/srv/irclogs.ubuntu.com/2017/11/07/#ubuntu-server.txt

catalasecan someone point me to a bash script that will ping a given ip address (eg. google.com for instance) and IF it is unreachable, run another script?00:58
catalasefor instance: https://unix.stackexchange.com/questions/190513/shell-scripting-proper-way-to-check-for-internet-connectivity00:59
sarnoldping -w1 -c1 www.google.com > /dev/null 2>&1 && echo hi01:00
catalasewhat if it is unreachable though01:01
catalasei only want it to echo hi if destination unreachable01:02
sarnoldif you care about the specific reason why the ping failed then you may have to write your own tool01:02
sarnoldif you just care that it did fail, then replace the && with ||01:03
catalaseping -w1 -c1 www.google.com > /dev/null 2>&1 ||sudp sudo ./home/catalase/mysupercoolscripts/testscript.sh01:04
catalasecould i do something like that01:04
catalaseping -w1 -c1 www.google.com > /dev/null 2>&1 || sudo ./home/catalase/mysupercoolscripts/testscript.sh01:04
catalaserather01:04
sarnoldprogrammatic use of 'sudo' is often a sign of trouble..01:05
catalasewhat should i use instead01:06
sarnoldwhat starts this process?01:07
catalasei do01:08
sarnoldaha, then I'd suggest running the script with sudo manually01:13
catalaselol01:13
SmokinGruntswhat'd be the best thing to attempt to have a server securely send me near realtime updates of any changes to /var/log/auth.log?04:05
pwnguinlike, rsyslog?04:11
drabSmokinGrunts: rsyslog + tls04:21
SmokinGruntsaye something happened to my fail2ban on one of the work servers... I'm being bruteforced atm, brb04:22
pwnguinturn off pw auth, problem solved04:23
SmokinGruntsI am still very much learning04:23
* drab never understood the point of fail2ban04:23
drabanyway, bbl04:25
SmokinGruntsbah04:38
ReedK2when you get an app that doesn't come from the package manager, how do you know where to install it?04:39
SmokinGruntsokay, if fail2ban is up, and the server has been restarted, and I'm still getting log-updates from a 'tail'ed /var/log/auth.log of connection attempts, then what is going on??04:40
SmokinGruntsI can block the offender from the firewall, but I'd rather have them block automatically from the server itself04:41
SmokinGruntsblocked*04:42
SmokinGruntsoh, so fail2ban will ban me, when I test it04:48
SmokinGrunts:(04:48
qman__fail2ban will allow a certain number of attempts, which are logged, before blocking the address, and this happens per address attempting to connect, so if you're being attacked from many IPs, there will be many attempts in the log04:52
qman__it also clears out the list of banned IPs when fail2ban is restarted04:53
SmokinGruntsthere be one ip, but it's not thru ssh I guess?05:02
SmokinGruntsoh lol I had added telnet earlier. removed, no more probs.05:12
SmokinGruntsxinetd and telnetd05:12
SmokinGruntslol my noob is showing05:16
SmokinGruntsso TIL; don't have a telnet daemon available if you don't need it.05:22
SmokinGrunts2scary4me05:29
SmokinGruntsdamn. So TIL about the necessity of all things security for a public-facing server, no matter what it's for, or how big it is.05:46
SmokinGruntsI had a telnet daemon up for 3 days05:47
SmokinGruntsdamn near a few dozen minutes after, I started getting root login attempts through it05:47
SmokinGruntsall for a server that's only hosted very basic nodejs development shit05:48
SmokinGruntsbetter late than never for learning05:49
cpaelzergood morning06:33
ReedK2to install kde in ubuntu, do you install kubuntu-desktop?06:36
ReedK2according to help.ubuntu.com that is the case ( https://help.ubuntu.com/community/InstallingKDE )06:36
cpaelzerReedK2: kubuntu-desktop ?06:38
cpaelzeryeah06:38
cpaelzerthat is what I have06:38
cpaelzeralthough I installed from a kubuntu ISO back then, but I think that is the central package that pulls everything else in06:38
cpaelzerReedK2: one might argue on a desktop UI on server, but it worked for me on my NAS when I refurbished it to a backup desktop06:39
ReedK2i wonder if it matters because if you install the other DE, the old DE packages will be ignored06:53
cpaelzerReedK2: while a bit of package overload, you can install multiple DE and select on the login manager06:53
cpaelzerwhich one to start on login06:53
ReedK2cpaelzer, I think you need a desktop unless the server is remote.  but it's crazy to try to develop without a desktop, if only due to text-only web browser problems06:54
cpaelzerReedK2: I'm not trying to convince you not to do so :-)06:55
cpaelzeras I mentioned above, my NAS has KDE as well06:55
ReedK2cpaelzer, anyway I wonder if kde is botnet.06:55
hateballReedK2: kubuntu-desktop is the full Kubuntu experience, with associated programs. there's other meta-packages if you want only the DE itself06:55
ReedK2yeah kubuntu-desktop is supposed to be the 'recommended lightweight installer'.  there's kde-plasma-desktop which is supposed to be core-only.06:56
ReedK2I thought it would be nice to have some extra tools because they might help to customize it06:56
hateballI dont see any reason not to use kubuntu-desktop unless you are low on storage space06:57
ReedK2because someone told me to use kde07:01
ReedK2oh you mean use the full version?07:01
ReedK2this was a bad idea07:02
lordievaderGood morning07:13
cpaelzerhiho lordievader07:21
lordievaderHey cpaelzer07:22
lordievaderHow are you?07:22
cpaelzergood, I hope you too07:23
lordievaderJup, doing good here :)07:23
ReedK0does anyone know where kaccounts-providers_4%3a15.12.3-0ubuntu1_amd64.deb is supposed to reside?07:51
ReedK0does anyone know how to stop recovery mode from timing out and freezing?08:15
lordievaderWhy does it enter recovery mode?08:29
ReedK0lordievader, i installed kubuntu-desktop on ubuntu 16.04, and it destroyed the computer08:30
ReedK0the "work-arounds" didn't work.08:30
ReedK0now recovery mode actually doesn't time out but rather just closes after about 2 minutes.08:30
lordievaderKubuntu desktop on a server?08:30
lordievaderWhat work-arounds?08:30
cpaelzerthe way "it destroyed the computer" might be important as well08:31
ReedK0https://askubuntu.com/questions/804968/apt-get-install-kubuntu-desktop-failed-trying-to-overwrite first answer and08:31
ReedK0https://bugs.launchpad.net/ubuntu/+source/kaccounts-providers/+bug/1573787 comment #508:31
ubottuLaunchpad bug 1565772 in gnome-control-center-signon (Ubuntu Xenial) "duplicate for #1573787 [SRU] Allow plugins to decide which username to set on new accounts" [Critical,Fix committed]08:31
lordievaderHmm. Could you answer cpaelzer 's question?08:32
ReedK0when prompted to install sddm or lightdm, I selected "sddm", and the installer closed.  it said: "Locked." and  "your system has errors".08:32
cpaelzerbecause while these are issues, overwriting these files does not render your computer unusable08:32
ReedK0I asked at #kde, and they said to restart and re-run the installer or to use apt to do --fix-installed08:32
lordievaderInstalling sddm should not break anything.08:33
lordievaderDid you run 'apt-get install -f'?08:33
ReedK0sddm did not successfully install08:33
cpaelzeroh I see, you have an unrelated issue with these packages to install properly but you need to resolve that to continue the install08:33
ReedK0yes, I did.  it gives the same error: "you should try apt-get install -f"08:33
cpaelzerof sddm08:33
ReedK0I also get that with apt remove, apt-get everything and apt --fix-packages08:33
lordievaderCould you pastebin the full output of that command?08:34
lordievader!pastebin08:34
ubottuFor posting multi-line texts into the channel, please use https://paste.ubuntu.com | To post !screenshots use https://imgur.com/ !pastebinit to paste directly from command line | Make sure you give us the URL for your paste - see also the channel topic.08:34
ReedK0it's a different computer08:34
ReedK0it only has the 2-minute recovery mode08:34
lordievaderNo shell access (tty, ssh, etc)?08:34
SmokinGruntswhy's the server getting a desktop?08:35
ReedK0SmokinGrunts, we talked about that like an hour ago08:36
ReedK0lordievader, only the 2-minute shell in recovery mode08:36
SmokinGruntsI'm late to the ballgame08:36
lordievaderReedK0: What happens after those two minutes?08:36
ReedK0a bunch of [stuff here] appears, and then it returns to the recovery menu, but the PC is frozen.08:36
ReedK0lordievader, i'd be happy to rip the desktop environment out if it meant i could boot to CLI.  But I can't boot to CLI, either.08:37
lordievaderReedK0: Do you get more of a shell when you boot with the kernel parameter `systemd.unit=rescue.target`?08:38
ReedK0i don't know how to do that08:38
ReedK0let me see08:39
ReedK0probably grub08:39
lordievaderIn grub you edit the kernel line, after the `splash` you add the above.08:39
SmokinGruntscan someone get me up to speed?08:39
lordievaderReedK0: https://wiki.ubuntu.com/Kernel/KernelBootParameters08:40
cpaelzerReedK0: I don't see how you got into a boot/rescue issue with that - some packages conflicted about some account plugin files, so what08:40
lordievaderSmokinGrunts: https://irclogs.ubuntu.com/2017/11/07/%23ubuntu-server.html08:40
cpaelzerReedK0: shouldn't the system just work as-is and you can resolve the issue via ssh or whatever you usually use08:41
ReedK0that's not what #kde says08:41
lordievaderSmokinGrunts: He tried to install kubuntu-desktop and now it doesn't boot.08:41
ReedK0they said 'it's a deeper issue'08:41
lordievaderIf it goes into the rescue mode... it seems like it is a deeper issue.08:41
lordievaderWhich is quite strange.08:41
ReedK0I think sddm not installing properly, or kubuntu-desktop only partially installing (but thinking it's fully installed when you try to install over it)...08:42
SmokinGruntswhat is output of 'lsb_release -a'08:42
ReedK0I went to rescue mode because normal mode does something else08:42
SmokinGruntson the server, that is08:42
ReedK0normal mode says my graphics card isn't configured properly08:42
ReedK0or it stops at [blocks] in CLI mode08:42
ReedK0it gives me the option to choose between two video drivers, and neither of them work.08:43
lordievaderIt stops in CLI mode? So, you do have a shell?08:44
ReedK0lordievader, you want me to set systemd.unit=rescue.target still?08:44
ReedK0In rescue mode, I can open the recovery shell.  yes08:44
lordievaderIf that gives you a shell, yes.08:44
ReedK0and then the PC freezes after 2 minutes after returning to the menu screen.08:44
ReedK0I have a shell.  It's just a 2-minute shell.08:44
lordievaderHow new is the install?08:44
* ReedK0 sigh08:45
ReedK0a few weeks08:45
ReedK0i just want to get my shell logs and08:45
ReedK0maybe my browser history08:45
ReedK0figure out how to partition it once again08:45
ReedK0heartbreaking. like my dog died08:45
lordievaderYou do your web browsing on a server O.o08:46
lordievaderDoes adding the systemd.unit parameter give you a 'real' shell?08:46
ReedK0very rarely.08:49
ReedK0only when it's necessary08:49
ReedK0or when it's a huge time saver.08:49
ReedK0hold on that's not easy to do let me do it08:50
ReedK0do i put it after splash or after $vt_handoff ?08:51
lordievaderafter the splash08:52
ReedK0system08:52
ReedK0so I just add systemd.unit right after that?08:52
ReedK0no systemd.unit=rescue.target08:52
lordievaderYes, that last one.08:53
ReedK0no08:54
ReedK0it does not08:54
ReedK0i get the 'low graphics mode' screen08:54
lordievaderThat is fine08:54
lordievaderWhat happens further?08:54
ReedK0try running with default graphics mode; reconfigure graphics; troubleshoot an error; exit to console login08:55
ReedK0all of these result in nothing, either a restart or a [blocks] screen08:55
lordievaderNext to the systemd.target line add `nomodeset`.08:55
ReedK0it's getting worse, honestly08:57
ReedK0now i can't turn on the network08:57
ReedK0seems kde is a fat virus08:58
lordievaderDid you get a shell or not?08:58
ReedK0yes, i'm in one08:59
ReedK0i'll persist to shell , even if it restarts after 2 minutes08:59
lordievaderAll right, good.09:00
lordievaderHow did you setup your network?09:00
ReedK0all default09:00
lordievaderDo you have a connection now?09:01
ReedK0i'm probably gonna find my USB drive ;-<09:03
* Jenshae crawls in and collapses in a corner.11:55
JenshaeStill got the time out problems after reaching Shutdown.11:56
ReedK0is it true that there's a version of Linux that can be built from the ground up?11:58
JenshaeDamn Small Linux is very raw. Debian can be installed with a gui I guess.11:59
JenshaeCan maybe get an old copy of gnome or knoppix11:59
JenshaeWhy would you want to do it though, ReedK0 ?12:00
ReedK0nah it's a specific release of linux....12:00
ReedK0like there's gentoo, and it's not gentoo12:00
JenshaeDo you mean Arch?12:00
ReedK0it's literally something like 'build-linux'12:00
ReedK0like it teaches you how to build an operating system12:00
ReedK0while you install linux12:01
ReedK0takes 2-3 days12:01
JenshaeArch is very raw, have to add everything you need onto it, apparently.12:01
lordievaderReedK0: Are you referring to LFS (Linux From Scratch)?12:01
lordievaderPersonally I'd go for Gentoo over LFS. A package manager is useful.12:02
ReedK0yes i am12:03
ReedK0but isn't it probably better to just install ubuntu rather than gentoo because gentoo is very complicated?12:04
lordievaderUbuntu is less complicated than Gentoo, yes. But if you know what you are doing Gentoo can be a blessing and Ubuntu a pain.12:05
lordievaderEach has its merits.12:05
JenshaeWhat are you wanting to use your OS for ReedK0 and what hardware specs?12:07
ReedK0Jenshae, learning C, C++, and some other languages.12:09
ReedK0I want to do some mathcad type stuff.12:09
ReedK0or screw around in some kind of 3d programming language12:09
lordievaderUnless you want to learn how Linux works, get Ubuntu.12:10
ReedK0I want to learn how it works.  I don't know if I need to know how it works in-depth right now, though.  I think I should learn bash and C before I do that.12:10
ReedK0but i'm not sure, honestly.  maybe it's better to learn how linux works before learning bash and C and C++12:10
JenshaeUbuntu + Unity3D is probably the easiest setup for C++ and 3D development12:11
ReedK0I thought I could install ubuntu and then install a virtual box on my windows box and build gentoo there12:11
JenshaeYou can install Ubuntu and VM Gentoo and Windows. I play games via Win7 and VMware, not worth dual booting, very few games I can't run on Linux (mostly just DirectX 11 ones)12:12
ReedK0i don't play games12:13
ReedK0except a motorcycle game on my phone, but i spend like 10 minutes a day on that12:13
JenshaeGames being the toughest thing to VM due to DirectX problems. Viva la vulkan12:15
JenshaePoint being that you should be able to VM pretty much anything you want and if you use Lubuntu-Desktop on Ubuntu then you will have loads of hardware resources to pick what Virtual Machine you want to run on top of that.12:15
JenshaeI prefer lubuntu desktop slapped onto Ubuntu rather than a direct Lubuntu install.12:16
ReedK0the thing I've had the most trouble with is wechat.12:17
JenshaeI am unfamiliar with that. What protocol does it use?12:20
JenshaeThere are native clients for IRC, Google chat, Yahoo chat, Slack chat, Discord, Team Speak, Mumble and Skype to run on Ubuntu.12:20
ReedK0it's a windows program12:21
ReedK0Anyway, I just need to wait for a release to be made for ubuntu12:22
ReedK0okay i did the backups. i couldn't find my web browsing history for firefox, but I guess that's okay.12:22
JenshaeTry Wine + PlayOnLinux, despite the name PoL, is really good at managing windows programs.12:22
JenshaeAlso see if your WeChat shows requirements, such as "ms fonts tahoma" or anything else like that.12:23
Jenshaeyou might find WeChat on winehq.org with a guide on running it.12:23
ReedK0i'm going to try those sometime12:23
ReedK0so you can install unity3d from apt?  wow12:24
ReedK0i remember 2008 when unity was getting started and bitcoins were cheap, and i didn't have any money.12:25
JenshaeI got Unity3D from their website.12:47
JenshaePoL has a list of things you can install and you can do virtual drives in either 32 bit or 64 bit depending on what you want and as long as the host is 64 biy12:47
Jenshaebit*12:47
ReedK0these are the partitions i used12:51
ReedK0I have /srv /home / and /windows (which is fat32)12:51
ReedK0and swap12:51
ReedK0someone told me /srv is not something i should have on a separate partition, and he is also very smart12:51
JenshaePersonally, I just have /boot_grub or /EFI " / " /home and swap area.12:56
ReedK0i'm confused12:57
ReedK0are /boot_grub /EFI and / all the same thing?12:57
JenshaeI do /efi, " / " and swap as primary partitions with /home as a logical one off the /12:57
JenshaeIn order from start of drive, I go /efi swap / and /home12:57
JenshaeThe /boot_grub is legacy and /efi is for uefi machines.12:58
ReedK0what sizes should I make them?12:59
ReedK0would I use /efi ?12:59
JenshaeI generally run with a 1.5x swap unless I know it will double its RAM and suspend / hibernate will be used.12:59
ikoniathere is no such file system as /efi12:59
ikoniaefi hangs off /boot12:59
ReedK0you're making my head hurt really bad haha12:59
ReedK0so /efi isn't something12:59
JenshaeDoes your BIOS have UEFI?12:59
ikoniaand this channel is for ubuntu server discussion - please try to stick to that topic12:59
ReedK0no idea what uefi is13:00
ReedK0brb i will look13:00
JenshaeThe /efi is an option during Something Else installation . It also runs it as a change when you do the default wipe the whole drives and install.13:01
JenshaeI will private message you ReedK013:01
ikoniafantastic, thanks Jenshae13:01
ReedK0Yes, it uses uefi13:01
joeliolol, just came out of a near-UEFI disaster post Dell BIOS upgrade.. decided to not revert back fwupdater and get stuck in a 'boot device not found' loop-15:05
joeliohad to readd the entry manually, pointing to the shim for secure boot to work15:06
joelioso the stuff in /boot is used to shim /efi for sb afaiu15:06
joelioyou can add an entry directly to the grub efi *if* you're not using sb15:07
joelioTIL... :)15:07
JenshaeNow write the guide on that because ... I only have a very vague idea of what you are talking about. :P16:27
JenshaeI have successfully rebuilt the RAID with a new drive, got Nvidia drivers working and a Lubuntu desktop going on this server (the server built out of spares)16:28
joelioah yeam recall16:29
JenshaeI don't suppose there is a GUI config of Samba that tests things, like if it successfully joined the domain diagnosing as it sets up in stages? :P16:32
* joelio doesn't use samba (even then it was cli too)16:32
JenshaeYou have a pure Nix office? Mine is mostly Windohs. Trying to show the worth of nix by making this archive server (just a raw file server)16:35
joelioyep, we do cloud stuff16:37
joelio(our dept is pure linux anyway)16:37
joeliobean counters etc are windows :)16:37
joeliobut no need for smb as we do the whole cloud crap16:37
drabJenshae: to some extent you can use smbclient to test things as you go, that's what I did, but for some things like joining AD it's a little trickier16:38
drabJenshae: it was too much for our needs, but something that may be worth considering is FreeIPA if you haven't looked at it16:38
joelioif it's SMB, perhaps - https://help.ubuntu.com/lts/serverguide/zentyal.html16:39
draboh that too, yes16:39
JenshaeThank you16:40
joeliohas some shiny too http://www.zentyal.org/server/16:44
JenshaeThat is my homework. See you tomorrow / another day o716:49
joeliolaters16:50
joelionearly hometime myself16:50
JanCjoelio: for safety reasons it's probably even more important to move bean counters to something more sane ASAP  ;)17:33
joelioI'm no MS hater, not anymore17:35
joelioplus realised it's better to choose battles wisely or you get to support them17:36
joeliothere's Chromebooks aplenty too, it's not that bad tbh17:36
dpb1joelio: MS has a ton of cool ubuntu projects going on, fwiw.  the windows subsystem for linux thing is amazing17:36
joelioyup, I know :)17:36
JanCstill, there probably is no reason why bean counters would need MS Windows nowadays17:36
joeliojust not something I will personally use17:36
dpb1joelio: I'm in the same boat, mostly just for games here17:37
dirtycajunriceAnyone been in the mud with NFS and 10GBe ?17:46
maswanno mud, but we do run it17:47
dirtycajunricethroughput ?17:49
dirtycajunriceI cant seem to get it to do more than 50ish MB/s17:49
dirtycajunricewhich linearly decline with more transfers17:49
maswanhttp://www.acc.umu.se/technical/statistics/ftp/monitordata/backend17:53
maswanthat's all nfs traffic17:53
maswanso peaks at roughly line rate17:54
dirtycajunriceright but anything can fluke flux to line17:56
dirtycajunricemy graphs have that as well. but its where yours is for average17:57
dirtycajunricewhich is <5017:57
maswanyeah, but there isn't more demand than that most of the time17:57
dirtycajunricehm.17:57
dirtycajunriceim moving 35TB of data17:57
maswanwe've seen that sustained for 5-10 minutes17:57
dirtycajunriceso it would stay sustained for about 3 days if i could get it higher17:58
dirtycajunricebut its crapping the bed.17:58
maswanseems to be no weird stuff, ro,no_subtree_check in exports17:59
maswanproc/mounts gives us: nfs4 ro,nosuid,nodev,noatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=194.71.11.138,local_lock=none,addr=194.71.11.16017:59
maswanyou have low latency networking without packet drops?17:59
dirtycajunriceyeah. single L1 hop18:00
maswanreasonably low, I mean. not tens of ms or higher RTT18:00
maswanack18:00
dirtycajunriceso almost identical18:00
dirtycajunrice10.0.10.211:/tv4 on /mover/tv4 type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.0.10.100,local_lock=none,addr=10.0.10.211)18:00
maswanare you reading or writing over nfs?18:00
dirtycajunriceall writes.18:00
dirtycajunricesince its a move job18:00
dirtycajunriceHDD are all capable of about 120MB/s ea18:01
dirtycajunriceso its not throttled there. and i can do an Rsync at HDD speed18:01
maswanwell, that's a bit different than ours, ours is mostly read18:01
maswanbut our updating node can at least do line rate gigE18:01
dirtycajunriceHm.18:01
dirtycajunriceSo frustrating. and NFS is faster than SMB18:01
JanCno traffic shaping going on?18:02
dirtycajunricenope18:02
dirtycajunrices/smb/cifs18:02
dirtycajunriceyou know what i meant :P18:02
JanCthe target filesystem is not badly fragmented?18:06
dirtycajunriceno. Fresh drives with fresh fs/partitions18:07
JanCBTW: why not just use rsync if that works faster?  :)18:10
dirtycajunriceJanC, I actually am using it for the bulk transfer currently18:14
dirtycajunricebut this will not fix the issue after the files are moved as more than 50MB/s of files are moved/accessed at a time18:15
JanCright18:15
dirtycajunriceso i am temporarily working around it and during the next 3 days im trying to resolve the issue on the backend18:15
JanCwhen moving them over NFS, were you using 'cp' or something else for that?18:16
dirtycajunriceive tried literally everything.18:16
dirtycajunriceive tested: cp, mv, rsync, dd18:16
dirtycajunriceto see if its tool problems18:17
dirtycajunriceits not.18:17
dirtycajunriceits stupid stupid nfs.18:17
tewarddpb1: sent you a reply to your PM, sorry about the time delay.  Been busy dealing with FCC coordinators :P18:45
coreycbjamespage: it looks like we'll be able to drop pandas from the queens UCA soon. gnocchi dropped use of it in recent commits.18:47
coreycbjamespage: which is good, because it pulls in a lot of new dependencies18:47
coreycbor, would have pulled18:48
jonfatinoDo they have livecd for ubuntu-server?19:06
jonfatinowithout gui?19:06
tewardjonfatino: no.  there is no server livecd19:09
rharperthere, is19:09
rharperhttp://cdimage.ubuntu.com/ubuntu-server/daily-live/current/19:09
tewardrharper: there's actually a *livecd* version of Server, not just a daily built installer image?19:10
tewardi've never seen "try ubuntu" on the Server ISOs19:10
rharperteward: well, it's a liverootfs19:10
jonfatinoTy rharper19:10
tewardrharper: is the ISO updated?19:11
rharperit's live and it's the server image;  I'm not sure it includes a drop to shell directly at this time19:11
rharperteward: in what way ?19:11
tewardrharper: between the final daily version there and the final release version what's the difference at the core19:11
tewardor is there none19:11
tewardbecause I forget how final freeze worked :P19:11
teward(E: NOCOFFEE, NOMONEY)19:11
rharperteward: it's got a 10/18 pub date;  so I don't think it's being updated; but as soon as bionic has an image, then that'll be fresher19:12
rharperteward: I'm not sure about the frequency of the updates to cdimage for released stuff;  it's possible that those aren't generated until the dot releases except for the devel release images19:14
rharperthe other server image, has the same pub dates as the daily-live image19:14
coreycbjamespage: we may also be able to drop python-docker from queens CA since xenial has 1.9.0 now.19:23
jamespagecoreycb: sounds like a plan21:40
jamespagecoreycb: yes agreed - pandas is large and awkward21:41
coreycbjamespage: yes21:41
jamespagecoreycb: we need a good way of actually getting those removed from the UCA - reprepro does not automatically cleanup things we remove from the source PPA's21:41
jamespagecoreycb: I think its just some commands we can generate21:41
heheheshort of rebooting21:41
heheheCannot establish tunnel21:41
hehehe11:37 PM     com.jcraft.jsch.JSchException: SSH_MSG_DISCONNECT: 2 Too many authentication failures21:41
hehehe11:37 PM how to reset it?21:41
hehehehow to reset it?21:41
hehehe:D21:41
coreycbjamespage: ok21:42
heheheI was trying to login to a sql via ssh tunnel, ssh tunnel part did work, sql nope21:42
heheheand now this error21:42
hehehe:D21:42
heheheI will just reboot21:42
heheheit is quicker21:42
heheheoo same error again21:43
hehehewtf is this21:43
sdezielhehehe: do you have a customized sshd_config server-side?21:44
heheheno21:46
heheheany ideas how to check what is wrong21:48
drabis there a recommended setup these days for ldirectord-like setup on ubuntu?21:52
ikoniadrab: in what respect ?21:52
drabI'm trying to load balance a bunch of different services, mostly all tcp21:52
ikonia(nice to see an unusual question)21:52
drabaltho the primary reason i'm wanting this is for maintenance, not standard load balancing21:52
drabmaintenance/fail over21:53
drabI have two specific use cases i'm trying to work through: 1) a content filter 2) an asterisk server21:55
drabin both cases I'm upgrading software and I'd like to be able to move clients to the new upgraded servers slowly21:56
drabbut in both cases to change ips or play with dns isn't possible/advisable21:56
ikoniayou won't be able to "drain" with a pbx21:56
ikoniaas you can't drain an in use call21:56
ikoniayou can drain against logged in users that are idle - it will just blip as it fails over21:56
drabyeah, that's ok/the plan, move a bunch of phones overnight when they are not in use21:57
ikoniathe content filter should be fine as these are normally just a http service so just swap over between requests21:57
drabbut I don't have to have to reconfigure the phone because provisioning isn't very smooth21:57
drabso basically I'd like to take the ips now assigned at the current machines and move them to some ldirectd sort of master21:58
draband there decide which clients go to which real server based on src ip for example21:58
ikoniathat shouldn't be fine - just setup polling or manual fail over21:58
sdezieldrab: you could use keepalived to have a VIP moved between 2 asterisk instances21:58
ikoniaahh you want to do source based routing21:58
ikoniayeah, keepalived would be better for that sort of thing, it has rules21:58
drabbut there's only one ip, now? if I move it to the new machine all clients will move21:59
ikoniaone IP ?21:59
drabs/now/no/21:59
drabone VIP21:59
ikoniawhere is there only 1 IP21:59
ikoniayou can setup however many vips you want21:59
ikoniayou could have one per service21:59
ikoniaone per geographic location22:00
ikoniawhatever you want22:00
hehehesdeziel: maybe disable strict mode?22:00
hehehewhat its for?22:00
ikoniastrict mode ?22:00
ikoniawhat has strict mode /22:00
drabI guess I don't get it... say current asterisk is 10.0.0.6 , if I make that into a VIP and share it between the old asterisk (which would move to a physical ip of say 10.0.0.2) and a new one on 10.0.0.322:00
hehehesshd config22:01
drab10.0.0.6 VIP would be assigned to only one of those machines at a time, no?22:01
heheheI need to access sql via ssh tunnel22:01
heheheyet to work22:01
drabat which point any client configured to connect to 10.0.0.6 would go to the machine with that VIP22:01
ikoniadrab: no, it's assigned to the service, you can tell the pass through to go where you want - depending on the routing rules22:01
draboh22:01
drabI thought that was what ldirectd was22:01
drabnot keepalived, I thought that was just VRRP22:02
drabanyway, if that's a standard/recommended way to implement it I'll just go read the docs22:02
ikoniakeepalived is dumber, but has rule based management22:02
drabI was mostly trying to figure out how ppl were normally implementing this sort of thing22:02
ikonialdirectd is more advanced, but less configuration22:03
ikoniadrab: front a service with a "distributor" of some sort, then put multiple services behind them22:03
heheheikonia: any ideas what can it be?22:03
ikoniait's that simple, the "distributor" is the thing that controls the rules22:03
sdezielhehehe: I was more thinking about MaxAuthTries that you can trip when offering multiple keys22:03
drabikonia: yeah I get the principle, I was looking for recommendations in terms of implementation. I will look at keepalived, thanks.22:03
drabright22:03
drabthank you22:03
ikoniahehehe: I have no idea of your problem description as I've not been following, but I'm not keen to help you based on the abuse you've sent me in pm in the past22:04
ikoniadrab: there is another software one, something monkey that's a bit dated but actually very light and easy22:04
hehehesdeziel: yep me too! but there is not MaxAuth in the sshd config :D22:04
heheheikonia: emmm :P22:04
sdezielhehehe: the default is 622:04
heheheyep22:04
drabikonia: yeah, http://www.ultramonkey.org/3/lvs.html22:04
drabI was looking at that too22:04
drabthere's actually a few more , some more "modern" too, but none of them seems really tested/having a large user base22:05
drabhence coming to ask22:05
drabto try and get a sense of what was going to be a well maintained/stable/supported way to implement this22:05
sdezieldrab: you can also use keepalived alone without LVS22:05
ikoniadrab: thats it !22:05
hehehesdeziel:  ubuntu 16.04 server no MaxAuth in the config file of sshd :D22:05
heheheor maybe there is a command to reset failed counter22:06
drabsdeziel: yeah, I'm kind of confused about that, I haven't yet figured out how they all work together22:06
sdezieldrab: with keepalived alone, you'd be simply moving the VIP22:06
drabsome howtoes seem to use them in combo, some don't, some use pacemaker, some recommend HA22:06
drabsdeziel: right, that's what I thought, and not what I want22:06
ikoniadrab: I've used (in the past) ultramonkey with keepalived with good results22:06
ikoniadrab: so using combos together can give a good result, but it does make it more complex22:07
drabI don't understand why I need keepalived with ldirectord/ultramonkey, those alone seem to do what I need22:07
drabcaveat of course the director going down22:08
sdezieldrab: you have 2 different problems. The content filter is apparently simple to deal with a HTTP reverse proxy22:08
drabmaybe that's what keepalived is for, moving the VIP of the director22:08
sdezieldrab: and the asterisk problem could be dealt with just keepalived if your use case is to just simplify maintenance22:08
heheheok whatever22:09
sdezielI don't know ldirectord/ultramonkey so I cannot comment on that, sorry22:09
drabsdeziel: well the problem is rollout, I need to verify that asterisk 13 works well before moving everybody to it22:09
drabso I was hoping to be able to tell a bunch of clients, go use this other server first22:09
drabtransparently22:09
drabwithout having to reconfigure the phones22:09
ikoniadrab: you need routing rules22:10
ikoniaand pick a subnet at a time to migrate on22:10
sdezieldrab: with keepalived, you'd use a check script that would tell you if a node is healthy enough to become primary (the VIP holder)22:10
sdezieldrab: I'm proposing all at once failover while ikonia proposes staged rollout22:11
ikoniajust to be clear - I'm not proposing anything, I'm trying to meet your requirement, sdeziel's suggestion is just as valid22:12
sdezielso maybe ikonia's way would be less risky22:12
ikoniasdeziel: but more complex22:12
ikoniait's the trade off22:12
sdezielhehehe: maybe if you paste a "ssh -vvv" output we'd learn more about the problem?22:13
heheheI am connecting from a gui client22:13
heheheDbeaver22:13
ikoniabased on what he's posted in ##linux the problem appears quite clear,22:14
heheheI think it is max tries22:14
ikonianow that I've read the scroll back22:14
hehehehave to see where to reset it22:14
heheheor maybe ciphers mismatch?22:15
heheheI don't think so :D22:16
sdezielhehehe: the maxauthtries is a per connection thing, nothing to reset AFAIK22:16
sdezielhehehe: cipher mismatch produces a different error22:16
heheheI can increase a value of it22:16
heheheit does work if I boot in a rescue mode and then reboot22:16
hehehesomehow this resets this lock22:17
heheheI can ssh in just fine but not from  DBeaver atm22:17
drabsdeziel: ikonia: ok thanks, I think I get it at least... going forward I definitely need to be able to stage rollouts so I'll look into ldirectord/ultramonkey and see where that gets me22:19
ikoniadrab: for me, the key is policy based routing for your needs22:19
ikoniabut as sdeziel said, there are more black/white options, it's all a trade off22:19
sdezielikonia: if I understand your approach, no ldirectord/ultramonkey would be needed, just policy routing, right?22:20
drabikonia: when you say policy based routing you don't mean iproute,do you? we're still talking about LB software22:20
drabbecause I don't see how pb would work at all here22:20
drabsince clients expect to be served as they connect to x.x.x.x22:20
draba response from a different ip would break the connection22:20
ikoniasdeziel: correct22:21
drabok, mind elaborating? I don't understand how that would work22:21
ikoniadrab: no, I mean something like src=subneta dest=destA, src=subnetb dest=stabledestination22:22
ikoniaso that you can pick which clients go to which destination to allow you to test your new stuff, or stage the roll out / roll back / fail over22:22
ikoniapolicy could be anything, subnet, client identifier, first 100 connections whatever, but a policy of some sort22:22
draburm, I do pb on the gateway to balance 2 upstream connections and I don't see how I'm gonna be able to do it in this case22:23
drabwith pb the destination servers would be on diff ip22:23
drabif the phone is configured to connect to asterisk 1.1.1.1 I can't route it to 2.2.2.222:23
ikoniadrab: right, the destination IP is behind the load balancer22:24
ikoniaso all clients hit 1.1.1.122:24
ikoniathen you could have first 100 to hit 1.1.1.1 gets forwarded to 1.1.1.2,22:24
ikoniaeveryone else hitting 1.1.1.1 get forwarded to 1.1.1.322:24
ikonia(for example)22:24
ikoniaso everyone hits 1.1.1.1 - but the destination behind 1.1.1.1 is controlled by a policy22:24
ikoniathink of it as controlled reverse proxying, but proxying at a tcp level,22:25
sdezielwouldn't it need to operate on UDP for SIP/IAX?22:25
ikoniasdeziel: I don't....know......I thought UDP was just the "advertisement" service22:26
ikoniathe comms was all tcp22:26
ikoniaI guess drab would have to verify that22:26
ikoniastill doable though,22:26
sdezielikonia: is there a LB that you'd recommend?22:28
ikoniasdeziel: not off the top of my head, I'm sure keepalived can do policy routing (as that's how its floating vip works with ipvsadm)22:29
ikoniasdeziel: you could do it with squid, haproxy, or even just iptables if you wanted, but that's a bit more than "load balancing" that's actual routing22:29
sdezielsquid/haproxy is for TCP only but iptables might cut it though22:30
ikoniathere is one called "guardian" that I think works quite well, and there is an ubuntu package for it22:30
sdeziel(haproxy is supposed to get UDP support in dev version IIRC)22:30
ikoniasdeziel: I thought it already had it,22:31
drabI was actually just looking at haproxy, I thought it used to be for web servers only like nginx22:31
drabbut it seems to be more general purpose22:31
ikoniabut I don't use it enough to be current22:31
ikoniadrab: no, it's much more22:31
sdezielI'd have to check/refresh my memory22:31
sdezieldrab: nginx can proxy udp22:31
sdezieldrab: a quick and dirty way would be to put 1.1.1.1 on a machine with iptables DNAT'ing traffic to the current master asterisk22:33
hehehesdeziel: so maybe it is  Dbeaver fault?22:33
sdezieldrab: whenever you need to swap the master you'd update the DNAT target22:33
sdezielhehehe: could be anything, really22:34
drabsdeziel: I don't think that'd work, answers would be coming from 2.2.2.2 or whatever the current master is, and connections would break22:36
drabto make replies come from 1.1.1.1 you'd need full masquerade, at which point src ip is lost and stuff like auth wouldn't work22:37
hehehesdeziel: but I can't debug everything22:37
hehehehow to narrow it down?22:37
drab(not to mention that logging and accounting would be completely skewed)22:37
ikoniadrab: does the response actually matter, as in the source of the response, as long as it's a valid response22:37
ikoniadrab: don't nat then - forward22:37
drabit does, that's the linux kernel22:38
sdezieldrab: with a DNAT, the response would get to the client with src set to 1.1.1.122:38
drabthere's a sysctl to allow for responses from diff src ips, but then I'd have to apply that to all clients, which I can't22:38
sdezieldrab: this rewrite is stateful22:38
drabsdeziel: why? pkt comes in, dst ip is changed, src ip stays the same, when it hits 2.2.2.2 responses are sent to the src ip, not 1.1.1.122:39
drabso the client will see a response from 2.2.2.2 even tho it sent its pkts to 1.1.1.122:39
sdezieldrab: this ^ is indeed not gonna work because of the asymmetry introduced22:39
sdezieldrab: you need to have 2.2.2.2 route via the DNAT box when trying to reach the client22:40
drabmmmh, unless I misunderstand something even that wouldn't work, routing wouldn't change the src ip of the response, which would still be 2.2.2.2 / different than the client contacted22:41
sdezieldrab: if your mangling box does just a DNAT, indeed the client IP remains the same22:41
sdezielso the asterisk sees it unaltered and you need to make sure that when it replies it goes through the mangling box again22:42
sdezielotherwise you have asymmetric routing and that won't work22:42
ikoniadrab: thank you for an interesting question for a change22:47
drabaltho not maintained for the last 2 yrs, I just googled this out which seems pretty simple and maybe worth a try: http://www.inlab.de/balance.html22:51
drabit's shipped in ubuntu22:52
drabmay be good as a quick solution during transition or at least for some of the container stuff I'm trying22:52
ikoniaalways good to try something new22:52
sdezieldrab: I don't feel I had the chance to explain/address your questions properly, maybe tomorrow22:52
ikonia(even if it's old)22:52
drabsdeziel: don't worry man, appreciate the conversation22:53
sdezielttl22:53
drabtbh irc has its limits when it gets to a certain point, diagramming on a whiteboard helps a lot to work through an example22:53
ikoniaI've found it useful/interesting too22:53
drabsdeziel: ttyl22:53
sarnolddrab: balance looks neat, thanks22:54
drabI like the, at least apparent, simplicity and command line orientation, I can see how you could quickly put it in some kind of hook script for testing stuff at the very least22:55
drablxd is proving to be more and more handy and while the proxy stuff is done it's gonna be even more fun22:56
drabhttps://github.com/lxc/lxd/issues/250422:56
drabeven tho that's not gonna work across LXD hosts, will still need some external director of sort22:56
drabbut it'll open a whole bunch of possibilities to secure things while exposing them from the host in transparent way22:57
draband this is pretty much the entire solution implemented with nginx: https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/23:14
drabpreserving src ip etc23:14
sarnoldis that nginx "plus" or nginx?23:14
drabwell, at the top it says "The information in this post apply to both the open source NGINX software and NGINX Plus. For the sake of brevity, we’ll refer only to NGINX Plus."23:15
sarnoldaha :)23:15
drabI've been holding off from figuring out nginx as it's, at least for me, more complex than straight apache23:16
drabbut most tutorials for web stuff these days seem to point to nginx + wsgi, especially for python apps, which I do use quite a bit23:16
drabwith flask for apis and stuff23:16
drabso I may just have to invest the time to learn it, especially if it can also take care of all this "directing" thing for phased rollouts23:17
drabaltho right now I've yet to see how to assign specific clients to an upstream, but i'm guessing it's possible23:17
sarnoldnothing wrong with using tools you already know how to use.. I always found nginx easier to configure than apache though :)23:17
drabhaproxy does that with acls apparently23:17
drabhttps://serverfault.com/questions/502487/haproxy-load-balancing-based-on-source-ip-ip-subnet23:18
drabwhich is nice and clean23:18
drabsarnold: well I'm old :), when I used to do this stuff nginx was just the new kid on the block and I never quite got to use it23:18
sarnolddrab: yeah, back in the early days nginx code quality sounded iffy23:19
heheheyou just a friendly coder friend23:19
hehehewho can teach you23:19
heheheit is a rare thing of freenode but can happen23:20
hehehenginx is easy23:20
hehehebtw I did fix the issue23:20
hehehefuck all those read the manual people23:21
heheheif I see some of them hit by a car and asking something - my reply may be read a manual23:21
heheheLOL23:21
bradmis there a wiki page or something with details on the official way to upgrade between Openstack releases using the cloud archive?  so far all I've seen is 'update the packages', which while strictly true, I'd appreciate more detail..23:42
Epx998is there a WAR for the d-i netboot installer not being able to auto select offboard nics?23:53
