sarnold | hmm I wonder why that didn't work : | 00:02 |
---|---|---|
jayjo | could it be a permissions issue? | 00:04 |
jayjo | I am mounting existing partitions using curtin and the autoinstall configuration | 00:04 |
jayjo | not sure if there will be a way around that if that's the case | 00:05 |
sarnold | jayjo: if you want to try apt-ftparchive, here's some internal tooling we use https://paste.ubuntu.com/p/5knWHsGMkN/ | 00:07 |
sarnold | the function shows roughly how we use it | 00:07 |
jayjo | when using the new terminal ALT + F2 I can see the permissions are root for the mounted partition | 00:07 |
jayjo | Thanks for that, I'll take a look and maybe try generating signed Releases | 00:08 |
jayjo | It does seem like in the logs I'm getting a Get and Ign for InRelease and Release | 00:12 |
jayjo | and then about 8 Get Ign for the Packages file (which exists) | 00:12 |
jayjo | does subiquity/curtin run as a non-root user? If that's the case, when I use curtin storage to mount, is there way to give a uid or gid? | 00:13 |
jayjo | It looks like the installer has an ubuntu-server user and an _apt user | 00:34 |
jayjo | how can I inspect which one of these actually is trying to open the local repo? | 00:35 |
sarnold | if the system were up and running already, it'd be easy to use eg opensnoop-bpfcc... but you've got an awkward time to try to troubleshoot things | 00:36 |
jayjo | both `sudo -u ubuntu-server cat /target/mnt/ubuntu-apt-repo/debs/Packages.gz` and `sudo -u _apt ...` fail due to permissions, but I can read the file as root | 00:37 |
jayjo | when I mount using curtin storage, I can use options from mount(8) - Is that where I should look to make this mounted repo group readable? | 00:38 |
sarnold | try namei -l /target/mnt/ubuntu-apt-repo/debs/Packages.gz -- it might help spot something | 00:40 |
=== halvors1 is now known as halvors | ||
jayjo | hmm - it belongs to `installer:netdev` | 00:42 |
jayjo | I'm looking at the cloud-init docs to see if I can mount it in a specific manner | 00:49 |
jayjo | should I maybe use bindfs as a mount tool in order to restrict permissions? | 00:49 |
jayjo | I'm mounting an ext4 partition with current uid:gid 1000:1000. The installer only has a handful of users, but I'm not able to tell which one is running these commands | 01:00 |
jayjo | maybe _apt is trying to access the repo, or maybe ubuntu-server. (If it was root it would just work, right?) | 01:01 |
jayjo | does using Alt + F2 and have that drop me in a new shell with ubuntu-server user tell me that ubuntu-server is running most installation commands? | 01:03 |
jayjo | I'm wondering if I can just add the correct user to the 1000 group as an "early-command" for installation | 01:03 |
sarnold | if your partition has world read and execute permissions it ought not matter | 01:09 |
sarnold | I'd also hope you could get something concrete like "permission denied" or "file not found" etc *somewhere* | 01:09 |
jayjo | The error I am getting is "File not found - /target/mnt/ubuntu-apt-repo/debs/Packages (2: no such file or directory)" | 01:12 |
jayjo | I thought ext4 was a linux FS and had no partition-level flags like that when mounting. Maybe that's completely wrong. | 01:12 |
jayjo | but I have confirmed that file exists | 01:16 |
sarnold | have I ever said how much I dislike that apt 'friendlifies' the filenames and removes the extensions in its logs? | 01:16 |
jayjo | You have:) I'm following in your footsteps, I also despise it now. | 01:18 |
jayjo | is ubuntu-server user deleted after installation? | 02:21 |
jayjo | when I try to install packages from my offline local deb repository, it looks like some packages are held back by things in /var/lib/dpkg/status which is pinned at 100 | 05:08 |
jayjo | and my package is pinned at 500 | 05:08 |
jayjo | can I just use my repo as the priority for a one-off priority? | 05:08 |
lordievader | Good morning | 07:02 |
twb | I use Ubuntu's live media as a rescue image for my ZFS systems, because Debian's a bit ugh in the ZFS department. | 07:37 |
twb | I'm about to zpool upgrade to 2.0 features, so I want to know if/when Ubuntu can talk to ZFS 2 pools. | 07:37 |
twb | Is "rmadison -u ubuntu zfs-dkms" an appropriate package to check? | 07:37 |
twb | I guess "zfsutils-linux" is a better choice, because even if Ubuntu isn't using a dkms, it will still use those for userland | 07:39 |
pavement | Hello, I am running an Ubuntu 18.04 server. I have the latest updates. Is the sudo vulnerability fixed in bionic? I have 1.8.21p2-3ubuntu1.4 installed. | 08:02 |
twb | https://ubuntu.com/security/CVE-2021-23239 ? | 08:04 |
ubot3 | The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23239> | 08:04 |
twb | I *think* that is saying 1.8.21p2-3ubuntu1.4 has the fix | 08:04 |
twb | Over in Debian we have this table which I am used to reading: https://security-tracker.debian.org/tracker/source-package/sudo | 08:05 |
=== denningsrogue8 is now known as denningsrogue | ||
rbasak | I agree with twb's interpretation of that page. | 10:43 |
Ussat | So, I am being asked if Ubuntu has anything similar to yum history. If you are not familiar, yum history can allow you to roll back a bad update, among other things. I don't THINK there is (and IMHO there should be) but wanted to be sure | 15:17 |
teward | Ussat: i don't think there's a *specific* command to roll back but you can extrapolate such a command to run (install with package=version) based off of the apt history.log file | 15:28 |
teward | nearest thing I've seen to a revert command like that is from a Landscape instance | 15:29 |
Ussat | Right, I know you can do that, I am really a fan of yum history, not just for the rollback feature | 15:30 |
Ussat | OK, thanks, kinda what I thought. | 15:30 |
rbasak | I've always wanted to write a tool that parses history.log and provides the rollback command :-/ | 15:41 |
nacc | ahasenack: hey! I had a sssd question for you :) | 16:15 |
ahasenack | hi nacc | 16:42 |
teward | rbasak: got a few minutes? | 17:05 |
nacc | ahasenack: hi! So I'm testing something a bit different here and for baremetal CI, I'm booting a host with overlayroot=tmpfs. We use sssd and it fails to start in the overlayed root kernel. If I modify the apparmor config to include `attach_disconnected`, though, it does work. And I noticed that other binaries (e.g., libvirtd, ntpd) have this flag by default | 17:09 |
ahasenack | we had to add it to a few profiles, yes | 17:09 |
ahasenack | I remember that bit, not exactly what it does, though | 17:10 |
rbasak | teward: o/ | 17:12 |
teward | rbasak: PMs, which you've replied to. (I find it easier to ping you here heh) | 17:13 |
nacc | ahasenack: yes, me either! it seems to do with the namespace/filesystem issues where you're crossing a boundary | 17:17 |
nacc | I think in my case, because I have an overlay in the effective root, it gets confused with some of the absolute paths in the config? | 17:18 |
ahasenack | I'd have to check. What's annoying is that you can't add that flag via an /etc/apparmor.d/local/ override :/ | 17:19 |
nacc | ahasenack: yes, that's what I am encountering. So I can fork sssd internally for now, but really, I'd like to get it fixed in Ubuntu so I don't need to maintain that ;) | 17:19 |
ahasenack | cpaelzer: do you remember what `attach_disconnected` was for? | 17:19 |
ahasenack | or change the config, and press "n" every dpkg upgrade | 17:19 |
nacc | ahasenack: equally yucky :) | 17:20 |
ahasenack | I'm asking in #ubuntu-hardened | 17:21 |
ahasenack | sergiodj: might be a good fix to make ^ | 17:21 |
ahasenack | nacc: sergiodj is maintaining sssd this year, while I'm away on a different assignment | 17:21 |
nacc | ahasenack: ah sorry! | 17:21 |
ahasenack | np | 17:22 |
ahasenack | the description doesn't help much to see if that's the case here, with overlayfs: "attach_disconnect and no_attach_disconnected are mutually exclusive and determine if pathnames resolved to be outside of the namespace are attached to the root. ie. have the / character prepended. This is generally not considered a good idea as it allows disconnected paths to alias to other files that exist in the file name. It is only provided to work around | 17:27 |
ahasenack | problems that can arise if delegation is not being used." | 17:27 |
ahasenack | "outside of the namespace" | 17:27 |
nacc | ahasenack: yeah, I haven't resolved it much further either. What I saw was when I used `aa-complain usr.sbin.sssd` it explicitly complained about a disconnected path for the ldb dependency | 17:30 |
ahasenack | I think there is no other way for now, and that's the same approach we took with other profiles in the past | 17:31 |
ahasenack | can you file a bug please? | 17:31 |
nacc | ahasenack: agreed. Do you want me to file a bug? | 17:31 |
nacc | ahasenack: heh, will do! | 17:31 |
nacc | ahasenack: LP: #1913470 | 17:34 |
ubot3 | Launchpad bug 1913470 in sssd (Ubuntu Bionic) "sssd also needs `attach_disconnected` in its apparmor profile" [Undecided, New] https://launchpad.net/bugs/1913470 | 17:34 |
ahasenack | thanks | 17:35 |
ahasenack | sergiodj: ^ | 17:35 |
nacc | it's very easy to reproduce with the overlayroot= option | 17:35 |
sergiodj | ahasenack: nacc: thanks. I will take a look at it later today | 17:35 |
ahasenack | can you add a very quick log snippet? | 17:35 |
nacc | ahasenack: yeah, i just need to reboot a node | 17:35 |
ahasenack | it only happens in a reboot? | 17:35 |
ahasenack | if you restart sssd afterwards, it doesn't complain? | 17:35 |
ahasenack | or you can't login to try that :) | 17:36 |
nacc | ahasenack: so the symptom is it only happens in the overlayroot= boot | 17:42 |
nacc | ahasenack: I'm kexecing into the same kernel with overlayroot=tmpfs set | 17:42 |
nacc | ahasenack: but I need to do that kexec to get you the log info :) | 17:43 |
ahasenack | ok | 17:43 |
ahasenack | nacc: security's TL;DR "it sucks, but there is no other way right now" | 17:46 |
ahasenack | (using the flag) | 17:46 |
nacc | ahasenack: sounds about right | 17:47 |
jayjo | I'm trying to autoinstall a server with some additional packages, and using the autoinstall and curtin to mount drives and then add to my sources.list and update the packages offine is just not working. I think it could work, though. What are my other options? I took down an edge server and it was really difficult to debug without WAN access yesterday. My goal is to autoinstall an ubuntu server with | 17:50 |
jayjo | libvirt, qemu, and kvm installed. Should I remaster an ISO? | 17:50 |
ahasenack | jayjo: have you tried the subiquity server installer? afaik it has an automated install mode | 17:51 |
ahasenack | it does use curtin behind the curtains | 17:51 |
jayjo | that's precisely what I've been using. It can autoinstall the system just fine, but then to use a mounted partition with debs (an offline repo I maintain) is just so going against the grain. Because of installer/netdev permissions, when stuff is installed on the target system, etc. Then when I diverted to just mounting the partition manually and installing (again manually) after autoinstallation | 17:53 |
jayjo | completes, packages won't upgrade because I'm offline and have "held back packages" from the additional repo | 17:53 |
jayjo | I may be wrong, but it feels really "against the grain". But at the same time this seems like a very common thing to do, to install a server with additional packages offline | 17:53 |
nacc | ahasenack: logs added | 17:54 |
ahasenack | thanks nacc | 17:54 |
ahasenack | jayjo: I see. Sorry, I don't have any tips at the moment | 17:55 |
ahasenack | I haven't personally used the autoinstall feature yet | 17:55 |
jayjo | ahasenack: no worries, thanks for your input | 17:56 |
ahasenack | maybe a next step could be a forum post, on the autoinstaller topic | 17:56 |
ahasenack | maybe on this topic, or start a new one: https://discourse.ubuntu.com/t/please-test-autoinstalls-for-20-04/15250 | 17:57 |
ahasenack | most recent one is https://discourse.ubuntu.com/t/subiquity-21-01-2-has-been-released-to-stable/20554 from a few hours ago, about a new release | 17:58 |
teward | anyone know how hard or different it is to configure iptables-nft vs. iptables-legacy or is the syntax pretty similar for rule adding (not necessarily restoration or persistent, but initial config of rules) | 20:16 |
sergiodj | nacc: thanks a lot for filing the sssd bug. I'm trying to reproduce it here; are you available to answer a few questions? | 21:04 |
nacc | sergiodj: yep | 21:05 |
sergiodj | nacc: I have Bionic VM with sssd and overlayroot installed. I configured /etc/overlayroot.conf and set overlayroot="tmpfs", as well as aa-enforce'd usr.sbin.sssd | 21:06 |
sergiodj | is there anything that I'm missing here? | 21:06 |
nacc | did you rebuild the initrd and actually boot into the overlay? | 21:07 |
nacc | and/or update-grub, maybe? | 21:07 |
sergiodj | I booted into the overlay, or at least I think I did, according to mount's output | 21:07 |
nacc | sergiodj: ack | 21:08 |
nacc | sergiodj: and sssd started, i assume, by your comment? | 21:08 |
sergiodj | yes, it did | 21:08 |
sergiodj | I haven't touched sssd's config, FWIW | 21:08 |
nacc | sergiodj: yeah, we actively use sssd so maybe that's the difference. Symptomatically, I can't ssh into the box without my change | 21:09 |
sergiodj | I'd expect to see sssd failing to start because of the apparmor denial | 21:10 |
nacc | sergiodj: only if it actually talks to ldb, maybe? | 21:10 |
nacc | sergiodj: not sure if that's happening with yours | 21:10 |
sergiodj | I don't think it is talking to ldb, no | 21:10 |
sergiodj | do you have a sample configuration file for sssd which I can use to try to reproduce the bug here? | 21:10 |
nacc | sergiodj: let me see -- these are our HVs. I think the difference might be we are using ldap for the auth provider? | 21:12 |
nacc | sergiodj: https://gist.github.com/nacc/cdc548214afcc2c28a5c3f55c9655c04 | 21:14 |
nacc | I'm guessing that you'd need the ldap config so that ldb is invoked and that will be what breaks, but not sure | 21:14 |
sergiodj | yeah, it is possible | 21:14 |
sergiodj | I thought this was going to be an easy one :-/ | 21:15 |
teward | who here's familiar with the differences between legacy iptables and iptables-nft? | 21:20 |
nacc | sergiodj: sorry :( it feels easy to me because the change very linearly fixes it for me all the time, but I also am struggling to understand exactly why | 21:20 |
teward | asking because I'm tempted to start making the migration from legacy iptables to iptables-nft but I've got > 500 rules, half of which are autopopulated by blacklist population from a script | 21:20 |
teward | so I need to understand the fundamental differences from a manipulation perspective | 21:21 |
sergiodj | nacc: no, that's OK, it's just that this has been a frustrating week with a lot of "this-looks-easy-but-it's-actually-impossible-to-reproduce" kind of bugs | 21:21 |
sergiodj | :) | 21:21 |
nacc | sergiodj: love/hate those weeks :) | 21:21 |
sergiodj | yep! | 21:22 |
nacc | sergiodj: if there's anything I can provide to help, please lmk on the bug (or here, if I'm around) | 21:23 |
sergiodj | nacc: will do, thanks a lot! | 21:23 |
ahasenack | sergiodj: I have sample configs for sssd with ldap | 21:25 |
ahasenack | and the dep8 test uses those | 21:25 |
sergiodj | ah, that helps | 21:25 |
sergiodj | thanks, ahasenack | 21:25 |
ahasenack | so maybe running the dep8 tests in that env can be the easiest way to trigger it | 21:25 |
sergiodj | let me check | 21:26 |
ahasenack | run as a script, no need to invoke autopkgtest itself | 21:26 |
sdeziel | teward: personally, I'm waiting for nftables to go into main before looking into switching | 21:26 |
teward | sdeziel: meh, maybe i'll futz in a VM ;) | 21:28 |
teward | but i'm still curious if the addition of rules / manipulation is similar | 21:28 |
teward | in terms of command line syntax, etc. | 21:28 |
ahasenack | sergiodj: I'm gonna eod, we can talk again tomorrow | 21:30 |
ahasenack | tl;dr sssd will only bring up the processes it needs | 21:30 |
ahasenack | and they are all socket activated nowadays | 21:30 |
ahasenack | (via systemd) | 21:30 |
=== vlm_ is now known as vlm | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!