[00:22] sarnold: I think I actually figured out a few ways of doing it that are cleaner, but none of them is exactly straightforward
[00:22] the simplest and not that hard is to use squid with eCAP/ICAP
[00:23] squid running on the gw I mean
[00:23] but at that point that squid does nothing more than taking the request and passing it on with a protocol that includes all the necessary info, including src ip
[00:23] and you can cluster that easily
[00:23] and cluster the actual content filtering by having multiple backends
[00:24] the other option seems to run the gw behind something like LVS, but I'm not sure how that'd work
[00:24] man the icap website makes even less sense than the ecap website :)
[00:24] lol, tell me about it...
[00:25] it was quite surprising to figure out the state of both, you'd think they would be fairly "standard", but it seems in OSS land there's little to nothing
[00:25] even tho all commercial implementations work on that basis
[00:25] generally speaking the OSS CF ecosystem is pretty weak, it
[00:25] 's even hard to find which options you have
[00:26] the only easily googlable thing is dansguardian, which is deadware
[00:26] I found its fork, e2guardian, almost by accident (great project, active devel)
[01:27] is there an easy way to keep an overview of user access management Samba NFS …..
[01:29] and user management in general
[06:21] !kernel
[06:21] The core of Ubuntu is the Linux kernel: see https://help.ubuntu.com/community/Kernel - You shouldn't have to compile your own, and if you need to troubleshoot issues, you can try a !Mainline kernel instead, but if you insist, see https://help.ubuntu.com/community/Kernel/Compile (see also !Stages)
[07:53] Good morning
[09:23] anyone here? need some help
[10:04] hello, how do I add the tags? https://bugs.launchpad.net/python-novaclient/+bug/1559072
[10:04] Launchpad bug 1559072 in python-cinderclient (Ubuntu Xenial) "[SRU] exceptions.from_response with webob 1.6.0 results in "AttributeError: 'unicode' object has no attribute 'get'"" [High,Fix committed]
[10:05] verification-done ?
[10:06] ok I think I have done it
[13:29] ahasenack: thought I'd look at some of your pending MPs.
[13:29] thx
[13:29] rbasak: did you sync cyrus-sasl2?
[13:29] ahasenack: is everything you have in https://code.launchpad.net/~canonical-server/+activereviews pending review/upload?
[13:29] I saw it's up-to-date now
[13:30] I did fire off cyrus-sasl2 last night. Didn't see if it finished.
[13:30] I guess it's done then :)
[13:30] it worked, thx
[13:30] regarding the mps
[13:30] there are some nish grabbed that don't show up there anymore
[13:31] Can you see what happens if you explicitly request an additional review from ~canonical-server in those MPs now?
[13:31] they should come back to the list
[13:31] let me see
[13:31] OK. I'll start with your squid3 SRUs now.
[13:31] ok
[13:35] rbasak: this one, for example: https://code.launchpad.net/~ahasenack/ubuntu/+source/libpam-ccreds/+git/libpam-ccreds/+merge/327829
[13:35] rbasak: going to ask for another review now
[13:35] rbasak: done, and now it's in the https://code.launchpad.net/~canonical-server/+activereviews list
[13:35] rbasak: going to do the same to the others
[13:35] I think that's all
[13:35] OK. Thanks!
[13:36] rbasak: I'm adding test cases to all my MPs now, not just the bug
[13:36] rbasak: in the squid one, since the MP is older, I only added the test cases to the bug
[13:36] to form the sru template
[13:37] Why are you adding test cases to the MPs?
[13:37] to help reviewers, in the case it's just an artful upload for example, and not an sru
[13:38] I see, OK.
[14:18] ahasenack: sorry about the wasted work for Yakkety because of review delay.
[14:18] it's experience :)
[14:18] ahasenack: https://code.launchpad.net/~ahasenack/ubuntu/+source/squid3/+git/squid3/+merge/326860 looks good to upload, thanks! Let me know if you'd like to take my suggestions or not, and I'll sponsor that now.
[14:18] let me check
[14:22] hm, I have this in my .quiltrc
[14:22] QUILT_DIFF_ARGS="--no-timestamps --no-index -pab"
[14:22] QUILT_REFRESH_ARGS="--no-timestamps --no-index -pab"
[14:22] maybe I added the patch manually
[14:22] Yeah that could be it.
[14:23] In that case one quilt refresh after you add it would normalise the patch. I don't usually suggest quilt refreshes, but when adding a patch for the first time it makes sense :)
[14:24] rbasak: I see
[14:24] that's fine
[14:24] rbasak: about the other change, DEP3, since now it's a backport
[14:24] rbasak: should we remove my comment about having had to fix a conflict?
[14:25] I don't mind if it's there or not. It's certainly more informative than the metadata on its own, and I appreciate that.
[14:25] ok then
[14:25] Your choice :)
[14:25] I got the opposite comment from nish in another mp :)
[14:25] Hmm.
[14:25] just checking :)
[14:25] I guess that'll always happen to some extent :-/
[14:26] it's fine
[14:26] rbasak: so I pull your changes in and push again?
[14:26] or you upload your branch? What's the usual?
[14:26] No need. I can just upload my branch and tag it.
[14:26] please do then, thanks
[14:26] ack
[14:38] ahasenack: same quilt -pab thing in https://code.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/+git/rsyslog/+merge/327718. I can just fix up as I upload if you wish?
[14:39] yes please
[14:39] OK
[14:40] rbasak: so even when taking the patch as-is from upstream, we prefer that refresh?
[14:40] I don't recall if this was the case here
[14:40] just wondering in general
[14:41] That's a fair question.
[14:42] I prefer it as I don't see any downsides. But other opinions welcome.
[14:42] ok
[14:46] ahasenack: I usually try to credit everyone, so when cherry-picking from git, grabbing the commit author into an Author or From dep3 header is usually trivial.
[14:46] rbasak: sometimes there are so many authors
[14:47] someone sends a patch to a list (author1), then someone else commits with a slight change (author2), and a distribution grabs it for an older version and fixes conflicts (author3)
[14:47] Multiple Author fields are permitted in dep3. But upstream need to pick one for the git commit, so we might as well copy that one at a minimum. That needs little thought.
[14:52] I am trying to set up "hosting" of my own deb package on my own ubuntu server 16.04 so I can add my server to other machines to be able to install them with apt-get. I will do x64 and arm packages.
[14:53] Can someone point me to some info/online doc to read what and how it needs to be set up on my server.
[14:53] ahasenack: can you check you're happy with https://code.launchpad.net/~racb/ubuntu/+source/rsyslog/+git/rsyslog/+ref/artful-rsyslog-permitnonkernelfacility-1703987 please?
[14:53] Thank you
[14:53] rbasak: checking
[14:53] Guma: look up "reprepro"
[14:54] patch refresh ok,
[14:54] checking dep3
[14:54] rbasak: Thank you for the quick reply :)
[14:55] Guma: you're welcome. "apt-ftparchive" is quicker, but I'm not sure it can do repositories that support multiple architectures.
[14:56] rbasak: good thing on the Author, the git commit didn't credit him specifically
[14:57] how did you find his email?
[14:57] Trent's
[14:57] ahasenack: this is a hidden Github feature.
[14:57] Start from https://github.com/PascalWithopf/rsyslog/commit/5c35619385bbe50979fa417e6f1b14df531b2a4a which you have.
[14:57] aha
[14:57] Append .patch
[14:58] https://github.com/PascalWithopf/rsyslog/commit/5c35619385bbe50979fa417e6f1b14df531b2a4a.patch
[14:58] there you go
[14:58] If you look that up, you see the "git format-patch" output.
[14:58] Very useful for cherry-picking etc.
[14:58] indeed
[15:00] rbasak: so +1 for your changes, thanks
[15:00] ack
[15:04] rbasak: but reprepro does support multiple arch?
[15:05] Guma: IIRC, yes. But I could be wrong - please double check.
=== PaulW2U_ is now known as PaulW2U
[15:11] anybody familiar with openssl and knows what this error is about: http://dpaste.com/1J452JM
[15:12] this is the pvt key for a local CA. I did not create it and someone else passed it to me
[15:12] the password seems to be right because if I write something random I get an error about decrypt failed
[15:12] digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
[15:13] drab: what command did you use? Maybe the file is in a different format
[15:13] the last two lines about PKCS12 and PEM are the same tho
[15:14] ahasenack: I was trying to use it with e2guardian, which is when I realized I had a problem. right now I'm simply doing: openssl rsa -inform pem -in cakey.pem -check
[15:14] or with -text -noout
[15:14] just to test that I can read the key
[15:15] I don't know how the key was created and that person is now on vacation for 3 weeks...
[15:43] drab: sorry, was in a meeting
[15:43] drab: so just checking, cakey.pem has ascii content, and a header like BEGIN STUFF HERE and below it a line saying it's encrypted?
[15:44] and for the love of God, don't paste its contents :)
[15:44] np, in the meantime I think I found out how the key was created : openssl genrsa -des3 4096 > key.pem
[15:44] ahasenack: :)
[15:44] yeah it's ascii so it's pem, not der
[15:44] the pkcs12 output was weird
[15:45] -----BEGIN ENCRYPTED PRIVATE KEY----- etc
[15:45] have you tried "openssl pkcs12" commands?
[15:45] I have, couldn't get that to work, but I've never used those before so I might be doing something wrong
[15:45] will try again
[15:46] iirc pkcs12 has an export password, different than the encryption key
[15:50] ahasenack: doesn't matter what pkcs12 cmd I try I get the same format/encoding errors
[15:51] per above key was created with openssl genrsa -des3 4096 if that means anything to you
[15:51] there doesn't seem to be anything strange in the gen process
[15:53] if you create another one like that, can you read it back with openssl rsa?
[15:53] good question, trying
[15:55] ahasenack: yep it works
[15:55] interestingly enough if I typo the password the first two lines of the errors are about the decrypt
[15:55] but the file genrsa produced in your test looks just like the cakey.pem one you have? Same headers?
[15:55] but there's no second set of lines about format errors
[15:56] yeah, so I think it's decrypting the key, and then trying to parse it
[15:56] and it encounters an unexpected structure when trying to parse it
[15:57] oh, you're right, no, it's not the same, it's missing two lines after the ----- ... Proc-Type: 4,ENCRYPTED \n DEK-Info: DES-EDE3-CBC,1D80xxxxxxxx
[15:58] I wonder what that number after DEK-Info is and how do I get it/if it's diff per key
[15:58] * drab tries to gen another key
[15:58] yep, diff number, so can't copy it over, looks like some kind of hash
[15:59] I don't get how those lines are missing from the key, I doubt the guy edited them out, it makes no sense
[15:59] and also he used that key to gen the CA which works fine... mystery
[16:01] the header is actually also diff, the one I just regenerated reads "-----BEGIN RSA PRIVATE KEY-----" and then has that metadata above
[16:03] the one I have that's not working says -----BEGIN ENCRYPTED PRIVATE KEY-----
[16:04] so cakey.pem does not have this under the header?
[16:04] Proc-Type: 4,ENCRYPTED
[16:04] DEK-Info: DES-EDE3-CBC,DE3423A9DC4700D0
[16:04] (random key I just created)
[16:04] if you just have
[16:04] -----BEGIN RSA PRIVATE KEY-----
[16:04] and then a blob
[16:04] then it's not encrypted
[16:04] ah, yours is BEGIN ENCRYPTED ...
[16:04] interesting
[16:05] it's a different header
[16:05] yeah
[16:06] I googled around a bit earlier and found this: https://wiki.openssl.org/index.php/Manual:Rsa(1)
[16:06] wrong one
[16:06] I found a link that had that header BEGIN ENCRYPTED
[16:07] https://serverpilot.io/community/articles/how-to-fix-an-encrypted-ssl-private-key.html
[16:07] which seems to suggest both are accepted formats
[16:07] drab: it could be pkcs8
[16:07] I just managed to convert a cakey.pem to pkcs8
[16:07] and it has the -----BEGIN ENCRYPTED PRIVATE KEY----- header
[16:07] drab: http://pastebin.ubuntu.com/25170678/ try to reverse that then
[16:07] man pkcs8
[16:07] sorry, another meeting :)
[16:08] could depend on openssl version
[16:10] drab: I can read that cakey.p8 file I created with openssl rsa -in
[16:10] drab: but I have to provide the password that was given when it was converted to pkcs8
[16:10] not the password given when it was created with openssl genrsa
[16:10] k, thanks for your help, will keep prodding
[16:10] if I give the original genrsa password, I get an error output like yours
[16:11] so you need the new pkcs8 password
[16:11] that's my take
=== FunnyLoo_ is now known as FunnyLookinHat_
[16:25] that makes sense, however if I try to decrypt with pkcs8 I think I can see I have the right pwd and still getting the error
[16:25] openssl pkcs8 -in cakey.pem -inform pem
[16:25] agreed that the output looks in pkcs8 as it matches the man page
[16:26] if I give the wrong pwd I get a decrypt error, if I use the one I think is right, I once again get the format error
[16:26] so I'm not sure why the pwd would be wrong
[16:26] but it may be, trying to get hold of the guy to confirm...
=== FunnyLookinHat_ is now known as FunnyLookinHat
[16:46] ahasenack: http://dpaste.com/2R68MW1
[16:46] notice how the errors in the case of "right password" are the same, pkcs8 or rsa
[16:50] if I try from the beginning, gen'ing a new pem key, then converting to pkcs8 I can't repro the problem
[16:50] if I give the wrong password I get the decrypt error
[16:51] if I give the right one, even with openssl rsa -in test.p8 -check , it works
[16:51] test.p8 being the -----BEGIN ENCRYPTED...
[16:51] which is what my non working key looks like
[16:52] so I can't repro a case where I don't get the decrypt error, meaning pwd seems correct, but the key still cannot be read
[16:54] something is corrupted or different about this file... I've just tried gen'ing a few pems and p8s and they are all of them the same length (according to wc -l)
[16:54] my non working key has more lines
[16:54] which I can't explain
[16:55] but might be a red herring
[17:01] doesn't GNU file tell what file format it is? maybe it's actually pkcs #5 or #12 encrypted
[17:03] tomreyn: cakey.pem: ASCII text :)
[17:03] https://www.cryptopp.com/wiki/Keys_and_Formats#Dumping_PKCS_.238_and_X.509_Keys
[17:04] for the pkcs8 files, for the pem straight from genrsa it says PEM RSA private key
[17:08] mmmh, dumpasn1 breaks, Error: IA5String contains illegal character(s) etc, 4 errors
[17:08] but these are test keys I just gen'ed
[17:08] and that I can read just fine
[17:09] so for whatever reason doesn't seem reliable to use to test, unless I'm misusing it somehow
[17:13] hmm i lack experience myself there, sorry for the bad pointer then.
[17:14] asn1 == death
[17:18] no worries, appreciate chipping in, at this point I'm just throwing pieces of the puzzle on the table to see if anything catches the eye
[17:24] maybe sum it up on a pastebin and try asking in ##crypto - they can be resourceful even if it's a bit OT (as it would be here)
[17:25] thanks for the tip, might do that
[17:27] there is also openssl asn1parse
[17:33] hi all :) is logrotate responsible for rotating /var/log/syslog?
[17:43] drab: I wonder if that's a text file generated by windows perhaps? Check the line ending with "cat -vet cakey.pem"
[18:22] hdon: yes, more specifically /etc/logrotate.d/rsyslog is the config snippet managing /var/log/syslog
[18:27] thanks sdeziel
[18:28] does ubuntu allow root login through ssh by default?
[18:30] no
[18:31] ubuntu by default makes the root account very difficult to use, but sudo is very easy
[18:31] sarnold, are you familiar with ansible, chef etc..?
[18:32] By default it allows it, but not by password authentication.
[18:32] great, i have added ssh key to root but i'm unable to ssh
[18:32] ice9: not really
[18:33] I'd just verify that /etc/ssh/sshd_config has PermitRootLogin set to prohibit-password
[18:36] Pici, actually it's set to 'yes'
[18:37] ice9: in older releases that was the default. Since Ubuntu has a locked password for root by default, it's pretty much the same thing as prohibit-password... as long as key based auth is enabled, which it is by default.
[18:37] anyway i'm still unable to ssh with key for the root
[18:38] check logs on client and server?
[18:38] keep adding -v to the ssh command until it spits out something useful? :)
=== JanC_ is now known as JanC
[20:00] may not have a shell set either. Ubuntu really locks it down.
[20:10] or AllowUsers
[20:46] icey: probably wrong permissions for /root/.ssh/authorized_keys
[20:54] hi all. looking for a virtualization box ... ubuntu+zfs+docker+kvm+lxd ... can anyone recommend something with similar form factor to the freenas-mini? as in, you've used it and it works well?
[21:01] BugeyeD: freenas is based on freebsd, not linux
[21:02] RoyK: ya think?
[21:02] i'm asking about harware
[21:02] hardware, even
[21:08] BugeyeD: no idea about the hardware
[21:09] mini-itx form factor, 4-8 hot-swap drives, IPMI for remote management, enough ram and cpu to do the requested (ubuntu+zfs+docker+kvm+lxd)
[21:10] should do
[21:11] poke around https://www.servethehome.com/ I think I've seen them do reviews of cute little things before
[21:28] is sarnold a new dude here? the one who was asking how to install server with gui? :)
[21:28] hehe
[21:28] how are you ubuntu server people? :)
[22:17] I boot /dev/md0, but just noticed - [_U] - an element missing, tried to re-add with mdadm --manage --re-add /dev/sdb2 and it said "... is not possible" - given that it's my boot drive, is it because it is mounted?
[22:18] will I need to boot to a rescue and do it unmounted or is there something I'm missing (other than a drive!)
[22:19] I always thought you could manage raid live, thing is, these fail so seldom, I don't get lots of practice
[22:20] no, it's not because it's mounted
[22:20] it should work nevertheless
[22:20] so it must be something else.
[22:20] tomreyn, thoughts on what to look for?
[22:20] smartctl reports it fine
[22:21] is this a RAID-1?
[22:21] What's the proper useradd line to create a system user?
[22:21] hashwagon: adduser --system is the preferred approach on ubuntu, i think
[22:27] fluvvell: does 'mdadm --detail /dev/md0' actually suggest that /dev/sdb2 is the device that's missing?
[22:27] what's its state?
[22:28] if you just 'mdadm -A /dev/md0', does that work?
[22:29] Raid1
[22:32] i mean 'mdadm -A --scan /dev/md0' (missed the --scan)
[22:33] tomreyn, yes /dev/sdb2 is clean, not active
[22:33] tomreyn, md0 is already in use
[22:34] tomreyn, State : clean, degraded
[22:34] Active Devices : 1
[22:34] Working Devices : 1
[22:34] Failed Devices : 0
[22:34] Spare Devices : 0
[22:35] tomreyn, Raid Devices : 2
[22:35] Total Devices : 1
[22:36] please use a pastebin
[22:36] tomreyn, sure, just 4 lines - Ok 6, yeah sorry
[22:46] tomreyn, any thoughts?
[22:57] tomreyn, actually /dev/sdc2 is the missing device, sorry sdb2 is working, but it won't let me add /dev/sdc2 - my checking is accurate, I'm just reporting it to you backward
[22:58] tomreyn, I just look stupid, I try not to act that way. mdadm: --re-add for /dev/sdc2 to /dev/md0 is not possible
[23:53] question: how come when i logged into my vps that i haven't been to in a while i had 86 packages to upgrade. i thought i already set up unattended packages correctly
[23:55] arooni: I think the unattended-upgrades package just does packages from -security and not from -updates
[23:55] arooni: .. but I think that as packages are mirrored from -security to -updates that might mean that the unattended-upgrades doesn't notice them