Most recent items from Ubuntu feeds:
Ubuntu Podcast from the UK LoCo: S11E15 – Fifteen Minutes - Ubuntu Podcast from Planet Ubuntu

This week we get the Hades Canyon NUC fully working and play Pillars of Eternity II. We discuss the falling value of Bitcoin, backdoored Docker images and Microsoft getting into hot water over their work with US Immigration and Customs Enforcement. Plus we round up the community news.

It’s Season 11 Episode 15 of the Ubuntu Podcast! Alan Pope, Mark Johnson and Martin Wimpress are connected and speaking to your brain.
In this week’s show:

We discuss what we’ve been up to recently:

Martin has got his Hades Canyon NUC working properly with Ubuntu MATE 18.04.
Mark has been playing Pillars of Eternity II.

We discuss the news:

Bitcoin has lost more than half its value since last year’s all-time high
Backdoored images downloaded 5 million times finally removed from Docker Hub
Microsoft are receiving flak for celebrating work with US Immigration and Customs Enforcement (ICE)

We discuss the community news:

Chromium as a snap using Mir
A Complete Look At Spectre V1/V2/V4 & Meltdown
Ubuntu Touch RC OTA-4 is Here
Bitfolk ask their users how to deal with overage notifications
Timo Aaltonen posted about the Status of Ubuntu Mesa backports

Image credit: Victoria Palacios

That’s all for this week! You can listen to the Ubuntu Podcast back catalogue on YouTube. If there’s a topic you’d like us to discuss, or you have any feedback on previous shows, please send your comments and suggestions to show@ubuntupodcast.org or Tweet us or Comment on our Facebook page or comment on our Google+ page or comment on our sub-Reddit.

Join us in the Ubuntu Podcast Telegram group.

1 day ago

Jonathan Carter: Plans for DebCamp18 from Planet Ubuntu

Dates
I’m going to DebCamp18! I should arrive at NCTU around noon on Saturday, 2018-07-21.
My Agenda

DebConf Video: Research if/how MediaDrop can be used with existing Debian video archive backends (basically, just a bunch of files on http).
DebConf Video: Take a better look at PeerTube and prepare a summary/report for the video team so that we better know if/how we can use it for publishing videos.
Debian Live: I have a bunch of loose ideas that I’d like to formalize before then. At the very least I’d like to file a bunch of paper cut bugs for the live images that I just haven’t been getting to. Live team may also need some revitalization, and better co-ordination with packagers of the various desktop environments in terms of testing and release sign-offs. There’s a lot to figure out and this is great to do in person (might lead to a DebConf BoF as well).
Debian Live: Current live weekly images have Calamares installed, although it’s just a test and there’s no indication yet on whether it will be available on the beta or final release images, we’ll have to do a good assessment on all the consequences and weigh up what will work out the best. I want to put together an initial report with live team members who are around.
AIMS Desktop: Get core AIMS meta-packages in to Debian… no blockers on this but just haven’t had enough quiet time to do it (And thanks to AIMS for covering my travel to Hsinchu!)
Get some help on ITPs that have been a little bit more tricky than expected:

gamemode – Adjust power saving and CPU governor settings when launching games
notepadqq – A Linux clone of Notepad++, a popular text editor on Windows
Possibly finish up zram-tools which I just don’t get the time for. It aims to be a set of utilities to manage compressed RAM disks that can be used for temporary space, compressed in-memory swap, etc.

Debian Package of the Day series: If there’s time and interest, make some in-person videos with maintainers about their packages.
Get to know more Debian people, relax and socialize!

3 days ago

Benjamin Mako Hill: How markets coopted free software’s most powerful weapon (LibrePlanet 2018 Keynote) from Planet Ubuntu

Several months ago, I gave the closing keynote address at LibrePlanet 2018. The talk was about the thing that scares me most about the future of free culture, free software, and peer production.

A video of the talk is online on Youtube and available as WebM video file (both links should skip the first 3m 19s of thanks and introductions).
Here’s a summary of the talk:
App stores and the so-called “sharing economy” are two examples of business models that rely on techniques for the mass aggregation of distributed participation over the Internet and that simply didn’t exist a decade ago. In my talk, I argue that the firms pioneering these new models have learned and adapted processes from commons-based peer production projects like free software, Wikipedia, and CouchSurfing.
The result is an important shift: A decade ago, the kind of mass collaboration that made Wikipedia, GNU/Linux, or Couchsurfing possible was the exclusive domain of people producing freely and openly in commons. Not only is this no longer true, new proprietary, firm-controlled, and money-based models are increasingly replacing, displacing, outcompeting, and potentially reducing what’s available in the commons. For example, the number of people joining Couchsurfing to host others seems to have been in decline since Airbnb began its own meteoric growth.
In the talk, I talk about how this happened and what I think it means for folks that are committed to working in commons. I talk a little bit about what free culture and free software should do now that mass collaboration, these communities’ most powerful weapon, is being used against them.
I’m very much interested in feedback provided any way you want to reach me including in person, over email, in comments on my blog, on Mastodon, on Twitter, etc.

Work on the research that is reflected and described in this talk was supported by the National Science Foundation (awards IIS-1617129 and IIS-1617468). Some of the initial ideas behind this talk were developed while working on this paper (official link) which was led by Maximilian Klein and contributed to by Jinhao Zhao, Jiajun Ni, Isaac Johnson, and Haiyi Zhu.

3 days ago

Raphaël Hertzog: Freexian’s report about Debian Long Term Support, May 2018 from Planet Ubuntu

Like each month, here comes a report about the work of paid contributors to Debian LTS.
Individual reports
In May, about 202 work hours have been dispatched among 12 paid contributors. Their reports are available:

Abhijith PA did 6 hours (out of 10 hours allocated + 5 extra hours, he gave back the 9 remaining hours).
Antoine Beaupré did nothing (out of 12 hours allocated, thus keeping 12 extra hours for June).
Ben Hutchings did 15 hours.
Brian May did 10 hours.
Chris Lamb did 18 hours.
Emilio Pozuelo Monfort did 33.75 hours (out of 24 hours allocated + 9.75 remaining hours).
Holger Levsen did 6.5h (out of 32.75 remaining hours, the unused hours have been put back in the pool).
Hugo Lefeuvre did 24.25 hours.
Markus Koschany did 24.25 hours.
Ola Lundqvist did 9 hours (out of 14 hours allocated + 12.5 remaining hours, thus keeping 17.5 extra hours for June).
Roberto C. Sanchez did 6.5 hours (out of 18 hours allocated, thus keeping 11.5 extra hours for June).
Santiago Ruano Rincón did 1 hour (out of 8 hours allocated, thus keeping 7 extra hours for June).
Thorsten Alteholz did 24.25 hours.

Evolution of the situation
The number of sponsored hours increased to 190 hours per month thanks to a few new sponsors who joined to benefit from Wheezy’s Extended LTS support.
We are currently in a transition phase. Wheezy is no longer supported by the LTS team and the LTS team will soon take over security support of Debian 8 Jessie from Debian’s regular security team.

Thanks to our sponsors
New sponsors are in bold.

Platinum sponsors:

TOSHIBA (for 32 months)
GitHub (for 23 months)

Gold sponsors:

The Positive Internet (for 48 months)
Blablacar (for 47 months)
Linode (for 37 months)
Babiel GmbH (for 26 months)
Plat’Home (for 26 months)

Silver sponsors:

Domeneshop AS (for 48 months)
Université Lille 3 (for 47 months)
Trollweb Solutions (for 45 months)
Nantes Métropole (for 42 months)
Dalenys (for 38 months)
Univention GmbH (for 33 months)
Université Jean Monnet de St Etienne (for 33 months)
Ribbon Communications, Inc. (for 27 months)
maxcluster GmbH (for 21 months)
Exonet B.V. (for 17 months)
Leibniz Rechenzentrum (for 11 months)
Vente-privee.com (for 8 months)
CINECA

Bronze sponsors:

David Ayers – IntarS Austria (for 48 months)
Evolix (for 48 months)
Seznam.cz, a.s. (for 48 months)
Freeside Internet Service (for 47 months)
MyTux (for 47 months)
Intevation GmbH (for 45 months)
Linuxhotel GmbH (for 45 months)
Daevel SARL (for 44 months)
Bitfolk LTD (for 42 months)
Megaspace Internet Services GmbH (for 42 months)
NUMLOG (for 42 months)
Greenbone Networks GmbH (for 41 months)
WinGo AG (for 41 months)
Ecole Centrale de Nantes – LHEEA (for 37 months)
Sig-I/O (for 35 months)
Entr’ouvert (for 32 months)
Adfinis SyGroup AG (for 30 months)
GNI MEDIA (for 24 months)
Laboratoire LEGI – UMR 5519 / CNRS (for 24 months)
Quarantainenet BV (for 24 months)
RHX Srl (for 21 months)
Bearstech (for 16 months)
LiHAS (for 16 months)
People Doc (for 12 months)
Catalyst IT Ltd (for 10 months)
Supagro (for 6 months)
Demarcq SAS (for 4 months)
TrapX Security


4 days ago

David Tomaschik: Pros vs Joes CTF: The Evolution of Blue Teams from Planet Ubuntu

Pros v Joes CTF is a CTF that holds a special
place in my heart. Over the years, I’ve moved from playing in the 1st CTF as a
day-of pickup player (signing up at the conference) to a Blue Team Pro, to core
CTF staff. It’s been an exciting journey, and Red Teaming there is about the
only role I haven’t held. (Which is somewhat ironic given that my day job is a
red team lead.) As Blue teams have just formed, and I’m not currently attached
to any single team, I wanted to share my thoughts on the evolution of Blue
teaming in this unique CTF. In many ways, this will resemble the Blue Team
player’s guide I
wrote about 3 years ago, but will be based on the evolution of the game and of
the industry itself. That post remains relevant, and I encourage you to read it
as well.

Basics

Let’s start with a refresher on the basics as they exist today. The game runs
over two days: on the first day every team is purely “blue” (defensive), and on
the second day teams move to a “purple” stance, defending their own network
while also being able to attack each other. During the first day there’s a
dedicated red team providing the offensive pressure on the blue teams, as well
as a grey team representing the users/customers of the blue team services.

Each blue team consists of eight players and two pros. The role of the pros is
increasingly mentorship and less “hands on keyboard”, fitting with the Pros v
Joes mission of providing education & mentorship.

Scoring

Scoring was originally based entirely on Health & Welfare checks (i.e., service
up and responding) and flags that can be captured from the hosts. Originally,
there were “integrity” flags (submitted by blue) and offense flags (submitted by
red).

As of 2017, scoring included health & welfare (service uptime), beacons (red
cell contacting the scoreboard from the server to prove that it is compromised),
flags (in theory anyway), and an in-game marketplace that could have both
positive and negative effects. 2018 scoring details have not yet been released,
but check the 2018 rules when published.

The Environment

The environment changes every year, but it’s a highly heterogeneous network with
all of the typical services you would find in a corporate network. At a
minimum, you’re likely to see:

Typical web services (CMS, etc.)
Mail Server
Client machines
Active Directory
DNS Server

The operating systems will vary, and will include older and newer releases of
both Windows and Linux. There has also always been a firewall under the
control of each team segregating that team’s network from the rest of the
game network. These have been both Cisco ASA firewalls and pfSense firewalls.

Each player connects to the game environment using OpenVPN based on
configurations and credentials provided by Dichotomy.

Preparation

There has been an increasing amount of preparation involved in each of the years
I have participated in PvJ. This preparation has essentially come in two core
forms:

Learning about the principles of hardening systems and networks.
Preparing scripts, tools, and toolkits for use during the game.

Fundamentals

It turns out that much of the fundamental knowledge needed to secure a
network is just system administration fundamentals. Understanding how a
system works and how systems interact with each other gives you much of
the basics of information security.

On both Windows and Linux, it is useful to understand:

How to install & update software and operating system updates
How to change permissions of files
How to start and stop services
How to set up a host-based firewall
Basic Shell Commands
User administration

Understanding basic networking is also useful, including:

TCP vs UDP
Stateful vs stateless firewalls
Using tcpdump and Wireshark to debug and understand network traffic

Knowing some kind of scripting language as well can be very useful, especially
if your team prepares some scripts in advance for common operations. Languages
that I’ve found useful include:

Bash
Powershell
Python

Player Toolkit

Obviously, if you’re playing in a CTF, you’ll need a computer. Many of the
tools you’ll want to use are either designed for Linux or are more commonly used
on Linux, so almost everyone will want to have some sort of a Linux environment
available. I suggest that you use whatever operating system you are most
comfortable with as your “bare metal” operating system, so if that’s Windows,
you’ll want to run a Linux virtual machine.

If you use a MacBook (which seems to be the most common choice at a lot of
security conferences), you may want both a Windows VM and a Linux VM, as the
Windows Server administration tools (should you choose to use them) only run on
Windows clients. It’s also been reported that Tunnelblick
is the best option for an OpenVPN client on macOS.

As to choice of Linux distribution, if you don’t have any personal preference, I
would suggest using Kali Linux. It’s not that Kali has
anything you can’t get on other distributions, but it’s well-known in the
security industry, well documented, and based on Debian Linux, which makes it
well-supported and a close cousin of Ubuntu Linux that many have worked with
before.

There are some tools that are absolutely necessary and you should familiarize
yourself with them in advance:

nmap for network enumeration
SSH for connecting to Linux Machines
RDP for connecting to Windows Machines
git, if your team will use it for managing configurations or scripts
OpenVPN for connecting to the game environment

Other tools you’ll probably want to get some experience with:

metasploit for going offensive
Some kind of directory enumeration tool (Dirbuster,
WebBorer)
sqlmap for SQL injection

Useful Resources

Metasploit
Unleashed is a free
online tutorial for penetration testing from Offensive Security.
Nmap Network Scanning is a book all about (and
from) the Nmap network scanner. About half the content is available online
for free.
The Red Team Field Manual and the Blue Team Field
Manual are great references both in preparation, but
also to have on hand during the game. They provide quick references for “how
to” on a variety of applications and operating systems.
SANS Hardening Checklists

Game Strategy

Every team has their own general strategy to the game, but there are a few
things I’ve found that seem to make gameplay go more smoothly for the team:

During initial hardening, have one team member working on the firewall.
Multiple players configuring the firewall is a recipe for lockouts or
confusion.
Communicate, communicate, communicate. Ask questions when needed, and make
sure it’s clear who’s working on what.
Document everything you do. You don’t need to log every command (though it’s
not a bad idea), but you should be able to answer some questions about the
hosts in your network:

What hosts exist?
What are the passwords for the accounts?
Have the passwords been changed from the defaults?
What services are scored?
What hardening steps have been applied?
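Two of those questions (which accounts exist, and whether the default passwords have been changed) are answered by a quick audit of each Linux host’s passwd and shadow files, which is also where the user administration fundamental from earlier pays off. The script below is an added example, not code from the original post. It works on passwd/shadow files passed as arguments so it can be tried on embedded sample data; that sample data is constructed (fake hashes, a planted `toor` account), and its “password not changed since game day” heuristic, with game day given as a days-since-epoch number, is an assumption of the example rather than anything the post prescribes.

```shell
#!/bin/sh
# Added example, not code from the original post: a first-pass Linux account
# audit of the kind a blue team runs on each host in the opening minutes, to
# answer "what accounts exist?" and "have the default passwords been changed?"
# for the team's documentation.
#
# Every check takes the passwd/shadow file as an argument, so the functions
# can be run against the constructed sample files written by write_samples()
# as well as against the real /etc/passwd and /etc/shadow (the latter needs
# root). The "stale password" heuristic is an assumption of this example:
# a usable hash whose last-change day (shadow field 3, days since the epoch)
# is earlier than game day has not been rotated since the image was built.

# Accounts that can log in interactively: shell is not nologin/false.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1, $3, $7 }' "$1"
}

# Any UID 0 account other than root is a classic planted backdoor.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Empty password field in shadow: login without a password.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Usable password hash (not locked with ! or *) last changed before day $2.
stale_passwords() {
    awk -F: -v since="$2" \
        '$2 != "" && $2 !~ /^[!*]/ && ($3 + 0) < (since + 0) { print $1 }' "$1"
}

# Write constructed sample files (fake hashes, not real credentials) into $1.
write_samples() {
    cat >"$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0::/root:/bin/bash
ctfadmin:x:1000:1000:CTF Admin:/home/ctfadmin:/bin/bash
EOF
    cat >"$1/shadow" <<'EOF'
root:$6$saltsalt$FAKEHASHROOT:17700:0:99999:7:::
daemon:*:17600:0:99999:7:::
www-data:*:17600:0:99999:7:::
backup::17600:0:99999:7:::
toor:$6$saltsalt$FAKEHASHTOOR:17600:0:99999:7:::
ctfadmin:!:17600:0:99999:7:::
EOF
}

# Print a short report for one host. $3 is game day as days since the epoch.
audit_report() {
    printf '== interactive accounts (name uid shell)\n'; interactive_accounts "$1"
    printf '== extra UID 0 accounts\n';                  extra_uid0_accounts "$1"
    printf '== accounts without a password\n';           passwordless_accounts "$2"
    printf '== passwords not changed since day %s\n' "$3"; stale_passwords "$2" "$3"
}

# Run as a script: audit the live host (needs root for /etc/shadow).
# Sourced: only define the functions, e.g. to run them on the samples.
case "$0" in
    */account_audit.sh)
        audit_report /etc/passwd /etc/shadow "$(( $(date +%s) / 86400 ))" ;;
esac
```

Sourcing the file, calling `write_samples "$d"` on a scratch directory and then `audit_report "$d/passwd" "$d/shadow" 17700` (17700 is roughly June 2018 in shadow’s days-since-epoch units) reports `toor` as a second UID 0 account, `backup` as having no password at all, and `toor`’s password as unchanged since before game day, while the locked `ctfadmin` and the nologin system accounts are left alone. Run it for real on every Linux host as you inventory them, and write the findings into the same document as the scored services.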

Dos & Don’ts

DO make sure you have a wired ethernet port on your laptop, or a USB to
ethernet adapter and an ethernet
cable.
DO make sure you’ve set up OpenVPN on your host OS (not in a VM) and
you’ve tested it before game day.
DO make sure you’ve read the rules. DON’T try to cheat, Gold team
will figure it out and make you pay.
DO make an effort to try new things. This game is a learning experience,
and you miss 100% of the shots you don’t take.
DO ask questions. DON’T be afraid of looking stupid – everyone in
the security industry has things to learn, and the whole point of this event
is that you can learn. You might even stump the pros.

Making the Most of It

Like so many things in life, the PvJ CTF is a case where you get out of it what
you put into it. If you think you can learn it all by osmosis or being on the
same team but without making effort, it’s unlikely to work out. PvJ gives you
an enthusiastic team, mentors willing to help, and a top-notch environment to
try things out that you might not have the resources for in your environment.

To all the players: Good luck, learn new things, and have fun!

4 days ago

Benjamin Mako Hill: Honey Buckets from Planet Ubuntu

When I was growing up in Washington state, a company called Honey Bucket held a dominant position in the local portable toilet market. Their toilets are still a common sight in the American West.
Honey Bucket brand portable toilet. Photo by donielle. (CC BY-SA)
They were so widespread when I was a child that I didn’t know that “Honey Bucket” was the name of a company at all until I moved to Massachusetts for college. I thought “honey bucket” was just the generic term for toilets that could be moved from place-to-place!
So for the first five years that I lived in Massachusetts, I continued to call all portable toilets “honey buckets.”
Until somebody asked me why I called them that—five years after moving!—all my friends in Massachusetts thought that “honey bucket” was just a personal, idiosyncratic, and somewhat gross, euphemism.

4 days ago

The Fridge: Ubuntu Weekly Newsletter Issue 532 from Planet Ubuntu

Welcome to the Ubuntu Weekly Newsletter, Issue 532 for the week of June 10 – 16, 2018. The full version of this issue is available here.
In this issue we cover:

Ubuntu Stats
Hot in Support
FOSS Talk Live 2018
LoCo Events
This week in Mir (15th June, 2018)
Closed Source and Ethics: Good, Bad, Or Ugly?
Status of Ubuntu Mesa backports
The questions you really want FSFE to answer
Other Community News
Canonical News
In the Press
In the Blogosphere
In Other News
Featured Audio and Video
Meeting Reports
Upcoming Meetings and Events
Updates and Security for 14.04, 16.04, 17.10, and 18.04
And much more!

The Ubuntu Weekly Newsletter is brought to you by:

Krytarik Raido
Bashing-om
Che Dean
Wild Man
Chris Guiver
And many others

If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!
Except where otherwise noted, this issue of the Ubuntu Weekly Newsletter is licensed under a Creative Commons Attribution ShareAlike 3.0 License

4 days ago

Daniel Pocock: The questions you really want FSFE to answer from Planet Ubuntu

As the last man standing as a fellowship representative in FSFE, I propose to give a report at the community meeting at RMLL.
I'm keen to get feedback from the wider community as well, including former fellows, volunteers and anybody else who has come into contact with FSFE.
It is important for me to understand the topics you want me to cover as so many things have happened in free software and in FSFE in recent times.

Some of the things people already asked me about:
the status of the fellowship and the membership status of fellows
use of non-free software and cloud services in FSFE, deviating from the philosophy that people associate with the FSF / FSFE family
measuring both the impact and cost of campaigns, to see if we get value for money (a high level view of expenditure is here)
What are the issues you would like me to address? Please feel free to email me privately or publicly. If I don't have answers immediately I would seek to get them for you as I prepare my report. Without your support and feedback, I don't have a mandate to pursue these issues on your behalf so if you have any concerns, please reply.
Your fellowship representative

8 days ago

Kees Cook: security things in Linux v4.17 from Planet Ubuntu

Previously: v4.16.
Linux kernel v4.17 was released last week, and here are some of the security things I think are interesting:
Jailhouse hypervisor
Jan Kiszka landed Jailhouse hypervisor support, which uses static partitioning (i.e. no resource over-committing), where the root “cell” spawns new jails by shrinking its own CPU/memory/etc resources and hands them over to the new jail. There’s a nice write-up of the hypervisor on LWN from 2014.
Sparc ADI
Khalid Aziz landed the userspace support for Sparc Application Data Integrity (ADI or SSM: Silicon Secured Memory), which is the hardware memory coloring (tagging) feature in Sparc M7. I’d love to see this extended into the kernel itself, as it would kill linear overflows between allocations, since the base pointer being used is tagged to belong to only a certain allocation (sized to a multiple of cache lines). Any attempt to increment beyond, into memory with a different tag, raises an exception. Enrico Perla has some great write-ups on using ADI in allocators and a comparison of ADI to Intel’s MPX.
new kernel stacks cleared on fork
It was possible that old memory contents would live in a new process’s kernel stack. While normally not visible, “uninitialized” memory read flaws or read overflows could expose these contents (especially stuff “deeper” in the stack that may never get overwritten for the life of the process). To avoid this, I made sure that new stacks were always zeroed. Oddly, this “priming” of the cache appeared to actually improve performance, though it was mostly in the noise.
MAP_FIXED_NOREPLACE
As part of further defense in depth against attacks like Stack Clash, Michal Hocko created MAP_FIXED_NOREPLACE. The regular MAP_FIXED has a subtle behavior not normally noticed (but used by some, so it couldn’t just be fixed): it will replace any overlapping portion of a pre-existing mapping. This means the kernel would silently overlap the stack into mmap or text regions, since MAP_FIXED was being used to build a new process’s memory layout. Instead, MAP_FIXED_NOREPLACE has all the features of MAP_FIXED without the replacement behavior: it will fail if a pre-existing mapping overlaps with the newly requested one. The ELF loader has been switched to use MAP_FIXED_NOREPLACE, and it’s available to userspace too, for similar use-cases. Note that kernels older than v4.17 don’t know the flag and ignore it, so on a collision they fall back to treating the address as a hint; portable userspace code should therefore still check that the address mmap() returned is the one it asked for.
pin stack limit during exec
I used a big hammer and pinned the RLIMIT_STACK values during exec. There were multiple methods to change the limit (through at least setrlimit() and prlimit()), and there were multiple places the limit got used to make decisions, so it seemed best to just pin the values for the life of the exec so no games could get played with them. Too much assumed the value wasn’t changing, so better to make that assumption actually true. Hopefully this is the last of the fixes for these bad interactions between stack limits and memory layouts during exec (which have all been defensive measures against flaws like Stack Clash).
Variable Length Array removals start
Following some discussion over Alexander Popov’s ongoing port of the stackleak GCC plugin, Linus declared that Variable Length Arrays (VLAs) should be eliminated from the kernel entirely. This is great because it kills several stack exhaustion attacks, including weird stuff like stepping over guard pages with giant stack allocations. However, with several hundred uses in the kernel, this wasn’t going to be an easy job. Thankfully, a whole bunch of people stepped up to help out: Gustavo A. R. Silva, Himanshu Jha, Joern Engel, Kyle Spiers, Laura Abbott, Lorenzo Bianconi, Nikolay Borisov, Salvatore Mesoraca, Stephen Kitt, Takashi Iwai, Tobin C. Harding, and Tycho Andersen. With Linus Torvalds and Martin Uecker, I also helped rewrite the max() macro to eliminate false positives seen by the -Wvla compiler option. Overall, about 1/3rd of the VLA instances were solved for v4.17, with many more coming for v4.18. I’m hoping we’ll have entirely eliminated VLAs by the time v4.19 ships.
That’s it for now! Please let me know if you think I missed anything. Stay tuned for v4.18; the merge window is open. :)
© 2018, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

8 days ago

Simos Xenitellis: How to use LXD container hostnames on the host in Ubuntu 18.04 from Planet Ubuntu

If you have two LXD containers, mycontainer1 and mycontainer2, they can reference each other with those handy *.lxd hostnames like this,
$ lxc exec mycontainer1 -- sudo --user ubuntu --login
ubuntu@mycontainer1:~$ ping mycontainer2.lxd
PING mycontainer2.lxd(mycontainer2.lxd (fd42:cba6:557e:1a5a:24e:3eff:fce2:8d3)) 56 data bytes
64 bytes from mycontainer2.lxd (fd42:cba6:557e:1a5a:24e:3eff:fce2:8d3): icmp_seq=1 ttl=64 time=0.125 ms
^C
--- mycontainer2.lxd ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.125/0.125/0.125/0.000 ms
ubuntu@mycontainer1:~$
Those hostnames are provided automatically by LXD when you use a default private bridge like lxdbr0. They are served by the dnsmasq instance that LXD starts for you, which binds specifically to the lxdbr0 network interface.
LXD does not touch the host’s own DNS resolver configuration, so those hostnames cannot be used from the host itself,
ubuntu@mycontainer1:~$ exit
$ ping mycontainer2.lxd
ping: unknown host mycontainer2.lxd
Exit 2
In this post we are going to see how to set up the host on Ubuntu 18.04 (or any Linux distribution that uses systemd-resolved) so that the host can resolve the container hostnames.
The default per-link configuration that systemd-resolved has for the lxdbr0 bridge on the host is
$ systemd-resolve --status lxdbr0
Link 2 (lxdbr0)
Current Scopes: none
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
The goal is to add the appropriate DNS server entries to appear in that configuration.
Let’s get first the IP address of LXD’s dnsmasq server for the network interface lxdbr0.
$ ip addr show dev lxdbr0
2: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether fe:2b:da:d9:49:4a brd ff:ff:ff:ff:ff:ff
inet 10.10.10.1/24 scope global lxdbr0
valid_lft forever preferred_lft forever
inet6 fd42:6a89:42d0:60b::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::10cf:51ff:fe05:5383/64 scope link
valid_lft forever preferred_lft forever
The IP address of the lxdbr0 interface in this case is 10.10.10.1 and that is the IP of LXD’s DNS server.
Now we can move on by configuring the host to consult LXD’s DNS server.
Temporary network configuration
Run the following command to temporarily configure the interface and add the DNS server details.
$ sudo systemd-resolve --interface lxdbr0 --set-dns 10.10.10.1 --set-domain lxd
In this command,

we specify the network interface lxdbr0
we set the DNS server to the IP address of the lxdbr0, the interface that dnsmasq is listening on.
we set the domain to lxd, as the hostnames are of the form mycontainer.lxd.

Now, the configuration looks like
$ systemd-resolve --status lxdbr0
Link 2 (lxdbr0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 10.10.10.1
DNS Domain: lxd
You can now verify that you can, for example, get the IP address of the container by name:
$ host mycontainer1.lxd
mycontainer1.lxd has address 10.10.10.88
mycontainer1.lxd has IPv6 address fd42:8196:99f3:52ad:216:3eff:fe0f:bacb
$
Note: The first time you resolve such a hostname, systemd-resolved takes a few seconds to complete the resolution. You get the result shown above, but the command does not return immediately, because systemd-resolved is also waiting for an answer from your host’s default DNS server and that lookup has to time out. Subsequent lookups are served from the cache and return immediately.
You can also revert these settings with the following command,
$ systemd-resolve --interface lxdbr0 --revert
$ systemd-resolve --status lxdbr0
Link 3 (lxdbr0)
Current Scopes: none
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
$
In general, this is a temporary network configuration and nothing has been saved to a file. When we reboot the computer, the configuration is gone.
Permanent network configuration
We are going to have systemd apply the temporary network configuration above automatically whenever LXD starts. That is, as soon as lxdbr0 is up, our additional script will run and configure the per-link DNS settings.
First, create the following auxiliary script files.
$ cat /usr/local/bin/lxdhostdns_start.sh
#!/bin/sh

LXDINTERFACE=lxdbr0
LXDDOMAIN=lxd
# First IPv4 address of the bridge; this is where LXD's dnsmasq listens.
LXDDNSIP=$(ip addr show "${LXDINTERFACE}" | grep -Po 'inet \K[\d.]+')

/usr/bin/systemd-resolve --interface "${LXDINTERFACE}" \
    --set-dns "${LXDDNSIP}" \
    --set-domain "${LXDDOMAIN}"

$ cat /usr/local/bin/lxdhostdns_stop.sh
#!/bin/sh

LXDINTERFACE=lxdbr0

/usr/bin/systemd-resolve --interface ${LXDINTERFACE} --revert
Second, make them executable.
$ sudo chmod +x /usr/local/bin/lxdhostdns_start.sh /usr/local/bin/lxdhostdns_stop.sh
Third, create the following systemd service file.
$ sudo cat /lib/systemd/system/lxd-host-dns.service
[Unit]
Description=LXD host DNS service
After=lxd-containers.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/lxdhostdns_start.sh
RemainAfterExit=true
ExecStop=/usr/local/bin/lxdhostdns_stop.sh
StandardOutput=journal

[Install]
WantedBy=multi-user.target
This unit

starts after lxd-containers.service, by which point lxdbr0 is up.
is Type=oneshot, so systemd waits for the script to finish before considering the unit started.
runs the respective scripts on ExecStart and ExecStop.
sets RemainAfterExit=true, so it still shows as active after the start script has exited and the stop script runs on systemctl stop.
sends its output to the journal, so if something goes wrong it shows up in journalctl -u lxd-host-dns.service.
is installed in the multi-user target (same as the LXD service).

Fourth, reload systemd and enable the new service, so that it starts automatically after a reboot.
$ sudo systemctl daemon-reload
$ sudo systemctl enable lxd-host-dns.service
Created symlink /etc/systemd/system/multi-user.target.wants/lxd-host-dns.service → /lib/systemd/system/lxd-host-dns.service.
$
Note: This should work better than the old (next section) instructions. Those old instructions would fail if the lxdbr0 network interface was not up. Still, I am not completely happy with this new section. It appears that when you explicitly start or stop the new service, the action may not run. To be tested.
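A more defensive version of the start script, added here as an example and not part of the original post or of LXD. It keeps the interface and domain names used above (lxdbr0, lxd), assumes the `ip -o addr show` one-line output format, and embeds a constructed sample of that output (built from the addresses shown earlier in the post) so that the parsing can be tried without a running LXD.

```shell
#!/bin/sh
# Added example, not code from the original post: a more defensive replacement
# for lxdhostdns_start.sh. Compared with the script above it
#   * checks that the bridge exists before calling systemd-resolve, so a
#     missing lxdbr0 is an explicit error instead of an empty --set-dns;
#   * passes the bridge's global IPv4 *and* IPv6 addresses as DNS servers
#     (dnsmasq listens on both) and skips the fe80:: link-local address;
#   * keeps the parsing in a function that reads `ip -o addr show` output from
#     stdin, so it can be tested on the captured sample below.
# Interface and domain names are the ones used in the post.

LXDINTERFACE="${LXDINTERFACE:-lxdbr0}"
LXDDOMAIN="${LXDDOMAIN:-lxd}"

# Constructed sample of `ip -o addr show dev lxdbr0` (addresses taken from the
# post); used for trying the parser out, not by main().
SAMPLE_IP_OUTPUT='2: lxdbr0    inet 10.10.10.1/24 scope global lxdbr0\       valid_lft forever preferred_lft forever
2: lxdbr0    inet6 fd42:6a89:42d0:60b::1/64 scope global \       valid_lft forever preferred_lft forever
2: lxdbr0    inet6 fe80::10cf:51ff:fe05:5383/64 scope link \       valid_lft forever preferred_lft forever'

# Print the global-scope addresses (prefix length stripped) found in
# `ip -o addr show` output on stdin, one per line. The "scope" keyword is
# located by name rather than by position because IPv4 lines may carry an
# extra "brd <address>" pair before it.
lxd_dns_servers() {
    awk '$3 ~ /^inet6?$/ {
            for (i = 5; i < NF; i++)
                if ($i == "scope" && $(i + 1) == "global") {
                    sub(/\/.*$/, "", $4); print $4; break
                }
         }'
}

# Build the systemd-resolve argument list for interface $1, domain $2 and the
# server addresses in the remaining arguments. Printed, not executed, so it
# can be logged or checked before anything touches the host configuration.
lxd_resolve_args() {
    iface="$1"; domain="$2"; shift 2
    args="--interface $iface"
    for a in "$@"; do
        args="$args --set-dns $a"
    done
    printf '%s --set-domain %s\n' "$args" "$domain"
}

main() {
    if ! ip link show dev "$LXDINTERFACE" >/dev/null 2>&1; then
        echo "$0: $LXDINTERFACE does not exist; is LXD running?" >&2
        exit 1
    fi
    servers=$(ip -o addr show dev "$LXDINTERFACE" | lxd_dns_servers)
    if [ -z "$servers" ]; then
        echo "$0: $LXDINTERFACE has no global address yet" >&2
        exit 1
    fi
    # Word splitting of $servers and of the argument list is intended.
    # shellcheck disable=SC2046,SC2086
    /usr/bin/systemd-resolve $(lxd_resolve_args "$LXDINTERFACE" "$LXDDOMAIN" $servers)
}

# Run as the installed script: configure the link. Sourced: only define the
# functions (e.g. to try lxd_dns_servers on $SAMPLE_IP_OUTPUT).
case "$0" in
    */lxdhostdns_start.sh) main "$@" ;;
esac
```

Installed as /usr/local/bin/lxdhostdns_start.sh it is a drop-in for the ExecStart above; sourced from an interactive shell, `printf '%s\n' "$SAMPLE_IP_OUTPUT" | lxd_dns_servers` shows the two addresses that would be configured. If you would rather not have lxd appended to single-label names, pass `~lxd` as the domain: systemd-resolved treats a domain prefixed with `~` as routing-only, using the link’s servers for names under that domain without making it a search suffix.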
 
(old section, not working) Permanent network configuration
In systemd, we can add per network interface configuration by adding a file in /etc/systemd/network/.
It should be a file with the extension .network, and the appropriate content.
Add the following file
$ cat /etc/systemd/network/lxd.network
[Match]
Name=lxdbr0

[Network]
DNS=10.100.100.1
Domains=lxd
We chose the name lxd.network for the filename. As long as it has the .network extension, we are fine.
The [Match] section matches the name of the network interface, which is lxdbr0. The rest will only apply if the network interface is indeed lxdbr0.
The [Network] section has the specific network settings. We set DNS to the IP of the LXD DNS server, and Domains to the domain suffix of the container hostnames. The lxd in Domains is the suffix that is configured in LXD’s DNS server.
Now, let’s restart the host and check the network configuration.
$ systemd-resolve --status
...
Link 2 (lxdbr0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.100.100.1
                      fe80::a405:eade:4376:3817
          DNS Domain: lxd
Everything looks fine. By doing the configuration this way, systemd-resolve also automatically picked up the IPv6 address of lxdbr0.
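Whichever of the two approaches you use, it is worth verifying the result rather than trusting the unit or .network file. The following POSIX shell helper is an added example, not part of the original post: it parses a systemd-resolve --status listing (the samples below are constructed in the layout shown above) and checks that the LXD resolver 10.100.100.1 is attached to lxdbr0, scoped to the lxd domain, and not listed as a global server.

```shell
#!/bin/sh
# Added verification helper (not part of the original post): parse the output
# of `systemd-resolve --status` and confirm the LXD dnsmasq resolver is attached
# to the lxdbr0 link, scoped to the "lxd" domain, and NOT listed under Global
# (a global entry would route every host query to the container bridge).

# Constructed sample in the layout systemd-resolve prints on Ubuntu 18.04.
STATUS_OK='Global
         DNS Domain: corp.example

Link 3 (eth0)
      Current Scopes: DNS
         DNS Servers: 192.0.2.53
          DNS Domain: corp.example

Link 2 (lxdbr0)
      Current Scopes: DNS
         DNS Servers: 10.100.100.1
                      fe80::a405:eade:4376:3817
          DNS Domain: lxd
'

# Constructed misconfiguration: the LXD resolver was also made a global server.
STATUS_LEAK='Global
         DNS Servers: 10.100.100.1

Link 2 (lxdbr0)
         DNS Servers: 10.100.100.1
          DNS Domain: lxd
'

# check_lxd_dns [LINK] [DNS_SERVER] [DOMAIN]   (reads resolver status on stdin)
# Returns 0 only when LINK lists DNS_SERVER as its first server and DOMAIN as
# its DNS Domain, and DNS_SERVER does not appear in the Global section.
check_lxd_dns() {
    awk -v link="${1:-lxdbr0}" -v want_dns="${2:-10.100.100.1}" \
        -v want_domain="${3:-lxd}" '
        /^Global/         { inglobal = 1; inlink = 0 }
        /^Link [0-9]+ \(/ { inglobal = 0; inlink = index($0, "(" link ")") > 0 }
        inglobal && $NF == want_dns              { leak = 1 }
        inlink && /DNS Servers:/ && dns == ""    { dns = $NF }  # first server
        inlink && /DNS Domain:/                  { domain = $NF }
        END { ok = (dns == want_dns && domain == want_domain && !leak); exit ok ? 0 : 1 }
    '
}

# Stand-alone demonstration: the scoped layout passes, the leaky one fails.
printf '%s' "$STATUS_OK"   | check_lxd_dns && echo "lxdbr0 resolver scoped OK"
printf '%s' "$STATUS_LEAK" | check_lxd_dns || echo "LXD resolver leaked to Global"
```

On a real host, pipe the live output in with `systemd-resolve --status | check_lxd_dns`.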
Conclusion
We have seen how to set up the host of a LXD installation so that processes on the host are able to resolve the hostnames of the containers. This applies to Ubuntu 18.04 or any distribution that uses systemd for its DNS client needs.
If you use Ubuntu 16.04, then it requires a different way involving the dnsmasq-base configuration. There are instructions on this on the Internet, ask if you cannot find them.
Simos Xenitellis https://blog.simos.info/

8 days ago

Ubuntu Podcast from the UK LoCo: S11E14.5 – Fourteen and a Half Pound Budgie - Ubuntu Podcast from Planet Ubuntu

This show was recorded in front of a live studio audience at FOSS Talk Live on Saturday 9th June 2018! We take you on a 40 year journey through our time trumpet and contribute to some open source projects for the first time and discuss the outcomes.

It’s Season 11 Episode 14.5 of the Ubuntu Podcast! Alan Pope, Mark Johnson and Martin Wimpress are connected and speaking to your brain.
In this live show:

We discuss what we’ve been up to recently:

Martin has been at the Electron Maintainers Summit in Prague.
Mark has been fixing a leaky toilet.
Alan has been at a GNOME Software design sprint.

We take a journey through the time trumpet:

40 years ago – Happy 40th Anniversary to the Original Intel 8086 and the x86 Architecture
20 years ago – Bruce Rebuts Linus on KDE/Gnome
10 years ago – Mozilla releases Firefox 3
10 years ago – Google release Chrome Developer Preview

Martin challenges Alan and Mark to contribute to some open source projects for the first time and we discuss the outcomes.

Mark contributed to Drupal and Active window control applet (KDE).
Alan contributed to Debian and KDE.

Image credit: Marius Quabeck

That’s all for this week! You can listen to the Ubuntu Podcast back catalogue on YouTube. If there’s a topic you’d like us to discuss, or you have any feedback on previous shows, please send your comments and suggestions to show@ubuntupodcast.org or Tweet us or Comment on our Facebook page or comment on our Google+ page or comment on our sub-Reddit.

Join us in the Ubuntu Podcast Telegram group.

8 days ago

Stephen Michael Kellat: Active Searching from Planet Ubuntu

I generally am not trying to shoot for terse blog posts. That being said, my position at work is getting increasingly untenable since we're in a position of being physically unable to accomplish our mission goals prior to funding running out at 11:59:59 PM Eastern Time on September 30th. Conflicting imperatives were set and frankly we're starting to hit the point that neither are getting accomplished regardless of how many warm bodies we're throwing at the problem. It isn't good either when my co-workers who have any military experience are sounding out KBR, Academi, and Perspecta.
I'm actively seeking new opportunities. In lieu of a fancy resume in LaTeX, I put forward the relevant details at https://www.linkedin.com/in/stephenkellat/. I can handle LaTeX, though, as seen by the example here that has some copyright-restricted content stripped from it: http://erielookingproductions.info/saybrook-example.pdf.
Ideas for things I could do:

Return to being a librarian
Work in an Emergency Operations Center (I am Incident Command System trained plus ran through the FEMA EOC basics training)
Work as a dispatcher (General class licensed ham radio operator)
Teach since I do "point of need" education now over the phone such as spending 30 minutes or more explaining to people how the "Estimated Tax Penalty" in the Internal Revenue Code works, for example
Work in a journalistic endeavor as I previously worked as a print news reporter and helmed an audio podcast for 6 years
Help coordinate interactions between programmers and regulators (Would you want to be in the uncomfortable position Mr. Zuckerberg was in front of the US Congress without support?)

If your project/work/organization/endeavor/skunkworks is looking for a new team player I may prove a worthwhile addition. You more than likely could pay me more than my current employer does.

9 days ago

Timo Aaltonen: Status of Ubuntu Mesa backports from Planet Ubuntu

It’s been quite a while since the last post about Mesa backports, so here’s a quick update on where we are now.
Ubuntu 18.04 was released with Mesa 18.0.0 which was built against libglvnd. This complicates things a bit when it comes to backporting Mesa to 16.04, because the packaging has changed a bit due to libglvnd and would break LTS->LTS upgrades without certain package updates.
So we first need to make sure 18.04 gets Mesa 18.0.5 (the last of the 18.0 series, so no version bumps are expected until the backport from 18.10), along with an updated libglvnd that bumps the Breaks/Replaces on old package versions. This ensures that the xenial -> bionic upgrade will go smoothly once 18.0.5 is backported to xenial, which will in fact be in -proposed soon.
What this also means is that the only release getting new Mesa backports via the x-updates PPA from now on is 18.04. And I’ve pushed Mesa 18.1.1 there today, enjoy!

9 days ago

Stuart Langridge: Little community conferences from Planet Ubuntu

This last weekend I was at FOSS Talk Live 2018. It was fun. And it led me into various thoughts of how I’d like there to be more of this sort of fun in and around the tech community, and how my feelings on success have changed a bit …

11 days ago

The Fridge: Ubuntu Weekly Newsletter Issue 531 from Planet Ubuntu

Welcome to the Ubuntu Weekly Newsletter, Issue 531 for the week of June 3 – 9, 2018. The full version of this issue is available here.
In this issue we cover:

Ubuntu Stats
Hot in Support
Ubuntu Myanmar Linux BootCamp (48Hour Non-Stop)
LoCo Events
This Week in Mir (8th Jun, 2018)
Canonical News
In the Blogosphere
Featured Audio and Video
Meeting Reports
Upcoming Meetings and Events
Updates and Security for 14.04, 16.04, 17.10, and 18.04
And much more!

The Ubuntu Weekly Newsletter is brought to you by:

Krytarik Raido
Bashing-om
Chris Guiver
Wild Man
And many others

If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!
Except where otherwise noted, this issue of the Ubuntu Weekly Newsletter is licensed under a Creative Commons Attribution ShareAlike 3.0 License

11 days ago