[05:25] <cpaelzer> good morning
[06:19] <lordievader> Good morning
[11:23] <neildugan> I have been trying to use upnpc to open up an external access (for ssh) to a lxc VM ... but every time I try to connect (with ssh) I get a "connection refused" error ... but I can find no indication in the VM that a connection was even attempted ... can anyone help here?
[11:24] <tomreyn> neildugan: does the configuration change take place on the router the upnpc is talking to, though?
[11:25] <neildugan> tomreyn, I think so upnpc -l returns a line "TCP 30000->10.8.0.134:30000 'libminiupnpc' '' 14400"
[11:26] <neildugan> tomreyn, I have also setup ssh to listen to that port.
[11:27] <tomreyn> neildugan: does the router also report that this configuration has been applied?
[11:28] <neildugan> tomreyn, no idea, there appears to be no way to interrogate (via web interface) anything about upnp (except it being enabled)
[11:30] <tomreyn> neildugan: i see. so i'm afraid i forgot how lxc does networking. does it do bridging, nat or routing?
[11:31] <neildugan> tomreyn, this VM is connected to my LAN (via a bridged interface) that has the router on it.
[11:32] <tomreyn> ok, so the lxc host (the main ubuntu system) has a different IP address than 10.8.0.134, but one on the same subnmet?
[11:32] <tomreyn> *subnet
[11:32] <neildugan> tomreyn, yes, and I just tested to make sure the VM can ping the router directly.
[11:33] <tomreyn> neildugan: do you have another computer on the same subnet?
[11:33] <neildugan> yes
[11:34] <tomreyn> neildugan: can you connect to 10.8.0.134:30000 from the ubuntu lxc host? nc -vv 10.8.0.134 30000
[11:35] <tomreyn> (ignore my question about other computer on the same subnet for now, this is now unrelated)
[11:36] <neildugan> tomreyn, yes that connected
[11:38] <tomreyn> i just tried to connect to your public ip address on tcp port 30000, and the connection was refused.
[11:39] <tomreyn> is this the external ip address you're trying to port forward?
[11:39] <neildugan> tomreyn, I can also ssh in with the ssh -p 30000 10.8.0.134
[11:40] <tomreyn> from where?
[11:40] <neildugan> the lxc host
[11:41] <tomreyn> neildugan: can you try this from the other computer on the same subnet, too?
[11:41] <tomreyn> you didn't comment on my connection attempt, on purpose?
[11:44] <neildugan> tomreyn, was that last message for me?  I did ssh in via port 30000 from a different computer
[11:44] <tomreyn> neildugan: yes it was: i just tried to connect to your public ip address on tcp port 30000, and the connection was refused.
[11:45] <neildugan> yea that is my problem
[11:45] <tomreyn> so this is a router issue.
[11:46] <neildugan> tomreyn, I think so, but all the examples I have found for upnpc don't say I need to do anything else to get a connection.
[11:46] <tomreyn> you could try deleting, then re-adding the port redirection using upnpc. but with a router behaving so unreliably, i guess i would rather try to set up port forwarding statically.
[11:47] <tomreyn> some routers will accept the port forwarding configuration but not actually forward traffic unless you also enable a upnp option (such as on their web interface)
[11:48] <neildugan> tomreyn, when you tried to connect it should have said 'permission denied public key'  not 'connection refused'
[11:48] <tomreyn> it would have, if port forwarding had actually taken place, yes
[11:48] <neildugan> tomreyn, the upnp is enabled.
[11:49] <tomreyn> but apparently your router or a firewall between the router and the lxc guest just drops the traffic.
[11:50] <tomreyn> it may be a good idea to try port forwarding a port to the lxc host first, and to test whether this is reachable form the internet.
[11:50] <neildugan> tomreyn, the only firewall operational for that VM is on the router.
[11:50] <tomreyn> this way you save some complexity
[11:51] <neildugan> I thought it would be fairly simple myself that is why I am testing it.... but something unknown is wrong.
[11:52] <tomreyn> run this on the lxc host: while true; do echo 'You are connected.' | nc -vv -l 6000; sleep 2; done
[11:53] <tomreyn> then run this in a separate terminal window on the lxc host, substituting LXCHOST by the lxc hosts' LAN ip address: upnpc -a LXCHOST 6000 6000 TCP
[11:54] <tomreyn> confirm the symmetric port forwarding for port 6000 to the lxc host was correctly configured using 'upnpc -l'
[11:54] <tomreyn> then tell me to test it.
[11:54] <tomreyn> neildugan: ^
[11:55] <tomreyn> you can also use a service like this to test it (specify port 6000): http://canyouseeme.org/
[11:56] <neildugan> I was just testing an already set up port forward to a different VM. it isn't working either, I am getting a 'Connection timed out' error with that one.
[12:01] <neildugan> tomreyn, if I understand the second part, this will allow you into the host computer?
[12:03] <tomreyn> neildugan: 'connection timed out' (no response was received at all, traffic was dropped) is different from what i was seeing, i got connection refused (traffic was actively denied, so a TCP RST was returned to me).
[12:04] <neildugan> tomreyn, that was via a NAT port forward setup in the router via the web-interface into a different VM
[12:05] <tomreyn> neildugan: the second part of the command would allow me (or anyone) to connect to the netcat (nc) process on your lxc host, which you start in the first part. this netcat process only accepts an incoming tcp connection and responds to it with the text 'You are connected.'. it doesn't grant any means of running commands on your system
[12:05] <neildugan> ok
[12:06] <tomreyn> neildugan: you don't need to trust me there, though, pick any port for nc and (the same) for upnpc and try it with canyouseeme.org or a similar service of your choice.
[12:07] <tomreyn> the idea there is to ensure that your router actually does the port forwarding from the internet
[12:07] <neildugan> ok those commands have been done
[12:09] <tomreyn> neildugan: i just seem to have connected fine. you should see my connection on the terminal window you ran 'nc' on
[12:10] <tomreyn> i didn't get to see the expected output, though, and my connection was dropped after it had been established
[12:10] <neildugan> tomreyn, I don't, but I do see my test
[12:11] <tomreyn> neildugan: how / where from did you test?
[12:11] <tomreyn> oh, it worked this time
[12:12] <neildugan> ah, now I see your connection. I have an externally hosted VM
[12:12] <tomreyn> so now you should see my connection attempt, from an ip address ending 101.119
[12:12] <neildugan> yes
[12:12] <neildugan> tomreyn, from mue-88-130-101-119.dsl.tropolys.de 56240 received!
[12:13] <tomreyn> so port forwarding does work generally on the router
[12:13] <neildugan> tomreyn, so if the VMs sshd_config was wrong in some way wouldn't the attempt still show up in /var/log/auth.log
[12:14] <tomreyn> it is possible that you need to enable ip forwarding on your lxc host.
[12:15] <tomreyn> whether or not the connection attempt would still show on the lxc guests' /var/log/auth.log would depend on whether or not sshd is binding to the right ip address and port on the lxc guest.
[12:15] <tomreyn> luckily, you can repeat the same 'nc' test on the lxc guest
[12:17] <tomreyn> i.e. stop the ssh server on the lxc guest, then verify the port forwarding to its port 30000 is still configured, using upnpc -l
[12:17] <neildugan> the modem has a 'ping' diagnostics ... it can ping the VM
[12:18] <tomreyn> okay, but this doesn't tell you too much about whether tcp traffic would reach it, and would be returned to where it was initiated from
[12:19] <tomreyn> 'ping' (icmp echo request / response) is a different ip protocol than tcp, and is much simpler (which is why it is a good first test, but not as meaningful as a tcp data transfer test)
[12:22] <neildugan> tomreyn, I was just seeing if the modem could initiate a connection to VM.  I set up the same test as before on port 6001 on the VM it seems to work.
[12:23] <tomreyn> neildugan: good. but you really want to test this from the internet
[12:23] <neildugan> tomreyn, I did, from my external VM
[12:24] <tomreyn> oh, so you can now reach port 6001 on the lxc *guest* from the internet?
[12:24] <tomreyn> neildugan: ^
[12:24] <neildugan> tomreyn, port 6001 is redirected to the VM
[12:25] <tomreyn> if you can reach port 6001 on the lxc *guest* from the internet, then all that's left to diagnose is the ssh server configuration.
[12:26] <neildugan> hang on a sec I am going to test with port 30000
[12:27] <neildugan> can't do that 30000 is in use by sshd
[12:28] <tomreyn> and it should be :)
[12:28] <tomreyn> you could stop the ssh service temporarily
[12:29] <tomreyn> systemctl stop ssh
[12:29] <tomreyn> then you could run the looped 'nc' command on port 30000 as we did above
[12:31] <tomreyn> i still get:    nc: connect to [your wan/internet ipv4] port 30000 (tcp) failed: Connection refused
[12:32] <neildugan> here is the sshd_config .... I can't see anything wrong... https://paste.ubuntu.com/p/qCNmQQfyGb/
[12:33] <neildugan> tomreyn, atm I am connected to the VM via SSH so wouldn't stopping the service lock me out?
[12:37] <tomreyn> neildugan: if, by 'the VM' you are now referring to the lxc guest on your LAN we are diagnosing, then my answer would be: yes, it would lock you out in terms of ssh. but you will continue to be able to manage it through lxc from the lxc host.
[12:37] <whislock> Stopping the ssh service does not terminate your current session.
[12:37] <neildugan> I have found something strange here... i disconnected from the VM ... and got in another way... but what I found was that when I setup nc on port 30000 ... it didn't work ... but it does on port 6001
[12:38] <tomreyn> whislock: are you sure there? i know that restarting the ssh service doesn't, but stopping it would, wouldn't it?
[12:39] <whislock> Just stopped it on this system, and I'm still here talking.
[12:39] <whislock> So yes. I'm quite certain.
[12:39] <tomreyn> whislock: whoops, i guess i should have known this, thanks.
[12:40] <ahasenack> cpaelzer: can you import a new package into git-ubuntu?
[12:42] <neildugan> tomreyn, I have setup nc on both port 6001 and 30000 , and only port 6001 is working... any ideas why the port number seems to be important?
[12:42] <tomreyn> neildugan: since you have so far referred to both the lxc guest on your (bridged) LAN (the system you are trying to connect to by ssh) as well as some VM somewhere on the internet as 'VM', using this term is now ambiguous.
[12:42] <whislock> What are we trying to accomplish here exactly?
[12:45] <tomreyn> neildugan: if you have both nc on the lxc guest on your lan running in listen mode on these ports AND have set up synchronous port forwardings for these ports on the router, and you can establish a tcp connection to only one of the two ports from the internet, then this would suggest that your isp blocks connections to one of these ports.
[12:45] <neildugan> tomreyn, I suppose so, sorry, but by VM I am referring to my local VM not the one I am testing from.   What I need to do is be able to connect to the local VM from the Internet ... I am using an external VPS to check the connection from the Internet.
[12:47] <neildugan> ahh... I wonder if some other use of port 30000 is a problem... and is getting blocked.
[12:49] <tomreyn> whislock: neildugan has an lxc guest on his LAN at 10.8.0.134, with ssh binding on port 30000. he uses a network bridging configuration for LXC. he is trying to make this lxc guest's sshd port available from the internet on the same port (30000) by using miniupnpc's demo client 'upnpc' to set up UPNP port forwardings on his internet / WAN router (which is reachable at neildugan's IRC client's public ipv4 address).
[12:50] <whislock> One immediately asks... why?
[12:51] <neildugan> I want to give limited access to certain resources to some people.
[12:51]  * tomreyn did not, doesn't consider it an unusual use case
[12:51] <whislock> The use case is not unusual. The method is.
[12:53] <tomreyn> whislock: you mean you'd prefer a static port forwarding / symmetric NAT configuration on the router?
[12:53] <neildugan> I shifted the ssh to port 6001 and had no trouble... all this time wasted because of the ISP ... I have been trying to get this to work for quite a few days now.
[12:53] <cpaelzer> ahasenack: I can import
[12:53] <ahasenack> cpaelzer: libcloud please
[12:54] <cpaelzer> ahasenack: are you looking for a one-off import or to include something in the regular automation
[12:54] <cpaelzer> ?
[12:54] <whislock> Yes. UPnP is a security nightmare.
[12:54] <michal_f> hello. I can't do: apt install lxc
[12:54] <ahasenack> cpaelzer: well, I don't know what our policy is
[12:54] <michal_f> should I add any repo's ?
[12:54] <ahasenack> cpaelzer: if we don't import, then I can't make an MP, and it will be a debdiff
[12:54] <michal_f> package is not found
[12:54] <cpaelzer> ahasenack: so far I have imported some as one-off which was fine - if it turned out to be a regular need I made a suggestion to add it to the whitelist
[12:55] <whislock> tomreyn: The right way to do this is to leave the ssh service port as the default, and forward whatever desired public port to the service's IP/port.
[12:55] <cpaelzer> ahasenack: I'd do a one-shot import now ok?
[12:55] <ahasenack> cpaelzer: make it so
[12:55] <ahasenack> :)
[12:55] <ahasenack> thanks
[12:55] <kstenerud> morning!
[12:56] <ahasenack> hello kstenerud
[12:56] <tomreyn> whislock: so asymmetric nat, yes this can be a little easier, but not much.
[12:56] <neildugan> whislock, yes I know, but as port 30000 was being blocked (unknown to me) when I tried by using external port 30000 -> internal 22 it did work I tried other things.
[12:57] <whislock> tomreyn: It's FAR easier, and it's the right way to do things.
[12:57] <tomreyn> neildugan: pointing this out earlier could have helped ;)
[12:58] <neildugan> tomreyn, thanks for all the help.
[12:58] <tomreyn> neildugan: you're welcome
[12:59] <neildugan> tomreyn, pointing out what .... I said I was using port 30000 and I was trying to use SSH ... what did I miss
[12:59] <sdeziel> michal_f: do you want to use LXC/LXD containers?
[13:00] <michal_f> actually I'm following instructions to install Zulip server https://zulip.readthedocs.io/en/latest/development/setup-vagrant.html#ubuntu
[13:00] <michal_f> a development installation
[13:02] <sdeziel> michal_f: oh OK. They use of the old lxc which I'm not familiar with, sorry
[13:02] <tomreyn> neildugan: diagnosing this could have been easier if you had previously stated that an asymmetric nat configuration (WAN port 30000 to LAN port 22) failed to work (and how). but don't worry about it now.
[13:02] <michal_f> sdeziel, thanks! any tips at all I could follow ?
[13:03] <sdeziel> michal_f: I don't know zulip but maybe you could join their chat: https://zulip.readthedocs.io/en/latest/contributing/chat-zulip-org.html
[13:04] <neildugan> tomreyn, ok .... but it failed in exactly the same manner ... just 'connection refused' .... anyway thanks
[13:08] <cpaelzer> ahasenack: it imported 8 versions and then died on a http 410 - retrying and taking a look
[13:09] <ahasenack> ok
[13:09] <cpaelzer> always seems to break on 0.5.0-1
[13:09] <ahasenack> I still hit this bug every now and then when using git-ubuntu build-source
[13:09] <ahasenack> FileNotFoundError: [Errno 2] No such file or directory: '.pc'
[13:09] <ahasenack> that's 410 again?
[13:10] <ahasenack> gone
[13:10] <cpaelzer> gone it is
[13:10] <ahasenack> 0.5.0 is the first one we have in lp
[13:10] <ahasenack> https://launchpad.net/debian/+source/libcloud
[13:10] <ahasenack> hm, no
[13:10] <ahasenack> publishing history has more
[13:11] <tomreyn> michal_f: you are probably affected by #1783129
[13:11] <tomreyn> https://bugs.launchpad.net/subiquity/+bug/1783129
[13:11] <tomreyn> neildugan: okay, then ignore my remark, sorry.
[13:12] <cpaelzer> ahasenack: I was playing around with arguments, but I can't get it like libcloud
[13:12] <ahasenack> cpaelzer: n/m then, it's a simple diff
[13:12] <michal_f> tomreyn, thx. looking into it
[13:13] <ahasenack> thanks for trying
[13:13] <neildugan> where would I make a suggestion on an improvement to the UI
[13:17] <michal_f> tomreyn, that was it. thank you
[13:21] <tomreyn> you're welcome, michal
[13:23] <tomreyn> ahasenack: is there a chance to have a 18.04.1 live-server (subiquity) installer iso rebuild (i.e. before .2) to help people affected by this (and maybe some of the other more serious bugs in it)?
[13:24] <tomreyn> the 'cannot install package' issue affects a lot of users from what i see on irc.
[13:25] <tomreyn> (and it's not immediately obvious what the cause is / what they need to search for to find a fix)
[13:26] <tomreyn> alternatively, a hint on this could be placed in the (network/canonical) generated motd 'news' (unless this is strictly reserved for marketing purposes).
[13:27] <ahasenack> tomreyn: yeah, I know, I pinged about this
[13:27] <ahasenack> tomreyn: dpb1 is back today, maybe he can do something about it
[13:30] <tomreyn> thanks
[14:13] <ahasenack> cpaelzer: I attached a debdiff to the bug, and local dep8 runs. Bileto is still running: https://bugs.launchpad.net/ubuntu/+source/libcloud/+bug/1788931
[14:13] <ahasenack> cpaelzer: this basically disables py3.7 support, since it's not working, and upstream is aware
[14:15] <kstenerud> ahasenack: Can you help me set up virtual networking that will allow a VM to talk to a container? I keep hitting dead ends trying to configure bridges and virtual interfaces
[14:15] <kstenerud> trying to get an IPA server and an IPA client to talk to each other
[14:16] <kstenerud> but keep getting things like: libvirtError: error creating macvtap interface macvtap0@vethWG668H (52:54:00:6d:b9:15): Device or resource busy
[14:16] <ahasenack> hm
[14:17] <ahasenack> kstenerud: are both (vm and container) on the same host?
[14:17] <kstenerud> yes
[14:17] <ahasenack> kstenerud: don't use macvtap then
[14:17] <ahasenack> kstenerud: when creating the network with libvirt,
[14:17] <cpaelzer> kstenerud: could you be rather brute and just make lxd and this VM use the same bridge?
[14:18] <cpaelzer> might need to make sure that only one has a dhcp server on it
[14:18] <ahasenack> kstenerud: and I use virt-manager for that (the gui), I just tell it to create a bridge, nat, and forward to any physical interface
[14:18] <ahasenack> I don't even have to put them on the same bridge, the host can route between them
[14:18] <kstenerud> TBH I have no idea what I'm doing. I have an existing br0 running, and that just exposes anything that uses it directly to the lan, which is fine
[14:19] <cpaelzer> kstenerud: who does dhcp on that br0 ?
[14:19] <kstenerud> but when I try to connect a kvm to it via virtual manager, my two options are NAT and macvtap
[14:19] <kstenerud> dhcp is another machine on the lan
[14:19] <cpaelzer> kstenerud: ok just a sec
[14:20] <cpaelzer> kstenerud: you want to create a new network in libvirt as outlined at https://netplan.io/examples#bridging
[14:20] <kstenerud> There seem to be two different places to set up networking on vmm
[14:20] <cpaelzer> kstenerud: essentially put that in a .xml and run "virsh network define filename.xml"
[14:20] <cpaelzer> then you have a new network called br0
[14:20] <RoyK> a new nic
[14:20] <cpaelzer> and even in virt manager you can then select that as an alternative to the default network
[14:20] <RoyK> not a network
[14:20] <cpaelzer> when you edit the nic
[14:21] <cpaelzer> virsh net-define I meant
[14:21] <cpaelzer> thanks RoyK
[14:21] <cpaelzer> but I meant him to create a new "network" in the sense of a libvirt network with a name and an associated configuration
[14:21] <RoyK> bridging is nice for VMs or containers
[14:22] <RoyK> sometimes you want them on a separate VLAN, if so, configure the bridge to setup one etc
[14:22] <RoyK> mostly you don't need that
[14:22] <cpaelzer> ack
[14:23] <kstenerud> hmm I have br0 on this machine somehow. It's not defined anywhere that I can see in /etc
[14:23] <kstenerud> # brctl show br0
[14:23] <kstenerud> bridge name	bridge id		STP enabled	interfaces
[14:23] <kstenerud> br0		8000.fee2613aae5b	no		vethMBNVBM
[14:23] <RoyK> kstenerud: pastebin output of "ip r" and "ip a"
[14:23] <RoyK> kstenerud: don't paste it here
[14:23] <RoyK> !pastebin
[14:24] <kstenerud> https://paste.ubuntu.com/p/cFBhndyYWK/
[14:24] <kstenerud> The lan is 10.5.0.0/16
[14:25] <kstenerud> dhcp is from 10.5.0.1
[14:25] <RoyK> you don't want an ip address on the bridged interface
[14:25] <RoyK> that is - if your physical is eth0, you don't want an ip on that - only on the bridge
[14:27] <ahasenack> cpaelzer: hold off on that review, I also actually need to fix the py3.7 incompatibility. The package is installable with just that debdiff, but I need more to unblock the strongswan migration (long chain of dep8 tests)
[14:29] <ahasenack> and upstream seems more responsive in github than in jira
[14:29] <ahasenack> surprise! :)
[14:31] <cpaelzer> ahasenack: ok holding back
[15:10] <ahasenack> kstenerud: did you see cpaelzer's comment in https://code.launchpad.net/~kstenerud/ubuntu/+source/openssh/+git/openssh/+merge/353531 ?
[15:11] <ahasenack> kstenerud: you should have gotten an email about it
[15:12] <kstenerud> Oh yes I see it
[15:12] <kstenerud> I'm not sure what it means...
[15:12] <ahasenack> it means it's your last chance to make changes :)
[15:13] <ahasenack> he is ready to upload it for you
[15:13] <kstenerud> oh ok :)
[16:39] <ahasenack> kstenerud: make sure you are subscribed to bug #1771340 so you don't miss it when the SRU team accepts it, or wants to get in touch with you
[22:16] <lob0> hi!