[06:15] <Deihmos> i notice ubuntu server updates packages unlike debian that provides just security updates
[06:16] <Deihmos> aren't package updates risky?
[06:26] <andol> There is always a tradeoff.
[06:27] <andol> ...and Debian too provides some updates which aren't necessarily security fixes.
[06:45] <lotuspsychje> Deihmos: not updating system is a risk
[07:19] <lordievader> Good morning
[08:38] <kstenerud> cpaelzer: for https://code.launchpad.net/~kstenerud/ubuntu/+source/php7.0/+git/php7.0/+merge/364241 what did you mean by generated code? What should I be comparing?
[08:48] <cpaelzer> kstenerud: when you have e.g. dh_xyz --arg in d/rules that (especially in your case) gets generated into code in the post/pre-rm/inst files
[08:48] <cpaelzer> kstenerud: https://wiki.debian.org/MaintainerScripts
[08:49] <cpaelzer> depending on your preference you have two ways to "inspect" them to do absolutely what you expect them to do
[08:49] <cpaelzer> #1 is to check the built packages locally - e.g. sbuild and then extract the debs with dpkg -x ... to take a look
[08:50] <cpaelzer> #2 is to check the real thing you use for testing (from a PPA for example) you can check for (recently) installed packages in /var/lib/dpkg/info/<pkgname>.*
[08:50] <cpaelzer> kstenerud: I prefer #2 for most cases but both work
[08:51] <cpaelzer> kstenerud: background - just because you said "restart-after-upgrade" that might not always do the right thing (it should, but then murphy)
[08:51] <cpaelzer> kstenerud: so I got used to checking indirect changes to the maintainer scripts in what was generated
[08:51] <cpaelzer> kstenerud: does the above make sense for your current case?
[08:52] <kstenerud> yes I think so. I'll need to look at it to be sure
[08:53] <cpaelzer> ok, let me know if you need more breadcrumbs or a HO to clarify
[10:21] <kstenerud> cpaelzer: actually, I can't find any reference to restart-after-upgrade, even in the PPA that has it. /var/lib/dpkg/info has not a single file with that text in it
[10:22] <kstenerud> I tried running fakeroot debian/rules build manually, but it fails on a patchfile
[10:23] <kstenerud> so it looks like the builder does something different, because the PPA did build successfully
[10:24] <kstenerud> similarly, dpkg-buildpackage doesn't generate anything with restart-after-upgrade
[10:28] <cpaelzer> kstenerud: that is correct
[10:28] <cpaelzer> kstenerud: it is not going to be passed literally
[10:29] <cpaelzer> kstenerud: when you tell dh_installinit --restart-after-upgrade then instead of prerm:stop + postinst:start it will only do postinst:restart
[10:29] <cpaelzer> kstenerud: fortunately the dh_* tools leave headers
[10:29] <cpaelzer> so e.g. dh_installinit says something like "added by dh_installinit ..." before the snippet
[10:30] <cpaelzer> in these snippets after some checks the final calls to "actually do" things will most likely start like "service ... ", "invoke.rc ...", or "systemctl ..."
[10:35] <kstenerud> cpaelzer: None of the postrm and such files contain service, invoke.rc, or systemctl
[10:37] <cpaelzer> kstenerud: can you point me at your PPA again please?
[10:37] <kstenerud> https://launchpad.net/~kstenerud/+archive/ubuntu/xenial-php7.0-restart-after-upgrade-1819033
[10:38] <kstenerud> Actually, there's no such fpm module for php in xenial...
[10:39] <cpaelzer> kstenerud: php7.0-fpm is already the newest version (7.0.33-0ubuntu0.16.04.2)
[10:40] <kstenerud> I get:
[10:40] <kstenerud> E: Package 'php7.0-fpm' has no installation candidate
[10:40] <cpaelzer> kstenerud: apt update after new container maybe?
[10:42] <cpaelzer> kstenerud: http://paste.ubuntu.com/p/6CFVNmCSZs/
[10:42] <cpaelzer> looks exactly as I'd hope it would be
[10:42] <cpaelzer> kstenerud: but please take the chance to find it on your own so that you know where/how next time
[10:42] <cpaelzer> this is a copy of /var/lib/dpkg/info/php7.0-fpm.* as in-archive vs your PPA
[10:43] <cpaelzer> kstenerud: once you had the time to digest this let me know if you are fine now or if you need more
[10:43] <kstenerud> is there a tool you're using to download these files?
[10:44] <kstenerud> or do I have to spin up containers to get them?
[10:51] <cpaelzer> kstenerud: I used containers, but as I mentioned before you can also just get the .debs and use dpkg -x
[10:52] <cpaelzer> kstenerud: when looking at your PPA you can always go to "View Package details" and then flip-open the package of your interest. When you click on one of the builds you will get to e.g. https://launchpad.net/~kstenerud/+archive/ubuntu/xenial-php7.0-restart-after-upgrade-1819033/+build/16468276
[10:53] <cpaelzer> and there the debs are with proper links (e.g. you can wget them)
[12:16] <kstenerud> cpaelzer: OK, I'm still not clear on how the service will be down during the upgrade, or how this patch fixes it. It looks like it's just checking to see if a param is "configure" or "abort-upgrade", and then checks for files, then sets an action name based on that. But what does it all mean?
[12:36] <cpaelzer> kstenerud: this calls for a HO to help you remove some of the maintainer-script-mist
[12:36] <cpaelzer> kstenerud: I'll wait in the standup for when you are ready
[12:36] <kstenerud> ok
[12:47] <coreycb> jamespage: sahid: looks like we're almost done with dependency updates for stein. I'll plan to pick up on what's left during my afternoon today.
[13:44] <Ussat> no nagios4 ?
[13:46] <leftyfb> doesn't look like it
[13:47] <leftyfb> oh wait, it's there. In 18.10 and newer
[13:47] <leftyfb> https://packages.ubuntu.com/cosmic/nagios4
[13:47] <Ussat> ok
[14:37] <foo> Repeat in case someone happens to know: I'm looking for a monitoring system that has an API that I can feed an IP address (publicly accessible) and it can "onboard" that IP and then monitor. Specifically, I'd like it to determine how it can be monitored - eg. what ports are open, what ports share a banner, is it pingable - then share back when the system goes offline via an API and via whatever it
[14:37] <foo> originally found to be "onboarded." Maybe with a confidence score. eg. if 6 ports are open, and it's pingable, and everything goes unresponsive... it's likely it's all offline. Or, if 6 ports open and it's not pingable and 1 port closes, then there "may be" an issue. Does nagios or zenoss or something else happen to provide something like this? Or do we need to roll our own system
[14:49] <lordcirth> foo, so, you want it to auto-scan the IP, and monitor everything it sees?
[14:51] <foo> lordcirth: yes, and then report back if something goes down, with a % of what went down based off ports, etc. Not sure how granular I can get with different systems but I suspect something out there allows for such - hence my ask. Thank you for clarifying
[14:55] <lordcirth> I'm sure there is such a tool, but I don't know off the top of my head
[14:57] <nacc> cockpit ?
[15:04] <tomreyn> pandora fms has auto discovery
[15:05] <tomreyn> also opennms and netxms
[15:07] <tomreyn> zabbix, too, and observium. and probably a lot more.
[15:14]  * RoyK prefers zabbix
[15:23] <RoyK> foo: keep in mind that most of these tools require an agent installed on the monitored OS. Some will work with snmp too, but then, you'll need to allow snmp access to the system and set up what to monitor
[16:09] <foo> tomreyn: opennms, haven't heard of that in a while.
[16:13] <tomreyn> foo: it's still being developed, and in use by some larger corps
[16:13] <foo> tomreyn: yup, I've seen it, may have used it at one point, it skipped my mind. Appreciate you sharing
[16:14] <foo> What I'm not sure on is exact process for discovery
[16:14] <foo> But I can investigate further
[16:14] <tomreyn> as Roy said, most use snmp.
[16:15] <tomreyn> but there are also some which use common ports, such as ssh, telnet (yes!), rdp, etc.
[16:18] <foo> The challenge is I don't know anything about the end system... but it sounds like this isn't exactly a unique problem
[16:18] <foo> I'll have to look more into snmp and how that works
[16:19] <tomreyn> a former employer of mine decided to move from a stone age nagios distribution to an SaaS monitoring solution which does SNMP discovery, from the internet. they do offer their own snmp (and more protocols) discovery gateway you can install on your network, as a blackbox, so to have a somewhat controlled way into your network. but it's effectively still a backdoor, seeing how many devices don't support setting fine grained permissions via
[16:19] <tomreyn> snmp.
[16:19] <tomreyn> the most crazy management decision i've ever seen so far.
[16:20] <tomreyn> so you do want to host monitoring yourself, at least the main system.
[16:22] <foo> tomreyn: I'm ok with a third party doing stuff (even if it's locally), if anything I'd want an API to connect into to feed an API, webhook to report to, etc.
[16:22] <tomreyn> foo: are you referring to a single system to be monitored?
[16:22] <foo> tomreyn: thousands via Internet
[16:22] <foo> all we have is IP, nothing else.
[16:23] <foo> and nothing else to be set up (at least, at this point in time)
[16:23] <tomreyn> are your systems all on the internet then?
[16:23] <tomreyn> are all your systems on the internet then?
[16:23] <tomreyn> ^ grammar fixed ;)
[16:24] <foo> (thank you, grandma's life could have been saved) not necessarily, we mainly want to track whether or not a location's internet went down (well, I'm saying "we" but I'm asking on behalf of someone else)
[16:25] <tomreyn> are those many different / separate locations / networks then?
[16:26] <tomreyn> not like many devices in one place / network?
[16:26] <tomreyn> so more like IoT rather than 3 data centers?
[16:28] <RoyK> better use an agent - you'll get access to more data
[16:28] <RoyK> not all services etc export their stuff to snmp
[16:29] <foo> tomreyn: yes
[16:29] <foo> RoyK: yes, that's on the radar at some point... that requires a ton of other stuff, moving parts, etc, so we're curious on what we could get with just an IP
[16:29] <RoyK> and snmp is quite old and personally, I don't use it for other stuff than network devices, UPSes etc
[16:30] <RoyK> foo: moving parts?
[16:31] <tomreyn> foo: yes, you'll want some kind of an agent, and a canary like system.
[16:32] <tomreyn> ...running on a well connected (multi-homed) and highly reliable (HA) central system
[16:33] <foo> RoyK: yes, politics, talking with different companies, security procedures, etc.
[16:33] <foo> Agent is ideal, but wanted to start the level before that first... which is not an agent
[16:33] <tomreyn> about service discovery, IMO the best approach is really regular network scans. i don't know if any of these monitoring systems do this, and if they do, how they do it, and how they handle findings.
[16:34] <foo> tomreyn: ... that's my exact challenge. I can build this whole thing to do exactly what I want. But I equally don't want to re-invent the wheel.
[16:34] <foo> To recap: scan an IP and see "what is open" / trackable... eg. TCP response, banners, pingable IP, etc... then monitor that hourly or such and report back % likely down (based off how many "trackable elements")
[16:35] <tomreyn> i bet none of them have a really good implementation for this, so you'll want to choose a fast ipv6 (ideally also ipv4) network scanner which scans lists of addresses for at least tcp (ideally more), and does service detection as well.
[16:37] <tomreyn> you'd need to feed those findings into a monitoring system and do anomaly detection along the way, so as to detect relevant changes to existing systems, systems added, systems removed.
[16:37] <tomreyn> and probably someone to review most but not all of these findings.
[16:38] <foo> tomreyn: agreed. So "trackable elements" would be ping, TCP open ports (with associated services if possible), with a backend system to do anomaly detection on a given time schedule... mhmmm.
[16:39] <foo> I'm leaning towards building this if possible
[16:39] <RoyK> foo: what sort of systems will you be monitoring?
[16:39] <RoyK> windows? mac? linux? something else?
[16:44] <foo> RoyK: the most important thing is we're actually monitoring the whole network. Whatever we get from an IP address is more of an indication of "if this network online" or offline
[16:45] <RoyK> perhaps https://nav.uninett.no/ ?
[16:46] <RoyK> it's used in large scale across scandinavian universities and colleges
[16:46] <RoyK> it's not superfancy, but it works well
[16:47] <RoyK> we have a few hundred devices in our installation at work
[16:47] <RoyK> we're using zabbix in addition to that, for more detailed service monitoring etc
[16:51] <foo> RoyK: interesting, I hadn't considered two services - one for discovery, and one for the actual monitoring of what was found... hmmm, that's interesting if I had two APIs. Thank you for sharing that
[16:51] <foo> RoyK: PS. Recently heard Sinne Eeg at a house concert, a Scandinavian Jazz Vocalist... she's awesome.
[16:53] <RoyK> foo: most systems don't cover the whole picture, but using more of them may be a good idea, even if they overlap a bit
[16:53] <foo> RoyK: yeah, that's not a bad idea at all, really appreciate it
[16:54]  * RoyK has been working with system monitoring for 20 years or so and rather likes it ;)
[16:55] <foo> RoyK: Thank you for sharing! I used nagios many years back and am just about wrapping my head around the latest... as long as things have an API I can pull/put from, I can definitely connect the dots and logic
[16:55] <RoyK> I've been using nagios as well and learned to dislike it quite a lot ;)
[16:55] <foo> haha
[16:56] <foo> RoyK: sounds like you like Zabbix, I think I looked at that once long ago
[16:56] <RoyK> v4 came out some months back - seems good
[16:57] <foo> Rad. I wonder if I can do https://nav.uninett.no/ for discovery + zabbix, hmm
[16:57] <RoyK> but they still store passwords in unsalted md5 hashes in the db if you use the local authentication, which isn't very good
[16:57] <RoyK> foo: I believe uio.no has a thing for that, but I haven't seen the code
[16:58] <RoyK> foo: where're you from again?
[16:59] <foo> RoyK: States, currently California
[16:59] <RoyK> ok - I found an article about this on uio.no, but it's in Norwegian, but perhaps google translate or something can help you through it https://www.usit.uio.no/om/organisasjon/iti/gid/publisering/overvaaking/zabbix_report.html
[17:01] <foo> RoyK: aha, thank you! ... since I probably couldn't search in Norwegian. Actually, I wonder if searches return other languages if I search in English. hmph. BTW, what country are you in?
[17:01] <RoyK> .no
[17:01] <RoyK> I work for oslomet.no
[17:01] <foo> RoyK: Permission to PM?
[17:01] <RoyK> sure
[17:02] <RoyK> (I work for Keyser Söze :D)
[18:22] <foo> RoyK: BTW, this is helpful: https://screencast.com/t/LnKLwoVL - great to see what's possible with Zabbix here
[18:23] <RoyK> foo: iirc is ping already in the standard zabbix - check_icmp iirc
[18:23] <foo> RoyK: nice
[18:24] <RoyK> foo:     Template ICMP Ping
[18:25] <foo> RoyK: aha, perfect
[20:45] <foo> RoyK: eh, my hand was forced - looks like someone else went in with librenms ... oh well. Looks like they have an API I can integrate with but I was hoping to get Zabbix in play.
[20:46] <foo> RoyK: in any capacity, I might be able to look into zabbix for another system (where I do have more control over the environment and systems)
[21:03] <RoyK> foo: just set up a VM
[21:15] <foo> RoyK: nice, will do - I think I have an amazon instance I can throw this on - thank you!
[23:47] <Marz> ubuntu server gets a lot of updates. i was previously running debian and there aren't that many updates. does ubuntu server update the package versions?
[23:50] <sarnold> we almost always backport security fixes as necessary
[23:51] <sarnold> mysql we publish new point versions as oracle release them
[23:51] <sarnold> otto from mariadb normally supplies us with new point releases for mariadb updates as they release them
[23:53] <blackflow> ubuntu does more than just security updates. esp. with the kernel. debian however does regular point releases which include bugfixes, and other bumps.