/srv/irclogs.ubuntu.com/2018/10/03/#ubuntu-server.txt

=== berglh_ is now known as berglh
=== ShaRose_ is now known as ShaRose
=== trekkie1701c_ is now known as trekkie1701c
=== StathisA_ is now known as StathisA
lordievaderGood morning07:39
muhahaxnox: ping08:23
muhahaI am still wrestling with resolv.conf, seems that if I delete/recreate /etc/resolv.conf, install libnss-resolve everything works ok, except snx binary, seems that this binary can not use libnss-resolve to look inside systemd-resolved and can not connect. Is there any fallback solution like replace whole systemd-resolved ?  Thanks08:25
muhahacan https://packages.ubuntu.com/bionic/resolvconf replace systemd-resolved ? like: systemctl stop systemd-resolved.service; systemctl disable systemd-resolved.service; systemctl mask systemd-resolved; apt install -y resolvconf08:28
muhaha ?08:28
muhahaSeems that I need also dnsmasq if stub resolver will be disabled, right?08:30
andolmuhaha: resolvconf and systemd-resolved are not equivalent in any way. dnsmasq makes more sense as a possible replacement for systemd-resolved.08:36
andolmuhaha: But really, reading some more of the backlog, what is your end goal, and what do you want to accomplish which you can't accomplish with your current setup?08:37
Vic2I see nothing that offers any information concerning virtual ethernet ... we have several IP addresses on the server and in the past created virtual ethernet for each ... how to accomplish now?08:56
Vic2Ubuntu 18.04 uses "netplan" instead of "ifupdown" to configure network devices / IP addresses. I've not found sufficient documentation to demonstrate how to configure multiple IPs such as we have on Ubuntu 14.04.  Can you offer a link or practical advice please?08:56
Vic2Sorry ... copy/pasted those two lines from another channel out of order.08:58
andolVic2: You basically provide a list of addresses. There is an example in netplan(5) man page which among other things has such an example.08:58
muhahaandol: I am using SNX binary (VPN client) which modifies /etc/resolv.conf. Problem is that SNX can not edit /etc/resolv.conf directly (I found /etc/resolv.conf.bak created by SNX), so VPN connection is established (routes are ok), but nameservers and search-domains are not updated...09:34
antalmuhaha: nothing can modify resolv.conf in 18.04, netplan rewrites it on every occasion09:35
muhahaThat's the problem09:35
antalyes I've been pulling my hair out because of netplan.... and everyone else does too based on last week's IRC activity, it's been a common topic09:36
rbasakI don't think netplan writes resolv.conf. Isn't that systemd-resolved?09:37
antalmuhaha: did you edit your .yaml file correctly?09:38
antalif you did simply "netplan apply" should update those settings09:38
muhahaantal: I am using Vagrant, which uses some cloud-init.yml and another custom one09:38
antalI mean netplan's .yaml config09:39
antalyou can declare nameservers and search-domain there09:39
muhahaI would have to use some kind of wrapper and parsing method to populate netplans.yaml based on results from VPN client09:39
antalalso, if you have multiple entries.... the trick is the /etc/nsswitch.conf file09:40
rbasakIn a systemd-resolved world the VPN client should tell resolved the nameservers needed over the VPN09:40
muhahayea, but it's obscure binary blob...09:41
rbasakIt's pretty well documented09:41
rbasakOh, you mean the VPN client?09:41
muhahayes09:41
rbasakSeems to me that you're struggling with systemd/networkd/resolved though, rather than netplan09:42
antalnetplan forces a lot of things sadly :/09:42
muhahaIt's Checkpoint SNX (x86) client -> I can not modify its behavior. It's just setting /etc/resolv.conf directly..09:43
muhahaSo unless systemd-resolved can not handle loading different /etc/resolv.conf .. i am screwed09:44
rbasakIt does according to the manpage - if you make it a plain text file and not a symlink09:44
rbasakI don't know what else might interfere with that though09:44
rbasakresolvconf perhaps, which might need removing09:44
rbasakThen your VPN client can be in charge of maintaining /etc/resolv.conf.09:44
antaland then your netplan doesn't give a damn about resolv.conf and just rewrites it to default on every occasion :P09:46
muhahaI am not using resolvconf09:46
rbasakFile a bug against netplan then please09:48
rbasakThough a workaround is to not use netplan. Write your .network files for networkd directly09:48
antalsadly, this is a feature09:49
blackflownetplan is just config abstraction using a backend - networkd or NM. it's so easy to just not use netplan if it doesn't work for your use case.09:50
blackflowpersonally, netplan and systemd-resolved are two things nuked out first on every new installation.09:50
UssatI like netplan09:50
rbasakUnfortunately more complex use cases need something more advanced to manage things.09:51
rbasakDNS resolution is an example - on complex networks, it matters where your name queries are going09:51
Ussatrbasak, more advanced than netplan ?09:52
UssatI know came in late09:52
rbasakMore advanced than ifupdown09:52
Ussatahh yes09:52
rbasakAnd resolvconf, etc09:52
UssatI have been very happy since netplan hit09:52
lordievader> personally, netplan and systemd-resolved are two things nuked out first on every new installation.09:56
lordievaderSame here, along with lx{c,d} and snapd.09:56
rbasaklxd is _really_ handy for finding reproducers and bugs09:57
rbasak(and on the production side, for testing deployment snippets)09:57
muhahablackflow: So what is proper replacement for systemd-resolved? Not use netplan and .. ?09:57
rbasakYou could install ifupdown. Don't configure netplan. Remove resolvconf (if it's installed). And manage /etc/resolv.conf yourself.09:58
rbasakOr with the nameservers stanza in ifupdown, though I don't remember how that works exactly. Does ifupdown edit /etc/resolv.conf in that case?09:58
muhahadnsmasq can populate resolv.conf from dhcpclient?09:59
rbasakThere are a ton of options available.09:59
rbasakGetting help will become harder the more obscure you go of course.09:59
blackflowmuhaha: everything that existed before systemd-resolved. for starters, you don't need a local resolver at all. dhcp and resolvconf worked and still work. glibc can resolve just fine based on resolv.conf nameserver entries.10:00
blackflowmuhaha: granted, systemd-resolved has additional APIs, based on dbus, but this chan and discussion being about servers, question is do you need dbus api activated resolving on your server.10:00
blackflowtypically, you'll have static network setup and upstream resolver ips you stick into resolv.conf and then no need for dhcp, resolvconf, dnsmasq or anything like that.10:01
muhahaI just want to have backward compatibility from upstream (dhcp server) and also have an option to directly populate /etc/resolv.conf10:03
blackflowmuhaha: "backward compatibility"?  either you do dhcp or static config. and the two are mutually exclusive wrt "directly populating /etc/resolv.conf"10:05
blackflowin that you either manually manage resolv.conf or via dhcp (including forcing nameserver entries via dhcp config)10:05
muhaharesolvconf is enough then, it's symlinked after installation, resolv.conf is populated from my VPN client, and has STUB listener entry... , problem can be if nameservers are used with round robin algo, cuz, first 2 nameservers are populated by VPN client, last one is localhost from systemd-resolved....10:07
blackflowtoo much trouble. if I needed VPN I'd run bind or unbound locally on that machine. much less hassle and much less things can go wrong.10:10
muhahahm, anyway thanks10:19
* ahasenack tries to remember what he did with brotli14:00
ahasenackrbasak: checking brotli14:02
sdezielspeaking of brotli, I wonder if having it in main would make it easier to have nginx support it14:03
sdezielteward: ^ any idea?14:04
ahasenacksdeziel: there is a mir for it14:04
sdezielahasenack: yep, saw it :)14:04
ahasenackit looks like it's in main14:04
sdezielit is14:04
ahasenackrmadison shows src in main, but binaries still in universe14:04
sdezielwas pulled in this AM with Firefox update14:05
sdezielahasenack: I think the src in main and binary in universe is because only libbrotli1 was needed in main14:06
ahasenacksdeziel: ah, sure14:06
ahasenackrbasak: I think I checked on brotli when an apache2 merge came along, as debian added it as a build-depends14:10
ahasenackbut it's in main now14:10
rbasakOK, thanks14:11
ahasenackrbasak: for a non-merge git-ubuntu branch, how do I push the upload tag? Does git ubuntu tag --upload do the right thing?14:17
rbasakahasenack: it should do the right thing, yes. That'll create the tag locally. Then you can check and push the tag to pkg.14:18
ahasenackok14:18
ahasenackrbasak: so I'm on karl's branch, I ran the tag command, it created the right tag, then I "git push pkg <upload-tag-name>", right?14:19
rbasakahasenack: correct14:20
ahasenackrbasak: since it's seeded, the upload was held for approval, should I push the tag anyway? I guess we can easily fix/remove tags if needed14:21
rbasakahasenack: yeah push the tag anyway. I'd do it before dput to avoid a race. Being held in the queue is an unfortunate edge case for which we have no current solution, except to remove/replace the tag later if needed.14:23
ahasenackok14:24
=== ossurayynot is now known as tonyyarusso
tewardsdeziel: ERR: No Scrollback, can you provide me more details?16:16
tewardi'm confused by context / question16:16
tewardno scrollback before [2018-10-03 10:02:25] <ahasenack> rbasak: checking brotli  <--- that16:16
tewardso :|16:16
tewardahasenack: rbasak: sdeziel: is brotli a compression algo or something?16:17
tewardahasenack: rbasak: sdeziel: if you intend to ship it in nginx-core then yes it *must* be in main assuming it adds additional runtime deps16:17
tewardif we don't intend to ship it in nginx core but in nginx-light, nginx-full, or nginx-extras, then we don't have to worry16:18
tewardbut if we want to include in nginx-core we'll need the security team to ack it16:18
teward(cc sarnold)16:18
tewardsdeziel: rbasak: third party modules were previously NACK'd on the MIR for 14.0416:18
tewardbecause of wildly different coding styles16:18
tewardwhich is why we created nginx-core without third party modules.  if ngx_brotli is the plugin we need to add, then it needs security team audit first16:19
tewardif they NACK it then it can only go in the Universe flavors16:19
tewardbut it probably wouldn't be for this cycle, it'd probably be for next.16:19
ahasenackteward: libbrotli1 is in main16:34
ahasenack(cosmic)16:34
ahasenackI was just looking at it because there is an sru request16:35
tewardahasenack: ah.  well AFAICT to get Brotli into NGINX it needs a third party module16:35
tewardthat'd require MIR / security team review if we want it in nginx-core16:35
tewardless of a concern for the non-Main flavors16:35
tewardbut the only plugin I can find for it is 3 years old without any development changes currently.16:35
ahasenackthe sru is about brotli for xenial iirc, it would be a NEW package there16:35
ahasenackthen someone remembered nginx could use it, that's all16:36
tewardahasenack: with a plugin, yes, it can.16:36
tewardbut it'd still need sarnold's review first16:36
tewardand it'd need a HELL of a good reason to be added to Xenial given it doesn't really fit the SRU to add that into NGINX on Xenial16:37
tewardat least, per SRU policy it doesn't fit16:37
tewardfor Cosmic, it's a bit late in the cycle to add it to nginx, for 19.04 I could look into it16:37
tewardbut it'd still need sec team review - sdeziel rbasak ^16:37
tewardsdeziel: rbasak: note that it'd add a significant delta from Debian, perhaps this should be requested there first?16:38
tewardI know we already have a pretty substantial delta already, but.16:38
sdezielteward: sorry, was out for lunch. I just wanted to know if you had plan for brotli support in nginx. Yeah, getting it from Debian would make sense16:43
=== jrwren_ is now known as jrwren
tewardsdeziel: getting it from Debian would make sense...17:28
tewardsdeziel: but given the only code I can find that adds that support is from Google and hasn't had any code changes for 3 years17:29
tewardit'd need sarnold to give it a thorough review for Main consideration17:29
tewardeven if it originated in Debian17:29
tewardI'd still suggest it for Debian17:29
tewardand then we'll determine later if Debian adds it17:29
sdezielteward: I was not asking for MIR specifically17:29
tewardsdeziel: well, that's the thing17:30
tewardsdeziel: it's not a dynamic module17:30
tewardsdeziel: so it has to be compiled into the executable at compile time.  for which flavors of the NGINX binary would you want this to target?17:30
tewardor rather, be included in?17:30
sdezielteward: right, would that mean it should go upstream first ? (in an ideal world)?17:30
tewardsdeziel: in the ideal world, yes.17:30
tewardit wouldn't go into nginx-core which is Ubuntu specific without sarnold reviewing it17:31
sdezielteward: OK so I know where to take it next if I really feel like having brotli ;)17:31
tewardsdeziel: Debian.17:31
teward:P17:31
sdezielor NGINX17:31
tewardsdeziel: NGINX if you want it included as a core module17:31
tewardDebian if you want https://github.com/google/ngx_brotli included directly17:31
tewardbut if you ask NGINX to add it, expect it to be "An Eternity" before it's available17:31
tewardor for them to NACK it.17:31
tewardsdeziel: you could probably gauge upstream's care about it by emailing nginx-devel's mailing list17:32
sdezielI'm surprised that Cloudflare didn't push for upstream inclusion17:32
tewardsdeziel: but consider a headache here - there used to be gzip encryption - it's disabled by default thanks to CVEs17:32
tewardwhich is another consideration factor if you intend to use brotli in-line with HTTP for compression17:33
teward(Just saying)17:33
sdezielI'd have to revisit this as I don't see how compressing just .css and .js would be dangerous17:34
tewardsdeziel: do you have a comparison spec for brotli vs. gzip?17:34
tewardsdeziel: https://trac.nginx.org/nginx/ticket/79817:35
teward^ that's the nginx trac ticket asking for it17:35
tewardgoogle preempted by releasing ngx_brotli17:35
teward3 years ago17:35
sdezielteward: thanks. No specific benchmark but found this https://hacks.mozilla.org/2015/11/better-than-gzip-compression-with-brotli/17:35
tewardbeen untouched since 10 months ago, that ticket.17:35
sdezielyeah, that pretty much answers my question, thanks again17:38
* Jenshae blinks like a cow and chews a snack.17:41
JenshaeWhat was all of that about in a simple version?17:41
tewardJenshae: sdeziel was asking how hard it'd be to get NGINX to support Brotli, and then we went on a tirade about how there's only third party plugin support that may not even build because it hasn't been changed in 3 years17:42
teward(and sarnold has said he'd cursory review the code if it doesn't explode violently on compile...)17:42
JenshaeWhat essentially is NGINX and Brotli and what is Brotli meant to do?17:43
tewardNGINX is a web server software17:43
tewardi'll let sdeziel explain brotli17:43
sarnoldbrotli's yet another compression tool17:43
sdezielone that's supported by most browsers17:43
sdezielbut yeah, possibly just another in the big lot :)17:43
JenshaeCompression for video and images?17:44
sdezielJenshae: no, generic compression algo17:45
sdezielfor gory details https://tools.ietf.org/html/rfc793217:45
tewardewwwww this is ugly17:45
tewardsarnold: ^17:45
JenshaeHow would you apply it and why is it needed? For slow connections then the browser decompresses it?17:45
tewardsarnold: it looks like it pulls in a lot of extra brotli deps17:46
tewardinto the source tree17:46
tewardwhich breaks debian17:46
tewardsince it pulls the brotli deps in via git submodules and not libbrotli17:46
sarnoldteward: o_O it's not just a -lbrotli kind of thing?17:46
tewardwhich means I personally am NACKing it17:46
tewardsarnold: correct.17:46
sarnoldyeah. not interested in yet another embedded code copy :)17:46
tewardwhich means Google needs to learn how to actually write plugins.17:46
tewardsdeziel: NACK'd for NGINX17:47
sdezielI had already forgotten about it ;)17:47
teward:P17:47
Jenshae(Sorry, I am just curious, I did a bit of XML 15 years ago and 6 month contract of PHP coding a handful of years ago, both for intranets. That is the closest I have come to web development)17:47
teward*returns to kicking around a firewall*17:47
sarnoldJenshae: in this case it's probably a transparent server-applied compression that the clients then decompress.. the clients send up a header on requests to indicate which compression schemes they can cope with17:48
tewardahah wait a second17:48
tewardsarnold: i think i found a fork that'd work17:48
sarnoldJenshae: zlib's been around forever and everything on the planet supports it, but there are faster systems and there are better compressing systems and sometimes both :)17:48
JenshaeCheers. How is default SNI encryption coming along?17:49
sarnoldI think it's still in the "oh god cloudflare what are you breaking *this* time?" stage. maybe it'll come along.17:50
JenshaeHehehe :D17:50
sdezielteward: the "surviving" fork appears to be https://github.com/eustas/ngx_brotli17:51
JenshaeGitHub still kicking or is there still a steady stream of devs over to GitLab?17:51
sdezielI like what I understood from SNI encryption... leveraging DNSSEC is nice IMHO17:51
tewardsdeziel: yes i'm working with that now17:52
tewardsdeziel: or trying to17:52
tewardsdeziel: if it explodes because it's missing deps/brotli/* then it's still NACK'd17:52
tewardif it doesn't fail, sarnold gets asked to do a cursory code review ;P17:52
sarnold"add ubuntu 18.04 libbrotli-dev path " -- that's a good start, heh17:52
sdezielteward: don't lose time on this, I was just _wondering_/asking if... :P17:53
JenshaeI also like the theory of eSNI and hope it puts a finger in the eye of snooping government officials. (They really want *everything* in the UK and to distribute it across 49 agencies, which would mean leaks galore.)17:53
tewardnot a problem :P17:54
tewardsdeziel: ^17:54
tewardsdeziel: well, it didn't FTBFS17:56
JenshaeFTBFS = ?17:56
sarnoldfail to build from source17:56
JenshaeThanks17:57
tewardsdeziel: going to see if it works in runtime with their examples.17:59
tewardif it doesn't, then it won't work, if it does, sarnold gets the link next :p17:59
tewardsdeziel: i'm going to run a PPA build on this so I can test in containers more easily.  It'll take a bit though, sorry.18:05
tewardsarnold: if you want to review in the interim... https://github.com/eustas/ngx_brotli is the codebase :P18:06
tewardsarnold: though I'm assuming we're going to NACK it for main because third-party :P18:06
teward(but it never hurts to ask, no?)18:06
sdezielteward: no need to be sorry, I have no pressing need for brotli, merely some interest in the tech18:06
tewardsdeziel: indeed.18:06
tewardERR:INTERNETDIED666THEENDISCOMEAPOCALYPSENOW  *goes to fix his internet*18:06
sarnoldteward: maintaining an ubuntu delta from debian to add features or remove features isn't exactly *new*.. but you'd probably need server team interest in it too. :)18:08
tewardsarnold: :P18:08
tewardsarnold: true statement, though.18:08
teward(my IRC connection runs on my phone's internet, it's why i'm still here lol)18:08
sarnoldteward: 90% of it looks pretty good. I'll pop open some issues and see what the responses are..18:14
tewardsarnold: 'cept for the license part18:21
kstenerudin https://dep-team.pages.debian.net/deps/dep3/ what do "forwarded" and "forwarded upstream" mean?18:27
tewardkstenerud: if you would read it it would explain what the forwarded tag means18:49
teward'forwarded upstream' means the patch has been relayed to the upstream developers of the code/program typically18:49
=== ChunkzZ is now known as Z3D0T
=== Z3D0T is now known as Z3DD0T
=== Z3DD0T is now known as Miidlandz
ahasenackkstenerud: about my email, I meant http://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#postfix22:37
ahasenackto keep an eye on that22:37
ahasenackI was on my phone and didn't have the url at hand22:37
