/srv/irclogs.ubuntu.com/2018/06/19/#ubuntu-server.txt

[00:40] <rbasak> nacc: FYI: https://github.com/CanonicalLtd/server-jenkins-jobs/pull/1
[00:40] <rbasak> Once that lands I'll try retesting https://jenkins.ubuntu.com/server/job/git-ubuntu-ci/17/ to ensure it doesn't break anything.
[02:27] <nacc> rbasak: +1 seems like a good idea, thanks for the update
[02:42] <Randolf> I'm trying to get OpenVPN Server running on Ubuntu Linux 18.04 LTS, but I can't even get it to write output to a log file.  Is there a way to get OpenVPN to display its error output to the screen?  Thanks.
=== miguel is now known as Guest29722
[04:25] <phibs> I already have a PXE environment w/ a full ubuntu image, but would like to be able to drop the OS onto the local disks via an image.  I don't need partitioning or anything like that. I don't want to have to boot w/ cloud-init as it is bare metal.  Does Ubuntu have anything like this? Would Curtin work? (was not sure how cloud-init plays into it)
[06:25] <lordievader> Good morning
[06:42] <TvL2386> morning
[06:57] <gordonjcp> morning
=== gogbog is now known as Guest69003
[11:43] <moffa> Hi, I'm trying to use the ubuntu-alternate installer with VMWare ESXi 6.7, When I select the Ubuntu installer, after a few seconds I get a white screen with corrupted graphics.  Anyone have a workaround?
[11:50] <RoyK> moffa: https://www.kernel.org/doc/Documentation/svga.txt <-- read this - perhaps there's an unsupported (by ESXi) vga mode (framebuffer) being used
[11:52] <moffa> Like when I boot from the iso I select English, then I select Install Ubuntu Server.  Then you see a black screen with kernel msg then it goes to a white/gray screen
[12:16] <tomreyn> moffa: also note there are two different server installers for ubuntu 17.10 and 18.04 (in case you're using this). the (new) default one is called 'live' installer, and uses a graphics mode and installs fast (but is not flexible). the old one, called 'alternative' (debian) installer, uses plain text mode and offers all the choices.
[12:19] <blackflow> aren't there... three?  ubiquity, subiquity and debian installer?
[12:25] <tomreyn> subiquity is the server 'live' installer, ubiquity is the desktop 'live' installer. debian installer is the 'old' one which is used for alternative server installer and mini.iso.
[12:26] <blackflow> ah so there's no ubiquity on -server isos?
[12:27] <tomreyn> afaik not. there are canonical repositories for both on github though if you'd like to take a closer look at the differences though
[12:29] <tomreyn> https://github.com/CanonicalLtd
[12:29] <tomreyn> actually just subiquity is there.
[12:32] <RoyK> tomreyn: (s)he said (s)he's using the alternate installer
[12:34] <tomreyn> RoyK: oops, right, it helps when one knows how to read properly.
[12:41] <blackflow> tomreyn: oh okay. I must've misunderstood, thinking they're both present.
[13:03] <moffa> yeah the live installer works but it runs all that cloud.cfg scripts which setup netplan etc, I don't want to use that as I don't really understand how to configure it.
[13:06] <cyphermox> moffa: you don't have a choice, if you use the live installer, you get netplan. if you want to do otherwise you'll need to change things yourself after the install (install ifupdown, etc.)
[13:07] <cyphermox> that said, if you run through the configuration in the live installer and you don't need any special network setup, it'll work just the same
[13:09] <moffa> oh maybe I'll try that.  I am getting weird dhcp client issues. I get a different IP than expected with netplan. I have to release and renew to get the proper ip.
[13:11] <cyphermox> ok
[13:12] <cyphermox> moffa: you using Windows Server as DHCP?
[13:12] <moffa> I think so, it's my IT department so they don't tell me anything.
[13:13] <moffa> They have a lot of things misconfigured - so I wouldn't be surprised if the issue is on their end
[13:19] <v0lksman> anyone know what I'm missing out on if I compile my own nginx vs nginx, nginx-common and nginx-extra?
[13:20] <v0lksman> or better yet a reliable source for nginx compiled with pagespeed?
[13:37] <rbasak> teward might know ^
[13:47] <v0lksman> I think I'm going the route of recompiling the source package from ubuntu rather than the latest from nginx, that way I just need to add my module and compile rather than gather all the modules the packages provide for me and risk missing something
[13:48] <rbasak> That sounds like a reasonable approach.
[14:01] <teward> rbasak: hm?
[14:02] <teward> v0lksman: FWIW, Pagespeed is pretty much deprecated in favor of HTTP/2 nowadays
[14:02] <teward> you would do better to deploy HTTP/2 instead of the Pagespeed module.
[14:02] <teward> it's still 'developed' and what not, but HTTP/2 is the faster native solution
[14:04] <teward> rbasak: do you know if HTTP/2 was released for Apache in 18.04?  I don't remember the state of that, last I heard was it's still disabled because of nghttp2 having issues, but I didn't check/follow it.
[14:04] <teward> rbasak: also, Debian had the "Add ngx_pagespeed module" request and rejected it, just as an FYI.  It's nontrivial to maintain (just like modsecurity/NAXSI was)
[14:05] <rbasak> teward: https://wiki.ubuntu.com/BionicBeaver/ReleaseNotes#Apache says yes
[14:05] <v0lksman> huh...so if I have http2 in my listen directive I'm already ahead of the game?  what about all the additional caching that pagespeed does?
[14:06] <blackflow> with a small caveat that http/2 requires ssl
[14:06] <v0lksman> (I am using ssl)
[14:06] <teward> blackflow: the spec doesn't require it, but browsers do.
[14:06] <teward> so for all practical purposes, yes, it needs SSL.
[14:06] <blackflow> right so... it's required :)
[14:06] <teward> v0lksman: the NGINX team doesn't maintain the Pagespeed module, but HTTP2 is pretty fast on its own
[14:06] <teward> i'm not familiar with the 'caching' part of Pagespeed
[14:08] <teward> so I can't comment specifically on that, but pagespeed was a 1.1 optimization and an SPDY optimization, both are not necessary with HTTP/2
[14:08] <teward> (relevant: https://www.nginx.com/blog/7-tips-for-faster-http2-performance/)
[14:08] <teward> older blog post but still relevant from the NGINX upstream blog
[14:09] <v0lksman> teward: thanks will digest. would rather not have to maintain a custom compile so if I can avoid it I will
[14:10] <blackflow> v0lksman: the observed and gained improvement comes only with scale at which there's no more just you trying to figure this out, and supposedly plenty of resources available to track custom builds if really needed.
[14:11] <teward> v0lksman: I'd strongly recommend doing this as a side-by-side thing, with separate NGINX deployments (even containerized if you wanted to), one with pagespeed and one with pure NGINX; but HTTP/2+NGINX can cause performance *decreases* instead of performance *increases*
[14:11] <blackflow> in other words, the size of ops at which scale you observe improvement, is beyond just one person trying to figure this out.
[14:14] <teward> what blackflow said.  HTTP/2 on its own is *speedy* without Pagespeed, so it might be what you need.
[14:14] <teward> I don't roll HTTP/2 right now, but that's because my servers don't have new enough OpenSSL at the moment to have full HTTP/2.
[14:14] <teward> (yeah I have a few older servers, don't judge me, i'm working on porting them to 18.04 servers, it just takes *time*)
[14:15] <blackflow> ewww, still running sslv3?
[14:15] <teward> oh *god* no
[14:15] <blackflow> then what do you mean by too old openssl?
[14:15] <teward> blackflow: ALPN vs. NPN
[14:15] <teward> needs newer OpenSSL libs to support the ALPN
[14:16] <blackflow> oh I keep forgetting about that
[14:16] <blackflow> yeah 1.0.2 or newer
[14:16] <teward> and i have a couple servers that are still on 14.04 so
[14:16] <blackflow> mh-hm
[14:17] <teward> and as an aside I'm an IT security guy, so if I was rolling SSLv3 intentionally I'd probably need to be shot.
[14:17] <teward> (figuratively speaking)
[14:17] <teward> *everything* (even my mail servers) are reconfigured to not permit the insecure things
[14:18] <blackflow> as it should be:)
[14:22] <sdeziel> while I generally agree that SSLv3 is bad, disabling it on MXes could lead to emails being retransmitted in the clear if the sender doesn't support TLS 1.0
[14:22] <blackflow> so... basically no loss in security there? :)
[14:22] <sdeziel> fortunately such senders should be pretty rare nowadays ... or just spammers
[14:23] <sdeziel> blackflow: I believe that SSLv3 is mostly vulnerable to active attacks which is generally not something that SMTP considers
[14:24] <sdeziel> things are changing (especially now with Let's Encrypt) but for a long time, most MX to MX communication used self-signed certs
[14:24] <blackflow> sdeziel: and another problem is, for that to have any effect, you need to configure your MTA to _require_ SSL/TLS and not just on submission (port 587).
[14:25] <sdeziel> blackflow: per the RFC(s), you cannot mandate SSL/TLS on TCP/25
[14:25] <teward> sdeziel: the problem is certain policies (HIPAA compliance, PCI DSS compliance) require certain things to be configured even on mail servers, last I checked.  Including disabling SSLv3
[14:25] <blackflow> ie, for postfix for example, smtpd_tls_security_level at "encrypt"
[14:25] <teward> but SSLv3 is a problem in and of itself and with various OpenSSL libs and such no longer supporting SSLv3 that's a different issue.
[14:25] <blackflow> sdeziel: exactly, so it's a moot point. the MITM can downgrade always.
[14:26] <blackflow> one of the reasons why I dislike STARTTLS.
[14:26] <sdeziel> blackflow: check https://tools.ietf.org/html/draft-ietf-uta-mta-sts-21 and https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt-23
[14:27] <v0lksman> well that may be my problem. while I have http2 defined in my config when I curl the site and look at the headers it's an http1 response
[14:27] <sdeziel> teward: yeah, I agree and I did disable SSLv3 on my MXes too :)
[14:27] <blackflow> sdeziel: thanks I'll check that out.
[14:29] <blackflow> I also run with dh params at 2048. We had some issues with some clients using old Java to interface with our APIs, but.... they managed to upgrade :)
[14:30] <sdeziel> blackflow: re StartTLS, see https://tools.ietf.org/html/rfc8314
[14:31] <teward> sdeziel: I mean, I still have *optional* encryption (preferred if available) on my MXes, but I follow some of the standard practices and require at least what Mozilla calls an Intermediate grade of security on my web servers.
[14:31] <teward> s/web servers/mail servers/
[14:31] <blackflow> sdeziel: yeah, no kidding.
[14:32] <sdeziel> for those using postfix, you can get better than opportunistic TLS on your outgoing SMTP transactions by setting "smtp_tls_security_level = dane"
[14:33] <teward> sdeziel: guess I learned something.  *goes to revise his MXes*
[14:34] <blackflow> yeah, DANE is better but... with these things I tend to quote Theo de Raadt. Optional security is no security.
[14:35] <sdeziel> http://www.postfix.org/TLS_README.html#client_tls_dane
[14:35] <rbasak> cpaelzer: what are your plans for merging libvirt?
[14:36] <blackflow> and funny for ubuntu people to recommend dane.... given that systemd-resolved and all its troubles with DNSSEC being default in Ubuntu   ;)
[14:38] <sdeziel> blackflow: I'm still wedded to unbound
[14:39] <blackflow> I'm to bind, but only because I need authoritative serving and wanna use just one tool.
[14:49] <cpaelzer> rbasak: plan is after vacation
[14:49] <cpaelzer> I have a set of extra todos around it and a trello card to cover those
[14:49] <cpaelzer> also we want more than the current 4.3
[14:51] <rbasak> OK
[15:39] <phibs> I already have a PXE environment w/ a full ubuntu image, but would like to be able to drop the OS onto the local disks via an image.  I don't need partitioning or anything like that. I don't want to have to boot w/ cloud-init as it is bare metal.  Does Ubuntu have anything like this? Would Curtin work? (was not sure how cloud-init plays into it)
[15:45] <compdoc> just clone the os to existing partitions? never tried that
[15:47] <dpb1> powersj: so, our manpages regeneration thing appears to be working?
[15:47] <dpb1> I haven't checked actually
[15:47] <powersj> yep!
[15:47] <dpb1> that's neat!
[15:47] <powersj> all the examples in that bug are fixed now
[15:48] <dpb1> my crazy sha1 thing
[15:48] <powersj> heh works
[17:10] <qwebirc35817> Hello, I've question, does the new ubuntu server 18.04 by default use systemd-resolve, can I turn it off and use the default router or another dns server instead? I'm confused because on 16.04 I never see systemd-resolved listen on port 53
[17:12] <teward> qwebirc35817: it uses systemd-resolve by default.  systemd-resolve behaves like the Desktop's dnsmasq did, it's just a local caching resolver that will send out to the actual DNS nameserver(s) set in either a static config (with netplan) or with the ones it gets from DHCP.  This is 'typical' behavior.
[17:12] <teward> I tried removing systemd-resolve from the equation and it didn't end well.
[17:12] <teward> (on a test install)
[17:12] <blackflow> qwebirc35817: yup. mask it, unlink /etc/resolv.conf and make it a proper file with whatever nameserver entry you want
[17:13] <teward> but ^ that
[17:13] <teward> (I tried that too, it exploded on my test systems, but that was back right before 18.04 release so YMMV)
[17:13] <blackflow> teward: that procedure works for me just fine since 16.10
[17:13] <blackflow> the key being unlinking resolv.conf and MASKING, not just disabling, the resolved service.
[17:14] <teward> blackflow: I believe you.  (But like *every* procedure, YMMV because of various reasons)
[17:14] <blackflow> I guess.
[17:14] <teward> I quite like the local caching resolver either way, but that's my opinion :)
[17:14] <blackflow> I'm just into deterministic computing and software being bent unto MY will, not the other way around .)
[17:14] <qwebirc35817> blackflow: I'm not found any resolv.conf, I only have resolved.conf
[17:15] <teward> blackflow: To each their own, I guess.
[17:15] <teward> not every sysadmin here at work, though, knows Linux so I have to adapt so they don't have to do poweruser custom changes :P
[17:16] <qwebirc35817> blackflow: Any link that could help me or maybe guide me to approach masking or such? I'm new in ubuntu managing
[17:19] <blackflow> qwebirc35817: systemctl mask systemd-resolved
[17:19] <blackflow> also stop the service
[17:19] <qwebirc35817> blackflow: That mean the systemd-resolved still there right? listen on 53?
[17:19] <blackflow> teward: well I don't know. computers should serve US, not the other way around :)
[17:19] <blackflow> qwebirc35817: it should not if you stop the service.
[17:20] <qwebirc35817> but when I want to solve any domain then it will listen again on port 53 am I right?
[17:20] <blackflow> qwebirc35817: also, resolv.conf should be at /etc/resolv.conf, and by default it's a symlink to somewhere under /run/
[17:20] <blackflow> qwebirc35817: no. you set up resolv.conf with proper nameserver entries. I mean that's what you wanted, no?
[17:21] <blackflow> you asked if you could turn off systemd-resolved and "use another dns server instead2.
[17:21] <blackflow> s/2\./"./
[17:23] <qwebirc35817> blackflow: no luck, no resolv.conf I guarantee you.. I confused ~_~
[17:24] <blackflow> qwebirc35817: well create one then. your question seemed to imply that you know what you're doing?
[17:24] <blackflow> because if you don't, then maybe just leave it as is?
[17:27] <qwebirc35817> hmmm, so when I set the nameserver then it's done, I could just disable systemd-resolved right?
[17:28] <blackflow> qwebirc35817: no. not disable. mask it. and stop the service.
[17:29] <qwebirc35817> so I put name server on resolv.conf and mask the service then reboot?
[17:30] <blackflow> you don't have to reboot.   systemctl stop systemd-resolved; systemctl mask systemd-resolved; unlink /etc/resolv.conf ; <create new /etc/resolv.conf in whatever way you like>
[17:32] <qwebirc35817> what it just work like that...?
[17:32] <blackflow> yeeeees?
[17:33] <qwebirc35817> blackflow: Oh God.. why they make it so complicated... -_- why they plant a software like that... -_-
[17:33] <phibs> So does anyone know how cloud-init fits into 'Curtin' and is it required @ boot or how exactly is it used?
[17:33] <blackflow> qwebirc35817: that's a mystery indeed.
[17:34] <phibs> looks like it uses cloud-init at first boot, which I spose is fine assuming the metadata is obtained from itself and not a server
[17:36] <qwebirc35817> blackflow: okay... how about netplan?
[17:37] <phibs> wondering if I can just use curtin to drop the image on and run some of my own customizations / install grub
[17:39] <blackflow> qwebirc35817: what about it?
[17:43] <qwebirc35817> I mean set name server on netplan will also work?
[17:44] <blackflow> qwebirc35817: probably yes. I'm not really using netplan.
[17:44] <nacc> phibs: there are also #cloud-init and #curtin channels
[17:45] <blackflow> qwebirc35817: but I think that will just keep on using systemd-resolved, indirectly.
[17:45] <blackflow> qwebirc35817: netplan is just configuration abstraction, it doesn't do anything else.
[17:46] <phibs> nacc: oo thx
[18:08] <coreycb> jamespage: in case you come across something similar, flask in cosmic is not working with sahara running under wsgi: https://storyboard.openstack.org/#!/story/2002617
[19:17] <coreycb> jamespage: i think that's fixed now. ^ btw nice little addition to dep8 daemon tests (sahara does it) is a curl of the api port. curl --fail http://localhost:8386
[19:43] <ahasenack> trying to understand how britney hints work. Why is there one file per user here? https://bazaar.launchpad.net/~ubuntu-release/britney/hints-ubuntu/files
[19:44] <ahasenack> are all files just concatenated?
[21:30] <madLyfe> so I'm trying to setup a static IP in server 18 during fresh install and it's asking me for subnet? I don't recall using this before when I manually configured static IP after install using a guide. subnet has a trailing slash?
[21:31] <madLyfe> the guide I previously used was this: http://www.configserverfirewall.com/ubuntu-linux/ubuntu-set-static-ip-address
[21:31] <madLyfe> what should I put for the subnet?
[21:31] <madLyfe> https://usercontent.irccloud-cdn.com/file/PW8JqOxY/irccloudcapture8578377963037103038.jpg
[21:32] <powersj> madLyfe: yes it is asking for the subnet info all in one line
[21:32] <powersj> so if you used to say 192.168.0.10 and netmask 255.255.255.0 you would now say 192.168.0.10/24
[21:33] <nacc> ahasenack: aiui, yes
[21:33] <nacc> ahasenack: i don't fully understand why that is the layout
[21:34] <ahasenack> nacc: it has to do with permissions as far as I gathered
[21:34] <ahasenack> there is a conf file that has entries like HINTS_<who> = <permissions>
[21:34] <nacc> ahasenack: ah could be
[21:34] <madLyfe> powersj: I'm not following
[21:34] <ahasenack> so the directory has a bunch of <who>-named files, and hints inside them
[21:34] <madLyfe> where does the 24 come from?
[21:35] <powersj> madLyfe: do you know what netmask you previously used?
[21:35] <nacc> https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
[21:35] <ahasenack> but let's say I want to suggest a new hints change, which file (which <who>) do I pick?  Any? Go by history or resemblance?
[21:35] <nacc> ahasenack: yeah, i just picked arbitrarily in the past (usually targeting an AA)
[21:35] <powersj> and the wiki page nacc linked has a table that shows how it works
[21:35] <powersj> under IPv4 CIDR blocks
[21:36] <madLyfe> powersj: 255.255.255.0
[21:39] <madLyfe> I should just put that in the subnet field?
[21:45] <madLyfe> 192.168.1.202/24 ?
[21:47] <madLyfe> also, what should I enter in the 'search domains' field?
[21:47] <nacc> madLyfe: whatever search domains you want to use?
[21:47] <nacc> madLyfe: we really don't know your network configuration
[21:49] <madLyfe> i didn't have to use something other than 255.255.255.0 last time so I don't know what it's talking about.
[21:49] <madLyfe> search domains? like Google? not sure what it's referring to. can I just leave it blank?
[21:50] <nacc> madLyfe: search domains are for DNS
[21:50] <madLyfe> I didn't need that last time either.
[21:50] <madLyfe> can I point to the router?
[21:50] <nacc> madLyfe: then don't specify one
[21:50] <nacc> no, i feel like maybe you should google what a domain name is?
[21:50] <madLyfe> I thought name servers were for DNS
[21:51] <nacc> name servers and search domains are different things
[21:51] <sdeziel> madLyfe: a search domain is entirely optional
[21:51] <nacc> your router might be a name server, but your search domain(s) are used to convert a non-fqdn to a fqdn
[21:51] <sdeziel> that ^
[21:52] <madLyfe> I'm standing on this chair trying to fresh install so kind of inconvenient to research from phone atm https://usercontent.irccloud-cdn.com/file/QlIUZzif/irccloudcapture850488677289019516.jpg
[21:54] <madLyfe> crossed fingers on the 192.168.1.202/24 front lel
[21:55] <sdeziel> nice tower ;)
[21:55] <madLyfe> guess that won't work. says 'has host bit set' ?
[21:55] <madLyfe> super tower o power
[21:56] <madLyfe> https://usercontent.irccloud-cdn.com/file/xvj3SpTZ/irccloudcapture6736137959835275668.jpg
[21:58] <sdeziel> madLyfe: could you capture the screen and share? I never used subiquity
[21:59] <nacc> madLyfe: you used an incorrect value
[21:59] <nacc> madLyfe: you want 192.168.1.0/24
[21:59] <nacc> madLyfe: 192.168.1.202 is a host IP address not a network address
[22:00] <madLyfe> https://usercontent.irccloud-cdn.com/file/x9My6LbC/irccloudcapture4274224174140271545.jpg
[22:00] <nacc> madLyfe: well, i guess it might depend on your actual subnet, but that's my guess of what you want
[22:00] <sdeziel> madLyfe: in subnet, if you tried 255.255.255.0 and got an error, try "24"
[22:01] <nacc> sdeziel: it's not a separate field
[22:01] <nacc> in any case, it's just an invalid subnet specifier
[22:01] <madLyfe> subnet at router is 255.255.255.0 iirc
[22:01] <nacc> it should be network-address/bits
[22:01] <sdeziel> I don't know why subnet is even a question
[22:02] <sdeziel> just putting the address/bits should be enough
[22:02] <nacc> sdeziel: yes, i'm also not sure why it's a separate field, but given that it is you do have to give it valid input :)
[22:02] <sdeziel> nacc: indeed, 24 or 255.255.255.0 are netmasks so I was wrong
[22:03] <madLyfe> is there something safe to enter to hopefully not bork it and lock me out?
[22:03] <sdeziel> the UI doesn't make it clear when a field is optional or required
[22:03] <powersj> 192.168.1.0/24 I believe is what it is expecting the host bits are the fact that you put in a real host IP
[22:03] <powersj> the 192.168.1.202 goes on the 2nd line
[22:04] <sdeziel> I'd try to leave subnet blank and put 192.168.1.202/24 in the address line. This feels like the logical way so maybe it works :)
[22:05] <madLyfe> https://usercontent.irccloud-cdn.com/file/503jAmwK/irccloudcapture4490501051520289919.jpg
[22:05] <powersj> there you go
[22:06] <madLyfe> tyvm guys. *crosses fingers*
[22:06] <madLyfe> https://usercontent.irccloud-cdn.com/file/upHOsHkP/irccloudcapture263967132717131253.jpg
[22:09] <sdeziel> I don't like that the DHCP lease is reported without "/24" but the statically configured one does...
[22:09] <powersj> sdeziel: agreed wanna file a bug? https://bugs.launchpad.net/subiquity/+filebug
[22:10] <sdeziel> powersj: guess where my browser is pointed at ;)
[22:10] <powersj> haha
[22:10] <sdeziel> will also report the useless "subnet" field
[22:11] <madLyfe> this is a different installer than I remember
[22:11] <sdeziel> madLyfe: yes, that's the new live installer (subiquity)
[22:12] <madLyfe> does this let me pick the packages to use still?
[22:13] <powersj> currently it does not. as a part of being lightweight the tasksel options were removed
[22:15] <madLyfe> hmm
[22:17] <sdeziel> madLyfe: could you please review/update https://bugs.launchpad.net/subiquity/+bug/1777729 as I never actually used the live installer so I might have some info wrong
[22:17] <ubottu> Launchpad bug 1777729 in subiquity "DHCP leases missing CIDR notation in network config summary" [Undecided,New]
[22:18] <madLyfe> ok. once I come down off this chair.
[22:20] <madLyfe> I think I may have a hardware problem. system froze again while trying to do fresh install. happened when copying over the files. maybe it's just the flash drive I'm running the OS on. trying new flash drive now.
[22:23] <madLyfe> odd that the servers name can't be uppercase anymore
[22:37] <madLyfe> sdeziel: im looking over the bug report and it looks good from what i can tell. you are just saying that 192.168.1.86 doesnt have the trailing /24?
[22:37] <sdeziel> madLyfe: correct. The subnet thing was reported to https://bugs.launchpad.net/bugs/1777732
[22:37] <ubottu> Launchpad bug 1777732 in subiquity "Manual network config uselessly asks for a "Subnet"" [Undecided,New]
[22:38] <madLyfe> ya i think it should accept both.
[22:46] <sdeziel> good, thx
[22:47] <madLyfe> not sure whats up with my server hardware. hopefully its just the ram or something.
[23:57] <DirtyCajun> Why does the ubuntu repo tgtd not allow -t to define the number of i/o threads
