[09:54] <tomreyn> how would you setup and manage networking on a single KVM based HV (no HA) with an IPv4 /28 and IPv6 /64 which you'll manage via CLI (libvirt-bin or similar) only?
[11:04] <mnms_> Hi.. looking for solid guide about hardening fresh ubuntu server, could you recommend something?
[11:24] <blackflow> mnms_: https://wiki.ubuntu.com/Security/Features    and    https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04    and employ AppArmor wherever possible. The second links a bit old, those aren't all security features available through systemd, so check its docs too.
[11:38] <mnms_> blackflow thx
[12:25] <ahasenack> rbasak: hi, is the importer stuck by any chance?
[12:25] <ahasenack> rbasak: https://git.launchpad.net/~usd-import-team/ubuntu/+source/autofs/tree/debian/changelog is at 5.1.2-3ubuntu2, rmadison shows cosmic at 5.1.2-4ubuntu1
[12:26] <rbasak> Looking
[12:28] <rbasak> Yes, the host was rebooted a week ago
[12:28] <rbasak> Looking into why
[12:30] <rbasak> The logs have rotated out :(
[12:31] <rbasak> Restarted
[13:54] <ahasenack> jamespage: hi, isn't crmsh used quite a log in openstack xenial deployments?
[13:55] <ahasenack> I came across https://bugs.launchpad.net/ubuntu/+source/crmsh/+bug/1687095 and "crm cluster health" just can't work in xenial because of the missing dep, and I also added the uca for a bunch of versions and the bug remains
[13:55] <ubottu> Launchpad bug 1687095 in crmsh (Ubuntu) "crm cluster health: NameError: global name 'parallax' is not defined" [High,Confirmed]
[15:33] <jamespage> ahasenack: we do but I don't think I have ever used 'crm cluster health'
[15:33] <jamespage> we don't hold crmsh in the UCA, so I'm not surprised that made no difference
[15:34] <ahasenack> jamespage: ok, thanks
=== jdstrand_ is now known as jdstrand
[17:29] <ahasenack> rbasak: are you aware of known issues doing release upgrades from trusty to xenial with a mysql server installed?
[17:30] <nacc> iirc, there were a bunch of bugs filed when xenial came out
[17:30] <nacc> because the config changed dramatically (again, iirc)
[17:31] <ahasenack> let me paste something
[17:31] <ahasenack> see if it rings a bell
[17:31] <ahasenack> https://pastebin.ubuntu.com/p/M2RVQdv56P/
[17:31] <ahasenack> that bit about the version, looks like not all packages were upgraded yet
[17:33] <ahasenack> there are some apparmor denied messages, but they look like the usual to me, that I have seen in other bugs already
[17:33] <nacc> ahasenack: trusty has 5.5.60
[17:33] <nacc> ahasenack: and precise as 5.5.54
[17:33] <nacc> ahasenack: i guess maybe the upgraded at some point in the past? dunno, hard to say
[17:34] <nacc> i *think* that's the postinst from mysql-server?
[17:34] <nacc> ahasenack: which implies that it didn't stop the old one?
[17:34] <nacc> stop/remove
[17:34] <tomreyn> 5.5 to 5.7 involves innodb + utf-8 collation by default (for new DBs), and strict mode on by default, IIRC.
[17:35] <ahasenack> yeah, something like that
[17:35] <nacc> ahasenack: it feels faimilar, but i'm not 100%, i tihnk you'd need rbasak
[17:38] <rbasak> I've not seen that before
[17:39] <rbasak> The postinst is running mysql_upgrade as expected, but the server daemon appears not to have restarted
[17:40] <rbasak> "start: Job is already running: mysql"
[17:40] <rbasak> Did it fail to stop previously?
[17:41] <rbasak> Need reproduction steps I think. Given I've not seen it before, I'd want to rule out user misconfiguration first.
[17:42] <nacc> ahasenack: fwiw, per publishing history of mysql-5.5, that version was superseded in trusty around april 2017
[17:42] <nacc> actually january!@
[17:42] <nacc> so i'd be likely to suspect pebkac
[17:43] <ahasenack> yeah, I got 5.5.60 when I created my test container
[17:43] <rbasak> Some customisation of the service locally perhaps, which prevents the maintainer scripts from being able to affect it.
[17:43] <ahasenack> rbasak: I don't see any messages about stopping mysql, or restarting
[17:47] <rbasak> I'd expect that to be earlier in the log
[17:47] <ahasenack> there is this, though
[17:47] <ahasenack> 180723 11:46:14 [ERROR] /usr/sbin/mysqld: Table './asterisk/freepbx_settings' is marked as crashed and should be repaired
[17:47] <ahasenack> 180723 11:46:14 [Warning] Checking table:   './asterisk/freepbx_settings'
[17:47] <rbasak> At least to see that the preinst i running, et
[17:47] <ahasenack> don't know if that was just before the upgrade, or during
[17:47] <ahasenack> https://launchpadlibrarian.net/379751877/DpkgTerminalLog.txt dpkg terminal log
[17:47] <rbasak> I think it's fine to mark as Incomplete with our standard template.
[17:48] <rbasak> If the user thinks it's a bug, they can provide reproduction steps
[17:48] <ahasenack> that's usually hard with release-upgrade bugs
[17:48] <rbasak> lxd helps with that
[17:52] <ahasenack> "Restart services during package upgrades without asking?" <-- I wonder what he answered
[17:54] <rbasak> I think that relates only to libc6. Not sure though.
[17:54] <rbasak> (as in libc6's maintainer scripts)
[17:56] <ahasenack> oops
[18:41] <v0lksman> hello all! installing apache2 on 18.04 but it seems I
[18:41] <v0lksman> 'm missing something cause php7 doesn't want to execute when hitting index.php
[18:42] <v0lksman> any hints?  seems apache2 comes pretty bare bones now and you have to manually enable all the mods
[18:43] <v0lksman> ahh poop....libapache2-mod-php...thought that was already in
[18:48] <tomreyn> neither is php only a web scripting language nor can apache httpd be only used with php (and scripting/programming language enabling modules are generally not part of the apache httpd core), so no, it's not.
[18:51] <sarnold> v0lksman: did you a2enmod php or whatever?
[18:52] <v0lksman> I was just missing the mod...thought I had already installed it
[19:09] <nacc> v0lksman: it depends on the version of ubuntu you're on, but on 18.04 it should do what you said
[19:39] <DammitJim> is there such a thing as a tomcat repo for ubuntu 18.04 ?
[19:39] <nacc> DammitJim: probalby a ppa
[19:39] <DammitJim> I've been googling but can't find one
[19:40] <DammitJim> all the tutorials I see online now use wget to download the gz
[19:42] <sarnold> if you're going to that much trouble you might as well maintain the one inthe archive :)
[19:43] <DammitJim> which trouble and what archive?
[19:43] <nacc> !info tomcat8
[19:43] <ubottu> tomcat8 (source: tomcat8): Apache Tomcat 8 - Servlet and JSP engine. In component universe, is optional. Version 8.5.30-1ubuntu1.2 (bionic), package size 43 kB, installed size 314 kB
[19:43] <DammitJim> I was looking for a ppa... and was trying to make sure I wasn't missing something since I can't find it
[19:43] <nacc> that one :)
[19:43] <nacc> archive = Ubuntu archive
[19:43] <DammitJim> oh, so there is no ppa
[19:43] <sarnold> dunno, I never looked ;)
[19:44] <sarnold> there is a package in the archive, but it's commuynity maintained
[19:44] <nacc> DammitJim: i mean there can be PPAs of archive pacakges
[19:44] <nacc> !ppa
[19:44] <ubottu> A Personal Package Archive (PPA) can provide alternate software not normally available in the offical Ubuntu repositories - Looking for a PPA? See https://launchpad.net/ubuntu/+ppas - WARNING: PPAs are unsupported third-party packages, and you use them at your own risk. See also !addppa and !ppa-purge
[19:44] <sarnold> which might mean, in practice, no one maintains it.
[19:44] <nacc> you can search there --^
[19:44] <sarnold> and if you have to build one yourself, it'd probably be less effort to maintain the one inthe archive, and let everyone benefit from your work :)
[19:46] <tomreyn> DammitJim: so why are yuo looking for a ppa? is the version in ubuntu too old / new for your needs?
[19:47] <DammitJim> actually, you guys are right... man, the mind can screw you up if you don't learn how to control it
[19:48] <DammitJim> I have been googling how to install tomcat on ubuntu 18 and all I find are tutorials to install from source
[19:48] <DammitJim> I assumed that there is no way to say: apt-get install tomcat
[19:48] <DammitJim> whoa
[19:49] <tomreyn> you can even choose from major upstream versions
[19:56] <genii> !info tomcat 9
[19:56] <ubottu> '9' is not a valid distribution: artful, artful-backports, artful-proposed, bionic, bionic-backports, bionic-proposed, cosmic, cosmic-backports, cosmic-proposed, kubuntu-backports, kubuntu-experimental, kubuntu-updates, partner, precise, precise-backports, precise-proposed, stable, testing, trusty, trusty-backports, trusty-proposed, unstable, utopic, utopic-backports, utopic-proposed, vivid, vivid-backports, vivid-proposed, wily, wily-backports, wi
[19:56] <genii> !info tomcat9
[19:56] <ubottu> Package tomcat9 does not exist in bionic
[19:57] <genii> OK so 8 and 7 still currently
[19:57] <DammitJim> I think it's 8.5
[20:02] <DammitJim> https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1712645
[20:03] <ubottu> Launchpad bug 1662654 in tomcat8 (Ubuntu) "duplicate for #1712645 Please remove resteasy (3.1.0) from zesty-proposed" [Undecided,Fix released]
[20:03] <DammitJim> weird
[20:03] <DammitJim> tomcat 8 is end of life
[20:05] <DammitJim> oh, interesting.. the package is called tomcat8, but it's acually 8.5.30
[20:21] <ScottE> Tomcat 8.0 and 8.5 are not completely compatible, either - just to make things more fun
[20:23]  * RoyK thinks tomcat and other java stuff should be left untouched
[20:41] <DammitJim> RoyK, I'm with you; however, I'm forced to touch it since our company uses it... it's truly a mess... to keep Ubuntu Version + Tomcat Version + Java Version + Grails Version compatible and supported (not EOL)
[20:45] <ScottE> If that's not all bad enough, soon to use Java in a production environment will require either using openjdk or paying oracle for a commercial license.
[20:46] <teward> state your source?
[20:49] <DammitJim> +1 teward
[20:59] <ScottE> http://www.oracle.com/technetwork/java/eol-135779.html - "Beginning with Oracle Java SE 11 (18.9 LTS), the Oracle JDK will continue to be available royalty-free for development, testing, prototyping or demonstrating purposes."
[21:01] <RoyK> DammitJim: my condolences
[21:02] <DammitJim> lol
[21:02] <DammitJim> ty