/srv/irclogs.ubuntu.com/2017/08/04/#ubuntu-server.txt

naccrbasak: the former, yes00:11
naccrbasak: i think i'd need to do some refactoring, but actually, if you're ok with me pulling the parsing to its own module, i think it will make the changes pretty straightforward00:11
naccrbasak: basically, the issue right now is you need a repo object to parse under00:11
rbasaknacc: making it more module and testable makes sense. I think it's fine to be in its own module then.00:12
rbasaknacc: or at least outside the class but in the same module?00:12
naccrbasak: but I think i can abstract all of that out to gitubuntu/changelog.py and just put tests there (before your series), then your series is just changing that class00:12
naccrbasak: yeah, maybe the latter is sufficient00:12
naccrbasak: just out of GitUbuntuRepository00:12
rbasaknacc: in general I imagine we'll be moving plenty of stuff outside classes in order to make them more easily testable.00:12
naccrbasak: sounds like a plan, thanks! i'll work on that tmrw00:13
naccrbasak: ack00:13
naccrbasak: basically, first commit will create a Changelog class (without using debian's changelog class) and just move our functionality into there, ideally with no changes -- then yours comes in and reworks that class00:14
lordievaderGood morning06:14
=== JanC is now known as Guest77859
=== JanC_ is now known as JanC
Genk1Hello All I have an annoying problem after I replaced my current Thawte certificate with the new letsencrypt free ssl certificate10:34
Genk1in fact https://www.ssllabs.com/  still show me that there are 2 kinds of certificates a valid one which from  letsecnrypt and the expired one from Thawte10:35
Genk1How can I fix this please ?10:35
tomreynGenk1more details needed10:35
tomreynssllabs.com server test will in no situation report two sercer certificates in use in a single report10:36
Genk1tomreyn: I am running an ubuntu server 16.04 with apache, I have verified that there are only one vhost10:36
Genk1tomreyn: in fact he showed me two certificates10:37
tomreynthat is unless you have those setrver certificates in the ssl trust chain10:37
tomreynpost the output on pastebin, replace anything you do not feel comfortable sharing10:38
tomreynyou can produce plain text output using  https://github.com/ssllabs/ssllabs-scan10:39
Genk1tomreyn: OK10:39
Genk1tomreyn: Ok thanks10:39
Genk1but normally those kind of issues is related to the webserver right ? or maybe it's a caching issue ?10:40
tomreynyes it's a configuration issue, not a caching issue10:41
Genk1tomreyn: but I only have two ssl directive pointing to letsecrypt path file10:41
Genk1how it can be possible, I have only vhost and it's in front of me ?10:42
Genk1I don't see any information about thawte10:42
tomreynGenk1: i could not tell, and do not know your server configuration. run "sudo apache2ctl -t -D DUMP_VHOSTS" to check what you have.10:44
Genk1I have done this before don't worry I know what I am saying :)10:45
Genk1tomreyn: I am sure the issue is not on the server side10:45
Genk1because some clients can access the new certificate and some others cannot10:46
tomreynsudo rgrep -Ei 'SSL(CA)?Certificate' /etc/apache2/10:46
Genk1it's clearly a caching issue10:46
tomreyndo you have a proxy in front then?10:46
nav-indeed, sounds like a caching issue10:47
nav-for the ones it's not working, try it in an incognito tab10:47
tomreynssl content should never be cached, this would be a configuration issue10:47
Genk1tomreyn: it shows this10:48
Genk1SSLCertificateFile/etc/letsencrypt/live/*/fullchain.pem10:48
Genk1   SSLCertificateKeyFile /etc/letsencrypt/live/*/privkey.pem10:48
Genk1the other directives are commented10:48
Genk1nav-:10:48
tomreyn<tomreyn> do you have a proxy in front then?10:48
Genk1ok thanks10:48
Genk1tomreyn: no no it's a simple webserver that I have hosted myself in OVH10:49
Genk1tomreyn: I did an installation from scratch10:49
tomreynokay so it can only be browser caching then indeed.10:50
tomreyni always thought it was wrong they introduced that10:50
Genk1tomreyn: voila10:51
tomreynor it's client side proxies, which would be even worse10:51
necrophcodrI'm trying to remove old 3.13 kernels and stuff on my 14.04 installation, however aptitude keeps pulling them back10:59
necrophcodrIs there any way I can avoid this?10:59
lordievaderCheck out the reason why aptitude is pulling them back in.11:00
lordievaderCould you provide some console output? Of removing the (old) kernel and updating, or something.11:01
necrophcodrlordievader: i've removed all the packages11:01
necrophcodr`aptitude remove -yq $(aptitude search --disable-columns '~i^linux-' -F '%p'|awk '/3.(11|13|16|19).0/') >/dev/null`11:01
necrophcodrAfterwards, running `aptitude install` pulls the header files back in11:02
necrophcodrI'm not sure how to check why it's pulling them back in, i wouldn't ask here otherwise.11:02
lordievaderCould you show the 'apt-get update' output after removing them?11:02
necrophcodrupdate? you don't mean upgrade?11:03
lordievaderErm, yes. 'apt-get upgrade'*11:03
necrophcodrhttp://paste.ubuntu.com/25239340/11:04
necrophcodrapt-get isn't as strict as aptitude though.11:04
lordievaderSo it seems, apt tells that it doesn't see a reason to keep those packages around.11:04
necrophcodrthose are different packages11:05
necrophcodrnot the 3.13 ones11:05
necrophcodrit doesn't pull in new packages. but we're using aptitude.11:05
lordievaderWhat is the output of 'apt-cache rdepends linux-header-3.13.0-X' (correct the version)11:07
necrophcodrlordievader: i did that, and some more:11:10
necrophcodrhttp://paste.ubuntu.com/25239357/11:10
necrophcodrbut i think the issue might be that linux-libc-dev is of version 3.1311:10
necrophcodrhmm..no, there doesn't seem to be a direct corelation11:11
lordievaderCould be, but I would expect libc-dev to have a dependency on a header package. Though it could depend on the meta package of the linux-headers.11:12
necrophcodrit depends on linux-kernel-headers11:12
necrophcodror rather, it provides that11:12
lordievaderWhat happens when those headers are removed along with the rdepends? Just to see if apt handles this differently from aptitude, does apt also want to reinstall them?11:13
necrophcodri don't have them installed at all11:13
necrophcodrnot the rdepends either11:13
necrophcodri removed them as stated earlier, and apt doesn't want to install them11:13
necrophcodraptitude does, but it handles things differently.11:14
lordievaderBut aptitude does?11:14
necrophcodryes11:14
lordievaderStrange.11:15
lordievaderThere is not some package among the install list which could pull in the rest as a dependency?11:15
necrophcodrI'm not sure, how do I verify this?11:16
lordievaderWell, I suppose you get a confirmation when running 'aptitude install' (I must admit, I rarely use aptitude).11:16
necrophcodroh that11:17
necrophcodrno, not as far as i can tell11:17
necrophcodrno packages are scheduled for upgrading, and there's a few packages being removed.11:17
necrophcodri can deal with using apt-get for the rest of time, but i'd prefer to use aptitude, as i've heard it should handle dependencies and such more strictly.11:18
lordievaderI thought I read a document somewhere where they recommended Debian users to use apt-get over aptitude.11:18
necrophcodrlordievader: yep, that was especially for upgrading, since it didn't care that not everything was super in order11:19
lordievaderI see. Still, stricter rules should not install packages which are not needed, I'd say.11:20
lordievaderIn the man page I read of a 'why/why-not' command, it says 'explains the reason that a particular package should or cannot be installed on the system'.11:21
lordievaderThat may explain why it wants to install header files.11:21
necrophcodrlordievader: it doesn't really expain anything unfortunately :/11:43
necrophcodrhttp://paste.ubuntu.com/25239552/11:44
necrophcodrThe thing is that aptitude doesn't automatically install suggested packages.11:44
lordievaderHmm, none of those suggested packages are installed?12:02
necrophcodrlordievader: nope, not a single one12:22
lordievaderThen I really don't understand why aptitude wants to install it -.-12:22
necrophcodrlordievader: that's my predicament. i don't understand it either.12:27
lordievaderI don't really want  to say 'use apt-get' but that seems about the sanest option right now.12:28
necrophcodrlordievader: i'll evaluate further options, but you might be right12:47
necrophcodrthanks for your help though!12:48
lordievaderNo problem ;)12:49
genk1tomreyn: how to deal with such problems13:15
genk1https://www.ssllabs.com/ssltest/analyze.html?d=www.myniu.fr&latest13:16
genk12 certificates in the same time13:16
mdeslaurnacc: hi! I'm looking at php security updates....is there a round of 7.0 updates being worked on for xenial/zesty?13:24
ahasenackhi, a packaging question13:34
ahasenackif I have a package that installs a script in /etc/update-motd.d/13:35
ahasenackbecause it's in /etc, it's considered configuration13:35
ahasenackand not removed via "apt remove", just "apt purge"13:35
ahasenackbut it's a script, not a config file, and it's run on login. It might need the package installed in order to work properly13:35
ahasenackhow is this usually sorted?13:35
genk1tomreyn: I fixed the issue13:55
genk1the problem was related to apache, some process child was still running and have the old configuration13:56
genk1service apache2 restart and even service apache2 stop didn't stop apache really13:56
genk1I needed to do a killall13:57
genk1after that everything was working just fine13:57
genk1thank you all13:57
sdezielahasenack: update-notifier-common drops snippets in /etc/update-motd.d where they do "[ -x /usr/lib/... ] && exec /usr/lib/..." and presumably removing the package removes the /usr/lib/... file14:05
ahasenackso the file in /etc remains, but does nothing14:06
ahasenackthis one calls out to a snap, I'm not sure I should hardcode the snap bin path14:06
ahasenackwith the -x check14:07
ahasenackbut I can find another way14:07
sdezielahasenack: that would be my assumption but the update-notifier-common package was the one example I could fine14:07
ahasenackok, thanks14:07
=== ogra_ is now known as ogra
=== drab_ is now known as drab
naccmdeslaur: i noticed that debian had moved up, I can do that early next week (bump to 7.0.20)15:12
mdeslaurhrm, I need 7.0.2215:13
naccmdeslaur: let me check debian again15:13
naccmdeslaur: oh nm! 7.0.22 indeed15:13
naccmdeslaur: should be a straightforward update on my end. Do you want me to send the stuff your way so it goes security -> updates?15:14
mdeslauryeah, stick it somewhere and I'll build it as a security update15:14
naccmdeslaur: and just so i actually remember this time, you want it in the security pocket "before" the updates pocket? Or is that less relevant? (I recall you having to do two pocket copies for a prior upload)15:15
mdeslaurwe have two options: 1- we sru it into -updates and then I rebuild it in -security a week later, or 2- I build it as a security update, and release it to -security15:16
mdeslaurif the update is straightforward without any big packaging changes, I can push it as a security update directly15:16
mdeslaurie: no dependency changes, etc.15:17
mdeslaurnacc: show me the package once you've worked on it and I'll see if it can directly be released as a security update15:17
naccmdeslaur: yeah, i expect no packaging changes, based upon prior uploads, but i'll let you know15:18
mdeslaurok, thanks15:18
=== smoser` is now known as smoser
rbasaknacc: style file pushed.16:58
rbasakI added some more items while I was thinking of them. Feel free to dispute :)16:58
naccrbasak: thanks!17:02
=== JanC_ is now known as JanC
oerheksgabrielc did this happen *after* you got chrome 60 ?18:34
oerheksodd, that new signingkey is not announced ..18:34
naccrbasak: seeing a very strange failure with src:pacemaker (a --no-fetch re-import to test my changes). One specific version of pacemaker orig is showing up with hearbeat_(version).orig.tar.gz in pristine-tar instead of pacemaker_(version).orig.tar.gz. Running `gbp import-orig` manually on the same file (based upon the logs from the importer), it creates the pacemaker orig tarball correctly. I believe20:51
nacc`gbp` only uses the tarball name to determine the srcpkg and I don't see anywhere that would make it see heartbeat...20:51
rbasaknacc: file a bug I guess? I don't see right now what's going on.21:16
naccrbasak: i added a bunch of debugging21:18
naccrbasak: and i see what's happening but not sure why21:18
naccrbasak: looks to be a gbp bug :)21:18
naccgbp:info: Source package is heartbeat21:19
naccrbasak: bug filed21:19
naccrbasak: for the importer that is, i'll communicate with upstream once i undersatnd why :)21:20
cliluwCan I automatically give a user a root shell when they SSH in so that they don't have to preprend "sudo" before their privileged commands or have to run "sudo -s"?21:50
nacccliluw: i don't think you would generally want to do that22:13
sarnoldif you want the user to be root you could set the uid in shadow and passwd to 0, and set the home dir to match22:13
cliluwnacc: Generally, that's correct. In this case, I do want to do this - this is for an automated script.22:13
nacccliluw: note, though, your question isn't exactly coherent22:17
Posterif it's automated, you can set "PermitRootLogin without-password" in your /etc/ssh/sshd_config then use SSH keys to bring the user in22:18
nacccliluw: 'giving a user a root shell' does not only mean "that they don't have to prepend "sudo" before their privileged commands"...22:18
nacccliluw: it means all commands are privileged commands :)22:18
Posterit would be better to use sudo and limit what commands can be used22:18
sarnoldor set authorized_keys restrictions on what can be executed by the program, and optionally enforce that with apparmor and pam_apparmor ..22:19
rbasakIMHO, if the manner in which ssh is used means that people are using unrestricted sudo all the time in practice, then it's fine to log in directly as root. This is against the accepted wisdom though.22:19
rbasakIt's only of value to create independent users for individual admins if sudo is restricted and/or actual auditing really happens of what they do.22:20
rbasakOtherwise the per-admin user is just a hurdle that provides no actual security benefit.22:21
naccright, I think in this case, use ssh keys, allow ssh as root with specific keys, is the best choice22:22
nacc(presuming cliluw's description is accurate)22:22
drabcliluw: cleanest, and simplest/quick) (which for me has been at times very important) solution is to PermitRootLogin without-password, set up a passwordless ssh key on the client and use the "command" to launch a simple bash script that filters what's allowed (and potentially logs things)22:23
drabsecurity is only useful when measured against realistic threats and targeted assets22:23
naccheh22:24
naccdrab: +122:24
drabotherwise it's just stuff that sounds nice to the hears and looks good in a presentation22:24
rbasakRestricting to a simple bash script that filters and logs is a good idea, but be careful about implementation. It's quite easy to leave other channels open, making it pointless if your threat model includes a malicious (or compromised) admin.22:25
drabif I could only get back all the time I wasted on "best practices in a vacuum" I'd enjoy a vacation for the rest of my life :P22:25
drabrbasak: agreed22:25
cliluwnacc: Allowing root login is an option but not ideal. I would prefer that the actions of the script show up as a non-root user for better auditing.22:28
nacccliluw: is the user logging in with a password? or ssh key?22:28
cliluwnacc: Only SSH key, no password22:28
nacccliluw: if the latter, you can give them passwordless sudo, since it seems like your model is trusting that specific user (and their key)?22:28
nacccliluw: again, not recommended, but if you want it for auditing, that would work22:29
nacccliluw: they'd need to type sudo, but they wouldn't be prompted for a password, at least22:29
drabor you can use the command and wrapper and prepend sudo to all of them after confirming the cmd is allowed22:29
nacccliluw: otherwise, i think, you'd need to add the user to the appropriate group or do what sarnold suggested22:29
naccdrab: ah true, yeah, that'd work22:29
cliluwdrab: Seems a bit tricky to write a wrapper script that will be able to filter down to only the commands I want to run since Bash is such a syntactically complex language.22:34
drabcliluw: it depends what you're doing, for CI type of stuff ime it was very simple, sometimes a straight string match with a simple check on special characters like ;22:35
drabbut like I said, I'm not you and I don't have your exact problems, so I don't know22:36
drabI've really come to believe in specificity and constraints, we all make tradeoffs all the time, whichever is best for you I don't know22:36
naccrbasak: what did we decide to do about MPs that already were sponsored? https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/32607322:37
cliluwdrab, nacc: Thanks for your advice. I'll probably go with passwordless sudo option. It sucks to have to prepend "sudo" to every command but it's not the end of the world, I suppose.22:38
drabcliluw: if you do that you might as well have a "blank" wrapped that prepend sudo22:41
drabnothing to lose22:41
drabwrapper*22:41
drabat least it takes the suckiness out of it for you and it requires no additional investment to setup other than one line in the authorized_key file and one line in the bash script22:42
drabwell, two with the header :)22:42
rbasaknacc: I've been pushing upload tags for those regardless, since they can be picked up by 1) any developer who is doing archeology or another merge, even if it wasn't incorporated into the commit graph by the importer; and b) our expected re-imports before we declare commit graph stability22:45
iklahow do you install on an EFI partition23:48
iklathe installer doesn't support it?23:48
drabikla: the installer most definitely supports it23:51
ikla16.04.2 ?23:51
drabyes23:51
iklathere is no option for EFI partition type23:51
iklain manual mode23:51
drabit goes into efi install if it boots as efi23:51
drabare you positive the installed booted from an efi device/as efi?23:51
drabiirc there's no way to manually specify "install in efi mode"23:51
drabit depends upon boot time23:52
iklano23:52
iklayou can create partitions manually23:52
iklabios boot23:52
iklathen efi part23:52
iklathen all the rest23:52
iklashouldn't matter if you booted from efi or legacy23:52
iklaboards support dual mode and could possibly boot non-efi but still have support23:52
iklacan I pass a kernel parameter to force the installer into efi?23:53
iklacause it has no option in manual mode which is b.s.23:53
drabok, maye you're right, all I know is what I experienced, efi installs worked when I booted in efi mode, but I never tried to create an efi install when booting in bios mode23:53
iklaeven tried creating the partitions with fdisk23:53
drabI don't recall of any specific option to the kernel, no23:54
iklaset the correct partition types and the install in manual mode doesn't know how to handle them23:54
drabbut I don't do a lot of efi, only needed it once to boot from a nvme partition23:54
iklayeah - I only have an NVMe device23:54
iklain this system23:55
ikla:)23:55
drabso yeah, in my case all I ddi was to create a usb install key, press f9 at boot and selected the key under the UEFI tree instead of Legacy tree23:57
draband then in manual mode I could create the efi partition and all23:57
drabthat's the best/most I can offer from the little I knwo about it23:57
iklaI'll try that23:58
drabmind you, my plan ultimately failed... but that was a bios problem23:58
drabeven after correctly installing to the nvme device I could not subsequently boto from it23:59
drabin case this info is of any use to you... I spent 4 days going back and forth with SM support about nvme bios to conclude this wasn't possible on X9s23:59
sarnoldaww23:59

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!