntax simply ignores traffic. If you want to let the sender know when traffic is being denied, rather than simply ignoring it, use reject syntax:
[23:31] do these guys change IP sometimes?
[23:31] https://pastebin.com/wZWBev69
[23:31] my plan is to add them each with 80 and 443 out
[23:31] or can I set update all to use only https?
[23:31] to null any potential mitm
[23:36] also is this right?
[23:36] │ "origin=Debian,codename=${distro_codename},label=Debian-Security";_____
[23:36] variables for security auto update
[23:37] :)
[23:37] does not seem like it since it said debian or...
[23:38] sudo dpkg-reconfigure -plow unattended-upgrades
[23:40] y'all still talking about firewalls?
[23:43] yes
[23:43] last bits
[23:43] Exec: any ideas?
[23:43] thing is once it's all working
[23:43] even if there is any malicious code
[23:43] it can do nothing
[23:44] it won't even be able to connect out :D
[23:44] hehehe: http for ubuntu mirrors is fine because the sources are all signed and validated with GPG
[23:44] tarpman: and how does ubuntu verify it?
[23:45] it verifies the signature while applying updates?
[23:46] hehehe: man 8 apt-secure
[23:46] ty
[23:47] tarpman: will those strings catch ubuntu security updates?
[23:47] │ "origin=Debian,codename=${distro_codename},label=Debian-Security";_____
[23:47] just want to make sure, since some tutorials aren't always right
[23:47] hehehe: ubuntu repositories do not use "origin=Debian"
[23:48] https://www.howtogeek.com/204796/how-to-enable-automatic-security-updates-on-ubuntu-server/
[23:48] hehehe: the ubuntu-server installer normally sets up a sane unattended-upgrades config for you. maybe dpkg-reconfigure unattended-upgrades would help. not sure, please read its postinst and see
[23:48] hehehe: please do not trust random blogposts on the internet.
[23:48] yes
[23:51] well I ran the command you suggested
[23:51] and it's the same
[23:51] │ Please specify a value for the unattended-upgrades Origins-Pattern. │
[23:51] and then debian blabla
[23:52] hm
[23:52] I distinctly remember a part in the installer where it asks which (if any) upgrades to install automatically
[23:53] maybe installer magic
[23:54] hehehe: https://help.ubuntu.com/community/AutomaticSecurityUpdates