cpaelzerthanks for taking logwatch rbasak06:15
Quozli'm in a do-release-upgrade for a remote headless 16.04 to 18.04 upgrade, and postgres is failing to upgrade because systemd is not responding, in another shell systemctl gives "Failed to connect to bus: No such file or directory".  journalctl has "System is tainted: var-run-bad".  any ideas?06:29
Quozlsolved with "ln -s /var/run/dbus /run"06:46
lordievaderGood morning07:18
cpaelzergood morning lordievader07:32
lordievaderHey cpaelzer07:33
lordievaderHow are you doing?07:33
cpaelzerlordievader: good, how are you today (and late happy new year to you)07:52
lordievaderHappy New Year to you too07:54
lordievaderDoing good here 😁07:54
=== JanC is now known as Guest41406
=== JanC_ is now known as JanC
ahasenackgood morning11:04
=== bigbrovar_ is now known as bigbrovar
LopeHey guys I need to choose between LXC and KVM13:26
LopeI don't have a huge number of VM's so while LXC could achieve higher density in theory, it's unlikely to be an issue for me.13:26
LopeSo my main consideration is ease of maintenance/admin of whatever I put into production.13:27
LopeSo for that reason I'm leaning towards KVM over LXC.13:27
LopeKVM supports live migration and has snapshot support.13:27
LopeLXC can't really do live migration. So I'm thinking KVM has a bit of an edge over LXC13:28
sdezielLope: nowadays you probably want to look at LXD instead of LXC13:31
Lopesure, but same thing more or less.13:32
sdezielyeah but the LXD experience is much more pleasant13:32
sdezielLope: lxc supports live snapshots too13:35
Lopesdeziel, interesting13:35
ahasenackrbasak: do you remember this bug? https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/132393014:02
ubottuLaunchpad bug 1323930 in apache2 (Ubuntu Trusty) "mod_lua.so missing from 14.04 install (apache2-bin, 2.4.7-1ubuntu4))" [Undecided,Confirmed]14:02
ahasenackrbasak: for trusty, we could just change apache'2 build-deps back to lib lua 5.1, like you did for the utopic release14:02
ahasenackrbasak: is this valid for an sru? It would make apache2 grow a (intented) lua5.1 runtime dep, something it didn't have before (due to the bug)14:03
ahasenackrbasak: trusty's backports do contain a newer apache which has lua support14:03
ahasenackand even lua 5.114:04
ahasenackbackports actually has the same change you made for utopic14:05
ahasenackLope: and you can copy lxd containers to other machines, and use snapshots too14:12
rbasakahasenack: it feels to me that lua support is rotting currently. Perhaps we'll need to eventually drop lua 5.1 support from apache2 altogether. In that case, I don't think it's of much benefit to add lua to Trusty. It will be EOL soon. Nobody should be deploying anything new on it today anyway.14:37
rbasakAnd if we're not going to support lua on apache2 any more, then I don't think it really counts as a "feature regression" for a release to not have shipped with it. It was an accident, sure, but if the long term goal is to drop support, then intermittent/no support in previous releases may be acceptable. As long as it's not a regression during the lifetime of a single release, which this isn't.14:39
ahasenackrbasak: lua in apache is fine in all other distros. Xenial is the last one with 5.1, all the rest (including disco) has 5.2 support14:44
ahasenackquestion is specifically about a trusty sru to enable it, and I think your opinion is "no", correct?14:45
ahasenackI added a comment to the bug, maybe after you read it14:45
rbasak4 people affected14:48
rbasakApparently trusty-backports has a lua-enabled apache14:48
rbasakAnd Xenial and Bionic are available of course14:48
rbasakThe last date of someone indicated caring was in 201714:49
ahasenackwell, it's an old bug, at some point people give up14:50
rbasakYeah, I accept that.14:50
rbasakBut with only four months remaining now, I don't think there's any point for Trusty any more.14:50
ahasenackok, I'll mark that task as wontfix14:50
rbasakNot from a policy perspective necessarily, just from an effort perspective, including SRU team effort.14:51
ahasenackdone, thanks14:52
rbasakkstenerud: got your logical tag, but why does it have a different prefix to the others? Is that intentional?15:52
rbasak(for logwatch)15:52
kstenerudno, not intentional15:54
rbasakIt breaks my automatic checking script :-/15:55
* rbasak works around15:55
cpaelzerjamespage: such a dependency can be added16:42
cpaelzerjamespage: my question was would you want to add it in UCA's qemu only16:42
cpaelzeror should we add it to Bionic as well?16:42
jamespagecpaelzer: I guess its really a UCA only problem so we should hold a patch for the backport to add the versioned dependency16:48
jamespageas a do-release-upgrade to bionic won't have this issue...16:48
jamespagecpaelzer: partial upgrades with UCA are a grey area - we don't test for mixed version deployment (where only certain pkgs have been upgraded).16:49
=== bigbrovar_ is now known as bigbrovar
ahasenackrbasak: sru question, wrt https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/180743917:15
ubottuLaunchpad bug 1807439 in openvpn (Ubuntu Disco) "openvpn crashes when run with fips openssl" [Undecided,New]17:15
ahasenackrbasak: fips is only offered for LTS releases17:16
ahasenackrbasak: so is cosmic needed in there?17:16
ahasenackdisco I think is, just so we can be sure it won't be forgotten until the next lts comes17:16
sayihi, can someone confirm if squid package for ubuntu18.04 supports SSL/ HTPPS?18:49
sdezielsayi: it doesn't AFAIK18:54
TJ-According to 'man squid3' on 18.04, "Squid  supports  SSL,  extensive  access  controls, and full request logging."19:01
sdezielhttp://www.squid-cache.org/Doc/config/https_port/: Requires:--with-gnutls or --with-openssl19:03
sdezielsquid -v shows none of those flags19:03
TJ-yes, the Depends also don't show any indications. Seems the man-page is not tailored for the build19:05
rbasakahasenack: Canonical only commercially offers FIPS for LTS releases, but I think if part of that involves regular-Ubuntu-archive then that's not a justification for skipping the regular "no regression on release upgrade" SRU policy.19:09
rbasakahasenack: IOW, I think that without Canonical's FIPS offering the openvpn SRU and bug would make sense on their own (eg. if an interested non-commercial user were driving it). If so, then Cosmic needs to also be fixed by my understanding of SRU policy. Assuming I understand the bug being fixed here.19:10
ahasenackrbasak: I see, thanks19:17
ahasenackrbasak: good point about the third party19:17
ahasenackrbasak: cosmic wasn't in that bug, it was I who added the task earlier today, but was left wondering19:17
sarnoldsquid build logs show a bunch of ssl stuff though https://launchpadlibrarian.net/391424489/buildlog_ubuntu-bionic-amd64.squid3_3.5.27-1ubuntu1.1_BUILDING.txt.gz19:25
ahasenackI think that is just for squidclient19:28
ahasenackproper ssl termination support was only added in squid419:28
sayisdeziel: do you know how to confirm it 100%?19:42
fletch8527Im hoping someone here can help me with my Ubuntu 18.04 server (no GUI). I have its NIC set to a static IP via the /etc/netplan/50-cloud-init.yalm but for what ever reason is seems that DNS stops working every now and then. I have the nameservers specified in the file but I cannot resolve anything, I just get "ping: www.google.com: Temporary failure in name resolution".19:49
fletch8527here is my netplan yaml: https://paste.ubuntu.com/p/43ndRgvs9n/19:49
sdezielsayi: I'd try setting https_port and see if squid successfully binds a socket with TLS/SSL on it19:50
ahasenackfletch8527: can you ping the nameservers' ip when that happens?19:51
sarnoldfletch8527: I suggest ditching and just use your own dns server, that'll probably be more debuggable19:51
sdezielsayi: but "ldd /usr/sbin/squid" doesn't show the usual SSL libs so I don't think it will work19:52
fletch8527I can try switching it back, but I switched to because I though my local one might have been the issue. I can also ping and (local dns) without issue19:53
fletch8527is there a preferred method for setting a static IP in 18.04? Im coming from a Windows background it a kinda throws me that there is more than 1 way to set a static19:58
rbasakfletch8527: see if dig works direct to a nameserver perhaps, to eliminate a network problem?19:58
Oolfletch8527: you can try dig debian.org @
sarnoldfletch8527: it's complicated in part because 18.04 upgrades from earlier releases won't automatically get netplan configs19:59
rbasaksystemd-resolve(1) might also be of help19:59
Oolwith the @ you can tell which DNS server you want to use19:59
sarnoldfletch8527: is systemd-resolved in use on this machine? (it probably is) -- I've heard once it gets one bad response it can get endlessly confused and become worthless19:59
fletch8527@sarnold it was a fresh install and i followed a guide that i think disabled systemd-resolved (it had me rename resolv.conf)20:00
fletch8527@Ool that command worked as expected20:01
sdezielfletch8527: debian.ord != debian.org20:04
Ool.org not .ord but ok you can ask your server and got an answer20:04
Ooldid you netplan generate to validate your file ?20:04
fletch8527what would be the best way to disable the netplan setting and re-enable systemd-resolve (sorry, its probably a noob question)20:04
fletch8527oops haha20:04
fletch8527jacked up on cold medicine atm :/20:05
Oolwithout following this unknown guide (link ?), your yaml file seems good20:06
UsQUEanyone known why sftp doesn't allow me to use NFS mounted directory? I get permissions denied error? when I login via terminal ssh and go to the directory I can see the content :/20:06
fletch8527@Ool, yea im trying to find it now. But I could just blank out the 50-cloud-init.yaml file then enable/start the systemd-resolve service?20:08
sdezielfletch8527: you probably want to ensure /etc/resolv.conf is a symlink to systemd-resolve's version20:09
fletch8527@sdeziel ok. ill look into that20:09
Oolfletch8527: usualy I use netplan to configure the systemd-network or I install ifupdown to use the old method20:12
fletch8527@Ool I think that it what I did, but not sure why it just loses its abaility to resolve. I actually switched to this method becuase my resolv.conf kept getting wrong info in it and would break resolving as well. Would you happen to have a guide you could link to about correctly using netplan?20:15
Oolif you install ifupdown , your yaml file isn't readed, you need to put your nameservers into /etc/network/interfaces20:16
fletch8527also, this server is used to run my Docker setup. Only the host is effected all the containers work just fice20:16
sarnoldnetplan's best docs are on the website https://netplan.io/20:17
sarnoldfigure out *why* your resolv.conf is getting bad data though..20:17
fletch8527Thanks Ill check it out. I was going down the path figuring out what was going on with my resolv.conf when I found a guide to use netplan (though I cant find the guide now :/ ). my resolv.conf is no longer being used.20:18
sayisdeziel: would you know how to install a squid server that supports ssl and https?20:34
sdezielsayi: it depends on what you want to do with it20:35
sdezielsayi: if you only want to secure the client<->proxy connection, it should be easy to do with a side daemon (like HAProxy for example)20:36
sdezielsayi: but if you want to do TLS MITM/ssl_bump'ing, this is a different story20:36
sayisdeziel: im looking for TLS MITM setup, can you help directing me to a how to doc?20:40
sayiim moving squid server from pfsense to ubuntu20:40
sdezielsayi: that's something I never tried, only read about it :(20:41
sdezielsayi: you could probably rebuild squid with the needed dependencies/compile flags and/or try on a newer version of Ubuntu/squid20:42
sayisdeziel: do you know which version of squid?20:46
sdezielsayi: ahasenack mentioned squid 420:46
sdezielcosmic ships squid 4.1 and disco will ship 4.420:47

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!