=== genii is now known as genii-core
[02:47] How can I update to the latest version of curl on Ubuntu 18.04? I tried doing "apt-get update && apt-get upgrade" but this is still giving me an older version of curl. Is there a special mirror I can add to my sources.list??
[02:49] FuZi0N: package versions are frozen when the distro is initially released. Bug and security fixes are backported but the original package version remains the same.
[02:49] !latest
[02:49] Packages in Ubuntu may not be the latest. Ubuntu aims for stability, so "latest" may not be a good idea. Post-release updates are only considered if they are fixes for security vulnerabilities, high impact bug fixes, or unintrusive bug fixes with substantial benefit. See also !backports, !sru, and !ppa.
[02:50] FuZi0N: if there is a feature of curl that is not in the version shipped by 18.04, you should consider upgrading to 20.04
[05:23] Hello
[05:23] I have an iptables related question w.r.t. setting up WireGuard
[05:24] I framed this `PostUp` value from https://xalitech.com/wireguard-vpn-server-on-aws-lightsail/
[05:24] `PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE`
[05:24] But... I think `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` already allows for what `iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE` does. Am I right?
[05:25] (Just in case I'm wrong, to be exact, the tutorial says, `iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE;` and `iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE` but I think that by `ens3`/`eth0` they meant one or the other and it was just a copy-paste error.)
[05:25] Any help is greatly appreciated. I'm having a hard time with iptables as I have no clue about networking.
[06:16] Good morning
[06:16] Guest1356: Could you put those commands you used in a pastebin, this is not really readable this way.
[12:50] okay we really don't know how to get the systemd timer to behave
[13:34] Hi, I'd like some help with understanding the `iptables` rules provided in this tutorial: https://xalitech.com/wireguard-vpn-server-on-aws-lightsail/
[13:34] Specifically, doesn't `iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE` already do what `iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o ens3 -j MASQUERADE` does? (I think it's a typo that used `eth0` instead of `ens3` in the latter, or is it not?)
[13:35] new_guest_21: FYI, this tutorial is a bit dated, there is no wireguard PPA anymore (IIRC) as that's now in the official archives.
[13:36] Sure. I am only interested in the configuration. :)
[13:37] new_guest_21: regarding the iptables question, yes it seems like a typo. The 2 rules you provided are similar except the latter will only apply when the source IP range is 10.200.200.0/24
[13:38] "okay we really don't know how to..." <- How come?
[13:38] Excellent. Been scratching my head at this for hours now. Thank you very much. Now I can move on to understanding the other set of iptables rules. This tutorial uses much more of them than any other I've seen for WireGuard. I am thinking they are being more restrictive with security in mind (i.e. only allow what needs to be). Guess I'll see.
[13:38] new_guest_21: essentially, you want to make sure that whatever IP you assign to your wireguard "clients" will be translated to a public IP address (MASQUERADE'd) when going out on the Internet through the uplink NIC, ens3 in your example presumably
[13:39] Understood, thank you sdeziel
[13:39] new_guest_21: well, it seems a bit weird to me that they are adding IPv6 NAT rules when they don't even assign IPv6 to the wireguard peers
[13:41] hehe, yeah. They are doing a bunch of things right, so I am using it for guidance, that's all.
Hetzner and Linode docs provide more recent instructions.
[13:41] They don't have anon comments or I'd have left a comment.
[13:46] Hetzner's iptables rules are a bit confusing for me as well. `iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j SNAT --to-source 1.2.3.4` and `iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE`.
[13:47] The first one seems to specify how everything should happen down to the public IP address. The second one seems to suggest using the default public IP... which confuses me.
[13:47] new_guest_21: if you know what public IP to rewrite the source to, you can use SNAT. If you don't know or if it's dynamic in nature, MASQUERADE should be used and the kernel will try to figure it out for you
[13:48] But both those commands aren't meant to be used together right?
[13:48] Or are they...?
[13:48] That's what is unclear to me (because as I see it, they are mutually exclusive).
[13:48] new_guest_21: could be but for a simple setup, probably not
[13:49] new_guest_21: the first rule that matches wins, so worst case you end up with a rule that's never going to be hit (and will confuse people)
[13:50] lordievader: it enables the target and then that's it, never runs again
[13:50] Soni: What is your output of `sudo systemctl list-timers`?
[13:51] uh don't currently have sudo access ("lost" keys)
[13:52] sdeziel: So, for e.g., if the server changes to a diff. IP address, say from 1.2.3.4 to 1.1.1.4, the first iptables rule will be ignored and the second one will match and shall be followed. Am I understanding this correctly?
[13:52] Like a backup scenario.
[13:52] Soni: That doesn't make it easier. Can a normal user still read the data?
[13:52] but the refresh-certs timer has NEXT and LEFT as "n/a"
[13:53] (the keys are secure, but the computer/PSU is dead. guess who didn't setup an admin key on their phone...)
[13:54] Soni: Could you pastebin the output of `systemctl cat .timer`?
[13:55] Soni: you have 'keys' to control sudo access?
[13:56] lordievader: https://bpa.st/HO2A
[13:56] assuming that worked correctly
[13:57] TJ-: yeah the admin account can just use sudo and it's protected by an ssh key?
[13:58] Soni: it's triggering a .target not a .service; presumably the .target stays active - it doesn't stop just because a .service that it has as a Wants stops
[13:58] Soni: Did you also 'start' the timer? I.e. `systemctl enable --now .timer` or `systemctl start .timer`?
[13:58] new_guest_21: no, if your server's IP changes, you need to update the SNAT --to-source target. Failing to do so will have your translated packets using the wrong/old IP
[13:58] Soni: "systemctl status refresh-certs.target"
[13:58] lordievader: yes
[13:59] https://bpa.st/R74A
[13:59] new_guest_21: iptables rules are matched on conditions prior to the "-j" thing which is the JUMP to destination
[14:00] Soni: so it is as I said
[14:00] new_guest_21: another way to put it is that once you jumped (-j), you are taking action, no longer making a decision
[14:00] sdeziel: Ah! So in this case for any other outgoing interface other than `enp1s0`, the 2nd rule would be a match...
[14:00] Soni: targets are stages that are passed, they don't 'run/stop' like services
[14:01] Am I right? sdeziel
[14:01] new_guest_21: yes if the source traffic is within 10.0.0.0/24
[14:01] Understood. This is brilliant!
[14:02] new_guest_21: in plain English, the first rule could be translated like that: If a packet comes from 10.0.0.0/24 and would be routed through enp1s0, let's rewrite the source as 1.2.3.4
[14:03] gotcha
[14:03] hmm so why can timers start targets
[14:06] anyway thanks
[14:06] will fix this once the computer parts arrive etc
[14:06] Soni: you'd be better off using a placeholder .service unit, say "refresh-certs.service" that does a simple ExecStart=/usr/bin/true and is triggered by the timer
=== genii-core is now known as genii
[14:07] Soni: then, in all the units you want to actually execute (those that currently are part of the .target's Wants=), use instead BindsTo=refresh-certs.service. That will cause those units to start/stop based on the state of refresh-certs.service
[14:10] TJ-: how do you set that up with e.g. renew-certs.service and notify-webserver-new-certs.service?
[14:13] Soni: see "BindsTo=" in "man systemd.unit"
[14:14] Soni: actually, for your use-case, a simple "Requires=" in a notional "refresh-certs.service" would be more suitable
=== thegodsquirrel is now known as THEGODSQUIRREL
=== THEGODSQUIRREL is now known as thegodsquirrel
[15:43] I am trying to upgrade Ceph Nautilus to Ceph Octopus on Ubuntu 18.04 using Ceph Ubuntu packages and once I've installed Ceph Octopus I cannot start any of the ceph services. They all complain about `global_init: error reading config file.`
[15:43] Anyone know what might be the cause?
[17:29] All fixed. I used the ceph assimilate conf to give me a new config and now it starts up
[21:06] anyone else think the lack of a JRE here is surprising? https://hub.docker.com/u/ubuntu/ no docker hub openjdk/jre based on ubuntu either!
[21:10] maybe all I really want is FROM ubuntu:bionic and RUN apt-get update && apt-get install -y openjdk-11-jre
[21:28] not surprised at all, I wouldn't expect someone to release docker images on every OS that exists
[21:28] looks like they opted for oracle linux and windowscore
[21:37] and debian :(