[00:42] <sergiodj> lvoytek: hey, still there?
[00:45] <sergiodj> lvoytek: for when you're aroung, I'm wondering about bind9's MRE.  are you focusing only on Jammy, or will it include Focal as well?
[06:12] <lunatiq> https://www.ryadel.com/en/vsftpd-configure-different-home-folder-each-user-specific-directory/ I folllowedd this guide for 22.04 but used the information found here https://www.how2shout.com/linux/how-to-install-vsftpd-to-setup-ftp-server-on-ubuntu-22-04/
[06:12] <lunatiq> but I can't connect to my directory
[06:31] <lunatiq> I got it working
[07:07] <lunatiq> if I wanted to add a ftp user to the www-data:www-data /var/www/example.com I would have to add that user to the www-data group right?
[07:07] <lunatiq> I mean
[07:07] <lunatiq> allow that user ti write
[07:09] <andol> lunatiq: I would probably rather change the directory ownership of /var/www/example.com.
[07:10] <andol> By adding the user to the www-data group you are also giving that user access to whatever else that group might have access to.
[07:11] <andol> Of course, the web server still need to be able to read the /var/www/example.com folder, so unless you have it globally readable you might want to create a new group, containg both your ftp user(s) and the www-data user
[07:14] <lunatiq> andol I don't understand the solution
[07:23] <lunatiq> https://groveld.com/articles/give-user-permission-to-edit-and-add-files-in-var-www doesn't this imply files have more than 644 ?
[13:32] <ahasenack_> kanashiro[m]: lunar-proposed has containerd 1.6.12, latest upstream is 1.6.15
[13:32] <ahasenack_> do you want to update that in unapproved for the SRU, or is 1.6.12 still fine?
[13:33] <ahasenack_> did you check the changelogs for .13, .14, .15? Nothing to worry about in .12 that is being fixed?
[13:40] <ahasenack_> (and next week we will probably have 1.6.16, and so on, I know...)
[13:59] <ahasenack_> kanashiro[m]: also, containerd 1.6.12 has reds in excuses (https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#containerd)
[14:05] <kanashiro[m]> ahasenack: I was not planning to update it to a newer upstream release
[14:05] <ahasenack_> ok, what about it being stuck in lunar-proposed for 36 days?
[14:05] <kanashiro[m]> I can't keep the upstream pace due to other duties 
[14:06] <kanashiro[m]> It is stuck because of another golang package that was added as runtime dependency 
[14:08] <kanashiro[m]> There is one regression now, but the reference test is being executed, might not be a regression 
[14:09] <ahasenack_> how does this affect the backport? Is that new runtime dependency also needed for the backport? (I haven't checked the packages yet, just doing preliminary checks)
[14:09] <kanashiro[m]> golang-google-grpc is blocking it for a while
[14:10] <kanashiro[m]> ahasenack: those new runtime deps were added in ubuntu2 and I backported ubuntu1 to avoid this exact issue 
[14:11] <ahasenack_> are they vendored in ubuntu1?
[14:11] <kanashiro[m]> I am working on containerd right now to see if I can make it better (not adding all those runtime deps that were not even used to build it) 
[14:11] <kanashiro[m]> ahasenack: yes
[14:12] <kanashiro[m]> They are still vendored in ubuntu2, but to fix some other packages depending on the containerd library those deps were added (other packages cannot import vendor code right now)  
[14:12] <lvoytek> sergiodj: For the bind9 MRE I have been focusing on jammy but I should be able to add focal to the mix too if we want
[14:34] <ahasenack_> kanashiro[m]: in the focal upload (https://launchpadlibrarian.net/644066393/docker.io_20.10.21-0ubuntu1~20.04.1_source.changes), you have a d/changelog entry stating a change in d/control to not build it on riscv64, but I'm failing to find that change, or any reference to risc in d/control. WHat is it?
[14:35] <ahasenack_> ftr, I checked and the focal builds in the archive indeed do not have riscv64
[14:35] <ahasenack_> so this is just about the changelog mention, and a pontential change to d/control I'm not seeing
[14:40] <kanashiro[m]> hum, let me check
[14:41] <kanashiro[m]> ahasenack: I have this change in place: https://github.com/tianon/debian-docker/commit/46669329a1c698f9b98117a8ca8eb839d6b6751e
[14:41] -ubottu:#ubuntu-server- Commit 4666932 in tianon/debian-docker "d/control: do not build docker.io in riscv64"
[14:43] <ahasenack_> I see
[14:43] <ahasenack_> it's indeed applied
[14:43] <ahasenack_> but doesn't show in the diff, so maybe it was applied before already, checking
[14:46] <kanashiro[m]> I think I needed to do the same in the last SRU
[14:48] <ahasenack_> in any case, since it's a backport from an ubuntu release which does not have it, we need it
[14:48] <ahasenack_> I'm just trying to figure out what's going on with the diffs
[15:50] <sergiodj> lvoytek: great.  let's discuss this with the team, but I believe it's worth supporting Focal as well
[15:50] <lvoytek> sergiodj: sounds good
[15:59] <xibalba> anyone know of a tool I could use to simulate latency and packetloss on an interface? I want to put 2 interfaces into a bridge and connect Router 1 <-- bridge --> Router2 and use that to simulaten pkt loss or latency
[16:00] <xibalba> in freebsd i'd use dummynet, i know linux has a tool i forgot it's name
[16:07] <sdeziel> xibalba: AFAIK, the tool to use on Linux is called `tc`
[16:07] <xibalba> thats it, thank you!
[16:07] <xibalba> trafficcontrol
[16:17] <LinuxakiasGR> hi
[16:18] <LinuxakiasGR> i was wondering what the best sysctl config would be for values like offloading and tcp mem etc for 100 mbit so finetuning for latency instead of throughput
[16:22] <lunatiq> how to allow www-data and ftp user to have write permissions to vsftpd local_root=
[16:22] <lunatiq> without chaning to 775
[16:32] <LinuxakiasGR> *silence*
[16:37] <sdeziel> lunatiq: you can use ACLs or maybe put both users in a group that has write access to that dir
[16:48] <lunatiq> sdeziel that exposes people to write to files if attacker gain access
[16:48] <lunatiq> I don't want 775
[16:49] <patdk-lap> lowering mtu size always gives better latency
[16:49] <patdk-lap> any other adjustment doesn't really help latency
[16:50] <patdk-lap> there is no other way
[16:50] <patdk-lap> if you use acl or 775 it could give only www-data and ftp access to the files
[16:50] <patdk-lap> but both methods can be used to attack and update the files
[16:50] <patdk-lap> there is no way around it, other than to not get hacked
[16:52] <patdk-lap> for offloading, disable gso, tso, lro, gro, ... too remove the batch offloading features, but I don't think this will give you any real measurable latency increase
[16:52] <patdk-lap> tcp mem only handles bandwidth
[16:54] <patdk-lap> I just use 775, 755, or some other 7xx value, depending on the need of the file, file is owned by the user, and ftp logs in as that user
[16:54] <LinuxakiasGR> hmmm thanks for the info
[16:55] <patdk-lap> user can make the file group to www-data, giving webserver read, and maybe also write access
[16:55] <LinuxakiasGR> and rx tx values ?
[16:55] <patdk-lap> and I protect it with apparmor so different users cannt access different users websites
[16:55] <patdk-lap> what rx and tx values?
[16:55] <LinuxakiasGR> ive read higher values are good for high bandwith but increase latency
[16:56] <LinuxakiasGR> for offloading i mean
[16:56] <LinuxakiasGR> was experimenting with rx tx values
[16:56] <patdk-lap> that is just queue size
[16:56] <patdk-lap> that value doesn't matter
[16:56] <LinuxakiasGR> hmm
[16:56] <patdk-lap> higher is better always
[16:57] <patdk-lap> lower means you could have dropped packets
[16:57] <LinuxakiasGR> txqeuelen also low right?
[16:57] <patdk-lap> if you dont empty the queue fast enough
[16:57] <patdk-lap> ya, that you would want lower
[16:57] <patdk-lap> maybe 100 for 100mbit
[16:57] <LinuxakiasGR> i seee people set vrazy values like 10000 or more i set it 128
[16:57] <patdk-lap> well, they are doing 10gbit
[16:57] <patdk-lap> so you want it higher than 1000
[16:58] <LinuxakiasGR> hmm thanks
[16:58] <sdeziel> lunatiq: not sure I understand your requirements ... you want the ability to write but are also worried about it /me confused
[16:58] <patdk-lap> for how your ethtool -g stuff works, for the ring buffers
[16:58] <patdk-lap> you need to look at ethtool -c
[16:58] <lunatiq> I found this https://blog.sys4.de/vsftpd-local-chrooted-user-write-access-ubuntu-precise-1204-en.html
[16:59] <patdk-lap> as that controls how often the nic tells the os something is in the buffer
[16:59] <patdk-lap> and will impact latency
[16:59] <patdk-lap> but normally that value is defaulted for most nics very low
[16:59] <patdk-lap> I have only seen it high on a single brand
[17:00] <LinuxakiasGR> btw i found bbr in combination with fq_codel to be best for client side in latency
[17:00] <LinuxakiasGR> what about router side?
[17:00] <patdk-lap> router has no control over those
[17:00] <LinuxakiasGR> fq_codel does bad for routers ive heard... cake?
[17:00] <patdk-lap> hmm it doesn't affect routers at all
[17:01] <LinuxakiasGR> im on openwrt with latest kernel
[17:01] <LinuxakiasGR> not latest but 5.15 or smth
[17:01] <LinuxakiasGR> so i can set it directly on wan
[17:02] <patdk-lap> bbr is a tcp thing, it ONLY can be affect the sending endpoint of a tcp connection, not anything inbetween like a router
[17:02] <patdk-lap> it wont affect receving latency or bandwidth of a tcp connection
[17:02] <LinuxakiasGR> hmm
[17:03] <patdk-lap> that is controlled by what the sender is using on the other end, be it bbr or somethign else
[17:03] <LinuxakiasGR> google servers use it
[17:03] <patdk-lap> and they MOSTLY send data
[17:03] <patdk-lap> using it at home only AFFECTS uploads
[17:03] <LinuxakiasGR> i notice when i configure firefox to get rid of bufferbloat in prefs.js  and enable http3 on top of that on client side bbr2 and fq_codel videos load in nanosecond lol
[17:04] <LinuxakiasGR> even on 100 mbit latency is amazing
[17:04] <patdk-lap> bbr has no affect on http3
[17:04] <LinuxakiasGR> youtube which is bbr with http3 i mean
[17:04] <patdk-lap> http3 isn't even using tcp, so congestion control protocols wouldn't matter at all
[17:04] <LinuxakiasGR> i know its 2 diferent things but enabling them on sites like youtube does make a good change
[17:04] <patdk-lap> you cannot do bbr with http3
[17:04] <LinuxakiasGR> hmm
[17:05] <LinuxakiasGR> its udp right
[17:05] <patdk-lap> http3 is udp, there is no congestion control. so no bbr or anything is needed
[17:05] <patdk-lap> and again, you are receiving, so you cannot change that by picking a new congestion control method, like bbr, if it was tcp (http/http2)
[17:06] <LinuxakiasGR> http3 is great though
[17:06] <patdk-lap> depends
[17:06] <patdk-lap> it doesn't resolve single stream issues
[17:06] <patdk-lap> that http2 created
[17:06] <LinuxakiasGR> if only ipv6 didnt suck. i believe it makes more difference
[17:06] <patdk-lap> so if your router is throttling you per stream, to share across users and stuff
[17:07] <patdk-lap> it hurts you
[17:07] <LinuxakiasGR> hmmm
[17:07] <patdk-lap> if your not throttled, and dont have much packet loss, it's great
[17:07] <LinuxakiasGR> yes single user on the router
[17:07] <LinuxakiasGR> most of the time at least
[17:07] <patdk-lap> it gets really problematic at like hotels
[17:08] <LinuxakiasGR> what about tcp fast open  and tcp low latency parameters
[17:09] <LinuxakiasGR> in my setup something is messing with the connection so disabled most tcp config
[17:09] <patdk-lap> doubt it's very useful
[17:09] <patdk-lap> matters only when making lots of connections to the same server
[17:10] <LinuxakiasGR> hmm
[17:10] <patdk-lap> if you don't make a lot of connections constantly, no use
[17:10] <patdk-lap> so for a webserver that uses mysql, it can be very helpful
[17:10] <patdk-lap> but not normally a client desktop
[17:10] <LinuxakiasGR> i see
[17:11] <patdk-lap> and as it's considered a vulnerability, doubt many people use it
[17:11] <LinuxakiasGR> didnt know
[17:13] <patdk-lap> I would say, unless your directly connected to the internet with <1ms latency
[17:13] <patdk-lap> nothing you do on your machine will matter much at all
[17:14] <patdk-lap> as it will all be overrun with the latency your isp adds
[17:15] <patdk-lap> kindof like, does 0.002 ms matter when your isp adds 8ms
[17:15] <LinuxakiasGR> only hardware or browser config was the bottleneck i could really change
[17:15] <patdk-lap> it matters if your doing server to server on a local network, or localish
[17:15] <LinuxakiasGR> for example firefox on default settings has terrible bufferbloat
[17:15] <LinuxakiasGR> most of the kernel settings didnt influence much yes
[17:16] <patdk-lap> well, cause bufferboat doesn't happen there
[17:16] <patdk-lap> but at whatever had the buffer
[17:16] <lunatiq> https://blog.sys4.de/vsftpd-local-chrooted-user-write-access-ubuntu-precise-1204-en.html does this enable anyone to login to your vsftpd?
[17:16] <patdk-lap> normally your isp modem
[17:16] <LinuxakiasGR> btw when im using pppoe passhtrough it gets even worse cause they connect me to a server far away. when i dont use passthrough its local
[17:16] <patdk-lap> and you can only resolve outgoing buffer bloat, cause incoming isn't under your control
[17:17] <LinuxakiasGR> cant even use passthrough im losing bandwith and latency
[17:17] <LinuxakiasGR> hmm
[17:18] <LinuxakiasGR> this isp modem is quite good hardware. tried to find a workaround to hack it and put openwrt on it but no luck
[17:18] <LinuxakiasGR> its fully locked even console locked
[17:18] <LinuxakiasGR> bootloader locked
[17:18] <patdk-lap> always best to use an isp that doesn't use a modem
[17:19] <patdk-lap> just drop me fiber and let me plug it directly into my router
[17:19] <LinuxakiasGR> they still carry the connection to all house with thick copper wire. like coax... no twisted pair nothing
[17:19] <LinuxakiasGR> imagine
[17:19] <LinuxakiasGR> theres lots of loss even if it comes with glassfiber. then it goes through coax to every house locally
[17:20] <patdk-lap> ya, and then you need a modem, and it has to time multiplex the data, adding lots of latency you cannot control
[17:20] <patdk-lap> and due to that, they have large buffers
[17:20] <LinuxakiasGR> yes bufferbloat and ping can never be good on these things
[17:20] <LinuxakiasGR> currently i cant get it better than 9 ping 33 bufferbloat on upload and download
[17:20] <LinuxakiasGR> in better hardware. on slow hardware its worse
[17:20] <LinuxakiasGR> and wired btw
[17:20] <LinuxakiasGR> not eve wireless
[17:26] <LinuxakiasGR> heading out again thanks for the valuable info take care
[17:55] <ahasenack> kanashiro[m]: did you have to reintroduce debian/helpers/gitcommit.sh when doing the focal backport of lunar's docker.io?
[17:55] <ahasenack> that whole directory (debian/helpers) was removed in hirsute, 20.10.2-0ubuntu1
[17:55] <ahasenack> so current focal-devel still has it
[17:55] <ahasenack> and your upload too, if I'm correct
[17:57] <kanashiro[m]> ahasenack: I did not touch it, and I do not recall any change regarding that 
[17:57] <kanashiro[m]> It should be still the same 
[17:57] <ahasenack> kanashiro[m]: can we jump into a quick hangout?
[17:58] <lunatiq> Can anyone help with vsftpd?
[17:58] <kanashiro[m]> ahasenack: yes
[18:27] <lunatiq> I keep 755 on folders how do I enable a FTP user to access www-data without adding them to the group and making 775
[18:27] <lunatiq> write permission
[18:37] <kanashiro[m]> ahasenack: both packages are building here: https://launchpad.net/~lucaskanashiro/+archive/ubuntu/container-backports
[18:37] <ahasenack> ok
[18:37]  * ahasenack leaves a ppa watch running
[18:42] <LinuxakiasGR> https://www.youtube.com/watch?v=EOfw61bjfE4
[18:42] <LinuxakiasGR> LoL
[18:49] <ahasenack> kanashiro[m]: hm, one other thing, in containerd for jammy this time
[18:49] <ahasenack> kanashiro[m]: your upload has no CVE patches in d/p/series, but the patches themselves are still in debian/patches/CVE*.patch
[18:50] <kanashiro[m]> ahasenack: meh, let me take a look
[18:50] <ahasenack> dget https://launchpad.net/ubuntu/jammy/+upload/30336274/+files/containerd_1.6.12-0ubuntu1~22.04.1.dsc
[18:53] <kanashiro[m]> my bad, let me upload them to the PPA without those files
[18:57] <ahasenack> kanashiro[m]: same thing for containerd focal
[18:57]  * ahasenack is going down the line
[18:57] <kanashiro[m]> it is in all of them
[18:58] <ahasenack> kinetic is fine I think
[18:58] <ahasenack> the backport dropped two CVEs, compared to kinetic
[18:58] <ahasenack> d/p/series is consistent with d/p/*
[18:59] <kanashiro[m]> but they should also have been removed from kinetic, fixing it
[18:59] <kanashiro[m]> all the CVE patches are included in the version in lunar
[18:59] <ahasenack> -CVE-2022-23471.patch
[18:59] <ahasenack> -CVE-2022-31030.patch
[18:59] -ubottu:#ubuntu-server- containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to sen... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23471>
[18:59] -ubottu:#ubuntu-server- containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kuber... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31030>
[18:59] <ahasenack> these two were removed
[18:59] <ahasenack> oh, hi bto
[19:00] <ahasenack> there are no CVE patches in the kinetic backport
[19:22] <ahasenack> kanashiro[m]: in runc, focal, got something similar do the d/helpers situation from docker.io
[19:22] <ahasenack> but this time about debian/source/lintian-overrides
[19:22] <ahasenack> it was removed in impish, 1.0.1-0ubuntu1
[19:22] <ahasenack> but in the runc focal backport, it's back
[19:26] <kanashiro[m]> ack
[19:28] <kanashiro[m]> ahasenack: fixed containerd is building in the PPA
[19:38] <kanashiro[m]> ahasenack: same for runc, let me know if something is missing
[19:38] <ahasenack> kanashiro[m]: in runc, bionic, I just noticed a patch that exists in d/p/*, but not in d/p/series
[19:38] <ahasenack> but that is the case in pkg/ubuntu/bionic-devel already
[19:38] <ahasenack> this patch: debian/patches/test--skip-Hugetlb.patch
[19:39] <kanashiro[m]> right, I'm going to remove it too
[19:39] <ahasenack> that was removed in jammy, 1.1.0-0ubuntu1
[19:40] <ahasenack> the focal backport doesn't have it, so it's ok
[19:40] <ahasenack> even the previous focal upload does not have it already (pkg/ubuntu/focal-devel)
[19:41] <kanashiro[m]> a bunch of leftovers, sorry for that 
[19:41] <ahasenack> this passed previous reviews too
[19:41] <ahasenack> at some point its luck would run out and we would catch it :)
[19:43] <kanashiro[m]> ahasenack: runc re-uploaded without the patch
[19:43] <ahasenack> this all to the ppa for now, right?
[19:44] <kanashiro[m]> yes, all in the ppa
[19:44] <kanashiro[m]> once you give me a +1 I'll upload them to the archive
[19:44] <kanashiro[m]> but if you prefer I can upload to the archive :)
[19:44] <ahasenack> just check if it builds
[19:44] <ahasenack> then upload to unapproved
[19:45] <ahasenack> and I can review again with this tooling
[19:45] <kanashiro[m]> no need to bump the version, right?
[19:45] <ahasenack> right
[19:45] <ahasenack> I'll reject the ones these are replacing in unapproved
[19:46] <kanashiro[m]> starting from docker.io
[20:14] <kanashiro[m]> ahasenack: all fixed packages uploaded to -unapproved
[20:17] <ahasenack> ok
[23:03] <Hans> You guys and girls are really good at computer right?
[23:03] <Hans> I have a problem. So I set up a file server at home running and really old Ubuntu OS. I access the server from my windows computer. I did this about 15 years ago, not know much about Ubuntu (having only used in on occations for fun).
[23:04] <Hans> I thought it was a smart idea, allocating space for me and my daughter on the server. Now my daughter, now married and has not been living at home for over 10 years, wants her files on the Ubuntu server.
[23:04] <Hans> So I thought this will be easy - I'll just change the permissions to me and send them to her. As I am an administrator on my Ubuntu sever, I thought I'd just log in and change it.
[23:05] <Hans> But I can't. I've tried grafic OS and also the terminal with chmod, but whatever I do the servers tells me to f*ck off. Is there a super user mode I must use and if so -  how do I use it. Thank you in advance if anyone has any information about this.
[23:17] <arrayboltXE> Hans: Use "sudo".
[23:17] <arrayboltXE> For instance, rather than "chown user:user /path/to/file", use "sudo chown user:user /path/to/file".
[23:18] <arrayboltXE> To chown a whole directory, "sudo chown -R user:user /path/to/file". Careful with that one, a typo could change the ownership on files you didn't mean to change.
[23:40] <JanC> I hope you didn't use user home encryption...