/srv/irclogs.ubuntu.com/2021/10/05/#ubuntu-server.txt

=== genii is now known as genii-core
FuZi0N	How can I update to the latest version of curl on Ubuntu 18.04? I tried doing "apt-get update && apt-get upgrade" but this is still giving me an older version of curl. Is there a special mirror I can add to my sources.list??	02:47
sdeziel	FuZi0N: packages versions are frozen when the distro is initially released. Bug and security fixes are backported but the original package version remains the same.	02:49
lotuspsychje	!latest	02:49
ubottu	Packages in Ubuntu may not be the latest. Ubuntu aims for stability, so "latest" may not be a good idea. Post-release updates are only considered if they are fixes for security vulnerabilities, high impact bug fixes, or unintrusive bug fixes with substantial benefit. See also !backports, !sru, and !ppa.	02:49
sdeziel	FuZi0N: if there is a feature of curl that is not in the version shipped by 18.04, you should consider upgrading to 20.04	02:50
Guest1356	Hello	05:23
Guest1356	I have an iptables related question w.r.t. setting up WireGuard	05:23
Guest1356	I framed this `PostUp` value from https://xalitech.com/wireguard-vpn-server-on-aws-lightsail/	05:24
Guest1356	`PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE`	05:24
Guest1356	But... I think `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` already allows for what `iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE` does. Am I right?	05:24
Guest1356	(Just in case I'm wrong, to be exact, the tutorial says, `iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE;` and `iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE` but I think that by `ens3`/`eth0` they meant one or the other and it was just a copy-paste error.)	05:25
Guest1356	Any help is greatly appreciated. I'm having a hard time with iptables as I have clue about networking.	05:25
lordievader	Good morning	06:16
lordievader	Guest1356: Could you put those commands you used in a pastebin, this is not really readable this way.	06:16
Soni	okay we really don't know how to get the systemd timer to behave	12:50
new_guest_21	Hi, I'd like some help with understanding the `iptables` rules provided in this tutorial: https://xalitech.com/wireguard-vpn-server-on-aws-lightsail/	13:34
new_guest_21	Specifically, doesn't `iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE` already do what `iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o ens3 -j MASQUERADE` does? (I think it's a typo that used `eth0` instead of `ens3` in the latter, or is it not?)	13:34
sdeziel	new_guest_21: FYI, this tutorial is a bit dated, there is no wireguard PPA anymore (IIRC) as that's now in the official archives now.	13:35
new_guest_21	Sure. I am only interested in the configuration. :)	13:36
sdeziel	new_guest_21: regarding the iptables question, yes it seems like a typo. The 2 rules you provided are similar except the later will only apply when the source IP range is 10.200.200.0/24	13:37
lordievader	<Soni> "okay we really don't know how to..." <- How come?	13:38
new_guest_21	Excellent. Been scratching my head at this for hours now. Thank you very much. Now I can move on to understanding the other set of iptables rules. This tutorial uses much more of them than any other I've seen for WireGuard. I am thinking they are being more restrictive with security in mind (i.e. only allow what needs to be). Guess I'll see.	13:38
sdeziel	new_guest_21: essentially, you want to make sure that whatever IP you assign to your wireguard "clients" will be translated to a public IP address (MASQUERADE'd) when going out on the Internet though the uplink NIC, ens3 in your example presumably	13:38
new_guest_21	Understood, thank you sdeziel	13:39
sdeziel	new_guest_21: well, it's seems a bit weird to me that they are adding IPv6 NAT rules when they don't even assign IPv6 to the wireguard peers	13:39
new_guest_21	hehe, yeah. They are doing a bunch of things right, so I am using it for guidance, that's all. Hetzner and Linode docs provide more recent instructions.	13:41
new_guest_21	They don't have anon comments or I'd have left a comment.	13:41
new_guest_21	Hetzner's iptables rules are a bit confusing for me as well. `iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j SNAT --to-source 1.2.3.4` and `iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE`.	13:46
new_guest_21	The first one seems to specify how everything should happen down to the public IP address. The second one seems to suggest using the default public IP... which confuses me.	13:47
sdeziel	new_guest_21: if you know what public IP to rewrite the source to, you can use SNAT. If you don't know of if it's dynamic in nature, MASQUERADE should be used and the kernel will try to figure it out for you	13:47
new_guest_21	But both those commands aren't meant to be used together right?	13:48
new_guest_21	Or are they...?	13:48
new_guest_21	That's what is unclear to me (because as I see it, they are mutually exclusive).	13:48
sdeziel	new_guest_21: could be but for a simple setup, probably not	13:48
sdeziel	new_guest_21: the first rule that matches win so worse case, you end up with a rule that's never going to be hit (and will confuse people)	13:49
Soni	lordievader: it enables the target and then that's it, never runs again	13:50
lordievader	Soni: What is your output of `sudo systemctl list-timers`?	13:50
Soni	uh don't currently have sudo access ("lost" keys)	13:51
new_guest_21	sdeziel: So, for e.g., if the server changes to a diff. IP address, say from 1.2.3.4 to 1.1.1.4, the first IP Tables rule will be ignored and the second one will match and shall be followed. Am I understanding this correctly?	13:52
new_guest_21	Like a backup scenario.	13:52
lordievader	Soni: That doesn't make it easier. Can a normal user still read the data?	13:52
Soni	but the refresh-certs timer has NEXT and LEFT as "n/a"	13:52
Soni	(the keys are secure, but the computer/PSU is dead. guess who didn't setup an admin key on their phone...)	13:53
lordievader	Soni: Could you pastebin the output of `systemctl cat <name-of-timer>.timer`?	13:54
TJ-	Soni: you have 'keys' to control sudo access?	13:55
Soni	lordievader: https://bpa.st/HO2A	13:56
Soni	assuming that worked correctly	13:56
Soni	TJ-: yeah the admin account can just use sudo and it's protected by an ssh key?	13:57
TJ-	Soni: it's triggering a .target not a .service; presumably the .target stays active - it doesn't stop just because a .service that it has as a Wants stops	13:58
lordievader	Soni: Did you also 'start' the timer? I.e. `systemctl enable --now <name>.timer` or `systemctl start <name>.timer`?	13:58
sdeziel	new_guest_21: no, if your server's IP changes, you need to update the SNAT --to-source target. Failing to do so will have your translated packets using the wrong/old IP	13:58
TJ-	Soni: "systemctl status refresh-certs.target"	13:58
Soni	lordievader: yes	13:58
Soni	https://bpa.st/R74A	13:59
sdeziel	new_guest_21: iptables rules are matched on conditions prior to the "-j" thing which is the JUMP to destination	13:59
TJ-	Soni: so it is as I said	14:00
sdeziel	new_guest_21: another way to put it is that once you jump'ed (-j), you are taking action no longer making a decision	14:00
new_guest_21	sdeziel: Ah! So in this case for any other outgoing interface other than `enp1s0`, the 2nd rule would be a match...	14:00
TJ-	Soni: targets are stages that are passed they don't 'run/stop' like services	14:00
new_guest_21	Am I right? sdeziel	14:01
sdeziel	new_guest_21: yes if the source traffic is within 10.0.0.0/24	14:01
new_guest_21	Understood. This is brilliant!	14:01
sdeziel	new_guest_21: in plain English, the first rule could be translated like that: If a packet comes from 10.0.0.0/24 and would be routed through enp1s0, let's rewrite the source as 1.2.3.4	14:02
new_guest_21	gotcha	14:03
Soni	hmm so why can timers start targets	14:03
Soni	anyway thanks	14:06
Soni	will fix this once the computer parts arrive etc	14:06
TJ-	Soni: you'd be better off using a placeholder .service unit, say "refresh-certs.service" that does a simple ExecStart=/usr/bin/true and is triggered by the timer	14:06
=== genii-core is now known as genii
TJ-	Soni: then, in all the units you want to actually execute (those that current are part of the .target's Wants=), use instead BindsTo=refresh-certs.service. That will cause those units to start/stop based on the state of fresh-certs.service	14:07
Soni	TJ-: how do you set that up with e.g. renew-certs.service and notify-webserver-new-certs.service?	14:10
TJ-	Soni: see "BindsTo=" in "man systemd.unit"	14:13
TJ-	Soni: actually, for your use-case, a simple "Requires=" in a notional "refresh-certs.service" would be more suitable	14:14
=== thegodsquirrel is now known as THEGODSQUIRREL
=== THEGODSQUIRREL is now known as thegodsquirrel
shubjer0	I am trying to upgrade Ceph Nautilus to Ceph Octopus on Ubuntu 18.04 using Ceph ubuntu packages and once I've installed Ceph octopus I cannot start any of the ceph services. They all complain about ` global_init: error reading config file.`	15:43
shubjer0	Anyone know what might be the cause?	15:43
shubjer0	All fixed. I used the ceph assimilate conf to give me a new config and now it starts up	17:29
jrwren	anyone else think the lack of a JRE here is surprising? https://hub.docker.com/u/ubuntu/ no docker hub openjdk/jre based on ubuntu either!	21:06
jrwren	maybe all I really want is FROM ubuntu:bionic and RUN apt-get update && apt-get install -y openjdk-11-jre	21:10
patdk-lap	not suprised at all, I wouldn't expect someone to release docker images on every os that exists	21:28
patdk-lap	looks like they opted for oracle linux and windowscore	21:28
jrwren	and debian :(	21:37

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!