[07:19] <lordievader> Good morning
[07:53] <V7> Mornin o/
[09:27] <mgedmin> anyone have problems with docker in 19.10?  I've a container with four uwsgi processes all blocked trying to write to stderr
[09:28] <mgedmin> the containerd-shim that's supposed to be reading from the pipe isn't doing anything
[09:28] <mgedmin> (well it has a lot of threads that do various things, but they're not reading from the right pipes)
[11:26] <im0nde> Can someone help me install ubuntu server on a nvme drive? I get an error in the installation with the drive.  This is the full error https://imgur.com/a/ijNDCDM
[11:28] <weedmic> im0nde: I have not done what you want to do, but... it appears that the machine does not see the drive.  did you setup the cmos to boot the nvme drive first?  this is not possible on many older machines.
[11:30] <im0nde> weedmic: The thing is, I can partition it in the installer. So it seems to be there?
[11:30] <im0nde> Also the machine is very new and came with a linux distro preinstalled
[11:30] <im0nde> I deleted it though, because I wanted a server OS
[11:31] <weedmic> yes, it is there - but if it is not a bootable drive, then you need to setup the install differently and put the bootloader on a disc that can be read, then access the nvme one.  but... u sh'd check the cmos, it might be an option to boot to that drive
[11:32] <weedmic> just one click/boot away...
[11:32] <badv991> Im0nde: I can't really see the text in the pic you posted, but you might want to try the "alternative installer"
[11:34] <im0nde> weedmic: Sorry, I don't fully understand what to select in the bios. I have pressed f12 to boot from the drive, isn't that correct?
[11:34] <im0nde> also there was a linux distro installed (which worked) in exactly that hardware configuratioooooooooooooooooo
[11:34] <im0nde> *configuration
[11:35] <im0nde> badv991: I have only the option of "safe graphics"
[11:35] <mgedmin> weedmic: that looks like a bug in the installer to me
[11:35] <badv991> Yeah then definitely try alternative installer since it's basically Debian
[11:35] <im0nde> mgedmin: Yeah to me too
[11:35] <mgedmin> weedmic: report it
[11:35] <mgedmin> and try an alternative installer
[11:35] <badv991> Yes it's a different ISO you need to download that uses Debian curses installer
[11:35] <im0nde> mgedmin: badv991 Where do I select the alternate installer?
[11:36] <im0nde> ah ok
[11:36] <weedmic> i think u need to go into the cmos, setup the boot order so that the nvme drive is 1st likely, this might be a good way to tell, if your "boot order" setup does not contain the nvme drive/slot - then it is not an option.
[11:36] <im0nde> sorry, thought that was an option
[11:37] <mgedmin> I think http://cdimages.ubuntu.com/releases/18.04/release/ is the debian-installer based image
[11:37] <mgedmin> the subiquity one is called *-live-server-*.iso
[11:37] <mgedmin> debian-installer is called *-server-*.iso
[11:37] <mgedmin> they're split between cdimages.ubuntu.com and releases.ubuntu.com using some moon logic I don't follow
[11:38] <mgedmin> (and neither links to the other one afaics)
[11:38] <im0nde> :D
[11:38] <im0nde> ok, I'll download an alternate server install then, brb
[12:26] <tomreyn> im0nde: could you please report a bug on this, it doesn't seem like there is a bug report for it, yet (from what i can find)
[12:27] <tomreyn> !bug
[12:27] <tomreyn> you can do so from a different tty:
[12:27] <im0nde> tomreyn: I will. Just updated the bios to see if that makes a difference
[12:27] <tomreyn> ok
[12:28] <im0nde> tomreyn: yes?
[12:28] <tomreyn> !tty
[12:28] <tomreyn> i assume you know so much ;)
[12:28] <tomreyn> and this is more targeted at desktops
[12:28] <im0nde> tomreyn: yes, i know. Thing is, i can't copy paste
[12:29] <tomreyn> you can pipe output into   | nc termbin.com 9999
[12:29] <im0nde> I'll try my best. At least I have a photo and can provide the hardware
[12:29] <im0nde> Oh nice
[12:29] <im0nde> didn't know that one
[12:29] <im0nde> I'm trying out the alternate installer too
[12:29] <tomreyn> or you can just run    DISPLAY=:1 ubuntu-bug subiquity
[12:30] <tomreyn> this should print a URL which you can access from a desktop computer to continue your bug report (after it collected and posted the relevant logs)
[12:41] <im0nde> tomreyn: mgedmin the alternate installer worked perfectly!
[12:41] <mgedmin> im0nde: have you filed a subiquity bug?
[12:41] <im0nde> Thanks for the help, I would have been trying for ages
[12:41] <im0nde> mgedmin: I'm doing that right now
[12:42] <im0nde> mgedmin: here, right? https://bugs.launchpad.net/subiquity
[12:43] <mgedmin> hm, ubuntu desktop doesn't have problems installing into nvme disks -- I've just checked and my laptop has the same kind of /dev/disk/by-id/nvme-eui.XXXXXX structure
[13:29] <weedmic> how does one do "systemctl snapshot test" in ubuntu?  says "snapshot is unknown command"?
[13:31] <weedmic> actual error was - Unknown operation snapshot.
[13:38] <lordievader> (if your display hangs out there, /me might miss backlog but typically the first display hangs out at :0 )
[14:10] <RoyK> weedmic: I guess you'll need a rather new version of systemd to support that
[14:12] <weedmic> it was deprecated between 2015 and now - unsure how to tell I seldom use github and was not about to make an account just to say, well I was that one bloke - there was a comment no one uses it :D
[14:15] <RoyK> ah
[14:15] <weedmic> no problems, if the files are similar each go (around), I'll have python do it for me and create some colour highlighted report with changes, then manually change them.
[14:16] <weedmic> but, it was exactly the command I wanted (already done)
[14:16] <weedmic> I mean it had a bow on it and everything
[20:47] <albech> anyone have experience with fail2ban and RBLs? I am getting thousands of brute force attempts on my mail server and fail2ban is doing a great job banning offenders after 5 tries, but eventually someone will get in and I was wondering about tightening the security with a RBL. Suggestions/comments?
[20:51] <lordcirth_> albech, If you are worried about your password being brute-forced, ban passwords and only allow keys
[20:51] <lordcirth_> Oh wait, mail, not ssh. nvrm
[20:54] <tomreyn> fail2ban usually does banning via iptables, which is not the right place to apply RBLs, those can be used by your mail server, though
[20:54] <sdeziel> albech: RBL should be used on SMTP port (TCP/25) only where no auth should be permitted as that's normally on smtps/submission/submissions (TCP/465 or TCP/587)
[20:55] <tomreyn> what you can use with iptables / at the network layer are drop lists / ipsets
[20:56] <sdeziel> albech: that said, to protect your SMTP port, I would recommend postscreen (builtin with postfix) as it has a good DNSBL/DNSWL integration among other nice features to weed off spammers
[20:57] <albech> thanks for the input guys.. highly appreciated.. ill have a look at postscreen as its already postfix im running
[20:59] <albech> that doesnt strengthen security on dovecot however. switching to keys isnt really an option unfortunately.
[21:01] <sdeziel> albech: SASL should NOT be offered on TCP/25. Removing this should already mitigate the problem to some extent
[21:05] <albech> sdeziel: it already is disabled
[21:05] <sdeziel> albech: I also noticed that requiring recent TLS versions (1.2+) on the TCP/465 and TCP/587 services prevents some dummy bots from being able to pass the StartTLS while being compatible with every legitimate user's MSA
[21:07] <sdeziel> albech: you can also try those http://www.postfix.org/TUNING_README.html#conn_limit
[21:07] <albech> sdeziel: cheers
[21:09] <tomreyn> if you want something to firewall against (and thus keep traffic out of your mail server and tcp sessions already): https://www.spamhaus.org/drop/
[21:09] <sdeziel> albech: I don't know if it applies in your case but here I'm adding IP ACLs (allow_nets) to some accounts in dovecot's password file
[21:13] <albech> sdeziel: that is one option i have thought about. i will look at postscreen and some limit thresholds first and see how it works out
[21:13] <albech> thanks again
[21:13] <sdeziel> albech: postscreen is designed to protect TCP/25 only though