[06:16] <lordievader> Good morning
[06:40] <xylo> Morning
[12:26] <Aphrek> hey all - can anyone point me in the right direction of setting up bridging to a local network. I have the bridge setup but I cannot ping anything from the guest except the host IP.
[12:27] <Aphrek> basically following - I used the tutorial at - https://fabianlee.org/2019/04/01/kvm-creating-a-bridged-network-with-netplan-on-ubuntu-bionic/
[12:27] <Aphrek> only thing I changed was the interface name..
[12:28] <Aphrek> I suspect there's some routing I'm missing - but I'm completely new to this (kvm)
[12:48] <lordievader> Aphrek: Could you give some more details of your network setup?
[12:48] <lordievader> `ip addr show` and `brctl show` for example
[12:51] <Aphrek> just sorting now - any preference on sharing results? Is pastebin still a thing? 
[12:52] <sdeziel> Aphrek: I don't know if libvirt does this by default but I'd check if `sysctl net.ipv4.ip_forward` gives you 1
[12:52] <Aphrek> sdeziel: yep - gives me 1
[12:53] <sdeziel> Aphrek: good, maybe a firewall/NAT issue then?
[12:53] <Aphrek> everything works fine btw straight after the initial install when the connection uses NAT 
[12:53] <Aphrek> sdeziel: yep, that's where I'm a bit stuck
[12:53] <lordievader> Aphrek: Yes, pastebin please.
[12:53] <lordievader> !paste
[12:56] <Aphrek> is there an alternative to paste.ubuntu.com
[12:57] <Aphrek> just tried to sign up & I'm getting an invalid auth email when trying to confirm the account
[12:57] <sdeziel> https://www.termbin.com/ works well
[12:59] <Aphrek> thakns
[12:59] <Aphrek> thanks
[13:00] <Aphrek> from the host ip addr show gives:
[13:00] <Aphrek> https://termbin.com/2ds5
[13:01] <Aphrek> brctl show gives:
[13:01] <Aphrek> https://termbin.com/a46x1
[13:14] <lordievader> Aphrek: Can you reach your gateway from br0?
[13:14] <Aphrek> lordievader: do you mean from the host or guest? 
[13:16] <lordievader> From the host (the machine from which you gave the output of `ip a s`)
[13:17] <Aphrek> I see - sorry, yes I can
[13:18] <lordievader> And can you reach the vms from the host?
[13:20] <Aphrek> yes, I can ping it
[13:21] <Aphrek> and the reverse it true - I can ping the host from the vms
[13:21] <Aphrek> *is
[13:22] <lordievader> Just pinging things from vms to outside doesn't work?
[13:23] <Aphrek> that's right - I've tried setting a static IP / gateway as well as DHCP - nothing works.
[13:23] <Aphrek> everything works fine post standard install when NAT is setup - but not when I introduce the bridge
[13:25] <lordievader> Do you require a nat?
[13:26] <Aphrek> I could use it either way I suppose. I was just hoping to have the vms exposed to the network in the same way as a physical machine
[13:27] <lordievader> What I mean is, should the hypervisor do the NATting or do you have a router somewhere performing NAT (judging from the IP address I'd say the latter).
[13:27] <Aphrek> oh I see 
[13:28] <Aphrek> it was the hypervisor doing the natting
[13:31] <lordievader> Aphrek: Alright, could you share your `sudo iptables-save` output?
[13:32] <Aphrek> lordievader: https://termbin.com/cn6t
[13:35] <lordievader> Aphrek: You don't have any NAT rules related to your normal connection. Are you sure that the hypervisor should do the NATting?
[13:36] <lordievader> Erm, do vms get addresses in the 122.0/24 or in the 0.0/24 subnet?
[13:36] <Aphrek> sorry - I'm not entirely sure what you mean - I have a bog standard home network, the server is on the network & after the initial setup I was using a NATed connection but after the bridge I assumed I was no longer natting? 
[13:38] <lordievader> The translation of a network onto an address happens somewhere. For normal home networks the translation from a 192.168.0.0 network happens at the router to the ISP assigned address.
[13:39] <lordievader> I expect that this was your situation. But you said that the hypervisor was doing the natting.
[13:39] <Aphrek> right - I'm getting confused then with the NAT connection you can use for a VM on KVM
[13:39] <Aphrek> apologies, I'm feeling somewhat out of my depth. 
[13:41] <lordievader> In the simplest case your hypervisor doesn't do any natting. That way the vm's are just other clients on the network, connected to a virtual switch (the bridge interface).
[13:41] <Aphrek> right - got you. 
[13:41] <Aphrek> thanks
[13:42] <lordievader> What IP address does your vm have?
[13:43] <Aphrek> 192.168.0.228
[13:44] <Aphrek> that's a static config after the dhcp didn't work
[13:44] <lordievader> And can you ping the router/gateway from the vm?
[13:45] <Aphrek> no, that doesn't work
[13:46] <lordievader> Keep the ping running and on the hypervisor run `sudo tcpdump -i br0 icmp`, do you see icmp ping requests going through and replies coming back?
[13:46] <Aphrek> ok, 2 secs
[13:48] <Aphrek> no nothing on the host 
[13:49] <Aphrek> the vm when pinging says: From 192.168.0.228 icmp_seq=1 Destination Host Unreachable
[13:49] <Aphrek> and so on
[13:49] <Aphrek> the ping was set to 192.168.0.1
[13:49] <lordievader> From the vm what is the output of `ip r`?
[13:52] <Aphrek> https://imgur.com/a/1JlTOSt
[13:52] <Aphrek> excuse the picture 
[13:54] <lordievader> Hrmm, that looks fine. On the hypervisor what is the output of `sysctl net.ipv4|grep ip_forward`?
[13:55] <Aphrek> https://termbin.com/g578
[13:59] <sdeziel> Aphrek: stupid question but are you sure the VM you are testing with is the one using `vnet0` ?
[13:59] <lordievader> Right, of course I meant `sudo sysctl net.ipv4|grep forward`.
[14:00] <sdeziel> if br0 is meant as a pure bridge (no NAT), ip forwarding shouldn't matter
[14:01] <Aphrek> https://termbin.com/0y4i
[14:04] <Aphrek> sdeziel: in terms of the VM all I've done is change the network source to the bridge I created..
[14:05] <sdeziel> Aphrek: OK, just checking cause you have 2 virtual NICs it seems
[14:05] <Aphrek> https://imgur.com/a/7GAqlML
[14:07] <Aphrek> thanks sdeziel - everything is a fresh install inc the host/hypervisor 
[14:07] <Aphrek> I then followed the tutorial mentioned.. 
[14:07] <Aphrek> sorry - I know I'm not being incredibly helpful 
[14:07] <Aphrek> I do appreciate you both helping out though
[14:08] <lordievader> You did fully poweroff the vm and start it again after the change of network source?
[14:08] <Aphrek> I'm sure I did - but I'll try again
[14:08] <sdeziel> Aphrek: to keep things simple, how about you turn off the other VM?
[14:09] <sdeziel> then we'd be sure the vnetX we see is the one from the VM you are debugging
[14:09] <Aphrek> good idea 
[14:09] <Aphrek> I'll shut both down now and start up the one we've been looking at
[14:09] <sdeziel> sounds good
[14:10] <sdeziel> Aphrek: then please paste `ip addr show` again
[14:10] <Aphrek> will do
[14:11] <Aphrek> just booting up the vm
[14:11] <Aphrek> ip addr show on the host? 
[14:12] <lordievader> yes
[14:12] <Aphrek> https://termbin.com/xqk5
[14:13] <sdeziel> Aphrek: try that ^ tcpdump again while pinging from the VM to anywhere
[14:13] <Aphrek> right
[14:14] <Aphrek> same as before
[14:14] <Aphrek> no output
[14:14] <sdeziel> Aphrek: `sudo tcpdump -ni br0 arp` ?
[14:16] <Aphrek> still pinging on the vm? 
[14:18] <sdeziel> Aphrek: yes
[14:18] <Aphrek> ok - there's quite a bit of output - how long shall I run it for?
[14:18] <Aphrek> does it matter? 
[14:20] <sdeziel> are you seeing traffic from the VM's MAC?
[14:21] <Aphrek> there's no mac but the only thing VM related is the ip in:
[14:21] <Aphrek> 14:17:55.061869 ARP, Request who-has 192.168.0.1 tell 192.168.0.228, length 28
[14:21] <sdeziel> Aphrek: in fact, can you now ping the 192.168.0.239 from the VM
[14:21] <sdeziel> Aphrek: OK good, those ARP requests are from your VM trying to get to the gateway (assuming .1 is its IP)
[14:22] <Aphrek> yes
[14:22] <Aphrek> I can ping 192.168.0.239 from the vm - do you need the host running anything ? 
[14:24] <sdeziel> Aphrek: I take it that the host uses 192.168.0.1 as gateway too and can ping it, right?
[14:24] <Aphrek> yes thats right
[14:25] <sdeziel> Aphrek: do you see something with `sudo tcpdump -ni ens160 | grep -F '192.168.0.228'`
[14:30] <Aphrek> https://imgur.com/a/zzev6YD
[14:36] <Aphrek> jeess - it's working
[14:36] <sdeziel> hmm, so it looks like those packets make it out on your network
[14:36] <Aphrek> I restarted the host - as a last ditch thing
[14:36] <Aphrek> and it now works
[14:36] <Aphrek> crikey 
[14:36] <sdeziel> oh how surprising
[14:36] <Aphrek> I know
[14:37] <Aphrek> wouldn't surprise me if it was my doing somehow - I don't see where though
[14:37] <Aphrek> thanks for taking the time on this - I really appreciate it and have learned quite a bit :)
[14:37] <Aphrek>  and lordievader of course
[14:38] <sdeziel> anyway, this br0 setup is cleaner as you don't have to deal with firewalling/NAT'ing on the host, you leave that out to your home router
[14:38] <lordievader> Good to hear it is solved 👍️
[14:38] <Aphrek> thanks! first time to ubuntu-server & it's been a pleasure :)
[14:38] <sdeziel> :)
[14:38] <Aphrek> have a good one guys, back to work :)
[15:48] <Muligan> has anybody here any experience w/gfs2 or ocfs2 by any chance?
[17:14] <kurts_allenai[m]> I'm trying to connect SSSD on our Ubuntu Server 20.04 instance to our AD server. I can authenticate via kinit before joining the realm and "adcli info" says that nothing is wrong. The issue I'm having is with pam_sss. It always gives the error "User not known to the underlying authentication module" when someone logs in. Even though the user is in AD. It's like pam isn't syncing with AD at all. Anyone have ideas on a fix?
[17:34] <Muligan> sarnold, thanks for the response last night, after looking at a few more things, I'm looking at ocfs2 deployment
[17:35] <Muligan> however, I'm waiting for this meeting here in 90min if I even need to take this route or not.
[17:36] <sarnold> Muligan: here's hoping something easier comes around :) ocfs2 had a lot of enthusiasm ~dozen years ago, maybe more, but I don't know if it's had much attention and care since then