=== halvors1 is now known as halvors
=== denningsrogue9 is now known as denningsrogue
=== denningsrogue8 is now known as denningsrogue
[03:52] <leumashm> Hi i have a question, if i have a physical ubuntu server, how do i migrate it to aws ec2?
[04:20] <xibalba> really one of those 'it depends' moments
[05:14] <leumashm> xibalba how?
[05:49] <andol> The updated version of the update-notifier-common package really brings in a whole new load of dependencies. https://paste.ubuntu.com/p/7bhmD2m9Bw/
[05:49] <andol> Yes, it's kind of explained in https://launchpad.net/ubuntu/focal/+source/update-notifier/+changelog, but still.
[05:49] <andol> </rant>
=== falcojr2 is now known as falcojr
[07:05] <leumashm> Hi i have a question, if i have a physical ubuntu server, how do i migrate it to aws ec2?
[07:23] <lordievader> Good morning
=== denningsrogue6 is now known as denningsrogue
[09:22] <rbasak> sergiodj: fancy subscribing to ubuntu-server@ with the address you use to send to it, please, to skip moderation?
=== cpaelzer__ is now known as cpaelzer
=== vlm_ is now known as vlm
[14:58] <c0fe> I have this nginx config: https://dpaste.com/GR7WP5BS5 but when I try to run nginx -t I am getting this error message: https://dpaste.com/D6B2RCVGX where am i going wrong?
[15:07] <teward> c0fe: you are missing corresponding ssl_certificate and ssl_certificate_key linrd
[15:07] <teward> lines*
[15:08] <teward> required for SSL listeners
[15:08] <c0fe> teward: i am trying to get a SSL cert, there is none currently
[15:09] <teward> then you cannot run the SSL config yet.  disable your ssl listen line.
[15:09] <teward> no cert, no SSL listeners
[15:10] <teward> the error is selfexplanatory :P
[15:10] <teward> brb switching to PC to give you a temporary workaround
[15:11] <teward> hard to do that on phone ;)
[15:18] <c0fe> ok
[15:21] <c0fe> teward: i am using nginxconfig.io
[15:26] <teward> well
[15:26] <teward> they're doing it wrong
[15:26] <teward> actually
[15:26] <teward> they're doing it RIGHT
[15:26] <teward> you're doing it wrong
[15:26] <teward> you've commented out the ssl_certificate and such lines that they left uncommented.
[15:26] <teward> DO's config tool there **assumes** you've done the SSL verification and got the cert first
[15:27] <teward> you need to **remove** or **comment out** the server {} block that has your `listen 443 ssl ...;` configs in it
[15:27] <teward> launch NGINX, run your LetsEncrypt calls to get the certificate, adjust the paths accordingly for ssl_certificate_... arguments, then reactivate the `listen 443 ssl...` server block
[15:28] <teward> OR wait for your certificate first if you're getting it from an actual certificate provider.
[15:28] <teward> then use that certificate instead.
[15:28] <teward> you can't half-measure the SSL bits
[15:29] <teward> WORST CASE is you comment out the ssl_certificate_... lines like you did, install `ssl-cert` in your environment, and then add these two lines uncommented:
[15:29] <teward> ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
[15:29] <teward> ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
[15:29] <teward> that'll get your site 'running' but it won't have valid SSL until you either LetsEncrypt or use an actual cert from a trusted CA
[15:30] <teward> i also would advise you to **not** just blindly trust configuration generators
[15:30] <teward> and instead learn how all this works yourself
[15:30] <teward> because yanking out the nginx configurations that're default installed in teh package will... make things hard to debug if you ever get package installs
[15:41] <c0fe> teward: i am following their instructions precisely
[15:41] <c0fe> I used the sed command to comment out
[15:41] <c0fe> sed -i -r 's/(listen .*443)/\1;#/g; s/(ssl_(certificate|certificate_key|trusted_certificate) )/#;#\1/g' /etc/nginx/sites-available/nextcloud.domain.com.conf
[15:47] <sdeziel> c0fe: IIRC, you have setup nginx using non-Ubuntu packages so if that's indeed/still the case, it's worth mentioning as there is a general assumption that one uses what Ubuntu ships ;)
=== tomreyn_ is now known as tomreyn
[15:58] <c0fe> sdeziel: i am using nginx's repo but this wasn't an issue for another website i got it working
[15:58] <c0fe> teward: i can start over
[15:58] <c0fe> i deleted the website conf
[15:59] <c0fe> nginx is running ok
[16:00] <sdeziel> c0fe: sure, I'm just saying that the default config files/directives might differ between upstream and what Ubuntu ships and that could play a role
[16:01] <c0fe> there are slight differences but not too big
[16:02] <teward> c0fe: you didn't need to delete them all :p
[16:02] <teward> c0fe: the instructions you were provided / are following are incorrect
[16:02] <teward> you simply needed to alter the things i said to
[16:03] <teward> you can't have a server block with a `listen 443 ssl ...;` at all without PROPERLY CONFIGURED ssl_certificate and ssl_certificate_key lines at the very least
[16:03] <teward> even if it's to selfsigned dummy certs
[16:03] <teward> (which, by the way, the Ubuntu NGINX package ships as a snakeoil snippet, and you just have to install `ssl-cert` via apt_
[16:08] <c0fe> teward: ok so i am starting over with nginxconfig.io
[16:08] <c0fe> i set it to be a frontend
[16:08] <c0fe> i set the domain
[16:08] <c0fe> www subdomain and Redirect subdomains
[16:08] <c0fe>  is unchecked
[16:09] <c0fe> Document root
[16:09] <c0fe>  is left blank
[16:09] <c0fe> https is enabled and so is reverse proxy
[16:09] <c0fe> teward: resulting conf file: https://dpaste.com/8V6X75GNK
[16:12] <teward> c0fe: you still need a valid certificate for that to work
[16:12] <teward> so unless youv'e got your LE cert you need the snakeoil cert
[16:13] <c0fe> teward: hold on, the instructions state to run this command: sed -i -r 's/(listen .*443)/\1;#/g; s/(ssl_(certificate|certificate_key|trusted_certificate) )/#;#\1/g' /etc/nginx/sites-available/nextcloud.domain.com.conf
[16:13] <teward> *pinches nose*
[16:13] <teward> ... you came **here** to get support
[16:13] <teward> yes?
[16:14] <c0fe> teward: this supposed to comment out the SSL section though, no right?
[16:14] <teward> I don't know sed nor have you provided the 'instructions' you're following
[16:14] <teward> s/i don't know/i don't know too well the/
[16:15] <teward> so i'm going to go back to my original statement: you came here for support.  you had your config showing it as commented out.  I didn't say a thing about running sed or anything else
[16:15] <c0fe> sed -i -r 's/(listen .*443)/\1;#/g; s/(ssl_(certificate|certificate_key|trusted_certificate) )/#;#\1/g' /etc/nginx/sites-available/nextcloud.domain.com.conf
[16:15] <c0fe> this is the line
[16:15] <teward> sdeziel: perhaps you can assist them?
[16:15] <teward> i'm a little... well 'grumpy' is an understatement today
[16:16] <c0fe> resulting config: https://dpaste.com/G368GKPQM
[16:19] <sdeziel> c0fe: when you have your ssl stuff enabled, what's the error you are getting from "nginx -t"?
[16:20] <c0fe> nginx: [warn] conflicting server name "nextcloud.domain.com" on 0.0.0.0:80, ignored
[16:21] <sdeziel> if we ignore this warning, nginx shouldn't have a problem starting anyway so please try it
[16:24] <c0fe_> i love it when isp fails in the morning
=== c0fe_ is now known as c0fe
[16:24] <c0fe> sdeziel: it fails with error 502 bad gateway
[16:25] <sdeziel> c0fe: sounds like a problem with your proxy backend
[16:25] <c0fe> sdeziel: well i am running all of this on the proxy itself
[16:25] <sdeziel> c0fe: isn't http://192.168.7.204 a remote machine?
[16:26] <c0fe> yes
[16:26] <c0fe> but i am running all this on the ssl termination reverse proxy
[16:26] <c0fe> not on the hosting machine
[16:27] <sdeziel> assuming that you are getting a 502 from the reverse proxy, it would mean it was unable to reach the 192.168.7.204 backend or maybe it got that code from the backend itself and is then just relaying it
[16:28] <sdeziel> c0fe: your nginx logs should contain useful information about that 502
[16:32] <teward> rbasak: does the Server Team want to take the two tasks of https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1893753 and bundle up the resty core in the Ubuntu package (since that's now a dep for the Lua module) or do you want to wait on Debian's decision?  (someone has to upstream it, please, for me!)
[16:32] <ubot3> Launchpad bug 1893753 in nginx (Ubuntu) "libnginx-mod-http-lua 0.10.11 not compatible with NGINX 1.18/1.17" [High, Triaged]
[16:33] <rbasak> teward: we just discussed it, and we don't be able to prioritise it for action right now. We intend to look at it that next time we merge nginx though.
[16:33] <teward> cool cool
[16:33] <rbasak> We didn't decide on any specifics - just deferring looking at it for now.
[16:34] <teward> rbasak: yeah i think we should upstream it to Debian, because that's something I think they should consider
[16:34] <rbasak> "don't be able" -> English FTW
[16:34] <teward> I know the Lua module is used by a bunch of people but :P
[16:34] <teward> rbasak: i got what you meant
[16:34] <teward> ERR: Uncaffienated Chaos Mode Enabled
[16:34] <teward> :p
[16:37] <c0fe> same config that works for one site doesn't work for another
[16:37] <c0fe> lovely
[16:39] <teward> sdeziel: i'm still in IrritatedMode thanks to work, but usually that indicates they have a conflicting config for the same listen blocks.
[16:39] <teward> just stating.
[16:39] <teward> i need coffee badly, back later.
[16:48] <flau> On an Ubuntu server installation (RPi3B+, image 20.4.1, aarch64), today I see an update of package update-notifier-common.  Looking at the description of package update-notifier: apt-cache show update-notifier | grep -A2 Description-en
[16:48] <flau> Description-en: Daemon which notifies about package updates
[16:48] <flau>  Puts an icon in the user's notification area when package updates are
[16:48] <flau>  available.
[16:48] <flau> I wonder, why that package is installed on a server installation in the first place?  Could someone shed some light on that?
[16:49] <tomreyn> !paste | flau
[16:49] <ubot3> flau: For posting multi-line texts into the channel, please use https://paste.ubuntu.com | To post !screenshots use https://imgur.com/ !pastebinit to paste directly from command line | Make sure you give us the URL for your paste - see also the channel topic.
[16:49] <ogra> it is also notifying you on cli about required reboots etc
[16:50] <flau> ogra: I've installed package needspace for that.  Could I do without that package?
[16:50] <ogra> you can do whatever you like, its your server 😉
[16:50] <flau> tomreyn: Thanks!  Will do next time!
[16:51] <tomreyn> 👍
[16:54] <c0fe> sdeziel: fresh nginx install, default settings, it shows up on my host server but i am still having certbot erroring out with 404 not found error
[16:54] <flau> ogra: Yeah, but since package needspace is written for that purpose, I now wonder if update-notifier caught up and might be enough.  The fact that package needspace is not pre-installled in a server installation already made me wonder.  Well, will google update-notifier anyway.  But I you have any advice for a casual homeserver admin, I'm always listening. :)
[16:57] <sdeziel> c0fe: I haven't seen your full config nor your logs so it's hard to guess why this 404 is returned
[17:01] <ogra> flau, well, i personally tend to trust ubuntu's picks of defaults (and i find it convenient how update-notifier makes sure to tell me how many security udates are pending n each login etc) ... stying with defaults also makes it easier to seek for support ... but if you get along better with needspace you should probably pick that one for your install
[17:03] <flau> Well, another thing that bothers me with update-notifier is that today's update wants to install 7 more packages, some of them obviously audio related, such as alsa-utils.  What the heck?
[17:04] <sdeziel> flau: I concur, I didn't like the additional set of packages brought in by the update :/
[17:05] <ogra> thats not a doing of update-notifier though ... it doesnt add or remove dependencies ...
[17:05] <ogra> (you'D very likely get the same set of packages with a simple "apt update/full-upgrade" run
[17:05] <flau> ogra: That is an interesting hint.  On a clean installation, pending updates where presented on login, but that is no more.  Thought that is because I chages sshd config.  But it might as well be because I installed needspace.  Will investigate if login information is back after removing that package.
[17:07] <sdeziel> ogra: updating update-notifier-common brought a bunch of extra packages, see https://paste.ubuntu.com/p/YF37xwzxWS/
[17:12] <ogra> https://launchpad.net/ubuntu/+source/update-notifier/3.192.30.4 ...
[17:12] <ogra> http://launchpadlibrarian.net/511246451/update-notifier_3.192.30.3_3.192.30.4.diff.gz
[17:12] <ogra> might be the new dependency on "ubuntu-drivers-common" is at fault here
[17:14] <ogra> (most likely added to support binary drivers for graphics cards to support AI stuff on server (which is needed in deep leraning etc)
[17:14] <ogra> file a bug 😉
[17:15] <ogra> (alsa surely feels like overkill (but is likely required by the graphics card drivers for HDMI output ... ) that should be cleaned up)
[17:15] <flau> Oh, whenever I wrote "needspace" I meant to refer to package needrestart.  The former is a LaTeX package. :-)
[17:16] <sdeziel> ogra: I don't it will get very far but maybe I'll decide to open one instead of complaining about it here ;)
[17:17] <sdeziel> s/don't it/don't think it/
[17:21] <flau> Hm, purging package needrestart didn't bring login information back.
[17:28] <flau> But removing custom sshd config file from /etc/ssh/sshd_config.d/ did.  Nothing fancy here: https://paste.ubuntu.com/p/wN44JdW5Tn/  Would it be possible to have custom sshd config and keep login information?
[17:42] <c0fe> sdeziel: i got it working, apparently having that error threw it all off
[17:45] <sdeziel> great
[17:48] <c0fe> it's a bit odd to be honest
[17:55] <flau> Further testing shows that sshd config "UsePAM no" prevents extended login information.
[17:55] <flau>  
=== Ussat-1 is now known as Ussat
=== ijohnson is now known as ijohnson|lunch
=== Ussat-1 is now known as Ussat
[19:10] <xibalba> i configured an ipv6 ip on my system, but i noticed when it instantiates a new connection outbound it's using it's auto configured ip. i'm looking/googling on how to change that behavior
[19:14] <xibalba> nm found it's the accept-ra option i was playing with
[19:56] <DammitJim> is it normal to see %wa above 10 when looking at top?
[19:58] <sarnold> DammitJim: it depends on your workload, but when I just ran a workload I thought might be able to reproduce that, I only got 9%
[19:59] <DammitJim> sarnold, so it depends on workload and not the storage, right?
[19:59] <DammitJim> in my case, I have Fusion IO cards which is why I was kinda surprised to see waits...
[19:59] <sarnold> DammitJim: it depends on both
[19:59] <sarnold> DammitJim: oh wow, I'd expect those to be quick
[19:59] <DammitJim> exactly
[20:00] <sarnold> DammitJim: or, uh, at least when I last thought about them, they were quick. are they still quick?
[20:00] <DammitJim> what do you recommend I do to narrow down the reason? this is in a VM
[20:00] <sarnold> are you doing pci passthrough to the vm? or is this going through a storage layer between host and guest?
[20:01] <DammitJim> storage layer
[20:02] <DammitJim> I'm using the LSI Logic Parallel SCSI controller
[20:03] <sarnold> hmm. is that a ~15 year old controller?
[20:03] <DammitJim> it's pretty old, I'd say
[20:03] <sarnold> twenty?
[20:04] <DammitJim> but again, I was trying to figure out how to approach the problem w/o jumping into conclusions, ya know?
[20:04] <sarnold> yeah, definitely a good plan
[20:04] <DammitJim> is there something on Ubuntu/Linux that I should be looking at before diving into the virtual layer?
[20:05] <sarnold> https://www.reddit.com/r/vmware/comments/g2z5rz/lsi_logic_sas_vs_lsi_logic_parallel/  suggests that you've got a bunch of choices for storage in vmware -- I'd suggest trying themn in reverse order to net-runner's post -- try nvme controller, then paravirtual, then sas, and probably the first one that works will work better
[20:05] <sarnold> paravirtual drivers are usually a lot better than having both host and guest emulate hardware
[20:06] <DammitJim> TY
[20:06] <DammitJim> I have forgotten if I can just power off the VM and edit the controller or if I'll have to remove the old one and add the new one and all Virtual Hard Disks will automatically know where to go...
[20:07] <DammitJim> separate question
[20:07] <DammitJim> I had a software raid (mirror) setup on a server
[20:07] <DammitJim> then I removed a drive from the raid
[20:08] <DammitJim> (unmapped it)
[20:08] <DammitJim> I can just turn of the system and remove the drive, right?
[20:09] <sarnold> I think so, but I've not tried that myself... I probably should have before I put a bunch of data on that machine :) heh
[20:55] <DammitJim> it seems there is no default package for installing iptables persistent in Ubuntu 20
[20:55] <DammitJim> do you guys have a recommendation on how to set iptables properly?
[20:56] <TJ-> DammitJim: 20? you mean 20.04 ?
[20:56] <sdeziel> DammitJim: iptables-persistent is available on 20.04
[20:57] <DammitJim> 20.04 yes
[20:57] <TJ-> !info iptables-persistent focal | DammitJim
[20:57] <ubot3> DammitJim: iptables-persistent (1.0.14, focal): boot-time loader for netfilter rules, iptables plugin. In component universe, is optional. Built by iptables-persistent. Size 7 kB / 47 kB
[20:57] <DammitJim> hhmmmm... I wonder why I didn't find that package to install it
[20:57] <DammitJim> oh, it's in universe, that might be why
[21:04] <teward> that'd do it
=== ijohnson|lunch is now known as ijohnson