=== JanC_ is now known as JanC
[04:50] hehehe, FWIW, https://serverfault.com/questions/702945/rsyslog-local-and-remote-logging
[05:29] good morning
[05:30] morning even
[09:46] Good morning
[12:51] Hey, could someone with iptables knowledge help me out here and tell me what I am supposed to enter in the last line? I can't quite tell what to put in for the placeholders and I don't want to mess this up. https://unix.stackexchange.com/a/211110
[12:57] soahccc_: The {{ROUTE_SOURCE}} should be replaced with the NATted network, the interface is the outgoing interface, and the route target the outside/public ip.
[13:02] lordievader: Thank you :) I was on the wrong track then. But this seems to work. I now have to figure out how to run a process without root :/
[13:03] soahccc_: What do you mean? Running it as a user doesn't do the trick?
[13:03] Well I can't run it as non-root: "setting the network namespace "eth0_a_ns" failed: Operation not permitted"
[13:04] It makes sense to make network config root only. You don't want some random user to be able to change the entire network config.
[13:04] But I tested it with root and I think this solution doesn't even fix my actual problem. The thing is that I try to get a program running and it works on a different server but on mine it has network problems. I assumed it can't handle multiple IPs on eth0 but I guess I was wrong all along
[13:05] lordievader: yeah makes sense but I just want to use it there no?
[13:05] What is the error of the program?
[13:06] lordievader: it's mono so I guess you will just puke here :D https://gist.github.com/2called-chaos/e8d8f5629cad20c0cc43b989933088d3
[13:06] I have two ubuntu 16.04 and it works on the one with one IP so I just have to assume that's it right?
[13:08] `Error -14 EFAULT bad address in system call argument` doesn't sound like the multiple IPs is the problem.
[13:08] I have no idea what it (probably the kernel) thinks is a bad address though...
[13:09] The program unfortunately doesn't have a bind option (just port). I compiled mono the same way on both systems and they both run on the same kernel (4.4.0-83)
[13:10] So my guess is, it tries to magically detect the IP and it fails when I have secondary addresses. I mean I _could_ try to remove the secondaries for a test but that would kill all my services :D
[13:22] lordievader: okay I tried to ifdown all eth0:* secondaries and it indeed doesn't change a thing. Do you have any other idea? I compared "ip addr show" on both servers and they were essentially the same. The only thing is that I upgraded this one (where it doesn't work) from 12.04 and it's an older installation whereas the other server was recently installed with 16.04. I have no idea what could have broken there
[13:23] Same size of subnet too?
[13:24] Oh actually it's /26 vs /27
[13:24] Not that that should matter...
[13:54] good morning folks
[13:54] I'm having an issue with a networking bridge, and I'm not seeing much info on the net about it
[13:55] basically I'm attempting to run a bridge almost like a "hub"
[13:55] all the traffic from the incoming span port is replicated to all of the veths attached to it
[13:57] unfortunately, even after setting the ageing on the bridge to 0 (which should turn off mac learning) I'm still only getting broadcast traffic on the veth
[13:58] I know I'm getting everything on the interface, as running tcpdump on the bridge or the int directly works as expected, but not when sniffing from the veth
[13:59] Not sure if the bridge module can be forced to work as a hub...
[13:59] lordievader: I did get it to initially work
[13:59] then it just...stopped
[13:59] no config changes
[14:00] lordievader: I had followed this: http://ask.xmodulo.com/disable-mac-learning-linux-bridge.html
[14:01] [1] seems to go a bit more in depth.
[1] http://www.programering.com/a/MDN4QzNwATk.html
[14:08] lordievader: yeah the 4 steps mentioned in the beginning are what I'm trying to accomplish
[14:08] directionality issues aren't a concern as the phys is connected to a mirror on the cisco switch
[14:11] Did you do the xt_TEE steps too>
[14:11] ?
[14:19] oh man....that's hard to read
[14:32] coreycb: I got the notification to test the stable package for python-cinderclient https://bugs.launchpad.net/python-novaclient/+bug/1559072
[14:32] Launchpad bug 1559072 in Ubuntu Cloud Archive newton "[SRU] exceptions.from_response with webob 1.6.0 results in "AttributeError: 'unicode' object has no attribute 'get'"" [High,In progress]
[14:33] coreycb: but this Xenial package is for Mitaka if I understand correctly
[14:33] Mitaka I can't really test, because I have everything in newton
[14:33] Is a Newton package for the Ubuntu Cloud Archive for Xenial also going to be released?
[14:39] zioproto: yes there's a newton package, and thanks for the reminder, it needs to be promoted to -proposed.
[14:40] jamespage: beisner_: when you have a sec, can you promote python-cinderclient 1:1.9.0-0ubuntu1~cloud2 to newton-proposed?
[15:05] coreycb: on my list
[15:06] jamespage: thx
[15:17] coreycb: done
[15:18] jamespage: thanks. zioproto: python-cinderclient should be available shortly in newton-proposed.
[15:20] Quick question, the ubuntu 14.04 rsyslog package writes as the user syslog:adm but the logrotate file included with the rsyslog package doesn't set the user properly so after a rotate rsyslog can't write
[15:20] I know I can add the create entry... but this seems like a bug in the package or am I missing something?
[15:21] I purged and reinstalled the package as well to make sure it wasn't some local change I made in the past that messed up the rsyslog confs
[15:47] Hi
[16:39] coreycb: btw I added a fix to mistral on Friday, thought you should be aware of it
[16:39] jamespage: ^^^
[16:41] zul: ack thanks
[17:48] does anybody know what this error means or what causes it:
[17:48] Dpkg: WARNING: Can not find the file name list file for the package update-manager, assuming that the package does not currently have any files installed in the system.
[17:48] the actual package doesn't matter, this is being said about basically all of them
[17:48] not my system, it's in a bug report
=== Epx998_ is now known as Epx998
[18:05] ahasenack: sounds like someone went crazy with rm around /var/lib/dpkg/info/ to try to save space, or their filesystems aren't mounted properly, or btrfs ate their lunch or something
[18:05] are these the *.list files in there?
[18:06] yeah
[20:17] so, I have edited my ubuntu servers to NOT automatically do security updates
[20:18] one of the reasons I did that was because the /boot partition was getting full (sometimes we don't patch a server for 6 months)
[20:18] should I have a larger /boot partition?
[20:18] or is it OK to just disable security updates?
[20:18] DammitJim: you should just reboot occasionally, and, of course, patch
[20:19] once every 6 months is not enough
[20:19] daily is sometimes not enough
[20:19] oh gosh
[20:20] DammitJim: how large is that /boot ? I thought newer systems took care of it well for you
[20:20] but whether or not you patch and reboot, /boot should not normally store more than 3 kernel images
[20:20] 236M
[20:20] DammitJim: Might want to read https://help.ubuntu.com/community/RemoveOldKernels#Configure_Unattended_Upgrades_to_Remove_Unneeded_Kernels_Automatically
[20:20] doh that's tiny
[20:20] that's kind of tiny but it ought to be able to handle three, right?
[20:21] oh, it can handle 3
[20:21] problem is when we don't patch often
[20:21] and it's just not possible to test everything for the amount of servers we would need to patch every month for example
[20:21] I don't have those resources
[20:22] just install patches automatically and reboot on kernel updates
[20:22] DammitJim: btw https://usn.ubuntu.com/usn/usn-3353-2/
[20:23] thanks sarnold I'm patching as we speak
[20:23] and have resources allocated to test
[20:23] tomreyn, things don't work like that in my company
[20:24] it takes a LOT of work to get patching done... all apps have to be tested because of bad experiences they've had in the past
[20:24] that's a pity. security patches don't normally break stuff.
[20:24] while we go to great lengths to test our fixes before releasing them, our tests can't cover everything
[20:24] that's what I said, but can't change that rule at the moment
[20:24] regressions are a fact of life :(
[20:24] sarnold, agree
[20:26] I wish I could let the systems just do their thing and walk away...
[20:26] normally the places that want to test updates before installing them have infrastructures in place to do so cheaply
[20:26] oh, we have virtual labs
[20:27] and every time a server is tested, the test team has to spend time there
[20:27] with tests that they can run on the software important to them, so it might take ten minutes to deploy a new system, then install updates, then run for a few hours or a day to make sure the applications still work, then they can roll out across the larger infrastructure
=== Guest85396 is now known as lordievader
=== Epx998_ is now known as Epx998
[23:04] sarnold: do u use nginx?
[23:04] I can't compile the darn thing with modsecurity - it does not like some flag in compilation
[23:04] hehehe: I do
[23:06] sarnold I am getting an error
[23:06] going to pastebin it
[23:07] https://pastebin.com/H5895e1E
[23:09] hehehe: see if this is the issue https://bugs.launchpad.net/nginx/+bug/1657596
[23:09] Launchpad bug 1657596 in Nginx stable "[PPA] fPIE/fPIC build problems" [Critical,Fix released]
[23:10] yes I read it
[23:11] it's fixed in ppa but I compile from scratch
[23:11] so I need to find tomas fix?
[23:18] is there an easy way to list default cflags?
[23:25] sarnold: it may well be the issue
[23:25] but how do I tell the compiler where those flags are?
[23:27] hehehe: you call make with whatever flags you need
[23:27] yes
[23:28] I just wonder what's up
[23:28] sarnold: are you using nginx stable?
[23:28] and if yes how did you compile it with modsec?
[23:29] the configure options
[23:29] I did compile it with just the modsec module, it does work
[23:30] hehehe: 'apt-get install nginx-light'
[23:30] done and done :)
[23:30] eee
[23:30] what is nginx light?
[23:31] sarnold: why light
[23:31] it does not have full blown options
[23:32] and it does not have modsecurity there
[23:32] or does it?
[23:33] hehehe: because after reading the sources in the package I asked teward to make it easy to install only things directly from the nginx crew, and then put -that- package in main, and leave the packages with non-nginx-sources in universe.
[23:33] :)
[23:35] sarnold: well I am not using nginx from ppa, I am compiling it from scratch
[23:35] nginx from ppa does not come with modsecurity as you said
[23:36] so how did you compile nginx with modsecurity?
:)
[23:49] I compiled ubuntu into mac os :) yep just rewrote kernel on weekend
[23:49] as if
[23:49] boss just asked me to build a centos7 unattended, something is afoot
[23:52] Epx998: oh so -now- they want to run latest releases..:)
[23:52] sarnold: for some other team I think
[23:52] netboot failed miserably tho so yeah
[23:57] :)))
[23:57] folks how do you use ossec?
[23:57] some neat active response rules to be aware of?