=== JanC_ is now known as JanC | ||
vbotka | hehehe, FWIW, https://serverfault.com/questions/702945/rsyslog-local-and-remote-logging | 04:50 |
cpaelzer | good monring | 05:29 |
cpaelzer | morning even | 05:30 |
lordievader | Good morning | 09:46 |
soahccc | Hey, could someone with iptable knowledge help me out here and tell me what I am supposed to enter in the last line? I can't quite tell what to put in for the placeholders and I don't want to mess this up. https://unix.stackexchange.com/a/211110 | 12:51 |
lordievader | soahccc_: The {{ROUTE_SOURCE}} should be replaced with the NATted network, the interface is the outgoing interface, and the route target the outside/public ip. | 12:57 |
soahccc | lordievader: Thank you :) I was on the wrong track then. But this seems to work. I now have to figure out how to run a process without root :/ | 13:02 |
lordievader | soahccc_: What do you mean? Running it as a user doesn't do the trick? | 13:03 |
soahccc | Well I can't run it as non-root "setting the network namespace "eth0_a_ns" failed: Operation not permitted" | 13:03 |
lordievader | It makes sense to make network config root only. You don't want some random user be able to change the entire network config. | 13:04 |
soahccc | But I tested it with root and I think this solution doesn't even fix my actual problem. The thing is that I try to get a program running and it works on a different server but on mine it has network problems. I assumed it can't handle multiple IPs on eth0 but I guess I was wrong all along | 13:04 |
soahccc | lordievader: yeah makes sense but I just want to use it there no? | 13:05 |
lordievader | What is the error of the program? | 13:05 |
soahccc | lordievader: it's mono so I guess you will just puke here :D https://gist.github.com/2called-chaos/e8d8f5629cad20c0cc43b989933088d3 | 13:06 |
soahccc | I have two ubuntu 16.04 and it works on the one with one IP so I just have to assume that's it right? | 13:06 |
lordievader | `Error -14 EFAULT bad address in system call argument` doesn't sound like the multiple IPs is the problem. | 13:08 |
lordievader | I have no idea what it (probably the kernel) thinks is a bad address though... | 13:08 |
soahccc | The program unfortunately doesn't have a bind option (just port). I compiled mono the same way on both systems and they both run on the same kernel (4.4.0-83) | 13:09 |
soahccc | So my guess is, it tries to magically detect the IP and it fails when I have secondary addresses. I mean I _could_ try to remove the secondaries for a test but that would kill all my services :D | 13:10 |
soahccc | lordievader: okay I tried to ifdown all eth0:* secondaries and it indeed doesn't change a thing. Do you have any other idea? I compared "ip addr show" on both servers and they were the same essentially. The only thing is that I upgraded this one (where it doesn't work) from 12.04 and it's an older installation whereas the other server was recently installed with 16.04. I have no idea what could have broken there | 13:22 |
lordievader | Same size of subnet too? | 13:23 |
soahccc | Oh actually its /26 vs /27 | 13:24 |
lordievader | Not that that should matter... | 13:24 |
Steve[cloud] | good morning folks | 13:54 |
Steve[cloud] | I'm having an issue with a networking bridge, and I'm not seeing much info on the net about it | 13:54 |
Steve[cloud] | basically I'm attempting to run a bridge almost like a "hub" | 13:55 |
Steve[cloud] | all the traffic from the incoming span port is replicated to all of the veths attached to it | 13:55 |
Steve[cloud] | unfortunately, even after setting the ageing on the bridge to 0 (which should turn off mac learning) I'm still only getting broadcast traffic on the veth | 13:57 |
Steve[cloud] | I know I'm getting everything on the interface, as running tcpdump on the bridge or the int directly works as expected, but not when sniffing from the veth | 13:58 |
lordievader | Not sure if the bridge module can be forced to work as a hub... | 13:59 |
Steve[cloud] | lordievader: I did get it to initially work | 13:59 |
Steve[cloud] | then it just...stopped | 13:59 |
Steve[cloud] | no config changes | 13:59 |
Steve[cloud] | lordievader: I had followed this: http://ask.xmodulo.com/disable-mac-learning-linux-bridge.html | 14:00 |
lordievader | [1] seems to go a bit more in depth. [1] http://www.programering.com/a/MDN4QzNwATk.html | 14:01 |
Steve[cloud] | lordievader: yeah the 4 steps mentioned in the beginning is what I'm trying to accomplish | 14:08 |
Steve[cloud] | directionality issues aren't a concern as the phys is connected to a mirror on the cisco switch | 14:08 |
lordievader | Did you do the xt_TEE steps too> | 14:11 |
lordievader | ? | 14:11 |
Steve[cloud] | oh man....that's hard to read | 14:19 |
zioproto | coreycb: I got the notification to test the stable package for python-cinderclient https://bugs.launchpad.net/python-novaclient/+bug/1559072 | 14:32 |
ubottu | Launchpad bug 1559072 in Ubuntu Cloud Archive newton "[SRU] exceptions.from_response with webob 1.6.0 results in "AttributeError: 'unicode' object has no attribute 'get'"" [High,In progress] | 14:32 |
zioproto | coreycb: but this Xenial package is for Mitaka if I understand correctly | 14:33 |
zioproto | Mitaka I can't really test, because I have everything in newton | 14:33 |
zioproto | Is a Newton package for the Ubuntu Cloud archive for Xenial also going to be released ? | 14:33 |
coreycb | zioproto: yes there's a newton package, and thanks for the reminder needs to be promoted to -proposed. | 14:39 |
coreycb | jamespage: beisner_ : when you have a sec, can you promote python-cinderclient 1:1.9.0-0ubuntu1~cloud2 to newton-proposed? | 14:40 |
jamespage | coreycb: on my list | 15:05 |
coreycb | jamespage: thx | 15:06 |
jamespage | coreycb: done | 15:17 |
coreycb | jamespage: thanks. zioproto: python-cinderclient that should be available shortly in newton-proposed. | 15:18 |
eatingthenight | Quick question, ubuntu 14.04 rsyslog package writes as the user syslog:adm but the logrotate file included with the rsyslog package doesn't set the user properly so after a rotate rsyslog can't write | 15:20 |
eatingthenight | I know I can add the create entry... but this seems like a bug in the package or am I missing something? | 15:20 |
eatingthenight | i purged and reinstalled the package as well to make sure it wasn't some local change I made in the past that messed up the rsyslog confs | 15:21 |
vimart | Hi | 15:47 |
zul | coreycb: btw I added a fix to mistral on Friday thought you should be aware of it | 16:39 |
zul | jamespage: ^^^ | 16:39 |
coreycb | zul: ack thanks | 16:41 |
ahasenack | does anybody know what this error means or what causes it: | 17:48 |
ahasenack | Dpkg: WARNING: Can not find the file name list file for the package update-manager, assuming that the package does not currently have any files installed in the system. | 17:48 |
ahasenack | the actual package doesn't matter, this is being said about basically all of them | 17:48 |
ahasenack | not my system, it's in a bug report | 17:48 |
=== Epx998_ is now known as Epx998 | ||
sarnold | ahasenack: sounds like someone went crazy with rm around /var/lib/dpkg/info/ to try to save space, or their filesystems aren't mounted properly, or btrfs ate their lunch or something | 18:05 |
ahasenack | are these the *.list files in there? | 18:05 |
sarnold | yeah | 18:06 |
DammitJim | so, I have edited my ubuntu servers to NOT automatically do security updates | 20:17 |
DammitJim | one of the reasons I did that was because the /boot partition was getting full (sometimes we don't patch a server for 6 months) | 20:18 |
DammitJim | should I have a larger /boot partition? | 20:18 |
DammitJim | or is it OK to just disable security updates? | 20:18 |
tomreyn | DammitJim: you should just reboot occasionally, and, of course, patch | 20:18 |
tomreyn | once every 6 months is not enough | 20:19 |
tomreyn | daily is sometimes not enough | 20:19 |
DammitJim | oh gosh | 20:19 |
sarnold | DammitJim: how large is that /boot ? I thought newer systems took care of it well for you | 20:20 |
tomreyn | but whether or not you patch and reboot, /boot should not normally store more than 3 kernel images | 20:20 |
DammitJim | 236M | 20:20 |
genii | DammitJim: Might want to read https://help.ubuntu.com/community/RemoveOldKernels#Configure_Unattended_Upgrades_to_Remove_Unneeded_Kernels_Automatically | 20:20 |
tomreyn | doh that's tiny | 20:20 |
sarnold | that's kind of tiny but it ought to be able to handle three, right? | 20:20 |
DammitJim | oh, it can handle 3 | 20:21 |
DammitJim | problem is when we don't patch often | 20:21 |
DammitJim | and it's just not possible to test everything for the amount of servers we would need to patch every month for example | 20:21 |
DammitJim | I don't have those resources | 20:21 |
tomreyn | just install patches automatically and reboot on kernel updates | 20:22 |
sarnold | DammitJim: btw https://usn.ubuntu.com/usn/usn-3353-2/ | 20:22 |
DammitJim | thanks sarnold I'm patching as we speak | 20:23 |
DammitJim | and have resources allocated to test | 20:23 |
DammitJim | tomreyn, things don't work like that in my company | 20:23 |
DammitJim | it takes a LOT of work to get patching done... all apps have to be tested because of bad experiences they've had in the past | 20:24 |
tomreyn | that's a pity. security patches don't normally break stuff. | 20:24 |
sarnold | while we go to great lengths to test our fixes before releasing them, our tests can't cover everything | 20:24 |
DammitJim | that's what said, but can't change that rule at the moment | 20:24 |
sarnold | regressions are a fact of life :( | 20:24 |
DammitJim | sarnold, agree | 20:24 |
DammitJim | I wish I could let the systems just do their thing and walk away... | 20:26 |
sarnold | normally the places that want to test updates before installing them have infrastructures in place to do so cheaply | 20:26 |
DammitJim | oh, we have virtual labs | 20:26 |
DammitJim | and every time a server is tested, the test team has to spend time there | 20:27 |
sarnold | with tests that they can run on the software important to them, so it might take ten minutes to deploy a new system, then install updates, then run for a few hours or day to make sure the applications still work, then they can roll out across the larger infrastructure | 20:27 |
=== Guest85396 is now known as lordievader | ||
=== Epx998_ is now known as Epx998 | ||
hehehe | sarnold: do u use nginx? | 23:04 |
hehehe | I can't compile darn thing with modsecurity - it does not like some flag in compilation | 23:04 |
sarnold | hehehe: I do | 23:04 |
hehehe | sarnold I am getting error | 23:06 |
hehehe | going to pastebin it | 23:06 |
hehehe | https://pastebin.com/H5895e1E | 23:07 |
sarnold | hehehe: see if this is the issue https://bugs.launchpad.net/nginx/+bug/1657596 | 23:09 |
ubottu | Launchpad bug 1657596 in Nginx stable "[PPA] fPIE/fPIC build problems" [Critical,Fix released] | 23:09 |
hehehe | yes I read it | 23:10 |
hehehe | it's fixed in ppa but I compile from scratch | 23:11 |
hehehe | so I need to find tomas fix? | 23:11 |
hehehe | is there easy way to list default cflags? | 23:18 |
hehehe | sarnold: it may well be the issue | 23:25 |
hehehe | but how do I tell compiler where those flags are? | 23:25 |
sarnold | hehehe: you call make with whatever flags you need | 23:27 |
hehehe | yes | 23:27 |
hehehe | I just wonder whats up | 23:28 |
hehehe | sarnold: are you using nginx stable? | 23:28 |
hehehe | and if yes how did you compiled it with modsec? | 23:28 |
hehehe | the configure options | 23:29 |
hehehe | I did compile it with just modsec module it does work | 23:29 |
sarnold | hehehe: 'apt-get install nginx-light" | 23:30 |
sarnold | done and done :) | 23:30 |
hehehe | eee | 23:30 |
hehehe | what is nginx light? | 23:30 |
hehehe | sarnold: why light | 23:31 |
hehehe | it does not have full blown options | 23:31 |
hehehe | and it does not have modsecurity there | 23:32 |
hehehe | or does it? | 23:32 |
sarnold | hehehe: because after reading the sources in the package I asked teward to make it easy to install only things directly from the nginx crew, and then put -that- package in main, and leave the packages with non-nginx-sources in universe. | 23:33 |
hehehe | :) | 23:33 |
hehehe | sarnold: well I am not using nginx from ppa I am compiling it from scratch | 23:35 |
hehehe | nginx from ppa does not come with modsecurity as you said | 23:35 |
hehehe | so how did you compiled nginx with modsecurity? :) | 23:36 |
hehehe | I compiled ubuntu into mac os :) yep just rewrote kernel on weekend | 23:49 |
hehehe | as if | 23:49 |
Epx998 | boss just asked me to build a centos7 unattended, something is afoot | 23:49 |
sarnold | Epx998: oh so -now- they want to run latest releases..:) | 23:52 |
Epx998 | sarnold: for some other team I think | 23:52 |
Epx998 | netboot failed miserably tho so yeah | 23:52 |
hehehe | :))) | 23:57 |
hehehe | folks how do you use ossec? | 23:57 |
hehehe | some neat active response rules to be aware of? | 23:57 |