/srv/irclogs.ubuntu.com/2018/11/14/#ubuntu-server.txt

[00:00] <sleepee> oh..  and the kvm host runs CentOS7
[00:01] <sleepee> thing is, virt-install works just fine when creating a CentOS vm.  But with Ubuntu vm's, the --extra-args option seems to get ignored.
[00:02] <sleepee> and from what i can tell, i'm not the only one in this boat.
[00:02] <sleepee> https://unix.stackexchange.com/questions/428858/warning-did-not-find-console-ttys0-in-extra-args
[00:02] <sleepee> ^that guy seems to have a suspiciously similar problem as me.
[00:03] <rbasak> virt-install is not the preferred way to run Ubuntu VMs. It's long and convoluted to run an installer designed for bare metal in a VM. We left that method behind years ago.
[00:03] <sleepee> not sure if it's an Ubuntu issue, but it works fine with CentOS, so i figured I'd ask
[00:04] <rbasak> You should just be able to download and run an Ubuntu cloud image. On any distro.
[00:05] <rbasak> To bootstrap it with a ssh key so you can get in is a little tedious without tooling, but it's still honestly easier than messing with driving an installer.
[00:06] <rbasak> By all means use virt-install, and even fix it - it's a Free Software world after all :)
[00:06] <sleepee> makes sense.  does multipass support other os'es like CentOS or is it just for Ubuntu?
[00:06] <rbasak> But you won't get much help from Ubuntu people with that method because it's not 2008 any more :)
[00:06] <sleepee> sorry if it's a dumb question. i've never heard of multipass before
[00:06] <rbasak> I'm not sure. multipass is distributed as a snap so I think that means it'll work anywhere snaps do.
[00:06] <sleepee> i'm just starting out in this world
[00:07] <rbasak> Looks like you should be able to build it from source without too much difficulty though.
[00:07] <sleepee> sorry.  i meant are there other images i can install other than ubuntu
[00:08] <sleepee> you know what.  im just going to go ahead and google multipass.  it seems like i need to do a bit of research on that.
[00:08] <sleepee> thanks!
[00:23] <rbasak> sleepee: nothing to apologise for. Sorry if my tone was a bit harsh.
[00:24] <sleepee> nah. You're good.
[00:24] <sleepee> thanks for the suggestion.
[00:24] <rbasak> Cloud images are still a new thing for many people. It's just that we've been doing it for a long time in Ubuntu - longer than everyone else even I think, and it makes life sooo much easier that doing things the old fashioned way seems extra backwards to us.
[00:24] <rbasak> sleepee: same with containers.
[00:25] <rbasak> sleepee: if I want to reproduce a bug report in Ubuntu, for example on 14.04, I type "lxc launch ubuntu:14.04" and can have a shell prompt about three seconds later, on something that looks exactly like a fully operational fresh Ubuntu 14.04 system.
[00:26] <sleepee> Yeah.  It actually makes sense that Canonical put out a tool to make it easier/quicker to deploy Ubuntu vm's.  I know Ubuntu's huge in the cloud.
[00:27] <rbasak> Using virt-install seems as backwards to me as perhaps ordering bare metal hardware to get an instance seems to you :)
[00:27] * sarnold quickly hides his CPU "product brief" tabs from rbasak
[00:29] <genii> heh
[00:33] * teward hides sarnold's internet browser from everyone including sarnold. :P
=== berglh_ is now known as berglh
[06:02] <cpaelzer> mdeslaur: I would not mind, ahasenack was working (or planning to work) on it but these weeks are rather busy
[06:03] <cpaelzer> mdeslaur: if you have pg-10.6 ready and it tests fine feel free to release it
[06:03] <cpaelzer> ahasenack: ^^
[06:03] <cpaelzer> ahasenack: for the ssh review - as discussed in standup I'll take a look at that
=== jelly-home is now known as jelly
=== kallesbar_ is now known as kallesbar
[08:52] <patz0r> hey all, does anyone have an updated guide for creating a raid1 mdadm array during OS installation?
[08:52] <patz0r> i'm trying to follow this but doesn't seem current
[08:52] <patz0r> https://help.ubuntu.com/lts/serverguide/advanced-installation.html.en
[09:05] <patz0r> i'm trying to create a raid1 mirror to install my OS on but i must be doing something wrong as it's not working
[09:05] <patz0r> i'm using the 18.04.1 live installer
[09:08] <patz0r> i'm going to try the alternate debian installer...
[11:03] <Slashman> I dunno if it's been reported but there is an issue with "http://fr.archive.ubuntu.com/ubuntu", I have several hash mismatch, switching to "http://de.archive.ubuntu.com/ubuntu" solves the issue
[11:03] <lotuspsychje> Slashman: report this in #ubuntu-mirrors please
[11:04] <Slashman> lotuspsychje: sure, I didn't know where to report this exactly, thanks
[11:08] <ahasenack> good morning
[11:12] <tomreyn> good morning
[11:13] <tomreyn> is it normal that proposed is enabled by default on daily server-live images?
[11:15] <ahasenack> I would think not, and would also ask about it
[11:16] <tomreyn> i don't think i did it manually, but i'll re-check just to be sure.
[11:18] <lotuspsychje> tomreyn: the #ubuntu-release guys might know that1
[11:20] <tomreyn> lotuspsychje: thanks. i think the server team (here) would know, but let me double-check first.
[11:26] <ahasenack> it's a funny situation, because even though it's called the server installer, we don't code it
[11:33] <tomreyn> so yes, proposed is enabled by default on the bionic server-live amd64 daily images. on both the Nov 12 (af59b87edf6ef02d230d94b87312c0255dead3bda399588cba44d83a0bda1180) and Nov 14 (403059a8fd19da81b1561970f859cf92aa74950ed91a809ae27d89cb4df3379e) one.
[11:33] <tomreyn> do i report a bug against subiquity, curtin, the one in ubuntu or 'upstream'? something else?
[11:36] <ahasenack> subiquity please
[11:36] <ahasenack> they can sort it out if it's curtin/cloud-init or subiquity
[11:36] <TJ-> tomreyn: sounds like that might be an artifact of the disco images
[11:36] <ahasenack> like that other one where only main was enabled
[11:36] <ahasenack> TJ-: is it the same for cloud images?
[11:36] * ahasenack checks lxd
[11:37] <ahasenack> lxd image is fine, no proposed
[11:39] <ahasenack> tomreyn: do you have a url to the iso at hand?
[11:40] <ahasenack> ah, found it
[11:40] <ahasenack> n/m
[11:40] <tomreyn> ahasenack: http://cdimage.ubuntu.com/ubuntu-server/bionic/daily-live/current/bionic-live-server-amd64.iso - i downloaded from 2001:67c:1360:8001::1d
[11:51] <tomreyn> bug 1803338
[11:51] <ubottu> bug 1803338 in subiquity (Ubuntu) ""proposed" is enabled by default on bionic server-live amd64 daily images" [Undecided,New] https://launchpad.net/bugs/1803338
[11:52] <ahasenack> tomreyn: I just installed in a vm from that iso (same hash), I don't see proposed in /etc/apt/sources.list
[11:52] <ahasenack> ah, it's in a sources.list.d
[11:53] <ahasenack> wtf
[11:57] <tomreyn> correct, it's in a sources.list.d/
[12:13] <mdeslaur> cpaelzer: thanks!
[12:15] <lotuspsychje> ahasenack: can you also add yourself affected to the bug?
[12:16] <ahasenack> lotuspsychje: the one from tomreyn?
[12:16] <lotuspsychje> yeah
[12:16] <lotuspsychje> the more, the better for attention/solving
[12:17] <lotuspsychje> ahasenack: tnx mate
[12:57] <samba35> i am using updated kernel of 18.04.1 do i require intel acs patch ? as i can't see patch for this version ?
[12:57] <samba35> is any one using pci-passthrough ?
[13:00] <ahasenack> what is that about? intel acs?
[13:02] <samba35> yes
[13:03] <tomreyn> https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVMF#Bypassing_the_IOMMU_groups_(ACS_override_patch)
[13:05] <samba35> yes i check this page but i could not find patch here
[13:05] <tomreyn> i just posted this url to explain what you're inquiring about
[13:06] <samba35> ok
[13:08] <tomreyn> the patch seems to be https://lkml.org/lkml/2013/5/30/513
[13:09] <tomreyn> (it won't apply to current kernel versions without further modifications)
[13:10] <tomreyn> updated patch https://aur.archlinux.org/cgit/aur.git/tree/add-acs-overrides.patch?h=linux-vfio
[13:11] <samba35> let me check links
[13:13] <samba35> is patching kernel os version specific and distro specific ?
[13:14] <tomreyn> potentially both, most likely distro specific at least
[13:15] <samba35> ok
[13:34] <jamespage> coreycb: doing oslo bumps, poking at glance and keystone snapshots with a switch to py3 as the default
[13:35] <coreycb> jamespage: alrighty! good bye py2!
[13:36] <coreycb> jamespage: are we keeping the py2 packages around as an alternative?
[13:36] <jamespage> dunno
[13:36] <jamespage> coreycb: what do you think? maybe we should just drop them
[13:37] <jamespage> thus avoiding any confusion
[13:37] <coreycb> jamespage: i wouldn't mind maintaining just one version
[13:37] <coreycb> jamespage: let's drop them
[13:37] <jamespage> coreycb: agreed, it will cut down build times
[13:37] <jamespage> and reduce complexity
[13:37] <coreycb> jamespage: yes
[13:38] <jamespage> coreycb: that said we may want to either update openstack-pkg-tools to be py3 only friendly or switch everything over to pybuild
[13:39] <coreycb> jamespage: it should be py3-only friendly, no?
[13:40] <coreycb> jamespage: but it doesn't default to py3-only. i think it probably could now if we were to make the switch.
[13:41] <jamespage> coreycb: the pkgos-dh_* commands do have some --no-py2 type options
[13:41] <jamespage> we may just need to review those
[13:41] <coreycb> jamespage: ok
[13:47] <coreycb> jamespage: i think we can drop the shebang dep8 tests if we drop the py2 packages
[13:47] <coreycb> jamespage: or may be useful to keep around to test upgrades to py4 :)
[13:49] <jamespage> coreycb: I'd be tempted to - we can drop all of the alternatives stuff as well
[13:55] <coreycb> jamespage: ok great
[14:12] <jamespage> coreycb: we need a tweak to pkg-tools to not do the python{vers}- prefixing for binaries if only py2 or py3 is being built - testing that now
[14:37] <cpaelzer> ahasenack: chrony now completed its test
[14:37] <cpaelzer> I'll tag and upload
[14:42] <ahasenack> cpaelzer: +1
[14:54] <ahasenack> rbasak: I gather you are not reviewing karl's branch about at?
[14:55] <coreycb> jamespage: ok thanks
[14:55] <rbasak> ahasenack: not right now.
[15:02] <jamespage> coreycb: ok tweaked openstack-pkg-tools uploaded
[15:09] <coreycb> jamespage: great, looks good. i'm wondering if we need to do anything for upgrades.
[15:10] <coreycb> jamespage: i think we're good because postinst scripts should be removing alternatives
[15:10] <coreycb> jamespage: postrm that is
[15:15] <jamespage> coreycb: yeah
[15:15] <jamespage> coreycb: lol - http://paste.ubuntu.com/p/C2MckBXMHK/
[15:15] <jamespage> nice little quick fix
[15:15] <jamespage> coreycb: OK going for an upload run on the oslo's
[15:15] <jamespage> they install and test ok
[15:16] <coreycb> jamespage: ok! :-)
[15:35] <lucidguy> Ok, I have a static ubuntu mirror, been loading servers for days with no issues.  All of a sudden an identical server is failing to install mailutils, dependency issues.  How is that possible?
[15:46] <coreycb> jamespage: shall i start on clients or is there stein uca opening i should focus on?
[15:47] <jamespage> coreycb: please do - UCA is a bit blocked until we get quota increased sorted out
[15:47] <coreycb> jamespage: ok clients it is then
[15:53] <jamespage> coreycb: openstack-pkg-tools (>= 85ubuntu3~) gives you the right behaviour with regards to no alternatives if you pass --no-py2 to pkgos-dh_auto_install and pkgos-dh_auto_test
[15:53] <coreycb> jamespage: ok great, thanks
[17:30] <TheHonorable> Good afternoon everyone, I need some help with scripting. I'm not a coder, but I'm alright with linux commands. I have a task I'm constantly doing which is running this command: iptables -I INPUT -s -IPADDRESS- -j DROP
[17:31] <TheHonorable> I would like to setup something where I just punch in something like: permaban -IPADDRESS- and done, can you help me do this?
[17:41] <TJ-> TheHonorable: "  echo -e "#!/bin/sh\n[ -n \"$1\" ] && /sbin/iptables -I INPUT -s $1 -j DROP\n" | sudo dd of=/usr/local/bin/permaban ; sudo chmod +x /usr/local/bin/permaban  "
[17:43] <TheHonorable> response: bash: !/bin/sh\n[: event not found
[17:43] <TJ-> TheHonorable: ahhh, sorry, I was trying to make it easy. Let me pastebin it for you instead!
[17:43] <TheHonorable> thanks TJ- :)
[17:46] <TJ-> TheHonorable: try this https://paste.ubuntu.com/p/ZjZZySSjZh/
[17:54] <TheHonorable> sweet, it works man :D
[17:55] <TheHonorable> I added in a new line " iptables-save " so that I know for certain they're perm banned. but when I do this, it gives me a huge feedback of the entire iptables file. any way how to snuff that and make it quiet?
[17:56] <TJ-> TheHonorable: that's what iptables-save does; it writes to standard output. If you want to save to a file you redirect the I/O to the file. The filename should be one that, at boot-time, iptables-restore is going to read.
[17:57] <TJ-> TheHonorable: are you already using a package that saves/loads the rules using iptables-{save,restore} ?
[17:57] <TJ-> TheHonorable: e.g. iptables-persistent ?
[17:57] <TheHonorable> i just run iptables-save so that when I reboot I don't lose all my bans
[17:58] <TJ-> TheHonorable: right, but to load those bans, at boot-time you also have to have iptables-restore /path/to/file run.
[17:58] <lordcirth> TheHonorable, have you considered using a tool made for automatic bans, like fail2ban?
[17:58] <TheHonorable> O.o didn't know that
[17:58] <lordcirth> You can totally do it with iptables, but there are tools for this too
[17:58] <TheHonorable> I do use fail2ban, but the command to utilize it is just as long and frustrating as the one I use straight with iptables
[18:01] <compdoc> I use fail2ban to ban people from trying to guess email passwords. I love that program
[18:01] <TheHonorable> I'm literally just watching a wireshark feed of icmp requests and banning anyone who shows up as red at abuseipdb.com :D
[18:01] <TJ-> TheHonorable: if you install "iptables-persistent" it installs a system service via "netfilters-persistent" that loads/saves rules automatically at boot/shutdown, and you can also do "netfilter-persistent save" to save rules at any time
[18:02] <TheHonorable> that I'm going to do right now
[18:02] <TheHonorable> so I don't have to do iptables-save anymore, just run netfilter-persistent save and I'm good?
[18:03] <TJ-> TheHonorable: not even that if the PC always shuts down cleanly because it runs that at shutdown
[18:03] <TJ-> TheHonorable: but if you want to be sure, then it won't hurt to run the command
[18:04] <TJ-> TheHonorable: once installed see "man netfilter-persistent" for more info
[18:05] <TheHonorable> got it!! :D
[18:09] <TheHonorableKitt> still here, just under my correct username ;)
[19:04] <cpaelzer> ahasenack: and chrony migrated
[19:05] <ahasenack> yay
[20:40] <openfire> TheHonorableKitt: Why don't you just use ufw?
[20:41] <openfire> TheHonorableKitt: That's my first question. My second question is "why are you doing that stuff at all?"
[20:41] <TheHonorableKitt> why am I banning hackers?? :thinking:
[20:42] <openfire> Every ICMP request that comes your way isn't a hacker, but nice try at sarcasm. Sadly, your attempt is woefully misdirected.
[20:42] <openfire> You're acting like random internet scans are a threat to you, and expending energy to stop what quite literally will never stop.
[20:44] <TheHonorableKitt> well, mr openfire, I always cross check icmp requests with https://www.abuseipdb.com, and if they show up red, they get banned, because they're obviously hackers. Let me do me, thanks :) :*
[20:45] <openfire> Um, no, they're not. You could be banning random grandmothers who don't realize their routers have been exploited. You have no idea, because you think you know what you're doing, and won't listen to anyone who knows better. So, sure, you can do you, but you're doing 1. stupid things for 2. the wrong reasons. :*
[20:46] <TheHonorableKitt> <--- systems admin with 15+ years as a security expert. Please don't tell me how to run my damn server. Thank you, bye
[20:47] <sdeziel> exploited router owned by a grandmother or not is a bad thing IMHO
[20:48] <sdeziel> hackers really have no sense of ethic
[20:48] <openfire> That's not the point.
[20:49] <openfire> The point is to actually determine if something is a threat. A threat is an entity that has both the capability and intent to cause damage in some way. Random ping scans show neither capability nor intent, and thus are not evidence of a threat.
[20:49] <TheHonorableKitt> if a known hacker is pinging my server, there's only one reason why: they're trying to find potential vulnerabilities to exploit. Period. Therefore, banned. Period. If you don't like it, fine, enjoy your hacked server my friend
[20:50] <openfire> Therefore, they don't warrant some newb script-kiddie excuse for a sysadmin to add iptables DROP rules every time one pops up, and then get snappy with people that try to educate him.
[20:50] <TheHonorableKitt> no one wants unasked for advice ;)
[20:51] <openfire> TheHonorableKitt: Pings aren't vulnerability scans, child. If you were being vuln scanned, or actually reconned by someone who knows what they're doing, you'd be hopelessly clueless.
[20:51] <TheHonorableKitt> *sigh* you're a hopeless moron. please don't speak to me again.
[21:25] <smoser> rbasak: https://jenkins.ubuntu.com/server/job/git-ubuntu-ci/80/console
[21:25] <smoser> looks new
[21:26] <cyberspectre> Hi. Could someone explain to me why the images at this page: http://nutrigold.info/flipbooks/turnjs4/samples/basic/ return a 403 forbidden when attempted to be fetched by jquery?
[21:26] <cyberspectre> It is ubuntu server 16.04 lts
[21:27] <sarnold> the system administrator either configured their webserver, a proxy in front of the server, filesystem permissions, or apparmor permissions on the server, in such a way to return that error code when those assets are requested
[21:28] <lordcirth> cyberspectre, that link loads a blank white rectangle for me
[21:28] <cyberspectre> lordcirth, check developer console
[21:29] <lordcirth> cyberspectre, are you hosting this website and trying to fix it?
[21:31] <lordcirth> <script src="../../lib/turn.js"></script> - ../.. seems likely to cause permission problems, depending on your directory layout
[21:31] <lordcirth> No, I can request http://nutrigold.info/flipbooks/turnjs4/lib/turn.js
[21:32] <lordcirth> Perhaps you should ask on a channel more dedicated to webservers
[21:36] <cyberspectre> lordcirth, so it's not likely a conf file I need to edit that doesn't allow this out of the box?
[21:37] <lordcirth> cyberspectre, webservers are complex, and while I have worked with them, I am not an expert.  Consider asking on #httpd or the equivalent for your webserver.
[21:37] <cyberspectre> Understood, thank you lordcirth
[21:37] <teward> what's the actual question?
[21:37] * teward knows a bit about webservers
[21:37] <teward> usually 403s give you log data that can help to glean the problem, on the web server side
[21:38] <teward> (I would not be using `../../` in your requests by the way, I'd use a root-relative full path such as `/flipbooks/turnjs4/lib/turn.js`)
[21:38] <sdeziel> cyberspectre: looks like the web host doesn't want any Referer header
[21:38] <teward> also ^ that could be the problem
[21:38] <sdeziel> cyberspectre: I could fetch 11.jpg after dropping that header using the dev tools in Firefox
[21:39] <sdeziel> yep, they all load fine when stripping the referer
[21:42] <cyberspectre> sdeziel, I actually don't know what a referrer header is
[21:42] <cyberspectre> is that in the html?
[21:42] <teward> no...
[21:42] <teward> it's a request header
[21:42] <teward> you should probably read up on how web headers work
[21:42] <sdeziel> cyberspectre: no, it's a request header set by browsers
[21:42] <teward> ^ this
[21:43] <cyberspectre> sdeziel, brief explanation of how you disabled it in devtools? That will put me on the right track
[21:43] <cyberspectre> k
[21:44] <sarnold> what web server are you using? what configuration have you done to it? are you using something like mod_security? etc
[21:44] <sdeziel> cyberspectre: this was just to confirm the weird behavior but I opened the devtools, clicked on a .jpg 403 and selected edit and resend
[21:44] <sarnold> sdeziel: jpw
[21:44] <sarnold> sdeziel: how did you think to remove a referer header? :)
[21:44] <sdeziel> cyberspectre: then you get to edit the set of headers your browser would like to send so you need to drop the Referer: line
[21:45] <sdeziel> sarnold: I tried fetching just an image without the JS code
[21:47] <sdeziel> and got lucky
[21:48] <sarnold> sdeziel: I'll say, removing a standard header wouldn't have been anywhere near my top list of things to try :) hehe
[21:49] <sdeziel> some web host filter on the referer to avoid image download "abuse" by other sites
[21:49] <sdeziel> this one apparently forgot to treat itself differently than other sites ;)
[21:51] <sarnold> :D
[21:52] <cyberspectre> Okay this is beyond me for the moment
[21:52] <cyberspectre> But thank you
[21:55] <sdeziel> cyberspectre: if you share your web host config, I'm sure someone will be able to assist
[22:29] <coreycb> jamespage: all the clients except python-neutronclient (still working on) are at upper-constraints now for disco
