[06:33] <cpaelzer> good morning
[06:47] <lordievader> Good morning
[07:08] <cpaelzer> hi lordievader, welcome to a new week
[07:40] <lordievader> Hey cpaelzer , how are you doing.
[07:40] <lordievader> ?
[07:41] <cpaelzer> trying to deflect cyber-whatever ad-mails this week :-)
[08:03] <lordievader> Good luck 😉
[11:32] <jamespage> coreycb: I pushed a patch to stestr for the os-testr autopkgtest failure
[11:32] <jamespage> coreycb: also raised PR upstream
[12:09] <rbasak> cpaelzer: thank you for the review!
[12:10] <cpaelzer> rbasak: yw++
[12:10] <cpaelzer> rbasak: the tests were really good
[12:10] <cpaelzer> no additional issue found (on these tests :-) )
[12:11] <rbasak> Thanks!
[12:17] <cpaelzer> rbasak: if you could have a quick look (just to confirm if it hits only me) on bug 1734657 maybe?
[12:37] <rbasak> Looking
[12:38] <rbasak> cpaelzer: based on the code I think that's a valid bug
[12:39] <rbasak> It needs an rmtree in debian/ if it already exists first
[12:39] <rbasak> I can't remember why we aren't using dpkg-source -x already but IIRC there's a good reason
[12:51] <cpaelzer> rbasak: for now knowing it is valid is good enough
[12:51] <cpaelzer> rbasak: I can get around in that case with dpkg-buildpkg for now
[13:48] <cpaelzer> rbasak: FYI the old thing I remembered in regard to that mysql could you keep my chown/chmod was dpkg-statoverride
[16:57] <ahasenack> rbasak: ubuntu/devel in the bind9 tree is still pointing at xenial. If you run the importer on bind9 again, will that be fixed?
[16:57] <ahasenack> or does it need an actual new upload?
[16:58] <rbasak> ahasenack: I need to rerun the importer against it.
[16:58] <ahasenack> can you do that, or have you transitioned fully to mysql already? :)
[18:04] <danrik> `/dev/vdb1       655360 655360       0  100% /var` I cant create any directories because my inode usage is apparently above 655k.... why?
[18:05] <danrik> why cant I just have a lot of files on FS? I dont remember running into this inodes issue before
[18:10] <sdeziel> danrik: the amount of inodes is usually determined at the time of the mkfs and is based on the size of the FS. If you need more, I think you'll need to create a fresh FS and tell mkfs to allocate more inodes
[18:11] <danrik> sdeziel: is inodes some new thing? I dont remember ever having to worry about number of files ahead of time  - just the space available...
[18:12] <sdeziel> danrik: not new, no. Since it usually depends on the size of the FS, maybe you used bigger ones before?
[18:16] <danrik> well - learn something every day. thx. I'll make sure to max out inode numbers next time
[18:16] <Nafallo> or less files ;-)
[18:18] <danrik> it's our deployment system. we deploy entire project, which is only ~7mb compressed, but has a lot of files. When we deploy we just copy & symlink to new version. So many files accumulated in dev - never thought this would be an issue :)
[18:54] <ikla> how do I list/remove startup scripts in 16.04?
[18:55] <ikla> it looks like 1/2 is systemd and others are upstart
[19:25] <mike-zal2> I have a problem with network configuration during installation. automatic one fails and I want to configure it manually but installer asks for host name and jumps to the next steps, always. even when I go back, I can't set network manually.
[21:41] <mike-zal2> during install I was asked about user and its password, this will become sudo user. but what about root? how can I log in directly as root?
[21:42] <sarnold> mike-zal2: I believe it's enough to use sudo passwd root to set a password and unlock the account
[21:43] <mike-zal2> ok, thanks sarnold. I am used to have option to root password on other systems.
[21:57] <mike-zal2> sarnold: I changed root password and it seems to be ok, but I can't log in with it via ssh. it says that password is incorrect, but I paste the same so it cannot be wrong
[21:58] <Sling> mike-zal2: you shouldn't log in directly as root
[21:58] <Sling> bad security practice
[21:58] <sarnold> mike-zal2: my /etc/ssh/sshd_config has PermitRootLogin prohibit-password
[21:58] <sarnold> mike-zal2: probably yours is similar
[21:58] <mike-zal2> Sling: I know. it's not the point. I want to first HAVE a root password and then I will block it and establish a key
[21:59] <Sling> just 'sudo passwd' then
[21:59] <sarnold> mike-zal2: there may be additional mechanisms preventing root login over ssh, either via password or key, possibly also in PAM configurations. root password bruteforcing is a popular hobby of botnets, so it's probably not easy to enable.
[21:59] <mike-zal2> sarnold: that's weird, because usually when root is blocked it gives different output
[21:59] <Sling> also you can add a pubkey without actually logging in as root, if you have sudo
[21:59] <mike-zal2> I know how to secure server, I just need to do few things first
[22:00] <sarnold> mike-zal2: well, I'd expect the error given to the ssh _client_ to be very useless, but the error message in the _logs_ to be very much more helpful
[22:00] <Sling> just put it in /root/.ssh/authorized_keys
[22:00] <mike-zal2> Permission denied, please try again.
[22:00] <mike-zal2> maybe you're right, will check if root login is permitted
[22:00] <mike-zal2> usually it was permitted by default, at least on my previous installs
[22:04] <mike-zal2> I don't see root login prohibition in ssh_config
[22:06] <mike-zal2> but new root password seems to work when I switch from user to root. but not when newly connecting
[22:07] <mike-zal2> screw it then ;). installing virtualmin. I can set everything from there.
[22:07] <sdeziel> PermitRootLogin is probably what's preventing you from using a password
[22:08] <sarnold> is virtualmin one of those terrifying web-based management consoles?
[22:08] <sarnold> if so, please firewall the living hell out of it. those are normally disasters.
[22:08] <sarnold> way worse than just using root password=password123 or something.
[22:09] <Sling> yeah virtualmin is like turning your smooth fortress walls into a climbing wall with hooks and nooks for anybody to climb into your server
[22:09] <Sling> so much attack surface :)
[23:01] <drab> is there a vpn that's easier to get going and manage than openvpn?
[23:01] <drab> I mean, if it worked on a phone, I'd totally just use ssh creating a SOCKS5, that does everything that's needed, tunnelling both dns and traffic over ssh
[23:02] <drab> but you can't do it on a phone (at least a non rooted one, android rooted actually can setup ssh tunnel + proxy everything)
[23:05] <sdeziel> drab: strongswan is pretty nice and lets you use the phone/client's OS builtin client. It's not exactly easy to get going though
[23:05] <drab> sdeziel: thanks. also iirc some of those vpns solutions weren't playing well with NAT
[23:06] <sdeziel> drab: with strongswan, you should not have problems with NAT, IPsec can deal with NAT relatively well
[23:06] <drab> ok
[23:07] <drab> I'll take a look
[23:07] <drab> I don't quite understand why the vpn biz can't be as simple as ssh... probably not understanding the complexity behind it
[23:08] <drab> ssh with key based auth seems pretty good, can get in only if you have the pvt part and know the pwd to unlock the key... and if you the fingerprint to identify the server
[23:12] <drab> s/if you/you have/
[23:36] <sarnold> Sling: haha, 'climbing wall' :)
[23:36] <drab> sdeziel: actually it seems to end up the way if you wanna setup mobile clients, ie generating a whole bunch of certs
[23:37] <drab> altho maybe there's no generating the .ovpn file for the clients
[23:37] <sarnold> drab: strongswan looks good, wireguard looks good but has had WAY less scrutiny. There's also a hell of a lot less code to wireguard.
[23:37] <drab> sarnold: what pains me is the management of the thing, which I guess is why ppl pay for openvpn server connect
[23:38] <drab> configuring the whole shebang and managing all the clients is sort of annoying, you're basically maintaining a whole CA
[23:38] <sarnold> drab: yeah. Probably no real way around that though. it's either shared keys (eww) or certs and the like (eww)
[23:38] <sdeziel> drab: with openvpn or strongswan, you can have client authenticated with username/password
[23:39] <drab> like I said above, ssh seems plenty good as long as you have the fingerprint printed with you to verify it
[23:39] <drab> sdeziel: oh, the pre shared key seemed to be only for static ips, but maybe it was just the couple tutorials I saw
[23:39] <sdeziel> strongswan supports a similar authentication scheme where you don't need X.509 certs but can use bare pub/private keys
[23:40] <drab> most seemed to go back to x509 auth
[23:40] <drab> ah
[23:40] <drab> I missed that
[23:40] <drab> I'll google again
[23:40] <drab> thanks
[23:40] <sdeziel> drab: you usually want to use a X.509 cert on the server as most clients require that. Then with IKEv2, you can use username/password for the client auth
[23:41] <sdeziel> drab: the oldest client that doesn't support IKEv2 is the Android builtin client (but you can install the Strongswan app). This builtin client does support IKEv1 with XAUTH mode which essentially provides what you'd get from IKEv2 in roadwarrior setups
[23:42] <sdeziel> drab: don't trust random guides, they will burn you ;) https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 is a very good starting point
[23:43] <drab> yeah, that's why I ask here :P
[23:43] <drab> #ubuntu-server is my non-random guide ;)
[23:44] <sdeziel> alright, good night then