/srv/irclogs.ubuntu.com/2018/01/04/#ubuntu-server.txt

03:35 <masber> good afternoon, I have an ubuntu vm and I can't make the network work... this is the error message I see in journalctl -xe --> Failed to start Raise network interfaces.
03:36 <masber> failed with result 'exit-code'.
03:37 <masber> the story is I created a new vm and installed ubuntu in it but I made a mistake selecting the primary nic to setup the server ip
03:37 <masber> so after installation I went to the /etc/network/interfaces and changed the interface name to the right one
03:37 <masber> then I rebooted the networking server and I am getting this error since then
03:38 <masber> I am running ubuntu 16.04
03:38 <masber> any idea?
06:59 <allquixotic> Will the Canonical Livepatch Service be able to implement LPTI on running kernels or will a reboot be required?
07:01 <lordievader> Good morning
07:03 <cpaelzer> good morning
07:05 <lordievader> Hey cpaelzer how are you doing?
07:06 <cpaelzer> ignoring my habit to see things worse than they are, actually good :-)
07:06 <cpaelzer> how about you lordievader
07:06 <cpaelzer> had a good start?
07:07 <lordievader> Doing good here, got tea for a change
07:26 <lotuspsychje> for the users that might ask about kpti, !kpti has been updated
07:31 <trippeh> !kpti
07:31 <ubottu> Spectre and Meltdown are security issues that affect most processors, mitigated by a set of Linux kernel patches named KPTI. | General info: https://spectreattack.com/ | Ubuntu (and flavors) info: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown | An Ubuntu Security Notice will be released when updates are available, subscribe at https://usn.ubuntu.com/usn/
10:00 <cpaelzer> thanks lotuspsychje
13:49 <cpaelzer> ahasenack: ocfs2-tools is good now
13:49 <cpaelzer> ahasenack: do you want me to sponsor it as it is now?
13:49 <ahasenack> saw your reply, just replied to that
13:49 <ahasenack> running the dep8 tests locally
13:50 <cpaelzer> ahasenack: ok - give me (or another uploader) a ping when you think it is ready
13:50 <ahasenack> ok
13:50 <ahasenack> I can actually upload that one, just not push the upload tag
14:33 <cpaelzer> ahasenack: well we can revise the tag if needed
14:33 <cpaelzer> ahasenack: so I could push the tag as-is
14:33 <cpaelzer> which means you can upload if you are happy after some time
14:33 <cpaelzer> and if not we can change the upload tag to whatever is the truth then
14:33 <ahasenack> let's wait a bit, I'm getting a silly dep8 test error
14:33 <ahasenack> which works if I run it interactively in a vm
14:33 <cpaelzer> ok, waiting for you
14:34 <ahasenack> basic                FAIL stderr: yes: standard output: Broken pipe
14:34 <ahasenack> that's just a "yes | fsck.ocfs2 -f -y -F $DISK 2>&1"
14:36 <cpaelzer> ahasenack: I have seen such issues
14:36 <cpaelzer> being part of a "when does what die" problem
14:37 <cpaelzer> in my case I had an unlimited read from /dev/urandom piped to something else
14:37 <cpaelzer> yes is an endless-til-killed stream
14:37 <cpaelzer> so it might be the same issue
14:37 <cpaelzer> if you can run with a limited amount of "y" try that ahasenack
14:38 <ahasenack> what do you mean limited amount of "y"?
14:38 <cpaelzer> like 4 times "y" instead of infinite
14:38 <rbasak> I thought a pipeline was supposed to return the result of the final command?
14:38 <ahasenack> oh
14:38 <cpaelzer> rbasak: that is mostly just a warning
14:38 <cpaelzer> in my cases it didn't even affect RCs
14:38 <cpaelzer> ahasenack: does it for you?
14:38 <ahasenack> I'll try after lunch
14:38 <cpaelzer> affect RCs?
14:38 <rbasak> Oh
14:38 <rbasak> Hold on
14:39 <rbasak> You need allow-stderr in your Restrictions
14:39 <rbasak> IMHO, that's a wart with dep8 tests.
14:39 <ahasenack> rbasak: the test passed in the past
14:39 <ahasenack> and I don't get this error when I run it in a vm
14:39 <rbasak> OK, so that's a race that cpaelzer is describing.
14:39 <cpaelzer> yeah if that goes out on stderr then rbasak is right, the allow is needed then
14:39 <ahasenack> so yes, allow-stderr would work around it
14:40 <ahasenack> but I will try a bit more some other tricks before
14:40 <rbasak> If you're going to use a yes | pipe, then I think an allow-stderr is required.
14:40 <rbasak> And would be the correct fix.
14:40 <cpaelzer> OTOH if you can easily do the same with limited number of "y" do that
14:40 * ahasenack -> lunch
14:40 <cpaelzer> expect might be the best but also most complex solution
14:40 <teward> i think i asked this but didn't get a response, who do I have to bother about the cloud-images.ubuntu.com linux images for lxc/lxd, because there's a small issue with them...
14:40 <teward> minor but annoying ultimately :P
14:40 <cpaelzer> stgraber: ^^
14:41 <cpaelzer> oh sorry
14:41 <rbasak> teward: ask the actual issue please :)
14:41 <cpaelzer> are lxc/lxd even on cloud-images?
14:41 <rbasak> ubuntu:xenial comes from somewhere. No idea where :)
14:42 <teward> cpaelzer: the disk images for {INSERT_UBUNTU_RELEASE_HERE} are.  https://paste.ubuntu.com/26319708/ for `lxc remote list` output
14:42 <teward> rbasak: the cloud images, when spun up by LXC/LXD, don't get the hostname added to /etc/hosts
14:42 <teward> which can in some cases cause issues with `sudo` and such
14:42 <teward> Debian's cloud images have no problem with this
14:42 <cpaelzer> ok, then they are pushed there
14:42 <cpaelzer> still I think the highlight to stgraber ^^ still is the right one for you
14:43 <rbasak> teward: http://cloudinit.readthedocs.io/en/latest/topics/modules.html#update-etc-hosts
14:43 <rbasak> "If this is set to false, cloud-init will not manage /etc/hosts at all. This is the default behavior."
14:43 <teward> rbasak: so, then, where does one make that change
14:44 <rbasak> lxc profile edit default
14:44 <rbasak> config:
14:44 <rbasak>   user.user-data: |
14:44 <rbasak>     #cloud-config
14:44 <rbasak>     manage_etc_hosts: localhost
14:44 <teward> *throws the !pastebin factoid at rbasak*
14:44 <teward> just saying :P
14:44 <teward> i'll update that
14:45 * rbasak throws the manual back at teward :-P
14:45 <teward> rbasak: *very* odd though that that only happens for the Ubuntu images
14:45 <rbasak> Ubuntu images from ubuntu:xenial etc. use cloud-init by default
14:45 <rbasak> images:debian/sid/amd64 etc. do not.
14:45 <teward> ah, makes senses.
14:45 <teward> sense*
14:45 <rbasak> I'm not sure what images:ubuntu/... does. Presumably they don't use cloud-init. But I normally want cloud-init, so I never use those ones.
14:46 <teward> nor I ;P
14:53 <teward> well now I've updated all my LXC/LXD systems accordingly heh
14:57 <rbasak> smoser: any thoughts on moving the manage_etc_hosts default? When do people _want_ it to be false, except to avoid breaking existing setups?
15:00 <Odd_Bloke> teward: rbasak: cpaelzer: ubuntu:* and ubuntu-daily:* come from cloud-images.u.c.; images:* come from stgraber.  The cloud-images project would be the appropriate place on LP to file a bug. :)
15:01 <stgraber> though in this case, whether it's a bug is debatable, I've always found it weird that cloud-init doesn't generate the /etc/hosts entry, but based on its documentation, it's clearly deliberate
15:05 * rbasak files bug 1741277
15:05 <ubottu> bug 1741277 in cloud-init (Ubuntu) "manage_etc_hosts default is unhelpful" [Undecided,New] https://launchpad.net/bugs/1741277
15:11 <teward> stgraber: could we not override that on our side of things?
15:11 <teward> because in 99% of cases you are probably going to *expect* it to not cause `sudo` to explode in the lxc/lxd container with an 'unable to find hostname HOSTNAMEGOESHERE' error
15:11 <teward> it still works, but...
15:12 <stgraber> teward: the easiest would be to have a different default in cloud-init when dealing with a container, though I'd expect the sudo issue to be just as true inside a cloud instance, so not sure why this is lxd-specific
15:12 <teward> stgraber: so far i've only noticed it in lxd.
15:13 <smoser> rbasak: well, in cases where dns works, a sane cloud that provides dns entry in its dhcp (or otherwise) provided dns servers
15:13 <teward> but since i don't have any non-lxd cloud-init-initiated instances... :P
15:14 <smoser> in such an environment, the cloud knows the right result for looking up hostname, and if you put an entry in /etc/hosts for localhost, you break what would have worked.
15:14 <smoser> the issue is not "lxd specific", it's "broken cloud specific".
15:15 <smoser> why should the platform not provide an answer for the hostname that it gave the instance from the dns server that it provided to the instance.
15:15 <rbasak> Is it sane for the local hostname to result in a round trip around the network via DNS?
15:15 <smoser> maybe
15:15 <smoser> i honestly think that the sane fix is to stop sudo from doing that nonsense.
15:15 <smoser> no one uses sudo like that anymore
15:16 <smoser> with one sudo config spread across multiple hosts
15:16 <rbasak> I think it's reasonable for a system to expect to always get a result from looking up itself.
15:16 <rbasak> On lxd, we're in a position to make that happen.
15:16 <smoser> where the hostname of the system is looked up via dns
15:16 <rbasak> The question is just about which component should manage that.
15:16 <smoser> really, i think the solution for "get rid of that warning from sudo" is to *get rid of that warning from sudo*
15:17 <rbasak> It's not just sudo.
15:17 <rbasak> Other stuff breaks too.
15:17 <smoser> like ?
15:17 <rbasak> I don't recall.
15:17 <rbasak> I don't see it often, because I consider a system not being able to look up its own name as broken and always fix that first.
15:17 <smoser> and anything that *does* depend on it is honestly probably broken.
15:18 <smoser> in some way, it's an overly simplistic solution to "what's my IP address" or something like that.
15:18 <rbasak> Perhaps
15:18 <rbasak> But it's still broken for a system to not be able to look up its own name
15:18 <smoser> yeah.
15:18 <TJ-> There was a bug recently affecting sudo causing hangs when the system was offline, when mdns was installed for nsswitch, too
15:19 <smoser> i do think we should look at doing this better, and have a solution for bionic that does the best thing.
15:19 <smoser> can anyone actually justify sudo doing a hostname lookup?
15:19 <rbasak> I don't object to fixing sudo. I just don't think that resolves the issue from the user's perspective.
15:19 <smoser> in a year > 2000 ?
15:19 <TJ-> nacc and I were debugging it, bug 1295229
15:19 <ubottu> bug 1295229 in nss-mdns (Ubuntu) "With 'hosts: mdns4' in nsswitch.conf, getaddrinfo() returns -5 (EAI_NODATA) when network interface is down" [Undecided,Confirmed] https://launchpad.net/bugs/1295229
15:20 <rbasak> The problem with sudo is that the file format specification will continue to permit hostnames even if nobody uses that facility.
15:20 <rbasak> Changing that is extremely difficult.
15:20 <rbasak> So then it becomes a request to optimise sudo to not do a lookup unless it needs it.
15:20 <TJ-> could the solution be in nsswitch instead ?
15:21 <rbasak> TJ-: then it wouldn't (easily) be configurable though.
15:21 <rbasak> OTOH, the solution in /etc/hosts is fine and is configurable.
15:21 <smoser> TJ-: i think that is in the realm of 'myhostname' plugin or something
15:21 <smoser> https://www.freedesktop.org/software/systemd/man/nss-myhostname.html
15:21 <TJ-> smoser: yeah, thanks for jogging my memory on that one... we found that a recent addition
15:22 <rbasak> That's interesting
15:23 <smoser> TJ-: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1730744
15:23 <ubottu> Launchpad bug 1730744 in systemd (Ubuntu) "sudo is slow (10 seconds) when hostname is not resolvable" [Undecided,New]
15:23 <smoser> that is related
15:24 <smoser> i came to the party late
15:24 <smoser> is that the bug that was originally being raised.
15:25 <rbasak> I suppose the real intention of my bug is "not all platforms running cloud-init make the system hostname resolvable by default"
15:26 <rbasak> I'd consider it resolved as soon as that is true.
15:26 <TJ-> smoser: in the case that nacc and I investigated, we found the nsswitch.conf "hosts: ..." entries didn't seem to be processed in the order, or according to the rules, as documented
15:27 <smoser> well, all this is part of why i leave it untouched.
15:28 <TJ-> right, the case was a default 17.10 install too.
16:02 <ahasenack> hi, can someone please import ubuntu-fan into the ubuntu server git repo?
16:02 <ahasenack> rbasak: cpaelzer ^
16:03 <cpaelzer> ahasenack: I'll do so
16:04 <ahasenack> thanks
16:04 <cpaelzer> running
16:04 <cpaelzer> but I think it had a native git
16:04 <cpaelzer> check d/control maybe?
16:04 <ahasenack> hm
16:05 <ahasenack> nothing in there
16:05 <ahasenack> not even a single url
16:06 <ahasenack> readme points at http://www.ubuntu.com/fan and that's it
16:06 <ahasenack> the other url is for iana.org
16:06 <ahasenack> that /fan one is a 404, btw
16:09 <ahasenack> cpaelzer: beware the launchpad login oauth token prompt, it's easily missed
16:12 <nacc> cpaelzer: please also add to whitelist
16:14 <cpaelzer> nacc: what would happen if we don't other than getting out of sny?
16:14 <cpaelzer> sync
16:15 <nacc> cpaelzer: it breaks the assumption that all of the existing repos keep up with the publisher
16:15 <nacc> cpaelzer: but that's it :)
16:19 <cpaelzer> ahasenack: imported
16:19 <cpaelzer> nacc: added to whitelist
16:19 <nacc> cpaelzer: thx
16:20 <cpaelzer> rbasak: I didn't realize what you meant with a fetch being needed along that
16:20 <cpaelzer> anything I should do?
16:23 <ahasenack> !kpti
16:23 <ubottu> Spectre and Meltdown are security issues that affect most processors, mitigated by a set of Linux kernel patches named KPTI. | General info: https://spectreattack.com/ | Ubuntu (and flavors) info: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown | An Ubuntu Security Notice will be released when updates are available, subscribe at https://usn.ubuntu.com/usn/
16:27 <rbasak> cpaelzer: we mean the bastion gets the whitelist straight out of the git tree rather than the snap. So the bastion needs the updated whitelist fetching with git before it'll take effect.
16:27 <rbasak> (also the loop restarting I think)
16:28 <rbasak> I don't think you need to do anything.
16:28 <rbasak> But probably useful to know that.
16:28 <cpaelzer> thanks rbasak
16:39 <Neo4> I'm going to make user root owner apache, put in apache2.conf root instead www-data?
16:39 <Neo4> it can solve permission problem?
16:39 <Neo4> now I need always put www-data to group of my user
16:40 <Neo4> ???
16:40 <Neo4> in ubuntu-server guide I've read it is possible
16:40 <Neo4> but not recommended, why?
16:42 <nacc> Neo4: you want root to own your website?
16:42 <nacc> Neo4: then if there is an exploit of apache2, the exploiter has root on your system, potentially
16:42 <Neo4> nacc: yes, for apache2 can be able write files always
16:43 <nacc> Neo4: that's not a reasonable thing for a webserver
16:43 <Neo4> nacc: do you think it's possible? Exploit can be if I install some module?
16:43 <Neo4> nacc: ok, I'll train command chmod and find then
16:44 <Neo4> nacc: always should after install site put rights 775 and 664
16:44 <Neo4> if would apache is root I right would be 755 and 644
16:45 <Neo4> nacc: or I should just change owner of files from my user to www-data
16:45 <Neo4> but I put root and neo is my current user to www-data group and www-data to group neo and root
16:45 <Neo4> and rights 775
16:46 <teward> NEVER add anything to the `root` group
16:46 <teward> NEVER add yourself to the `www-data` group
16:46 <teward> NEVER add the webserver www-data user to your own user group
16:46 <teward> use actual permissions to control things instead
16:46 <Neo4> teward: why?
16:46 <teward> or ACLs for 'customized' rules.
16:46 <teward> Neo4: permissions and security
16:46 <Neo4> teward: if file will have ownership www-data and group www-data I can't copy this file ?
16:46 <teward> you *never* want to give `www-data` or non-root system accounts access to `root`
16:47 <teward> Neo4: I think you need to get an understanding of how file permissions work
16:47 <teward> and how the underlying system permissions structures on Linux work
16:47 <Neo4> teward: I know
16:47 <teward> BEFORE continuing.  my two cents.
16:47 <Neo4> teward: see www-data create his own files and owner will be www-data : www-data
16:48 <teward> i know this - i'm very fluent in filesystem permissions.
16:48 <teward> the problem is
16:48 <teward> you want someone *else* to access the data
16:48 <Neo4> I'll connect to my server and can't edit these files, because apache creates them with 755 rules and my user is not in group
16:48 <teward> well, the `root` user has god access to everything that doesn't have specialized access permissions
16:48 <Neo4> teward: yes, for edit files
16:48 <teward> want to know another method?
16:49 <Neo4> teward: if my user neo in www-data group I put right 775 or 664 and can do it
16:49 <teward> Neo4: alternatively
16:49 <teward> you can give your user ownership of the files
16:49 <teward> www-data as group access
16:49 <teward> and set the setgid bit for all directories
16:49 <teward> and set the setgid bit for all directories within the document root*
16:49 <teward> thereby giving both you and `www-data` read/write/edit permissions.
16:50 <teward> which is the ***proper*** way to do this.
16:50 <teward> ... well one of them anyways.
16:50 <Neo4> teward: I don't know what is setgid bit
16:50 <teward> https://askubuntu.com/questions/767504/permissions-problems-with-var-www-html-and-my-own-home-directory-for-a-website/767534#767534
16:50 <teward> steps 1, 2, and 3.
16:50 <teward> replace `/var/www/html` with the actual directory for your document root
16:50 <teward> and stop messing with who has group access to whichever account
16:50 <teward> then go research how filesystem permissions work in Linux
16:51 <teward> because if you don't understand the basic permissions structure, IMO you should probably be hiring someone to do this stuff for you instead :P
16:51 <teward> (yes i'm salty and grumpy today, i've been staring at code all day so my eyes hurt and i have a massive headache)
16:51 <teward> (and four servers explodified so i'm busy rebuilding those... what a horrible day for me >.>)
16:52 <Neo4> :)
16:52 <Neo4> ok
16:53 <Neo4> thanks, will try
16:53 <teward> step 3, the setgid bit, just basically says "Any file created in this directory with default permission settings will get the group set to the same group-ownership as the folder it's created in" in a nutshell
16:53 <teward> it's far more complex than just that
16:53 <teward> but it's the brief explanation
16:53 <teward> now i need coffee
16:53 * genii slides one on over to teward, ASAP
19:22 <ahasenack> I'm trying to debug a dns resolution problem in an lxd container (artful),
19:22 <ahasenack> /etc/resolv.conf has nameserver as 127.0.0.53
19:22 <ahasenack> that's systemd-resolved
19:23 <ahasenack> and it's not working: dig @127.0.0.53 just times out
19:23 <ahasenack> but dig @some-external-dns works just fine
19:23 <ahasenack> so where do I find out which forwarders systemd-resolved is using?
19:23 <ahasenack> tcpdump -i any port 53 shows nada when I use dig against @127.0.0.53, just dig's requests, but no reply
19:24 <ahasenack> /etc/systemd/resolved.conf has everything commented (#)
19:24 <teward> ahasenack: did you *specify* any DNS servers in the network config or in the host for the LXD bridge/dhcp to assign?
19:25 <ahasenack> it's an lxd deployed via juju into that host, which is deployed via maas
19:25 <ahasenack> the host is fine
19:25 <ahasenack> the host also has 127.0.0.53 in resolv.conf,
19:25 <ahasenack> and its /etc/systemd/resolved.conf is also default
19:25 <ahasenack> so I also don't know where the host is getting the upstream dns from
19:26 <ahasenack> but host is bionic, netplan all the way
19:26 <ahasenack> hm
19:27 <ahasenack> juju also used netplan for this xenial container...?
19:27 <ahasenack> it just created the netplan config, but netplan is not even installed in this container, so that's a no-op
19:28 <ahasenack> but yeah, /etc/network/interfaces has no dns-nameserver config
19:28 <ahasenack> just the domain
19:28 <ahasenack> and the loopback interface does have a dns-nameserver, and that's 127.0.0.53
19:28 <ahasenack> which is what ended up in /etc/resolv.conf
19:30 <ahasenack> but why would 127.0.0.53 not even try the root servers
19:35 <ahasenack> I think it's in a loop
20:08 <sarnold> I don't think systemd-resolved is a recursor, is it? I thought it just forwarded queries to another server
20:08 <sarnold> I wouldn't expect it to check roots itself
20:09 <teward> sarnold: last i checked it isn't
20:09 <teward> but if systemd-resolved has no upstream DNS set for forwarding it just implodes
20:09 <teward> same issue I had with dnsmasq ;)
22:40 <patdk-lap> odd, everyone has released patches now, except ubuntu :(
22:55 <dax> to be fair, Debian only *just* released
23:13 <mason> https://security-tracker.debian.org/tracker/CVE-2017-5753 doesn't reflect a release yet
23:13 <mason> nor https://www.debian.org/security/
23:16 <mason> Ah, but https://lists.debian.org/debian-security-announce/2018/msg00000.html
23:21 <oerheks> https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/
23:21 <oerheks> "everyone has released patches now" ???
23:34 <TJ-> patches are great, what we need is built and published binaries :D

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!