[11:39] <chl_> has anyone switched from isc-dhcp to kea-dhcp recently? any difficulties?
[11:43] <Odd_Bloke> chl_: I haven't, so I can't offer any advice; one thing to note is that isc-kea is not in the set of packages that the Ubuntu Security team maintain, so you won't receive security updates for it.
[11:44] <chl_> Should be able to work around that, but thanks for the heads up Odd_Bloke
[11:44] <tomreyn> more precisely: there's no guarantee that you'll receive timely security patches for it.
[11:45] <chl_> any recommendations for another dhcp server? pref. with some kind of db support
[11:46] <Odd_Bloke> Yes, thanks tomreyn, that's more accurate.
[11:47] <tomreyn> thanks
[12:10] <supaman> so, a bit of advice would be welcome here. I have several VM's running ubuntu-server. One of them is an NFS that others have to mount from. I am having a bit of a difficulty with getting permissions right for normal users to write to the NFS from other servers. Should I debug it further or just get LDAP up and running?
[12:11] <supaman> on the nfs server I have set the permissions so that group 33 (www-data) can write to the directories that are shared
[12:12] <supaman> on the nfs-client the user that is supposed to write is a member of the same group on the nfs-client machine (id=33, www-data)
[12:13] <supaman> still if I do a 'touch filename' on the nfs-client machine in the nfs mounted directories I get permission denied
[12:13] <supaman> but if I go up a directory into a local directory on the nfs-client machine that has ownership www-data:www-data and permissions 775 then I can write to that directory
[12:21] <supaman> hmmm, the writing works if I am using NFSv3
[12:23] <supaman> argh! ... now it works fine
[12:23] <supaman> which is good, but still frustrating when it only needs time for things to work :-)
[12:25] <supaman> ahh, it needed one more thing then just time, the corresponding user on nfs-server had to be added to www-data group for the write to work, thats what fixed it
[15:59] <rbasak> ahasenack: bug 1789527 is on the 180 not touched list. Please could you take a look?
[16:00] <rbasak> It is server-next but maybe that isn't pertinent any more due to the time delay
[16:08] <ahasenack> right, server-next can be dropped
[16:08] <ahasenack> back then I thought it was an escalation, but that wasn't the case
[16:08] <ahasenack> rbasak: ^
[16:30] <rbasak> ahasenack: thanks, I dropped the tag. Is Importance: High still accurate? Should we restore to Triaged and unassign you?
[16:45] <ahasenack> rbasak: yes please
[16:46] <ahasenack> I'd mark it medium
[16:46] <ahasenack> there is a workaround
[16:48] <Ussat> Is there an upgrade path from 17.X --> 18.x ?
[16:48] <teward> Ussat: 17.04 -> 17.10 -> 18.04
[16:48] <Ussat> OK, thankyas
[16:48] <teward> or 17.10 -> 18.04 direct
[16:49] <Ussat> Ya its at 17.10 now
[16:50] <rbasak> Ussat: importantly, 17.04 to 17.10 is a major upgrade. Saying 17.X --> 18.x suggests to me that you have a dangerous misunderstanding of how Ubuntu release versions work.
[16:50] <teward> ^ this though
[16:51] <Ussat> No I understand, I just was not on the box to get the exact release when I typed that
[16:51] <Ussat> and I did not remember
[16:51] <rbasak> OK
[16:51] <Ussat> I have a few hundread and dont remember exactly detail about each one
[17:03] <AvidWolf43> hey whats up guys
[17:03] <AvidWolf43> how can I force my end users to only have access to install things from ubuntu repo
[17:17] <teward> probably shouldn't give end-users that kind of access, sounds like a security risk.
[17:19] <Ussat> How about not letting users install things
[17:20] <AvidWolf43> ok so i have a tall order and im just trying to figure out how to make it work
[17:20] <AvidWolf43> as a POC we are looking at giving developers ubuntu workstations (laptops) that are managed with landscape
[17:21] <teward> AvidWolf43: so setup the systems, and drop the 'users' to non-sudo users?
[17:21] <AvidWolf43> right, but they are developers who will need sudo acces for some things
[17:21] <AvidWolf43> just not all
[17:21] <AvidWolf43> the directive was "use your best judgement"
[17:22] <AvidWolf43> I'm just not sure what I want to allow / disallow them sudo for
[17:22] <rbasak> What type of scenario are you looking to prevent by disallowing certain sudo access?
[17:23] <AvidWolf43> data exfiltration mainly
[17:23] <rbasak> What - from elsewhere on the network?
[17:23] <AvidWolf43> installing unapproved applications that havent passed legal review
[17:23] <rbasak> Are you going to prevent developers from creating VMs and/or containers?
[17:23] <AvidWolf43> no, we are trying to be as least restrictive as possible
[17:24] <rbasak> Then a developer could just create a VM and install whatever software they like into that.
[17:24] <rbasak> So what is achieved by blocking the developer from installing software on the host machine?
[17:24] <AvidWolf43> but at least we can log all the things? and hopefully have appropriate flags setup to alert in real time
[17:24] <rbasak> You won't get a log of what happened in a VM.
[17:25] <rbasak> You'd effectively be pushing developers from doing things in places that you _can_ log (eg. host machine package list via Landscape) to doing things in places that you can't see (inside a VM).
[17:26] <AvidWolf43> we can't see what is in the vm, but we can see if there are vm's installed. So we can have a policy that you can have vm's but you have to pipe logs to us for visibility? would that be acceptable?
[17:26] <AvidWolf43> I'm just brainstorming
[17:30] <mason> Are packages for https://blog.ubuntu.com/2019/05/14/ubuntu-updates-to-mitigate-new-microarchitectural-data-sampling-mds-vulnerabilities not out the door just yet?
[17:31] <mason> Not seeing them here.
[17:33] <sdeziel> mason: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS shows that packages were built already
[17:34] <rbasak> paride, cpaelzer, ahasenack: FYI https://github.com/powersj/ubuntu-server-triage/pull/20
[17:34] <mason> sdeziel: Ah, maybe they're making their way out.
[17:34] <sdeziel> mason: looks that way
[17:35] <mason> ty for the link, though - I'll bookmark it
[17:38] <Ussat> I have a question regarding landscape, can I centerally managet encryption keys, something like the way an orginization can centerally manage TPM keys on windows ?
[17:38] <Ussat> manage
[17:55] <Ussat> AvidWolf43, its a trust thing more than a tech issue
[17:56] <Ussat> All the polocies in the world are pointless if you dont trust your devs etc