drab | sarnold: I think I actually figured out a few ways of doing it that are cleaner, but none of them is exactly straightforward | 00:22 |
---|---|---|
drab | the simplest and not that hard is to use squid with eCAP/ICAP | 00:22 |
drab | squid running on the gw I mean | 00:23 |
drab | but at that point that squid does nothing more than taking the request and passing it on with a protocol that includes all the necessary info, including src ip | 00:23 |
drab | and you can cluster that easily | 00:23 |
drab | and cluster the actual content filtering by having multiple backends | 00:23 |
drab | the other option seems to run the gw behind something like LVS, but I'm not sure how that'd work | 00:24 |
sarnold | man the icap website makes even less sense than the ecap website :) | 00:24 |
drab | lol, tell me about it... | 00:24 |
drab | it was quite surprising to figure out the state of both, you'd think they would be fairly "standard", but it seems in OSS land there's little to nothing | 00:25 |
drab | even tho all commercial implementations work on that basis | 00:25 |
drab | generally speaking the OSS CF ecosystem is pretty weak, it | 00:25 |
drab | 's even hard to find which options you have | 00:25 |
drab | the only easily googlable thing is dansguardian, which is deadware | 00:26 |
drab | I found its fork, e2guardian, almost by accident (great project, active devel) | 00:26 |
station | is there an easy way to keep overview over user access management Samba NFS ….. | 01:27 |
station | and user management in general | 01:29 |
android | !kernel | 06:21 |
ubottu | The core of Ubuntu is the Linux kernel: see https://help.ubuntu.com/community/Kernel - You shouldn't have to compile your own, and if you need to troubleshoot issues, you can try a !Mainline kernel instead, but if you insist, see https://help.ubuntu.com/community/Kernel/Compile (see also !Stages) | 06:21 |
lordievader | Good morning | 07:53 |
jambo | anyone here? need some help | 09:23 |
zioproto | hello, how do I add the tags? https://bugs.launchpad.net/python-novaclient/+bug/1559072 | 10:04 |
ubottu | Launchpad bug 1559072 in python-cinderclient (Ubuntu Xenial) "[SRU] exceptions.from_response with webob 1.6.0 results in "AttributeError: 'unicode' object has no attribute 'get'"" [High,Fix committed] | 10:04 |
zioproto | verification-done ? | 10:05 |
zioproto | ok I think I have done it | 10:06 |
rbasak | ahasenack: thought I'd look at some of your pending MPs. | 13:29 |
ahasenack | thx | 13:29 |
ahasenack | rbasak: did you sync cyrus-sasl2? | 13:29 |
rbasak | ahasenack: is everything you have in https://code.launchpad.net/~canonical-server/+activereviews pending review/upload? | 13:29 |
ahasenack | I saw it's up-to-date now | 13:29 |
rbasak | I did fire off cyrus-sasl2 last night. Didn't see if it finished. | 13:30 |
rbasak | I guess it's done then :) | 13:30 |
ahasenack | it worked, thx | 13:30 |
ahasenack | regarding the mps | 13:30 |
ahasenack | there are some nish grabbed that don't show up there anymore | 13:30 |
rbasak | Can you see what happens if you explicitly request an additional review from ~canonical-server in those MPs now? | 13:31 |
ahasenack | they should come back to the list | 13:31 |
ahasenack | let me see | 13:31 |
rbasak | OK. I'll start with your squid3 SRUs now. | 13:31 |
ahasenack | ok | 13:31 |
ahasenack | rbasak: this one, for example: https://code.launchpad.net/~ahasenack/ubuntu/+source/libpam-ccreds/+git/libpam-ccreds/+merge/327829 | 13:35 |
ahasenack | rbasak: going to ask for another review now | 13:35 |
ahasenack | rbasak: done, and now it's in the https://code.launchpad.net/~canonical-server/+activereviews list | 13:35 |
ahasenack | rbasak: going to do the same to the others | 13:35 |
ahasenack | I think that's all | 13:35 |
rbasak | OK. Thanks! | 13:35 |
ahasenack | rbasak: I'm adding test cases to all my MPs now, not just the bug | 13:36 |
ahasenack | rbasak: in the squid one, since the MP is older, I only added the test cases to the bug | 13:36 |
ahasenack | to form the sru template | 13:36 |
rbasak | Why are you adding test cases to the MPs? | 13:37 |
ahasenack | to help reviewers, in the case it's just an artful upload for example, and not an sru | 13:37 |
rbasak | I see, OK. | 13:38 |
rbasak | ahasenack: sorry about the wasted work for Yakkety because of review delay. | 14:18 |
ahasenack | it's experience :) | 14:18 |
rbasak | ahasenack: https://code.launchpad.net/~ahasenack/ubuntu/+source/squid3/+git/squid3/+merge/326860 looks good to upload, thanks! Let me know if you'd like to take my suggestions or not, and I'll sponsor that now. | 14:18 |
ahasenack | let me check | 14:18 |
ahasenack | hm, I have this in my .quiltrc | 14:22 |
ahasenack | QUILT_DIFF_ARGS="--no-timestamps --no-index -pab" | 14:22 |
ahasenack | QUILT_REFRESH_ARGS="--no-timestamps --no-index -pab" | 14:22 |
ahasenack | maybe I added the patch manually | 14:22 |
rbasak | Yeah that could be it. | 14:22 |
rbasak | In that case one quilt refresh after you add it would normalise the patch. I don't usually suggest quilt refreshes, but when adding a patch for the first time it makes sense :) | 14:23 |
ahasenack | rbasak: I see | 14:24 |
ahasenack | that's fine | 14:24 |
ahasenack | rbasak: about the other change, DEP3, since now it's a backport | 14:24 |
ahasenack | rbasak: should we remove my comment about having had to fix a conflict? | 14:24 |
rbasak | I don't mind if it's there or not. It's certainly more informative than the metadata on its own, and I appreciate that. | 14:25 |
ahasenack | ok then | 14:25 |
rbasak | Your choice :) | 14:25 |
ahasenack | I got the opposite comment from nish in another mp :) | 14:25 |
rbasak | Hmm. | 14:25 |
ahasenack | just checking :) | 14:25 |
rbasak | I guess that'll always happen to some extent :-/ | 14:25 |
ahasenack | it's fine | 14:26 |
ahasenack | rbasak: so I pull your changes in and push again? | 14:26 |
ahasenack | or you upload your branch? What's the usual? | 14:26 |
rbasak | No need. I can just upload my branch and tag it. | 14:26 |
ahasenack | please do then, thanks | 14:26 |
rbasak | ack | 14:26 |
rbasak | ahasenack: same quilt -pab thing in https://code.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/+git/rsyslog/+merge/327718. I can just fix up as I upload if you wish? | 14:38 |
ahasenack | yes please | 14:39 |
rbasak | OK | 14:39 |
ahasenack | rbasak: so even when taking the patch as-is from upstream, we prefer that refresh? | 14:40 |
ahasenack | I don't recall if this was the case here | 14:40 |
ahasenack | just wondering in general | 14:40 |
rbasak | That's a fair question. | 14:41 |
rbasak | I prefer it as I don't see any downsides. But other opinions welcome. | 14:42 |
ahasenack | ok | 14:42 |
rbasak | ahasenack: I usually try to credit everyone, so when cherry-picking from git, grabbing the commit author into an Author or From dep3 header is usually trivial. | 14:46 |
ahasenack | rbasak: sometimes there are so many authors | 14:46 |
ahasenack | someone sends a patch to a list (author1), then someone else commits with a slight change (author2), and a distribution grabs it for an older version and fixes conflicts (author3) | 14:47 |
rbasak | Multiple Author fields are permitted in dep3. But upstream need to pick one for the git commit, so we might as well copy that one at a minimum. That needs little thought. | 14:47 |
Guma | I am trying to setup "hosting" of my own deb package on my own ubuntu server 16.04 so I can add my server other machines to be able to install them with apt-get. I will do x64 and arm packages. | 14:52 |
Guma | Can someone point me to some info/online doc to read what and how it needs to be setup on my server. | 14:53 |
rbasak | ahasenack: can you check you're happy with https://code.launchpad.net/~racb/ubuntu/+source/rsyslog/+git/rsyslog/+ref/artful-rsyslog-permitnonkernelfacility-1703987 please? | 14:53 |
Guma | Thank you | 14:53 |
ahasenack | rbasak: checking | 14:53 |
rbasak | Guma: look up "reprepro" | 14:53 |
ahasenack | patch refresh ok, | 14:54 |
ahasenack | checking dep3 | 14:54 |
Guma | rbasak: Thank you for quick reply :)( | 14:54 |
rbasak | Guma: you're welcome. "apt-ftparchive" is quicker, but I'm not sure it can do repositories that support multiple architectures. | 14:55 |
ahasenack | rbasak: good thing on the Author, the git commit didn't credit him specifically | 14:56 |
ahasenack | how did you find his email? | 14:57 |
ahasenack | Trent's | 14:57 |
rbasak | ahasenack: this is a hidden Github feature. | 14:57 |
rbasak | Start from https://github.com/PascalWithopf/rsyslog/commit/5c35619385bbe50979fa417e6f1b14df531b2a4a which you have. | 14:57 |
ahasenack | aha | 14:57 |
rbasak | Append .patch | 14:57 |
rbasak | https://github.com/PascalWithopf/rsyslog/commit/5c35619385bbe50979fa417e6f1b14df531b2a4a.patch | 14:58 |
ahasenack | there you go | 14:58 |
rbasak | If you look that up, you see the "git format-patch" output. | 14:58 |
rbasak | Very useful for cherry-picking etc. | 14:58 |
ahasenack | indeed | 14:58 |
ahasenack | rbasak: so +1 for your changes, thanks | 15:00 |
rbasak | ack | 15:00 |
Guma | rbasak: but reprepro does support multiple arch? | 15:04 |
rbasak | Guma: IIRC, yes. But I could be wrong - please double check. | 15:05 |
=== PaulW2U_ is now known as PaulW2U | ||
drab | anybody familiar with openssl and knows what this error is about: http://dpaste.com/1J452JM | 15:11 |
drab | this is the pvt key for a local CA. I did not create it and someone else passed it to me | 15:12 |
drab | the password seems to be right because if I write something random I get an error about decrypt failed | 15:12 |
drab | digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529: | 15:12 |
ahasenack | drab: what command did you use? Maybe the file is in a different format | 15:13 |
drab | the last two lines about PKCS12 and PEM are the same tho | 15:13 |
drab | ahasenack: I was trying to use it with e2guardian, which is when I realized I had a problem. right now I'm simply doing: openssl rsa -inform pem -in cakey.pem -check | 15:14 |
drab | or with -text -noout | 15:14 |
drab | just to test that I can read the key | 15:14 |
drab | I don't know how the key was created and that person is now on vacation for 3 weeks... | 15:15 |
ahasenack | drab: sorry, was in a meeting | 15:43 |
ahasenack | drab: so just checking, cakey.pem has ascii content, and a header like BEGIN STUFF HERE and below it a line saying it's encrypted? | 15:43 |
ahasenack | and for the love of God, don't paste its contents :) | 15:44 |
drab | np, in the meantime I think I found out how the key was created : openssl genrsa -des3 4096 > key.pem | 15:44 |
drab | ahasenack: :) | 15:44 |
drab | yeah it's ascii so it's pem, not der | 15:44 |
ahasenack | the pkcs12 output was weird | 15:44 |
drab | -----BEGIN ENCRYPTED PRIVATE KEY----- etc | 15:45 |
ahasenack | have you tried "openssl pkcs12" commands? | 15:45 |
drab | I have, couldn't get that to work, but I've never used those before so I might be doing something wrong | 15:45 |
drab | will try again | 15:45 |
ahasenack | iirc pkcs12 has an export password, different than the encryption key | 15:46 |
drab | ahasenack: doesn't matter what pkcs12 cmd I try I get the same format/encoding errors | 15:50 |
drab | per above key was created with openssl genrsa -des3 4096 if that means anything to you | 15:51 |
drab | there doesn't seem to be anything strange in the gen process | 15:51 |
ahasenack | if you create another one like that, can you read it back with openssl rsa? | 15:53 |
drab | good question, trying | 15:53 |
drab | ahasenack: yep it works | 15:55 |
drab | interestingly enough if I typo the password the first two lines of the errors are about the decrypt | 15:55 |
ahasenack | but the file genrsa produced in your test looks just like the cakey.pem one you have? Same headers? | 15:55 |
drab | but there's no second two sets of line about format errors | 15:55 |
ahasenack | yeah, so I think it's decrypting the key, and then trying to parse it | 15:56 |
ahasenack | and it encounters an unexpected structure when trying to parse it | 15:56 |
drab | oh, you're right, no, it's not the same, it's missing two lines after the ----- ... Proc-Type: 4,ENCRYPTED \n DEK-Info: DES-EDE3-CBC,1D80xxxxxxxx | 15:57 |
drab | I wonder what that number after DEK-Info is and how do I get it/if it's diff per key | 15:58 |
* drab tries to gen another key | 15:58 | |
drab | yep, diff number, so can't copy it over, looks like some kind of hash | 15:58 |
drab | I don't get how those lines are missing from the key, I doubt the guy edited them out, it makes no sense | 15:59 |
drab | and also he used that key to gen the CA which works fine... mystery | 15:59 |
drab | the header is actually also diff, the one I just regenerated reads "-----BEGIN RSA PRIVATE KEY-----" and then has that metadata above | 16:01 |
drab | the one I have that's not working says -----BEGIN ENCRYPTED PRIVATE KEY----- | 16:03 |
ahasenack | so cakey.pem does not have this under the header? | 16:04 |
ahasenack | Proc-Type: 4,ENCRYPTED | 16:04 |
ahasenack | DEK-Info: DES-EDE3-CBC,DE3423A9DC4700D0 | 16:04 |
ahasenack | (random key I just created) | 16:04 |
ahasenack | if you just have | 16:04 |
ahasenack | -----BEGIN RSA PRIVATE KEY----- | 16:04 |
ahasenack | and then a blob | 16:04 |
ahasenack | then it's not encrypted | 16:04 |
ahasenack | ah, yours is BEGIN ENCRYPTED ... | 16:04 |
ahasenack | interesting | 16:04 |
ahasenack | it's a different header | 16:05 |
drab | yeah | 16:05 |
drab | I googled around a bit earlier and found this: https://wiki.openssl.org/index.php/Manual:Rsa(1) | 16:06 |
drab | wrong one | 16:06 |
drab | I found a link that had that header BEGIN ENCRYPTED | 16:06 |
drab | https://serverpilot.io/community/articles/how-to-fix-an-encrypted-ssl-private-key.html | 16:07 |
drab | which seems to suggest both are accepted formats | 16:07 |
ahasenack | drab: it could be pkcs8 | 16:07 |
ahasenack | I just managed to convert a cakey.pem to pkcs8 | 16:07 |
ahasenack | and it has the -----BEGIN ENCRYPTED PRIVATE KEY----- header | 16:07 |
ahasenack | drab: http://pastebin.ubuntu.com/25170678/ try to reverse that then | 16:07 |
ahasenack | man pkcs8 | 16:07 |
ahasenack | sorry, another meeting :) | 16:07 |
ahasenack | could depend on openssl version | 16:08 |
ahasenack | drab: I can read that cakey.p8 file I created with openssl rsa -in | 16:10 |
ahasenack | drab: but I have to provide the password that was given when it was converted to pkcs8 | 16:10 |
ahasenack | not the password given when it was created with openssl genrsa | 16:10 |
drab | k, thanks for your help, will keep prodding | 16:10 |
ahasenack | if I give the original genrsa password, I get an error output like yours | 16:10 |
ahasenack | so you need the new pkcs8 password | 16:11 |
ahasenack | that's my take | 16:11 |
=== FunnyLoo_ is now known as FunnyLookinHat_ | ||
drab | that makes sense, however if I try to decrypt with pkcs8 I think I can see I have the right pwd and still getting the error | 16:25 |
drab | openssl pkcs8 -in cakey.pem -inform pem | 16:25 |
drab | agreed that the output looks in pkcs8 as it matches the man page | 16:25 |
drab | if I give the wrong pwd I get a decrypt error, if I use the one I think is right, I once again get the format error | 16:26 |
drab | so I'm not sure why the pwd would be wrong | 16:26 |
drab | but it may be, trying to get hold of the guy to confirm... | 16:26 |
=== FunnyLookinHat_ is now known as FunnyLookinHat | ||
drab | ahasenack: http://dpaste.com/2R68MW1 | 16:46 |
drab | notice how the errors in the case of "right password" are the same, pkcs8 or rsa | 16:46 |
drab | if I try from the beginning, gen'ing a new pem key, then converting to pkcs8 I can't repro the problem | 16:50 |
drab | if I give the wrong password I get the decrypt error | 16:50 |
drab | if I give the right one, even with openssl rsa -in test.p8 -check , it works | 16:51 |
drab | test.p8 being the -----BEGIN ENCRYPTED... | 16:51 |
drab | which is what my non working key looks like | 16:51 |
drab | so I can't repro a case where I don't get the decrypt error, meaning pwd seems correct, but the key still cannot be read | 16:52 |
drab | something is corrupted or different about this file... I've just tried gen'ing a few pems and p8s and they are all of the same length (according to wc -l) | 16:54 |
drab | my non-working key has more lines | 16:54 |
drab | which I can't explain | 16:54 |
drab | but might be a red herring | 16:55 |
tomreyn | doesn't GNU file tell what file format it is? maybe it's actually pkcs #5 or #12 encrypted | 17:01 |
drab | tomreyn: cakey.pem: ASCII text :) | 17:03 |
tomreyn | https://www.cryptopp.com/wiki/Keys_and_Formats#Dumping_PKCS_.238_and_X.509_Keys | 17:03 |
drab | for the pkcs8 files, for the pem straight from genrsa it says PEM RSA private key | 17:04 |
drab | mmmh, dumpasn1 breaks, Error: IA5String contains illegal character(s) etc, 4 errors | 17:08 |
drab | but these are test keys I just gen'ed | 17:08 |
drab | and that I can read just fine | 17:08 |
drab | so for whatever reason doesn't seem reliable to use to test, unless I'm misusing it somehow | 17:09 |
tomreyn | hmm i lack experience myself there, sorry for the bad pointer then. | 17:13 |
tomreyn | asn1 == death | 17:14 |
drab | no worries, appreciate chipping in, at this point I'm just throwing pieces of the puzzle on the table to see if anything catches the eye | 17:18 |
tomreyn | maybe sum it up on a pastebin and try asking in ##crypto - they can be resourceful even if it's a bit OT (as it would be here) | 17:24 |
drab | thanks for the tip, might do that | 17:25 |
tomreyn | there is also openssl asn1parse | 17:27 |
hdon | hi all :) is logrotate responsible for rotating /var/log/syslog? | 17:33 |
ahasenack | drab: I wonder if that's a text file generated by windows perhaps? Check the line ending with "cat -vet cakey.pem" | 17:43 |
sdeziel | hdon: yes, more specifically /etc/logrotate.d/rsyslog is the config snippet managing /var/log/syslog | 18:22 |
hdon | thanks sdeziel | 18:27 |
ice9 | does ubuntu allow root login through ssh by default? | 18:28 |
sarnold | no | 18:30 |
sarnold | ubuntu by default makes the root account very difficult to use, but sudo is very easy | 18:31 |
ice9 | sarnold, are you familiar with ansible, chef etc..? | 18:31 |
Pici | By default it allows it, but not by password authentication. | 18:32 |
ice9 | great, i have added ssh key to root but i'm unable to ssh | 18:32 |
sarnold | ice9: not really | 18:32 |
Pici | I'd just verify that /etc/ssh/sshd_config has PermitRootLogin set to prohibit-password | 18:33 |
ice9 | Pici, actually it's set to 'yes' | 18:36 |
Pici | ice9: in older releases that was the default. Since Ubuntu has a locked password for root by default, it's pretty much the same thing as prohibit-password... as long as key based auth is enabled, which it is by default. | 18:37 |
ice9 | anyway i'm still unable to ssh with key for the root | 18:37 |
sarnold | check logs on client and server? | 18:38 |
sarnold | keep adding -v to the ssh command until it spits out something useful? :) | 18:38 |
=== JanC_ is now known as JanC | ||
thebwt | may not have a shell set either. Ubuntu really locks it down. | 20:00 |
tomreyn | or AllowUsers | 20:10 |
RoyK | icey: probably wrong permissions for /root/.ssh/authorized_keys | 20:46 |
BugeyeD | hi all. looking for a virtualization box ... ubuntu+zfs+docker+kvm+lxd ... can anyone recommend something with similar form factor to the freenas-mini? as in, you've used it and it works well? | 20:54 |
RoyK | BugeyeD: freenas is based on freebsd, not linux | 21:01 |
BugeyeD | RoyK: ya think? | 21:02 |
BugeyeD | i'm asking about harware | 21:02 |
BugeyeD | hardware, even | 21:02 |
RoyK | BugeyeD: no idea about the hardware | 21:08 |
BugeyeD | mini-itx form factor, 4-8 hot-swap drives, IPMI for remote management, enough ram and cpu to do the requested (ubuntu+zfs+docker+kvm+lxd) | 21:09 |
RoyK | should do | 21:10 |
sarnold | poke around https://www.servethehome.com/ I think I've seen them do reviews of cute little things before | 21:11 |
hehehe | is sarnold a new dude here? the one who was asking how to install server with gui? :) | 21:28 |
hehehe | hehe | 21:28 |
hehehe | how are you ubuntu server people? :) | 21:28 |
fluvvell | I boot /dev/md0, but just noticed - [_U] - an element missing, tried to re-add with mdadm --manage --re-add /dev/sdb2 and it said "... is not possible" - given that it's my boot drive, is it because it is mounted? | 22:17 |
fluvvell | will I need to boot to a rescue and do it unmounted or is there something I'm missing (other than a drive!) | 22:18 |
fluvvell | I always thought you could manage raid live, thing is, these fail so seldomly, I don't get lots of practice | 22:19 |
tomreyn | no, it's not because it's mounted | 22:20 |
tomreyn | it should work nevertheless | 22:20 |
tomreyn | so it must be something else. | 22:20 |
fluvvell | tomreyn, thoughts on what to look for? | 22:20 |
fluvvell | smartctl reports it fine | 22:20 |
tomreyn | is this a RAID-1? | 22:21 |
hashwagon | What's the proper useradd line to create a system user? | 22:21 |
tomreyn | hashwagon: adduser --system is the preferred approach on ubuntu, i think | 22:21 |
tomreyn | fluvvell: does 'mdadm --detail /dev/md0' actually suggest that /dev/sdb2 is the device that's missing? | 22:27 |
tomreyn | what's its state? | 22:27 |
tomreyn | if you just 'mdadm -A /dev/md0', does that work? | 22:28 |
fluvvell | Raid1 | 22:29 |
tomreyn | i mean 'mdadm -A --scan /dev/md0' (missed the --scan) | 22:32 |
fluvvell | tomreyn, yes /dev/sdb2 is clean, not active | 22:33 |
fluvvell | tomreyn, md0 is already in use | 22:33 |
fluvvell | tomreyn, State : clean, degraded | 22:34 |
fluvvell | Active Devices : 1 | 22:34 |
fluvvell | Working Devices : 1 | 22:34 |
fluvvell | Failed Devices : 0 | 22:34 |
fluvvell | Spare Devices : 0 | 22:34 |
fluvvell | tomreyn, Raid Devices : 2 | 22:35 |
fluvvell | Total Devices : 1 | 22:35 |
tomreyn | please use a pastebin | 22:36 |
fluvvell | tomreyn, sure, just 4 lines - Ok 6, yeah sorry | 22:36 |
fluvvell | tomreyn, any thoughts? | 22:46 |
fluvvell | tomreyn, actually /dev/sdc2 is the missing device, sorry sdb2 is working, but it won't let me add /dev/sdc2 - my checking is accurate, I'm just reporting it to you backward | 22:57 |
fluvvell | tomreyn, I just look stupid, I try not to act that way. mdadm: --re-add for /dev/sdc2 to /dev/md0 is not possible | 22:58 |
arooni | question: how come when i logged into my vps that i haven't been to in a while i had 86 packages to upgrade. i thought i already set up unattended packages correctly | 23:53 |
sarnold | arooni: I think the unattended-upgrades package just does packages from -security and not from -updates | 23:55 |
sarnold | arooni: .. but I think that as packages are mirrored from -security to -updates that might mean that the unattended-upgrades doesn't notice them | 23:55 |