| === chris14_ is now known as chris14 | ||
| === voeid5 is now known as voeid | ||
| === ahasenack__ is now known as ahasenack | ||
| === wete_ is now known as wete | ||
| === wete_ is now known as wete | ||
| === wete_ is now known as wete | ||
| === wete_ is now known as wete | ||
| hwpplayer1 | hello | 20:42 |
|---|---|---|
| hwpplayer1 | sarnold: hello | 20:42 |
| hwpplayer1 | May I ask you a question about Canonical ? (I think that you work at Canonical) | 20:42 |
| hwpplayer1 | I'll ask later | 20:44 |
| hwpplayer1 | Thanks | 20:44 |
| sarnold | hwpplayer1: yes, I work at canonical; I'm happy to answer anything :) | 21:44 |
| hwpplayer1 | I want to work at Canonical | 21:50 |
| hwpplayer1 | For kernel engineer position | 21:50 |
| hwpplayer1 | do you have any suggestion in your mind ? | 21:50 |
| hwpplayer1 | I changed my mind | 21:51 |
| hwpplayer1 | sarnold: how are you doing by the way ? | 21:53 |
| hwpplayer1 | Sorry I directly asked my question | 21:53 |
| hwpplayer1 | my bad | 21:53 |
| sarnold | hwpplayer1: hey :) not bad not bad, I'm enjoying the cooler weather that we're having lately, it's been too hot for me most of the summer | 21:55 |
| sarnold | hwpplayer1: how's it going for you? | 21:55 |
| hwpplayer1 | I'm excited I started C++ course | 21:56 |
| hwpplayer1 | And also I have a relaxed mind | 21:56 |
| hwpplayer1 | Here is too hot same | 21:56 |
| sarnold | hwpplayer1: oo relaxed mind and a good course, sounds nice, except for the heat, hehe | 21:56 |
| hwpplayer1 | :D yes | 21:57 |
| hwpplayer1 | I have icecream to warm down | 21:57 |
| sarnold | \o/ | 21:57 |
| hwpplayer1 | to become colder maybe better | 21:58 |
| hwpplayer1 | Do you run Emacs ? | 21:58 |
| sarnold | hwpplayer1: we've got a fairly large kernel team and I really only talk with a handful of kernel engineers where their work intersects with security .. so my insights into the team are a bit limited. generally speaking, I'd encourage making the most of the written essays, highlighting successes and trying to write with a 'voice' | 21:58 |
| sarnold | hwpplayer1: the essays are read by humans and if you keep that in mind it'll probably help out | 21:59 |
| hwpplayer1 | understood | 22:00 |
| sarnold | hwpplayer1: heh, I run vim .. back when I started, vi was everywhere, but emacs was only on some systems, so the choice was easy. today I might choose differently, the emacs users seem happier. | 22:00 |
| hwpplayer1 | I run vim/vi on BSD systems | 22:00 |
| hwpplayer1 | I don't struggle to install | 22:01 |
| hwpplayer1 | emacs | 22:01 |
| hwpplayer1 | how many computers and phones do you have ? I have one Debian machine and an Android | 22:01 |
| hwpplayer1 | what should I do to be elected to the kernel team ? how to start contributing ? | 22:02 |
| hwpplayer1 | Should I start by visiting kernel newbies upstream developers ? | 22:03 |
| hwpplayer1 | I will study hard this year until the 2025 / 2024 December and try my best | 22:05 |
| sarnold | heh, when I started, it was very common to use someone else's computer -- I'd dial in to my ISP and use the stock vi on the thing | 22:05 |
| sarnold | I interact with two android phones, one android table, very regularly, and have a handful of replaced android phones sitting around; I've got three ubuntu computers powered on at the moment; I've got one powered down right now because it generates a lot of heat, and two more that are less useful than I would like :( | 22:06 |
| sarnold | i've also got an ubuntu VM hosted in AWS for irc | 22:07 |
| hwpplayer1 | cool | 22:08 |
| hwpplayer1 | Do you have Ubuntu Pro | 22:08 |
| hwpplayer1 | I was using 22.04 LTS with Pro | 22:08 |
| hwpplayer1 | I'll be back soon to Ubuntu with the latest LTS | 22:10 |
| hwpplayer1 | Now I run Debian, my goal is to learn the Debian infrastructure the deb packaging I mean and the other things | 22:11 |
| hwpplayer1 | I run Emacs 29.4 with backports | 22:11 |
| hwpplayer1 | brb | 22:13 |
| sarnold | yes, I've got ubuntu pro enabled on most of my computers | 22:13 |
| hwpplayer1 | thanks | 22:13 |
| hwpplayer1 | That's good to hear | 22:13 |
| sarnold | I use the kernel livepatches on some of them, and universe updates on all of them | 22:13 |
| hwpplayer1 | I'm very interested in livepatch | 22:13 |
| hwpplayer1 | Did canonical start after Red Hat and Suse | 22:14 |
| sarnold | oh right, kernelnewbies .. it used to be much more active. there's still conversations in the irc channel; I haven't been on the mail list for a very long time, I'm not sure how healthy that is | 22:14 |
| sarnold | yes | 22:14 |
| sarnold | we got to benefit from their efforts, because we got to use the livepatching facility that was upstreamed into the kernel, while I believe both redhat and suse were using their own out-of-tree functionality that formed the basis of what got upstreamed | 22:14 |
| hwpplayer1 | But in my opinion Ubuntu is at the center between enterprise companies and individuals so it is better for me | 22:15 |
| hwpplayer1 | a better karma | 22:15 |
| sarnold | i'm not sure if red hat and suse are still using their own things or if they've been able to switch to the upstream implementation; I expect the process of preparing updates is pretty similar for all three approaches | 22:15 |
| hwpplayer1 | understood | 22:16 |
| hwpplayer1 | What do you think the position in the market of the Canonical's Ubuntu ? Like I tried to tell | 22:16 |
| hwpplayer1 | A better karma between companies and individuals | 22:17 |
| hwpplayer1 | Also has a phone still supported by UBports | 22:17 |
| hwpplayer1 | volla phone etc | 22:17 |
| sarnold | ubports is completely separate from canonical these days | 22:17 |
| hwpplayer1 | I'm interested in Purism also which is GTK and Debian based | 22:17 |
| sarnold | a group of enthusiasts have kept it alive | 22:18 |
| hwpplayer1 | yes I know | 22:18 |
| sarnold | okay good good | 22:18 |
| hwpplayer1 | But That thing ubuntu-touch still lives despite canonical left the project | 22:18 |
| sarnold | ubuntu is popular with both enterprises and enthusiasts, largely because a lot of things "just work" | 22:18 |
| hwpplayer1 | yes | 22:18 |
| sarnold | some very demanding workloads like SAP or Oracle DB might be hyper-tuned for RHEL or SLES | 22:18 |
| hwpplayer1 | understood | 22:19 |
| sarnold | and some very demanding enthusiasts might be a better fit for arch :) | 22:19 |
| hwpplayer1 | I don't know about arch | 22:19 |
| hwpplayer1 | I didn't try it | 22:19 |
| sarnold | our packages come through debian unstable before they enter our devel release, and every six months we ship it. arch may do a better job of providing very fresh versions of a wider variety of packages. | 22:19 |
| sarnold | I've never tried it either :( I think we'd like it, if only we'd try it, hehe | 22:20 |
| hwpplayer1 | yes maybe blackarch :D | 22:20 |
| hwpplayer1 | tons of tools | 22:20 |
| hwpplayer1 | do you contribute to any spesific security tool like wireshark or any other / | 22:21 |
| sarnold | apparmor, though it's been a while since I contributed in any significant way | 22:21 |
| hwpplayer1 | hmm let me check the source code | 22:24 |
| hwpplayer1 | do you please give the repository link sarnold ? | 22:26 |
| hwpplayer1 | is it on GitLab ? | 22:26 |
| hwpplayer1 | https://gitlab.com/apparmor/apparmor | 22:26 |
| hwpplayer1 | https://apparmor.net/ | 22:28 |
| hwpplayer1 | also | 22:28 |
| hwpplayer1 | okay cool Thanks | 22:29 |
| sarnold | hwpplayer1: heh yeah that's the one ;) | 22:34 |
| hwpplayer1 | great | 22:40 |
| hwpplayer1 | Do you have Zram on your Ubuntu machines ? | 22:40 |
| hwpplayer1 | I have 8(7.6 when calculated) GB RAM and 70 GB Zram | 22:41 |
| hwpplayer1 | 76 or 70 idk | 22:41 |
| hwpplayer1 | :D | 22:41 |
| sarnold | zounds :) | 22:44 |
| sarnold | I don't think I've got zram or zswap configured | 22:44 |
| sarnold | I keep meaning to give it a try but it's never a top priority for me | 22:44 |
| oerheks | what if system borks ans zram cannot write a log? | 22:45 |
| hwpplayer1 | I configured it for mobile development like Android Qt mobile and Ubuntu Touch | 22:45 |
| oerheks | ans/and | 22:45 |
| hwpplayer1 | I am totally new to this tech | 22:45 |
| Juest | except when ubuntu constantly has issues, particularly livecds whereas debian is fine | 22:48 |
| hwpplayer1 | I run Debian 12 | 22:48 |
| hwpplayer1 | I think that it crashes when GNOME extensions are enabled | 22:49 |
| hwpplayer1 | Same for Ubuntu 22.04 | 22:49 |
| Juest | yeah umm, this is a channel to discuss ubuntu security matters, do you have a on topic question? | 22:49 |
| hwpplayer1 | system crashes are on topic ? | 22:50 |
| Juest | sounds like #linux or #ubuntu is a better fit for you. system crashes are more a support thing not security. | 22:50 |
| hwpplayer1 | thanks | 22:51 |
| hwpplayer1 | I'll stay here to be connected | 22:51 |
| oerheks | 'constantly has issues' .. lets talk about that | 22:51 |
| Juest | well, you stay connected to the network server if you leave a channel | 22:51 |
| hwpplayer1 | I mean I'll read this channel's messages | 22:52 |
| Juest | oerheks: im more talking past experiences really, its not as bad nowadays and frankly i do not interact too often with the live environment | 22:52 |
| hwpplayer1 | It is a buffer in Emacs | 22:52 |
| Juest | cool | 22:52 |
| oerheks | if one needs a live environment, use a daily build | 22:53 |
| Juest | oh so for installation/rescue/live is it preferred to use the bleeding edge isos? | 22:53 |
| Juest | or what did you mean by daily build? | 22:54 |
| oerheks | https://cdimage.ubuntu.com/daily-live/current/ for desktop, sure you can find server and such | 22:55 |
| Juest | thanks, oddly enough this is not recommended/noted anywhere | 22:56 |
| oerheks | one must have a reason to do so, i guess | 22:58 |
| Juest | i see, i mean its not really advertised or anything, but good to know there's that choice for those who dont mind recycling isos | 22:58 |
| Juest | hmm, cdimage.ubuntu seems to only contain desktop stuff? | 22:58 |
| Juest | oh is probably in ubuntu-server | 22:59 |
| Juest | i see that the spins folders are there on the root | 22:59 |
| oerheks | yes even cloud images https://cloud-images.ubuntu.com/buildd/daily/ | 22:59 |
| sarnold | heh yeah we've got downloads scattered over so many domains :/ | 22:59 |
| oerheks | but that is more likely | 23:00 |
| sarnold | s/domains/subdomains/ | 23:00 |
| Juest | oerheks: interesting, the buildd folder is not exposed in the homepage of cloud-images and it says in the description that its technically not supported for bug reports | 23:01 |
| Juest | and oci is empty | 23:02 |
| oerheks | i think technically it is, as it contains the latest updates | 23:02 |
| Juest | anyways, is there a better channel for this discussion other than here and ubuntu? | 23:02 |
| oerheks | this channel is fine | 23:02 |
| Juest | the buildd folder says: These are not general-purpose images and their usage is not supported outside of Multipass or Launchpad. Bugs found on those platforms should be filed in the cloud-images project on Launchpad.net. | 23:02 |
| oerheks | jups, as regular update issue | 23:03 |
| Juest | oh hmm, i see | 23:03 |
| Juest | ah so its only supported in rolling update scenarios? | 23:04 |
| oerheks | one can see this as rolling, which is not true, still holding on to stable packages for lts | 23:05 |
| Juest | yeah i understand that, sorry for the misnomer | 23:05 |
| oerheks | just bug fixes, not new features | 23:05 |
| oerheks | no, your question is valid. | 23:05 |
| Juest | hence why i said rolling updates not release | 23:05 |
| Juest | a rolling model for updates not for releases which the latter is more popular/common | 23:06 |
| oerheks | i used to wanna run latest, but i am back to solid lts | 23:06 |
| Juest | ah interesting | 23:06 |
| oerheks | 22.04 for now | 23:06 |
| Juest | hey at least its the little corner to chat with ubuntu people outside of the support channels :D | 23:06 |
| Juest | appreciate the attention and time ^^ | 23:07 |
| oerheks | sometimes it is minutes, sometimes it takes a year to meet and greet, Juest | 23:07 |
| Juest | true | 23:07 |
| oerheks | have fun! | 23:07 |
| Juest | nice to meet you likewise | 23:07 |
| Juest | hmmmm just remained thinking.... | 23:08 |
| oerheks | in shortl; i love a good argument | 23:08 |
| Juest | oh btw i got the ubuntu installation booted in a isolated container with systemd init with success on connecting to systemd through a chroot after entering the namespace | 23:09 |
| Juest | on a different non-systemd distro | 23:09 |
| sarnold | wow :) | 23:09 |
| sarnold | I thought that sounded like a pretty good challenge | 23:09 |
| Juest | but im facing permission issues when it comes to processes creating a user namespace | 23:09 |
| Juest | yeah it was sarnold :) | 23:09 |
| oerheks | i read the suggestions of phogg and tingo | 23:10 |
| hwpplayer1 | sarnold: Can I pm you : | 23:11 |
| oerheks | still not sure it can be done | 23:11 |
| Juest | the better help came from the #systemd channel :) | 23:11 |
| Juest | it can be done, you just have to be careful and mount everything correctly | 23:11 |
| oerheks | yes, but there are 2 parts missing something. | 23:11 |
| Juest | oh? which? | 23:11 |
| Juest | the issue is that if i use a isolated user namespace there's no privileges, causing cgroups to fail to be created, and basically no users other than the root mapping | 23:13 |
| oerheks | therefore one cannot mount anything in it.. yet | 23:14 |
| Juest | something i wasnt doing before is making brand new mounts for /dev (shm, pts), and /run and /tmp | 23:14 |
| Juest | the mount issue is fixed by adding --mount-proc, and the privileges can be partially resolved by mapping root to have privileges | 23:15 |
| Juest | oerheks: you drop in a shell, do the necessary mounts and exec systemd and that works | 23:15 |
| oerheks | there must be a trick, avoiding or capsulation of namespace | 23:15 |
| oerheks | no idea, this goes over my heas :-D | 23:16 |
| Juest | only ipc, pid, mount and uts are isolated | 23:16 |
| Juest | before i was doing -i<args> instead of each separate namespace spec | 23:17 |
| Juest | so thats one part of the issue lol | 23:17 |
| Juest | anyways | 23:17 |
| oerheks | each separate namespace spec .. ? from host and vm ? | 23:18 |
| Juest | this is not a vm | 23:18 |
| oerheks | a backup | 23:18 |
| Juest | nor runc based | 23:18 |
| Juest | its a full-on linux partition install of ubuntu that i have | 23:18 |
| Juest | im doing this method because i dont want to reboot the whole computer to perform updates | 23:18 |
| sarnold | hwpplayer1: sure | 23:19 |
| oerheks | you made a genuine copy, now trying to keep it updated, without systemd involved, i understand | 23:19 |
| Juest | and the reason why chroot doesnt cut it is because i need the systemd stack to run snapd socket properly for the sake of running snap refresh | 23:19 |
| Juest | oerheks: its not a copy lol, just a ubuntu installation that actually can boot on the same computer without issues :) | 23:20 |
| Juest | im not trying to kexec (replace the booted system) nor use more resources through virtualization or container runtimes | 23:20 |
| oerheks | ai, snap refresh.. time to run your own snap mirror | 23:20 |
| Juest | the problem is that snap cannot connect to snapd | 23:21 |
| oerheks | that gives double security | 23:21 |
| Juest | also because of the chroot and not mounting /tmp, /dev, /run i have data in the partition on those folders lol | 23:21 |
| Juest | heh, fun idea | 23:22 |
| Juest | i was seeing issues where systemd sockets couldn't be reachable because it was a incoming private connection from a unknown client therefore not allowing it | 23:23 |
| Juest | to enter the environment outside of the unshare shell once systemd is executed i have to chroot inside after running nsenter | 23:23 |
| oerheks | sudo journalctl --no-pager -u snapd | 23:24 |
| oerheks | https://snapcraft.io/docs/fix-common-issues | 23:24 |
| sarnold | Juest: hah, that sounds right | 23:24 |
| Juest | now i am correctly able to connect to systemd | 23:24 |
| oerheks | yes, supposed so | 23:24 |
| Juest | but the problem is that units do not have permission to use the user namespace | 23:24 |
| oerheks | so you need to, snapd ? | 23:25 |
| oerheks | err, question is: do you need to? | 23:25 |
| Juest | oerheks: yes, i want to get snapd up and running because its required by snap to do any operations | 23:25 |
| sarnold | lxd can get 'ubuntu' things working in containers, so there's got to be a way for you to construct a similar enough environment by hand | 23:26 |
| Juest | the whole reason im into this is because i wanted to do snap refresh | 23:26 |
| Juest | sarnold: sure, maybe i could get somewhere with lxc, im not using lxd because its not light | 23:26 |
| Juest | i have lxc but im not sure how to tell it to containerize a entire partition and boot that | 23:26 |
| Juest | doing a volume sounds very risky because it could wipe it | 23:27 |
| sarnold | tar it up, ask it to boot the tarball? copy over the changed files by hand? | 23:27 |
| Juest | i dont have storage for that | 23:27 |
| Juest | i feel more comfortable with the unshare "example utility" | 23:28 |
| Juest | okay im back to the same issue | 23:31 |
| Juest | failed to get properties: transport endpoint is not connected | 23:31 |
| Juest | hmmmm | 23:32 |
| Juest | oh well | 23:32 |
| Juest | oh lol i forgot to enter in the pid namespace | 23:33 |
| sarnold | Juest: maybe run dmesg -w ... | 23:33 |
| sarnold | doorbell | 23:33 |
| oerheks | food? | 23:33 |
| oerheks | 01:33 here | 23:34 |
| oerheks | oops security | 23:34 |
| Juest | oh lol | 23:35 |
| Juest | sarnold: i forgot to enter in the systemd namespace, i was in the unshare namespace instead :P | 23:35 |
| oerheks | hostname should not be of importance, unless ssh certs? | 23:36 |
| Juest | issue now is dns resolver | 23:36 |
| Juest | okay | 23:39 |
| Juest | networkmanager has limited connectivity | 23:39 |
| Juest | hmmmmm | 23:39 |
| Juest | oh well | 23:39 |
| Juest | oerheks, sarnold, where would it be preferred to discuss this in? | 23:39 |
| sarnold | Juest: aha, awesome! hard to know, maybe someone else in #ubuntu would have more ideas, but namespacing is kind of a security-ish thing? maybe #lxcontainers would have folks with more direct container experience? this is probably fine | 23:47 |
| sarnold | oerheks: heh, a new exercise bike | 23:47 |
| Juest | :D | 23:48 |
| Juest | i see | 23:48 |
| Juest | well, its related because the target is a ubuntu system :P | 23:48 |
| Juest | you mean #lxc maybe? | 23:49 |
| Juest | i guess that #linux is fine as well | 23:50 |
| oerheks | sure, post on stack | 23:51 |
| Juest | another little issue, it seems the gui started up but i dont see it, i should check the console | 23:51 |
| Juest | well | 23:55 |
| Juest | im having a issue refreshing the snap | 23:55 |
| Juest | ill check the link | 23:56 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!