| iconoclast_hero | ogra_: in using the systemd script and ssh, it became obvious that, in order to leverage my ssh keys as well as my visudo permissions on the client side, i was going to have to set the user in my systemd shutdown script to my user instead of root... | 00:01 |
|---|---|---|
| iconoclast_hero | it seems like that might be a security concern? | 00:01 |
| sarnold | i don't know what you're doing but this sounds weird, yes :) | 00:02 |
| iconoclast_hero | we were talking earlier about pushing a umount command over ssh via systemd execstop | 00:05 |
| iconoclast_hero | so that when i shutdown my server i didn't have issues on my laptop since asking the user to remember to dismount the volumes prior to rebooting the server will prove spectacularly unsucessful. | 00:06 |
| sarnold | ahhhh interesting idea | 00:07 |
| iconoclast_hero | as i started to put it together i realized root can't ssh into the other side. | 00:07 |
| iconoclast_hero | client side | 00:08 |
| iconoclast_hero | or server side for that matter, but that's moot | 00:08 |
| iconoclast_hero | and i would need a key pair to log in so unless i created 2 more users whose only roles were to do this, i just use my own keypair. | 00:08 |
| iconoclast_hero | however, on the client side, the visudo of the other user could be just `sudo umount -a -l -t nfs, sshfs` | 00:09 |
| sarnold | iconoclast_hero: so .. my first idea is that the server could run a 'do nothing' service, like a socat listener that forks off a sleep 9999999 program .. the client could then connect to this service, and when the connection drops, then run the umount command .. the server just needs to kill the connection to initiate the umount | 00:14 |
| sarnold | i'm guessing this could be built with nc, socat, stunnel4, sorts of things; and they might not even need to send data to each other. maybe. | 00:15 |
| iconoclast_hero | ok, this is a whole nother level of complexity | 00:15 |
| iconoclast_hero | but go on. | 00:15 |
| sarnold | try, in one terminal, nc -l 1234 ; and then in another terminal, nc localhost 1234 ; hit enter on both of them a few times, see them on the other side, things looking good .. hit ^C on the nc -l 1234 one, and then the next time you hit enter on the client one, it'll return to the shell | 00:17 |
| sarnold | i'm not entirely sure how to turn that into the thing you want :( but it's the flavor of what I'd work with .. | 00:17 |
| iconoclast_hero | well... | 00:18 |
| * JanC tries to understand what you are trying to do? | 00:18 | |
| sarnold | I got to thinking about socat because the 'exec' thing it supports might be better at handling multiple clients | 00:18 |
| sarnold | JanC: get a client to unmount a filesystem gracefully when a server is rebooting | 00:18 |
| iconoclast_hero | i only have one client, but that might not necessarily hold. | 00:18 |
| iconoclast_hero | here's what i put together. | 00:18 |
| JanC | a client-side filesystem? a network filesystem? | 00:19 |
| iconoclast_hero | https://bpa.st/B6DQ | 00:20 |
| iconoclast_hero | https://bpa.st/HVNA | 00:20 |
| iconoclast_hero | i was talking earlier about pushing a umount command over ssh via systemd exestop so that when i shutdown my server i didn't have issues on my laptop since asking the user to remember to dismount the volumes prior to rebooting the server will prove spectacularly unsucessfu | 00:21 |
| iconoclast_hero | i was using sshfs when my system was remote, but now everything's local so i'm using nfs. | 00:22 |
| iconoclast_hero | sarnold, what happens if there's a momentary loss of signal or something? will the nc connection have any timeout period or ...? | 00:23 |
| sarnold | iconoclast_hero: well, that's one of the weak points. if there's no data sent over that socket, it can 'live' silently for *ages* .. if there's a NAT firewall between them, it might drop the state .. | 00:24 |
| sarnold | iconoclast_hero: so it should ride out the network going away for a few minutes, but if you just yank the power directly, the server won't send any of the TCP teardown packets, and the client will never notice | 00:25 |
| sarnold | iconoclast_hero: doing better would require some real thought :) | 00:25 |
| JanC | one option is to have a reverse ssh tunnel that issues the unmount command, I guess, but even then... are you willing to make the server reboot wait until the client is ready, etc.? | 00:25 |
| iconoclast_hero | it is not impossible that I mess something up and reboot the server while the client has something open, but i just don't have data that's that important and it doesn't go back and forth between the machines. | 00:26 |
| iconoclast_hero | if i reboot the server and i've got vlc with an nfs share open, who cares? | 00:27 |
| JanC | but when you are writing to an NFS filesystem it might have data "in flight", and I doubt it will unmount then :) | 00:27 |
| iconoclast_hero | so i was literally going to push the umount -lat nfs, sshfs command and hope for the best... | 00:27 |
| iconoclast_hero | yeah, that came up before. | 00:28 |
| iconoclast_hero | earlier. | 00:28 |
| iconoclast_hero | what i've been doing is basically doing a umount -l on the back end so I'm not sure if that's going to work if i try to do it ahead of time. | 00:29 |
| JanC | autofs can be useful also, up to some degree | 00:29 |
| JanC | and VLC can do userspace NFS | 00:29 |
| JanC | no need to mount anything for VLC ;) | 00:30 |
| JanC | as can most Gtk applications through GIO/Gvfs | 00:30 |
| iconoclast_hero | primarily, it's just being able to move back and forth between the two file systems in the local shell. | 00:31 |
| iconoclast_hero | vlc was the last thing i can remember being open for any length of time. | 00:31 |
| iconoclast_hero | client shell | 00:32 |
| === Szadek36 is now known as Szadek | ||
| iconoclast_hero | userspace nfs is just an nfs implementation that doesn't require kernel and systemd? i don't understand what that means exactly... | 00:32 |
| JanC | it can do NFS without the need for "mounting" in the OS sense of that | 00:33 |
| sarnold | JanC: vlc does userspace NFS?? wild :) | 00:33 |
| sarnold | .. given that it's stateless though maybe it shouldn't be so surprising | 00:33 |
| JanC | libnfs | 00:34 |
| JanC | and GIO/Gvfs allows any Gtk application to do that too really | 00:34 |
| JanC | just access files as nfs://server/path/to/file | 00:34 |
| sarnold | gvfs bugs me though | 00:36 |
| iconoclast_hero | autofs: Remember, automount will mount your SSHFS file-system as root, so you need to: | 00:36 |
| iconoclast_hero | Copy your private key to the /root/.ssh directory. Be sure that you understand the security implications of this before proceeding. | 00:36 |
| iconoclast_hero | Add the necessary host keys to /root/.ssh/known_hosts. | 00:36 |
| iconoclast_hero | yeah, no. | 00:36 |
| JanC | if gvfsd-nfs ever hangs, you can just kill it--a lot less troublesome than a hanging NFS kernel mount :) | 00:38 |
| JanC | sarnold: ^ | 00:38 |
| iconoclast_hero | https://www.reddit.com/r/Fedora/comments/s3sdqj/gvfsnfs_mounts_are_significantly_slower_than/ | 00:41 |
| JanC | yes, it's slower | 00:41 |
| JanC | is it relevant? | 00:41 |
| iconoclast_hero | by 50%? | 00:41 |
| JanC | is it relevant? | 00:41 |
| iconoclast_hero | i don't know | 00:42 |
| sarnold | JanC: apparently 'intr' is the default nfs mount these days! | 00:42 |
| iconoclast_hero | i mean, i don't use nautilus, so unless i can use gvfsd in the terminal, no. | 00:43 |
| JanC | you can use the 'gio' command to mount with Gvfs | 00:43 |
| JanC | and I'm not saying it's the best solution, just an option | 00:44 |
| iconoclast_hero | well, things could have gotten better in 2 years | 00:45 |
| iconoclast_hero | what the hell is GIO? that's not googleable and man doesn't literally spell it out. | 00:46 |
| JanC | "man gio" :) | 00:46 |
| iconoclast_hero | yes, "gio - GIO commandline tool" is somewhat self-referential. | 00:47 |
| sarnold | hah yeah I really dislike the gnome docs ;( | 00:49 |
| sarnold | it's just a generic io thingy that gnome programs use to read and write files and so on that implements some network protocols in userspace rather than using the kernel mount facilities etc | 00:49 |
| JanC | right | 00:50 |
| JanC | and the 'gio' command line tool allows you to use most of its features | 00:50 |
| JanC | but again, I don't know if it is what you want to be fair | 00:51 |
| JanC | it uses FUSE to make virtual mounts available to non-Gtk applications too (which is probably why it's somewhat slow) | 00:52 |
| iconoclast_hero | well... | 00:54 |
| iconoclast_hero | there's data i saw on secured fuse-based sshfs vs secured nfs4 and maybe samaba.... and sshfs holds its own vs nfs4. | 00:55 |
| JanC | as you mentioned VLC, it's always been fast enough to play video _for me_ | 00:55 |
| iconoclast_hero | i don't transfer big files often but it does happen. | 00:55 |
| iconoclast_hero | since i'm the one moving them, it's unlikely that i'm in the middle of doing that and rebooting so the problem of writes is unlikely... so, since this is prior to the server going down, i think maybe a -f would be useful in the umount as well. | 00:57 |
| iconoclast_hero | so unoumt -alft nfs, sshfs | 00:57 |
| iconoclast_hero | but i still have the problem with sshfs and isn't that a user-space fuse system? | 00:58 |
| JanC | how is that an issue? | 00:59 |
| JanC | if you really want to trigger unmounts on server shutdown, I think you probably want a reverse ssh tunnel on every connect, and a restriction on what commands the server can issue on the client | 00:59 |
| iconoclast_hero | reverse ssh tunnel? | 01:00 |
| JanC | say, trigger some systemd session unit | 01:00 |
| JanC | you make the server ssh back into your laptop | 01:01 |
| JanC | through a tunnel set up by your client when it connects to the server | 01:01 |
| JanC | when you set up an ssh connection, it can tunnel more than just the shell you usually use it for | 01:04 |
| iconoclast_hero | ostensibly i know about ssh tunneling vnc, i just've never done it. | 01:05 |
| iconoclast_hero | but it wouldn't be a reverse tunnel, it could just be a tunnel if i understand what a reverse tunnel is. | 01:05 |
| iconoclast_hero | but as far as a trigger, if you can think of something... otherwise, i am sure i can "MAKE" soemthing that will work. | 01:06 |
| JanC | create a user service to set up (start) & tear down (stop) the sshfs mount, and through the reverse tunnel trigger a stop event for it? | 01:12 |
| JanC | sounds like that would be about the cleanest you can get... | 01:12 |
| === chris14_ is now known as chris14 | ||
| iconoclast_hero | yeah, i will look at that, thank you | 01:26 |
| sarnold | if you do use ssh, consider making an account and keys just for this specific thing -- then you can set the key to only execute the one systemctl command that you need, or a shell script that runs the systemctl command, etc | 01:27 |
| JanC | yeah | 01:28 |
| JanC | also, sshd doesn't have to listen on public IP address for this | 01:28 |
| JanC | on the laptop | 01:29 |
| JanC | (you could use something else to trigger the command also, I guess) | 01:29 |
| JanC | anything that listens on the laptop and can trigger a command could work | 01:32 |
| JanC | I guess that might include systemd itself even? (never tried) | 01:32 |
| sarnold | ha! I forgot about the .socket thingies | 01:36 |
| iconoclast_hero | i don't understand sockets yet | 01:52 |
| iconoclast_hero | i figured out mpd is using them. | 01:52 |
| iconoclast_hero | i just don't know what they are and why i want them yet. | 01:52 |
| iconoclast_hero | but as for the account and keys, how do you tie a key to a command? | 01:53 |
| iconoclast_hero | or the account can only do that one thing? | 01:53 |
| sarnold | you could use ForceCommand in a Match block in the sshd configuration https://unix.stackexchange.com/a/464640/7064 | 01:58 |
| sarnold | there's some command=/foo/bar support in the key format but I'm not sure how that works :( | 01:59 |
| sarnold | and the ssh-keygen manpage mentions a force-command with *certificates* .. which might be really cool. i've been meaning to learn how those work for years. | 02:00 |
| === lubuntu is now known as tumito | ||
| iconoclast_hero | I see | 02:07 |
| iconoclast_hero | according to mike malone, we're doing ssh wrong | 02:08 |
| iconoclast_hero | https://smallstep.com/blog/use-ssh-certificates/ | 02:08 |
| rbox | thats also how the xz backdoor worked | 02:09 |
| rbox | so... are certificates really that good? | 02:09 |
| iconoclast_hero | "SSH encourages bad security practices. Rekeying is hard, so it's not done. Users are exposed to key material and encouraged to reuse keys across devices. Keys are trusted permanently, so mistakes are fail-open." | 02:09 |
| sarnold | iconoclast_hero: thanks for the link | 02:09 |
| iconoclast_hero | well, i think he's got a point there. | 02:09 |
| sarnold | yes | 02:09 |
| iconoclast_hero | i should probably change all my keys | 02:10 |
| iconoclast_hero | like now | 02:10 |
| * iconoclast_hero sighs | 02:10 | |
| === antonispgs3 is now known as antonispgs | ||
| rbox | and who is mike malone anyway | 02:13 |
| rbox | is that post malones cousin? | 02:14 |
| iconoclast_hero | 🤷 | 02:15 |
| iconoclast_hero | i just thought it sounded good | 02:15 |
| rbox | hes trying to push some kind of a prouduct | 02:15 |
| rbox | of course hes gonna make it sound good | 02:16 |
| iconoclast_hero | no, i meant "[22:08:58] <iconoclast_hero> according to mike malone, we're doing ssh wrong" | 02:17 |
| rbox | of course hes going to say that | 02:21 |
| iconoclast_hero | well, i don't know that he succeeded in making it easier for a wider audience to understand | 02:22 |
| porkknox | knock knock | 03:28 |
| lotuspsychje | who's there? | 03:28 |
| porkknox | Surprisingly, you. This place isn't dead? | 03:28 |
| === aaaaaaa is now known as perpustakaan | ||
| === coren is now known as lillimax | ||
| === gschanuel53 is now known as gschanuel5 | ||
| rema | I try to compile module CONFIG_TOUCHSCREEN_WACOM_W8001 for friendlyelec nanopc t6. make clean fails (scripts/Makefile.clean:15: drivers/base/arm/memory_group_manager/Makefile: No such file or directory). Any suggestions how to compile and load the module for my penabled? | 07:52 |
| === zabir is now known as dickson | ||
| === deepSleep is now known as Guest3455 | ||
| Guest3569 | Hi. I've a bionic small server amd64, I cannot upgrade it to newer version of ubuntu yet. | 10:36 |
| Guest3569 | How can I compile or back port pgbackrest? | 10:36 |
| lotuspsychje | Guest3569: do you pay for ESM on your bionic? | 10:38 |
| ice9 | when doing ssh with encrypted private key, it doesn't ask any more to unlock it using the GUI/seahorse in gnome-shell, but it's asking it from the CLI; how to fix that? | 10:38 |
| legend1234 | buongiorno | 11:18 |
| eszterb | test 1 | 11:41 |
| === Guest3569 is now known as ferz | ||
| === ancientz8 is now known as ancientz | ||
| ferz | which is the package for lib openssl? | 12:40 |
| BluesKaj | Hi all | 12:49 |
| === g-lobster is now known as gammaraylobster | ||
| === coz_ is now known as Bcoz_ | ||
| a1fa | hello! is anyone testing 24.04? there are some annoying drm hangs with radeon driver | 13:37 |
| a1fa | looks like its hanging the entire pci backplane | 13:42 |
| Wyslijp16 | hi everyone | 13:53 |
| Wyslijp16 | I was here about wednesday to install Ubuntu, some persons said me to install the iso on one usb and next to install from the first usb to an other | 13:53 |
| Wyslijp16 | I have now the iso on one usb, and the other, can someone help me step-by-step or have a great tutorial on youtube please ? | 13:53 |
| respawn | just folow the installer promts | 13:54 |
| respawn | if you are dual booting you will get option to install alongside | 13:55 |
| Wyslijp16 | I'm in the ubuntu test mode, i started install ubuntu to install in my usb | 13:56 |
| Wyslijp16 | but it gives me an error about partition menu... | 13:56 |
| respawn | you need to pick the hard drive and check if it is detected disable safeboot and fast boot | 13:56 |
| Wyslijp16 | It's done | 13:57 |
| bigfoot1 | Hello All. Ihave a pi400 and wnt to do an Network-Load a KUBUNTU. Is here a version with KDE interface? | 14:33 |
| bigfoot1 | Ok,bye. | 14:35 |
| mlvn | hi | 15:33 |
| mlvn | is there anyone here | 15:35 |
| RaptureMe | hello | 15:50 |
| RaptureMe | anyone here ? | 15:50 |
| gordonjcp | RaptureMe: quite a lot of people are here | 16:00 |
| gordonjcp | it's Saturday teatime though | 16:00 |
| gordonjcp | probably very few people are looking at their computers | 16:00 |
| vargfrost | when i click show hidden files in nautilus a file named .cef-dev-tools-size.vdf and it contain: https://paste.ubuntu.com/p/b9hrFMr6r9/ what is this? why does show hidden files in nautilus create this file? im running Ubuntu 22.04.4 LTS 64 bits. | 16:01 |
| oerheks | a short search ' .cef-dev-tools-size.vdf' leads to steam creates this file? | 16:05 |
| oerheks | 'show hidden files ' itself did not create it | 16:05 |
| === Guest957 is now known as user | ||
| === user is now known as Guest7659 | ||
| vargfrost | well i thought it was for the windows version of steam it created that file | 16:08 |
| vargfrost | it looks like it creates it for linux also then | 16:09 |
| vargfrost | ok anyways thanks for the help | 16:17 |
| ice9 | how to report a bug about a snap app? | 16:25 |
| oerheks | snap info <snap_name> gives the publisher and a contact email or URL which can be used to report issues. | 16:27 |
| oerheks | probably https://forum.snapcraft.io/categories is the best place | 16:27 |
| ice9 | unfortunately Skype has no contact email and I'm getting the below line every second in the log, there are about 830 entries in few hours: | 16:36 |
| ice9 | audit: type=1400 audit(1713630883.891:16965): apparmor="DENIED" operation="open" class="file" profile="snap.skype.skype" name="/sys/devices/pci0000:00/0000:00:1f.0/PNP0C09:01/ACPI0003:00/power_supply/AC0/online" pid=37554 comm="skypeforlinux" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 | 16:36 |
| oerheks | contact them to alter apparmor spam level https://snapcraft.io/skype | 16:38 |
| oerheks | not how to do this for a snap package https://wiki.debian.org/AppArmor/HowToUse#Enabling_profiles | 16:41 |
| juliaaa | on 22.04 im trying to figure out why my sshd doesn't always start when I reboot after a kernel update. I'm pretty sure I've got it set so that it waits on the network to come up first :| | 17:44 |
| rbox | what does the journal say the failure is | 17:45 |
| juliaaa | ? | 17:46 |
| rbox | well if its not starting, that means its failing to start | 17:47 |
| rfm | actually sshd is triggered by a socket unit, so it doesn't even try to start until the first connection attempt is made | 17:48 |
| juliaaa | what might be wrong then? | 17:48 |
| oerheks | sudo systemctl status ssh | 17:49 |
| juliaaa | oerheks well, I run it headless. oddly, on a 2nd (hard) reboot, it comes up. | 17:53 |
| juliaaa | just updated and rebooted (new kernel, docker, and sshd update) | 17:55 |
| juliaaa | probably networkmanager being a b? | 17:56 |
| juliaaa | ssh.service has After=network.target set | 17:57 |
| juliaaa | ssh.service shows started, however my ssh.socket config shows the default port. I'd changed the sshd port in the sshd conf file to a non-standard port | 18:09 |
| irgendwer4711 | hi, ubuntu server installer keeps crashing again and again. I can't install after selecting partitions... | 18:19 |
| tomreyn | irgendwer4711: you might want #ubuntu-server for supported stable releases, or #ubuntu-next for what will be 24.04 LTS | 18:22 |
| irgendwer4711 | tomreyn: ok switching... | 18:23 |
| deadrom | hi | 19:08 |
| deadrom | raspi sdcard in a sdcard reader on ubu22.04, blkid has nothing on the two partitons on it but should have. sdcard reader issue? usb issue? | 19:09 |
| deadrom | nvm sudo was missing | 19:10 |
| === henry404088 is now known as henry40408 | ||
| === quique_ is now known as quique | ||
| === henry404088 is now known as henry40408 | ||
| === ajfriesen6 is now known as ajfriesen | ||
| pycurious | On my ubuntu login UI - I see enter PIN for Smartcard? How do I entery my password and login? Instead of smartcard? | 23:27 |
| pycurious | Is this what i need to run -> sudo -u gdm env DCONF_PROFILE=gdm gsettings set org.gnome.login-screen enable-smartcard-authentication false | 23:28 |
| pycurious | no matter what i try - i get "pin for smartcard" | 23:40 |
| pycurious | I guess I broke ubuntu - now it says "Something went wrong. The system cant recover" | 23:46 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!