/srv/irclogs.ubuntu.com/2017/10/05/#ubuntu-server.txt

[00:01] <drab> different question, is there a way to see what altered a file from apt?
[00:01] <drab> an automatic upgrade seems to have undone some of our customizations
[00:01] <drab> but I can't tell if that's really the case and what exactly
[00:02] <drab> however it happened on multiple machines at the same time so it definitely points to an update, a security update specifically since that's the only thing we install automatically
[00:02] <drab> but that seems at the same time strange so I'd like to verify
[00:05] <sarnold> drab: fatrace may help
[00:05] <sarnold> drab: or you could install auditctl file watch rules
[00:05] <drab> well it
[00:06] <drab> 's happened already
[00:06] <drab> I was thinking something along the lines of /var/log/apt/history.log
[00:07] <sarnold> you could try reading the /var/lib/dpkg/info/ files for the filename in question
[00:07] <sarnold> if you suspect a package maintainer script..
[00:08] <drab> well I'm just guessing, but it's peculiar that they all started having a problem at the same time and the link we manually created was gone
[00:08] <drab> I guess we're doing something "non standard", so there's a chance we collided with something else
[00:08] <drab> (it's surprisingly difficult to get browsers to respect your own CA it turns out...)
[00:09] <drab> shockingly difficult I should say... they basically all ship with their own thing and don't respect the OS certs, which I could understand in a way, but then it'd make sense to support some way to do so without having to mess with pki libs links
[00:11] <sarnold> I'm a bit surprised, there's mention of windows registry keys that cause firefox to use the system registry, but nothing similar for linux
[00:13] <drab> there's literally *1* post on the entire web that I could find that figured it out
[00:14] <drab> which I guess is all I needed since I couldn't figure it out myself... but even finding that took a looong time
[00:14] <drab> and it basically involves installing a "standard" pki lib and relinking the browsers to use that
[00:14] <drab> and that will check the OS's CAs repo in /etc/ssl
[00:15] <drab> the one that update-ca-certificates generates I mean
[00:16] <sarnold> what pki lib is that?
[00:16] <drab> there's bugs dating back to 2000 I found about this behavior
[00:18] <drab> sec, I forgot the name, lemme look at ansible
[00:20] <drab> sarnold: p11-kit-modules + libp11-kit0
[00:21] <drab> and then you need to change the symlinks to repoint to p11-kit-trust.so
[00:21] <sarnold> drab: eww.
[00:21] <drab> instead of libnssckbi.so , of which multiple copies are shipped... crazy stuff
[00:21] <sarnold> drab: i'm surprised it worked at all.
[00:22] <sarnold> someone went to a huge amount of effort for absolutely no one to know about this :)
[00:22] <drab> lol
[00:22] <drab> well without it it's basically impossible for an organization to have a self signed CA
[00:22] <drab> working through all desktops
[00:22] <drab> independently of the browser ppl choose to use
[00:22] <drab> unless you force each person to manually install the cert on their own
[00:23] <drab> but we wanted to be able to distribute the cert with ansible to all hosts and have them all working right off the bat with no user action
[00:23] <drab> and that was the *only* way
[00:23] <drab> https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285
[00:23] <ubottu> Launchpad bug 1647285 in nss (Ubuntu) "SSL trust not system-wide" [Wishlist,Confirmed]
[00:25] <sarnold> I love dwmw2's bug reports
[00:28] <drab> fwiw experiment with samba homes shares for workstations was a semi-success
[00:28] <sarnold> yeah?
[00:29] <drab> good enough to replace nfs so that we can have everything in containers
[00:29] <drab> but crappy enough that I'd be somewhat ashamed of talking about it in public
[00:29] <sarnold> nice
[00:29] <drab> :P
[00:29] <sarnold> hahah
[00:29] <drab> basically pam_mount is broken
[00:29] <drab> so you can't have the cake and eat it
[00:30] <sarnold> oh? what's broken about it?
[00:30] <drab> and actually even if that worked ssh key based auth breaks that setup and there's really no way around it
[00:30] <drab> other than doing it "the right way" with kerberos tix
[00:31] <drab> sarnold: share is not unmounted on logout. general consensus seems that pam in ubuntu drops privs after login is successful
[00:31] <drab> so by the time you log out and it tries to unmount it that fails
[00:31] <sarnold> drab: you could probably use AuthorizedKeysFile to set a non-smb-path to the user files and have some way to copy over authorized_keys to the other file on logout or on demand or something
[00:31] <drab> what's more, the code is broken in so far as not checking if a mount already exists, so when you log back in it mounts stuff on top of the previous mounts
[00:31] <sarnold> ew.
[00:32] <sarnold> how about autofs?
[00:32] <drab> sarnold: that's one thing, but you also have the issue of pam auth, when you use keys there's no pam auth invoked
[00:32] <drab> yes, that's what I'm using (which I was also using with nfs)
[00:32] <drab> which is the ok but not really good solution...
[00:33] <drab> reason being, samba shares are authenticated and by the time you're logged in and cd'ed into the dir, your pwd is nowhere...
[00:33] <drab> so you can't pass it to autofs
[00:33] <drab> that's why ppl normally do it with pam_mount
[00:33] <drab> so what ppl do, in a moment of desperation i guess... they put ppl's passwords in clear in a file...
[00:33] <drab> yay
[00:34] <drab> I did not do that...
[00:34] <sarnold> can you pre-mount all the homedirs?
[00:34] <sarnold> hrm that'd probably have the same problem wouldn't it
[00:34] <drab> yep, well, sorta
[00:34] <drab> what I ended up doing is something in between...
[00:34] <drab> because samba has its own user db, which normally is the source of a lot of pain keeping things in sync
[00:34] <drab> in this case it saved the day
[00:35] <drab> since I could set all samba's users pwd to a shared secret and have that only with autofs
[00:35] <drab> and file permissions prevent somebody from cd'ing into someone else's dir, so that part still works
[00:36] <drab> it's not very nice because if the day comes that users want to access their own share on their own computer or something their normal login password won't work, they'll need the shared secret
[00:36] <sarnold> alright, that sounds workable
[00:36] <drab> but like a wise man said, why solve a problem today when someone else can solve it tomorrow
[00:36] <drab> so I left a note for whoever will be asked to do this one day :P
[00:37] <sarnold> "I'M SO SORRY #YOLO ur pal drab"
[00:37] <drab> pretty much
[00:37] <drab> in a sense it's a step forward from nfs actually, even a couple
[00:37] <sarnold> I remember having hopes of plan9fs being able to do some of this stuff better. I wonder what came of that.
[00:37] <drab> with nfs you can't prevent listing, so in theory something on the lan could just scan all hosts for shares and find it
[00:37] <drab> and then mount it
[00:38] <drab> with samba you can set browsing to no, so the share's paths are not revealed
[00:38] <drab> and you still need the secret to access them
[00:39] <drab> so overall, coupled with the fact that we can be 100% lxc and nobody has to learn about kvm, it's a big win
[00:39] <sarnold> :)
[00:56] <mdeslaur> nacc: oh! I missed that. Could you do artful, yes?
[01:01] <nacc> mdeslaur: yeah, artful will need 7.1.10 (i think)
[01:01] <nacc> mdeslaur: i can do them tmrw
[01:16] <nacc> rbasak: hrm, so must_build=True for all of our search entries
[01:16] <nacc> can it be dropped?
[01:17] <nacc> rbasak: or what is the logic to allow a failing build
[01:20] <rbasak> nacc: IIRC, it was for the first and almost noop entries. For example "does an orig tarball exist in the parent directory". If the search finds an orig tarball in the parent directory, I assumed it must be must_build=True, since even if it doesn't build we don't want to overwrite it. IIRC.
[03:47] <ShellcatZero> Does anyone here use serial console connections?  I don't have any of those 9-pin serial ports, but I've seen serial console cables sold online which use USB ports and I'm curious if this works.  This would be great for admin'ing my headless Ubuntu servers.
[03:48] <sarnold> I bought one years ago when I thought I might need it to install ubuntu on a pandaboard es (arm dev board), but the installer worked no trouble, so I returned the thing unopened :)
[03:49] <sarnold> for me the usb was going to be plugged into the laptop, and the serial end into the dev board, so I expect it would have worked pretty well
[03:49] <sarnold> I'm less sure about the usb being plugged into the headless end
[03:50] <sarnold> note that there's no standardized usb/serial interface, microsoft wanted serial DEAD way back when and stopped the usb group from standardizing one, so it's probably worth trying to find a known-good cable if you're going to try
[03:53] <ShellcatZero> Hmm, ok, I have to do some more research on this but the setup I imagined was having the console cable plugged into my router for general access to the headless system on the LAN
[04:11] <ShellcatZero> The IPMI serial-over-LAN might be what I've been looking for, still unsure about the USB cable though: http://manpages.ubuntu.com/manpages/xenial/man8/isol.8.html
[04:12] <ShellcatZero> Does anyone else here use serial-over-LAN?
[05:36] <lordievader> Good morning
=== JanC is now known as Guest53841
=== JanC_ is now known as JanC
=== jelly-home is now known as jelly
=== oerheks_ is now known as oerheks
[12:33] <Village> Hello,
[12:33] <Village> ... can't find package json
[12:34] <Village> So maybe someone knows what package i need?
[12:38] <oerheks> "JSON support comes pre-compiled with current php versions" you can check with php -m >> https://askubuntu.com/a/919921
[12:43] <mdeslaur> nacc: I can't see any actual security issues in the php changelogs
[12:44] <mdeslaur> nacc: nothing is tagged as security
[12:44] <mdeslaur> nacc: are you sure the cisecurity.org text isn't just placeholder?
[12:46] <Village> i try install now php-json
[12:46] <Village> bus error same
[12:46] <Village> i try run eggdrop and get error:
[12:46] <Village> [15:45:08] can't find package json
[12:46] <Village>     while executing
[12:46] <Village> "package require json"
[12:46] <Village> ...
[12:46] <Village> ...
[12:47] <Village> so what package i exactly need? Maybe someone knows?
=== Ussat-1 is now known as Ussat
[13:03] <Village> guys, i found json.tcl and needed one more, tdom, found it and it's now working, thank you
[13:25] <Jenshae> Salutations
[13:37] <coreycb> jamespage: beisner: the pike stable releases for bug 1719728 are ready to release to pike-updates
[13:37] <ubottu> bug 1719728 in Ubuntu Cloud Archive pike "[SRU] pike stable releases" [Undecided,Fix committed] https://launchpad.net/bugs/1719728
[13:40] <coreycb> jamespage: beisner: also can you promote python-k8sclient 0.4.0-0ubuntu1~cloud0 to pike-proposed please? that's for bug 1659420 and mr wolsen.
[13:40] <ubottu> bug 1659420 in Ubuntu Cloud Archive pike "Traceback when getting capacity in k8s_monitor" [High,Triaged] https://launchpad.net/bugs/1659420
[14:02] <ahasenack> does anybody have a working tip in "converting" a bootable iso file into something I can dd into a pendrive?
[14:02] <ahasenack> I tried a few tricks already (dd into device, or into a partition of the device, or using geteltorito to extract bits), none worked
[14:02] <ahasenack> I'm about to try unetbootin (http://unetbootin.github.io/)
[14:03] <ahasenack> it's an iso from intel to update/scan/check their SSDs
[14:03] <dpb1> I downloaded something similar from samsung
[14:03] <ahasenack> and it's actually linux (I checked by booting it with kvm)
[14:03] <ahasenack> has a boot menu, starts X even
[14:04] <dpb1> ahasenack: do they give instructions for what to do?
[14:04] <ahasenack> why they keep providing iso images I don't know. They provide an iso image, and alongside it a tool to record it into a pendrive :) But windows only (the tool)
[14:04] <joelio> if it's El Torito, you can *just* dd it (I like to use pv in a pipe too)
[14:04] <Jenshae> I use guidus and haven't had a problem with any boot image yet.
[14:04] <ahasenack> dpb1: they tell to use the windows tool to save it into a pendrive and boot from that :)
[14:04] <joelio> alternatively if it's not supported, you can convert it with genisoimage fu
[14:05] <ahasenack> joelio: I don't think it's eltorito. geteltorito extracts just about 2kbytes from it
[14:05] <ahasenack> I used geteltorito with lenovo's bios update iso, there it worked
[14:05] <joelio> what is the media? can you say?
[14:05] <Jenshae> Tried Wine on the tool?
[14:05] <ahasenack> $ file issdfut_2.2.3.iso
[14:05] <ahasenack> issdfut_2.2.3.iso: DOS/MBR boot sector; partition 1 : ID=0x17, active, start-CHS (0x0,0,1), end-CHS (0x37,63,32), startsector 0, 114688 sectors
[14:05] <ahasenack> Jenshae: guidus?
[14:05] * ahasenack searches
[14:06] <joelio> I'm not sure unetbootin will work there tbh, it's more geared to making linux isos bootable
[14:06] <joelio> might do though, so try if you can
[14:06] <Jenshae> I think there is a dus that guidus has been slapped onto.
[14:06] <ahasenack> hm, I can fdisk -l that iso file
[14:07] <ahasenack> issdfut_2.2.3.iso1 *        0 114687  114688  56M 17 Hidden HPFS/NTFS
[14:07] <ahasenack> is what it shows
[14:07] <joelio> yea, I'm not sure that'll work in unetbootin - have you tried the Dell BIOS -> linux conversion method
[14:07] <dpb1> ahasenack: not to dissuade you, but... msft makes vm test images available free of charge for virtualbox. :)
[14:08] <ahasenack> dpb1: I know, but this is a knowledge hole I have and I get annoyed by it
[14:08] <dpb1> yes
[14:08] <ahasenack> so many times I had an iso and no way to "convert" it into a bootable pendrive
[14:08] <dpb1> I understand that part, heh
[14:08] <ahasenack> sounds like it should be simpler
[14:08] <joelio> http://taint.org/2007/04/23/153737a.html kinda thing
[14:09] <ahasenack> intel suggested pendrivelinux.com (!)
[14:10] <joelio> otherwise go down the rabbit hole https://wiki.archlinux.org/index.php/Flashing_BIOS_from_Linux
[14:10] <joelio> look for bootable disk emulation at the end perhaps
[14:10] <dpb1> ahasenack: smh
[14:10] <joelio> or syslinux lol
[14:21] <ahasenack> got it
[14:21] <ahasenack> dd was enough
[14:21] <ahasenack> I had the bios on that laptop set to uefi only, that was the problem
[14:21] <ahasenack> switched it to "both" (uefi and legacy) and now the pendrive boots
[14:25] <coreycb> jamespage, beisner: the ocata point releases for bug 1718730 are also ready to promote to ocata-updates
[14:25] <ubottu> bug 1718730 in Ubuntu Cloud Archive ocata "[SRU] ocata stable releases" [Undecided,Fix committed] https://launchpad.net/bugs/1718730
=== Village is now known as Magadan
[14:54] <joelio> ahasenack: lol, glad you cracked it
[14:54] <joelio> also, etcher.io is a nice gui tool (fwiw)
[14:54] <ahasenack> interesting
[14:55] <joelio> ahasenack: yea, comes from resin.io guys doing docker on arm
[14:55] <ahasenack> I see they have their own deb repo
[14:56] <joelio> used it on osx quite a bit, really neat.. (although gimme `pv {file} | dd of={blah} bs=64k` any day :D
[15:00] <nacc> mdeslaur: i'm not 100% myself -- i'll check up on it today
[15:02] <drab> lol, js to burn an iso...
[15:05] <drab> sarnold: I actually figured out a decent way to solve the shared pwd thing
[15:05] <drab> felt too bad for the next guy :)
[15:06] <drab> sarnold: I'm gonna add a second ip to that host and run another samba instance on that different interface/ip pointing to the same share but auth'ing against ldap
[15:07] <drab> that way workstations can mount with the shared pwd while if ppl want to mount their own homedir elsewhere they can access it with their normal account pwd (even from their windows laptop)
[15:07] <drab> seems clean enough
[15:21] <joelio> drab: yea, it's not designed for admins who know how to dd, more for people who don't :)
[15:22] <joelio> it's kinda cute though, does verification and some other stuff dd doesn't necessarily
[16:14] <nacc> rbasak: around?
[16:14] <rbasak> o/
[16:14] <nacc> rbasak: could you hop on the standup HO?
[16:14] <nacc> rbasak: as you have time, not necessarily right away
[16:14] <rbasak> nacc: just got a snack. Can you give me ten minutes?
[16:14] <nacc> rbasak: yep
=== achiang` is now known as achiang
[16:28] <rbasak> o/
[16:28] <rbasak> nacc: in the hangout
[17:28] <beisner> hi coreycb jamespage - promoted nova (2:15.0.7-0ubuntu1) to uca ocata-updates re: bug 1718730
[17:28] <ubottu> bug 1718730 in Ubuntu Cloud Archive ocata "[SRU] ocata stable releases" [Undecided,Fix committed] https://launchpad.net/bugs/1718730
[17:28] <sarnold> drab: oy :) sounds a bit .. fragile?
[17:29] <coreycb> thanks beisner
[17:30] <coreycb> beisner: that whole slew of packages can be promoted for 1718730
[17:33] <beisner> coreycb: the only other one I see in ocata-staging for that is neutron - does that jive with your view?
[17:35] <coreycb> beisner: the stable releases are ready to go from proposed->updates for ocata
[17:36] <coreycb> beisner: but yes, staging should all be ready to promote after that though
[17:38] <coreycb> beisner: ah looks like nova missed the original promotion
[17:38] <beisner> coreycb yeah, crap
[17:38] <coreycb> beisner: well, everything else that is in proposed is ready to go to updates
[17:39] <coreycb> beisner: i'll sort out what's left-over
[17:39] <coreycb> beisner: ie. re-test
[17:39] <beisner> yeah, sorry about that coreycb & thanks
[17:40] <coreycb> beisner: np, thanks for promotions
[17:41] <beisner> coreycb: so nova 15.0.6-0ubuntu1.1 from proposed didn't go to updates in uca ocata.  do we need to redo that one in proposed?
[17:44] <coreycb> beisner: i think it can stay in proposed a little longer if 15.0.7 is on its way to proposed
[17:44] <beisner> ok cool thx coreycb
[17:56] <drab> sarnold: I got hold of the original dev for pam-cifs, maybe we can manage to fix that
[17:56] <drab> if that turns out to work, then we have a clean viable path forward
[17:56] <drab> and mounts can be mounted at login time as it should be and no need for any hacks
[17:56] <sarnold> drab: ooh! :D
[17:56] <drab> I'd like to package that for xenial if it works
[17:57] <drab> then we can have it, apparently they use it actively on archs in his lab (he's some professor at a uni in .de)
[17:57] <drab> and it's much much simpler than pam_mount so codebase should be easy to review and maintain
[17:58] <drab> it's 3K LOC including test utilities
[18:00] <sarnold> sounds promising
[18:01] <drab> also fwiw big stuff is happening in E2guardian, which means linux content filter for schools might finally become viable
[18:01] <drab> even though schools right now are all being sold on cloud content filtering...
[18:01] <genii> dansguardian was ok
[18:02] <drab> I'll have to disagree with that, but I'm ok with disagreeing with people :)
[18:03] <drab> dg didn't do any ssl filtering, which basically rendered it useless as 99% of the http proxy sites have moved to https and you can't block https blanket
[18:05] <sarnold> how's the e2guardian ssl filtering work?
[18:05] <sarnold> or is that the horrible CA thing you were dealing with?
[18:05] <drab> it works in the only possible way it could work, MITM
[18:06] <drab> you give it your CA, install it on all clients and it gens new certs on the fly with that
[18:06] <drab> while using the dst's cert and standard CAs for the upstream connection
[18:07] <drab> it's actually not that bad once you figure out the CA distribution
[18:07] <drab> the server side part is pretty painless
[18:08] <drab> the existing gotcha with v4 is that it had to be explicit proxying, so not only do you have to get the CA everywhere, but you have to convince all the browsers to use the proxy
[18:08] <drab> and that's another world of pain as there's no standard way... WPAD is broken and firefox won't respect /etc/environment
[18:09] <drab> and fundamentally you just need to start your own process unsetting the vars to work around it, so then ports need to be blocked on the fw, which I guess is ok
[18:09] <drab> the problem is with phones and whatnot, mobile devices are a pita. luckily v5 solves that adding support for transparent ssl proxying
[18:18] <sarnold> _transparent_ ssl proxying? that's a pretty good trick
[21:05] <disposable> can somebody please share their /etc/network/interfaces file with bond+bridge+vlan config? every single piece of docs i've read does it differently. the only thing they've in common is that nothing works for me (on 16.04).
[22:42] <sarnold> disposable: hah, nice to know that at least there's something in common among them all :) sorry, I haven't done this myself though :(
[23:53] <nacc> rbasak: annoying, `dpkg-source --commit` unconditionally fires off an editor
[23:53] <nacc> rbasak: we can patch our snap's version