/srv/irclogs.ubuntu.com/2018/08/27/#ubuntu-server.txt

05:25 <cpaelzer> good morning
06:19 <lordievader> Good morning
=== miguel is now known as Guest46429
11:23 <neildugan> I have been trying to use upnpc to open up an external access (for ssh) to an lxc VM ... but every time I try to connect (with ssh) I get a "connection refused" error ... but I can find no indication in the VM that a connection was even attempted ... can anyone help here?
11:24 <tomreyn> neildugan: does the configuration change take place on the router the upnpc is talking to, though?
11:25 <neildugan> tomreyn, I think so, upnpc -l returns a line "TCP 30000->10.8.0.134:30000 'libminiupnpc' '' 14400"
11:26 <neildugan> tomreyn, I have also set up ssh to listen on that port.
11:27 <tomreyn> neildugan: does the router also report that this configuration has been applied?
11:28 <neildugan> tomreyn, no idea, there appears to be no way to interrogate (via web interface) anything about upnp (except it being enabled)
11:30 <tomreyn> neildugan: i see. so i'm afraid i forgot how lxc does networking. does it do bridging, nat or routing?
11:31 <neildugan> tomreyn, this VM is connected to my LAN (via a bridged interface) that has the router on it.
11:32 <tomreyn> ok, so the lxc host (the main ubuntu system) has a different IP address than 10.8.0.134, but one on the same subnmet?
11:32 <tomreyn> *subnet
11:32 <neildugan> tomreyn, yes, and I just tested to make sure the VM can ping the router directly.
11:33 <tomreyn> neildugan: do you have another computer on the same subnet?
11:33 <neildugan> yes
11:34 <tomreyn> neildugan: can you connect to 10.8.0.134:30000 from the ubuntu lxc host? nc -vv 10.8.0.134 30000
11:35 <tomreyn> (ignore my question about other computer on the same subnet for now, this is now unrelated)
11:36 <neildugan> tomreyn, yes that connected
11:38 <tomreyn> i just tried to connect to your public ip address on tcp port 30000, and the connection was refused.
11:39 <tomreyn> is this the external ip address you're trying to port forward?
11:39 <neildugan> tomreyn, I can also ssh in with ssh -p 30000 10.8.0.134
11:40 <tomreyn> from where?
11:40 <neildugan> the lxc host
11:41 <tomreyn> neildugan: can you try this from the other computer on the same subnet, too?
11:41 <tomreyn> you didn't comment on my connection attempt, on purpose?
11:44 <neildugan> tomreyn, was that last message for me? I did ssh in via port 30000 from a different computer
11:44 <tomreyn> neildugan: yes it was
11:44 <tomreyn> <tomreyn> i just tried to connect to your public ip address on tcp port 30000, and the connection was refused.
11:45 <neildugan> yea that is my problem
11:45 <tomreyn> so this is a router issue.
11:46 <neildugan> tomreyn, I think so, but all the examples I have found for upnpc don't say I need to do anything else to get a connection.
11:46 <tomreyn> you could try deleting, then re-adding the port redirection using upnpc. but with a router behaving so unreliably, i guess i would rather try to set up port forwarding statically.
11:47 <tomreyn> some routers will accept the port forwarding configuration but not actually forward traffic unless you also enable a upnp option (such as on their web interface)
11:48 <neildugan> tomreyn, when you tried to connect it should have said 'permission denied public key', not 'connection refused'
11:48 <tomreyn> it would have, if port forwarding had actually taken place, yes
11:48 <neildugan> tomaw, the upnp is enabled.
11:49 <tomreyn> but apparently your router or a firewall between the router and the lxc guest just drops the traffic.
11:50 <tomreyn> it may be a good idea to try port forwarding a port to the lxc host first, and to test whether this is reachable from the internet.
11:50 <neildugan> tomreyn, the only firewall operational for that VM is on the router.
11:50 <tomreyn> this way you save some complexity
11:51 <neildugan> I thought it would be fairly simple myself, that is why I am testing it.... but something unknown is wrong.
11:52 <tomreyn> run this on the lxc host: while true; do echo 'You are connected.' | nc -vv -l 6000; sleep 2; done
11:53 <tomreyn> then run this in a separate terminal window on the lxc host, substituting LXCHOST by the lxc host's LAN ip address: upnpc -a LXCHOST 6000 6000 TCP
11:54 <tomreyn> confirm the symmetric port forwarding for port 6000 to the lxc host was correctly configured using 'upnpc -l'
11:54 <tomreyn> then tell me to test it.
11:54 <tomreyn> neildugan: ^
11:55 <tomreyn> you can also use a service like this to test it (specify port 6000): http://canyouseeme.org/
11:56 <neildugan> I was just testing an already set up port forward to a different VM. it isn't working either, I am getting a 'Connection timed out' error with that one.
12:01 <neildugan> tomreyn, if I understand the second part, this will allow you into the host computer?
12:03 <tomreyn> neildugan: 'connection timed out' (no response was received at all, traffic was dropped) is different from what i was seeing, i got connection refused (traffic was actively denied, so a TCP RST was returned to me).
12:04 <neildugan> tomreyn, that was via a NAT port forward set up in the router via the web-interface into a different VM
12:05 <tomreyn> neildugan: the second part of the command would allow me (or anyone) to connect to the netcat (nc) process on your lxc host, which you start in the first part. this netcat process only accepts an incoming tcp connection and responds to it with the text 'You are connected.'. it doesn't grant any means of running commands on your system
12:05 <neildugan> ok
12:06 <tomreyn> neildugan: you don't need to trust me there, though, pick any port for nc and (the same) for upnpc and try it with canyouseeme.org or a similar service of your choice.
12:07 <tomreyn> the idea there is to ensure that your router actually does the port forwarding from the internet
12:07 <neildugan> ok those commands have been done
12:09 <tomreyn> neildugan: i just seem to have connected fine. you should see my connection on the terminal window you ran 'nc' on
12:10 <tomreyn> i didn't get to see the expected output, though, and my connection was dropped after it had been established
12:10 <neildugan> tomreyn, I don't, but I do see my test it
12:11 <tomreyn> neildugan: how / where from did you test?
12:11 <tomreyn> oh, it worked this time
12:12 <neildugan> ah, now I see your connection, I have an externally hosted VM
12:12 <tomreyn> so now you should see my connection attempt, from an ip address ending 101.119
12:12 <neildugan> yes
12:12 <neildugan> tomreyn, from mue-88-130-101-119.dsl.tropolys.de 56240 received!
12:13 <tomreyn> so port forwarding does work generally on the router
12:13 <neildugan> tomreyn, so if the VM's sshd_config was wrong in some way, wouldn't the attempt still show up in /var/log/auth.log
12:14 <tomreyn> it is possible that you need to enable ip forwarding on your lxc host.
12:15 <tomreyn> whether or not the connection attempt would still show on the lxc guest's /var/log/auth.log would depend on whether or not sshd is binding to the right ip address and port on the lxc guest.
12:15 <tomreyn> luckily, you can repeat the same 'nc' test on the lxc guest
12:17 <tomreyn> i.e. stop the ssh server on the lxc guest, then verify the port forwarding to its port 30000 is still configured, using upnpc -l
12:17 <neildugan> the modem has a 'ping' diagnostic ... it can ping the VM
12:18 <tomreyn> okay, but this doesn't tell you too much about whether tcp traffic would reach it, and would be returned to where it was initiated from
12:19 <tomreyn> 'ping' (icmp echo request / response) is a different ip protocol than tcp, and is much more simple (which is why it is a good first test, but not as meaningful as a tcp data transfer test)
12:22 <neildugan> tomreyn, I was just seeing if the modem could initiate a connection to the VM. I set up the same test as before on port 6001 on the VM, it seems to work.
12:23 <tomreyn> neildugan: good. but you really want to test this from the internet
12:23 <neildugan> tomreyn, I did, from my external VM
12:24 <tomreyn> oh, so you can now reach port 6001 on the lxc *guest* from the internet?
12:24 <tomreyn> neildugan: ^
12:24 <neildugan> tomreyn, port 6001 is redirected to the VM
12:25 <tomreyn> if you can reach port 6001 on the lxc *guest* from the internet, then all that's left to diagnose is the ssh server configuration.
12:26 <neildugan> hang on a sec, I am going to test with port 30000
12:27 <neildugan> can't do that, 30000 is in use by sshd
12:28 <tomreyn> and it should be :)
12:28 <tomreyn> you could stop the ssh service temporarily
12:29 <tomreyn> systemctl stop ssh
12:29 <tomreyn> then you could run the looped 'nc' command on port 30000 as we did above
12:31 <tomreyn> i still get:    nc: connect to [your wan/internet ipv4] port 30000 (tcp) failed: Connection refused
12:32 <neildugan> here is the sshd_config .... I can't see anything wrong... https://paste.ubuntu.com/p/qCNmQQfyGb/
12:33 <neildugan> tomreyn, atm I am connected to the VM via SSH, so wouldn't stopping the service lock me out.
12:37 <tomreyn> neildugan: if, by 'the VM' you are now referring to the lxc guest on your LAN we are diagnosing, then my answer would be: yes, it would lock you out in terms of ssh. but you will continue to be able to manage it through lxc from the lxc host.
12:37 <whislock> Stopping the ssh service does not terminate your current session.
12:37 <neildugan> I have found something strange here... i disconnected from the VM ... and got in another way... but what I found was that when I set up nc on port 30000 ... it didn't work ... but it does on port 6001
12:38 <tomreyn> whislock: are you sure there? i know that restarting the ssh service doesn't, but stopping it would, doesn't it?
12:39 <whislock> Just stopped it on this system, and I'm still here talking.
12:39 <whislock> So yes. I'm quite certain.
12:39 <tomreyn> whislock: whoops, i guess i should have known this, thanks.
12:40 <ahasenack> cpaelzer: can you import a new package into git-ubuntu?
12:42 <neildugan> tomreyn, I have set up nc on both port 6001 and 30000, and only port 6001 is working... any ideas why the port number seems to be important?
12:42 <tomreyn> neildugan: since you have so far referred to both the lxc guest on your (bridged) LAN (the system you are trying to connect to by ssh) as well as some VM somewhere on the internet as 'VM', using this term is now ambiguous.
12:42 <whislock> What are we trying to accomplish here exactly?
12:45 <tomreyn> neildugan: if you have both nc on the lxc guest on your lan running in listen mode on these ports AND have set up synchronous port forwardings for these ports on the router and you can establish a tcp connection to only one of the two ports from the internet, then this would suggest that your isp blocks connections to one of these ports.
12:45 <neildugan> tomreyn, I suppose so, sorry, but by VM I am referring to my local VM, not the one I am testing from. What I need to do is be able to connect to the local VM from the Internet ... I am using an external VPS to check the connection from the Internet.
12:47 <neildugan> ahh... I wonder if some other use of port 30000 is a problem... and is getting blocked.
12:49 <tomreyn> whislock: neildugan has an lxc guest on his LAN at 10.8.0.134, with ssh binding on port 30000. he uses a network bridging configuration for LXC. he is trying to make this lxc guest's sshd port available from the internet on the same port (30000) by using miniupnpc's demo client 'upnpc' to set up UPNP port forwardings on his internet / WAN router (which is reachable at neildugan's IRC client's public ipv4 address).
12:50 <whislock> One immediately asks... why?
12:51 <neildugan> I want to give limited access to certain resources to some people.
12:51 * tomreyn did not, doesn't consider it an unusual use case
12:51 <whislock> The use case is not unusual. The method is.
12:53 <tomreyn> whislock: you mean you'd prefer a static port forwarding / symmetric NAT configuration on the router?
12:53 <neildugan> I shifted the ssh to port 6001 and had no trouble... all this time wasted because of the ISP ... I have been trying to get this to work for quite a few days now.
12:53 <cpaelzer> ahasenack: I can import
12:53 <ahasenack> cpaelzer: libcloud please
12:54 <cpaelzer> ahasenack: are you looking for a one-off import or to include something in the regular automation
12:54 <cpaelzer> ?
12:54 <whislock> Yes. UPnP is a security nightmare.
12:54 <michal_f> hello. I can't do: apt install lxc
12:54 <ahasenack> cpaelzer: well, I don't know what our policy is
12:54 <michal_f> should I add any repos?
12:54 <ahasenack> cpaelzer: if we don't import, then I can't make an MP, and it will be a debdiff
12:54 <michal_f> package is not found
12:54 <cpaelzer> ahasenack: so far I have imported some as one-off which was fine - if it turned out to be a regular need I made a suggestion to add it to the whitelist
12:55 <whislock> tomreyn: The right way to do this is to leave the ssh service port as the default, and forward whatever desired public port to the service's IP/port.
12:55 <cpaelzer> ahasenack: I'd do a one-shot import now, ok?
12:55 <ahasenack> cpaelzer: make it so
12:55 <ahasenack> :)
12:55 <ahasenack> thanks
12:55 <kstenerud> morning!
12:56 <ahasenack> hello kstenerud
12:56 <tomreyn> whislock: so asymmetric nat, yes this can be a little easier, but not much.
12:56 <neildugan> whislock, yes I know, but as port 30000 was being blocked (unknown to me) when I tried by using external port 30000 -> internal 22 it did work, I tried other things.
12:57 <whislock> tomreyn: It's FAR easier, and it's the right way to do things.
12:57 <tomreyn> neildugan: pointing this out earlier could have helped ;)
12:58 <neildugan> tomreyn, thanks for all the help.
12:58 <tomreyn> neildugan: you're welcome
12:59 <neildugan> tomreyn, pointing out what .... I said I was using port 30000 and I was trying to use SSH ... what did I miss
12:59 <sdeziel> michal_f: do you want to use LXC/LXD containers?
13:00 <michal_f> actually I'm following instructions to install Zulip server https://zulip.readthedocs.io/en/latest/development/setup-vagrant.html#ubuntu
13:00 <michal_f> a development installation
13:02 <sdeziel> michal_f: oh OK. They use the old lxc which I'm not familiar with, sorry
13:02 <tomreyn> neildugan: diagnosing this could have been easier if you had previously stated that an asymmetric nat configuration (WAN port 30000 to LAN port 22) failed to work (and how). but don't worry about it now.
13:02 <michal_f> sdeziel, thanks! any tips at all I could follow?
13:03 <sdeziel> michal_f: I don't know zulip but maybe you could join their chat: https://zulip.readthedocs.io/en/latest/contributing/chat-zulip-org.html
13:04 <neildugan> tomreyn, ok .... but it failed in exactly the same manner ... just 'connection refused' .... anyway thanks
13:08 <cpaelzer> ahasenack: it imported 8 versions and then died on a http 410 - retrying and taking a look
13:09 <ahasenack> ok
13:09 <cpaelzer> always seems to break on 0.5.0-1
13:09 <ahasenack> I still hit this bug every now and then when using git-ubuntu build-source
13:09 <ahasenack> FileNotFoundError: [Errno 2] No such file or directory: '.pc'
13:09 <ahasenack> that's 410 again?
13:10 <ahasenack> gone
13:10 <cpaelzer> gone it is
13:10 <ahasenack> 0.5.0 is the first one we have in lp
13:10 <ahasenack> https://launchpad.net/debian/+source/libcloud
13:10 <ahasenack> hm, no
13:10 <ahasenack> publishing history has more
13:11 <tomreyn> michal_f: you are probably affected by #1783129
13:11 <tomreyn> https://bugs.launchpad.net/subiquity/+bug/1783129
13:11 <ubottu> Launchpad bug 1783129 in subiquity "Only "main" component enabled after install" [High,Confirmed]
13:11 <tomreyn> neildugan: okay, then ignore my remark, sorry.
13:12 <cpaelzer> ahasenack: I was playing around with arguments, but I can't get it like libcloud
13:12 <ahasenack> cpaelzer: n/m then, it's a simple diff
13:12 <michal_f> tomreyn, thx. looking into it
13:13 <ahasenack> thanks for trying
13:13 <neildugan> where would I make a suggestion on an improvement to the UI
13:17 <michal_f> tomreyn, that was it. thank you
13:21 <tomreyn> you're welcome, michal
13:23 <tomreyn> ahasenack: is there a chance to have a 18.04.1 live-server (subiquity) installer iso rebuild (i.e. before .2) to help people affected by this (and maybe some of the other more serious bugs in it)?
13:24 <tomreyn> the 'cannot install package' issue affects a lot of users from what i see on irc.
13:25 <tomreyn> (and it's not immediately obvious what the cause is / what they need to search for to find a fix)
13:26 <tomreyn> alternatively, a hint on this could be placed in the (network/canonical) generated motd 'news' (unless this is strictly reserved for marketing purposes).
13:27 <ahasenack> tomreyn: yeah, I know, I pinged about this
13:27 <ahasenack> tomreyn: dpb1 is back today, maybe he can do something about it
13:30 <tomreyn> thanks
14:13 <ahasenack> cpaelzer: I attached a debdiff to the bug, and local dep8 runs. Bileto is still running: https://bugs.launchpad.net/ubuntu/+source/libcloud/+bug/1788931
14:13 <ubottu> Launchpad bug 1788931 in libcloud (Ubuntu) "FTBFS libcloud does not work or build with py3.7" [Undecided,In progress]
14:13 <ahasenack> cpaelzer: this basically disables py3.7 support, since it's not working, and upstream is aware
14:15 <kstenerud> ahasenack: Can you help me set up virtual networking that will allow a VM to talk to a container? I keep hitting dead ends trying to configure bridges and virtual interfaces
14:15 <kstenerud> trying to get an IPA server and an IPA client to talk to each other
14:16 <kstenerud> but keep getting things like: libvirtError: error creating macvtap interface macvtap0@vethWG668H (52:54:00:6d:b9:15): Device or resource busy
14:16 <ahasenack> hm
14:17 <ahasenack> kstenerud: are both (vm and container) on the same host?
14:17 <kstenerud> yes
14:17 <ahasenack> kstenerud: don't use macvtap then
14:17 <ahasenack> kstenerud: when creating the network with libvirt,
14:17 <cpaelzer> kstenerud: could you be rather brute and just make lxd and this VM use the same bridge?
14:18 <cpaelzer> might need to make sure that only one has a dhcp server on it
14:18 <ahasenack> kstenerud: and I use virt-manager for that (the gui), I just tell it to create a bridge, nat, and forward to any physical interface
14:18 <ahasenack> I don't even have to put them on the same bridge, the host can route between them
14:18 <kstenerud> TBH I have no idea what I'm doing. I have an existing br0 running, and that just exposes anything that uses it directly to the lan, which is fine
14:19 <cpaelzer> kstenerud: who does dhcp on that br0?
14:19 <kstenerud> but when I try to connect a kvm to it via virtual manager, my two options are NAT and macvtap
14:19 <kstenerud> dhcp is another machine on the lan
14:19 <cpaelzer> kstenerud: ok just a sec
14:20 <cpaelzer> kstenerud: you want to create a new network in libvirt as outlined at https://netplan.io/examples#bridging
14:20 <kstenerud> There seem to be two different places to set up networking on vmm
14:20 <cpaelzer> kstenerud: essentially put that in a .xml and run "virsh network define filename.xml"
14:20 <cpaelzer> then you have a new network called br0
14:20 <RoyK> a new nic
14:20 <cpaelzer> and even in virt manager you can then select that as an alternative to the default network
14:20 <RoyK> not a network
14:20 <cpaelzer> when you edit the nic
14:21 <cpaelzer> virsh net-define I meant
14:21 <cpaelzer> thanks RoyK
14:21 <cpaelzer> but I meant him to create a new "network" in the sense of a libvirt network with a name and an associated configuration
14:21 <RoyK> bridging is nice for VMs or containers
14:22 <RoyK> sometimes you want them on a separate VLAN, if so, configure the bridge to set up one etc
14:22 <RoyK> mostly you don't need that
14:22 <cpaelzer> ack
14:23 <kstenerud> hmm I have br0 on this machine somehow. It's not defined anywhere that I can see in /etc
14:23 <kstenerud> # brctl show br0
14:23 <kstenerud> bridge name     bridge id               STP enabled     interfaces
14:23 <kstenerud> br0             8000.fee2613aae5b       no              vethMBNVBM
14:23 <RoyK> kstenerud: pastebin output of "ip r" and "ip a"
14:23 <RoyK> kstenerud: don't paste it here
14:23 <RoyK> !pastebin
14:23 <ubottu> For posting multi-line texts into the channel, please use https://paste.ubuntu.com | To post !screenshots use https://imgur.com/ !pastebinit to paste directly from command line | Make sure you give us the URL for your paste - see also the channel topic.
14:24 <kstenerud> https://paste.ubuntu.com/p/cFBhndyYWK/
14:24 <kstenerud> The lan is 10.5.0.0/16
14:25 <kstenerud> dhcp is from 10.5.0.1
14:25 <RoyK> you don't want an ip address on the bridged interface
14:25 <RoyK> that is - if your physical is eth0, you don't want an ip on that - only on the bridge
14:27 <ahasenack> cpaelzer: hold off on that review, I also actually need to fix the py3.7 incompatibility. The package is installable with just that debdiff, but I need more to unblock the strongswan migration (long chain of dep8 tests)
14:29 <ahasenack> and upstream seems more responsive in github than in jira
14:29 <ahasenack> surprise! :)
14:31 <cpaelzer> ahasenack: ok holding back
15:10 <ahasenack> kstenerud: did you see cpaelzer's comment in https://code.launchpad.net/~kstenerud/ubuntu/+source/openssh/+git/openssh/+merge/353531 ?
15:11 <ahasenack> kstenerud: you should have gotten an email about it
15:12 <kstenerud> Oh yes I see it
15:12 <kstenerud> I'm not sure what it means...
15:12 <ahasenack> it means it's your last chance to make changes :)
15:13 <ahasenack> he is ready to upload it for you
15:13 <kstenerud> oh ok :)
=== jelly-home is now known as jelly
16:39 <ahasenack> kstenerud: make sure you are subscribed to bug #1771340 so you don't miss it when the SRU team accepts it, or wants to get in touch with you
16:39 <ubottu> bug 1771340 in openssh (Ubuntu Xenial) "sshd failed on config reload" [Low,In progress] https://launchpad.net/bugs/1771340
=== Sven_vB_ is now known as Sven_vB
22:16 <lob0> hi!
=== Tahvok_ is now known as Tahvok
=== Sven_vB_ is now known as Sven_vB

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!