/srv/irclogs.ubuntu.com/2023/01/19/#ubuntu-server.txt

sergiodjlvoytek: hey, still there?00:42
sergiodjlvoytek: for when you're around, I'm wondering about bind9's MRE.  are you focusing only on Jammy, or will it include Focal as well?00:45
=== cpaelzer_ is now known as cpaelzer
lunatiqhttps://www.ryadel.com/en/vsftpd-configure-different-home-folder-each-user-specific-directory/ I followed this guide for 22.04 but used the information found here https://www.how2shout.com/linux/how-to-install-vsftpd-to-setup-ftp-server-on-ubuntu-22-04/06:12
lunatiqbut I can't connect to my directory06:12
lunatiqI got it working06:31
lunatiqif I wanted to add a ftp user to the www-data:www-data /var/www/example.com I would have to add that user to the www-data group right?07:07
lunatiqI mean07:07
lunatiqallow that user to write07:07
andollunatiq: I would probably rather change the directory ownership of /var/www/example.com.07:09
andolBy adding the user to the www-data group you are also giving that user access to whatever else that group might have access to.07:10
andolOf course, the web server still needs to be able to read the /var/www/example.com folder, so unless you have it globally readable you might want to create a new group, containing both your ftp user(s) and the www-data user07:11
lunatiqandol I don't understand the solution07:14
lunatiqhttps://groveld.com/articles/give-user-permission-to-edit-and-add-files-in-var-www doesn't this imply files have more than 644 ?07:23
=== polymorp- is now known as polymorphic
ahasenack_kanashiro[m]: lunar-proposed has containerd 1.6.12, latest upstream is 1.6.1513:32
ahasenack_do you want to update that in unapproved for the SRU, or is 1.6.12 still fine?13:32
ahasenack_did you check the changelogs for .13, .14, .15? Nothing to worry about in .12 that is being fixed?13:33
ahasenack_(and next week we will probably have 1.6.16, and so on, I know...)13:40
ahasenack_kanashiro[m]: also, containerd 1.6.12 has reds in excuses (https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#containerd)13:59
kanashiro[m]ahasenack: I was not planning to update it to a newer upstream release14:05
ahasenack_ok, what about it being stuck in lunar-proposed for 36 days?14:05
kanashiro[m]I can't keep the upstream pace due to other duties 14:05
kanashiro[m]It is stuck because of another golang package that was added as runtime dependency 14:06
kanashiro[m]There is one regression now, but the reference test is being executed, might not be a regression 14:08
ahasenack_how does this affect the backport? Is that new runtime dependency also needed for the backport? (I haven't checked the packages yet, just doing preliminary checks)14:09
kanashiro[m]golang-google-grpc is blocking it for a while14:09
kanashiro[m]ahasenack: those new runtime deps were added in ubuntu2 and I backported ubuntu1 to avoid this exact issue 14:10
ahasenack_are they vendored in ubuntu1?14:11
kanashiro[m]I am working on containerd right now to see if I can make it better (not adding all those runtime deps that were not even used to build it) 14:11
kanashiro[m]ahasenack: yes14:11
kanashiro[m]They are still vendored in ubuntu2, but to fix some other packages depending on the containerd library those deps were added (other packages cannot import vendor code right now)  14:12
lvoyteksergiodj: For the bind9 MRE I have been focusing on jammy but I should be able to add focal to the mix too if we want14:12
ahasenack_kanashiro[m]: in the focal upload (https://launchpadlibrarian.net/644066393/docker.io_20.10.21-0ubuntu1~20.04.1_source.changes), you have a d/changelog entry stating a change in d/control to not build it on riscv64, but I'm failing to find that change, or any reference to risc in d/control. What is it?14:34
ahasenack_ftr, I checked and the focal builds in the archive indeed do not have riscv6414:35
ahasenack_so this is just about the changelog mention, and a potential change to d/control I'm not seeing14:35
kanashiro[m]hum, let me check14:40
kanashiro[m]ahasenack: I have this change in place: https://github.com/tianon/debian-docker/commit/46669329a1c698f9b98117a8ca8eb839d6b6751e14:41
-ubottu:#ubuntu-server- Commit 4666932 in tianon/debian-docker "d/control: do not build docker.io in riscv64"14:41
ahasenack_I see14:43
ahasenack_it's indeed applied14:43
ahasenack_but doesn't show in the diff, so maybe it was applied before already, checking14:43
kanashiro[m]I think I needed to do the same in the last SRU14:46
ahasenack_in any case, since it's a backport from an ubuntu release which does not have it, we need it14:48
ahasenack_I'm just trying to figure out what's going on with the diffs14:48
sergiodjlvoytek: great.  let's discuss this with the team, but I believe it's worth supporting Focal as well15:50
lvoyteksergiodj: sounds good15:50
xibalbaanyone know of a tool I could use to simulate latency and packetloss on an interface? I want to put 2 interfaces into a bridge and connect Router 1 <-- bridge --> Router2 and use that to simulate pkt loss or latency15:59
xibalbain freebsd i'd use dummynet, i know linux has a tool i forgot its name16:00
sdezielxibalba: AFAIK, the tool to use on Linux is called `tc`16:07
xibalbathats it, thank you!16:07
xibalbatrafficcontrol16:07
LinuxakiasGRhi16:17
LinuxakiasGRi was wondering what the best sysctl config would be for values like offloading and tcp mem etc for 100 mbit so finetuning for latency instead of throughput16:18
lunatiqhow to allow www-data and ftp user to have write permissions to vsftpd local_root=16:22
lunatiqwithout changing to 77516:22
LinuxakiasGR*silence*16:32
sdeziellunatiq: you can use ACLs or maybe put both users in a group that has write access to that dir16:37
lunatiqsdeziel that exposes people to write to files if attacker gain access16:48
lunatiqI don't want 77516:48
patdk-laplowering mtu size always gives better latency16:49
patdk-lapany other adjustment doesn't really help latency16:49
patdk-lapthere is no other way16:50
patdk-lapif you use acl or 775 it could give only www-data and ftp access to the files16:50
patdk-lapbut both methods can be used to attack and update the files16:50
patdk-lapthere is no way around it, other than to not get hacked16:50
patdk-lapfor offloading, disable gso, tso, lro, gro, ... to remove the batch offloading features, but I don't think this will give you any real measurable latency increase16:52
patdk-laptcp mem only handles bandwidth16:52
patdk-lapI just use 775, 755, or some other 7xx value, depending on the need of the file, file is owned by the user, and ftp logs in as that user16:54
LinuxakiasGRhmmm thanks for the info16:54
patdk-lapuser can make the file group to www-data, giving webserver read, and maybe also write access16:55
LinuxakiasGRand rx tx values ?16:55
patdk-lapand I protect it with apparmor so different users cannot access different users websites16:55
patdk-lapwhat rx and tx values?16:55
LinuxakiasGRive read higher values are good for high bandwidth but increase latency16:55
LinuxakiasGRfor offloading i mean16:56
LinuxakiasGRwas experimenting with rx tx values16:56
patdk-lapthat is just queue size16:56
patdk-lapthat value doesn't matter16:56
LinuxakiasGRhmm16:56
patdk-laphigher is better always16:56
patdk-laplower means you could have dropped packets16:57
LinuxakiasGRtxqueuelen also low right?16:57
patdk-lapif you dont empty the queue fast enough16:57
patdk-lapya, that you would want lower16:57
patdk-lapmaybe 100 for 100mbit16:57
LinuxakiasGRi see people set crazy values like 10000 or more i set it 12816:57
patdk-lapwell, they are doing 10gbit16:57
patdk-lapso you want it higher than 100016:57
LinuxakiasGRhmm thanks16:58
sdeziellunatiq: not sure I understand your requirements ... you want the ability to write but are also worried about it /me confused16:58
patdk-lapfor how your ethtool -g stuff works, for the ring buffers16:58
patdk-lapyou need to look at ethtool -c16:58
lunatiqI found this https://blog.sys4.de/vsftpd-local-chrooted-user-write-access-ubuntu-precise-1204-en.html16:58
patdk-lapas that controls how often the nic tells the os something is in the buffer16:59
patdk-lapand will impact latency16:59
patdk-lapbut normally that value is defaulted for most nics very low16:59
patdk-lapI have only seen it high on a single brand16:59
LinuxakiasGRbtw i found bbr in combination with fq_codel to be best for client side in latency17:00
LinuxakiasGRwhat about router side?17:00
patdk-laprouter has no control over those17:00
LinuxakiasGRfq_codel does bad for routers ive heard... cake?17:00
patdk-laphmm it doesn't affect routers at all17:00
LinuxakiasGRim on openwrt with latest kernel17:01
LinuxakiasGRnot latest but 5.15 or smth17:01
LinuxakiasGRso i can set it directly on wan17:01
patdk-lapbbr is a tcp thing, it ONLY can affect the sending endpoint of a tcp connection, not anything in between like a router17:02
patdk-lapit wont affect receiving latency or bandwidth of a tcp connection17:02
LinuxakiasGRhmm17:02
patdk-lapthat is controlled by what the sender is using on the other end, be it bbr or something else17:03
LinuxakiasGRgoogle servers use it17:03
patdk-lapand they MOSTLY send data17:03
patdk-lapusing it at home only AFFECTS uploads17:03
LinuxakiasGRi notice when i configure firefox to get rid of bufferbloat in prefs.js and enable http3 on top of that on client side bbr2 and fq_codel videos load in nanosecond lol17:03
LinuxakiasGReven on 100 mbit latency is amazing17:04
patdk-lapbbr has no effect on http317:04
LinuxakiasGRyoutube which is bbr with http3 i mean17:04
patdk-laphttp3 isn't even using tcp, so congestion control protocols wouldn't matter at all17:04
LinuxakiasGRi know its 2 different things but enabling them on sites like youtube does make a good change17:04
patdk-lapyou cannot do bbr with http317:04
LinuxakiasGRhmm17:04
LinuxakiasGRits udp right17:05
patdk-laphttp3 is udp, there is no congestion control. so no bbr or anything is needed17:05
patdk-lapand again, you are receiving, so you cannot change that by picking a new congestion control method, like bbr, if it was tcp (http/http2)17:05
LinuxakiasGRhttp3 is great though17:06
patdk-lapdepends17:06
patdk-lapit doesn't resolve single stream issues17:06
patdk-lapthat http2 created17:06
LinuxakiasGRif only ipv6 didnt suck. i believe it makes more difference17:06
patdk-lapso if your router is throttling you per stream, to share across users and stuff17:06
patdk-lapit hurts you17:07
LinuxakiasGRhmmm17:07
patdk-lapif you're not throttled, and dont have much packet loss, it's great17:07
LinuxakiasGRyes single user on the router17:07
LinuxakiasGRmost of the time at least17:07
patdk-lapit gets really problematic at like hotels17:07
LinuxakiasGRwhat about tcp fast open and tcp low latency parameters17:08
LinuxakiasGRin my setup something is messing with the connection so disabled most tcp config17:09
patdk-lapdoubt it's very useful17:09
patdk-lapmatters only when making lots of connections to the same server17:09
LinuxakiasGRhmm17:10
patdk-lapif you don't make a lot of connections constantly, no use17:10
patdk-lapso for a webserver that uses mysql, it can be very helpful17:10
patdk-lapbut not normally a client desktop17:10
LinuxakiasGRi see17:10
patdk-lapand as it's considered a vulnerability, doubt many people use it17:11
LinuxakiasGRdidnt know17:11
patdk-lapI would say, unless you're directly connected to the internet with <1ms latency17:13
patdk-lapnothing you do on your machine will matter much at all17:13
patdk-lapas it will all be overrun with the latency your isp adds17:14
patdk-lapkind of like, does 0.002 ms matter when your isp adds 8ms17:15
LinuxakiasGRonly hardware or browser config was the bottleneck i could really change17:15
patdk-lapit matters if you're doing server to server on a local network, or localish17:15
LinuxakiasGRfor example firefox on default settings has terrible bufferbloat17:15
LinuxakiasGRmost of the kernel settings didnt influence much yes17:15
patdk-lapwell, cause bufferbloat doesn't happen there17:16
patdk-lapbut at whatever had the buffer17:16
lunatiqhttps://blog.sys4.de/vsftpd-local-chrooted-user-write-access-ubuntu-precise-1204-en.html does this enable anyone to login to your vsftpd?17:16
patdk-lapnormally your isp modem17:16
LinuxakiasGRbtw when im using pppoe passthrough it gets even worse cause they connect me to a server far away. when i dont use passthrough its local17:16
patdk-lapand you can only resolve outgoing buffer bloat, cause incoming isn't under your control17:16
LinuxakiasGRcant even use passthrough im losing bandwidth and latency17:17
LinuxakiasGRhmm17:17
LinuxakiasGRthis isp modem is quite good hardware. tried to find a workaround to hack it and put openwrt on it but no luck17:18
LinuxakiasGRits fully locked even console locked17:18
LinuxakiasGRbootloader locked17:18
patdk-lapalways best to use an isp that doesn't use a modem17:18
patdk-lapjust drop me fiber and let me plug it directly into my router17:19
LinuxakiasGRthey still carry the connection to all house with thick copper wire. like coax... no twisted pair nothing17:19
LinuxakiasGRimagine17:19
LinuxakiasGRtheres lots of loss even if it comes with glassfiber. then it goes through coax to every house locally17:19
patdk-lapya, and then you need a modem, and it has to time multiplex the data, adding lots of latency you cannot control17:20
patdk-lapand due to that, they have large buffers17:20
LinuxakiasGRyes bufferbloat and ping can never be good on these things17:20
LinuxakiasGRcurrently i cant get it better than 9 ping 33 bufferbloat on upload and download17:20
LinuxakiasGRin better hardware. on slow hardware its worse17:20
LinuxakiasGRand wired btw17:20
LinuxakiasGRnot even wireless17:20
LinuxakiasGRheading out again thanks for the valuable info take care17:26
ahasenackkanashiro[m]: did you have to reintroduce debian/helpers/gitcommit.sh when doing the focal backport of lunar's docker.io?17:55
ahasenackthat whole directory (debian/helpers) was removed in hirsute, 20.10.2-0ubuntu117:55
ahasenackso current focal-devel still has it17:55
ahasenackand your upload too, if I'm correct17:55
kanashiro[m]ahasenack: I did not touch it, and I do not recall any change regarding that 17:57
kanashiro[m]It should be still the same 17:57
ahasenackkanashiro[m]: can we jump into a quick hangout?17:57
lunatiqCan anyone help with vsftpd?17:58
kanashiro[m]ahasenack: yes17:58
lunatiqI keep 755 on folders how do I enable a FTP user to access www-data without adding them to the group and making 77518:27
lunatiqwrite permission18:27
kanashiro[m]ahasenack: both packages are building here: https://launchpad.net/~lucaskanashiro/+archive/ubuntu/container-backports18:37
ahasenackok18:37
* ahasenack leaves a ppa watch running18:37
LinuxakiasGRhttps://www.youtube.com/watch?v=EOfw61bjfE418:42
LinuxakiasGRLoL18:42
ahasenackkanashiro[m]: hm, one other thing, in containerd for jammy this time18:49
ahasenackkanashiro[m]: your upload has no CVE patches in d/p/series, but the patches themselves are still in debian/patches/CVE*.patch18:49
kanashiro[m]ahasenack: meh, let me take a look18:50
ahasenackdget https://launchpad.net/ubuntu/jammy/+upload/30336274/+files/containerd_1.6.12-0ubuntu1~22.04.1.dsc18:50
kanashiro[m]my bad, let me upload them to the PPA without those files18:53
ahasenackkanashiro[m]: same thing for containerd focal18:57
* ahasenack is going down the line18:57
kanashiro[m]it is in all of them18:57
ahasenackkinetic is fine I think18:58
ahasenackthe backport dropped two CVEs, compared to kinetic18:58
ahasenackd/p/series is consistent with d/p/*18:58
kanashiro[m]but they should also have been removed from kinetic, fixing it18:59
kanashiro[m]all the CVE patches are included in the version in lunar18:59
ahasenack-CVE-2022-23471.patch18:59
ahasenack-CVE-2022-31030.patch18:59
-ubottu:#ubuntu-server- containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to sen... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23471>18:59
-ubottu:#ubuntu-server- containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kuber... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31030>18:59
ahasenackthese two were removed18:59
ahasenackoh, hi bto18:59
ahasenackthere are no CVE patches in the kinetic backport19:00
ahasenackkanashiro[m]: in runc, focal, got something similar to the d/helpers situation from docker.io19:22
ahasenackbut this time about debian/source/lintian-overrides19:22
ahasenackit was removed in impish, 1.0.1-0ubuntu119:22
ahasenackbut in the runc focal backport, it's back19:22
kanashiro[m]ack19:26
kanashiro[m]ahasenack: fixed containerd is building in the PPA19:28
kanashiro[m]ahasenack: same for runc, let me know if something is missing19:38
ahasenackkanashiro[m]: in runc, bionic, I just noticed a patch that exists in d/p/*, but not in d/p/series19:38
ahasenackbut that is the case in pkg/ubuntu/bionic-devel already19:38
ahasenackthis patch: debian/patches/test--skip-Hugetlb.patch19:38
kanashiro[m]right, I'm going to remove it too19:39
ahasenackthat was removed in jammy, 1.1.0-0ubuntu119:39
ahasenackthe focal backport doesn't have it, so it's ok19:40
ahasenackeven the previous focal upload does not have it already (pkg/ubuntu/focal-devel)19:40
kanashiro[m]a bunch of leftovers, sorry for that 19:41
ahasenackthis passed previous reviews too19:41
ahasenackat some point its luck would run out and we would catch it :)19:41
kanashiro[m]ahasenack: runc re-uploaded without the patch19:43
ahasenackthis all to the ppa for now, right?19:43
kanashiro[m]yes, all in the ppa19:44
kanashiro[m]once you give me a +1 I'll upload them to the archive19:44
kanashiro[m]but if you prefer I can upload to the archive :)19:44
ahasenackjust check if it builds19:44
ahasenackthen upload to unapproved19:44
ahasenackand I can review again with this tooling19:45
kanashiro[m]no need to bump the version, right?19:45
ahasenackright19:45
ahasenackI'll reject the ones these are replacing in unapproved19:45
kanashiro[m]starting from docker.io19:46
kanashiro[m]ahasenack: all fixed packages uploaded to -unapproved20:14
ahasenackok20:17
=== JanC is now known as Guest3686
=== JanC_ is now known as JanC
=== blippe is now known as MekApelsin
=== MekApelsin is now known as blippe
=== blippe is now known as MekApelsin
HansYou guys and girls are really good at computer right?23:03
HansI have a problem. So I set up a file server at home running a really old Ubuntu OS. I access the server from my windows computer. I did this about 15 years ago, not knowing much about Ubuntu (having only used it on occasions for fun).23:03
HansI thought it was a smart idea, allocating space for me and my daughter on the server. Now my daughter, now married and has not been living at home for over 10 years, wants her files on the Ubuntu server.23:04
HansSo I thought this will be easy - I'll just change the permissions to me and send them to her. As I am an administrator on my Ubuntu server, I thought I'd just log in and change it.23:04
HansBut I can't. I've tried graphic OS and also the terminal with chmod, but whatever I do the server tells me to f*ck off. Is there a super user mode I must use and if so -  how do I use it. Thank you in advance if anyone has any information about this.23:05
arrayboltXEHans: Use "sudo".23:17
arrayboltXEFor instance, rather than "chown user:user /path/to/file", use "sudo chown user:user /path/to/file".23:17
arrayboltXETo chown a whole directory, "sudo chown -R user:user /path/to/file". Careful with that one, a typo could change the ownership on files you didn't mean to change.23:18
JanCI hope you didn't use user home encryption...23:40
