/srv/irclogs.ubuntu.com/2018/10/15/#ubuntu-server.txt

=== cpaelzer_ is now known as cpaelzer
[11:05] <ahasenack> good morning
[13:03] <cpaelzer> jamespage: have you seen any 16.04 impact in regard to nested KVM when openstack models the CPU features (like bug 1797332)?
[13:03] <ubottu> bug 1797332 in qemu (Ubuntu) "qemu nested virtualization is not working with Ubuntu16.04 + Intel CPU" [Undecided,Incomplete] https://launchpad.net/bugs/1797332
[14:14] <sdeziel> /usr/lib/ubuntu-release-upgrader/check-new-release makes outbound HTTPS connections which are blocked here. I'm looking for a way to have it use a HTTP proxy, any pointers?
[14:14] <teward> sdeziel: set your HTTP_PROXY, HTTPS_PROXY, etc. to your non-https-enabled proxy?
[14:15] <teward> and for apt too possibly it'd need it?
[14:15] <sdeziel> teward: I tried a bunch of variations of that and it didn't work
[14:15] <sdeziel> teward: I tried http(s)_proxy and HTTP(S)_PROXY env to no avail
[14:16] <sdeziel> teward: also set Acquire::http(s)::Proxy
[14:19] <sdeziel> I've also added the lower/upper cases vars to /etc/environment...
[14:19] <sdeziel> still a direct connection is attempted
[14:25] <teward> i'd have to go and do some testing, which OS?
[14:25] <teward> s/OS/version/
[14:26] <sdeziel> teward: bionic
[14:27] <teward> give me a minute to debug this evil thing with this other program and i'll do some tests?
[14:27] <teward> (sorry my system's being stupidly stupid today)
[14:28] <sdeziel> teward: I am just wondering what I'm doing wrong and we still have a long time before Bionic becomes EOL ;)
[14:29] <sdeziel> so I have ~ 5 years to address this
[14:29] <teward> :P
[14:31] <plm> Hi all!
[14:31] <ahasenack> rbasak: I was looking at https://code.launchpad.net/~tdaitx/ubuntu/+source/initramfs-tools/+git/initramfs-tools/+merge/355190 and that was already gathered by the importer
[14:31] <ahasenack> rbasak: the mp is still in "needs review" state
[14:32] <rbasak> ahasenack: presumably no upload tag was supplied?
[14:32] <ahasenack> rbasak: would that be because a) it was never switched to "approved"; and b) the upload tag wasn't pushed?
[14:32] <ahasenack> are both of these conditions required, or just the latter perhaps? Do you remember?
[14:33] <ahasenack> rbasak: and, I think it's safe to switch it to "merged", right? I just checked out xenial-devel and it has that code merged via the importer
[14:33] <rbasak> Only the latter is required.
[14:33] <plm> TJ-: Hey! How are you?
[14:34] <plm> TJ-: Did you succeed in making the script?
[14:34] <rbasak> The importer doesn't actually touch any MPs. Launchpad is set to detect when an MP's proposed branch tip hits the target branch and automatically marks it as merged.
[14:34] <rbasak> But that'll only happen if the importer adopted the branch which only happens currently if the upload tag was pushed.
[14:34] <TJ-> plm: working on it right now
[14:35] <ahasenack> rbasak: ah, gotcha
[14:35] <TJ-> sdeziel: there's a workaround for the HTTPS issue; simply change the protocol to HTTP in /etc/update-manager/meta-release  - it is only recently (due to me!) the protocol was changed to support HTTPS
[14:35] <ahasenack> makes sense
[14:36] <ahasenack> cpaelzer: libvirt question, before I dig in deep maybe you have a hint
[14:36] <sdeziel> TJ-: that's no fix :P just a workaround
[14:36] <TJ-> sdeziel: well we lived with it for years :)
[14:36] <ahasenack> cpaelzer: bind9 monitors nic changes and detects when a new nic comes up, and starts listening on it
[14:36] <sdeziel> TJ-: any idea why the proxy vars are ignored?
[14:36] <ahasenack> cpaelzer: for some reason, that isn't working when a libvirt bridge is brought up. I have to restart bind9, even though it detected the new nic and said it was listening on it
[14:37] <ahasenack> cpaelzer: tcpdump also shows no traffic hitting that nic when I do a dig @<nic-ip> test. Only after I restart bind
[14:37] <ahasenack> cpaelzer: a normal bridge, brought up with "brctl addbr br0; ifconfig br0 ...." works, bind listens on it just fine
[14:38] <ahasenack> cpaelzer: any idea what could be going on? I thought maybe firewall rules, but I can't imagine how a bind restart would make it all work
[14:40] <plm> TJ-: gfreat =D
[14:40] <plm> *great
[14:41] <TJ-> sdeziel: I'd guess from looking at the d-r-u code it is related to "from UpdateManager.Core.utils import init_proxy"
[14:42] <cpaelzer> ahasenack: you are looking at the usual default network configuration?
[14:42] <sdeziel> TJ-: thanks, I'll dig in
[14:43] <ahasenack> cpaelzer: yeah, the 192.168.122.0/24 that is brought up
[14:43] <cpaelzer> ahasenack: the only rules that has are for the nat forwarding
[14:43] <ahasenack> or 192.168.121.0/24, if there is a conflict, and so on
[14:43] <cpaelzer> and as you said, a bind restart couldn't fix that anyway
[14:43] <cpaelzer> puzzling for sure
[14:43] <cpaelzer> hmm
[14:44] <TJ-> sdeziel: the changelog for update-manager has "* Add support for HTTPS proxies; this breaks UpdateManager.Core.utils.init_proxy()"
[14:44] <ahasenack> nat, hm, I wonder if bind was rejecting it because of the source address or something. But again, the restart making it work puzzles me
[14:44] <ahasenack> I'll keep digging
[14:44] <cpaelzer> ahasenack: you said bind realizes that it got added and pretends to listen on it
[14:44] <ahasenack> yes
[14:44] <cpaelzer> how do you bring up that libvirt network?
[14:44] <cpaelzer> net-start?
[14:45] <ahasenack> tried that, and also right after install, since postinst brings it up
[14:45] <ahasenack> nic hotplugging works fine as well
[14:45] <ahasenack> via virt-manager
[14:45] <ahasenack> so far I narrowed it down to this libvirt bridge only
[14:48] <cpaelzer> ahasenack: conflicting dns service?
[14:48] <TJ-> sdeziel: maybe juliank can tell us how it gets broken; I can't see why from the code of UpdateManager/Core/utils.py
[14:48] <ahasenack> hmm
[14:48] <ahasenack> cpaelzer: you mean with dnsmasq
[14:48] <cpaelzer> something like that
[14:48] <ahasenack> that's a good hint
[14:48] <cpaelzer> breaking the init
[14:48] <cpaelzer> and the latter restart might succeed (unsure why)
[14:48] <cpaelzer> but worth to keep an eye on when debugging
[14:49] <ahasenack> I need to switch the kernel in this vm
[14:49] <ahasenack> the -virtual kernel has no support for iptables
[14:50] <cpaelzer> dnsmasq certainly has 192.168.122.1:53 bound on a default install
[14:50] <cpaelzer> to provide services to guests
[14:50] <cpaelzer> is that enough as a working theory until falsified ahasenack?
[14:50] <ahasenack> cpaelzer: it is, thanks
[14:51] * cpaelzer stops brain-brabble to IRC link then
[14:54] <cpaelzer> ahasenack: FYI you can try <dns enable='no'/> in the network definition
[14:54] <cpaelzer> even no config would otherwise spawn a default dnsmasq
[15:03] <ahasenack> cpaelzer: this is the other error I'm getting:
[15:03] <ahasenack> https://pastebin.ubuntu.com/p/BkWyF5RbWq/
[15:03] <ahasenack> I wonder if the cause is line 7
[15:03] <ahasenack> line 9 I thought was because of the virtual kernel: iptables -L wouldn't work
[15:03] <ahasenack> but it is working now
[15:04] <ahasenack> let me try bionic
[15:05] <ahasenack> bionic works just fine
[15:10] <ahasenack> hm, I installed using --no-install-recommends
[15:11] * ahasenack lets recommends loose
[15:11] <ahasenack> ok, that fixed it
[15:12] <ahasenack> cpaelzer: you were right, it was dnsmasq \o/
[15:12] <ahasenack> check out who is listening on port 53 before and after the bind9 restart: https://pastebin.ubuntu.com/p/T9847Z8rSN/
[15:12] <ahasenack> on 192.168.122.1
[18:11] <teward> rbasak: sarnold: anyone else who cares: I have multiple requests in email that led to the creation of #1797897 which requests enablement of --with-compat so third party dynamic NGINX modules can be included in local installations without having to be repackaged in for Ubuntu.
[18:11] <teward> for the PPAs it's going to be enabled, but I would like additional inputs on for *Ubuntu* whether it should be enabled.
[18:11] <teward> i think we had a discussion on this before and it led nowhere?
[18:12] <teward> i forget who else was included on the discussion :|
[18:12] <teward> but it'd be needed for people to just add the already built .so into their 'versions' of nginx without having to install additional packages.
[18:13] <teward> (the nginx.org repositories build with --with-compat, not sure why Debian doesn't, though)
[18:13] <teward> (and this wouldn't get in until D-series, I forget what its codename is?)
[18:13] <sarnold> teward: hrm, I'm confused.. here it sounds like --with-company lets folks package their addons separately, but the bug text gives the opposite impression?
[18:19] <teward> sarnold: it's confusing I know
[18:20] <teward> let me dig up the post about it all on nginx.org
[18:21] <teward> sarnold: https://forum.nginx.org/read.php?29,270210,270213#msg-270213 and http://mailman.nginx.org/pipermail/nginx-devel/2018-May/011119.html where I make more inquiries about what it does
[18:21] <teward> sarnold: this WOULD let people compile third party NGINX plugins and use them without first having to compile alongside the existing source code
[18:21] <teward> and they could then theoretically install binary-only packages that'd interact with an existing nginx build
[18:21] <teward> but i had a recent uptick in the requests
[18:22] <teward> literally ten in the past two days from 10 separate individuals
[18:22] <teward> so it's a discussion back on the table
[18:22] <teward> sarnold: NGINX's devels suggest it should be enabled for distros
[18:22] <teward> and nginx.org's repos for NGINX have it, but the question is whether we should
[18:22] <teward> and i pinged you because of the security concern.
[18:22] <teward> --with-compat, not --with-company, by the way
[18:22] <teward> (autocomplete hates you I assume, sarnold?P
[18:23] <sarnold> teward: heh, no, that's just my stupid fingers
[18:23] <sarnold> damn things think they know best
[18:23] <sarnold> the word 'internal' just happens to have several backspaces in it ;)
[18:23] <teward> :P
[18:25] <teward> sarnold: TL;DR, if I have a copy of, say modsecurity for NGINX compiled dynamically, I could include that in a binary build of NGINX separately from the packaging if the nginx binaries were built with --with-compat
[18:25] <teward> *we* wouldn't have to worry about the security of that module since it doesn't sit in the Ubuntu repos from a Sec Team perspective
[18:25] <teward> and it'd be the case of "End User Stupidity" if they fubar their system with a bad plugin
[18:25] <teward> ... which is *technically* why we don't have any new modules in the packages in a long time :P
[18:25] <sarnold> teward: --with-compat sounds like a win to me
[18:26] <teward> sarnold: that's what I think, not sure why Debian never introduced it, even though nginx upstream did.
[18:26] <teward> but i thought i'd ask before I start poking.
[18:26] <teward> I could follow up on the ML but I think i brought this up before...
[18:27] <teward> bleh it's missing
[18:27] <teward> sarnold: i have no issues enabling it, but I thought I'd ask you and rbasak and {anyone else who cares} first before I start planning it
[18:31] <teward> sarnold: if you wish to make a comment from the Ubuntu package perspective https://bugs.launchpad.net/nginx/+bug/1797897 is the tracker for both the PPA and the Ubuntu package, since it's the same issue, but it's not going to be done 'quickly' for Ubuntu.
[18:31] <ubottu> Launchpad bug 1797897 in Nginx "Add --with-compat to NGINX packages" [Wishlist,In progress]
[18:32] <sarnold> ah good idea
[18:32] <teward> sarnold: what's D-series named again?
[18:32] <teward> i forget.
[18:32] <teward> i should be shot for forgetting but eh
[18:35] <teward> sarnold: i put my extended description into the bug description as well
[18:35] <teward> or comments rather
[18:35] <teward> since I wrote the initial bug while caffeine was still taking effect in my system :P
[18:42] <sarnold> :D
[19:16] <lucidguy> I'm looking for a new method to mass deploy bare metal servers.  Currently doing pxeboot with ubuntu-installer/preseed.  Need something more modern, for larger deployments.  I'm aware of Ubuntu's MAAS, Brightmaster, even thought of going pxeboot clonezilla.  Recommendations?
[19:18] <sarnold> lucidguy: I've heard folks happy with both maas and fai-server -- never heard of brightmaster
[19:24] <lucidguy> sarnold: Thanks for response
[20:26] <tomreyn> lucidguy: i like foreman
