[00:02] <keithzg> Cool, so the functionality has been removed and I'm out of luck . . . greeeaaat.
[00:03] <keithzg> I always love it when things are fixed by way of removing functionality :P
[00:03]  * keithzg is tempted to give up on this whole "attempt to have at least a modest level of security on network shares" thing, then
[00:05] <keithzg> I suppose that explains why things worked for users on the older server that already had things set up, it must have synced folks' passwords at the time, and just nobody here ever changes their passwords, haha
=== pmatulis_ is now known as pmatulis
[00:39] <rbasak> keithzg: https://bugzilla.samba.org/show_bug.cgi?id=10669
[00:39] <ubottu> bugzilla.samba.org bug 10669 in Other "libpam-smbpass leaks file descriptors when PAM authenticates multiple times in a single process" [Normal,Resolved: wontfix]
[00:40] <rbasak> keithzg: it was fundamentally broken and upstream recommend restructuring to use pam_winbind instead
[00:41] <keithzg> rbasak: Yeah, I noticed that linked to from the debian bug. Unfortunately the Samba docs don't appear to detail any way to use pam_winbind to just let existing users automatically be Samba users, at least not that I can find. And there's zero chance users at my work will go along with having *another* set of credentials.
[00:44] <rbasak> keithzg: either you make your system use AD for its user database and authentiation needs (use winbind), or you don't and you can't reliably have magic password sync.
[00:45] <rbasak> You might be able to use winbind to join the domain and then selectively use pam_winbind for only a few things.
[00:46] <keithzg> I mean, there *is* no domain to be joined, so . . .
[00:46] <rbasak> Where are your extra set of credentials coming from then?
[00:47] <keithzg> Tehre are two classes of user accounts on our *buntu machines, local ones and ones authenticated against our OpenLDAP server.
[00:48] <keithzg> Ideally, whatever users are respected on the actual machine would be respected over SMB, so that local permissions would actually map to remote permissions, yaknow?
[00:49] <keithzg> But if I can't have that without running an AD server of some kind myself then I don't know if it's worth it to even bother with authentication at all.
[00:53] <rbasak> Oh, I see
[00:53] <rbasak> I think you need to set up Samba as a domain server then.
[00:54] <rbasak> You used to be able to do it without a domain, but I think the more recent wire protocols may preclude being able to do anything sensible security-wise without going all the way now.
[00:54] <rbasak> With the older protocols being disabled for security reasons etc.
[00:54] <rbasak> I may be wrong.
[00:55] <rbasak> I think with the current protocols there's no way for the server serving the file shares to see the password itself in plaintext to verify it, which make magic sync essentially impossible.
[00:55] <keithzg> From what I understand that does sound about right. But that's . . . well, I mean, running a big extra heavy service is itself a security risk, yaknow? So I'm more tempted to just try to abandon Samba as much as I can.
[00:56] <rbasak> Only as a domain controller can samba actually see the password itself to be able to sync it
[00:56] <rbasak> Yeah. Fair enough.
[00:57] <rbasak> It's the same in the Windows-only world AIUI. Join a domain, or you don't get useful services.
[00:58] <rbasak> Though I'm not really up to date any more. Especially with the most recent sets of vulnerabilities that caused much stuff to end up being disabled by default for fundamental brokenness reasons (AIUI)
=== ptx0_ is now known as ptx0
[04:19] <blackpawn> i'm updating from ubuntu 14 to 18... in 14 i used sudo start proxyServer for example and had files in /etc/init/proxyServer.conf... start and /etc/init don't seem to be in ubuntu 18?
[04:19] <blackpawn> whats the new way of setting up servers to start at network-services start time
[04:23] <blackpawn> ah i see upstart has been replaced by systemd
[04:25] <blackpawn> can i install upstart on ubuntu 18 to use my old stuff or have to switch over?
=== marcosps_ is now known as marcosps
[08:31] <lordievader> Good morning
[08:31] <lordievader> blackpawn: Systemd should be compatible with upstart scripts.
=== strigazi_ is now known as strigazi
[10:58] <jamespage> coreycb: horizon is making my eye's bleed
=== giraffe is now known as Guest34814
[11:39] <Gobo708_b> Hi all, I am trying to follow instructions here:ttps://kubernetes.io/docs/tasks/tools/install-kubeadm/ to install kubeadm, and hitting the wall on the cat section...
[11:39] <Gobo708_b> cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
[11:39] <Gobo708_b> Probably doing something silly
[11:40] <Gobo708_b> But that section just sits at the prompt >
[11:40] <Gobo708_b> any ideas what I am doing wrong?
[12:03] <ahasenack> good morning
[12:04] <tomreyn> the same t ;)
[12:04] <tomreyn> -t
[12:05] <tomreyn> Gobo708_b: you're supposed to paste all the red lines in one go, including the trailing newline. this is a 'heredoc'
[12:05] <Gobo708_b> tomreyn, Thanks, yeah got it working in the end.. just needed to hit ENTER :p
[12:08] <tomreyn> Gobo708_b: read up on this (this wiki is a great resource to better understand bash) if you're not yet familiar witht his concept: https://mywiki.wooledge.org/HereDocument
[12:08] <Gobo708_b> Thanks, yeah I was confused by the EOF... cheers
[12:13] <Gobo708_b> tomreyn, that confused me a little more.. will have to read that a few times ;)
[12:18] <tomreyn> reading it again may help. practising more so. if, however, you prefer to add to the confusion: https://en.wikipedia.org/wiki/Here_document
[12:18] <Gobo708_b> tomreyn, I get it : https://www.youtube.com/watch?v=a2qecoe3KSk
[12:19] <Gobo708_b> tomreyn, thanks, I wouldn't have known what to look for without your hint
[12:19] <tomreyn> :) welcome
[12:32] <Ussat> Anyone here run cacti on Ubuntu, could use some help here, I have asked in the cacti channel, but any help would be appreciated, as I am getting a headache banging my head against the wall
=== TvL2386_ is now known as TvL2386
[12:44] <Ussat> so it seems rrdtool 1.7.0 may have a bug while in cacti, not displaying graphing correctly, how would I down grade that
[12:50] <Ussat> downgrade rrdtool I mean to say
[12:50] <Ussat> I am on Ububtu 18.04 LTS
[12:52] <rbasak> Ussat: try a 17.10 or 16.04 container? "lxc launch ubuntu:artful"
[12:57] <Ussat> OK, so that would basically launch the older OS version in a container, correct ?
[13:04] <cpaelzer> Ussat: yes
[13:10] <Ussat> UG...
[13:11] <Ussat> I mean doable, but ...I can just as easilly do a fresh 16.04 LTS install
[13:11] <Ussat> shitshit
[13:11] <Ussat> well, descision time
[13:12] <blackflow> Ussat: it means run Cacti in an older ubuntu container. Personally, I'd fork and build a custom dpkg from it.
[13:12] <blackflow> (I'd hate installing the whole OS sans kernel just to run a specific version of rrdtool)
[13:16] <rbasak> Ussat: I suggested that for debugging purposes
[13:16] <rbasak> Ussat: to pin down the details for a bug report.
[13:17] <rbasak> Ussat: if there's a bug in a newer release then let's fix it rather than downgrade.
[13:21] <Ussat> rbasak, Yea I see your point....will do that.
[13:21] <Ussat> Just kinda up against a wall here :)
[13:22] <Ussat> Will leave the debugging for a bit later, need to build something that works for the network team asap :)
[13:22] <Ussat> priorities and all
[13:57] <coreycb> jamespage: i'm sorry to hear that :/ want to sync up on horizon today?
[14:35] <frickler> coreycb: I'd be grateful for new nova pkgs that fix https://bugs.launchpad.net/nova/+bug/1770640 , can you do them based on that bug or would you need a new one? 16.1.4 and 17.0.5 would be needed
[14:35] <ubottu> Launchpad bug 1770640 in OpenStack Compute (nova) queens "live block migration of instance with vfat config drive fails" [High,Fix committed]
[14:37] <frickler> coreycb: note that 16.1.4. ftbfs's for me due to https://bugs.launchpad.net/nova/+bug/1765122 , would need https://review.openstack.org/578058 as local patch applied
[14:37] <ubottu> Launchpad bug 1765122 in nova (Ubuntu) "qemu-img execute not mocked in unit tests" [Low,Triaged]
[14:39] <coreycb> frickler: we can use the existing bugs. i'm working through stable point releases for ocata, pike, and queens now and will look to include these.
[14:40] <frickler> coreycb: great, thx
=== havenstance1 is now known as havenstance
[15:45] <[diablo]> good afternoon guys.. is there a help tooler to convert a running system into a template please?
[15:47] <blackflow> [diablo]: what kind of template?
[15:47] <[diablo]> hi blackflow for Proxmox
[15:47] <[diablo]> just to be able to quickly deploy a new baseline
[15:48] <blackflow> that's a bit specific to Proxmox. I have no idea what they use for templating.
[15:49] <[diablo]> well it's more like reseting MAC, etc etc
[15:49] <[diablo]> so a new instance can be spun up
[15:49] <nacc> the MAC isn't usually stored in software
[15:50] <[diablo]> I mean for the NIC ...
[15:50] <nacc> [diablo]: i know what you meant
[15:50] <[diablo]> right, sorry I have to dash, back in a bit, cheers guys
[15:50] <nacc> [diablo]: sounds like a proxmox request, anyways
=== miguel is now known as Guest59636
[16:15] <[diablo]> back... so nacc not really proxmox request... I'm referring (possibly badly lol) to up'ing a VM , installing Ubuntu, cleaning it up so that the next boot it's treated like configuring a new machine
[16:16] <[diablo]> when it's powered off, it's copied into a template... same principle for VMware, or pretty much any virtualisation platform
[16:17] <nacc> smoser: --^ didn't you have something for that?
[16:17] <nacc> iirc, remove ssh keys, remove machine-id, make sure the iscsi initiator id is generated at boot time (if using).
[16:18] <nacc> [diablo]: using dhcp or static ip?
[16:18] <[diablo]> hi nacc yeah exactly  that type of stuff
[16:18] <[diablo]> DHCP is fine for the template
[16:18] <nacc> [diablo]: ok, then that list is probably all you need to do
[16:19] <nacc> and no, there's not an existent service to do it, afaik
[16:20] <[diablo]> ok nacc cheers
[16:22] <smoser> well, what you need to do very much depends on what you *want* to do.
[16:22] <smoser> maybe you want ssh keys to stay there. maybe you want added users...
[16:23] <nacc> smoser: true, you're right; i read their request as "as close to a blank image as possible"
[16:23] <smoser> but what i suggest for anyone trying to build images is basically to take Ubuntu cloud image and modify it.  ideally without booting it.
[16:23] <smoser> and to do that, what I do is use mount-image-callback (from cloud-image-utils)
[16:24] <smoser> you could also use guestfish or something
=== oerheks_ is now known as oerheks
[18:05] <jak2000> hi all i am under a firewall, is possible wich ips have permit togo to www?
[18:05] <avgtechie> ufw
[18:06] <jak2000> wich command?
[18:10] <jlacroix> I am experiencing a strange issue where every time I reboot my ubuntu server, /etc/resolv.conf is deleted. I think a package might be missing but I'm not sure which one. I have to recreate /etc/resolv.conf every boot
[18:15] <jlacroix> Has anyone seen this before?
[18:18] <xnox> jlacroix, that is weird. what do you recreate it with? it should be a symlink to ../run/systemd/resolve/stub-resolv.conf on bionic and later
[18:18] <xnox> jlacroix, what release are you on?
[18:18] <jlacroix> Ubuntu 18.04. I just ran echo "nameserver 1.1.1.1" > /etc/resolv.conf to create it
[18:18] <jlacroix> The file isn't there before I run that
[18:18] <nacc> jlacroix: is this a fresh install?
[18:19] <jlacroix> No, I've had this install since release day
[18:19] <jlacroix> The problem started today after doing some package cleanup
[18:19] <xnox> jlacroix, please don't, and instead specify your nameserver in /etc/systemd/resolved.conf, unless you can pick it up via DHCP? and symlink /etc/resolv.conf to ../run/systemd/resolve/stub-resolv.conf
[18:19] <jlacroix> The systemd-resolved service is running
[18:19] <jlacroix> ok I will do that now
[18:19] <xnox> jlacroix, what's the output of $ systemd-resolve --status
[18:20] <xnox> jlacroix, if you are comfortable with sharing /var/log/installer/ and /var/log/apt/ it would be interesting to see if anything was done to the system to cause that.
[18:20] <jlacroix> https://pastebin.com/KbxiLseg
[18:21] <jlacroix> The contents of /var/log/apt would probably be huge. I basically accidentally ran my desktop install script against my server, which caused hundreds of unneeded packages to be installed. I removed these packages, and now resolv.conf is deleted every boot
[18:21] <xnox> jlacroix, yeah specify dns in /etc/systemd/resolved.conf (note it is .ini like file - just like any systemd unit/config file, not a resolv.conf like thing)
[18:22] <xnox> jlacroix, networkmanager got installed? it likes to do that..... resolvconf? ifupdown?
[18:22] <xnox> typically these things should not be on server installs
[18:22] <xnox> maybe avahi or some such
[18:22] <xnox> jlacroix, it would be interesting to find out who/what is doing that
[18:23] <jlacroix> The /etc/systemd/resolved.conf has everything commented out. Interestingly, an unrelated (and working) server also has everything in that file commented out
[18:23] <sarnold> auditd file watching may help catch the process responsible if it happens at an awkward time
[18:23] <sarnold> fatrace kind of thing might be easier if it happens at a more convenient time
[18:23] <jlacroix> resolveconf is installed, so is ifupdown
[18:24] <xnox> jlacroix, typically, resolved gets it's dns server over dhcp, and thus only visible in /run/systemd/netif
[18:24] <jlacroix> If it matters, this server is running on Digital Ocean
[18:24] <xnox> jlacroix, your system does not appear to be getting dhcp.... or somebody is eating it away before resolved manages to get its hands on it
[18:24] <jlacroix> I don't know what DO uses for dhcp
[18:24] <xnox> oh, it's a cloud server/droplet.
[18:24] <xnox> jlacroix, if i were you, i would recreate the instance.... if that is easy enough for you to do
[18:25] <jlacroix> I thought about it, but I literally ran this script against a dozen servers, so that will be quite a few to recreate
[18:25] <xnox> jlacroix, i think they do have like an agent, which backdoors things into the instances, including resolv.conf / networking, no?!
[18:25] <xnox> ouch
[18:25] <blackflow> DO uses avahi to set up networking, as incredible as that sounds.
[18:25] <xnox> jlacroix, make new instance, check how it looks and what it has installed, mimic others.
[18:25] <xnox> blackflow, wow ouch.
[18:25] <jlacroix> avahi makes sense actually
[18:25] <jlacroix> one sec
[18:26] <blackflow> "makes sense"? no it doesn't
[18:26] <xnox> jlacroix, cause than it's not setup like a typical "ubuntu server", as I believe DO make their own ubuntu customized images, and I don't know how things work there.
[18:26] <jlacroix> Well, makes sense from a "probably what's wrong" standpoint
[18:26] <xnox> jlacroix, you may have better luck on DO specific support forum. or maybe wait if somebody here uses DO and can help better.
[18:26] <jlacroix> brb
[18:27] <blackflow> ah. also, btw, resolv.conf is volatile on ubuntus since it became a link into /run. any modifications to it will of course be deleted on reboot.
[18:28] <jlacroix> Is there a VPS solution more "pure" for Ubuntu?
[18:29] <sarnold> I use aws lightsail, I intend to look at vultr one of these days, hear good things about packet.net
[18:29] <jlacroix> What about Linode?
[18:30] <blackflow> eeewnode.
[18:30] <jlacroix> lol
[18:30] <sarnold> they're okay if you know exactly what you're getting and why you're getting it
[18:30] <jlacroix> I suppose I could chattr +i /etc/resolv.conf but that's messy
[18:31] <blackflow> Except they tend to ignore security incident reports, and keep on telling you nothing happened, until it hits the media, then they acknowledge, if even then.
[18:31] <blackflow> jlacroix: no. if you want custom resolv.conf, drop systemd-resolved from teh picture.
[18:33] <jlacroix> I really don't want a custom anything, to be honest. I am not sure what I did to break this. I will ask in the digitalocean chatroom, but at this point, I'm tempted to delete everything and start over
[18:33] <jlacroix> Even though that will be weeks worth of work
[18:36] <blackflow> jlacroix: if european VPS is okay, I recommend Hetzner.
[18:36] <jlacroix> I may just host internally on LXD at this point, I've been thinking about it anyway
[18:37] <jlacroix> The only problem is I have a handful of services and one single external IP, so I would probably need to set up a proxy in front of everything
[18:37] <blackflow> they don't do any weird avahi stuff. the VPS images have colorized prompt, dhcp setup, and .... well... if you take the "Cloud" server, then networking is "normal". If you take the CX line, then your IPv4 is 172.31.1.100. always.
[18:43] <blackflow> ooh, firewall maintenance tiem. bbl.
[18:46] <ahasenack> I'm trying to find a way to run new dep8 tests I'm adding to a package
[18:46] <ahasenack> I don't need to have the package built to do that, the package from the archive works for that purpose
[18:46] <ahasenack> I'm using -B, but it's not doing what i want, it just fails saying the test dependencies can't be satisfied
[18:46] <ahasenack> is that because my d/t/control file has "@" in the Depends line?
[18:57] <nacc> ahasenack: does the test specify build-needed?
[18:57] <ahasenack> no
[18:58] <ahasenack> I'm also running it by giving autopkgtest a directory where the package is extracted, and my new dep8 tests are
[19:00] <nacc> ahasenack: can you pastebin the command and output?
[19:00] <ahasenack> sure
[19:01] <ahasenack> the output I don't have now, I ran it again without -B to test a modification
[19:01] <ahasenack> but I'll start again, since it fails it will be quick
[19:01] <nacc> ahasenack: oh ok
[19:06] <ahasenack> nacc: pastebin with some bits: https://pastebin.ubuntu.com/p/gDMKB8PKrC/
[19:07] <ahasenack> nacc: and full dep8 output: http://people.ubuntu.com/~ahasenack/dep8-output-with-B/
[19:55] <ahasenack> we have a synced package (1.16-2), that has a no-change rebuild in ubuntu (1.16-2build1), and I'm adding ubuntu changes to
[19:55] <nacc> ahasenack: reading
[19:55] <ahasenack> what is the ubuntu version now?
[19:55] <nacc> 1.16-2ubuntu1
[19:55] <ahasenack> 1.16-2build1ubuntu1? Or 1.16-2ubuntu1
[19:55] <ahasenack> ok
[19:55] <nacc> ubuntu1 > build1
[19:56] <ahasenack> yep
[19:57] <nacc>   Removing autopkgtest-satdep:amd64 because I can't find libkdb5-8:amd64
[19:57] <nacc> ahasenack: --^
[19:57] <nacc> ahasenack: doesn'te xist in cosmic
[19:57] <ahasenack> I found the error
[19:57] <nacc> ahasenack: :)
[19:57] <ahasenack> my ubuntu/devel branch was outdated
[19:57] <ahasenack> and I based this branch on it
[19:58] <nacc> (as in not fetched?)
[19:58] <ahasenack> not recently fetched
[19:58] <nacc> ah
[19:58] <ahasenack> it was still at krb5 1.15
[19:58] <ahasenack> so it should work now, let me try again
[19:58] <ahasenack> I found it just a few minutes ago
[19:59] <nacc> ahasenack: ack, makes sense
[19:59] <nacc> ahasenack: it's possibl gu-clone is wrong and not setting up your local ubuntu/devel as a tracking branch
[20:00] <ahasenack> I probably wouldn't have thought to try autopkgtest with -B again, had you not pinged me :)
[20:00] <nacc> ahasenack: :)
[20:00] <ahasenack> when you did, all pieces fell into place
[20:09] <ahasenack> nacc: hah!
[20:09] <ahasenack> nacc: down to 2min from 12min
[20:10] <ahasenack> as expected, but still, nice to see it working as expected :)
[20:10] <ahasenack> fast tests make developers happy
[20:19] <nacc> ahasenack: nice!
[22:21] <FishPencil> I have a VPS that will host multiple websites with different domains. I'll be SFTPing data each day into each domain, and each domain will be running PHP FPM and NGINX. How should I secure and organize this?
[22:21] <FishPencil> Should I create a user account for each domain and grant each user ower permissions for each /var/www/domain.com ?