[00:02] rbasak: I think you forgot to commit your tests/changelogs/test_distribution file. Can you do so and push it to master?
=== Hirppa is now known as Guest81339
=== Valfor is now known as Guest45971
=== X-Rob is now known as Guest84163
=== giraffe is now known as Guest83487
=== Guest84163 is now known as X-Rob
[00:27] anybody around that happens to be into voip/asterisk? I'm trying to figure out what to do with the asterisk 11 install we have
[04:31] good morning
=== Guest69923 is now known as lordievader
[05:30] Good morning
[06:14] nacc: sorry! Done.
[06:23] hey guys, do you know of any webmail package that is updated by apt that can be added? I have used squirrelmail until it was unsupported and Rainloop isn't handled by any repo, so I am looking for a better solution.
=== lifeless_ is now known as lifeless
=== G_ is now known as G
=== edwinksl- is now known as edwinksl
[11:52] anybody set up galera arbitrator 3 on an ubuntu node?
=== Guest81339 is now known as Hirppa
[14:00] is there a clever one-liner to dump yaml to json?
[14:08] ok, this seems to work -> ruby -rjson -ryaml -e 'puts YAML.load($stdin.read).to_json'
[14:08] with pipes
[14:31] Ubuntu server sure likes to push out updates to its kernel
[14:43] rbasak: hi, ping
[14:43] rbasak: http://pastebin.ubuntu.com/25319275/ these 3 entries in d/changelog are related
[14:44] rbasak: would you prefer to see 3 individual commits, or one?
[14:44] devster31: also python -c 'import sys, yaml, json; json.dump(yaml.load(sys.stdin), sys.stdout, indent=4)' < file.yaml > file.json
[14:44] you surely can find more via search engines
[14:44] doesn't that require pyyaml or something?
[14:44] yep
[14:45] was installed for me already
[15:00] nacc: are you in yet? What's your opinion wrt my question above?
[15:01] ahasenack: I can tell you what I prefer and usually do in these cases if you want?
[15:01] sure, I just asked them first because they are the uploaders
[15:01] * cpaelzer feels neglected
[15:02] ahasenack: I'd make one commit each - but with slight adaptations to the commit message to get better changelogs
[15:02] heh, imagine how I feel with MPs up for more than a month :)
[15:03] On the first one I make a level 1 entry, in this case the use of ldap-auth-config, AND in the same commit a level 2 entry for what this commit changes in particular
[15:03] Following commits have only level 2 entries as long as they belong to the same thing
[15:03] on auto generated changelog that auto-groups them which I like to carry the "they belong together" meaning
[15:04] I thought I reviewed all that made sense to review from me
[15:04] you did
[15:04] all others had other reviewers for a reason
[15:04] I saw your two new merges in the queue but since I started late ...
[15:05] also I plan to add a few on my own today/tmrw as time permits
[15:10] ahasenack: reading
[15:11] ahasenack: it feels like they should be rewritten if they are related (tbh). I don't think it matters much if they are one commit or three, though.
[15:11] ahasenack: what matters is each commit accurately describes the changes in it
[15:11] ok
[15:11] ahasenack: given that we don't want to accidentally cherry-pick only one of the three, though, it seems reasonable to make them one?
[15:11] it does
[15:12] you can't really just drop one of the 3, for example
[15:14] ahasenack: yep
[15:17] I am trying to set up an ssh connection between my Linux OS and virtual server but during 'ssh-copy-id username@remotehost' I am getting an error. Please somebody help.
[15:22] pankaj, help us help you.
[15:23] nacc: this one was sponsored already, what do we do with it from an MP perspective?
https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/326073
[15:24] ahasenack: i don't recall, i'll leave it for now until we decide what to do with them
[15:24] ok
[15:24] ahasenack: any open MPs for ubuntu-advantage-tools you need me to look at? I'm starting with the doc
[15:24] so only 4 to review :)
[15:24] dpb1: no open mp
[15:25] dpb1: we just need to make a release in github, tag, if we are happy with it as is
[15:25] ahasenack: can I install onto xenial from that ppa?
[15:25] dpb1: yes
[15:25] (and get tip, I mean)
[15:25] ok
[15:25] I'll do that
[15:25] dpb1: ack had two changes since that build: manpage, and another I forgot
[15:26] manpage just had a new section about exit status
[15:26] oh, it's not a recipe? I'm shocked
[15:26] can recipes build from github?
[15:26] we might have to mirror
[15:26] I really don't care
[15:26] I'll just build the package here
[15:26] n/w
[15:26] just giving you a hard time
[15:27] ahasenack: and, no landscape yet, right?
[15:27] right
[15:29] ahasenack: lint failures!
[15:29] shocked
[15:29] again
[15:29] what did you run?
[15:29] dpkg-buildpackage -uc -us
[15:29] but, cheaper... make lint
[15:29] ah, I blame ack for that. shellcheck in ubuntu is older than in debian
[15:29] and github installs the debian one
[15:30] which is fixed regarding those failures
[15:30] should I be on artful for this testing?
[15:30] won't help you regarding shellcheck
[15:30] or it's out of date there too
[15:30] ok
[15:30] but are these run at package build time? Hm
[15:31] :/
[15:31] yes
[15:31] then we have to drop that
[15:32] I can quickly fix I think
[15:32] sec
[15:33] ackk: we need to drop shellcheck, it needs to work in plain ubuntu regardless of what we do to make it work in travis
[15:34] ah, he is away today
[15:34] ahasenack: I'm putting up a branch, it's fine
[15:35] cpaelzer: should i just open a new bug for this pflash/apparmor issue?
[15:36] cpaelzer: or maybe discuss via e-mail somewhere?
just trying to cleanly separate the issue from the migration one
[15:36] dannf: yes they are separate issues for sure
[15:36] dannf: and the one hitting the image files on all arches is fixed
[15:36] cpaelzer: cool - yeah, just didn't know if you minded a bug for an issue that's not actually in ubuntu yet :)
[15:36] dannf: so a new one would be great
[15:37] dannf: I fixed the other one (images) already even if it is not a bug yet
[15:37] dannf: for qemu 2.10 prep
[15:37] dannf: so yeah please, just need dmesg and the xml
[15:37] and I need to drive virt-aa-helper manually from there and see what rules it creates for the flash files
[15:39] cpaelzer: will do
[15:39] dannf: I'm also on the minor one with the s390x packaging - cleaning that up
[15:40] dannf: yet I think with a different fix than what you suggested
[15:40] IMHO there is no reason to have s390 being the only different one
[15:40] so I'd more likely adapt the d/control in a way to match the other architectures
[15:40] hmmm
[15:40] cpaelzer: i was assuming it was the only different one because it didn't have full emulation - e.g. requires hardware acceleration - but i'm not sure about that
[15:41] * xnox wonders if there is stuff that I did, that made s390x look odd. It should be just like x86_64.
[15:41] * xnox and e.g. should not be in "ports" bucket
[15:41] well there is a partial tcg which can be used
[15:41] so why not
[15:41] xnox: yeah it was you :-P
[15:41] ahasenack: https://github.com/CanonicalLtd/ubuntu-advantage-script/pull/39
[15:41] but long enough ago that it doesn't matter
[15:42] and that is my mindset as well, it should be just like x86, arm, ppc, ...
[15:42] oO it seems gcc7 also makes qemu compiles unhappy
[15:42] cpaelzer, as long as you do not drop qemu-system-s390x i'm fine =)
[15:42] I'd be the last one to do that
[16:01] qemu2.10 is good with ggc-7 so overall all fine for artful
[16:01] wow ggc new compiler, gcc of course
[17:06] can anybody confirm that ubuntu-server is and will be using timesyncd?
[17:07] it seems that this changed from 14.04 to 16.04, however the same seems to not be true for 16.04 desktop
[17:07] I'm seeing ntpd running on a fresh install of desktop
[17:07] also I can't see where the default is set and can't tell what timesyncd is actually using
[17:08] the conf file has the fallback commented out, ntp.ubuntu.com , which if I had to guess I'd imagine is what is used, but I'd like to confirm that
[17:11] yeah, confirmed with tcpdump, it's calling out to alphyn.canonical.com.ntp , guess maybe a patch to set that as default in the code
[17:12] dpb1: ping
[17:14] hey teward
[17:15] dpb1: got your inquiry on the email of the meeting logs - sorry I was in a server room away from my phone
[17:15] i just got the ping for it - my email parser read it and poked. I'll be available, to my knowledge today, for the meeting next week if there's a need for me to be backup
[17:15] if something comes up I'll let you all know.
[17:15] teward: no worries at all, just wanted to give you a heads up you are getting close
[17:16] yep, I checked that myself :)
[17:16] heh
[17:16] cool
[17:16] thanks for getting back
[17:16] yep
=== Tohuw is now known as Guest68958
[17:46] is there an alternative to proxmox on ubuntu-server (by that I mean is supported by ubuntu)?
[17:48] Vladimirski: to do the same thing/everything that proxmox does?
what I mean is, it could be easier if you were interested in only particular features
[17:49] for example if you were just doing qemu and weren't interested in a web interface you could use libvirt with virsh/virtmanager
[17:49] or if you were interested in containers with lxd and new lxc command line
[17:49] drab: Well I need a virtual environment where I can host different operating systems
[17:49] ok, does it have to have a nice to use web interface?
[17:50] well it would be nice to have one
[17:53] drab: I was thinking of using KVM, maybe there's a webgui for it
[17:54] drab: Actually oVirt maybe is my solution?
[17:54] if you want a web based solution the best I know is Ovirt
[17:54] yeah, was typing just that
[17:54] if you're xen oriented, there's xenserver
[17:55] for kvm, if you have a desktop, libvirt + virtmanager is actually really neat
[17:55] but I guess it's not as aware of a cluster of libvirt instances and so forth
[17:55] it depends how "cloud" you're trying to go
[17:55] thanks
[17:55] gotta think about it
[17:55] if you just want to run a bunch of virtual machines on one or two servers, then imho libvirt + virtmanager is probably the easiest
[17:56] it should be to complicated in configuration sense..
[17:56] alright
[17:56] if you're trying to do something more advanced, then probably ovirt is a better choice if you don't want to run proxmox (which afaik is one of the best solutions out there)
[17:56] but you have to use their own debian isos, which is one of the reasons I didn't go with it
[17:57] Vladimirski: fwiw, I don't know what you're doing, but if you have limited capacity containers may be a better choice than full virtualization
[17:58] I've pretty much migrated all my instances from kvm to lxd minus a few where kernel space stuff matters or I need further isolation at that level
[17:58] kvm/libvirt works well alone, but it's not very straight-forward to setup in a multinode setup
[17:58] most notable example, nfs-kernel-server
[17:58] yeah
[17:59] hence the suggestion for ovirt in that case, more similar to proxmox, but also more work to setup and maintain ime as complexity is higher
[17:59] libvirt + virtmanager is *really* straightforward
[18:00] https://help.ubuntu.com/lts/serverguide/NTP.html
[18:00] stuff on this page seems not true... specifically the interaction between timesyncd and ntp
[18:00] anybody familiar with the two?
[18:00] except for multinode, perhaps, where you'll need corosync and friends, which can be a bit of a hassle
[18:00] "If NTP is installed and replaces the activity of timedatectl the line "NTP synchronized" is set to yes."
[18:00] that is, haven't used it for some time, so it might be easier now
[18:01] but that doesn't seem to be the case.
I removed ntp and timedatectl still says NTP synchronized is true
[18:01] ie nothing seems to change
[18:01] drab: just wait a while and time will drift
[18:01] and I can't really remove it as it's not its own package (timesyncd I mean)
[18:01] ntp setup is the easy part
[18:02] yeah it's all done, but the interaction between the two is very opaque
[18:02] I don't see where timesync checks for ntp etc
[18:02] or where you'd "deconfigure" timesyncd
[18:02] so I have no confidence that this is working correctly and timesyncd is backing out leaving ntp to do the job
[18:03] simply installing and configuring ntpd with a local-ish ntp server should do the job down to a very small fraction of a second between the hosts
[18:04] yeah, that's not what I'm concerned about, what looks dubious is the interaction with systemd-timesyncd
[18:06] again look at the official doc I linked, it says something very specific about the interaction of the two
[18:06] and that doesn't hold true in my experiment
[18:07] hi
[18:07] if I want to checkout a specific stuff from git but its not branch but tree
[18:08] https://github.com/opencart/opencart/tree/2.3.0.2
[18:08] how do I clone that?
[18:08] :D
[18:09] it's not a "tree", that's just the web view in github
[18:09] there is a tag for 2.3.0.2 release, that's what you clone
[18:10] hehehe: https://git-scm.com/docs/git-clone#git-clone--bltnamegt
[18:11] as the man page says you can specify a tag with the branch command
[18:15] cool
[18:17] cpaelzer: around still?
[18:17] (not urgent)
[18:19] solved it
[18:20] ahasenack: here
[18:20] next idea - some app where it simulates icecream :) you have to lick a screen at high speed to eat it lol
[18:20] cpaelzer: checking that extra patch in cifs-utils, doing some archeology
[18:20] cpaelzer: I think it's not needed, because
[18:20] cpaelzer: a) http://pastebin.ubuntu.com/25320452/ 6.2 release notes mention that that binary is now searched using $PATH (I'm trying to find a diff)
[18:21] that's exactly why I asked, because I often find archeology turns out to be interesting :-)
[18:21] cpaelzer: b) this is the patch: http://pastebin.ubuntu.com/25320448/
[18:21] c) http://pastebin.ubuntu.com/25320445/ is the code without the patch
[18:21] it seems our check is redundant, although it would avoid some unnecessary calls
[18:21] hrm, that is not the 'canonical' way to check if systemd is running
[18:21] but also make it less robust if the binary ever moves to another location
[18:21] nacc: yes so :))
[18:21] checking for /var/run/systemd is, iirc
[18:21] the switch to using popen is from 2013
[18:22] (in cifs-utils)
[18:22] I searched lp for closed bugs but only found one asking to update cifs-utils
[18:22] will try a more thorough d/changelog search now
[18:22] ahasenack: well there could be the case of systemd having the paths above and considers it is_systemd_running
[18:23] ahasenack: but lacks the binary
[18:23] ahasenack: yeah, i'd file an upstream bug that those checks are sort of wrong
[18:23] ahasenack: I think that is what the check was meant for
[18:23] well, nothing is checking that it's running, not even our patch
[18:23] semantically, they clearly are trying to :)
[18:23] which is a sub-optimal upstream
[18:23] but they are using the wrong semantics
[18:24] i believe the /var/run/systemd check is what pitti or xnox told me to use
[18:24] ahasenack: well if the popen fails they will end as if the check would have been wrong
[18:24] so yeah
[18:24] (for puppet upstream)
[18:24] dropping our delta would make it even better
[18:24] as it would work if the path changes
[18:24] nacc, but do forget that /var/run exists.
[18:24] nacc, only ever use /run/systemd/system check; as /run/systemd exists on systems with pid 1 upstart, and logind running.
[18:24] xnox: :) is there a "new" path to check for systemd running? /run/systemd then, i guess you mean?
[18:25] xnox: ah yes, thanks!
[18:25] /run/systemd alone is not sufficient.
[18:25] right
[18:25] sorry, misremembered
[18:25] and here we have an example of how checks like these come to life
[18:25] we are all humans and software changes
[18:25] ahasenack: TL;DR we can make this a sync - right?
[18:25] so i don't think it makes sense to keep this delta
[18:26] and i think it makes sense to file a bug upstream and say fix your check
[18:26] at one point it was /run/systemd, but then pitti fixed it in all the software and upstream to be more specific.
[18:26] with a suggested patch
[18:26] since we already discussed the other one away
[18:26] cpaelzer: possibly, I'd just like to test that it asks for the password correctly
[18:26] drab: thanks, do you know about a good libvirt + virtmanager setup guide?
[18:26] cpaelzer: is debian using systemd?
[18:26] nacc, what's the code? because i thought pitti did fix all the things to migrate to the fuller check.
[18:26] ahasenack: yes, but you can switch init systemd if you want to do so badly
[18:27] -d
[18:27] xnox: cifs-utils
[18:27] ahasenack: you checked upstream too?
[18:27] looking at http://pastebin.ubuntu.com/25320448/ it seems wrong
[18:27] nacc: fetching their git repo now
[18:27] ahasenack: ack thanks
[18:27] systemd-ask-password is optional, and systemd cgroup exists on upstart+cgmanager+logind and thus without systemd pid1
[18:27] nacc: upstream is http://pastebin.ubuntu.com/25320445/
[18:28] xnox: yeah the cgroup check makes little sense
[18:28] yeah the comment in 5 is wrong.
[18:28] if any of that fails, it will fall back to getpass()
[18:28] drab: btw, is it possible to connect to the virtmanager via the net, instead of having it locally?
[18:28] ahasenack: ah! it's to know just whether it should use systemd-ask-password?
[18:28] ahasenack: shite code
[18:28] Vladimirski: yes
[18:28] Vladimirski: Connect via ssh.
[18:28] nacc: yes, that is probably a better alternative for fstab entries during boot
[18:28] Vladimirski: I don't know of a tutorial off the cuff, I just google all the time. and yes, you can connect over ssh, which is how I sued it
[18:29] nacc: I've seen it working, btw
[18:29] drab: Did you take all its money?
[18:29] ahasenack: xnox upstream git still is that way as well, not just in debian
[18:29] Vladimirski: you install virtmanager on your desktop and libvirt on the server where you do the virtualization
[18:29] it's just like that dmcrypt prompt, it shows up nicely in ubuntu's splash screen
[18:29] drab: connect via ssh to see the gui?
[18:29] mason: ?
[18:29] ahasenack: sure, i mean it "does work", but it works by chance, i think
[18:29] oh I see
[18:29] drab: Alright, thank you :)
[18:29] nacc: maybe it would fail on trusty :)
[18:29] nacc, ahasenack: https://github.com/systemd/systemd/blob/master/src/libsystemd/sd-daemon/sd-daemon.c#L628 -> sd_booted is the function to use if one is ok linking libsystemd; or one should mimic the check that /run/systemd/system folder exists.
[18:29] Vladimirski: Glad drab could help you out with that.
[18:29] ahasenack: the semantic they want is "if i am on systemd and systemd-ask-password exists (and is executable?)), use it
[18:29] nacc: ahasenack: but a bug and suggestive patch to upstream and making the package atm a sync should be a good way (as actions for now) - right?
[18:29] nacc, ahasenack: feel free to bash upstream with https://github.com/systemd/systemd/blob/master/src/libsystemd/sd-daemon/sd-daemon.c#L628
[18:29] cpaelzer: +1
[18:30] nacc: yes
[18:30] ahasenack: their variable name is confusing :)
[18:30] ahasenack: at a minimum
[18:30] mason: sorry, I saw your answer as well. Thanks :)
[18:30] afk, bbl
[18:30] :P
[18:30] mason: didn't mean to leave you out..:(
[18:30] Vladimirski: FWIW, you can either ssh to root (just be very careful) or ssh to a user in the right group, so you have some options.
[18:31] Either way, consider using limiters on what the account can do via ssh connection.
[18:31] cpaelzer: ok, so let me try the debian code without our patch, make sure it can mount cifs filesystems during boot
[18:31] and if yes, i'll comment on the mp, we abandon it, and you sync?
[18:31] ahasenack: yes lets do it that way
[18:31] ahasenack: requestsync if so
[18:31] and/or the MP (but requestsync will file a bug)
[18:31] nacc: what's that?
[18:32] ahasenack: yet another tool :)
[18:32] Vladimirski: A quick search turns up: https://serverfault.com/questions/407497/how-do-i-configure-sshd-to-permit-a-single-command-without-giving-full-login-ac
[18:32] another magical script from ubuntu-dev-scripts? :0
[18:32] :)
[18:32] ahasenack: a tool to open a bug to request a sync
[18:32] which we'd want in this case, to track down the logic of syncing it (why the delta can be dropped)
[18:32] (IMO)
[18:32] for documentation at least
[18:32] Ah, there it is.
man authorized_keys and search for command=
[18:32] as it's not entirely obvious to drop a quilt patch
[18:33] nacc: +1 on explaining on a please sync bug
[18:33] ok, I'll do that, comment on the reasoning in the bug,
[18:33] but to admit I never used the tool but opened the bug the "classic" way
[18:33] which there are 3-5 :-)
[18:33] mason: I tend to you private keys when using ssh which seems much more secure
[18:33] to use*
[18:33] and maybe file an upstream bug to improve the systemd detection, I have to read more carefully what xnox said above
[18:33] perfect ahasenack
[18:33] Vladimirski: If you look at that command section, that works with private keys and provides a bit more protection.
[18:33] ahasenack: yeah, i think that can be a card in our board to do after FF
[18:34] mason: that's great
[18:34] cpaelzer: nacc xnox ok, thanks for the feedback
[18:34] ahasenack: yw
[18:34] Vladimirski: FWIW, I was using Xen for years, and only in the last year or two am I using libvirt and friends, and I have to say, I quite like it. Very flexible and convenient, and I love virt-manager.
[18:34] mason: thanks again mason :)
[18:35] ahasenack: yw++
[18:38] dannf: did I miss the new extra bug on the pflash lock byte issue - or just no time yet to file?
[18:38] dannf: not that I'd expect to work on it today - just don't want to miss it
[18:39] ahasenack: feel free to drop me a mail with the sync bug eventually
[18:39] ahasenack: in case no one picks it up today I will tmrw then
[18:40] I'll add it to the mp if that's ok
[18:40] yeah fine for me
[18:40] cool
[18:40] I wasn't sure which of our portfolio of options you'd take :-)
[19:34] cpaelzer: you haven't, i'll file it now
[19:35] quick question :) reinstalling php app here, on same box, folders permission 750 files 640 owner is root:www-data, should work but something is amiss - using nginx
[19:35] gives 403 :))
[19:35] xnox: looking at https://github.com/systemd/systemd/blob/master/src/libsystemd/sd-daemon/sd-daemon.c#L628 finally
[19:35] I sense I might have omitted something I have done before
[19:35] xnox: we could use that to decide if systemd is being used, it's my understanding
[19:35] and then for this particular use case we would add another check to see if systemd-ask-password is available (since you said it was optional), and only then call it
[19:36] these two conditions: systemd being used, systemd-ask-password installed
[19:36] right?
[19:36] ahasenack, in essence drop the cgroups check, use the check that /run/systemd/system folder exists.
[19:36] right
[19:37] (because e.g. upstart, cgmanager, cgroups-lite, all face a systemd cgroup for logind integration)
[19:37] use that for the "is systemd being used?" check instead of what was in that pastebin
[19:37] in fact in no one would be wrong no one could have been right :)
[19:37] ack.
[19:37] *if
[19:37] xnox: ok, thx. I'll file an issue with upstream
[19:37] tah.
[19:38] mh, looks like a lot of people dropped from irc
[19:38] yes
[19:38] they been punished for idling :) by god of action
[19:38] *have been
[19:42] hopefully there's no god of poor questions punishing ppl asking for help without doing research first
[19:44] :))
[19:52] cpaelzer: LP: #1710960
[19:52] Launchpad bug 1710960 in libvirt (Ubuntu) "QEMU 2.10 may require AppArmor updates for pflash devices" [Undecided,New] https://launchpad.net/bugs/1710960
[20:14] is this place only for ubuntu-server issues or can you help with other more wtfamidoingarghitsbroke linux server-ish kind of things? specifically mail, stupidly behind NAT which I'd like to correct.
[20:14] oh, and hi :)
[20:15] we try to be helpful such as we can..
[20:16] ah ok, thanks :) my question is kind of, what's normal. ok, I'll try again. if you have a gateway machine but you don't want to serve mail from the gateway, it appears NAT'ing the SMTP loses a lot of email kind of info that services like postfix need for mail spam blocking (ip mainly)
[20:17] so, do you set up two mail servers? one on each hop? postfix them both? simple sendmail on the gateway with postfix downstream? none of the above?
[20:17] Package 'php7.0-fpm' has conffile prompt and needs to be upgraded manually
[20:17] what can it mean?
[20:18] hehehe, I googled it for you :) https://askubuntu.com/questions/921162/how-can-i-automate-a-conffile-prompt-in-unattended-upgrades
[20:19] ty
[20:19] so automated updates can rewrite default php config?
[20:19] going to apply that fix
[20:20] I'll set up mail submission on the submission port but turns out I quickly became an open relay and upstream (google) got a little grumpy
[20:20] eliam: DNAT'ing a port from your public gateway to your private SMTP listener shouldn't remove anything useful for Postfix to ID spam
[20:21] sdeziel: I don't see the problem with NAT, but in any case, a DMZ with routing would remove the need for NAT'ing if that's a problem
[20:21] eeer, eliam
[20:22] So, postfix sees all inbound mail as coming from 'within the network' due to the source ip being the NAT firewall box
[20:22] eliam: you need to basically add a subnet on the gw, put postfix on that subnet and route
[20:22] eliam: if postfix sees only the firewall's IP that probably means you have a SNAT/MASQUERADE rule that is wrong
[20:23] that shouldn't be the case, the gw should only do DNAT, not both SNAT and DNAT
[20:23] yeah, what sdeziel said
[20:25] https://pastebin.com/pZpN4Zy0
[20:25] eliam: iptables -t nat -nvL POSTROUTING
[20:25] or better yet, iptables-save
[20:28] if you want but there appears to be *a lot* of repeats!
[20:28] http://paste.ubuntu.com/25321152/
[20:29] eliam: you shouldn't mix conntrack and state. conntrack replaced the older/obsoleted state module
[20:30] eliam: yes, you have quite a few dups
[20:30] ok, I'll look at that. So, I guess it's DNAT and postfix turned me into a relay (as the whole internal subnet was 'allowed')
[20:31] "-A POSTROUTING -o eth0 -j MASQUERADE" => could be the faulty one. Can you give the output of "ip ro g 192.168.1.70"
[20:32] eliam: yes, if you authorized relaying from 10.0.0.0/8 and you wrongly masquerade to an IP in that range when reaching the SMTP box, then yeah, open relay
[20:33] ip ro ... http://paste.ubuntu.com/25321194/
[20:34] eliam: so yeah, that confirms the issue.
You want to make that "-o eth0 MASQUERADE" rule a tad more specific
[20:35] eliam: maybe replace it by "-A POSTROUTING -o eth0 -s 192.168.0.0/16 -j MASQUERADE"
[20:36] eliam: your LOGDROP chain doesn't log, it just DROPs ;)
[20:37] it's an IMightLogThatSometime chain :) I turn logging on if I'm interested but the logs get *filled* otherwise so I remove it
[20:38] ah
[20:39] so basically I'm a bit confused about iptables then and need to read a little. external traffic can't see the mail server, hence the DNAT. If I limit to internal traffic, mail won't reach the mail server, will it?
[20:40] eliam: your DNAT and FORWARD rules are OK
[20:41] eliam: the problem is that when your firewall/gateway passes the SMTP traffic over to 192.168.1.70, it goes out eth0 and you have a rule that says:
[20:42] when traffic goes out of fw's eth0, make the source 192.168.1.2
[20:42] oh dear :(
[20:42] I didn't mean that!
[20:42] most probably not :)
[20:43] maybe the masquerade is not needed at all then? The 'gateway' per se is actually just for inbound DMZ traffic and isn't really the network gateway (which is the router).
[20:43] replace "-A POSTROUTING -o eth0 -j MASQUERADE" by "-A POSTROUTING -o eth0 -s 192.168.0.0/16 -j MASQUERADE" and you won't be doing the undesired source rewrite
[20:44] ah, then I think I know why you added that MASQUERADE rule ;)
[20:44] if you remove the MASQUERADE rule things will stop working
[20:45] urgh!
[20:45] if you don't source rewrite, when 192.168.1.70 responds to 1.2.3.4 (random public IP), it will go via the gateway and not the firewall
[20:45] which is asymmetric routing and doesn't work
[20:46] can you have the gateway take care of the DNAT itself?
[20:46] as opposed to the firewall dmz box which I called 'gateway' just to confuse myself?
[20:47] hehe
[20:48] Yes, I suppose I could. I wanted to route *All* inbound traffic to the fw_gateway and have it decide what to do.
That way, the router gw with the dodgy web interface is avoided, however, sounds like I've tied myself up in knots...
[20:49] at this point, anything to reduce the spam which is literally 96% of all emails I receive! (the rest come from cron)
[20:50] what I'd do is put the firewall box "behind" the dodgy router and make the firewall the network gateway
[20:51] this would avoid the asymmetric routing
[20:51] where are systemd service files usually located?
[20:52] hehehe: systemctl cat , will show you the unit and where all its pieces are coming from
[20:52] cool thanks!
[20:52] np
[20:52] hehehe: see the list in systemd.unit(5)
[20:53] yes, that makes sense. The crazy thing is, I did most of this for fun and it's not really physical boxes. At some point (once I get the backup space), I'm likely to rebuild and it'll then only be a single box for the services. I just liked the idea of separating out DNS / mail server / fw / web etc...
[20:54] so, until that point, dodgy isp nat routing ftw
[20:54] thanks for debugging and explaining that all for me
[20:55] well ok so now I have removed the installed custom nginx with modsecurity via using find and rm, then I apt-get install ubuntu 16.04 default
[20:55] when I do nginx -v it can't even do anything
[20:55] eliam: depending on what kind of Internet connection you have, you may be able to terminate it on your own machine thus bypassing the dodgy router
[20:56] nginx -v The program 'nginx' can be found in the following packages:
[20:56] * nginx-core
[20:56] eliam: by "terminating it" I mean have your public IP(s) directly on your own equipment and use the dodgy ISP device just as modem
[20:56] I presumed apt-get will simply download and place the binary where it belongs
[20:57] sdeziel, will it annoy you if I let slip I don't have a static ip?
It's uk based fttc with vdsl or something similar
[20:58] eliam: with vdsl you have a chance of PPPoE passthrough ;)
[20:58] eliam: dynamic IP doesn't matter
[20:59] eliam: the idea would be to terminate your PPPoE session on your Linux box, this way, you'd use only the modem part of the ISP device
[20:59] sdeziel, I cheated because I used the dynamic hostname as the dns server (mine local) so everything serves to the same ip. it's bonkers really but hasn't broken the internet yet and the ip leases are pretty long.
[21:00] eliam: sure, using dyndns makes sense in your case
[21:00] :DDD
[21:00] sdeziel, interesting. I'm basically running dhcp, dns, fw and gateway so pretty much have the routing covered.
[21:01] although....wifi devices on the network too
[21:02] anyway, you've helped me understand why something which has annoyed me for some time is not working (or is working as configured) so many thanks. I even went on the postfix chat a fair while ago but didn't get any the wiser.
[21:03] :)
[21:03] this is da top room
[21:03] + #linux and #security
[21:03] eliam: moving your PPPoE to your Linux machine will let you bring lots of sanity in all this
[21:04] hehehe: if you properly cleaned the manual nginx install, then yes, "apt-get install nginx-core" should get you going
[21:04] sdeziel: what's the diff between core and full?
[21:05] hehehe: core is what upstream ships enabled by default (what they trust and are OK with supporting)
=== ejat_ is now known as ejat
[21:05] *waves*
[21:05] hehehe: -full has more modules enabled
[21:05] not sure why I wasn't pinged on the question ;P
[21:05] yeah, teward's the guy ;)
[21:05] hehehe: -full has a few extra third-party module
[21:05] s
[21:05] -core is the same thing minus the third-party modules
[21:05] sdeziel, I believe you, I just don't quite know what that means yet :) so, step 1: remove all dnat from fw_fake_gateway and dnat from real gw. Step 2, learn about PPPoE from linux. Step 3, .... Step 4, PROFIT!
[21:06] https://askubuntu.com/questions/553937/what-is-the-difference-between-the-core-full-extras-and-light-packages-for-ngi
[21:06] got it
[21:06] hehehe: fun fact: that's my answer on that question :p
[21:06] eliam: before diving into PPPoE, you may want to put your ISP device model # into google and check if it supports "bridge mode" or "PPPoE passthrough"
[21:07] teward: and you can make nginx-monster by adding modsecurity to it :D
[21:07] hehehe: never going to happen.
[21:07] at least, not in Ubuntu at this time
[21:07] good
[21:07] it's some kind of monstrosity :)
[21:08] you want modsecurity for nginx, you can go compile it for the nginx version you're after
[21:08] i'm not gonna support that in Ubuntu - that's why naxsi was dropped post-Trusty
[21:08] I did and I ended up deleting it all
[21:08] decided to simply focus on php apps code quality instead :)
[21:08] indeed.
[21:09] if I'm running a WAF, it's probably a Barracuda on the border before the app. Just saying :p
[21:09] in any case... if you have any other nginx questions feel free to ping me here :)
[21:09] *drifts back into the world of mail gateways and setting up mail relays for all his email servers*
[21:09] sdeziel, good tip as the answer is no. Wish I never let them back in the house when I had two separate devices previously which they swapped out for a 'combined' one.
[21:10] this will sound stupid but is there anything wrong with running an IPSec, OpenConnect, and OpenVPN server on the same machine lol
[21:10] sdeziel, I could always just use it as the 'upstream' and have everything else on a different subnet with the firewall gw in the dmz and as the subnet default route I guess
[21:10] teward: btw have you looked into japanese open source vpn software?
[21:11] they also provide many volunyteer run relays for chinese who want to bypass great firewall :)
[21:11] hehehe: (1) I'm not chinese.
[21:11] (2) I'm an IT Security pro who knows 99% of those VPN softwares contain malware.
[21:11] volunteer
[21:11] hmm let's see
[21:11] (3) Chinese hackers use those VPNs, and I don't want the Feds to come down on me like a bag of hammers.
[21:12] so, no thanks!
[21:12] https://www.softether.org/
[21:12] that one
[21:12] sdeziel, now I remember
[21:12] eliam: yeah, if you can configure the ISP device to have 2 subnets/VLANs that might be your best bet
[21:12] I think the isp dnat only works for external traffic
[21:13] hmmm, maybe that's ok actually
[21:13] eliam: yeah, that would seem OK to me :)
[21:13] but that had something to do with the original decision making somehow
[21:13] maybe before I setup the dns
[21:15] yes, so, external mail traffic hits the dnat to the mail server, internal mail traffic is routed directly. (in real terms, I don't need to change the settings on my phone for my mail app when I walk in / out the door)
[21:17] for your internal traffic to be routed directly, you probably need a private DNS entry that says "mail.mydomain.com IN A 192.168.1.70"
[21:22] so I installed nginx-core from ubuntu repository and now - stat("/var/www/html/index.html", 0x7ffed26685c0) = -1 EACCES (Permission denied)
[21:22] when I run strace - however I got index.php and php fpm works, 0 errors
[21:23] I did try to open test php file I made and I get file not found
[21:23] sdeziel, yes, the internal dns zone is configured
[21:24] sdeziel, does iptables-save use something cached?
[21:24] eliam: no, iptables-save dumps verbatim what's loaded in the kernel
[21:25] sdeziel, ok, follow on question :) -F -X doesn't actually clear the firewall?
[21:25] eliam: you can't use both -F and -X at the same time
[21:25] sdeziel, iptables -L now shows nothing.
iptables-save shows *a lot*
[21:26] sdeziel, sorry, iptables -F && iptables -X (not using the flags together)
[21:26] eliam: I personally prefer to do this: iptables-save > ruleset; vim ruleset; iptables-restore ruleset
[21:26] i use ufw it's a bit easier
[21:27] sdeziel, sure but iptables-save is dumping a whole host of stuff when iptables -L shows nada
[21:27] I'll try using restore instead
[21:27] eliam: iptables -L, shows you the filter table only while iptables-save gives you all
[21:27] eliam: talking about bugs there is actual bug on my monitor now :)
[21:27] attracted by light
[21:28] we had cockroaches in the office. say no more!
[21:28] lol
[21:28] first I new was an email from another team saying 'serious bug found this morning' with an attached pic
[21:28] knew
[21:28] urgh, think I'm tired now
[21:28] lol eliam why do you use such complex mail setup?
[21:29] what's it for?
[21:29] time to go break stuff and try to work out how it all fits back together
[21:29] hehehe, it's not complex, it's just email
[21:29] hehehe, as in, roll your own
[21:29] well then make a standalone server for it
[21:29] with own ip
[21:29] hehehe, I don't have any real ip ;)
[21:30] well ask ISP for one
[21:30] hehehe, lol! what fun would that be!
[21:30] hehehe, this is mail masked dnat gateway confusion. it's a much better setup
[21:31] eliam: if you settle on using iptables-save/restore, you may want to install "iptables-persistent" as it will take care of loading up your rulesets on boot
[21:31] eliam: removes the need to run a script that loads 1 rule at the time
[21:31] what day was 16.04.3 released?
[21:31] sdeziel, I have a rule somewhere on boot which reads the last iptables-save I did
[21:31] eliam: I simply pay some guys to maintain email server for me :) even easier
[21:31] hehehe, ease doesn't teach though
[21:31] is it the moddate on /etc/os-release?
[21:32] ChmEarl: https://wiki.ubuntu.com/XenialXerus/ReleaseSchedule says August 3rd
[21:32] eliam: correct and once I become all knowing I will know it anyway :)
[21:33] eliam: How does email work? hehehe: I pay some guy and stuff happens :) I want to know what stuff, when, how etc
[21:33] sdeziel, ty that page is what I need
[21:34] eliam: well you see if I am to learn and learn and learn - instead I choose to know myself, once I am fully myself I will know all anyway
[21:34] hehehe, let me know if it works ;)
[21:35] I did run 1 stand alone email server before can't say if it was secure secure but I did setup dkim spf and emails were going to inboxes :)
[22:24] how can I print out a list of packages I got installed grouped by main universe multiverse and 3rd party?
[22:28] apt-cache policy will give you both package name and source
[22:28] scratch that
[22:28] disregard me
[22:49] I don't know of any command, cache, showpkg or policy that will provide that info
[22:49] the best I can think of is something that parses the list of pkgs and matches them to the list of pkgs from the mirrors
[22:50] something like this:
[22:50] dpkg -l | awk '{print $2}' | tail -n+6 | xargs -i grep -o {} /var/lib/apt/lists/*_binary* | sort | uniq
[22:50] from the file name that matches you should see the arch, the pool, the mirror, everything basically, since the name is a concatenation of all those info
[22:50] awk '/^ii/ {print $2}'
[22:51] oh, better, yes
[22:51] oh then you can skip the tail too
[22:51] good point
[22:52] hehehe: dpkg -l | awk '/^ii/ {print $2}' | xargs -i grep -o {} /var/lib/apt/lists/*_binary* | sort | uniq
[22:52] cool, ty
=== _liam is now known as eliam
[23:08] this ntp business leaves me pretty perplexed...
[23:09] some clients seem to simply not reconnect, just sit there saying there's a pool and do nothing, have to restart ntp, which isn't really good
[23:10] in etc/apt when I check sources list I see digital ocean repo however it's not a sources.list.d dir and main file is generated on a boot, so where does it come from?
[23:10] drab: which ntp biz?
[23:11] hehehe: are you on digital ocean?
[23:13] no on ovh, just ages ago when installing mariadb I added digital ocean repository - copy pasted tutorial , now I purged it and will install ubuntu one instead
[23:13] however have to remove that digital ocean entry first
[23:42] Does the version of apache that comes built-in on Ubuntu 17.04 Server support Virtual Hosting?
[23:53] if adammc returns, https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04 looks useful