02:14 <law> hey all, is there a way to chroot bind9 under Ubuntu 16.04 LTS?
02:14 <law> I'm running into this upstream Debian bug - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820974
02:14 <ubottu> Debian bug 820974 in bind9 "does not start chrooted, ENGINE_by_id failed (crypto failure)" [Serious,Fixed]
02:15 <law> it seems to be fixed in Debian Unstable with 1:9.11.2+dfsg-5, but Ubuntu Xenial has 1:9.10.3.dfsg.P4-8ubuntu1.9
02:19 <blackflow> law: you can achieve the same effect with systemd's ProtectSystem directive. Bind also has a working AppArmor profile you can use additionally.
02:22 <blackflow> in addition you can run it as non-root, giving it the CAP_NET_BIND_SERVICE capability (needed to bind ports < 1000) for extra security
02:23 <law> eeeexcellent, thank you
02:23 <law> got any docs for setting bind up with ProtectSystem?
02:24 <blackflow> it's not bind specific, but systemd specific. see the systemd.exec(5) manpage
02:25 <law> do I need to prep a chroot-like directory, or does systemd take care of all that for me?
02:25 <blackflow> With ProtectSystem=strict, you run the service in a fs namespace which has the entire fs readonly. So you need to add ReadWritePaths, to allow bind to write the log and various cache and temporary files.
02:26 <blackflow> iirc, it requires /var/run/named, which means if you set RuntimeDirectory=named, systemd will mount /run/named (symlinked from /var/run/named) as RW with ProtectSystem=strict
02:26 <blackflow> I haven't yet got to hardening Bind like this, but I can give you my nginx service file, so you can adapt from it.
02:26 <law> sounds like I can remove the '-t /var/bind9/chroot' option from /etc/default/bind9, then?
02:26 <law> that'd be super, actually
02:28 <blackflow> consult the systemd manpages for those directives you're not familiar with, they're explained quite well
02:29 <blackflow> ah yes, /var/cache/bind, you'll need that for ReadWritePaths
02:33 <law> schweet, thank you!
04:21 <law> is there a way to verify ProtectSystem is working/active?
04:21 <law> 'ReadWritePaths=/var/cache/bind,/var/run/named,/var/log/bind9' seems to at least let the daemon start
08:55 <pankaj> Hello, please anyone reply.
08:55 * tomreyn replies
08:55 <pankaj> tomreyn: Hello
08:55 <tomreyn> pankaj: Hello
08:55 <tomreyn> !ask | pankaj
08:55 <ubottu> pankaj: Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience
08:58 <tomreyn> pankaj: do you have a question then?
08:58 <pankaj> tomreyn: I am just using irssi for the first time so I was testing it. I have to do more with it.
08:58 <pankaj> Just if you know about how to use irssi and more about some other important commands.
08:59 <tomreyn> i see, not really an #ubuntu-server question, i guess
09:01 <tomreyn> if you develop concrete questions on irssi and those other commands you deem important, you are welcome to /joion #ubuntu and ask them there (assuming they are ubuntu related). there should also be #irssi or ##irssi.
09:01 <tomreyn> * /join #ubuntu
11:28 <soahccc> My googlefu is failing me. What specifies which kernel a given release is going to use? We just got 2 new machines and after installation they end up with a different kernel than our other machines on xenial (4.4 vs 4.13).
11:30 <blackflow> soahccc: https://wiki.ubuntu.com/Kernel/LTSEnablementStack
11:31 <soahccc> blackflow: thanks :) that's it
11:47 <blackflow> While on the subject of kernels, I'm really interested to know what kind of effort it is to maintain an Ubuntu kernel. 18.04 is opting for 4.15 which is not an LTS kernel, meaning after a few years stuff will have to be backported without any support from upstream.
11:47 <blackflow> uh... months, not years.
12:14 <TJ-> blackflow: I suspect the workload will be worse for 4.15 since we've got a lot of Spectre patches to come and backporting some may be very invasive, but generally, it's not too burdensome
12:17 <blackflow> but why not 4.14. It would make so many things easier, and the next one is only 6 months later, for 18.10 and 18.04.1
12:18 <blackflow> I really don't understand the decision to go with 4.15. What is gained with not using LTS for LTS....
16:17 <mason> blackflow: How much overlap will there be between 4.15's LTS and 18.04's LTS?
16:18 <mason> Half a year. Hrm.
16:18 <mason> Yeah, 4.14 would have been a bunch less work.
16:46 <FingerlessGloves> Hi guys, I got a bridge setup in my /etc/network/interfaces, it won't come up at boot, have to do ifup
16:46 <FingerlessGloves> Any idea why?
16:49 <jelly> blackflow: upstream won't support 4.14 for very long really, often longterm are 2-3 years but a distro with a 5 year LTS has to do all the work from that point on and figure out all the security issues that upstream forgot to backport as well
16:51 <jelly> FingerlessGloves: care to show your interfaces to see if there's anything obvious?
16:51 <FingerlessGloves> surely the auto makes it come up at boot?
16:54 <ChmEarl> a private bridge needs a static config
16:55 <ChmEarl> yours says manual, not dhcp or static
16:55 <FingerlessGloves> tried that too
16:56 <jelly> manual is "here are some up and down command lines", sadly there's no syntax checker to stop you from doing what you did
16:57 <FingerlessGloves> hmm still no luck when it's set to static.
16:57 <jelly> does the boot log say anything
17:00 <FingerlessGloves> changed interface name to br_vianet
17:00 <FingerlessGloves> just so you know
17:01 <jelly> line 15 onwards is last reboot?
17:02 <FingerlessGloves> should have done dmesg instead of syslog
17:02 <jelly> it _looks_ like it's up
17:02 <FingerlessGloves> yet ip a says it's not
17:02 <jelly> what does "brctl show" say?
17:03 <jelly> and "ip a" or "ip l"
17:03 <FingerlessGloves> no bridges except the one lxc creates, lxcbr0
17:03 <FingerlessGloves> ip l doesn't show it either.
=== dtscode is now known as nchambers
17:16 <FingerlessGloves> /run/network/ifstate.br_vianet doesn't exist.
17:16 <FingerlessGloves> so could something be bringing down the interface?
17:50 <blackflow> jelly: 2-3 years is still better than months.
17:52 <jelly> blackflow: I suspect distro people have to track security and stability issues on their own anyway, so it's not as much extra work as one might expect
17:56 <jelly> I mean Canonical is already supporting what, 3.13, 3.16 (this one they share with Debian), 4.4 (WAS upstream longterm, is not any more), 4.9?, 4.13, so what's one more?
17:57 <jelly> honestly I half expected some distros to throw their hands in the air and go "everyone move to 4.14, upstream is crazy and we can't keep up"
18:00 <mason> jelly: They've changed the upstream LTS to five years.
18:01 <mason> Ooh. Six years. I was wrong. 4.14 would be supported upstream for just as long as 18.04.
18:02 <FingerlessGloves> jelly, still no luck, how odd :S
18:05 <mason> jelly: And... At least according to kernel.org, 4.4 is still LTS.
18:12 <jelly> mason: I'll believe that when I see latest KPTI in it
18:13 <mason> jelly: http://news.softpedia.com/news/linux-kernels-4-14-11-4-9-74-4-4-109-3-16-52-and-3-2-97-patch-meltdown-flaw-519215.shtml ?
18:14 <mason> I guess that's only half.
18:15 <jelly> yeah, and then a kernel dev goes on record on reddit saying "patches for < 4.14 are based on older KAISER releases, with known bugs in them, we're not going to care"
18:15 <mason> That goes along with the whole thing being an abominable mess I guess. :/
18:20 <jelly> ok, not reddit, but a similar site https://news.ycombinator.com/item?id=16087736
18:24 <jelly> six years would indeed be very very nice, I guess someone is trying to make android devices supported for a little bit longer, before someone like the EU enforces it in law?
18:24 <mason> That would be a huge boon.
18:24 <jelly> and makes a decision not to skip it... actually rather weird
18:24 <jelly> s/not //
18:43 <sudormrf> nope didn't work
19:06 <blackflow> huh, that spinics.net ml post, linked from the HN link above, about slowdowns on RedHat is bad news. I do suppose all of the pre 4.14 kernels are going to have a hard time due to no PCID support, unless their distros backport that too.
19:06 <blackflow> mess, indeed.
19:07 <blackflow> and knowing the upstream stance on running latest kernels, indeed tracking HWE kernels in Ubuntu would be the best thing to do, so it doesn't matter if 18.04 does 4.14 or 4.15. as soon as 18.10's kernel is up in HWE, upgrade time.
19:11 <mason> HWE can be hit or miss.
19:55 <sudormrf> can anyone help me with using openSSL as a root CA? chrome is being a jerk about recognizing the cert I am generating and I don't know what I am missing from the configuration file. I am using SANs but Chrome says it doesn't have any
19:55 <sudormrf> safari recognizes it just fine
=== fyxim_ is now known as fyxim