[00:00] <sleepee> oh..  and the kvm host runs CentOS7
[00:01] <sleepee> thing is, virt-install works just fine when creating a CentOS vm.  But with Ubuntu vm's, the --extra-args option seems to get ignored.
[00:02] <sleepee> and from what i can tell, i'm not the only one in this boat.
[00:02] <sleepee> https://unix.stackexchange.com/questions/428858/warning-did-not-find-console-ttys0-in-extra-args
[00:02] <sleepee> ^that guy seems to have a suspiciously similar problem as me.
[00:03] <rbasak> virt-install is not the preferred way to run Ubuntu VMs. It's long and convoluted to run an installer designed for bare metal in a VM. We left that method behind years ago.
[00:03] <sleepee> not sure if it's an Ubuntu issue, but it works fine with CentOS, so i figured I'd ask
[00:04] <rbasak> You should just be able to download and run an Ubuntu cloud image. On any distro.
[00:05] <rbasak> To bootstrap it with a ssh key so you can get in is a little tedious without tooling, but it's still honestly easier than messing with driving an installer.
[00:06] <rbasak> By all means use virt-install, and even fix it - it's a Free Software world after all :)
[00:06] <sleepee> makes sense.  does multipass suport other os'es like CentOS or is it just for Ubuntu?
[00:06] <rbasak> But you won't get much help from Ubuntu people with that method because it's not 2008 any more :)
[00:06] <sleepee> sorry if it's a dumb question. i've never heard of multipass before
[00:06] <rbasak> I'm not sure. multipass is distributed as a snap so I think that means it'll work anywhere snaps do.
[00:06] <sleepee> i'm just starting out in this world
[00:07] <rbasak> Looks like you should be able to build it from source without too much difficulty though.
[00:07] <sleepee> sorry.  i meant are there other images i can install other than ubuntu
[00:08] <sleepee> you know what.  im just going to go ahead and google multipass.  it seems like i need to do a bit of research on that.
[00:08] <sleepee> thanks!
[00:23] <rbasak> sleepee: nothing to apologise for. Sorry if my tone was a bit harsh.
[00:24] <sleepee> nah. You're good.
[00:24] <sleepee> thanks for the suggestion.
[00:24] <rbasak> Cloud images are still a new thing for many people. It's just that we've been doing it for a long time in Ubuntu - longer than everyone else even I think, and it makes life sooo much easier that doing things the old fashioned way seems extra backwards to us.
[00:24] <rbasak> sleepee: same with containers.
[00:25] <rbasak> sleepee: if I want to reproduce a bug report in Ubuntu, for example on 14.04, I type "lxc launch ubuntu:14.04" and can have a shell prompt about three seconds later, on something that looks exactly like a fully operational fresh Ubuntu 14.04 sytsem.
[00:26] <sleepee> Yeah.  It actually makes sense that Canonical put out a tool to make it easier/quicker to deploy Ubuntu vm's.  I know Ubuntu's huge in the cloud.
[00:27] <rbasak> Using virt-install seems as backwards to me as perhaps ordering bare metal hardware to get an instance seems to you :)
[00:27]  * sarnold quickly hides his CPU "product brief" tabs from rbasak
[00:29] <genii> heh
[00:33]  * teward hides sarnold's internet browser from everyone including sarnold.  :P
=== berglh_ is now known as berglh
[06:02] <cpaelzer> mdeslaur: I would not mind, ahasenack was working (or planngin to work) on it but these weeks are rather busy
[06:03] <cpaelzer> mdeslaur: if you have pg-10.6 ready and it tests fine feel free to release it
[06:03] <cpaelzer> ahasenack: ^^
[06:03] <cpaelzer> ahasenack: for the ssh review - as discussed in standup I'll take a look at that
=== jelly-home is now known as jelly
=== kallesbar_ is now known as kallesbar
[08:52] <patz0r> hey all, does anyone have an updated guide for creating a raid1 mdadm array during OS installation?
[08:52] <patz0r> i'm trying to follow this but doesn't seem current
[08:52] <patz0r> https://help.ubuntu.com/lts/serverguide/advanced-installation.html.en
[09:05] <patz0r> i'm trying to create a raid1 mirror to install my OS on but i must be doing something wrong as it's not working
[09:05] <patz0r> i'm using the 18.04.1 live installer
[09:08] <patz0r> i'm going to try the alternate debian installer...
[11:03] <Slashman> I dunno if it's been reported but there is an issue with "http://fr.archive.ubuntu.com/ubuntu", I have several hash mismatch, switching to "http://de.archive.ubuntu.com/ubuntu" solves the issue
[11:03] <lotuspsychje> Slashman: report this in #ubuntu-mirrors please
[11:04] <Slashman> lotuspsychje: sure, I didn't know where to report this exactly, thanks
[11:08] <ahasenack> good morning
[11:12] <tomreyn> good morning
[11:13] <tomreyn> is it normal that proposed is enabled by default on daily server-live images?
[11:15] <ahasenack> I would think not, and would also ask about it
[11:16] <tomreyn> i don't think i did it manually, but i'll re-check just to be sure.
[11:18] <lotuspsychje> tomreyn: the #ubuntu-release guys might know that1
[11:20] <tomreyn> lotuspsychje: thanks. i think the server team (here) would know, but let me double-check first.
[11:26] <ahasenack> it's a funny situation, because even though it's called the server installer, we don't code it
[11:33] <tomreyn> so yes, proposed is enabled by default on the bionic server-live amd64 daily images. on both the Nov 12 (af59b87edf6ef02d230d94b87312c0255dead3bda399588cba44d83a0bda1180) and Nov 14 (403059a8fd19da81b1561970f859cf92aa74950ed91a809ae27d89cb4df3379e) one.
[11:33] <tomreyn> do i report a bug against subiquity, curtin, the one in ubuntu or 'upstream'? something else?
[11:36] <ahasenack> subiquity please
[11:36] <ahasenack> they can sort it out if it's curtin/cloud-init or subiquity
[11:36] <TJ-> tomreyn: sounds like that might be an artifact of the disco images
[11:36] <ahasenack> like that other one where only main was enabled
[11:36] <ahasenack> TJ-: is it the same for cloud images?
[11:36]  * ahasenack checks lxd
[11:37] <ahasenack> lxd image is fine, no proposed
[11:39] <ahasenack> tomreyn: do you have a url to the iso at hand?
[11:40] <ahasenack> ah, found it
[11:40] <ahasenack> n/m
[11:40] <tomreyn> ahasenack: http://cdimage.ubuntu.com/ubuntu-server/bionic/daily-live/current/bionic-live-server-amd64.iso - i downloaded from 2001:67c:1360:8001::1d
[11:51] <tomreyn> bug 1803338
[11:51] <ubottu> bug 1803338 in subiquity (Ubuntu) ""proposed" is enabled by default on bionic server-live amd64 daily images" [Undecided,New] https://launchpad.net/bugs/1803338
[11:52] <ahasenack> tomreyn: I just installed in a vm from that iso (same hash), I don't see proposed in /etc/apt/sources.list
[11:52] <ahasenack> ah, it's in a sources.list.d
[11:53] <ahasenack> wtf
[11:57] <tomreyn> correct, it's in a sources.list.d/
[12:13] <mdeslaur> cpaelzer: thanks!
[12:15] <lotuspsychje> ahasenack: can you also add yourself affected to the bug?
[12:16] <ahasenack> lotuspsychje: the one from tomreyn?
[12:16] <lotuspsychje> yeah
[12:16] <lotuspsychje> the more, the better for attention/solving
[12:17] <lotuspsychje> ahasenack: tnx mate
[12:57] <samba35> i am using updated kernel of 18.04.1 do i require intel acs patch ? as i can't see patch for this version ?
[12:57] <samba35> is any one using pci-passthrough ?
[13:00] <ahasenack> what is that about? intel acs?
[13:02] <samba35> yes
[13:03] <tomreyn> https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVMF#Bypassing_the_IOMMU_groups_(ACS_override_patch)
[13:05] <samba35> yes i check this page but i could not find patch here
[13:05] <tomreyn> i just posted this url to explain what you're inquiring about
[13:06] <samba35> ok
[13:08] <tomreyn> the patch seems to be https://lkml.org/lkml/2013/5/30/513
[13:09] <tomreyn> (it won't apply to current kernel versions without further modifications)
[13:10] <tomreyn> updated patch https://aur.archlinux.org/cgit/aur.git/tree/add-acs-overrides.patch?h=linux-vfio
[13:11] <samba35> let me check links
[13:13] <samba35> is patching kernel os version specific and distro specific ?
[13:14] <tomreyn> potentially both, most likely distro specific at least
[13:15] <samba35> ok
[13:34] <jamespage> coreycb: doing oslo bumps, poking at glance and keystone snapshots with a switch to py3 as the default
[13:35] <coreycb> jamespage: alrighty! good bye py2!
[13:36] <coreycb> jamespage: are we keeping the py2 packages around as an alternative?
[13:36] <jamespage> dunno
[13:36] <jamespage> coreycb: what do you think? maybe we should just drop them
[13:37] <jamespage> thus avoiding any confusion
[13:37] <coreycb> jamespage: i wouldn't mind maintaining just one version
[13:37] <coreycb> jamespage: let's drop them
[13:37] <jamespage> coreycb: agreed, it will cut down build times
[13:37] <jamespage> and reduce complexity
[13:37] <coreycb> jamespage: yes
[13:38] <jamespage> coreycb: that said we may want to either update openstack-pkg-tools to be py3 only friendly or switch everything over to pybuild
[13:39] <coreycb> jamespage: it should be py3-only friendly, no?
[13:40] <coreycb> jamespage: but it doesn't default to py3-only. i think it probably could now if we were to make the switch.
[13:41] <jamespage> coreycb: the pkgos-dh_* commands do have some --no-py2 type options
[13:41] <jamespage> we may just need to review those
[13:41] <coreycb> jamespage: ok
[13:47] <coreycb> jamespage: i think we can drop the shebang dep8 tests if we drop the py2 packages
[13:47] <coreycb> jamespage: or may be useful to keep around to test upgrades to py4 :)
[13:49] <jamespage> coreycb: I'd be tempted to - we can drop all of the alterantives stuff as well
[13:55] <coreycb> jamespage: ok great
[14:12] <jamespage> coreycb: we need a tweak to pkg-tools to not do the python{vers}- prefixing for binaries if only py2 or py3 is being built - testing that now
[14:37] <cpaelzer> ahasenack: chrony now completed its test
[14:37] <cpaelzer> I'll tag and upload
[14:42] <ahasenack> cpaelzer: +1
[14:54] <ahasenack> rbasak: I gather you are not reviewing karl's branch about at?
[14:55] <coreycb> jamespage: ok thanks
[14:55] <rbasak> ahasenack: not right now.
[15:02] <jamespage> coreycb: ok tweaked openstack-pkg-tools uploaded
[15:09] <coreycb> jamespage: great, looks good. i'm wondering if we need to do anything for upgrades.
[15:10] <coreycb> jamespage: i think we're good because postinst scripts should be removing alternatives
[15:10] <coreycb> jamespage: postrm that is
[15:15] <jamespage> coreycb: yeah
[15:15] <jamespage> coreycb: lol - http://paste.ubuntu.com/p/C2MckBXMHK/
[15:15] <jamespage> nice little quick fix
[15:15] <jamespage> coreycb: OK going for an upload run on the oslo's
[15:15] <jamespage> they install and test ok
[15:16] <coreycb> jamespage: ok! :-)
[15:35] <lucidguy> Ok, I have a static ubuntu mirror, been loading servers for days with no issues.  All of a sudden an identical server is failing to install mailutils, dependency issues.  How is that possible?
[15:46] <coreycb> jamespage: shall i start on clients or is their stein uca opening i should focus on?
[15:47] <jamespage> coreycb: please do - UCA is a bit blocked until we get quota increased sorted out
[15:47] <coreycb> jamespage: ok clients it is then
[15:53] <jamespage> coreycb: openstack-pkg-tools (>= 85ubuntu3~) gives you the right behaviour with regards to no alternatives if you pass --no-py2 to pkgos-dh_auto_install and pkgos-dh_auto_test
[15:53] <coreycb> jamespage: ok great, thanks
[17:30] <TheHonorable> Good afternoon everyone, I need some help with scripting. I'm not a coder, but I'm alright with linux commands. I have a task I'm constantly doing which is running this command: iptables -I INPUT -s -IPADDRESS- -j DROP
[17:31] <TheHonorable> I would like to setup something where I just punch in something like: permaban -IPADDRESS- and done, can you help me do this?
[17:41] <TJ-> TheHonorable: "  echo -e "#!/bin/sh\n[ -n \"$1\" ] && /sbin/iptables -I INPUT -s $1 -j DROP\n" | sudo dd of=/usr/local/bin/permaban ; sudo chmod +x /usr/local/bin/permaban  "
[17:43] <TheHonorable> response: bash: !/bin/sh\n[: event not found
[17:43] <TJ-> TheHonorable: ahhh, sorry, I was trying to make it easy. Let me pastebin it for you instead!
[17:43] <TheHonorable> thanks TJ- :)
[17:46] <TJ-> TheHonorable: try this https://paste.ubuntu.com/p/ZjZZySSjZh/
[17:54] <TheHonorable> sweet, it works man :D
[17:55] <TheHonorable> I added in a new line " iptables-save " so that I know for certain they're perm banned. but when I do this, it gives me a huge feedback of the entire iptables file. any way how to snuff that and make it quiet?
[17:56] <TJ-> TheHonorable: that's what iptables-save does; it writes to standard output. If you want to save to a file you redirect the I/O to the file. The filename should be one that, at boot-time, iptables-restore is going to read.
[17:57] <TJ-> TheHonorable: are you already using a package that saves/loads the rules using iptables-{save,restore} ?
[17:57] <TJ-> TheHonorable: e.g. iptables-persistent ?
[17:57] <TheHonorable> i just run iptables-save so that when I reboot I don't lose all my bans
[17:58] <TJ-> TheHonorable: right, but to load those bans, at boot-time you also have to have iptables-restore /path/to/file run.
[17:58] <lordcirth> TheHonorable, have you considered using a tool made for automatic bans, like fail2ban?
[17:58] <TheHonorable> O.o didn't know that
[17:58] <lordcirth> You can totally do it with iptables, but there are tools for this too
[17:58] <TheHonorable> I do use fail2ban, but the command to utilize it is just as long and frustrating as the one I use straight wth iptables
[18:01] <compdoc> I use fail2ban to ban people from trying to guess email passwords. I love that program
[18:01] <TheHonorable> I'm literally just watching a wireshark feed of icmp requests and banning anyone who shows up as red at abuseipdb.com :D
[18:01] <TJ-> TheHonorable: if you install "iptables-persistent" it installs a system service via "netfilters-persistent" that loads/saves rules automatically at boot/shutdown, and you can also do "netfilter-persistent save" to save rules at any time
[18:02] <TheHonorable> that I'm going to do right now
[18:02] <TheHonorable> so I don't have to do iptables-save anymore, just run netfilter-persistent save and I'm good?
[18:03] <TJ-> TheHonorable: not even that if the PC always shutdowns cleanly because it runs that at shutdown
[18:03] <TJ-> TheHonorable: but if you want to be sure, then it won't hurt to run the command
[18:04] <TJ-> TheHonorable: once installed see "man netfilter-persistent" for more info
[18:05] <TheHonorable> got it!! :D
[18:09] <TheHonorableKitt> still here, just under my correct username ;)
[19:04] <cpaelzer> ahasenack: and chrony migrated
[19:05] <ahasenack> yay
[20:40] <openfire> TheHonorableKitt: Why don't you just use ufw?
[20:41] <openfire> TheHonorableKitt: That's my first question. My second question is "why are you doing that stuff at all?"
[20:41] <TheHonorableKitt> why am I banning hackers?? :thinking:
[20:42] <openfire> Every ICMP request that comes your way isn't a hacker, but nice try at sarcasm. Sadly, your attempt is woefully misdirected.
[20:42] <openfire> You're acting like random internet scans are a threat to you, and expending energy to stop what quite literally will never stop.
[20:44] <TheHonorableKitt> well, mr openfire, I always cross check icmp requests with https://www.abuseipdb.com, and if they show up red, they get banned, because they're obviously hackers. Let me do me, thanks :) :*
[20:45] <openfire> Um, no, they're not. You could be banning random grandmothers who don't realize their routers have been exploited. You have no idea, because you think you know what you're doing, and won't listen to anyone who knows better. So, sure, you can do you, but you're doing 1. stupid things for 2. the wrong reasons. :*
[20:46] <TheHonorableKitt> <--- systems admin with 15+ years as a security expert. Please don't tell me how to run my damn server. Thank you, bye
[20:47] <sdeziel> exploited routed owned by a grandmother or not is a bad thing IMHO
[20:48] <sdeziel> hackers really have no sense of ethic
[20:48] <openfire> That's not the point.
[20:49] <openfire> The point is to actually determine if something is a threat. A threat is an entity that has both the capability and intent to cause damage in some way. Random ping scans show neither capability nor intent, and thus are not evidence of a threat.
[20:49] <TheHonorableKitt> if a known hacker is pinging my server, there's only one reason why: they're trying to find potential vulnerabilities to exploit. Period. Thereofre, banned. Period. If you don't like it, fine, enjoy your hacked server my friend
[20:50] <openfire> Therefore, they don't warrant some newb script-kiddie excuse for a sysadmin to add iptables DROP rules every time one pops up, and then get snappy with people that try to educate him.
[20:50] <TheHonorableKitt> no one wants unasked for advice ;)
[20:51] <openfire> TheHonorableKitt: Pings aren't vulnerability scans, child. If you were being vuln scanned, or actually reconned by someone who knows what they're doing, you'd be hopelessly clueless.
[20:51] <TheHonorableKitt> *sigh* you're a hopeless moron. please don't speak to me again.
[21:25] <smoser> rbasak: https://jenkins.ubuntu.com/server/job/git-ubuntu-ci/80/console
[21:25] <smoser> looks new
[21:26] <cyberspectre> Hi. Could someone explain to me why the images at this page: http://nutrigold.info/flipbooks/turnjs4/samples/basic/ return a 403 forbidden when attempted to be fetched by jquery?
[21:26] <cyberspectre> It is ubuntu server 16.04 lts
[21:27] <sarnold> the system administrator either configured their webserver, a proxy in front of the server, filesystem permissions, or apparmor permissions on the server, in such a way to return that error code when those assets are requested
[21:28] <lordcirth> cyberspectre, that link loads a blank white rectangle for me
[21:28] <cyberspectre> lordcirth, check developer console
[21:29] <lordcirth> cyberspectre, are you hosting this website and trying to fix it?
[21:31] <lordcirth> <script src="../../lib/turn.js"></script> - ../.. seems likely to cause permission problems, depending on your directory layout
[21:31] <lordcirth> No, I can request http://nutrigold.info/flipbooks/turnjs4/lib/turn.js
[21:32] <lordcirth> Perhaps you should ask on a channel more dedicated to webservers
[21:36] <cyberspectre> lordcirth, so it's not likely a conf file I need to edit that doesn't allow this out of the box?
[21:37] <lordcirth> cyberspectre, webservers are complex, and while I have worked with them, I am not an expert.  Consider asking on #httpd or the equivalent for your webserver.
[21:37] <cyberspectre> Understood, thank you lordcirth
[21:37] <teward> what's the actual question?
[21:37]  * teward knows a bit about webservers
[21:37] <teward> usually 403s give you log data that can help to glean the problem, on the web server side
[21:38] <teward> (I would not be using `../../` in your requests by the way, I'd use a root-relative full path such as `/flipbooks/turnjs4/lib/turn.js`)
[21:38] <sdeziel> cyberspectre: looks like the web host doesn't want any Referer header
[21:38] <teward> also ^ that could be the problem
[21:38] <sdeziel> cyberspectre: I could fetch 11.jpg after dropping that header using the dev tools in Firefox
[21:39] <sdeziel> yep, they all load fine when stripping the referer
[21:42] <cyberspectre> sdeziel, I actually don't know what a referrer header is
[21:42] <cyberspectre> is that in the html?
[21:42] <teward> no...
[21:42] <teward> it's a request header
[21:42] <teward> you should probably read up on how web headers work
[21:42] <sdeziel> cyberspectre: no, it's a request header set by browsers
[21:42] <teward> ^ this
[21:43] <cyberspectre> sdeziel, brief explanation of how you disabled it in devtools? That will put me on the right trac
[21:43] <cyberspectre> k
[21:44] <sarnold> what web server are you using? what configuration have you done to it? are you using something like mod_security? etc
[21:44] <sdeziel> cyberspectre: this was just to confirm the weird behavior but I opened the devtools, clicked on a .jpg 403 and selected edit and resend
[21:44] <sarnold> sdeziel: jpw
[21:44] <sarnold> sdeziel: how did you think to remove a referer header? :)
[21:44] <sdeziel> cyberspectre: then you get to edit the set of headers your browser would like to send so you need to drop the Referer: line
[21:45] <sdeziel> sarnold: I tried fetching just an image without the JS code
[21:47] <sdeziel> and got lucky
[21:48] <sarnold> sdeziel: I'll say, removing a standard header wouldn't have been anywhere near my top list of things to try :) hehe
[21:49] <sdeziel> some web host filter on the referer to avoid image download "abuse" by other sites
[21:49] <sdeziel> this one apparently forgot to treat itself differently than other sites ;)
[21:51] <sarnold> :D
[21:52] <cyberspectre> Okay this is beyond me for the moment
[21:52] <cyberspectre> But thank you
[21:55] <sdeziel> cyberspectre: if you share your web host config, I'm sure someone will be able to assist
[22:29] <coreycb> jamespage: all the clients except python-neutronclient (still working on) are at upper-constraints now for disco