[00:02] <sarnold> hmm I wonder why that didn't work :
[00:04] <jayjo> could it be a permissions issue?
[00:04] <jayjo> I am mounting existing partitions using curtin and the autoinstall configuration
[00:05] <jayjo> not sure if there will be a way around that if that's the case
[00:07] <sarnold> jayjo: if you want to try apt-ftparchive, here's some internal tooling we use https://paste.ubuntu.com/p/5knWHsGMkN/
[00:07] <sarnold> the function shows roughly how we use it
[00:07] <jayjo> when using the new terminal ALT + F2 I can see the permissions are root for the mounted partition
[00:08] <jayjo> Thanks for that, I'll take a look and maybe try generating signed Releases
[00:12] <jayjo> It does seem like in the logs I'm getting a Get and Ign for InRelease and Release
[00:12] <jayjo> and then about 8 Get Ign for the Packages file (which exists)
[00:13] <jayjo> does subiquity/curtin run as a non-root user? If that's the case, when I use curtin storage to mount, is there way to give a uid or gid?
[00:34] <jayjo> It looks like the installer has an ubuntu-server user and an _apt user
[00:35] <jayjo> how can I inspect which one of these actually is trying to open the local repo?
[00:36] <sarnold> if the system were up and running already, it'd be easy to use eg opensnoop-bpfcc... but you've got an awkward time to try to troubleshoot things
[00:37] <jayjo> both `sudo -u ubuntu-server cat /target/mnt/ubuntu-apt-repo/debs/Packages.gz` and `sudo -u _apt ...` fail due to permissions, but I can read the file as root
[00:38] <jayjo> when I mount using curtin storage, I can use options from mount(8) - Is that where I should look to make this mounted repo group readable?
[00:40] <sarnold> try namei -l /target/mnt/ubuntu-apt-repo/debs/Packages.gz -- it might help spot something
[00:42] <jayjo> hmm - it belongs to `installer:netdev`
[00:49] <jayjo> I'm looking at the cloud-init docs to see if I can mount it in a specific manner
[00:49] <jayjo> should I maybe use bindfs as a mount tool in order to restrict permissions?
[01:00] <jayjo> I'm mounting an ext4 partition with current uid:gid 1000:1000. The installer only has a handful of users, but I'm not able to tell which one is running these commands
[01:01] <jayjo> maybe _apt is trying to access the repo, or maybe ubuntu-server. (If it was root it would just work, right?)
[01:03] <jayjo> does using Alt + F2 and have that drop me in a new shell with ubuntu-server user tell me that ubuntu-server is running most installation commands?
[01:03] <jayjo> I'm wondering if I can just add the correct user to the 1000 group as an "early-command" for installation
[01:09] <sarnold> if your partition has world read and execute permissions it ought not matter
[01:09] <sarnold> I'd also hope you could get something concrete like "permission denied" or "file not found" etc *somewhere*
[01:12] <jayjo> The error I am getting is "File not found - /target/mnt/ubuntu-apt-repo/debs/Packages (2: no such file or directory)"
[01:12] <jayjo> I thought ext4 was a linux FS and had no partition-level flags like that when mounting. Maybe that's completely wrong.
[01:16] <jayjo> but I have confirmed that file exists
[01:16] <sarnold> have I ever said how much I dislike that apt 'friendlifies' the filenames and removes the extensions in its logs?
[01:18] <jayjo> You have :) I'm following in your footsteps, I also despise it now.
[02:21] <jayjo> is ubuntu-server user deleted after installation?
[05:08] <jayjo> when I try to install packages from my offline local deb repository, it looks like some packages are held back by things in /var/lib/dpkg/status which is pinned at 100
[05:08] <jayjo> and my package is pinned at 500
[05:08] <jayjo> can I just use my repo as the priority for a one-off priority?
[07:02] <lordievader> Good morning
[07:37] <twb> I use Ubuntu's live media as a rescue image for my ZFS systems, because Debian's a bit ugh in the ZFS department.
[07:37] <twb> I'm about to zpool upgrade to 2.0 features, so I want to know if/when Ubuntu can talk to ZFS 2 pools.
[07:37] <twb> Is "rmadison -u ubuntu zfs-dkms" an appropriate package to check?
[07:39] <twb> I guess "zfsutils-linux" is a better choice, because even if Ubuntu isn't using a dkms, it will still use those for userland
[08:02] <pavement> Hello, I am running a Ubuntu 18.04 server.. I have the latest updates. Is the sudo vulnerability fixed in bionic? I have 1.8.21p2-3ubuntu1.4 installed.
[08:04] <twb> https://ubuntu.com/security/CVE-2021-23239 ?
[08:04] <ubot3> The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23239>
[08:04] <twb> I *think* that is saying 1.8.21p2-3ubuntu1.4 has the fix
[08:05] <twb> Over in Debian we have this table which I am used to reading: https://security-tracker.debian.org/tracker/source-package/sudo
[10:43] <rbasak> I agree with twb's interpretation of that page.
[15:17] <Ussat> So, I am being asked if Ubuntu has anything similar to yum history. If you are not familiar, yum history can allow you to roll back a bad update, among other things. I don't THINK there is (and IMHO there should be) but wanted to be sure
[15:28] <teward> Ussat: i don't think there's a *specific* command to roll back but you can extrapolate such a command to run (install with package=version) based off of the apt history.log file
[15:29] <teward> nearest thing I've seen to a revert command like that is from a Landscape instance
[15:30] <Ussat> Right, I know you can do that, I am really a fan of yum history, not just for the rollback feature
[15:30] <Ussat> OK, thanks, kinda what I thought.
[15:41] <rbasak> I've always wanted to write a tool that parses history.log and provides the rollback command :-/
[16:15] <nacc> ahasenack: hey! I had a sssd question for you :)
[16:42] <ahasenack> hi nacc
[17:05] <teward> rbasak: got a few minutes?
[17:09] <nacc> ahasenack: hi! So I'm testing something a bit different here and for baremetal CI, I'm booting a host with overlayroot=tmpfs. We use sssd and it fails to start in the overlayed root kernel. If I modify the apparmor config to include `attach_disconnected`, though, it does work. And I noticed that other binaries (e.g., libvirtd, ntpd) have this flag by default
[17:09] <ahasenack> we had to add it to a few profiles, yes
[17:10] <ahasenack> I remember that bit, not exactly what it does, though
[17:12] <rbasak> teward: o/
[17:13] <teward> rbasak: PMs, which you've replied to.  (I find it easier to ping you here heh)
[17:17] <nacc> ahasenack: yes, me either! it seems to do with the namespace/filesystem issues where you're crossing a boundary
[17:18] <nacc> I think in my case, because I have an overlay in the effective root, it gets confused with some of the absolute paths in the config?
[17:19] <ahasenack> I'd have to check. What's annoying is that you can't add that flag via an /etc/apparmor.d/local/ override :/
[17:19] <nacc> ahasenack: yes, that's what I am encountering. So I can fork sssd internally for now, but really, I'd like to get it fixed in Ubuntu so I don't need to maintain that ;)
[17:19] <ahasenack> cpaelzer: do you remember what `attach_disconnected` was for?
[17:19] <ahasenack> or change the config, and press "n" every dpkg upgrade
[17:20] <nacc> ahasenack: equally yucky :)
[17:21] <ahasenack> I'm asking in #ubuntu-hardened
[17:21] <ahasenack> sergiodj: might be a good fix to make ^
[17:21] <ahasenack> nacc: sergiodj is maintaining sssd this year, while I'm away on a different assignment
[17:21] <nacc> ahasenack: ah sorry!
[17:22] <ahasenack> np
[17:27] <ahasenack> the description doesn't help much to see if that's the case here, with overlayfs: "attach_disconnect and no_attach_disconnected are mutually exclusive and determine if pathnames resolved to be outside of the namespace are attached to the root. ie. have the / character prepended. This is generally not considered a good idea as it allows disconnected paths to alias to other files that exist in the file name. It is only provided to work around
[17:27] <ahasenack> problems that can arise if delegation is not being used."
[17:27] <ahasenack> "outside of the namespace"
[17:30] <nacc> ahasenack: yeah, I haven't resolved it much further either. What I saw was when i used `aa-complain usr.sbin.sssd` it explicitly complained about a disconnected path for the ldb dependency
[17:31] <ahasenack> I think there is no other way for now, and that's the same approach we took with other profiles in the past
[17:31] <ahasenack> can you file a bug please?
[17:31] <nacc> ahasenack: agreed. Do you want me to file a bug?
[17:31] <nacc> ahasenack: heh, will do!
[17:34] <nacc> ahasenack: LP: #1913470
[17:34] <ubot3> Launchpad bug 1913470 in sssd (Ubuntu Bionic) "sssd also needs `attach_disconnected` in its apparmor profile" [Undecided, New] https://launchpad.net/bugs/1913470
[17:35] <ahasenack> thanks
[17:35] <ahasenack> sergiodj: ^
[17:35] <nacc> it's very easy to reproduce with the overlayroot= option
[17:35] <sergiodj> ahasenack: nacc: thanks.  I will take a look at it later today
[17:35] <ahasenack> can you add a very quick log snippet?
[17:35] <nacc> ahasenack: yeah, i just need to reboot a node
[17:35] <ahasenack> it only happens in a reboot?
[17:35] <ahasenack> if you restart sssd afterwards, it doesn't complain?
[17:36] <ahasenack> or you can't login to try that :)
[17:42] <nacc> ahasenack: so the symptom is it only happens in the overlayroot= boot
[21:42] <nacc> ahasenack: I'm kexecing into the same kernel with overlayroot=tmpfs set
[21:43] <nacc> ahasenack: but I need to do that kexec to get you the log info :)
[17:43] <ahasenack> ok
[17:46] <ahasenack> nacc: security's TL;DR "it sucks, but there is no other way right now"
[17:46] <ahasenack> (using the flag)
[17:47] <nacc> ahasenack: sounds about right
[17:50] <jayjo> I'm trying to autoinstall a server with some additional packages, and using the autoinstall and curtin to mount drives and then add to my sources.list and update the packages offline is just not working. I think it could work, though. What are my other options? I took down an edge server and it was really difficult to debug without WAN access yesterday. My goal is to autoinstall an ubuntu server with
[17:50] <jayjo> libvirt, qemu, and kvm installed. Should I remaster an ISO?
[17:51] <ahasenack> jayjo: have you tried the subiquity server installer? afaik it has an automated install mode
[17:51] <ahasenack> it does use curtin behind the curtains
[17:53] <jayjo> that's precisely what I've been using. It can autoinstall the system just fine, but then to use a mounted partition with debs (an offline repo I maintain) is just so going against the grain. Because of installer/netdev permissions, when stuff is installed on the target system, etc. Then when I diverted to just mounting the partition manually and installing (again manually) after autoinstallation
[17:53] <jayjo> completes, packages won't upgrade because I'm offline and have "held back packages" from the additional repo
[17:53] <jayjo> I may be wrong, but it feels really "against the grain". But at the same time this seems like a very common thing to do, to install a server with additional packages offline
[17:54] <nacc> ahasenack: logs added
[17:54] <ahasenack> thanks nacc
[17:55] <ahasenack> jayjo: I see. Sorry, I don't have any tips at the moment
[17:55] <ahasenack> I haven't personally used the autoinstall feature yet
[17:56] <jayjo> ahasenack: no worries, thanks for your input
[17:56] <ahasenack> maybe a next step could be a forum post, on the autoinstaller topic
[17:57] <ahasenack> maybe on this topic, or start a new one: https://discourse.ubuntu.com/t/please-test-autoinstalls-for-20-04/15250
[17:58] <ahasenack> most recent one is https://discourse.ubuntu.com/t/subiquity-21-01-2-has-been-released-to-stable/20554 from a few hours ago, about a new release
[20:16] <teward> anyone know how hard or different it is to configure iptables-nft vs. iptables-legacy or is the syntax pretty similar for rule adding (not necessarily restoration or persistent, but initial config of rules)
[21:04] <sergiodj> nacc: thanks a lot for filing the sssd bug.  I'm trying to reproduce it here; are you available to answer a few questions?
[21:05] <nacc> sergiodj: yep
[21:06] <sergiodj> nacc: I have Bionic VM with sssd and overlayroot installed.  I configured /etc/overlayroot.conf and set overlayroot="tmpfs", as well as aa-enforce'd usr.sbin.sssd
[21:06] <sergiodj> is there anything that I'm missing here?
[21:07] <nacc> did you rebuild the initrd and actually boot into the overlay?
[21:07] <nacc> and/or update-grub, maybe?
[21:07] <sergiodj> I booted into the overlay, or at least I think I did, according to mount's output
[21:08] <nacc> sergiodj: ack
[21:08] <nacc> sergiodj: and sssd started, i assume, by your comment?
[21:08] <sergiodj> yes, it did
[21:08] <sergiodj> I haven't touched sssd's config, FWIW
[21:09] <nacc> sergiodj: yeah, we actively use sssd so maybe that's the difference. Symptomatically, I can't ssh into the box without my change
[21:10] <sergiodj> I'd expect to see sssd failing to start because of the apparmor denial
[21:10] <nacc> sergiodj: only if it actually talks to ldb, maybe?
[21:10] <nacc> sergiodj: not sure if that's happening with yours
[21:10] <sergiodj> I don't think it is talking to ldb, no
[21:10] <sergiodj> do you have a sample configuration file for sssd which I can use to try to reproduce the bug here?
[21:12] <nacc> sergiodj: let me see -- these are our HVs. I think the difference might be we are using ldap for the auth provider?
[21:14] <nacc> sergiodj: https://gist.github.com/nacc/cdc548214afcc2c28a5c3f55c9655c04
[21:14] <nacc> I'm guessing that you'd need the ldap config so that ldb is invoked and that will be what breaks, but not sure
[21:14] <sergiodj> yeah, it is possible
[21:15] <sergiodj> I thought this was going to be an easy one :-/
[21:20] <teward> who here's familiar with the differences between legacy iptables and iptables-nft?
[21:20] <nacc> sergiodj: sorry :( it feels easy to me because the change very linearly fixes it for me all the time, but I also am struggling to understand exactly why
[21:20] <teward> asking because I'm tempted to start making the migration from legacy iptables to iptables-nft but I've got > 500 rules, half of which are autopopulated by blacklist population from a script
[21:21] <teward> so I need to understand the fundamental differences from a manipulation perspective
[21:21] <sergiodj> nacc: no, that's OK, it's just that this has been a frustrating week with a lot of "this-looks-easy-but-it's-actually-impossible-to-reproduce" kind of bugs
[21:21] <sergiodj> :)
[21:21] <nacc> sergiodj: love/hate those weeks :)
[21:22] <sergiodj> yep!
[21:23] <nacc> sergiodj: if there's anything I can provide to help, please lmk on the bug (or here, if I'm around)
[21:23] <sergiodj> nacc: will do, thanks a lot!
[21:25] <ahasenack> sergiodj: I have sample configs for sssd with ldap
[21:25] <ahasenack> and the dep8 test uses those
[21:25] <sergiodj> ah, that helps
[21:25] <sergiodj> thanks, ahasenack
[21:25] <ahasenack> so maybe running the dep8 tests in that env can be the easiest way to trigger it
[21:26] <sergiodj> let me check
[21:26] <ahasenack> run as a script, no need to invoke autopkgtest itself
[21:26] <sdeziel> teward: personally, I'm waiting for nftables to go into main before looking into switching
[21:28] <teward> sdeziel: meh, maybe i'll futz in a VM ;)
[21:28] <teward> but i'm still curious if the addition of rules / manipulation is similar
[21:28] <teward> in terms of command line syntax, etc.
[21:30] <ahasenack> sergiodj: I'm gonna eod, we can talk again tomorrow
[21:30] <ahasenack> tl;dr sssd will only bring up the processes it needs
[21:30] <ahasenack> and they are all socket activated nowadays
[21:30] <ahasenack> (via systemd)