[04:45] <cpaelzer> good morning
[06:14] <lordievader> Good morning
[06:21] <cpaelzer> hi lordievader
[06:22] <lordievader> Hey cpaelzer, how are you doing?
[06:22] <cpaelzer> great, I hope you as well?
[06:22] <lordievader> Yes, doing good :)
[06:38] <boritek> hello. why is it not possible to install Ubuntu Server 18.04.1 in Virtualbox?
[06:40] <cpaelzer> boritek: it should work, what exactly is breaking for you?
[06:46] <boritek> well i have tried a simpler method now, it seems to work if installing it via virtualbox cdrom
[06:46] <boritek> it does not work though via network pxe booting
[06:46] <boritek> and pxe booting is also broken on its own, but I was able to make it boot via some APPEND kernel parameter
[07:24] <lordievader> Does it kernel panic or something with PXE?
[11:21] <CheckmateX> Hi can i add message to a blocked ip on .htaccess file ?
[11:26] <ahasenack> CheckmateX: I don't know, sorry
[11:27] <blackflow> CheckmateX: what do you mean "add message"?
[11:28] <CheckmateX> Specified message like go away and not forbidden html message
[11:28] <blackflow> well you can have a custom 403 page, yes, see "ErrorDocument" directive
[11:29] <blackflow> not sure if you can vary them per IP. You could with nginx, but I don't know if apache has the ability
[11:29] <blackflow> unless you use PHP for the 403 page and do the IP-based magick there
[11:31] <CheckmateX> blackflow echo will not work ?
[11:32] <CheckmateX> Order Deny,Allow
[11:32] <CheckmateX>  echo '<h1> blocked </h1>'
[11:33] <blackflow> from .htaccess? no
[11:34] <CheckmateX> yes
[11:34] <CheckmateX> not work echo with me
[11:34] <blackflow> so why don't you use a custom 403 page?
[11:35] <CheckmateX> because i want it easy just echo message from htaccess
[11:35] <blackflow> CheckmateX: you'll have to write a module for that then.
[11:38] <CheckmateX> blackflow ok i will try the 403 way
[11:40] <CheckmateX> blackflow should i add the path of the file or not .?
[11:40] <CheckmateX> ErrorDocument 403 /var/www/html/test.php
[11:42] <blackflow> CheckmateX: you know what? your echo question got me looking into whether there already are modules and it appears you can actually specify a custom message with ErrorDocument itself.     ErrorDocument 403 "Go away, or something!"
[11:42] <blackflow> otherwise the path is an URL that's processed as such.
[11:43] <CheckmateX> blackflow i've added the option but not working !!
[11:46] <blackflow> CheckmateX: not sure what you've added, but you can consult the documentation, see what you did wrong:  https://httpd.apache.org/docs/2.4/mod/core.html#errordocument
[12:24] <CheckmateX> blackflow
[12:25] <CheckmateX> i've blocked the ip but its still on the var/logs
[12:26] <CheckmateX> i still received high request on the logs from that ip
[12:29] <CheckmateX> now i need to stop logs from that ip :/
[12:29] <lordievader> You've blocked the ip? How? Apache's 403 is not a block.
[12:30] <lordievader> To block connection from that source you need to instruct your firewall to drop or reject the traffic from there.
[12:36] <CheckmateX> lordievader you mean the option i do if htaccess deny ip not working ?
[12:37] <lordievader> Yes. That denies them to see the actual content (which could lower cpu load, not having to run php code for example), but apache still serves them something (the 403 page).
[12:37] <blackflow> CheckmateX: if you have high traffic from an IP and block it anyway with deny from, then yes dropping the traffic at the firewall level is your best choice, but then they won't see your message
[12:37] <blackflow> CheckmateX: or put nginx in front of apache
[12:37] <CheckmateX> lordievader you're right i checked the ufw status  Status: inactive
[12:38] <CheckmateX> how thats possible inactive!!
[12:38] <CheckmateX> anything wrong ?
[12:39] <blackflow> sounds like you didn't configure it. it's not enabled by default, it can't read your mind.
[12:41] <CheckmateX> blackflow i've enable it right now its ok but i can see the logs from that ip
[12:42] <blackflow> CheckmateX: then you didn't configure it
[12:44] <CheckmateX> its already configured i just enable it right now
[12:44] <CheckmateX> status [ 1] Anywhere                   DENY IN
[12:44] <CheckmateX> its say the ip denied and i still receive var/logs
[12:45] <blackflow> CheckmateX: I'm guessing because it's allowing established and related flows. it should deny new connections from that IP
[12:45] <CheckmateX> i've denied all connection sudo ufw deny from
[12:45] <CheckmateX> i'm using cloudflare by the way
[12:47] <blackflow> CheckmateX: then it won't work as you think it would. if you use CF then the src IP is cloudflare's
[12:49] <CheckmateX> blackflow yeah cloudflare was blocked that ip i cannot see any logs now
[12:56] <rbasak> ahasenack: opinion on bug 1770532 please?
[12:56] <rbasak> Looks like Debian haven't patched either, but I haven't looked thoroughly
[12:57] <ahasenack> I don't know how this works, I was hoping upstream would do something
[12:58] <ahasenack> can we use the mailing list thread as basis to accept the change?
[12:58] <rbasak> Yes. We don't need upstream acknowledgement. We strongly prefer to, but it's not a hard requirement.
[12:58] <rbasak> But patching ourselves alone is a judgement call because then we're on the hook to maintain it.
[12:59] <rbasak> Which can be difficult in the future if upstream does something that will cause us to change user behaviour if we drop our patch, for example.
[12:59] <CheckmateX> blackflow shit even with cloudflare i still see that ip on the firewall of cloudflare
[12:59] <ahasenack> rbasak: yes, I know nothing about DKIM and the perl code in amavisd-new
[13:00] <blackflow> CheckmateX: well then that's CF's problem, not Ubuntu, right? :)
[13:00] <rbasak> ahasenack: yeah that's the hard part :-/
[13:00] <ahasenack> rbasak: maybe if #is uses it they could take a look? I doubt they use it, though
[13:00] <ahasenack> and it's in main :/
[13:01] <blackflow> what's amavis doing dkim signing anyway?
[13:01] <ahasenack> if upstream is gone, is that basis for demoting amavisd-new?
[13:01] <ahasenack> blackflow: maybe checking?
[13:01] <ahasenack> ah no, it says signing
[13:01] <rbasak> It's definitely a basis for questioning its continued presence in main.
[13:01] <CheckmateX> blackflow it was blocked but i still see logs even with cloudflare
[13:02] <sdeziel> ahasenack: I use amavisd-new for both signing and checking
[13:02] <blackflow> CheckmateX: check which IP you're blocking. with CF in the equation, the src IP on the packets, and those logged by apache -- if you use cloudflare mod or something other trusting and logging x-forwarded-for -- will be different.
[13:02] <sdeziel> ahasenack: on Trusty though :(
[13:03] <blackflow> amavis upstream gone, that's not good. it's the only viable middleware for post-content filtering with different sub-daemons.
[13:03] <ahasenack> sdeziel: so you just need to upgrade to xenial, then bionic, and then tell us if the patch in the bug works? :)
[13:03] <blackflow> s/post-content/post-queue/
[13:03] <CheckmateX> i think i will try the option of CF i'm under attack
[13:04] <CheckmateX> blackflow the problem on the logs cannot stop that ip on the logs keep saving
[13:04] <rbasak> ahasenack: well, one of the reporters/patch authors has already told us that the patch works :)
[13:04] <sdeziel> ahasenack: will get there eventually but I wanted to confirm it does both signing and verifying
[13:04] <blackflow> CheckmateX: well like I said, with CF the IPs are different
[13:05] <rbasak> sdeziel: apparently it doesn't do DKIM signing :-P
[13:05] <blackflow> CheckmateX: so be sure to understand what is logged exactly and what you're blocking. Are you blocking CF or end user, and do you have x-forwarded-for or something other logged, rather than packet src IP.
[13:09] <sdeziel> rbasak: that's a bad regression... renders amavisd-new almost useless for us
[13:09] <CheckmateX> yes i have a search.php page they use some POST codes to search fast
[13:10] <CheckmateX> i think i will go with google captcha if they search fast 10 time request to enter the captcha
[13:10] <CheckmateX> disturbing me
[13:11] <rbasak> sdeziel: it'd be great to get some of your help in fixing this in Bionic. I think part of the issue here is that most of us aren't familiar with amavisd-new in the detail we think we need :-/
[13:12] <ahasenack> rbasak: we could start with a debian bug
[13:12] <rbasak> ahasenack: sure. But I'm reluctant to block on a reply since we've been handed an apparently working patch.
[13:13] <ahasenack> we could accept it, but be more rigorous with the testing period
[13:13] <ahasenack> require two people to confirm it's working and has no regressions
[13:13] <ahasenack> thinking in terms of the sru
[13:13] <CheckmateX> blackflow i dont know what to do i want keep the search as easy way possible
[13:13] <sdeziel> ahasenack: I just added https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882324 to the bug
[13:13] <ahasenack> sdeziel: is that the same issue?
[13:14] <ahasenack> ah
[13:14] <sdeziel> yes
[13:14] <ahasenack> rbasak: fedora seems to be using it
[13:15] <rbasak> Exactly the same patch?
[13:15] <rbasak> I was under the impression that there were three available :-/
[13:15] <ahasenack> didn't check. There seem to be two versions
[13:17] <CheckmateX> blackflow until now one option work with CF "i'm under attack" option
[13:23] <rbasak> rharper: may I have some help triaging bug 1761573 please? Is this the same issue or a new one?
[13:41] <Ussat> has the update path from 16.X --> 18.X been enabled ?
[13:51] <ahasenack> I think not, I had to use -d earlier today
[13:51] <ahasenack> Ussat: ^
[13:52] <boxrick> Any reason this doesn't work? 'mount --bind /dev/null /tmp/null' ---- mount: mount point /tmp/null does not exist
[13:54] <Ussat> OK, thanks
[13:54] <Ussat> Not in a huge hurry, and I did use -d earlier last week and was fine
[13:54] <ahasenack> boxrick: /dev/null is not a directory. You can create another null in /tmp if you want, no need to bind mount it
[13:55] <boxrick> mknod isn't available in this case since it's an unprivileged container
[13:55] <boxrick> I was trying to find an alternative.
[13:55] <ahasenack> you can try cp -a /dev/null /tmp
[13:55] <ahasenack> but if /tmp doesn't allow devices, you will get a permission denied error
[13:56] <sdeziel> boxrick: did you "touch /tmp/null" first?
[13:57] <boxrick> Nope
[13:57] <boxrick> Oh that was easy
[13:58] <boxrick> I thought I tried that before, clearly not
[14:00] <boxrick> Thanks sdeziel
[14:00] <sdeziel> np
[14:03] <ahasenack> cpaelzer: have you seen this in ppc64el builds?
[14:03] <ahasenack> cc1plus: error: unrecognized command line option ‘-Wno-deprecated-register’ [-Werror]
[14:11] <rharper> rbasak: sure
[14:13]  * ahasenack scratches head
[14:13] <ahasenack> ubuntu@cosmic-squid4:~$ g++ hello.cpp -o hello -Wno-deprecated-register
[14:13] <ahasenack> ubuntu@cosmic-squid4:~$ echo $?
[14:13] <ahasenack> 0
[14:13] <ahasenack> I guess I have to try on a real ppc64el
[14:17] <cpaelzer> ahasenack: not seen yet
[14:18] <cpaelzer> ahasenack: do you have access or should I try quickly?
[14:18] <ahasenack> I have
[14:18] <cpaelzer> ok
[14:18] <ahasenack> it's super odd, previous lines in the build show that flag being used and working, then all of a sudden it fails. make -j is being used, but just -j4, and many many other g++ lines worked
[14:18] <ahasenack> will know in a minute
[14:23] <ahasenack> trying an actual build, since g++ in the command line worked just fine compiling a hello-world.cpp sample
[14:25] <cpaelzer> ahasenack: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-06-compile-errors-on-Ubuntu-12-04-td4676098.html
[14:25] <cpaelzer> but your compiler should be rather new
[14:25] <ahasenack> yeah :)
[14:25] <ahasenack> it's also a known issue in the faq, but for old compilers
[14:25] <ahasenack> and it built on all other arches, except ppc64el
[14:26] <ahasenack> https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3351/+packages
[14:27] <ahasenack> reproduced
[14:28] <ahasenack> waaaat
[14:29] <ahasenack> I think the problem is something else, the message is just misleading
[14:40] <cpaelzer> ahasenack: you reproduced it
[14:41] <cpaelzer> including the "working at first and then later breaking" ?
[14:41] <ahasenack> yes in the build
[14:41] <ahasenack> but if I copy the command line, and run again, it works
[14:41] <cpaelzer> can you sneak in an env call
[14:41] <cpaelzer> so you see what is set for the compiler?
[14:41] <ahasenack> I think the real error trigger is a bit up in the logs, where it complains about a variable that may be used uninitialized
[14:42] <ahasenack> maybe
[14:42] <ahasenack> trying a build without the parallelism enabled now
[14:42] <ahasenack> but it could really be just a different code path taken in the ppc64el arch, as I don't see that warning in the non-ppc builds
[14:42] <ahasenack> i'm talking about this one:
[14:43] <ahasenack> https://pastebin.ubuntu.com/p/HNC2Z2Yk9F/ <-- the tval warning that is being treated as an error
[14:46] <ahasenack> https://pastebin.ubuntu.com/p/JDVw8zFt6T/ I can probably fix that by just initializing tval with NULL, as parseTimeLine(&tval,...) stores a value there anyway
[17:03] <ahasenack> cpaelzer: rbasak: man
[17:03] <ahasenack> -O2/-O3 is the difference
[17:04] <ahasenack> https://gist.github.com/panlinux/4716e167c2e06612b28be4b9f8f2b52b just adding -O3 or -O2 at the end of that command line, which overrides any previous -On
[17:04] <ahasenack> first one, with -O2, worked
[17:04] <ahasenack> second one, huge error
[17:05] <ahasenack> -O3 seems to be enabling some -W options
[17:05] <ahasenack> the manpage doesn't mention that next to -O3
[17:22] <hallyn> stgraber: is landscape supposed to be integrated with snappy?
[17:23] <stgraber> hallyn: I don't believe there's any snap support in Landscape at this point, some kind of integration between Landscape and the snap enterprise proxy would be nice though
[17:24] <hallyn> wtf is "the snap enterprise proxy" :)
[17:24] <hallyn> forget i asked :)
[17:24] <hallyn> thanks.  so you'd recommend that casual users of landscape slowly migrate back to unattended-upgrades or ansible or something?
[17:28] <stgraber> Landscape is still good to manage your debs, apply updates, ... with snaps it doesn't get quite that much control and unless you're running an enterprise proxy, nothing really has that much control
[17:28] <stgraber> I suppose it could at least support installing and removing snaps, not sure if that's on the roadmap at this point
[17:28] <stgraber> dpb1 might know (I'd have pinged simpoir but he's not in this channel)
[17:35] <dpb1> hallyn: snappy integration will be coming in landscape but is still just in the planning stages, nothing official to announce.
[17:36] <hallyn> dpb1: "coming" as in "perhaps during 2018", or coming as in "we'll put it in plan one day for sure" ?
[17:36] <hallyn> fwiw the only reason i care about snaps is for lxd :)
[17:36] <hallyn> and i don't really want bleeding edge there usually so no urgency even there.  i'm just curious.
[17:39] <dpb1> hallyn: 'tracks' are really the thing you have there, which stgraber knows about.
[17:39] <dpb1> hallyn: and.  the enterprise snap proxy, but it's a commercial offering (as will be the landscape thing).
[17:39] <dpb1> tl;dr: fine-grained control of update frequency and pinning to specific revision numbers is an enterprise feature.
[17:40] <dpb1> hallyn: as for when it will be coming in landscape -- I don't know.
[17:42] <hallyn> thanks dpb1 :)
[18:03] <Delvien> Not sure if this is the right place to ask this... I'm running xfs formatting on an NVME drive, and when I do an xfs_repair /dev/nvme1n1 I get "Phase 1 - find and verify superblock...
[18:03] <Delvien> bad primary superblock - bad magic number !!!
[18:05] <tomreyn> and your question about this is?
[18:06] <Delvien> How to fix it? Or tell if the drive is bad?
[18:06] <ahasenack> Delvien: shouldn't the device be something like /dev/nvme1n1p1?
[18:06] <ahasenack> with a "pN" at the end, indicating the partition?
[18:07] <ahasenack> Delvien: for example, this is what I have: https://pastebin.ubuntu.com/p/Wy5rbpysHm/
[18:08] <Delvien> I have two nvme on board with this mobo
[18:08] <ahasenack> so?
[18:08] <Delvien> so thats what they were assigned as.
[18:08] <ahasenack> nvme0 and nvme1
[18:08] <ahasenack> n1 is the namespace
[18:08] <ahasenack> and p1 is first partition
[18:08] <ahasenack> and so on
[18:09] <ahasenack> nvme1n1 is the equivalent of a "full disk", like sda
[18:09] <ahasenack> nvme1n1p1 would be sda1 in this example
[18:09] <ahasenack> and so on
[18:11] <Delvien> alright, so
[18:11] <Delvien> xfs_repair /dev/nvme1n1p1  spits out the same thing.
[18:11] <ahasenack> did you format /dev/nvme1n1p1?
[18:11] <Delvien> yes
[18:11] <ahasenack> you have to use the same name for format and verification
[18:12] <RoyK> Delvien: pastebin output of lsblk, please
[18:14] <sarnold> is there a reason why you have seven partitions on that device?
[18:14] <ahasenack> me?
[18:15] <sarnold> ahasenack: oh :) hah
[18:15] <Delvien> Seems formatting a 6th time did the trick.. Holy craperoni
[18:16] <sarnold> ahasenack: actually now I am kind of curious :) what do you do with seven partitions on an nvme? :)
[18:16] <ahasenack> windows is still there, then I have /boot, /boot/efi, swap and one for linux (crypt)
[18:16] <sarnold> aha!
[18:17] <sarnold> I've got slog on one partition and l2arc on a second partition, and even that feels a bit silly (I should probably just remove the slog, I don't think it ever gets any use)
[18:17] <ahasenack> I did an experiment in another laptop and there I can actually have /boot encrypted (no uefi boot there)
[18:17] <ahasenack> but grub takes about 30s to unlock the luks key
[18:17] <ahasenack> oh, and /boot is on zfs as well
[18:18] <ahasenack> I didn't want to try that on this laptop just yet. That one is my testbed
[18:18] <ahasenack> this one isn't :)
[18:18] <sarnold> ooh /boot on zfs?
[18:18] <sarnold> nice
[18:18] <sarnold> I'm too lazy to even try
[18:18] <ahasenack> it spews out some warnings about unknown compression algorithms and such, but works in the end
[19:38] <tomreyn> teward: i'm a happy user of your ZNC PPA. is there a chance you'll do new builds to handle the CVEs discussed in https://wiki.znc.in/ChangeLog/1.7.1 - or do you have no motivating factor there on your own currently?
[19:51] <tomreyn> sorry, i didnt realize you have a bug tracker for those. :)
[21:03] <jonfatino> anyone know how to launch ubuntu installer over ssh (in a livecd)
[21:03] <jonfatino> like setup or install.bla   with kickstart.conf
[21:03] <jonfatino> and no I don't want to netboot and pass kernel parms.
[21:06] <tomreyn> jonfatino: i haven't done it for a long time, but you should be able to start the alternative server installer, wait until it's booted to the installer, then press escape and find an option for ssh there.
[21:07] <tomreyn> there may also be a kernel option for this you can pass. the only way to fully automate bringing up the ssh server would be with a preseed file or netboot, i guess.
[21:08] <tomreyn> also please dont cross post
[23:04] <arooni> so my ssh user doesnt always have access to ls directories like /etc/letsencrypt/live ;; how can i do a one off ls in this case
[23:07] <sarnold> if you can't execute ls for some reason but you do have a shell, you can use 'echo *' kind of thing to see files and directories, if the read and execute permissions on the directory allow you
[23:07] <sarnold> try echo /etc/letsencrypt/live/*