[00:01] <drab> different question, is there a way to see what altered a file from apt?
[00:01] <drab> an automatic upgrade seems to have undone some of our customizations
[00:01] <drab> but I can't tell if that's really the case and what exactly
[00:02] <drab> however it happened on multiple machines at the same time so it definitely points to an update, a security update specifically since that's the only thing we install automatically
[00:02] <drab> but that seems at the same time strange so I'd like to verify
[00:05] <sarnold> drab: fatrace may help
[00:05] <sarnold> drab: or you could install auditctl file watch rules
[00:05] <drab> well it
[00:06] <drab> 's happened already
[00:06] <drab> I was thinking something along the lines of /var/log/apt/history.log
[00:07] <sarnold> you could try reading the /var/lib/dpkg/info/ files for the filename in question
[00:07] <sarnold> if you suspect a package maintainer script..
[00:08] <drab> well I'm just guessing, but it's peculiar that they all started having a problem at the same time and the link we manually created was gone
[00:08] <drab> I guess we're doing something "non standard", so there's a chance we collided with something else
[00:08] <drab> (it's surprisingly difficult to get browsers to respect your own CA it turns out...)
[00:09] <drab> shockingly difficult I should say... they basically all ship with their own thing and don't respect the OS certs, which I could understand in a way, but then it'd make sense to support some way to do so without having to mess with pki libs links
[00:11] <sarnold> I'm a bit surprised, there's mention of windows registry keys that cause firefox to use the system registry, but nothing similar for linux
[00:13] <drab> there's literally *1* post on the entire web that I could find that figured it out
[00:14] <drab> which I guess is all I needed since I couldn't figure it out myself... but even finding that took a looong time
[00:14] <drab> and it basically involves installing a "standard" pki lib and relinking the browsers to use that
[00:14] <drab> and that will check the OS's CAs repo in /etc/ssl
[00:15] <drab> the one that update-ca-certificates generates I mean
[00:16] <sarnold> what pki lib is that?
[00:16] <drab> there's bugs dating back to 2000 I found about this behavior
[00:18] <drab> sec, I forgot the name, lemme look at ansible
[00:20] <drab> sarnold: p11-kit-modules + libp11-kit0
[00:21] <drab> and then you need to change the symlinks to repoint to p11-kit-trust.so
[00:21] <sarnold> drab: eww.
[00:21] <drab> instead of libnssckbi.so , of which multiple copies are shipped... crazy stuff
[00:21] <sarnold> drab: i'm surprised it worked at all.
[00:22] <sarnold> someone went to a huge amount of effort for absolutely no one to know about this :)
[00:22] <drab> lol
[00:22] <drab> well without it it's basically impossible for an organization to have a self signed CA
[00:22] <drab> working through all desktops
[00:22] <drab> independently on the browser ppl choose to use
[00:22] <drab> unless you force each person to manually install the cert on their own
[00:23] <drab> but we wanted to be able to distribute the cert with ansible to all hosts and have them all working right off the bat with no user action
[00:23] <drab> and that was the *only* way
[00:23] <drab> https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285
[00:25] <sarnold> I love dwmw2's bug reports
[00:28] <drab> fwiw experiment with samba homes shares for workstations was a semi-success
[00:28] <sarnold> yeah?
[00:29] <drab> good enough to replace nfs so that we can have everything in containers
[00:29] <drab> but crappy enough that I'd be somewhat ashamed of talking about it in public
[00:29] <sarnold> nice
[00:29] <drab> :P
[00:29] <sarnold> hahah
[00:29] <drab> basically pam_mount is broken
[00:29] <drab> so you can't have the cake and eat it
[00:30] <sarnold> oh? what's broken about it?
[00:30] <drab> and actually even if that worked ssh key based auth breaks that setup and there's really no way around it
[00:30] <drab> other than doing it "the right way" with kerberos tix
[00:31] <drab> sarnold: share is not unmounted on logout. general consensus seems that pam in ubuntu drops privs after login is successful
[00:31] <drab> so by the time you log out and it tries to unmount it that fails
[00:31] <sarnold> drab: you could probably use AuthorizedKeysFile to set a non-smb-path to the user files and have some way to copy over authorized_keys to the other file on logout or on demand or something
[00:31] <drab> what's more, the code is broken in so far as not checking if a mount already exists, so when you log back in it mounts stuff on top of the previous mounts
[00:31] <sarnold> ew.
[00:32] <sarnold> how about autofs?
[00:32] <drab> sarnold: that's one thing, but you also have the issue of pam auth, when you use keys there's no pam auth invoked
[00:32] <drab> yes, that's what I'm using (which I was also using with nfs)
[00:32] <drab> which is the ok but not really good solution...
[00:33] <drab> reason being, samba shares are authenticated and by the time you're logged in and cd'ed into the dir, your pwd is nowhere...
[00:33] <drab> so you can't pass it to autofs
[00:33] <drab> that's why ppl normally do it with pam_mount
[00:33] <drab> so what ppl do, in a moment of desperation i guess... they put ppl's passwords in clear in a file...
[00:33] <drab> yay
[00:34] <drab> I did not do that...
[00:34] <sarnold> can you pre-mount all the homedirs?
[00:34] <sarnold> hrm that'd probably have the same problem wouldn't
[00:34] <drab> yep, well, sorta
[00:34] <drab> what I ended up doing is something in between...
[00:34] <drab> because samba has its own user db, which normally is the source of a lot of pain keeping things in sync
[00:34] <drab> in this case it saved the day
[00:35] <drab> since I could set all samba's users pwd to a shared secret and have that only with autofs
[00:35] <drab> and file permissions prevent somebody from cd'ing into someone else's dir, so that part still works
[00:36] <drab> it's not very nice because if the day comes that users want to access their own share on their own computer or something their normal login password won't work, they'll need the shared secret
[00:36] <sarnold> alright, that sounds workable
[00:36] <drab> but like a wise man said, why solve a problem today when someone else can solve it tomorrow
[00:36] <drab> so I left a note for whoever will be asked to do this one day :P
[00:37] <sarnold> "I'M SO SORRY #YOLO ur pal drab"
[00:37] <drab> pretty much
[00:37] <drab> in a sense it's a step forward from nfs actually, even a couple
[00:37] <sarnold> I remember having hopes of plan9fs being able to do some of this stuff better. I wonder what came of that.
[00:37] <drab> with nfs you can't prevent listing, so in theory something on the lan could just scan all hosts for shares and find it
[00:37] <drab> and then mount it
[00:38] <drab> with samba you can set browsing to no, so the shares' paths are not revealed
[00:38] <drab> and you still need the secret to access them
[00:39] <drab> so overall, coupled with the fact that we can be 100% lxc and nobody has to learn about kvm, it's a big win
[00:39] <sarnold> :)
[00:56] <mdeslaur> nacc: oh! I missed that. Could you do artful, yes?
[01:01] <nacc> mdeslaur: yeah, artful will need 7.1.10 (i think)
[01:01] <nacc> mdeslaur: i can do them tmrw
[01:16] <nacc> rbasak: hrm, so must_build=True for all of our search entries
[01:16] <nacc> can it be dropped?
[01:17] <nacc> rbasak: or what is the logic to allow a failing build
[01:20] <rbasak> nacc: IIRC, it was for the first and almost noop entries. For example "does an orig tarball exist in the parent directory". If the search finds an orig tarball in the parent directory, I assumed it must be must_build=True, since even if it doesn't build we don't want to overwrite it. IIRC.
[03:47] <ShellcatZero> Does anyone here use serial console connections?  I don't have any of those 9-pin serial ports, but I've seen serial console cables sold online which use USB ports and I'm curious if this works.  This would be great for admin'ing my headless Ubuntu servers.
[03:48] <sarnold> I bought one years ago when I thought I might need it to install ubuntu on a pandaboard es (arm dev board), but the installer worked no trouble, so I returned the thing unopened :)
[03:49] <sarnold> for me the usb was going to be plugged into the laptop, and the serial end into the dev board, so I expect it would have worked pretty well
[03:49] <sarnold> I'm less sure about the usb being plugged into the headless end
[03:50] <sarnold> note that there's no standardized usb/serial interface, microsoft wanted serial DEAD way back when and stopped the usb group from standardizing one, so it's probably worth trying to find a known-good cable if you're going to try
[03:53] <ShellcatZero> Hmm, ok, I have to do some more research on this but the setup I imagined was having the console cable plugged into my router for general access to the headless system on the LAN
[04:11] <ShellcatZero> The IPMI serial-over-LAN might be what I've been looking for, still unsure about the USB cable though: http://manpages.ubuntu.com/manpages/xenial/man8/isol.8.html
[04:12] <ShellcatZero> Does anyone else here use serial-over-LAN?
[05:36] <lordievader> Good morning
[12:33] <Village> Hello,
[12:33] <Village> ... can't find package json
[12:34] <Village> So maybe someone knows what package i need?
[12:38] <oerheks> "JSON support comes pre-compiled with current php versions" you can check with php -m >> https://askubuntu.com/a/919921
[12:43] <mdeslaur> nacc: I can't see any actual security issues in the php changelogs
[12:44] <mdeslaur> nacc: nothing is tagged as security
[12:44] <mdeslaur> nacc: are you sure the cisecurity.org text isn't just placeholder?
[12:46] <Village> i try install now php-json
[12:46] <Village> bus error same
[12:46] <Village> i try run eggdrop and get error:
[12:46] <Village> [15:45:08] can't find package json
[12:46] <Village>     while executing
[12:46] <Village> "package require json"
[12:46] <Village> ...
[12:46] <Village> ...
[12:47] <Village> so what package do i exactly need? Maybe someone knows?
[13:03] <Village> guys, i found json.tcl and need one more tdom found and it and now working, thank you
[13:25] <Jenshae> Salutations
[13:37] <coreycb> jamespage: beisner: the pike stable releases for bug 1719728 are ready to release to pike-updates
[13:40] <coreycb> jamespage: beisner: also can you promote python-k8sclient 0.4.0-0ubuntu1~cloud0 to pike-proposed please? that's for bug 1659420 and mr wolsen.
[14:02] <ahasenack> does anybody have a working tip in "converting" a bootable iso file into something I can dd into a pendrive?
[14:02] <ahasenack> I tried a few tricks already (dd into device, or into a partition of the device, or using geteltorito to extract bits), none worked
[14:02] <ahasenack> I'm about to try unetbootin (http://unetbootin.github.io/)
[14:03] <ahasenack> it's an iso from intel to update/scan/check their SSDs
[14:03] <dpb1> I downloaded something similar from samsung
[14:03] <ahasenack> and it's actually linux (I checked by booting it with kvm)
[14:03] <ahasenack> has a boot menu, starts X even
[14:04] <dpb1> ahasenack: do they give instructions for what to do?
[14:04] <ahasenack> why they keep providing iso images I don't know. They provide an iso image, and alongside it a tool to record it into a pendrive :) But windows only (the tool)
[14:04] <joelio> if it's El Torito, you can *just* dd it (I like to use pv in a pipe too)
[14:04] <Jenshae> I use guidus and haven't had a problem with any boot image yet.
[14:04] <ahasenack> dpb1: they tell to use the windows tool to save it into a pendrive and boot from that :)
[14:04] <joelio> alternatively if it's not supported, you can convert it with genisoimage fu
[14:05] <ahasenack> joelio: I don't think it's eltorito. geteltorito extracts just about 2kbytes from it
[14:05] <ahasenack> I used geteltorito with lenovo's bios update iso, there it worked
[14:05] <joelio> what is the media? can you say?
[14:05] <Jenshae> Tried Wine on the tool?
[14:05] <ahasenack> $ file issdfut_2.2.3.iso
[14:05] <ahasenack> issdfut_2.2.3.iso: DOS/MBR boot sector; partition 1 : ID=0x17, active, start-CHS (0x0,0,1), end-CHS (0x37,63,32), startsector 0, 114688 sectors
[14:05] <ahasenack> Jenshae: guidus?
[14:05]  * ahasenack searches
[14:06] <joelio> I'm not sure unetbootin will work there tbh, it's more geared to making linux iso's bootable
[14:06] <joelio> might do though, so try if you can
[14:06] <Jenshae> I think there is a dus that guidus has been slapped onto.
[14:06] <ahasenack> hm, I can fdisk -l that iso file
[14:07] <ahasenack> issdfut_2.2.3.iso1 *        0 114687  114688  56M 17 Hidden HPFS/NTFS
[14:07] <ahasenack> is what it shows
[14:07] <joelio> yea, I'm not sure that'll work in unetbootin - have you tried the Dell BIOS -> linux conversion method
[14:07] <dpb1> ahasenack: not to dissuade you, but... msft makes vm test images available free of charge for virtualbox. :)
[14:08] <ahasenack> dpb1: I know, but this is a knowledge hole I have and I get annoyed by it
[14:08] <dpb1> yes
[14:08] <ahasenack> so many times I had an iso and no way to "convert" it into a bootable pendrive
[14:08] <dpb1> I understand that part, heh
[14:08] <ahasenack> sounds like it should be simpler
[14:08] <joelio> http://taint.org/2007/04/23/153737a.html kinda thing
[14:09] <ahasenack> intel suggested pendrivelinux.com (!)
[14:10] <joelio> otherwise go down the rabbit hole https://wiki.archlinux.org/index.php/Flashing_BIOS_from_Linux
[14:10] <joelio> look for bootable disk emulation at the end perhaps
[14:10] <dpb1> ahasenack: smh
[14:10] <joelio> or syslinux lol
[14:21] <ahasenack> got it
[14:21] <ahasenack> dd was enough
[14:21] <ahasenack> I had the bios on that laptop set to uefi only, that was the problem
[14:21] <ahasenack> switched it to "both" (uefi and legacy) and now the pendrive boots
[14:25] <coreycb> jamespage, beisner: the ocata point releases for bug 1718730 are also ready to promote to ocata-updates
[14:54] <joelio> ahasenack: lol, glad you cracked it
[14:54] <joelio> also, etcher.io is a nice gui tool (fwiw)
[14:54] <ahasenack> interesting
[14:55] <joelio> ahasenack: yea, comes from resin.io guys doing docker on arm
[14:55] <ahasenack> I see they have their own dep repo
[14:56] <joelio> used it on osx quite a bit, really neat.. (although gimme `pv {file} | dd of={blah} bs=64k` any day :D)
[15:00] <nacc> mdeslaur: i'm not 100% myself -- i'll check up on it today
[15:02] <drab> lol, js to burn an iso...
[15:05] <drab> sarnold: I actually figured out a decent way to solve the shared pwd thing
[15:05] <drab> felt too bad for the next guy :)
[15:06] <drab> sarnold: I'm gonna add a second ip to that host and run another samba instance on that different interface/ip pointing to the same share but auth'ing against ldap
[15:07] <drab> that way workstations can mount with the shared pwd, while if ppl want to mount their own homedir elsewhere they can access it with their normal account pwd (even from their windows laptop)
[15:07] <drab> seems clean enough
[15:21] <joelio> drab: yea, it's not designed for admins who know how to dd, more for people who don't :)
[15:22] <joelio> it's kinda cute though, does verification and some other stuff dd doesn't necessarily
[16:14] <nacc> rbasak: around?
[16:14] <rbasak> o/
[16:14] <nacc> rbasak: could you hop on the standup HO?
[16:14] <nacc> rbasak: as you have time, not necessarily right away
[16:14] <rbasak> nacc: just got a snack. Can you give me ten minutes?
[16:14] <nacc> rbasak: yep
[16:28] <rbasak> o/
[16:28] <rbasak> nacc: in the hangout
[17:28] <beisner> hi coreycb jamespage - promoted nova (2:15.0.7-0ubuntu1) to uca ocata-updates re: bug 1718730
[17:28] <sarnold> drab: oy :) sounds a bit .. fragile?
[17:29] <coreycb> thanks beisner
[17:30] <coreycb> beisner: that whole slew of packages can be promoted for 1718730
[17:33] <beisner> coreycb: the only other one I see in ocata-staging for that is neutron - does that jive with your view?
[17:35] <coreycb> beisner: the stable releases are ready to go from proposed->updates for ocata
[17:36] <coreycb> beisner: but yes, staging should all be ready to promote after that though
[17:38] <coreycb> beisner: ah looks like nova missed the original promotion
[17:38] <beisner> coreycb yeah, crap
[17:38] <coreycb> beisner: well, everything else that is in proposed is ready to go to updates
[17:39] <coreycb> beisner: i'll sort out what's left-over
[17:39] <coreycb> beisner: ie. re-test
[17:39] <beisner> yeah, sorry about that coreycb & thanks
[17:40] <coreycb> beisner: np, thanks for promotions
[17:41] <beisner> coreycb: so nova 15.0.6-0ubuntu1.1 from proposed didn't go to updates in uca ocata.  do we need to redo that one in proposed?
[17:44] <coreycb> beisner: i think it can stay in proposed a little longer if 15.0.7 is on its way to proposed
[17:44] <beisner> ok cool thx coreycb
[17:56] <drab> sarnold: I got hold of the original dev for pam-cifs, maybe we can manage to fix that
[17:56] <drab> if that turns out to work, then we have a clean viable path forward
[17:56] <drab> and mounts can be mounted at login time as it should and no need for any hacks
[17:56] <sarnold> drab: ooh! :D
[17:56] <drab> I'd like to package that for xenial if it works
[17:57] <drab> then we can have it, apparently they use it actively on archs in his lab (he's some professor at a uni in .de)
[17:57] <drab> and it's much much simpler than pam_mount so codebase should be easy to review and maintain
[17:58] <drab> it's 3K LOC including test utilities
[18:00] <sarnold> sounds promising
[18:01] <drab> also fwiw big stuff is happening in E2guardian, which means linux content filter for schools might finally become viable
[18:01] <drab> even tho schools right now are all being sold on cloud content filtering...
[18:01] <genii> dansguardian was ok
[18:02] <drab> I'll have to disagree with that, but I'm ok with disagreeing with people :)
[18:03] <drab> dg didn't do any ssl filtering, which basically rendered it useless as 99% of the http proxy sites have moved to https and you can't block https blanket
[18:05] <sarnold> hows the e2guardian ssl filtering work?
[18:05] <sarnold> or is that the horrible CA thing you were dealing with?
[18:05] <drab> it works in the only possible way it could work, MITM
[18:06] <drab> you give it your CA, install it on all clients and it gens new certs on the fly with that
[18:06] <drab> while using the dst's cert and standard CAs for the upstream connection
[18:07] <drab> it's actually not that bad once you figure out the CA distribution
[18:07] <drab> the server side part is pretty painless
[18:08] <drab> the existing gotcha with v4 is that it had to be explicit proxying, so not only do you have to get the CA everywhere, but you have to convince all the browsers to use the proxy
[18:08] <drab> and that's another world of pain as there's no standard way... WPAD is broken and firefox won't respect /etc/environment
[18:09] <drab> and fundamentally you just need to start your own process unsetting the vars to work around it, so then ports need to be blocked on the fw, which I guess it's ok
[18:09] <drab> the problem is with phones and whatnot, mobile devices are a pita. luckily v5 solves that by adding support for transparent ssl proxying
[18:18] <sarnold> _transparent_ ssl proxying? that's a pretty good trick
[21:05] <disposable> can somebody please share their /etc/network/interfaces file with bond+bridge+vlan config? every single piece of docs i've read does it differently. the only thing they've in common is that nothing works for me (on 16.04).
[22:42] <sarnold> disposable: hah, nice to know that at least there's something in common among them all :) sorry, I haven't done this myself though :(
[23:53] <nacc> rbasak: annoying, `dpkg-source --commit` unconditionally fires off an editor
[23:53] <nacc> rbasak: we can patch our snap's version