[00:00] <Greyztar> I've removed ufw, only using iptables interface
[01:19] <mwhudson> tomreyn: thanks for all the subiquity bug reports btw
[01:20] <mwhudson> tomreyn: have you seen this? https://www.systutorials.com/docs/linux/man/8-lvm/#lbAG (rules for valid VG and LV names)
[01:21] <tomreyn> mwhudson: welcome :) and no, i had not. but i'm not surprised there are restrictions.
[01:22] <tomreyn> i mean ... on lvm's end.
[01:26] <TheHonorableKitt> just ran a restore on my box, apparently all the fixes I did didn't work, ufw still blocked everything
[01:26] <TheHonorableKitt> restore done, all good now
[01:28] <mwhudson> tomreyn: i'm not surprised there are restrictions, i'm a bit surprised they are so fiddly
[01:28] <mwhudson> tomreyn: the only restriction on md appears to be "non-empty" and "does not contain /"
[01:29] <mwhudson> although whether the kernel will actually allow "md/my shiny drive's raid" i'm about to find out...
[01:31] <tomreyn> hehe, good luck
[01:34] <tomreyn> those lvm restrictions are fiddly, yes. but i guess if you just limit it to ^[a-zA-Z0-9][a-zA-Z0-9+_.-]*$ this will cover pretty much every use case.
[01:35] <TheHonorableKitt> anyone have a good answer as to how I can just create a new eth, like eth1, eth2? I'm using linode, which uses netplan
[01:37] <sarnold> TheHonorableKitt: that's not the path you want to take
[01:38] <mwhudson> yeah
[01:38] <TheHonorableKitt> what path exactly should I take then?
[01:39] <TheHonorableKitt> any and all tutorials for putting snort in inline IPS mode say that you have to have more than one eth, but when I took your advice for the other option, it shut down my entire machine's network and resulted in requiring a backup restore to fix
[01:39] <sarnold> feeding snort or suricata with nfq
[01:39] <TheHonorableKitt> yeah, I did that, it broke everything
[01:39] <sarnold> the "inline" option that you found in the first guide was about protecting an entire network
[01:40] <sarnold> sadly the nfq docs also assumed the same thing, because almost no one uses snort or suricata on single hosts
[01:41] <TheHonorableKitt> unfortunately I can't afford a second VPS to do it without a single host
[01:45] <openfire> TheHonorableKitt: Linode does not use netplan. Ubuntu uses netplan. Netplan can be disabled easily. So what are you trying to do?
[01:45] <TheHonorableKitt> I'm trying to get snort in inline IPS mode
[01:46] <openfire> On a Linode?
[01:46] <TheHonorableKitt> yes
[01:47] <mwhudson> i probably shouldn't use ctypes to call functions from liblvm2cmd.so.2.02 should i
[01:47] <sarnold> mwhudson: depends.. doing it from C would probably be easier and more reliable in the long run but probably a harder project to start :/
[01:47] <openfire> TheHonorableKitt: And what else is this Linode doing?
[01:48] <mwhudson> well i could write a python extension to do it too
[01:48] <mwhudson> but this is being silly
[01:48] <mwhudson> better to just copy the validation into subiquity, as tedious as that will be
[01:48] <TheHonorableKitt> linode is hosting five websites, sip server, and znc bouncer
[01:48] <sarnold> I think I'd rather see ctypes than python extension :)
[01:49] <mwhudson> sarnold: how do you think subiquity talks to netlink...
[01:49] <openfire> TheHonorableKitt: Then you're using the wrong tool for the wrong job.
[01:49] <TheHonorableKitt> please be more elaborate
[01:49] <sarnold> mwhudson: I'm almost afraid to find out :)
[01:49] <mwhudson> sarnold: i wrote a c extension binding to libnl3-route ...
[01:49] <sarnold> mwhudson: my condolences
[01:49] <sarnold> mwhudson: netlink is just ... sadness
[01:50] <openfire> TheHonorableKitt: snort is a NETWORK IPS. You want something to protect a single host. snort does not do that.
[01:50] <mwhudson> sarnold: i don't know, it beats sysfs i think
[01:50] <mwhudson> sarnold: stracing lsblk, now THAT is sadness
[01:50] <sarnold> mwhudson: ouch -- you've clearly seen some dark things :)
[01:50] <TheHonorableKitt> is there something else that would do what I need to do then?
[01:51] <openfire> TheHonorableKitt: What is your experience with IDS/IPS systems in general?
[01:52] <TheHonorableKitt> basic, but I know what they are
[01:52] <TheHonorableKitt> security + certified <----
[01:52] <openfire> So is my cat.
[01:52] <openfire> In other words, zero practical experience.
[01:52] <TheHonorableKitt> your cat's fucking awesome
[01:53] <openfire> Short version: You DO NOT want to try to deploy HIDS/HIPS on something you care about without spending quite a bit of time figuring out how they work on a test system, first.
[01:53] <openfire> If you do... You're gonna have a bad time.
[01:53] <openfire> Either because you flood yourself with (not kidding) millions of alerts, or you shut down your everything.
[01:54] <sarnold> this was also why sdeziel suggested rolling it out for just tcp/80 first and adding protocols as you gained confidence
[01:54] <sarnold> course I suggested to go whole-hog on it because it's a VPS that you can wipe and restore in a few minutes, so an ideal platform for learning ;)
[01:55] <TheHonorableKitt> I already run snort as an IDS on this machine, and I don't get flooded with alerts.
[01:55] <openfire> TheHonorableKitt: How much tuning did you do?
[01:56] <TheHonorableKitt> a good bit
[01:56] <openfire> How long is your SID suppression list?
[01:56] <mwhudson> haha now i have /dev/md/this
[01:57] <sarnold> rofl
[01:57] <TheHonorableKitt> anyway, I'm not on here to have someone chew me out because, again, they dislike how I'm trying to run my systen.
[01:57] <TheHonorableKitt> system*
[01:57] <mwhudson> i wonder if this is curtin failing to quote something somewhere
[01:57] <mwhudson> or mdadm being terrible
[01:57] <mwhudson> the /sensible/ fix is presumably to not let people put spaces in the bod
[01:57] <mwhudson> *box
[01:58] <sarnold> [a-zA-Z0-9]
[01:58] <sarnold> (sorry kylin)
[01:58] <openfire> TheHonorableKitt: You know, with a slight perspective adjustment, you could learn to appreciate the advice being given to you by people with many years of experience, saving you from learning things the hard and aggravating way.
[01:59] <openfire> TheHonorableKitt: Snort is the wrong tool for the job. You could look into something like samhain, ossec, aide, or tripwire, and learn how much you still have to learn. Cheers.
[02:13] <mwhudson> hah yes it's mdadm
[02:13] <sarnold> o_O
[02:13] <mwhudson> tbf to lvm's man page, clearly mdadm should be validating much harder
[02:14] <mwhudson> e.g. a name of .. probably isn't going to work either
[02:15] <mwhudson> mdadm: array /dev/md/.. started
[02:15] <mwhudson> ORLY?
[02:15] <sarnold> I wonder what happens if you 'cd /dev/md ; cd ..' on that..
[02:16] <tomreyn> or try starting the /dev/md/../../etc/passwd array
[02:16] <sarnold> ENOTDIR?
[02:16] <mwhudson> the thing in /dev/md/ is just a symlink
[02:16] <mwhudson> tomreyn: it does forbid / at least
[02:16] <tomreyn> aaaw
[02:17]  * mwhudson blinks
[02:17] <mwhudson> mdadm: device /dev/md/../../etc exists but is not an md array
[02:17] <mwhudson> why didn't it say that for /dev/md/.. then?
[02:22] <tomreyn> maybe it doesn't like that /dev has 0 blocks allocated
[02:25] <mwhudson> oh probably /dev/md didn't exist at all at that point
[02:26] <tomreyn> thank you for actually working on fixing these bugs i report, mwhudson, that's great. :)
[02:26]  * tomreyn zzz
[02:26] <mwhudson> tomreyn: sorry for the radio silence, it's partly me waiting until i had the time to respond sensibly...
[02:27] <tomreyn> no bad feelings, i'm glad it's moving! :)
[02:41] <TheHonorableKitt> lol I was wondering why I saw that guy, I ignored the douche openfire ages ago. strange.
[02:56] <TheHonorableKitt> when I run "ip addr del X.X.X.X dev eth0" and then "ip addr add X.X.X.X dev eth0:0" and then I re-check with "ip addr", it still shows as under eth0, and not eth0:0, am I doing something wrong here?
[02:58] <sarnold> the eth0:0 "aliases" interface was deprecated about twenty years ago in favour of just adding multiple IPs to the interface directly
[02:59] <TheHonorableKitt> oh hmmm
[02:59] <TheHonorableKitt> ok, that's fine then, that's how it is now
[02:59] <TheHonorableKitt> I'm just confused on how I can get snort to utilize them because it specifically does eth0:eth1 for its binding/bridging feature
[02:59] <TheHonorableKitt> I'll speak to #snort about that
[03:00] <openfire> Still chasing snort for this, huh?
[03:00] <sarnold> I'd strongly recommend asking them for help on how to solve your problem rather than starting with the "inline IPS" discussion
[03:01] <sarnold> maybe they'd be quicker to catch on than we were that you were following the wrong guide for what you were trying to solve :) but still, no need to start off on the wrong foot
[03:01] <TheHonorableKitt> yep, thanks much for your help sarnold :) <3
[03:02] <sarnold> have fun, good luck :)
[03:24] <masber> good afternoon all, I have an Ubuntu 16.04.5 LTS server I would like to enable hyperthreading
[03:24] <masber> I already setup the BIOS but I can't see the extra cores
[03:24] <masber> this is the cpu model --> Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz
[03:24] <masber> any advice?
[03:26] <sarnold> https://ark.intel.com/products/91754/Intel-Xeon-Processor-E5-2680-v4-35M-Cache-2-40-GHz-
[03:26] <sarnold> it sure looks like it should HT..
[03:30] <masber> sarnold, yes I can see the ht flag in the /proc/cpuinfo
[03:30] <masber> however lscpu says --> Thread(s) per core:    1
[03:32] <masber> do I need to reinstall the OS after enabling ht in the BIOS?
[03:32] <sarnold> masber: how about grep "core id" /proc/cpuinfo
[03:33] <masber> sarnold, no luck it only shows the physical cores for the 2 sockets http://dpaste.com/1H3WADP
[03:33] <sarnold> awwwwww
[03:34] <sarnold> masber: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/kernel-parameters.txt#n2041
[03:34] <sarnold> masber: what's your /proc/cmdline look like?
[03:35] <masber> http://dpaste.com/2SHSTHA
[03:35] <sarnold> maxcpus=28
[03:35] <sarnold> try removing that
[03:36] <masber> damn
[03:48] <masber> sarnold, thank you it is now working :)
[03:49] <masber> so I understand that grub/kernel flag was limiting the number of cpus but, why Thread(s) per core:    1 if ht was enabled?
[03:50] <sarnold> masber: excellent! :D
[03:50] <sarnold> masber: good question. :/
[03:51] <sarnold> I'm not actually sure what would be ideal to report.. or what options the different tools even have
[03:51] <sarnold> because it was accurately reporting the state of the system, as it was booted
[03:52] <sarnold> if it were reporting the silicon abilities it might have taken a while longer to figure out that htop should have completely filled your terminal :)
[03:52] <sarnold> anyway, time to run, have fun masber :) that looks like a machine for serious fun :) hehe
[07:34] <lordievader> Good morning
[11:20] <ahasenack> good morning
[11:21] <lordievader> Hey ahasenack How are you doing?
[11:27] <ahasenack> rbasak: hi, good morning, may I suggest this bug for your sru day? :) https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1791139
[11:27] <ahasenack> hello lordievader, I'm doing well, and you?
[11:28] <ahasenack> https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1782806 has also been in a verified state for almost a month now
[11:29] <ahasenack> and https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1786508 too (!)
[11:37] <lordievader> ahasenack: doing good here
[11:38] <ahasenack> lordievader: where are you from?
[11:38] <lordievader> Holland. What about you?
[11:39] <ahasenack> Brazil
[11:40] <ahasenack> it's 9h40 here now
[13:07] <TheHonorableKitt> o/
[13:54] <ahasenack> gotta love such tests: https://pastebin.ubuntu.com/p/zSbj93HqWy/
[13:59] <sdeziel> ahasenack: the " " looks different
[14:00] <ahasenack> I don't think so, I zoomed in
[14:00] <sdeziel> ahasenack: I used "od -c"
[14:01] <sdeziel> the first line has a regular space while the second one has "342 200"
[14:01] <sdeziel> as the space char between 1 and 2
[14:02] <sdeziel> putting each line in a separate file after dropping the -/+:
[14:02] <sdeziel> $ cmp 1 2
[14:02] <sdeziel> 1 2 differ: byte 3, line 1
[14:31] <bipul> So there is no solution for Install Ubuntu via preseed in Virtualbox?
[14:34] <bipul> This is my preseed configuration https://paste.ubuntu.com/p/Xbj8fyRv3G/ , I'm not sure what will be the configuration inside /isolinux/tx.cfg and /boot/grub/grub.cfg ? To automate the Installation.
[14:35] <bipul> Could anyone help me out. I'm trying to install Ubuntu server 18.04.
[15:13] <lordcirth> bipul, what happens when you try it?
[15:21] <bipul> Seems like the preseed file cannot be read by initrd
[15:22] <bipul> s/initrd/debian-installer
[15:22] <lordcirth> bipul, can you provide the exact error message?  Or does it just continue as if you had not provided a preseed?
[15:23] <bipul> lordcirth, Just give me 15 Minutes, I'm trying one more time.
[15:23] <lordcirth> no hurry
[15:23] <genii> You can switch to console 4 to see the stderr
[15:24] <bipul> I'm installing it inside VirtualBox, How could i open console 4 ?
[15:24] <bipul> I'm editing the iso file. And i need to ask one thing more, that it required only to edit isolinux/txt.cfg? or boot/grub/grub.cfg ?
[15:25] <bipul> Both?
[15:25] <genii> Normally it would be alt-f4
[15:26] <bipul> Alt-F4 is used to close the application
[15:26] <genii> I was debugging preseed files like this before, switching from console 1 where it was doing regular stuff to the console 4 to see output of what it was doing or looking for
[15:27] <bipul> genii, Have you installed Ubuntu server 18.04 via preseed?
[15:28] <genii> Not 18.04, but all the other LTS versions from 10.04 to 16.04
[15:29] <ahasenack> bipul: did you use the live server installer, or the old installer?
[15:29] <ahasenack> the so called live one doesn't have preseed support I think
[15:30] <genii> I was using tftp
[15:30] <bipul> I'm using Live-server i.e ubuntu-18.04.1-live-server-amd64.iso
[15:30] <genii> netboot/tftp
[15:30] <bipul> Where i can download netboot?
[15:31] <bipul> And are you sure?
[15:33] <genii> index of netboot images http://cdimage.ubuntu.com/netboot/18.04.1/
[15:36] <genii> At that time I was using full-blown isc dhcp server, etc, but now it's easier to do by dnsmasq for the server
[15:39] <bipul> genii, Which one to download?
[15:39] <bipul> mini.iso?
[15:41] <genii> The important stuff there is the pxelinux and filesystem netboot.tar.gz, you can use any iso file but they do provide the mini.iso as well
[15:42] <genii> If you already have an iso just use that
[15:42] <genii> work, afk 5-10 minutes
[15:42] <bipul> just a minute
[15:42] <bipul> md5sum, is it required to be updated when we create a preseed file?
[15:48] <TheHonorableKitt> hey guys, back again today. It appears my linode Ubuntu 18.04LTS server is utilizing 'netplan'. I'm unsure if it supports the creation of 'dummy network interfaces' or otherwise known as 'virtual network interfaces' or not, but can someone help me figure out how to do this properly?
[15:49] <sdeziel> TheHonorableKitt: is this still for the IDS/IPS scenario?
[15:49] <TheHonorableKitt> yeppers :)
[15:49] <TheHonorableKitt> i'm just trying to take one step at a time
[15:49] <ahasenack> TheHonorableKitt: https://netplan.io/examples has some examples, and there is also a #netplan channel on freenode
[15:49] <TheHonorableKitt> I need to get more interfaces before I can do anything
[15:49] <ahasenack> (generic examples, not exactly about your case, but they might help)
[15:49] <TheHonorableKitt> ohhhhh nice, I'll speak to them :)
[15:50] <sdeziel> TheHonorableKitt: I don't understand how dummy NICs will help you get there but good luck anyways
[15:52] <TheHonorableKitt> well, according to all of the tuts I've seen, it absolutely requires two or more ethernet interfaces, virtual or 'non-virtual' will work. In fact, one even states to give it no ip address. But I'm unsure how my system will respond, so I'd prefer to get answers before screwing around with things. It takes almost 45 minutes to do a full restore on my system, which I'm not afraid of, but it's annoying
[15:54] <sdeziel> TheHonorableKitt: creating dummy devices is trivial: ip link add dummy0 type dummy
[15:55] <sdeziel> TheHonorableKitt: ^ if you want to experiment quickly without making things permanent with netplan/other
[15:55] <sdeziel> but then again, I fail to see how dummy devices will help you
[15:55] <TheHonorableKitt> let me give that a test :)
[15:55] <sdeziel> a dummy device gets no traffic so it will be pointless to direct snort to it
[15:56] <TheHonorableKitt> hmm
[15:57] <TheHonorableKitt> I think virtual network interfaces still work though, but then again, someone said that this function was deprecated a long time ago. i.e. eth0:0, eth0:1, eth0:2, etc.
[15:58] <sdeziel> those are IFACE labels
[15:59] <sdeziel> and yes, they are deprecated
[15:59] <sdeziel> those are not dummy devices
[16:00] <TheHonorableKitt> I see
[16:01] <TheHonorableKitt> geeze, in the past two days I've opened four tickets with linode to try and get this resolved. It seems neither I or they fully understood what needed to happen. But hey, I was able to swing getting two additional IP addresses for my linode :D
[16:03] <sdeziel> TheHonorableKitt: for those additional IPs, you definitely don't need those deprecated IFACE labels, netplan supports adding multiple IPs to a single NIC
[16:03] <TheHonorableKitt> yes, that's already set, but snort relies on network interfaces, not ip's
[16:04] <sdeziel> I'm pretty sure that those label interfaces are in fact the same NIC so pointless
[16:04] <sdeziel> try tcpdump on one of those, I'm pretty sure you'll see the traffic for the base/original NIC
[16:05] <bipul> lordcirth, It says Boot loader /casper/initrd.1z: file not foun
[16:06] <TheHonorableKitt> oh oh, wait...I think I figured it out, don't know why I never tried this
[16:06] <TheHonorableKitt> ifconfig eth0:0 x.x.x.x
[16:06] <bipul> May be i have misconfigured.
[16:07] <lordcirth> bipul, /casper/initrd.lz is for the desktop iso.  For the server iso you need /install/initrd.gz
[16:09] <sdeziel> TheHonorableKitt: ifconfig is also deprecated, replaced by ip
[16:09] <TheHonorableKitt> seems to have worked though
[16:11] <sdeziel> TheHonorableKitt: it still works for simple stuff but not everything, just a heads up
[16:12] <bipul> lordcirth, Yes, i changed but Still i need to interact with installation process. It seems like preseed configuration is not working.
[16:12]  * bipul Think to move on debian
[16:17] <cyphermox> TheHonorableKitt: that's why I was asking about network config
[16:17] <cyphermox> netplan does not and won't support labels (what eth0:0 is) unless there's a very good reason to do it
[16:17] <cyphermox> that weird setup for snort is iffy
[16:17] <cyphermox> (not your fault, just an odd requirement from it)
[16:18] <TheHonorableKitt> yeah, I've been running in circles, trying this and that to get this to work, it's been a total PITA
[16:18] <cyphermox> hence, one option to do this in netplan is to have eth0 and vlan1 (on eth0), which both will be the same network interface on the same network (unless network config says otherwise); and then Snort should be happy to bridge eth0 and vlan1
[16:19] <TheHonorableKitt> I hadn't thought about vlans, but that makes sense
[16:19] <cyphermox> it's a little hackish, but that does work in some scenarios. I haven't tried it with Snort
[16:19] <TheHonorableKitt> I'm assuming I can make vlans the same way? ifconfig vlan1 x.x.x.x?
[16:19] <sdeziel> instead of a full fledged vlan, a dummy dev would be more appropriate IMHO
[16:19] <cyphermox> no
[16:20] <cyphermox> sdeziel: not if you want to bridge the traffic across the same interface.
[16:20] <cyphermox> and it doesn't help if you can't create a dummy from netplan either ;)
[16:20] <TheHonorableKitt> was that no to me or sdeziel?
[16:20] <cyphermox> to you
[16:21] <sdeziel> cyphermox: the desired goal is have snort do the bridging (in user space)
[16:21] <cyphermox> if you want to use netplan, write the vlan in the netplan yaml
[16:21] <sdeziel> that goal is wrong IMHO though ;)
[16:21] <cyphermox> sdeziel: I agree, but bridging from eth0 to dummy0 won't achieve anything but blackholing the traffic?
[16:21] <cyphermox> sdeziel: it's a requirement from that setup
[16:21] <sdeziel> cyphermox: well, if dummy0 has the destination IP, it could work
[16:22] <cyphermox> Snort wants to take traffic from one interface and throw it out the other after sniffing at it for a bit and wagging its tail
[16:22] <sdeziel> yup
[16:22] <TheHonorableKitt> ok, let me take a look at this netplan config then, see if I can figure out how to create a vlan
[16:22] <cyphermox> I'm not familiar enough with the dummy driver to say it would work
[16:22] <sdeziel> so it could work with a dummy dev where snort filtered out the undesired stuff, I think
[16:23] <cyphermox> TheHonorableKitt: if you want a config that will persist ;)
[16:23] <TheHonorableKitt> hm?
[16:23] <sdeziel> but this whole bridging idea is wrong to begin with
[16:23] <TheHonorableKitt> snort bridges on its own, I don't
[16:23] <cyphermox> TheHonorableKitt: otherwise you can use 'ip link add link eth0 name eth0.1 type vlan id 1'
[16:24] <cyphermox> (to test that it works with a vlan before going further)
[16:24] <TheHonorableKitt> let me run that
[16:24] <sdeziel> TheHonorableKitt: snort doing bridging is when you want snort to inspect traffic for _other_ machines, not self
[16:24] <sdeziel> but I'll stop repeating this
[16:25] <cyphermox> I'm going to get back to my autopkg tests now, just ping me if there's a netplan question, I don't always look at this channel
[16:25] <TheHonorableKitt> thanks cyphermox
[16:31] <TheHonorableKitt> sdeziel I know, but I can't believe that snort isn't capable of inspecting traffic on its own system. I already have snort in IDS running on this same machine, it already sees traffic and alerts me when things happen, but it's not in IPS mode so it can't do anything with the traffic. So I don't see why IPS won't work, if IDS is
[16:32] <sdeziel> TheHonorableKitt: snort is capable of operating in IPS mode on a host but bridging isn't how you do it. NFQUEUE is the way to go
[16:33] <TheHonorableKitt> Right, I understand that. I don't know why, but running it that way shut down my entire network. I was forced to run a restore just to get it back up again.
[16:33] <sdeziel> TheHonorableKitt: have you been to #snort (if there is such channel) to expose your scenario?
[16:33] <TheHonorableKitt> I have been, but snort is generally really quiet, only about 50 people in there
[16:33] <sdeziel> TheHonorableKitt: with NFQUEUE, you divert packets to snort itself so yeah, you need to be careful what you send it cause you risk cutting your own access
[16:36] <TheHonorableKitt> yeah, it just killed everything. nothing at all worked. The problem was that I was unable to remove it after I set it, even with LISH access on Linode
[16:37] <sdeziel> the devil is in the details. How are you managing your ip{,6}tables rules?
[16:37] <TheHonorableKitt> I use iptables-save and iptables-restore, but the restore didn't fix things, so I had to run a restore
[16:38] <sdeziel> TheHonorableKitt: I highly recommend iptables-persistent
[16:38] <TheHonorableKitt> I think that's part of iptables-save and iptables-restore
[16:39] <sdeziel> also, you should be working from LISH and iptables-restore from a temp/experimental file when you do something risky
[16:39] <sdeziel> iptables-persistent is a package that takes care of loading your rulesets on boot
[16:39] <sdeziel> among other things
[16:40] <TheHonorableKitt> right
[16:40] <sdeziel> anyway, so the idea is to use a temp file to avoid introducing bogus rules in your main rulesets
[16:40] <sdeziel> this way, you preserve your known good set for an eventual restore if you screwed up
[16:40] <TheHonorableKitt> yep, lesson learned XD  lol
[16:41] <sdeziel> the alternative would be to insert rules live with "iptables -I" directly
[16:41] <sdeziel> but I find it easier to simply edit a file and feed it to iptables-restore
[16:41] <TheHonorableKitt> agreed. lol I just couldn't find the rule to remove when I set the NFQUEUE setting
[16:42] <sdeziel> TheHonorableKitt: gotta run for now but I'll be happy to walk you through it later, as long as you know how to tell snort to feed from a NFQUEUE as I only did this on suricata
[16:43] <TheHonorableKitt> hope it works, but we might need an alternative way of communication
[16:43] <TheHonorableKitt> if I set NFQUEUE it'll undoubtedly kill znc
[16:51] <TheHonorableKitt> honestly I do have a pfsense box at my home that protects my entire network. I'm just not confident enough to host public websites at home on my home server (which is undoubtedly much better than the linode one I'm paying for), and I know pfsense has snort IPS.
[16:51] <TheHonorableKitt> it's just that it blocks freaking everything
[17:22] <lotuspsychje> explain at which time this occurs stormbard
[17:23] <lotuspsychje> the more info we have, the better volunteers can help
[17:25] <stormbard> I'm seeing messages that are displayed right before the grub boot menu. All I can catch before they go away are something about compression and error. I'm using a zfs root pool and installed 18.04. I'm trying to figure out how I might see these messages for longer than the flash so I can debug further.
[17:26] <XenophonF> stormbard: did you install ZFS per https://github.com/zfsonlinux/zfs/wiki/Ubuntu-18.04-Root-on-ZFS?
[17:26] <XenophonF> or did you use a different install procedure?
[17:27] <stormbard> I used that guide
[17:28] <XenophonF> are you able to re-mount the pool from the live CD per the rescue instructions in that guide?
[17:31] <XenophonF> there's also this troubleshooting guide, https://help.ubuntu.com/community/Grub2/Troubleshooting
[17:32] <stormbard> Haven't tried, but I'll give it a try. The system does boot fine. It's just that I see these messages before grub loads
[17:49] <stormbard> XenophonF: I'm able to follow the rescue steps in the guide without issue
[18:00] <stormbard> forgot I had IPMI and SoL capabilities. The message I'm seeing is "error: compression algorithm inherit not supported". I'm googling for answers now but if anyone has insight I'm posting here as well
[18:02] <ahasenack> is that zfs?
[18:02] <stormbard> yup it is a zfs rpool
[18:02] <ahasenack> I've seen grub complaining a lot about some zpool features it doesn't understand
[18:02] <ahasenack> but it would still boot
[18:03] <ahasenack> if it's not booting, the real issue might be something else
[18:04] <ahasenack> I also remember I had a machine where I couldn't get it to boot using mbr with the bios partition, it only worked with uefi
[18:10] <TJ->   if (comp != ZIO_COMPRESS_OFF && decomp_table[comp].decomp_func == NULL)
[18:10] <TJ->     return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
[18:10] <TJ->                "compression algorithm %s not supported\n", decomp_table[comp].name);
[18:11] <TJ-> stormbard: ^^^^ "inherit" method is not supported in grub. "  {"inherit", NULL},        /* ZIO_COMPRESS_INHERIT */ "
[18:15] <trippeh> Gnome thinks my 56Gbps network interface is in fact Bluetooth
[18:16] <trippeh> that's some mighty spiffy Bluetooth
[18:16] <lordcirth> lol
[18:16] <lordcirth> Nice NIC
[18:17] <stormbard> TJ-: Thanks, what is that compression mode? when I create the pool I set it up as lz4
[18:23] <TJ-> stormbard: from reading the ZFS source it seems that means the compression is inherited from the 'parent' - not sure what precisely the parent is though
[18:26] <stormbard> Ah, I didn't think about checking there. I can make a guess as to what is happening based on what I know about ZFS and how I set it up. The compression can be set on each dataset separately. I set it on the very root dataset and at the pool level and never changed it again. If you don't explicitly set the value on a child item it inherits it from the parent.
[18:27] <TJ-> stormbard: that sounds like it
[18:28] <stormbard> Everything boots fine and that pool status is healthy so it is likely just a message I can ignore for now. I was just erring on the side of caution until I could figure out more. Thanks all for the help
[18:33] <ahasenack> stormbard: that has been my experience. The warnings are there, but it ends up booting just fine
[18:36] <sdeziel> stormbard: dunno if that's related but grub warns when it cannot write to disk (to save the default boot entry) but otherwise works fine
[18:44] <TJ-> It depends on what the device is that contains GRUB's file-system. Things like RAID devices it can only read
[19:00] <sdeziel> TheHonorableKitt: I'm back
[19:00] <TheHonorableKitt> hey buuuuuuddy
[19:01] <sdeziel> TheHonorableKitt: it might be best to move to a priv conversation to avoid spamming everyone in here ;)
[19:02] <TheHonorableKitt> hehe that works :)
[19:50] <awkwardusername> help, what to check when you can DNS resolve things but can't connect to 80/443 - acls do not block any port outbound (ufw off)
[19:51] <sarnold> are you on AWS or similar cloud hosts?
[19:51] <sdeziel> awkwardusername: do you manage the target of your connection (where you are trying to connect on TCP/80 or TCP/443) ?
[19:52] <awkwardusername> sdeziel, any domain, regardless - won't connect to both. have tried pings to domain, it resolves to ip.
[19:52] <sdeziel> awkwardusername: what do you get from "nc -zv sdeziel.info 443" ?
[19:52] <awkwardusername> curl says Immediate connect fail for 2404:6800:4004:808::2004: Network is unreachable for google.com
[19:53] <sdeziel> hmm
[19:53] <sarnold> does ipv6 work on your host?
[19:55] <awkwardusername> no - i haven't enabled them. also additional info, vm is behind a NAT (it's actually an EC2 instance) with a network card that has a private and public IP
[19:55] <awkwardusername> route tables are also properly configured (i haven't actually changed them)
[19:55] <sarnold> do your security groups allow ingress/egress to the IPs in question?
[19:57] <openfire> awkwardusername: So, it's obviously trying to reach somewhere via IPv6, which will happen if you have a global-scope v6 address and a v6 default route.
[19:57] <awkwardusername> sarnold, yes - ACLs allow for outbound all traffic for all ips. for inbound , ssh, http/s, and all UDP
[19:57] <awkwardusername> openfire, how can I check that
[19:57] <openfire> awkwardusername: Your error tells you that much.
[19:58] <sarnold> ip route get is very handy
[19:58] <openfire> awkwardusername: Did you deploy an egress-only internet gateway in your VPC?
[19:58] <awkwardusername> openfire, yes but it tried ipv4 first then fell back to ipv6
[19:58] <openfire> awkwardusername: That's oddly backwards.
[19:58] <awkwardusername> that is, Trying 216.58.197.206... then Trying 2404:6800:4004:818::200e...
[19:59] <openfire> awkwardusername: So, did you deploy an IGW (v4) and an EIGW (v6), and configure routes to 0.0.0.0/0 and ::/0 in your routing tables to go to those?
[19:59] <awkwardusername> openfire, no, i didn't deploy that
[19:59] <openfire> Then that's your problem.
[19:59] <awkwardusername> lemme check
[19:59] <openfire> You have no outbound gateway.
[20:44] <Sircle> Which MTA has good features like slowing mails down in a timed calculated cap or delaying mails down if multiple emails are sent to same recipient e.g gmail?
[20:50] <TheHonorableKitt> well that was fun
[20:50] <genii> Sircle: http://www.postfix.org/TUNING_README.html
[20:53] <TheHonorableKitt> woops think I messaged the wrong person lol
[21:00] <Sircle> genii,  ok
[21:10] <vlt> Sircle: Exim should handle most of that.
[21:11] <Sircle> vlt,  exim?
[21:11] <Sircle> vlt,  it's an MTA? how do you compare it with postfix? I need most support for whatever MTA I use + feature-full MTA
[21:25] <TheHonorableKitt> soooooo I'm looking to try and move my server from linode to my own hosted server, any idea what I need to do to auto-install all the application/packages on the other server?
[21:25] <TheHonorableKitt> or is there any way for me to just clone from that server to the new one?
[21:28] <sarnold> you can use dpkg --get-selections on one server and pipe that into dpkg --set-selections on the other; I'd expect an apt-get install to be able to take it from there
[21:29] <sdeziel> I'm a big fan of 'ssh dd if=/dev/vda | dd of=/dev/vda' :)
[21:29] <TheHonorableKitt> vda?
[21:30] <TheHonorableKitt> rather, can you dissect that command for me pls? :)
[21:30] <sdeziel> TheHonorableKitt: you can boot your Linode from a live CD and copy the disk as is. /dev/vda is the virtio disk which should be hooked to your Linode slice
[21:30] <TheHonorableKitt> O.o errrr how in the world do I haz do that?
[21:30] <TheHonorableKitt> lol
[21:31] <sarnold> sdeziel: hah yes that works pretty well if everything lines up just fine..
[21:31] <sdeziel> TheHonorableKitt: that's how I move Linode slices around
[21:31] <vlt> sdeziel: That might fail horribly whenever /dev/vda holds a mounted file system.
[21:32] <sdeziel> TheHonorableKitt: it basically copies the whole disk as is to your destination VM. You then just need to tweak the destination
[21:32] <sdeziel> vlt: hence the live CD
[21:32] <TheHonorableKitt> I don't have /vda, I think mine is /dev/sda
[21:32] <sdeziel> TheHonorableKitt: OK same command but different block device ;)
[21:33] <TheHonorableKitt> how do I set that live cd up there though?
[21:33] <sdeziel> TheHonorableKitt: in Linode manager, you should be able to boot off of Finnix or something like that, I don't remember the name of their rescue boot disk
[21:34] <sdeziel> TheHonorableKitt: are you going to move the Linode to a local VM or a physical machine?
[21:36] <sdeziel> cause I'd advise this dd trick only if the destination is a VM
[21:37] <TJ-> /dev/sda since Linode moved to KVM
[21:37] <sdeziel> otherwise it gets complicated, real quick
[21:37] <sdeziel> TJ-: right, didn't realize that, thx
[21:38] <sdeziel> '[    2.066417] scsi host0: Virtio SCSI HBA'
[21:39] <TJ-> "DMI: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014"
[21:40] <sdeziel> I guess I should move off of i440fx and give a try to Q35
[21:45] <TheHonorableKitt> sdeziel: I have a large vmware server at my home that I'm going to use
[21:46] <sdeziel> TheHonorableKitt:
[21:46] <TheHonorableKitt> yes?
[21:46] <sdeziel> TheHonorableKitt: good, VMs are easier to deal with when you need to fix/tweak grub and such
[21:46] <TheHonorableKitt> yup
[21:47] <sdeziel> TheHonorableKitt: If the VM isn't bootable as is after being copied over, I recommend you boot it with a external kernel/initramfs then fix grub from inside the VM
[21:48] <sdeziel> that's assuming VMWare allows you to provide a kernel/initramfs to boot the VM with
[21:48] <jayjo> is there a way to copy only changed files every 10 seconds or so using bash? I tried to use inotify but I am using a mounted s3fs filesystem and I don't think it supports the standard events like created delete modified
[21:49] <TheHonorableKitt> it might be best for me to just do a clean install, clean some junk up and move my configs all over
[21:49] <sarnold> jayjo: what are you trying to do?
[21:51] <jayjo> I have an s3fs mounted filesystem that has content I want to serve from nginx. It's shared because php-fpm is serving dynamic content and nginx is serving non .php files. I can't change the permissions on the mounted directory directly, so I attempted to use inotify to watch the directory for events
[21:51] <vlt> jayjo: rsync
[21:51] <sdeziel> TheHonorableKitt: that works too and should be made relatively quick with sarnold's trick
[21:51] <jayjo> although this is not over a network, will rsync do it from /my/first/data/dir to /my/second/data/dir ?
[21:51] <TheHonorableKitt> how exactly should I run what sarnold said? is that on my new server? do I have to ssh into the other server? #confused
[21:52] <jayjo> Hopefully I can just run every 10 seconds for perpetuity
[21:52] <sarnold> rsync can go from one dir to another fine
[21:52] <sarnold> I suggest using a tool like run-one or something similar to make sure you don't get two going at once
[21:52] <sarnold> if that happens your system's going to be unhappy in a hurry
[21:53] <sarnold> there might still be a better way to solve the problem though
[21:53] <TheHonorableKitt> I'm gonna need step by steps, because I'm still technically a novice with linux, I'm a windows sys admin by profession, but linux is still a new beast for me
[21:55] <sarnold> it'd be something like ssh linode dpkg --get-selections > /tmp/package_list ; ssh vmware dpkg --set-selections < /tmp/package_list
[21:55] <sdeziel> jayjo: with a s3fs mount, you may want to use rsync --whole-file too
[21:55] <openfire> What's the issue?
[21:56] <openfire> TheHonorableKitt: ^
[21:56] <TheHonorableKitt> sarnold: run that on the linode, or my server?
[21:59] <sarnold> TheHonorableKitt: both those commands from your desktop. it'll connect first to your linode, grab stuff, and save the results locally. then it'll connect to your new vmware instance and send the local package listings to the next command
[22:01] <jayjo> can I just run rsync every 10 seconds? it will do nothing if nothing has changed, right?
[22:02] <sarnold> jayjo: yeah that's not ideal but it should do fine
[22:02] <sarnold> off to lunch :)
[22:04] <XenophonF> is there a way to get my smartarray p410 to export unconfigured disks?
[22:05] <XenophonF> i want to set up a ZFS pool under Ubuntu 18.04 without having to set up lots of single-disk RAIDs
[22:07] <XenophonF> hm, according to a StackExchange article, controllers older than the p420i won't let you disable RAID functionality :(
[22:08] <XenophonF> maybe the driver can bypass that?
[22:09] <Greyztar> openfire: just curious what you mean with ^ when talking with someone?
[22:09] <openfire> Greyztar: My original message didn't have a nick prefix, so it was ambiguously targeted. The ^ was meant to be a "hey, this line was for X person."
[22:10] <Greyztar> openfire: hmm, I don't get it though, I see many use this on social media, still don't get it, I know it's used in some regexp to mark the beginning of a match or so
[22:11] <openfire> Greyztar: It's a symbol that literally by its shape points up.
[22:11] <Greyztar> openfire: ohh now i get it though haha
[22:12] <Greyztar> openfire: thanks for clarifying that, been annoying me for quite some time, googling it didn't yield any result, as with other prefixes and so :)
[22:26] <TheHonorableKitt> so I ran that command, and all I got was this response: "dpkg: warning: package not in status nor available database at line ***: packagename"
[22:28] <openfire> TheHonorableKitt: What are you trying to do?
[22:33] <TheHonorableKitt> sarnold: ^
[22:41] <TheHonorableKitt> ugh can't get this to work
[22:57] <TheHonorableKitt> figured it out, thanks to other people having problems XD
[22:57] <TheHonorableKitt> https://www.linuxquestions.org/questions/linux-software-2/dpkg-set-selections-fails-to-find-hundreds-of-packages-4175617954/
[23:40] <sarnold> XenophonF: sometimes controllers can be flashed with an "IT Mode" driver
[23:41] <sarnold> TheHonorableKitt: hmm. maybe you've got universe enabled on one system but not the other? or maybe linode had something specific to their systems installed, that can happen on some of the cloud providers
[23:41] <TheHonorableKitt> i figured it out :)
[23:42] <TheHonorableKitt> and it's stillllllllll installing lol
[23:45] <sarnold> ah good good