Back to Home / #linode / 2021 / 10 / Prev Day | Next Day
#linode IRC Logs for 2021-10-12

---Logopened Tue Oct 12 00:00:16 2021
00:12<FluffyFoxeh>that's fair
00:27<LouWestin>I'm not 100 percent sure though.
00:45<@jtoscani>no can do with nested virt unless you're using bare metal
00:46<@jtoscani>and Linode is still a privately-owned company with caker at the helm - evolution rather than selling out
00:56<dwfreed>FluffyFoxeh: I would say it's a safe bet it's mostly reinvested profits :)
01:15-!-lonewulf` [] has quit [Quit: leaving]
01:28-!-Erawan [] has quit [autokilled: Possible spambot. Mail if you think this is in error. (2021-10-12 05:28:43)]
01:29-!-Erawan [~oftc@2a00:dcc0:eda:88:245:71:2d0d:740d] has joined #linode
01:29-!-Erawan is "Erawan" on #VirtualBox #linode #dogecoin @#OneProvider @#Gridseed #vbox
01:29-!-Erawan is now known as Guest2563
02:00-!-wraeth [] has quit []
02:01-!-wraeth [] has joined #linode
02:01-!-wraeth is "wraeth" on #gentoo #linode #gentoo-dev #oftc #Gentoo-Chat
03:49-!-NomadJim_ [~Jim@] has quit [Read error: Connection reset by peer]
03:49-!-NomadJim_ [~Jim@2001:5b0:2d53:d478:893a:a7fe:9d32:e59d] has joined #linode
03:49-!-NomadJim_ is "Nomad" on #debian #linode
03:50-!-blaboon [] has quit [Quit: Bye o/]
03:50-!-blaboon [] has joined #linode
03:50-!-blaboon is "Bradley LaBoon" on #alpine-linux #alpine-infra #linode
03:50-!-mode/#linode [+o blaboon] by ChanServ
03:50-!-millisa [] has quit [Quit: ZNC 1.8.2 -]
03:50-!-millisa [] has joined #linode
03:50-!-millisa is "millisa" on #linode
03:51-!-Ariadne [] has quit [Read error: Connection reset by peer]
03:51-!-igufi [] has quit [Read error: Connection reset by peer]
03:51-!-igufi [] has joined #linode
03:51-!-igufi is "igufi" on #linode
03:51-!-Ariadne [] has joined #linode
03:58-!-lonewulf` [] has joined #linode
03:58-!-lonewulf` is "U-lonewulf-PC\lonewulf" on #linode #debian-offtopic #debian #oftc
04:10-!-blaboon [] has quit [Quit: Bye o/]
04:11-!-blaboon [] has joined #linode
04:11-!-blaboon is "Bradley LaBoon" on #alpine-linux #alpine-infra #linode
04:11-!-mode/#linode [+o blaboon] by ChanServ
04:13-!-Tj [~soggy@2a01:7e00:e001:ee00:fa75:a4ff:fef3:42b4] has quit [Quit: WeeChat 2.8]
05:39-!-waltman [waltman@2601:4a:701:4451:f2ec:9c30:d6e5:9521] has quit [Remote host closed the connection]
05:39-!-waltman [waltman@2601:4a:701:4451:adb0:32c3:1d86:7604] has joined #linode
05:39-!-waltman is "= "Walt"" on #linode
08:22-!-quackgyver [] has quit [Quit: Connection closed for inactivity]
09:00-!-NomadJim_ [~Jim@2001:5b0:2d53:d478:893a:a7fe:9d32:e59d] has quit [Read error: Connection reset by peer]
09:16-!-Bdragon [~bdragon@] has joined #linode
09:16-!-Bdragon is "Brandon Bergren" on #voidlinux-ppc #multiarch #llvm #linode #freebsd-clang
09:35-!-cwaydt3 is "cwaydt" on #kernelnewbies
09:35-!-cwaydt3 [] has joined #linode
09:41-!-cwaydt [] has quit [Ping timeout: 480 seconds]
09:41-!-cwaydt3 is now known as cwaydt
10:13-!-ckaczynski [~ckaczynsk@] has joined #linode
10:13-!-ckaczynski is "ckaczynski" on #linode
10:24<FluffyFoxeh>Is it a bad idea to use a block storage volume as a root device?
10:25<millisa>depends how you feel about backups.
10:25<millisa>migrations get real quick when using block storage volumes for your boot device
10:25<millisa>they have a guide on doing it -
10:33<FluffyFoxeh>ah, cool
10:34<millisa>(only atlanta is nvme block storage so far)
10:44-!-dburrow [~oftc-webi@2601:cd:c000:3da7::100b] has joined #linode
10:44-!-dburrow is "OFTC WebIRC Client" on #linode
10:52-!-Tj [~soggy@2a01:7e00:e001:ee00:fa75:a4ff:fef3:42b4] has joined #linode
10:52-!-Tj is "soggy" on #virt #turris #linode #debian #debian-next #packaging
10:58-!-CodeMouse92 [] has joined #linode
10:58-!-CodeMouse92 is "Jason C. McDonald" on #python #packaging #linode #llvm #c++
11:00-!-dburrow [~oftc-webi@2601:cd:c000:3da7::100b] has quit [Remote host closed the connection]
11:16-!-halvors [] has joined #linode
11:16-!-halvors is "halvors" on #linode
11:18-!-GIG9 [~MYOB@] has joined #linode
11:18-!-GIG9 is "J" on #moocows #linode
11:21-!-dburrow [~oftc-webi@] has joined #linode
11:21-!-dburrow is "OFTC WebIRC Client" on #linode
11:24-!-|GIG [~MYOB@] has quit [Ping timeout: 480 seconds]
11:29<dburrow>new user needs a clue, deployed first web app and I'm getting connected but the outside world only gets an empty response
11:29<dburrow>from within the lanode console using any flavor of local host, local ip, public ip, or public domain name, all provide the web page as expected
11:30<dburrow>read similar posts indicating firewall issues, so I created a firewall for my server with access granted to ports 80, 443 and 22
11:32<dburrow>everythin using 'nc -z -v <ip/domain> 80' from the outside world I can see that I'm connecting successfully
11:33<dburrow>debugging my python/flask app though I never see the connection come to my code
11:33<dburrow>please advise...
11:35<dburrow>also in firewall, I have permitted all outbound TCP traffic
11:36-!-halvors1 [~Thunderbi@] has joined #linode
11:36-!-halvors1 is "halvors" on #linode
11:38<linbot>New news from community: How to close my account and delete payment info? <>
11:40-!-halvors [] has quit [Read error: Connection reset by peer]
11:41-!-Redentor [~armando@2600:3c01:e000:20c:debe:5dfb:632c:18ea] has joined #linode
11:41-!-Redentor is "realname" on #linode #debian-next #debian-mx #debian
11:41-!-jack420 [] has joined #linode
11:41-!-jack420 is "OFTC WebIRC Client" on #linode
11:42-!-jack420 [] has quit []
11:46-!-halvors1 [~Thunderbi@] has quit [Ping timeout: 480 seconds]
11:51<millisa>dburrow: are you using the linode cloud firewall product?
11:52<millisa>dburrow: i'm guessing its not the issue since you say you are getting connected to the port from the outside. share the IP/domain. name?
11:56-!-dburrow [~oftc-webi@] has quit [Remote host closed the connection]
13:03-!-saintdev [] has quit [Read error: Connection reset by peer]
13:04-!-saintdev [] has joined #linode
13:04-!-saintdev is "Nathan Caldwell" on #linode #asahi #alpine-linux
13:06-!-dburrow [~oftc-webi@2601:cd:c000:3da7::100b] has joined #linode
13:06-!-dburrow is "OFTC WebIRC Client" on #linode
13:06<dburrow>sorry -- I was out of the office for a bit and had trouble responding
13:07<dburrow>for the network issues -- the domain assigned to the linode instance is
13:13-!-Redentor [~armando@2600:3c01:e000:20c:debe:5dfb:632c:18ea] has quit [Remote host closed the connection]
13:16<Tj>dburrow: I see "permission denied" for 80 and 443, but I'm on IPv6-only and using DNS64/NAT64 to translate your IPv4 address. I can tracpath and it arrives at
13:17<Tj>dburrow: looks like the Atlanta DC
13:17<dburrow>ok -- so I concur your able to do things like ping/traceroute
13:17<dburrow>even --> connect <-- from the outside world
13:18<dburrow>but there seems to be no bytes on the wire after connection is made -- no bytes in or out
13:18<Robdgreat>I get address unreachable
13:18<Robdgreat>but I'm coming from outside the US, fwiw
13:18<Tj>dburrow: cannot connect
13:18<dburrow>not sure in this case if that matters
13:18<dburrow>so let's try this in order:
13:18<dburrow>1) can you ping ?
13:18<Tj>dburrow: is the public IPv4?
13:19<Tj>dburrow: may I nmap the host?
13:19<dburrow>and i can ping it from home / VPN site
13:19<Robdgreat>yeah I can ping
13:19<dburrow>... it's the smallest instance of server, but not doing anything at the moment
13:20<dburrow>so this works for me from home / outside linode instance ---> $ nc -z -v
13:20<dburrow>I get "connected successfully"
13:22<nuevu>I don't see port 80 or 443 open
13:22<dburrow>chking for myself ...
13:22<Robdgreat>when I try to load the site in w3m I get no route to host
13:23<Robdgreat> which resembles the problem in this post
13:23<Robdgreat>tl;dr it's firewall rules
13:25<dburrow>so, before I was away for a bit, I shared that I had seen (I believe) this post or one like it
13:25<Robdgreat>oh sorry
13:25<dburrow>... and that I had enabled a firewall and associated it with my linode in the *lish console
13:25<dburrow>... or web console, whatever the right terminology is
13:26<Robdgreat>ah yeah I missed all that
13:26<nuevu>Have you inspected iptables/ufw/firewalld?
13:26<Robdgreat>I see it now 🤦‍♂️
13:26<dburrow>... where I thought I was connecting from home -- apparently I mis-spoke
13:26<dburrow>so I saw someone refer to the "ufw" command, but it's not in the path
13:26<dburrow>... as root
13:26<nuevu>What distro/version?
13:27<dburrow>... let me check myself on that assertion..
13:27<dburrow>... instance is Centos7
13:28<dburrow>sure -- I'll man that command
13:28<dburrow>... so here's more info
13:28<dburrow>... was using the 'nc' command from a macbook - where I'm a bit of a newbie on mac
13:29-!-Omar-Hatem [~oftc-webi@] has joined #linode
13:29-!-Omar-Hatem is "OFTC WebIRC Client" on #linode
13:29<dburrow>from my home, I have windows, linux and mac OS's
13:29<Robdgreat>I'd expect nc to work the same cross-platform for the most part
13:29<jkc>dburrow: The command itself is firewall-cmd
13:29<dburrow>... nc -z -v 80 --- succeeds from my mac to linode, fails from my linux to linode ...
13:29<Omar-Hatem>any django expert in muli tenency in here ??
13:30<jkc>Omar-Hatem: Just ask the question. If someone can help, they will.
13:30<Omar-Hatem>aha , thx jkc
13:30<dburrow>... so I'm unsure why that would be as both are external to the cloud site we're trying to connect to
13:31<dburrow>so let's go with the more consistent result from linux -- that the server is NOT connectable as previously reported
13:31<Omar-Hatem>any one knows how can i make my subdomains of my multi tenent django app have a custom domain instead of they add their own domain as
13:32<dburrow>.. so, what is the difference between using the command line 'firewall-cmd' syntax and the linode supplied UI instance of a firewall ?
13:33<Robdgreat>they're two different firewalls
13:33<Robdgreat>not multiple interfaces to the same firewall
13:34<Omar-Hatem>that queshion for linode staff too even if i configured the aunswer i guess their are linode part in it
13:34<Omar-Hatem>how can i make my subdomains of my multi tenent django app have a custom domain instead of they add their own domain as
13:36<Robdgreat>Omar-Hatem: this seems like a good question for a django channel
13:36<Robdgreat>you're not guaranteed to have active people in here well-versed in django, though it's of course possible
13:37<dburrow>ok -- report early and often
13:37<Omar-Hatem>link pls ?
13:37<dburrow>.. success after 'firewall-cmd --add-service=http'
13:37<dburrow>I get this is not permenant ... I'll read up on the syntax to get me there
13:37<Robdgreat>Omar-Hatem: I don't know, I'd have to look for it, too
13:38<dburrow>so -- given the "two" firewalls are not one-and-the-same
13:38<dburrow>... I'm going to delete the linode UI version/instance
13:38<dburrow>... and go only with the command line / OS config of my Centos7 instance
13:38<Robdgreat>it's not really "two", it's two
13:39<Robdgreat>like, for real
13:39<dburrow>lol -- ok, I get it -- it is not rumored to be "two" -- it is exactly two
13:40<Robdgreat>it's like you have a door at the start and end of your entryway in your house, each with a lock
13:40<Robdgreat>different keys
13:40<Robdgreat>you give someone the key to one, they can't automatically get in the second
13:40<dburrow>granted, it's it given I'm going too fast , and want success easily, -- but I also thought I was doing a fair bit of self service before I joined the IRC here...
13:41<dburrow>where did I miss this "firewall-cmd" documented in FAQ or other start up docs ?
13:41<Robdgreat>well, I've never used Linode's firewall, and my os firewall needs have always been pretty basic
13:42<dburrow>are you Linode staff or "just" a user ?
13:42<linbot>Users with ops are employees of Linode, and know what they're talking about. The rest of us are the ever-so-helpful(?) community. Official Linode contact information:
13:42<dburrow>I guess it makes sense that the default behavior is not not have a node open to the internet...
13:43<Robdgreat>dburrow: I Googled linode centos firewall and got this
13:43<dburrow>... but the help docs on this speak to apache, nginx and lighttpd
13:43<@mcivi>dburrow did you disable the firewal from the UI? I was testing and showing port 80/443 were closed before. now port 80 is open, and curl returning a 200 response
13:43<@mcivi>browser shows a list of items when I vnavigate to your domain
13:44<dburrow>yep -- i entered 'firewall-cmd --add-service=http'
13:44<dburrow>it's my son's first python/web project -- a home inventory (starting with food items... )
13:46<dburrow>I did look at the start up docs on getting your first web app running under one of these three web servers... I didn't see the firewall-cmd or other command line utility program updates from other distros in my cursory hunt for a fast answer
13:46<Robdgreat>yeah, the web app docs probably don't specifically address the firewall
13:46<dburrow>I didn't see this link provided until now
13:46<Robdgreat>yeah I had to Google for it
13:47<Robdgreat>but it was the first result for centos linode firewall
13:47<Robdgreat>I included linode because their docs are *chef's kiss*
13:48<dburrow>I agree -- the docs for linode are really good -- for those with at least some experience.
13:48<Robdgreat>ah, I didn't actually read the doc in question
13:48<dburrow>I remember the days when everything was new and sites like this were beyond my level of experience
13:48<Robdgreat>beyond ctrl+f for firewall-cmd
13:49<dburrow>it's good documentaton -- it seems complete enough for the 80/20 rule
13:50<dburrow>and newbies should never get beyond the 80%
13:50<Robdgreat>unrelated: yay, work network is playing up again
13:51<dburrow>so we're good to go for now... I am working and have enough to continue to make it work permenantly
13:51<dburrow>... I like the IRC response times...
13:51<dburrow>thanks for all your help
13:52<Robdgreat>Good good. Between the handful of actives in here we have a broad range of experience
13:52<Robdgreat>even among non-staff
14:27-!-Omar-Hatem [~oftc-webi@] has quit [Remote host closed the connection]
14:46-!-MrMelon54 [] has joined #linode
14:46-!-MrMelon54 is "realname" on #linode
14:46-!-MrMelon54 [] has quit []
14:47-!-MrMelon54 is "realname" on #linode
14:47-!-MrMelon54 [] has joined #linode
14:47-!-MrMelon54 [] has quit []
15:01-!-dburrow [~oftc-webi@2601:cd:c000:3da7::100b] has quit [Quit: Page closed]
15:39<millisa>!point Robdgreat
15:39<linbot>millisa: Point given to robdgreat. (1)
15:41<Robdgreat>thank you thank you
15:41<Robdgreat>my first point xD
15:50-!-Redentor [~armando@2600:3c01:e000:20c:debe:5dfb:632c:18ea] has joined #linode
15:50-!-Redentor is "realname" on #linode #debian-next #debian-mx #debian
15:57-!-Redentor [~armando@2600:3c01:e000:20c:debe:5dfb:632c:18ea] has quit [Remote host closed the connection]
16:23-!-ckaczynski1 [] has joined #linode
16:23-!-ckaczynski1 is "ckaczynski" on #linode
16:26-!-CodeMouse92 [] has quit [Ping timeout: 480 seconds]
16:27-!-ckaczynski [~ckaczynsk@] has quit [Ping timeout: 480 seconds]
16:34-!-linville [] has quit [Quit: Leaving]
16:41-!-ckaczynski1 [] has quit [Quit: WeeChat 3.3]
17:04-!-branko [] has quit [Remote host closed the connection]
17:37-!-branko [] has joined #linode
17:37-!-branko is "Branko Majic" on #linode +#Corsair
17:50<millisa>I don't suppose anyone happens to know a way to get the fullchain in an LE cert to stop including the expired intermediate in the file?
17:51*file would be sad without the expired intermediate
17:51<millisa>!point file
17:51<linbot>millisa: Point given to file. (1)
17:51<BDIkaros>millisa I believe latest certbot,, and some others let you direct it to use a different chain, have you tried that to see if it still included the expired intermediate?
17:52<millisa>just updated the centos7 system to the latest certbot it had (which isn't that new) and it happily put a fullchain and chain back with the expired root in it on a force-renewal
17:53<millisa>it's only 1.11.0-1 out of epel. not sure how much they might be backporting, but it doesn't appear to have been updated recently
17:54<BDIkaros>That SHOULD have this option: --preferred-chain PREFERRED_CHAIN
17:54<BDIkaros>Not sure of the syntax
17:55<millisa>it does and may be what i'm looking for, much obliged
17:55<BDIkaros>No prob, just I don't remember the exact line you'd have to pass with that to get the new chain. Might have to read into that.
17:56<millisa>it at least has me looking in a direction i wasn't before
17:56<millisa>right now i have some openssl based nagios checks that have been complaining for the last couple weeks and places like are complaining in a way that customers are getting grumbly
17:57<millisa>(the LE site itself makes the site complain in the same way)
17:57<trippeh>interestingly the LE client I wrote myself years ago, is not getting any expired certs in the chain. and I've changed nothing since adding acmev2.
17:59<millisa>ex. openssl s_client -showcerts -connect -servername
17:59<millisa>you can see the DST Root CA X3 there at the end
17:59<BDIkaros>I think you'd just pass the name of the root to that switch...but again, not 100% on that.
18:00<BDIkaros>And it should theoretically pull the correct non-expired chain
18:00-!-jamespond [~jamespond@2600:3c03::f03c:91ff:fedf:6a5f] has left #linode [WeeChat 3.2.1]
18:01<BDIkaros>Yeah. Pass 'ISRG Root X1', and it should.
18:02<millisa>looks like i may not be able to use the switch on a renewal. testing with a fresh cert
18:03<jkc>millisa: Anything you use for a fresh cert can be used for a renewal. You may need to figure out what the in-profile option string is for it, though.
18:04<millisa>yeah, still poking. definitely flailing on the syntax with it
18:05<jkc>Drives me nuts that they don't properly document the renewal config files.
18:05<millisa>would probably also help if I use the right spelling of 'preferred-chain'. 'preferred-root' is wrong.
18:05<trippeh>i'm not seeing expired evenusing s_client to
18:06<millisa>trippeh: that's interesting. can you paste your output to a pastebin?
18:06<trippeh>Not After : Sep 30 18:14:03 2024 GMT
18:06<millisa>i'm seeing this:
18:06<millisa>(line79 = DST Root CA X3)
18:07<BDIkaros>Yeah when I pulled using the exact same command, pulled DST Root CA X3
18:07<millisa>yours has it
18:07<BDIkaros>Yep there it is
18:07<trippeh>but when I pipe it to x509 -noout -in it is not expired?
18:08<millisa>the cert itself isn't, no
18:08<BDIkaros>It's using the cross-signed version
18:08<BDIkaros>The version of the root CA that was cross-signed by the now-expired DST Root
18:09<millisa>with the perferred-chain option, it still throws the old cert there at the end of the fullchain
18:09<BDIkaros>That's odd then...because that's the one that should pull the new chain if instructed to do so.
18:10<BDIkaros>Try and see if a different ACME client does the same thing?
18:10<trippeh>btw, had to upgrade ca-certficates package on a bunch of servers when it expired
18:10<trippeh>or else they would walk the wrong chain
18:10<linbot>New news from community: Jupyter instance does not detect GPU <>
18:10<BDIkaros>Yeah that too, making sure your own trusted certs store was up-to-date as well.
18:10<millisa>to be clear, the certs are serving up fine to any modern browser/os. it's just an issue of this thing that's not needed is being served up unnecessarily and it upsets some testing/monitoring things
18:11<BDIkaros>Right, and some folks were pointing out that exact thing
18:11<BDIkaros>They didn't understand why LE insisted upon keeping the old cross-signature in its default chain for ancient devices
18:11<millisa>at least give an option '--goawayoldandroidphones' or something
18:13<BDIkaros>Funny enough, there are still some folks that are asking how to issue the old root
18:13<millisa>which I'm sure that option would work great for
18:14<BDIkaros>But me, I'd ask, *why*, because a few folks that use ancient phones can't connect to your services (as it should be, because they can't be secure anyway)?
18:17<trippeh>uacme seems able to select chain based on fingerprint. hm.
18:20-!-lonewulf` [] has quit [Quit: leaving]
18:20<trippeh>(or index, but thats obviously not stable)
18:21<millisa>hm. adding -trusted_first to the openssl check may fix my monitoring plugins
18:22<millisa>oh. no. it doesn't. i stupidly tested against the site i manually removed the expired cert from
18:23-!-lonewulf` [] has joined #linode
18:23-!-lonewulf` is "U-lonewulf-PC\lonewulf" on #linode #debian-offtopic #debian #oftc
18:24<trippeh>"The --preferred-chain flag now only checks the Issuer Common Name of the
18:24<trippeh>topmost (closest to the root) certificate in the chain, instead of checking
18:24<trippeh>every certificate in the chain."
18:24<trippeh>that was 1.12.0
18:26<trippeh>seems relevant:
18:26<millisa>that looks promising. worth at least getting the official client instead of the epel packaged one
18:28<trippeh>so the epel version is literally just one release (~1 month) too old :P
18:35-!-u0_a160 [~u0_a160@] has joined #linode
18:35-!-u0_a160 is "Unknown" on #linode
18:36-!-u0_a160 [~u0_a160@] has left #linode []
18:36<BDIkaros>Yeah that'd probably be it
18:36<millisa>still trying to get to the point of testing it. installing snap on a centos box makes me uncomfortable.
18:37<BDIkaros>I don't blame you.
18:38<BDIkaros>But even the EFF's own instructions say that's a way to get the most recent version
18:38<BDIkaros>If I felt uncomfortable about it I just used
18:39<millisa>would probably consider switching the clients if it wasn't for the 5-6 hundred domains all setup using the other.
18:39<millisa>weighing which is laziest still
18:39<BDIkaros>Mhm, yup
18:46<millisa>ok, can confirm that the newer certbot does not include the deadwood cert when using preferred-chain. It *does* still include it if you don't specific the preferred-chain
18:46<millisa>!point BDIkaros
18:46<linbot>millisa: Point given to bdikaros. (1)
18:46<millisa>!point trippeh
18:46<linbot>millisa: Point given to trippeh. (1)
18:49<trippeh>at least I was right on one thing :)
18:50<millisa>s/specific/specify/ . . stupid tired brain.
18:58-!-lonewulf` [] has quit [Quit: leaving]
18:59-!-u0_a160 [~u0_a160@] has joined #linode
18:59-!-u0_a160 is "Unknown" on #linode
18:59-!-u0_a160 [~u0_a160@] has quit [Read error: Connection reset by peer]
19:14<linbot>Another satisfied customer! NEXT!
20:30-!-NomadJim_ [~Jim@] has joined #linode
20:30-!-NomadJim_ is "Nomad" on #debian #linode
22:00<nuevu>If anyone's watching tickets this evening, I'd really appreciate a quick look at #16376790. Just need a disk excluded from backups (hopefully before they automatically run again).
22:01<dwfreed>hopefully it fixes the issue
22:01<nuevu>So do I!
22:02<nuevu>I did previously move the data onto a volume and was able to successfully run backups manually, so I expect this should be fine as well.
22:19<react>nuevu: I recommend backing up with someone non-Linode if the economics are right for you, at least until Linode comes clean in their docs surrounding the realities of reliability (we like to see 9's, lots of them), geographic replication, and encryption (CMEK) roadmap.
22:20<jkc>Linode's backup offerings leave a LOT to be desired.
22:20<nuevu>react: We do. The Linode Backup Service is just one of the cogs.
22:20<jkc>Be super careful restoring a backup for a system that has SELinux set to enforcing.
22:22<jkc>You WILL have to boot into recovery and force a relabel, or the system will not boot.
22:25<jkc>As I found out the hard way. Their backups do not preserve attributes like SELinux labels.
22:38<dwfreed>this is noted in the docs
22:38<dwfreed>selinux labels are xattrs; the docs note xattrs are not backed up
23:02<jkc>I'm aware that its noted in the docs... NOW. It certainly wasn't back when that incident occurred.
23:02<jkc>Which ignores the underlying issue of WHY THE HELL NOT?
23:09-!-lonewulf` [] has joined #linode
23:09-!-lonewulf` is "U-lonewulf-PC\lonewulf" on #linode #debian-offtopic #debian #oftc
23:15<dwfreed>jkc: that line has been in that doc since that file existed, which has been since the docs repo was created in July 2014
23:15<dwfreed>and a similar line was in the previous docs website
23:17<dwfreed>Here's the original file from the initial commit to the docs repo:
23:25<dwfreed>Here's the line in the original Library docs dating back to January 2011:
23:28<LouWestin>I was just reading over the doc links. I suppose I could argue that it "could be" a little clearer about what jkc mentioned
23:28<dwfreed>Sure, most people don't realize that any kind of extended info (including POSIX ACLs) about a file is stored as an xattr on Linux
23:30<LouWestin>Maybe I could send a friendly suggestion to mention that. But I of course I don't run SE anything so I haven't had to worry about that lol
23:30<dwfreed>But chances are you have things that use filecaps
23:31<dwfreed>filecaps are also xattrs
23:31<LouWestin>Ehh... that I wouldn't know offhand. Ah, let's see what I got
23:32<dwfreed>ls -l /bin/ping
23:32<LouWestin>Debian based webserver, ZNC server (Deb),
23:32<dwfreed>is the easiest check
23:32<LouWestin>I'll do that!
23:32<dwfreed>if it's not setuid root, you're using filecaps
23:32<LouWestin>checking now
23:33<kharlan>Just don't do backups
23:33<kharlan>simple fix. No docs required.
23:33<LouWestin>Ok ZNC server reports back -rwxr-xr-x 1 root root 77432 Feb 2 2021 /bin/ping
23:34<dwfreed>so yep, your ping is using filecaps
23:34<LouWestin>I'll assume everything else I have here is probably the same
23:35<dwfreed>$ /sbin/getcap -v /bin/ping
23:35<dwfreed>/bin/ping = cap_net_raw+ep
23:37<LouWestin>So sbin/getcap -v /bin/ping brings back...
23:37<LouWestin>... bin/ping cap_net_raw=ep
23:38<LouWestin>Its just like the oracle fortold
23:38<dwfreed>on my pretty minimal install, only ping, arping, and mtr-packet have any filecaps
23:38<dwfreed>(mtr-packet is what does the actual traffic for mtr)
23:39<LouWestin>This is why I hang out here, I learn something new
23:39<dwfreed>you can do /sbin/getcap -r / 2>/dev/null
23:40<dwfreed>to list every file with caps on your system that you can access
23:40<LouWestin>Survey says... /usr/bin/mtr-packet cap_net_raw=ep and /usr/bin/ping cap_net_raw=ep
23:42<LouWestin>so that's ok
23:43<virtual>TIL: cyrus imapd upgrades from one version of Debian to another at some point stopped expiring old deleted emails. whoopsy.
---Logclosed Wed Oct 13 00:00:18 2021