[07:22] <lordievader> Good morning
[07:35] <wretchedspirit> hi!
[07:44] <lordievader> o/
[08:58] <oskaress> Anyone with any knowledge about setting up vsftpd on an ubuntu 16.04 server?
[09:03] <andol> oskaress: https://help.ubuntu.com/lts/serverguide/ftp-server.html might be a good place to start.
[09:03] <andol> See also http://mywiki.wooledge.org/FtpMustDie
[09:07] <oskaress> The thing is, I've set up vsftpd by following a guide found on Digital Ocean where they enable TLS/SSL to provide encryption. Once I created the certificate filezilla wouldn't connect. I get a 500 command not understood error on both the AUTH TLS and AUTH SSL command. Read through the config file several times and everything should be set up correctly. Any ideas what can cause the issue?
[09:08] <wretchedspirit> which protocol are you trying to connect with on filezilla?
[09:09] <oskaress> FTP with the Explicit FTP over TLS encryption
[09:10] <oskaress> Can it be something with the transfer mode? Currently it's only set as default
[09:10] <wretchedspirit> have you tested with implicit?
[09:12] <oskaress> Yes, connection refused by the server
[09:12] <wretchedspirit> OK
[09:12] <wretchedspirit> port 22?
[09:12] <wretchedspirit> or, at least, are you sure you're using the right port & that it's open
[09:13] <tomreyn> what do the server logs tell you about it?
[09:15] <oskaress> I've tried both port 21, 22 and 990, all of them are open. FTPS uses port 990 by default, right? I'll check the server logs
[09:17] <tomreyn> lsof -i :990
[09:17] <tomreyn> the port you configured when configuring the server is the one the server listens on
[09:36] <oskaress> I didn't configure what port the server should listen to, I just opened up the necessary ports. Where should I configure what port the server listens on?
[11:12] <oskaress> tomreyn Which logs do you mean by server logs?
[11:15] <tomreyn> oskaress: i'm not sure where vsftpd logs to, probably either /var/log/vsftpd* or /var/log/syslog
[11:15] <tomreyn> blindly following an outdated how-to is a recipe for disaster.
[11:18] <_ruben> meh, this is annoying: the squid init script returns 0 when it fails to (re)start .. even status returns 0 in that case :/
[11:19] <oskaress> The vsftpd log contains no error. The tutorial I'm following is from September 2, 2016 and made for Ubuntu 16.04 which I am using, so I don't know about the outdated part...
[11:29] <tomreyn> oh, well the only tutorial i found when googling (you did not provide its location) for "Digital Ocean vsftpd tutorial" was one from 2013
[11:31] <tomreyn> still, like previously pointed out here, unless you have a very specific use case, don't set up ftp servers in 2017
[11:31] <oskaress> Sorry, my bad. The tutorial I'm following is this one https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04
[11:32] <oskaress> The case is indeed very specific, I've noticed that you shouldn't set up ftp server unless you really have to, and in this case I unfortunately have to
[11:32] <tomreyn> maybe there's a better alternative, feel free to discuss your needs
[11:33] <oskaress> I need a scanner to send the scanned image to a server, and what I know, the scanners that are used can only send by FTP
[11:35] <tomreyn> so that's a flatbed scanner which creates imagery from paper / physical objects? do those scanners actually support ftps then?
[11:36] <tomreyn> what's the scanner model?
[11:36] <tomreyn> i assume those scanners are not directly connected to the internet?
[11:37] <oskaress> It's a MFP (Multi Functional Printer) from Toshiba, and they are connected directly to the internet
[11:38] <tomreyn> that's usually not a good idea, those devices are usually full of exploitable software bugs.
[11:39] <oskaress> Well yeah, unfortunately it's not my call. I pretty much just have to solve the ftp connection between them
[11:39] <tomreyn> it'd be better to do the ftp transfer to a hardened system that is local to the router and has an internet upstream and can copy the imagery elsewhere over the internet.
[11:40] <tomreyn> a 30 usd computer running linux is good enough there.
[11:41] <tomreyn> so do those toshibas actually support ftp over ssl / tls?
[11:41] <tomreyn> otherwise setting it up on the server doesn't seem to make much sense.
[11:42] <tomreyn> if you'd still like to test the vsftpd servers' TLS you could: openssl s_client -starttls ftp -debug -connect hostname:port
[11:43] <oskaress> The problem right now is that I can't even use filezilla to FTP into my FTP server via vsftpd
[11:47] <tomreyn> i just provided a command to debug that.
[11:48] <tomreyn> there is also the debug_ssl option to vsftpd, which would ensure more logging on ssl sessions.
[11:52] <oskaress> The command you provided says "no peer certificate available" and "No client certificate CA names sent"
[11:53] <tomreyn> did you replace hostname:port by the hostname and port your ftp server listens on?
[11:55] <tomreyn> well you probably did. but there's no startssl support at the hostname:port you pointed it to.
[11:55] <oskaress> Yes, I mean it connects and gets the same error, it says 500 Command not understood, but further down in the response it says what I wrote above
[11:55] <tomreyn> maybe try without the '-starttls ftp' option then
[11:56] <oskaress> Hmm looks like it worked without the -starttls ftp option.
[11:57] <tomreyn> try to have a quick ftp chat then
[11:58] <tomreyn> https://www.webdigi.co.uk/blog/2009/ftp-using-raw-commands-and-telnet/
[11:58] <tomreyn> no need to telnet, you're already connected with openssl
[11:59] <tomreyn> just type "USER anonymous" and press enter and see what the server responds
[12:01] <oskaress> I got a 'write:errno=10054' before, didn't see that.
[12:19] <tomreyn> that's connection refused, i.e. the destination tcp port isn't accepting connections.
[12:20] <oskaress> Hmm weird, I connected to port 21 and in the firewall it allows connections
[12:22] <tomreyn> maybe you need to read the man page about implicit_ssl
[12:51] <fishcooker> do-release-upgrade -d output is Checking for a new Ubuntu release ... Upgrades to the development release are only ... available from the latest supported release. what should i do if i want 17.10 from 17.04
[12:54] <TJ-> fishcooker: if /etc/update-manager-release-upgrades has "Prompt-normal" then you shouldn't need the "-d" flag, it should offer 17.10 from 17.04
[12:57] <Pici> 17.10 hasn't been released yet...
[12:57] <TJ-> that's a good point... for some reason I am thinking we're in 2018 already :D
[12:58] <TJ-> maybe it's set to LTS only
[13:00] <fishcooker> thanks Pici
[13:00] <fishcooker> what if TJ-
[13:01] <fishcooker> with gnome as default TJ- :D
[13:39] <sobukus> Anyone successfully running Ubuntu 16.04 on server hardware with Intel Matrix RAID? I apparently got this issue Red Hat fixed 5 years ago: https://bugzilla.redhat.com/show_bug.cgi?id=785739
[13:39] <sobukus> Ubuntu bug report is https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1587142
[13:40] <sobukus> This is a rather nasty showstopper for me, after having invested time to adapt a provisioning set up to put the system on a RAID1.
[13:41] <sobukus> And didn't the RedHat people not tell anyone? It's a bit disturbing that this bug lurks for 5 years. My CentOS 7 systems on similar hardware boot and reboot nicely.
[13:45] <ahasenack> sobukus: that's sad :/ Can you add the rh bug link to the ubuntu report, if it's not there already?
[13:58] <gunix> guys, any idea where would be the best place to publish this: http://gunix.cloud/blog/wordpresscluster.html
[13:58] <gunix> ?
[13:58] <gunix> i was thinking about creating a blog and publishing it, because more similar articles will follow. any idea?
[14:04] <gunix> everything was done on ubuntu server
[15:22] <PCatinean> hey all
[15:22] <PCatinean> I'm having an issue with vsftpd that I cannot change directory after I'm logged in
[15:22] <PCatinean> and I cannot see any errors in the logs, confusing
[15:48] <rbasak> nacc: I don't think you were planning on it anyway, but please don't push anything new to git-ubuntu stable until after my talk tomorrow :)
[15:49] <nacc> rbasak: ack, it'll all be in edge, if anywhere
[15:49] <nacc> rbasak: do you incl. bugfixes in that request?
[15:50] <nacc> rbasak: i've found a handful of edge-case syntax errors. They can wait til Monday, though
[15:50] <rbasak> nacc: easiest if we can defer the fixes too, please.
[15:50] <rbasak> Then I don't have to re-verify anything
[15:50] <nacc> rbasak: +1
[15:50] <rbasak> Thanks!
[16:12] <rbasak> nacc: interesting. I just used my artful laptop with the stable snap to do an import, and I got my hang on push again.
[16:12] <rbasak> So it's not Xenial-specific
[16:12] <nacc> rbasak: is it your laptop specific? :)
[16:12] <rbasak> No it's a different machine entirely.
[16:12] <rbasak> The only commonality is my username and my Internet connection.
[16:13] <nacc> rbasak: i genuinely don't know how to debug it. We haven't seen it a single time from either my system (at home) or the bastion.
[16:14] <rbasak> nacc: unrelated: seen this before? http://paste.ubuntu.com/25491004/
[16:15] <rbasak> Perhaps an issue with snapcraft vs. quilt?
[16:15] <rbasak> On the hanging issue, I accept I'm the only one in a position to debug it.
[16:16] <rbasak> I wonder if it is because I have a ~20ms RTT to git.launchpad.net (being in the UK).
[16:16] <powersj> rbasak: is git-ubuntu import hanging for you?
[16:16] <rbasak> powersj: on occasion. Always at the same point.
[16:16] <powersj> currently stuck here: 09/08/2017 16:15:10 - INFO:Importing patches-unapplied 1:0.7.1-1.2 to debian/lenny
[16:17] <rbasak> powersj: only on push.
[16:17] <powersj> ah
[16:17] <rbasak> powersj: your issue is different I think.
[16:17] <nacc> rbasak: powersj saw the same in their jenkins job
[16:17] <powersj> I assumed it was proxy or network access related, but wanted to check
[16:17] <nacc> rbasak: as the backtrace
[16:17] <nacc> rbasak: but i have no idea why
[16:17] <rbasak> powersj: could you have a firewall issue in downloading sources?
[16:17] <nacc> rbasak: and the bastion, again, doesn't reproduce it
[16:17] <powersj> rbasak: that could also be it
[16:18] <rbasak> powersj: does "pull-lp-source <package>" work? That's pretty close to what it's trying to do there I think.
[16:18] <nacc> rbasak: it's technically identical, i think (the same underlying path)
[16:18] <rbasak> Admittedly perhaps a pain to check if you don't have ubuntu-dev-tools installed.
[16:18] <nacc> rbasak: what's weird with the quilt error is that it seems to think that `quilt push` is invalid
[16:18] <nacc> rbasak: i don't see how that's possible
[16:18] <coreycb> beisner: the ocata point release packages are ready to promote to ocata-updates for https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1706297
[16:18] <rbasak> nacc: note an empty line 4.
[16:19] <nacc> rbasak: ooooh
[16:19] <nacc> rbasak: one sec
[16:19] <rbasak> nacc: I think that looks like a botched installation of quilt, which is why I suspected a snapcraft interaction.
[16:19] <nacc> rbasak: +1
[16:19] <nacc> rbasak: and probably the bastion has quilt installed
[16:19] <rbasak> nacc: BTW, I don't need this fixed. I just noticed it.
[16:19] <nacc> rbasak: it's probably a path-ish thing
[16:19] <nacc> rbasak: how should we interlock this? i think we need it fixed for the jenkins job, which we can't run unless it's fixed, but you don't want changes to master :)
[16:19] <nacc> i guess i can leave it in my branch
[16:20] <nacc> and then the jenkins job will build a snap from that branch
[16:20] <nacc> powersj: --^ ?
[16:20] <nacc> ah ha
[16:20] <rbasak> nacc: I don't mind changes to master; I just don't want changes to stable :-P
[16:20] <nacc>  : ${QUILT_DIR=/usr/share/quilt}
[16:20] <nacc> rbasak: oh right, just not the snap?
[16:20] <rbasak> nacc: right - just not the stable snap. Anything else is fine.
[16:21] <nacc> powersj: ok, i see the fix for the quilt issue you and rbasak hit, i'll push it to my branch for now, and we can use that to test?
[16:21] <powersj> nacc: sure, I need to figure out this hang though as well
[16:21] <nacc> actually, i can push it to master, along with the bugfixes
[16:21] <nacc> powersj: is it the proxy issue?
[16:21] <nacc> powersj: if i don't set http_proxy on my bastion, it just sits there forever
[16:22] <powersj> nacc: you set it via bash env variable and not via git config?
[16:22] <powersj> I tried both
[16:22] <rbasak> git config won't be sufficient I don't think.
[16:22] <powersj> ok
[16:22] <rbasak> "git ubuntu" internals won't see it.
[16:23] <nacc> powersj: export it in the bash wrapper that calls git ubuntu
[16:23] <nacc> powersj: that's how i do it the bastion
[16:23] <nacc> powersj: let me hop back on vpn and copy out my script
[16:25] <powersj> nacc: thx let me try that again
[16:25] <powersj> I did do http_proxy=http://squid.internal:3128/ git-ubuntu -v --reimport --no-push ipsec-tools
[16:25] <powersj> and saw a hang so wondering
[16:26] <nacc> powersj: i think you need to export it
[16:27] <nacc> powersj: as you get weird interactions with snaps otherwise
[16:27] <nacc> powersj: as they exec and exec and exec :)
[16:27] <powersj> hm ok
[16:31] <rbasak> nacc: I think the two mechanisms are equivalent in this case.
[16:31] <rbasak> export foo=bar; baz [16:31] <rbasak> As far as baz is concerned.
[16:31] <nacc> rbasak: i would like to think that as well
[16:31] <nacc> rbasak: i don't know enough about the voodoo that is snaps
[16:31] <nacc> rbasak: and i know my method works :)
[16:32] <rbasak> I don't know much about snaps, but I am pretty confident that it's impossible for baz to be able to tell the difference.
[16:32] <nacc> rbasak: again, i agree :)
[16:33] <rbasak> Variables being exported is a shell thing. As far as the kernel is concerned, shell variables don't exist and the only thing it sees is the environment. And shell variables can't be passed in to random programs because there's no interface for that.
[16:34] <beisner> hi coreycb: fyi, ocata srus pushed to uca updates
[16:34] <nacc> rbasak: yes, i understand
[16:34] <nacc> rbasak: if you would like to debug powersj's problem, you're welcome to
[16:35] <nacc> rbasak: i would rather suggest he mimic a known-working setup first
[16:35]  * powersj just tried exporting versus putting it in front of the command, exporting works, other doesn't
[16:36] <nacc> powersj: so at least we have a workaround
[16:36]  * powersj just has to get that in a format uvt-kvm ssh likes
[16:36] <nacc> powersj: yeah, something like `uvt-kvm ssh bash -c 'export ...; git ubuntu ...'` ?
[16:36] <nacc> powersj: not 100% on the quoting, but i think you can just use semicolons to the bash command
[16:37] <nacc> rbasak: sorry if that came across rude, just pretty deep down this rabbit hole already :)
[16:37] <rbasak> nacc: sorry. I appreciate that you're just trying to get a known working thing going by eliminating all other possibilities however unlikely.
[16:37] <nacc> rbasak: i get the impression snapd symlinking may do something funky too
[16:38] <nacc> rbasak: because the snap application is actually a symlink to snapd always, and i wonder if snapd does something to the environment before exec'ing the underlying snapped application
[16:38] <rbasak> I was just trying to indicate my opinion on likelihood of that being an issue, rather than suggesting a different approach.
[16:38] <nacc> rbasak: yep
[16:41] <coreycb> beisner: ty!
[16:44] <rbasak> nacc: "git ubuntu lint" seems to detach head and then complain about my head being detached :-/
[16:44] <rbasak> Is this a known issue?
[16:45] <rbasak> I suspect this is the type of thing you're going to tell me is already fixed in master :-/
[16:46] <nacc> rbasak: LP: #1710035
[16:46] <rbasak> Thanks!
[16:46] <nacc> rbasak: proposed workaround is there, need to submit it as a MP still
[16:46]  * rbasak should really have gone over this earlier in the week :-/
[16:46] <wretchedspirit> "leaves you in a detached headless state"
[16:46] <wretchedspirit> sounds painful
[16:46] <nacc> rbasak: i think the above is an ok approach (the pastebin there) until we fix lint correctly (by adding a common API) to use a copy of the repo
[16:47] <nacc> rbasak: but i was hesitant to commit it if we could do that API quickly
[16:47] <nacc> rbasak: thoughts?
[16:47] <nacc> rbasak: the last hunk in that patch i'm pushing to master shortly (it's a bugfix)
[16:48] <rbasak> nacc: I'd like to defer going in to this right now please. I need to get my demo sorted still :-/
[16:48] <nacc> rbasak: ack
[17:40] <nacc> powersj: i've got a set of fixes for master, that should make pylint-3 clean and the snap should be correct -- let me know if the jenkins job is ready to go and i'll propose it
[17:40] <powersj> nacc: it is ready to go
[17:40] <nacc> powersj: ok, thanks
[17:40] <powersj> pushed a few minutes ago
[18:53] <profall> Stock UFW makes DNS and everything else not work.
[18:57] <lordcirth_work> profall, I have never gotten ufw to do anything useful.  I like shorewall
[18:59] <sdeziel> profall: care to pastebin iptables-save for further investigation?
[19:02] <profall> https://bpaste.net/show/7c6f1338dc25
[19:05] <sdeziel> profall: nowhere the UFW chains are jumped to so UFW seems to do nothing on your machine
[19:07] <profall> dig and ping work with ufw disabled, and do not work with it enabled.
[19:07] <sdeziel> profall: and your INPUT chain doesn't accept ESTABLISHED connections which probably explains why DNS isn't working
[19:08] <sdeziel> something must have removed rules from the INPUT chain
[19:09] <sdeziel> could be fail2ban, Docker or something else
[19:09] <sdeziel> can you share an iptables-save from the working case?
[19:09] <profall> Sure, one moment
[19:10] <profall> https://bpaste.net/show/749693829558
[19:10] <sdeziel> so no wonder it works, because now INPUT has an ACCEPT policy
[19:11] <sdeziel> when UFW starts, it probably turns it to DROP
[19:11] <sdeziel> you'll have to find what deleted the INPUT rules that makes UFW work
[19:12] <profall> https://bpaste.net/show/f5807cd7a354
[19:14] <sdeziel> I'd be tempted to try "MANAGE_BUILTINS=yes" and see what gets added to the INPUT chain
[19:14] <profall> Ok
[19:15] <sdeziel> this will probably blow away the docker/f2b stuff but you can always restore those back
[19:15] <profall> I have IPMI of the server so not worried about getting locked out.
[19:15] <profall> ok
[19:15] <sdeziel> please share the iptables-save after setting MANAGE_BUILTINS=yes
[19:16] <sdeziel> this way, we'll be able to assemble something working even with UFW enabled (or at least try)
[19:17] <profall> https://bpaste.net/show/7e83bb10ad34
[19:17] <profall> I originally wanted to use UFW because I didn't want a complicated firewall :-)
[19:17] <profall> If there is something else you recommend I will use it.
[19:20] <profall> Docker containers work as long as I open the port now on UFW. Which is how it should be anyway.
[19:26] <sdeziel> profall: this ruleset should work: https://paste.ubuntu.com/25492062/
[19:27] <sdeziel> profall: and you can set MANAGE_BUILTINS to no
[19:32] <profall> Ok! thank you sdeziel
[19:32] <sdeziel> if that works, I don't know if it will survive a reboot though
[19:48] <nheath> hi, i
[19:50] <nheath> i'm trying to set up an automated install, by editing a seed file in an iso.. ive also been playing with kickstart files.. from what i can tell, my preseed file isnt being applied at all
[19:51] <nheath> i have an isolinux.cfg menu entry with the following append line
[19:51] <nheath> append file=/cdrom/preseed/ubuntu-server-attendless.seed debian-installer/locale=en_US console-setup/ask_detect=false console-setup/layoutcode=us noprompt vga=788 initrd=/install/initrd.gz quiet ---
[19:52] <nheath> none of those parameters, nor the stuff in my preseed are applying.. am i missing something? i can also pastebin the seed file, if this is the right channel
[19:58] <powersj> nheath: I've always found the initrd method of injecting a preseed more reliable. In either case, seeing what /var/log/syslog in the installer is saying is helpful to see if it found a preseed or not.
[19:58] <powersj> There is also this doc on preseeding https://help.ubuntu.com/lts/installation-guide/amd64/apbs02.html
[19:58] <maxb> It's been a long time since I last worked with this, but I vaguely recall the preseeding parameters being separated from the rest of the kernel parameters?
[19:58] <powersj> Can check out https://wiki.debian.org/DebianInstaller/Preseed/EditIso about hacking the initrd
[20:03] <maxb> Actually, never mind about what I said, I was thinking of the marker to control which ones get copied into the installed bootloader config
[20:20] <nheath> powersj: thanks, i've been reading those docs.. i think i'm starting to understand the venn of ubuntu vs debian vs kickstart support etc..
[20:22] <nheath> i can look into editing initrd, though it looks a little messier.
[20:23] <nheath> how do you see the syslog when youre in the installer? i can hit f6 and see the boot options are at least applied correctly on the menu
[20:41] <powersj> nheath: change over to one of the consoles, activate it (hit enter) and look at /var/log/syslog