[02:44] find timezone
[05:32] good morning
[06:10] Good morning
[06:21] hi lordievader
[06:25] Hey cpaelzer , quiet day at the office?
[06:28] lordievader: well office=home anyway, and it seems it will never be quiet :-)
[06:29] Oeh, nice. Perhaps I should have said quiet-er ;)
[06:34] :-)
[06:37] Apparmor, KVM: I am getting issues showing up in the logs such as audit: type=1400 audit(1530081081.080:109): apparmor="DENIED" operation="mknod" profile="libvirt-91a15215-7b56-437b-8634-48d2760a63ff" name="/kvm/libvirt/qemu/domain-OSX_KVM/monitor.sock" pid=28252 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=64055 ouid=64055. In order to allow requested_mask "c" what should I be adding in the apparmor prof
[06:39] rolandw_: cat /etc/apparmor.d/libvirt/libvirt-91a15215-7b56-437b-8634-48d2760a63ff.files should actually have an entry for it
[06:39] like
[06:39] "/var/lib/libvirt/qemu/domain-OSX_KVM/monitor.sock" rw
[06:39] oh I see
[06:39] your base Dir is different
[06:40] you are using a non default path /kvm instead of /var/lib/
[06:40] Indeed I am.
[06:41] I ended up with too many KVM instances and had to move libvirt out of /var...
[06:41] If libvirt knows about the changed path it would generate different rules, but for some you might need to add extra rules
[06:41] let me check what it uses as base dir for the generated rules
[06:41] I can manually edit each libvirt-XX.files but that is a kludge and not a fix...
[06:41] would not help
[06:41] those are dynamically generated
[06:42] we either need to find why virt-aa-helper doesn't follow your new path OR add a few simple rules to the base profile
[06:42] let me check for the first option before we try the second
[06:43] In virt-aa-helper I've copied all the /var/lib/libvirt rules and added /kvm/libvirt rules. Doesn't seem to make any difference...
[06:44] Annoyingly, I'm being called for a meeting. Will be back! cpaelzer thanks for looking into this...
[06:44] %s/lib/libvirt/qemu/domain-%s/monitor.sock with the %s being LOCALSTATEDIR
[06:45] that is a config time variable
[06:45] so you have two options to check after your meeting I'd think
[06:46] 1. consider instead of using /kvm for it to mount your extra disk to /var or /var/lib - that way paths would persist and this error would not occur (nor any other similar one later on)
[06:46] 2. add an exception to allow access there (this will be in the base profile, so no cross guest protection as the generated rules would have)
[06:46] the file /etc/apparmor.d/abstractions/libvirt-qemu holds what all of them are allowed to access
[06:47] rolandw_: I hope that helps, and permission "w" covers c=create as well
[06:48] rolandw_: my preference is instead of switching all to /kvm just mount /var/lib/libvirt to your extra disk
[06:48] that way just this part of /var will be used for the guests and no other change is needed
[06:49] otherwise you also might need to change /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper to allow it to read that
[06:49] to be able to e.g. find backing device chains and so on
[08:05] I'm having some trouble with a fresh install of bionic via FAI (don't know if that's related) - it refuses to boot from the disk UUID, I have to specify /dev/vg0/root in grub. The UUID in the grub config is correct though, blkid says so. What could I try?
[09:44] cpaelzer_: sadly it hasn't helped me really understand apparmor which I need to learn! Thanks for your help.
[09:46] cpaelzer_: You might be interested in the SELinux tutorial one of my colleagues wrote. I guess I need to do the same for apparmor! https://github.com/jamesfreeman959/selinux-hands-on-labs
[09:47] wb rolandw_
[09:48] rolandw_: https://medium.com/information-and-technology/so-what-is-apparmor-64d7ae211ed ?
[09:49] and for an extra bit of the integration in libvirt/kvm https://wiki.ubuntu.com/LibvirtApparmor
[09:49] you are common case #3 on the latter
=== chmurifree is now known as chmuri
[12:00] Hello there, installed ubuntu 18.04 with the new installer, and I saw that about 1 MiB of space gets left free at the end of the disk, even if I choose to use the full disk. Why is that?
[12:01] GPT puts a backup of the partition table at the end of the disk ... while not knowing if thats the reason my guess would be it is :)
[12:09] ogra_: I think you are wrong, according to this (https://superuser.com/questions/663795/small-unallocated-space-left-when-partitioning-harddrive-what-is-is-meant-for)
[12:09] as i said, only guessing
[12:09] There the author of fdisk says that this is not the reason for the free space at the end. I just found that
[12:09] I guess then the free space is unneeded
[12:09] fdisk doesnt handle GPT
[12:10] ogra_: What do you mean?
[12:10] fdisk does not manager GPT partition tables
[12:10] *manage
[12:10] only msdos type ones
[12:11] Don't know what you mean with "manage" but I used fdisk without problems on countless GPT-disks and also used fdisk to create GPT tables on empty disks
[12:11] interesting ... to my knowledge you need to use gdisk/sgdisk or parted for that
[12:11] well, your knowledge is wrong then
[12:12] Probably this applies for some older version of fdisk, but the version with ubuntu 18.04 does GPT just fine
[12:12] I was under that impression, too
[12:13] well, i'm still on 16.04
[12:13] and there it definitely doesnt manager GPT
[12:13] *manage
[12:13] * diddledan removes ogra_'s R key
[12:13] thanks :)
[12:14] You can try it out for yourself, fdisk can handle GPT just fine
[12:14] well, i did, i maintain several ubuntu images :)
[12:14] "several"
[12:14] s/several/many/ ??
[12:14] and for the GPT variations i have to use sgdisk or parted (and even parted is still flaky with GPT in 16.04)
[12:15] diddledan, i didnt want to exaggerate ;)
[12:15] :-p
[12:15] I think I know where your guess came from though: On the wikipedia it states that the original fdisk shipping with MS-DOS could only handle MBR formatted drives
[12:15] Okay, probably the GPT "extension" of fdisk is kind of new then
[12:16] according to the manpage, fdisk can do gpt. I've always been using parted, tho', and sgdisk for scripted partitioning
[12:16] i think it can do it now, but still in a limited way ... (not managing GUIDs and such)
[12:18] https://blog.stgolabs.net/2012/09/fdisk-updates-and-gpt-support.html
[12:19] ogra_: On my system, if I create a GPT table on an empty device and use "blkid" it will show me the device with 'PTUUID="..." PTTYPE="gpt"'
[12:21] ogra_: Ah you mean the handling of partition types, right? It does that as well.
[12:23] it doesnt in the 16.04 version
[12:24] neither GUID nor GTYPE
[12:25] anyway ... i'm probably wrong about the free space at the end of your disk ... which was the initial question :)
[12:26] So, a GPT backup is stored at the end of the disk in any case, right? So the last partition needs to end before that?
[12:27] yes, though 1MB seems a bit much
[12:27] but perhaps thats the smallest possible block size
[12:27] a partitioning tool won't show the backup block or any space related to it - it will just reduce the size of available space for partitions and tell you that's the size of your disk
[12:28] right
[12:28] Yes, after creating GPT on my disk, the nvme command only shows 50kb or something allocated LBAs
[12:28] a gap when partitioning automatically is usually a result of alignment conformance
[12:29] yeah
[12:29] Okay, that seems reasonable. So on a modern disk, like an nvme SSD, there should be no reason to leave anything empty right? Since everything is automatically aligned
[12:30] pretty much same alignment rules apply. the sector sizes might be different tho
[12:31] blackflow: My SSD has LBAs of size 512 bytes. Which alignment rules apply then? I would just allocate any LBA the partitioning tool lets me
[12:33] Or maybe to say it in a better way, the local blocks are 512 bytes, don't know about the length of an address
[12:35] l4m8d4: same rules as with hdd. ssds also read/write in blocks, and if your partitions are not aligned in factors of that block size, it's also misaligned.
[12:36] to be on the safe side, 1M alignment should be sufficient. I've read somewhere that SSDs actually internally work with block sizes much bigger than the standard 512b or 4k, but I can't find definitive info on that.
[12:38] blackflow: Okay, but the SSD says it addresses each block 512B size. Now I say the partitioning tool should use all blocks. Now where could misalignment come from? The fact the SSD might internally work with bigger chunks, and then end of the partition could be a block that is "too small"?
[12:39] l4m8d4: misalignment could come from having partition sizes that aren't factors of 512 bytes
[12:41] (in this case, if 512b is really the actual sector size)
[12:41] blackflow: I specify to the partition tool the first LBA and last LBA of the partition. Now this is naturally a multiple of 512 bytes, since each block is 512 bytes, right?
[12:42] I guess so. I'd just partition in units of MiB or even just MB, that's 1M boundary and should be fine
[12:44] Okay, then. I guess I'm just curious and a little annoyed by that, realistically irrelevant, 1MiB of free space. Which probably is a waste of time^^ Thanks
[12:46] being what, <0.01% of total drive size? yeah :)
[12:46] l4m8d4: on the other hand, I always like to leave a few GB of "just in case" free space at the end of drives. You never know when it'll come handy.
[13:10] just a few?
[13:10] sounds like a full drive to me
[13:28] Yeah, I don't do that either. Ultimately I don't care much about 1mb more or less, but if it was a gigabyte I had to leave free I would be pissed, since I want to use the system to its full potential if possible
=== tobasco is now known as tobasco_afk
=== oerheks__ is now known as oerheks
[18:26] rbasak: do you have that snap somewhere I can test it?
[18:26] rbasak: (certbot)
=== tobasco_afk is now known as tobasco
[18:47] is there an "official" solution for hypervisor management on ubuntu server? I was playing around with Kimchi but it's still rough around the edges (at least on Ubuntu)
[18:49] i tried xenserver instead of ubuntu once but that brought me nothing but pain
[18:52] libvirt is the "easy" thing. Openstack is the hard thing.
[18:52] openstack probably doesn't make sense for 1-2 hosts i would imagine
[18:52] I find virt-manager good for personal needs
[18:53] and light work needs
[18:53] (libvirt gui, that has remote mgmt built in)
[18:53] dpb1, that is gui-based, right?
[18:54] yes
[18:54] i'm on ubuntu server, no wm
[18:55] virt-manager thing can connect to remote libvirts
[18:55] or you can ssh -X
[18:55] or you can use virsh
[18:55] right, virsh is the cli version
[18:55] it's OK
[18:55] I never got the hang of virsh
[18:55] if I'm on a windows/mac, I use ssh -X
[18:55] i was definitely hoping for something gui-based, but was thinking web
[18:55] and get virt-manager
[18:56] there are a ton of things: https://www.linux-kvm.org/page/Management_Tools, but I don't have experience with any (other than openstack)
[18:57] heh, after openstack, everything else has to look nice and simple :)
[18:57] yes, those were my thoughts too
[18:57] I dislike even libvirt's extreme generalities.
[18:57] :)
[18:57] openstack says "hold my enterprise beverage of choice"
[20:39] dpb1: http://people.canonical.com/~rbasak/certbot_0.25.1_amd64.snap
[20:39] dpb1: install the snap (--classic --dangerous), and apache2 or nginx, then run "certbot"
[20:44] ty
[20:44] dpb1: https also works
[20:44] :-)
[20:45] dpb1: I'm tracking outstanding work in https://github.com/basak/certbot-snap-build/issues