lordievader | Good morning | 07:21 |
---|---|---|
=== Mr-Pan is now known as Mr_Pan | ||
oskie | I'm setting up KVM in bionic, and I am not sure why I'd need bridge-utils. It depends on ifupdown which kind of conflicts with netplan | 09:47 |
lordievader | If you want libvirt to setup bridged networking bridge-utils is needed. | 11:13 |
lordievader | In the traditional sense, you want bridged networking. | 11:13 |
xnox | oskie, you don't need bridge-utils, iproute2 can do everything. | 11:18 |
xnox | lordievader, that's obsolete.... | 11:18 |
Greyztar_ | how do i get ipset from fail2ban and iptables-persistent/netfilter-persistent to get along, been battling this for a long time and think ive found the culprit, it seems iptables/netfilter-persistent tries to load the rules but fail2ban or ipset haven't created it yet and end up with seems like a default set | 11:18 |
Greyztar_ | on reboot* | 11:19 |
lordievader | Really? Guess I'm old fashioned. I should look into that. | 11:19 |
lordievader | Thanks xnox 😁 | 11:19 |
xnox | lordievader, please familiarize yourself with the new world order of https://baturin.org/docs/iproute2/ ;-) | 11:20 |
xnox | https://baturin.org/docs/iproute2/#Create%20a%20bridge%20interface and so on | 11:20 |
xnox | specifically | 11:20 |
xnox | iproute2 is really a one-stop-shop these days, for everything. | 11:21 |
lordievader | I know. I have been using it for a lot. Just wasn't aware it also did bridge stuff. | 11:22 |
blackflow | Greyztar_: fail2ban is not persistent across reboot by default. You'll need to write a custom action handler that adds to the ipset AND to a file that will be used by ipset on boot. | 11:30 |
blackflow | and then use the ipset in your iptables rules (loaded by netfilter-persistent) | 11:30 |
Greyztar_ | blackflow: thank you very much! I temporarily unscuffed it by not using ipset as action for jail, then it works fine though, i saw same behaviour on other server with ipset sets not loading then netfilter-persistent would not load rules at all, im so happy finally figured this out, really annoying when all rules gets purged | 11:32 |
blackflow | Greyztar_: netfilter-persistent does nothing but exec /etc/iptables/rules.{v4,v6} on boot. so you need to write out rules that use the ipset (-m set --match-set ...) | 11:33 |
Greyztar_ | blackflow: thank you, time to get stuff workin again! | 11:35 |
victorh | Greyztar_: wouldn't the rule become permanent then or will it still delete the rule after the jail-time has passed | 12:33 |
Greyztar_ | victorh: sorry i was out having lunch, this i didnt think of thanks for pointing that out, for now im just happy that it doesnt flush iptables though but i will look into this | 12:51 |
victorh | Greyztar_: Will be though I think, since fail2ban doesn't load old bans (far as i know) | 13:06 |
Greyztar_ | victorh: yes seems like i would have to come up with a new solution for this, really didnt think that fail2ban was the reason iptables got scuffed, have had these problems a really long time and only solution i came up with was to manually load the rules upon reboot, this did work somewhat ok as i almost never reboot with live patches, but this is computers should be auto everything (,") | 13:10 |
oskie | what kind of device is "vlan5@bond0"? is it a bridge? | 13:10 |
victorh | Greyztar_: did you check out these guys? http://denyhosts.sourceforge.net/ | 13:11 |
Greyztar_ | victorh: hmm might look at that also, though i have some custom filters to fail2ban for some specific apps with api logins i kind of need but ill check it out thanks | 13:14 |
ahasenack | rbasak: hi, could you please import lmdb and add it to the whitelist? | 13:27 |
ahasenack | it's a new dep debian added to ldb, we might have to mir it even | 13:27 |
ahasenack | cpaelzer: dep3 question, author is optional, origin is only optional if author is present, so we need either one or the other, right? | 14:14 |
ahasenack | Applied-Upstream doesn't replace either | 14:14 |
muhaha | Ola Guys. Can anyone help me with Kickstart+CloudInit ? I want to provision Ubuntu like -kernel http://archive.ubuntu.com/ubuntu/dists/bionic/main/installer-amd64/current/images/hd-media/vmlinuz -initrd http://archive.ubuntu.com/ubuntu/dists/bionic/main/installer-amd64/current/images/hd-media/initrd.gz, but I am lost how to use cloud-init in this c | 14:16 |
muhaha | ase | 14:16 |
compdoc | who you calling an ase?!! | 14:18 |
cpaelzer | ahasenack: yes | 14:20 |
ahasenack | thx | 14:21 |
microwaved_ | hi all, just a quick question i've been struggling with the temporary failure in resolving security.ubuntu.com | 14:21 |
cpaelzer | author+!origin - means coded for the package | 14:21 |
cpaelzer | author+origin usually means modified from origin | 14:21 |
cpaelzer | and just origin is a clear backport | 14:21 |
cpaelzer | ahasenack: ^^ | 14:21 |
cpaelzer | that ok for you ? | 14:21 |
microwaved_ | i can't even ping google.com, i can ping ip addresses. i've tried multiple solutions but it doesn't work as i'm not able to call on apt-get update | 14:21 |
ahasenack | cpaelzer: yep | 14:22 |
compdoc | dns has to be working to use apt | 14:23 |
microwaved_ | i know but i edited resolv.conf to add nameserver 8.8.8.8 and 8.8.4.4 | 14:23 |
microwaved_ | doesnt work | 14:24 |
microwaved_ | its an ffin new install, and its annoying me how can an iso from ubunto.com be this broken | 14:24 |
nacc | microwaved_: query them directly (use dig) | 14:26 |
nacc | microwaved_: if that works, then try to fix your system DNS configuration. If that doesn't work, it's something else. ping isn't a useful test. | 14:26 |
microwaved_ | well ping 8.8.8.8 is successful | 14:26 |
microwaved_ | but its about dns so ping isn't useful on that level | 14:27 |
microwaved_ | i just wanted to confirm that i have inet connection | 14:27 |
microwaved_ | ok hold on i'll do a dig | 14:27 |
microwaved_ | nacc: what checks do i need to have my dns configuration properly conf'd | 14:29 |
microwaved_ | i have the idea since netplan got introduced it messed with the dns thingy | 14:29 |
microwaved_ | but anyway my bright new install returns: Temporary failure resolving 'security.ubuntu.com' | 14:33 |
microwaved_ | and its on 18.04.1 lts alternative install which is basically the old install but both the new iso's do it | 14:33 |
compdoc | netplan works here | 14:35 |
cyphermox | if you edit resolv.conf then yes, you might confuse things | 14:35 |
cyphermox | however, 'dig google.com' should work | 14:36 |
cyphermox | (or nslookup) | 14:36 |
microwaved_ | dig didn't work | 14:37 |
cyphermox | that's to at least check that you can really reach the nameservers and they respond to you | 14:37 |
cyphermox | but ping worked? | 14:37 |
microwaved_ | yes sir | 14:37 |
cyphermox | that smells like firewall | 14:37 |
cyphermox | microwaved_: could you pastebin the entire result from dig? | 14:37 |
microwaved_ | i checked and its completely open | 14:37 |
microwaved_ | ehm sure | 14:37 |
microwaved_ | hold on | 14:37 |
microwaved_ | it only returns one sentence | 14:40 |
microwaved_ | cyphermox: it only returns: connection timed out: no servers could be reached | 14:41 |
cyphermox | right, so it doesn't reach it at all | 14:41 |
microwaved_ | but ping 8.8.8.8 returns , success | 14:41 |
cyphermox | sure | 14:41 |
cyphermox | that doesn't mean the firewall really lets you DNS to it | 14:42 |
cyphermox | I don't know that there really is anything else | 14:42 |
cyphermox | just to be sure, you could try "dig google.com @8.8.8.8" | 14:42 |
microwaved_ | ofcourse sir, hold on | 14:42 |
cyphermox | you should see something like this: https://paste.ubuntu.com/p/jrDzQrc7Bc/ | 14:43 |
cyphermox | if it still times out, the best I can say is it's a firewall issue, since you can ping the routing would be ok | 14:43 |
microwaved_ | exactly but ill have a look again, thnx for your effort to check | 14:44 |
cyphermox | if you're seeing the same output as I just pasted, then it's your configuration on the machine | 14:44 |
cyphermox | on >=18.04 we use systemd-resolved; which handles /etc/resolv.conf; so you shouldn't modify it -- all you'll see in the file is "nameserver 127.0.0.53" | 14:45 |
cyphermox | then to debug this stuff you can run 'systemd-resolve --status' to see all the configs for each interface | 14:45 |
cyphermox | (you'd see 8.8.8.8 under there for example, or the DNS server from your ISP) | 14:46 |
microwaved_ | yeah i see that | 14:46 |
microwaved_ | i think i'm gonna reinstall again, i just typed in the a command and i got a kernel panic | 14:50 |
rbasak | ahasenack: lmdb imported and added to future whitelist | 14:50 |
ahasenack | rbasak: thanks! | 14:51 |
microwaved_ | cyphermox: i just checked main firewall and firewall isn't an issue, i'm gonna reinstall image again and try then, thanks for your effort, check above | 14:52 |
ahasenack | rbasak: just confirmed, in bionic, with squid3, I can redefine the "squid" log format | 14:52 |
ahasenack | logformat squid %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt | 14:53 |
ahasenack | access_log daemon:/var/log/squid/access.log squid | 14:53 |
ahasenack | leads to | 14:53 |
ahasenack | 27/Nov/2018:14:52:32 +0000 15 10.0.100.20 TCP_MISS/304 263 GET http://br.archive.ubuntu.com/ubuntu/dists/bionic-security/InRelease - HIER_DIRECT/200.236.31.4 - | 14:53 |
ahasenack | rbasak: I just filed https://bugs.squid-cache.org/show_bug.cgi?id=4905 | 15:02 |
cyphermox | microwaved_: tbh I have no idea what else it could be.. | 15:02 |
lordcirth | TJ-, good morning XD. So, fresh reboot, vlan10: "Network File: /run/systemd/network/10-netplan-enp0s8.network". Ran "brctl addif br10 vlan10": still the same | 15:06 |
microwaved_ | cyphermox: i just ran a reinstall again, and now it works, i don't even know whats different i even deleted the disk | 15:06 |
rbasak | ahasenack: +1 | 15:13 |
grendal_prime | anyone familiar with inotify? | 15:42 |
grendal_prime | I have a sed script i need to run on my /var/www/html folder every time a file changes. | 15:42 |
grendal_prime | I just want to run this script on the files that change, not the entire dir. | 15:43 |
grendal_prime | So far inotify seems to be the tool (from what i have read) and i have used it in the past (very distant) but i cant remember how i scripted it. | 15:44 |
vlt | grendal_prime: inotifywait is what I use. | 15:59 |
grendal_prime | ya that sounds familiar. | 15:59 |
grendal_prime | Im looking at incrontab right now | 16:01 |
grendal_prime | it seems like i had to do something to kick that off though. | 16:05 |
grendal_prime | like i had to make a startup script. I want to avoid that sort of thing. My biggest issue is figuring out how to call the name of the file that has changed so i can feed that into the sed command. | 16:06 |
grendal_prime | getting close, im just getting weird...return on the file. | 16:24 |
grendal_prime | name that is | 16:24 |
teward | +1 to the subiquity installer for letting me change the names of the LVM and resize it from the editing panel heh. Just discovered this in 18.04.1 / 18.10 heh | 16:33 |
grendal_prime | grrr...its not executing the sed command correctly | 16:44 |
grendal_prime | im wondering if i need to encapsulate it in quotes or something | 16:44 |
grendal_prime | very frustrating | 16:55 |
grendal_prime | syslog says incron is executing the command but it is not performing the changes, if i run the exact same sed command manually it works | 16:56 |
teward | has anything changed in update-grub that'd prevent `elevator=noop` from being applied in /etc/default/grub to the Grub system when I do `sudo update-grub`? Because it's not working when I update `/etc/default/grub` and then do `sudo update-grub` | 16:57 |
teward | 18.04.1 | 16:57 |
Greyztar_ | so i did a test and edited netfilter-persistent service to be Type=idle instead of oneshot and now iptables has all rules and set for fail2ban even, so i think this was a matter of execution order and that netfilter-persistent was started before fail2ban had created ipset table so netfilter-persistent wouldnt find it and thus error and restoring default rule set | 17:01 |
=== TheHonorableKitt is now known as TKitten | ||
computa_mike | If I create a user SSH key, and add my key to the authorized_keys file then I understand that if I connect using that key I'm that user.... So I can connect using (for example ssh octopustestadmin@xxx.xxx.xxx.xxx) and a whois reveals that I am octopustestadmin - which works out because that's the name of the user on the server. I've also got a Jenkins process that connects - and if i get the script to issue a | 17:14 |
computa_mike | whoami it reports that it is the user jenkins. Which doesn't work because I'm using the same octopustestadmin@xxx.xxx.xxx.xxx. Not sure I understand what's going on here. | 17:14 |
computa_mike | hold up - irl colleague might have an idea ... possibly picnic issue | 17:16 |
sdeziel | teward: could you elaborate on the "not working"? As in not showing in /boot/grub/grub.cfg, or in /proc/cmdline or being ignored by the kernel altogether? | 17:31 |
teward | sdeziel: as in if I edit it in the grub defaults line of GRUB_CMDLINE_LINUX_DEFAULT so that it says GRUB_CMDLINE_LINUX_DEFAULT="maybe-ubiquity elevator=noop" in 18.04.1 server, it does maybe-ubiquity but ignores elevator=noop to set the I/O scheduler | 17:40 |
teward | doesn't show that up at all in grub.cfg after an update-grub | 17:41 |
teward | it *does* if I set it in GRUB_CMDLINE_LINUX but ignore it if it's put after maybe-ubiquity in the GRUB_CMDLINE_LINUX_DEFAULT line | 17:41 |
teward | or if i manually apply it in grub.cfg | 17:41 |
teward | sounds like "odd behavior" since I shouldn't have to update anything but GRUB_CMDLINE_LINUX_DEFAULT no? | 17:42 |
TJ- | teward: have you done "grep elavator /boot/grub/grub.cfg" to see where it is being applied, if at all? | 17:44 |
teward | yes I have, and it's not being applied at all | 17:44 |
sdeziel | teward: yeah, I normally only edit the _DEFAULT version | 17:44 |
teward | sdeziel: then this sounds like regressive behavior | 17:45 |
teward | because I only edit DEFAULT typically too | 17:45 |
teward | sdeziel: I have *zero* idea where this behavior change got introduced though | 17:45 |
sdeziel | teward: maybe you have something in /etc/default/grub.d/* that overwrites the GRUB_CMDLINE_LINUX_DEFAULT var? | 17:45 |
teward | sdeziel: on a base 18.04 installation I just did? | 17:45 |
teward | fresh? | 17:45 |
teward | i'd doubt it but i'll check | 17:46 |
teward | ahhh there it is | 17:47 |
teward | sdeziel: it's because curtin is a PITA | 17:47 |
sdeziel | teward: I remember of a bug for this | 17:47 |
teward | sdeziel: well it's present in 18.04.1 | 17:47 |
powersj | ah yes something we are trying to get fixed | 17:47 |
grendal_prime | grrrr | 17:47 |
teward | sdeziel: I assume if I make 99localized.cfg in /etc/default/grub.d then that'd be executed last and processed properly? | 17:47 |
teward | (so a localized override settings) | 17:48 |
sdeziel | https://bugs.launchpad.net/curtin/+bug/1527664 | 17:48 |
ubottu | Launchpad bug 1527664 in curtin "/etc/default/grub.d/50-curtin-settings.cfg overwrites GRUB_CMDLINE_LINUX_DEFAULT" [Low,Triaged] | 17:48 |
sdeziel | teward: I haven't looked at the update-grub script in a while but I'd expect it uses run-parts, so probably yes :) | 17:49 |
sdeziel | err, probably not run-parts for that part but more like alpha sorted dir listing+include... | 17:49 |
teward | there THAT worked >.> | 17:51 |
teward | sdeziel: powersj: TBH I think upstream should be prodded if possible to expedite the fix? | 17:51 |
teward | because this is a PITA when you try and change the IO scheduler for VMware VM performance increases >.> | 17:51 |
sdeziel | TBH, I really dislike how /etc/default/grub.d is handled. Every time the grub package is updated, it wants to fold everything right back into /etc/default/grub, which is precisely not what I want since I used the .d dir... | 17:55 |
teward | heh | 18:03 |
lordcirth | I want to disable netplan *but* use systemd-networkd, not ifupdown or /etc/network/interfaces. What's the correct way to toggle this? | 18:11 |
cyphermox | lordcirth: just remove any file in /etc/netplan | 18:11 |
lordcirth | cyphermox, great, thanks | 18:11 |
teward | cyphermox: am i correct that netplan config files are read in order, such that 50-cloud-init.yaml would be overwritten by 55-blah.yaml if they touched on the same interfaces? | 18:13 |
cyphermox | yes, sounds about right | 18:13 |
teward | 'tis what i assumed but was never certain, thanks for confirming cyphermox | 18:17 |
teward | powersj: wow, I really had 3 nginx uploads to the development release since the last dev summary went out? o.O | 18:37 |
teward | shows you how frequently I pay attention to the number of dputs I issue :| | 18:37 |
powersj | heh :) | 18:38 |
teward | oh that reminds me 1.15.7 was pushed by me today, just released today as well | 18:39 |
teward | mostly bugfixes ;) | 18:39 |
teward | powersj: i haven't kept super on top of the triage, but let me know if we start seeing TLS1.3 bugs against nginx | 18:39 |
teward | that's the biggest concern on my radar as of currently | 18:39 |
teward | sec team (sarnold) is probably also keeping an eye out | 18:39 |
teward | (it's not LTS though, but it's still something to keep in mind since we now enable TLS1.3 since Cosmic post-release by default for nginx) | 18:40 |
DammitJim | do you guys know why there isn't a tomcat 8.5 or 9 in the Ubuntu repositories? | 22:16 |
DammitJim | for Ubuntu 18.04 | 22:17 |
DammitJim | I only see tomcat8 but that's end of life | 22:17 |
sdeziel | DammitJim: upstream EOL doesn't mean it's EOL in Ubuntu | 22:18 |
DammitJim | what does it mean? | 22:18 |
sdeziel | DammitJim: for packages in main, Ubuntu/Canonical will backport security fixes for as long as the distro is supported | 22:18 |
DammitJim | oh, but it has to be from main? | 22:18 |
DammitJim | how do I know if I'm using packages from main? | 22:19 |
sdeziel | DammitJim: https://packages.ubuntu.com/bionic-updates/tomcat8 says it's in universe (not main) | 22:19 |
sdeziel | DammitJim: meaning it's supported by the community | 22:19 |
DammitJim | oh ok, so either way, I'm not supported by Canonical, right? | 22:20 |
sdeziel | DammitJim: not officially, no | 22:21 |
DammitJim | ok, thanks | 22:21 |
sdeziel | DammitJim: but it looks like someone wants to have tomcat8 supported as they ensured to have some updates land in bionic-security in the past | 22:22 |
DammitJim | ok, thanks for the info | 22:23 |
DammitJim | I'll have to have an internal discussion, then | 22:23 |
sdeziel | np | 22:25 |