[07:31] <lordievader> Good morning
[08:38] <zioproto> hello ubuntu folks
[08:38] <zioproto> my monitoring system is not happy because of these errors in kern.log https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1705447
[08:39] <zioproto> this happens on Bare Metal
[08:39] <zioproto> I guess I can safely ignore them ... is anyone else hitting this stuff ?
[09:57] <jamespage> coreycb: https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1677207 seem familiar to you? I'm not sure our flush cache/upgrade bits are working in the horizon packages.
[10:04] <zioproto> good... some Ocata bugs are popping up before I start my upgrade :)
[11:49] <coreycb> jamespage: ah, is it memcache do you think?
[12:17] <hehehe> hey hey
[12:17] <hehehe> if I am making new sftp user - chrooting it to images directory and using strong password is all that I need?
[12:17] <hehehe> :)
[12:18] <hehehe> just a user who can upload images via www :D
[12:18] <jamespage> coreycb: I don't think so
[12:19] <hehehe> Match Group sftp_users - whats that for? X11Forwarding no AllowTcpForwarding no ChrootDirectory /images
[12:29] <hehehe> ok I see whats up
[12:29] <hehehe> :)
[12:29] <hehehe> its to catch users to whom following commands apply
[12:29] <hehehe> however in my cases, dirs are owned by root:www-data lol
[12:30] <hehehe> can I use Match user somehow instead of a group?
[12:30] <hehehe> so I add 1 more user to www-data group :)
[13:18] <hehehe> mm anyhow now I see that entire path have to be root:root
[13:18] <hehehe> but my php app required group write read access
[13:18] <hehehe> via group
[13:50] <rbasak> nacc: "debian/changelog must exist in source packages"
[13:50] <rbasak> Looks like that's only just become a requirement.
[13:50] <rbasak> Interesting for us.
[15:12] <nacc> rbasak: where is that?
[15:26] <rbasak> nacc: latest Debian policy change.
[15:26] <rbasak> Sent to devel-debian-announce
[15:27] <nacc> rbasak: ah
[15:28] <nacc> rbasak: I mean, beyond perhaps adding it to the linter, what do you expect to change?
[15:46] <rbasak> nacc: I mean that we're assuming that it exists when importing historical packages.
[15:46] <rbasak> But I suppose if it did in practice, then we're OK. Hence interesting rather than a problem.
[15:47] <nacc> rbasak: ah ok
[15:47] <nacc> rbasak: yeah, I think we just wouldn't see any versions
[15:47] <nacc> rbasak: which would mean orphans
[15:47] <nacc> perhaps we'd fail to tag too
[15:47] <nacc> not sure
[15:48] <nacc> rbasak: is your schedule pretty full today, or do you think you'll be able to get to any of the reviews?
[15:59] <rbasak> nacc: seems unlikely, sorry. Do you have any small ones you can point out that I can try to tackle when I find a few minutes here and there?
[16:00] <nacc> rbasak: no it's fine, just gauging my own expectations
[16:02] <lol768> https://help.ubuntu.com/community/UFW states that "By default, UFW allows ping requests"
[16:03] <lol768> the minute I do an "ufw enable", I can no longer ping6 the server, or ping6 out from it
[16:22] <nacc> rbasak: the only one that definitively you need to review is the queue change
[17:43] <nacc> rbasak: was cjwatson's suggestion that we add a Git-Ubuntu: field to the DSC?
[17:43] <nacc> rbasak: i see dgit adds a Dgit
[18:12] <drab> hello .o/
[18:12] <sarnold> hey drab :)
[18:13] <drab> I'm considering doing something "different" for our centralized home dirs and hoped to hear some opinions
[18:13] <drab> basically right now we have a standard ldap + nfs shares, users auth against ldap and pam_mount mounts their homedir
[18:14] <drab> however as I've been moving stuff to containers nfs is a pita because the userspace version is awfully slow and the kernel version won't run in a container
[18:14] <drab> there's also the problem that a network blip and/or issue with the nfs server freezes up the clients very badly
[18:15] <drab> I've read that may be fixed using soft rather than hard mounts with nfs tho
[18:15] <drab> in any case, as I was trying to help some folks with a samba share, I came across some links wondering if I could use samba for homedirs...
[18:16] <drab> it turns out there's some largish university campuses doing homedirs on samba as it can be interoperated with windows too, but generally I've not seen a lot of setups like that and wondered how crazy of an idea it is
[18:16] <nacc> i mean, i'd expect to see some similar caveats a la network blips
[18:16] <nacc> i'm not sure how resilient samba is to long outages
[18:17] <sarnold> soft mounts definitely help nfs clients
[18:17] <drab> I've no experience with samba so wondering if: a) is it performing alright compared to nfs? (will test of course) 2) is it crazy to put homedirs on it coupled with ldap?
[18:17] <nacc> and/or how it reconciles remote changes on the server
[18:17] <nacc> drab: +1 on soft, though
[18:18] <drab> tbh the most appealing part of this is avoiding to run kvm so that I can run nfs-kernel-server
[18:18] <drab> right now I'm 99% lxc with the exception of the nfs server, requiring kvm
[18:18] <drab> and that means handing off the infra to people requires them to know how to deal with that too which isn't terribly hard but does add some complications
[18:19] <drab> so if I could be 100% lxc using samba for homedirs that would be, in the larger picture, quite a win
[18:19] <drab> but I don't want of course to ruin it for all the users by making their experience terrible
[18:19] <nacc> drab: in theory, could your VM be a privileged container?
[18:20] <drab> nacc: the thing is, that doesn't really solve the isolation issue... I've had nfs locking up on the server and taking down the whole thing
[18:20] <nacc> drab: ah sure
[18:20] <nacc> drab: yep, i can see that happening :)
[18:20] <drab> so even if I could do a privileged containers, which I guess would solve having kvm
[18:20] <nacc> yeah, if you need isolation, then that's a different issue
[18:20] <drab> I don't quite feel comfortable given everything else going on on that box
[18:20] <nacc> yep
[18:20] <drab> yeah, but you're right, that would solve my kvm issue
[18:20] <sarnold> drab: are you sure the samba mounts _would_ be allowed?
[18:20] <nacc> drab: nfs locking up in the kernel?
[18:21] <drab> nacc: yes, basically locking up the machines, doing something bad to the drives, whatever
[18:21] <drab> ending up impacting all the other containers/services on that box
[18:21] <drab> sarnold: based on what I read, it looks like it. this is the best link so far:
[18:21] <drab> https://sites.duke.edu/linux/cifs-nfs-homes/
[18:21] <drab> so it seems the workflow is the same
[18:22] <drab> except it uses pam_cifs
[18:22] <drab> altho right now I'm using autofs to mount the homes, not even pam_mount
[18:22] <drab> but that should also work with samba no prob
[18:22] <drab> except that samba requires user/pwd so maybe pam is required in this workflow
[18:22] <drab> the added benefit to using samba over nfs is auth
[18:22] <sarnold> drab: btw i've had success unsticking nfs mounts by bringing up the IP address of the server on an interface, exporting an identically-named filesystem, and umounting
[18:23] <drab> good to know, thanks for sharing
[18:27] <drab> I guess I'll take it as a good sign that neither of you called me crazy and begin experimenting :)
[18:28] <drab> that will give me a better sense, the general principle seems fairly simple/standard, I just have no clue how well samba is going to handle disconnections or multiple logins (sometimes ppl forget to log out and their home stays mounted)
[18:28] <nacc> ahasenack: --^ has also been doing quite a bit to get samba up to snuff relative to bug reports
[18:28] <nacc> he may have further insights
[18:29] <drab> that's another pretty annoying thing I found no good solution to... log people out after inactivity
[18:29] <drab> ok, cool, thanks
[18:29] <drab> always good to be here, you guys are great :)
[18:30] <sarnold> drab: check out systemd-logind for the idle thing.
[18:31] <drab> k, thanks
[18:31] <drab> brb
[18:31] <sarnold> my own experience with samba is decades ago at this point but I recall being massively annoyed at how many bloody authentication types there are. public, share-level security, user auth, etc etc
[18:32] <sarnold> but if you get to run the server and clients and control them yourself you can probably get something happy
[20:49] <coreycb> beisner: hi, can you please promote horizon 3:11.0.3-0ubuntu3~cloud0 to ocata-proposed? it's a high-priority fix for upgrade from newton->ocata.
[20:50] <beisner> hi coreycb - on that ^
[20:51] <coreycb> beisner: cheers, thanks
[22:12] <drab> sarnold: nacc: fwiw found this which seems possibly problematic: https://github.com/lxc/lxd/issues/3442
[22:12] <drab> but stgraber says he has it working so maybe I'm misunderstanding the issue
[22:12] <nacc> drab: do you use zentyal?
[22:12] <drab> I only need to serve files, not even the DC part, altho it'd be nice to do that later
[22:13] <drab> I don't , but it didn't seem zentyal specific, maybe I misread
[22:13] <drab> the problems seemed to be related how samba stores the acls in the security.* namespace
[22:14] <nacc> drab: zentyal sets the --use-xattrs bits
[22:14] <nacc> drab: but not really sure either
[22:14] <nacc> i'd try it and see :)
[22:14] <drab> heh, I'm setting stuff up nowish, had to deal with some broken hardware and building sorting box frames
[22:15] <drab> the "fun" part of being a charity is that we hold on whatever junk we can get our hands on for the rainy days
[22:15] <drab> it's like a flashback 20yrs in my father's garage...
[22:16] <drab> I don't think he ever threw away a single screw, everything had to come off before the boards ended up in the bin
[22:16] <nacc> that's how my dad was too
[22:16] <nacc> i had one of his boxes of screws until it got rained
[22:16] <nacc> somehow he kept it totally organized by type, size, thread, etc. too
[22:16]  * drab nods
[22:17] <drab> I think the first tool I was ever introduced to was a labelling machine :P
[22:17] <nacc> heh
[22:18] <drab> now that it's up to me I just write with sharpies on masking tape lol :P
[22:18] <nacc> yeah, that's what we do in our pantry, e.g. :)
[22:18] <stgraber> drab: the xattrs stuff is configurable IIRC and my DC is deployed manually through samba-tool, so I'm simply not passing that particular option
[22:18] <drab> stgraber: sounds good, thanks for chiming in
[22:19] <drab> stgraber: any chance you have an opinion on the craziness of replacing nfs+ldap with samba+ldap for centralized homedirs for a bunch of linux desktops?
[22:20] <stgraber> I haven't done either in a while. I used to do that kind of stuff for school districts in a previous life and I seem to remember both being annoying but in different ways :)
[22:20] <nacc> heh
[22:21] <drab> yep, that's exactly where I am... edu charity/school and being annoyed :P
[22:21] <stgraber> IIRC we'd usually do nfs on trusted networks where no sharing was needed with Windows and cifs for the rest
[22:21] <drab> I guess testing will tell... getting to it
[22:21] <drab> yeah, I'd normally do that if it wasn't that I'm trying to get everything into containers
[22:22] <drab> and nfs-kernel-server won't play nice with it and still be a nuisance to the host if I go with a privileged container
[22:22] <drab> samba would solve that problem, which is quite a plus in this setup
[22:22] <stgraber> yeah, and the old nfs-user-server wasn't exactly fun to use :)
[22:22] <drab> yap
[23:02] <Village> Hello,
[23:03] <Village> what's best SMTP server is on ubuntu 16.04?
[23:03] <Village> Where you can change ports?
[23:06] <nacc> Village: 'best' is a really ... vague ... term to use. I would think every SMTP server worth using is configurable as to what port it listens on.
[23:07] <nacc> Village: which have you looked at?
[23:08] <Village> I want that Internet Site can send emails via SMTP and email addresses sender by not same..
[23:08] <Village> now i looking
[23:08] <Village> postfix
[23:14] <drab> postfix is good
[23:15] <drab> postfix and exim are 2 of the common ones and largely a matter of taste which one you pick
[23:15] <drab> personally exim would drive me bonkers each time I tried to configure it and always stuck with postfix, but really it's just a personal preference thing
[23:15] <drab> Village: ^^
[23:22] <Village> Ok, i have at mind that two of best is postfix and exim
[23:23] <Village> but i wanna know google smtp not allow send user@gov.us ?
[23:27] <drab> why do you think it does not?
[23:29] <Village> i don't know need try
[23:47] <oerheks> make sure you leave a copy on your gov.us server :-D