/srv/irclogs.ubuntu.com/2018/07/02/#ubuntu-server.txt

[06:05] <lordievader> Good morning
[07:32] <punkgeek> is there any way to solve this problem? https://paste.ubuntu.com/p/XKBpjmcHMS/
[07:40] <lordievader> You might want to check the mysql/mariadb error log to see what the actual error is.
[07:51] <punkgeek> now i have this error
[07:51] <punkgeek> https://paste.ubuntu.com/p/fmjmZkG2D5/
[11:50] <data_> Hi. I'm looking for a tool to get a server up and running repeatably. E.g. I have a clean LTS ubuntu server, which I want to have A, B and C packages installed, X and Y users created, SSH keys installed, etc etc etc. Are tools like Ansible/Chef/Puppet what I'm looking for? They look very complicated - I'm looking for something very simple. Is my current approach of a bash script the best solution? Thanks for any help.
[11:52] <blackflow> data_: Start with Ansible. doesn't require any client/server setup, only ssh.
[11:53] <data_> Ansible seemed really complicated
[11:54] <blackflow> simpler than writing a bash script which would have to do all the logistics of checking whether files exist, packages are installed etc...
[11:54] <lordievader> Another automation tool you can look at is Puppet.
[11:55] <blackflow> which is way more complicated.
[11:57] <data_> Any tool for editing ansible yml files you could recommend?
[11:57] <blackflow> any text editor
[11:58] <data_> I guess I'm looking for something with auto-complete, discoverable modules and all that
[11:59] <blackflow> like, how complex do you think your set up will grow that you need all that?
[12:01] <data_> well, not that complex, to be honest - and if this was just a local home server i wouldn't give it a second thought: php (composer), python (pip), postgres, apache, some users, some databases. basically ~20 lines of a bash script
[12:02] <data_> but it feels "dirty" to do it that way - "there must be a better way!"
[12:03] <data_> i'm thinking ansible would be more resistant to things going haywire in the middle of the script and doing lots of weird stuff
[12:03] <blackflow> well if it's just bootstrapping (imperative, no state), then I suppose a shell script is better.
[12:03] <blackflow> data_: and the key to that is writing idempotent rules
[12:03] <blackflow> and those require state checking so something like Ansible is really the best thing to do.
[12:04] <data_> right, because you tell ansible what you want the end result to be, not what to do (i.e. creating databases)
[12:06] <blackflow> more or less, yeah.
[12:06] <blackflow> primarily it is like that yes. you describe a state. but you also describe handlers that trigger when state changes and those are, for example, places where idempotency can break if you're not careful.
[12:09] <data_> blackflow: here's an example script of what i'm talking about: https://gist.github.com/iivmok/2c6224fa33a4c4ac51207fa601017514
[12:14] <blackflow> data_: well if that works for you.... and I'm totally not gonna say anything about running that php -r thing and fetching files to exec, as root :)
[12:16] <data_> that's from composer's installation guide, and it does check the hash of the downloaded script, so i think it should be safe from MITM
[12:22] <lordievader> The download of the script can't be MITM'ed?
[12:24] <blackflow> data_: you'll also need   set -e   in that script so it exits when a command fails. see, logistic requirements start to pile up if you want it done properly. just use Ansible ;)
[12:26] <data_> lordievader: if i understand that line right, it removes the composer-install file if it fails a hash check
[12:27] <lordievader> data_: No, you are saying that because the script checks the hash of a downloaded file you should be fine against MITMs. But what if the script has been tampered with while you were downloading through a MITM attack? (I know, very theoretical).
[12:28] <blackflow> btw why are you using php for things like unlink....
[12:28] <blackflow> this is TheDailyWTF material :)
[12:29] <data_> blackflow: as I said, that's from the composer installation docs - there's a link in the comment there
[12:29] <data_> here https://getcomposer.org/download/
[12:30] <blackflow> that's so much full of fail.....
[12:30] <data_> should've used the script from here: https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
[12:30] <data_> but that's beside the point
[12:31] <data_> blackflow: eh. your perl is my python is their php. i mean sure, rm would be more portable, but i don't remember a builtin md5 tool in *nix
[12:31] <blackflow> well, not blindly running stuff found online is one of the steps toward proper server maintenance :)   Have to be harh. Unfortunately we live in the age of IT pwnage, massive data breaches, infosec-pocalypse :)
[12:32] <blackflow> *harsh
[12:32] <blackflow> md5sum
[12:32] <blackflow> also sha384sum, if you really want that one.
[12:33] <blackflow> but anyway... what I would do there, with Ansible, is prepare all such files in the config repo itself, not download ad-hoc on the machines.
[12:33] <data_> blackflow: why blindly? it does check for the hash, and i mean, it has to start somewhere. if it's not in the distro's ppa, it's all as unsafe
[12:33] <blackflow> besides better security, you also make sure that all the machines are running exactly the same setup procedure.
[12:34] <data_> any npm/pypa/packagist package could be compromised
[12:35] <blackflow> technically so can distro repos
[12:35] <blackflow> but really, that's why you download those files yourself, check them, test them, and upload to the server for use. with Ansible, that's very easy to do.
[12:54] <RoyK> blackflow: md5 has been cracked years ago
[12:55] <blackflow> RoyK: that's why we use sha, yes.
[12:55] <blackflow> (256 or better)
[12:56] <RoyK> sha512 is good - and faster than 256 on 64bit machines
[12:59] <blackflow> though I have yet to see a viable misuse of md5 for checksum validation. that's quite different from crypto where all the collisions make md5 a very bad choice for, say, password hashing.
=== RoyK is now known as Guest82073
=== RoyK^ is now known as RoyK
[15:35] <DirtyCajun> my nfsd is running 16 threads on a 16 thread system and i am sitting at an 18 load often. Should i increase the threads or decrease the threads to remedy?
[15:37] <compdoc> 18% cpu use, or aht?
[15:37] <compdoc> what
[15:38] <DirtyCajun> nono. 18 load on a 16 core server
[15:38] <DirtyCajun> so about 120% load
[15:38] <compdoc> whew
[15:38] <DirtyCajun> but low cpu/ram utilization. it's all nfsd waiting to do stuff
[15:38] <DirtyCajun> pretty low iowait too
[15:39] <dlloyd> where is the time spent if iowait is low?
[15:40] <DirtyCajun> it's all nfs threads waiting
[15:40] <DirtyCajun> ps -e v shows the stat for all the threads as D
[15:42] <DirtyCajun> and that's uninterruptible sleep. man page says (usually IO) but io_wait is low like i said before
[15:42] <dlloyd> then there doesn't seem to really be an issue? loadavg is a composite metric that doesn't necessarily correlate to an 'overloaded' system
[15:43] <DirtyCajun> you don't see an issue with a loadavg metric above the threadcount of your system?
[15:44] <DirtyCajun> i've never heard that opinion in my 20 years in the industry (not saying that aggressively, just saying)
[15:47] <blackflow> DirtyCajun: btw is it 16 thread or 16 core system?
[15:47] <dlloyd> it entirely depends on the workload. unless there are metrics indicating either processing delays or latency in handling requests, i would say that it's not actionable. without knowing more about the precise state of the threads, i would say if you want to reduce the load average, reduce the count of threads. no idea what impact that will have on the performance
[15:47] <DirtyCajun> 2 4core 8thread systems
[15:47] <DirtyCajun> s/systems/system
[15:48] <blackflow> 2 x 4 core HT cpus, right?
[15:48] <DirtyCajun> dlloyd, i would agree with you and that was my initial thought, but everything online seems to say to increase which is why i hopped on here in the first place haha
[15:48] <DirtyCajun> blackflow, yes
[15:48] <dlloyd> state D is counted against 'running' in load average calculation, but isn't necessarily consuming actual cpu time
[15:49] <dlloyd> right, i was saying if you want to game load average down vs handling more throughput/connections
[16:20] <RoyK> DirtyCajun: how much of the load is I/O wait?
[16:20] <RoyK> DirtyCajun: sar/sysstat or top or whatever will tell - I guess it's most of it
[16:54] <DirtyCajun> So after upping the threads to 64, it looks like the load has gone down to 10ish out of 16
[16:55] <DirtyCajun> i do see that context switches are really high (ctx_sw). Like 100K of them
[18:13] <steve3245> Anyone running critical production web-facing servers....do you use ufw or manually set rules with iptables directly? other?
[18:13] <steve3245> **for establishing host firewall rules
[18:17] <_KaszpiR_> steve3245 firewalld
[18:17] <steve3245> _KaszpiR_, from fedora-land?
[18:17] <_KaszpiR_> or plain iptables or ferm
[18:18] <steve3245> _KaszpiR_, do you administer ubuntu and fedora-derived servers?
[18:18] <_KaszpiR_> both
[18:18] <_KaszpiR_> (well it's centos, not fedora but close)
[18:18] <steve3245> (a second question i'm looking into now is if i can develop a unified approach to firewalling centos/debian/ubuntu machines)
[18:18] <steve3245> right
[18:19] <steve3245> i like just using plain IPtables on centos
[18:19] <whislock> firewalld.
[18:19] <steve3245> but i didn't know if that is a kind of lame hack for ubuntu best practices
[18:19] <_KaszpiR_> at first I was not happy with firewalld till I just beat the shit out of it and started to like it
[18:19] <whislock> Honestly, unless you're extremely good at firewalls, you shouldn't be mucking with iptables directly.
[18:19] <_KaszpiR_> there are some pretty decent things in it
[18:19] <whislock> I know a lot of people will disagree with me, but I've seen a lot of large security holes left open or created because people wanted to directly manipulate iptables.
[18:20] <steve3245> I'm no expert but what i like about plain IPtables is i just basically set default DENY on incoming, and then add very restrictive incoming allow rules
[18:20] <_KaszpiR_> do you have WAF (web app firewall which actually filters out and validates requests before they reach application)?
[18:21] <steve3245> not at this time
[18:21] <steve3245> possibly in the future but we are kind of a small shop
[18:21] <_KaszpiR_> then don't spend too much time on firewall
[18:21] <steve3245> most of this stuff is just LAMP type servers etc
[18:21] <_KaszpiR_> most attacks are just on app layer itself
[18:22] <_KaszpiR_> such as exploiting app vulnerabilities
[18:22] <steve3245> i hear you - we got owned recently due to web devs not keeping drupal updated
[18:22] <steve3245> ~10 compromised sites
[18:22] <_KaszpiR_> where's your firewall now? :D
[18:23] <steve3245> haha
[18:23] <_KaszpiR_> sure it's good practice to filter unwanted stuff as close to the source as possible
[18:24] <steve3245> Yes I think they were all "drupalgeddon" attacks....it looks like all it took was someone stuffing some bogus strings into a URL and they had write permissions to the webroot dir  sigh
[18:24] <steve3245> I will look into that
[18:24] <steve3245> is that some kind of hardware appliance you run?
[18:24] <_KaszpiR_> I'd rather focus on processing logs and adding something like fail2ban on too many errors for given app
[18:25] <steve3245> yes i'm definitely hoping to get fail2ban going on these soon
[18:25] <steve3245> i inherited a fair amount of kind of not so well kept servers
[18:25] <steve3245> and just trying to tidy them up a bit
[18:26] <steve3245> do you know if fail2ban directly depends on my using any particular firewall?
[18:26] <steve3245> (related to my earlier question about ufw/iptables/firewalld)
[18:26] <_KaszpiR_> otherwise just making very strict rules for web servers of what is acceptable by the app (this may be tricky but usually boils down to what kind of requests are allowed, what vars are allowed with what kind of type, for example page can be number only) - usually it's just lines and lines of regexp rules ;)
[18:27] <_KaszpiR_> fail2ban can run with different stuff, by default it talks with iptables by creating dedicated rules which it manages
[18:28] <whislock> Consider snort/suricata.
[18:28] <steve3245> yes i'm looking into running snort also to keep eyes on network stuff
[18:28] <steve3245> what is flying around the network
[18:28] <steve3245> do you need really fast hardware to run that?
[18:28] <whislock> No.
[18:28] <_KaszpiR_> nope
[18:28] <steve3245> it sounded like it needed a dedicated bare metal fast CPU host
[18:28] <whislock> But it's not just network stuff. IDS can alert/IPS can mitigate some app exploits.
[18:28] <steve3245> oh awesome
[18:29] <whislock> Depends on the engine, the rules it's fed, etc.
[18:29] <steve3245> yeah i'd love that....it sounded like it could inspect packets and notice "bad" signatures flying around and alert in real time?
[18:29] <steve3245> like "hey this tcp header looks like you might have some ransomware stuff in the network"?
[18:30] <whislock> It's more interested in the content than in TCP.
[18:30] <steve3245> great - are you using snort now in production
[18:31] <whislock> "This request coming into your web server looks like a SQL injection attack" kind of idea.
[18:31] <steve3245> oh awesome
[18:31] <steve3245> yes after this recent drupal incident i'm hoping to be a little more proactive in the future
[18:31] <steve3245> and not depending on the web devs to keep drupal updated
[18:31] <_KaszpiR_> 'nah, that's the devs that made a typo' ;D
[18:32] <steve3245> hey i'd rather have false alerts than not know :]
[18:32] <whislock> Snort is the most widely deployed IDS/IPS engine in the world.
[18:32] <whislock> It's maintained by Talos - Cisco's threat intelligence arm.
[18:33] <whislock> https://www.talosintelligence.com/snort
[18:33] <whislock> I was using it for my house, before my employer transitioned me to Palo Alto firewalls.
[18:35] <steve3245> thanks I will check it out
[18:35] <steve3245> appreciate the input whislock and _KaszpiR_
[18:36] <_KaszpiR_> there is one more thing you may consider
[18:36] <whislock> Zoom.
[18:36] <_KaszpiR_> https://en.wikipedia.org/wiki/Open_Source_Tripwire
[18:37] <_KaszpiR_> for validating files on host, so that you can detect if file signatures change
[18:37] * trippeh_ trips
[18:37] <trippeh_> clear
[18:38] <trippeh_> nm, I'm not tripwire on this IRC network it turns out
[19:25] <oerheks> info suckless-tools
