[00:09] <kneeki> I cannot get Apache2.4 to list the contents of a directory... I've tried .htaccess and modifying the <VirtualHost> <Directory> with no luck. What's another reason that Apache would prevent directory browsing?
[00:13] <patdk-lap> with that amount of info? no
[00:13] <patdk-lap> installing the directoryindex module
[00:13] <patdk-lap> and activating it
[00:13] <patdk-lap> make sure that option is turned on
[00:17] <sarnold> I once spent five or six hours learning that apache <Directory> directives MUST NOT END with a /
[00:21] <patdk-lap> :)
[00:50] <kneeki> sudo a2enmod autoindex && sudo service apache2 restart ... With my other VirtualHost options got 'er working. Thanks patdk-lap
[01:44] <k_sze> How do I find the path of a systemd unit file?
[01:47] <ChmEarl>  lib/systemd/system/<unit>.service
[01:59] <k_sze> I can't get iptables-persistent to work.
[01:59] <k_sze> I have rules saved in /etc/iptables/rules.v4.
[02:00] <k_sze> The netfilter-persistent.service starts at boot time.
[02:00] <k_sze> But I just don't see the rules added.
[02:07] <k_sze> (This is using Ubuntu Server 64-bit 16.04)
[02:09] <ChmEarl> k_sze, check /etc/default/iptables* for settings
[02:10] <k_sze> ChmEarl: No such file(s).
[06:13] <k_sze[work]> Does ufw automatically persist rules and load them on reboot?
[06:59] <lordievader> Good morning
[07:03] <k_sze[work]> If I look at the output of `iptables -4 -L`, I see there's already a rule for sshd to allow incoming NEW connections.
[07:03] <k_sze[work]> But how does that rule get added?
[07:04] <k_sze[work]> It seems that I never had iptables-persistent before, so it must have come from somewhere else.
[07:04] <lordievader> k_sze[work]: You didn't set that up in ufw?
[07:04] <k_sze[work]> I never had ufw active either.
[07:05] <lordievader> That's a bit odd.
[07:07] <k_sze[work]> Does systemd have the power to automatically add firewall rules?
[07:08] <k_sze[work]> I see /lib/systemd/system/ssh.socket has ListenStream=22 Accept=yes
[09:47] <tobasco> jamespage: is gnocchi py2 something that can be squeezed into queens release, milestone 3 now and release is closing in. tried to find if gnocchi even supports py2 still but no compat list on gnocchi.xyz page or their docs
[09:51] <jamespage> tobasco: we think so yes
[10:10] <k_sze[work]> what the...
[10:10] <k_sze[work]> my /etc/network/interfaces gets overwritten on reboot.
[10:11] <k_sze[work]> How does that even work?
[10:13] <tobasco> jamespage: cool, thanks!
[10:20] <Odd_Bloke> smoser: What does CRSN in streams data actually stand for?
[11:19] <k_sze[work]> Seriously, I can't figure out, for the life of me, how iptables works in Ubuntu 16.04.
[11:19] <k_sze[work]> Where do the rules for http, smtp, pop3, imap, and ssh even come from? I never added those rules myself.
[11:20] <rbasak> Do you have ufw installed and enabled?
[11:20] <rbasak> If so, that's what's doing it.
[11:20] <k_sze[work]> rbasak: I specifically tried disabling ufw and rebooting
[11:20] <k_sze[work]> the rules are still there.
[11:20] <rbasak> It's not normal. I'm not aware of anything that does this by default.
[11:21] <rbasak> I'm not sure it's Ubuntu that's doing it then. Have you installed anything else on your system?
[11:21] <k_sze[work]> Well, they are all packages from the official repo
[11:22] <k_sze[work]> Sure, I have nginx and openssh installed and their services are running, but I never added the iptables rules myself.
[11:23] <k_sze[work]> The firewall landscape is a mess.
[11:24] <k_sze[work]> I wish there's a way to trace where the firewall rules came from.
[11:27] <k_sze[work]> I also have postfix service running, so maybe that's contributing to the rules for smtp, pop3, imap.
[11:27] <rbasak> I think there is infrastructure to do that, but there's no direct tooling since it's a pretty uncommon problem you have there.
[11:27] <k_sze[work]> But still, what mechanism?
[11:27] <k_sze[work]> rbasak: that's not even my main problem.
[11:27] <k_sze[work]> rbasak: my main problem is that I can't get my own custom rules to persist.
[11:28] <k_sze[work]> I have iptables-persistent and netfilter-persistent installed.
[11:28] <k_sze[work]> journalctl says netfilter-persistent started successfully at boot time.
[11:28] <k_sze[work]> but I just don't see my custom rule.
[11:28] <k_sze[work]> And it's not like my rule has a syntax error, otherwise I would see a complaint in journalctl.
[11:30] <k_sze[work]> (and of course, my rule is in the usual /etc/iptables/rules.v4)
[11:31] <TJ-> k_sze[work]: does the system have firewalld installed? That supports rules added dynamically by services via Dbus for example, which would explain what you're seeing
[11:31] <k_sze[work]> let me check
[11:32] <k_sze[work]> `systemctl status firewalld.service` says no such file or directory
[11:32] <k_sze[work]> `dpkg -l firewalld` also says it's not installed.
[11:37] <TJ-> k_sze[work]: how about "sudo grep -rn 'INPUT' /etc/ /var/lib/" - if they're defined and saved that should pick them up
[11:38] <k_sze[work]> Hmm, I see /etc/iptables.firewall.rules has the rules.
[11:39] <k_sze[work]> But it's dated April 26th, 2015.
[11:40] <k_sze[work]> That's *very* old. Seems like a file left to its default content to me.
[11:40] <k_sze[work]> Because that date is even before the release of 16.04.
[11:42] <k_sze[work]> Or did I write that file while on 14.04 and then I upgraded to 16.04?
[11:42] <k_sze[work]> I can't remember if I ever upgraded that server.
[11:42] <k_sze[work]> Is there a way I can tell?
[11:42] <k_sze[work]> I mean, if I can tell whether the server was upgraded from a previous release.
[11:43] <TJ-> k_sze[work]: how about "sudo grep -rn 'iptables\.firewall\.rules' /etc/"
[11:44] <rbasak> k_sze[work]: sudo cat /var/log/installer/version
[11:44] <rbasak> or media-info
[11:44] <rbasak> media-info is probably better
[11:45] <k_sze[work]> no version file, and media-info is empty.
[11:46] <rbasak> Don't know then. Perhaps the timestamp of media-info is a clue
[11:46] <k_sze[work]> April 23, 2015
[11:46] <k_sze[work]> So maybe I *did* write that iptables.firewall.rules file a few days after installing the OS.
[11:48] <k_sze[work]> Right... /etc/network/if-pre-up.d/firewall restores the rules from that file.
[11:49] <TJ-> also "ls -l /var/log/dist-upgrade/"
[11:50] <k_sze[work]> So maybe I followed some "old-style" instructions before iptables-persistent became the recommended way.
[11:52] <rbasak> I'm not sure iptables-persistent is the recommended way.
[11:52] <rbasak> It's just _a_ way.
[11:52] <rbasak> Looks like it's in universe.
[11:53] <k_sze[work]> I say recommended because newer tutorials seem to mostly mention iptables-persistent.
[11:54] <k_sze[work]> Anyway, home time. (It's almost 20:00 and I'm still in the office...)
[11:55] <k_sze[work]> Thanks for the help.
[13:34] <smoser> Odd_Bloke: cloud region short name
[13:35] <smoser> which clearly has evolved to not mean anything :-(
[13:37] <smoser> i think i probably had intended to keep them unique. i think we could probably re-work it. so that we had more consistent things.
[13:37] <smoser>  aws-us-east-1
[13:40] <smoser> the real value of it is that it is used as compression via the 'alias' stuff.  then each item can have endpoint and region but be represented in compressed form by just the 'crsn'
[13:47] <Odd_Bloke> Right.
[13:47] <Odd_Bloke> Well, it does do that, just per-cloud.
[14:26] <smoser> Odd_Bloke: i saw i think in gce a 'None' in part of the sting
[14:26] <smoser> string
[14:26] <smoser> Nonesomething
[19:09] <boxrick> Hello!
[19:09] <boxrick> I wish to use gpg2 and alias over the gpg command
[19:09] <boxrick> Is this going to have implications on the core Ubuntu workings with apt and such?
[19:11] <nacc> boxrick: what version of ubuntu?
[19:12] <boxrick> 16.04
[19:13] <nacc> boxrick: so install gnupg2 ? why do you need to change the gpg default?
[19:13] <boxrick> So I have installed gnupg2 and it works fine.
[19:13] <boxrick> However I wish for anyone using the system to default to version 2 over 1
[19:13] <nacc> boxrick: why?
[19:14] <nacc> boxrick: i don't think you actually want that, without some further thought -- folks can just invoke gpg2, no?
[19:15] <boxrick> This is more of a simple ease of use
[19:15] <boxrick> People type 'gpg' rather than gpg2 for example as habit. I just want to catch that
[19:18] <nacc> boxrick: they are, iirc, not compatible with each other ...
[19:18] <nacc> so i think once they move, they won't be able to go back, but i'm not 100%
[19:18] <nacc> it doesn't seem like something you want to do transparently
[19:19] <nacc> boxrick: but if you insist, just add an alias, or an alternative
[19:19] <boxrick> I'd rather just remove gpg1
[19:19] <boxrick> But that's rather essential to the workings of Ubuntu
[19:20] <boxrick> The intent here is to just set people up going with v2 and not need to worry about 1.
[19:28] <TJ-> boxrick: so you want the system to have access to gpg (v1) but users gpg (v2) - could you do it via /etc/profile so logins see an "alias gpg=/usr/bin/gpg2" ?
[19:29] <nacc> that's what i meant by add an alias above :)
[19:30] <TJ-> nacc: sorry, I didn't see it... my vision has literally blurred from tracing/reporting so many bugs today
[19:31] <nacc> TJ-: np :)
[19:31] <nacc> yours was more detailed anyways
[19:59] <sarnold> boxrick: you may consider doing a symlink from ~/bin/gpg to /usr/bin/gpg2 so it only affects your user account and not system tools
[20:22] <Neo4> what is root@localhost?
[20:26] <Neo4> I want to get all my errors from VPS to my mail on google, how to do it?
[20:28] <nacc> sarnold: good point
[20:28] <nacc> sarnold: my impression was a multi-user system
[20:29] <nacc> Neo4: it is a user @ a hostname
[20:29] <Neo4> nacc: all apps on linux send errors to this root @ localhost on default?
[20:30] <nacc> Neo4: no, some just log them
[20:30] <Neo4> nacc: and others what to do?
[20:30] <Neo4> say default linux apps log on that mail errors, I need to get it
[20:30] <Neo4> what I shall to do?
[20:31] <nacc> Neo4: I don't understand your question
[20:31] <Neo4> I've already installed postfix
[20:31] <Neo4> nacc: see root@localhost I want change it on neovichnn@gmail on my real mail
[20:31] <nacc> I believe that's just an envelope setting
[20:32] <Neo4> nacc: how do you get errors on mail?
[20:32] <nacc> Neo4: you have two completely different questions
[20:32] <sarnold> Neo4: if I've understood you correctly, look at the msmtp-mta package
[20:32] <Neo4> I something read it possible redirect them on your real mail and if something will wrong with VPS you'll get message and react fast
[20:33] <nacc> 1 is just what the user is that's receiving error/admin mails
[20:33] <nacc> 2 is how to forward local error/admin mails to a remote server
[20:33] <Neo4> sarnold: I have postfix
[20:33] <Neo4> and I don't know how there something change for get what I want
[20:34] <Neo4> nacc: no, first you can omit
[20:34] <Neo4> nacc: apps that exists in linux send message to root@localhost but it's not exactly and I want get this messages
[20:34] <Neo4> root@localhost it's not real mail
[20:34] <nacc> sure it is
[20:34] <nacc> on localhost it is
[20:35] <nacc> i think you are misunderstanding something
[20:35] <nacc> as root on localhost, you run `mail` and read that just fine
[20:37] <Neo4> nacc: if will apache send message it will www-data @ name of my computer if it will use postfix it will www-data @ kselax.ru . I changed myorigin = kselax.ru
[20:38] <Neo4> nacc: in linux mail send message?
[20:39] <Neo4> mail --help
[20:39] <nacc> Neo4: it's really hard to understand what you are asking, possibly due to a language barrier.
[20:39] <Neo4> it's utility
[20:39] <nacc> Neo4: are you asking if the command mail can send a message?
[20:40] <Neo4> nacc: yes, this too
[20:40] <nacc> Neo4: yes, `mail` can send and receive mail
[20:40] <Neo4> nacc: default how it occur? assume mysql has error and it prepared data for send message, what will happen next?
[20:41] <Neo4> nacc: where it send mail?
[20:41] <Neo4> nacc: what is mail MUA?
[20:41] <Neo4> mail might be use my postfix?
[20:42] <nacc> Neo4: i believe by default, admin mail is delivered to /var/mail/root
[20:42] <Neo4> mail -> postfix -> google MDA -> my thunderbird
[20:43] <Neo4> I'll look what is there
[20:43] <nacc> Neo4: I don't understand what you mean by 'what is mail MUA'? Do you mean the command `mail` ?
[20:44] <Neo4> there empty root file
[20:44] <nacc> Neo4: that implies no admin mails have been received (iiuc)
[20:45] <Neo4> nacc: I mean what is mail MUA for linux when we use mail, mail function is MUA
[20:45] <Neo4> nacc: admin mail with errors?
[20:45] <nacc> Neo4: ... did you just answer your own question?
[20:46] <Neo4> that means all worked without error for a while
[20:46] <Neo4> nacc: what the own question? What do you mean?
[20:47] <Neo4> nacc: where do you see errors?
[20:49] <Neo4> nacc: see, https://serverfault.com/questions/485505/get-postfix-to-forward-roots-mail
[20:55] <Neo4> what is it postmaster:    root in /etc/aliases?
[20:56] <Neo4> according to that sources we see there mail function and we can send message to any mail. I want to send to root@localhost
[20:56] <Neo4> echo test | mail -s test root
[20:57] <Neo4>  *      /var/mail/root is empty
[21:30] <gQuigs> some bionic images not building since the 3rd?  - http://cdimage.ubuntu.com/ubuntu-server/
[21:30] <gQuigs> anyway to check why?
[21:35] <nacc> powersj: --^
[21:35] <nacc> gQuigs: i think we know why, but not 100%
[21:36] <sarnold> looks like xenial too http://cdimage.ubuntu.com/ubuntu-server/xenial/daily/current/
[21:36] <nacc> yeah i've been getting e-mails on them
[21:37] <nacc> but powersj usually handles that side
[21:38] <powersj> hmm I get the emails, but don't build them :)
[21:38] <powersj> slangasek would be who I'd ping, but probably won't see him till later
[21:42] <gQuigs> just curious.. what's the current theory?
[21:50] <powersj> gQuigs: looks like both xenial and bionic are having issues running requestBuild against Launchpad during the live filesystem
[21:51] <powersj> the error is "An identical build of this live filesystem image is already pending."
[21:51] <powersj> so some timing must be off
[21:53] <nacc> powersj: i wonder if an old build is wedged
[21:53] <gQuigs> powersj: well that makes the 3rd more interesting - https://twitter.com/launchpadstatus/status/948688233029881856
[21:53] <nacc> because i think they all have been like that since then
[21:54] <powersj> nacc: agreed or due to taking the farm down for patching we need to kick something
[21:54]  * TJ- kicks the nearest cow
[22:10] <tomreyn> in other farming news: echo 'cowsay --help is broken on Xenial' | cowsay
[22:10] <tomreyn> it just sits there. but then, it's a cow.
[22:11] <sarnold> poor cow :(
[22:11] <TJ-> That's just like our cows :)
[22:12] <TJ-> it's chewing its cud and thinking about it
[22:16] <mason> tomreyn: Sure enough.
[22:22] <gQuigs> ty!
[22:52] <blackflow> Hm, turns out postgresql server dev package is in universe, while the main server is in main repo. How come? This is rather... surprising.
[22:52] <blackflow> been meaning to minimize the number of packages installed from universe, or at least watch them carefully, as some are in very bad shape.
[22:53] <nacc> blackflow: specific package name?
[22:53] <blackflow> nacc: for what?
[22:53] <mason> blackflow: I could be confused, but that might be worth a ticket asking for it to be pulled in.
[22:53] <mason> blackflow: The dev package.
[22:53] <nacc> blackflow: any example for what you just said?
[22:54] <blackflow> nacc: you mean package in universe that's in bad shape? roundcube for example, on xenial. it's "beta" and never patched for at least five vulns, some REMOTE, that occurred in 2017 (I know because I helped patch the package in FreeBSD)
[22:56] <mason> blackflow: Open bugs on launchpad.
[22:57] <mason> In your case, submit patches in them. :P
[22:59] <blackflow> someone already filed bug reports about that, but that got nowhere. meanwhile, my problem is not roundcube itself, I'm using upstream code directly. it's just that knowing how bad packages can get in universe, I was surprised to see postgres dev in there
[23:00] <blackflow> it's basically all coming from the same source package, no? the server, the client, the headers for -dev ....
[23:00] <nacc> blackflow: what package!?
[23:00] <nacc> blackflow: you keep saying 'postgres dev' package
[23:01] <nacc> blackflow: please just actually say the name of the package so i don't have to grep for it
[23:01] <blackflow> postgresql-server-dev-9.6
[23:01] <blackflow> it's headers for postgresql server, so libs can be built for it
[23:02] <nacc> blackflow: the source is in main
[23:02] <nacc> blackflow: we don't keep all binaries in main from a given package
[23:02] <nacc> only those that have deps in main or are seeded
[23:04] <blackflow> how is it ensured that they're kept in sync?
[23:05] <nacc> blackflow: how what is kept in sync?
[23:07] <blackflow> nvm, I obviously misunderstood the purpose of "universe" and it being community maintained, as opposed to "main" which is Canonical maintained.
[23:07] <blackflow> or at least, what happens to postgresql-server-dev-*, despite it being in universe.
[23:07] <nacc> blackflow: the relevant part here is the source package is in main
[23:08] <nacc> (afaict)
[23:08] <blackflow> makes sense, yeah.
[23:12] <rbasak> Theoretically, if there's a vulnerability that impacts only the users of the binary postgresql-server-dev-9.6 and none of the other packages, Canonical staff may ignore it.
[23:13] <nacc> also, it's probably only a build-dep of packages in main, so it can be in universe
[23:13] <nacc> just a guess
[23:14] <rbasak> In practice it's unlikely though. And we generally push through point releases for Postgres.
[23:15] <nacc> yeah
[23:18] <blackflow> I see. yeah.