/srv/irclogs.ubuntu.com/2017/09/08/#ubuntu-server.txt

[07:22] <lordievader> Good morning
[07:35] <wretchedspirit> hi!
[07:44] <lordievader> o/
[08:58] <oskaress> Anyone with any knowledge about setting up vsftpd on an ubuntu 16.04 server?
[09:03] <andol> oskaress: https://help.ubuntu.com/lts/serverguide/ftp-server.html might be a good place to start.
[09:03] <andol> See also http://mywiki.wooledge.org/FtpMustDie
[09:07] <oskaress> The thing is, I've set up vsftpd by following a guide found on Digital Ocean where they enable TTL/SSL to provide encryption. Once I created the certificate filezilla wouldn't connect. I get a 500 command not understood error on both the AUTH TLS and AUTH SSL command. Read through the config file several times and everything should be set up correct. Any ideas what can cause the issue?
[09:08] <wretchedspirit> which protocol are you trying to connect with on filezilla?
[09:09] <oskaress> FTP with the Explicit FTP over TLS encryption
[09:10] <oskaress> Can it be something with the transfer mode? Currently it's only set as default
[09:10] <wretchedspirit> have you tested with implicit?
[09:11] <oskaress> Yes, connection refused by the server
[09:12] <wretchedspirit> OK
[09:12] <wretchedspirit> port 22?
[09:12] <wretchedspirit> or, at least, are you sure you're using the right port & that it's open
[09:13] <tomreyn> what do the server logs tell you about it?
[09:15] <oskaress> I've tried both port 21, 22 and 990, all of them are open. FTPS uses port 990 by default, right? I'll check the server logs
[09:17] <tomreyn> lsof -i :990
[09:17] <tomreyn> the port you configured when configuring the server is the one the server listens on
[09:36] <oskaress> I didn't configure what port the server should listen to, I just opened up the necessary ports. Where should I configure what port the server listens on?
=== disposable3 is now known as disposable2
=== ashleyd is now known as ashd
[11:12] <oskaress> tomreyn Which logs do you mean by server logs?
[11:15] <tomreyn> oskaress: i'm not sure where vsftpd logs to, probably either /var/log/vsftpd* or /var/log/syslog
[11:15] <tomreyn> blindly following an outdated how-to is a recipe for disaster.
[11:18] <_ruben> meh, this is annoying: the squid init script returns 0 when it fails to (re)start .. even status returns 0 in that case :/
[11:19] <oskaress> The vsftpd log contains no error. The tutorial I'm following is from September 2, 2016 and made for Ubuntu 16.04 which I am using, so I don't know about the outdated part...
[11:29] <tomreyn> oh, well the only tutorial i found when googling (you did not provide its location) for "Digital Ocean vsftpd tutorial" was one from 2013
[11:31] <tomreyn> still, like previously pointed out here, unless you have a very specific use case, dont set up ftp servers in 2017
[11:31] <oskaress> Sorry, my bad. The tutorial I'm following is this one https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04
[11:32] <oskaress> The case is indeed very specific, I've noticed that you shouldn't set up ftp server unless you really have to, and in this case I unfortunately have to
[11:32] <tomreyn> maybe there's a better alternative, feel free to discuss your needs
[11:33] <oskaress> I need a scanner to send the scanned image to a server, and what I know, the scanners that are used can only send by FTP
[11:35] <tomreyn> so that's a flatbed scanner which creates imagery from paper / physical objects? do those scanners actually support ftps then?
[11:36] <tomreyn> what's the scanner model?
[11:36] <tomreyn> i assume those scanners are not directly connected to the internet?
[11:37] <oskaress> It's a MFP (Multi Functional Printer) from Toshiba, and they are connected directly to the internet
[11:38] <tomreyn> that's usually not a good idea, those devices are usually full of exploitable software bugs.
[11:39] <oskaress> Well yeah, unfortunately it's not my call. I pretty much just have to solve the ftp connection between them
[11:39] <tomreyn> it'd be better to do the ftp transfer to a hardened system that is local to the router and has an internet upstream and can copy the imagery elsewhere over the internet.
[11:40] <tomreyn> a 30 usd computer running linux is good enough there.
[11:41] <tomreyn> so do those toshibas actually support ftp over ssl / tls?
[11:41] <tomreyn> otherwise setting it up on the server doesn't seem to make much sense.
[11:42] <tomreyn> if you'd still like to test the vsftpd servers' TLS you could: openssl s_client -starttls ftp -debug -connect hostname:port
[11:43] <oskaress> The problem right now is that I can't even use filezilla to FTP into my FTP server via vsftpd
[11:47] <tomreyn> i just provided a command to debug that.
[11:48] <tomreyn> there is also the debug_ssl option to vsftpd, which would ensure more logging on ssl sessions.
[11:52] <oskaress> The command you provided says "no peer certificate available" and "No client certificate CA names sent"
[11:53] <tomreyn> did you replace hostname:port by the hostname and port your ftp server listens on?
[11:55] <tomreyn> well you probably did. but there's no startssl support at the hostname:port you pointed it to.
[11:55] <oskaress> Yes, I mean it connects and gets the same error, it says 500 Command not understood, but further down in the response it says what I wrote above
[11:55] <tomreyn> maybe try without the '-starttls ftp' option then
[11:56] <oskaress> Hmm looks like it worked without the -starttls ftp option.
[11:57] <tomreyn> try to have a quick ftp chat then
[11:58] <tomreyn> https://www.webdigi.co.uk/blog/2009/ftp-using-raw-commands-and-telnet/
[11:58] <tomreyn> no need to telnet, you're already connected with openssl
[11:59] <tomreyn> just type "USER anonymous" and press enter and see what the server responds
[12:01] <oskaress> I got a 'write:errno=10054' before, didn't see that.
[12:19] <tomreyn> thats connection refused, i.e. the destination tcp port isnt accepting connections.
[12:20] <oskaress> Hmm weird, I connected to port 21 and in the firewall it allows connections
[12:22] <tomreyn> maybe you need to read the man page about implicit_ssl
=== jelly-home is now known as jelly
[12:51] <fishcooker> do-release-upgrade -d output is Checking for a new Ubuntu release ... Upgrades to the development release are only ... available from the latest supported release. what should i do if i want 17.10 from 17.04
[12:54] <TJ-> fishcooker: if /etc/update-manager-release-upgrades has "Prompt-normal" then you shouldn't need the "-d" flag, it should offer 17.10 from 17.04
[12:57] <Pici> 17.10 hasn't been released yet...
[12:57] <TJ-> that's a good point... for some reason I am thinking we're in 2018 already :D
[12:58] <TJ-> maybe it's set to LTS only
[13:00] <fishcooker> thanks Pici
[13:00] <fishcooker> what if TJ-
[13:01] <fishcooker> with gnome as default TJ- :D
[13:39] <sobukus> Anyone successfully running Ubuntu 16.04 on server hardware with Intel Matrix RAID? I apparently got this issue Red Hat fixed 5 years ago: https://bugzilla.redhat.com/show_bug.cgi?id=785739
[13:39] <ubottu> bugzilla.redhat.com bug 785739 in mdadm "update mdadm/mdmon to work with systemd unrolling mounts to initramfs mount on shutdown" [Unspecified,Closed: rawhide]
[13:39] <sobukus> Ubuntu bug report is https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1587142
[13:39] <ubottu> Launchpad bug 1587142 in systemd (Ubuntu) "Shutdown hangs in md kworker after "Reached target Shutdown."" [Critical,Confirmed]
[13:40] <sobukus> This is a rather nasty showstopper for me, after having invested time to adapt a provisioning set up to put the system on a RAID1.
[13:41] <sobukus> And didn't the RedHat people not tell anyone? It's a bit disturbing that this bug lurks for 5 years. My CentOS 7 systems on similar hardware boot and reboot nicely.
[13:45] <ahasenack> sobukus: that's sad :/ Can you add the rh bug link to the ubuntu report, if it's not there already?
[13:58] <gunix> guys, any idea where would be the best place to publish this: http://gunix.cloud/blog/wordpresscluster.html
[13:58] <gunix> ?
[13:58] <gunix> i was thinking about creating a blog and publishing it, because more similar articles will follow. any idea?
[14:04] <gunix> everything was done on ubuntu server
=== trippeh is now known as tripwire
=== tripwire is now known as trippeh
[15:22] <PCatinean> hey all
[15:22] <PCatinean> I'm having an issue with vsftpd that I cannot change directory after I'm logged in
[15:22] <PCatinean> and I cannot see any errors in the logs, confusing
[15:48] <rbasak> nacc: I don't think you were planning on it anyway, but please don't push anything new to git-ubuntu stable until after my talk tomorrow :)
[15:49] <nacc> rbasak: ack, it'll all be in edge, if anywhere
[15:49] <nacc> rbasak: do you incl. bugfixes in that request?
[15:50] <nacc> rbasak: i've found a handful of edge-case syntax errors. They can wait til Monday, though
[15:50] <rbasak> nacc: easiest if we can defer the fixes too, please.
[15:50] <rbasak> Then I don't have to re-verify anything
[15:50] <nacc> rbasak: +1
[15:50] <rbasak> Thanks!
[16:12] <rbasak> nacc: interesting. I just used my artful laptop with the stable snap to do an import, and I got my hang on push again.
[16:12] <rbasak> So it's not Xenial-specific
[16:12] <nacc> rbasak: is it your laptop specific? :)
[16:12] <rbasak> No it's a different machine entirely.
[16:12] <rbasak> The only commonality is my username and my Internet connection.
[16:13] <nacc> rbasak: i genuinely don't know how to debug it. We haven't seen it a single time from either my system (at home) or the bastion.
[16:14] <rbasak> nacc: unrelated: seen this before? http://paste.ubuntu.com/25491004/
[16:15] <rbasak> Perhaps an issue with snapcraft vs. quilt?
[16:15] <rbasak> On the hanging issue, I accept I'm the only one in a position to debug it.
[16:16] <rbasak> I wonder if it is because I have a ~20ms RTT to git.launchpad.net (being in the UK).
[16:16] <powersj> rbasak: is git-ubuntu import hanging for you?
[16:16] <rbasak> powersj: on occasion. Always at the same point.
[16:16] <powersj> currently stuck here: 09/08/2017 16:15:10 - INFO:Importing patches-unapplied 1:0.7.1-1.2 to debian/lenny
[16:17] <rbasak> powersj: only on push.
[16:17] <powersj> ah
[16:17] <rbasak> powersj: your issue is different I think.
[16:17] <nacc> rbasak: powersj saw the same in their jenkins job
[16:17] <powersj> I assumed it was proxy or network access related, but wanted to check
[16:17] <nacc> rbasak: as the backtrace
[16:17] <nacc> rbasak: but i have no idea why
[16:17] <rbasak> powersj: could you have a firewall issue in downloading sources?
[16:17] <nacc> rbasak: and the bastion, again, doesn't reproduce it
[16:17] <powersj> rbasak: that could also be it
[16:18] <rbasak> powersj: does "pull-lp-source <package>" work? That's pretty close to what it's trying to do there I think.
[16:18] <nacc> rbasak: it's technically identical, i think (the same underlying path)
[16:18] <rbasak> Admittedly perhaps a pain to check if you don't have ubuntu-dev-tools installed.
[16:18] <nacc> rbasak: what's weird with the quilt error is that it seems to think that `quilt push` is invalid
[16:18] <nacc> rbasak: i don't see how that's possible
[16:18] <coreycb> beisner: the ocata point release packages are ready to promote to ocata-updates for https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1706297
[16:18] <ubottu> Launchpad bug 1706297 in nova (Ubuntu Zesty) "[SRU] ocata stable releases" [Undecided,Fix committed]
[16:18] <rbasak> nacc: note an empty line 4.
[16:19] <nacc> rbasak: ooooh
[16:19] <nacc> rbasak: one sec
[16:19] <rbasak> nacc: I think that looks like a botched installation of quilt, which is why I suspected a snapcraft interaction.
[16:19] <nacc> rbasak: +1
[16:19] <nacc> rbasak: and probably the bastion has quilt installed
[16:19] <rbasak> nacc: BTW, I don't need this fixed. I just noticed it.
[16:19] <nacc> rbasak: it's probably a path-ish thing
[16:19] <nacc> rbasak: how should we interlock this? i think we need it fixed for the jenkins job, which we can't run unless it's fixed, but you don't want changes to master :)
[16:19] <nacc> i guess i can leave it in my branch
[16:20] <nacc> and then the jenkins job will build a snap from that branch
[16:20] <nacc> powersj: --^ ?
[16:20] <nacc> ah ha
[16:20] <rbasak> nacc: I don't mind changes to master; I just don't want changes to stable :-P
[16:20] <nacc> : ${QUILT_DIR=/usr/share/quilt}
[16:20] <nacc> rbasak: oh right, just not the snap?
[16:20] <rbasak> nacc: right - just not the stable snap. Anything else is fine.
[16:21] <nacc> powersj: ok, i see the fix for the quilt issue you and rbasak hit, i'll push it to my branch for now, and we can use that to test?
[16:21] <powersj> nacc: sure, I need to figure out this hang though as well
[16:21] <nacc> actually, i can push it to master, along with the bugfixes
[16:21] <nacc> powersj: is it the proxy issue?
[16:21] <nacc> powersj: if i don't set http_proxy on my bastion, it just sits there forever
[16:22] <powersj> nacc: you set it via bash env variable and not via git config?
[16:22] <powersj> I tried both
[16:22] <rbasak> git config won't be sufficient I don't think.
[16:22] <powersj> ok
[16:22] <rbasak> "git ubuntu" internals won't see it.
[16:23] <nacc> powersj: export it in the bash wrapper that calls git ubuntu
[16:23] <nacc> powersj: that's how i do it the bastion
[16:23] <nacc> powersj: let me hop back on vpn and copy out my script
[16:25] <powersj> nacc: thx let me try that again
[16:25] <powersj> I did do http_proxy=http://squid.internal:3128/ git-ubuntu -v --reimport --no-push ipsec-tools
[16:25] <powersj> and saw a hang so wondering
[16:26] <nacc> powersj: i think you need to export it
[16:27] <nacc> powersj: as you get weird interactions with snaps otherwise
[16:27] <nacc> powersj: as they exec and exec and exec :)
[16:27] <powersj> hm ok
[16:31] <rbasak> nacc: I think the two mechanisms are equivalent in this case.
[16:31] <rbasak> export foo=bar; baz === foo=bar baz
[16:31] <rbasak> As far as baz is concerned.
[16:31] <nacc> rbasak: i would like to think that as well
[16:31] <nacc> rbasak: i don't know enough about the voodoo that is snaps
[16:31] <nacc> rbasak: and i know my method works :)
[16:32] <rbasak> I don't know much about snaps, but I am pretty confident that it's impossible for baz to be able to tell the difference.
[16:32] <nacc> rbasak: again, i agree :)
[16:33] <rbasak> Variables being exported is a shell thing. As far as the kernel is concerned, shell variables don't exist and the only thing it sees is the environment. And shell variables can't be passed in to random programs because there's no interface for that.
[16:34] <beisner> hi coreycb: fyi, ocata srus pushed to uca updates
[16:34] <nacc> rbasak: yes, i understand
[16:34] <nacc> rbasak: if you would like to debug powersj's problem, you're welcome to
[16:35] <nacc> rbasak: i would rather suggest he mimic a known-working setup first
[16:35] * powersj just tried exporting versus putting it in front of the command, exporting works, other doesn't
[16:36] <nacc> powersj: so at least we have a workaround
[16:36] * powersj just has to get that in a format uvt-kvm ssh likes
[16:36] <nacc> powersj: yeah, something like `uvt-kvm ssh bash -c 'export ...; git ubuntu ...' ?
[16:36] <nacc> powersj: not 100% on the quoting, but i think you can just use semicolons to the bash command
[16:37] <nacc> rbasak: sorry if that came across rude, just pretty deep down this rabbit hole already :)
[16:37] <rbasak> nacc: sorry. I appreciate that you're just trying to get a known working thing going by eliminating all other possibilities however unlikely.
[16:37] <nacc> rbasak: i get the impression snapd symlinking may do something funky too
[16:38] <nacc> rbasak: because the snap application is actually a symlink to snapd always, and i wonder if snapd does something to the environment before exec'ing the underlying snapped application
[16:38] <rbasak> I was just trying to indicate my opinion on likelihood of that being an issue, rather than suggesting a different approach.
[16:38] <nacc> rbasak: yep
[16:41] <coreycb> beisner: ty!
[16:44] <rbasak> nacc: "git ubuntu lint" seems to detach head and then complain about my head being detached :-/
[16:44] <rbasak> Is this a known issue?
[16:45] <rbasak> I suspect this is the type of thing you're going to tell me is already fixed in master :-/
[16:46] <nacc> rbasak: LP: #1710035
[16:46] <ubottu> Launchpad bug 1710035 in usd-importer "git ubuntu lint leaves you in a detached head state" [Undecided,New] https://launchpad.net/bugs/1710035
[16:46] <rbasak> Thanks!
[16:46] <nacc> rbasak: proposed workaround is there, need to submit it as a MP still
[16:46] * rbasak should really have gone over this earlier in the week :-/
[16:46] <wretchedspirit> "leaves you in a detached headless state"
[16:46] <wretchedspirit> sounds painful
[16:46] <nacc> rbasak: i think the above is an ok approach (the pastebin there) until we fix lint correctly (by adding a common API) to use a copy of the repo
[16:47] <nacc> rbasak: but i was hesitant to commit it if we could do that API quickly
[16:47] <nacc> rbasak: thoughts?
[16:47] <nacc> rbasak: the last hunk in that patch i'm pushing to master shortly (it's a bugfix)
[16:48] <rbasak> nacc: I'd like to defer going in to this right now please. I need to get my demo sorted still :-/
[16:48] <nacc> rbasak: ack
[17:40] <nacc> powersj: i've got a set of fixes for master, that should make pylint-3 clean and the snap should be correct -- let me know if the jenkins job is ready to go and i'll propose it
[17:40] <powersj> nacc: it is ready to go
[17:40] <nacc> powersj: ok, thanks
[17:40] <powersj> pushed a few minutes ago
=== DropItLikeItsHot is now known as AfroThundr54230
[18:53] <profall> Stock UFW makes DNS and everything else not work.
[18:57] <lordcirth_work> profall, I have never gotten ufw to do anything useful.  I like shorewall
[18:59] <sdeziel> profall: care to pastebin iptables-save for further investigation?
[19:02] <profall> https://bpaste.net/show/7c6f1338dc25
[19:05] <sdeziel> profall: nowhere the UFW chains are jumped to so UFW seems to do nothing on your machine
[19:07] <profall> dig and ping work with ufw disabled, and do not work with it enabled.
[19:07] <sdeziel> profall: and your INPUT chain doesn't accept ESTABLISHED connections which probably explains why DNS isn't working
[19:08] <sdeziel> something must have removed rules from the INPUT chain
[19:09] <sdeziel> could be fail2ban, Docker or something else
[19:09] <sdeziel> can you share an iptables-save from the working case?
[19:09] <profall> Sure, one moment
[19:10] <profall> https://bpaste.net/show/749693829558
[19:10] <sdeziel> so no wonder it works, because now INPUT has an ACCEPT policy
[19:11] <sdeziel> when UFW starts, it probably turns it to DROP
[19:11] <sdeziel> you'll have to find what deleted the INPUT rules that makes UFW work
[19:12] <profall> https://bpaste.net/show/f5807cd7a354
[19:14] <sdeziel> I'd be tempted to try "MANAGE_BUILTINS=yes" and see what gets added to the INPUT chain
[19:14] <profall> Ok
[19:15] <sdeziel> this will probably blow away the docker/f2b stuff but you can always restore those back
[19:15] <profall> I have IPMI of the server so not worried about getting locked out.
[19:15] <profall> ok
[19:15] <sdeziel> please share the iptables-save after setting MANAGE_BUILTINS=yes
[19:16] <sdeziel> this way, we'll be able to assemble something working even with UFW enabled (or at least try)
[19:17] <profall> https://bpaste.net/show/7e83bb10ad34
[19:17] <profall> I originally wanted to use UFW because I didn't want a complicated firewall :-)
[19:17] <profall> If there is something else you recommend I will use it.
[19:20] <profall> Docker containers work as long as I open the port now on UFW. Which is how it should be anyway.
[19:26] <sdeziel> profall: this ruleset should work: https://paste.ubuntu.com/25492062/
[19:27] <sdeziel> profall: and you can set MANAGE_BUILTINS to no
[19:32] <profall> Ok! thank you sdeziel
[19:32] <sdeziel> if that works, I don't know if it will survive a reboot though
[19:48] <nheath> hi, i
[19:50] <nheath> i'm trying to set up an automated install, by editing a seed file in an iso.. ive also been playing with kickstart files.. from what i can tell, my preseed file isnt being applied at all
[19:51] <nheath> i have an isolinux.cfg menu entry with the following append line
[19:51] <nheath> append file=/cdrom/preseed/ubuntu-server-attendless.seed debian-installer/locale=en_US console-setup/ask_detect=false console-setup/layoutcode=us noprompt vga=788 initrd=/install/initrd.gz quiet ---
[19:52] <nheath> none of those parameters, nor the stuff in my preseed are applying.. am i missing something? i can also pastebin the seed file, if this is the right channel
[19:58] <powersj> nheath: I've always found the initrd method of injecting a preseed more reliable. In either case, seeing what /var/log/syslog in the installer is saying is helpful to see if it found a preseed or not.
[19:58] <powersj> There is also this doc on preseeding https://help.ubuntu.com/lts/installation-guide/amd64/apbs02.html
[19:58] <maxb> It's been a long time since I last worked with this, but I vaguely recall the preseeding parameters being separated from the rest of the kernel parameters?
[19:58] <powersj> Can check out https://wiki.debian.org/DebianInstaller/Preseed/EditIso about hacking the initrd
[20:03] <maxb> Actually, never mind about what I said, I was thinking of the marker to control which ones get copied into the installed bootloader config
[20:20] <nheath> powersj: thanks, ive been reading those docs.. i think im starting to understand the ven of ubuntu vs debian vs kickstart support etc..
[20:22] <nheath> i can look into editing initrd, though it looks a little messier.
[20:23] <nheath> how do you see the syslog when youre in the installer? i can hit f6 and see the boot options are at least applied correctly on the menu
=== CodeMouse92 is now known as CodeMouse92__
[20:41] <powersj> nheath: change over to one of the consoles, activate it (hit enter) and look at /var/log/syslog
=== AfroThundr54230 is now known as PityDaFool
