[00:09] <sarnold> Veus_uni: what do you mean?
[00:10] <sarnold> Veus_uni: users currently can't load their own policy, but we aim to address that some day
[00:10] <Veus_uni> it seems to only restrict apps, im needing to restrict users
[00:10] <sarnold> Veus_uni: aha
[00:10] <sarnold> Veus_uni: so .. if you restrict the processes that a user interacts with to enter the system, that achieves much the same goal
[00:11] <Veus_uni> it would be good someday but for my use not now, but im looking at jailshell which can be installed on ubuntu which seems good, as i would need to do something like that, but would it run screen and also mono
[00:11] <sarnold> Veus_uni: so, if you let users log in via ssh, then you make sure that the shell sshd starts for the user is confined (and make sure the built-in sftp server either doesn't let them in, or confine sshd..)
[00:12] <sarnold> Veus_uni: if you let the user write their own mono or provide their own shell configuration file then those kinds of restricted shells are toys :(
[00:14] <Veus_uni> yeah, basically, im wanting to provide shared region hosting for opensimulator, and thought of the idea from cpanel of jailshell, but its finding a way to make it work, i know cpanel uses it. but would it work on ubuntu and would it run mono and screen, as both are needed, the only other option would be to buy a bigger server and run vpn, but that would be too much to be honest,
[05:10] <cpaelzer> good morning
[06:22] <lordievader> Good morning
[10:32] <Ussat> \o/ my private test lab is finally done
[11:32] <RoyK> Ussat: congrats - what're you going to test there?
[11:36] <Ussat> Nothing in particular, I have my test lab at work, this is in VM's on my laptop, for more spur of the moment tests etc
[11:36] <Ussat> kinda like "hey, lets see if this works" kinda things
[11:37] <Ussat> it mimics my test lab at work
[11:37] <Ussat> if that makes sense
[15:51] <npgm> hi so I'm having difficulty getting a usb ethernet adapter to work with 16.04
[16:03] <compdoc> npgm, does it show 'unclaimed' when you list with lspci?
[16:03] <compdoc> or maybe lsusb
[16:04] <npgm> compdoc: actually realized my issue. I had a really malformed interfaces file. Things seem to be working fine.
[16:04] <compdoc> :)
[16:05] <Veus_uni> sarnold, you about?
[17:48] <sarnold> hey Velus :)
[18:24] <l4m8d4> Is it possible to install virtinst without all the desktop package dependencies? I wanted to install it on a server without a video card and it wanted to pull in all type of desktop stuff, which I obviously don't want
[18:26] <sarnold> l4m8d4: consider uvtool instead
[18:30] <l4m8d4> sarnold: So this acts as an image fetcher + vm manager?
[18:35] <sarnold> l4m8d4: yeah
[18:36] <l4m8d4> Is it possible to customize things like networking with uvtool? Is it compatible with machinectl?
[18:42] <sarnold> configuring networking seems likely, no idea on machinectl
[20:09] <hashwagon> Can anyone recommend me a channel to answer a CPU question I have? I'm wondering if the Intel Xeon E3-1220 (BX80662E31220V5) has a integrated graphics.
[20:10] <Velus> hashwagon, it dont have integrated graphics
[20:10] <blackflow> hashwagon: https://ark.intel.com/products/52269/Intel-Xeon-Processor-E3-1220-8M-Cache-3_10-GHz
[20:11] <blackflow> ark.intel.com is the best place to query info about CPUs
[20:11] <blackflow> *about Intel CPUs
[20:12] <Velus> thats what i checked blackflow and it dont have integrated graphics
[20:12] <hashwagon> Thanks, guys. That's a good website - I'll bookmark it. Any suggested alternatives to this CPU that have IG?
[20:13] <Velus> https://ark.intel.com/Search/FeatureFilter?productType=processors&QuickSyncVideo=true
[20:13] <Velus> that will help you
[20:14] <hashwagon> Excellent - thanks
[20:16] <blackflow> Why quicksyncvideo? The search form can do Integrated Graphics  Yes/No
[20:16] <blackflow> hashwagon: https://ark.intel.com/Search/FeatureFilter?productType=processors&FamilyText=Intel%C2%AE%20Xeon%C2%AE%20Processors&IntegratedGraphics=true
[20:17] <blackflow> assuming you want a Xeon and not a desktop-y CPU
[20:30] <l4m8d4> hashwagon: A lot of motherboards for xeon CPUs have an on-board graphics chip too, so in most cases the integrated xeon graphics is not needed
[21:03] <Velus> sarnold, do you know of any way i can jailshell someone i did look at jail-shell but it lets people look around in ssh at other peoples files which i dont want to happen, i want them to be able to use other stuff like mono and screen and be able to work in their directory but not others
[21:11] <blackflow> Velus: ssh or sftp chroots
[21:11] <blackflow> (that was about ssh, wasn't it?)
[21:12] <Velus> yes
[21:12] <Velus> ssh
[21:12] <Velus> and i tried this thing from github called jail-shell
[21:13] <Velus> brb break time
[21:17] <blackflow> Velus: if it's over ssh, you don't need any additional software, you can chroot users.   Check out ChrootDirectory in sshd_config manpage. Note in particular the need to bring in the shell and any /dev/... stuff into the chroot, as needed.
[21:17] <blackflow> which is not needed for sftp, so what exactly do you need there? sftp or full ssh access?
[21:34] <sarnold> Velus: I strongly recommend skipping anything marked "jail shell" kind of tools. blackflow's suggestion of ssh'd chroot support is pretty good if you only care about ssh and want to maintain different environments for the users entirely
[21:35] <nacc> and i definitely wouldn't use it from github
[21:36] <blackflow> yeah, if exclusive to ssh "containment".
[21:44] <Velus> its only over ssh its a server held in a data center, basically wanting to do shared hosting for opensim which is a virtual world so you need ssh access to set it up
[22:12] <Velus> blackflow, lets say i have user john and user shaun on my server can user shaun kill a process that user john is using
[22:12] <sarnold> no, standard unix discretionary access controls will prevent that
[22:13] <Velus> would they be able to see the process that they are using?
[22:13] <sarnold> yes
[22:13] <sarnold> there's a proc tunable ..
[22:13] <Velus> ok
[22:13] <sarnold> look through procfs(5) for the hidepid variable
[22:18] <nacc> why not just put them in private containers?
[22:18] <nacc> this seems like a lot of overhead just for isolation
[22:19] <sarnold> nacc: I think Velus only has one IP address to work with so can't just pop everybody into their own lxd
[22:19] <nacc> sarnold: ah, I'm sure you can do some trickery there, but I can see how that would be a limitation
[22:19] <sarnold> (that'd probably also be unfortunate if you had to have N copies of mono runtime / program loaded rather than just re-using the one copy..)
[22:19] <nacc> yeah
[22:20] <sarnold> can you do hardlink tricks to have just the one copy in memory?
[22:20] <nacc> in theory, you could share it from the host
[22:20] <nacc> to each lxd, i think
[22:20] <sarnold> .. well, that'd probably bust the moment once one of the users wants to upgrade or similar
[22:20] <nacc> yeah
[22:20] <nacc> i'd assume this is meant to be a rather restricted environment; maybe upgrades are not supported.
[22:33] <RoyK> hidepid works well
[22:33] <sarnold> hey RoyK :)
[22:34] <RoyK> hi
[22:35] <RoyK> sarnold: all well?
[22:36] <sarnold> RoyK: yeah, pretty good :) I'm feeling ever so slightly overwhelmed with all there is to do, but such is life I guess :)
[22:36] <sarnold> RoyK: how're you doing? :)
[22:40] <RoyK> sarnold: good, thanks - just got myself a cr-10s - summer fun :)
[22:40] <sarnold> RoyK: oh sweeet :D
[23:05] <RoyK> sarnold: printing out a wee lampshade now - had one in glass that hit the floor…
[23:06] <sarnold> RoyK: heh, bummer about the old one.. but hooray :D
[23:06] <RoyK> sarnold: openscad is neat
[23:07] <RoyK> blender too, but a wee bit steeper learning curve
[23:20] <rbasak> l4m8d4: uvtool is a front end to libvirt, cloud-init and image fetching. You can customise networking as much as libvirt can customise networking, which is the same level as virtinst I think (which also uses libvirt as the backend).
[23:51] <blackflow> sarnold: btw, with single IP you can have sshd's in containers on different ports.
[23:51] <sarnold> blackflow: mm interesting idea, do you know if that works with lxd?
[23:51] <blackflow> but containers are really not needed and create a whole lot of different logistic issues
[23:53] <blackflow> sarnold: not from personal experience, but I don't see why not. I do have such a setup on FreeBSD though. An alternative is bridged networking, internal IP per container, and some iptables magick for port forwarding.
[23:53] <blackflow> that one I know from personal experience it works (though it was LXC, not LXD)
[23:53] <sarnold> blackflow: aha, then I'd expect something similar to work with lxd, but might exceed the cost/benefit ratio ;)
[23:54] <blackflow> it's defo an overkill, since you basically have to manage whole ostree sans kernel, per user.