/srv/irclogs.ubuntu.com/2018/04/16/#ubuntu-server.txt

[01:02] <ikkuranus> I used the nfs export module of webmin to create an nfs4 share and it created some kind of link in the filesystem. How do I remove that
=== Aztec03 is now known as Aztec03|afk
=== Aztec03|afk is now known as Aztec03
[06:33] <samba35> I am on beta 18.04, I want to configure kvm with openvswitch, can someone guide me? I have created openvswitch and kvm configure but I could not see/add ovs to kvm network
[06:46] <olivierb-> good morning everyone. I have a situation for which I need your expert help here as digging out how to fix this has been very unproductive for the last couple of days
[06:47] <olivierb-> I have a ubuntu 16.04 minimal server image with LVM and xfs which boots perfectly well and was generated using OpenStack DIB (disk image builder)
[06:48] <olivierb-> however when I try to add a package which requires init ram disk rebuild (like overlayroot or others) I end up not being able to reboot the machine
[06:49] <olivierb-> I have nailed down the issue being the fact that LVM does not seem to be taken into account because tried without LVM on xfs+extX successfully and LVM + any of extX, xfs being a failure
[06:49] <olivierb-> of course I have added the modules in /etc/initramfs-tools/modules without more success
[06:50] <olivierb-> what is also very strange is that my initial and working initrd file is 9 Mb big and the failing regenerated one is 32 Mb
[06:50] <olivierb-> any clue what could be the cause, where to look and how to fix this ?
[06:57] <olivierb-> one other thing is that my 1st initrd file in the DIB image has been generated using dracut which is also present in my packages list so maybe it somehow also interferes with initramfs-tools ? Just a wild guess
[07:31] <cpaelzer> rbasak: I'd like a monthly, biweekly or even weekly (fast then) server-next bug scrub
[11:11] <mojtaba> Hello, I have created a service for autossh, http://paste.debian.net/1020536/, but when I reload systemctl daemon and restart the service, I got the following status: received signal to exit (15) Do you know what could be wrong?
[11:22] <blackflow> mojtaba: is anything even wrong? when you restart a (simple) service it gets sent a signal. Does it not start back after service restart?
[11:23] <mojtaba> blackflow: When I execute the autossh on the terminal it works fine. But using systemd it does not work.
[11:24] <blackflow> it does not sart?
[11:24] <blackflow> *start
[11:24] <mojtaba> blackflow: By not working, I mean I can not ssh back from the other system.
[11:24] <blackflow> but is the process active? checked with ps or top?
[11:25] <mojtaba> blackflow: It says, Starting the service, and then next line, services started, and gave me the ssh child pid. But the next line says received signal to exit (15)
[11:26] <blackflow> Well, two things. First, systemd services are default root unless you specify User= under [Service]. That means autossh will start as root and will look into /root/.ssh/ for config, keys, etc...
[11:26] <blackflow> so you should put your user's name under User= in the unit file
[11:27] <blackflow> the second thing was, as I don't know autossh, does it remain in foreground when you start it? or does it fork and exit?
[11:27] <mojtaba> blackflow: I see. So I have to define user as my current user? Where should I put it?
[11:28] <blackflow> I just told you. In the unit file you wrote, under [Service] section. See systemd.exec(5) manpage for more info.
[11:28] <mojtaba> blackflow: I have used -f flag option, so it is supposed to work in background.
[11:29] <blackflow> mojtaba: in that case the service can't be simple, but forking.
[11:30] <mojtaba> blackflow: what is forking and where should I put it?
[11:30] <blackflow> see systemd.service(5) manpage for Type=
[11:30] <blackflow> mojtaba: but ideally, you'd not want that. drop -f and have system manage it directly.
[11:33] <mojtaba> blackflow: Thank you very much. I added the user and removed -f. It is working now.
[11:35] <blackflow> you're welcome.
[11:53] <mojtaba> blackflow: should I create another user for the reverse-ssh? I mean do you know how can I make it more secure?
[11:53] <mojtaba> blackflow: Is there something that I have to consider as a precaution?
=== miguel is now known as Guest36805
[12:08] <blackflow> mojtaba: can't hurt to run the tunnel as another user. :)
[12:08] <mojtaba> blackflow: autossh is making the reverse tunnel as root to the remote machine.
[12:08] <mojtaba> Is that Ok, or should I change it?
[12:08] <mojtaba> The other machine is a VPS.
[12:17] <blackflow> depends on the use case. ideally you'd want to not use root account to ssh into, unless you have to.
[12:18] <blackflow> of course using pubkey authentication and blocking passwords is a must.
[12:28] <mojtaba> blackflow: I am using public key to log in, but I am logged in as a root.
[12:41] <mojtaba> I have created a reverse ssh from node A to node B, Do you know any command that I can use to connect to node A through node B, using a third system? I am looking for one command, instead of making ssh to node B and then again ssh to node A.
[12:42] <blackflow> mojtaba: look into ProxyCommand ssh option
[12:43] <blackflow> mojtaba: here's an example use case for ansible, that uses one host as a "trampoline" (so called "bastion" host) to automatically ssh through one machine into another: https://blog.scottlowe.org/2015/12/24/running-ansible-through-ssh-bastion-host/
[12:44] <mojtaba> blackflow: thanks. To make the reverse ssh from node A to B, I am using pubkey. But from node B to A I prefer to use password. (I think it is more secure, isn't it?)
[12:44] <blackflow> you keep calling it "reverse". Aren't you merely creating an ssh tunnel?
[12:45] <blackflow> "reverse ssh" would be if you initiated the connection from the server to your client...
[12:45] <blackflow> (reverse from the POV of the client)
[12:45] <mojtaba> blackflow: No, I am creating reverse ssh using autossh and -R flag.
[12:45] <mojtaba> blackflow: computer A is behind the NAT and I am creating the reverse ssh from A to a VPS, and then I use my laptop to ssh to VPS and connect to A.
[12:45] <blackflow> that's forwarding. not sure why you call it "reverse"
[12:46] <mojtaba> blackflow: from vps I can connect to node A, using ssh -p PORTNUMBER User@localhost
[12:47] <sdeziel> mojtaba: password auth is always less secure
[12:47] <blackflow> mojtaba: @localhost? that just connects to itself, no?
[12:47] <blackflow> unless you redefined the IP of "localhost"
[12:48] <sdeziel> mojtaba: if you want more security require both a public key and a password
[12:48] <blackflow> sdeziel: uh.... AND password?
[12:48] <blackflow> then what stops someone from ignoring the pubkey and keep bruteforcing the password?
[12:48] <mojtaba> sdeziel: I am connecting from a VPS, and I don't have physical access to it. I thought maybe someone would have access to the VPS and could connect to that machine using the keys.
[12:48] <sdeziel> blackflow: that is if more security is needed
[12:48] <blackflow> unless you meant the key passphrase?
[12:48] <blackflow> sdeziel: are you sure? if you allow passwords, then pubkeys can be ignored.
[12:48] <sdeziel> blackflow: no, I meant both
[12:48] <blackflow> then you're wrong.
[12:49] <mojtaba> blackflow: What If I put passphrase on the keys?
[12:49] <blackflow> password auth must be completely disabled. otherwise pubkey can be ignored and just password (attempted) brute forced.
[12:49] <sdeziel> mojtaba: a passphrase on the key is only to secure the key itself
[12:49] <mojtaba> blackflow: No, I connect to 127.0.0.1 with the defined port in system A.
[12:49] <sdeziel> blackflow: ever heard of two factor authentication?
[12:50] <blackflow> sdeziel: yes, but ssh password auth ain't it.
[12:50] <blackflow> 2FA is something different
[12:50] <mojtaba> sdeziel: Ok, so I can secure the keys using passphrase.
[12:50] <sdeziel> blackflow: please if you don't know something, don't call me wrong
[12:50] <sdeziel> blackflow: I've been using TFA with OpenSSH for many years, works well
[12:51] <blackflow> sdeziel: that's okay. but that's not what PasswordAuthentication for OpenSSH means.
[12:51] <blackflow> 2FA != PasswordAuthentication
[12:51] <sdeziel> blackflow: AuthenticationMethods publickey,password
[12:51] <mojtaba> blackflow: sdeziel: Can I create pub and private keys somewhere else and then scp them later?
[12:51] <blackflow> sdeziel: that's not 2FA
[12:51] <sdeziel> mojtaba: yes but why not create it on the target instead?
[12:52] <sdeziel> blackflow: how so?
[12:52] <blackflow> This is 2FA: https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication
[12:52] <sdeziel> this ^ is another form of TFA
[12:52] <blackflow> AuthenticationMethods publickey,password is just a list of allowed methods. meaning the client could ignore pubkey and try password.
[12:52] <mojtaba> sdeziel: Ok, so I have to send the private key to the source?
[12:53] <sdeziel> mojtaba: I'd advise to simply create the key pair on the destination instead. This way it has the proper perms and all
[12:53] <sdeziel> mojtaba: otherwise, yeah, send both the key and the .pub
[12:54] <blackflow> only the pubkey is needed on the server you're connecting to. that's the whole point of "private".
[12:54] <mojtaba> sdeziel: I want to connect from VPS to node A, which is behind NAT. So I have to create the keys on node A? (just to confirm)
[12:54] <mojtaba> or VPS?
[12:54] <blackflow> there is also forwarding of authentication via -A so you can use one keypair for forwarding too.
[12:55] <sdeziel> mojtaba: if you want node A to ssh to somewhere where you have inbound access, then yes
[12:55] <sdeziel> so on node A, you'd run ssh nodeB -R9999:127.0.0.1:22
[12:55] <mojtaba> blackflow: I can connect passwordless to both VPS and node A. Can I use my keys on my laptop? So I don't need to generate extra key for VPS to node A.
[12:56] <sdeziel> then from your location you could ssh nodeB -p 9999
[12:56] <blackflow> mojtaba: yes
[12:56] <sdeziel> and you'd be poking node A's SSH
[12:56] <blackflow> mojtaba: you generate the private-public key pair on your laptop and upload ONLY the pub key to the servers.
[12:56] <blackflow> mojtaba: use authentication agent (enabled by default on Ubuntu), and you can use -A for ssh connection to forward the authentication
[12:57] <mojtaba> blackflow: I have done that before, and I can connect directly from my laptop to both VPS and node A. Now I want to connect from my laptop to node A through VPS. How can I use the keys on my laptop?
[12:57] <mojtaba> blackflow: Thanks. I will check it.
[12:57] <sdeziel> mojtaba: but if node A is behind a NAT (without port forward), how why you SSH in for the first time?
[12:57] <blackflow> with -A for ssh connection
[12:57] <blackflow> mojtaba: use the same PUBLIC key on both A and the VPS
[12:58] <mojtaba> sdeziel: I have configured the router before to do port forwarding. But it might move somewhere else, that is why I am creating the reverse ssh tunnel.
[12:59] <mojtaba> blackflow: Can I forward authentication for two different keys?
[12:59] <sdeziel> mojtaba: the reverse tunnel requires node A to SSH to the VPS (which I assume is the box with stable access for you, right?)
[12:59] <mojtaba> sdeziel: yes
[12:59] <sdeziel> mojtaba: OK then yes, ssh -R can do it
[13:00] <mojtaba> sdeziel: So I have to use flag -A to connect from my laptop to node A?
[13:00] <mojtaba> sdeziel: Do you know the exact command?
[13:00] <sdeziel> mojtaba: ssh -A alone
[13:00] <sdeziel> mojtaba: but that's not related to a SSH reverse tunnel though
[13:01] <sdeziel> mojtaba: that will simply carry your SSH agent along with where your client goes
[13:01] <mojtaba> sdeziel: in my laptop I am using config file for ssh, so to connect to VPS I simply type 'ssh vps'
[13:01] <sdeziel> mojtaba: what's unclear to me though is why would node A be more easily reachable by the VPS than your laptop?
[13:02] <mojtaba> and to connect to node A, I type 'ssh nodeA'
[13:02] <mojtaba> sdeziel: VPS has static IP, but my laptop has dynamic IP.
[13:02] <sdeziel> mojtaba: add "ForwardAgent yes" to the config stanza
[13:02] <sdeziel> mojtaba: and node A?
[13:03] <sdeziel> does it have a dynamic IP too?
[13:03] <mojtaba> sdeziel: That one has dynamic IP address as well.
[13:03] <mojtaba> But when I connect to node A from VPS, I just simply type localhost.
[13:03] <mojtaba> sdeziel: I have to add ForwardAgent in VPS settings in config file?
[13:03] <sdeziel> mojtaba: you mean you "ssh localhost -p SOMETHING" ?
[13:04] <mojtaba> sdeziel: from VPS I type ssh -p PORTnumber localhost
[13:04] <mojtaba> sdeziel: from VPS I type ssh -p PORTnumber user@localhost
[13:04] <sdeziel> mojtaba: OK, so you seem to have the reverse tunnel already setup, which is good
[13:04] <mojtaba> sdeziel: yes
[13:05] <mojtaba> blackflow: sdeziel: blackflow helped me for that. (Thanks again)
[13:05] <sdeziel> mojtaba: instead of using the SSH agent forwarding which has some security ramifications, you may want to use something else like ProxyCommand
[13:05] <sdeziel> mojtaba: on your laptop, you'd use something like that:
[13:05] <mojtaba> sdeziel: Thanks. I will look in to it.
[13:06] <sdeziel> Host nodeA
[13:06] <sdeziel>   ProxyCommand ssh VPS -W localhost@PORTnumber -l user
[13:06] <blackflow> what security ramifications? using ProxyCommand, if that command is "ssh" requires authentication again. with -A you just forward your initial one.
[13:07] <blackflow> that's the whole point of keys and -A. it doesn't lessen the security in any way.
[13:07] <sdeziel> blackflow: http://manpages.ubuntu.com/manpages/bionic/en/man5/ssh_config.5.html
[13:08] <sdeziel> "Agent forwarding should be enabled with caution."
[13:08] <blackflow> okay, and why?
[13:09] <sdeziel> blackflow: it's the paragraph right after that in the man page
[13:09] <blackflow> sdeziel: I know. I've read it. that also applies to not using -A
[13:10] <blackflow> -A merely forwards the auth through the next ssh session. the same "warning" applies regardless of whether you connect to machine A or to B through A
[13:10] <blackflow> and has nothing to do with -A but with forwarding X11
[13:11] <sdeziel> blackflow: suppose you "ssh -A foo" and I also have access (with root) to foo
[13:11] <sdeziel> blackflow: while you are connected to foo, I can abuse your agent to usurp your identity and connect to other destinations as you
[13:11] <blackflow> you can do it regardless of -A on the first machine as well.
[13:12] <sdeziel> blackflow: that has nothing to do with X11 forwarding
[13:12] <blackflow> the warning is only for situations where you forward X11 and connect via proxy thinking the proxy offers extra security. it doesn't.
[13:12] <blackflow> sdeziel: it does, it also says so in the paragraph which you quoted.
[13:12] <mojtaba> sdeziel: Is it @ or : before PORTnumber in ProxyCommand ssh VPS -W localhost@PORTnumber -l user
[13:13] <blackflow> sdeziel: read the warning for "ForwardX11". If you enable it, then you expose your X11 to any machine you connect to.
[13:13] <blackflow> the warning is there ONLY if someone thinks that using an ssh proxy makes it more secure than connecting to the proxie'd machine directly. it doesn't.
[13:13] <sdeziel> mojtaba: you are right, it's a ":"
[13:14] <blackflow> in this case, mojtaba is in control of both machines and uses proxy to bypass NAT. which in itself does not make -A any less secure than connecting to the third machine directly.
[13:16] <mojtaba> sdeziel: I added this line to the config file:
[13:16] <sdeziel> mojtaba: something like that: https://paste.ubuntu.com/p/YxcHkBVW32/
[13:16] <mojtaba> Host NodeA
[13:16] <mojtaba>       ProxyCommand ssh VPS -W localhost:PortNumber -l UserName
[13:16] <mojtaba> But it is not working as expected, the command line is asking for the password of the NodeAuser@VPS_IP.
[13:17] <sdeziel> mojtaba: in the proxy command, make sure that "ssh VPS" matches the host entry you already have for the VPS
[13:18] <mojtaba> sdeziel: Ok, so I have to remove the -l username part?
[13:19] <sdeziel> mojtaba: sec, I made some errors, I'll send another paste
[13:20] <sdeziel> https://paste.ubuntu.com/p/WHGMJW28mm/
[13:20] <mojtaba> sdeziel: Ok thanks. I removed the -l part and it is sending my laptop's username @ Hostname
[13:23] <sdeziel> mojtaba: so from your laptop can you simply type "ssh nodeA"?
[13:24] <mojtaba> sdeziel: It is asking the password of the NodeA user, although I can directly ssh to node A using private key.
[13:25] <mojtaba> sdeziel: Do you know what should I do to use that authentication key instead of password?
[13:25] <blackflow> mojtaba: the part I fail to understand is opening another ssh connection, but to localhost. that just.... connects it to itself, doesn't it? did you alter the IP for "localhost"?
[13:26] <blackflow> or am I misunderstanding what you're trying to do
[13:26] <mojtaba> blackflow: No, I didn't change it. It is working now with the config sdeziel is suggesting. But it is asking for password instead of using the auth key.
[13:26] <sdeziel> mojtaba: could you share the output of "ssh -v"?
[13:28] <mojtaba> sdeziel: It is generating some output and then asks for the password. How should I grab the output?
[13:28] <mojtaba> sdeziel: I know pastebinit
[13:29] <sdeziel> mojtaba: yeah, paste it all (initial command included) and also maybe your ssh_config?
[13:29] <mojtaba> sdeziel: How should I paste it? ssh | pastebinit ?
[13:29] <blackflow> mojtaba: did you set up the pubkey authentication on the third machine? if yes, then you need to -A on your client side, OR set up another key pair on nodeA to connect to nodeB. you also need to disable PasswordAuthentication if you want keys to be effective.
[13:31] <mojtaba> blackflow: I can connect from my laptop to both VPS and node A using the keys that I have created before.
[13:31] <mojtaba> How should I use flag -A?
[13:31] <sdeziel> mojtaba: run ssh on your laptop, let it fail. start pastebinit, copy the SSH output and paste it in pastebinit, then Ctrl-D
[13:31] <blackflow> mojtaba: yes, but if you do not *disable* PasswordAuthentication then using keys has no security benefit.
[13:31] <sdeziel> mojtaba: the proxycommand is to avoid needing "ssh -A"
[13:31] <sdeziel> mojtaba: so it is kind of orthogonal
[13:31] <mojtaba> sdeziel: It doesn't fail. It asks for the password and when I type password it connects.
[13:32] <sdeziel> mojtaba: then Ctrl-C it at the password prompt
[13:32] <mojtaba> sdeziel: The problem now is how to connect using two different keys. one for vps and another one for nodeA.
[13:32] <sdeziel> mojtaba: as blackflow said, did you add your laptop's public key to node A's authorized keys?
[13:32] <blackflow> mojtaba: why are you using different keys?
[13:32] <sdeziel> mojtaba: with the proxy command that will work
[13:33] <blackflow> yeah.
[13:33] <sdeziel> mojtaba: with the proxy command, your laptop will ssh to VPS, then SSH to nodeA through the VPS tunnel
[13:34] <mojtaba> sdeziel: Yes, I have defined those before. I can connect to nodeA using ssh NodeA and to VPS by typing ssh VPS
[13:34] <mojtaba> But they have two different keys.
[13:34] <sdeziel> mojtaba: https://paste.ubuntu.com/p/4F5GXky9Vb/
[13:34] <mojtaba> This is the output of the ssh
[13:34] <mojtaba> https://paste.ubuntu.com/p/DxmXmbZhKF/
[13:36] <mojtaba> sdeziel: Thank you very much. It is working now.
[13:36] <mojtaba> blackflow: thanks a lot.
[13:37] <blackflow> btw did you have to use -A for the ProxyCommand'ed ssh? Or is -A implied with it?
[13:37] <mojtaba> sdeziel: Do you know how can I make it persistent? I mean the reverse ssh.
[13:37] <sdeziel> mojtaba: good, you offered 3 keys to homed but none was accepted. Looks like you are missing some in homed's authorized_keys
[13:37] <mojtaba> blackflow: No, I used ProxyCommand.
[13:37] <blackflow> mojtaba: yes, and that just executes a command, in your case ssh. did you have to use -A for it?
[13:38] <mojtaba> sdeziel: which line?
[13:38] <mojtaba> blackflow: No I didn't use -A.
[13:38] <sdeziel> mojtaba: in your paste, the last few lines with "Trying private key"
[13:38] <sdeziel> mojtaba: those are the keys you tried to auth with for homed
[13:38] <ahasenack> rbasak: hi
[13:38] <sdeziel> mojtaba: and none was accepted so you ended up asked for a password
[13:38] <ahasenack> rbasak: could you educate me a bit on git tree objects?
[13:39] <ahasenack> rbasak: in particular, I'm trying to understand methods like dsc_to_tree_hash() in git-ubuntu
[13:39] <sdeziel> mojtaba: do you expect one of those keys to work or do you use a specially named one?
[13:39] <mojtaba> sdeziel: that's weird, I don't have those keys in my .ssh directory.
[13:39] <ahasenack> is that like used like a simulated import, just to get what hash it would have, but without importing it?
[13:39] <blackflow> mojtaba: and on the laptop side? with or without -A ?
[13:39] <mojtaba> sdeziel: I have nowhere used -A.
[13:40] <blackflow> mojtaba: k, thanks.
[13:40] <mojtaba> blackflow: thank you!
[13:40] <sdeziel> mojtaba: then how are you using your keys?
[13:40] <mojtaba> sdeziel: With your latest configuration, it connects using the correct key.
[13:41] <mojtaba> sdeziel: I define them in the config file.
[13:41] <sdeziel> mojtaba: please share that config
[13:41] <sdeziel> or the relevant portions of it
[13:41] <mojtaba> sdeziel: Ok. Just a sec.
[13:44] <mojtaba> sdeziel: http://paste.ubuntu.com/p/vWnD2ktPHn/
[13:46] <sdeziel> mojtaba: line 20 should be identical to line 7, no?
[13:47] <sdeziel> mojtaba: you are trying to auth to node A with a user named "osmc", is that what you intended?
[13:47] <sdeziel> mojtaba: that's from your previous paste
[13:47] <mojtaba> sdeziel: well yes.
[13:48] <mojtaba> sdeziel: line 20 and 7 are the same
[13:49] <mojtaba> sdeziel: blackflow: Any suggestion regarding the config file?
[13:50] <sdeziel> mojtaba: the config looks good
[13:51] <sdeziel> mojtaba: what logs do you have on node A?
[13:51] <mojtaba> sdeziel: how can I check it?
[13:52] <sdeziel> mojtaba: on node A: "tail -f /var/log/auth.log"
[13:52] <sdeziel> mojtaba: then try to connect again, you should see a bunch of lines printed by sshd
[13:53] <mojtaba> sdeziel: no such file or directory!
[13:55] <sdeziel> mojtaba: it seems to be a debian box so that's surprising
[13:55] <sdeziel> mojtaba: maybe /var/log/authlog ?
[13:55] <sdeziel> or /var/log/secure?
[13:56] <rbasak> ahasenack: sure. What do you want to know?
[13:56] <ahasenack> what I asked just after? :)
[13:56] <mojtaba> sdeziel: I have faillog and lastlog
[13:56] <rbasak> Oh
[13:56] <rbasak> Sorry
[13:57] <rbasak> ahasenack: it's not simulated, it's the real thing.
[13:57] <rbasak> git is garbage collected. So you can create objects that have hashes with no reference to them, and in the short term they will continue to exist.
[13:57] <ahasenack> what does it mean to have a git tree? I originally thought they were branches
[13:57] <ahasenack> so a branch is a tree with a name, sort of?
[13:57] <rbasak> We create the tree object first to examine it, and only after examination of the result do we create a commit that uses it.
[13:58] <sdeziel> mojtaba: grep -sl sshd /var/log/*
[13:58] <rbasak> Not quite.
[13:58] <rbasak> A blob is a binary...blob. It's hashed to get its...hash.
[13:58] <rbasak> A tree is a list of entries.
[13:58] <Neo4> Hi
[13:58] <rbasak> Entries can be references to blobs or other trees.
[13:58] <rbasak> Entries have some other minimal metadata too.
[13:58] <mojtaba> sdeziel: dpkg.log
[13:59] <ahasenack> so this tree is like a temporary scratch area
[13:59] <rbasak> A tree is also given a hash based on the hash of the list of its entries.
[13:59] <Neo4> I've installed webmin there exists postfix and dovecot but I don't know how configure that all
[13:59] <ahasenack> the way we use it
[13:59] <rbasak> A commit contains some metadata and a reference to a tree.
[13:59] <sdeziel> mojtaba: that's unexpected
[13:59] <Neo4> webmin is really nice thing
[13:59] <rbasak> A branch is a reference to a commit, as is a tag.
[13:59] <mojtaba> sdeziel: It is raspberry pi
[14:00] <rbasak> When a commit is created, first the underlying tree is established. The metadata is added, and then the whole thing is stored and its hash retrieved.
[14:00] <rbasak> Usually the branch pointer is updated to point to the new commit.
[14:00] <rbasak> All those steps happen anyway.
[14:00] <mojtaba> sdeziel: https://paste.ubuntu.com/p/pgvJBGXcdd/
[14:00] <rbasak> The importer performs the first step itself directly so that it can examine the result before it does the rest.
[14:00] <sdeziel> mojtaba: ah, then I don't know where the authlog would be
[14:01] <mojtaba> sdeziel: how is that one useful?
[14:01] <ahasenack> rbasak: ok, I was thinking "simulated" as in, "if it doesn't work, let's discard it"
[14:01] <sdeziel> mojtaba: dpkg.log is not useful unfortunately
[14:01] <mojtaba> sdeziel: No, I mean the auth logs.
[14:02] <rbasak> ahasenack: we could do that. "Discard" in this case would be just forgetting the hash, because git will garbage collect it itself later. In practice, I'm not sure if we do ever discard it.
[14:02] <ahasenack> rbasak: a developer working with a git repo would normally not use trees like this, right?
[14:02] <ahasenack> rbasak: right, do nothing, let it be gc'ed
[14:02] <rbasak> ahasenack: a developer working with a git repo normally never deals with tree objects directly.
[14:03] <rbasak> They get created implicitly when commits are created.
[14:03] <ahasenack> ok, we have just broken down one of the interim/internal steps when we create this tree to examine it before creating the commit
[14:03] <rbasak> (actually that gets optimised and it gets done when "git add" is called, but let's ignore that detail)
[14:03] <rbasak> ahasenack: right
[14:03] <ahasenack> ok, thx :)
[14:03] <sdeziel> mojtaba: the auth.log would have messages from sshd as to why it didn't let osmc in
[14:05] <sdeziel> mojtaba: looking again at your ssh -v output, I now realize that your client is not proposing to auth with ~/.ssh/nodeA
[14:06] <sdeziel> mojtaba: as a test, could you copy/move ~/.ssh/nodeA to ~/.ssh/id_rsa? Please make sure you don't have any id_rsa key in the first place
[14:07] <mojtaba> sdeziel: Ok
[14:07] <mojtaba> sdeziel: should I change the name of both private and public keys/
[14:07] <mojtaba> ?
[14:07] <sdeziel> mojtaba: yes
[14:08] <skinux> I need help troubleshooting file not found errors to see if it's permissions causing it.
[14:08] <skinux> I'm using /var/www/html web root, files are 644 and directories are 755
[14:09] <sdeziel> skinux: the web server's error log should hint you
[14:09] <teward> ^ that
[14:09] <teward> sdeziel: stop stealing my words :P
[14:09] <teward> (just kidding)
[14:09] <mojtaba> sdeziel: It says next authentication method: password
[14:10] <sdeziel> teward: strdup
[14:10] <sdeziel> mojtaba: could you share another ssh -v ?
[14:12] <mojtaba> sdeziel: https://paste.ubuntu.com/p/ZTnHZFVVVS/
[14:14] <sdeziel> mojtaba: it's now trying to use ~/.ssh/shutterPI
[14:14] <mojtaba> sdeziel: Yes, it is the correct key
[14:16] <skinux> sdeziel: I've seen the log check here https://gist.github.com/skinuxgeek/4d4f86490f87805d1781782670551db9
[14:18] <sdeziel> skinux: doesn't look like a permission error at first glance
[14:20] <sdeziel> skinux: maybe lower error_log?
[14:21] <sdeziel> mojtaba: ls -l ~/.ssh/shutterPI
[14:22] <skinux> Like what?
[14:22] <mojtaba> sdeziel: I have that file. This is the original file, which I renamed.
[14:23] <sdeziel> skinux: the default severity is "error" so I'd try that
[14:23] <skinux> I just did, same error
[14:23] <skinux> Primary script unknown. It makes no sense
[14:23] <sdeziel> skinux: this error seems to be from PHP-FPM
[14:23] <skinux> nginx uses user www-data, which is part of group www-data
[14:24] <skinux> Should that be running as www-data too?
[14:25] <sdeziel> skinux: by default, PHP-FPM runs with www-data:www-data too
[14:27] <sdeziel> mojtaba: I'm still thinking about what it could be
[14:28] <mojtaba> sdeziel: What do you mean?
[14:29] <sdeziel> mojtaba: I have not thrown the towel yet ;)
[14:29] <mojtaba> sdeziel: :)
[14:29] <mojtaba> sdeziel: It is working fine now.
[14:29] <sdeziel> mojtaba: oh, how so?
[14:30] <mojtaba> With your last config file.
[14:31] <sdeziel> skinux: IIRC, PHP-FPM can log errors to syslog or a file, might want to check there
[14:38] <skinux> All PHP log says is that the log file is re-opened
[14:39] <skinux> The log doesn't say anything about any requests, which it did on the 13th. It's got to be an nginx configuration issue then
[15:35] <teward> rbasak: nacc: Final freeze is in a few days, but we're going to have a headache with nginx - it's going to be on a 'development' branch, unless we can convince the release team and the SRU team to let us jump to the 'stable' release branch directly post-release, which *could* have some blocking problems.
[15:36] <dpb1> teward: what blocking problems
[15:36] <teward> dpb1: no guarantee of 'no new features'
[15:36] <dpb1> teward: doing an MRE to a 'stable' series is usually acceptable
[15:36] <teward> as it stands a new release of NGINX came out since the last merge
[15:36] <dpb1> teward: especially for LTSes
[15:36] <teward> and while I *could* do a merge there, it's still in the development branch
[15:36] <dpb1> teward: since the one that nacc did?
[15:37] <teward> yep
[15:37] <dpb1> ok
[15:37] <teward> so even if I do that merge
[15:37] <dpb1> teward: what's the stable target for them?
[15:37] <teward> between now and LTS release it could be 3 more dev versions before nginx releases a stable
[15:37] <dpb1> (upstream, I mean)
[15:37] <teward> dpb1: pick a date between the 20th and the last day of April
[15:37] <teward> they don't set any final dates
[15:37] <teward> they just 'release when ready'
[15:37] <teward> historically it's on or around the 24th
[15:37] <dpb1> but after, they are going to mark it "stable"?
[15:37] <dpb1> in some way?
[15:38] <teward> let's say that the day they make it stable devel was on 1.13.23 - that becomes 1.14.0
[15:38] <teward> they cut 'stable' from the then-development branch
[15:38] <dpb1> OK
[15:38] <teward> in 16.04 this 'worked' because between the version in xenial and post-release there were no changes except a version bump
[15:38] <teward> which the release team let in
[15:39] <teward> but I can't guarantee there won't be more features
[15:39] <dpb1> when that time comes, I think an SRU post release would be an option, more painful than not having to do the sru, but probably preferable.
[15:39] <teward> OK
[15:39] <teward> are bugfix-only things allowed in past FeatureFreeze but before FinalFreeze?
[15:39] <teward> i forget ;)
[15:40] <teward> wow there's been *two* releases
[15:40] <teward> damn
=== mgagne_ is now known as mgagne
[16:17] <DammitJim> can one control services with: systemctl on Ubuntu 16 w/o using sudo?
[16:17] <teward> not safely no
[16:18] <DammitJim> meaning, right now I have the unit set for a particular user, but it still asks for authentication
[16:18] <DammitJim> I might need to add a NOPASSWD entry in the sudoers file, huh?
=== JanC_ is now known as JanC
[16:19] <sdeziel> DammitJim: systemd allows having user services
[16:20] <DammitJim> that's what I thought sdeziel but I don't know why it's asking for authentication
[16:20] <sdeziel> DammitJim: might be useful if the said service doesn't require more privilege than the user you want to interact with
[16:20] <sdeziel> DammitJim: have you tried "systemctl --user" ?
[16:21] <DammitJim> let me try
[16:21] <DammitJim> I was logging on as the user and then just doing: systemctl start <service>
[16:21] <sdeziel> the man page says: --user: "Talk to the service manager of the calling user, rather than the service manager of the system."
[16:21] <sdeziel> DammitJim: by default --system is implied
[16:22] <DammitJim> weird... I get an: Failed to connect to bus: No such file or directory
[16:24] <sdeziel> DammitJim: is the service unit in the per-user config dir? See man systemd.unit for those paths
[16:25] <DammitJim> let me look that up... I just have the service unit defined in /etc/systemd/system
[16:25] <sdeziel> DammitJim: I haven't used user services to date so all this is based on assumption/man page reading ... in other words potentially wrong/erroneous
[16:26] <DammitJim> thanks
[16:27] <sdeziel> np
arrrghhhHello all.  Is there a certain kernel version required to use losetup?  I am trying to create a loop disk and it does not work... basically I just need to carve out some space on my VPS to keep for SFTP space, and I cannot partition the actual disk17:17
arrrghhhOr is there another way to make a 'virtual' disk without losetup?17:19
naccarrrghhh: and you never plan on rebooting your vps?17:20
arrrghhhnacc, I assume I can set the loop disk via fstab?17:20
naccarrrghhh: i mean, it's not persistent17:20
naccarrrghhh: so every reboot, whatever was in that memory-backed disk is gone17:21
naccarrrghhh: what did you mean by 'SFTP space'?17:21
arrrghhhOh I didn't realize I was creating a ramdisk17:21
blackflownacc: isn't losetup file backed with -j ?17:21
sdezielarrrghhh: you need a device for quota I guess?17:22
arrrghhhnacc, bad term I guess.  I basically just need space for SFTP.  The VPS is doing other tasks, and I need someway to 'reserve' ~30gb of space for SFTP purposes17:22
arrrghhhsdeziel, basically yes17:22
naccblackflow: i did't see them specify -j :)17:22
naccblackflow: by default, it uses a loop device (iirc)17:22
arrrghhhnacc, it would be backed by a .img file17:23
arrrghhhthis is the guide I was (attempting) to follow http://www.linuxandubuntu.com/home/creating-virtual-disks-using-linux-command-line17:23
sdezielarrrghhh: this guide says to create partitions, that's not needed17:24
blackflowah, it's -f, not -j17:24
arrrghhhsdeziel, I was following the 1gb portion of the guide, so single partition...17:24
naccblackflow: i think you were right on -j, -f is for find17:25
arrrghhhbut yea either way it doesn't make a difference to me, I just need some way to 'reserve' ~30gb of space on the VPS17:25
blackflownacc: no it's the other way around, -j shows, -f associates17:25
blackflowhad to look it up, it's been a while since I used something like that. Nowadays I just use ZFS and zvols17:25
naccblackflow: ah confusingly written manpage :)17:25
blackflowindeed.17:25
sdezielarrrghhh: assuming you run a Ubuntu kernel, the kernel part should let you use loop devices17:25
lynorianI think xfs has built in quotas as well17:26
arrrghhhsdeziel, it is Ubuntu but the kernel is ancient.  This VPS is .... cheap.  It's Ubuntu 16.04, but I am on some ancient 2.32 kernel17:26
blackfloweew17:26
sdezielarrrghhh: sounds like an OpenVZ host or something17:26
arrrghhh^^ yep17:27
blackflowxen with host-based kernel17:27
blackflow2.6.32 sounds like RHEL/CentOS 617:28
arrrghhhDescription:    Ubuntu 16.04.4 LTS17:28
arrrghhhLinux server 2.6.32-042stab125.517:28
sdezielarrrghhh: if that's indeed an OpenVZ kernel, then I don't think you can use loop devices as is. See https://www.jamescoyle.net/how-to/2132-mount-a-loop-device-in-an-openvz-container17:28
blackflowstab, yeah, openvz17:28
blackflowCloudLinux actually17:28
sdeziel 2.6.32-openvz-042stab128.2 is current, so your host needs maintenance :)17:29
arrrghhhsdeziel, doesn't surprise me haha.  so is there any other alternative to achieve what I am looking to do?17:29
blackflowget a decent KVM-based VPS service? :)17:30
arrrghhh$$$17:30
blackflowHow much17:30
arrrghhhhow much is my current setup?  dirt cheap.  like stupid cheap.17:30
blackflowyeah, how much17:30
arrrghhhI don't really even need a VPS, but damn this was so cheap.  $8/year17:30
blackflowomg. that really is cheap.17:30
arrrghhhyea I just added 50gb for $5/yr... lol17:31
sdezielarrrghhh: I'm not even sure you are allowed to mount ext4 FS in such containers17:31
arrrghhhhmph17:31
blackflowarrrghhh: maybe you could use nbd with qemu to mount a file as a block device17:32
sdezielarrrghhh: but it's been ages since I touched OpenVZ17:32
arrrghhhyea it is very limited...17:32
blackflowno idea if that's possible under ovz but it's a way to get a block device.17:32
arrrghhhok I'll look into it thx17:32
blackflowarrrghhh: qemu-nbd, but since it needs to create a device under /dev  I doubt it'd be possible under ovz17:33
blackflowbut eh.... going back to your orig requirement, are there user quotas available?17:34
sdezielif basic quota works then yeah, no need for a blockdev17:35
arrrghhhI have an overall quota for the whole VPS, I guess I'm not sure about user quotas17:35
sdezielarrrghhh: can you by any chance attach other mounts or devices to the VPS?17:36
arrrghhhsdeziel, looking at the webUI now, I do not see a way to do that.  When I added the 50gb, it just showed up on /17:37
sdezielarrrghhh: OpenVZ supports multiple quota levels (per VPS and per user/group inside the VPS)17:40
sdezielarrrghhh: https://wiki.openvz.org/User_Guide/Managing_Resources#Turning_On_and_Off_Second-Level_Quotas_for_Container17:40
sdezielmaybe you have it enabled in yours17:40
naccrbasak: you don't happen to be around?17:42
arrrghhhheh.  seems to be disabled, I'm betting this is why "The value for it should be carefully chosen; the bigger value you set, the bigger kernel memory overhead this Container creates."17:44
arrrghhhI'll open a ticket with the VPS provider and see if they have any solutions or if this is enabled... otherwise I might just have to deal with the space getting consumed, maybe I can set a quota on nZEDb17:46
sdezielI don't know how they can offer both a VPS and some support for 8$/year ...17:48
arrrghhhLet's just say their response time leaves some to be desired, and I haven't really attempted any 'support' yet.  For example, they took my whole $5 for the additional 50gb - instead of adding it right when they took my money, I had to wait a few days and open a ticket to prod them into getting ti done...17:54
arrrghhhit*17:55
tewardrbasak: nacc: dpb1: release team accepted 1.13.12 into proposed, so we're getting there.  (No more issues to worry about, for now)18:12
olivierb-Hello everyone, maybe you did not see my message early CET time today: I have a situation for which I need your expert help here as digging out how to fix this has been very unproductive for the last couple of days18:13
olivierb-I have a ubuntu 16.04 minimal server image using LVM partitioning and xfs which boots perfectly well and was generated using OpenStack DIB (disk image builder).18:13
olivierb-However when I try to add a package which requires init ram disk rebuild (like overlayroot or others) I end up not being able to reboot the machine18:13
olivierb-I have nailed down the issue to the fact that LVM does not seem to be taken into account because I tried without LVM on xfs+extX successfully and LVM + any of extX, xfs being a failure18:13
olivierb-Of course I have tried adding the modules in /etc/initramfs-tools/modules without any success18:13
olivierb-What is also very strange is that my initial and working initrd file is 9 Mb big and the failing regenerated one is 32 Mb. Trying dep instead of most in the conf file made the size go down to 15 Mb which is still twice the initial working version.18:13
olivierb-Any clue what could be the cause, where to look and how to fix this ?18:13
olivierb-One other thing is that my 1st initrd file in the DIB image has been generated using dracut which is also present in my packages list so maybe it somehow also interferes with initramfs-tools ? Just a wild guess18:13
sarnoldolivierb-: do you have the corresponding -extra package for your kernel installed? I've seen that cause boot failures plenty ..18:15
olivierb-sarnold let me check this18:16
olivierb-yes it is installed in the image too18:18
sarnolddang. there goes the easy solution.18:19
sarnoldhow far in the boot does it get?18:19
olivierb-seems like it can not mount rootfs which is in LVM/xfs partition18:19
mecotriLately when I reboot my server several services fail to start with the error cannot bind address in use. I haven't made any configuration changes since everything worked as expected, I've only performed updates.  At first it was just Dovecot that had the issue and today after installing more updates apache and ssh failed to start also because the address was in use.21:58
sarnoldyou can use netstat's -p flag to find out which process already has those sockets bound21:58
mecotrisarnold: thanks. Looks like my problem this time is the interface isn't up for some reason. It was just before rebooting.22:05
sarnoldmecotri: and you got back "address in use" errors for that? o_O22:05
mecotrisarnold: I got that for dovecot and got cannot bind address for apache and ssh. I wrongly lumped them together as part of the same issue.  Any ideas on seeing what's keeping the interface from coming up? My static addresses are set using /etc/netplan/01-netcfg.yaml22:08
sarnoldmecotri: could you file a bug against dovecot? there's a chance its systemd configuration is using the wrong "make sure networking is up" directive22:09
sarnold(for some reason systemd seems to have immense trouble with this. :( )22:09
cyphermoxinterface is not coming up, or some dovecot thing is not binding to it?22:11
mecotrisarnold: Will do.22:14
