/srv/irclogs.ubuntu.com/2018/07/17/#ubuntu-server.txt

Srgjames	#ubuntu-server	00:33
Srgjames	erofl	00:33
Srgjames	How the hell can i get Mod_rewrite or the Vitrualhost when using a vhost on 443	00:33
nacc	Srgjames: hard to tell what exactly you are asking for, but: https://httpd.apache.org/docs/2.4/rewrite/vhosts.html	00:43
Srgjames	nacc so instead of Login.php its just login	00:44
nacc	Srgjames: you mean that http://.../login redirects to login.php? or you don't want to see login.php at all?	00:44
nacc	*https://...	00:45
Srgjames	nacc I have this file https://thorn.eveinterface.com/login.php but would rather people see https://thorn.eveinterface.com/login	00:47
nacc	Srgjames: i don't think that's what mod_rewrite is for	00:53
nacc	https://www.plothost.com/kb/how-to-remove-php-html-extensions-with-htaccess/	00:54
nacc	though, maybe? it's limited to just the extension, afaict	00:54
sarnold	mod_rewrite can do way more than just strip extensions http://httpd.apache.org/docs/current/mod/mod_rewrite.html	00:59
sarnold	whether or not it should do those things is another question	00:59
Srgjames	sarnold no clue why but I cant get it to work at all	01:05
Srgjames	at least with extensions	01:05
nacc	sarnold: sorry, i meant the above link, htaccess based rewrite	01:27
sarnold	ah!	01:28
nacc	sarnold: i'm not sure you can do more than the extension-based rewrite in htaccess	01:29
sarnold	I never spent much time seeing what htaccess could do, those are re-read and re-parsed and so on every single request, so I pretend they don't exist because that's just silly.	01:29
nacc	heh	01:31
hehehe	sarnold: can you even code creatively?	01:50
sarnold	no, too old now	01:51
jak2000	hi all	02:03
jak2000	how to check if a port is open?	02:03
sarnold	ss -l or netstat -lnp	02:05
easyOnMe	blackflow: good day	02:14
easyOnMe	I figure out the issue and it has something to do with codeigniter configuration	02:14
easyOnMe	do you have any idea about it	02:14
jak2000	sarnold: https://paste.debian.net/1034013/	02:46
sarnold	those are two separate commands. try them both.	02:47
jak2000	sarnold: https://paste.debian.net/1034016/	02:51
jak2000	the port 3306 is open?	02:51
jak2000	sarnold	04:14
jak2000	if stop iptables i can connect to mysql if start cant connect... how to open the port?	04:14
lordievader	Good morning	06:15
tobasco	anybody seen issues with masked systemd files before?	08:53
tobasco	https://bugs.launchpad.net/ubuntu/+source/redis/+bug/1782097	08:53
ubottu	Launchpad bug 1782097 in redis (Ubuntu) "redis-server systemd unit file is masked and cannot be enabled" [Undecided,New]	08:53
tobasco	coreycb: semi-openstack related since redis is used in the CI when testing bionic+rocky ^	08:53
oerheks	did you edit /etc/redis/redis.conf and set supervised systemd ?	08:57
tobasco	oerheks: thanks for the tip, setting supervised to "systemd" did not help, systemctl enable still fails	09:00
oerheks	i found that on, https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04	09:03
oerheks	umask gave no error .. curious	09:03
tobasco	oerheks: weird, i spawned up a new bionic machine from vagrant and it worked	09:08
tobasco	must be something puppet related that causes it to be masked or smth like that	09:09
tobasco	wonder why i can't unmask though	09:10
tobasco	oerheks: thanks for the help, I found the issue :)	09:15
oerheks	tobasco, nice	09:15
oerheks	is it just a glitch or ..?	09:15
tobasco	oerheks: somehow related to puppet when installing the package, more of a workaround, don't enable it :(	09:17
oerheks	:-)	09:17
=== blackflow is now known as blockflaw
SomeT	anyone help me with the following step, step 6 at https://gitlab.com/tslocum/tinyib it says to set directories as writeable (https://i.gyazo.com/d3c5a3997a8aa3bf1db0f109df0f91b5.png) but what chmod number do I use for this and what command in Linux Ubuntu therein?	10:04
lordievader	Writable for whom?	10:07
SomeT	this is the thing thats confusing me I think...	10:08
SomeT	it literally just says: CHMOD write permissions to these directories:	10:08
SomeT	./ (the directory containing TinyIB)	10:08
SomeT	./src/	10:08
SomeT	./thumb/	10:08
SomeT	./res/	10:08
SomeT	./inc/flatfile/ (only if you use the flatfile database mode)	10:08
SomeT	then lists those directories	10:08
SomeT	I presume it means to make them writeable publically?	10:08
lordievader	That sounds like a bad idea.	10:09
lordievader	Investigate who needs those right and only give them the rights.	10:09
ducasse	SomeT: don't crosspost, it's rude and wastes other peoples time	10:09
SomeT	I just crossposted because that other guy is crying in there	10:09
SomeT	so he is getting all the attention about his graphics driver	10:10
oerheks	SomeT, i still wonder who needs write permissions, the user, or a group, or php ?	10:10
oerheks	that guide is pretty ... not saying	10:10
SomeT	would it be all three?	10:11
SomeT	so basically 776?	10:12
lordievader	Like I said, investigate.	10:12
SomeT	I cant	10:12
SomeT	this is all the info I have	10:12
lordievader	Is it code that is supposed to run?	10:14
ducasse	contact the maintainer(s)	10:14
SomeT	no	10:14
SomeT	the folders are empty	10:15
lordievader	Looking at the gitlab page it looks like a bunch of photos scripts. So whoever runs the php stuff on your machine needs write rights, most likely.	10:16
oerheks	add it to the www-data group?	10:18
lordievader	Depends on the setup.	10:23
ahasenack	rbasak: hi, I didn't understand one thing about https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1249777	11:29
ubottu	Launchpad bug 1249777 in sssd (Ubuntu) "libsss-sudo generated nsswitch.conf leads to error messages upon sudo invocation" [Low,Confirmed]	11:29
ahasenack	rbasak: why are they installing the sss-sudo (name to be corrected) package if they do not want to use it?	11:29
ahasenack	it just comes along because of dependencies perhaps?	11:29
ahasenack	libsss-sudo*	11:29
rbasak	ahasenack: I assume it's a Recommends so is coming in automatically.	11:37
ahasenack	sssd-common indeed recommends libsss-sudo	11:37
ahasenack	teward: hi, did you see https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1781971 ?	11:41
ubottu	Launchpad bug 1781971 in nginx (Ubuntu) "nginx daemon should be provided in a package that doesn't have dependencies to systemd (or nginx-common)" [Undecided,New]	11:41
ahasenack	wishlist?	11:42
rbasak	I commented with a side note	11:47
rbasak	But yeah, +1 for Wishlist	11:48
ahasenack	thx	11:50
teward	ahasenack: rbasak: saw, and replied.	12:45
teward	there's a headache to consider here though	12:45
teward	to do this we need to do three things at least:	12:45
teward	(1) rename nginx-core (which is the 'upstream-provided modules only' version of nginx-full) to something else,	12:45
teward	(2) each flavor of NGINX needs its own -core package	12:46
teward	which means we go from nginx, nginx-{light,core,extras,full,doc,common} to nginx, nginx-doc, nginx-{light,ubuntu?,extras,full,doc,common}, nginx-core-{light,ubuntu,extras,full}	12:47
teward	of which nginx, nginx-ubuntu, nginx-core-ubuntu, and nginx-common become Main included	12:47
teward	(assuming that nginx-ubuntu is whatever name we rename nginx-core to)	12:48
teward	(3) This makes maintaining this while merging from Debian that much more difficult	12:48
teward	meaning as I said in my reply to the bug we probably have to permanently diverge in a non-mergeable way from Debian	12:48
teward	not to mention the build rules currently don't take kindly to changing, we'd have to do some serious work on the d/rules to probably make this work	12:49
teward	it may be the lack of coffee talking just now, but I'd be hesitant to do this without some heavy-duty discussions first	12:49
teward	so the earliest I think we could roll this out would be maybe next cycle if we choose to do this	12:50
teward	the key problem is nginx-{core,light,full,extras} all have different nginx binary applications in them	12:50
teward	because not all NGINX modules are dynamically includeable	12:50
teward	so to replace this so each of those flavors' nginx executables are able to be used independently in a 'core' package variant like MySQL does is a significant overhaul	12:51
teward	and I can't guarantee it'll even be done by next cycle.	12:51
teward	my suggestion would be to upstream this to Debian for their thoughts, and depending on what they do decide where we go next	12:51
rbasak	teward: OK, thank you for your thoughts.	13:06
teward	rbasak: not to say we can't do it, but it'd need thought out, adjusted, and heavily tested	13:20
teward	that's the thoughts I have on it right now	13:20
teward	I also have to get into the habit of version controlling the package (do we have it in git yet?)	13:20
teward	(Launchpad VCS is... tricky to say the least... compared to github or such)	13:20
teward	now, to be fair, I've got an idea of how this can be implemented. It'll just be very tricky to get working properly...	13:22
teward	rbasak: ahasenack: do you want me to proceed with prototyping this so we can see how the existing 18.04 package would have to be altered to work properly? do we have a replacement name for the 'core' flavor that we have for NGINX?	13:23
rbasak	teward: I suggest you hold on this for now, pending further discussion. Some of my colleagues are sprinting at the moment so it may not be for a week or two.	13:36
rbasak	(given that Andres filed the bug, I suspect that it's because MAAS would like this facility from the nginx package; there may be other possible solutions)	13:37
teward	rbasak: ACK	13:52
sweb	my preseed command is return exit code 1	13:56
sweb	here my command : https://paste.ubuntu.com/p/4YGmgJ82VR/	13:56
l4m8d4	Is it possible to create a network bridge on a physical interface, and at the same time derive MACVLAN interfaces from it?	14:57
RoyK	l4m8d4: yes - it's quite simple	15:12
RoyK	l4m8d4: something like this https://wiki.debian.org/BridgeNetworkConnections	15:13
sweb	https://serverfault.com/questions/922311/ubuntu-pressed-exit-with-code-1	15:25
l4m8d4	RoyK: Ok, not sure if what I wanted is really what I need. I (will) have 2 containers and 1 vm (possibly more in the future) on the machine, and I have 1 physical NIC (eno1) that I want to devote completely to the containers and vm. Another physical NIC is used to directly connect the host to the network seperately. Would I be able to create 3 virtual NICs, bridge them with the physical eno1, then	15:30
l4m8d4	"give" them to the containers and VM?	15:30
l4m8d4	And also, would these be able to configure these virtual NICS themselves, assigning addresses, putting up and down, and so on?	15:32
l4m8d4	Before, I planned on only containers, there I could just use MACVLAN with systemd-nspawn, which would do just that, without evem requiring a bridge, or any manual config on the host even. With VMs, I guess this approach wont work (it seems netplan can not configure macvlan that can be handed to the VM)	15:34
RoyK	l4m8d4: kvm?	15:48
l4m8d4	Yes	15:50
RoyK	then just use that bridge	15:51
l4m8d4	Ok. Systemd containers support connection to the brdige too, so that should be ok	15:51
RoyK	in the vm setup, just connect to that bridge - it'l work - I use the same thing on a few servers	15:51
l4m8d4	RoyK: Thanks, I'll try to set it up like this then!	15:53
SomeT	having trouble getting php code to connect to my sql database	15:59
SomeT	checked ufw and the port 3306 is open	15:59
SomeT	I can't figure out what else is wrong?	15:59
RoyK	SomeT: which sql server?	16:04
RoyK	mysql? postgresql? mariadb? sqlite? mssql?	16:06
SomeT	mysql	16:06
SomeT	@RoyK?	16:08
RoyK	SomeT: are you connecting from the same machine or another?	16:09
blockflaw	SomeT: what kind of "Trouble"?	16:09
SomeT	its a digitalocean dropley	16:10
blockflaw	surely there's a specific error message to it	16:10
SomeT	its a digitalocean droplet	16:10
SomeT	one sec	16:10
SomeT	give you more details	16:10
blockflaw	wait, you're accessing your db remotely, over the public internet?	16:10
RoyK	with cleartext password?	16:10
RoyK	fun	16:10
SomeT	no	16:10
SomeT	well kinda	16:10
SomeT	I am logged into a virtual machine	16:10
SomeT	https://gitlab.com/tslocum/tinyib	16:10
SomeT	I am trying to install this on a LEMP stack	16:10
SomeT	via digital ocean	16:11
SomeT	I got as far as step as step 7	16:11
SomeT	on there read me	16:11
SomeT	when I go to/imgboard.php	16:11
blockflaw	doesn't matter where you're logged. the question is on which server is the php client and on which server is the db and is the traffic going over the public internet, or infact, any network between two different IP addresses.	16:11
SomeT	https://gyazo.com/e879dd520f7e58d0eba7ee03c0635715	16:11
SomeT	I get that error message	16:11
RoyK	SomeT: can you telnet into port 3306 in that db server?	16:11
SomeT	um never tried that	16:12
SomeT	but I already checked ufw	16:12
RoyK	SomeT: erm - you're missing a library	16:12
blockflaw	mysql by defautl listens on localhost only, if I'm not mistaken? so... is this supposed to work between two different machiens or is all within localhost?	16:12
SomeT	https://gyazo.com/dea0f3ef73de514c3a35d607f6e9a2cc	16:12
SomeT	a library?	16:12
SomeT	which one?	16:12
blockflaw	mysql client lib for PHP otoh	16:13
RoyK	the first thing you pastbinned was saying "mysql library missing"	16:13
RoyK	pretty normal noob issue ;)	16:13
spaces	hi guys, do we still need ondrej for PHP packages in 18.04 ?	16:14
SomeT	wait I need that enabled?	16:14
blockflaw	spaces: probably if you'll want 7.3 in a few months.	16:14
SomeT	what thing	16:14
SomeT	https://gyazo.com/e879dd520f7e58d0eba7ee03c0635715 ?	16:14
RoyK	php-mysql something	16:14
SomeT	ah I see	16:15
SomeT	one sec	16:15
SomeT	http://zchan.net/test.php	16:15
blockflaw	mysql PDO probably (as there's THREE mysql libs for PHP.... two actually I think one was discontinued with 7.x)	16:15
SomeT	definitely the mysql library?	16:15
SomeT	if you check that page for me	16:15
spaces	blockflaw I wasn't able to install php-curl with the default repo's in 18.04, it failed, dependency and I came from ondrej	16:15
SomeT	because I find it bit confusing to read	16:15
blockflaw	SomeT: you got them all it seems, ont he _server_. where's the client? on the same machiine?	16:16
nacc	spaces: you never "needed" ondrej	16:16
SomeT	yeah	16:16
nacc	spaces: you chose to require something that wasn't in ubuntu, which then made you need ondrej's repo	16:16
SomeT	I usually just direct connect through pUTTy	16:16
spaces	nacc 7.1 and 7.2 had some advanatges where 16.04 didn't had those	16:16
blockflaw	SomeT: so, mysql and php (fpm) are running on the same machine?	16:16
nacc	spaces: can you pastebin the exact output of installing php-curl?	16:16
nacc	spaces: right, that's a choice you make	16:16
SomeT	yes	16:16
spaces	nacc I can see if it's tstill in my terminal	16:16
nacc	spaces: ok	16:17
SomeT	I don't care about the security to much at this stage	16:17
SomeT	I am still learning ;)	16:17
SomeT	I will make a not of your security advisement though	16:17
SomeT	as I get where your coming from	16:17
blockflaw	don't say that. even if you don't care, someone else cares that you don't and will gladly take over your machine and turn it into a 100Mbps UDP gun for hire.	16:17
SomeT	besides it makes sense because thats how I do it locally	16:17
spaces	nacc php-culr is sumlinked as you know: https://pastebin.com/Hd9bET7M	16:17
SomeT	the amount I delete my servers anyway it dont matter so much	16:17
nacc	spaces: you have ondrej enabled.	16:18
nacc	spaces: don't use a ppa.	16:18
SomeT	but anyway back on point, you said the mysql library is installed right?	16:18
blockflaw	SomeT: if you don't install in your brain a security savvy mind and do it the right thing from the start, it'll be harder later to do so.	16:18
spaces	nacc it was not enabled anymore	16:18
blockflaw	SomeT: according to that phpinfo, it is.	16:18
spaces	nacc earlier you needed appa	16:18
SomeT	because php -m gives:	16:18
spaces	*ppa	16:18
SomeT	mcrypt	16:18
SomeT	mysqli	16:18
SomeT	mysqlnd	16:18
SomeT	no just mysql	16:18
nacc	spaces: yes you do.	16:18
nacc	spaces: look at the output.	16:18
nacc	spaces: `apt-cache policy php7.2-curl`	16:19
blockflaw	SomeT: that's okay. also, pdo should be listed there	16:19
SomeT	yeah pdo is on there	16:19
nacc	spaces: if i had to guess, you didn't purge the ppa, and still have packages from it.	16:20
SomeT	I am at a loss	16:20
=== blockflaw is now known as blackflow
SomeT	like I even looked through the code to find whats bringing up that error message but could not find it	16:20
SomeT	ohhh	16:21
SomeT	actually	16:21
SomeT	https://gitlab.com/search?utf8=%E2%9C%93&search=MySQL+library+is+not+installed&group_id=&project_id=6824919&search_code=true&repository_ref=master	16:21
SomeT	didnt think to search using gitlab	16:21
SomeT	if (!function_exists('mysql_connect')) is my key to solving this	16:22
SomeT	question is which function?	16:22
nacc	SomeT: do you just need to set TINIB_DBMODE to mysqli?	16:23
nacc	*TINYIB	16:23
SomeT	um	16:23
SomeT	could be	16:23
SomeT	one sec	16:23
blackflow	SomeT: that tinyib thing is using mysqli, which you have according to that phpinfo	16:23
SomeT	not tried that	16:23
nacc	blackflow: i believe by default it might use 'mysql'	16:24
SomeT	how do I even enter mysqli command line in ubuntu though...	16:24
blackflow	I grep'd the source	16:24
SomeT	I will try it and see	16:24
SomeT	I tried to change to pdo already	16:24
blackflow	oh wait, yes, it can use more than one backend....	16:24
nacc	SomeT: took me about 5 seconds of reading their maing gitlab page	16:24
SomeT	ok	16:25
SomeT	Could not select database: Unknown database 'TinyIB'	16:25
SomeT	I get that when I change to mysqli	16:25
nacc	SomeT: that's a better error	16:25
SomeT	I defined the database in the code	16:25
SomeT	I thought it would auto create it	16:25
nacc	dunno	16:25
SomeT	but now my issue is I have no idea how to create a database in mysqli	16:25
nacc	that seems more like a tinyib problem than an ubuntu one	16:25
SomeT	only in mysql	16:25
SomeT	yeah at least you got me that far thanks	16:25
SomeT	is a better error	16:25
SomeT	MySQLi is a replacement for the mysql functions, with object-oriented and procedural versions. It has support for prepared statements.	16:26
spaces	nacc maybe indeed but installing curl itself fixed it all	16:26
spaces	so I think a dep issue in the ppa packages	16:26
spaces	old ones or so	16:27
spaces	dunno	16:27
nacc	spaces: no, it's because you have two repos setup	16:27
nacc	and ondrej's versions are after ubuntu's.	16:27
nacc	spaces: your issue is using a ppa you don't need	16:27
spaces	nacc yes but taht would be no issue as it should get the latest ones but I think it was still looking for 16.04 packages and didn't match where 18.04 were newer	16:28
SomeT	ok I fixed it	16:28
spaces	between ppa en 18.04	16:28
SomeT	I just went into mysql and created that database	16:28
SomeT	thansk for the help	16:28
nacc	spaces: i'm otp now, one sec	16:28
spaces	nacc I'm at att now (at the toilet)	16:29
spaces	more then one sec ;)	16:30
blackflow	...	16:30
spaces	blackflow what's wrong with it, better let people know where you are, do you know how many people die on the toilet each year ?	16:32
blackflow	a statistic I'm dying to find out.	16:33
spaces	wot?	16:33
blackflow	you asked if I knew how many people died on the toilet each year, no?	16:35
blackflow	your rhetoric question was answered with a cynical, nihilistic sarcastic answer. sans smileys for a pokerface response.	16:36
spaces	blackflow you say so but it happens a lot because people hold up too long and need to use pressure to get it out, some vane in your head can explode then	16:38
spaces	kinda tricky, really when you get older	16:38
* blackflow politely coughs and looks at the offtopic sign hung near the door.		16:38
spaces	blackflow better know then find out when it's too late ;)	16:39
spaces	nothing wrong on the side for a small talk	16:39
blackflow	=)	16:39
spaces	blackflow now I need to drink so I can pee out later on what I didn't hydrate and sweated out <- tip is drink from time to time :P	16:50
=== tobasco is now known as tobasco_away
DammitJim	is there a way to get a service status on Ubuntu 16 where it just prints the status and exits?	17:07
DammitJim	(you don't have to press q to quit)	17:07
RoyK	systemctl status <service>	17:08
DammitJim	RoyK, I appreciate it, but when you do that, you'll see at the bottom: lines 1-14/14 (END)	17:09
DammitJim	you need to press q to get out of that window	17:09
DammitJim	meaning, the systemctl command in that case doesn't return you back to the prompt	17:09
RoyK	dosaboy: it does	17:11
RoyK	DammitJim: it does	17:11
DammitJim	it does what?	17:11
RoyK	DammitJim: it returns - or if not, just "true \| systemctl status <service>"	17:12
DammitJim	did you try it for yourself?	17:12
DammitJim	even with true, it still doesn't return you to continue running more commands	17:12
RoyK	I've never seen systemctl status not return	17:13
DammitJim	try it and pastebin it... maybe I have configured something wrong	17:13
RoyK	you paste bin it	17:14
DammitJim	https://paste.debian.net/1034115/	17:15
DammitJim	Again, I appreciate you trying to help, but please don't tell me that it returns when you haven't even tried it yourself	17:15
DammitJim	because as someone who is trying to learn, it makes it even more confusing	17:16
RoyK	it doesn't stop for a prompt there	17:16
DammitJim	does it return to the prompt for you?	17:17
DammitJim	paste bin it and let me see	17:17
RoyK	it does	17:17
RoyK	DammitJim: http://paste.debian.net/1034117/ <-- systemctl status apache2 - nothing else	17:18
DammitJim	yup, yours doesn't return to the prompt either	17:19
DammitJim	you can't run another command after it	17:19
DammitJim	you have to press q or something to get out of that console	17:19
RoyK	DammitJim: no	17:19
RoyK	DammitJim: you're quite wrong here	17:19
DammitJim	can you run the date command after that?	17:23
nacc	spaces: i'm back now	17:23
DammitJim	hey nacc	17:23
DammitJim	do you know of a command on Ubuntu 16 where you can check the status of a service	17:23
DammitJim	but the command returns you back to the prompt?	17:24
sarnold	DammitJim: try this: PAGER=cat systemctl status lst-dash89-1	17:24
nacc	DammitJim: do you want to just know if it's running?	17:24
DammitJim	yes	17:24
DammitJim	you know, use shell scripts and stuff	17:24
DammitJim	the old way was running: service <service_name> status	17:25
nacc	systemctl is-active?	17:25
DammitJim	it would return something I can parse	17:25
nacc	and --quiet if you don't want any output	17:25
DammitJim	noway!	17:25
nacc	parsing is alwways the wrong choice	17:25
DammitJim	thanks man!	17:25
nacc	use exit codes/retrun codes	17:25
nacc	the textual output of those commands is not an ABI :)	17:25
nacc	there is also is-failed, iirc	17:26
DammitJim	yeah, you are right nacc... I was saying parsing because right now that was the only way I knew from looking at the huge output from systemctl <service> status	17:26
nacc	sure	17:27
nacc	DammitJim: i think the above is what you want, though	17:27
DammitJim	now, is-active is not the same as running, or is it?	17:27
DammitJim	I've seen the status say: active (<something else in here>)	17:27
DammitJim	oh yeah, like: active (exited)	17:28
nacc	that'd be a oneshot if so	17:28
nacc	you can read the systemctl manpage to see	17:28
nacc	the closest you can get to 'running' is is-active, afaick	17:28
nacc	which just means it hasn't failed	17:28
DammitJim	ok, great!	17:28
nacc	if it is long-running, it's still running, if it's oneshot, well, it shot :)	17:28
DammitJim	thanks! that's very helpful	17:44
=== JanC_ is now known as JanC
trekkie1701c	So is there a way to get the 4.15 kernel on 16.04 or do I have to go to 18.04?	21:08
nacc	trekkie1701c: you should wait for 16.04.5 to come out.	21:09
nacc	trekkie1701c: you can use the edge hwe kernel if you want, i think	21:09
trekkie1701c	hwe only goes to 4.13	21:09
nacc	!info linux-image-generic-hwe-16.04-edge	21:10
ubottu	linux-image-generic-hwe-16.04-edge (source: linux-meta): Generic Linux kernel image (dummy transitional package). In component main, is optional. Version 4.15.0.23.25 (bionic), package size 1 kB, installed size 14 kB	21:10
nacc	!info linux-image-generic-hwe-16.04-edge xenial	21:10
ubottu	linux-image-generic-hwe-16.04-edge (source: linux-meta-hwe-edge): Generic Linux kernel image. In component main, is optional. Version 4.15.0.24.46 (xenial), package size 2 kB, installed size 10 kB (Only available for i386; amd64; armhf; arm64; ppc64el; s390x)	21:10
nacc	trekkie1701c: please do some research, as that is not correct.	21:10
trekkie1701c	I installed hwe a few minutes ago and I'm on the 4.13 kernel so...	21:11
nacc	trekkie1701c: read what i wrote again.	21:12
nacc	trekkie1701c: the edge hwe kernel.	21:12
trekkie1701c	Alright then, I didn't realize there was a difference. Sorry.	21:12
ahasenack	hm, dpkg-buildpackage is complaining that I have changes that cannot be represented	21:22
ahasenack	so far, a common mistake,	21:22
ahasenack	but it's about .git/* content	21:22
ahasenack	I've never seen that before	21:22
nacc	ahasenack: pass -i -I	21:22
nacc	iirc	21:22
ahasenack	I never had to do that before	21:22
ahasenack	could something in cosmic have changed?	21:23
nacc	ahasenack: dunno, we pass it in git-ubuntu automatically	21:24
nacc	ahasenack: it's actually an option to dpkg-source, iirc	21:24
ahasenack	yeah, ignore certain default files/dir	21:24
ahasenack	nothing recent in dpkg's changelog, I must have skipped a step without realizing	21:25
Veus_uni	hello is there jshell for ubuntu? or something simular where i user would be logged into their dir, and not aloud to go out side of it, but able torun mono and screen	22:19
sarnold	you could set the user account to have a specific shell, and create an apparmor profile for that shell..	22:21
Veus_uni	how do you mean?	22:22
Veus_uni	something like rbash?	22:22
Veus_uni	i knoe with cpanel they have jailshell which will only let them go to /home/user, but will let them run almost anything	22:22
sarnold	rbash is easy to bypass if you let the user run something like vim or mutt or screen since it's trivial to get to a real shell and then do what you want	22:22
sarnold	nearly every useful tool lets you execute shell commands..	22:23
sarnold	so that's why a stronger tool like apparmor is useful; it can confine the user beyond what a single "restricted" process is able to provide	22:23
Veus_uni	with apparmor are the users able to view through ssh other folder other than thier own i,e if i have user1 in /home/user1 would they be able to see anything in /home/user2	22:27
sarnold	if you wanted something that'd work on all users with the shell, you could write the rules like: "owner /home//* r," to let them read only files they own.. if you've got one user in mind, it could be "owner /home/untrusted/** r," to only let them read the files in their own home directory, IFF they own the file ..	22:30
Veus_uni	ok i sort of get that, would they be able to run screen and mono, and be able to write in their directory etc, basically im creating a hosting service for a niche market, and the users need to access their own directory only, i.e read write, but able to execte things like mono and screen, and also editors like nano so they can edit .ini files in their directory	22:33
sarnold	yeah, all that's possible with apparmor	22:34
Veus_uni	would it also be possible to restrict the amount of ram and space a user can use with apparmor? i.e let the programs they use only use2gb ram etc, and only let them have 20gb space? i think quota will work for the space	22:35
sarnold	you may also wish to investigate lxd; it uses the kernel's namespacing features to let you build a bunch of shared instances.. it's got less overhead than full virtualization, and is easier to admin / configure..	22:35
sarnold	lxd would do resource limits easier; apparmor can set the rlimits on processes, but it's harder to work with aggregate limits that way	22:36
Veus_uni	i had thought about that but went against it with the stuff needing mono etx	22:36
Veus_uni	the ram limits its not a major must atm	22:37
Veus_uni	with lxd how would the ip work? as the server will only have 1 ip, and that would need to go over all "containers"	22:46
sarnold	hmm, I don't know how that'd work :/	22:46
Veus_uni	looks like apprmor then, just need to know how to set it up ptoperly	22:47
sarnold	Veus_uni: hm. I'm getting a bit dissapointed when tyring to find some good docs on how to use apparmor. the apparmor.d manpage is too detailed -- it's good for reference but poor for learning..	22:53
Veus_uni	yeah im tryimg to read some atm	22:53
sarnold	Veus_uni: the apparmor wiki is best ignored -- a lot of it is just notes for us for future development work, and it's not obvious which bits are which	22:53
sarnold	Veus_uni: the suse folks have a nice enough chapter at https://www.suse.com/documentation/sled11/singlehtml/apparmor_quickstart/apparmor_quickstart.html -- but bits of it are specific to suse :)	22:54
Veus_uni	yeah, im thinking of getting someone to make a profile for me, then use that as a template	22:54
Veus_uni	grrr i need ubuntu though	22:54
sarnold	Veus_uni: here's a profile that I've used for testing things before http://paste.ubuntu.com/p/T3vm8SB6Pv/	22:55
sarnold	Veus_uni: if you cp /bin/bash to /tmp/bash and load this profile (store this file in /etc/apparmor.d/tmp.bash and then load it iwth apparmor_parser --replace /etc/apparmor.d/tmp.bash)	22:56
sarnold	Veus_uni: .. you can then execute /tmp/bash, see what works, see what doesn't work, watch the kernel logs or audit logs for the DENIED lines to see how it works.. add lines as needed..	22:57
sarnold	it's not a bad starting point to learn about apparmor anyway	22:57
Veus_uni	brb need to nip down stairs	22:58
Veus_uni	will do thanks	23:30
Veus_uni	sarnold, dpes appamor work for users?	23:39

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!