[00:58] can someone point me to a bash script that will ping a given ip address (eg. google.com for instance) and IF it is unreachable, run another script?
[00:59] for instance: https://unix.stackexchange.com/questions/190513/shell-scripting-proper-way-to-check-for-internet-connectivity
[01:00] ping -w1 -c1 www.google.com > /dev/null 2>&1 && echo hi
[01:01] what if it is unreachable though
[01:02] i only want it to echo hi if destination unreachable
[01:02] if you care about the specific reason why the ping failed then you may have to write your own tool
[01:03] if you just care that it did fail, then replace the && with ||
[01:04] ping -w1 -c1 www.google.com > /dev/null 2>&1 ||sudp sudo ./home/catalase/mysupercoolscripts/testscript.sh
[01:04] could i do something like that
[01:04] ping -w1 -c1 www.google.com > /dev/null 2>&1 || sudo ./home/catalase/mysupercoolscripts/testscript.sh
[01:04] rather
[01:05] programmatic use of 'sudo' is often a sign of trouble..
[01:06] what should i use instead
[01:07] what starts this process?
[01:08] i do
[01:13] aha, then I'd suggest running the script with sudo manually
[01:13] lol
[04:05] what'd be the best thing to attempt to have a server securely send me near realtime updates of any changes to /var/log/auth.log?
[04:11] like, rsyslog?
[04:21] SmokinGrunts: rsyslog + tls
[04:22] aye something happened to my fail2ban on one of the work servers... I'm being bruteforced atm, brb
[04:23] turn off pw auth, problem solved
[04:23] I am still very much learning
[04:23] * drab never understood the point of fail2ban
[04:25] anyway, bbl
[04:38] bah
[04:39] when you get an app that doesn't come from the package manager, how do you know where to install it?
[04:40] okay, if fail2ban is up, and the server has been restarted, and I'm still getting log-updates from a 'tail'ed /var/log/auth.log of connection attempts, then what is going on??
[04:41] I can block the offender from the firewall, but I'd rather have them block automatically from the server itself
[04:42] blocked*
[04:48] oh, so fail2ban will ban me, when I test it
[04:48] :(
[04:52] fail2ban will allow a certain number of attempts, which are logged, before blocking the address, and this happens per address attempting to connect, so if you're being attacked from many IPs, there will be many attempts in the log
[04:53] it also clears out the list of banned IPs when fail2ban is restarted
[05:02] there be one ip, but it's not thru ssh I guess?
[05:12] oh lol I had added telnet earlier. removed, no more probs.
[05:12] xinetd and telnetd
[05:16] lol my noob is showing
[05:22] so TIL; don't have a telnet daemon available if you don't need it.
[05:29] 2scary4me
[05:46] damn. So TIL about the necessity of all things security for a public-facing server, no matter what it's for, or how big it is.
[05:47] I had a telnet daemon up for 3 days
[05:47] damn near a few dozen minutes after, I started getting root login attempts through it
[05:48] all for a server that's only hosted very basic nodejs development shit
[05:49] better late than never for learning
[06:33] good morning
[06:36] to install kde in ubuntu, do you install kubuntu-desktop?
[06:36] according to help.ubuntu.com that is the case ( https://help.ubuntu.com/community/InstallingKDE )
[06:38] ReedK2: kubuntu-desktop ?
[06:38] yeah
[06:38] that is what I have
[06:38] although I installed from a kubuntu ISO back then, but I think that is the central package that pulls everything else in
[06:39] ReedK2: one might argue on a desktop UI on server, but it worked for me on my NAS when I refurbished it to a backup desktop
[06:53] i wonder if it matters because if you install the other DE, the old DE packages will be ignored
[06:53] ReedK2: while a bit of package overload, you can install multiple DE and select on the login manager
[06:53] which one to start on login
[06:54] cpaelzer, I think you need a desktop unless the server is remote. but it's crazy to try to develop without a desktop, if only due to text-only web browser problems
[06:55] ReedK2: I'm not trying to convince you not to do so :-)
[06:55] as I mentioned above, my NAS has KDE as well
[06:55] cpaelzer, anyway I wonder if kde is botnet.
[06:55] ReedK2: kubuntu-desktop is the full Kubuntu experience, with associated programs. there's other meta-packages if you want only the DE itself
[06:56] yeah kubuntu-desktop is supposed to be the 'recommended lightweight installer'. there's kde-plasma-desktop which is supposed to be core-only.
[06:56] I thought it would be nice to have some extra tools because they might help to customize it
[06:57] I dont see any reason not to use kubuntu-desktop unless you are low on storage space
[07:01] because someone told me to use kde
[07:01] oh you mean use the full version?
[07:02] this was a bad idea
[07:13] Good morning
[07:21] hiho lordievader
[07:22] Hey cpaelzer
[07:22] How are you?
[07:23] good, I hope you too
[07:23] Jup, doing good here :)
[07:51] does anyone know where kaccounts-providers_4%3a15.12.3-0ubuntu1_amd64.deb is supposed to reside?
[08:15] does anyone know how to stop recovery mode from timing out and freezing?
[08:29] Why does it enter recovery mode?
[08:30] lordievader, i installed kubuntu-desktop on ubuntu 16.04, and it destroyed the computer
[08:30] the "work-arounds" didn't work.
[08:30] now recovery mode actually doesn't time out but rather just closes after about 2 minutes.
[08:30] Kubuntu desktop on a server?
[08:30] What work-arounds?
[08:31] the way "it destroyed the computer" might be important as well
[08:31] https://askubuntu.com/questions/804968/apt-get-install-kubuntu-desktop-failed-trying-to-overwrite first answer and
[08:31] https://bugs.launchpad.net/ubuntu/+source/kaccounts-providers/+bug/1573787 comment #5
[08:31] Launchpad bug 1565772 in gnome-control-center-signon (Ubuntu Xenial) "duplicate for #1573787 [SRU] Allow plugins to decide which username to set on new accounts" [Critical,Fix committed]
[08:32] Hmm. Could you answer cpaelzer 's question?
[08:32] when prompted to install sddm or lightdm, I selected "sddm", and the installer closed. it said: "Locked." and "your system has errors".
[08:32] because while these are issues, overwriting these files does not render your computer unusable
[08:32] I asked at #kde, and they said to restart and re-run the installer or to use apt to do --fix-installed
[08:33] Installing sddm should not break anything.
[08:33] Did you run 'apt-get install -f'?
[08:33] sddm did not successfully install
[08:33] oh I see, you have an unrelated issue with these packages to install properly but you need to resolve that to continue the install
[08:33] yes, I did. it gives the same error: "you should try apt-get install -f"
[08:33] of sddm
[08:33] I also get that with apt remove, apt-get everything and apt --fix-packages
[08:34] Could you pastebin the full output of that command?
[08:34] !pastebin
[08:34] For posting multi-line texts into the channel, please use https://paste.ubuntu.com | To post !screenshots use https://imgur.com/ !pastebinit to paste directly from command line | Make sure you give us the URL for your paste - see also the channel topic.
[08:34] it's a different computer
[08:34] it only has the 2-minute recovery mode
[08:34] No shell access (tty, ssh, etc)?
[08:35] why's the server getting a desktop?
[08:36] SmokinGrunts, we talked about that like an hour ago
[08:36] lordievader, only the 2-minute shell in recovery mode
[08:36] I'm late to the ballgame
[08:36] ReedK0: What happens after those two minutes?
[08:36] a bunch of [stuff here] appears, and then it returns to the recovery menu, but the PC is frozen.
[08:37] lordievader, i'd be happy to rip the desktop environment out if it meant i could boot to CLI. But I can't boot to CLI, either.
[08:38] ReedK0: Do you get more of a shell when you boot with the kernel parameter `systemd.unit=rescue.target`?
[08:38] i don't know how to do that
[08:39] let me see
[08:39] probably grub
[08:39] In grub you edit the kernel line, after the `splash` you add the above.
[08:39] can someone get me up to speed?
[08:40] ReedK0: https://wiki.ubuntu.com/Kernel/KernelBootParameters
[08:40] ReedK0: I don't see how you got into a boot/rescue issue with that - some packages conflicted about some account plugin files, so what
[08:40] SmokinGrunts: https://irclogs.ubuntu.com/2017/11/07/%23ubuntu-server.html
[08:41] ReedK0: shouldn't the system just work as-is and you can resolve the issue via ssh or whatever you usually use
[08:41] that's not what #kde says
[08:41] SmokinGrunts: He tried to install kubuntu-desktop and now it doesn't boot.
[08:41] they said 'it's a deeper issue'
[08:41] If it goes into the rescue mode... it seems like it is a deeper issue.
[08:41] Which is quite strange.
[08:42] I think sddm not installing properly, or kubuntu-desktop only partially installing (but thinking it's fully installed when you try to install over it)...
[08:42] what is output of 'lsb_release -a'
[08:42] I went to rescue mode because normal mode does something else
[08:42] on the server, that is
[08:42] normal mode says my graphics card isn't configured properly
[08:42] or it stops at [blocks] in CLI mode
[08:43] it gives me the option to choose between two video drivers, and neither of them work.
[08:44] It stops in CLI mode? So, you do have a shell?
[08:44] lordievader, you want me to set systemd.unit=rescue.target still?
[08:44] In rescue mode, I can open the recovery shell. yes
[08:44] If that gives you a shell, yes.
[08:44] and then the PC freezes after 2 minutes after returning to the menu screen.
[08:44] I have a shell. It's just a 2-minute shell.
[08:44] How new is the install?
[08:45] * ReedK0 sigh
[08:45] a few weeks
[08:45] i just want to get my shell logs and
[08:45] maybe my browser history
[08:45] figure out how to partition it once again
[08:45] heartbreaking. like my dog died
[08:46] You do your web browsing on a server O.o
[08:46] Does adding the systemd.unit parameter give you a 'real' shell?
[08:49] very rarely.
[08:49] only when it's necessary
[08:49] or when it's a huge time saver.
[08:50] hold on that's not easy to do let me do it
[08:51] do i put it after splash or after $vt_handoff ?
[08:52] after the splash
[08:52] system
[08:52] so I just add systemd.unit right after that?
[08:52] no systemd.unit=rescue.target
[08:53] Yes, that last one.
[08:54] no
[08:54] it does not
[08:54] i get the 'low graphics mode' screen
[08:54] That is fine
[08:54] What happens further?
[08:55] try running with default graphics mode; reconfigure graphics; troubleshoot an error; exit to console login
[08:55] all of these result in nothing, either a restart or a [blocks] screen
[08:55] Next to the systemd.target line add `nomodeset`.
[08:57] it's getting worse, honestly
[08:57] now i can't turn on the network
[08:58] seems kde is a fat virus
[08:58] Did you get a shell or not?
[08:59] yes, i'm in one
[08:59] i'll persist to shell , even if it restarts after 2 minutes
[09:00] Alright, good.
[09:00] How did you setup your network?
[09:00] all default
[09:01] Do you have a connection now?
[09:03] i'm probably gonna find my USB drive ;-<
[11:55] * Jenshae crawls in and collapses in a corner.
[11:56] Still got the time out problems after reaching Shutdown.
[11:58] is it true that there's a version of Linux that can be built from the ground up?
[11:59] Damn Small Linux is very raw. Debian can be installed with a gui I guess.
[11:59] Can maybe get an old copy of gnome or knoppix
[12:00] Why would you want to do it though, ReedK0 ?
[12:00] nah it's a specific release of linux....
[12:00] like there's gentoo, and it's not gentoo
[12:00] Do you mean Arch?
[12:00] it's literally something like 'build-linux'
[12:00] like it teaches you how to build an operating system
[12:01] while you install linux
[12:01] takes 2-3 days
[12:01] Arch is very raw, have to add everything you need onto it, apparently.
[12:01] ReedK0: Are you referring to LFS (Linux From Scratch)?
[12:02] Personally I'd go for Gentoo over LFS. A package manager is useful.
[12:03] yes i am
[12:04] but isn't it probably better to just install ubuntu rather than gentoo because gentoo is very complicated?
[12:05] Ubuntu is less complicated than Gentoo, yes. But if you know what you are doing Gentoo can be a blessing and Ubuntu a pain.
[12:05] Each has its merits.
[12:07] What are you wanting to use your OS for ReedK0 and what hardware specs?
[12:09] Jenshae, learning C, C++, and some other languages.
[12:09] I want to do some mathcad type stuff.
[12:09] or screw around in some kind of 3d programming language
[12:10] Unless you want to learn how Linux works, get Ubuntu.
[12:10] I want to learn how it works. I don't know if I need to know how it works in-depth right now, though. I think I should learn bash and C before I do that.
[12:10] but i'm not sure, honestly.
maybe it's better to learn how linux works before learning bash and C and C++
[12:11] Ubuntu + Unity3D is probably the easiest setup for C++ and 3D development
[12:11] I thought I could install ubuntu and then install a virtual box on my windows box and build gentoo there
[12:12] You can install Ubuntu and VM Gentoo and Windows. I play games via Win7 and VMware, not worth dual booting, very few games I can't run on Linux (mostly just DirectX 11 ones)
[12:13] i don't play games
[12:13] except a motorcycle game on my phone, but i spend like 10 minutes a day on that
[12:15] Games being the toughest thing to VM due to DirectX problems. Viva la vulkan
[12:15] Point being that you should be able to VM pretty much anything you want and if you use Lubuntu-Desktop on Ubuntu then you will have loads of hardware resources to pick what Virtual Machine you want to run on top of that.
[12:16] I prefer lubuntu desktop slapped onto Ubuntu rather than a direct Lubuntu install.
[12:17] the thing I've had the most trouble with is wechat.
[12:20] I am unfamiliar with that. What protocol does it use?
[12:20] There are native clients for IRC, Google chat, Yahoo chat, Slack chat, Discord, Team Speak, Mumble and Skype to run on Ubuntu.
[12:21] it's a windows program
[12:22] Anyway, I just need to wait for a release to be made for ubuntu
[12:22] okay i did the backups. i couldn't find my web browsing history for firefox, but I guess that's okay.
[12:22] Try Wine + PlayOnLinux, despite the name PoL, is really good at managing windows programs.
[12:23] Also see if your WeChat shows requirements, such as "ms fonts tahoma" or anything else like that.
[12:23] you might find WeChat on winehq.org with a guide on running it.
[12:23] i'm going to try those sometime
[12:24] so you can install unity3d from apt? wow
[12:25] i remember 2008 when unity was getting started and bitcoins were cheap, and i didn't have any money.
[12:47] I got Unity3D from their website.
[12:47] PoL has a list of things you can install and you can do virtual drives in either 32 bit or 64 bit depending on what you want and as long as the host is 64 biy
[12:47] bit*
[12:51] these are the partitions i used
[12:51] I have /srv /home / and /windows (which is fat32)
[12:51] and swap
[12:51] someone told me /srv is not something i should have on a separate partition, and he is also very smart
[12:56] Personally, I just have /boot_grub or /EFI " / " /home and swap area.
[12:57] i'm confused
[12:57] are /boot_grub /EFI and / all the same thing?
[12:57] I do /efi, " / " and swap as primary partitions with /home as a logical one off the /
[12:57] In order from start of drive, I go /efi swap / and /home
[12:58] The /boot_grub is legacy and /efi is for uefi machines.
[12:59] what sizes should I make them?
[12:59] would I use /efi ?
[12:59] I generally run with a 1.5x swap unless I know it will double its RAM and suspend / hibernate will be used.
[12:59] there is no such file system as /efi
[12:59] efi hangs off /boot
[12:59] you're making my head hurt really bad haha
[12:59] so /efi isn't something
[12:59] Does your BIOS have UEFI?
[12:59] and this channel is for ubuntu server discussion - please try to stick to that topic
[13:00] no idea what uefi is
[13:00] brb i will look
[13:01] The /efi is an option during Something Else installation . It also runs it as a change when you do the default wipe the whole drives and install.
[13:01] I will private message you ReedK0
[13:01] fantastic, thanks Jenshae
[13:01] Yes, it uses uefi
[15:05] lol, just came out of a near-UEFI disaster post Dell BIOS upgrade.. decided to not revert back fwupdater and get stuck in a 'boot device not found' loop-
[15:06] had to readd the entry manually, pointing to the shim for secure boot to work
[15:06] so the stuff in /boot is used to shim /efi for sb afaiu
[15:07] you can add an entry directly to the grub efi *if* you're not using sb
[15:07] TIL...
:)
[16:27] Now write the guide on that because ... I only have a very vague idea of what you are talking about. :P
[16:28] I have successfully rebuilt the RAID with a new drive, got Nvidia drivers working and a Lubuntu desktop going on this server (the server built out of spares)
[16:29] ah yeam recall
[16:32] I don't suppose there is a GUI config of Samba that tests things, like if it successfully joined the domain diagnosing as it sets up in stages? :P
[16:32] * joelio doesn't use samba (even then it was cli too)
[16:35] You have a pure Nix office? Mine is mostly Windohs. Trying to show the worth of nix by making this archive server (just a raw file server)
[16:37] yep, we do cloud stuff
[16:37] (our dept is pure linux anyway)
[16:37] bean counters etc are windows :)
[16:37] but no need for smb as we do the whole cloud crap
[16:38] Jenshae: to some extent you can use smbclient to test things as you go, that's what I did, but for some things like joining AD it's a little trickier
[16:38] Jenshae: it was too much for our needs, but something that may be worth considering is FreeIPA if you haven't looked at it
[16:39] if it's SMB, perhaps - https://help.ubuntu.com/lts/serverguide/zentyal.html
[16:39] oh that too, yes
[16:40] Thank you
[16:44] has some shiny too http://www.zentyal.org/server/
[16:49] That is my homework. See you tomorrow / another day o7
[16:50] laters
[16:50] nearly hometime myself
[17:33] joelio: for safety reasons it's probably even more important to move bean counters to something more sane ASAP ;)
[17:35] I'm no MS hater, not anymore
[17:36] plus realised it's better to choose battles wisely or you get to support them
[17:36] there's Chromebooks aplenty too, it's not that bad tbh
[17:36] joelio: MS has a ton of cool ubuntu projects going on, fwiw.
the windows subsystem for linux thing is amazing
[17:36] yup, I know :)
[17:36] still, there probably is no reason why bean counters would need MS Windows nowadays
[17:36] just not something I will personally use
[17:37] joelio: I'm in the same boat, mostly just for games here
[17:46] Anyone been in the mud with NFS and 10GBe ?
[17:47] no mud, but we do run it
[17:49] throughput ?
[17:49] I cant seem to get it to do more than 50ish MB/s
[17:49] which linearly declines with more transfers
[17:53] http://www.acc.umu.se/technical/statistics/ftp/monitordata/backend
[17:53] that's all nfs traffic
[17:54] so peaks at roughly line rate
[17:56] right but anything can fluke flux to line
[17:57] my graphs have that as well. but its where yours is for average
[17:57] which is <50
[17:57] yeah, but there isn't more demand than that most of the time
[17:57] hm.
[17:57] im moving 35TB of data
[17:57] we've seen that sustained for 5-10 minutes
[17:58] so it would stay sustained for about 3 days if i could get it higher
[17:58] but its crapping the bed.
[17:59] seems to be no weird stuff, ro,no_subtree_check in exports
[17:59] proc/mounts gives us: nfs4 ro,nosuid,nodev,noatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=194.71.11.138,local_lock=none,addr=194.71.11.160
[17:59] you have low latency networking without packet drops?
[18:00] yeah. single L1 hop
[18:00] reasonably low, I mean. not tens of ms or higher RTT
[18:00] ack
[18:00] so almost identical
[18:00] 10.0.10.211:/tv4 on /mover/tv4 type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.0.10.100,local_lock=none,addr=10.0.10.211)
[18:00] are you reading or writing over nfs?
[18:00] all writes.
[18:00] since its a move job
[18:01] HDD are all capable of about 120MB/s ea
[18:01] so its not throttled there.
and i can do an Rsync at HDD speed
[18:01] well, that's a bit different than ours, ours is mostly read
[18:01] but our updating node can at least do line rate gigE
[18:01] Hm.
[18:01] So frustrating. and NFS is faster than SMB
[18:02] no traffic shaping going on?
[18:02] nope
[18:02] s/smb/cifs
[18:02] you know what i meant :P
[18:06] the target filesystem is not badly fragmented?
[18:07] no. Fresh drives with fresh fs/partitions
[18:10] BTW: why not just use rsync if that works faster? :)
[18:14] JanC, I actually am using it for the bulk transfer currently
[18:15] but this will not fix the issue after the files are moved as more than 50MB/s of files are moved/accessed at a time
[18:15] right
[18:15] so i am temporarily working around it and during the next 3 days im trying to resolve the issue on the backend
[18:16] when moving them over NFS, were you using 'cp' or something else for that?
[18:16] ive tried literally everything.
[18:16] ive tested: cp, mv, rsync, dd
[18:17] to see if its tool problems
[18:17] its not.
[18:17] its stupid stupid nfs.
[18:45] dpb1: sent you a reply to your PM, sorry about the time delay. Been busy dealing with FCC coordinators :P
[18:47] jamespage: it looks like we'll be able to drop pandas from the queens UCA soon. gnocchi dropped use of it in recent commits.
[18:47] jamespage: which is good, because it pulls in a lot of new dependencies
[18:48] or, would have pulled
[19:06] Do they have livecd for ubuntu-server?
[19:06] without gui?
[19:09] jonfatino: no. there is no server livecd
[19:09] there, is
[19:09] http://cdimage.ubuntu.com/ubuntu-server/daily-live/current/
[19:10] rharper: there's actually a *livecd* version of Server, not just a daily built installer image?
[19:10] i've never seen "try ubuntu" on the Server ISOs
[19:10] teward: well, it's a liverootfs
[19:10] Ty rharper
[19:11] rharper: is the ISO updated?
[19:11] it's live and it's the server image; I'm not sure it includes a drop to shell directly at this time
[19:11] teward: in what way ?
[19:11] rharper: between the final daily version there and the final release version what's the difference at the core
[19:11] or is there none
[19:11] because I forget how final freeze worked :P
[19:11] (E: NOCOFFEE, NOMONEY)
[19:12] teward: it's got a 10/18 pub date; so I don't think it's being updated; but as soon as bionic has an image, then that'll be fresher
[19:14] teward: I'm not sure about the frequency of the updates to cdimage for released stuff; it's possible that those aren't generated until the dot releases except for the devel release images
[19:14] the other server image, has the same pub dates as the daily-live image
[19:23] jamespage: we may also be able to drop python-docker from queens CA since xenial has 1.9.0 now.
[21:40] coreycb: sounds like a plan
[21:41] coreycb: yes agreed - pandas is large and awkward
[21:41] jamespage: yes
[21:41] coreycb: we need a good way of actually getting those removed from the UCA - reprepro does not automatically cleanup things we remove from the source PPA's
[21:41] coreycb: I think its just some commands we can generate
[21:41] short of rebooting
[21:41] Cannot establish tunnel
[21:41] 11:37 PM com.jcraft.jsch.JSchException: SSH_MSG_DISCONNECT: 2 Too many authentication failures
[21:41] 11:37 PM how to reset it?
[21:41] how to reset it?
[21:41] :D
[21:42] jamespage: ok
[21:42] I was trying to login to a sql via ssh tunnel, ssh tunnel part did work, sql nope
[21:42] and now this error
[21:42] :D
[21:42] I will just reboot
[21:42] it is quicker
[21:43] oo same error again
[21:43] wtf is this
[21:44] hehehe: do you have a customized sshd_config server-side?
[21:46] no
[21:48] any ideas how to check what is wrong
[21:52] is there a recommended setup these days for ldirectord-like setup on ubuntu?
[21:52] drab: in what respect ?
[21:52] I'm trying to load balance a bunch of different services, mostly all tcp
[21:52] (nice to see an unusual question)
[21:52] altho the primary reason i'm wanting this is for maintenance, not standard load balancing
[21:53] maintenance/fail over
[21:55] I have two specific use cases i'm trying to work through: 1) a content filter 2) an asterisk server
[21:56] in both cases I'm upgrading software and I'd like to be able to move clients to the new upgraded servers slowly
[21:56] but in both cases to change ips or play with dns isn't possible/advisable
[21:56] you won't be able to "drain" with a pbx
[21:56] as you can't drain an in use call
[21:56] you can drain against logged in users that are idle - it will just blip as it fails over
[21:57] yeah, that's ok/the plan, move a bunch of phones overnight when they are not in use
[21:57] the content filter should be fine as these are normally just a http service so just swap over between requests
[21:57] but I don't have to have to reconfigure the phone because provisioning isn't very smooth
[21:58] so basically I'd like to take the ips now assigned at the current machines and move them to some ldirectd sort of master
[21:58] and there decide which clients go to which real server based on src ip for example
[21:58] that shouldn't be fine - just setup polling or manual fail over
[21:58] drab: you could use keepalived to have a VIP moved between 2 asterisk instances
[21:58] ahh you want to do source based routing
[21:58] yeah, keepalived would be better for that sort of thing, it has rules
[21:59] but there's only one ip, now? if I move it to the new machine all clients will move
[21:59] one IP ?
[21:59] s/now/no/
[21:59] one VIP
[21:59] where is there only 1 IP
[21:59] you can setup however many vips you want
[21:59] you could have one per service
[22:00] one per geographic location
[22:00] whatever you want
[22:00] sdeziel: maybe disable strict mode?
[22:00] what its for?
[22:00] strict mode ?
[22:00] what has strict mode /
[22:00] I guess I don't get it... say current asterisk is 10.0.0.6 , if I make that into a VIP and share it between the old asterisk (which would move to a physical ip of say 10.0.0.2) and a new one on 10.0.0.3
[22:01] sshd config
[22:01] 10.0.0.6 VIP would be assigned to only one of those machines at a time, no?
[22:01] I need to access sql via ssh tunnel
[22:01] yet to work
[22:01] at which point any client configured to connect to 10.0.0.6 would go to the machine with that VIP
[22:01] drab: no, it's assigned to the service, you can tell the pass through to go where you want - depending on the routing rules
[22:01] oh
[22:01] I thought that was what ldirectd was
[22:02] not keepalived, I thought that was just VRRP
[22:02] anyway, if that's a standard/recommended way to implement it I'll just go read the docs
[22:02] keepalived is dumber, but has rule based management
[22:02] I was mostly trying to figure out how ppl were normally implementing this sort of thing
[22:03] ldirectd is more advanced, but less configuration
[22:03] drab: front a service with a "distributor" of some sort, then put multiple services behind them
[22:03] ikonia: any ideas what can it be?
[22:03] it's that simple, the "distributor" is the thing that controls the rules
[22:03] hehehe: I was more thinking about MaxAuthTries that you can trip when offering multiple keys
[22:03] ikonia: yeah I get the principle, I was looking for recommendations in terms of implementation. I will look at keepalived, thanks.
[22:03] right
[22:03] thank you
[22:04] hehehe: I have no idea of your problem description as I've not been following, but I'm not keen to help you based on the abuse you've sent me in pm in the past
[22:04] drab: there is another software one, something monkey that's a bit dated but actually very light and easy
[22:04] sdeziel: yep me too!
but there is not MaxAuth in the sshd config :D
[22:04] ikonia: emmm :P
[22:04] hehehe: the default is 6
[22:04] yep
[22:04] ikonia: yeah, http://www.ultramonkey.org/3/lvs.html
[22:04] I was looking at that too
[22:05] there's actually a few more , some more "modern" too, but none of them seems really tested/having a large user base
[22:05] hence coming to ask
[22:05] to try and get a sense of what was going to be a well maintained/stable/support way to implement this
[22:05] drab: you can also use keepalived alone without LVS
[22:05] drab: thats it !
[22:05] sdeziel: ubuntu 16.04 server no MaxAuth in the config file of sshd :D
[22:06] or maybe there is a command to reset failed counter
[22:06] sdeziel: yeah, I'm kind of confused about that, I haven't yet figured out how they all work together
[22:06] drab: with keepalived alone, you'd be simply moving the VIP
[22:06] some howtos seem to use them in combo, some don't, some use pacemaker, some recommend HA
[22:06] sdeziel: right, that's what I thought, and not what I want
[22:06] drab: I've used (in the past) ultramonkey with keepalived with good results
[22:07] drab: so using combos together can give a good result, but it does make it more complex
[22:07] I don't understand why I need keepalived with ldirectord/ultramonkey, those alone seem to do what I need
[22:08] cavia of course the director going down
[22:08] drab: you have 2 different problems.
The content filter is apparently simple to deal with a HTTP reverse proxy
[22:08] maybe that's what keepalived is for, moving the VIP of the director
[22:08] drab: and the asterisk problem could be dealt with just keepalived if your use case is to just simplify maintenance
[22:09] ok whatever
[22:09] I don't know ldirectord/ultramonkey so I cannot comment on that, sorry
[22:09] sdeziel: well the problem is rollout, I need to verify that asterisk 13 works well before moving everybody to it
[22:09] so I was hoping to be able to tell a bunch of clients, go use this other server first
[22:09] transparently
[22:09] without having to reconfigure the phones
[22:10] drab: you need routing rules
[22:10] and pick a subnet at a time to migrate on
[22:10] drab: with keepalived, you'd use a check script that would tell you if a node is healthy enough to become primary (the VIP holder)
[22:11] drab: I'm proposing all at once failover while ikonia proposes staged rollout
[22:12] just to be clear - I'm not proposing anything, I'm trying to meet your requirement, sdeziel's suggestion is just as valid
[22:12] so maybe ikonia's way would be less risky
[22:12] sdeziel: but more complex
[22:12] it's the trade off
[22:13] hehehe: maybe if you paste a "ssh -vvv" output we'd learn more about the problem?
[22:13] I am connecting from a gui client
[22:13] Dbeaver
[22:14] based on what he's posted in ##linux the problem appears quite clear,
[22:14] I think it is max tries
[22:14] now that I've read the scroll back
[22:14] have to see where to reset it
[22:15] or maybe ciphers mismatch?
[22:16] I don't think so :D
[22:16] hehehe: the maxauthtries is a per connection thing, nothing to reset AFAIK
[22:16] hehehe: cipher mismatch produces a different error
[22:16] I can increase a value of it
[22:16] it does work if I boot in a rescue mode and then reboot
[22:17] somehow this resets this lock
[22:17] I can ssh in just fine but not from DBeaver atm
[22:19] sdeziel: ikonia: ok thanks, I think I get it at least... going forward I definitely need to be able to stage rollouts so I'll look into ldirectord/ultramonkey and see where that gets me
[22:19] drab: for me, the key is policy based routing for your needs
[22:19] but as sdeziel said, there are more black/white options, it's all a trade off
[22:20] ikonia: if I understand your approach, no ldirectory/ultramonkey would be needed, just policy routing, right?
[22:20] ikonia: when you say policy based routing you don't mean iproute, do you? we're still talking about LB software
[22:20] because I don't see how pb would work at all here
[22:20] since clients expect to be served as they connect to x.x.x.x
[22:20] a response from a different ip would break the connection
[22:21] sdeziel: correct
[22:21] ok, mind elaborating?
I don't understand how that would work
[22:22] drab: no, I mean something like src=subneta dest=destA, src=subnetb dest=stabledestination
[22:22] so that you can pick which clients go to which destination to allow you to test your new stuff, or stage the roll out / roll back / fail over
[22:22] policy could be anything, subnet, client identifier, first 100 connections, whatever, but a policy of some sort
[22:23] urm, I do pb on the gateway to balance 2 upstream connections and I don't see how I'm gonna be able to do it in this case
[22:23] with pb the destination servers would be on a diff ip
[22:23] if the phone is configured to connect to asterisk 1.1.1.1 I can't route it to 2.2.2.2
[22:24] drab: right, the destination IP is behind the load balancer
[22:24] so all clients hit 1.1.1.1
[22:24] then you could have the first 100 to hit 1.1.1.1 get forwarded to 1.1.1.2,
[22:24] everyone else hitting 1.1.1.1 gets forwarded to 1.1.1.3
[22:24] (for example)
[22:24] so everyone hits 1.1.1.1 - but the destination behind 1.1.1.1 is controlled by a policy
[22:25] think of it as controlled reverse proxying, but proxying at a tcp level,
[22:25] wouldn't it need to operate on UDP for SIP/IAX?
[22:26] sdeziel: I don't....know......I thought UDP was just the "advertisement" service
[22:26] the comms was all tcp
[22:26] I guess drab would have to verify that
[22:26] still doable though,
[22:28] ikonia: is there an LB that you'd recommend?
[22:29] sdeziel: not off the top of my head, I'm sure keepalived can do policy routing (as that's how its floating vip works with ipvsadm)
[22:29] sdeziel: you could do it with squid, haproxy, or even just iptables if you wanted, but that's a bit more than "load balancing", that's actual routing
[22:30] squid/haproxy is for TCP only but iptables might cut it though
[22:30] there is one called "guardian" that I think works quite well, and there is an ubuntu package for it
[22:30] (haproxy is supposed to get UDP support in the dev version IIRC)
[22:31] sdeziel: I thought it already had it,
[22:31] I was actually just looking at haproxy, I thought it used to be for web servers only like nginx
[22:31] but it seems to be more general purpose
[22:31] but I don't use it enough to be current
[22:31] drab: no, it's much more
[22:31] I'd have to check/refresh my memory
[22:31] drab: nginx can proxy udp
[22:33] drab: a quick and dirty way would be to put 1.1.1.1 on a machine with iptables DNAT'ing traffic to the current master asterisk
[22:33] sdeziel: so maybe it is Dbeaver's fault?
[22:33] drab: whenever you need to swap the master you'd update the DNAT target
[22:34] hehehe: could be anything, really
[22:36] sdeziel: I don't think that'd work, answers would be coming from 2.2.2.2 or whatever the current master is, and connections would break
[22:37] to make replies come from 1.1.1.1 you'd need full masquerade, at which point the src ip is lost and stuff like auth wouldn't work
[22:37] sdeziel: but I can't debug everything
[22:37] how to narrow it down?
[22:37] (not to mention that logging and accounting would be completely skewed)
[22:37] drab: does the response actually matter, as in the source of the response, as long as it's a valid response
[22:37] drab: don't nat then - forward
[22:38] it does, that's the linux kernel
[22:38] drab: with a DNAT, the response would get to the client with src set to 1.1.1.1
[22:38] there's a sysctl to allow for responses from diff src ips, but then I'd have to apply that to all clients, which I can't
[22:38] drab: this rewrite is stateful
[22:39] sdeziel: why? pkt comes in, dst ip is changed, src ip stays the same, when it hits 2.2.2.2 responses are sent to the src ip, not 1.1.1.1
[22:39] so the client will see a response from 2.2.2.2 even tho it sent its pkts to 1.1.1.1
[22:39] drab: this ^ is indeed not gonna work because of the asymmetry introduced
[22:40] drab: you need to have 2.2.2.2 route via the DNAT box when trying to reach the client
[22:41] mmmh, unless I misunderstand something even that wouldn't work, routing wouldn't change the src ip of the response, which would still be 2.2.2.2 / different from the one the client contacted
[22:41] drab: if your mangling box does just a DNAT, indeed the client IP remains the same
[22:42] so the asterisk sees it unaltered and you need to make sure that when it replies it goes through the mangling box again
[22:42] otherwise you have asymmetric routing and that won't work
[22:47] drab: thank you for an interesting question for a change
[22:51] altho not maintained for the last 2 yrs, I just googled this out which seems pretty simple and maybe worth a try: http://www.inlab.de/balance.html
[22:52] it's shipped in ubuntu
[22:52] may be good as a quick solution during transition or at least for some of the container stuff I'm trying
[22:52] always good to try something new
[22:52] drab: I don't feel I had the chance to explain/address your questions properly, maybe tomorrow
[22:52] (even if it's old)
[22:53] sdeziel: don't worry man,
appreciate the conversation
[22:53] ttl
[22:53] tbh irc has its limits when it gets to a certain point, diagramming on a whiteboard helps a lot to work through an example
[22:53] I've found it useful/interesting too
[22:53] sdeziel: ttyl
[22:54] drab: balance looks neat, thanks
[22:55] I like the, at least apparent, simplicity and command line orientation, I can see how you could quickly put it in some kind of hook script for testing stuff at the very least
[22:56] lxd is proving to be more and more handy and when the proxy stuff is done it's gonna be even more fun
[22:56] https://github.com/lxc/lxd/issues/2504
[22:56] even tho that's not gonna work across LXD hosts, will still need some external director of sorts
[22:57] but it'll open a whole bunch of possibilities to secure things while exposing them from the host in a transparent way
[23:14] and this is pretty much the entire solution implemented with nginx: https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/
[23:14] preserving src ip etc
[23:14] is that nginx "plus" or nginx?
[23:15] well, at the top it says "The information in this post apply to both the open source NGINX software and NGINX Plus. For the sake of brevity, we’ll refer only to NGINX Plus."
[23:15] aha :)
[23:16] I've been holding off from figuring out nginx as it's, at least for me, more complex than straight apache
[23:16] but most tutorials for web stuff these days seem to point to nginx + wsgi, especially for python apps, which I do use quite a bit
[23:16] with flask for apis and stuff
[23:17] so I may just have to invest the time to learn it, especially if it can also take care of all this "directing" thing for phased rollouts
[23:17] altho right now I've yet to see how to assign specific clients to an upstream, but I'm guessing it's possible
[23:17] nothing wrong with using tools you already know how to use..
I always found nginx easier to configure than apache though :)
[23:17] haproxy does that with acls apparently
[23:18] https://serverfault.com/questions/502487/haproxy-load-balancing-based-on-source-ip-ip-subnet
[23:18] which is nice and clean
[23:18] sarnold: well I'm old :), when I used to do this stuff nginx was just the new kid on the block and I never quite got to use it
[23:19] drab: yeah, back in the early days nginx code quality sounded iffy
[23:19] you just need a friendly coder friend
[23:19] who can teach you
[23:20] it is a rare thing on freenode but can happen
[23:20] nginx is easy
[23:20] btw I did fix the issue
[23:21] fuck all those read-the-manual people
[23:21] if I see some of them hit by a car and asking something - my reply may be "read a manual"
[23:21] LOL
[23:42] is there a wiki page or something with details on the official way to upgrade between Openstack releases using the cloud archive? so far all I've seen is 'update the packages', which while strictly true, I'd appreciate more detail..
[23:53] is there a WAR for the d-i netboot installer not being able to auto-select offboard nics?