[00:10] <apb1963> Firefox has detected that the server is redirecting the request for this address in a way that will never complete.  mxtoolbox.com says "The remote server returned an error: (404) Not Found. (http://greetonix.com) "  redirect-checker.org thinks its essentially ok.  Config file: https://hastebin.com/rarowejito.py
[00:20] <axisys> is there a parameter in F6 during ubunut install to say "Do not configure network right now" ?
[00:21] <axisys> I put the CD in and wait all night and then see it is waiting on to respond to that
[00:21] <axisys> (I know I can fix all those by extracting the ISO and then fix the preseed)
[00:22] <sarnold> axisys: iirc I once heard you can unplug the network cable to get past hung networking config
[00:22] <axisys> but we are building tons of those from the vendor ISO (built on top of ubuntu ISO with their pkgs) and like to just provision the ISO and make a comment in the boot option and let it make build
[00:23] <axisys> sarnold: except these servers at all over the world..
[00:23] <sarnold> axisys: ah. the 'f6' gave me the impression you just wanted to move past something immediately. :)
[00:23] <axisys> sarnold: I provision the ISO over iLO (HP proliant gen 9) and let it build
[00:24] <axisys> sarnold: that is the only question I need to repond.. I also add the console=ttyS0,115200n8 console=tty0 after the --
[00:24] <axisys> but I wish there is a parameter to tell it to skip the network
[00:25] <axisys> it builds just fine without the network except wait for an answer..
[00:26] <axisys> extracting ISO and fix it would be fine.. but we continuosly get new version ISO which get pushed to certain location.. so somewhat hands free on receiving new ISO from the Vendor
[00:27] <axisys> and then we just point to it over iLO.. so somewhat automated.. but this last question is kind of annoying manual process
[00:28] <axisys> I could not find any answer in google yet.. most matches to answer fixing or disabling network from the OS.. that is not what I am looking for
[00:29] <sarnold> axisys: which installer are you using? debian installer? ubiquity? subiquity? something else?
[00:29] <sarnold> like those google results, I really only know things once an OS is up and running, heh
[00:31] <axisys> ubuntu 14.02 ISO default
[00:32] <axisys> so probly debian installer?
[00:40] <apb1963> axisys,  is there a parameter in F6 during ubunut install to say "Do not configure network right now" ? <<<<< Possibly netcfg/disable_autoconfig=true will do what you need.  From https://help.ubuntu.com/lts/installation-guide/i386/ch05s03.html for details.
[00:40] <dpb1> ... 14.04?
[00:44] <axisys> dpb1: yes
[00:44] <axisys> apb1963: hmm.. need to test with that parameter for next install
[07:52] <Neo4> hi
[07:52] <mike-zal> hi
[07:52] <Neo4> what is scheme link dovecot + postfix + mysq + postfixadmin + squirrelmail?
[07:53] <Neo4> I installed postfix, it works, send and accept mails, I'd tried with all other apps and couldn't have done
[07:54] <Neo4> postfixadmin creates your own table in mysql, In postfixadmin I can create virtual domain and mailboxes, What is this I don't know
[07:54] <Neo4> real postfix doesn't linked to postfixadmin
[07:55] <Neo4> what database should be for dovcot postfix squirrelmail?
[07:55] <Neo4> they all should use one database?
[07:56] <Neo4> and for support mysql we must install postfix-mysql
[07:56] <Neo4> and for link something database, there we have to learn how works postfix table lookup?
[07:57] <Neo4> These is all what I know for a while...
[07:58] <Neo4> I can't do this :(
[08:00] <Neo4> guys is it really even set up mail server so difficult?
[08:00] <Neo4> not everybody could do it...
[08:02] <Neo4> What I think, Let's little thinking?
[08:03] <Neo4> squirrelmail it's ordinary MUA (web) for web they called webmail
[08:03] <Neo4> it means it must have his own separated database?
[08:04] <Neo4> yes, probably, and then using IMAP mails will delivers there, but there nothing works, one page with login and password, Not understandable where database
[09:38] <_ruben> as stated several times before, setting up a mailserver without knowing what you're doing is a recipe for disaster
[12:40] <ahasenack> rbasak: hi, good morning. dep3 question
[12:40] <ahasenack> rbasak: I have an upstream patch that was formatted by git, and it looks like this: https://attachments.samba.org/attachment.cgi?id=14159
[12:40] <ahasenack> dep3 has other headers, a different formatting
[12:40] <ahasenack> yet dep3changelog (my go-to tool to check dep3 syntax) doesn't complain about it
[12:41] <ahasenack> should I a) reformat the entire header into what we normally use in our dep3 patches?; b) just add some missing bits, like "Bug-Ubuntu"
[12:41] <ahasenack> c) leave it as is, and mention the ubuntu bug in d/changelog?
[12:48] <ahasenack> cpaelzer: do you have a preference about the above? ^
[12:56] <cpaelzer> ahasenack: I'm reading ...
[12:57] <ahasenack> my adapted patch looks like https://pastebin.ubuntu.com/p/8N5PZnfBgF/
[12:57] <ahasenack> I added a couple of headers
[12:57] <cpaelzer> I usually take b) of your options
[12:57] <ahasenack> so like https://pastebin.ubuntu.com/p/8N5PZnfBgF/ that I just did
[12:57] <ahasenack> where I added Bug-Ubuntu and Origin
[12:57] <cpaelzer> take the patch as is and right above the --- to diffstat I add the lines that I tinhk match of http://paste.ubuntu.com/p/23hR56TXJb/
[12:58] <ahasenack> ah, hm, I added them as additional headers, since that whole thing looks like an email
[12:58] <cpaelzer> yeah, I usually group them at other lines, but content wise this is fine
[12:58] <ahasenack> ok, thx
[12:58] <cpaelzer> I like to separate them down there to be obvious that this is the part not coming out of the git export
[12:58] <cpaelzer> but you are fine either way IMHO
[12:59] <cpaelzer> the git export has most already anyway
[12:59] <cpaelzer> and enriching with some extras just helps on maintenance
[12:59] <ahasenack> cpaelzer: yours would look like this then? https://pastebin.ubuntu.com/p/tfPJBvYZB9/
[13:03] <cpaelzer> ahasenack: yes
[13:03] <cpaelzer> except I once started to list Author (me) and Original-Author (the above) as well
[13:03] <cpaelzer> but I realized that is unreasonable overkill
[13:03] <cpaelzer> and I'm gonna drop that soon
[13:03] <cpaelzer> my name is in the upload
[13:03] <cpaelzer> his in the git export
[13:04] <cpaelzer> I think that is good in terms of correct attribution
[13:04] <cpaelzer> only if I backport it reasonably (modification) I still do that
[13:04] <ahasenack> yeah, I would only put my name in there if the patch needed significant changes in order to apply
[13:04] <cpaelzer> see- we are the same :-)
[13:23] <ahasenack> hm, trying to understand why the diff in https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/343606 is bogus
[13:25]  * ahasenack makes a fresh clone elsewhere
[13:54] <Neo4> I've installed dovecot and try check
[13:54] <Neo4> telnet localhost 143
[13:54] <Neo4> and got error connection closed
[13:54] <Neo4> in firewal it allowed
[13:55] <sdeziel> Neo4: is there a process listening to that port?
[13:55] <Neo4> connection closed by foreign host, what does it means?
[13:56] <Neo4> it seems works, only closed for unknown host
[13:56] <Neo4> sdeziel: https://paste.ubuntu.com/p/m7fwWYRqNt/
[13:57] <Neo4> continue read
[13:57] <Neo4> do you know there maybe need to create IMAP server?
[13:58] <Neo4> MX or something similar?
[13:58] <Neo4> join #dovecot
[13:59] <sdeziel> looks like you are trying to connect to a port where nothing listens
[15:10] <Neo4> I put to rsyslog.conf other data, and remove old, how to get new rsyslog.conf?
[15:10] <Neo4> if I reboot server what happane?
[15:31] <Chryzo> Good morning, I am having issues with apparmor and slapd. I put my certs in a custom folder (usr/var/openldap-data). Added /usr/var/, /usr/var/openldap-data and /usr/var/openldap-data/* to the apparmor usr.sbin.slapd file with read permission.
[15:31] <Chryzo> but when I try to use a cert configured in that folder, apparmor denies the access
[15:34] <jdstrand> Chryzo: can you paste the denial?
[15:35] <Chryzo>  apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/usr/var/openldap-data/cacert.pem" pid=55921 comm="slapd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
[15:38] <Chryzo> Ok, i restarted the whole stack and it is now working. Sorry about that
[15:41] <Neo4> who know how to regenerate new /etc/rsyslog.conf?
[15:44] <Neo4> well, I copy to rsyslog.conf data from my local computer
[15:45] <Neo4> seems it can't generate after remove, there not file at all
[15:45] <samba35> how to configure hostdev ,by editing virsh edit guestname and hostdev section and change        <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
[15:45] <samba35>  ????
[15:46] <nacc> samba35: are you asking if that is how you edit hostdev?
[15:46] <samba35> when i edit it give error with  error: XML error: Invalid PCI address 0000:01:00.0. slot must be >= 1
[15:47] <samba35> yes
[15:47] <nacc> samba35: there is also a libvirt channel, i expect and #ubuntu-server is probalby more appropriate
[15:47] <samba35> ic
[15:47] <samba35> thanks
[20:21] <ProCycle> I'm having a strange bug where I can't chmod on a file that I have write access to via the group permissions
[20:22] <ProCycle> Perms on the file is -rw-rw-r-- and www-data is set as both owner and group
[20:22] <ProCycle> user account I'm trying to chmod with is in the group www-data
[20:23] <ProCycle> Parent directory is drwxrwx--- and owned by the user account
[20:23] <teward> just because your user is in the www-data group, doesn't mean that you can chmod the file to change its permissions
[20:23] <teward> normally that's an owner user priv, or something you need superuser to do
[20:23] <dpb1> +1
[20:24] <ProCycle> Oh I see...
[20:25] <ProCycle> I've always used sudo but now I'm trying to work with a limited account
[20:25] <teward> ProCycle: at this point you're starting to delve into "Who should own the files"
[20:25] <ProCycle> Guess I need to muck with the nginx server
[20:25] <teward> I have a setup where my own user account has user-level ownership of the files, www-data has group level ownership/access, and nobody else does
[20:25] <teward> and it works fine with NGINX
[20:25] <teward> because www-data has read/write privs where it needs them.
[20:26] <ProCycle> But these files are being written by NGINX (well php-fpm)
[20:26] <teward> (unrelated but probably good to know, as dpb1 knows, I'm one of the primary NGINX people on the Server team)
[20:26] <teward> ProCycle: so give the *group* read/write
[20:26] <teward> let's say my user is 'foo'
[20:26] <teward> ownership is set to foo:www-data
[20:26] <teward> chmod for directories is 770
[20:26] <teward> chmod for files is 660
[20:26] <teward> your user has access, www-data for the web server has access, nobody else has access
[20:27] <teward> (except superuser of course)
[20:27] <teward> NGINX runs as `www-data:www-data` by default in Ubuntu, so it will have access via the group-level permissions
[20:27] <teward> if any other user needs access, then, you're starting to delve into the realm of file ACLs
[20:27] <ProCycle> aye that's how it's setup, except the server isn't creating files that way
[20:27] <teward> "except the server isn't creating files that way" <-- explain this
[20:28] <teward> ambiguous statements are ambiguous
[20:28] <teward> and make me cringe horribly.
[20:28] <dpb1> teward: :)
[20:29] <ProCycle> As in, most of the site files are read only to the server and owned by my user, except it has write access in one subdirectory (web/files/) where php is writing various files
[20:29] <ProCycle> By server I mean nginx
[20:29] <teward> no, you mean PHP
[20:29] <teward> not NGINX
[20:30] <teward> since PHP is run by php-fpm and not as part of nginx.
[20:30] <teward> normally.
[20:30] <ProCycle> So nginx is proxying requests to php-fpm then?
[20:30] <teward> depends on your nginx setup.. give me the output of `nginx -T` and i'll tell you :P
[20:30] <teward> (use a pastebin though!)
[20:31] <teward> ProCycle: in a 'normal' LEMP setup with PHP, you're most likely going to have `php-fpm` running on a local UNIX socket
[20:31] <teward> and NGINX hands off any PHP-related requests to that local socket for processing
[20:31] <teward> so PHP is the one writing files at that point
[20:31] <ProCycle> Yes it's using the socket in the nginx config
[20:32] <teward> so php-fpm is creating the files.
[20:32] <sdeziel> the default PHP-FPM pool config has it running as www-data:www-data too though
[20:32] <teward> sdeziel: more importantly is deciding what "except the server isn't creating files that way" means.
[20:32] <sdeziel> teward: absolutely ;)
[20:33] <teward> ProCycle: what is the server *trying* to do when it creates a file?  Is it trying to create something *outside* of `web/files/`?
[20:33] <teward> if it is, then your site either has system-level permissions not set up properly for it to access things, or your site is infested with malware trying to do things it's not supposed to
[20:34] <teward> ProCycle: how do you *expect* the server/PHP to be creating files?  With what permission(s)?
[20:34] <ProCycle> No it's writing files inside web/files/. The issue is that the management account cannot change the permissions (because they're world readable and shouldn't be)
[20:34] <ProCycle> So I need to fix the permissions so it writes files with the correct umask
[20:36] <teward> and behold, *now* we know what the core issue is.
[20:36] <teward> ProCycle: the 'management' account - I presume this is *not* your user, and is www-data.
[20:36] <teward> insomuch as the files are created as www-data:www-data
[20:37] <teward> or rather, the way the files are 'created' that is.
[20:39] <ProCycle> The management account (lets call it manager) is the one with write access to the entire site directory tree
[20:39] <ProCycle> And the site is updated by pulling from a git repo
[20:39] <teward> ProCycle: your web server is creating files, correct?  Is it creating them as `www-data` user and www-data group as the owner?
[20:39] <ProCycle> Yes, it is creating files in web/files/ as www-data:www-data
[20:40] <ProCycle> https://pastebin.com/jsn27Gkc
[20:41] <teward> that's because of how PHP is run and how file permissions are.  You state that manager can't change the permissions, and that things can't be world-readale
[20:42] <teward> you have two solutions: the first is to *not* let non-manager and non-www-data users traverse into the directory (chmod o-rwx web/files)
[20:42] <sdeziel> ProCycle: if you want to PHP-FPM's umask, I think you'll need a systemd snippet. This way, you could make the umask to make the created files inaccessible for others
[20:42] <teward> sdeziel: in theory he can use a filesystem level default ACL
[20:42] <teward> `setfacl -d -m o::000 web/files/`
[20:43] <teward> sdeziel: the tricky part is to make the umask that way might break other things in the fpm pool which might *need* that level of 'readability'
[20:43] <teward> (I have a thing about messing with systemd services' runtime umask settings in that they can get 'reset' on an upgrade if the new data clobbers the customized snippet)
[20:43] <sdeziel> ProCycle: "systemctl edit php7.0-fpm" then put "[Service] UMask=0002" on 2 lines
[20:43] <teward> ^ that would work
[20:44] <sdeziel> teward: yeah, I never touch package provided units ;)
[20:44] <teward> sdeziel: which you'd be doing right there, I think.
[20:44] <teward> because php7.0-fpm is touched by the system IIRC
[20:44] <sdeziel> teward: no
[20:44] <teward> s/system/packages/
[20:44] <teward> it's *not*?  *new info added*
[20:45] <sdeziel> teward: systemctl edit creates a local delta stored under /etc/systemd/...
[20:45] <teward> ahhh, new SystemD info learned.
[20:45] <teward> sdeziel: they could prevent 'world readability' by denying all 'other' people access to the folder itself
[20:45] <ProCycle> Hmm that's a good point. If others don't have read access to the web/files directory then they can't access the files under it regardless of their permisions
[20:45] <teward> and while the perms on the files might still have 'read' for 'other' users, they wouldn't have access to the directory to go into or traverse it then
[20:46] <teward> and they don't have to mess with umasks
[20:46] <sdeziel> teward: that might be the most brilliant way to solve this one
[20:46] <teward> and simple
[20:46] <ProCycle> I'm going to go with that solution
[20:46] <teward> ProCycle: I'd consider just doing a `sudo chmod o-rwx` on the web/files dir
[20:46] <sdeziel> teward: re systemd delta, I use them all the time for "hardening" purposes like here https://paste.ubuntu.com/p/MSJcyxZwPR/
[20:46] <ProCycle> Rather not mess with php umasks if I can help it
[20:47] <teward> sdeziel: ah, nice.
[20:47] <teward> I"ve learned something today xD
[20:47] <ProCycle> Yeah systemd overrides are useful
[20:47] <teward> ProCycle: once you make the chmod, though, you might need to 'store' the permissions change if that directory is indexed in git as well.  Just a thought.
[20:47] <teward> because git *can* change permissions...
[20:47] <ProCycle> I created a timer template for database backups, then make an override to change the timing for each instance
[20:48] <ProCycle> git would be running as the manager user, and I'd hope be preserving file perms but I'll keep an eye out on it
[20:49] <teward> well git *can* remember permissions masks, which is why I said you might have to commit those permission changes on the web/files/ directory in the git repo as well, depending on the type of setup and whether that folder is included in git or not
[20:49] <teward> (it's done stupid things like that for some of my projects before...)
[20:50] <ProCycle> Haven't actually created the repo yet so I'll make sure that happens
[20:50] <teward> but yeah simply denying other users access to the directory in question would solve the 'world readable' problem.
[20:50] <teward> the other way that doesn't involve SystemD overrides and umask messing with is to do it at the file ACL level, but that's a little evil too.
[20:51] <ProCycle> I haven't delved into ACL yet but I suspect that's something valuable to learn
[20:52] <sdeziel> the parent dir chmod is best IMHO, but another way would be to set an env variable in the FPM pool config
[20:53] <teward> ^ that too
[20:53] <teward> but yeah, parent dir chmod to prevent traversal any further into the dir tree is the best and most simple solution
[20:59] <ProCycle> Now if only I could make composer not be stupid and set perms correctly from the beginning
[21:06] <sudosmurf> I've generated an SSH key using ssh-keygen, used ssh-copy-id to copy it over to the target, set the ssh config to no use passwords for auth, but when I try to SSH in it fails with "Permission denied (publickey)". Adding the -v flag shows that the public key is being offered, but for some reason the server is rejecting it. I've compared the values on the remote host and the local host and they match. what am I missing.
[21:07] <ProCycle> check the contents of ~/.ssh/authorized_keys
[21:07] <ProCycle> Your public key should be in there
[21:08] <sudosmurf> it is
[21:10] <ProCycle> You could check /var/log/syslog for an error from sshd
[21:10] <ProCycle> Might have more information
[21:11] <sudosmurf> nothing that jumps out at me
[21:13] <ProCycle> Maybe try ssh -i ~/.ssh/keyname -o IdentitiesOnly=yes account@host
[21:13] <ProCycle> to connect
[21:14] <sdeziel> sudosmurf: grep sshd /var/log/auth.log
[21:14] <sudosmurf> ProCycle, I've specified the file in the ssh config
[21:14] <sudosmurf> the identity file
[21:14] <sudosmurf> can the -o
[21:14] <sdeziel> sudosmurf: could you paste your sshd_config if auth.log?
[21:34] <sudosmurf> yeah, in a bit