[07:21] <lordievader> Good morning
[09:47] <oskie> I'm setting up KVM in bionic, and I am not sure why I'd need bridge-utils. It depends on ifupdown which kind of conflicts with netplan
[11:13] <lordievader> If you want libvirt to set up bridged networking, bridge-utils is needed.
[11:13] <lordievader> In the traditional sense, you want bridged networking.
[11:18] <xnox> oskie, you don't need bridge-utils, iproute2 can do everything.
[11:18] <xnox> lordievader, that's obsolete....
[11:18] <Greyztar_> how do i get ipset from fail2ban and iptables-persistent/netfilter-persistent to get along? been battling this for a long time and think I've found the culprit. it seems iptables/netfilter-persistent tries to load the rules but fail2ban or ipset haven't created it yet and it ends up with what seems like a default set
[11:19] <Greyztar_> on reboot*
[11:19] <lordievader> Really? Guess I'm old fashioned. I should look into that.
[11:19] <lordievader> Thanks xnox 😁
[11:20] <xnox> lordievader, please familiarize yourself with the new world order of https://baturin.org/docs/iproute2/ ;-)
[11:20] <xnox> https://baturin.org/docs/iproute2/#Create%20a%20bridge%20interface and so on
[11:20] <xnox> specifically
[11:21] <xnox> iproute2 is really a one-stop-shop these days, for everything.
[11:22] <lordievader> I know. I have been using it for a lot. Just wasn't aware it also did bridge stuff.
[11:30] <blackflow> Greyztar_: fail2ban is not persistent across reboot by default. You'll need to write a custom action handler that adds to the ipset AND to a file that will be used by ipset on boot.
[11:30] <blackflow> and then use the ipset in your iptables rules (loaded by netfilter-persistent)
[11:32] <Greyztar_> blackflow: thank you very much! I temporarily unscuffed it by not using ipset as the action for the jail, then it works fine though. i saw the same behaviour on another server with ipset sets not loading, then netfilter-persistent would not load rules at all. I'm so happy I finally figured this out, really annoying when all rules get purged
[11:33] <blackflow> Greyztar_: netfilter-persistent does nothing but exec /etc/iptables/rules.{v4,v6} on boot. so you need to write out rules that use the ipset (-m set --match-set ...)
[11:35] <Greyztar_> blackflow: thank you,time to get stuff workin again!
[12:33] <victorh> Greyztar_: wouldn't the rule become permanent then or will it still delete the rule after the jail-time has passed
[12:51] <Greyztar_> victorh: sorry i was out having lunch. this i didn't think of, thanks for pointing that out. for now I'm just happy that it doesn't flush iptables though, but i will look into this
[13:06] <victorh> Greyztar_: Will be though I think, since fail2ban doesn't load old bans (far as i know)
[13:10] <Greyztar_> victorh: yes, seems like i would have to come up with a new solution for this. really didn't think that fail2ban was the reason iptables got scuffed. have had this problem a really long time and the only solution i came up with was to manually load the rules upon reboot. this did work somewhat ok as i almost never reboot with live patches, but these are computers, should be auto everything (,")
[13:10] <oskie> what kind of device is "vlan5@bond0"? is it a bridge?
[13:11] <victorh> Greyztar_: did you check out these guys? http://denyhosts.sourceforge.net/
[13:14] <Greyztar_> victorh: hmm might look at that also, though i have some custom filters for fail2ban for some specific apps with api logins i kind of need, but I'll check it out, thanks
[13:27] <ahasenack> rbasak: hi, could you please import lmdb and add it to the whitelist?
[13:27] <ahasenack> it's a new dep debian added to ldb, we might have to mir it even
[14:14] <ahasenack> cpaelzer: dep3 question, author is optional, origin is only optional if author is present, so we need either one or the other, right?
[14:14] <ahasenack> Applied-Upstream doesn't replace either
[14:16] <muhaha> Ola Guys. Can anyone help me with Kickstart+CloudInit ? I want to provision Ubuntu like -kernel http://archive.ubuntu.com/ubuntu/dists/bionic/main/installer-amd64/current/images/hd-media/vmlinuz -initrd http://archive.ubuntu.com/ubuntu/dists/bionic/main/installer-amd64/current/images/hd-media/initrd.gz, but I am lost how to use cloud-init in this case
[14:18] <compdoc> who you calling an ase?!!
[14:20] <cpaelzer> ahasenack: yes
[14:21] <ahasenack> thx
[14:21] <microwaved_> hi all, just a quick question i've been struggling with the temporary failure in resolving security.ubuntu.com
[14:21] <cpaelzer> author+!origin - means coded for the package
[14:21] <cpaelzer> author+origin usually means modified from origin
[14:21] <cpaelzer> and just origin is a clear backport
[14:21] <cpaelzer> ahasenack: ^^
[14:21] <cpaelzer> that ok for you ?
[14:21] <microwaved_> i can't even ping google.com, i can ping ip addresses. i've tried multiple solutions but it doesn't work as i'm not able to call on apt-get update
[14:22] <ahasenack> cpaelzer: yep
[14:23] <compdoc> dns has to be working to use apt
[14:23] <microwaved_> i know but i edited resolv.conf to add nameserver 8.8.8.8 and 8.8.4.4
[14:24] <microwaved_> doesnt work
[14:24] <microwaved_> it's an ffin new install, and it's annoying me. how can an iso from ubunto.com be this broken
[14:26] <nacc> microwaved_: query them directly (use dig)
[14:26] <nacc> microwaved_: if that works, then try to fix your system DNS configuration. If that doesn't work, it's something else. ping isn't a useful test.
[14:26] <microwaved_> well ping 8.8.8.8 is successful
[14:27] <microwaved_> but it's about dns so ping isn't useful on that level
[14:27] <microwaved_> i just wanted to confirm that i have inet connection
[14:27] <microwaved_> ok hold on i'll do a dig
[14:29] <microwaved_> nacc: what checks do i need to have my dns configuration properly conf'd
[14:29] <microwaved_> i have the idea since netplan got introduced it messed with the dns thingy
[14:33] <microwaved_> but anyway my bright new install returns: Temporary failure resolving 'security.ubuntu.com'
[14:33] <microwaved_> and its on 18.04.1 lts alternative install which is basically the old install but both the new iso's do it
[14:35] <compdoc> netplan works here
[14:35] <cyphermox> if you edit resolv.conf then yes, you might confuse things
[14:36] <cyphermox> however, 'dig google.com' should work
[14:36] <cyphermox> (or nslookup)
[14:37] <microwaved_> dig didn't work
[14:37] <cyphermox> that's to at least check that you can really reach the nameservers and they respond to you
[14:37] <cyphermox> but ping worked?
[14:37] <microwaved_> yes sir
[14:37] <cyphermox> that smells like firewall
[14:37] <cyphermox> microwaved_: could you pastebin the entire result from dig?
[14:37] <microwaved_> i checked and its completely open
[14:37] <microwaved_> ehm sure
[14:37] <microwaved_> hold on
[14:40] <microwaved_> it only returns one sentence
[14:41] <microwaved_> cyphermox: it only returns: connection timed out: no servers could be reached
[14:41] <cyphermox> right, so it doesn't reach it at all
[14:41] <microwaved_> but ping 8.8.8.8 returns , success
[14:41] <cyphermox> sure
[14:42] <cyphermox> that doesn't mean the firewall really lets you DNS to it
[14:42] <cyphermox> I don't know that there really is anything else
[14:42] <cyphermox> just to be sure, you could try "dig google.com @8.8.8.8"
[14:42] <microwaved_> ofcourse sir, hold on
[14:43] <cyphermox> you should see something like this: https://paste.ubuntu.com/p/jrDzQrc7Bc/
[14:43] <cyphermox> if it still times out, the best I can say is it's a firewall issue, since you can ping the routing would be ok
[14:44] <microwaved_> exactly but ill have a look again, thnx for your effort to check
[14:44] <cyphermox> if you're seeing the same output as I just pasted, then it's your configuration on the machine
[14:45] <cyphermox> on >=18.04 we use systemd-resolved; which handles /etc/resolv.conf; so you shouldn't modify it -- all you'll see in the file is "nameserver 127.0.0.53"
[14:45] <cyphermox> then to debug this stuff you can run 'systemd-resolve --status' to see all the configs for each interface
[14:46] <cyphermox> (you'd see 8.8.8.8 under there for example, or the DNS server from your ISP)
[14:46] <microwaved_> yeah i see that
[14:50] <microwaved_> i think i'm gonna reinstall again, i just typed in a command and i got a kernel panic
[14:50] <rbasak> ahasenack: lmdb imported and added to future whitelist
[14:51] <ahasenack> rbasak: thanks!
[14:52] <microwaved_> cyphermox: i just checked main firewall and firewall isn't an issue, i'm gonna reinstall image again and try then, thanks for your effort, check above
[14:52] <ahasenack> rbasak: just confirmed, in bionic, with squid3, I can redefine the "squid" log format
[14:53] <ahasenack> logformat  squid      %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
[14:53] <ahasenack> access_log daemon:/var/log/squid/access.log squid
[14:53] <ahasenack> leads to
[14:53] <ahasenack> 27/Nov/2018:14:52:32 +0000     15 10.0.100.20 TCP_MISS/304 263 GET http://br.archive.ubuntu.com/ubuntu/dists/bionic-security/InRelease - HIER_DIRECT/200.236.31.4 -
[15:02] <ahasenack> rbasak: I just filed https://bugs.squid-cache.org/show_bug.cgi?id=4905
[15:02] <cyphermox> microwaved_: tbh I have no idea what else it could be..
[15:06] <lordcirth> TJ-, good morning XD.  So, fresh reboot, vlan10: "Network File: /run/systemd/network/10-netplan-enp0s8.network".  Ran "brctl addif br10 vlan10": still the same
[15:06] <microwaved_> cyphermox: i just ran a reinstall again, and now it works, i don't even know whats different i even deleted the disk
[15:13] <rbasak> ahasenack: +1
[15:42] <grendal_prime> anyone familiar with inotify?
[15:42] <grendal_prime> I have a sed script i need to run on my /var/www/html folder every time a file changes.
[15:43] <grendal_prime> I just want to run this script on the files that change, not the entire dir.
[15:44] <grendal_prime> So far inotify seems to be the tool (from what i have read) and i have used it in the past (very distant) but i cant remember how i scripted it.
[15:59] <vlt> grendal_prime: inotifywait is what I use.
[15:59] <grendal_prime> ya that sounds familiar.
[16:01] <grendal_prime> I'm looking at incrontab right now
[16:05] <grendal_prime> it seems like i had to do something to kick that off though.
[16:06] <grendal_prime> like i had to make a startup script.  I want to avoid that sort of thing.  My biggest issue is figuring out how to call the name of the file that has changed so i can feed that into the sed command.
[16:24] <grendal_prime> getting close, im just getting weird...return on the file.
[16:24] <grendal_prime> name that is
[16:33] <teward> +1 to the subiquity installer for letting me change the names of the LVM and resize it from the editing panel heh.  Just discovered this in 18.04.1 / 18.10 heh
[16:44] <grendal_prime> grrr...its not executing the sed command correctly
[16:44] <grendal_prime> im wondering if i need to encapsulate it in quotes or something
[16:55] <grendal_prime> very frustrating
[16:56] <grendal_prime> syslog says incron is executing the command but it is not performing the changes. if i run the exact same sed command manually it works
[16:57] <teward> has anything changed in update-grub that'd prevent `elevator=noop` from being applied in /etc/default/grub to the Grub system when I do `sudo update-grub`?  Because it's not working when I update `/etc/default/grub` and then do `sudo update-grub`
[16:57] <teward> 18.04.1
[17:01] <Greyztar_> so i did a test and edited the netfilter-persistent service to be Type=idle instead of oneshot, and now iptables has all rules and the set for fail2ban even. so i think this was a matter of execution order: netfilter-persistent was started before fail2ban had created the ipset table, so netfilter-persistent wouldn't find it and thus errored and restored the default rule set
[17:14] <computa_mike> If I create a user SSH key, and add my key to the authorized_keys file then I understand that if I connect using that key I'm that user....  So I can connect using (for example ssh octopustestadmin@xxx.xxx.xxx.xxx) and a whois reveals that I am octopustestadmin - which works out because that's the name of the user on the server.  I've also got a Jenkins process that connects - and if i get the script to issue a
[17:14] <computa_mike> whoami it reports that it is the user jenkins.  Which doesn't work because I'm using the same octopustestadmin@xxx.xxx.xxx.xxx.   Not sure I understand what's going on here.
[17:16] <computa_mike> hold up - irl colleague might have an idea ... possibly picnic issue
[17:31] <sdeziel> teward: could you elaborate on the "not working"? As in not showing in /boot/grub/grub.cfg, or in /proc/cmdline or being ignored by the kernel altogether?
[17:40] <teward> sdeziel: as in if I edit it in the grub defaults line of GRUB_CMDLINE_LINUX_DEFAULT so that it says GRUB_CMDLINE_LINUX_DEFAULT="maybe-ubiquity elevator=noop" in 18.04.1 server, it does maybe-ubiquity but ignores elevator=noop to set the I/O scheduler
[17:41] <teward> doesn't show that up at all in grub.cfg after an update-grub'
[17:41] <teward> it *does* if I set it in GRUB_CMDLINE_LINUX but ignore it if it's put after maybe-ubiquity in the GRUB_CMDLINE_LINUX_DEFAULT line
[17:41] <teward> or if i manually apply it in grub.cfg
[17:42] <teward> sounds like "odd behavior" since I shouldn't have to update anything but GRUB_CMDLINE_LINUX_DEFAULT no?
[17:44] <TJ-> teward: have you done "grep elevator /boot/grub/grub.cfg" to see where it is being applied, if at all?
[17:44] <teward> yes I have, and it's not being applied at all
[17:44] <sdeziel> teward: yeah, I normally only edit the _DEFAULT version
[17:45] <teward> sdeziel: then this sounds like regressive behavior
[17:45] <teward> because I only edit DEFAULT typically too
[17:45] <teward> sdeziel: I have *zero* idea where this behavior change got introduced though
[17:45] <sdeziel> teward: maybe you have something in /etc/default/grub.d/* that overwrites the GRUB_CMDLINE_LINUX_DEFAULT var?
[17:45] <teward> sdeziel: on a base 18.04 installation I just did?
[17:45] <teward> fresh?
[17:46] <teward> i'd doubt it but i'll check
[17:47] <teward> ahhh there it is
[17:47] <teward> sdeziel: it's because curtin is a PITA
[17:47] <sdeziel> teward: I remember of a bug for this
[17:47] <teward> sdeziel: well it's present in 18.04.1
[17:47] <powersj> ah yes something we are trying to get fixed
[17:47] <grendal_prime> grrrr
[17:47] <teward> sdeziel: I assume if I make 99localized.cfg in /etc/default/grub.d then that'd be executed last and processed properly?
[17:48] <teward> (so a localized override settings)
[17:48] <sdeziel> https://bugs.launchpad.net/curtin/+bug/1527664
[17:49] <sdeziel> teward: I haven't looked at the update-grub script in a while but I'd expect it uses run-parts, so probably yes :)
[17:49] <sdeziel> err, probably not run-parts for that part but more like alpha sorted dir listing+include...
[17:51] <teward> there THAT worked >.>
[17:51] <teward> sdeziel: powersj: TBH I think upstream should be prodded if possible to expedite the fix?
[17:51] <teward> because this is a PITA when you try and change the IO scheduler for VMware VM performance increases >.>
[17:55] <sdeziel> TBH, I really dislike how /etc/default/grub.d is handled. Every time the grub package is updated, it wants to fold everything right back into /etc/default/grub, which is precisely not what I want since I used the .d dir...
[18:03] <teward> heh
[18:11] <lordcirth> I want to disable netplan *but* use systemd-networkd, not ifupdown or /etc/network/interfaces.  What's the correct way to toggle this?
[18:11] <cyphermox> lordcirth: just remove any file in /etc/netplan
[18:11] <lordcirth> cyphermox, great, thanks
[18:13] <teward> cyphermox: am i correct that netplan config files are read in order, such that 50-cloud-init.yaml would be overwritten by 55-blah.yaml if they touched on the same interfaces?
[18:13] <cyphermox> yes, sounds about right
[18:17] <teward> 'tis what i assumed but was never certain, thanks for confirming cyphermox
[18:37] <teward> powersj: wow, I really had 3 nginx uploads to the development release since the last dev summary went out?  o.O
[18:37] <teward> shows you how frequently I pay attention to the number of dputs I issue :|
[18:38] <powersj> heh :)
[18:39] <teward> oh that reminds me 1.15.7 was pushed by me today, just released today as well
[18:39] <teward> mostly bugfixes ;)
[18:39] <teward> powersj: i haven't kept super on top of the triage, but let me know if we start seeing TLS1.3 bugs against nginx
[18:39] <teward> that's the biggest concern on my radar as of currently
[18:39] <teward> sec team (sarnold) is probably also keeping an eye out
[18:40] <teward> (it's not LTS though, but it's still something to keep in mind since we now enable TLS1.3 since Cosmic post-release by default for nginx)
[22:16] <DammitJim> do you guys know why there isn't a tomcat 8.5 or 9 in the Ubuntu repositories?
[22:17] <DammitJim> for Ubuntu 18.04
[22:17] <DammitJim> I only see tomcat8 but that's end of life
[22:18] <sdeziel> DammitJim: upstream EOL doesn't mean it's EOL in Ubuntu
[22:18] <DammitJim> what does it mean?
[22:18] <sdeziel> DammitJim: for packages in main, Ubuntu/Canonical will backport security fixes for as long as the distro is supported
[22:18] <DammitJim> oh, but it has to be from main?
[22:19] <DammitJim> how do I know if I'm using packages from main?
[22:19] <sdeziel> DammitJim: https://packages.ubuntu.com/bionic-updates/tomcat8 says it's in universe (not main)
[22:19] <sdeziel> DammitJim: meaning it's supported by the community
[22:20] <DammitJim> oh ok, so either way, I'm not supported by Canonical, right?
[22:21] <sdeziel> DammitJim: not officially, no
[22:21] <DammitJim> ok, thanks
[22:22] <sdeziel> DammitJim: but it looks like someone wants to have tomcat8 supported as they ensured to have some updates land in bionic-security in the past
[22:23] <DammitJim> ok, thanks for the info
[22:23] <DammitJim> I'll have to have an internal discussion, then
[22:25] <sdeziel> np