teward | RoyK: running memtest86 right now, but I don't think there'll be anything failing, this thing's passed memtest in the past | 01:05 |
---|---|---|
teward | memtest86+ * | 01:06 |
RoyK | good | 01:10 |
teward | RoyK: so far, 41% of the tests are done, and it's passing them all. I'm fairly sure it's not a memory or CPU problem, this happened on an 18.04 plain install too, kernels updated and then *wham* dead with panics on boot | 01:14 |
teward | maybe i need to go yell at #ubuntu-kernel... | 01:14 |
teward | (memtest also takes some time when the system has 24GB of RAM :| ) | 01:15 |
RoyK | teward: make sure you have netconsole running in case something happens | 01:33 |
teward | RoyK: again, how do I enable netconsole when I can't even get into the system with any boot process? | 01:37 |
teward | the unanswered question from before there remains | 01:38 |
teward | literally the moment after Grub the system panics | 01:38 |
teward | not enough time to get in to do anything | 01:38 |
teward | same from LiveUSB | 01:38 |
teward | RoyK: yeah, 100% memtest pass. so unless you know how to enable netconsole before the system boots... | 01:42 |
teward | ah there it is | 01:43 |
teward | hmm i'll work on this tomorrow after work | 01:43 |
teward | tired now :p | 01:43 |
RoyK | teward: you'll need to reboot | 01:45 |
teward | well that's a given | 01:45 |
teward | but i'll deal with this tomorrow, CBA to set up a syslog receiver at the moment | 01:46 |
teward | (and i'm dead tired and have to be up early so... bed time.) | 01:46 |
RoyK | the only issue is that syslog won't send a panic | 01:47 |
Checkmate | i've this problem with mod_evasive | 04:01 |
Checkmate | everything works fine but if i refresh the url page i can see it and the forbidden message disappears | 04:02 |
Checkmate | i've tried mod_qos and mod_evasive, nothing works well | 04:28 |
tomreyn | Checkmate: mod_evasive can work ok if properly tuned. but it's kind of a last resort measure, it's much better to optimize the application / service configuration to cause less load (improve application source code, use caching, replace outdated software components by newer ones). alternatively, you can increase system resources and use load balancing, too. | 04:44 |
Checkmate | @tomreyn i'm trying to stop multiple POST request | 04:48 |
Checkmate | i've tried all kinds of things but it seems not to be working | 04:48 |
tomreyn | Checkmate: you said so some hours ago. if you're looking for assistance with this you'll need to provide details (but there may be better places to ask this, such as in #httpd if you use apache httpd, as 'mod_evasive' suggests) | 04:49 |
tomreyn | there is also mod_security which can be an option if you cannot modify the application source. | 04:52 |
Checkmate | MaxKeepAliveRequests doesn't work for me either | 04:52 |
tomreyn | Checkmate: maybe start by discussing the web application and version which is under attack, the ubuntu version and web server you run there. | 04:54 |
tomreyn | then discuss the path to the file which is being attacked, and how you can tell (logs). you can rewrite any ip addresses by 127.0.x.1 where you replace x by a different number (1-255) for every new ip address. | 04:56 |
Checkmate | @tomreyn i'm on the latest version of Ubuntu, getting attacked at index.php | 05:00 |
Checkmate | multiple POST requests | 05:00 |
tomreyn | Checkmate: and index.php is part of which standard web application, or is it custom code? what do these requests look like? | 05:01 |
tomreyn | the latest released version of ubuntu is 18.10. are you sure that's the one you run? "lsb_release -ds" will tell. | 05:01 |
Checkmate | @tomreyn yes apache2 | 05:03 |
tomreyn | this doesn't answer any of the questions i asked :) | 05:04 |
Checkmate | ubuntu are you sure = yes which standard web application = apache2 | 05:08 |
Checkmate | maybe i'm losing time here | 05:08 |
tomreyn | apache2 is the package name of the Apache HTTPd web server, version 2.x. "index.php" suggests this is PHP code. this PHP code will be part of a web application such as wordpress, drupal, typo3, or something you wrote yourself. i'm asking which one it is. | 05:10 |
tomreyn | maybe i'm losing time here | 05:10 |
Checkmate | yeah my bad, it's personal php encoding | 05:11 |
tomreyn | then my bet is that this application carries out too many tasks before authentication is required, allowing anyone to keep the server busy. | 05:13 |
tomreyn | you should change it so that those actions which cause increased server load are only available after authentication, or for a given set of source ip addresses. | 05:14 |
Checkmate | i dont wanna use a database | 05:16 |
Checkmate | i want to limit connection requests for each ip | 05:17 |
tomreyn | if you can share the source code, feel free to do so, i can take a quick look later, but this only makes sense if you can also provide more information on the POST requests which are sent. you can capture them using tcpdump, a proxy server, mod_dumpio (but be careful there since it will drive up server load further). | 05:17 |
lordievader | good morning | 06:20 |
muhaha | Is possible to download signing key from keyserver with curl ? instead of this apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367 ? | 07:45 |
TJ- | muhaha: it should be possible with gpg, using its --dry-run option *or* by setting an empty or null keyring so it doesn't write the retrieved key into the trust store | 07:50 |
muhaha | TJ-: like this? gpg --dry-run --keyserver keyserver.ubuntu.com --recv 93C4A3FD7BB9C367 | 07:54 |
muhaha | I can not pass the internet proxy. It has some kind of useragent whitelisting... curl user agent works, that's why I need to download it with curl directly... | 07:55 |
muhaha | *through | 07:55 |
TJ- | muhaha: try using hkps://keyserver.ubuntu.com (uses TLS) | 07:58 |
Skuggen | muhaha: Have you tried adding --keyserver-options http_proxy=$value? | 07:58 |
muhaha | yes, it does not work | 07:59 |
Skuggen | Ah | 07:59 |
muhaha | like I said, I need to pass curl user agent to access internet | 07:59 |
lucylu | Hi guys.. I installed a second WP site on my ubuntu server. On the second site I was able to get the WP install screen and install it. However when I went to change the theme the site disconnected and I can't connect to it : ERR_conn_timed_out .. Any way to check how to debug this? | 08:46 |
tomreyn | lucylu: see #ubuntu | 09:02 |
tomreyn | muhaha: curl 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x93C4A3FD7BB9C367' | 09:04 |
tomreyn | you may need to strip the surrounding html | 09:05 |
cqs | hello, I'd like to ask whether there is some known issue while installing postgresql db on ubuntu server | 11:15 |
cqs | it just hangs when setting up alternatives.. | 11:15 |
cqs | it's basically a clean installation | 11:15 |
cqs | 18.04 | 11:15 |
cpaelzer | cqs: I'd not know of one | 11:16 |
cqs | sheet | 11:16 |
cpaelzer | I have seen an issue that sounds similar, but it was "update alternative ... already owned by <pkg>" | 11:17 |
cpaelzer | and said pkg was not in the archive | 11:17 |
cqs | update-alternatives: using /usr/share/postgresql/10/man/man1/postmaster.1.gz to provide /usr/share/man/man1/postmaster.1.gz (postmaster.1.gz) in auto mode | 11:17 |
cqs | this is where it ends up | 11:17 |
cpaelzer | ok, you have a different file at least | 11:17 |
cpaelzer | maybe it makes sense for this one (other than the bug I checked a while ago) | 11:17 |
cqs | i see | 11:18 |
* | cpaelzer is checking ... | 11:18 |
ahasenack | good morning | 11:19 |
cpaelzer | hi ahasenack | 11:20 |
ahasenack | hi cpaelzer | 11:20 |
cpaelzer | have you seen above already (before I check too deep and you just know it) ^^ | 11:20 |
cqs | thanks for you time | 11:21 |
cpaelzer | cqs: I'm pretty sure you are "after" that update alternatives | 11:21 |
cqs | r* | 11:21 |
cqs | yes i am | 11:21 |
cpaelzer | what is a "ps axlf" showing you | 11:21 |
cpaelzer | maybe pastebinit ? | 11:22 |
cqs | sure | 11:22 |
cpaelzer | just retried postgresql on fresh bionic and cosmic - works as expected | 11:22 |
cqs | https://paste.gnome.org/p8dcex7uf | 11:22 |
cpaelzer | is that the systemctl start hanging ? | 11:23 |
cpaelzer | hmm | 11:23 |
cqs | hard to tell u | 11:23 |
cpaelzer | yeah looks that way, and that would be the last command of configure_version in /usr/share/postgresql-common/maintscripts-functions | 11:25 |
cpaelzer | cqs: what is "systemctl status postgresql.service" showing you atm? | 11:25 |
cqs | loaded and active | 11:26 |
cqs | looks normal | 11:26 |
cpaelzer | cqs: how long is that hanging already? | 11:27 |
cqs | all looks fine, it's just apt stayed locked | 11:27 |
cqs | 16mins | 11:27 |
xnox | I have questions about git-ubuntu.... sometimes the merge proposals diffs look odd in launchpad, is that normal? | 11:28 |
ahasenack | xnox: we reckon it's a bug in python-git | 11:28 |
RoyK | cqs: can you connect to the db with 'psql' with user postgres? | 11:28 |
xnox | ok | 11:28 |
xnox | second question - there is nowhere one should push things? one should just dput & close MP right? | 11:28 |
xnox | there is no automagic marking things as merged? | 11:29 |
cpaelzer | xnox: there is, if you follow the tagging procedure that we do | 11:29 |
cpaelzer | xnox: but I'm not sure if this is reasonable for everyone | 11:29 |
xnox | hmmmm | 11:29 |
cpaelzer | xnox: that would also retain your git commit history on the import | 11:29 |
xnox | i thought i tagged stuff, but all pushes from me were declined..... | 11:30 |
cpaelzer | and the importer sees your dput being published, realizes it is the same and then closes things | 11:30 |
xnox | and if i can't push things back to origin.... where is one supposed to push? | 11:30 |
xnox | are there docs, i did not find/read? | 11:30 |
cpaelzer | xnox: the repo "pkg" that is set up by default is the target | 11:30 |
cpaelzer | but push access to that is rather restricted | 11:31 |
cqs | RoyK: yes i can connect to psql | 11:31 |
cpaelzer | especially as we long term don't want to require manual tagging anyways | 11:31 |
cpaelzer | we want the importer to find approved MPs and use those | 11:31 |
cpaelzer | xnox: it would be in (outdated I think) https://wiki.ubuntu.com/UbuntuDevelopment/Merging/GitWorkflow#Detailed_workflow | 11:32 |
xnox | cpaelzer, tah, i'll read up on that, and will try to use that again. | 11:32 |
cpaelzer | xnox: I'd ask you to get in touch with rbasak - I think we need to decide what we should do until the intended future workflow (with just approved MPs) can happen | 11:32 |
cpaelzer | he is coordinating the related efforts | 11:32 |
cpaelzer | cqs: so it seems all is fine, but the systemctl start did not return and due to that blocks | 11:33 |
cpaelzer | I unfortunately have no former case like this to base the next steps on :-/ | 11:33 |
cqs | so shall i just kill that stuck process and unlock apt? | 11:34 |
cpaelzer | I guess, so - that will most likely make it fail | 11:35 |
cpaelzer | you might apt install --reinstall afterwards just to be sure | 11:35 |
cqs | ok | 11:35 |
cqs | it wants to run 'sudo dpkg --configure -a' again but i guess it will hang again | 11:36 |
cpaelzer | try it | 11:36 |
cqs | btw i was installing postgresql-contrib in one shot | 11:38 |
cqs | maybe this one is the guilty one | 11:38 |
cqs | Package postgresql-10 which provides postgresql-contrib-10 is not configured yet. | 11:38 |
rbasak | xnox: since Launchpad publications are the single source of truth for Ubuntu, we can't allow uploaders to push things to origin since those might mismatch Launchpad publications, and the git view is supposed to be an exact reflection of what Launchpad published. So only the importer pushes after verifying correctness. But then uploaders need to supply rich history to the importer somehow. We don't | 11:39 |
rbasak | have a good workflow for this yet. As a stop gap we push "upload tags" but right now they have to be processed manually. | 11:39 |
rbasak | When Launchpad per-ref ACL support arrives, we will be able to give uploaders access to push upload tags directly (but that'll still be a stop-gap) | 11:39 |
rbasak | Before then, if you want rich history preserved, ping someone in ~usd-import-team to do it. | 11:39 |
xnox | ah i see, push a tag, rather than push branch refs. | 11:39 |
xnox | fair enough. | 11:39 |
xnox | to be fair, i don't mind either way, just didn't know what i should be doing today. | 11:40 |
rbasak | The importer will only adopt the tag if the upload matches in Launchpad. | 11:40 |
xnox | and if i did `something wrong, by not pushing something somewhere` | 11:40 |
rbasak | It's fine to dput without using git. The importer will cope by synthesizing a commit, which will effectively be the squashing of your commits. | 11:40 |
cpaelzer | cqs: apt install postgresql postgresql-contrib does not fail for me either | 11:48 |
cqs | the only thing that comes to my mind is that i didnt have locales properly set, so it defaulted to som utf8 | 11:48 |
cqs | but that's all | 11:48 |
cqs | some* | 11:48 |
rbasak | xnox: that was becoming an FAQ, so here you go: https://askubuntu.com/q/1086094/7808 | 12:36 |
xnox | heh | 12:40 |
mad_moses | Hi, can I use NFSv4 securely in the internet? (Enabling encryption?) | 12:49 |
Ussat | I would NEVER mount a NFS over the net unless it was over a VPN | 12:50 |
Ussat | and then only as a last resort | 12:51 |
mad_moses | Ussat: okay, just read that NFSv4 also supports encryption. So I thought it might be safe | 12:52 |
sdeziel | mad_moses: you could look at SSHFS maybe | 12:52 |
mad_moses | sdeziel: sshfs is doing strange things. I mounted a server folder and tried to work remotely with my pycharm on my python project but git and pycharm are doing strange things (refreshing every second) | 12:53 |
ahasenack | cpaelzer: if you do a "lxc launch ubuntu-daily:trusty trusty-foo", and then enter that container and run "hostname -f", do you get trusty-foo.lxd? | 13:45 |
RoyK | mad_moses: nfs4 uses kerberos for authentication, but sends the data in cleartext | 13:47 |
RoyK | mad_moses: that is - nfs4 may use sec=sys and then only checks the client's ip address | 13:48 |
cpaelzer | ahasenack: seeing the question just now | 13:51 |
cpaelzer | just a sec | 13:51 |
ahasenack | no rush | 13:51 |
cpaelzer | ahasenack: yes I see the same | 13:52 |
ahasenack | ok, thx | 13:52 |
mad_moses | RoyK: okay, vpn is the answer ... | 14:16 |
mfo | xnox, hey :) so, i noticed there are some regressions in systemd rdeps in the pending-sru page. i went through them, and apparently none are related to the LP/patch I submitted (LP 1795658), but wondering if you'd like me to review any of them. | 14:37 |
ubottu | Launchpad bug 1795658 in systemd (Ubuntu Xenial) "xenial systemd reports 'inactive' instead of 'failed' for service units that repeatedly failed to restart / failed permanently" [Medium,Fix committed] https://launchpad.net/bugs/1795658 | 14:37 |
xnox | mfo, well, your patch is not the only thing in that upload. | 14:37 |
xnox | there are 6 bug fixes. | 14:37 |
xnox | as you can see on the pending-sru page | 14:38 |
mfo | xnox, yes, I see. that's why I'm asking :) i could not track the test errors to _that_ part of the upload, but you know, maybe there are symptoms that are not that clearly linked. | 14:39 |
mfo | i offered checking some of them in case you were suspicious they were not from the other uploads either. | 14:39 |
mfo | xnox, well, and sorry to bother, but I just wanted to offer help in case that helped. no worries :) if you find something for me about that, please just let me know and I'll take a look. | 14:41 |
xnox | mfo, i've hit retry on all of the regressions, to see if any of the flaky ones would clear. | 14:41 |
xnox | mfo, and then i'd be writing up to the release team for things that are clearly broken. | 14:41 |
mfo | xnox, ok. iirc there are a few ones after "rebooting" in autopkgtest, which seems like a couldn't connect post-reboot type of error, not really pkg code itself. | 14:42 |
mfo | xnox, thanks! | 14:42 |
xnox | mfo, well, or a VM failing to boot with new systemd =/ | 14:42 |
mfo | xnox, oh, indeed. hopefully not the case! | 14:45 |
Checkmate | guys my ip server went down after typing this command iptables -L -n | 16:22 |
Checkmate | what do i do now ? | 16:23 |
tomreyn | what is an ip server? | 16:23 |
Checkmate | vps | 16:23 |
tomreyn | use your out-of-band access to flush iptables, or if you have none, power cycle it. | 16:24 |
Checkmate | @tomreyn my vps is down, it's like all open ports are closed, do i need to restart the server? | 16:26 |
TJ- | "iptables -Ln" isn't going to add a rule, it just lists with numerics | 16:26 |
tomreyn | yes it should not cause this, but apparently somehow Checkmate was working on iptables and locked themselves out. | 16:27 |
Checkmate | well i put in this command and at the same time the vps went down | 16:27 |
TJ- | Checkmate: did you issue any commands before that one? | 16:27 |
tomreyn | Checkmate: if you have no other way to access the system, such as through a virtual serial console or KVM your VPS host provides through e.g. their web panel, you will need to have them power cycle it (maybe also through a self service web panel). | 16:28 |
Checkmate | @tomreyn yes iptables -F | 16:28 |
TJ- | Checkmate: -F flushes the tables; if the default policy is DROP then you've cut yourself off | 16:29 |
Checkmate | damn what i need to do now @TJ- | 16:30 |
Checkmate | i have web shell access, please tell me how to get my vps server back | 16:31 |
TJ- | Checkmate: tomreyn has told you twice; reboot the server and hope there are saved rules in place to open ports. Otherwise use your host's out-of-band console access to fix it | 16:31 |
tomreyn | you need to undo what you did last, or reboot which will undo non permanent configuration changes | 16:31 |
Checkmate | @tomreyn after restarting everything works fine thx | 16:34 |
tomreyn | good. keep the web shell open while you work on iptables, make sure you know how to undo changes before you make them | 16:36 |
Checkmate | @tomreyn do u know how to clear all banned ips in the fail2ban service | 16:43 |
mason | Checkmate: man fail2ban-client - there's probably some sleek way to do it all at once, but this will let you do it granularly. | 16:48 |
tomreyn | Checkmate: not off the top of my head, no | 16:48 |
Checkmate | i see something about removing fail2ban.sqlite3, is it safe? | 16:49 |
tomreyn | sqlite is a flat file database, often used for storing configurations. removing this is probably not what you want. | 16:50 |
RoyK | Checkmate: if the server goes down with an iptables command, contact the people you got it from - it shouldn't panic or shut down for something like this | 17:37 |
RoyK | Checkmate: where do you have this VPS? | 17:38 |
RoyK | tomreyn: serial consoles are a bit hard to work out on virtual machines ;) | 17:38 |
tomreyn | RoyK: why so? | 17:39 |
tomreyn | both KVM + Xen support (virtual) serial consoles just fine. | 17:39 |
teward | RoyK: so it did a full blown panic immediately when attempting to boot | 17:39 |
RoyK | because there's no serial port, for starters, at least if you rent a VM from some company abroad | 17:39 |
teward | on my HP Z400 workstation | 17:39 |
teward | i'll have to picture the screen when I get the data up to share the panic error | 17:40 |
RoyK | netconsole should work, though | 17:40 |
tomreyn | RoyK: you'll just need to add the virtualized equivalent of a serial console switch | 17:40 |
RoyK | but then again - if a VM panics just after iptables -Ln, something is very, very wrong | 17:41 |
RoyK | tomreyn: something you can't do if someone else controls the hypervisor | 17:42 |
tomreyn | RoyK: right | 17:45 |
mason | I'm curious how libvirtd presents microcode to VMs. Which is to say, with Ubuntu 18.04, my qemu-kvm VMs show vulnerable to Spectre 3a and 4 where the host does not. Guests tried include Ubuntu 16.04, RHEL 7.5, Debian 9.5. | 20:46 |
JanC | I doubt showing microcode to VMs makes any sense at all | 20:47 |
mason | JanC: The facility has to be there in the CPU presented, no? | 20:48 |
JanC | no | 20:48 |
mason | Okay, could you explain how it's supposed to work, then? | 20:48 |
ahasenack | mason: can you set up the cpu in the vm to be a copy of the host? | 20:50 |
ChmEarl | mason, qemu-system-x86_64 -cpu ? , then try some CPUID/CPU combinations | 20:50 |
ahasenack | I don't know how to do it with virsh, but in virt-manager you have a dropdown menu in the cpu tab | 20:50 |
mason | I've tried a couple CPU combinations, all with IBRS. | 20:50 |
JanC | how microcode & all those controller CPUs work isn't really documented | 20:51 |
JanC | so there really isn't any way you could implement them virtually | 20:51 |
mason | Well. Microcode application, right. But the guests themselves should believe they've got the correct facilities, as I understand it. | 20:52 |
JanC | so, did you test if those guests are actually vulnerable? | 20:53 |
mason | JanC: Yes. That's why I'm asking. | 20:54 |
JanC | I mean, did you test if they are actually vulnerable, or did you just test a kernel flag or something? | 20:55 |
mason | JanC: I ran https://github.com/speed47/spectre-meltdown-checker which I believe looks at more than flags. I'm open to suggestions for testing with PoC somehow. | 20:56 |
ahasenack | rbasak: still around? | 20:56 |
mason | If it's a false positive, that's fine. | 20:56 |
mason | I'll migrate the guests to a RHEL hypervisor and test there too I guess, for comparison. | 20:57 |
tyhicks | mason: hi - variant 4 mitigations are only enabled when there's a seccomp filter in place for the process in question or the process has opted into mitigation by making a certain prctl(2) system call | 20:58 |
tyhicks | mason: this is documented in the Mitigations section of https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4 | 20:59 |
tyhicks | mason: as far as variant 3a goes, that's something that is entirely mitigated in microcode | 20:59 |
mason | tyhicks: Thank you. Odd that the spectre-meltdown-checker script doesn't set this. I'll have to read what they're doing. | 20:59 |
tyhicks | mason: VMs don't load microcode - it is something that the host is in charge of | 20:59 |
mason | tyhicks: That seems fine, but I thought the CPU then presented would have all the bits needed for the kernels to mitigate things. I'm clearly a bit confused. | 21:00 |
tyhicks | mason: there's a lot of different ways that your virtual CPUs can be configured, you'd need to paste the contents of /proc/cpuinfo for me to start understanding what's going on inside your vm | 21:01 |
mason | tyhicks: kk, coming up | 21:01 |
ahasenack | rbasak: n/m, filed a bug :) | 21:01 |
tyhicks | mason: going back to variant 4... you can use the ssbd-exec tool that I wrote to enable mitigations and then run the checker script (replace the grep command in the second example with the checker script): https://github.com/tyhicks/ssbd-tools#using-ssbd-exec | 21:02 |
mason | tyhicks: https://bpaste.net/show/e19b21dd662e - the first one is https://bpaste.net/show/e5b63791427f on the host, and the second is https://bpaste.net/show/154b82e83888 on the host | 21:03 |
mason | tyhicks: ty, will try that | 21:03 |
tyhicks | mason: I'm starting to get cloudy on the details but the kernel reports a bogus microcode revision inside of VMs (which is why you see 0x1 reported as the microcode revision in the cpuinfo pastes)... I wonder if the checker script is relying on that revision to be correct... | 21:06 |
* | tyhicks checks the source | 21:06 |
JanC | mason: microcode is never enough to prevent all spectre-style vulnerabilities AFAIK | 21:07 |
mason | There's one of the more recent ones that requires guest cooperation, yeah. | 21:07 |
mason | I want the fence to be as high as possible. | 21:08 |
JanC | or if it would be enough, it would likely slow down the CPU to the point where you could be using your smartphone instead of that high end Xeon :P | 21:08 |
mason | tyhicks: # ./ssbd-exec -- ~/spectre-meltdown-checker.sh | 21:09 |
mason | ERROR: Speculation cannot be controlled via prctl | 21:09 |
mason | tyhicks: That's on the second system from that initial bpaste, which has a Skylake Xeon box as a host that shows all green with the script. | 21:11 |
tyhicks | mason: the correct command is: $ ./ssbd-exec -p disable -- ~/spectre-meltdown-checker.sh | 21:12 |
tyhicks | (but I think you're going to hit the same error) | 21:12 |
mason | ah, trying again | 21:12 |
mason | Close: https://bpaste.net/show/4efbd9fc3bd8 | 21:12 |
tyhicks | mason: what kernel version are you running? (cat /proc/version_signature) | 21:15 |
mason | tyhicks: Host or guest? | 21:15 |
mason | tyhicks: I'll give you both. | 21:15 |
tyhicks | both | 21:15 |
mason | tyhicks: 3.10.0-862.14.4.el7.x86_64 (RHEL 7.5, guest) seems not to offer this. The host is 4.15.0-36.39-generic. | 21:17 |
tyhicks | mason: did you run ssbd-exec in the guest or host? | 21:17 |
mason | guest | 21:17 |
mason | I didn't bother running it on the host, because the host makes the script happy. | 21:18 |
tyhicks | mason: oh, RHEL must not have backported the fix | 21:18 |
tyhicks | mason: err, they must not have backported the prctl portion of the fix | 21:18 |
mason | tyhicks: I'll try again on an Ubuntu guest. | 21:18 |
JanC | there is a big spread between fixing those vulnerabilities entirely and keeping your CPU performant :) | 21:31 |
JanC | I suppose at some point there will have to be host & guest profiles where admins will have to make their choices... | 21:32 |
tyhicks | mason: that checker script has become pretty complex - I can't say for sure but I'm pretty confident that the variant 3a failure is a false positive most likely caused by the microcode revision being obscured inside of the VM | 21:33 |
mason | tyhicks: I'll look around for other ways to test - a PoC would be the best way I imagine. | 21:35 |
JanC | testing 8.04 guest on 8.04 host would probably be a good test too | 21:37 |
mason | tyhicks: Thank you very much for your time. Also JanC and ahasenack | 21:37 |
ahasenack | welcome | 21:37 |
mason | JanC: Oddly, I don't actually have an 18.04 guest, only hypervisors. I'll have to spin one up. | 21:38 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!