/srv/irclogs.ubuntu.com/2021/09/08/#ubuntu-server.txt

=== genii is now known as genii-core
[04:46] <ShellcatZero1> Someone in #ubuntu-security mentioned that they use PXE to unlock a /boot/ encrypted system by having their router load GRUB. Can anyone explain how this works? All of the documentation I've found for PXE details network OS-installs, rather than anything like remote boot and decryption.
[05:26] <mybalzitch> I wonder what, if any, security benefit there is to that
[05:30] <ShellcatZero1> mybalzitch: My impression was that it provides some remote unlocking functionality since dropbear cannot be used at this stage, or at the very least an obfuscated key stored remotely.
[06:35] <TJ-> That would be me
[06:36] <TJ-> It's an emergency back-up for remote devices that can lose power unexpectedly
[06:40] <TJ-> in the 'regular' boot case, a usually unattended headless router/NAS requires LUKS secret at boot-time via serial console. If it loses power it needs to be able to reboot without waiting for the passphrase. There is a battery-backed very low power device connected to it (RasPi) that serves an alternative GRUB core image via PXE/TFTP
[07:13] <ShellcatZero1> TJ-: Wow, ok, so the RasPi device is a PXE server which provides an alternative GRUB image that does not require password input? It is unclear to me how this works with GRUB_ENABLE_CRYPTODISK=y, as I have not seen any method of automatically providing a key/password at this early stage, except maybe for https://grub.johnlane.ie/.
[07:20] <TJ-> ShellcatZero1: we use DRBD to mirror the router's /boot/ file-system to the raspi so at any time it has an up-to-date copy. When power is lost RasPi detects that and only then mounts the mirror as a local file-system and starts the DHCPv6/TFTP processes. The router then boots completely from the RasPi. As soon as RasPi sees the router OS is starting it stops the DHCPv6/TFTP and unmounts the DRBD mirror
[07:21] <TJ-> ShellcatZero1: the GRUB core loaded via PXE does not need or use LUKS
[07:22] <ShellcatZero1> Hmm, ok
[07:33] <ShellcatZero1> TJ-: Thanks, I believe I understand that process now. So in this process, does the RasPi have some higher boot priority in the router's GRUB, so that if the router sees your RasPi device it will PXE-boot to it, otherwise proceed with normal password-prompting boot?
[07:36] <TJ-> ShellcatZero1: correct
[07:36] <TJ-> but not in router's GRUB, in its firmware, the whole point is to load GRUB
[07:42] <ShellcatZero1> TJ-: Awesome, thanks, I will probably be experimenting with this RasPi PXE setup, if you happen to have any relevant guide/documentation for it. I have really appreciated your input for this.
[07:44] <TJ-> ShellcatZero1: the only tricky part is getting the Pi to correctly handle the DRBD secondary without allowing any writes into it (it has to be promoted to Primary when the link goes down in order to be able to mount, and returned to Secondary before the router tries to reconnect)
[07:46] <ShellcatZero1> TJ-: Yep, that part did sound tricky.
=== cpaelzer_ is now known as cpaelzer
[12:11] <frickler> icey: coreycb: jamespage: and another one, seems neutron is doing a good job keeping folk busy these days ;) https://bugs.launchpad.net/neutron/+bug/1942179
[12:12] <ubottu> Launchpad bug 1942179 in OpenStack Security Advisory "neutron api worker leaks memory when processing requests to not existing controllers" [Medium, Confirmed]
[12:12] <icey> frickler: gah, I was about ready to pass the last one to the security team to publish :-P
[12:13] <icey> ;-P
[12:13] <icey> frickler: and if I'm scanning that bug correctly, it's more of a DoS vs a RCE?
[12:13] <frickler> icey: sorry, I'll delete my comment and resubmit it tomorrow, o.k.?
[12:13] <icey> frickler: ha
[12:13] <frickler> icey: afaict "only" DoS, yes
[12:16] <icey> frickler: I'll get it on my todo list, will discuss with others if we want to push out both together or if we should do them one at a time
=== genii-core is now known as genii
[13:42] <icey> hey frickler - I wonder if you think a Neutron point release could happen shortly? It would be really great to be able to pick up these fixes in a point release :)
[15:15] <frickler> icey: I'm assuming for the recent branches this should happen soonish. but to be sure, best ask directly in the neutron channel. I'm mostly just a deployer relaying things so I don't have to patch everything myself locally ;-D
[17:32] <kurts_allenai[m]> We're currently using Ubuntu 20.04 on our servers with ldap to authenticate our users. We are trying to migrate to active directory, but are running into issues with authenticating users correctly.
[17:32] <kurts_allenai[m]> We have set UID numbers in active directory to be the same as in ldap, but they are not syncing across to the Ubuntu server. On 18.04 they sync correctly. We are using a Windows server 2019 backend. Has anyone run into this issue before?
[17:33] <TJ-> kurts_allenai[m]: are the 20.04 servers able to talk to AD at all?
[17:34] <kurts_allenai[m]> Yes, they're enrolling as computers fine and users are syncing over. Any attribute changes done on the AD side are not though
[17:39] <TJ-> kurts_allenai[m]: have you looked at https://ubuntu.com/engage/microsoft-active-directory
[17:44] <kurts_allenai[m]> TJ-: I've been following Microsoft's instructions previously. I'll try the Ubuntu docs and see. Thanks!
[17:45] <TJ-> kurts_allenai[m]: not sure whether these 2 will add anything but they look to have some quality
[17:46] <TJ-> https://ubuntu.com/server/docs/service-sssd
[17:46] <TJ-> https://c-nergy.be/blog/?p=16472
=== E_Eickmeyer is now known as Eickmeyer
[20:23] <kurts_allenai[m]> TJ-: Went through the official Ubuntu doc listed above, but adcli keeps giving a "Preauthentication failed" error when I try to join the domain. Any ideas?
[20:24] <TJ-> kurts_allenai[m]: no, but presumably that will be at the Kerberos layer; can you locate any log reports relating to that, either on the Linux client or on the AD Server ?
[20:28] <kurts_allenai[m]> Not that I can find. The guide didn't say to kinit the user, so I didn't do that. Could that be the issue?
[20:29] <kurts_allenai[m]> It doesn't look like the windows server blocked the authentication
[20:30] <TJ-> I'm not sure, I try to keep away from Windows as much as possible
[20:31] <Soni> hello, using ubuntu 20.04 LTS and lighttpd, uh you can set up systemd to run lighttpd in a chroot of sorts yeah?
[20:36] <sdeziel> Soni: there are many ways to interpret that question. What exactly do you want to do? Is lighttpd able to chroot itself and you want to enable that? Or do you want systemd to do the actual chroot'ing?
[20:37] <Soni> we'd like to use systemd to make sure lighttpd only sees a narrow view of the filesystem
[20:38] <JanC> systemd can also run things in containers
[20:39] <Soni> all the critical stuff (lighttpd config, logs) and the web content (/var/www) we guess
[20:40] <sdeziel> Soni: you can tweak the systemd unit to setup mount namespaces (see `ReadWritePaths=`, `ReadOnlyPaths=`, `InaccessiblePaths=` etc)
[20:40] <sdeziel> Soni: you could also use Apparmor to restrict what the process has access to
[20:43] <kurts_allenai[m]> TJ-: Welp, kinit wasn't the solution
[20:48] <sdeziel> Soni: here's a systemd hardening example https://paste.ubuntu.com/p/SkZCQZdMr5/
[20:49] <Soni> sdeziel: "you need to be logged in to view this paste"?
[20:50] <sarnold> the pastebin was being abused; either the paster or the pastee need to be logged in to see a paste
[20:51] <sdeziel> Soni: yeah, sorry this is pretty annoying to have this behind a login. https://pastebin.com/raw/BypPcvBu should work better
[20:51] <sdeziel> sarnold: are you saying I just need to be logged in and my paste will then be public?
[20:52] <sarnold> sdeziel: yes
[20:52] <sdeziel> sarnold: oh, that's very good news, thanks!
[20:52] <sarnold> which is handy-ish but in practice just means I'll probably be using termbin.com a lot more :)
[20:53] <Soni> have you heard of instant.io?
[20:53] <sdeziel> if only I knew how to configure pastebinit
[20:53] <sarnold> sdeziel: I tried to configure pastebinit to paste to debian's, but that's apparently busted :(
[20:54] <Soni> but anyway
[20:54] <Soni> sdeziel: that's a lot of options we don't fully understand altho we do get that there's no easy solution here
[20:58] <sdeziel> Soni: man systemd.exec has very good explanations for each of those but in your case, I think the minimum to understand would be: `ProtectHome=`, `ProtectSystem=`, `ReadWritePaths=`, `InaccessiblePaths=` and `PrivateTmp=`
[21:51] <Soni> how do you set up the environment, e.g. for git-receive-pack?
[21:52] <Soni> hmm wait there's a better way to do this isn't there
