/srv/irclogs.ubuntu.com/2017/07/25/#ubuntu-server.txt

[00:22] <drab> sarnold: I think I actually figured out a few ways of doing it that are cleaner, but none of them is exactly straightforward
[00:22] <drab> the simplest and not that hard is to use squid with eCAP/ICAP
[00:23] <drab> squid running on the gw I mean
[00:23] <drab> but at that point that squid does nothing more than taking the request and passing it on with a protocol that includes all the necessary info, including src ip
[00:23] <drab> and you can cluster that easily
[00:23] <drab> and cluster the actual content filtering by having multiple backends
[00:24] <drab> the other option seems to run the gw behind something like LVS, but I'm not sure how that'd work
[00:24] <sarnold> man the icap website makes even less sense than the ecap website :)
[00:24] <drab> lol, tell me about it...
[00:25] <drab> it was quite surprising to figure out the state of both, you'd think they would be fairly "standard", but it seems in OSS land there's little to nothing
[00:25] <drab> even tho all commercial implementations work on that basis
[00:25] <drab> generally speaking the OSS CF ecosystem is pretty weak, it
[00:25] <drab> 's even hard to find which options you have
[00:26] <drab> the only easily googlable thing is dansguardian, which is deadware
[00:26] <drab> I found its fork, e2guardian, almost by accident (great project, active devel)
[01:27] <station> is there an easy way to keep overview over user access management Samba NFS …..
[01:29] <station> and user management in general
[06:21] <android> !kernel
[06:21] <ubottu> The core of Ubuntu is the Linux kernel: see https://help.ubuntu.com/community/Kernel - You shouldn't have to compile your own, and if you need to troubleshoot issues, you can try a !Mainline kernel instead, but if you insist, see https://help.ubuntu.com/community/Kernel/Compile (see also !Stages)
[07:53] <lordievader> Good morning
[09:23] <jambo> anyone here? need some help
[10:04] <zioproto> hello, how do I add the tags? https://bugs.launchpad.net/python-novaclient/+bug/1559072
[10:04] <ubottu> Launchpad bug 1559072 in python-cinderclient (Ubuntu Xenial) "[SRU] exceptions.from_response with webob 1.6.0 results in "AttributeError: 'unicode' object has no attribute 'get'"" [High,Fix committed]
[10:05] <zioproto> verification-done ?
[10:06] <zioproto> ok I think I have done it
[13:29] <rbasak> ahasenack: thought I'd look at some of your pending MPs.
[13:29] <ahasenack> thx
[13:29] <ahasenack> rbasak: did you sync cyrus-sasl2?
[13:29] <rbasak> ahasenack: is everything you have in https://code.launchpad.net/~canonical-server/+activereviews pending review/upload?
[13:29] <ahasenack> I saw it's up-to-date now
[13:30] <rbasak> I did fire off cyrus-sasl2 last night.  Didn't see if it finished.
[13:30] <rbasak> I guess it's done then :)
[13:30] <ahasenack> it worked, thx
[13:30] <ahasenack> regarding the mps
[13:30] <ahasenack> there are some nish grabbed that don't show up there anymore
[13:31] <rbasak> Can you see what happens if you explicitly request an additional review from ~canonical-server in those MPs now?
[13:31] <ahasenack> they should come back to the list
[13:31] <ahasenack> let me see
[13:31] <rbasak> OK. I'll start with your squid3 SRUs now.
[13:31] <ahasenack> ok
[13:35] <ahasenack> rbasak: this one, for example: https://code.launchpad.net/~ahasenack/ubuntu/+source/libpam-ccreds/+git/libpam-ccreds/+merge/327829
[13:35] <ahasenack> rbasak: going to ask for another review now
[13:35] <ahasenack> rbasak: done, and now it's in the https://code.launchpad.net/~canonical-server/+activereviews list
[13:35] <ahasenack> rbasak: going to do the same to the others
[13:35] <ahasenack> I think that's all
[13:35] <rbasak> OK. Thanks!
[13:36] <ahasenack> rbasak: I'm adding test cases to all my MPs now, not just the bug
[13:36] <ahasenack> rbasak: in the squid one, since the MP is older, I only added the test cases to the bug
[13:36] <ahasenack> to form the sru template
[13:37] <rbasak> Why are you adding test cases to the MPs?
[13:37] <ahasenack> to help reviewers, in the case it's just an artful upload for example, and not an sru
[13:38] <rbasak> I see, OK.
[14:18] <rbasak> ahasenack: sorry about the wasted work for Yakkety because of review delay.
[14:18] <ahasenack> it's experience :)
[14:18] <rbasak> ahasenack: https://code.launchpad.net/~ahasenack/ubuntu/+source/squid3/+git/squid3/+merge/326860 looks good to upload, thanks! Let me know if you'd like to take my suggestions or not, and I'll sponsor that now.
[14:18] <ahasenack> let me check
[14:22] <ahasenack> hm, I have this in my .quiltrc
[14:22] <ahasenack> QUILT_DIFF_ARGS="--no-timestamps --no-index -pab"
[14:22] <ahasenack> QUILT_REFRESH_ARGS="--no-timestamps --no-index -pab"
[14:22] <ahasenack> maybe I added the patch manually
[14:22] <rbasak> Yeah that could be it.
[14:23] <rbasak> In that case one quilt refresh after you add it would normalise the patch. I don't usually suggest quilt refreshes, but when adding a patch for the first time it makes sense :)
[14:24] <ahasenack> rbasak: I see
[14:24] <ahasenack> that's fine
[14:24] <ahasenack> rbasak: about the other change, DEP3, since now it's a backport
[14:24] <ahasenack> rbasak: should we remove my comment about having had to fix a conflict?
[14:25] <rbasak> I don't mind if it's there or not. It's certainly more informative than the metadata on its own, and I appreciate that.
[14:25] <ahasenack> ok then
[14:25] <rbasak> Your choice :)
[14:25] <ahasenack> I got the opposite comment from nish in another mp :)
[14:25] <rbasak> Hmm.
[14:25] <ahasenack> just checking :)
[14:25] <rbasak> I guess that'll always happen to some extent :-/
[14:26] <ahasenack> it's fine
[14:26] <ahasenack> rbasak: so I pull your changes in and push again?
[14:26] <ahasenack> or you upload your branch? What's the usual?
[14:26] <rbasak> No need. I can just upload my branch and tag it.
[14:26] <ahasenack> please do then, thanks
[14:26] <rbasak> ack
[14:38] <rbasak> ahasenack: same quilt -pab thing in https://code.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/+git/rsyslog/+merge/327718. I can just fix up as I upload if you wish?
[14:39] <ahasenack> yes please
[14:39] <rbasak> OK
[14:40] <ahasenack> rbasak: so even when taking the patch as-is from upstream, we prefer that refresh?
[14:40] <ahasenack> I don't recall if this was the case here
[14:40] <ahasenack> just wondering in general
[14:41] <rbasak> That's a fair question.
[14:42] <rbasak> I prefer it as I don't see any downsides. But other opinions welcome.
[14:42] <ahasenack> ok
[14:46] <rbasak> ahasenack: I usually try to credit everyone, so when cherry-picking from git, grabbing the commit author into an Author or From dep3 header is usually trivial.
[14:46] <ahasenack> rbasak: sometimes there are so many authors
[14:47] <ahasenack> someone sends a patch to a list (author1), then someone else commits with a slight change (author2), and a distribution grabs it for an older version and fixes conflicts (author3)
[14:47] <rbasak> Multiple Author fields are permitted in dep3. But upstream need to pick one for the git commit, so we might as well copy that one at a minimum. That needs little thought.
[14:52] <Guma> I am trying to setup "hosting" of my own deb package on my own ubuntu server 16.04 so I can add my server other machines to be able to install them with apt-get. I will do x64 and arm packages.
[14:53] <Guma> Can someone point me to some info/online doc to read what and how it needs to be setup on my server.
[14:53] <rbasak> ahasenack: can you check you're happy with https://code.launchpad.net/~racb/ubuntu/+source/rsyslog/+git/rsyslog/+ref/artful-rsyslog-permitnonkernelfacility-1703987 please?
[14:53] <Guma> Thank you
[14:53] <ahasenack> rbasak: checking
[14:53] <rbasak> Guma: look up "reprepro"
[14:54] <ahasenack> patch refresh ok,
[14:54] <ahasenack> checking dep3
[14:54] <Guma> rbasak: Thank you for quick reply :)(
[14:55] <rbasak> Guma: you're welcome. "apt-ftparchive" is quicker, but I'm not sure it can do repositories that support multiple architectures.
[14:56] <ahasenack> rbasak: good thing on the Author, the git commit didn't credit him specifically
[14:57] <ahasenack> how did you find his email?
[14:57] <ahasenack> Trent's
[14:57] <rbasak> ahasenack: this is a hidden Github feature.
[14:57] <rbasak> Start from https://github.com/PascalWithopf/rsyslog/commit/5c35619385bbe50979fa417e6f1b14df531b2a4a which you have.
[14:57] <ahasenack> aha
[14:57] <rbasak> Append .patch
[14:58] <rbasak> https://github.com/PascalWithopf/rsyslog/commit/5c35619385bbe50979fa417e6f1b14df531b2a4a.patch
[14:58] <ahasenack> there you go
[14:58] <rbasak> If you look that up, you see the "git format-patch" output.
[14:58] <rbasak> Very useful for cherry-picking etc.
[14:58] <ahasenack> indeed
[15:00] <ahasenack> rbasak: so +1 for your changes, thanks
[15:00] <rbasak> ack
[15:04] <Guma> rbasak: but reprepro does support multiple arch?
[15:05] <rbasak> Guma: IIRC, yes. But I could be wrong - please double check.
=== PaulW2U_ is now known as PaulW2U
[15:11] <drab> anybody familiar with openssl and knows what this error is about: http://dpaste.com/1J452JM
[15:12] <drab> this is the pvt key for a local CA. I did not create it and someone else passed it to me
[15:12] <drab> the password seems to be right because if I write something random I get an error about decrypt failed
[15:12] <drab> digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
[15:13] <ahasenack> drab: what command did you use? Maybe the file is in a different format
[15:13] <drab> the last two lines about PKCS12 and PEM are the same tho
[15:14] <drab> ahasenack: I was trying to use it with e2guardian, which is when I realized I had a problem. right now I'm simply doing: openssl rsa -inform pem -in cakey.pem -check
[15:14] <drab> or with -text -noout
[15:14] <drab> just to test that I can read the key
[15:15] <drab> I don't know how the key was created and that person is now on vacation for 3 weeks...
[15:43] <ahasenack> drab: sorry, was in a meeting
[15:43] <ahasenack> drab: so just checking, cakey.pem has ascii content, and a header like BEGIN STUFF HERE and below it a line saying it's encrypted?
[15:44] <ahasenack> and for the love of God, don't paste its contents :)
[15:44] <drab> np, in the meantime I think I found out how the key was created : openssl genrsa -des3 4096 > key.pem
[15:44] <drab> ahasenack: :)
[15:44] <drab> yeah it's ascii so it's pem, not der
[15:44] <ahasenack> the pkcs12 output was weird
[15:45] <drab> -----BEGIN ENCRYPTED PRIVATE KEY----- etc
[15:45] <ahasenack> have you tried "openssl pkcs12" commands?
[15:45] <drab> I have, couldn't get that to work, but I've never used those before so I might be doing something wrong
[15:45] <drab> will try again
[15:46] <ahasenack> iirc pkcs12 has an export password, different than the encryption key
[15:50] <drab> ahasenack: doesn't matter what pkcs12 cmd I try I get the same format/encoding errors
[15:51] <drab> per above key was created with openssl genrsa -des3 4096 if that means anything to you
[15:51] <drab> there doesn't seem to be anything strange in the gen process
[15:53] <ahasenack> if you create another one like that, can you read it back with openssl rsa?
[15:53] <drab> good question, trying
[15:55] <drab> ahasenack: yep it works
[15:55] <drab> interestingly enough if I typo the password the first two lines of the errors are about the decrypt
[15:55] <ahasenack> but the file genrsa produced in your test looks just like the cakey.pem one you have? Same headers?
[15:55] <drab> but there's no second two sets of line about format errors
[15:56] <ahasenack> yeah, so I think it's decrypting the key, and then trying to parse it
[15:56] <ahasenack> and it encounters an unexpected structure when trying to parse it
[15:57] <drab> oh, you're right, no, it's not the same, it's missing two lines after the ----- ... Proc-Type: 4,ENCRYPTED \n DEK-Info: DES-EDE3-CBC,1D80xxxxxxxx
[15:58] <drab> I wonder what that number after DEK-Info is and how do I get it/if it's diff per key
[15:58]  * drab tries to gen another key
[15:58] <drab> yep, diff number, so can't copy it over, looks like some kind of hash
[15:59] <drab> I don't get how those lines are missing from the key, I doubt the guy edited them out, it makes no sense
[15:59] <drab> and also he used that key to gen the CA which works fine... mystery
[16:01] <drab> the header is actually also diff, the one I just regenerated reads "-----BEGIN RSA PRIVATE KEY-----" and then has that metadata above
[16:03] <drab> the one I have that's not working says -----BEGIN ENCRYPTED PRIVATE KEY-----
[16:04] <ahasenack> so cakey.pem does not have this under the header?
[16:04] <ahasenack> Proc-Type: 4,ENCRYPTED
[16:04] <ahasenack> DEK-Info: DES-EDE3-CBC,DE3423A9DC4700D0
[16:04] <ahasenack> (random key I just created)
[16:04] <ahasenack> if you just have
[16:04] <ahasenack> -----BEGIN RSA PRIVATE KEY-----
[16:04] <ahasenack> and then a blob
[16:04] <ahasenack> then it's not encrypted
[16:04] <ahasenack> ah, yours is BEGIN ENCRYPTED ...
[16:04] <ahasenack> interesting
[16:05] <ahasenack> it's a different header
[16:05] <drab> yeah
[16:06] <drab> I googled around a bit earlier and found this: https://wiki.openssl.org/index.php/Manual:Rsa(1)
[16:06] <drab> wrong one
[16:06] <drab> I found a link that had that header BEGIN ENCRYPTED
[16:07] <drab> https://serverpilot.io/community/articles/how-to-fix-an-encrypted-ssl-private-key.html
[16:07] <drab> which seems to suggest both are accepted formats
[16:07] <ahasenack> drab: it could be pkcs8
[16:07] <ahasenack> I just managed to convert a cakey.pem to pkcs8
[16:07] <ahasenack> and it has the -----BEGIN ENCRYPTED PRIVATE KEY----- header
[16:07] <ahasenack> drab: http://pastebin.ubuntu.com/25170678/ try to reverse that then
[16:07] <ahasenack> man pkcs8
[16:07] <ahasenack> sorry, another meeting :)
[16:08] <ahasenack> could depend on openssl version
[16:10] <ahasenack> drab: I can read that cakey.p8 file I created with openssl rsa -in
[16:10] <ahasenack> drab: but I have to provide the password that was given when it was converted to pkcs8
[16:10] <ahasenack> not the password given when it was created with openssl genrsa
[16:10] <drab> k, thanks for your help, will keep prodding
[16:10] <ahasenack> if I give the original genrsa password, I get an error output like yours
[16:11] <ahasenack> so you need the new pkcs8 password
[16:11] <ahasenack> that's my take
=== FunnyLoo_ is now known as FunnyLookinHat_
[16:25] <drab> that makes sense, however if I try to decrypt with pkcs8 I think I can see I have the right pwd and still getting the error
[16:25] <drab> openssl pkcs8 -in cakey.pem -inform pem
[16:25] <drab> agreed that the output looks in pkcs8 as it matches the man page
[16:26] <drab> if I give the wrong pwd I get a decrypt error, if I use the one I think is right, I once again get the format error
[16:26] <drab> so I'm not sure why the pwd would be wrong
[16:26] <drab> but it may be, trying to get hold of the guy to confirm...
=== FunnyLookinHat_ is now known as FunnyLookinHat
[16:46] <drab> ahasenack: http://dpaste.com/2R68MW1
[16:46] <drab> notice how the errors in the case of "right password" are the same, pkcs8 or rsa
[16:50] <drab> if I try from the beginning, gen'ing a new pem key, then converting to pkcs8 I can't repro the problem
[16:50] <drab> if I give the wrong password I get the decrypt error
[16:51] <drab> if I give the right one, even with openssl rsa -in test.p8 -check , it works
[16:51] <drab> test.p8 being the -----BEGIN ENCRYPTED...
[16:51] <drab> which is what my non working key looks like
[16:52] <drab> so I can't repro a case where I don't get the decrypt error, meaning pwd seems correct, but the key still cannot be read
[16:54] <drab> something is corrupted or different about this file... I've just tried gen'ing a few pems and p8s and they are all of the same length (according to wc -l)
[16:54] <drab> my non working key has more lines
[16:54] <drab> which I can't explain
[16:55] <drab> but might be a red herring
[17:01] <tomreyn> doesn't GNU file tell what file format it is? maybe it's actually pkcs #5 or #12 encrypted
[17:03] <drab> tomreyn: cakey.pem: ASCII text :)
[17:03] <tomreyn> https://www.cryptopp.com/wiki/Keys_and_Formats#Dumping_PKCS_.238_and_X.509_Keys
[17:04] <drab> for the pkcs8 files, for the pem straight from genrsa it says PEM RSA private key
[17:08] <drab> mmmh, dumpasn1 breaks, Error: IA5String contains illegal character(s) etc, 4 errors
[17:08] <drab> but these are test keys I just gen'ed
[17:08] <drab> and that I can read just fine
[17:09] <drab> so for whatever reason doesn't seem reliable to use to test, unless I'm misusing it somehow
[17:13] <tomreyn> hmm i lack experience myself there, sorry for the bad pointer then.
[17:14] <tomreyn> asn1 == death
[17:18] <drab> no worries, appreciate chipping in, at this point I'm just throwing pieces of the puzzle on the table to see if anything catches the eye
[17:24] <tomreyn> maybe sum it up on a pastebin and try asking in ##crypto - they can be resourceful even if it's a bit OT (as it would be here)
[17:25] <drab> thanks for the tip, might do that
[17:27] <tomreyn> there is also openssl asn1parse
[17:33] <hdon> hi all :) is logrotate responsible for rotating /var/log/syslog?
[17:43] <ahasenack> drab: I wonder if that's a text file generated by windows perhaps? Check the line ending with "cat -vet cakey.pem"
[18:22] <sdeziel> hdon: yes, more specifically /etc/logrotate.d/rsyslog is the config snippet managing /var/log/syslog
[18:27] <hdon> thanks sdeziel
[18:28] <ice9> does ubuntu allow root login through ssh by default?
[18:30] <sarnold> no
[18:31] <sarnold> ubuntu by default makes the root account very difficult to use, but sudo is very easy
[18:31] <ice9> sarnold, are you familiar with ansible, chef etc..?
[18:32] <Pici> By default it allows it, but not by password authentication.
[18:32] <ice9> great, i have added ssh key to root but i'm unable to ssh
[18:32] <sarnold> ice9: not really
[18:33] <Pici> I'd just verify that /etc/ssh/sshd_config has PermitRootLogin set to prohibit-password
[18:36] <ice9> Pici, actually it's set to 'yes'
[18:37] <Pici> ice9: in older releases that was the default. Since Ubuntu has a locked password for root by default, it's pretty much the same thing as prohibit-password... as long as key based auth is enabled, which it is by default.
[18:37] <ice9> anyway i'm still unable to ssh with key for the root
[18:38] <sarnold> check logs on client and server?
[18:38] <sarnold> keep adding -v to the ssh command until it spits out something useful? :)
=== JanC_ is now known as JanC
[20:00] <thebwt> may not have a shell set either. Ubuntu really locks it down.
[20:10] <tomreyn> or AllowUsers
[20:46] <RoyK> icey: probably wrong permissions for /root/.ssh/authorized_keys
[20:54] <BugeyeD> hi all. looking for a virtualization box ... ubuntu+zfs+docker+kvm+lxd ... can anyone recommend something with similar form factor to the freenas-mini? as in, you've used it and it works well?
[21:01] <RoyK> BugeyeD: freenas is based on freebsd, not linux
[21:02] <BugeyeD> RoyK: ya think?
[21:02] <BugeyeD> i'm asking about harware
[21:02] <BugeyeD> hardware, even
[21:08] <RoyK> BugeyeD: no idea about the hardware
[21:09] <BugeyeD> mini-itx form factor, 4-8 hot-swap drives, IPMI for remote management, enough ram and cpu to do the requested (ubuntu+zfs+docker+kvm+lxd)
[21:10] <RoyK> should do
[21:11] <sarnold> poke around https://www.servethehome.com/ I think I've seen them do reviews of cute little things before
[21:28] <hehehe> is sarnold a new dude here? the one who was asking how to install server with gui? :)
[21:28] <hehehe> hehe
[21:28] <hehehe> how are you ubuntu server people? :)
[22:17] <fluvvell> I boot /dev/md0, but just noticed - [_U] - an element missing, tried to re-add with    mdadm --manage --re-add /dev/sdb2 and it said    "... is not possible"   - given that its my boot drive, is it because it is mounted?
[22:18] <fluvvell> will I need to boot to a rescue and do it unmounted or is there something I'm missing (other than a drive!)
[22:19] <fluvvell> I always thought you could manage raid live, thing is, these fail so seldomly, I don't get lots of practice
[22:20] <tomreyn> no, it's not because it's mounted
[22:20] <tomreyn> it should work nevertheless
[22:20] <tomreyn> so it must be something else.
[22:20] <fluvvell> tomreyn, thoughts on what to look for?
[22:20] <fluvvell> smartctl reports it fine
[22:21] <tomreyn> is this a RAID-1?
[22:21] <hashwagon> What's the proper useradd line to create a system user?
[22:21] <tomreyn> hashwagon: adduser --system is the preferred approach on ubuntu, i think
[22:27] <tomreyn> fluvvell: does 'mdadm --detail /dev/md0' actually suggest that /dev/sdb2 is the device that's missing?
[22:27] <tomreyn> what's its state?
[22:28] <tomreyn> if you just 'mdadm -A /dev/md0', does that work?
[22:29] <fluvvell> Raid1
[22:32] <tomreyn> i mean 'mdadm -A --scan /dev/md0' (missed the --scan)
[22:33] <fluvvell> tomreyn, yes /dev/sdb2 is clean, not active
[22:33] <fluvvell> tomreyn, md0 is already in use
[22:34] <fluvvell> tomreyn,          State : clean, degraded
[22:34] <fluvvell>  Active Devices : 1
[22:34] <fluvvell> Working Devices : 1
[22:34] <fluvvell>  Failed Devices : 0
[22:34] <fluvvell>   Spare Devices : 0
[22:35] <fluvvell> tomreyn,    Raid Devices : 2
[22:35] <fluvvell>   Total Devices : 1
[22:36] <tomreyn> please use a pastebin
[22:36] <fluvvell> tomreyn, sure, just 4 lines - Ok 6, yeah sorry
[22:46] <fluvvell> tomreyn, any thoughts?
[22:57] <fluvvell> tomreyn, actually /dev/sdc2 is the missing device, sorry sdb2 is working, but it won't let me add /dev/sdc2   - my checking is accurate, I'm just reporting it to you backward
[22:58] <fluvvell> tomreyn, I just look stupid, I  try not to act that way.  mdadm: --re-add for /dev/sdc2 to /dev/md0 is not possible
[23:53] <arooni> question:  how come when i logged into my vps that i haven't been to in awhile i had 86 packages to upgrade.  i thought i already set up unattended packages correctly
[23:55] <sarnold> arooni: I think the unattended-upgrades package just does packages from -security and not from -updates
[23:55] <sarnold> arooni: .. but I think that as packages are mirrored from -security to -updates that might mean that the unattended-upgrades doesn't notice them
