/srv/irclogs.ubuntu.com/2017/10/23/#ubuntu-server.txt

[06:03] <lordievader> Good morning
[06:58] <cpaelzer> good morning lordievader
=== JanC is now known as Guest95859
=== JanC_ is now known as JanC
[07:35] <lordievader> Hey cpaelzer, how are you doing?
[07:37] <cpaelzer> pretty well for a monday
[07:45] <necrophcodr> I've got a server where my users do not have a /run/user/$UID directory
[07:45] <necrophcodr> Does that need manual creation now?
[11:15] <andreas> ...and here it goes :) http://reqorts.qa.ubuntu.com/reports/ubuntu-server/merges.html
[12:16] <cpaelzer> andreas: well no BB yet to start right?
[12:16] <andreas> cpaelzer: right, I was just curious about what was piling up
[12:16] <andreas> since I got some emails about bugs being fixed in debian
[12:16] <cpaelzer> as usual, everything :-)
[12:17] <cpaelzer> honestly early in the cycle we likely pick the few extra complex ones we know to do the transitions right
[12:17] <cpaelzer> those that "just" need a bump will come trice or only later
[12:17] <cpaelzer> (opinion)
[12:17] <necrophcodr> Is it possible to tell dpkg not to run any of the {pre,post}inst scripts?
[12:18] <necrophcodr> That is, when installing packages using apt
[12:21] <cpaelzer> necrophcodr: I don't know a good way to globally disable them, but you could modify (exit 0 in line 1) them in /var/lib/dpkg/info as needed
[12:22] <cpaelzer> for dpkg install that should be fine, as it only unpacks them again if not there (so I thought)
[12:22] <necrophcodr> cpaelzer: are all package scripts in /var/lib/dpkg/info before packages are downloaded and installed?
[12:22] <cpaelzer> not sure if apt refreshes the files in any case
[12:22] <cpaelzer> necrophcodr: no they are part of the download
[12:22] <cpaelzer> necrophcodr: you could run apt until it fails
[12:22] <cpaelzer> necrophcodr: then modify the file as needed
[12:22] <cpaelzer> necrophcodr: and then dpkg install those that you modified
[12:23] <cpaelzer> to continue with apt afterwards
[12:23] <necrophcodr> it doesn't have to be a good way either, i'm okay with hacky bullshit. i guess i'll have to do multi stage, so one downloading the packages and "fixing" the scripts, and one actually installing it
[12:23] <necrophcodr> unless the downloading of it doesn't install the script which is probably the case
[12:29] <cpaelzer> necrophcodr: apt is meant to do all-in-one nicely, maybe not the thing for your special case
[12:30] <cpaelzer> necrophcodr: but dpkg being the lower level tool certainly can help you
[12:30] <cpaelzer> necrophcodr: you can even set up --pre-invoke=command and such to do (whatever you need to do) regularly
=== jstevewhite is now known as stwhite
=== stwhite is now known as jstevewhite
[14:54] <MacroMan> Can I get a sanity check? These UFW rules should block port 3000 right?: https://paste.ngx.cc/504bdbc1f51f1495
[14:55] <TJ-> MacroMan: the default deny on INPUT will
[14:56] <MacroMan> Weird. I'm running grafana and I can access the mini-http server over port 3000, when clearly I shouldn't be able to
[14:57] <MacroMan> Are there any other ways through the firewall that aren't covered by my ufw status output?
[15:44] <TJ-> MacroMan: is UFW applying those rules to *all* interfaces? I prefer using iptables/ip6tables to inspect rules rather than some reduced front-end
[15:49] <MacroMan> TJ-: I only have one interface on this machine
[15:56] <TJ-> MacroMan: are the connections coming in over IPv4 or IPv6?
[15:56] <TJ-> Where are you testing it *from*? not the same machine?
[16:58] <rh10> guys, which way better to send email notify using smtp AUTH and TLS through external mail service? i need it for script's notifications.
[17:01] <rh10> from scripts actually
[17:01] <Seveas> rh10: local exim with a smarthost transport that's configured properly.
[17:02] <rh10> Seveas, thanks but dont suitable in my case. already use mail server for another purposes.
[17:02] <sdeziel> rh10: a sendmail provider like msmtp-mta or ssmtp would do then
[17:02] <Seveas> rh10: well, then configure that mailserver to do the relaying properly :)
[17:03] <sdeziel> rh10: with those, you configure your relay host, username/password and that's it
[17:04] <sdeziel> it's similar to running exim or postfix minus the permanently running daemons
[17:04] <rh10> sdeziel, got it. seems exactly what i need https://wiki.archlinux.org/index.php/Msmtp
[17:04] <rh10> sdeziel, thanks!
[17:05] <sdeziel> rh10: np
[17:08] <sdeziel> rh10: one word of caution though, if msmtp/ssmtp cannot relay your email right away, this email will be lost for good (no delivery retry). With msmtp, I think you get an error code on submission failure at least. That's why exim/postfix have daemons running
[17:10] <rh10> sdeziel, got it, thanks for warning
[17:11] <rh10> sdeziel, maybe is it real to handle, was mail send correctly, in script itself? like exit status of command or so on?
[17:16] <sdeziel> the sendmail command should return non 0 on relaying failure
[17:17] <rh10> sdeziel, nope. i mean in msmtp
[17:17] <rh10> to prevent lost of letters
[17:18] <rh10> smth like that
[17:19] <sdeziel> rh10: well, many MTA provide a sendmail command implementation for compat with existing software. Installing msmtp-mta will provide you msmtp's sendmail compat shim
[17:19] <rh10> sdeziel, got it, thanks!
[17:19] <sdeziel> rh10: that said, with msmtp (or its sendmail compat shim), you will only know if the email was relayed (return 0) or not (non 0)
[17:20] <rh10> sdeziel, got it
=== jstevewhite is now known as stwhite
=== JanC_ is now known as JanC
[17:57] <andreas> hi, can someone please accept the trusty nomination I just made in this bug: https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671
[17:57] <ubottu> Launchpad bug 1719671 in ubuntu-advantage-tools (Ubuntu Zesty) "[SRU] include recent version containing fips and livepatch" [Undecided,New]
[17:59] <sarnold> andreas: done
[17:59] <andreas> thanks
=== stwhite is now known as jstevewhite
[18:56] <gunix> any way to download a ca cert so that curl doesn't need --insecure flag any more? https://bpaste.net/show/b9dd27607487
[18:57] <gunix> curl is run from a python framework and i am trying to bypass that error at linux level, making it somehow ignore the cert
[18:59] <sarnold> gunix: --cacert if there's a single CA you want to trust; --capath if there's several
[19:00] <gunix> sarnold: will --cacert accept the cert per user or per system?
[19:00] <sarnold> gunix: I don't understand.. what do you mean?
[19:01] <gunix> sarnold: if i run with user david "curl --cacert link", and after that run with user martin "curl link", will it also work for martin?
[19:02] <sarnold> gunix: note that both --cacert and --capath take an argument that is a pathname to a certificate or a directory of hashed certificates
[19:02] <sarnold> gunix: so if martin and david want to trust the same certificate, they both need read access to the file
[19:02] <gunix> sarnold: do you have some examples with this? like a blog or something?
[19:03] <sarnold> gunix: no, but the curl manpage has good details
[19:03] <gunix> sarnold: is there public log to this chat?
[19:04] <sarnold> gunix: yes https://irclogs.ubuntu.com/2017/
[19:04] <gunix> sarnold: oh, only from yesterday. got it. thank you
[19:05] <gunix> hmm it's from today too
[19:05] <sarnold> gunix: logs are written every half hour or hour or something
[20:13] <andreas> nacc: I believe I'm done with the ubuntu-advantage sru bug and it's ready for sponsoring
[20:13] <andreas> https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671
[20:13] <ubottu> Launchpad bug 1719671 in ubuntu-advantage-tools (Ubuntu Zesty) "[SRU] include recent version containing fips and livepatch" [Undecided,In progress]
[20:18] <nacc> andreas: thank you for letting me know, i'll take a look shortly
[20:18] <andreas> nacc: the bug description is huge I'm afraid. I kept the same structure that joy started and added livepatch. Since it's for 3 releases of ubuntu, it got big
[20:18] <nacc> np, i've been reading the updates as they come in
[20:19] <andreas> nacc: the more interesting bits are in the beginning, and at the very end (other info, regression potential)
[20:21] <nacc> andreas: ok
[21:48] <jge> hey all, curious any of you here ever configured a reverse proxy to talk to backend over SSL ? so Client > (HTTPS) > Reverse proxy > (HTTPS) > Backend Server
[21:49] <jge> using apache
[21:49] <jge> as the reverse proxy
[21:51] <jge> is this all that will suffice for the config: https://paste.ee/p/LqHSo
[21:52] <jge> ^^ does not include first leg https connections from clients
[22:04] <sarnold> jge: I think I hear of more people using nginx as a proxy/frontend, so if this doesn't work out keep in mind that you've got options
[22:05] <sarnold> haproxy links against libssl, it might do the job too
[22:07] <jge> that's true sarnold, thank you
[22:12] <drab> sarnold: ftr I ended up ditching everything and figuring out a reasonable way to put nfs in a container
[22:12] <drab> that samba setup was a never ending world of pain even after I figured out all the pam cifs stuff
[22:13] <sarnold> drab: damn :/ what a journey
[22:13] <drab> it boggles my mind how complicated it is the whole password management business... need to add new schemas to ldap, change the way you manage pwds... really not worth it unless you have to and need to support MS stuff
[22:13] <sarnold> drab: what's the config like now?
[22:13] <drab> sarnold: well I don't think I could have known until I tried... even with all the upfront research it wasn't obvious
[22:13] <sarnold> right
[22:14] <drab> sarnold: privileged container on a locked down host with zvol formatted as ext4
[22:14] <drab> this allows the use of quota and all other things without having to touch the host and it's all considered relatively safe
[22:14] <sarnold> drab: aha
[22:14] <drab> I still have the problem I wanted to avoid of getting a container to muck with the host's kernel, but that could not be avoided at this point
[22:14] <drab> since samba was not an option and neither is nfs userspace
[22:15] <drab> but truth to be told it's mostly the clients that have had bad times with nfs on some occasions so we should be ok and it's still all relatively containerized and isolated from the host
[22:15] <drab> plus that system offers no services other than nfs, so no logins or shells on it from anybody except IT team
[22:15] <drab> so I'm ok to live with that
[22:16] <drab> brb
