[00:22] <drab> sarnold: I think I actually figured out a few ways of doing it that are cleaner, but none of them is exactly straightforward
[00:22] <drab> the simplest and not that hard is to use squid with eCAP/ICAP
[00:23] <drab> squid running on the gw I mean
[00:23] <drab> but at that point that squid does nothing more than taking the request and passing it on with a protocol that includes all the necessary info, including src ip
[00:23] <drab> and you can cluster that easily
[00:23] <drab> and cluster the actual content filtering by having multiple backends
[00:24] <drab> the other option seems to run the gw behind something like LVS, but I'm not sure how that'd work
[00:24] <sarnold> man the icap website makes even less sense than the ecap website :)
[00:24] <drab> lol, tell me about it...
[00:25] <drab> it was quite surprising to figure out the state of both, you'd think they would be fairly "standard", but it seems in OSS land there's little to nothing
[00:25] <drab> even tho all commercial implementations work on that basis
[00:25] <drab> generally speaking the OSS CF ecosystem is pretty weak, it's even hard to find which options you have
[00:26] <drab> the only easily googlable thing is dansguardian, which is deadware
[00:26] <drab> I found its fork, e2guardian, almost by accident (great project, active devel)
[01:27] <station> is there an easy way to keep overview over user access management Samba NFS …..
[01:29] <station> and user management in general
[06:21] <android> !kernel
[07:53] <lordievader> Good morning
[09:23] <jambo> anyone here? need some help
[10:04] <zioproto> hello, how do I add the tags? https://bugs.launchpad.net/python-novaclient/+bug/1559072
[10:05] <zioproto> verification-done ?
[10:06] <zioproto> ok I think I have done it
[13:29] <rbasak> ahasenack: thought I'd look at some of your pending MPs.
[13:29] <ahasenack> thx
[13:29] <ahasenack> rbasak: did you sync cyrus-sasl2?
[13:29] <rbasak> ahasenack: is everything you have in https://code.launchpad.net/~canonical-server/+activereviews pending review/upload?
[13:29] <ahasenack> I saw it's up-to-date now
[13:30] <rbasak> I did fire off cyrus-sasl2 last night.  Didn't see if it finished.
[13:30] <rbasak> I guess it's done then :)
[13:30] <ahasenack> it worked, thx
[13:30] <ahasenack> regarding the mps
[13:30] <ahasenack> there are some nish grabbed that don't show up there anymore
[13:31] <rbasak> Can you see what happens if you explicitly request an additional review from ~canonical-server in those MPs now?
[13:31] <ahasenack> they should come back to the list
[13:31] <ahasenack> let me see
[13:31] <rbasak> OK. I'll start with your squid3 SRUs now.
[13:31] <ahasenack> ok
[13:35] <ahasenack> rbasak: this one, for example: https://code.launchpad.net/~ahasenack/ubuntu/+source/libpam-ccreds/+git/libpam-ccreds/+merge/327829
[13:35] <ahasenack> rbasak: going to ask for another review now
[13:35] <ahasenack> rbasak: done, and now it's in the https://code.launchpad.net/~canonical-server/+activereviews list
[13:35] <ahasenack> rbasak: going to do the same to the others
[13:35] <ahasenack> I think that's all
[13:35] <rbasak> OK. Thanks!
[13:36] <ahasenack> rbasak: I'm adding test cases to all my MPs now, not just the bug
[13:36] <ahasenack> rbasak: in the squid one, since the MP is older, I only added the test cases to the bug
[13:36] <ahasenack> to form the sru template
[13:37] <rbasak> Why are you adding test cases to the MPs?
[13:37] <ahasenack> to help reviewers, in the case it's just an artful upload for example, and not an sru
[13:38] <rbasak> I see, OK.
[14:18] <rbasak> ahasenack: sorry about the wasted work for Yakkety because of review delay.
[14:18] <ahasenack> it's experience :)
[14:18] <rbasak> ahasenack: https://code.launchpad.net/~ahasenack/ubuntu/+source/squid3/+git/squid3/+merge/326860 looks good to upload, thanks! Let me know if you'd like to take my suggestions or not, and I'll sponsor that now.
[14:18] <ahasenack> let me check
[14:22] <ahasenack> hm, I have this in my .quiltrc
[14:22] <ahasenack> QUILT_DIFF_ARGS="--no-timestamps --no-index -pab"
[14:22] <ahasenack> QUILT_REFRESH_ARGS="--no-timestamps --no-index -pab"
[14:22] <ahasenack> maybe I added the patch manually
[14:22] <rbasak> Yeah that could be it.
[14:23] <rbasak> In that case one quilt refresh after you add it would normalise the patch. I don't usually suggest quilt refreshes, but when adding a patch for the first time it makes sense :)
[14:24] <ahasenack> rbasak: I see
[14:24] <ahasenack> that's fine
[14:24] <ahasenack> rbasak: about the other change, DEP3, since now it's a backport
[14:24] <ahasenack> rbasak: should we remove my comment about having had to fix a conflict?
[14:25] <rbasak> I don't mind if it's there or not. It's certainly more informative than the metadata on its own, and I appreciate that.
[14:25] <ahasenack> ok then
[14:25] <rbasak> Your choice :)
[14:25] <ahasenack> I got the opposite comment from nish in another mp :)
[14:25] <rbasak> Hmm.
[14:25] <ahasenack> just checking :)
[14:25] <rbasak> I guess that'll always happen to some extent :-/
[14:26] <ahasenack> it's fine
[14:26] <ahasenack> rbasak: so I pull your changes in and push again?
[14:26] <ahasenack> or you upload your branch? What's the usual?
[14:26] <rbasak> No need. I can just upload my branch and tag it.
[14:26] <ahasenack> please do then, thanks
[14:26] <rbasak> ack
[14:38] <rbasak> ahasenack: same quilt -pab thing in https://code.launchpad.net/~ahasenack/ubuntu/+source/rsyslog/+git/rsyslog/+merge/327718. I can just fix up as I upload if you wish?
[14:39] <ahasenack> yes please
[14:39] <rbasak> OK
[14:40] <ahasenack> rbasak: so even when taking the patch as-is from upstream, we prefer that refresh?
[14:40] <ahasenack> I don't recall if this was the case here
[14:40] <ahasenack> just wondering in general
[14:41] <rbasak> That's a fair question.
[14:42] <rbasak> I prefer it as I don't see any downsides. But other opinions welcome.
[14:42] <ahasenack> ok
[14:46] <rbasak> ahasenack: I usually try to credit everyone, so when cherry-picking from git, grabbing the commit author into an Author or From dep3 header is usually trivial.
[14:46] <ahasenack> rbasak: sometimes there are so many authors
[14:47] <ahasenack> someone sends a patch to a list (author1), then someone else commits with a slight change (author2), and a distribution grabs it for an older version and fixes conflicts (author3)
[14:47] <rbasak> Multiple Author fields are permitted in dep3. But upstream need to pick one for the git commit, so we might as well copy that one at a minimum. That needs little thought.
[14:52] <Guma> I am trying to setup "hosting" of my own deb packages on my own ubuntu server 16.04 so I can add my server to other machines to be able to install them with apt-get. I will do x64 and arm packages.
[14:53] <Guma> Can someone point me to some info/online doc to read what and how it needs to be setup on my server.
[14:53] <rbasak> ahasenack: can you check you're happy with https://code.launchpad.net/~racb/ubuntu/+source/rsyslog/+git/rsyslog/+ref/artful-rsyslog-permitnonkernelfacility-1703987 please?
[14:53] <Guma> Thank you
[14:53] <ahasenack> rbasak: checking
[14:53] <rbasak> Guma: look up "reprepro"
[14:54] <ahasenack> patch refresh ok,
[14:54] <ahasenack> checking dep3
[14:53] <Guma> rbasak: Thank you for the quick reply :)
[14:55] <rbasak> Guma: you're welcome. "apt-ftparchive" is quicker, but I'm not sure it can do repositories that support multiple architectures.
[14:56] <ahasenack> rbasak: good thing on the Author, the git commit didn't credit him specifically
[14:57] <ahasenack> how did you find his email?
[14:57] <ahasenack> Trent's
[14:57] <rbasak> ahasenack: this is a hidden Github feature.
[14:57] <rbasak> Start from https://github.com/PascalWithopf/rsyslog/commit/5c35619385bbe50979fa417e6f1b14df531b2a4a which you have.
[14:57] <ahasenack> aha
[14:57] <rbasak> Append .patch
[14:58] <rbasak> https://github.com/PascalWithopf/rsyslog/commit/5c35619385bbe50979fa417e6f1b14df531b2a4a.patch
[14:58] <ahasenack> there you go
[14:58] <rbasak> If you look that up, you see the "git format-patch" output.
[14:58] <rbasak> Very useful for cherry-picking etc.
[14:58] <ahasenack> indeed
[15:00] <ahasenack> rbasak: so +1 for your changes, thanks
[15:00] <rbasak> ack
[15:04] <Guma> rbasak: but does reprepro support multiple arch?
[15:05] <rbasak> Guma: IIRC, yes. But I could be wrong - please double check.
[15:11] <drab> anybody familiar with openssl and knows what this error is about: http://dpaste.com/1J452JM
[15:12] <drab> this is the pvt key for a local CA. I did not create it and someone else passed it to me
[15:12] <drab> the password seems to be right because if I write something random I get an error about decrypt failed
[15:12] <drab> digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
[15:13] <ahasenack> drab: what command did you use? Maybe the file is in a different format
[15:13] <drab> the last two lines about PKCS12 and PEM are the same tho
[15:14] <drab> ahasenack: I was trying to use it with e2guardian, which is when I realized I had a problem. right now I'm simply doing: openssl rsa -inform pem -in cakey.pem -check
[15:14] <drab> or with -text -noout
[15:14] <drab> just to test that I can read the key
[15:15] <drab> I don't know how the key was created and that person is now on vacation for 3 weeks...
[15:43] <ahasenack> drab: sorry, was in a meeting
[15:43] <ahasenack> drab: so just checking, cakey.pem has ascii content, and a header like BEGIN STUFF HERE and below it a line saying it's encrypted?
[15:44] <ahasenack> and for the love of God, don't paste its contents :)
[15:44] <drab> np, in the meantime I think I found out how the key was created : openssl genrsa -des3 4096 > key.pem
[15:44] <drab> ahasenack: :)
[15:44] <drab> yeah it's ascii so it's pem, not der
[15:44] <ahasenack> the pkcs12 output was weird
[15:45] <drab> -----BEGIN ENCRYPTED PRIVATE KEY----- etc
[15:45] <ahasenack> have you tried "openssl pkcs12" commands?
[15:45] <drab> I have, couldn't get that to work, but I've never used those before so I might be doing something wrong
[15:45] <drab> will try again
[15:46] <ahasenack> iirc pkcs12 has an export password, different than the encryption key
[15:50] <drab> ahasenack: doesn't matter what pkcs12 cmd I try I get the same format/encoding errors
[15:51] <drab> per above key was created with openssl genrsa -des3 4096 if that means anything to you
[15:51] <drab> there doesn't seem to be anything strange in the gen process
[15:53] <ahasenack> if you create another one like that, can you read it back with openssl rsa?
[15:53] <drab> good question, trying
[15:55] <drab> ahasenack: yep it works
[15:55] <drab> interestingly enough if I typo the password the first two lines of the errors are about the decrypt
[15:55] <ahasenack> but the file genrsa produced in your test looks just like the cakey.pem one you have? Same headers?
[15:55] <drab> but there's no second set of lines about format errors
[15:56] <ahasenack> yeah, so I think it's decrypting the key, and then trying to parse it
[15:56] <ahasenack> and it encounters an unexpected structure when trying to parse it
[15:57] <drab> oh, you're right, no, it's not the same, it's missing two lines after the ----- ... Proc-Type: 4,ENCRYPTED \n DEK-Info: DES-EDE3-CBC,1D80xxxxxxxx
[15:58] <drab> I wonder what that number after DEK-Info is and how do I get it/if it's diff per key
[15:58]  * drab tries to gen another key
[15:58] <drab> yep, diff number, so can't copy it over, looks like some kind of hash
[15:59] <drab> I don't get how those lines are missing from the key, I doubt the guy edited them out, it makes no sense
[15:59] <drab> and also he used that key to gen the CA which works fine... mystery
[16:01] <drab> the header is actually also diff, the one I just regenerated reads "-----BEGIN RSA PRIVATE KEY-----" and then has that metadata above
[16:03] <drab> the one I have that's not working says -----BEGIN ENCRYPTED PRIVATE KEY-----
[16:04] <ahasenack> so cakey.pem does not have this under the header?
[16:04] <ahasenack> Proc-Type: 4,ENCRYPTED
[16:04] <ahasenack> DEK-Info: DES-EDE3-CBC,DE3423A9DC4700D0
[16:04] <ahasenack> (random key I just created)
[16:04] <ahasenack> if you just have
[16:04] <ahasenack> -----BEGIN RSA PRIVATE KEY-----
[16:04] <ahasenack> and then a blob
[16:04] <ahasenack> then it's not encrypted
[16:04] <ahasenack> ah, yours is BEGIN ENCRYPTED ...
[16:04] <ahasenack> interesting
[16:05] <ahasenack> it's a different header
[16:05] <drab> yeah
[16:06] <drab> I googled around a bit earlier and found this: https://wiki.openssl.org/index.php/Manual:Rsa(1)
[16:06] <drab> wrong one
[16:06] <drab> I found a link that had that header BEGIN ENCRYPTED
[16:07] <drab> https://serverpilot.io/community/articles/how-to-fix-an-encrypted-ssl-private-key.html
[16:07] <drab> which seems to suggest both are accepted formats
[16:07] <ahasenack> drab: it could be pkcs8
[16:07] <ahasenack> I just managed to convert a cakey.pem to pkcs8
[16:07] <ahasenack> and it has the -----BEGIN ENCRYPTED PRIVATE KEY----- header
[16:07] <ahasenack> drab: http://pastebin.ubuntu.com/25170678/ try to reverse that then
[16:07] <ahasenack> man pkcs8
[16:07] <ahasenack> sorry, another meeting :)
[16:08] <ahasenack> could depend on openssl version
[16:10] <ahasenack> drab: I can read that cakey.p8 file I created with openssl rsa -in
[16:10] <ahasenack> drab: but I have to provide the password that was given when it was converted to pkcs8
[16:10] <ahasenack> not the password given when it was created with openssl genrsa
[16:10] <drab> k, thanks for your help, will keep prodding
[16:10] <ahasenack> if I give the original genrsa password, I get an error output like yours
[16:11] <ahasenack> so you need the new pkcs8 password
[16:11] <ahasenack> that's my take
[16:25] <drab> that makes sense, however if I try to decrypt with pkcs8 I think I can see I have the right pwd and still getting the error
[16:25] <drab> openssl pkcs8 -in cakey.pem -inform pem
[16:25] <drab> agreed that the output looks in pkcs8 as it matches the man page
[16:26] <drab> if I give the wrong pwd I get a decrypt error, if I use the one I think is right, I once again get the format error
[16:26] <drab> so I'm not sure why the pwd would be wrong
[16:26] <drab> but it may be, trying to get hold of the guy to confirm...
[16:46] <drab> ahasenack: http://dpaste.com/2R68MW1
[16:46] <drab> notice how the errors in the case of "right password" are the same, pkcs8 or rsa
[16:50] <drab> if I try from the beginning, gen'ing a new pem key, then converting to pkcs8 I can't repro the problem
[16:50] <drab> if I give the wrong password I get the decrypt error
[16:51] <drab> if I give the right one, even with openssl rsa -in test.p8 -check , it works
[16:51] <drab> test.p8 being the -----BEGIN ENCRYPTED...
[16:51] <drab> which is what my non working key looks like
[16:52] <drab> so I can't repro a case where I don't get the decrypt error, meaning pwd seems correct, but the key still cannot be read
[16:54] <drab> something is corrupted or different about this file... I've just tried gen'ing a few pems and p8s and they are all of them the same length (according to wc -l)
[16:54] <drab> my non working key has more lines
[16:54] <drab> which I can't explain
[16:55] <drab> but might be a red herring
[17:01] <tomreyn> doesn't GNU file tell what file format it is? maybe it's actually pkcs #5 or #12 encrypted
[17:03] <drab> tomreyn: cakey.pem: ASCII text :)
[17:03] <tomreyn> https://www.cryptopp.com/wiki/Keys_and_Formats#Dumping_PKCS_.238_and_X.509_Keys
[17:04] <drab> for the pkcs8 files, for the pem straight from genrsa it says PEM RSA private key
[17:08] <drab> mmmh, dumpasn1 breaks, Error: IA5String contains illegal character(s) etc, 4 errors
[17:08] <drab> but these are test keys I just gen'ed
[17:08] <drab> and that I can read just fine
[17:09] <drab> so for whatever reason doesn't seem reliable to use to test, unless I'm misusing it somehow
[17:13] <tomreyn> hmm i lack experience myself there, sorry for the bad pointer then.
[17:14] <tomreyn> asn1 == death
[17:18] <drab> no worries, appreciate chipping in, at this point I'm just throwing pieces of the puzzle on the table to see if anything catches the eye
[17:24] <tomreyn> maybe sum it up on a pastebin and try asking in ##crypto - they can be resourceful even if it's a bit OT (as it would be here)
[17:25] <drab> thanks for the tip, might do that
[17:27] <tomreyn> there is also openssl asn1parse
[17:33] <hdon> hi all :) is logrotate responsible for rotating /var/log/syslog?
[17:43] <ahasenack> drab: I wonder if that's a text file generated by windows perhaps? Check the line ending with "cat -vet cakey.pem"
[18:22] <sdeziel> hdon: yes, more specifically /etc/logrotate.d/rsyslog is the config snippet managing /var/log/syslog
[18:27] <hdon> thanks sdeziel
[18:28] <ice9> does ubuntu allows root login through ssh by default?
[18:30] <sarnold> no
[18:31] <sarnold> ubuntu by default makes the root account very difficult to use, but sudo is very easy
[18:31] <ice9> sarnold, are you familiar with ansible, chef etc..?
[18:32] <Pici> By default it allows it, but not by password authentication.
[18:32] <ice9> great, i have added ssh key to root but i'm unable to ssh
[18:32] <sarnold> ice9: not really
[18:33] <Pici> I'd just verify that /etc/ssh/sshd_config has PermitRootLogin set to prohibit-password
[18:36] <ice9> Pici, actually it's set to 'yes'
[18:37] <Pici> ice9: in older releases that was the default. Since Ubuntu has a locked password for root by default, it's pretty much the same thing as prohibit-password... as long as key based auth is enabled, which it is by default.
[18:37] <ice9> anyway i'm still unable to ssh with key for the root
[18:38] <sarnold> check logs on client and server?
[18:38] <sarnold> keep adding -v to the ssh command until it spits out something useful? :)
[20:00] <thebwt> may not have a shell set either. Ubuntu really locks it down.
[20:10] <tomreyn> or AllowUsers
[20:46] <RoyK> icey: probably wrong permissions for /root/.ssh/authorized_keys
[20:54] <BugeyeD> hi all. looking for a virtualization box ... ubuntu+zfs+docker+kvm+lxd ... can anyone recommend something with similar form factor to the freenas-mini? as in, you've used it and it works well?
[21:01] <RoyK> BugeyeD: freenas is based on freebsd, not linux
[21:02] <BugeyeD> RoyK: ya think?
[21:02] <BugeyeD> i'm asking about harware
[21:02] <BugeyeD> hardware, even
[21:08] <RoyK> BugeyeD: no idea about the hardware
[21:09] <BugeyeD> mini-itx form factor, 4-8 hot-swap drives, IPMI for remote management, enough ram and cpu to do the requested (ubuntu+zfs+docker+kvm+lxd)
[21:10] <RoyK> should do
[21:11] <sarnold> poke around https://www.servethehome.com/ I think I've seen them do reviews of cute little things before
[21:28] <hehehe> is sarnold a new dude here? the one who was asking how to install server with gui? :)
[21:28] <hehehe> hehe
[21:28] <hehehe> how are you ubuntu server people? :)
[22:17] <fluvvell> I boot /dev/md0, but just noticed - [_U] - an element missing, tried to re-add with mdadm --manage --re-add /dev/sdb2 and it said "... is not possible" - given that it's my boot drive, is it because it is mounted?
[22:18] <fluvvell> will I need to boot to a rescue and do it unmounted or is there something I'm missing (other than a drive!)
[22:19] <fluvvell> I always thought you could manage raid live, thing is, these fail so seldomly, I don't get lots of practice
[22:20] <tomreyn> no, it's not because it's mounted
[22:20] <tomreyn> it should work nevertheless
[22:20] <tomreyn> so it must be something else.
[22:20] <fluvvell> tomreyn, thoughts on what to look for?
[22:20] <fluvvell> smartctl reports it fine
[22:21] <tomreyn> is this a RAID-1?
[22:21] <hashwagon> What's the proper useradd line to create a system user?
[22:21] <tomreyn> hashwagon: adduser --system is the preferred approach on ubuntu, i think
[22:27] <tomreyn> fluvvell: does 'mdadm --detail /dev/md0' actually suggest that /dev/sdb2 is the device that's missing?
[22:27] <tomreyn> what's its state?
[22:28] <tomreyn> if you just 'mdadm -A /dev/md0', does that work?
[22:29] <fluvvell> Raid1
[22:32] <tomreyn> i mean 'mdadm -A --scan /dev/md0' (missed the --scan)
[22:33] <fluvvell> tomreyn, yes /dev/sdb2 is clean, not active
[22:33] <fluvvell> tomreyn, md0 is already in use
[22:34] <fluvvell> tomreyn,          State : clean, degraded
[22:34] <fluvvell>  Active Devices : 1
[22:34] <fluvvell> Working Devices : 1
[22:34] <fluvvell>  Failed Devices : 0
[22:34] <fluvvell>   Spare Devices : 0
[22:35] <fluvvell> tomreyn,    Raid Devices : 2
[22:35] <fluvvell>   Total Devices : 1
[22:36] <tomreyn> please use a pastebin
[22:36] <fluvvell> tomreyn, sure, just 4 lines - Ok 6, yeah sorry
[22:46] <fluvvell> tomreyn, any thoughts?
[22:57] <fluvvell> tomreyn, actually /dev/sdc2 is the missing device, sorry sdb2 is working, but it won't let me add /dev/sdc2   - my checking is accurate, I'm just reporting it to you backward
[22:58] <fluvvell> tomreyn, I just look stupid, I try not to act that way.  mdadm: --re-add for /dev/sdc2 to /dev/md0 is not possible
[23:53] <arooni> question:  how come when i logged into my vps that i haven't been to in a while i had 86 packages to upgrade.  i thought i already set up unattended upgrades correctly
[23:55] <sarnold> arooni: I think the unattended-upgrades package just does packages from -security and not from -updates
[23:55] <sarnold> arooni: .. but I think that as packages are mirrored from -security to -updates that might mean that the unattended-upgrades doesn't notice them