View previous topic :: View next topic |
Author |
Message |
Gatsby Tux's lil' helper
Joined: 18 Jan 2010 Posts: 121 Location: 127.0.0.1
|
Posted: Tue Jan 07, 2020 4:20 pm Post subject: |
|
|
Si tacuisses, philosophus mansisses. _________________ "Its your Gentoo, your way. When it breaks, you can keep all the pieces."
-- NeddySeagoon@forums.gentoo.org
Last edited by Gatsby on Tue Jan 07, 2020 7:49 pm; edited 1 time in total |
|
Back to top |
|
|
proteusx Guru
Joined: 21 Jan 2008 Posts: 340
|
Posted: Tue Jan 07, 2020 4:42 pm Post subject: |
|
|
erm67 wrote: |
You mean you'll stick witk glep-0081? |
Gentoo works fine without the glep-81 silliness. |
|
Back to top |
|
|
dmpogo Advocate
Joined: 02 Sep 2004 Posts: 3468 Location: Canada
|
Posted: Tue Jan 07, 2020 7:18 pm Post subject: |
|
|
tholin wrote: |
The threat model he mention is "I if go though customs to a country that I don't trust" but there is no way this approach is secure against that. You simply don't know what sensitive data remains in ram. Don't he realize that? Or if he is realizing it why is he claiming this is secure?
|
This may lead to an interesting technical discussion but is really a bogus argument in real life. Customs simply demand that you enter the password to decrypt your drive and if you refuse, can just deny your admission (and that would be your best outcome, the denial of admission to US say can easily come with 5 year ban on entering US).
And if you are a returning citizen, and the admission can not be denied, they are entitled (for instance in Canada) to temorarily seize your device and send it to their lab for
analysis. You'll get it back, in few months. All of it is such a hassle that is justified only if you have really somethng serious on your drive. And if so you should not be taking
your /home to the border. Really if one is concerned about the border, one should wipe the disks/phones, and restore it from online backups on the other side, if possible.
Which can also be monitored, of course, but perhaps less personally.
Last edited by dmpogo on Tue Jan 07, 2020 7:21 pm; edited 1 time in total |
|
Back to top |
|
|
Naib Watchman
Joined: 21 May 2004 Posts: 6069 Location: Removed by Neddy
|
Posted: Tue Jan 07, 2020 7:19 pm Post subject: |
|
|
Hu wrote: | Now we need someone to propose an outlandish systemd feature that, if ever implemented, would bring about the downfall of systemd. Being outlandish, no one will seriously expect it to actually happen. Then, one day it will, because so far truth is stranger than fiction. |
pjp wrote: | Hu wrote: | the downfall of systemd | That seems unlikely at this point unless MS ports AD to Linux, thereby gifting IBM fond memories of their OS/2 days. |
raise a feature request pushing for AD capability in SystemD _________________ #define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0; |
|
Back to top |
|
|
erm67 l33t
Joined: 01 Nov 2005 Posts: 653 Location: EU
|
Posted: Tue Jan 07, 2020 8:22 pm Post subject: |
|
|
Gatsby wrote: |
Si tacuisses, philosophus mansisses. |
Yeah but I got this today after an update:
Code: | Scaricamento di:1 http://deb.debian.org/debian buster-backports/main armel libnss-systemd armel 244-3~bpo10+1 [194 kB]
|
And at the same time I noticed the messages below:
proteusx wrote: | erm67 wrote: |
You mean you'll stick witk glep-0081? |
Gentoo works fine without the glep-81 silliness. |
How do you stop those funny packages from emerging?
Code: |
1578392612: ::: completed emerge (84 of 533) acct-user/messagebus-0 to /
1578392636: ::: completed emerge (85 of 533) acct-user/systemd-journal-remote-0 to /
1578392660: ::: completed emerge (86 of 533) acct-user/systemd-coredump-0 to /
1578392683: ::: completed emerge (87 of 533) acct-user/systemd-network-0 to /
1578392707: ::: completed emerge (88 of 533) acct-user/systemd-resolve-0 to /
1578392731: ::: completed emerge (89 of 533) acct-user/systemd-timesync-0 to /
1578392815: ::: completed emerge (92 of 533) acct-user/man-1 to /
1578392878: ::: completed emerge (94 of 533) acct-user/mysql-0 to /
1578392902: ::: completed emerge (95 of 533) acct-user/avahi-0 to /
1578392926: ::: completed emerge (96 of 533) acct-user/mail-0 to /
1578392950: ::: completed emerge (97 of 533) acct-user/postmaster-0 to /
1578392973: ::: completed emerge (98 of 533) acct-user/redis-0 to /
1578392997: ::: completed emerge (99 of 533) acct-user/fetchmail-0 to /
1578393021: ::: completed emerge (100 of 533) acct-user/ddclient-0 to /
1578393045: ::: completed emerge (101 of 533) acct-user/mpd-0 to /
|
Apparently systemd-sysusers.d and glep-0081 have overlapping goals how will the conflict be solved?
When upstream wil begin installing droplets with user and goup info into /etc/sysusers.d portage will intercept them and create glep-0081 packages automatically for non systemd users? And is this a lucky coincidence or something else? _________________ Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia
My fediverse account: @erm67@erm67.dynu.net |
|
Back to top |
|
|
GDH-gentoo Veteran
Joined: 20 Jul 2019 Posts: 1791 Location: South America
|
Posted: Tue Jan 07, 2020 10:21 pm Post subject: |
|
|
erm67 wrote: | Apparently systemd-sysusers.d and glep-0081 have overlapping goals how will the conflict be solved? | Short term? I'd say GLEP 81 wins, and /etc/sysusers.d/* files get ignored. GLEP 81 ebuilds integrate with the package manager, and there's currently no systemd-emerge
erm67 wrote: | When upstream wil begin installing droplets with user and goup info into /etc/sysusers.d portage will intercept them and create glep-0081 packages automatically for non systemd users? | Depends, who is sysusers.d's 'audience', upstreams or distributions? |
|
Back to top |
|
|
Morality124 Tux's lil' helper
Joined: 20 Feb 2018 Posts: 102
|
Posted: Tue Jan 07, 2020 11:00 pm Post subject: |
|
|
erm67 wrote: | How do you stop those funny packages from emerging? |
nuke-acct-shit.sh: | #!/bin/sh
set -e
err_handler () { [ $? -eq 0 ] && exit; }
trap err_handler EXIT
portageDir="$(awk '
BEGIN {p = "PORTDIR="} $0 ~ p {
gsub(p "|\"|\047", "")
print
}' /etc/portage/make.conf)"
packageProvided=/etc/portage/profile/package.provided
mkdir -pv $packageProvided
tempDir=$(mktemp -d --suffix=_acct-shit)
for suffix in group user
do
find "$portageDir"/acct-$suffix/* -type d | \
awk -F '/' -v suffix="$suffix" -v packageProvided="$packageProvided" '
(!/systemd/) {
print
print $(NF - 1) "/" $NF "-0" > packageProvided "/acct-" suffix ".provided"
}'
mv -v "$portageDir"/acct-$suffix "$tempDir"
done |
Last edited by Morality124 on Wed Jan 08, 2020 3:58 am; edited 3 times in total |
|
Back to top |
|
|
saellaven l33t
Joined: 23 Jul 2006 Posts: 655
|
Posted: Tue Jan 07, 2020 11:06 pm Post subject: |
|
|
erm67 wrote: |
Apparently systemd-sysusers.d and glep-0081 have overlapping goals how will the conflict be solved?
When upstream wil begin installing droplets with user and goup info into /etc/sysusers.d portage will intercept them and create glep-0081 packages automatically for non systemd users? And is this a lucky coincidence or something else? |
Last month, Gentoo devs were debating again how they should go about implementing GLEP-81 and whether or not they should change their approach. It's another case of "DO then think" about the consequences later, then maybe revise, but meanwhile, constantly screw up production systems in the meantime.
Given the latest systemd news and the history of trying to force systemd's caveats on non-systemd users, I expect GLEP-81 to be revised in a way to force a systemd approach. I say that half tongue in cheek, but I wouldn't be surprised to see someone propose it. _________________ Ryzen 3700X, Asus Prime X570-Pro, 64 GB DDR4 3200, GeForce GTX 1660 Super
openrc-0.17, ~vanilla-sources, ~nvidia-drivers, ~gcc |
|
Back to top |
|
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Wed Jan 08, 2020 1:20 am Post subject: |
|
|
acct-groups i.e. GLEP-81
I have them all masked. I unmask them as needed after checking what they are going to do. So far I haven't found one that changed an existing group assignment.
When one does occur, I suppose I can add it to package provided or (more likely) add an ebuil;d to local overlay that assigns the group I already have. Unless I think the devs made the right choice and I made the wrong one.
I would have just rather have had a wiki article listing the preffered group assignments. |
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6191 Location: Dallas area
|
Posted: Wed Jan 08, 2020 10:10 am Post subject: |
|
|
I have a few userid/groupids that would change if I activated the acct-* stuff. But the base system goes back to 2004 and things have changed since then.
What those acct* numbers are, are meaningless, other than they are supposed to be unique for each device.
I have a script that runs daily that puts all acct-* stuff in package.provided and then ,if needed, I just take care of it myself, kind of the way you used to years ago. _________________ UM780, 6.12 zen kernel, gcc 13, openrc, wayland |
|
Back to top |
|
|
asturm Developer
Joined: 05 Apr 2007 Posts: 9325
|
Posted: Wed Jan 08, 2020 2:29 pm Post subject: |
|
|
saellaven wrote: | Last month, Gentoo devs were debating again how they should go about implementing GLEP-81 and whether or not they should change their approach. It's another case of "DO then think" about the consequences later, then maybe revise, ... |
The policy around GID/UID assignment was debated and changed, yes, GLEP-81 itself no. No change for end users, no need to spread fud. |
|
Back to top |
|
|
Morality124 Tux's lil' helper
Joined: 20 Feb 2018 Posts: 102
|
Posted: Thu Jan 09, 2020 12:55 am Post subject: |
|
|
asturm wrote: | No change for end users, no need to spread fud. |
...
proteusx wrote: | I delete them from the tree to prevent annoyances such as this one:
Code: | ~ # equery u pdnsd
!!! Ambiguous package name. Choose from:
acct-user/pdnsd
net-dns/pdnsd
acct-group/pdnsd |
|
Anon-E-moose wrote: | It's taking progressively longer to run a simple check "emerge -pvuDU @world" just to have it report that absolutely nothing needs to be emerged.
If it's not that more packages are added to make it longer to churn through everything, then do you think it's caused by sunspots.
Note: it's not that acct* stuff is that much but when you add all the useless virtual's along with it and a few other things, it all adds up. |
pjp wrote: | That solves the x systems, y packages problem. I'm counting 46 ebuilds in acct-group,user, so that overhead would be eliminated. |
Naib wrote: | I would want some architecting, some modeling, some system engineering so the end user doesn't get something like this
Code: | # emerge syncthing
Calculating dependencies /
[ Results for search key : syncthing ]
* acct-group/syncthing
Latest version available: 0
Latest version installed: [ Not Installed ]
Size of files: 0 KiB
Homepage:
Description: Group for the system-wide net-p2p/syncthing server
License:
* acct-user/syncthing
Latest version available: 0
Latest version installed: [ Not Installed ]
Size of files: 0 KiB
Homepage:
Description: User for the system-wide net-p2p/syncthing server
License:
* net-p2p/syncthing
Latest version available: 1.2.1
Latest version installed: [ Not Installed ]
Size of files: 21,993 KiB
Homepage: https://syncthing.net
Description: Open Source Continuous File Synchronization
License: MPL-2.0
[ Applications found : 6 ]
!!! The short ebuild name "syncthing" is ambiguous. Please specify
!!! one of the above fully-qualified ebuild names instead.
... done!
|
That is poor oversight... Signs of "I know what lets do foo" without actually modeling the problem and working through scenarios |
tholin wrote: | The update didn't go that smoothly for me. Acct-user/qemu broke my setup.
I have a gaming VM using evdev device passthrough. The user running the VM needs direct access to the input devices for that to work. Typically you put the unprivileged user into a group with permission to access the needed hardware resource so I have the "qemu" user in the "input" group. Installing acct-user/qemu will change the group membership of "qemu" to a hardcoded list of only qemu,kvm and not input. The VM will then fail to start with Permission denied.
The GLEP says "The proposal also respects direct sysadmin modifications." but obviously not in this case. |
Well that's a load of malarkey... |
|
Back to top |
|
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20580
|
Posted: Thu Jan 09, 2020 5:18 am Post subject: |
|
|
Morality124 wrote: | pjp wrote: | That solves the x systems, y packages problem. I'm counting 46 ebuilds in acct-group,user, so that overhead would be eliminated. |
| Out of curiosity, a quick check appears to indicate 105 users, 119 groups. I only did a cursory check to see if there were any duplicates. _________________ Quis separabit? Quo animo? |
|
Back to top |
|
|
asturm Developer
Joined: 05 Apr 2007 Posts: 9325
|
Posted: Thu Jan 09, 2020 3:13 pm Post subject: |
|
|
All of which is completely irrelevant to my post. |
|
Back to top |
|
|
saellaven l33t
Joined: 23 Jul 2006 Posts: 655
|
Posted: Thu Jan 09, 2020 5:32 pm Post subject: |
|
|
asturm wrote: | saellaven wrote: | Last month, Gentoo devs were debating again how they should go about implementing GLEP-81 and whether or not they should change their approach. It's another case of "DO then think" about the consequences later, then maybe revise, ... |
The policy around GID/UID assignment was debated and changed, yes, GLEP-81 itself no. No change for end users, no need to spread fud. |
Because GLEP-81 wasn't fully thought through... devs are still debating whether or not they can try to force GID/UIDs across all installs to try to simplify containers and such, and what that means for legacy installs where UIDs/GIDs are already in use. There's also the debate over what UIDs/GIDs should be restricted for system use.
This is something you (royal you) are supposed to think through before implementing things... or you're likely to screw things up and cause more headaches. I understand having to go back and tweak an implementation because some corner case arrived, but these are very fundamental questions to the very purpose of the need for GLEP-81 to begin with. _________________ Ryzen 3700X, Asus Prime X570-Pro, 64 GB DDR4 3200, GeForce GTX 1660 Super
openrc-0.17, ~vanilla-sources, ~nvidia-drivers, ~gcc |
|
Back to top |
|
|
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3879 Location: Rasi, Finland
|
Posted: Sat Jan 25, 2020 12:58 pm Post subject: |
|
|
Naib wrote: | I would want some architecting, some modeling, some system engineering so the end user doesn't get something like this
Code: | # emerge syncthing
Calculating dependencies /
[ Results for search key : syncthing ]
* acct-group/syncthing
Latest version available: 0
Latest version installed: [ Not Installed ]
Size of files: 0 KiB
Homepage:
Description: Group for the system-wide net-p2p/syncthing server
License:
* acct-user/syncthing
Latest version available: 0
Latest version installed: [ Not Installed ]
Size of files: 0 KiB
Homepage:
Description: User for the system-wide net-p2p/syncthing server
License:
* net-p2p/syncthing
Latest version available: 1.2.1
Latest version installed: [ Not Installed ]
Size of files: 21,993 KiB
Homepage: https://syncthing.net
Description: Open Source Continuous File Synchronization
License: MPL-2.0
[ Applications found : 6 ]
!!! The short ebuild name "syncthing" is ambiguous. Please specify
!!! one of the above fully-qualified ebuild names instead.
... done!
|
That is poor oversight... Signs of "I know what lets do foo" without actually modeling the problem and working through scenarios | Indeed. There should be an option (in make.conf by default) to exclude such categories from any action unless specifically appended with the category name to the argument. _________________ ..: Zucca :..
My gentoo installs: | init=/sbin/openrc-init
-systemd -logind -elogind seatd |
Quote: | I am NaN! I am a man! |
|
|
Back to top |
|
|
tld Veteran
Joined: 09 Dec 2003 Posts: 1850
|
Posted: Sat Jan 25, 2020 3:24 pm Post subject: |
|
|
Zucca wrote: | Indeed. There should be an option (in make.conf by default) to exclude such categories from any action unless specifically appended with the category name to the argument. | Wow...don't get me started as to how that one has been annoying the crap out of me: Code: | equery list -p mythtv
* Searching for mythtv ...
!!! Ambiguous package name. Choose from:
media-tv/mythtv
acct-group/mythtv
acct-user/mythtv
| Given how many applications create users with the same name as the app, this was all but designed to create this scenario.
Tom |
|
Back to top |
|
|
duane Apprentice
Joined: 03 Jun 2002 Posts: 193 Location: Oklahoma City
|
|
Back to top |
|
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6191 Location: Dallas area
|
Posted: Wed Feb 05, 2020 11:36 am Post subject: Re: "At last, the fix no one asked for" |
|
|
duane wrote: | https://www.theregister.co.uk/2020/02/03/linux_home_directories_merged_into_systemd/ |
From the link
Quote: | One use case is where a user has a PC running Linux in both their home and office, and is able to carry their home directory with them on a portable storage device. The advent of cloud storage has made this less of a problem than would have been the case a few years back, and a common reaction to the new systemd approach is that the problems it fixes are not pressing and may be outweighed by potential incompatibilities. |
So I need homed because I can't figure out how to put a few files that I'm working on at the office on a usb stick and take it home to continue to work on it!!! _________________ UM780, 6.12 zen kernel, gcc 13, openrc, wayland |
|
Back to top |
|
|
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
|
Posted: Wed Feb 05, 2020 3:32 pm Post subject: Re: "At last, the fix no one asked for" |
|
|
Anon-E-moose wrote: | So I need homed because I can't figure out how to put a few files that I'm working on at the office on a usb stick and take it home to continue to work on it!!! |
LOL!
RedHat, the distro for complete incompetents. |
|
Back to top |
|
|
gtwrek Tux's lil' helper
Joined: 10 Mar 2017 Posts: 112 Location: San Jose, CA
|
Posted: Wed Feb 05, 2020 4:10 pm Post subject: Put home under revision control |
|
|
There's many (old!) articles out there regarding putting "home" directories under revision control. I always thought that might be an interesting experiment, but as yet haven't tried it.
I have shared home directories over NFS among a few of my servers at home. I haven't decided if that's a good idea or not.
Pretty sure I'd not trust systemd to something similar and do it well. |
|
Back to top |
|
|
dmpogo Advocate
Joined: 02 Sep 2004 Posts: 3468 Location: Canada
|
Posted: Wed Feb 05, 2020 4:44 pm Post subject: Re: Put home under revision control |
|
|
gtwrek wrote: | There's many (old!) articles out there regarding putting "home" directories under revision control. I always thought that might be an interesting experiment, but as yet haven't tried it.
I have shared home directories over NFS among a few of my servers at home. I haven't decided if that's a good idea or not.
Pretty sure I'd not trust systemd to something similar and do it well. |
Sharing home directories over NFS was a standard setup on university networks in the 90-ies. Remember during my first postdoc, all departamental computers were named after canadian wildlife, all disks - after canadian trees/plants, and nobody really paid attention to what computer what disk was physically attached. |
|
Back to top |
|
|
gtwrek Tux's lil' helper
Joined: 10 Mar 2017 Posts: 112 Location: San Jose, CA
|
Posted: Wed Feb 05, 2020 6:04 pm Post subject: Shared home |
|
|
Quote: | Sharing home directories over NFS was a standard setup on university networks in the 90-ies. |
How is this not standard over any organization? It's situation normal at any largish organization I've worked for during the last 30 years or so.
How could one manage things any differently across any decent sized org, where there's more than just a few servers?
The only drawback for me doing this at home, is making sure the one NFS server (hosting "home" directories) is always up before attempting to do anything useful on any other server. I guess I'm not yet comfortable with me keeping this NFS server up 24/7, as a prerequisite for any other server being useful. The latter servers would boot of course, but any user logging in (with /home unavailable) doesn't pass the Spousal Acceptance Factor. |
|
Back to top |
|
|
dmpogo Advocate
Joined: 02 Sep 2004 Posts: 3468 Location: Canada
|
Posted: Wed Feb 05, 2020 6:36 pm Post subject: Re: Shared home |
|
|
gtwrek wrote: | Quote: | Sharing home directories over NFS was a standard setup on university networks in the 90-ies. |
How is this not standard over any organization? It's situation normal at any largish organization I've worked for during the last 30 years or so.
How could one manage things any differently across any decent sized org, where there's more than just a few servers?
The only drawback for me doing this at home, is making sure the one NFS server (hosting "home" directories) is always up before attempting to do anything useful on any other server. I guess I'm not yet comfortable with me keeping this NFS server up 24/7, as a prerequisite for any other server being useful. The latter servers would boot of course, but any user logging in (with /home unavailable) doesn't pass the Spousal Acceptance Factor. |
I have my home desktop up for almost two years right now (well, just rebooted, since I finally upgraded the kernel), previous home record of uptime was something like 4 years, from 2004 - Gentoo install, to 2007, hard drive failed.
Anyway, my current university physics department (50 profs) has no research network management at all. Funding for system admins was cut years ago (when I came in 2001, there were two, for UNIX and Windows machines), everybody have their own desktops/server/laptop, bought with personal grants and shared only with there own group/students if any. Faculty level has IT people which manage network access to backbone and has somebody looking for secretarial windows machines. But for research we are on our own - just have to go to faculty to negotiate when we need static IP or ports open, or space for server housing. |
|
Back to top |
|
|
dmpogo Advocate
Joined: 02 Sep 2004 Posts: 3468 Location: Canada
|
Posted: Wed Feb 05, 2020 6:46 pm Post subject: Re: Shared home |
|
|
[quote="gtwrek"] Quote: | doesn't pass the Spousal Acceptance Factor. |
In my case my spouse refuse "to have anything to do with your network". To the extend that she bought a printer for herself and only connects it to her mac by USB cable,
refusing to make printer visible on wifi Well, she has her own hammer, screwdriver and a set of nails as well
The only thing I do, is silently backing up her mac laptop (initiating backups from the server) |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|