beatzz | I just installed Ubuntu Server 17.10 on a new system, with LAMP & OpenSSH selected for install. | 00:34 |
---|---|---|
beatzz | I ran ufw default settings, and allowed ssh + http | 00:34 |
beatzz | modified /etc/netplan/01-netcfg.yaml for a static ip setup | 00:35 |
beatzz | and I am connected, I am able to apt-get update/upgrade | 00:35 |
beatzz | but I am getting no connection to my server via ssh/http | 00:36 |
beatzz | the router's port mapping is also correct, wide open to the servers ip address. | 00:36 |
beatzz | from my point of view, it looks like it should work. Anyone have any insight on this situation for me? | 00:37 |
sarnold | does netstat or ss show apache listening on the ports and addresses you expect? | 00:39 |
beatzz | yes, both | 00:39 |
beatzz | sudo netstat -anp | grep apache && ssh both return LISTEN | 00:40 |
sarnold | does netcat on localhost work to connect to those services? how about netcat on another host on the LAN? | 00:41 |
beatzz | although it doesn't specify the address, just "tcp6 0 0 :::80 :::* LISTEN 892/apache2" | 00:41 |
sarnold | does 'nc ::1 80' work? | 00:42 |
beatzz | I will check | 00:43 |
beatzz | no error, but it's not returning anything | 00:43 |
beatzz | and has not returned my command-prompt | 00:44 |
sarnold | try something like HEAD /<enter> and see if you get a nice error reply from your server | 00:44 |
sarnold | I can't recall enough http by hand.. | 00:44 |
beatzz | "HEAD /" at the command-prompt? | 00:45 |
sarnold | in netcat, to your webserver | 00:45 |
beatzz | ahhhh | 00:45 |
beatzz | that returned some info | 00:45 |
sarnold | good good, okay, ssh next :) what address / port is openssh listening on? | 00:46 |
beatzz | "400 bad request" | 00:46 |
beatzz | 22 | 00:46 |
sarnold | and the address? | 00:46 |
beatzz | local address is 192.168.11.2 | 00:46 |
sarnold | does netstat or ss output show openssh listening on that address? or on 0.0.0.0? | 00:47 |
beatzz | 0.0.0.0 | 00:47 |
sarnold | okay, so something like echo hi | nc localhost 22 ought to spit out the openssh banner | 00:48 |
beatzz | "SSH-2.0-OpenSSH_7.5p1 Ubuntu-10 Protocol mismatch." | 00:49 |
sarnold | okay, cool, so the services do seem to be up and working, one reachable via ipv4, one via ipv6... now try from another host on the LAN and make sure that they can be contacted | 00:50 |
beatzz | aye | 00:50 |
beatzz | Connection timed out on both | 00:52 |
beatzz | I will try ipv6 address in web-browser | 00:52 |
beatzz | that didn't work either. | 00:54 |
sarnold | connection timed out sounds like a firewall configured to DROP packets; can the testing host contact other hosts on the LAN? on the network? | 00:54 |
beatzz | yes | 00:54 |
beatzz | I have a slackware VM that I can connect to, both http & ssh | 00:56 |
sarnold | networking to VMs is funny.. | 00:57 |
beatzz | I'm booting it up now | 00:59 |
beatzz | configuring its eth0, and I will test its connection via LAN | 01:00 |
beatzz | just to be sure | 01:00 |
beatzz | okay, roger. I am connected to my slackware server at 192.168.11.7, on both ports 80, and 22 (http/ssh) | 01:02 |
beatzz | from my laptop here | 01:02 |
beatzz | hey I appreciate your help sarnold, I think maybe I need to make an ubuntu forums post, displaying all these results. | 01:04 |
sarnold | beatzz: alright; once you get there be sure to include the iptables -L output .. I don't know how to drive iptables real well, so that might not be the exact command.. | 01:05 |
sarnold | just whatever dumps all the rules. | 01:05 |
beatzz | for sure, hey thanks a lot though | 01:07 |
sarnold | good luck, have fun :) | 01:07 |
beatzz | for real, thanks for helpin out :) | 01:07 |
beatzz | this is my first run with ubuntu * | 01:08 |
drab | tcpdump is good too | 01:08 |
drab | to see if packets are getting there at all | 01:08 |
drab | even if they get dumped | 01:08 |
drab | also you can always add a LOG rule to iptables as last | 01:08 |
drab | to figure out if that's what's happening | 01:08 |
drab | beatzz: ^^ | 01:09 |
beatzz | aye, I shall | 01:09 |
beatzz | gana go register at the ubuntu forums | 01:09 |
drab | what for, try the above first :) | 01:11 |
beatzz | tcpdump returned 109 packets captured | 01:11 |
drab | on port 22? | 01:11 |
beatzz | 136 packets received by filter | 01:11 |
beatzz | 27 dropped by kerenel | 01:12 |
drab | tcpdump -i $interface port 22 | 01:12 |
beatzz | kernel* | 01:12 |
drab | run 'tcpdump -i $interface port 22' then go to your client and try to ssh in | 01:12 |
drab | see if anything shows | 01:12 |
beatzz | roger, client is attempting to connect.... and nothing | 01:13 |
beatzz | connection timed out on client, tcpdump returns nothing. | 01:13 |
drab | ok | 01:13 |
drab | sudo ufw logging on | 01:14 |
drab | then try again to ssh in | 01:14 |
drab | grep "DST=22" /var/log/syslog after trying to connect/timeout | 01:15 |
drab | if that shows any output paste on dpaste.com, not here | 01:15 |
beatzz | it outputs a shit ton | 01:16 |
beatzz | but the server is on another system, I don't think I can dpaste it | 01:16 |
beatzz | unless, does ubuntu server have a gui I'm not using? | 01:16 |
beatzz | [UFW BLOCK] looks disturbing... | 01:17 |
drab | grep "DST=22" /var/log/syslog | head | netcat termbin.com 9999 | 01:18 |
drab | run that on the server and paste the resulting output link | 01:19 |
beatzz | oh shit, cool trick | 01:20 |
beatzz | http://termbin.com/nhmj | 01:20 |
sarnold | all those DST packets look like multicast | 01:21 |
drab | oh, I'm an idiot, lol | 01:21 |
drab | I meant DPT | 01:21 |
beatzz | no worries, one sec | 01:21 |
drab | grep "DPT=22" /var/log/syslog | head | netcat termbin.com 9999 | 01:21 |
drab | in fact, just in case | 01:21 |
drab | grep "DPT=22 " /var/log/syslog | head | netcat termbin.com 9999 | 01:21 |
drab | note the space | 01:21 |
beatzz | roger | 01:22 |
beatzz | it returned with no link? | 01:22 |
drab | ok, so there's nothing, run it without the head/netcat, just the grep | 01:22 |
drab | it should show no output, which means there's no ssh pkts (destined to port 22) being dropped | 01:22 |
beatzz | aye, again, nothing | 01:23 |
drab | are you running ssh on a weird port? | 01:23 |
sarnold | no link when there's nothing? that's very handy of them :) | 01:23 |
beatzz | nope, port 22 | 01:23 |
beatzz | i have not edited /etc/ssh/ssh_config | 01:23 |
drab | ok, so ufw is not dropping your ssh connections | 01:23 |
drab | and tcpdump is not showing any ssh traffic | 01:23 |
beatzz | aye | 01:23 |
beatzz | i will show you ufw status | 01:23 |
drab | so your problem is network, nothing to do with ssh or firewall | 01:23 |
drab | pkts are simply not getting there, maybe swallowed by the VM Host's network interface | 01:24 |
sarnold | beatzz: do all hosts involved agree on netmask and network addresses? :) | 01:24 |
beatzz | http://termbin.com/uz65 | 01:24 |
beatzz | this ubuntu server is not a VM | 01:24 |
drab | yeah like I said I don't think your issue is UFW | 01:24 |
beatzz | aye, I agree | 01:24 |
beatzz | so network-ish problem | 01:25 |
drab | so again, what's your network layout? | 01:25 |
drab | what ip/netmask are the client and server on and what's in between them | 01:25 |
beatzz | I have routers port mapping wide open for both TCP/UDP to 192.168.11.2 | 01:25 |
beatzz | I have assigned a static IP of 192.168.11.2 to this ubuntu server | 01:25 |
beatzz | via editing /etc/netplan/01-netcfg.yaml | 01:26 |
drab | on the server, ip addr ls && ip route ls| netcat... | 01:27 |
beatzz | http://termbin.com/el91 | 01:27 |
drab | paste the link | 01:27 |
beatzz | ;) | 01:27 |
drab | no, not useful, that's just a config, I want to see reality | 01:27 |
drab | I mean, good to know you have that config, but that doesn't necessarily imply it's being applied/etc | 01:27 |
drab | so do the above pls | 01:27 |
beatzz | ahh you want ifconfig? | 01:27 |
drab | I want the above, ip addr ls... | 01:28 |
beatzz | sorry, roger | 01:28 |
drab | nothing to be sorry about | 01:28 |
beatzz | http://termbin.com/pi6j | 01:29 |
drab | uhm, I guess && doesn't work, that's only iproute | 01:29 |
drab | can you just do ip addr ls | netcat ... pls | 01:29 |
beatzz | http://termbin.com/3sxw | 01:30 |
beatzz | and just for reference, here is the full 01-netcfg.yaml : http://termbin.com/7mo4 | 01:31 |
drab | ok, where are you trying to ssh from? | 01:32 |
drab | where's the client? | 01:32 |
drab | and please confirm the server is an ubuntu server 16.04 on baremetal, no VM | 01:33 |
drab | and is that connected with a cable to the router and the router to the internet? | 01:33 |
beatzz | Ubuntu Server 17.10, not a VM (192.168.11.2) | 01:34 |
beatzz | and I'm on irc on my laptop (192.168.11.20) | 01:34 |
drab | ok, so both server and client are on the lan, correct? | 01:34 |
beatzz | Ubuntu server is connected via ethernet cable to router, and laptop wifi, sitting with both screens in front of me | 01:35 |
beatzz | yessir | 01:35 |
drab | ok | 01:35 |
drab | please paste ip addr ls and ip route ls from the laptop | 01:35 |
beatzz | windows :( | 01:35 |
drab | ipconfig /all from cmd, copy paste to dpaste.com | 01:35 |
beatzz | roger | 01:36 |
beatzz | ipconfig /all --> http://dpaste.com/0RZQH89 | 01:36 |
drab | how are you running ssh? | 01:37 |
beatzz | PuTTY on my windows client | 01:38 |
beatzz | I have a successful ssh connection to my slackware-linux VM at 192.168.11.7 | 01:38 |
beatzz | via PuTTY | 01:39 |
drab | ok, from cmd, ping 192.168.11.2 | 01:39 |
beatzz | "request timed out" | 01:39 |
drab | ok | 01:39 |
drab | ping 192.168.11.1 works? | 01:40 |
drab | (it has to, but wth..) | 01:40 |
beatzz | aye, working | 01:41 |
drab | from the slackware VM, ping 192.168.11.1 , works? | 01:41 |
drab | and then ping .2 | 01:41 |
drab | then from 11.2 ping 11.1 and 11.20 | 01:42 |
beatzz | SlackVM > 192.168.11.1 working | 01:42 |
beatzz | SlackVM > Ubuntu Server, not | 01:42 |
beatzz | Ubuntu > 192.168.11.1, working | 01:43 |
drab | do you have a smartphone? | 01:43 |
beatzz | Ubuntu > others, not | 01:43 |
beatzz | yes | 01:43 |
drab | ios/android? | 01:44 |
beatzz | ios | 01:44 |
drab | https://itunes.apple.com/us/app/termius/id549039908?mt=8 | 01:44 |
drab | install that | 01:44 |
drab | it's free | 01:44 |
beatzz | installing | 01:45 |
beatzz | ready to use | 01:45 |
beatzz | new host... ? | 01:45 |
drab | ok, ssh to ur ubuntu server :) | 01:45 |
drab | yeah | 01:45 |
drab | add 192.168.11.2 | 01:45 |
drab | and connect | 01:45 |
drab | also while you're at it, will come handy: https://itunes.apple.com/us/app/ping-network-utility/id576773404?mt=8 | 01:46 |
beatzz | attempting to connect | 01:47 |
drab | I'm assuming phone is on wifi on the same router? | 01:48 |
beatzz | aye | 01:48 |
drab | ok, timed out I assume, if it was working it'd worked by now | 01:48 |
drab | get that ping app, just to confirm | 01:48 |
beatzz | did | 01:49 |
drab | and try to ping it | 01:49 |
beatzz | Request time-out | 01:49 |
drab | yeah, fair enough | 01:49 |
drab | do you have access to the web interface of the router? | 01:50 |
beatzz | so strange O_O | 01:50 |
beatzz | yes | 01:50 |
drab | login, look for tools or something, there should be a diagnostic tab that lets you run ping | 01:50 |
drab | find it, ping 192.168.1.2 | 01:50 |
beatzz | works | 01:51 |
drab | does it have telnet too by any chance? | 01:52 |
beatzz | negative | 01:52 |
drab | k, np | 01:53 |
drab | can you find a "connected clients" tab on it? | 01:53 |
drab | that shows mac addresses | 01:53 |
drab | it should show your ubuntu server | 01:53 |
drab | mac address | 01:53 |
beatzz | that, it does not have. | 01:53 |
drab | that's weird | 01:53 |
beatzz | I've been lookin for that for a few days now. | 01:53 |
beatzz | i know, but trust me, I've scoured the router's setup, it just doesn't have one | 01:54 |
drab | k | 01:54 |
drab | have you ever used 192.168.11.2 with something else? | 01:54 |
beatzz | yes | 01:54 |
drab | ok, can you change the ip please to something you've not used before, say 222 ? | 01:55 |
beatzz | it was the static address of my SlackVM, prior to setting up the ubuntu server | 01:55 |
beatzz | it is also outside the dhcp block | 01:55 |
beatzz | I will, my wife's demanding I take the trash out though :/ | 01:55 |
beatzz | brb | 01:56 |
drab | happy wife happy life, one thing I try hard not to forget | 01:56 |
beatzz | okay | 02:00 |
beatzz | so, change the IP address of the ubuntu server | 02:00 |
drab | yep | 02:01 |
drab | then try the ping dance again pls, one host is enough + the router | 02:01 |
beatzz | okay | 02:06 |
beatzz | Ubuntu Server is now on 192.168.11.8, dynamically assigned via DHCP | 02:06 |
beatzz | Laptop(20) ping> Ubuntu, request timed out | 02:07 |
beatzz | SlackVM(7) ping> Ubuntu, request timed out | 02:07 |
beatzz | Router(1) ping> Ubuntu, working | 02:08 |
drab | from the phone also no joy? | 02:08 |
drab | I'm kinda wary about the laptop as Vbox can mess up networking | 02:09 |
beatzz | iphone ping> ubuntu, request time out | 02:09 |
beatzz | shouldn't, it's configured properly | 02:09 |
* drab scratches head | 02:10 | |
beatzz | Ubuntu server ping> other machines, not working | 02:10 |
beatzz | Ubuntu server ping> router, working | 02:10 |
beatzz | im just gana turn off ufw and see what happens | 02:11 |
drab | does phone to laptop work? | 02:11 |
drab | if ufw was a problem blocking pings it'd block the router too | 02:11 |
drab | but sure, try that | 02:12 |
beatzz | hmmm... Phone ping> laptop, not working | 02:12 |
drab | bingo | 02:12 |
drab | ok | 02:12 |
drab | should have thought of that earlier | 02:12 |
drab | so it has nothing to do with the ubuntu server | 02:12 |
drab | host to host communication on ur network is screwed up | 02:12 |
drab | nodes can talk to the router they are directly connected to, but not to each host | 02:12 |
drab | laptop to VM obviously work because they r on the same physical host | 02:13 |
beatzz | but I can view my webserver from phone? | 02:13 |
drab | u can? on the slack VM? | 02:13 |
beatzz | yup | 02:13 |
beatzz | you might be able to as well | 02:13 |
drab | ah, holy cow | 02:13 |
drab | ok | 02:13 |
beatzz | http://beatzz.co | 02:13 |
drab | yeah it's up | 02:14 |
beatzz | right, and from within LAN, I can http://192.168.11.7 | 02:14 |
drab | from the ubuntu box | 02:14 |
drab | telnet 192.168.11.7 80 | 02:14 |
beatzz | how so? with lynx? | 02:15 |
drab | telnet :) | 02:15 |
beatzz | "Trying 192.168.11.7..." | 02:15 |
drab | you can basically work through any protocol using telnet if you speak it | 02:15 |
drab | used to send emails with it :P | 02:15 |
drab | argh | 02:16 |
sarnold | I prefer netcat since it's easy to get out of | 02:16 |
drab | true | 02:16 |
sarnold | and telnet treats some chars as magic | 02:16 |
drab | but the phone can see http://192.168.11.7 , correct? | 02:16 |
beatzz | yup | 02:16 |
beatzz | ubuntu box is not doing anything with telnet | 02:16 |
drab | but cannot ping it? | 02:17 |
drab | ok | 02:17 |
drab | phone -> slack, no ping? | 02:17 |
beatzz | roger | 02:17 |
beatzz | phone > slack, no ping | 02:17 |
drab | you're positive you did telnet 192.168.11.7 80 yes? including the 80 at the end | 02:18 |
beatzz | yessir | 02:18 |
* drab scratches head | 02:18 | |
beatzz | it finally returned something too | 02:18 |
beatzz | "telnet: Unable to connect to remote host: Connection timed out" | 02:19 |
drab | right, np | 02:19 |
beatzz | so basically, host > host, no ping | 02:19 |
beatzz | only thing that returns a ping, is host > router | 02:20 |
beatzz | and router > host | 02:20 |
drab | if the phone couldn't get to the webserver I'd thought the router somehow was isolating the nodes | 02:20 |
drab | but since it can, that can't be true | 02:20 |
drab | are you running a firewall of sort on slack or blocking pings on win? | 02:21 |
drab | can the phone ping the laptop? | 02:21 |
sarnold | < beatzz> hmmm... Phone ping> laptop, not working | 02:21 |
beatzz | nope | 02:21 |
beatzz | no host > host ping | 02:21 |
sarnold | did you double-check the netmask and IPs on all the hosts? | 02:22 |
drab | sarnold: but phone > slack http works | 02:23 |
drab | that's what is so damn weird | 02:23 |
drab | but windows can block pings | 02:23 |
beatzz | and ssh | 02:23 |
drab | so the ping not working may be ok | 02:23 |
sarnold | .. and VM networking software sometimes only ever works for TCP and UDP and drops everything else on the floor | 02:24 |
drab | on the phone you put "http://192.168.11.7" in your browser? | 02:24 |
beatzz | yeah, or just the IP works as well. | 02:24 |
drab | sarnold: true, but telnet 192.168.11.7 80 doesn't work, which is tcp | 02:24 |
drab | what's ip route ls and ip addr ls on the slack VM? | 02:25 |
drab | and how is virtual box network configured? bridge mode? | 02:27 |
beatzz | ip route ls --> 127.0.0.0/8 dev lo scope link 192.168.11.0/24 dev eth0 proto kernel scope link src 192.168.11.7 metric 202 | 02:27 |
beatzz | bridged, yes | 02:27 |
drab | sudo tcpdump -i lxdbr0 icmp on the ubuntu server | 02:30 |
drab | ping it from the phone | 02:30 |
drab | and from the router | 02:30 |
sarnold | lxdbr0? | 02:30 |
drab | eer, sorry | 02:30 |
drab | that was my test | 02:30 |
drab | -i whatever your interface | 02:30 |
sarnold | that's what that smelled like :) hehe | 02:30 |
beatzz | phones ping utility shows request time-out | 02:33 |
beatzz | tcpdump shows nothing | 02:33 |
beatzz | which means the ping request is getting blocked at the router | 02:33 |
beatzz | aye? | 02:33 |
beatzz | which makes sense, why we cant ping host > host | 02:34 |
drab | if you ping from the router do you see the pings? | 02:34 |
beatzz | yes, router > host works | 02:34 |
beatzz | on all hosts | 02:34 |
drab | but yes, it feels like somehow traffic is dying at the router... no idea why | 02:34 |
drab | ufw is stopped? | 02:35 |
drab | sudo iptables -L -v , shows no rules all ACCEPT? | 02:35 |
drab | on the ubuntu server | 02:35 |
sarnold | sometimes routers have buttons to prevent wifi segments from communicating with wired segments | 02:36 |
drab | oh, good call sarnold | 02:37 |
drab | beatzz: check that, will ya? | 02:38 |
drab | or otherwise, plug the ethernet cable straight into ur laptop if you have a port | 02:38 |
drab | and try that, I was gonna suggest that anyway because I'm out of guesses... | 02:39 |
beatzz | aye, me too | 02:39 |
beatzz | i think we've beat this horse to death | 02:39 |
drab | poor horse | 02:39 |
beatzz | gana give it a rest | 02:39 |
beatzz | thanks for the support drab & sarnold | 02:40 |
drab | wait, last test! | 02:40 |
drab | check the router :P | 02:40 |
drab | what model is it? | 02:40 |
beatzz | ummm... | 02:40 |
beatzz | buffalo WZR-300HP | 02:40 |
drab | https://superuser.com/questions/856499/buffalo-wzr-1750dhp-cant-reach-the-lan-side-using-wireless | 02:41 |
drab | According to the manual that router supports SSID and Wireless Client isolation | 02:41 |
drab | :........( | 02:41 |
drab | sarnold wins | 02:42 |
drab | maybe | 02:42 |
beatzz | so wait, okay | 02:42 |
beatzz | if thats the case | 02:42 |
beatzz | I should be able to access the http server from another network | 02:42 |
beatzz | http/ssh on the Ubuntu server | 02:42 |
drab | altho that's not quite what it says, it says wireless client isolation, not to lan | 02:42 |
beatzz | from outside my network | 02:42 |
drab | yes | 02:42 |
drab | if you put it back on 2 / the port forwarding on the router matches | 02:43 |
beatzz | port forwarding goes to 8 | 02:43 |
beatzz | its currently open | 02:43 |
drab | doesn't seem to be quite it actually | 02:44 |
drab | If enabled, the Wireless client isolation blocks communication between wireless devices | 02:44 |
drab | connected to the AirStation. Wireless devices will be able to connect to the Internet | 02:44 |
drab | but not with each other. Devices that are connected to the AirStation with wired | 02:44 |
drab | connections will still be able to connect to wireless devices normally | 02:44 |
sarnold | what about connections from wireless to wired? o_O | 02:45 |
drab | didn't work | 02:45 |
beatzz | omfg | 02:45 |
drab | no ping from laptop to ub or phone to ub | 02:45 |
beatzz | it works | 02:45 |
beatzz | you should be connecting to it as well | 02:45 |
drab | ok, so sarnold wins somehow still | 02:45 |
beatzz | from http://beatzz.co | 02:45 |
sarnold | hahaha | 02:45 |
sarnold | beatzz: apache default page! \o/ | 02:46 |
beatzz | refresh ur browser, and it will show the ubuntu | 02:46 |
beatzz | holy nuts | 02:46 |
drab | ever watched office space? | 02:46 |
sarnold | printer scene | 02:46 |
beatzz | yeah | 02:46 |
beatzz | to the buffalo router | 02:46 |
drab | it's almost xmas, get urself another router... le sigh | 02:46 |
beatzz | damn | 02:46 |
beatzz | i was just starting to smell smoke coming out of my ears a minute ago | 02:47 |
beatzz | like, wth, everything is correct | 02:47 |
drab | ok, this is a good time to quit, I'm out | 02:48 |
sarnold | gnight drab :) | 02:48 |
beatzz | thanks so much man | 02:48 |
drab | like I said the other day, trust in sarnold, ignore everybody else | 02:48 |
drab | ttyl | 02:49 |
=== JanC_ is now known as JanC | ||
=== JanC_ is now known as JanC | ||
=== JanC_ is now known as JanC | ||
=== JanC is now known as Guest67213 | ||
=== JanC__ is now known as JanC | ||
=== JanC__ is now known as JanC | ||
beatzz | just another shout out to drab and sarnold ! Server's up and running, nice and safe behind firewalls and stuff. http://www.beatzz.co | 06:28 |
oerheks | now get your free ssl certificate :-) | 06:29 |
cpaelzer | cpaelzer: xnox: yes we enable nested by default on e.g. intel as smb pointed out | 07:13 |
cpaelzer | cpaelzer: I wanted to drop that (an admin can still opt in at any time) but I see that this might be too much of a churn for all of the consumers of qemu | 07:14 |
cpaelzer | xnox: smb: on s390x yeah - I don't vote to make it nested=1 by default (as it isn't atm), but users should be able to switch it on | 07:14 |
cpaelzer | smb: did I get you right that due to not being a module you can't set the value to 1 ? | 07:15 |
lordievader | Good morning | 07:16 |
cpaelzer | hi lordievader | 07:16 |
lordievader | Hey chamar (IRC) | 07:17 |
lordievader | cpaelzer (IRC)* | 07:17 |
lordievader | How are you doing? | 07:17 |
cpaelzer | oh I got an asterisk :-) | 07:18 |
cpaelzer | doing good | 07:18 |
cpaelzer | skipped the disturbing mails for now :-) | 07:18 |
lordievader | Hahaha | 07:18 |
lordievader | Nice | 07:18 |
stoned | Hello | 07:32 |
stoned | Do you know of any bash scripts someone might have written to quickly deploy services, setup services, etc, on newly created ubuntu server instances or installs? | 07:33 |
lordievader | I use puppet for such things. | 07:38 |
rbasak | cloud-init? | 07:38 |
rbasak | Or yeah: puppet, ansible, chef, etc. | 07:38 |
stoned | Here's how I have things setup | 07:42 |
stoned | I have git repository in /etc/ where I backup my config files | 07:42 |
stoned | All my static sites live in git repositories | 07:42 |
stoned | my nginx vhosts live in git repositories | 07:43 |
stoned | Say I spin a new ubuntu 16 lts server on rackspace | 07:43 |
stoned | I want to clone the server I already have | 07:43 |
stoned | I dunno how | 07:43 |
stoned | :) | 07:43 |
rbasak | Cloning is a poor approach because you end up with an unreproducible machine carrying problems forward over time. Instead, look into codifying your deployments: having the minimal code that can be applied to a fresh server to make it how you want it. Then edit your code rather than the server. | 07:48 |
rbasak | Deploying multiple servers from that state is trivial. | 07:48 |
rbasak | And you can also write automated tests for your deployments. | 07:49 |
stoned | Well, I'm thinking, I could write a bash script instead of depending on config management things. | 07:49 |
rbasak | For basic deployments, supplying cloud-config via cloud-init is the easiest way to do this. | 07:49 |
stoned | a script that basically installs the packages I need, as well as cloning the git repositories I need, and then copying the configs over | 07:49 |
stoned | that sound like a sound approach? | 07:49 |
rbasak | For more complex ones, choose from chef, puppet, ansible, etc. | 07:49 |
rbasak | Sounds like you want ansible. | 07:50 |
stoned | Ok | 07:50 |
rbasak | You could write a bash script by hand, but you'll be reinventing much of what the existing tooling solves. | 07:50 |
rbasak | Though if you just want a learning experience, then sure. | 07:50 |
stoned | I | 07:51 |
stoned | I'll invest time into ansible. | 07:51 |
stoned | Write a playbook I can rely on. | 07:51 |
smb | cpaelzer, xnox, actually when following the git history further it seems that vsie was only added with 4.8 (could have sworn nested was there before but obviously I am wrong). So Xenial showing /dev/kvm seems to be the real bug. As for changing the nested: there are some kernel parameters which can be changed at any time but nested is not changeable, so one has to put it on commandline kvm.nested=1. However that | 08:03 |
smb | does not help on its own if the host is not running a kernel that allows this too. So xenial host bad luck z/a/b maybe | 08:03 |
cpaelzer | smb: yeah | 08:06 |
cpaelzer | smb: and there is more | 08:07 |
cpaelzer | not only does the host need kvm.nested=1 | 08:07 |
cpaelzer | it only works with -cpu host (libvirt host-passthrough) or host-model (remember to refresh libvirt capabilities after enabling vsie via the module) | 08:07 |
cpaelzer | it is really meant to be off and an explicit opt-in | 08:07 |
cpaelzer | so I agree, xenial having it on by default is the actual bug | 08:08 |
smb | Yeah, and given that this was never really working, I would no longer worry about more recent releases. Maybe need to "fix" xenial to avoid confusion | 08:09 |
cpaelzer | well the default (no cpu specified) works as well for me but "officially" the sie feature might be missing | 08:10 |
cpaelzer | or taken away for migratability or ... | 08:10 |
cpaelzer | smb: ack | 08:10 |
cpaelzer | smb: btw could I have a bug number on this | 08:10 |
cpaelzer | it didn't subscribe qemu yet | 08:10 |
cpaelzer | so I only work on gossip atm :-) | 08:10 |
smb | cpaelzer, maybe (not sure there was one opened already) | 08:12 |
* smb moves channels | 08:12 | |
=== JanC_ is now known as JanC | ||
jamespage | coreycb: that setuptools issue in gnocchi was python_distutils debhelper not being very clever | 09:57 |
jamespage | coreycb: pybuild appears to deal with py3 only better, so switching buildsystem | 09:57 |
jamespage | coreycb: something in the BD's pulls in python2, which gets detected by debhelpers distutils integration... | 09:59 |
jamespage | and then things explode | 09:59 |
xnox | cpaelzer, smb - somehow i feel odd that in later releases i cannot override this with a module reload. Would it still make sense to make kvm a module; and adjust qemu-system-init to load kvm module, such that one can adjust modprobe settings without rebooting? | 11:31 |
cpaelzer | xnox: I'd try to suggest so in #zkvm - I'd think that is less an Ubuntu than general upstream change | 11:51 |
jamespage | coreycb: some progress on deps (avoiding os-testr 1.0.0 for now) | 12:19 |
jamespage | coreycb: did heat, keystone in progress but needs pysaml2 version bump (dealing with that ATM) | 12:19 |
jamespage | coreycb: also have patch for dh-python to auto-detect and execute ostestr, testrepository or stestr based unit tests... | 12:20 |
jamespage | coreycb: http://paste.ubuntu.com/25967169/ | 12:21 |
ztane | hi, trying to understand the relation of rsyslog vs journald on 16.04 server default install | 12:48 |
ztane | what would go into rsyslog and what would go into journald and which order? | 12:48 |
ztane | ie do some syslog facilities, or all, get written to journal, or journal written to syslog or... | 12:49 |
BlackDex | win 29 | 12:49 |
ztane | no such window | 12:52 |
coreycb | jamespage: very nice, taking a closer look at dh-python now | 12:55 |
ztane | my goal is to get all of the logs to the papertrail, but if I pipe all of journal from journalctl I find out that most will be duplicates with also those from rsyslog and now trying to find out whether or not I can get everything of importance from just journald | 13:08 |
ztane | ok... it seems that not everything gets into journald | 13:13 |
ztane | also not everything gets into syslog, hmhmh | 13:13 |
smb | cpaelzer, according to this older bug report xnox claims the kvm module (when it was still a module) could not be loaded (https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1532886) hence it became built-in | 13:14 |
ubottu | Launchpad bug 1532886 in linux (Ubuntu Xenial) "s390x kernels are inconsistent for cloud stuff" [Medium,Fix released] | 13:14 |
xnox | smb, cpaelzer - that was true on xenial; on xenial all cloud/kvm instances have /dev/kvm.... despite that being "nested" | 13:16 |
xnox | smb, and by "all" i think it was comparison with amd64 and ppc64el. | 13:16 |
smb | which maybe was the reason for module loading failing (as 4.4 had no nested support on s390x at all) as we believe now. | 13:18 |
smb | there is time to try again module for bionic but then with more than just an irc discussion as background | 13:20 |
xnox | smb, well, there is some nesting support, i thought. since launching kvm in z/vm on lpar works, launching kvm in a kvm on an lpar should work too. | 13:27 |
smb | xnox, I'd say launching it in zVM is different because there zVM handles the one stage of nesting which for the kvm case the Linux kernel would have to do | 13:30 |
xnox | smb, right. | 13:30 |
xnox | smb, kvm in z/vm is slow | 13:31 |
smb | as would be kvm in kvm if it were working (what was said yesterday iirc) | 13:32 |
cpaelzer | I discussed and speed wise 4 levels are the last sane thing | 14:04 |
cpaelzer | so 2x HW + 2* shadow virt | 14:04 |
cpaelzer | but that is already borderline | 14:04 |
coreycb | jamespage: i've been dropping the drop-openstackdoctheme.patch's and bumping sphinx to >= 1.6.2 as I go | 15:37 |
jamespage | coreycb: ack - I've mostly dropped that patch, but some earlier uploads have not | 15:37 |
coreycb | jamespage: great | 15:37 |
coreycb | jamespage: that was kind of a pain last cycle | 15:38 |
jamespage | coreycb: I can imagine | 15:38 |
jamespage | coreycb: I'm really liking pybuild btw - digging on the code has been revealing | 15:38 |
jamespage | coreycb: basically it attempts to auto-configure testing based on what deps are in the BD's | 15:38 |
coreycb | jamespage: cool. yeah so basically we can drop our dh_auto_test sections if they simply call ostestr, etc? | 15:38 |
jamespage | so all you have to do is add python-nose/stestr etc... | 15:38 |
jamespage | coreycb: thats the idea | 15:39 |
coreycb | jamespage: that's really nice | 15:39 |
cpaelzer | nacc: wondering about http://paste.ubuntu.com/25968338/ | 16:00 |
cpaelzer | nacc: why would it try to spawn a debian lxd for build-source | 16:00 |
nacc | cpaelzer: head debian/changelog please ? | 16:00 |
cpaelzer | this is identical to your merge last week except the d/rules change | 16:00 |
cpaelzer | nacc: nut (2.7.4-5.1ubuntu2) bionic; urgency=medium | 16:00 |
nacc | cpaelzer: and edge snap? | 16:01 |
cpaelzer | I didn't even write bionic this time | 16:01 |
cpaelzer | r291 = stable | 16:01 |
cpaelzer | I always cycle edge/edge-fixes as needed | 16:01 |
nacc | cpaelzer: and it happens with edge too? | 16:01 |
* cpaelzer downloading snap | 16:01 | |
nacc | cpaelzer: for right now, nothing but the importer should use the stable snap | 16:02 |
cpaelzer | nacc: it now took ubuntu-daily:bionic, seems better on 333 from edge | 16:03 |
cpaelzer | many (many++) warnings from likely apt being parsed about non stable CLI | 16:03 |
cpaelzer | but that is something else | 16:03 |
cpaelzer | the petname of this is matching the test | 16:04 |
nacc | cpaelzer: ok | 16:04 |
cpaelzer | you better fly :-) | 16:04 |
cpaelzer | /usr/bin/lxc launch -e ubuntu-daily:bionic better-fly | 16:04 |
jamespage | coreycb: neutron is being awkward - some sort of multiprocessing issue during test discovery | 17:32 |
coreycb | jamespage: hmm | 17:34 |
jamespage | coreycb: trying with a minor patch level on eventlet | 17:34 |
jamespage | coreycb: https://launchpad.net/~james-page/+archive/ubuntu/bionic/+build/13733732 | 17:34 |
coreycb | ok | 17:35 |
coreycb | jamespage: glance unit tests get a bunch of mismatched http status asserts. i'm thinking one of the http deps needs to be bumped, so trying that route now. | 17:40 |
jamespage | coreycb: ack | 17:44 |
jamespage | coreycb: I think kje | 17:44 |
jamespage | coreycb: I think keystone will be OK now | 17:44 |
jamespage | I'll upload that later | 17:44 |
coreycb | jamespage: ok | 17:44 |
jamespage | however might be stuck on neutron for now | 17:44 |
jamespage | coreycb: I think we should probably push what we have into archive tomorrow AM | 17:44 |
coreycb | jamespage: ok | 17:44 |
jamespage | thus avoiding any conflicts with anyone else's work | 17:44 |
jamespage | coreycb: see how far you get with things; I'll publish tomorrow am | 17:45 |
coreycb | jamespage: sounds good | 17:45 |
=== stoned is now known as EnchanterTim | ||
sarnold | drab: thanks for helping out beatzz yesterday :) | 18:38 |
drab | sarnold: hey man, you're the one that figured it out, I just stabbed at the dark for like an hr... :) | 19:33 |
sarnold | drab: hehe, I only got lucky after you did all the grunt work :) | 19:34 |
drab | some call that genius :P | 19:38 |
sarnold | not the first time I stuck my name on papers where I did much less of the work.. | 19:40 |
R_P_S | Hi, was told to try this channel as well for juju support | 20:02 |
R_P_S | I created a juju controller from machine that is about to be decommissioned. I'd like to register the controller as admin/superuser from another machine but I have no idea how to find the registration string | 20:03 |
grendal_pure | I'm losing my mind here. all of a sudden my kvm virtualhost will not bring up the second bridge | 20:54 |
grendal_pure | looks like some sort of kernel bug. | 20:54 |
grendal_pure | set forward delay failed: Numerical result out of range | 20:55 |
grendal_pure | i can't even add a virtual nic to the one working nic on this machine. it's weird. | 20:56 |
powersj | cyphermox: did we ever come to a conclusion on the preseed of bionic? | 20:57 |
powersj | I wasn't clear if it was something missing on my end or something else. | 20:57 |
grendal_pure | has anyone else run into this issue? | 21:09 |
grendal_pure | set forward delay failed: Numerical result out of range | 21:09 |
grendal_pure | I have two nics in this server, one comes up and bridges eth1 -> br1 but eth0 -> br0 fails and when i manually kick it, it throws that error. | 21:10 |
grendal_pure | looks like i am able to connect a virtual network to the one device. I'm having to change the interface on a lot of machines though | 21:14 |
grendal_pure | setting up nat on that virtual device with same ip as the physical hardware that was bridged...what a mess | 21:15 |
cyphermox | powersj: I don't know what's wrong, it works here? | 21:15 |
cyphermox | maybe if you share more of the logs | 21:16 |
powersj | cyphermox: works with a bionic iso? because I could reproduce | 21:16 |
cyphermox | oh, that's right | 21:16 |
cyphermox | but yeah, it did here | 21:16 |
cyphermox | ppc64el | 21:16 |
cyphermox | no reason for architecture to matter to this | 21:16 |
powersj | correct | 21:17 |
powersj | http://cdimage.ubuntu.com/ubuntu-server/daily/pending/ | 21:17 |
cyphermox | could it be because you preseed xkb-keymap? | 21:17 |
powersj | I could pull that out and re-kick them off | 21:18 |
powersj | is that not a valid option? | 21:18 |
cyphermox | I don't really think it would make a difference since I did my test with it too | 21:18 |
cyphermox | but technically we don't really support that | 21:18 |
cyphermox | anything might be different between the /proc/cmdline on bionic and artful? | 21:20 |
necrophcodr | Is it possible to have an application that binds to a port, forcibly bind to a unix socket instead? | 21:24 |
necrophcodr | And if not, is it somehow possible to force it to only bind to that port in a specific namespace, and to communicate with that specific namespace on that port? | 21:24 |
cyphermox | powersj: I should already have been prompted for it (I just started a preseeded install again) | 21:24 |
powersj | cyphermox: can I see what preseed you are using? | 21:25 |
cyphermox | sure | 21:25 |
cyphermox | http://people.canonical.com/~mtrudel/preseed/utah-bionic.cfg | 21:25 |
cyphermox | I changed it to comment out xkb-keymap just before starting this install, but with it yesterday it was working well too | 21:26 |
cyphermox | I am getting prompted here and there for things (hostname, which drive to format, etc), but I didn't set priority=critical to give it more chance to prompt. | 21:27 |
powersj | cyphermox: interesting, that preseed locally works for me, which is further than I got before :) | 21:29 |
powersj | only change was commenting out the xkb-keymap? | 21:29 |
cyphermox | well, yeah, and commenting out unrelated things I just didn't want to add that are for utah | 21:31 |
cyphermox | xkb-keymap makes no difference here -- there's clearly a bug in what I'm trying to do, since I'm not getting the us:intl keymap I expect | 21:32 |
cyphermox | but that's different from prompting. | 21:32 |
cyphermox | it could just be that it's not called "intl" | 21:32 |
cyphermox | nah, it really is "intl" | 21:34 |
cyphermox | something looks not right, but it's not the same thing as prompting for something it already has in preseed, so I don't know what to tell you | 21:35 |
powersj | ok let me go play with the tests again then, as it does look like something changed | 21:36 |
cyphermox | ah? | 21:38 |
cyphermox | I'd really be on the lookout for auto=true and priority=critical not being in the command-line, if that's the case then the preseed would not be applied yet, which would explain getting prompted for keyboard | 21:38 |
powersj | cyphermox: I only see debconf/priority=critical | 21:40 |
powersj | auto=true required? | 21:40 |
cyphermox | powersj: not really | 21:40 |
cyphermox | powersj: can you remind me the url to utah? I believe I still have access | 21:47 |
powersj | cyphermox: the project itself or where we run the tests? | 21:47 |
cyphermox | just the url of the jenkins, I can't seem to find it anymore | 21:51 |
powersj | https://platform-qa-jenkins.ubuntu.com/view/server/ | 21:52 |
cyphermox | ah, thanks! | 21:53 |
powersj | The daily xenial test shows keyboard-configuration/layout as "30 question skipped", yet bionic is reporting "0 question will be asked" | 21:56 |
powersj | They use the same preseed | 21:56 |
cyphermox | yeah, but xenial vs. bionic is not a very useful comparison | 21:57 |
cyphermox | would be better to compare very late cycle artful | 21:57 |
srgjames | I could use someone who is smart. So I just set up an apache web server again on Ubuntu and could use the ip address in a url to access the default page. I then went back and created the files in sites-available, I'm pretty sure correctly, but now can't get to the site from url or ip address and no errors when I restart apache2.. Any way I can check if I set up the wrong settings on DigitalOcean or Google Domains? | 21:57 |
powersj | cyphermox: same with artful, last test was 27 days ago https://platform-qa-jenkins.ubuntu.com/view/smoke-default/job/ubuntu-artful-server-amd64-smoke-default/173/artifact/log/utah-56128-artful-server-amd64/installer/ | 21:58 |
cyphermox | powersj: yeah | 22:00 |
cyphermox | the preseed isn't quite the same though | 22:00 |
powersj | other than adding the xkb-keymap they should be the same | 22:01 |
powersj | which I added because I thought it needed it :\ | 22:01 |
cyphermox | nah | 22:01 |
cyphermox | it might actually be breaking things, as it resets some values | 22:01 |
powersj | ok let me revert that then | 22:01 |
powersj | but it was broken before I added it :\ | 22:02 |
cyphermox | I don't understand though, because I tried with both options | 22:02 |
powersj | cyphermox: Here is what is appending to the cmdline: -append netcfg/get_hostname=utah-6554-bionic-server-ppc64el log_host=192.168.122.1 log_port=0 DEBCONF_DEBUG=developer debconf/priority=critical | 22:12 |
cyphermox | yeah, but that's not anything special, nothing wrong | 22:21 |
powersj | cyphermox: I got an install syslog from a bionic install by pressing enter | 22:51 |
powersj | Comparing it to artful and before it asks me for the keyboard layout I see "Nov 15 21:37:51 debconf: --> GET debconf/priority Nov 15 21:37:51 debconf: <-- 0 high" | 22:52 |
powersj | whereas in artful it says critical | 22:52 |
nacc | rbasak: my branch cuts ipsec-tools full reimport time from 68 to about 40 minutes. Still working on checking the correctness | 22:58 |
powersj | cyphermox: artful: http://paste.ubuntu.com/25970598/ bionic: http://paste.ubuntu.com/25970599/ | 23:00 |
cyphermox | powersj: ack, I'll dig in to that | 23:01 |
powersj | thx | 23:01 |
nacc | rbasak: i'm thinking we should add a 'git repository comparison' function to the integration tests and have that help us assert hash abi breaks. We have the as-imported repository now, and we can see if the hashes change on a reimport at a given commit. | 23:40 |
nacc | powersj: is it possible to make a given pipeline stage a warning, but not a failure, or provide a flag to say "we know this breaks ABI, pass CI anyways"? | 23:40 |
powersj | nacc: I am not sure | 23:41 |
nacc | powersj: ok, np -- it's ok for it to be a failure anyways, in theory, we want that to trigger a manual examination | 23:41 |
nacc | powersj: as developers, we know (currently) when to expect a change to break hashes and when not | 23:42 |
powersj | nacc: looks like https://issues.jenkins-ci.org/browse/JENKINS-45579 is what we want | 23:42 |
nacc | powersj: ok, thanks | 23:43 |
nacc | rbasak: heh, i'm finally looking at your branch (not final review) a lot of what my branch does as well is prefix -> ref_namespace (aka ref_prefix). | 23:52 |