Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
systemd-homed ???
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3, 4, 5, 6, 7  Next  
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
Gatsby
Tux's lil' helper
Tux's lil' helper


Joined: 18 Jan 2010
Posts: 121
Location: 127.0.0.1

PostPosted: Tue Jan 07, 2020 4:20 pm    Post subject: Reply with quote

erm67 wrote:
...

Si tacuisses, philosophus mansisses.
_________________
"Its your Gentoo, your way. When it breaks, you can keep all the pieces."
-- NeddySeagoon@forums.gentoo.org


Last edited by Gatsby on Tue Jan 07, 2020 7:49 pm; edited 1 time in total
Back to top
View user's profile Send private message
proteusx
Guru
Guru


Joined: 21 Jan 2008
Posts: 340

PostPosted: Tue Jan 07, 2020 4:42 pm    Post subject: Reply with quote

erm67 wrote:

You mean you'll stick witk glep-0081?


Gentoo works fine without the glep-81 silliness.
Back to top
View user's profile Send private message
dmpogo
Advocate
Advocate


Joined: 02 Sep 2004
Posts: 3439
Location: Canada

PostPosted: Tue Jan 07, 2020 7:18 pm    Post subject: Reply with quote

tholin wrote:


The threat model he mention is "I if go though customs to a country that I don't trust" but there is no way this approach is secure against that. You simply don't know what sensitive data remains in ram. Don't he realize that? Or if he is realizing it why is he claiming this is secure?


This may lead to an interesting technical discussion but is really a bogus argument in real life. Customs simply demand that you enter the password to decrypt your drive and if you refuse, can just deny your admission (and that would be your best outcome, the denial of admission to US say can easily come with 5 year ban on entering US).
And if you are a returning citizen, and the admission can not be denied, they are entitled (for instance in Canada) to temorarily seize your device and send it to their lab for
analysis. You'll get it back, in few months. All of it is such a hassle that is justified only if you have really somethng serious on your drive. And if so you should not be taking
your /home to the border. Really if one is concerned about the border, one should wipe the disks/phones, and restore it from online backups on the other side, if possible.
Which can also be monitored, of course, but perhaps less personally.


Last edited by dmpogo on Tue Jan 07, 2020 7:21 pm; edited 1 time in total
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 6068
Location: Removed by Neddy

PostPosted: Tue Jan 07, 2020 7:19 pm    Post subject: Reply with quote

Hu wrote:
Now we need someone to propose an outlandish systemd feature that, if ever implemented, would bring about the downfall of systemd. Being outlandish, no one will seriously expect it to actually happen. Then, one day it will, because so far truth is stranger than fiction. :)


pjp wrote:
Hu wrote:
the downfall of systemd
That seems unlikely at this point unless MS ports AD to Linux, thereby gifting IBM fond memories of their OS/2 days.


:idea: :idea: :idea: :idea: raise a feature request pushing for AD capability in SystemD
_________________
Quote:
Removed by Chiitoo
Back to top
View user's profile Send private message
erm67
l33t
l33t


Joined: 01 Nov 2005
Posts: 653
Location: EU

PostPosted: Tue Jan 07, 2020 8:22 pm    Post subject: Reply with quote

Gatsby wrote:
erm67 wrote:
...

Si tacuisses, philosophus mansisses.


Yeah but I got this today after an update:

Code:
Scaricamento di:1 http://deb.debian.org/debian buster-backports/main armel libnss-systemd armel 244-3~bpo10+1 [194 kB]


And at the same time I noticed the messages below:

proteusx wrote:
erm67 wrote:

You mean you'll stick witk glep-0081?


Gentoo works fine without the glep-81 silliness.


How do you stop those funny packages from emerging?
Code:

1578392612:  ::: completed emerge (84 of 533) acct-user/messagebus-0 to /
1578392636:  ::: completed emerge (85 of 533) acct-user/systemd-journal-remote-0 to /
1578392660:  ::: completed emerge (86 of 533) acct-user/systemd-coredump-0 to /
1578392683:  ::: completed emerge (87 of 533) acct-user/systemd-network-0 to /
1578392707:  ::: completed emerge (88 of 533) acct-user/systemd-resolve-0 to /
1578392731:  ::: completed emerge (89 of 533) acct-user/systemd-timesync-0 to /
1578392815:  ::: completed emerge (92 of 533) acct-user/man-1 to /
1578392878:  ::: completed emerge (94 of 533) acct-user/mysql-0 to /
1578392902:  ::: completed emerge (95 of 533) acct-user/avahi-0 to /
1578392926:  ::: completed emerge (96 of 533) acct-user/mail-0 to /
1578392950:  ::: completed emerge (97 of 533) acct-user/postmaster-0 to /
1578392973:  ::: completed emerge (98 of 533) acct-user/redis-0 to /
1578392997:  ::: completed emerge (99 of 533) acct-user/fetchmail-0 to /
1578393021:  ::: completed emerge (100 of 533) acct-user/ddclient-0 to /
1578393045:  ::: completed emerge (101 of 533) acct-user/mpd-0 to /



Apparently systemd-sysusers.d and glep-0081 have overlapping goals how will the conflict be solved?
When upstream wil begin installing droplets with user and goup info into /etc/sysusers.d portage will intercept them and create glep-0081 packages automatically for non systemd users? And is this a lucky coincidence or something else?
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net
Back to top
View user's profile Send private message
GDH-gentoo
Veteran
Veteran


Joined: 20 Jul 2019
Posts: 1719
Location: South America

PostPosted: Tue Jan 07, 2020 10:21 pm    Post subject: Reply with quote

erm67 wrote:
Apparently systemd-sysusers.d and glep-0081 have overlapping goals how will the conflict be solved?
Short term? I'd say GLEP 81 wins, and /etc/sysusers.d/* files get ignored. GLEP 81 ebuilds integrate with the package manager, and there's currently no systemd-emerge :)

erm67 wrote:
When upstream wil begin installing droplets with user and goup info into /etc/sysusers.d portage will intercept them and create glep-0081 packages automatically for non systemd users?
Depends, who is sysusers.d's 'audience', upstreams or distributions?
Back to top
View user's profile Send private message
Morality124
Tux's lil' helper
Tux's lil' helper


Joined: 20 Feb 2018
Posts: 102

PostPosted: Tue Jan 07, 2020 11:00 pm    Post subject: Reply with quote

erm67 wrote:
How do you stop those funny packages from emerging?


nuke-acct-shit.sh:
#!/bin/sh

set -e
err_handler () { [ $? -eq 0 ] && exit; }
trap err_handler EXIT

portageDir="$(awk '
    BEGIN {p = "PORTDIR="} $0 ~ p {
        gsub(p "|\"|\047", "")
        print
    }' /etc/portage/make.conf)"
packageProvided=/etc/portage/profile/package.provided
mkdir -pv $packageProvided
tempDir=$(mktemp -d --suffix=_acct-shit)

for suffix in group user
do
   find "$portageDir"/acct-$suffix/* -type d | \
   awk -F '/' -v suffix="$suffix" -v packageProvided="$packageProvided" '
      (!/systemd/) {
         print
         print $(NF - 1) "/" $NF "-0" > packageProvided "/acct-" suffix ".provided"
      }'

   mv -v "$portageDir"/acct-$suffix "$tempDir"
done


Last edited by Morality124 on Wed Jan 08, 2020 3:58 am; edited 3 times in total
Back to top
View user's profile Send private message
saellaven
l33t
l33t


Joined: 23 Jul 2006
Posts: 655

PostPosted: Tue Jan 07, 2020 11:06 pm    Post subject: Reply with quote

erm67 wrote:

Apparently systemd-sysusers.d and glep-0081 have overlapping goals how will the conflict be solved?
When upstream wil begin installing droplets with user and goup info into /etc/sysusers.d portage will intercept them and create glep-0081 packages automatically for non systemd users? And is this a lucky coincidence or something else?


Last month, Gentoo devs were debating again how they should go about implementing GLEP-81 and whether or not they should change their approach. It's another case of "DO then think" about the consequences later, then maybe revise, but meanwhile, constantly screw up production systems in the meantime.

Given the latest systemd news and the history of trying to force systemd's caveats on non-systemd users, I expect GLEP-81 to be revised in a way to force a systemd approach. I say that half tongue in cheek, but I wouldn't be surprised to see someone propose it.
_________________
Ryzen 3700X, Asus Prime X570-Pro, 64 GB DDR4 3200, GeForce GTX 1660 Super
openrc-0.17, ~vanilla-sources, ~nvidia-drivers, ~gcc
Back to top
View user's profile Send private message
Tony0945
Watchman
Watchman


Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

PostPosted: Wed Jan 08, 2020 1:20 am    Post subject: Reply with quote

acct-groups i.e. GLEP-81
I have them all masked. I unmask them as needed after checking what they are going to do. So far I haven't found one that changed an existing group assignment.

When one does occur, I suppose I can add it to package provided or (more likely) add an ebuil;d to local overlay that assigns the group I already have. Unless I think the devs made the right choice and I made the wrong one.

I would have just rather have had a wiki article listing the preffered group assignments.
Back to top
View user's profile Send private message
Anon-E-moose
Watchman
Watchman


Joined: 23 May 2008
Posts: 6160
Location: Dallas area

PostPosted: Wed Jan 08, 2020 10:10 am    Post subject: Reply with quote

I have a few userid/groupids that would change if I activated the acct-* stuff. But the base system goes back to 2004 and things have changed since then.

What those acct* numbers are, are meaningless, other than they are supposed to be unique for each device.

I have a script that runs daily that puts all acct-* stuff in package.provided and then ,if needed, I just take care of it myself, kind of the way you used to years ago.
_________________
UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
Back to top
View user's profile Send private message
asturm
Developer
Developer


Joined: 05 Apr 2007
Posts: 9297

PostPosted: Wed Jan 08, 2020 2:29 pm    Post subject: Reply with quote

saellaven wrote:
Last month, Gentoo devs were debating again how they should go about implementing GLEP-81 and whether or not they should change their approach. It's another case of "DO then think" about the consequences later, then maybe revise, ...

The policy around GID/UID assignment was debated and changed, yes, GLEP-81 itself no. No change for end users, no need to spread fud.
Back to top
View user's profile Send private message
Morality124
Tux's lil' helper
Tux's lil' helper


Joined: 20 Feb 2018
Posts: 102

PostPosted: Thu Jan 09, 2020 12:55 am    Post subject: Reply with quote

asturm wrote:
No change for end users, no need to spread fud.


...

proteusx wrote:
I delete them from the tree to prevent annoyances such as this one:
Code:
~ # equery u pdnsd                                                                     
!!! Ambiguous package name. Choose from:                                                           
  acct-user/pdnsd                                                                                   
  net-dns/pdnsd                                                                                     
  acct-group/pdnsd


Anon-E-moose wrote:
It's taking progressively longer to run a simple check "emerge -pvuDU @world" just to have it report that absolutely nothing needs to be emerged.
If it's not that more packages are added to make it longer to churn through everything, then do you think it's caused by sunspots. :roll:

Note: it's not that acct* stuff is that much but when you add all the useless virtual's along with it and a few other things, it all adds up.


pjp wrote:
That solves the x systems, y packages problem. I'm counting 46 ebuilds in acct-group,user, so that overhead would be eliminated.


Naib wrote:
I would want some architecting, some modeling, some system engineering so the end user doesn't get something like this

Code:
# emerge syncthing
Calculating dependencies /
                                                                                                                                                     
[ Results for search key : syncthing ]
*  acct-group/syncthing
      Latest version available: 0
      Latest version installed: [ Not Installed ]
      Size of files: 0 KiB
      Homepage:     
      Description:   Group for the system-wide net-p2p/syncthing server
      License:       

*  acct-user/syncthing
      Latest version available: 0
      Latest version installed: [ Not Installed ]
      Size of files: 0 KiB
      Homepage:     
      Description:   User for the system-wide net-p2p/syncthing server
      License:       

*  net-p2p/syncthing
      Latest version available: 1.2.1
      Latest version installed: [ Not Installed ]
      Size of files: 21,993 KiB
      Homepage:      https://syncthing.net
      Description:   Open Source Continuous File Synchronization
      License:       MPL-2.0

[ Applications found : 6 ]

!!! The short ebuild name "syncthing" is ambiguous. Please specify
!!! one of the above fully-qualified ebuild names instead.

 ... done!


That is poor oversight... Signs of "I know what lets do foo" without actually modeling the problem and working through scenarios


tholin wrote:
The update didn't go that smoothly for me. Acct-user/qemu broke my setup.

I have a gaming VM using evdev device passthrough. The user running the VM needs direct access to the input devices for that to work. Typically you put the unprivileged user into a group with permission to access the needed hardware resource so I have the "qemu" user in the "input" group. Installing acct-user/qemu will change the group membership of "qemu" to a hardcoded list of only qemu,kvm and not input. The VM will then fail to start with Permission denied.

The GLEP says "The proposal also respects direct sysadmin modifications." but obviously not in this case.


Well that's a load of malarkey...
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 20490

PostPosted: Thu Jan 09, 2020 5:18 am    Post subject: Reply with quote

Morality124 wrote:
pjp wrote:
That solves the x systems, y packages problem. I'm counting 46 ebuilds in acct-group,user, so that overhead would be eliminated.
Out of curiosity, a quick check appears to indicate 105 users, 119 groups. I only did a cursory check to see if there were any duplicates.
_________________
Quis separabit? Quo animo?
Back to top
View user's profile Send private message
asturm
Developer
Developer


Joined: 05 Apr 2007
Posts: 9297

PostPosted: Thu Jan 09, 2020 3:13 pm    Post subject: Reply with quote

Morality124 wrote:
...

All of which is completely irrelevant to my post.
Back to top
View user's profile Send private message
saellaven
l33t
l33t


Joined: 23 Jul 2006
Posts: 655

PostPosted: Thu Jan 09, 2020 5:32 pm    Post subject: Reply with quote

asturm wrote:
saellaven wrote:
Last month, Gentoo devs were debating again how they should go about implementing GLEP-81 and whether or not they should change their approach. It's another case of "DO then think" about the consequences later, then maybe revise, ...

The policy around GID/UID assignment was debated and changed, yes, GLEP-81 itself no. No change for end users, no need to spread fud.


Because GLEP-81 wasn't fully thought through... devs are still debating whether or not they can try to force GID/UIDs across all installs to try to simplify containers and such, and what that means for legacy installs where UIDs/GIDs are already in use. There's also the debate over what UIDs/GIDs should be restricted for system use.

This is something you (royal you) are supposed to think through before implementing things... or you're likely to screw things up and cause more headaches. I understand having to go back and tweak an implementation because some corner case arrived, but these are very fundamental questions to the very purpose of the need for GLEP-81 to begin with.
_________________
Ryzen 3700X, Asus Prime X570-Pro, 64 GB DDR4 3200, GeForce GTX 1660 Super
openrc-0.17, ~vanilla-sources, ~nvidia-drivers, ~gcc
Back to top
View user's profile Send private message
Zucca
Moderator
Moderator


Joined: 14 Jun 2007
Posts: 3740
Location: Rasi, Finland

PostPosted: Sat Jan 25, 2020 12:58 pm    Post subject: Reply with quote

Naib wrote:
I would want some architecting, some modeling, some system engineering so the end user doesn't get something like this

Code:
# emerge syncthing
Calculating dependencies /
                                                                                                                                                     
[ Results for search key : syncthing ]
*  acct-group/syncthing
      Latest version available: 0
      Latest version installed: [ Not Installed ]
      Size of files: 0 KiB
      Homepage:     
      Description:   Group for the system-wide net-p2p/syncthing server
      License:       

*  acct-user/syncthing
      Latest version available: 0
      Latest version installed: [ Not Installed ]
      Size of files: 0 KiB
      Homepage:     
      Description:   User for the system-wide net-p2p/syncthing server
      License:       

*  net-p2p/syncthing
      Latest version available: 1.2.1
      Latest version installed: [ Not Installed ]
      Size of files: 21,993 KiB
      Homepage:      https://syncthing.net
      Description:   Open Source Continuous File Synchronization
      License:       MPL-2.0

[ Applications found : 6 ]

!!! The short ebuild name "syncthing" is ambiguous. Please specify
!!! one of the above fully-qualified ebuild names instead.

 ... done!


That is poor oversight... Signs of "I know what lets do foo" without actually modeling the problem and working through scenarios
Indeed. There should be an option (in make.conf by default) to exclude such categories from any action unless specifically appended with the category name to the argument.
_________________
..: Zucca :..

My gentoo installs:
init=/sbin/openrc-init
-systemd -logind -elogind seatd

Quote:
I am NaN! I am a man!
Back to top
View user's profile Send private message
tld
Veteran
Veteran


Joined: 09 Dec 2003
Posts: 1845

PostPosted: Sat Jan 25, 2020 3:24 pm    Post subject: Reply with quote

Zucca wrote:
Indeed. There should be an option (in make.conf by default) to exclude such categories from any action unless specifically appended with the category name to the argument.
Wow...don't get me started as to how that one has been annoying the crap out of me:
Code:
equery list -p mythtv
 * Searching for mythtv ...
!!! Ambiguous package name. Choose from:
  media-tv/mythtv
  acct-group/mythtv
  acct-user/mythtv
Given how many applications create users with the same name as the app, this was all but designed to create this scenario.

Tom
Back to top
View user's profile Send private message
duane
Apprentice
Apprentice


Joined: 03 Jun 2002
Posts: 193
Location: Oklahoma City

PostPosted: Wed Feb 05, 2020 10:07 am    Post subject: "At last, the fix no one asked for" Reply with quote

https://www.theregister.co.uk/2020/02/03/linux_home_directories_merged_into_systemd/
Back to top
View user's profile Send private message
Anon-E-moose
Watchman
Watchman


Joined: 23 May 2008
Posts: 6160
Location: Dallas area

PostPosted: Wed Feb 05, 2020 11:36 am    Post subject: Re: "At last, the fix no one asked for" Reply with quote

duane wrote:
https://www.theregister.co.uk/2020/02/03/linux_home_directories_merged_into_systemd/

From the link

Quote:
One use case is where a user has a PC running Linux in both their home and office, and is able to carry their home directory with them on a portable storage device. The advent of cloud storage has made this less of a problem than would have been the case a few years back, and a common reaction to the new systemd approach is that the problems it fixes are not pressing and may be outweighed by potential incompatibilities.


So I need homed because I can't figure out how to put a few files that I'm working on at the office on a usb stick and take it home to continue to work on it!!!
_________________
UM780, 6.1 zen kernel, gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
Back to top
View user's profile Send private message
Tony0945
Watchman
Watchman


Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

PostPosted: Wed Feb 05, 2020 3:32 pm    Post subject: Re: "At last, the fix no one asked for" Reply with quote

Anon-E-moose wrote:
So I need homed because I can't figure out how to put a few files that I'm working on at the office on a usb stick and take it home to continue to work on it!!!

LOL!
RedHat, the distro for complete incompetents.
Back to top
View user's profile Send private message
gtwrek
Tux's lil' helper
Tux's lil' helper


Joined: 10 Mar 2017
Posts: 110
Location: San Jose, CA

PostPosted: Wed Feb 05, 2020 4:10 pm    Post subject: Put home under revision control Reply with quote

There's many (old!) articles out there regarding putting "home" directories under revision control. I always thought that might be an interesting experiment, but as yet haven't tried it.
I have shared home directories over NFS among a few of my servers at home. I haven't decided if that's a good idea or not.

Pretty sure I'd not trust systemd to something similar and do it well.
Back to top
View user's profile Send private message
dmpogo
Advocate
Advocate


Joined: 02 Sep 2004
Posts: 3439
Location: Canada

PostPosted: Wed Feb 05, 2020 4:44 pm    Post subject: Re: Put home under revision control Reply with quote

gtwrek wrote:
There's many (old!) articles out there regarding putting "home" directories under revision control. I always thought that might be an interesting experiment, but as yet haven't tried it.
I have shared home directories over NFS among a few of my servers at home. I haven't decided if that's a good idea or not.

Pretty sure I'd not trust systemd to something similar and do it well.



Sharing home directories over NFS was a standard setup on university networks in the 90-ies. Remember during my first postdoc, all departamental computers were named after canadian wildlife, all disks - after canadian trees/plants, and nobody really paid attention to what computer what disk was physically attached.
Back to top
View user's profile Send private message
gtwrek
Tux's lil' helper
Tux's lil' helper


Joined: 10 Mar 2017
Posts: 110
Location: San Jose, CA

PostPosted: Wed Feb 05, 2020 6:04 pm    Post subject: Shared home Reply with quote

Quote:
Sharing home directories over NFS was a standard setup on university networks in the 90-ies.


How is this not standard over any organization? It's situation normal at any largish organization I've worked for during the last 30 years or so.
How could one manage things any differently across any decent sized org, where there's more than just a few servers?

The only drawback for me doing this at home, is making sure the one NFS server (hosting "home" directories) is always up before attempting to do anything useful on any other server. I guess I'm not yet comfortable with me keeping this NFS server up 24/7, as a prerequisite for any other server being useful. The latter servers would boot of course, but any user logging in (with /home unavailable) doesn't pass the Spousal Acceptance Factor.
Back to top
View user's profile Send private message
dmpogo
Advocate
Advocate


Joined: 02 Sep 2004
Posts: 3439
Location: Canada

PostPosted: Wed Feb 05, 2020 6:36 pm    Post subject: Re: Shared home Reply with quote

gtwrek wrote:
Quote:
Sharing home directories over NFS was a standard setup on university networks in the 90-ies.


How is this not standard over any organization? It's situation normal at any largish organization I've worked for during the last 30 years or so.
How could one manage things any differently across any decent sized org, where there's more than just a few servers?

The only drawback for me doing this at home, is making sure the one NFS server (hosting "home" directories) is always up before attempting to do anything useful on any other server. I guess I'm not yet comfortable with me keeping this NFS server up 24/7, as a prerequisite for any other server being useful. The latter servers would boot of course, but any user logging in (with /home unavailable) doesn't pass the Spousal Acceptance Factor.


I have my home desktop up for almost two years right now (well, just rebooted, since I finally upgraded the kernel), previous home record of uptime was something like 4 years, from 2004 - Gentoo install, to 2007, hard drive failed.

Anyway, my current university physics department (50 profs) has no research network management at all. Funding for system admins was cut years ago (when I came in 2001, there were two, for UNIX and Windows machines), everybody have their own desktops/server/laptop, bought with personal grants and shared only with there own group/students if any. Faculty level has IT people which manage network access to backbone and has somebody looking for secretarial windows machines. But for research we are on our own - just have to go to faculty to negotiate when we need static IP or ports open, or space for server housing.
Back to top
View user's profile Send private message
dmpogo
Advocate
Advocate


Joined: 02 Sep 2004
Posts: 3439
Location: Canada

PostPosted: Wed Feb 05, 2020 6:46 pm    Post subject: Re: Shared home Reply with quote

[quote="gtwrek"]
Quote:
doesn't pass the Spousal Acceptance Factor.


In my case my spouse refuse "to have anything to do with your network". To the extend that she bought a printer for herself and only connects it to her mac by USB cable,
refusing to make printer visible on wifi :) Well, she has her own hammer, screwdriver and a set of nails as well :)

The only thing I do, is silently backing up her mac laptop (initiating backups from the server)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Goto page Previous  1, 2, 3, 4, 5, 6, 7  Next
Page 4 of 7

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum