mike802 | hi all, i'm new to ubuntu server. i'm currently stuck trying to install my lamp stack. i installed apache2 with a vhost and ssl, then tried to install the moinmoin wiki with very frustrating results | 00:40 |
---|---|---|
blackflow | mike802: any specific problem? | 00:41 |
=== markthomas_ is now known as markthomas | ||
mike802 | just a 404 not found | 00:49 |
mike802 | the default apache2 page shows up (with ssl) on the root | 00:49 |
mike802 | and, i put a test html in my vhost which works | 00:50 |
sarnold | do you need to a2enable a module or two to make the wiki work? | 00:50 |
sarnold | are there more detailed errors in the apache logs? | 00:50 |
mike802 | :/ | 00:50 |
mike802 | i was just going by the ubuntu server documentation | 00:51 |
mike802 | they only mention a2enable for actual apache2 stuff | 00:51 |
mike802 | and no mention of logs.... | 00:51 |
sarnold | logs should be /var/log/apache*/ | 00:51 |
mike802 | first log says server certificate does NOT include an ID which matches the server name | 00:58 |
jak2000 | */1 * * * * root /home/scripts/reboot.sh <--- this command run every minute? | 03:12 |
whislock | Yes, but that's awfully frequent for a cronjob. Why? | 03:14 |
jak2000 | my question is, is hard for server check every minute? | 03:15 |
jak2000 | My question is, is not it very hard for the server to be checking every minute? Does not saturate the server? | 03:16 |
nacc | no, once a minute is nothing | 03:16 |
nacc | jak2000: what is your *actual* question | 03:16 |
jak2000 | if saturate the server... | 03:18 |
whislock | What is that script doing is a better question. | 03:19 |
jak2000 | i am try follow: https://stackoverflow.com/questions/5226728/how-to-shutdown-ubuntu-with-exec-php/45775280 | 03:29 |
jak2000 | first answer, i am on a local network | 03:29 |
whislock | Doesn't matter, this is a horrible idea. | 03:29 |
jak2000 | why? | 03:31 |
jak2000 | i need create a page for restart server, for restar a system, etc. | 03:31 |
whislock | It's called SSH. Use it. | 03:32 |
jak2000 | any better idea? | 03:32 |
* whislock sighs. | 03:32 | |
kzisme | Hi all - recently installed a fresh copy of 16.04 I can login just fine on one machine, but I cannot ping the server when I switch the drive to my other machine (I can login just fine and such) | 03:34 |
jak2000 | any better idea? | 03:34 |
whislock | jak2000: Use SSH. It supports strong authentication. | 03:34 |
jak2000 | php + ssh? | 03:35 |
whislock | ... No. Just SSH. | 03:35 |
whislock | Stop trying to use PHP for this. | 03:35 |
jak2000 | ok... | 03:35 |
jak2000 | other question | 03:35 |
kzisme | On Desktop 1 I can ping/ssh just fine on Desktop 2 I cannot ping it or ssh to it | 03:35 |
kzisme | both are on LAN | 03:35 |
whislock | Seriously, I wouldn't trust PHP to serve a lunch menu securely, let alone as a gateway for system-level functions. | 03:35 |
jak2000 | i can program crontab for every sunday at 11pm restart the server. but after restarted i need execute a command how to do? | 03:36 |
whislock | Depends on the command and its complexity. | 03:36 |
whislock | And what version of Ubuntu you're running. | 03:36 |
kzisme | Who me whislock ? 16.04 LTS | 03:41 |
whislock | kzisme: No, sorry. Was talking to jak2000. | 03:45 |
kzisme | Ah sry | 03:45 |
cpaelzer | good morning | 04:58 |
lordievader | Good morning | 06:12 |
cadogan | Hello, I am trying to solve problem with authentication using kerberos. So we have Firewall on our network which uses kerberos. When I try to do "sudo apt update" i get Err:1 http://XXXXXXX:XXXX/browser_challenge.php?vsys=2&rule=35&url=http://security.ubuntu.com/ubuntu xenial-security InRelease . is there way to authenticate towards kerberos without using browsers challange? | 08:48 |
cadogan | I am new to using kerberos, so just pointing to right direction would be helpful :) | 08:50 |
=== miguel is now known as Guest58415 | ||
jamespage | tobias-urdin: no - its been split out of neutron I think - https://github.com/openstack/neutron-tempest-plugin | 09:12 |
jamespage | and no package so no provision via distro for that now | 09:12 |
tobias-urdin | jamespage: yeah tried finding a package for it, but there is none in ubuntu? | 09:25 |
jamespage | no | 09:25 |
tobias-urdin | weird, wonder where i get neutron-lbaas, neutron-vpnaas and neutron-dynamic-routing plugins on ubuntu hm | 09:25 |
tobias-urdin | since those depend on the neutron tempest plugin, they fail | 09:25 |
jamespage | tobias-urdin: I suspect those install from the parent project still | 09:27 |
jamespage | rather than being split out | 09:27 |
jamespage | but depend on the now split out neutron-tempest-plugin project | 09:27 |
tobias-urdin | hm so pretty much <python package>/neutron_lbaas/tests/tempest something like that which tempest then loads and fails because neutron tempest is not available | 09:28 |
jamespage | yup | 09:29 |
boritek | hello | 09:35 |
boritek | i am trying to commission a dell server in maas but it says no rack controllers can access the BMC node | 09:36 |
boritek | i tried to setup an IPMI for that | 09:48 |
boritek | the IP address also should be for the BMC there right as well as the power mac | 09:48 |
boritek | I do not get why it cannot reach it | 09:49 |
boritek | what is the best way to configure a dell power edge 630? | 10:02 |
boritek | is it not ipmi? | 10:02 |
boritek | i mean the way to configure it for maas | 10:03 |
tobias-urdin | jamespage: any plans on packaging the tempest plugins that has been moved out of project repo trees? | 11:17 |
jamespage | boritek: the MAAS rack controller must be able to container the IPMI network address for the servers | 11:17 |
jamespage | tobias-urdin: tbh no not really | 11:17 |
jamespage | tobias-urdin: afaik the puppet modules project is the only group making use of them | 11:17 |
jamespage | tobias-urdin: for all of our tempest testing we make use of venvs and install from source | 11:17 |
tobias-urdin | jamespage: ok, i will investigate if we can do that way as well for ubuntu atleast | 11:18 |
jamespage | tobias-urdin: they got package originally as a side effect of being in=tree for existnig packaged projects | 11:19 |
jamespage | it was never really intentional IMHO | 11:19 |
tobias-urdin | ok, i c | 11:20 |
jamespage | cpaelzer: thanks for the update on that bug | 11:47 |
cpaelzer | jamespage: was that what you wanted to ask about? | 11:53 |
cpaelzer | I set Friday as a deadline for the upload to make sure I get yours fixed at soem point | 11:54 |
cpaelzer | but review of the MP is slow (as it is huge) | 11:54 |
cpaelzer | jamespage: let me know if you want to volunteer (someone else) to review the libvirt MP :-) | 11:54 |
jamespage | cpaelzer: it was | 12:21 |
ahasenack | cpaelzer: does bileto also test if the new packages are installable with dependencies from the archive? Like migration/excuses? | 12:29 |
ahasenack | or is it just build + dep8? | 12:29 |
mike-zal | I have a serious problem: after adding cache to site and adding it to cloudflare, my systems stop respoding to hosfile, meaning I forward domain to other server (developer version) but browser still opens it from the production server | 12:36 |
mike-zal | cache on wordpress shouldn't trigger that effect so I'm leaning toward cloudflare making this issue | 12:37 |
mike-zal | any idea how to work around it? using hostfile is a very useful thing when working on a site so without it, my options are limited | 12:38 |
ahasenack | rbasak: are you around? Could you please click on the "lander signoff" dropdown menu at https://bileto.ubuntu.com/#/ticket/3351 so bileto can start the dep8 tests for the squid packages from the test ppa? | 12:40 |
rbasak | ahasenack: done | 12:47 |
ahasenack | thanks | 12:47 |
cpaelzer | ahasenack: no installation test | 12:52 |
ahasenack | ok | 12:52 |
teward | sdeziel: given that your suggestion on #1782226 SEGVs in recent Ubuntu to remove the header from `ss`, and `-H` doesn't exist as a valid flag in older Ubuntu releases such as Xenial, unless you have a way to strip the header out in a way that doesn't provide the requirement of additional dependencies, I'm not sure if there's a way to skip using lsof (I commented with some details about how the current detection works - and it works well) | 13:56 |
teward | (or rather, the current detection in that proposed package in that PPA | 13:56 |
sdeziel | teward: how about "ss -nto state listening 'sport = 80' | grep -v ^Recv-Q" | 13:58 |
teward | that might work | 13:58 |
sdeziel | teward: or "ss -nlt 'sport = 80' | grep -v ^State" | 13:58 |
teward | both would work for Xenial, and so long as it doesn't output data if the port isn't in use that should be fine | 13:59 |
sdeziel | yup, no output when nothing listens | 14:00 |
sdeziel | tested on both Xenial and Bionic | 14:00 |
teward | indeed. now let's just hope that `ss` in Cosmic doesn't randomly start segfaulting heh | 14:01 |
teward | (I'm also not awake yet, or i'd have tried the greps. alas i'm still waking up >.>) | 14:01 |
sdeziel | the ss segfault was reported to LP: #1787396 | 14:02 |
ubottu | Launchpad bug 1787396 in iproute2 (Ubuntu) "ss crashes when using --no-header" [Undecided,New] https://launchpad.net/bugs/1787396 | 14:02 |
sdeziel | I'll check with a cosmic container | 14:02 |
teward | the next question is whether we're confident `ss` will always be present in Ubuntu, is there any case where `iproute2` is not installed in an ubuntu system? | 14:03 |
sdeziel | teward: I'd add a "Depends: iproute2". | 14:08 |
sdeziel | but I think that most install will already have this dep installed as ubuntu-minimal pulls it in | 14:08 |
teward | we'd have to do the same for `lsof` if we use that either. Both ways work, though I just pushed another version to the PPA that uses 'ss', and didn't add the depends yet (oops? guess ~lp1782226.8 will have the Depends then) | 14:09 |
teward | sdeziel: yeah that was my main concern | 14:09 |
teward | since there's quite a few people recently posting on Ask Ubuntu using ubuntu-minimal instead of the full server install | 14:09 |
teward | so long as the smallest Ubuntu includes `iproute2` that's fine, though I'll add it as a depends before getting this into Cosmic. | 14:09 |
sdeziel | great, thanks! | 14:10 |
teward | roaksoax: ccing you to ^ since you were also testing. Assuming this works, then this is a candidate to be added to Cosmic, and then we can work on the SRU bits. (I'll be glad when people stop filing bugs just because they have something else listening on Port 80 already and try to install NGINX...) | 14:14 |
teward | ~lp1782226.8 pushed up to that PPA, now we let it build :P | 14:15 |
blackflow | sdeziel: I just replicated with --no-header and a filter with no mathces. eg. ss --no-header 'dport = 123456' => segfault | 14:21 |
sdeziel | blackflow: thanks, the LP was also confirmed by others (you?) | 14:21 |
blackflow | yah | 14:22 |
blackflow | kinda makes sense. no header + no output + something_something = segfault | 14:23 |
dpb1 | rbasak: we are trying to have standup early, can you make it? | 14:44 |
ahasenack | kstenerud: so have you cloned a package repo with git ubuntu yet? | 16:45 |
kstenerud | test | 16:49 |
kstenerud | cool | 16:49 |
ahasenack | hi | 16:49 |
kstenerud | ok, so I have git ubuntu installed | 16:50 |
ahasenack | ok | 16:50 |
ahasenack | try cloning a package | 16:50 |
ahasenack | git ubuntu clone <sourcepackagename> | 16:50 |
ahasenack | postfix, or strongswan | 16:50 |
ahasenack | or both | 16:50 |
ahasenack | it may prompt you to configure ~/.gitconfig | 16:50 |
kstenerud | fatal: could not read Username for 'https://git.launchpad.net': terminal prompts disabled | 16:51 |
ahasenack | add a [gitubuntu] section to ~/.gitconfig | 16:52 |
ahasenack | here is mine | 16:52 |
ahasenack | [gitubuntu] | 16:52 |
ahasenack | lpuser = ahasenack | 16:52 |
kstenerud | already there | 16:52 |
kstenerud | lpuser = kstenerud | 16:52 |
ahasenack | did it download stuff before that message? | 16:52 |
kstenerud | yeah | 16:52 |
ahasenack | ah, ok, then it's just because you haven't pushed anything yet | 16:52 |
nacc | the fatal message is nothing | 16:52 |
nacc | well, it's a known issue | 16:52 |
nacc | one sec, let me find the bug | 16:53 |
nacc | it has no impact | 16:53 |
ahasenack | kstenerud: do you also have a [user] section with full name and email? | 16:53 |
kstenerud | yup | 16:53 |
ahasenack | canonical email? | 16:53 |
kstenerud | ah, no it's my gmail account | 16:54 |
nacc | LP: #1761821 | 16:54 |
ubottu | Launchpad bug 1761821 in usd-importer "fatal: could not read Username for 'https://git.launchpad.net': terminal prompts disabled" [Undecided,New] https://launchpad.net/bugs/1761821 | 16:54 |
nacc | the user seciton shouldn't matter to git-ubuntu, fwiw | 16:54 |
kstenerud | hmm so that means I'll have to switch accounts in .gitconfig when managing my github stuff? | 16:54 |
nacc | sorry, what's the symptom here? | 16:55 |
ahasenack | I don't know how that can be controlled | 16:55 |
ahasenack | nacc: nothing, I was just going over my ~/.gitconfig | 16:55 |
nacc | ahasenack: ah ok :) | 16:55 |
ahasenack | to get him started | 16:55 |
nacc | no, you don't need per-remote git user | 16:55 |
nacc | kstenerud: were you able to clone with git-ubuntu? | 16:55 |
kstenerud | yup it did clone | 16:56 |
ahasenack | kstenerud: ok, go over this blog post now: https://blog.ubuntu.com/2017/08/09/git-ubuntu-clone | 16:56 |
nacc | kstenerud: the only thing i can imagine you running into, which has not much to do with git-ubuntu itself, is who you want to commit as when using the git-ubuntu repositories | 16:56 |
nacc | the email should match your lp email | 16:56 |
nacc | (afaik, so that lp will do the right linkage) | 16:56 |
ahasenack | that sounds important :) | 16:56 |
ahasenack | kstenerud: what I would like you to know is the different branches that are available for the packages | 17:00 |
ahasenack | kstenerud: i.e., pkg/ubuntu/devel meaning the current ubuntu development package | 17:00 |
ahasenack | pkg/ubuntu/xenial-devel being the current xenial package | 17:01 |
ahasenack | and so on | 17:01 |
ahasenack | and the several tags for package versions, representing each package version as it was imported at that version | 17:01 |
kstenerud | there are 233 branches for postfix | 17:01 |
kstenerud | under applied | 17:02 |
ahasenack | applied means the branch has the patches from debian/patches applied | 17:02 |
ahasenack | we tend to work with the ubuntu/ ones, which have the patches unapplied | 17:03 |
nacc | kstenerud: each applied/ubuntu branch has the corresponding ubuntu/ branch as an ancestro (it's the result of doing `quilt push` iteratively on the unapplied until no patches are left to apply) | 17:04 |
ahasenack | kstenerud: you can ignore applied/ for now | 17:05 |
kstenerud | ok | 17:05 |
nacc | kstenerud: it's mostly an implementation detail for you :) | 17:05 |
ahasenack | kstenerud: so to fix https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1753470, we want to inspect pkg/ubuntu/devel (git-ubuntu should have landed you in ubuntu/devel after the clone) | 17:06 |
ubottu | Launchpad bug 1753470 in postfix (Ubuntu Bionic) "Postconf segfaults every 5 minutes" [Low,Triaged] | 17:06 |
ahasenack | to see what the fix was | 17:07 |
ahasenack | and then we want that fix in bionic, so for bionic you could create a local branch based on pkg/ubuntu/bionic-devel | 17:07 |
teward | sdeziel: i just got around to testing the ss-powered packages for that NGINX bug, and it seems to work. Feel free to test if you want. I intend to wait until I hear anything bad about it, or confirmation that it works as intended before I start prepping for its inclusion in Cosmic | 17:08 |
teward | roaksoax: anything to note about the daemon-only NGINX package as well? | 17:08 |
teward | since i'm gearing up to patch things and then push to Cosmic | 17:08 |
sdeziel | teward: alright, I'll give it a try and report in the bug | 17:09 |
teward | yep no rush | 17:09 |
kstenerud | ahasenack: ok so: git checkout -b pkg/ubuntu/bionic-devel remotes/pkg/ubuntu/bionic-devel | 17:10 |
ahasenack | I suggest: | 17:10 |
teward | sdeziel: because i won't be getting around to pushing it out until, what, Saturday? (tomorrow's a day filled with busy busy work and meetings, while the rest of today is network maintenance on site here and I'll be busy reconfiguring switches heh) | 17:10 |
ahasenack | git checkout -b bionic-postconf-segfault-1753470 pkg/ubuntu/bionic-devel | 17:10 |
ahasenack | how you name it is up to you, of course. As a matter of preference, I like to include the ubuntu release, package/issue and bug number | 17:10 |
rbasak | I have my ~/.gitconfig configured to personal email, and try to remember to change it to my Canonical email when doing stuff sponsored by Canonical (ie. when I'm "at work") | 17:11 |
ahasenack | because I tend to acumulate a lot | 17:11 |
* sdeziel is happy to watch the git-ubuntu walk-through! | 17:11 | |
ahasenack | sdeziel: \o/ | 17:11 |
ahasenack | kstenerud: git-ubuntu should have set up a default remote of "pkg" | 17:12 |
kstenerud | ok I have my local branch | 17:14 |
ahasenack | cosmic or bionic? | 17:18 |
ahasenack | create both | 17:18 |
kstenerud | ok done | 17:19 |
ahasenack | switch to the cosmic one, and take a look at git log | 17:19 |
ahasenack | I suggest this in ~/.gitconfig | 17:19 |
ahasenack | [log] | 17:19 |
ahasenack | decorate = short | 17:19 |
sdeziel | no need to have the local cosmic branch. On the bionic branch: git log -p -b pkg/ubuntu/cosmic-devel | 17:21 |
ahasenack | works too | 17:21 |
sdeziel | this save the branch switching | 17:21 |
sdeziel | (just found out about -b) | 17:21 |
ahasenack | what is -b for? | 17:22 |
nacc | i don't thjink you need -b | 17:22 |
nacc | git-log should understand the argument as ref, which the remote-tracking branch is | 17:22 |
sdeziel | nacc: you are right | 17:22 |
nacc | techincally, you never need to switch branches with git anymore :) | 17:23 |
nacc | use working trees and go crazy | 17:23 |
kstenerud | nifty! | 17:23 |
ahasenack | kstenerud: ok, so the cosmic log | 17:24 |
kstenerud | last entry is from git-ubuntu import | 17:24 |
sdeziel | -b was not even unneeded, it was wrong as it changes how diffs are displayed | 17:24 |
ahasenack | kstenerud: ah, another command for you: rmadison | 17:24 |
ahasenack | kstenerud: that will show you the current versions of a package in each release | 17:25 |
nacc | sdeziel: yeah, i was looking in the manpage for what it does, as i've never used it :) | 17:25 |
ahasenack | kstenerud: anyway, the tip of cosmic, shows the import of 3.3.0-1ubuntu1 | 17:25 |
ahasenack | and all the accompaining tags | 17:25 |
ahasenack | and branches | 17:25 |
ahasenack | ag: pkg/import/3.3.0-1ubuntu1, tag: import/3.3.0-1ubuntu1, pkg/ubuntu/devel, pkg/ubuntu/cosmic-proposed, pkg/ubuntu/cosmic-devel, pkg/ubuntu/cosmic, ubuntu/devel | 17:25 |
ahasenack | a bit down you will see the previous cosmic package | 17:25 |
ahasenack | pkg/import/3.3.0-1, | 17:25 |
ahasenack | between the two, two commits from me | 17:26 |
ahasenack | one with the fix | 17:26 |
ahasenack | another one saying "changelog" | 17:26 |
ahasenack | if you do git log -p you will see what was done in each | 17:26 |
ahasenack | our standard workflow is to commit a change, then commit the corresponding debian/changelog entry | 17:26 |
ahasenack | using the same as the commit message | 17:26 |
kstenerud | so in the changelog commit your message is simply "changelog" | 17:28 |
ahasenack | right | 17:28 |
ahasenack | but the contents, i.e., what was committed, is identical to the change I introduced in the previous commit | 17:28 |
ahasenack | we just say "changelog" so they are easily recognized later on when dealing with merges from debian, a topic for another time | 17:29 |
ahasenack | I've seen people saying "changelog: <actual change description>" | 17:29 |
ahasenack | but don't worry about that now, you will get your preference as time goes by | 17:30 |
nacc | it's mostly convention what the commit messages say at this point | 17:30 |
ahasenack | kstenerud: how familiar are you with the debian/patches structure? | 17:30 |
nacc | there are no hard and fast "requirements" | 17:30 |
kstenerud | ahasenack: not at all | 17:30 |
ahasenack | kstenerud: ok, so take a look at the debian/patches directory in that branch | 17:31 |
ahasenack | you will see one file called "series", and then a bunch of other files | 17:31 |
ahasenack | kstenerud: the series file contains a list of patches that will be applied before the binary build starts, and in that order | 17:31 |
kstenerud | OK. Is there a reason for the numbering? | 17:32 |
ahasenack | convention by some people | 17:32 |
ahasenack | it's free-form | 17:32 |
nacc | debian is stricter about it than ubuntu, imo | 17:32 |
nacc | well, 'stricter' :) | 17:32 |
ahasenack | ideally one should follow the established pattern in the package | 17:32 |
ahasenack | I don't remember why I didn't do it here | 17:32 |
ahasenack | probably because I wanted to avoid a possible future conflict with a patch from debian that started with the same number | 17:32 |
nacc | yeah, and it's also less required once it's in Git (at least for this team) IMO | 17:33 |
sdeziel | tls_version.diff broke the uniformity before you did | 17:33 |
ahasenack | yeah | 17:33 |
nacc | heh | 17:33 |
ahasenack | and that was added by debian | 17:33 |
ahasenack | so meh :) | 17:33 |
ahasenack | kstenerud: you should setup quilt, have you heard of that before? | 17:34 |
kstenerud | nope | 17:34 |
ahasenack | let me fetch you some config files | 17:34 |
ahasenack | kstenerud: create these two files in your home: https://pastebin.ubuntu.com/p/bxQr552PGY/ | 17:35 |
ahasenack | kstenerud: and add this bash alias somewhere: alias dquilt="quilt --quiltrc=${HOME}/.quiltrc-dpkg" | 17:35 |
ahasenack | (assuming you use bash :) | 17:36 |
ahasenack | if you use ksh or something else, you are on your own :) | 17:36 |
dpb1 | ksh | 17:36 |
dpb1 | wow | 17:36 |
ahasenack | kstenerud: once you have that done, and the alias sources, try "dquilt push -a" and afterwards "dquilt pop -a" inside the package branch directory | 17:37 |
ahasenack | push -a means apply all patches, and pop -a means deapply | 17:37 |
ahasenack | all of them | 17:37 |
ahasenack | you can push up to an individual patch by giving its name | 17:37 |
Ussat | ewww.....just had a request to install Mate GUI on a server... | 17:39 |
Ussat | I feel all sullied now | 17:39 |
ahasenack | Ussat: go over to #ubuntu-desktop :D | 17:39 |
ahasenack | j/k :) | 17:39 |
kstenerud | Damn that's cool! | 17:39 |
Ussat | OH no.....anything but that......... | 17:40 |
ahasenack | Ussat: :) | 17:40 |
sdeziel | ahasenack: both ~/.quiltrc and ~/.quiltrc-dpkg are identical, expected? | 17:40 |
ahasenack | sdeziel: oh man, I set that up so long ago | 17:40 |
sdeziel | ahasenack: tabs vs spaces diff only | 17:40 |
ahasenack | hah :) | 17:40 |
ahasenack | dquilt (the alias) uses the -dpkg one | 17:41 |
ahasenack | for raisins | 17:41 |
ahasenack | oh well | 17:41 |
sdeziel | quilt uses ~/.quiltrc by default | 17:41 |
ahasenack | yes | 17:41 |
ahasenack | maybe at some point I wanted separate configs, who knows. I don't remember | 17:42 |
sdeziel | sorry for nitpicking, just trying to follow | 17:42 |
ahasenack | no, it's helpful | 17:42 |
ahasenack | keep the picks coming | 17:42 |
sdeziel | hehe | 17:42 |
ahasenack | kstenerud: how are you doing? | 17:42 |
nacc | quilt uses --quiltrc option, then ~/.quiltrc, then /etc/quilt.quiltrc | 17:42 |
nacc | (iirc) | 17:42 |
kstenerud | I'm taking down notes on all of this so be as pedantic as possible :) | 17:42 |
ahasenack | kstenerud: so you can see that d4cb4562480496f8a1b25ddc397cef45dd45d855 then adds the quilt patch, and adds its name to the series file | 17:42 |
ahasenack | but does not touch the actual source code from postfix | 17:42 |
ahasenack | so we are adding a patch with git | 17:43 |
ahasenack | kstenerud: two things about the patch | 17:43 |
nacc | actual source code = upstream part of the packaging | 17:43 |
ahasenack | kstenerud: a) we want to mention in the commit message which files we are touching | 17:43 |
ahasenack | kstenerud: that's why you see the commit message prefixed with debian/patches/fix-postconf-segfault.diff: | 17:44 |
ahasenack | (we don't mention d/p/series because that's "obvious") | 17:44 |
ahasenack | kstenerud: and b) the patch we added to debian/patches/ has quite the verbose header | 17:44 |
ahasenack | kstenerud: we call that header DEP3 | 17:45 |
ahasenack | kstenerud: there's a whole spec about that | 17:45 |
ahasenack | (and I just misplaced the url to it, and google is failing me) | 17:46 |
ahasenack | kstenerud: here is a summary: https://pastebin.ubuntu.com/p/X3KnfftthK/ | 17:46 |
ahasenack | or template, if you will | 17:46 |
nacc | https://dep-team.pages.debian.net/deps/dep3/ | 17:46 |
ahasenack | thanks nacc | 17:46 |
nacc | all the DEP are there, iirc | 17:46 |
nacc | DEP14 being the other relevant one to g-u | 17:46 |
ahasenack | oh, and it's in the header template I pasted even | 17:47 |
nacc | yeah, i thought `dpkg-source --commit` added a link :) | 17:47 |
ahasenack | you can also use dquilt to add this header: dquilt header -e --dep3 <patchname> | 17:47 |
ahasenack | to an existing patch, that is | 17:47 |
sdeziel | wow, that's nice ^ | 17:49 |
ahasenack | kstenerud: we really want all patches we are adding to have a dep3 header, it helps soooo much when doing package maintenance later on | 17:49 |
ahasenack | not all existing patches have it, though, but we enforce it for new patches | 17:49 |
ahasenack | in our team, that is | 17:50 |
ahasenack | kstenerud: with me still? :) | 17:52 |
kstenerud | yup :) | 17:53 |
sdeziel | ahasenack: is there a tool that you use when merging that uses the "Applied-Upstream" field to know if a given patch should be dropped? | 17:53 |
ahasenack | sdeziel: not that I know of | 17:53 |
sdeziel | I'm asking cause that specific bug was fixed by upstream in 3.3.1 | 17:53 |
sdeziel | OK, thanks | 17:53 |
ahasenack | it wasn't applied yet when the patch was made | 17:54 |
ahasenack | kstenerud: ok, so we need to apply that fix to the bionic version | 17:54 |
ahasenack | kstenerud: this might be as easy as cherry-picking the cosmic fix | 17:55 |
sdeziel | yeah, was just asking how much manual work was required for merges | 17:55 |
nacc | sdeziel: i'd file a bug against git-ubuntu for that feature :) | 17:55 |
* sdeziel obliges | 17:55 | |
ahasenack | kstenerud: now, of course the cherry-pick itself will probably apply | 17:55 |
ahasenack | but that doesn't mean the patch might apply in the bionic version | 17:55 |
ahasenack | hence cherry-pick, and then try "dquilt push -a" to see if it applies | 17:55 |
kstenerud | ok so cherry-pick d4cb45? | 17:56 |
ahasenack | kstenerud: you can also run "rmadison postfix" to see which versions of postfix were released into each uuntu release | 17:56 |
ahasenack | kstenerud: yep | 17:56 |
ahasenack | in this case, bionic has the same major version as cosmic, so it should be fine | 17:57 |
sdeziel | nacc: LP: #1787455 | 17:57 |
ubottu | Launchpad bug 1787455 in usd-importer "[wishlist] create a tool that process dep3 "Applied-Upstream" field" [Undecided,New] https://launchpad.net/bugs/1787455 | 17:57 |
kstenerud | ok which branch am I cherry-picking on to? | 17:58 |
ahasenack | the bionic one you created before | 17:58 |
ahasenack | based on pkg/ubuntu/bionic-devel | 17:58 |
ahasenack | pro-tip: compare the version at the top of debian/changelog with what is actually released in bionic | 17:58 |
nacc | sdeziel: thx | 17:58 |
ahasenack | sometimes the git-ubuntu importer failed and wasn't restarted, and it could be lagging behind | 17:58 |
kstenerud | er.. but d4cb45 is already in that branch | 17:59 |
ahasenack | nope | 17:59 |
ahasenack | are you sure you are not on the cosmic one still | 17:59 |
ahasenack | or that you created the bionic branch based on cosmic, instead of bionic? | 17:59 |
kstenerud | oh wait wrong branch :P | 17:59 |
ahasenack | ah, I use a PS1 change to always have the branch name in my prompt | 18:00 |
ahasenack | you may want to do something similar, if you haven't already got something like it | 18:00 |
ahasenack | annoying drawback is that the prompt gets confused when typing a long line, because of the colors :/ | 18:00 |
kstenerud | yeah I have it on one of my machines somewhere.. This is a fresh install | 18:00 |
kstenerud | Now at patch fix-postconf-segfault.diff | 18:01 |
ahasenack | try applying it with quilt | 18:01 |
ahasenack | see if it applies cleanly | 18:01 |
kstenerud | yup it did | 18:01 |
ahasenack | cool | 18:01 |
ahasenack | revert that then | 18:01 |
ahasenack | get back to a clean branch | 18:01 |
kstenerud | or at least it didn't complain :P | 18:01 |
ahasenack | git status should only show .pc | 18:01 |
kstenerud | yup | 18:01 |
ahasenack | .pc is the control directory for the quilt patches | 18:01 |
ahasenack | you can rm -rf it to get a clean state, once you have unapplied all patches | 18:02 |
ahasenack | ok, now changelog | 18:02 |
ahasenack | sometimes the hardest part, heh | 18:02 |
nacc | ahasenack: fwiw, `git clean` can do it as well | 18:02 |
nacc | (-fdx, iirc) | 18:02 |
ahasenack | nacc: yeah, I do git clean -f -x -d | 18:02 |
dpb1 | there is a social aspect to the changelog. :) | 18:02 |
ahasenack | and a version part | 18:02 |
ahasenack | kstenerud: bookmark this, you will refer to it often: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation | 18:03 |
ahasenack | (I do) | 18:03 |
ahasenack | specifically, go to https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging | 18:03 |
ahasenack | and look at that table of version examples | 18:03 |
ahasenack | the version in bionic is 3.3.0-1 | 18:04 |
ahasenack | the version in cosmic is, as of this moment, 3.3.0-1ubuntu1 | 18:04 |
nacc | dpb1: definitely, it's a large social engineering project in some sense. It's the 'shared' bit | 18:04 |
ahasenack | kstenerud: we need a version that is higher than 3.3.0-1, but lower than 3.3.0-1ubuntu1 | 18:05 |
dpb1 | hehe. | 18:05 |
dpb1 | it's true | 18:05 |
kstenerud | why lower than ubuntu1? | 18:06 |
ahasenack | because that is in cosmic already, and we want a release upgrade from bionic to cosmic to upgrade to the cosmic package | 18:06 |
ahasenack | instead of leaving the bionic package installed | 18:06 |
kstenerud | ok, so ubuntu0.1? | 18:07 |
ahasenack | 1ubuntu0.1 | 18:07 |
kstenerud | Or some other scheme in case we're putting this fix in multiple releases? | 18:07 |
ahasenack | the "1" before ubuntu means it's based on debian's -1 release | 18:07 |
sdeziel | 1ubuntu0.18.04.1 ? | 18:08 |
ahasenack | just 1ubuntu0.1 in this case | 18:08 |
ahasenack | but it's a good question whether the bug happens in other releases | 18:08 |
ahasenack | that's something that the bug triager should have checked, but you can check too | 18:09 |
ahasenack | this is where lxd containers help a lot | 18:09 |
kstenerud | so if the bug did trigger in earlier versions as well, would that affect the naming scheme? | 18:09 |
ahasenack | or, if you just want to check code, you can checkout the branches for each past ubuntu release | 18:09 |
ahasenack | kstenerud: depends on what version is in the other releases | 18:10 |
ahasenack | if they all had 3.3.0-1, they perhaps | 18:10 |
ahasenack | hence, check "rmadison postfix" | 18:10 |
ahasenack | s/they/then/ | 18:10 |
dpb1 | versions are only slightly less hard than the changelog | 18:10 |
ahasenack | kstenerud: so we have a version, here is another tip to reconstruct the changelog | 18:12 |
ahasenack | kstenerud: following the pattern of using the same text for the commit message and the d/changelog entry, there is a script that can do this for us | 18:13 |
ahasenack | part of the git-ubuntu snap | 18:13 |
ahasenack | git-ubuntu.reconstruct-changelog | 18:13 |
ahasenack | give it a base, and it will populate d/changelog with the commit messages from base to head | 18:13 |
ahasenack | in this case, the base could be pkg/ubuntu/bionic-devel for example | 18:13 |
ahasenack | just prior to your cherry-pick | 18:13 |
ahasenack | it will try to guess the version number to use, and it does that correctly most of the time for uploads to the devel release, but not for SRUs | 18:14 |
ahasenack | so you will have to adjust that bit, and the ubuntu release (it will say UNRELEASED by default) | 18:14 |
sdeziel | shouldn't "git-ubuntu.reconstruct-changelog" assume the base to be the currently checkout branch if not specified as "$1" ? | 18:16 |
nacc | sdeziel: it's never 'wrong' to use the full numeric release, IMO. rbasak and i have gone back and forth on it, as it's not strictly necessary in some cases. | 18:16 |
nacc | it won't know what to do if not given an option | 18:16 |
nacc | it needs to start somewhere *before* current branch | 18:16 |
nacc | and reconstruct d/changelog entries from there to HEAD | 18:16 |
sdeziel | nacc: OK, I was trying to find edge cases of using the full numeric release but couldn't | 18:17 |
nacc | sdeziel: right, it's the 'safer' option, but isn't necessary in some well-defined case (but using it can break future cases, etc. :) | 18:18 |
nacc | err, not using it can break future cases | 18:18 |
ahasenack | kstenerud: let me know when you have a d/changelog ready to commit, and commit it | 18:18 |
ahasenack | I'll grab some coffee, brb | 18:18 |
kstenerud | hmm | 18:19 |
kstenerud | karl@karl-tp:~/work/postfix$ git-ubuntu.reconstruct-changelog | 18:19 |
kstenerud | karl@karl-tp:~/work/postfix$ git diff | 18:19 |
kstenerud | diff --git a/debian/changelog b/debian/changelog | 18:19 |
kstenerud | index 6d9e6754..44046d9e 100644 | 18:19 |
kstenerud | --- a/debian/changelog | 18:19 |
kstenerud | +++ b/debian/changelog | 18:19 |
kstenerud | @@ -1,3 +1,8 @@ | 18:19 |
kstenerud | +postfix (3.3.0-1ubuntu1) UNRELEASED; urgency=medium | 18:19 |
kstenerud | + | 18:19 |
nacc | kstenerud: use a pastebin :) | 18:19 |
kstenerud | + | 18:19 |
kstenerud | + -- Karl <karl@karl-tp> Thu, 16 Aug 2018 11:19:05 -0700 | 18:20 |
powersj | lol | 18:20 |
kstenerud | + | 18:20 |
powersj | https://paste.ubuntu.com/ | 18:20 |
dpb1 | there is a thing | 18:20 |
dpb1 | !pastebin | kstenerud | 18:20 |
ubottu | kstenerud: For posting multi-line texts into the channel, please use https://paste.ubuntu.com | To post !screenshots use https://imgur.com/ !pastebinit to paste directly from command line | Make sure you give us the URL for your paste - see also the channel topic. | 18:20 |
dpb1 | there you go! | 18:20 |
nacc | and/or | nc termbin.com 9999 | 18:21 |
sdeziel | nacc: I don't understand why git-ubuntu.reconstruct-changelog could assume the currently checked out branch to be like passing it as $1 | 18:21 |
kstenerud | https://pastebin.ubuntu.com/p/qnbPByFKpb/ | 18:21 |
sdeziel | s/could/could not/ | 18:23 |
sdeziel | kstenerud: git-ubuntu.reconstruct-changelog pkg/ubuntu/bionic-devel | 18:24 |
ahasenack | kstenerud: back | 18:24 |
nacc | sdeziel: wait, that's not your current branch, that's the branch you are based off of | 18:24 |
nacc | sdeziel: sorry, i'm otp right now, so i need more context | 18:24 |
nacc | sdeziel: in general, if you're checkout to a branch, `git-ubuntu.reconstruct-changelog <current branhc name>` is a no-op | 18:25 |
nacc | as HEAD=<current branch name> and there are no commits betweeen them | 18:25 |
ahasenack | kstenerud: you didn't give it a committish where to start | 18:25 |
sdeziel | nacc: err, sorry my bad | 18:25 |
nacc | sdeziel: does that make sense? | 18:25 |
kstenerud | ok so https://pastebin.ubuntu.com/p/Gtgx4QFKFk/ | 18:25 |
sdeziel | nacc: yes, absolutely, I was not making sense ;) | 18:25 |
ahasenack | kstenerud: do git log, and use the commitish just before the cherry pick, or any of its tags | 18:26 |
ahasenack | kstenerud: that's better | 18:26 |
ahasenack | kstenerud: but you need to fix your email :) | 18:26 |
ahasenack | and full name | 18:26 |
nacc | sdeziel: we would love to be able to detect it perfect automatically, it's just not easy to always do right | 18:26 |
kstenerud | er how do I do that? | 18:26 |
ahasenack | kstenerud: your ~/.gitconfig is correct in that regard? | 18:27 |
dpb1 | DEBEMAIL? | 18:27 |
ahasenack | hm, maybe it's using that | 18:27 |
ahasenack | yeah | 18:27 |
dpb1 | and DEBFULLNAME | 18:27 |
ahasenack | $ env|grep DEB | 18:27 |
ahasenack | DEBFULLNAME=Andreas Hasenack | 18:27 |
ahasenack | DEBEMAIL=andreas@canonical.com | 18:27 |
ahasenack | I assumed it used ~/.gitconfig | 18:27 |
kstenerud | I don't have any DEB envs. .gitconfig has my full name and gmail address | 18:27 |
ahasenack | but I also had those vars set | 18:27 |
ahasenack | ok, then set those vars in some .bashrc file for later, and now just export them | 18:28 |
ahasenack | trash the changes, and run the script again | 18:28 |
sdeziel | nacc: how about looking at the branch's ancestor by default then? | 18:30 |
sdeziel | that's assuming that one always does `git checkout -b bionic-postconf-segfault-1753470 pkg/ubuntu/bionic-devel` prior to cherry picking | 18:31 |
nacc | sdeziel: right, which i think i thought was fragile :) | 18:31 |
kstenerud | https://pastebin.ubuntu.com/p/XQFrwPts4m/ | 18:33 |
sdeziel | nacc: alright. reconstruct-changelog is pretty cool even if we have to provide that commitish arg | 18:33 |
dpb1 | what about UNRELEASED ahasenack ? | 18:34 |
ahasenack | kstenerud: better | 18:34 |
ahasenack | kstenerud: now we need to fix the version number, as discussed before, and the ubuntu release, which is what dpb1 just asked about | 18:34 |
ahasenack | unreleased should be replaced with "bionic" | 18:35 |
nacc | sdeziel: yeah :) | 18:35 |
kstenerud | ok so the bionic change, and then 1ubuntu0.1? | 18:37 |
ahasenack | yes | 18:37 |
kstenerud | https://pastebin.ubuntu.com/p/Dq9bGVgMcr/ | 18:37 |
ahasenack | +1 | 18:38 |
ahasenack | one more thing about the changelog entry: the "(LP: #1753470)" string is special | 18:38 |
ubottu | Launchpad bug 1753470 in postfix (Ubuntu Bionic) "Postconf segfaults every 5 minutes" [Low,Triaged] https://launchpad.net/bugs/1753470 | 18:38 |
ahasenack | it will auto-close that bug once the package is published to updates | 18:39 |
ahasenack | if you open the bug url, you will see it has an open "bionic" task | 18:39 |
ahasenack | kstenerud: feel free to assign that task to yourself, and switch "status" to "in progress" | 18:39 |
kstenerud | where is the task link? | 18:40 |
ahasenack | it's the row that starts with "bionic" | 18:40 |
ahasenack | next to each name in each collumn should be a small yellow pencil icon | 18:41 |
ahasenack | and the "assigned to" column has the entry "unassigned" | 18:41 |
ahasenack | can you click on that pencil, or you don't have it? | 18:41 |
ahasenack | might be a permissions problem | 18:41 |
kstenerud | ok got it | 18:41 |
ahasenack | each one of those rows we call "tasks", because one bug can affect multiple projects | 18:42 |
dpb1 | specifically, launchpad calls them tasks | 18:42 |
kstenerud | ok | 18:42 |
dpb1 | (and doesn't expose that they are called tasks very well) | 18:43 |
dpb1 | :) | 18:43 |
ahasenack | lots of tricks there | 18:43 |
dpb1 | tasks, bug tasks | 18:43 |
ahasenack | kstenerud: can you change status as well? | 18:43 |
kstenerud | to fix committed? | 18:44 |
ahasenack | no, to "in progress" | 18:45 |
ahasenack | that task, the bionic update, is in progress now, since you are working on it | 18:45 |
ahasenack | it's not yet in the archive, nor uploaded, so fix committed or released are incorrect at the moment | 18:45 |
ahasenack | ok, so where do we stand | 18:46 |
ahasenack | you have a local branch with a proposed fix | 18:46 |
ahasenack | you need to test it | 18:46 |
ahasenack | there are a few ways to do it | 18:46 |
ahasenack | I like two, and it depends on the package | 18:46 |
ahasenack | a) build it locally and test | 18:46 |
ahasenack | b) build it in a ppa, and then test | 18:46 |
ahasenack | it depends if the package takes a while to build, how fast your computer is, etc | 18:47 |
ahasenack | we can try both | 18:47 |
ahasenack | sometimes ppas are slow, if we are approaching a release, for example | 18:47 |
ahasenack | then the builders are busy | 18:47 |
ahasenack | let's try a ppa first, to expose you to them | 18:47 |
ahasenack | cool? | 18:48 |
kstenerud | yup let's do it | 18:48 |
ahasenack | ok, so another versioning trick we will need | 18:48 |
ahasenack | we are proposing 3.3.0-1ubuntu0.1 for ibonic | 18:48 |
ahasenack | bionic | 18:48 |
ahasenack | if it works, that's the version that will land in bionic | 18:48 |
ahasenack | for the ppa, we will want to use a version that's lower than 3.3.0-1ubuntu0.1, because if somebody installed the package from the ppa, and the release happens, we will want that person to uprade to the official package from the archive | 18:49 |
ahasenack | so the trick is to append ~ppaN | 18:49 |
ahasenack | for example, 3.3.0-1ubuntu0.1~ppa1 | 18:49 |
ahasenack | that is higher than the current version of postfix in bionic (3.3.0-1), is lower than the version we want to propose as a fix (3.3.0-1ubuntu0.1) | 18:49 |
ahasenack | so go ahead and add ~ppa1 to the verison in d/changelog, and make a simple commit. for example, "git commit debian/changelog -m ppa1" | 18:50 |
ahasenack | we need to commit because of the step that comes next | 18:50 |
kstenerud | ok so the previous changelog change should be commited before I do this? | 18:50 |
ahasenack | but we would not push that to a remote git repo | 18:50 |
ahasenack | yes please | 18:50 |
ahasenack | kstenerud: let's do it like this then: | 18:50 |
kstenerud | with the message "changelog"? | 18:50 |
ahasenack | yes | 18:51 |
ahasenack | commit that, without the ~ppa1 suffix | 18:51 |
ahasenack | then push that to launchpad | 18:51 |
ahasenack | and then commit the ppa1 | 18:51 |
ahasenack | to push, use your launchpad name as a remote | 18:51 |
ahasenack | like this | 18:51 |
ahasenack | git push kstenerud/<branchname> | 18:51 |
ahasenack | (assuming I didn't mispell your name) | 18:51 |
ahasenack | sorry | 18:51 |
ahasenack | it's git push kstenerud <branch> | 18:51 |
dpb1 | git ubuntu push? | 18:52 |
ahasenack | no, just push | 18:52 |
dpb1 | and there is a remote called kstenerud? | 18:52 |
kstenerud | ok so I'm going to call: git push kstenerud bionic-postconf-segfault-1753470 | 18:52 |
ahasenack | yes | 18:52 |
kstenerud | * [new branch] bionic-postconf-segfault-1753470 -> bionic-postconf-segfault-1753470 | 18:53 |
ahasenack | dpb1: git ubuntu clone set that up beforehand iirc | 18:53 |
dpb1 | oic | 18:53 |
ahasenack | the remote as lp username | 18:53 |
ahasenack | kstenerud: cool: http://code.launchpad.net/~kstenerud/+git | 18:53 |
ahasenack | kstenerud: now add the ~ppa1 suffix to the version in d/changelog, commit that (but do not push) | 18:54 |
kstenerud | +postfix (3.3.0-1ubuntu0.1~ppa1) bionic; urgency=medium | 18:55 |
kstenerud | like that? | 18:55 |
ahasenack | +1 | 18:55 |
kstenerud | ok what commit msg should I use? | 18:55 |
ahasenack | a dummy one, just so you can keep track yourself | 18:55 |
ahasenack | that will never be published | 18:55 |
ahasenack | I use -m ppa1 | 18:55 |
kstenerud | ok done | 18:55 |
ahasenack | ok, now we will build a source package that we can upload to a ppa | 18:55 |
ahasenack | kstenerud: git-ubuntu has a nice feature that works *most* of the time ;) | 18:56 |
ahasenack | kstenerud: git ubuntu build-source | 18:56 |
ahasenack | kstenerud: the parameters I would use are: | 18:56 |
ahasenack | git ubuntu build-source -v --lxd-image <bionic-lxd-image-name> --sign | 18:56 |
ahasenack | -v for verbose, --sign to sign the upload (otherwise the ppa won't accept it) | 18:56 |
ahasenack | and --lxd-image needs the name of your ubuntu bionic lxd image | 18:56 |
ahasenack | lxc image list and get it from there | 18:57 |
ahasenack | can be an alias or fingerprint | 18:57 |
ahasenack | build-source needs a clean branch to work, that's why we had to commit the ppa1 change | 18:57 |
sdeziel | ahasenack: omitting the --lxd-image arg seems to pick something that worked for me in the past, what's the added benefit of providing it? | 18:58 |
ahasenack | sdeziel: it will try to guess the name of the image | 18:58 |
ahasenack | I think it assumes the name is the ubuntu release name | 18:58 |
ahasenack | my images happen to have a different name | 18:58 |
sdeziel | OK | 18:58 |
ahasenack | for historical reasons: juju wanted a particular name that was not just "bionic" | 18:58 |
dpb1 | and you are still doing that? | 18:59 |
ahasenack | I type fast | 18:59 |
ahasenack | I also have images for debian, centos, etc | 19:00 |
ahasenack | so prefixing the names with ubuntu- sounded fine | 19:00 |
kstenerud | lxd image or lxc image? | 19:00 |
dpb1 | ko | 19:00 |
ahasenack | kstenerud: "yes" :) | 19:00 |
ahasenack | it's all lxd | 19:00 |
ahasenack | but the command line is lxc | 19:00 |
dpb1 | unless you are using 'lxc-command' names | 19:00 |
dpb1 | that's the *old* lxc | 19:00 |
dpb1 | you shouldn't use anymore | 19:00 |
kstenerud | $ sudo lxd image | 19:00 |
kstenerud | EROR[08-16|12:00:39] Failed to start the daemon: LXD is already running | 19:00 |
kstenerud | Error: LXD is already running | 19:00 |
ahasenack | take it up to management :P | 19:01 |
dpb1 | (not for this type of work anyway) | 19:01 |
ahasenack | it's "lxc image list" | 19:01 |
kstenerud | ok so I'll be calling: git ubuntu build-source -v --lxd-image bbb592c417b6 --sign | 19:02 |
ahasenack | yes, | 19:02 |
ahasenack | but let's check something else first | 19:02 |
ahasenack | to not waste time if it fails later | 19:03 |
ahasenack | the --sign step | 19:03 |
ahasenack | it will call debsign on the resulting .changes file | 19:03 |
ahasenack | do you have your gpg key with the same email as DEBEMAIL | 19:03 |
ahasenack | ? | 19:03 |
kstenerud | umm not sure actually | 19:04 |
ahasenack | do a gpg --list-secret-key | 19:04 |
kstenerud | it's using my gmail account | 19:04 |
ahasenack | you should add another email to it | 19:05 |
ahasenack | do a gpg --edit-key <email> | 19:05 |
kstenerud | ok | 19:05 |
ahasenack | then "adduid" at the prompt | 19:06 |
ahasenack | answer the questions | 19:06 |
ahasenack | exit with save, when back at the prompt | 19:06 |
ahasenack | and push the key to the keyserver again like we did yesterday (gpg --keyserver keyserver.ubuntu.com --send-keys <email>) | 19:06 |
kstenerud | which email do I use? | 19:07 |
ahasenack | the same as DEBEMAIL | 19:08 |
ahasenack | the canonical one | 19:08 |
ahasenack | it's how you will sign your source package | 19:08 |
kstenerud | gpg: "karl.stenerud@canonical.com" not a key ID: skipping | 19:08 |
ahasenack | is that what you used with adduid? | 19:08 |
kstenerud | yeah | 19:09 |
ahasenack | does the @canonical email show up in gpg --list-keys now, alongside your gmail one? | 19:09 |
kstenerud | [ultimate] (1) Karl Stenerud <kstenerud@gmail.com> | 19:09 |
kstenerud | [ unknown] (2). Karl Stenerud <karl.stenerud@canonical.com> | 19:09 |
ahasenack | use the keyid then | 19:09 |
ahasenack | the hex-md5-like string just above that | 19:09 |
kstenerud | ok that worked | 19:09 |
ahasenack | what is it? let me fetch your key as well | 19:10 |
kstenerud | 7C177302572849D84A5048349E9C224744EF2A5A | 19:10 |
ahasenack | gpg: key 9E9C224744EF2A5A: public key "Karl Stenerud <karl.stenerud@canonical.com>" imported | 19:10 |
ahasenack | cool, got it | 19:10 |
ahasenack | ok | 19:10 |
ahasenack | back to the build-source command, go ahead and run it | 19:10 |
kstenerud | 08/16/2018 12:11:32 - ERROR:Failed to run apt-get in ephemeral build container (attempt 2/6) | 19:12 |
ahasenack | it tries apt-get before the network is up | 19:12 |
ahasenack | so it keeps trying | 19:12 |
kstenerud | ah ok. Yeah I had to put 5s delays in my containers for that | 19:12 |
ahasenack | afaik there is no standard/clean way to determine that from the outside | 19:12 |
ahasenack | it will install build tools, then the build dependencies of the package, and then build the source package | 19:14 |
ahasenack | and pull the files out of the container and place them in ../ | 19:14 |
kstenerud | ok, build completed | 19:15 |
ahasenack | did it sign it as well? Did you get a prompt for your gpg passphrase? | 19:15 |
ahasenack | check the changes file in ../, it should have gpg markers inside it | 19:16 |
ahasenack | kstenerud: oh, do you need a break for lunch? | 19:16 |
ahasenack | we like to respect local time :) | 19:17 |
kstenerud | yeah, but let's get this part done first | 19:17 |
kstenerud | I didn't get prompted to sign | 19:17 |
ahasenack | but is it signed? | 19:17 |
kstenerud | 08/16/2018 12:14:06 - INFO:Signing changes file ../postfix_3.3.0-1ubuntu0.1~ppa1_source.changes | 19:18 |
ahasenack | so either it was cached, from a previous usage, or you didn't set a passphrase | 19:18 |
ahasenack | you can check later | 19:18 |
ahasenack | cat you paste that file please? | 19:19 |
kstenerud | Oh I got prompted when I added the new email | 19:19 |
ahasenack | ok | 19:19 |
ahasenack | so leave that terminal for a moment, you now have to create a ppa in the launchpad gui | 19:19 |
ahasenack | go to https://code.launchpad.net/~kstenerud | 19:19 |
ahasenack | er | 19:19 |
ahasenack | I mean https://launchpad.net/~kstenerud | 19:19 |
kstenerud | https://pastebin.ubuntu.com/p/fXV3YtMBjb/ | 19:19 |
ahasenack | looks good | 19:20 |
ahasenack | in that lp page, look for the "personal package archives" | 19:20 |
ahasenack | and "create a new ppa" | 19:20 |
ahasenack | click on that | 19:20 |
kstenerud | ok | 19:20 |
ahasenack | first field in the form, url, use a name that will help you later. I suggest "postfix-postconf-segfault-1753470" | 19:21 |
ahasenack | or something like that, but at least keep the bug number | 19:21 |
ahasenack | it's free form, you may decide you like other naming schemes better, up to you | 19:21 |
ahasenack | use the same name in the next field | 19:21 |
ahasenack | "display name" | 19:22 |
ahasenack | description you can leave empty | 19:22 |
ahasenack | then "activate" | 19:22 |
* sdeziel wish git-ubuntu could support uploading to a PPA | 19:22 | |
ahasenack | you can change these later, except the url bit I think | 19:22 |
kstenerud | ok done | 19:22 |
ahasenack | ok, see it | 19:22 |
ahasenack | now let's upload | 19:23 |
ahasenack | first, let's configure dput | 19:23 |
ahasenack | create this file: https://pastebin.ubuntu.com/p/XMkkRdmYbr/ | 19:23 |
ahasenack | and leave the unspecified bit there as is | 19:23 |
ahasenack | I'll explain it later | 19:23 |
kstenerud | ok | 19:24 |
ahasenack | now the command: | 19:24 |
ahasenack | dput ppa:kstenerud/postfix-postconf-segfault-1753470 ../postfix_3.3.0-1ubuntu0.1~ppa1_source.changes | 19:24 |
ahasenack | it's dput <target> <changes-file> | 19:24 |
kstenerud | done | 19:25 |
ahasenack | you should get an email shortly | 19:25 |
ahasenack | telling you if it was accepted or not | 19:25 |
ahasenack | looks like it was accepted | 19:26 |
ahasenack | https://launchpad.net/~kstenerud/+archive/ubuntu/postfix-postconf-segfault-1753470/+packages is listing your build | 19:26 |
kstenerud | yup | 19:27 |
ahasenack | ok, wanna have lunch now? | 19:28 |
kstenerud | yeah, then we do the local build approach after? | 19:28 |
ahasenack | I'll be around for 2h more | 19:28 |
ahasenack | yes | 19:28 |
kstenerud | ok cool | 19:28 |
ahasenack | good job! | 19:28 |
kstenerud | I'll get it eventually :P | 19:29 |
ahasenack | ping when ready to continue | 19:29 |
=== jdstrand_ is now known as jdstrand | ||
kstenerud | ahasenack: ready when you are | 20:44 |
ahasenack | ok | 20:44 |
ahasenack | kstenerud: the local way, | 20:44 |
ahasenack | kstenerud: the command is simimlar | 20:44 |
ahasenack | git ubuntu build -v --lxd-image <image> | 20:44 |
ahasenack | no --sign needed, and it's build instead of build-source | 20:44 |
ahasenack | it will do the same, create a container, but this time build the binaries | 20:45 |
ahasenack | and pull them out, and then shutdown the container it use | 20:45 |
ahasenack | used | 20:45 |
kstenerud | ok built | 20:50 |
ahasenack | next step would be to test it | 20:50 |
ahasenack | you should bring up a cosmic container, | 20:51 |
ahasenack | install the normal cosmic version, reproduce the bug | 20:51 |
ahasenack | then install the updated package, confirm the bug is gone | 20:51 |
ahasenack | it also helps to write down the steps you take, because you will need them later on when preparing the bug for the update. It needs test steps; | 20:52 |
ahasenack | you can install the updated version from these binaries you just build, or the ppa that we used previously | 20:53 |
ahasenack | the ppa is always good to have, because at some point you will submit this change for review, and it helps reviewers if there is a ppa already with the fix, so they don't have to build it themselves | 20:53 |
kstenerud | ok so I'm in the cosmic container | 20:53 |
sdeziel | s/cosmic/bionic/ ^ ? | 20:55 |
keithzg | Welll great, those hardware lockups on the internal-facing ethernet adapter that I was experiencing on the router at work are happening again now. | 20:55 |
ahasenack | sorry, bionic | 20:56 |
ahasenack | sdeziel: thanks | 20:56 |
kstenerud | ok hang on | 20:56 |
kstenerud | ok so first off just apt install postfix? | 20:57 |
dpb1 | keithzg: hrm | 20:57 |
ahasenack | yeah | 20:57 |
ahasenack | that will get you the one that is currently the latest in bionic, and has the bu | 20:57 |
ahasenack | bug* | 20:57 |
dpb1 | keithzg: can you remove the hardware and see if the lock ups persist? or is it not that kind of equipment | 20:57 |
keithzg | dpb1: Alas it's a built-in adapter (two, in fact, although the external-facing built-in NIC on the motherboard isn't showing any issues) | 20:59 |
kstenerud | hmm I'm not getting a crash when I call postconf virtual_alias_map | 21:00 |
ahasenack | it has to be as a user who cannot read the map file | 21:00 |
keithzg | Hrmm wait, I bet the patched and recompiled network driver got overwritten by the latest kernel update! | 21:01 |
ahasenack | and it has to be a db map | 21:01 |
kstenerud | ok how do I set up a db map? | 21:02 |
ahasenack | I think there is an example in the bug | 21:02 |
kstenerud | what I get is /usr/sbin/postconf: fatal: open /etc/postfix/main.cf: No such file or directory | 21:02 |
ahasenack | add this to /etc/postfix/main.cf (the file should exist already): | 21:03 |
ahasenack | virtual_alias_maps = pgsql:/etc/postfix/valiases.cf | 21:03 |
ahasenack | then greate /etc/postfix/valiases.cf with any content | 21:03 |
ahasenack | and chmod 0600 /etc/postfix/valiases.cf | 21:03 |
ahasenack | then run postconf as a non-root user | 21:03 |
ahasenack | that would be one way to trigger the bug | 21:03 |
ahasenack | that was comment #8 in the bug, more or less | 21:03 |
ahasenack | and comment #9 | 21:03 |
kstenerud | ah ok got the crash | 21:06 |
ahasenack | now leave config files as they are, add the ppa, and dist-upgrade to the new packages you prepared | 21:07 |
ahasenack | https://launchpad.net/~kstenerud/+archive/ubuntu/postfix-postconf-segfault-1753470/ has instructions on how to add the ppa | 21:07 |
ahasenack | basically sudo add-apt-repository ppa:kstenerud/postfix-postconf-segfault-1753470 | 21:08 |
kstenerud | then apt upgrade? | 21:09 |
ahasenack | yes | 21:09 |
ahasenack | sometimes dist-upgrade, shouldn't make a difference in this case | 21:09 |
ahasenack | you may get other updates, not coming from the ppa | 21:09 |
ahasenack | as good practice I always dist-upgrade the container right after it started | 21:09 |
kstenerud | ok the fix works :) | 21:10 |
ahasenack | nice | 21:10 |
ahasenack | I guess now we can make a merge proposal | 21:11 |
ahasenack | and tomorrow we can run the dep8 tests, since postfix has some in debian/tests | 21:11 |
kstenerud | so if I weren't using the ppa, is it still possible to test? | 21:11 |
ahasenack | this test you just made? | 21:11 |
kstenerud | yeah. We pulled from ppa this time | 21:12 |
ahasenack | yes, you would copy the ../*.deb files that were produced by git ubuntu build previously | 21:12 |
ahasenack | into the test container | 21:12 |
ahasenack | there you would then just "sudo dpkg -i *.deb" | 21:12 |
ahasenack | or, instead of *.deb, check which postfix pcakages you have, and dpkg -i just those | 21:12 |
kstenerud | ok, but it didn't produce a .deb file. only a tar.xz file | 21:12 |
nacc | did you build or build-source? | 21:12 |
ahasenack | that was the build-source one | 21:12 |
ahasenack | didn't you run "build" before, without the --sign? | 21:12 |
ahasenack | that produces debs | 21:13 |
kstenerud | yeah that's what I did | 21:13 |
ahasenack | if that worked, the parent dir (../) should have deb files | 21:13 |
kstenerud | oh wait no | 21:13 |
kstenerud | I did builld-source :P | 21:13 |
ahasenack | you repeated the previous one? | 21:13 |
kstenerud | So when signing, I use build-source, and when building locally I use build? | 21:13 |
ahasenack | the signing is about uploading to the ppa | 21:13 |
ahasenack | the remote server only accepts signed uploads | 21:14 |
ahasenack | it's the authentication | 21:14 |
kstenerud | So the original I did was: | 21:14 |
kstenerud | git ubuntu build-source -v --lxd-image bbb592c417b6 --sign | 21:14 |
ahasenack | only you can upload packages to that ppa | 21:14 |
ahasenack | and ppas only take source uploads | 21:14 |
kstenerud | ok | 21:14 |
ahasenack | that builds the source, signs it, and you can upload that to a ppa, or even to the ubuntu archive once you have upload permission | 21:14 |
kstenerud | and then for just building the deb locally, I use: | 21:14 |
ahasenack | the same command with just "build" instead of build-source will produce binary debs | 21:14 |
kstenerud | git ubuntu build -v --lxd-image bbb592c417b6 | 21:14 |
ahasenack | which can also be signed, but won't matter in this case | 21:15 |
ahasenack | since you won't upload binary deps anywhere | 21:15 |
ahasenack | correct | 21:15 |
kstenerud | ok, so next a merge proposal? | 21:17 |
ahasenack | yes | 21:17 |
ahasenack | go to the launchpad url for your branch | 21:17 |
ahasenack | https://code.launchpad.net/~kstenerud/+git lists all your git repositories | 21:17 |
ahasenack | click your way through until you are viewing your branch | 21:18 |
kstenerud | ok | 21:18 |
ahasenack | are you there? | 21:18 |
kstenerud | yup | 21:18 |
ahasenack | you should have landed at https://code.launchpad.net/~kstenerud/ubuntu/+source/postfix/+git/postfix/+ref/bionic-postconf-segfault-1753470 | 21:19 |
ahasenack | right? | 21:19 |
kstenerud | yup. I see the commit msgs | 21:19 |
keithzg | Hmm. If reinstalling the patched kernel module works, then that definitely implies that that was *previously* working, which is odd since initially when I installed that, the problem persisted for a few hours after a reboot, so I was just assuming it hadn't helped. | 21:19 |
ahasenack | ok, click on "propose for merge" | 21:19 |
kstenerud | ok | 21:19 |
ahasenack | kstenerud: target repository should be correct already | 21:19 |
ahasenack | lp:ubuntu/+source/postfix | 21:20 |
kstenerud | yup | 21:20 |
ahasenack | kstenerud: target branch now, we have to fill in | 21:20 |
ahasenack | kstenerud: since this is for a bionic update, the branch is ubuntu/bionic-devel | 21:20 |
ahasenack | that's where you branched from even | 21:20 |
ahasenack | kstenerud: commit message leave empty | 21:21 |
* keithzg wonders what's up with the Intel e1000e driver then, particularly considering the long silence in https://sourceforge.net/p/e1000/bugs/_discuss/thread/9048ab8e/ | 21:21 | |
ahasenack | kstenerud: description you have to fill in (we will get back to this) | 21:21 |
ahasenack | kstenerud: for reviewer, type canonical-server | 21:21 |
ahasenack | kstenerud: good so far? Then lets get back to the description. We will also add a second reviewer later on | 21:22 |
kstenerud | ok | 21:22 |
ahasenack | kstenerud: ok, in the description, which is free form, you basically say what you did | 21:22 |
ahasenack | kstenerud: you should mention that you grabbed the fix that is in cosmic already, | 21:23 |
ahasenack | kstenerud: also that you tested it and how, so others can try repeating your testing steps | 21:23 |
ahasenack | kstenerud: also mention the ppa that has test packages built | 21:23 |
ahasenack | kstenerud: you can also say you will run dep8 tests still. You can start reading up on that today if you still have time, but we will get to that tomorrow | 21:24 |
ahasenack | it needs a bit of infra setup on your machine | 21:24 |
ahasenack | then click "propose merge" at the bottom | 21:25 |
ahasenack | this description text you can change after proposing, that's fine | 21:25 |
kstenerud | OK so something like this? | 21:26 |
kstenerud | https://pastebin.ubuntu.com/p/7zFNP4NFG9/ | 21:26 |
ahasenack | kstenerud: the test user won't exist by default, will, it? | 21:27 |
ahasenack | I suggest to use ubuntu, which is the default user | 21:27 |
kstenerud | no, there's a "useradd test" command | 21:27 |
kstenerud | oh ok | 21:28 |
ahasenack | ah, I missed that | 21:28 |
ahasenack | ok | 21:28 |
ahasenack | yeah, that's fine | 21:28 |
kstenerud | OK, so putting that in the description field | 21:29 |
ahasenack | yes | 21:30 |
kstenerud | then propose? | 21:30 |
ahasenack | yes | 21:30 |
kstenerud | https://code.launchpad.net/~kstenerud/ubuntu/+source/postfix/+git/postfix/+merge/353267 | 21:30 |
ahasenack | nice | 21:30 |
ahasenack | now add another reviewr | 21:30 |
ahasenack | reviewer | 21:30 |
ahasenack | there are three options | 21:30 |
ahasenack | depending on what type of package it is | 21:30 |
ahasenack | if it's a universe package, the reviewer is canonical-server-motu-reviewers | 21:31 |
ahasenack | if it's a server package, then we use canonical-server-packageset-reviewers | 21:31 |
ahasenack | the rest, which is core/main, we use canonical-server-core-reviewers | 21:31 |
ahasenack | postfix is in main, so that leaves motu out | 21:31 |
ahasenack | (you can see with rmadison postfix, or apt-cache policy postfix) | 21:31 |
ahasenack | to see if it's core or server-packageset, I use "ubuntu-upload-permission -a postfix" | 21:32 |
ahasenack | that will list who can upload postifx | 21:32 |
ahasenack | it only lists core | 21:32 |
ahasenack | so the extra reviewer slot is canonical-server-core-reviewers | 21:32 |
ahasenack | hopefully this will be automatic someday | 21:32 |
ahasenack | but we are not there yet | 21:32 |
kstenerud | ok so how do I add an extra reviewer? | 21:35 |
ahasenack | you should see a button/link just below the existing reviewer | 21:35 |
kstenerud | All I see is "claim review" | 21:36 |
ahasenack | "request another review" on the right? | 21:36 |
ahasenack | green link | 21:36 |
kstenerud | ah ok | 21:36 |
kstenerud | done | 21:37 |
ahasenack | good | 21:37 |
ahasenack | the mp part is done | 21:37 |
ahasenack | bookmark this link: https://code.launchpad.net/~canonical-server/+activereviews | 21:37 |
ahasenack | that shows all reviews | 21:37 |
ahasenack | or rather, all mps | 21:37 |
ahasenack | now we need to touch the bug again, since this is an update for a stable release (bionic) | 21:38 |
ahasenack | kstenerud: https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template | 21:38 |
ahasenack | the bug description needs to be filled out with that information | 21:38 |
kstenerud | ok | 21:39 |
ahasenack | what I do is edit the bug description (click on the pencil icon), write "[Original Description]" at the very top, so that the existing description is below it, | 21:39 |
ahasenack | and paste the template above it all | 21:39 |
ahasenack | so you will have something like | 21:39 |
ahasenack | sru template | 21:39 |
ahasenack | [original descrption] | 21:39 |
ahasenack | (here goes on what the original description was) | 21:39 |
ahasenack | and then you have to really fill out that template. Think about how this is affecting users | 21:40 |
ahasenack | how the fix was done | 21:40 |
ahasenack | why the fix is safe (committed upstream?) | 21:40 |
ahasenack | add testing steps (in this case, omit the ppa, bceause if the sru is accepted, your package will be uploaded to a special proposed pocket). Just assume people know how to get it | 21:40 |
ahasenack | that page with the sru template has links to existing sru bugs where you can see some examples | 21:41 |
ahasenack | https://bugs.launchpad.net/bugs/1583324 is a recent one I worked on | 21:41 |
ubottu | Launchpad bug 1583324 in samba (Ubuntu Xenial) "Samba won't start when an include statement in smb.conf has a variable substitution " [Undecided,In progress] | 21:41 |
ahasenack | kstenerud: ah, and if you go back to the postfix bug, you'll see your branch and merge proposal attached to it: https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1753470 | 21:42 |
ubottu | Launchpad bug 1753470 in postfix (Ubuntu Bionic) "Postconf segfaults every 5 minutes" [Low,In progress] | 21:42 |
ahasenack | that's because of the special (LP: #xxxx) in the changelog entry | 21:42 |
ahasenack | kstenerud: I have to go now, shoot me an email if you have any questions, and we will continue tomorrow | 21:44 |
kstenerud | ok sounds good. Thanks! Lots to digest here :) | 21:44 |
ahasenack | cheers :) | 21:44 |
keithzg | Well I just spent a long long time trying to get systemd ethernet renaming to work, I swear that's how I have things currently named "external0" and "internal0", but changing the entries in /etc/systemd/network doesn't change anything, and I can't find where else I could have set those . . . | 22:59 |
sarnold | the usual place is /etc/udev/rules.d/70-persistent-net.rules | 23:00 |
keithzg | sarnold: Yeah that's the classic, udev (rather than systemd) place, but I have no files there at all. | 23:02 |
sarnold | oh. hrm. | 23:02 |
keithzg | Like, the entire /etc/udev/rules.d directory is empty. | 23:02 |
keithzg | This all was to try to make the spare PCIe adapter I've shoved in now be "internal0" so that I wouldn't have to change anything else, but I eventually gave up and just changed the /etc/network/interfaces and iptables rules to refer to "enp1s0" (the autogenerated name for the PCIe NIC) instead. Which has generally worked, although somehow OpenVPN clients seeing our internal network now, which is . . . bad :( | 23:06 |
keithzg | (And that also doesn't make sense really, since the OpenVPN conf only specifies routing rules, not specific adapters, although maybe I need to re-do the tun bridge? Yeah that's probably it.) | 23:08 |
keithzg | (Hmm no, that's just created by the OpenVPN service. Hrmmm.) | 23:09 |
sdeziel | tun bridge is a weird combo ... tap+bridge maybe? | 23:10 |
keithzg | sdeziel: I think I was just mistakenly presuming it was a bridge, since that would explain why changing adapters would break it. But it's definitely tun0 that's being brought up and theoretically used by OpenVPN. | 23:12 |
sdeziel | keithzg: gotcha | 23:13 |
keithzg | I wonder if this is the problem: "Thu Aug 16 17:16:00 2018 us=759598 /sbin/ip route del 10.1.190.0/24 | RTNETLINK answers: Operation not permitted | Thu Aug 16 17:16:00 2018 us=760404 ERROR: Linux route delete command failed: external program exited with error status: 2" | 23:17 |
sdeziel | keithzg: usually harmless | 23:17 |
sdeziel | keithzg: that's openvpn trying to cleanup something that's cleaned automatically afterwards anyways | 23:18 |
keithzg | sdeziel: Fair enough, although *something* is making the VPN entirely fail to work, and with multiple people who work only remotely this is a problem I really gotta figure out! | 23:18 |
sdeziel | keithzg: could you pastebin the journalctl output of the openvpn service? | 23:21 |
keithzg | sdeziel: Oh that's not gonna help any, haha, it just says "Starting OpenVPN service..." whenever I start it and "Stopped OpenVPN service." "Started OpenVPN service." when I stop it ;) I'll grab an excerpt of the actual log though . . . | 23:23 |
sdeziel | keithzg: would that be "journalctl -u openvpn" by any chance? | 23:23 |
sdeziel | keithzg: the real deal is in "journalctl -u openvpn@$INSTANCE" where instance is /etc/openvpn/$INSTANCE.conf | 23:24 |
keithzg | sdeziel: That's true, but the config file is just openvpn.conf and `journalctl -u openvpn@openvpn only differs in that it gives some errors from last week when the troubles that led me to now changing physical adapters started. Nothing other than logging the starting and stopping today. | 23:27 |
sdeziel | keithzg: maybe you have a very low "verb" param in that conf | 23:27 |
keithzg | However, it //is// logged to a file and here's the output from the most recent start of the service and while some clients connected and failed to get anything: https://paste.kde.org/pwd9kfb5y | 23:27 |
keithzg | (As of this moment no more has been written to the log) | 23:28 |
sdeziel | keithzg: do you have IP forwarding enabled? | 23:30 |
sdeziel | keithzg: now that your internal0 NIC is named differently, have you updated your firewall FORWARD rules? | 23:30 |
sdeziel | (if you use -i/-o in those rules) | 23:30 |
keithzg | sdeziel: Yes, I changed the iptables rules accordingly. To be clear, the internal0 NIC is still named the same (mysteriously), I changed the rules and the /etc/network/interfaces entry to refer to enp1s0 rather than internal0. | 23:31 |
sdeziel | keithzg: OK, cause that android client seems to have successfully connected | 23:32 |
keithzg | sdeziel: Indeed, the clients seem to connect successfully, but now cannot access anything on our internal network. | 23:32 |
sdeziel | keithzg: have you tried tcpdump'ing while the client tries to connect to the internal net? | 23:33 |
keithzg | sdeziel: Hmm. Well, `tcpdump -i tun0` doesn't show much, https://paste.kde.org/p9n8wz4wu | 23:39 |
keithzg | And I do see stuff like "17:38:43.586600 IP 10.1.190.10 > boots: ICMP echo request, id 13, seq 3, length 64" when dumping enp1s0 | 23:41 |
keithzg | So in theory the ping requests are being forwarded, although they (and any other form of traffic) certainly don't seem to be making it back to the clients. | 23:42 |
sdeziel | keithzg: try with tcpdump -ni any icmp | 23:42 |
sdeziel | err: tcpdump -nei any icmp | 23:42 |
sdeziel | keithzg: do you mind sharing iptables-save? | 23:44 |
sdeziel | keithzg: I have to go, sorry. Good luck though! | 23:47 |
keithzg | sdeziel: https://paste.kde.org/pbt8yxxyo is the ICMP dump | 23:47 |
keithzg | sdeziel: Fair enough, thanks for the help! | 23:47 |
sdeziel | keithzg: looks like systemd-resolved is not running but that's not related ;) | 23:49 |
sdeziel | keithzg: I'd check on 10.1.186.32 and see if you get the ICMP packets | 23:49 |
sdeziel | keithzg: if you do get them, check how it tries to respond to them with "ip route get 10.1.190.10". It should send packets toward the VPN server | 23:50 |
keithzg | sdeziel: Yeah on the receiving end I'm seeing "17:50:18.190642 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 128: 10.1.186.32 > 10.1.186.32: ICMP host 10.1.190.10 unreachable, length 92" | 23:50 |
keithzg | (`ip route get` returns the adapter I'd expect it to be using to reply) | 23:51 |
sdeziel | keithzg: the interesting part of ip route get is the gateway/via used | 23:51 |
keithzg | sdeziel: Hrmm, it doesn't say anything more than "10.1.190.10 dev br0 src 10.1.186.32" and then "cache" on the next line. | 23:52 |
sdeziel | keithzg: hmm, that's wrong | 23:53 |
sdeziel | it means it thinks that 10.1.190.10 is in the same LAN as the VPN client | 23:54 |
sdeziel | but they are not as you have a router (the VPN server) between the 2 | 23:54 |
keithzg | sdeziel: Hmm? 10.1.190.10 *is* the VPN client, though? | 23:55 |
* keithzg is very tempted to just try the udev method for adapter renaming and hope that magically fixes everything, heh | 23:56 | |
sdeziel | keithzg: 10.1.186.32 thinks that 10.1.190.10 is in the same LAN | 23:56 |
sdeziel | keithzg: didn't you say the NIC was renamed somehow though? | 23:56 |
keithzg | sdeziel: Yeah I suppose that's not true, although they *do* have the same gateway. | 23:56 |
sdeziel | keithzg: please pastebin: "cat /etc/network/interfaces; ip link; ip ro; iptables-save" from the VPN server | 23:58 |
keithzg | sdeziel: The exact situation is, the internal adapter is called "internal0" . . . somehow. I know that was me, but the only settings I have for that are in /etc/systemd/network, and changing those and rebooting changes nothing. The 'internal0' adapter is experiencing hardware lockups, so I put in a PCIe adapter to use instead. | 23:58 |
keithzg | sdeziel: Here ya go, from our router (which is also the VPN server): https://paste.kde.org/pi4tooz7a | 23:59 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!