/srv/irclogs.ubuntu.com/2018/12/11/#ubuntu-server.txt

=== kees_ is now known as kees
cpaelzergood morning06:16
lordievaderGood morning10:28
=== tobias-urdin is now known as tobias-urdin|lun
=== tobias-urdin|lun is now known as tobias-urdin_afk
ahasenackgood morning11:05
ahasenackcpaelzer: build-procenv        SKIP Test requires machine-level isolation but testbed does not provide that11:12
ahasenackcpaelzer: looks like we don't have machine-isolation for armhf11:12
ahasenackI'll have to change that one to use a directory other than /tmp for the debootstrap chroot11:12
ahasenack(wrt sbuild dep8 fixes)11:12
cpaelzeryeah not for hf11:15
=== tobias-urdin_afk is now known as tobias-urdin
kstenerudIs it normal nowadays for lxc containers to have an empty /proc/net/route?11:36
ahasenackcpaelzer: so, strongswan11:54
ahasenackcpaelzer: I brought up two disco vms, configured like you said, but didn't see apparmor denied messages11:55
ahasenackcpaelzer: also, did you figure out where @{pid} gets inserted into the path?11:55
ahasenackcpaelzer: and, what is the other way to start up charon? systemd and...? Your instructions say to use "sudo restart ...", but that's from upstart11:56
cpaelzerahasenack: I used systemctl, let me spawn my guests and compare your setup11:59
ahasenackcpaelzer: is the apparmor profile enabled by default?12:01
ahasenackyep12:01
ahasenack /usr/lib/ipsec/charon (enforce)   742 ?        Ssl    0:00  \_ /usr/lib/ipsec/charon12:01
cpaelzeryes it is12:03
ahasenackcpaelzer: that iptables line, I copied it as-is, just adapting --local-node12:04
ahasenackI'm not sure where that mac came from12:04
ahasenackit's not the usual mac for vms, so I figured you made it up12:05
cpaelzerdo you have actual clusterip entries $ sudo find /proc -iname '*cluster*'12:05
cpaelzerahasenack: that mac is a virtual one for the clusterip12:05
cpaelzerahasenack: no need to match anything, can keep it as is12:05
ahasenackok12:05
ahasenackso I ran that, just changing --local-node to 1 or 2 depending on where I run it12:06
ahasenackand I have results for that find command12:06
cpaelzerahasenack: I only set it up on one side12:06
cpaelzerno need to fully config both ends12:06
cpaelzerfor th ebug at least12:06
cpaelzerll /proc/net/ipt_CLUSTERIP if it exists12:06
ahasenackyes, and it contains12:07
ahasenack-rw------- 1 root root 0 Dec 11 12:06 10.10.10.1012:07
ahasenackcharon was started automatically on system boot12:07
ahasenackand I ran the iptables command after12:07
ahasenacklet me restart strongswan12:07
ahasenackmaybe it's a plugin that needs loading?12:08
ahasenackDec 10 19:50:25 disco-vpn2 charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters12:08
ahasenackdoor, 1sec12:08
cpaelzeriptables v1.6.1: can't initialize iptables table `filter': Memory allocation problem12:09
cpaelzerthanks, my guest seems to have other problems - need that to get my clusterip back ...12:09
cpaelzerI'll use a new guest12:12
cpaelzer[106082.284333] audit: type=1400 audit(1544530589.122:65): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/5311/net/ipt_CLUSTERIP/" pid=5311 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=012:16
cpaelzerahasenack: on a new guest again12:16
cpaelzerI realized that the ha.conf is picky on whitespace12:16
cpaelzerand the local/remote IP in there seem to at least need to exist12:17
cpaelzerahasenack: http://paste.ubuntu.com/p/Gwn8jbMqGz/12:17
cpaelzerthat is a ha.conf that worked12:17
cpaelzerto be sure on whitespaces12:18
ahasenackback12:18
ahasenacklet me check12:19
cpaelzerahasenack: I tested disco12:19
cpaelzerahasenack: what are you on so we really have the same?12:19
ahasenackcpaelzer: https://pastebin.ubuntu.com/p/VKzxrc9wmK/12:20
ahasenackI have tabs in one, spaces in another12:20
ahasenackcpaelzer: disco12:20
cpaelzerwell then12:20
cpaelzershould be the same12:21
cpaelzerstill not hitting the apparmor issue?12:21
* cpaelzer is starting from scratch in a fresh KVM guest12:21
ahasenackcpaelzer: then just a restart of strongswan?12:21
ahasenackI have this on both:12:22
ahasenack *** 5.7.1-1ubuntu1 50012:22
ahasenack        500 http://br.archive.ubuntu.com/ubuntu disco/main amd64 Packages12:22
cpaelzerahasenack: do you have package libcharon-extra-plugins installed?12:22
ahasenackcpaelzer: nope12:22
ahasenackjust standard plugins12:22
cpaelzerthat is it then12:22
ahasenackso it is a missing plugin12:22
cpaelzerI updated the description12:22
cpaelzerlet me know if it now triggers for you please12:22
ahasenackinstalling12:22
ahasenackright, and now I actually have a default ha.conf12:23
ahasenackI had to create that file before12:23
ahasenack[ 1356.947338] audit: type=1400 audit(1544531019.361:77): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/2588/net/ipt_CLUSTERIP/" pid=2588 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=012:23
ahasenackok, confirmed12:23
cpaelzerthanks12:24
* cpaelzer slaps himself for imperfect testcase description12:24
cpaelzerthe text said that it would drag that package in by dependencies12:24
cpaelzerbut only default plugins are auto-istalled12:24
ahasenackcpaelzer: the usr.sbin.charon-systemd profile, do we even install that?12:27
ahasenackI can't find it in /etc/apparmor.d12:27
cpaelzernot sbin12:27
ahasenackI also don't have a /usr/sbin/charon12:27
cpaelzerit is /etc/apparmor.d/usr.lib.ipsec.charon12:27
ahasenackright, but you are changing both, it's just to keep them in sync?12:27
cpaelzermatching the profile in your warning12:27
ahasenacknot that we use the other one?12:28
cpaelzerI change both to keep them in sync12:28
cpaelzerthere are two ways to start it in the debian package12:28
ahasenackwhat's the other way?12:28
cpaelzerand it resolves to one or the other12:28
cpaelzerit is installed as profile /etc/apparmor.d/usr.sbin.charon-systemd when you install package charon-systemd12:30
cpaelzernot the main route to do things12:30
cpaelzerbut keeping the profiles in sync usually is correct12:30
ahasenackwhat a peculiar package :)12:30
cpaelzerI only try to make it less broken12:31
ahasenackdid you find out where the pid is inserted into that path? or didn't bother12:31
cpaelzernot that it would not have systemd support without it12:31
cpaelzerI didn#t see it in the code, but also never tried hard to track it down12:31
cpaelzerif I'd need it I'd gdb open calls with a filter12:32
cpaelzerbut I didn't see the need to12:32
* cpaelzer -> lunch12:32
ahasenackthat's fine12:33
ahasenackthanks12:33
muhahaGuys? Why this: https://pastebin.com/fDKru7Df will not pass exit code 1 from crontab job to dumb-init and container is still running?12:41
muhahaI get it, crontab will still run, even if gets exit code 1 from jobs12:42
cpaelzerahasenack: I'll move mysql as well13:02
cpaelzerthanks for spotting13:02
cpaelzernot sure about swanctl yet, need to take a look13:02
ahasenacki don't know what type of socket that is13:03
ahasenackseqpacket, protocol 013:03
ahasenackapparently it's a thing13:04
cpaelzermaybe it is new'ish nad therefore not covered yet13:07
ahasenackcpaelzer: I'm fine with a new bug and leaving that for later13:13
cpaelzerno lets do it at once13:16
cpaelzerI'm just striggling to get the rule right13:17
cpaelzerwhat I expected to work doesn't13:17
cpaelzer(still blocking)13:17
cpaelzerI'll ping our appamor/security friends13:17
Mr_PanHello i have a server with postfix + spamassasin + amavis ...    Is it possible to change in automatic (via Amavis) the subject of an email when there is a certain attachment?  (i.e. .doc  >>   in subject i would add  ++++ Warning +++)13:37
cpaelzerahasenack: the MP is updated if you want to take a look again13:42
ahasenackdoing so now13:42
ahasenackcpaelzer: opinion on adding the bug number to the comment?13:44
ahasenack+  # for af-alg plugin13:44
ahasenack+  network alg seqpacket,13:44
cpaelzerI didn't add it as on next merge this change will be fused with the "mass enablement of extra plugins"13:45
ahasenackah, it's in the d/changelog13:45
ahasenackok13:45
cpaelzerbut I see no big harm in adding it either, yeah changelog and commit message have the bug ID13:45
ahasenackno need then13:45
ahasenackchangelog is good enough13:45
ahasenackcpaelzer: how did you know about that hints MP wrt symfony?13:59
cpaelzerI'm subscribed to any hint updates14:03
ahasenackgood plan14:03
cpaelzerahasenack: here https://code.launchpad.net/~ubuntu-release/britney/hints-ubuntu14:03
cpaelzertop right14:04
ahasenackdone14:04
kstenerudCan someone help me with using sbuild? I'm following the instructions at https://wiki.ubuntu.com/SimpleSbuild but it doesn't actually show how to build a package14:12
tafa2Does anyone know if there's a simpler Freenas equivalent for Ubuntu or CentOS? Something that allows you to create SFTP accounts and/or add SSH keys (Not webmin though? :P)14:13
ahasenackkstenerud: "Using the schroot"14:18
ahasenackkstenerud: there is a bit that starts with "Or building via sbuild directly:"14:18
kstenerudahasenack: I've tried that but it doesn't work: https://pastebin.ubuntu.com/p/FRh6sxmBsd/14:19
ahasenackkstenerud: sounds like missing build dependencies14:20
kstenerudOK, then I'm confused. I though the point of schroot was to get the dependencies?14:21
kstenerudwithout polluting your main sytem14:21
ahasenackit's been a while since I last used sbuild, I would hope something would take care of the dependencies, yes14:22
kstenerudOtherwise how is this different from apt build-dep && dpkg-buildpackage -S14:22
kstenerudBasically: I have a package (for example tomcat8) which I grabbed via git ubuntu pull. How would I go about building it with sbuild?14:23
kstenerudwithout it using whatever happens to be installed on my dev machine14:24
ahasenackrbasak is the sbuild expert, I'm sure something small is missing :)14:24
ahasenack--build-dep-resolver=resolver14:26
ahasenackdefault is apt14:26
ahasenackkstenerud: try -v (verbose)14:34
* ahasenack lunches14:35
nacckstenerud: was that all the output? or did you filter14:37
nacckstenerud: also -d seems weirdly specified. Did you mean -c ?14:38
nacckstenerud: -d is for specifying the distribution manually14:39
naccbut it's also been a while since i used it too14:40
kstenerudnacc: That's exactly as it output14:54
kstenerudRegardless of how it's supposed to be called, all I want to do is build for example tomcat8 without having to install a bunch of stuff on my dev machine directly14:55
kstenerudHere is what happens with -c: https://pastebin.ubuntu.com/p/rBCyMN2bMN/14:56
rbasakkstenerud, ahasenack: --resolve-alternatives15:37
kstenerudrbasak: I get the same result with --resolve-alternatives15:38
kstenerudrbasak: do you have time for a quick chat?15:42
rbasakkstenerud: just grabbed something to eat. Ten minutes?15:44
kstenerudok15:45
MACscrany recommendations on how i can setup my php-fpm so i dont get this notice every time i update through apt? http://paste.debian.net/1055354/15:59
MACscri am indeed running php7.1-fpm and have for some time now16:00
MACscrso i dont get why it need reenabled every time16:00
MACscraccording to it16:00
nacckstenerud: something else is wrong17:23
naccit should be *much* more verbose17:23
ahasenackrbasak: if you are still around, could you please import bind-dyndb-ldap and add it to the whitelist?19:18
rbasakahasenack: done20:51
ahasenackrbasak: \o/20:52
ahasenackthx20:52
MACscrno ideas on my php-fpm question from this morning?21:07
sdezielMACscr:21:11
sdezielMACscr: those are only notices, right? any harm in just ignoring them?21:11
MACscrsdeziel not really, but it makes me feel like something is wrong. Not sure why it would be happening21:12
sdezielMACscr: seems just informal messages to me21:13
MACscreh, doesnt make sense to give it if nothing is needed to be done21:14
sdezielMACscr: if you'd like the postinst script to have more smart, you should report this to the PPA owner21:16
evitAnyone know when Ubuntu will get latest updates to PHP?21:53
evitQuite a few are security related... http://php.net/21:55
tewardevit: patches for security issues are backported21:56
tewardthe versions themselves usually don't get version bumps for various reasons21:56
teward(https://askubuntu.com/questions/151283/why-dont-the-ubuntu-repositories-have-the-latest-versions-of-software is a pretty good way to explain it)21:56
sdezielevit: please open a bug asking for an update of the micro releases21:57
teward^ this as well21:57
tewardunless you have specific security issues you're specifically referring to21:57
sdezielteward: php 7.0 and 7.2 are special as Ubuntu tracks micro releases21:57
tewardsdeziel: we don't know which version of Ubuntu evit is using21:57
tewardsdeziel: but good to know21:57
tewardevit: might I ask which PHP you're looking at?21:57
tewardsdeziel: that said if they want mroe than a microrelease bump... :P21:57
sdezielteward: indeed, php5 gets a different treatment21:58
tewardsdeziel: also wouldn't those partly be handled by Security for security bugs?21:58
tewardcc sarnold21:58
sdezielteward: yes, the security team usually get to publish those21:58
sarnoldwhich CVEs are you interested in?21:59
tewardevit: sarnold's the server packages security team contact ;)22:00
sdezielevit: you can use LP: #1744148 as template22:00
ubottuLaunchpad bug 1744148 in php7.0 (Ubuntu Xenial) "[MRE] Please update to latest upstream release 7.0.28 / 7.1.15 / 7.2.3" [Wishlist,Fix released] https://launchpad.net/bugs/174414822:00
teward*hands sarnold the ball, then disappearifies*22:00
sarnoldI suggest skipping the bug for security issues, we don't track security issues there22:01
sarnoldif you want an sru for non-security fixes then it's probably fine22:01
evit@teward,  I just didn't understand how and why it happens but I do now.22:06
tewardevit: MRE requests for SRUing bugfixes22:06
tewardSEcurity team intervention for security packages22:07
tewards/security packages/security fixes/22:07
keithzg[m]If there's anyone else out there still running FogBugz "For Your Server" on Ubuntu (or any other Linux distro), let me know, we should form a support group in all senses of the term :P22:41
genii!info fogbugz22:41
ubottuPackage fogbugz does not exist in bionic22:41
JanCseems like it never supported other versions than 32-bit 10.04 & 12.0422:59
JanCso what you really need is to get rid of it22:59
keithzg[m]JanC: Don't I know it! Alas, the Engineers at work fear change, and one of them is my boss, so I'm stuck with it for the foreseeable future.23:01
JanCI hope it isn't accessible from outside the intranet?23:02
keithzg[m]I've already set up an alternate bugtracker (Phabricator) and written largely from scratch a full read-only interface for FogBugz in case the company that owns it decides to finally turn off the licensing server.23:02
keithzg[m]JanC: Sure isn't! And it's running on its own VM, as a non-root user, on an 18.04 server, so it's as locked-down as I can get it otherwise.23:03
JanCI see some bug trackers have import scripts for fogbugz23:03
JanCoh, so it actually works on newer versions?23:03
keithzg[m]Yup, I had to write a systemd unit file IIRC? But other than that it's been surprisingly smooth sailing, going up the versions, all the way to 18.04 now.23:04
JanCat least that should mean the OS is up-to-date23:04
keithzg[m]Yup, and the database too even, since it's actually pointed towards a modern MariaDB installation. It's just the old, terrible server software itself, written in a bespoke variant of Visual Basic (!) compiled into Mono, that's so grievously outdated.23:05
JanCI guess they don't depend on a lot of external libraries?23:05
JanCah, Mono23:06
keithzg[m]Yeah naw it's pretty much all bundled with it.23:06
JanCit's written in VB.NET?23:06
keithzg[m]Nope, although maybe it compiles down to that at some point? The language it's written in is "Wasabi", a VB-like language developed in-house by Fog Creek, very ironically since, well, there was a whole thing about that back in the day: https://blog.codinghorror.com/has-joel-spolsky-jumped-the-shark/23:10
keithzg[m]Luckily the modern versions of FogBugz aren't written in this proprietary language. Unluckily, they're only available to run on Windows Server using MS SQL for the database backend, and yeah, nope, hard no on that one.23:12
keithzg[m](Also they were nearly an order of magnitude more expensive. And all that's up in the air now since Fog Creek sold off FogBugz to a somewhat sketchy company called DevFactory now.)23:14
CodeMouse92keithzg[m]: Y'know, that's kinda a surprising post, since Joel and Jeff have been friends for years, and founded StackOverflow together23:19
CodeMouse92I dunno how I feel about either of them, now. Jeff kinda jumped the shark a while back himself.23:19
keithzg[m]CodeMouse92: Yeah I know what you mean.23:19
keithzg[m](I don't remember when I noticed, but I distinctly remember thinking "oh hey, now Jeff has jumped the shark" ;)23:20
CodeMouse92keithzg[m]: Well, and his dismissal out-of-hand of developing a language is rather alarming. Joel's logic may not have been sound (I don't know, this is just Jeff's interpretation)...but there are valid use cases for developing a language.23:21
CodeMouse92I think the both of them just started believing their own press releases, is all.23:21
keithzg[m]CodeMouse92: Yeah undoubtedly true.23:22
keithzg[m]And yeah that's fair, developing your own language can certainly have a place, although having trounced around FogBugz's source code a while back for my job I . . . don't think it was worth it. (And it really is basically just VisualBasic, Kate's syntax highlighting for VB worked 100% perfectly from what I remember.) And certainly Fog Creek themselves appear to have reconsidered since they eventually abandoned not23:23
keithzg[m]just that version of FogBugz but the Wasabi language itself.23:23
CodeMouse92keithzg[m]: No, that particular application didn't sound logical.23:24
JanCwait until you hear about the guy who wrote a language for creating meta languages...   ;)23:24
CodeMouse92keithzg[m]: I think I'm just sitting here and thinking "well, crap, there goes more of the old guard. We're screwed."23:24
keithzg[m]CodeMouse92: Hah!23:25
CodeMouse92But...I guess we aren't as long as we still have sane people. My current icons include Ben Halpern and April Wensel.23:25

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!