[06:16] <cpaelzer> good morning
[10:28] <lordievader> Good morning
[11:05] <ahasenack> good morning
[11:12] <ahasenack> cpaelzer: build-procenv        SKIP Test requires machine-level isolation but testbed does not provide that
[11:12] <ahasenack> cpaelzer: looks like we don't have machine-isolation for armhf
[11:12] <ahasenack> I'll have to change that one to use a directory other than /tmp for the debootstrap chroot
[11:12] <ahasenack> (wrt sbuild dep8 fixes)
[11:15] <cpaelzer> yeah not for hf
[11:36] <kstenerud> Is it normal nowadays for lxc containers to have an empty /proc/net/route?
[11:54] <ahasenack> cpaelzer: so, strongswan
[11:55] <ahasenack> cpaelzer: I brought up two disco vms, configured like you said, but didn't see apparmor denied messages
[11:55] <ahasenack> cpaelzer: also, did you figure out where @{pid} gets inserted into the path?
[11:56] <ahasenack> cpaelzer: and, what is the other way to start up charon? systemd and...? Your instructions say to use "sudo restart ...", but that's from upstart
[11:59] <cpaelzer> ahasenack: I used systemctl, let me spawn my guests and compare your setup
[12:01] <ahasenack> cpaelzer: is the apparmor profile enabled by default?
[12:01] <ahasenack> yep
[12:01] <ahasenack>  /usr/lib/ipsec/charon (enforce)   742 ?        Ssl    0:00  \_ /usr/lib/ipsec/charon
[12:03] <cpaelzer> yes it is
[12:04] <ahasenack> cpaelzer: that iptables line, I copied it as-is, just adapting --local-node
[12:04] <ahasenack> I'm not sure where that mac came from
[12:05] <ahasenack> it's not the usual mac for vms, so I figured you made it up
[12:05] <cpaelzer> do you have actual clusterip entries $ sudo find /proc -iname '*cluster*'
[12:05] <cpaelzer> ahasenack: that mac is a virtual one for the clusterip
[12:05] <cpaelzer> ahasenack: no need to match anything, can keep it as is
[12:05] <ahasenack> ok
[12:06] <ahasenack> so I ran that, just changing --local-node to 1 or 2 depending on where I run it
[12:06] <ahasenack> and I have results for that find command
[12:06] <cpaelzer> ahasenack: I only set it up on one side
[12:06] <cpaelzer> no need to fully config both ends
[12:06] <cpaelzer> for the bug at least
[12:06] <cpaelzer> ll /proc/net/ipt_CLUSTERIP if it exists
[12:07] <ahasenack> yes, and it contains
[12:07] <ahasenack> -rw------- 1 root root 0 Dec 11 12:06 10.10.10.10
[12:07] <ahasenack> charon was started automatically on system boot
[12:07] <ahasenack> and I ran the iptables command after
[12:07] <ahasenack> let me restart strongswan
[12:08] <ahasenack> maybe it's a plugin that needs loading?
[12:08] <ahasenack> Dec 10 19:50:25 disco-vpn2 charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
[12:08] <ahasenack> door, 1sec
[12:09] <cpaelzer> iptables v1.6.1: can't initialize iptables table `filter': Memory allocation problem
[12:09] <cpaelzer> thanks, my guest seems to have other problems - need that to get my clusterip back ...
[12:12] <cpaelzer> I'll use a new guest
[12:16] <cpaelzer> [106082.284333] audit: type=1400 audit(1544530589.122:65): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/5311/net/ipt_CLUSTERIP/" pid=5311 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[12:16] <cpaelzer> ahasenack: on a new guest again
[12:16] <cpaelzer> I realized that the ha.conf is picky on whitespace
[12:17] <cpaelzer> and the local/remote IP in there seem to at least need to exist
[12:17] <cpaelzer> ahasenack: http://paste.ubuntu.com/p/Gwn8jbMqGz/
[12:17] <cpaelzer> that is a ha.conf that worked
[12:18] <cpaelzer> to be sure on whitespaces
[12:18] <ahasenack> back
[12:19] <ahasenack> let me check
[12:19] <cpaelzer> ahasenack: I tested disco
[12:19] <cpaelzer> ahasenack: what are you on so we really have the same?
[12:20] <ahasenack> cpaelzer: https://pastebin.ubuntu.com/p/VKzxrc9wmK/
[12:20] <ahasenack> I have tabs in one, spaces in another
[12:20] <ahasenack> cpaelzer: disco
[12:20] <cpaelzer> well then
[12:21] <cpaelzer> should be the same
[12:21] <cpaelzer> still not hitting the apparmor issue?
[12:21]  * cpaelzer is starting from scratch in a fresh KVM guest
[12:21] <ahasenack> cpaelzer: then just a restart of strongswan?
[12:22] <ahasenack> I have this on both:
[12:22] <ahasenack>  *** 5.7.1-1ubuntu1 500
[12:22] <ahasenack>         500 http://br.archive.ubuntu.com/ubuntu disco/main amd64 Packages
[12:22] <cpaelzer> ahasenack: do you have package libcharon-extra-plugins installed?
[12:22] <ahasenack> cpaelzer: nope
[12:22] <ahasenack> just standard plugins
[12:22] <cpaelzer> that is it then
[12:22] <ahasenack> so it is a missing plugin
[12:22] <cpaelzer> I updated the description
[12:22] <cpaelzer> let me know if it now triggers for you please
[12:22] <ahasenack> installing
[12:23] <ahasenack> right, and now I actually have a default ha.conf
[12:23] <ahasenack> I had to create that file before
[12:23] <ahasenack> [ 1356.947338] audit: type=1400 audit(1544531019.361:77): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/2588/net/ipt_CLUSTERIP/" pid=2588 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[12:23] <ahasenack> ok, confirmed
[12:24] <cpaelzer> thanks
[12:24]  * cpaelzer slaps himself for imperfect testcase description
[12:24] <cpaelzer> the text said that it would drag that package in by dependencies
[12:24] <cpaelzer> but only default plugins are auto-installed
[12:27] <ahasenack> cpaelzer: the usr.sbin.charon-systemd profile, do we even install that?
[12:27] <ahasenack> I can't find it in /etc/apparmor.d
[12:27] <cpaelzer> not sbin
[12:27] <ahasenack> I also don't have a /usr/sbin/charon
[12:27] <cpaelzer> it is /etc/apparmor.d/usr.lib.ipsec.charon
[12:27] <ahasenack> right, but you are changing both, it's just to keep them in sync?
[12:27] <cpaelzer> matching the profile in your warning
[12:28] <ahasenack> not that we use the other one?
[12:28] <cpaelzer> I change both to keep them in sync
[12:28] <cpaelzer> there are two ways to start it in the debian package
[12:28] <ahasenack> what's the other way?
[12:28] <cpaelzer> and it resolves to one or the other
[12:30] <cpaelzer> it is installed as profile /etc/apparmor.d/usr.sbin.charon-systemd when you install package charon-systemd
[12:30] <cpaelzer> not the main route to do things
[12:30] <cpaelzer> but keeping the profiles in sync usually is correct
[12:30] <ahasenack> what a peculiar package :)
[12:31] <cpaelzer> I only try to make it less broken
[12:31] <ahasenack> did you find out where the pid is inserted into that path? or didn't bother
[12:31] <cpaelzer> not that it would not have systemd support without it
[12:31] <cpaelzer> I didn't see it in the code, but also never tried hard to track it down
[12:32] <cpaelzer> if I'd need it I'd gdb open calls with a filter
[12:32] <cpaelzer> but I didn't see the need to
[12:32]  * cpaelzer -> lunch
[12:33] <ahasenack> that's fine
[12:33] <ahasenack> thanks
[12:41] <muhaha> Guys? Why this: https://pastebin.com/fDKru7Df will not pass exit code 1 from crontab job to dumb-init and container is still running?
[12:42] <muhaha> I get it, crontab will still run, even if gets exit code 1 from jobs
[13:02] <cpaelzer> ahasenack: I'll move mysql as well
[13:02] <cpaelzer> thanks for spotting
[13:02] <cpaelzer> not sure about swanctl yet, need to take a look
[13:03] <ahasenack> i don't know what type of socket that is
[13:03] <ahasenack> seqpacket, protocol 0
[13:04] <ahasenack> apparently it's a thing
[13:07] <cpaelzer> maybe it is new'ish and therefore not covered yet
[13:13] <ahasenack> cpaelzer: I'm fine with a new bug and leaving that for later
[13:16] <cpaelzer> no let's do it at once
[13:17] <cpaelzer> I'm just struggling to get the rule right
[13:17] <cpaelzer> what I expected to work doesn't
[13:17] <cpaelzer> (still blocking)
[13:17] <cpaelzer> I'll ping our apparmor/security friends
[13:37] <Mr_Pan> Hello i have a server with postfix + spamassassin + amavis ...    Is it possible to change in automatic (via Amavis) the subject of an email when there is a certain attachment?  (i.e. .doc  >>   in subject i would add  ++++ Warning +++)
[13:42] <cpaelzer> ahasenack: the MP is updated if you want to take a look again
[13:42] <ahasenack> doing so now
[13:44] <ahasenack> cpaelzer: opinion on adding the bug number to the comment?
[13:44] <ahasenack> +  # for af-alg plugin
[13:44] <ahasenack> +  network alg seqpacket,
[13:45] <cpaelzer> I didn't add it as on next merge this change will be fused with the "mass enablement of extra plugins"
[13:45] <ahasenack> ah, it's in the d/changelog
[13:45] <ahasenack> ok
[13:45] <cpaelzer> but I see no big harm in adding it either, yeah changelog and commit message have the bug ID
[13:45] <ahasenack> no need then
[13:45] <ahasenack> changelog is good enough
[13:59] <ahasenack> cpaelzer: how did you know about that hints MP wrt symfony?
[14:03] <cpaelzer> I'm subscribed to any hint updates
[14:03] <ahasenack> good plan
[14:03] <cpaelzer> ahasenack: here https://code.launchpad.net/~ubuntu-release/britney/hints-ubuntu
[14:04] <cpaelzer> top right
[14:04] <ahasenack> done
[14:12] <kstenerud> Can someone help me with using sbuild? I'm following the instructions at https://wiki.ubuntu.com/SimpleSbuild but it doesn't actually show how to build a package
[14:13] <tafa2> Does anyone know if there's a simpler Freenas equivalent for Ubuntu or CentOS? Something that allows you to create SFTP accounts and/or add SSH keys (Not webmin though? :P)
[14:18] <ahasenack> kstenerud: "Using the schroot"
[14:18] <ahasenack> kstenerud: there is a bit that starts with "Or building via sbuild directly:"
[14:19] <kstenerud> ahasenack: I've tried that but it doesn't work: https://pastebin.ubuntu.com/p/FRh6sxmBsd/
[14:20] <ahasenack> kstenerud: sounds like missing build dependencies
[14:21] <kstenerud> OK, then I'm confused. I thought the point of schroot was to get the dependencies?
[14:21] <kstenerud> without polluting your main system
[14:22] <ahasenack> it's been a while since I last used sbuild, I would hope something would take care of the dependencies, yes
[14:22] <kstenerud> Otherwise how is this different from apt build-dep && dpkg-buildpackage -S
[14:23] <kstenerud> Basically: I have a package (for example tomcat8) which I grabbed via git ubuntu pull. How would I go about building it with sbuild?
[14:24] <kstenerud> without it using whatever happens to be installed on my dev machine
[14:24] <ahasenack> rbasak is the sbuild expert, I'm sure something small is missing :)
[14:26] <ahasenack> --build-dep-resolver=resolver
[14:26] <ahasenack> default is apt
[14:34] <ahasenack> kstenerud: try -v (verbose)
[14:35]  * ahasenack lunches
[14:37] <nacc> kstenerud: was that all the output? or did you filter
[14:38] <nacc> kstenerud: also -d seems weirdly specified. Did you mean -c ?
[14:39] <nacc> kstenerud: -d is for specifying the distribution manually
[14:40] <nacc> but it's also been a while since i used it too
[14:54] <kstenerud> nacc: That's exactly as it output
[14:55] <kstenerud> Regardless of how it's supposed to be called, all I want to do is build for example tomcat8 without having to install a bunch of stuff on my dev machine directly
[14:56] <kstenerud> Here is what happens with -c: https://pastebin.ubuntu.com/p/rBCyMN2bMN/
[15:37] <rbasak> kstenerud, ahasenack: --resolve-alternatives
[15:38] <kstenerud> rbasak: I get the same result with --resolve-alternatives
[15:42] <kstenerud> rbasak: do you have time for a quick chat?
[15:44] <rbasak> kstenerud: just grabbed something to eat. Ten minutes?
[15:45] <kstenerud> ok
[15:59] <MACscr> any recommendations on how i can setup my php-fpm so i dont get this notice every time i update through apt? http://paste.debian.net/1055354/
[16:00] <MACscr> i am indeed running php7.1-fpm and have for some time now
[16:00] <MACscr> so i dont get why it need reenabled every time
[16:00] <MACscr> according to it
[17:23] <nacc> kstenerud: something else is wrong
[17:23] <nacc> it should be *much* more verbose
[19:18] <ahasenack> rbasak: if you are still around, could you please import bind-dyndb-ldap and add it to the whitelist?
[20:51] <rbasak> ahasenack: done
[20:52] <ahasenack> rbasak: \o/
[20:52] <ahasenack> thx
[21:07] <MACscr> no ideas on my php-fpm question from this morning?
[21:11] <sdeziel> MACscr:
[21:11] <sdeziel> MACscr: those are only notices, right? any harm in just ignoring them?
[21:12] <MACscr> sdeziel not really, but it makes me feel like something is wrong. Not sure why it would be happening
[21:13] <sdeziel> MACscr: seems just informal messages to me
[21:14] <MACscr> eh, doesnt make sense to give it if nothing is needed to be done
[21:16] <sdeziel> MACscr: if you'd like the postinst script to have more smart, you should report this to the PPA owner
[21:53] <evit> Anyone know when Ubuntu will get latest updates to PHP?
[21:55] <evit> Quite a few are security related... http://php.net/
[21:56] <teward> evit: patches for security issues are backported
[21:56] <teward> the versions themselves usually don't get version bumps for various reasons
[21:56] <teward> (https://askubuntu.com/questions/151283/why-dont-the-ubuntu-repositories-have-the-latest-versions-of-software is a pretty good way to explain it)
[21:57] <sdeziel> evit: please open a bug asking for an update of the micro releases
[21:57] <teward> ^ this as well
[21:57] <teward> unless you have specific security issues you're specifically referring to
[21:57] <sdeziel> teward: php 7.0 and 7.2 are special as Ubuntu tracks micro releases
[21:57] <teward> sdeziel: we don't know which version of Ubuntu evit is using
[21:57] <teward> sdeziel: but good to know
[21:57] <teward> evit: might I ask which PHP you're looking at?
[21:57] <teward> sdeziel: that said if they want more than a microrelease bump... :P
[21:58] <sdeziel> teward: indeed, php5 gets a different treatment
[21:58] <teward> sdeziel: also wouldn't those partly be handled by Security for security bugs?
[21:58] <teward> cc sarnold
[21:58] <sdeziel> teward: yes, the security team usually get to publish those
[21:59] <sarnold> which CVEs are you interested in?
[22:00] <teward> evit: sarnold's the server packages security team contact ;)
[22:00] <sdeziel> evit: you can use LP: #1744148 as template
[22:00] <teward> *hands sarnold the ball, then disappearifies*
[22:01] <sarnold> I suggest skipping the bug for security issues, we don't track security issues there
[22:01] <sarnold> if you want an sru for non-security fixes then it's probably fine
[22:06] <evit> @teward,  I just didn't understand how and why it happens but I do now.
[22:06] <teward> evit: MRE requests for SRUing bugfixes
[22:07] <teward> Security team intervention for security packages
[22:07] <teward> s/security packages/security fixes/
[22:41] <keithzg[m]> If there's anyone else out there still running FogBugz "For Your Server" on Ubuntu (or any other Linux distro), let me know, we should form a support group in all senses of the term :P
[22:41] <genii> !info fogbugz
[22:59] <JanC> seems like it never supported other versions than 32-bit 10.04 & 12.04
[22:59] <JanC> so what you really need is to get rid of it
[23:01] <keithzg[m]> JanC: Don't I know it! Alas, the Engineers at work fear change, and one of them is my boss, so I'm stuck with it for the foreseeable future.
[23:02] <JanC> I hope it isn't accessible from outside the intranet?
[23:02] <keithzg[m]> I've already set up an alternate bugtracker (Phabricator) and written largely from scratch a full read-only interface for FogBugz in case the company that owns it decides to finally turn off the licensing server.
[23:03] <keithzg[m]> JanC: Sure isn't! And it's running on its own VM, as a non-root user, on an 18.04 server, so it's as locked-down as I can get it otherwise.
[23:03] <JanC> I see some bug trackers have import scripts for fogbugz
[23:03] <JanC> oh, so it actually works on newer versions?
[23:04] <keithzg[m]> Yup, I had to write a systemd unit file IIRC? But other than that it's been surprisingly smooth sailing, going up the versions, all the way to 18.04 now.
[23:04] <JanC> at least that should mean the OS is up-to-date
[23:05] <keithzg[m]> Yup, and the database too even, since it's actually pointed towards a modern MariaDB installation. It's just the old, terrible server software itself, written in a bespoke variant of Visual Basic (!) compiled into Mono, that's so grievously outdated.
[23:05] <JanC> I guess they don't depend on a lot of external libraries?
[23:06] <JanC> ah, Mono
[23:06] <keithzg[m]> Yeah naw it's pretty much all bundled with it.
[23:06] <JanC> it's written in VB.NET?
[23:10] <keithzg[m]> Nope, although maybe it compiles down to that at some point? The language it's written in is "Wasabi", a VB-like language developed in-house by Fog Creek, very ironically since, well, there was a whole thing about that back in the day: https://blog.codinghorror.com/has-joel-spolsky-jumped-the-shark/
[23:12] <keithzg[m]> Luckily the modern versions of FogBugz aren't written in this proprietary language. Unluckily, they're only available to run on Windows Server using MS SQL for the database backend, and yeah, nope, hard no on that one.
[23:14] <keithzg[m]> (Also they were nearly an order of magnitude more expensive. And all that's up in the air now since Fog Creek sold off FogBugz to a somewhat sketchy company called DevFactory now.)
[23:19] <CodeMouse92> keithzg[m]: Y'know, that's kinda a surprising post, since Joel and Jeff have been friends for years, and founded StackOverflow together
[23:19] <CodeMouse92> I dunno how I feel about either of them, now. Jeff kinda jumped the shark a while back himself.
[23:19] <keithzg[m]> CodeMouse92: Yeah I know what you mean.
[23:20] <keithzg[m]> (I don't remember when I noticed, but I distinctly remember thinking "oh hey, now Jeff has jumped the shark" ;)
[23:21] <CodeMouse92> keithzg[m]: Well, and his dismissal out-of-hand of developing a language is rather alarming. Joel's logic may not have been sound (I don't know, this is just Jeff's interpretation)...but there are valid use cases for developing a language.
[23:21] <CodeMouse92> I think the both of them just started believing their own press releases, is all.
[23:22] <keithzg[m]> CodeMouse92: Yeah undoubtedly true.
[23:23] <keithzg[m]> And yeah that's fair, developing your own language can certainly have a place, although having trounced around FogBugz's source code a while back for my job I . . . don't think it was worth it. (And it really is basically just VisualBasic, Kate's syntax highlighting for VB worked 100% perfectly from what I remember.) And certainly Fog Creek themselves appear to have reconsidered since they eventually abandoned not
[23:23] <keithzg[m]> just that version of FogBugz but the Wasabi language itself.
[23:24] <CodeMouse92> keithzg[m]: No, that particular application didn't sound logical.
[23:24] <JanC> wait until you hear about the guy who wrote a language for creating meta languages...   ;)
[23:24] <CodeMouse92> keithzg[m]: I think I'm just sitting here and thinking "well, crap, there goes more of the old guard. We're screwed."
[23:25] <keithzg[m]> CodeMouse92: Hah!
[23:25] <CodeMouse92> But...I guess we aren't as long as we still have sane people. My current icons include Ben Halpern and April Wensel.