/srv/irclogs.ubuntu.com/2017/08/15/#ubuntu-server.txt

nacc	rbasak: i think you forgot to commit your tests/changelogs/test_distribution file. Can you do so and push it to master?	00:02
=== Hirppa is now known as Guest81339
=== Valfor is now known as Guest45971
=== X-Rob is now known as Guest84163
=== giraffe is now known as Guest83487
=== Guest84163 is now known as X-Rob
drab	anybody around that happens to be into voip/asterisk? I'm trying to figure out what to do with the asterisk 11 install we have	00:27
cpaelzer	good morning	04:31
=== Guest69923 is now known as lordievader
lordievader	Good morning	05:30
rbasak	nacc: sorry! Done.	06:14
LaserAllan	hey guys, do yu know of any webmail apckage that is updated by apt that can be added?, i have used squirrelmail until it was unsupported and Rainloop isn't handled by any repo so I am looking for a better solution.	06:23
=== lifeless_ is now known as lifeless
=== G_ is now known as G
=== edwinksl- is now known as edwinksl
gunix	anybody set up galera arbitrator 3 on an ubuntu node?	11:52
=== Guest81339 is now known as Hirppa
devster31	is there a clever one-liner to dump yaml to json?	14:00
devster31	ok, this seems to work -> ruby -rjson -ryaml -e 'puts YAML.load($stdin.read).to_json'	14:08
devster31	with pipes	14:08
runelind_q	Ubuntu server sure likes to push out updates to its kernel	14:31
ahasenack	rbasak: hi, ping	14:43
ahasenack	rbasak: http://pastebin.ubuntu.com/25319275/ these 3 entries in d/changelog are related	14:43
ahasenack	rbasak: would you prefer to see 3 individual commits, or one?	14:44
cpaelzer	devster31: also python -c 'import sys, yaml, json; json.dump(yaml.load(sys.stdin), sys.stdout, indent=4)' < file.yaml > file.json	14:44
cpaelzer	you surely can find more via search engines	14:44
devster31	doesn't that require pyyaml or something?	14:44
cpaelzer	yep	14:44
cpaelzer	was installed for me already	14:45
ahasenack	nacc: are you in yet? What's your opinion wrt my question above?	15:00
cpaelzer	ahasenack: I can tell you what I prefer and usually do in these cases if you want?	15:01
ahasenack	sure, I just asked them first because they are the uploaders	15:01
* cpaelzer feels neglected		15:01
cpaelzer	ahasenack: I'd make one commit each - but with slight adaptions to the commit message to get better changelogs	15:02
ahasenack	heh, imagine how I feel with MPs up for more than a month :)	15:02
cpaelzer	On the first one I make a level 1 entry in this case the use of ldap-auth-config AND in the same commit a level 2 entry what this commit changes in particular	15:03
cpaelzer	Following commits have only level 2 entries as long as they belong to the same thing	15:03
cpaelzer	on auto generated changelog that auto-groups them which I like to carry the "they belong together" meaning	15:03
cpaelzer	I thought I reviewed all that made sense to review from me	15:04
ahasenack	you did	15:04
cpaelzer	all others had other reviewers for a reason	15:04
cpaelzer	I saw your two new merges in the queue but since I started late ...	15:04
cpaelzer	also I plan to add a few on my own today/tmrw as time permits	15:05
nacc	ahasenack: reading	15:10
nacc	ahasenack: it feels like they should be rewritten if they are related (tbh). I don't think it matters much if they are one commit or three, though.	15:11
nacc	ahasenack: what matters is each commit accurately describes teh changes in it	15:11
ahasenack	ok	15:11
nacc	ahasenack: given that we don't want to accidentally cherry-pick only one of the three, though, it seems reasonable to make them one?	15:11
ahasenack	it does	15:11
ahasenack	you can't really just drop one of the 3, for example	15:12
nacc	ahasenack: yep	15:14
pankaj	I am trying to setup ssh connection between my Linux OS and virtual server but during 'ssh-copy-id username@remotehost' I am getting error. Please somebody help.	15:17
tsglove	pankaj, help us help you.	15:22
ahasenack	nacc: this one was sponsored already, what do we do with it from an MP perspective? https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/326073	15:23
nacc	ahasenack: i don't recall, i'll leave it for now until we decide what to do with them	15:24
ahasenack	ok	15:24
dpb1	ahasenack: any open MPs for ubuntu-advantage-tools you need me to look at? I'm starting with the doc	15:24
nacc	so only 4 to review :)	15:24
ahasenack	dpb1: no open mp	15:24
ahasenack	dpb1: we just need to make a release in github, tag, if we are happy with it as is	15:25
dpb1	ahasenack: can I install onto xenial from that ppa?	15:25
ahasenack	dpb1: yes	15:25
dpb1	(and get tip, I mean)	15:25
dpb1	ok	15:25
dpb1	I'll do that	15:25
ahasenack	dpb1: ack had two changes since that build: manpage, and another I forgot	15:25
ahasenack	manpage just had a new section about exit status	15:26
dpb1	oh, it's not a recipe? I'm shocked	15:26
ahasenack	can recipes build from github?	15:26
ahasenack	we might have to mirror	15:26
dpb1	I really don't care	15:26
dpb1	I'll just build the package here	15:26
dpb1	n/w	15:26
dpb1	just giving you a hard time	15:26
dpb1	ahasenack: and, no landscape yet, right?	15:27
ahasenack	right	15:27
dpb1	ahasenack: lint failures!	15:29
dpb1	shocked	15:29
dpb1	again	15:29
ahasenack	what did you run?	15:29
dpb1	dpkg-buildpackage -uc -us	15:29
dpb1	but, more cheaper... make lint	15:29
ahasenack	ah, I blame ack for that. shellcheck in ubuntu is older than in debian	15:29
ahasenack	and github installs the debian one	15:29
ahasenack	which is fixed regarding those failures	15:30
dpb1	should I be on artful for this testing?	15:30
ahasenack	won't help you regarding shellcheck	15:30
dpb1	or it's out of date there too	15:30
dpb1	ok	15:30
ahasenack	but are these run at package build time? Hm	15:30
dpb1	:/	15:31
dpb1	yes	15:31
ahasenack	then we have to drop that	15:31
dpb1	I can quickly fix I think	15:32
dpb1	sec	15:32
ahasenack	ackk: we need to drop shellcheck, it needs to work in plain ubuntu regardless of what we do to make it work in travis	15:33
ahasenack	ah, he is away today	15:34
dpb1	ahasenack: I'm putting up a branch, it's fine	15:34
dannf	cpaelzer: should i just open a new bug for this pflash/apparmor issue?	15:35
dannf	cpaelzer: or maybe discuss via e-mail somewhere? just trying to cleanly separate the issue from the migration one	15:36
cpaelzer	dannf: yes they are separate issues for sure	15:36
cpaelzer	dannf: and the one hitting the image files on all arches is fixed	15:36
dannf	cpaelzer: cool - yeah, just didn't know if you minded a bug for an issue that's not actually in ubunt yet :)	15:36
cpaelzer	dannf: so a new one would be great	15:36
cpaelzer	dannf: I fixed the other one (images) already even it is not a bug yet	15:37
cpaelzer	dannf: for qemu 2.10 prep	15:37
cpaelzer	dannf: so yeah please, just need dmesg and the xml	15:37
cpaelzer	ad I need to drive virt-aa-helper manually from there and see what rules it creates for the flash files	15:37
dannf	cpaelzer: will do	15:39
cpaelzer	dannf: I'm also on the minor one with the s390x packaging - cleaning that up	15:39
cpaelzer	dannf: yet I think with a different fix than what you suggested	15:40
cpaelzer	IMHO there is no reason to have s390 being the only different one	15:40
cpaelzer	so I'd more likely adapt the d/control in a way to match the other architectures	15:40
xnox	hmmm	15:40
dannf	cpaelzer: i was assuming it was the only different one because it didn't have full emulation - e.g. requires hardware acceleration - but i'm not sure about that	15:40
* xnox wonders if there is stuff that I did, that made s390x look odd. It should be just like x86_64.		15:41
* xnox and e.g. should not be in "ports" bucket		15:41
cpaelzer	well ther eis a partial tcg which can be used	15:41
cpaelzer	so why not	15:41
cpaelzer	xnox: yeah it was you :-P	15:41
dpb1	ahasenack: https://github.com/CanonicalLtd/ubuntu-advantage-script/pull/39	15:41
cpaelzer	but long enough ago that it doesn't matter	15:41
cpaelzer	and that is my mindset as well, it should be just like x86, arm, ppc, ...	15:42
cpaelzer	oO it seems gcc7 also makes qemu compiles unhappy	15:42
xnox	cpaelzer, as long as you do not drop qemu-system-s390x i'm fine =)	15:42
cpaelzer	I'd be the last one to do that	15:42
cpaelzer	qemu2.10 is good with ggc-7 so overall all fine for artful	16:01
cpaelzer	wow ggc new compiler, gcc of course	16:01
drab	can anybody confirm that ubuntu-server is and will be using timesyncd?	17:06
drab	it seems that this changed from 14.04 to 16.04, however the same seems to not be true for 16.04 desktop	17:07
drab	I'm seeing ntpd running on a fresh install of desktop	17:07
drab	also I can't see where the default is set and can't tell what timesyncd is actually using	17:07
drab	the conf file has the fallback commented out, ntp.ubuntu.com , which if I had to guess I'd imagine is what is used, but I'd like to confirm that	17:08
drab	yeah, confirmed with tcpdump, it's calling out to alphyn.canonical.com.ntp , guess maybe a patch to set that as deafult in the code	17:11
teward	dpb1: ping	17:12
dpb1	hey teward	17:14
teward	dpb1: got your inquiry on the email of the meeting logs - sorry I was in a server room away from my phone	17:15
teward	i just got the ping for it - my email parser read it and poked. I'll be available, to my knowledge today, for the meeting next week if there's a need for me to be backup	17:15
teward	if something comes up I'll let you all know.	17:15
dpb1	teward: no worries at all, just wanted to give you a heads up you are getting close	17:15
teward	yep, I checked that myself :)	17:16
dpb1	heh	17:16
dpb1	cool	17:16
dpb1	thanks for getting back	17:16
teward	yep	17:16
=== Tohuw is now known as Guest68958
Vladimirski	is there an alternative to proxmox on ubuntu-server(by that I mean is supported by ubuntu)?	17:46
drab	Vladimirski: to do the same thing/everything that proxmox does? what I mean is, it could be easier if you were interest in only particular features	17:48
drab	for example if you were just doing qemu and weren't interested in a web interface you could use libvirt with virsh/virtmanager	17:49
drab	or if you were interested in containers with lxd and new lxc command line	17:49
Vladimirski	drab: Well I need a virtual environment where I can host different operative systems	17:49
drab	ok, does it have to have a nice to use web interface?	17:49
Vladimirski	well it would be nice to have one	17:50
Vladimirski	drab: I was thinking of using KVM, maybe there's a webgui for it	17:53
Vladimirski	drab: Actually oVirt maybe is my solution?	17:54
drab	if you want a bwe based solution the best I know is Ovirt	17:54
drab	yeah, was typing just that	17:54
drab	if you're xen oriented, there's xenserver	17:54
drab	for kvm, if you have a desktop, libvirt + virtmanager is actually really neat	17:55
drab	but I guess it's not as aware of a cluster of libvirt instances and so forth	17:55
drab	it depends how "cloud" you're trying to go	17:55
Vladimirski	thanks	17:55
Vladimirski	gotta think about it	17:55
drab	if you just want to run a bunch of virtual machines on one or two servers, then imho libvirt + virtmanager is probably the easiest	17:55
Vladimirski	it should be to complicated in configuration sense..	17:56
Vladimirski	alright	17:56
drab	if you're trying to do something more advanced, then probably ovirt is a better choice if you don't want to run proxmox (which afaik is one of the best solutions out there)	17:56
drab	but you have to use their own debian isos, which is one of the reason I ddin't go with it	17:56
drab	Vladimirski: fwiw, I don't know what you're doing, but if you have limited capacity containers may be a better choice than full virtualization	17:57
drab	I've pretty much migrated all my instances from kvm to lxd minus a few where kernel space stuff matters or I need further isolation at that level	17:58
RoyK	kvm/libvirt works well alone, but it's not very straight-forward to setup in a multinode setup	17:58
drab	most notable example, nfs-kernel-server	17:58
drab	yeah	17:58
drab	hence the suggestion for ovirt in that case, more similar to proxmox, but also more work to setup and maintain ime as complexity is higher	17:59
drab	libvirt + virtmanager is really straightforward	17:59
drab	https://help.ubuntu.com/lts/serverguide/NTP.html	18:00
drab	stuff on this page seems not true... specifically the interaction between timesyncd and ntp	18:00
drab	anybody familiar with the two?	18:00
RoyK	except for multinode, perhaps, where you'll need corosync and friends, which can be a bit of a hassle	18:00
drab	"If NTP is installed and replaces the activity of timedatectl the line "NTP synchronized" is set to yes."	18:00
RoyK	that is, haven't used it or some time, so it might be easier now	18:00
drab	but that doesn't seem to be the case. I removed ntp and timedatectl still says NTP synchronized is true	18:01
drab	ie nothing seems to change	18:01
RoyK	drab: just wait a while and time will drift	18:01
drab	and I can't really remove it as it's not its own package (timesyncd I mean)	18:01
RoyK	ntp setup is the easy part	18:01
drab	yeah it's all done, but the interaction between the two is very opaque	18:02
drab	I don't see where timesync checks for ntp etc	18:02
drab	or where you'd "deconfigure" timesyncd	18:02
drab	so I have no confidence that this is working correctly and timesycnd is backing out leaving ntp to do the job	18:02
RoyK	simply installing and configuring ntpd with a local-ish ntp server should do the job down to a very small fraction of a second between the hosts	18:03
drab	yeah, that's not what I'm concerned about, what looks dubious is the interaction with systemd-timesyncd	18:04
drab	again look at the official doc I linked, it says something very specific about the interaction of the two	18:06
drab	and that doesn't hold true in my experiment	18:06
hehehe	hi	18:07
hehehe	if I want to checkout a specific stuff from git but its not branch but tree	18:07
hehehe	https://github.com/opencart/opencart/tree/2.3.0.2	18:08
hehehe	how do I clone that?	18:08
hehehe	:D	18:08
drab	it's not a "tree", that's just the web view in github	18:09
drab	there is a tag for 2.3.0.2 release, that's what you clone	18:09
drab	hehehe: https://git-scm.com/docs/git-clone#git-clone--bltnamegt	18:10
drab	as the man page says you can specify a tag with the branch command	18:11
hehehe	cool	18:15
ahasenack	cpaelzer: around still?	18:17
ahasenack	(not urgent)	18:17
hehehe	solved it	18:19
cpaelzer	ahasenack: here	18:20
hehehe	next idea - some app where it simulates icecream :) you have to lick a screen at high speed to eat it lol	18:20
ahasenack	cpaelzer: checking that extra patch in cifs-utils, doing some archeology	18:20
ahasenack	cpaelzer: I think it's not needed, because	18:20
ahasenack	cpaelzer: a) http://pastebin.ubuntu.com/25320452/ 6.2 release notes mentions that that binary is now searched using $PATH (I'm trying to find a diff)	18:20
cpaelzer	thats exactly why I asked, because I often find archeology turns out to be inertesting :-)	18:21
ahasenack	cpaelzer: b) this is the patch: http://pastebin.ubuntu.com/25320448/	18:21
ahasenack	c) http://pastebin.ubuntu.com/25320445/ is the code without the patch	18:21
ahasenack	it seems our check is reduntant, although it would avoid some unecessary calls	18:21
nacc	hrm, that is not the 'canonical' way to check if systemd is running	18:21
ahasenack	but also make it less robust if the binary ever moves to another location	18:21
hehehe	nacc: yes so :))	18:21
nacc	checking for /var/run/systemd is, iirc	18:21
ahasenack	the switch to using popen is from 2013	18:21
ahasenack	(in cifs-utils)	18:22
ahasenack	I searched lp for closed bugs but only found one asking to update cifs-utils	18:22
ahasenack	will try a more thorough d/changelog search now	18:22
cpaelzer	ahasenack: well there could be the case of systemd having the paths above and considers it is_systemd_running	18:22
cpaelzer	ahasenack: but lacks the binary	18:23
nacc	ahasenack: yeah, i'd file an upstream bug that those checks are sort of wrong	18:23
cpaelzer	ahasenack: I thik that is what the check was meant for	18:23
ahasenack	well, nothing is checking that it's running, not even our patch	18:23
nacc	semantically, they clearly are trying to :)	18:23
cpaelzer	which is a sub-optimal upstream	18:23
nacc	but they are using the wrong semantics	18:23
nacc	i believe the /var/run/systemd check is what pitti or xnox told me to use	18:24
cpaelzer	ahasenack: well if the popen fails they will end as if the check would have been wrong	18:24
cpaelzer	so yeah	18:24
nacc	(for puppet upstream)	18:24
cpaelzer	dropping our delta would make it even better	18:24
cpaelzer	as it would work if the path changes	18:24
xnox	nacc, but do forget that /var/run exists.	18:24
xnox	nacc, only ever use /run/systemd/system check; as /run/systemd exists on systems with pid 1 upstart, and logind running.	18:24
nacc	xnox: :) is there a "new" path to check for systemd running? /run/systemd then, i guess you mean?	18:24
nacc	xnox: ah yes, thanks!	18:25
xnox	/run/systemd alone is not sufficient.	18:25
nacc	right	18:25
nacc	sorry, misremembered	18:25
cpaelzer	and here we have an examples how checks like these get to life	18:25
cpaelzer	we are all humans and software changes	18:25
cpaelzer	ahasenack: TL;DR we can make this a sync - right?	18:25
nacc	so i don't think it makes sense to keep this delta	18:25
nacc	and i think it makes sene to file a bug upstream and say fix your check	18:26
xnox	at one point it was /run/systemd, but then pitti fixed it in all the software and upstream to be be more specific.	18:26
nacc	with a suggested patch	18:26
cpaelzer	since we already discussed the other one away	18:26
ahasenack	cpaelzer: possibly, I'd just like to test that is asks for the password correctly	18:26
Vladimirski	drab: thanks, do you know about a good libvirt + virtmanager setup guide?	18:26
ahasenack	cpaelzer: is debian using systemd?	18:26
xnox	nacc, what's the code? because i thought pitti did fix all the things to migrate to the fuller check.	18:26
cpaelzer	ahasenack: yes, but you can switch init systemd if you want to do so badly	18:26
cpaelzer	-d	18:27
nacc	xnox: cifs-utils	18:27
nacc	ahasenack: you checked upstream too?	18:27
xnox	looking at http://pastebin.ubuntu.com/25320448/ it seems wrong	18:27
ahasenack	nacc: fetching their git repo now	18:27
nacc	ahasenack: ack thanks	18:27
xnox	systemd-ask-password is optional, and systemd cgroup exists on upstart+cgmanager+logind and thus without systemd pid1	18:27
ahasenack	nacc: upstream is http://pastebin.ubuntu.com/25320445/	18:27
nacc	xnox: yeah the cgroup check makes little sense	18:28
xnox	yeah the comment in 5 is wrong.	18:28
ahasenack	if any of that fails, it will fallback to getpass()	18:28
Vladimirski	drab: btw, is it possible to connect to the virtmanager via the net, instead of having it locally?	18:28
nacc	ahasenack: ah! it's to know just whether it should use systemd-ask-password?	18:28
nacc	ahasenack: shite code	18:28
mason	Vladimirski: yes	18:28
mason	Vladimirski: Connect via ssh.	18:28
ahasenack	nacc: yes, that is probably a better alternative for fstab entries during boot	18:28
drab	Vladimirski: I don't know of a tutorial off the cuff, I just google all the time. and yes, you can connect over ssh, which is how I sued it	18:28
ahasenack	nacc: I've seen it working, btw	18:29
mason	drab: Did you take all its money?	18:29
cpaelzer	ahasenack: xnox upstream git still is that way as well, not just in debian	18:29
drab	Vladimirski: you install virtmanager on your dekstop and libvirt on the server where you do the virtualization	18:29
ahasenack	it's just like that dmcrypt prompt, it shows up nicely in ubuntu's splash screen	18:29
Vladimirski	drab: conncet via ssh to see the gui?	18:29
drab	mason: ?	18:29
nacc	ahasenack: sure, i mean it "does work", but it works by chance, i think	18:29
Vladimirski	oh I see	18:29
Vladimirski	drab: ALright, thank you :)	18:29
ahasenack	nacc: maybe it would fail on trusty :)	18:29
xnox	nacc, ahasenack: https://github.com/systemd/systemd/blob/master/src/libsystemd/sd-daemon/sd-daemon.c#L628 -> sd_booted is the function to use if one is ok linking libysstemd; or one should mimick the check that /run/systemd/system folder exists.	18:29
mason	Vladimirski: Glad drab could help you out with that.	18:29
nacc	ahasenack: the semantic they want is "if i am on systemd and systemd-ask-password exists (and is executable?)), use it	18:29
cpaelzer	nacc: ahasenack: but a bug and suggestive patch to upstream and making the package atm a sync should be a good way (as actions for now) - right?	18:29
xnox	nacc, ahasenack: feel free to bash upstream with https://github.com/systemd/systemd/blob/master/src/libsystemd/sd-daemon/sd-daemon.c#L628	18:29
nacc	cpaelzer: +1	18:29
ahasenack	nacc: yes	18:30
nacc	ahasenack: their variable name is confusing :)	18:30
nacc	ahasenack: at a minimum	18:30
Vladimirski	mason: sorry, I saw your answer as well. Thanks :)	18:30
drab	afk, bbl	18:30
mason	:P	18:30
Vladimirski	mason: didn't mean to leave you out..:(	18:30
mason	Vladimirski: FWIW, you can either ssh to root (just be very careful) or ssh to a user in the right group, so you have some options.	18:30
mason	Either way, consider using limiters on what the account can do via ssh connection.	18:31
ahasenack	cpaelzer: ok, so let me try the debian code without our patch, make sure it can mount cifs filesystems during boot	18:31
ahasenack	and if yes, i'll comment on the mp, we abandon it, and you sync?	18:31
cpaelzer	ahasenack: yes lets do it that way	18:31
nacc	ahasenack: requestsync if so	18:31
nacc	and/or the MP (but requestsync will file a bug)	18:31
ahasenack	nacc: what's that?	18:31
nacc	ahasenack: yet another tool :)	18:32
mason	Vladimirski: A quick search turns up: https://serverfault.com/questions/407497/how-do-i-configure-sshd-to-permit-a-single-command-without-giving-full-login-ac	18:32
ahasenack	another magical script from ubuntu-dev-scripts? :0	18:32
ahasenack	:)	18:32
cpaelzer	ahasenack: a tool to open a bug to request a sync	18:32
nacc	which we'd want in this case, to track down the logic of syncing it (why the delta can be dropped)	18:32
nacc	(IMO)	18:32
cpaelzer	for documentation at least	18:32
mason	Ah, there it is. man authorized_keys and search for command=	18:32
nacc	as it's not entirely obvious to drop a quilt patch	18:32
cpaelzer	nacc: +1 on explaining on a please sync bug	18:33
ahasenack	ok, I'll do that, coment on the reasoning in the bug,	18:33
cpaelzer	but to admit I never used the tool but opened the bug the "classic" way	18:33
cpaelzer	which there are 3-5 :-)	18:33
Vladimirski	mason: I tend to you private keys when using ssh which seems much more secure	18:33
Vladimirski	to use*	18:33
ahasenack	and maybe file an upstream bug to improve the systemd detection, I have to read more carefully what xnox said above	18:33
cpaelzer	perfect ahasenack	18:33
mason	Vladimirski: If you look at that command section, that works with private keys and provides a bit more protection.	18:33
nacc	ahasenack: yeah, i think that can be a card in our board to do after FF	18:33
Vladimirski	mason: that's great	18:34
ahasenack	cpaelzer: nacc xnox ok, thanks for the feedback	18:34
nacc	ahasenack: yw	18:34
mason	Vladimirski: FWIW, I was using Xen for years, and only in the last year or two am I using libvirt and friends, and I have to say, I quite like it. Very flexible and convenient, and I love virt-manager.	18:34
Vladimirski	mason: thanks again mason :)	18:34
cpaelzer	ahasenack: yw++	18:35
cpaelzer	dannf: did I miss the new extra bug on the pflash lock byte issue - or just no time yet to file?	18:38
cpaelzer	dannf: not that I'd expect to work on it today - just don't want to miss it	18:38
cpaelzer	ahasenack: feel free to drop me a mail with the sync bug eventually	18:39
cpaelzer	ahasenack: in case non picks up today I will tmrw then	18:39
ahasenack	I'll add it to the mp if that's ok	18:40
cpaelzer	yeah fine for me	18:40
ahasenack	cool	18:40
cpaelzer	I wasn't sure which of our portfolio of options you'd take :-)	18:40
dannf	cpaelzer: you haven't, i'll file it now	19:34
hehehe	quick question :) reinstalling php app here, on same box, folders permisson 750 files 640 owner is root:www-data, should work but something is a miss - using nginx	19:35
hehehe	gives 403 :))	19:35
ahasenack	xnox: looking at https://github.com/systemd/systemd/blob/master/src/libsystemd/sd-daemon/sd-daemon.c#L628 finally	19:35
hehehe	I sense I might of omited something I have done before	19:35
ahasenack	xnox: we could use that to decide if systemd is being used, it's my understanding	19:35
ahasenack	and then for this particular use case we would add another check to see if systemd-ask-password is available (since you said it was optional), and only then call it	19:35
ahasenack	these two conditions: systemd being used, systemd-ask-password installed	19:36
ahasenack	righT?	19:36
xnox	ahasenack, in essence drop the cgroups check, use the check that /run/systemd/system folder exists.	19:36
ahasenack	right	19:36
xnox	(because e.g. upstart, cgmanager, cgroups-lite, all face a systemd cgroup for logind integration)	19:37
ahasenack	use that for the "is systemd being used?" check instead of what was in that pastebin	19:37
hehehe	in fact in no one would be wrong no one could of been right :)	19:37
xnox	ack.	19:37
hehehe	*if	19:37
ahasenack	xnox: ok, thx. I'll file an issue with upstream	19:37
xnox	tah.	19:37
ahasenack	mh, looks like a lot of people dropped from irc	19:38
hehehe	yes	19:38
hehehe	they been punished for idling :) by god of action	19:38
hehehe	*have been	19:38
drab	hopefully there's no god of poor questions punishing ppl asking for help without doing research first	19:42
hehehe	:))	19:44
dannf	cpaelzer: LP: #1710960	19:52
ubottu	Launchpad bug 1710960 in libvirt (Ubuntu) "QEMU 2.10 may require AppArmor updates for pflash devices" [Undecided,New] https://launchpad.net/bugs/1710960	19:52
eliam	is this place only for ubuntu-server issues or can you help with other more wtfamidoingarghitsbroke linux server-ish kind of things? specifically mail, stupidly behind NAT which I'd like to correct.	20:14
eliam	oh, and hi :)	20:14
sarnold	we try to be helpful such as we can..	20:15
eliam	ah ok, thanks :) my question is kind of, what's normal. ok, I'll try again. if you have a gateway machine but you don't want to serve mail from the gateway, it appears NAT'ing the SMTP loses a lot of email kind of info that services like postfix need for mail spam blocking (ip mainly)	20:16
eliam	so, do you setup two mail servers? one on each hop? postfix them both? simple sendmail on the gateway with postfix downstream? none of the above?	20:17
hehehe	Package 'php7.0-fpm' has conffile prompt and needs to be upgraded manually	20:17
hehehe	what can it mean?	20:17
eliam	hehehe, I googled it for you :) https://askubuntu.com/questions/921162/how-can-i-automate-a-conffile-prompt-in-unattended-upgrades	20:18
hehehe	ty	20:19
hehehe	so automated updates can rewrite default php config?	20:19
hehehe	going to apply that fix	20:19
eliam	I'll setup mail submission on the submission port but turns out I quickly became an open relay and upstream (google) got a little grumpy	20:20
sdeziel	eliam: DNAT'ing a port from your public gateway to your private SMTP listener shouldn't remove anything useful for Postifx to ID spam	20:20
drab	sdeziel: I don't see the problem with NAT, but in any case, a DMZ with routing would remove the need for NAT'ing if that's a problem	20:21
drab	eeer, eliam	20:21
eliam	So, postfix sees all inbound mail as coming from 'within the network' due to the source ip being the NAT firewall box	20:22
drab	eliam: you need to basically add a subnet on the gw, put postfix on that subnet and route	20:22
sdeziel	eliam: if postfix sees only the firewall's IP that probably means you have a SNAT/MASQUERADE rule that is wrong	20:22
drab	that shouldn't be the case, the gw should only do DNAT, not both SNAT and DNAT	20:23
drab	yeah, what sdeziel said	20:23
eliam	https://pastebin.com/pZpN4Zy0	20:25
sdeziel	eliam: iptables -t nat -nvL POSTROUTING	20:25
sdeziel	or better yet, iptables-save	20:25
eliam	if you want but there appears to be a lot of repeats!	20:28
eliam	http://paste.ubuntu.com/25321152/	20:28
sdeziel	eliam: you shouldn't mix conntrack and state. conntrack replaced the older/obsoleted state module	20:29
sdeziel	eliam: yes, you have quite a few dup	20:30
eliam	ok, I'll look at that. So, I guess it's DNAT and postfix turned me into a relay (as the whole internal subnet was 'allowed')	20:30
sdeziel	"-A POSTROUTING -o eth0 -j MASQUERADE" => could be the faulty one. Can you give the output of "ip ro g 192.168.1.70"	20:31
sdeziel	eliam: yes, if you authorized relying from 10.0.0.0/8 and you wrongly masquerade to an IP in that range when reaching the SMTP box, then yeah, open relay	20:32
eliam	ip ro ... http://paste.ubuntu.com/25321194/	20:33
sdeziel	eliam: so yeah, that confirms the issue. You want to make that "-o eth0 MASQUERADE" rule a tad more specific	20:34
sdeziel	eliam: maybe replace it by "-A POSTROUTING -o eth0 -s 192.168.0.0/16 -j MASQUERADE"	20:35
sdeziel	eliam: your LOGDROP chain doesn't log, it just DROP ;)	20:36
eliam	it's an IMightLogThatSometime chain :) I turn logging on if I'm interested but the logs get filled otherwise so I remove it	20:37
sdeziel	ah	20:38
eliam	so basically I'm a bit confused about iptables then and need to read a little. external traffic can't see the mail server, hence the DNAT. If I limit to internal traffic, mail won't reach the mail server, will it?	20:39
sdeziel	eliam: your DNAT and FORWARD rules are OK	20:40
sdeziel	eliam: the problem is that when your firewall/gateway passes the SMTP traffic over to 192.168.1.70, it goes out eth0 and you have a rule that says:	20:41
sdeziel	when traffic goes out of fw's eth0, make the source 192.168.1.2	20:42
eliam	oh dear :(	20:42
eliam	I didn't mean that!	20:42
sdeziel	most probably not :)	20:42
eliam	maybe the masquerade is not needed at all then? The 'gateway' per se is actually just for inbound DMZ traffic and isn't really the network gateway (which is the router).	20:43
sdeziel	replace "-A POSTROUTING -o eth0 -j MASQUERADE" by "-A POSTROUTING -o eth0 -s 192.168.0.0/16 -j MASQUERADE" and you won't be doing the undesired source rewrite	20:43
sdeziel	ah, then I think I know why you added that MASQUERADE rule ;)	20:44
sdeziel	if you remove the MASQUERADE rule things will stop work	20:44
eliam	urgh!	20:45
sdeziel	if you don't source rewrite, when 192.168.1.70 will respond to 1.2.3.4 (random public IP), it will go via the gateway and no the firewall	20:45
sdeziel	which is asymmetric routing and doesn't work	20:45
sdeziel	can you have the gateway take care of the DNAT itself?	20:46
eliam	as opposed to the firewall dmz box which I called 'gateway' just to confuse myself?	20:46
sdeziel	hehe	20:47
eliam	Yes, I suppose I could. I wanted to route All inbound traffic to the fw_gateway and have it decide what to do. That way, the router gw with the dodgy web interface is avoided, however, sounds like I've tied myself up in knots...	20:48
eliam	at this point, anything to reduce the spam which is literally 96% of all emails I receive! (the rest come from cron)	20:49
sdeziel	what I'd do is put the firewall box "behind" the dodgy router and make the firewall, the network gateway	20:50
sdeziel	this would avoid the asymmetric routing	20:51
hehehe	where are usually systemd service files are located?	20:51
sdeziel	hehehe: systemctl cat <unit_name>, will show you the unit and where all its pieces are coming from	20:52
hehehe	cool thanks!	20:52
sdeziel	np	20:52
sarnold	hehehe: see the list in systemd.unit(5)	20:52
eliam	yes, that makes sense. The crazy thing is, I did most of this for fun and it's not really physical boxes. At some point (once I get the backup space), I'm likely to rebuild and it'll then only be a single box for the services. I just liked the idea of separating out DNS / mail server / fw / web etc...	20:53
eliam	so, until that point, dodgy isp nat routing ftw	20:54
eliam	thanks for debugging and explaining that all for me	20:54
hehehe	well ok so now I have removed installed custom nginx with modsecurity via using find and rm , then I apt-get install ubuntu 16.04 default	20:55
hehehe	when I do nginx -v it cant even do anything	20:55
sdeziel	eliam: depending on what kind of Internet connection you have, you may be able to terminate it on your own machine thus bypassing the dogdy router	20:55
hehehe	nginx -v The program 'nginx' can be found in the following packages:	20:56
hehehe	* nginx-core	20:56
sdeziel	eliam: by "terminating it" I mean have your public IP(s) directly on your own equipment and use the dodgy ISP device just as modem	20:56
hehehe	I presumed apt-get will simply download and place binary where it belongs	20:56
eliam	sdeziel, will it annoy you if I let slip I don't have a static ip? It's uk based fttc with vdsl or something similar	20:57
sdeziel	eliam: with vdsl you have a chance of PPPoE passthrough ;)	20:58
sdeziel	eliam: dynamic IP doesn't matter	20:58
sdeziel	eliam: the idea would be to terminate your PPPoE session on your Linux box, this way, you'd use only the modem part of the ISP device	20:59
eliam	sdeziel, I cheated because I used the dynamic hostname as the dns server (mine local) so everything serves to the same ip. it's bonkers really but hasn't broken the internet yet and the ip leases are pretty long.	20:59
sdeziel	eliam: sure, using dyndns makes sense in your case	21:00
hehehe	:DDD	21:00
eliam	sdeziel, interesting. I'm basically running dhcp, dns, fw and gateway so pretty much have the routing covered.	21:00
eliam	although....wifi devices on the network too	21:01
eliam	anyway, you've helped me understand why something which has annoyed me for sometime is not working (or is working as configured) so many thanks. I even went on the postfix chat a fair while ago but didn't get any the wiser.	21:02
hehehe	:)	21:03
hehehe	this is da top room	21:03
hehehe	+ #linux and #security	21:03
sdeziel	eliam: moving your PPPoE to your Linux machine will let you bring lots of sanity in all this	21:03
sdeziel	hehehe: if you properly cleaned the manual nginx install, then yes, "apt-get install nginx-core" should get you going	21:04
hehehe	sdeziel: whats the diff between core and full?	21:04
sdeziel	hehehe: core is what upstream ships enabled by default (what they trust and are OK with supporting)	21:05
=== ejat_ is now known as ejat
teward	waves	21:05
sdeziel	hehehe: -full has more modules enabled	21:05
teward	not sure why I wasn't pinged on the question ;P	21:05
sdeziel	yeah, teward's the guy ;)	21:05
teward	hehehe: -full has a few extra third-party module	21:05
teward	s	21:05
teward	-core is the same thing minus the third-party modules	21:05
eliam	sdeziel, I believe you, I just don't quite know what that means yet :) so, step 1: remove all dnat from fw_fake_gateway and dnat from real gw. Step 2, learn about PPPoE from linux. Step 3, .... Step 4, PROFIT!	21:05
hehehe	https://askubuntu.com/questions/553937/what-is-the-difference-between-the-core-full-extras-and-light-packages-for-ngi	21:06
hehehe	got it	21:06
teward	hehehe: fun fact: that's my answer on that question :p	21:06
sdeziel	eliam: before diving into PPPoE, you may want to put your ISP device model # into google and check if it supports "bridge mode" or "PPPoE passthrough"	21:06
hehehe	teward: and you can make nginx-monster by adding modsecurity to it :D	21:07
teward	hehehe: never going to happen.	21:07
teward	at least, not in Ubuntu at this time	21:07
hehehe	good	21:07
hehehe	its some kind of monstrosity :)	21:07
teward	you want modsecurity for nginx, you can go compile it for the nginx version you're after	21:08
teward	i'm not gonna support that in Ubuntu - that's why naxsi was dropped post-Trusty	21:08
hehehe	I did and I endup deleting it all	21:08
hehehe	decided to simply focus on php apps code quality instead :)	21:08
teward	indeed.	21:08
teward	if I'm running a WAF, it's probably a Barracuda on the border before the app. Just saying :p	21:09
teward	in any case... if you have any other nginx questions feel free to ping me here :)	21:09
teward	drifts back into the world of mail gateways and setting up mail relays for all his email servers	21:09
eliam	sdeziel, good tip as the answer is no. Wish I never let them back in the house when I had two separate devices previously which they swapped out for a 'combined' one.	21:09
teward	this will sound stupid but is there anything wrong with running an IPSec, OpenConnect, and OpenVPN server on the same machine lol	21:10
eliam	sdeziel, I could always just use it as the 'upstream' and have everything else on a different subnet with the firewall gw in the dmz and as the subnet default route I guess	21:10
hehehe	teward: btw have you looked into japanese open source vpn software?	21:10
hehehe	they also provide many volunyteer run relays for chinese who want to bypass great firewall :)	21:11
teward	hehehe: (1) I'm not chinese.	21:11
teward	(2) I'm an IT Security pro who knows 99% of those VPN softwares contain malware.	21:11
hehehe	volunteer	21:11
hehehe	hmm lets see	21:11
teward	(3) Chinese hackers use those VPNs, and I don't want the Feds to come down on me like a bag of hammers.	21:11
teward	so, no thanks!	21:12
hehehe	https://www.softether.org/	21:12
hehehe	that one	21:12
eliam	sdeziel, now I remember	21:12
sdeziel	eliam: yeah, if you can configure the ISP device to have 2 subnets/VLANs that might be your best bet	21:12
eliam	I think the isp dnat only works for external traffic	21:12
eliam	hmmm, maybe that's ok actually	21:13
sdeziel	eliam: yeah, that would seem OK to me :)	21:13
eliam	but that had something to do with the original decision making somehow	21:13
eliam	maybe before I setup the dns	21:13
eliam	yes, so, external mail traffic hits the dnat to the mail server, internal mail traffic is routed directly. (in real terms, I don't need to change the settings on my phone for my mail app when I walk in / out the door)	21:15
sdeziel	for your internal traffic to be routed directly, you probably need a private DNS entry that says "mail.mydomain.com IN A 192.168.1.70"	21:17
hehehe	so I installed nginx-core from ubuntu repository and now - stat("/var/www/html/index.html", 0x7ffed26685c0) = -1 EACCES (Permission denied)	21:22
hehehe	when I run strace - however I got index.php and php fpm works, 0 errors	21:22
hehehe	I did try to open test php file I made and I get file not found	21:23
eliam	sdeziel, yes, the internal dns zone is configured	21:23
eliam	sdeziel, does iptables-save use something cached?	21:24
sdeziel	eliam: no, iptables-save dumps verbatim what's loaded in the kernel	21:24
eliam	sdeziel, ok, follow on question :) -F -X doesn't actually clear the firewall?	21:25
sdeziel	eliam: you can't use both -F and -X at the same time	21:25
eliam	sdeziel, iptables -L now shows nothing. iptables-save shows a lot	21:25
eliam	sdeziel, sorry, iptables -F && iptables -X (not using the flags together)	21:26
sdeziel	eliam: I personally prefer to do this: iptables-save > ruleset; vim ruleset; iptables-restore ruleset	21:26
hehehe	i use ufw its a bit easier	21:26
eliam	sdeziel, sure but iptables-save is dumping a whole host of stuff when iptables -L shows nada	21:27
eliam	I'll try using restore instead	21:27
sdeziel	eliam: iptables -L, shows you the filter table only while iptables-save gives you all	21:27
hehehe	eliam: talking about bugs there is actual bug on my monitor now :)	21:27
hehehe	attracted by light	21:27
eliam	we had cockroaches in the office. say no more!	21:28
hehehe	lol	21:28
eliam	first I new was an email from another team saying 'serious bug found this morning' with an attached pic	21:28
eliam	knew	21:28
eliam	urgh, think I'm tired now	21:28
hehehe	lol eliam why do you use such complex mail setup?	21:28
hehehe	whats it for?	21:29
eliam	time to go break stuff and try to work out how it all fits back together	21:29
eliam	hehehe, it's not complex, it's just email	21:29
eliam	hehehe, as in, roll your own	21:29
hehehe	well then make a standalone server for it	21:29
hehehe	with own ip	21:29
eliam	hehehe, I don't have any real ip ;)	21:29
hehehe	well ask ISP for one	21:30
eliam	hehehe, lol! what fun would that be!	21:30
eliam	hehehe, this is mail masked dnat gateway confusion. it's a much better setup	21:30
sdeziel	eliam: if you settle on using iptables-save/restore, you may want to install "iptables-persistent" as it will take care of loading up your rulesets on boot	21:31
sdeziel	eliam: removes the need to run a script that loads 1 rule at the time	21:31
ChmEarl	what day was 16.04.3 released?	21:31
eliam	sdeziel, I have a rule somewhere on boot which reads the last iptables-save I did	21:31
hehehe	eliam: I simply pay some guys to maintain email server for me :) even easier	21:31
eliam	hehehe, ease doesn't teach though	21:31
ChmEarl	is it the moddate on /etc/os-release?	21:31
sdeziel	ChmEarl: https://wiki.ubuntu.com/XenialXerus/ReleaseSchedule says August 3rd	21:32
hehehe	eliam: correct and once I become all knowing I will know it anyway :)	21:32
eliam	eliam: How does email work? hehehe: I pay some guy and stuff happens :) I want to know what stuff, when, how etc	21:33
ChmEarl	sdeziel, ty that page is what I need	21:33
hehehe	eliam: well you see if I am to learn and learn and learn - instead I choose to know myself, once I am fully myself I will know all anyway	21:34
eliam	hehehe, let me know if it works ;)	21:34
hehehe	I did run 1 stand alone email server before cant say if it was secure secure but I did setup dkim spf and emails were going to inboxes :)	21:35
hehehe	how I can print out a list of packages I got installed grouped by main universe multiverse and 3rd party?	22:24
dlloyd	apt-cache policy will give you both package name and source	22:28
dlloyd	scratch that	22:28
dlloyd	disregard me	22:28
drab	I don't know of any command, cache, showpkg or policy that will provide that info	22:49
drab	the best I can think of is something that parses the list of pkgs and matches them to the list of pkgs from the mirrors	22:49
drab	something like this:	22:50
drab	dpkg -l \| awk '{print $2}' \| tail -n+6 \| xargs -i grep -o {} /var/lib/apt/lists/_binary \| sort \| uniq	22:50
drab	from the file name that matches you should see the arch, the pool, the mirror, everything basically, since the name is a concatenation of all those info	22:50
sarnold	awk '/^ii/ {print $2}'	22:50
drab	oh, better, yes	22:51
sarnold	oh then you can skip the tail too	22:51
drab	good point	22:51
drab	hehehe: dpkg -l \| awk '/^ii/ {print $2}' \| xargs -i grep -o {} /var/lib/apt/lists/_binary \| sort \| uniq	22:52
hehehe	cool, ty	22:52
=== _liam is now known as eliam
drab	this ntp business leaves me pretty perplexed...	23:08
drab	some clients seem to simply not reconnect, just sit there saying there's a pool and do nothing, have to restart ntp, which isn't really good	23:09
hehehe	in etc/apt when I check sources list I see digital ocean repo however its not a sources.list.d dir and main file is generated on a boot, so from where it comes from?	23:10
hehehe	drab: which ntp biz?	23:10
nacc	hehehe: are you on digital ocean?	23:11
hehehe	no on ovh, just ages ago when installing mariadb I added digital ocean repository - copy pasted tutorial , now I purged it and will install ubuntu one instead	23:13
hehehe	however have to remove that digital ocean entry first	23:13
AdamMc	Does the version of apache that comes built-in on Ubuntu 17.04 Server support Virtual Hosting?	23:42
sarnold	if adammc returns, https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04 looks useful	23:53

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!