[07:18] Good morning [09:30] leftyfb: have you looked into Ubuntu IoT stuff? Read only images, atomic updates, etc. [11:17] cpaelzer: rbasak: hi, when any of you have a moment, I have this MP to unblock ldb in disco: https://code.launchpad.net/~ahasenack/ubuntu/+source/ldb/+git/ldb/+merge/359774 [11:20] Looking [11:21] done [11:37] that was fast rbasak, I didn't even see it until now :-) [11:41] Anything to distract me from this qemu+libvirt SRU review :-P [11:43] * cpaelzer sniff [12:10] rbasak: hah, I did forget update-maintainers [12:10] ran it and pushed [12:10] ahasenack: go ahead and upload, no need for me to look again [12:10] thx [12:20] thanks rbasak [12:21] yw [12:21] Thank you for your diligence in preparing the update. Makes review easier. [12:22] Lining up the patch names across the releases was a great help. [12:22] yeah [12:22] unfortunately the backports were different for the two target versions [12:22] Yeah libvirt patch 5 threw me a little [12:22] but as you said - I have hoped that keeping patch metadata and names intact would help [12:22] ahasenack: What does it mean when a bileto ticket is abandoned? [12:22] rbasak: was that the fused one? [12:23] rbasak: TBH IBM was the one fusing it into one, I personally would have preferred three stripped down patches. But then I was glad for their help - so no complaining [12:23] I think so [12:23] lp1787405-0005-qemu-Extract-MDEV-VFIO-PCI-validation-code-into-a-se.patch vs. lp1787405-0005-qemu-domain-device-definition-hostdev-validation.patch [12:24] I see [12:26] What I've been doing recently for similar SRUs is to first identify how the uploads are different between devel and the SRU target releases, and confirm I'm happy with those differences. Once done I reduce what I have left to review to one release only. [12:26] (plus changelog and other metadata, but at least there's less meat that way) [12:29] kstenerud: I dropped it, since I was satisfied with the results and uploaded the package already [12:29] kstenerud: it will disappear in due time [13:56] Anyone using Proxmox and using PXE to boot/install unattended install ? [14:10] hello folks [14:25] rbasak: cpaelzer: hi again, ldb is basically done, but now I need a samba upload, which is a rebuild because of ldb bump, and a merge from debian: https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/359776 [14:25] kstenerud: check "trying: ldb" in http://people.canonical.com/~ubuntu-archive/proposed-migration/update_output.txt [14:26] kstenerud: this one is an indication that samba needs a rebuild, because of samba-dsdb-modules [14:26] ahasenack: So that means taht samba-dsdb-modules depends on ldb? [14:27] yes, a very strict dep [14:28] from d/rules (samba's): [14:28] # samba ships ldb modules, which are specific to the ldb version, so we need a [14:28] # strict dependency on the upstream ldb version [14:28] # this also mean samba needs a rebuild when the upstream ldb version changes [14:28] LDB_DEPENDS = "libldb1 (<< $(LDB_EPOCH):$(LDB_NEXT_VERSION)~), libldb1 (>> $(LDB_EPOCH):$(LDB_VERSION)~)" [14:29] * ahasenack -> lunch [15:55] rbasak: when you say "Since we can't easily unpin with a cached copy of pylint", you are talking about https://people.canonical.com/~rbasak/git-ubuntu/pylint-1.7.2.tar.gz or something else that snapcraft caches? [16:18] ahasenack: yeah, the p.c.c one. [16:34] rbasak: ok [16:47] hello Everyone and good afternoon, I would like to know if changing an Ubuntu Server 14.04 Time to just one hour up could cause any trouble with databases or the glassfish server that is running in there. [16:48] Why do you need to change the time? Is it currently wrong? [16:49] Pcost8300: if you change the server's idea of UTC, then that will break things. Changing the server's timezone is generally fine though. [16:54] rbasak: Thank you for the information, when i type date command it says time with CST 2018 at the end [16:55] rbasak: sorry for asking but what does it mean [16:57] Central Standard Time no? [16:57] He's gone [16:57] :/ [18:39] rbasak: around still? https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1805178 is asking to have apparmor allow access to /etc/letsencrypt for the certificates, is the "canonical" place for the certs? What is its structure? [18:39] Launchpad bug 1805178 in openldap (Ubuntu) "Apparmor should include letsencrypt directory for Slapd" [Undecided,New] [18:44] ahasenack: IIRC, /etc/letsencrypt/live/$domain/ and then pem and keys in there [18:45] ahasenack: private keys are very sensitive. I'm not sure it makes sense to default to giving all services access to them. [18:45] rbasak: can you imagine us shipping some sort of default allow-to-read apparmor role? [18:45] yeah [18:45] I'm inclined to suggest that users override that locally when needed [18:45] For example, if I were running an HTTPS server, it may be the completely wrong thing for a compromise of slapd to compromise the key [18:45] Maybe jjohansen and/or jdstrand have an opinion on that: ^ [18:45] I was hoping that /etc/letsencrypt structure would include the service name, or user name [18:46] AIUI letsencrypt makes no distinction on service name. [18:46] Everything is HTTPS, but you apparently can re-use certs for other services [18:46] I mean, the directory structure could be something like /etc/letsencrypt/slapd/*.pem [18:46] (and you don't need HTTP/HTTPS to get a cert, since you can use DNS to prove domain ownership) [18:46] ahasenack: I the same cert for various services (postfix + dovecot typically) [18:46] yeah, the re-use makes this more complicated, if it's common [18:47] s/I the/I use the/ [18:47] apparmor ships with two abstractions related to certificates [18:47] /etc/apparmor.d/abstractions/ssl_certs and /etc/apparmor.d/abstractions/ssl_keys [18:48] they are not pulled in by default [18:48] maybe we could have an letsencrypt abstraction, and let the user decide what he/she wants (or augment the existing ones for letsencrypt) [18:48] * ahasenack just noticed that he is not in #ubuntu-hardened [18:49] with the proliferation of Let's Encrypt clients, it will be hard to catch up with abstractions [18:50] * sdeziel uses local/ includes [18:50] sdeziel: ahasenack: it sounds like this should be posed to the Security team for additional consideration/review as well? [18:51] because such additional abstractions to /etc/letsencrypt or {Insert Paths Here} can be security concerns in and of themselves [18:51] (read: privkey security, etc.) [18:51] sure [18:56] rbasak: hrmmm I need to spend some time looking at this to have an informed opinion. I don't like having a default that might be wrong on servers [18:57] I agree with teward that this should go to the security team for additional consideration [18:58] rbasak: ahasenack: in *theory* I agree with the idea for the apparmor access via an abstraction [18:58] but from the **security** side of theory I have some very harsh critiques for the practice [18:58] in sysadmin and ease of use theory* [18:59] there is one such abstraction already, fwiw [18:59] because as rbasak says, private key sensitivity [18:59] ahasenack: the second part of the argument is catching up with all the clients [18:59] I fully expect a wide range of paranoid levels around this issue [18:59] I marked the bug public security for now [18:59] for now I suggested in the bug that he use the apparmor.d/local mechanism to add his local changes [19:00] and asked what's the structure of his /etc/letsencrypt directory [19:00] +1 for local abstractions per your suggestion ahasenack [19:00] teward: about the "all the clients" argument, we should first think about what the ubuntu client (certbot in this case) does [19:00] +1 [19:00] I subscribed to the bug, will know when there is a reply [19:00] thanks for the quick discussion :) [19:00] ahasenack: AIUI, /etc/letsencrypt/live/*/[crt,key,etc. here] is where it'd need to be reading [19:01] * for the individual domain(s) as masters on the cert [19:01] and then the individual certs and keys under that [19:01] ok [19:01] as well as the CA chain where needed [19:03] the only sensitive part in there is the key so is it root owned and with a special extension (like .key)? [19:03] I think so *double checks his LE test system* [19:03] thanks, I only use dehydrated myself :) [19:04] sdeziel: actually, access to the dir might be tricky [19:04] jjohansen: understood. Thanks! [19:04] sdeziel: live/* root:root 700 [19:04] teward: most daemons start as root so what's your concern? [19:05] sdeziel: true, but in cases where a daemon woudln't it wouldn't have access [19:05] i'm not familiar as much with openldap, it starts as root I assume? [19:05] teward: probably since it bind port 389 and/or 686 [19:06] i just realized I don't have latest certbot on this system :| [19:06] sdeziel: at least with 0.22.2, /etc/letsencrypt/live/*/privkey.pem [19:06] but i'mma have to spin a bionic for newer testing [19:07] ... once I get home (can't access my infra at home for better testing from here at the moment) [19:07] teward: thanks [19:08] sdeziel: but everything in that folder is a *.pem so it's not a special extension to specify the key [19:08] IIRC this is still the way it behaves today in latest but eh [19:09] ... oh THERE'S my VPN keys... I was looking for these earlier to VPN back home >.> [19:10] so far, the safest way I found (please let me know of any flaw) is to have an install/deploy hook to put the cert/key in /etc/$daemon/certs/ and make them root:root 0600. Combined with this Apparmor rule: "/etc/$daemon/certs/* r," [19:11] sdeziel: 30/60d cert regen means you need to redeploy the cert each time, unless I misunderstand what you mean by 'deploy hook' [19:11] root:root may mean you've got to run your daemon at higher-than-needed privs [19:12] duh I forgot sarnold was in here LOL [19:12] *facedesks, then goes to find more caffeine* [19:12] don't take that to mean I'm *paying attention* [19:13] sarnold: for the services I manages, most of them keep a master process (nginx, postfix, dovecot) so a simple reload is enough to pick up the new cert/key. prosody is an outlier here though [19:13] sarnold: no, I just meant I can ping you and annoy the heck out of you on these things in here *evil grin* [19:13] sdeziel: nice [19:13] :P [19:13] ah :) [19:14] to improve on the Apparmor rules, I guess that leveraging the hardcoded names would work "/etc/$daemon/*chain.pem r," and "owner /etc/$daemon/privkey.pem r," [19:15] and I forgot the $domain so they should all be prefixed /etc/$daemon/*/ to support whatever CN you happen to use [19:17] anyway, I like this scheme better than all the keys in /etc/ssl/private [19:20] teward: yes, I re-deploy certs and keys all the time (I don't reuse keys) [20:03] setting after and wants in systemd service file ,will that make the parent service not start until the dependencie is successfully started? [20:20] Greyztar, that's the idea, yes [20:21] lordcirth: ive been doing some reading,just wanted it confirmed as google can be sometimes well...thanks for answering me (,") [20:23] np [22:22] I have a fresh apache2 setup with two domains configured 000-default.conf and test.conf, whe nI try to navigate to test.ca, I'm getting the default location /var/www/html returned and not /var/www/test, these are the config files: https://pastebin.com/L8LYfH6x [22:22] shouldn't that work? [22:22] I just did a purge and install of apache2 so everything else should be generic [22:29] when sourcing a file with some variables or so in bash,that would only last current session no?So when a reboot takes places what have been sourced is gone? [23:55] will changes made by ovs-vsctl to add/remove ports persist through a reboot?