[00:02] <tomreyn> ty
[00:03] <tomreyn> keithzg[m]: it'd be good to discuss which ubuntu version you're running /upgrading from/to there.
[00:04] <keithzg[m]> In theory filed a Debian one too, but maybe I screwed up the pseudo-headers since I haven't gotten any automatic reply
[00:06] <keithzg[m]> tomreyn: Fair enough, I guess I figured in this case it's so clearly a packaging-related issue that the Postfix version from upstream was the only really relevant part.
[00:07] <tomreyn> true, but still, it'll need to be filed against *something*, and ideally that what the original reporter (you) is using.
[00:08] <keithzg> Yeah, makes sense.
[00:09]  * keithzg[m] is now tempted to open a wishlist bug for Launchpad itself for adding distro releases to the "affects" options ;)
[00:10] <tomreyn> those exist, but unfortunately only those with bug triage + higher access levels seem to be able to set them.
[00:49] <nacc> tomreyn: keithzg: anyone can request they be added, but only appropriate folks can approve them
[01:00] <tomreyn> nacc: even wehn logged in, i am unable to set the affected distribution version (codename) on the 'affects' field.
[01:02] <tomreyn> what i can do is 'also affects project' and 'Also affects distribution/package', but neither of these (as far as i can tell) allow me to set the codename of an affected ubuntu release.
[03:10] <ftmh17> hello
[03:12] <ftmh17> anybody here ?
[03:12] <ftmh17> this is so confusing
[03:13] <ftmh17> need some help
[03:13] <ftmh17> anybody
[03:17] <mason> ftmh17: State your question(s) and if someone can answer they will.
[03:18] <RoyK> !ask
[03:18] <ubottu> Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience
[03:18] <mason> Fine, one-up me.
[03:20] <mason> !cn
[03:20] <ubottu> 如欲獲得中文的協助，請輸入 /join #ubuntu-cn 或 /join #ubuntu-tw
[03:20]  * mason searches scrollback for \![a-z]
=== beatzz_ is now known as elsheepo
[06:05] <lordievader> Good m orning
[09:30] <[twisti]> im trying to (temporarily) do the following: on ubuntu server L, i am running a VPN client that allows me to connect to an ftp server F on 192.168.... now, on windows client W, on the same network as L, i would like to connect to F. ideally, i would like to set up L so that W can ftp connect to L as if L was the ftp server, without ever needing to know about the forwarding (because in
[09:30] <[twisti]> reality we got lots of Ws that we dont want to configure if we dont have to)
[09:34] <TvL2386> we're talking about this in #ubuntu at the moment
[11:15] <TJ-> Although apache2-bin (for 18.04) includes mod_http2, do we need to also add a specific "Protocols" directive to enable it?
[11:26] <cpaelzer> TJ-: "a2enmod http2" I'd thnik
[11:26] <cpaelzer> and
[11:26] <cpaelzer> echo "Protocols h2c h2 http/1.1" >> /etc/apache2/apache2.conf
[11:26] <cpaelzer> so yes
[11:36] <TJ-> cpaelzer: right, I was surprised there's no documentation or a template .conf file for it
[11:37] <TJ-> Unless you already know a specific Protocols is required, it might appear "a2enmod http2" is all that is required since there's not an accompanying .conf file
[12:04] <cpaelzer> TJ-: do you think having this line in /etc/apache2/mods-available/http2.conf would make sense?
[12:04] <cpaelzer> then a2enmod would enable/disable it along the module
[12:06] <cpaelzer> it is sort of hard to "guess" right as the order defines the preferred protocol
[12:06] <cpaelzer> maybe the same, but commented out with some text to explain
[12:10] <ahasenack> good morning
[12:24] <TJ-> cpaelzer: I think it should be documented in a comment in the .load file, which ought to point to an explanation in /usr/share/doc/apache2-bin/ or apache2/. Adding the Protocol line should be dependent on SSL being enabled /and/ available (probably best in the vhost TLS site definition guarded by a "<IfDefine SSL> -> <IfModule http2_module> ..." stanza )
[12:33] <cpaelzer> TJ-: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880993
[12:33] <ubottu> Debian bug 880993 in src:apache2 "enable http2 protocol when http2 module is enabled" [Wishlist,Open]
[12:33] <cpaelzer> you might give that bug a bump essentially asking for the same
[12:34] <TJ-> cpaelzer: that looks like someone stole my thoughts :D
[12:57] <cpaelzer> wb rbasak
[13:42] <ahasenack> cpaelzer: is the systemd task needed in https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1791220 ?
[13:42] <ubottu> Launchpad bug 1791220 in open-vm-tools (Ubuntu) "increased crash rate since 10.3 upgrade is available" [Undecided,In progress]
[13:42] <cpaelzer> ahasenack: no more
[13:43] <ahasenack> ok
[13:43] <cpaelzer> ahasenack: done
[14:04] <ahasenack> rbasak: hi, wanna take on https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1791018 ?comment #3 has a link to a debian commit to make tests on supported platforms fail the build
[14:04] <ubottu> Launchpad bug 1791018 in mysql-5.7 (Ubuntu) "self-test errors do not break the build" [Low,Triaged]
[14:08] <cpaelzer> ahasenack: the udev timeout change is ready for review as well
[14:08] <Skuggen> ahasenack: That commit was applied long ago :)
[14:10] <Skuggen> ahasenack: The question is more if it should be expanded. I did a test to debug the related test issues he reported, to https://launchpad.net/~mysql-ubuntu/+archive/ubuntu/mysql-5.7/+packages, where I changed it so test failures always caused build failures
[14:11] <ahasenack> Skuggen: but the bug says the errors do not break the build
[14:11] <Skuggen> Looks pretty good, though arm64 is still waiting for a build
[14:11] <ahasenack> or was that only for non i386/amd64?
[14:11] <Skuggen> ahasenack: On unsupported platforms
[14:11] <ahasenack> ah, ok
[14:11] <Skuggen> Test failures currently break the build on i386 and amd64
[14:11] <ahasenack> good then
[14:12] <ahasenack> n/m
[14:12] <cpaelzer> ahasenack: lol - I just see that my MP update is on workspace #8 on the small screen and not submitted. No wonder you asked if the udev changes were ready :-)
[14:12] <ahasenack> cpaelzer: do tell
[14:12] <ahasenack> I probably made the same mistakey yesteray in a bug I spent 1h troubleshooting
[14:12] <ahasenack> never pressed submit, or maybe I did and lp timed out
[14:12] <ahasenack> comment dropped :/
[14:14] <cpaelzer> yeah happened to me as wel lin the past, thought I'm on another window and double-esc killed the update
[14:14] <cpaelzer> LP needs something like https://xkcd.com/1915/ with warning sounds each 5 minutes :-)
[14:18] <ahasenack> kstenerud: did you see my review comment in https://code.launchpad.net/~kstenerud/ubuntu/+source/postfix/+git/postfix/+merge/354654 ?
[14:19] <ahasenack> kstenerud: also, since I grabbed the canonical-server slot there, could you please request another review from canonical-server, so it shows up again in our queue at https://code.launchpad.net/~canonical-server/+activereviews ?
[14:23] <kstenerud> ok
[15:55] <nacc> tomreyn: you don't see a "nominate for series" button?
[15:56] <nacc> ahasenack: that's an interesting point too, is that in the doc?
[15:56] <nacc> *docs
[15:57] <ahasenack> nacc: which point?
[15:57] <nacc> ahasenack: about re-adding the review slots?
[15:57] <nacc> ahasenack: it seems like a common pattern in some cases
[15:57] <ahasenack> no, that only happens when a "community review" is done
[15:57] <ahasenack> so no, not in the docs
[15:58] <ahasenack> actually, in this case it was as if I had taken the canonical-server slot
[15:58] <ahasenack> because I'm a member
[15:58] <ahasenack> n/m the community review comment
[15:58] <ahasenack> bottom line, we are not supposed to take the "canonical-server" slot as that is what makes the review appear in the +activereviews queue for that group
[15:59] <ahasenack> I wanted to add a comment to the MP, and LP saw I'm a member of canonical-server, and took up that slot for me, even though I just wanted to add a comment
[16:00] <nacc> yeah, it's something for your team to note
[16:00] <nacc> i guess is what i meant
[16:01] <nacc> and will potentially apply in the future too, if we do it via some meta-who-can-upload-label
[16:01] <nacc> we actually don't want it to drop off the 'to-review' queue until it's been approved or rejected, i think
[16:03] <ahasenack> I filed a launchpad bug about the queue visibility thing
[16:04] <nacc> cool, maybe add a task for usd-importer, so it also shows up there
[16:05] <nacc> it's a workflow thing, and i'm not sure what's 'right'
[16:05] <ahasenack> the bug is essentially that the mp shouldn't disappear from +activereviews
[16:05] <ahasenack> even when there are no remaining slots
[16:05] <ahasenack> it differs from ~youruser/+activereviews in that regard
[16:09] <nacc> yeah, i think that's accurate
[16:09] <nacc> team vs. user
[16:09] <nacc> but i can see an argument for the current behavior
[16:09] <nacc> the hard part is you start a review, and then you need to stop it; it's not always obvious what you should put 'back' as the reviewer
[16:10] <ahasenack> I want a simple list of open merge proposals
[16:10] <ahasenack> the fact that someone is doing a review isn't closing it
[16:10] <ahasenack> sometimes I think LP is overthinking it
[16:10] <ahasenack> "reviews I can do", "reviews I'm waiting on", etc
[16:11] <ahasenack> the thing is that here, each package is a "project"
[16:11] <ahasenack> essentially
[16:11] <ahasenack> maybe that's confusing things
[16:17] <nacc> yeah, i agree with you
[16:20] <tomreyn> no, i don't  <nacc> tomreyn: you don't see a "nominate for series" button?
[16:27] <nacc> tomreyn: hrm, ok; yeah that's weird
[16:28] <nacc> tomreyn: should you? i can see it, for sure
[16:28] <powersj> nacc, I believe the nominate for series is limited to certain users
[16:37] <tomreyn> right, i'm just a standard boring user, probably just don't have permission to do so (i *think* i said so when we startzed discussing this).
[16:53] <ahasenack> right, I can only nominate for some packages, for many I need to ask someone else. And it's not about upload rights, although the set might intersect that, as I know of other people who can't upload a thing but can accept nominations for anything
[17:12] <ahasenack> rbasak: didn't you have a way to launch an openvpn within a network namespace, so that only other processes in that namespace would see the vpn network?
[17:12] <ahasenack> or were you attempting that, and never finished?
=== kevr is now known as nvidia
=== nvidia is now known as nvidia-
[17:18] <nacc> tomreyn: powersj: ah sorry, i misunderstood, i thought tomreyn said they did have permission but didn't see it.
[17:21] <tomreyn> no, no, i'm just a lousy vagrant, clicking on whatever i can click on.
[17:21] <tomreyn> so, it's fine as it is ;)
[17:21] <nacc> heh
[17:51] <ahasenack> stgraber: hey, I suppose you have tried to use openvpn inside lxd containers already, right? Found your blog post from 2014 for lxc, not lxd. I'm trying now in a bionic lxd, but I'm getting this error:
[17:51] <ahasenack> openvpn_execve: unable to fork: Resource temporarily unavailable (errno=11)
[17:51] <ahasenack> I already removed LimitNPROC=10 from the systemd service file, but no dice
[17:51] <ahasenack> any tips?
[17:52] <ahasenack> dmesg on the host shows a denied mount attempt by openvpn, which is odd
[17:52] <sdeziel> ahasenack: IIRC the LimitNPROC needs to be removed in the host context
[17:53] <sdeziel> last I heard, rlimits were not namespace aware
[17:55] <stgraber> ahasenack: all I have here is "LimitNPROC=infinity" in an override
[17:55] <stgraber> ahasenack: but that's under 16.04, it may well be that the unit has since changed in more recent releases
[17:56] <ahasenack> I did a grep for NPROC on the host
[17:56] <stgraber> ahasenack: the mount error sounds like it may be using something like PrivateMount or some similar Private* options?
[17:56] <ahasenack> got this for lxd itself, infinity
[17:56] <ahasenack> stgraber: i see privatetmp
[17:56] <stgraber> sdeziel: you can apply rlimits in containers, just not ones that are higher than your container's, setting LimitNPROC=infinity on the openvpn@ unit avoids systemd trying to set it to some other value
[17:57] <stgraber> ahasenack: that may be it, can you try turning that off?
[17:57] <ahasenack> didn't change the denied error
[17:57] <ahasenack> [20900.386502] audit: type=1400 audit(1536688629.438:199): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-bionic-intel-vpn_</var/lib/lxd>" name="/bin/" pid=31710 comm="(openvpn)" flags="ro, remount, bind"
[17:57] <ahasenack> (I did daemon-reload in the container)
[17:57] <sdeziel> stgraber: ah, that's what I was referring to then, I remembered wrong :)
[17:58] <ahasenack> not sure if that is fatal, though
[17:58] <stgraber> ahasenack: odd, the comm="(openvpn)" suggests it actually was openvpn itself, that's pretty weird
[17:58] <stgraber> ahasenack: what LXD version?
[17:58] <stgraber> I thought we pushed a change to allow ro,remount,bind
[17:58] <ahasenack> error I have is https://pastebin.ubuntu.com/p/2N3gDqYvC7/
[17:58] <ahasenack> stgraber: 3.0.1-0ubuntu1~18.04.1
[17:58] <ahasenack> bionic
[17:59] <ahasenack> not the snap
[17:59] <ahasenack> the container itself is bionic too
[18:00] <ahasenack> this is an unprivileged container, nothing fancy, no extra devices allowed in the profile
[18:00] <ahasenack> nor denied
[18:01] <stgraber> ahasenack: ok, so 3.0.1 pre-dates that particular apparmor policy fix, so if that DENIED is the source of the issue, we have what should be a fix for it already
[18:04] <ahasenack> stgraber: do you have a oneliner to add to apparmor?
[18:06] <stgraber> ahasenack: https://paste.ubuntu.com/p/msqMCqPm79/
[18:06] <stgraber> ahasenack: putting that in raw.apparmor should make it behave like LXD 3.0.2
[18:07] <stgraber> ahasenack: alternatively you could set security.nesting to true which would then also allow those mounts
[18:09] <ahasenack> let me try that setting, one liner, and see if that fixes it
[18:09] <ahasenack> lxc config set <container> security.nesting true
[18:09] <ahasenack> ?
[18:09] <stgraber> yeah
[18:10] <ahasenack> ok, no denied error
[18:10] <ahasenack> but it still failed to fork
[18:10] <ahasenack> nice, that was live, without restarts
[18:11] <stgraber> ahasenack: can you show `systemctl cat openvpn@`?
[18:13] <ahasenack> stgraber: https://pastebin.ubuntu.com/p/p7Hd3WJX8S/
[18:13] <ahasenack> it has 2 changes already: privatetmp=false (was true), and LimitNPROC commented
[18:17] <ahasenack> hm
[18:17] <ahasenack> the actual @config service I'm using still has LimitNPROC=20
[18:18] <ahasenack> stgraber: worked now
[18:19] <ahasenack> stgraber: I changed the wrong openvpn*.service file wrt LimitNPROC
[18:19] <ahasenack> there is openvpn.service, openvpn@.service, openvpn-client@.service, openvpn-server@.service
[18:20] <ahasenack> openvpn-client@.service still had it
[18:22] <stgraber> ahasenack: oh, that's way more units than I'm used to :)
[18:22] <ahasenack> yeah, it changed in bionic, they (upstream) split client and server
[18:30] <stgraber> ahasenack: the rlimit thing at least should be fixable in systemd by having it detect the error and move on, so effectively letting it set lower values but ignoring higher ones (logging something is fine though)
[18:31] <boxrick> Hello, I want to get rid of the double quotes in the AWK in this statement. fdisk -l | grep '^/dev/[a-z]*[0-9]' | awk '$2 == "*"'
[18:31] <boxrick> Any sensible suggestions ?
[18:34] <boxrick> Or even better a sed like alternative
[18:42] <tomreyn> maybe fdisk -l | grep -E '^/dev/[a-z]*[0-9][[:space:]]+\*[[:space:]]'
[18:44] <tomreyn> boxrick: ^
[18:45] <BrianBlaze> good day beautfuls, I know how to add a route using route add... but I am unsure exactly where to put the route to make it permanent after a reboot. on ubuntu 18
[18:45] <boxrick> Thanks tom :)
[18:46] <tomreyn> :)
[18:47] <tomreyn> BrianBlaze: there's no "ubuntu 18", do you mean 18.04.1 LTS?
[18:48] <sdeziel> BrianBlaze: there is an example on how to add routes in https://netplan.io/examples#multiple-addresses-with-multiple-gateways
[18:48] <BrianBlaze> yes I do and tanks
[18:48] <BrianBlaze> thanks*
[18:48] <tomreyn> if you're asking about ubuntu 18.10 instead, this will be released in october (as the .10 indicates), ask about it in #ubuntu+1
[18:49] <BrianBlaze> I mean 18.04.1 LTS :)
[18:49] <tomreyn> cool. in case you are still going to set routes manually, use 'ip route', not just "route"
[18:50] <BrianBlaze> oh? it worked with route... wierd
[18:50] <sdeziel> route is the old deprecated way
[18:50] <BrianBlaze> gotcha
[18:50] <BrianBlaze> get used to ip route :)
[18:51] <tomreyn> !releasenotes
[18:51] <ubottu> Ubuntu 18.04 (Bionic Beaver) release notes can be found here: https://wiki.ubuntu.com/BionicBeaver/ReleaseNotes
[18:51] <tomreyn> ^ would tell so, IIRC
=== led_dark_2 is now known as led_dark_1
[19:21] <kstenerud> Regarding https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1010625
[19:21] <ubottu> Launchpad bug 1010625 in logwatch (Ubuntu) "named logs are not being reported in logwatch" [Medium,Fix released]
[19:22] <kstenerud> It looks from the comments that there's a quick fix that can be applied to logwatch to solve 90% of the problems in one go
[19:22] <kstenerud> Two possibilities:
[19:22] <kstenerud> 1: Remove 'LogFile = messages' from the conf files so that it searches for the locations itself
[19:23] <kstenerud> 2: Just hardcode syslog instead of messages
[19:23] <kstenerud> I'm not sure which is the better solution. Anyone want to chime in?
[19:25] <ahasenack> kstenerud: iirc there is some sort of overriding that can happen in logwatch
[19:25] <ahasenack> kstenerud: it has config directories, and there is one for distro overrides
[19:25] <ahasenack> ubuntu has LogFile = <rightthing> in there iirc
[19:26] <ahasenack>  /usr/share/logwatch default.conf/ and dist.conf/
[19:27] <ahasenack> default.conf has all its content using "LogFile = messages"
[19:27] <kstenerud> So if that points to the right file, we can remove 'LogFile = messages' from the individual conf files then?
[19:27] <ahasenack> if this overriding works as intended, I wouldn't touch that setting in the default.conf/ files
[19:28] <ahasenack> I would make whatever changes we have to make in the dist.conf/ tree
[19:28] <kstenerud> I'm not up on the history of this. Was everything going to messages before? It looks like things are being sent to syslog in a bunch of (if not all) cases?
[19:28] <ahasenack> maybe all that's needed is setting LogFile=syslog in dist.conf/logwatch.conf?
[19:28] <ahasenack> I think messages was just an upstream choice, RH systems I think used to log there
[19:32] <kstenerud> But now for example dhcpcd.conf has Logfile = messages
[19:32] <kstenerud> So that would override the basic config I think?
[19:33] <kstenerud> (even though the basic config also sets it to messages)
[19:33] <kstenerud> But if I changed the top level config to syslog, these configs would still set to messages right?
[19:35] <kstenerud> There are 72 config files that explicitly set the logfile
[19:35] <ahasenack> dhcpd.conf only exists in the default.conf tree, ok
[19:36] <ahasenack> it's my understanding settings in dist.conf override default.conf
[19:37] <ahasenack> see /usr/share/doc/logwatch/HOWTO-Customize-LogWatch.gz
[19:38] <ahasenack> in the dhcpd case, it's possible that the dhcpcd package (whatever it's called) ships a logwatch file
[19:38] <ahasenack> but I haven't checked
[19:39] <kstenerud> OK I'll take a look. Just need to be sure of how the override rules work (i.e. default/iptables.conf vs dist/ with no iptables.conf - does it take config from the specific conf under default, or does it take the override from dist/top-level-config?)
=== nvidia- is now known as kevr
[19:45] <ahasenack> kstenerud: I don't know
[19:45] <ahasenack> some experimenting is needed, looks like
[20:16] <TJ-> kstenerud: I wasn't able to reproduce the Strongswan issues despite doing some extensive messing about with it (my issue is a Cisco IOS device not playing nicely with the Linux strongswan, but I also set up a strongswan/charon IKEv1 config to mirror how IOS is supposed to work)
[20:20] <kstenerud> TJ-: Thanks. I think since we can't get any confirmation on the bug one way or the other, we'll let it sit for now. Hopefully the bug reporter can get back to us on how to reproduce the issue reliably!
[20:22] <TJ-> kstenerud: in other news, persuade everyone to swith to Wireguard. I had the pleasure to deploy it this week and it is a joy to config/use :) I've wasted a lot of my life on configuring IPsec and openvpn!
[20:27] <jelly> but does it do p2p if possible?  Oh it seems it does >  the server itself changes its own endpoint, and sends data to the clients, the clients will discover the new server endpoint and update the configuration just the same. Both client and server send encrypted data to the most recent IP endpoint for which they authentically decrypted data. Thus, there is full IP roaming on both ends.
[20:32] <TJ-> jelly: of course if both ends change IP address at the same time, whilst not talking, it will fail until poked using "wg set peer <pubkey> endpoint <address>"
[20:34] <jelly> I'm currently usi^H^H^Htesting a semi-abandoned vpn that has a central point (of failure) for reregistering itself
[20:41] <kneeki> Hey all, I'm trying to create a script that checks if apache2 is running and if not start it. https://pastebin.com/rPQ9Tq7Z --- Unfortunately I'm given the error:  line 14: service: command not found ‘service apache2 status’ was was not ‘active (running)’. Executing: service apache2 start
[21:01] <nacc> kneeki: what version of ubuntu?
[21:02] <kneeki> 17.10
[21:02] <nacc> kneeki: systemctl is-active apache2
[21:03] <nacc> kneeki: you're also not checking errors, etc.
[21:04] <kneeki> oh cool. You're right, I'm not checking for errors. =\
[21:05] <nacc> kneeki: the reason your output is like that is you are only redirecting stdout
[21:05] <nacc> kneeki: fwiw, checking the output of `service status` is also wrong, i think you should be looking at return codes only
[21:06] <kneeki> Ah, that'd be a much better way.
[21:09] <nacc> kneeki: also, what are you trying to fix? apache crashing?
[21:10] <kneeki> I've checked /var/log/apache2/error.log and /var/log/syslog without any luck as to why apache2 seems to be stopping or crashing so I'm making this script to run as a cron job
[21:10] <sdeziel> kneeki: I don't know if others mentioned it but 17.10 is EOL, just an FYI
[21:11] <kneeki> Yeah, I intend to update to 18.04.1 - just haven't yet. -.-
[21:11] <TJ-> kneeki: systemd units can be configured to restart if it exits
[21:13] <kneeki> Oh that sounds perfect!
[21:14] <TJ-> kneeki: see "man 5 systemd.service" and the "Restart=" option, plus it's associated timeouts, etc
[21:14] <TJ-> s/it's/its/
[21:16] <kneeki> Reading up on that now - thank you!
[21:55] <kneeki> Looks like systemd is the perfect solution. Any idea's on how I'd crash apache2 to see if it's working?
[21:57] <TJ-> kneeki: you could send the process a SIGTERM, as in "sudo pkill apache2"
[21:59] <raidghost> hmm. didnt know that was a valid command. but thanks for the info TJ- ;)
[22:24] <kneeki> ah delicious. Thanks TJ
[22:38] <keithzg> I suppose the difference between pkill and just good ol' killall is that pkill doesn't by default have to match the process name exactly?
[22:46] <nacc> keithzg: pkill is a lot more powerful than killall
[22:46] <nacc> in the sense of control