Re: Anybody Skype users here?

[Dan Ritter]

Juan R.D. Silva wrote: 
> I use Skype installed from Debian official repo.  A couple of days ago it
> refused to update reporting "server timed out". After looking into it, I
> found that MS removed Skype.deb package from their server and basically
> forces everyone to use Snap package instead.

I'm pretty sure that if MS removed the package, it was not a
Debian official repo.

> Skype is the only app I would need Snap for on my system. Unfortunately, I
> still need Skype and I do not see any alternative but to concede to MS (and
> Ubuntu?) brute coercion.
> 
> Any body installed Snap on their Debian system? Any problems with that
> thing? Any suggestions to use Skype otherwise?

Does it work through a browser?

Zoom works through a browser. Google Meet works through a
browser. MS Teams works through a browser. And Jitsi works
through a browser.

-dsr-

Re: Question About Free File Transfering Apps

[Dan Ritter]

Carter Zhang wrote: 
> Are there any free apps for GNU/Linux and Android to share files over LAN? 
> There have already been LocalSend, LanXchange, LANDrop, NitroShare, Sharik, 
> Warpinator, TrebleShot, but they have respective problems. 


On the Debian side, options include:

- SFTP and SCP via SSH
- SMB via samba
- NFS v3 and v4
- various DAV implementations
- SyncThing
- and, although the server is not currently packaged, NextCloud
is reasonably easy to get up and running on Debian stable.

All of these have clients of various kinds on Android and other
systems.

-dsr-

Re: "Repeaters", etc. - FRITZ!Box 7490

[Dan Ritter]

Paul M Foster wrote: 
> On Tue, May 28, 2024 at 08:15:36AM -0400, Dan Ritter wrote:
> 
> > You're spending the money on a house, which is $LARGESUM. Spend
> > the comparatively small amount of extra money on some form of
> > wiring before you move in, so you don't end up frustrated for
> > two years before doing it anyway and also having to move
> > furniture, listen to concrete drilling, and so forth.
> 
> I wonder if I can get an electrical company to put in cat 5? Might be worth
> it. The prospect of getting up in the attic and running cat 5 myself just
> doesn't appeal to me.

Yes, absolutely. Anyone who does low-voltage work probably has
lots of experience doing this. Call or email local electrician
companies and tell them exactly what you want; they'll send
someone over to evaluate the work and give you an estimate.

-dsr-

Re: moving some packages back to bookworm stable

[Dan Ritter]

to...@tuxteam.de wrote: 
> On Mon, May 27, 2024 at 02:02:47PM -0400, Stefan Monnier wrote:
> 
> ISTR that "apt-get install =" will unconditionally
> install  of , if necessary pulling in dependencies.
> 
> But I've never tried it :-)

That pulls in dependencies but does not install packages that
would otherwise be forbidden by the priority system.

E.g.: if you have foobar 1.5 in stable and foobar 2.1 in
backports, and they each depend on libfoobar of the same version
number, then

apt-get install foobar=2.1

will fail saying that it requires libfoobar 2.1 but version 1.5
is to be installed.

You can then solve that by saying

apt-get install foobar=2.1 libfoobar=2.1

but many interesting packages will have a web of dependencies,
and sometimes following them will get you to a place it is hard
to escape.

The backports repository is generally safe (or safe-ish) because
the packages in it are meant to work in a mostly-stable system.

Other repos are less accomodating.

-dsr-

Re: "Repeaters", etc. - FRITZ!Box 7490

[Dan Ritter]

Paul M Foster wrote: 
> We're moving across the state, and from what I've seen, providers there
> will do something similar-- provide a router and/or modem which has wired
> and wireless capabilities. However, because the house is not prewired for
> internet, we must solve the problem of getting internet to the computers
> and devices in the house. I'm not a fan of wifi, versus hard-wired
> internet. It's not as reliable, and it's slower. Thus, I want cat 5/6 to my
> devices. I could possibly wire the house with cat 5/6 through the attic,
> but I'd rather not. Since the wifi signal will permeate the whole house, it
> seemed more reasonable to plant a device in each room which could pick up
> the wifi, and provide wired internet to that room.

Concrete blocks wifi very effectively. Are any of your internal,
load-bearing walls concrete?

> To the contrary, I *do* plan to string cat 5/6 to those devices, just not
> all the way to the modem/router, which will likely be in the garage.

The devices wired together in a single room will do well. They
will have issues talking across rooms, as every round-trip will
feature four wifi hops (room router to gateway, gateway to room
router, and then back again).

You're spending the money on a house, which is $LARGESUM. Spend
the comparatively small amount of extra money on some form of
wiring before you move in, so you don't end up frustrated for
two years before doing it anyway and also having to move
furniture, listen to concrete drilling, and so forth.

-dsr-

Re: "Repeaters", etc.

[Dan Ritter]

Paul M Foster wrote: 
> At some point this year, I'm moving into a new house, and it is not wired
> for internet (WHY aren't new houses wired with Cat5/6/7?). The local
> internet provider will likely provide a wireless router, as they all do. My
> idea is to put a device which receives wireless signal from the
> router/modem, and has an RJ45 jack in it in each room. So each room would
> have one of these, and the devices in it would be hooked to that device via
> cat 5e. I hope that's clear.
> 
> I'd like to shop for such a device, but I don't know what it's called. Can
> anyone provide advice, and possibly preferred brand names? I'd appreciate
> it.

Those are wireless access points, but you don't plug anything
into the WAN port, just into the LAN ports, and you turn off
DHCP on each of them.

This is highly suboptimal, by the way. If you own this house,
you really want to run cat6 from each room to a central location
(attic, basement, room where wires enter your house) and put a
WAP in about half of the rooms and a simple switch in the other
half.

If you don't own the house, you might be surprised at what's
available to run cables along baseboards safely and
inexpensively, if more visibly.

-dsr-

Re: moving some packages back to bookworm stable

[Dan Ritter]

Stefan Monnier wrote: 
> > # apt install -t=bookworm db-util db5.3-util libc-bin libc-dev-bin
> 
> I can never remember exactly what `-t` really does, but I suspect you'll
> need things like
> 
> apt install libc-bin/bookworm

To install a single backported (or other release) package, 
apt-get install packagename/releasename

and to install a backported package plus dependencies which
are also from that specific release, use 
apt-get -t releasename packagename

-dsr-

Re: Address 127.0.1.1

[Dan Ritter]

Paul M Foster wrote: 
> Folks:
> 
> In my /etc/hosts file, there's a line:
> 
> 127.0.1.1 yosemite.mars.lan yosemite
> 
> I think Debian put it there.
> 
> Later in the file, I've got:
> 
> 192.168.254.30  yosemite.mars.lan   yosemite
> 
> So there are two entries for the same (my) machine. Is this a problem?
> Specifically, could it cause problems with email (Exim4 or OpenSMTPD)?

Technically possible, but unlikely. If you had exim or opensmtpd
configured to only bind to the 192.168 address, and not the
localhost address, then you might manage to run into an issue.

As long as the 192.168 address is correct, you can replace
127.0.1.1 to refer to 'localhost' alone.

-dsr-

Re: And another Dell Vostro 1700 question

[Dan Ritter]

Van Snyder wrote: 
> I have some DisplayLink e1649Fwu USB monitors.
> 
> When I boot, there's junk (mixed graphics and text that seems to be out
> of sync) on one, and the other is dark. When I reboot, it's almost the
> same, except the monitors' roles have switched.
> 
> Would the nouveau driver work for the USB monitors?

No. The nouveau driver is for NVidia graphics controllers; the
USB monitors have their own on-board graphics controllers, which
are probably not made by NVidia, and certainly don't use the
standard drivers.

-dsr-

Re: Debian, fail2ban, Version?

[Dan Ritter]

Maurizio Caloro wrote: 
> Hello
> 
> Please why on Debian Bullseye, 11.9 is a pretty old version available in the
> repository?
> 
> # fail2ban-server -V
> 
> 0.11.2

Bullseye became stable in August of 2021. 

"Stable" means that packages don't change except to fix serious
bugs, especially security-related bugs.

Bookworm became stable in June of 2023. The fail2ban version
there is 1.0.2-2. 

-dsr-

Re: How to run automatically a script as soon root login

[Dan Ritter]

Richmond wrote: 
> I was experimenting, and found this works:
> 
> sudo xterm -e "echo 1 > hello"
> 
> It created a file owned by root. But I found I was able to remove it
> without being root even though group and world permissions were read
> only.

The owner of a directory can delete any file in it.


-dsr-

Re: How to run automatically a script as soon root login

[Dan Ritter]

Mario Marietto wrote: 
> --> If they only want this thing to happen when root logs in directly on a
> console or ssh, then .profile may indeed be the correct answer.
> 
> Yes,I don't need to run xorg and a desktop environment,since warp-cli
> disconnect and warp-cli connect do not require them.
> I wouldn't to login as root automatically,but I've realized that this
> command :
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> work only if I'm root. It does not work using sudo. So,in the end I've
> chosen to be root instead of a normal user that can use sudo.


If you run 

sudo echo 1 > /proc/sys/net/ipv4/ip_forward

then the shell you are running it from will run "sudo echo 1"
and then try to put the output in that file. That fails because
the running process is owned by you, not root.

If you put the echo command into a script, and then run the
script with sudo, this will work.

-dsr-


then 

Re: Graphic Equalizer for Sound

[Dan Ritter]

Richmond wrote: 
> Dan Ritter  writes:
> 
> > Richmond wrote: 
> > Let's put in a broad bell that will cover bass and low treble
> > voices: tap the first gear icon on top of a slider. By default,
> > all these bands are configurable and set to no change, so we're
> > going to co-opt the first one.
> >
> > The controls you now see should be Type, Mode and Slope. Set
> > Type to Bell, ignore Mode and Slope for now.
> >
> > Underneath are Frequency and Quality, with a display in between
> > telling you the width of that combination. Let's select a center
> > frequency of 200Hz, with a Q of 1.25. The width should say about
> > 160Hz, which will affect 40 to 360Hz (200 +/- 160). Click the
> > gear icon again, and then adjust the slider up about 6 dB.
> 
> OK I did this. But over on the right there is still 194hz and 241hz
> which cover the same range.

That's a leftover thought from graphic equalizers, where each
slider has a fixed center frequency, a fixed shape, and a fixed
width. This is a parametric equalizer.

It starts out displaying 20 or so sliders all of which are set
to zero. Setting them to zero means they don't affect anything.

We then changed the frequency center of the first slider, setting it
to 200Hz.  On a graphic EQ, that's like grabbing the nearest fixed slider
and forcing it to adjust the frequency you actually want.

> Also the user interface appears to get stuck so the dialog won't go
> away.

Try clicking outside it. 
 
> I can't hear lower voices still, maybe PC speakers won't play them anyway.

The spectral display above will show you what frequencies are being
produced -- that's post-effects, so any changes you introduce with the
equalizer will be shown.

Try plugging in headphones? 

-dsr-

Re: Graphic Equalizer for Sound

[Dan Ritter]

Richmond wrote: 
> Dan Ritter  writes:
> 
> > Parametric EQs are not the same as graphic EQs, but they are
> > reasonably easy to understand and offer much more control.
> >
> > Suppose you want to boost all the bass below 50Hz. The
> > parametric type you want is a "shelf", the frequency is 50Hz,
> > the Q doesn't matter (because it's a shelf) and the volume
> > change is whatever you want -- +3dB is a safe number to produce
> > an audible effect without being overwhelming.
> >
> 
> What I want to do is make it easier to hear the lower voices in choral
> music, or even better, hear only the lower voices, i.e. eliminate the
> upper voices. Perhaps a 'shelf' would do that, but I cannot find
> anything called 'shelf' in the user interface. I am bewildered.

Human voices tend to be 80-8000Hz

On the left hand side top, there's a Presets drop-down. Create a
new Output preset by typing in a name and tapping the + button.

At the bottom center, click on Effects.

On the left, you will have a list of effects. Select Equalizer.

Let's put in a broad bell that will cover bass and low treble
voices: tap the first gear icon on top of a slider. By default,
all these bands are configurable and set to no change, so we're
going to co-opt the first one.

The controls you now see should be Type, Mode and Slope. Set
Type to Bell, ignore Mode and Slope for now.

Underneath are Frequency and Quality, with a display in between
telling you the width of that combination. Let's select a center
frequency of 200Hz, with a Q of 1.25. The width should say about
160Hz, which will affect 40 to 360Hz (200 +/- 160). Click the
gear icon again, and then adjust the slider up about 6 dB.

Play some choral music. Better? Worse? Play with the settings
until you get what you want. Then go back to Presets and use +
to save the current settings under the name you chose.

-dsr-

Re: Graphic Equalizer for Sound

[Dan Ritter]

Richmond wrote: 
> Is it possible to have a graphic equalizer for sound output? I am using
> the Mate desktop. I installed EasyEffects from a flatpak and it appears
> on the menu but does nothing. I don't know the command line. Probably
> there is an error.

I don't know anything about why a flatpak would work or not.

You can apt install easyeffects ; it requires PipeWire. Running
it should produce a window full of available effects for both
input and output including a parametric equalizer.

Parametric EQs are not the same as graphic EQs, but they are
reasonably easy to understand and offer much more control.

Suppose you want to boost all the bass below 50Hz. The
parametric type you want is a "shelf", the frequency is 50Hz,
the Q doesn't matter (because it's a shelf) and the volume
change is whatever you want -- +3dB is a safe number to produce
an audible effect without being overwhelming.

If you have a room with one length being 4m, it might have a
resonance at 86Hz. To dial that down, you would select a bell
shaped parameter, centered at 86Hz, and play with the Q until
the range is 83-89Hz. Then reduce it by 3 or 6 dB and listen.

Does that help?

-dsr-

Re: Zoom in the official repo is outdated

[Dan Ritter]

Luiz Romário Santana Rios wrote: 
> Hello,
> 
> (Please cc me when replying as I'm not subscribed to the list)
> 
> Earlier this month, I noticed I was no longer able to login to Zoom meetings
> using the client installed from the Debian repos. In order to join meetings,
> I had to uninstall it then install the flatpack Zoom package.
> 
> I think it should either be updated or outright removed in favor of the
> flatpack version. What do you think? Should I report a bug?

Can you point to the zoom client in the Debian repos? I can't
find it.

-dsr-

Re: Efficient Package Dependency Search with aptitude

[Dan Ritter]

Yassine Chaouche wrote: 
> In my ongoing mission for precise package management,
> I embarked on a quest to swiftly locate all installed packages dependent on 
> /mysql-server/.
> Swift reconnaissance led me to /aptitude/, our stalwart ally in the Debian 
> arsenal.
> Executing a tactical maneuver akin to this:
> |# aptitude search "~i ~Rmysql-server"|
> ||
> |
> |
> Unveiled a battalion of installed packages,
> seemingly unrelated to mysql-server,
> including /adduser/, /debconf/, and others of varying ranks.
> 
> Harboring suspicions about certain results like /psmisc/,
> I executed a reverse probe using the /apt-cache/ command:
> |# apt-cache depends psmisc|
> ||
> |
> 
> |
> Conclusively, /mysql-server/ did not appear in /psmisc/'s dependency roster.
> Yet, in the face of this operation at the Debian Vanguard, doubts linger.
> I seek counsel from the esteemed Debian fraternity.
> What subtleties evade our grasp?

mysql-server doesn't really exist anymore. Try mariadb-server
instead.

Also, I think you have meanings reversed.

apt-cache depends psmisc 

produces the list of packages that psmisc needs to function.

apt-cache rdepends psmisc

produces the list of packages that need psmisc to be installed
first.

-dsr-

Re: Current best practices for system configuration management?

[Dan Ritter]

Mike Castle wrote: 
> and so on, it is time to explore solutions.  I only have four systems
> at the moment (two physical and two virtual), so I don't think I need
> something too fancy.
> 
> My first thought was to simply add a `Files:` section to *.control
> files I use for my metapackages.  After all, for configs going into
> *.d directories, they are usually easy to just drop in and remove, no
> editing in place required.  But, that is when I discovered that all
> files under `/etc` are treated specially.
> 
> I've found a lot of documentation out there, but, of course, much of
> it is out of date.  https://wiki.debian.org/ConfigPackages , for
> example, seems to recommend slightly old to really old tools.  Tools
> like `ansible`, `puppet` and so on seem, at first blush, aimed at
> larger installations than mine.  But maybe other's experience with
> them will show they scale down fine?
> 
> Anyway, suggestions based upon actually experience would be appreciated.

Chef or Puppet are good, but probably not worth the bother for
4-5 systems. Definitely worthwhile for 10+ systems, and scalable
to thousands. https://cinc.sh is producing a fully open release
of Chef (with the new name, Cinc is not chef). I use Chef at
work.

The easy end of single-machine is etckeeper, which just checks
your /etc (and whatever else you specify) into a local git. The
high end of single machine is Nix, which has a complete language
designed to capture the complete configuration of a system (and
has spawned NixOS, a complete distribution).

The easy end of multi-machine systems is cdist and itamae. You might be
quite happy with those, and itamae is reputedly very Chef-like.


-dsr-

Re: opinion - apt-mirror or aptly

[Dan Ritter]

fxkl4...@protonmail.com wrote: 
> i intend to create a local mirror for debian armhf
> it seems apt-mirror and aptly are the applications most used
> is one easier, more reliable, ...


If all you want is a local mirror, apt-mirror is less
configuration.

If you want a more complicated system -- for example, taking
multiple upstream repos and consolidating them into one local
mirror, which then is branched into a testing repo and a
production repo -- you need aptly.

-dsr-

Re: inconsistency in the symlinks under /etc/systemd

[Dan Purgert]

On Apr 10, 2024, Vincent Lefevre wrote:
> Hi,
> 
> On one machine, I have
> 
> lrwxrwxrwx 1 root root 35 2023-10-07 13:43:24 
> /etc/systemd/system/sockets.target.wants/dm-event.socket -> 
> /lib/systemd/system/dm-event.socket
> 
> and on another one, I have
> 
> lrwxrwxrwx 1 root root 39 2024-01-05 16:54:09 
> /etc/systemd/system/sockets.target.wants/dm-event.socket -> 
> /usr/lib/systemd/system/dm-event.socket
> 
> These symlinks were created at Debian installation time, and in
> both cases, the dmeventd version is 2:1.02.196-1+b1.
> 
> Shouldn't the system ensure that symlinks are consistent on different
> machines (even though the above symlinks are equivalent), for instance
> to ease the comparison of configurations between machines?

I'd hazard it's a consequence of usrmerge being the "default state" in
one installation and not the other.

-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: Root password strength

[Dan Ritter]

jeremy ardley wrote: 
> 
> On 20/3/24 19:03, Michael Kjörling wrote:
> > On 20 Mar 2024 15:46 +0800, fromjeremy.ard...@gmail.com  (jeremy ardley):
> > > [users are locked out from uploading their public key using ssh-copy-id]
> > So the private keys aren't private, thereby invalidating a lot of
> > assumptions inherent in public key cryptography.
> > 
> > Also, are you saying that you do not let users rotate their keys
> > themselves; and if so, why on Earth not?
> 
> 
> Private keys aren't private in any corporate network. Security management
> would be impossible to manage if users could generate their own keys and
> install them on any server. For one thing users do not have any easy way to
> revoke certificates.

No. Users create public/private keypairs, keep the private one
private and send you the public side to install on servers. A
user can revoke their own access by deleting the private one;
a sysadmin can revoke a user's access by deleting the public one
from each host that it's installed on.

For ssh, the sysadmin can also add/remove users from the
AllowUsers list in the sshd config, or add them to the DenyUsers
list, or remove their membership in an AllowGroups list.

Proponents of certificates are going to say "but this is harder
than adding their cert to the CRL", which is nominally true but
in practice, you most likely already have a distribution mechanism
for maintaining system configuration everywhere.

> In any serious network, private keys are simply a name for a secret key
> issued by an administrator to a user. Matching public keys are often
> published and are maintained by the administrator. Both keys are owned by
> the administrators.

This is incorrect, as Michael and others have stated.
 
> If you are in full control of your network and resources, sure, go ahead and
> rotate your keys. But if you are in a network run by others you have to
> accept their control of keys and access to resources.

No, you have to accept their control of access to their resources.

-dsr-

Re: Root password strength

[Dan Ritter]

Jan Krapivin wrote: 
> I read Debian Administrator's handbook now. And there are such words:
> 
> The root user's password should be long (12 characters or more) and
> impossible to guess. 
...

 
> The thing is my password is very easy now, and i haven't thought about
> *"automated
> connection attempts"*, that sounds rather... scary? My password is easy
> because i am not afraid of direct physical access to the computer.
> 
> But... if there is a serious network danger, then i should change my
> password of course. But how strong it should be? If we speak about network
> attacks... it should be like 32 symbols with special symbols? Or this
> paragraph in a handbook is rather paranoid?
> 
> I have activated sudo now for my regular user. Can it (password of regular
> user) be less sophisticated than root password? Because it would be rather
> difficult to enter 32 symbols every time i wake my PC after suspend.

The threats are different for:

- a laptop that travels and can be stolen
- a desktop that does not leave your residence
- a server that accepts connections from the outside world

If you have a laptop, you want to have your filesystem encrypted
(LUKS or ZFS encryption, most likely) and protected by a 12+
character password.

If you have a desktop, perhaps you feel it is at low risk. 

If you have a machine that runs the ssh daemon, you should not
use passwords at all for remote logins; you should use ssh keys.

Check whether you are running ssh:

/sbin/service ssh status

If it is active, use sudo to edit /etc/ssh/sshd_config to lock
down access. (It may be that you don't want it running at all,
too.)

-dsr-

Re: Debugging an USB array issue

[Dan Ritter]

Marc SCHAEFER wrote: 
> on a Debian bullseye uptodate system [1], I experiment frequent (every
> 3-4 hours on heavy load) disk disconnections from a md RAID10 array with
> 4 drives connected to an USB 1M adapter [2].
> 
> Errors do not look like a timeout, but like a DMA error [3].
> 
> Immediately after, the disk reappears as a new drive name and can be
> re-added quickly to the md RAID array (I am doing those tests with a
> read-only mounted filesystem for obvious reasons).
> 
> Initially, I was wondering if it was maybe a disk doing a too long
> recovery procedure, but it is to be noted that it's not always the same
> disk which has an error, and smartctl -a shows no recorded errors for
> any of the 4 drives [4]. The drives are connected to a SATA-to-USB
> enclosure [6].
> 
> This is on a 3.1 USB PCI-Express card [5].
> 
> I already applied this work-around (which does not seem to apply to a
> non-idle system):
>echo -1 > /sys/module/usbcore/parameters/autosuspend
> 
> What would be your recommandations?  I have thought about downgrading to
> a slower port (it should not be much different with 5000M), changing the
> cable, or maybe it's the enclosure?

I have never had long-term happiness with multiple disks
connected via USB. I strongly recommend that you find a 4 or 8
disk SATA/SAS PCIe card -- an LSI 2008, for example -- and connect
through that, instead. US prices are $40-45 new. Add $15 for an 8087-to-4xSATA
cable, you will have happiness for less than $75.

-dsr-

Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles

[Dan Ritter]

John Conover wrote: 
> 
> Email from logcheck(1) contains:
> 
> E: File could not be read: /var/log/syslog
> E: File could not be read: /var/log/auth.log
> 
> which do not exist in bookworm 12.5.

They do as soon as you install rsyslog.

Arguably this should be in rsyslog's package, though -- and any 
similar replacements.

-dsr-

Re: Bind9 local DNS not forwarding query to public DNS

[Dan Ritter]

Muhammad Yousuf Khan wrote: 
> Need your experience advice, We have a BIND9 DNS server that operates both
> privately and publicly for the domain example xyz.com. I use the private
> DNS for certain secure nodes on our local network. I want all VPN users to
> be able to resolve these secure nodes using our local DNS, which is
> functioning correctly.
> 
> So I force assign all VPN user local DNS so that they can access the secure
> records and local DNS can forward their query to public DNS in case the
> record is not found in the zone file.
> 
>  locally everything is working just fine, the issue arises when a VPN user
> queries an A record that is on public. For example, if "secure.xyz.com" has
> a local entry in the zone file, it works as expected. However, when the
> entry is not present, I expect BIND to conditionally forward the query to a
> remote DNS server and resolve it for the VPN client. Unfortunately, this is
> not happening. BIND only searches for entries that are available in the
> local zone file and then times out. Here are my configuration files.
> 
> here is my bind config
> 
> 
>  options {
>  directory "/var/cache/bind";
>  recursion yes;   // Enable DNS recursion
>  allow-recursion { localhost; };

^ only localhost is allowed to do recursive queries. But you
want all your internal users to be allowed to do that.

>  allow-query { any; };   // Allow queries from any
> IP address
>  forwarders {
>   8.8.8.8;
>  };
>  dnssec-validation auto;
>  listen-on-v6 { any; };
>  };
> 
>   zone "xyz.com" {
>   type master;
>   file "/etc/bind/db.xyz.com";
>   forwarders {
>   8.8.8.8;
>   8.8.4.4;// Additional forwarder (optional)

^ you do not want forwarders here.

-dsr-

Re: very poor nfs performance

[Dan Ritter]

Mike Kupfer wrote: 
> Stefan K wrote:
> 
> > > Can you partition the files into 2 different shares?  Put the database
> > > files in one share and access them using "sync", and put the rest of the
> > > files in a different share, with no "sync"?
> > this could be a solution, but I want to understand why is it so slow and 
> > fix that
> 
> It's inherent in how sync works.  Over-the-wire calls are expensive.
> NFS implementations try to get acceptable performance by extensive
> caching, using asynchronous operations when possible, and by issuing a
> smaller number of large RPCs (rather than a larger number of small
> RPCs).  The sync option defeats all of those mechanisms.

It is also the case that databases absolutely need sync to work
properly, so running them over NFS is a bad idea. At most, a
sqlite DB can be OK -- because sqlite is single user.

-dsr-

Re: strange time problem with bullseye

[Dan Ritter]

Roy J. Tellason, Sr. wrote: 
> I don't ordinarily shut this machine down for the most part.  Every once in a 
> while all of my swap partition gets filled up,  and then there's this 
> continuous hard drive activity that I'm assuming is what they mean by 
> "thrashing". The only option at that point is to get its attention with the 
> power switch.  And then I need to go through a whole routing with bringing up 
> what I had going,  including re-starting virtualbox and the stuff that runs 
> in it,  etc.  If I'm lucky then I can get back the windows I had going 
> before,  sometimes I'm not so lucky.  A system monitor I run on desktop 4 
> always comes up,  but on the wrong desktop and I have to move it.
> 
> The "eat all available memory" culprit seems to be firefox.  I just need to 
> look at that system monitor every once in a while and when things start 
> getting excessive shut firefox down and restart it.  Then I don't have the 
> problem...

There's a kernel feature called the OOM-killer (out of memory)
which is supposed to detect when you are running out of memory
and select a process to kill.

Did you turn it off? It would be a setting in /etc/sysctl.conf
or /etc/sysctl.d/*

If not, perhaps you have an excessive amount of slow swap for it to be happy?

 
> I'm not sure if I have ntp or something else running here.  (Looking...)  I 
> don't see it in my process list.

Other likely candidates are systemd-timesync and chrony.

-dsr-

Re: ldap_result() failed: Can't contact LDAP server

[Dan Ritter]

Shaheena Kazi wrote: 
> Package: nslcd
> 
> I have upgraded from Debian 11 to Debian 12.
> 
> The problem is that I keep getting the below errors in the syslog...
> 893:2024-02-29T16:30:13.055665+00:00 hostname-shaheena nslcd[7712]:
> [d062c2]  ldap_start_tls_s() failed (uri=ldap://
> 127.0.0.1:389/): Can't contact LDAP server: Transport endpoint is not
> connected

nslcd is expecting to reach an LDAP server that sits on the same
machine (127.0.0.1 means "me") and it can't.

This probably means that there is no LDAP server running on the
same machine.

> binddn cn=ldap_login,ou=people,dc=subdomain,dc=domain,dc=com
> bindpw xxx
> ldap_version 3
> base ou=people,dc=subdomain,dc=domain,dc=com

Are those literal values, or did you obfucate them?

Do you think that you are running an LDAP server?

-dsr-

Re: Spam from the list?

[Dan Ritter]

Hans wrote: 
> Hi folks,
> 
> during the last moonths I get more mails from the debian-user list marked as 
> spam than before. Something must have changed.
> 
> I examined the header of the mails, but did not see any unusual.
> 
> Below I send the header of an example of such a mail, maybe you can see the 
> reason?
> 
> On my computer I am also using spamassassin, and my own score is set to 3.4, 
> so even so it should not considered as spam. 
> 
>  X-Spam-Flag: YES
> X-SPAM-FACTOR: DKIM

What sets these two headers?


> Authentication-Results: mail104c50.megamailservers.eu;
>   dkim=fail reason="signature verification failed" (4096-bit key) 
> header.d=4angle.com header.i=@4angle.com header.b="bS+3bWmq"

That's the source of the DKIM fail.

> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on bendel.debian.org
> X-Spam-Level: 
> X-Spam-Status: No, score=-6.7 required=4.0 tests=BODY_INCLUDES_PACKAGE,
>   
> DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,LDO_WHITELIST,
>   T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no
>   version=3.4.2

This is debian.org's mailserver checking for spam and deciding that it isn't,
even though DKIM is invalid.

> X-Virus-Scanned: at lists.debian.org with policy bank en-ht
> X-Amavis-Spam-Status: No, score=-8.561 tagged_above=-1 required=5.3
>   tests=[BAYES_00=-2, BODY_INCLUDES_PACKAGE=-2, DKIM_INVALID=0.1,
>   DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
>   LDO_WHITELIST=-5, T_SCC_BODY_TEXT_LINE=-0.01]
>   autolearn=ham autolearn_force=no

This is debian.org again.

> X-Bogosity: Ham, tests=bogofilter, spamicity=0.053994, version=1.2.5
> 
> --- snap ---
> 
> Does one see any reason, why this is considered as spam???

Whatever set X-SPAM-FLAG: YES is probably at fault.

-dsr-

Re: Temporary failure in name resolution

[Dan Ritter]

Shaheena Kazi wrote: 
> Package: ntpsec
> 
> Hello, we were using Bullseye and have upgraded to Bookworm.
> With Bookworm, we have ntpsec.
> The package is installed successfully and the service looks good.
> But the syslog is filled with below messages:
> 
> 2024-03-06T14:58:11.724851+05:30 hostname-shaheena ntpd[35823]: DNS:
> dns_check: DNS error: -3, Temporary failure in name resolution
> 2024-03-06T14:58:11.724862+05:30 hostname-shaheena ntpd[35823]: DNS:
> dns_take_status: None=>temp, 3
> 2024-03-06T14:58:19.572547+05:30 hostname-shaheena ntpd[35823]: DNS:
> dns_probe: None, cast_flags:1, flags:20801
> 2024-03-06T14:58:19.588607+05:30 hostname-shaheena ntpd[35823]: DNS:
> dns_check: processing None, 1, 20801
> 
> In ntp.conf the server is always set to None. We keep it to None always.

Did you name a machine "None" in /etc/hosts or your local DNS?

NTP does not work without either an authoritative clock or a
remote NTP server - preferably a pool of NTP servers. Do you
have an authoritative clock source, such as a GPS receiver or an
atomic clock?

Please show us your complete ntp.conf


-dsr-

Re: “Secure Connection Failed” Error in Firefox

[Dan Ritter]

Marcelo Laia wrote: 
> Hello Debian users!
> 
> When accessing the website https://gontijoonibus.gontijo.com.br/ on Firefox 
> Android (on my smartphone), the site is accessed normally. However, when 
> attempting to access this site on the desktop, Debian Firefox-ESR version 
> 115.8.0esr (64-bit), the following error occurs:
>

https://www.ssllabs.com/ssltest/analyze.html?d=gontijoonibus.gontijo.com.br

shows that there are several IP addresses that could be serving
this, but only 206.41.74.19 seems to be responsive.

And then it doesn't serve any content.

I would say that there are deep problems going on, which have
nothing to do with the client and everything to do with the
server.

-dsr-

Re: Getting my PCMCIA Serial card to work

[Dan Ritter]

Anders Andersson wrote: 
> I like old PCMCIA cards, and would like to get a serial card to work
> on a Thinkpad X40 running Debian 12.5.
> 
> The card is just called "Serial I/O PC Card" and should be physically
> and electrically compatible, 3.3V/5V, 16 bit. I think it is this:
> https://shop.ocr.ca/media/pdf/Socket-Mobile/srliopc.pdf
> 
> It didn't immediately work when I inserted it, and instead of spending
> hours following the red herring down the rabbit hole I thought I
> should try asking here first for a change. This is what I get from
> dmesg:
> 
> [  331.059401] pcmcia_socket pcmcia_socket0: pccard: PCMCIA card
> inserted into slot 0
> [  331.059429] pcmcia_socket pcmcia_socket0: cs: memory probe
> 0xd820-0xdf9f:
> [  331.060446]  excluding 0xd898-0xd90f 0xdaf0-0xdb67
> 0xdbe0-0xdc57 0xdcd0-0xdd47 0xddc0-0xde37
> 0xdeb0-0xdf27
> [  331.068677] pcmcia (null): pcmcia: registering new device
> pcmcia(null) (IRQ: 3)
> [  331.141504] orinoco 0.15 (David Gibson
> , Pavel Roskin , et al)
> [  331.197037] spectrum_cs 0.0: Failed to initialize firmware (err = -16)
> [  331.197062] spectrum_cs: orinoco_init() failed
> 
> When I searched for "spectrum_cs" and "orinico" I got a lot of results
> for some PC Card WLAN interface, which isn't right. Does anyone
> recognize this? It should have a bog-standard 16550 compatible UART
> and PCMCIA is more or less an ISA bus so I did not foresee any
> problem. Is it perhaps incorrectly detecting my card as a WLAN card?

It is definitely recognizing your card incorrectly; I have a
couple of those orinocos about. (Lucent 802.11b wifi, the first
mass-market chipset for wifi. $150 each when they first came
out.)

This might be a useful doc for you -- in particular, section
4.4 on serial and modem devices:

https://tldp.org/HOWTO/PCMCIA-HOWTO-4.html

-dsr-

Re: Error: Failed to start Apache2 service on boot

[Dan Ritter]

Stephen P. Molnar wrote: 
> 
> 
> On 03/01/2024 11:08 AM, Markus Schönhaber wrote:
> > 
> > [1] Look at /etc/apache2/mods-enabled/userdir.conf line 11
> > there you should see something like
> > [2] "ExecCG" which probably should read "ExecCGI" instead.
> > 
> That was the problem. Many thanks.

If you install etckeeper on this machine, you can check in
snapshots of every configuration change you make and the
packaging system makes, and then see precisely what changed and
when.

$ sudo apt install etckeeper

before each change:

$ sudo etckeeper commit [optional message to yourself]

when there's a problem:

$ sudo etckeeper vcs diff
will show you the difference between what you have now and what
you last stored


You can actually do just about anything you need to do on a
single user system with those two commands, but you have the
whole power of git available as well.

-dsr-

Re: Useful Unix compatible commands

[Dan Ritter]

Jonathan Matthew Gresham wrote: 
> If you know any more that can work on GNU compatible software or Unix 
> compatible software please indicate the commands in your reply.


Perhaps you want to read the Debian Administrator's Handbook? 

https://www.debian.org/doc/manuals/debian-handbook/

Or an introduction to Linux command line work?

Or to BASH?

Your question is very unfocused.

-dsr-

Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

[Dan Ritter]

Jeffrey Walton wrote: 
> 
> I don't want to bikeshed, though. Slavery ended in the US about 150
> years ago. I don't know any slaves, and I don't own any slaves, so I
> don't really have a dog in the fight.


Point of fact: slavery is legal in the USA, as a legal punishment.

Other point of fact: the effects of slavery in the USA continue
to be felt in the present.

At this point we have diverged completely from Debian topics.

Let's bring it back around to actual action.

The possible positions:

1. The terminology is bad, and I'm willing to work on fixing it.

2. The terminology is bad, but I can't work on it myself.

3. The terminology does not bother me, but I don't care if someone else wants 
to fix it.

4. The terminology is good and we should not fix it.


People taking positions one through three are people that I can
work with.

-dsr-

Re: Journald's qualities (was: Selective rotation of journald logs)

[Dan Ritter]

Stefan Monnier wrote: 
> Makes one wonder why they don't use naive append-only "plain text" logs
> (tho with appropriate delimiters (maybe some kind of CSV) to make
> searches more reliable than with old-style plain text logs)?
> 
> What are the advantages of journald's representation?
> I mean, to justify the slow search and large disk space usage, there is
> presumably some upside for some use cases.  I can see some weak argument
> against Sqlite based on the size of Sqlite, but what are the advantages
> of journald's representation compared to a naive one?


systemd's design philosophy, observed from the outside, goes
like this:

- assume that the machine is a laptop or mobile device that is
always changing: moves from network to network, plugs and
unplugs devices, goes to sleep and is woken up

- disk space is limited, but cpu time is free

- the network knows better than local config

- all services serve the local user's desktop, primarily

- the local user doesn't know anything but can call on a remote
  sysadmin

- systemd is the best at doing anything, so it should do
everything.

If all of these assumptions match up with your particular use
case, systemd is happy.


Long-term logs are for servers, so systemd doesn't want them.
systemd thinks logs are for finding out what just happened
recently. If you wanted long-term logs, obviously you would
configure a central repository on some other machine and ship
them across the network.


I have nothing but praise for the Debian maintainers of rsyslog,
who have arranged it so that installing rsyslog immediately does
appropriate things to pull data out of systemd.

-dsr-

Re: 'sensors -j' and "ERROR: Can't get value of subfeature in0_input: Can't read"

[Dan Ritter]

Emanuel Berg wrote: 
> sensors(1) and in particular the command 'sensors -j' now
> reports
> 
>   ERROR: Can't get value of subfeature in0_input: Can't read
>   ERROR: Can't get value of subfeature in1_input: Can't read
> 
> for the CPU and GPU temperatures.
> 
> This previously worked so I don't know why it doesn't all of
> a sudden. Some sysfs driver issue? Or hardware
> malfunction? Unlikely?

In general, the first thing you should try is running
sensors-detect again, as root.

It is possible that your kernel is not loading some particular
sensor module which would be recommended by sensors-detect.

Depending on the hardware, there can also be BIOS or equivalent
features which turn on or off various sensors.

-dsr-

Re: how to downgrade nvidia-graphics-drivers packages?

[Dan Ritter]

Harald Dunkel wrote: 
> Hi folks,
> 
> Looking at a set of installed binary packages built from the same source
> package, I would like to keep the version numbers consistent. There might
> be exceptions, but in general you won't like to mix unstable and experimental
> binary packages from the nvidia-graphics-drivers, for example.
> 
> Question is, how can I tell apt to avoid mixing version numbers?

If they come from different repositories (i.e. backports,
unstable, experimental) you can set priorities in
/etc/apt/preferences.d/ -- read the man page for
apt_preferences, because it's not intuitive.

Package: *
Pin: release a=bookworm
Pin-Priority: 900

Package: *
Pin: release a=bookworm-backports
Pin-Priority: 50

Or you can set things per-package by name, or a variety of other
mechanisms.

-dsr-

Re: Hard links - How do they work

[Dan Ritter]

Keith Bainbridge wrote: 
> As promised:
> I said sometime in this thread that timeshift (and Back in Time) use hard
> links to create progressive copies of the system. The more I think about how
> hard links reportedly work, I reckon it can't be simply hard links.
> 
> So I'm starting a new thread on that topic.
> 
> My understanding is that a hard link (ln with no option) will list the file
> in another directory, but the file remains the same no matter where I may
> edit it.I use cp -lru as a quick and dirty way to protect me against
> accident deleting a file. (Sym-link doesn't give that protection, but does
> allow me to keep my home on a separate partition so that a fresh install is
> a LOT easier; but that is another topic)

A hard link is a name for a file -- it points to the first inode. Most
files only have one name, but they can have many. Hard links can be in
many directories, but must stay on the same filesystem. If you
mv the file by any of its links on the same filesystem, all the
links remain valid. When the last name for a file is deleted,
the file is deleted. Now you know why deleting a file is
sometimes called "unlinking".

A symbolic link is a tiny file that contains a path to a file.
The kernel reads the path, then looks for the substitute file.
This can fail. But -- it can cross filesystems, even filesystems
of completely different types. If you move the symbolic link, it
continues to point to the same path. If you move the referenced
file, the symbolic links are no longer valid.


> Snapshots reportedly hard link the directory/ies (generally means /  but not
> limited ). a new snapshot copies the latest set and then updates any new
> files in the base.The more I try to visualise that process the more I
> reckon there must be more to it

"snapshot" is not a single definition; the software you are using
produces different results.

rsnapshot/rsync, lvm, btrfs and zfs, for example, each use completely
different mechanisms with different semantics.

It looks like timeshift uses either rsync or btrfs snapshots,
and backintime uses rsync, so first you would need to define which of those you 
are using
and in what mode.

-dsr-

Re: Debian bookworm: reboot required

[Dan Ritter]

Klaus Singvogel wrote: 
> I'm not searching for kind of notifier, instead I want to lookup the reboot 
> by my own (shell) script, like via existance of a file.
> 
> I'll install unattended-upgrades now, and will see, if it helps at next 
> kernel installation.


I will note that while unattended-upgrades can be quite useful,
most individual users and small installations -- in my
experience -- prefer the default policy of apticron, which is to
download upgraded packages and send a mail notification, rather
than to install them automatically.

-dsr-

Re: hexchat being discontinued?

[Dan Ritter]

Default User wrote: 
> Well, it seems that hexchat is being discontinued. 
> IMHO, it is/was the only IRC client that was actually usable. 
> 
> Any recommendations for a GOOD alternative?

I like weechat. Some people like quassel.

Hexchat is packaged in bookworm, so there's no reason for you to
panic until it's removed.

-dsr-

Re: Home UPS recommendations (Was Re: rsync --delete vs rsync --delete-after)

[Dan Ritter]

hw wrote: 
> On Fri, 2024-02-09 at 06:44 -0500, Dan Ritter wrote:
> > hw wrote: 
> > > On Thu, 2024-02-08 at 15:29 +, Andy Smith wrote:
> > > > [...]
> > > That sucks.  I didn't know that they don't stand behind their
> > > products, and it makes APC not recommendable any longer.
> > > 
> > > What other manufacturers could we buy UPSs from?
> > 
> > Liebert at the high end, CyberPower at the low end. 
> 
> I've never heard of Liebert, they are rather expensive.  Cyberpower
> seems to be cheap.
> 
> Are they any good, and how is the battery availability?  Can they even
> be monitored?

Liebert is very good, and -- as you said -- expensive. If you
are outfitting a datacenter, they are usually on the list.

Cyberpower is reasonably reliable; the batteries can be found
online. They are USB connected devices readable by NUT.

Some selected stats:

battery.charge: 100
battery.charge.low: 10
battery.charge.warning: 20
battery.runtime: 3060
battery.runtime.low: 300
battery.type: PbAcid
battery.voltage: 24.0
battery.voltage.nominal: 24
device.mfr: CPS
device.model: CST135XLU
device.type: ups
driver.name: usbhid-ups
driver.version: 2.8.0
driver.version.data: CyberPower HID 0.6
driver.version.internal: 0.47
driver.version.usb: libusb-1.0.26 (API: 0x1000109)
input.voltage: 121.0
input.voltage.nominal: 120
output.voltage: 121.0
ups.beeper.status: enabled
ups.load: 16
ups.mfr: CPS
ups.productid: 0501
ups.realpower.nominal: 810
ups.serial: CDQHX2004035
ups.vendorid: 0764

Re: testing new sdm drive

[Dan Ritter]

to...@tuxteam.de wrote: 
> On Fri, Feb 09, 2024 at 07:50:18AM -0500, Stefan Monnier wrote:
> > So, if you want to use `badblocks`, you may want to do it on an
> > encrypted partition (that covers the whole device) rather than on the
> > raw device.
> 
> This is an interesting idea. I haven't wrapped my head around "what if
> the controller maps several block addresses to the same physical block"?
> 
> Perhaps you'd have to fill the disk and check afterwards?

Blocks are very likely to be 128KB, sometimes 64KB.

I would (I have, in the past) generate a non-random but mostly
incompressible large file -- a compressed movie is pretty good for this -- 
use md5sum to get its hash, and then write it under a variety of
names until I fill the disk. 

Then read back each file and compare the md5sum of each file to
the known value. They should be all the same.

I found a bad RAID controller this way.

-dsr-

Re: Home UPS recommendations (Was Re: rsync --delete vs rsync --delete-after)

[Dan Ritter]

hw wrote: 
> On Thu, 2024-02-08 at 15:29 +, Andy Smith wrote:
> > [...]
> That sucks.  I didn't know that they don't stand behind their
> products, and it makes APC not recommendable any longer.
> 
> What other manufacturers could we buy UPSs from?

Liebert at the high end, CyberPower at the low end. 

-dsr-

Re: testing new sdm drive

[Dan Ritter]

David Christensen wrote: 
> 
> Page 1-16 states:
> 
> USB 3.1 Gen 1 connectors (20-1 pin U31G1_12; U31G1_34)
> 
> This connector allows you to connect a USB 3.1 Gen 1 module for additional
> USB 3.1 Gen 1 front or rear panel ports. With an installed USB 3.1 Gen 1
> module, you can enjoy all the benefits of USB 3.1 Gen 1including faster data
> transfer speeds of up to 5 Gb/s, faster charging time for USB-chargeable
> devices, optimized power efficiency, and backward compatibility with USB
> 2.0.
> 
> The USB 3.1 Gen 1 module is purchased separately.
> 
> 
> STFW including asus.com, I am unable to find "USB 3.1 Gen 1 module" or "USB
> 2.0 module" (?).

USB 3.0 Gen 1 is a rename of USB 3.0.

2x Type A from standard motherboard header:
https://www.newegg.com/p/181-0783-00017?Item=9SIAPY9F266548

-dsr-

Re: NUC freeazing due to kernel bug

[Dan Ritter]

Tim Janssen wrote: 
> I use debian server on my NUC to run a low powered home server. It freezes
> every 2-3 days what looks to be a kernel bug. From a lot of testing it only
> occurs when the ethernet cable is inserted and it seems it has to do
> something with low power mode (c-states). These issues have been reported
> ever since kernel 5.10. I wonder if the debian devs are aware of this issue
> and if a fix is undereway.


Things that you really ought to tell us:

- CPU?
- model or motherboard identifier?
- have you tried disabling low C states in BIOS?
- you say it's been reported across major kernel releases --
  what bug numbers?
- are there any log entries written before it freezes?
- can you avoid it by not unplugging/replugging the ethernet
  cable?
- what ethernet NIC is in use?
- have you run htop or another means to disable power saving on
  the NIC?

...and probably a dozen other things, but start there.

-dsr-

Re: Copy from Firefox and paste into Terminal with Vim

[Dan Ritter]

David Christensen wrote: 
> On 2/5/24 16:48, Dan Ritter wrote:
> > David Christensen wrote:
> 
> 
> Please provide a URL that describes the Vim "+ and "* buffers, how to
> interact with them within Vim, how to interact with them from other apps,
> etc..

https://www.oreilly.com/library/view/learning-the-vi/9780596529833/ch04s03.html

The "+ and "* buffers will get filled with primary and clipboard
selections when they occur, or you can fill them yourself so
that other applications can read from them.

:set clipboard=unnamed, unnamedplus

makes the basic vim clipboard -- the one without a name, the one
that you use if you just dd or y a line -- be the same as the
X11 primary selection buffer.

https://vimdoc.sourceforge.net/htmldoc/gui.html#clipboard

-dsr-

Re: Mixing HDD and SSD in lvm

[Dan Ritter]

Kamil Jońca wrote: 
> 
> Debian box with LVM
> LVM uses  2 PV - raid devices each uses 2 HDD (rotating)
> discs (with sata interfaces).
> 
> Now I am considering replacing one PV with md device constisting of SSD
> discs, so LVM will be have one "HDD" based pv and one SSD based PV.
> Should I worry about anything (speed differences or sth)?

1. Refer to the disks in mdadm with the /dev/disk/by-id names, not
/dev/sdb style names.

2. Use mdadm's RAID-1 with the write-intent bitmap feature and
specify that the spinning disk will use the write-mostly
feature.

RAID 0 will be bad; don't try it.

Good luck; I've never actually tried this, but thought about
quite a bit.

-dsr-

Re: Copy from Firefox and paste into Terminal with Vim

[Dan Ritter]

David Christensen wrote: 
> Normally, I can cut and paste between Xfce desktop applications.
> 
> 
> Enter a Zip Code of "12345", highlight the first result, copy it to the
> clipboard, start Terminal, open a file with Vim, press "i" to enter insert
> mode, and paste, sometimes I see what I copied to the clipboard and
> sometimes I see nothing.
> 
> 
> I am unable to determine if the problem is Firefox, Vim, or something else.

Are you aware that there are at least three 'clipboards' here?

X11 primary selection: this usually get filled by selecting text
in a terminal. It usually gets pasted by Button 2. In vim, this
is the "+ buffer.

X11 clipboard: this usually gets filled by ctrl-c or
ctrl-shift-c or a menu "Copy". It usually gets pasted by ctrl-v
or ctrl-shift-v or a menu "Paste". In vim, this is the "*
buffer.

X11 secondary selection: you are unlikely to encounter it, but
when you do, it will be bizarre. Read: 
http://www.cs.man.ac.uk/~lindsec/secondary-selection.html

Vim can bypass a chunk of this by combining primary and
clipboard:

:set clipboard=unnamed,unnamedplus

in which case "* and "+ will be pasted simultaneously from vim.

-dsr-

Re: what keyboard do you use?

[Dan Ritter]

Henrik Morsing wrote: 
> Happy Hacking lite for the last 20+ years, absolutely nothing else will 
> suffice. And I work faster than any colleague I've ever met because of it.
> 
> And it has to be that exact version (they don't make it anymore) because of 
> the right-side Fn key and the separate arrow keys.
> 
> So it will be a task over the next 50 years getting my current one 
> repaired/replaced should it break.

You might want to buy a spare as soon as you see one and wrap it
up against dust and mechanical accidents.

-dsr-

Re: what keyboard do you use?

[Dan Ritter]

jeremy ardley wrote: 
> Lee wrote:
> > > I bought a Dell desktop in 2019 and the keyboard just died :(
> 
> I have decided to go to the mechanical keyboard style where you get positive
> feedback on key strokes.
> 
> For me there are two 'colors' that are interesting
> 
> Blue which has strong tactile feedback, requires slight force, and gives a
> loud audible mechanical click on each keystroke.
> 
> Brown is the same as blue but has no load mechanical click, just the tactile
> feedback.
> 
> I don't necessarily make no mistakes but I know certainly when I have struck
> a key.
> 
> As far as brands go, most ones with names you don't recognise won't last a
> year. Probably a logitech one would be O.K.?
> 
> You can also get ones with keyboard lighting. It is actually helpful, though
> ones that do light shows are to be avoided. Just a simple green or such and
> perhaps ones that briefly dim the light on each key when you strike it.

As far as I know, Logitech doesn't make a mechanical keyboard.

Brands which have proven reliable to me:

Keychron
Ducky
CoolerMaster's MasterKeys series

-dsr-

Re: printing problem, markdown files

[Dan Ritter]

gene heskett wrote: 
> On 2/1/24 12:24, Dan Ritter wrote:
> > gene heskett wrote:
> > pandoc -f markdown FILEIN.md -t pdf -o FILEOUT.pdf
> > 
> > will turn markdown into PDF, which you can probably print, if by
> > no other means than FTP to the printer itself. (Try it, Brothers
> > come with this by default.)
> > 
> 
> Thanks DSR.
> 
> Scanning thru the docs I don't see anything that looks like what the print
> job shops of the last century called a "binding ditch".  That is where the
> output file has say a 15mm blank space inserted on the left edge of odd
> numbered pages, while that same 15mm of blank space is inserted to the right
> of the text on even pages, leave a blank area to perfect bind the duplex
> pages w/o burying the text into the center crack of the opened pages. Have
> they adopted a new name for this?

Printers (the people) still call it that. 

You will also want to install latex ( apt install texlive-extra-utils 
will get you what you need)

pandoc options:

-V geometry:margin=1in

(all four sides)

-V geometry:left=3cm,right=3cm,top=2cm,bottom=2cm

(separate values for each side)

and finally, what you probably want: 

-V geometry:twoside,left=15mm,right=30mm,top=2cm,bottom=3cm

I just tested that and it did a pretty nice job. My actual
command:

pandoc -f markdown -t pdf -V 
geometry:twoside,left=15mm,right=30mm,top=2cm,bottom=3cm test.md -o foo.pdf

-dsr-

Re: printing problem, markdown files

[Dan Ritter]

gene heskett wrote: 
> debian bookworm everting updated earlier this morning.
> 
> I have an about 125 page .md file I need hardcopy of.

If you don't have pandoc installed:

sudo apt install pandoc

then:

pandoc -f markdown FILEIN.md -t pdf -o FILEOUT.pdf

will turn markdown into PDF, which you can probably print, if by
no other means than FTP to the printer itself. (Try it, Brothers
come with this by default.)

pandoc will translate all sorts of formats into many other
formats; if you don't want PDF, HTML, docx, rtf and even epub
are available.

-dsr-

Re: can't type certain letters

[Dan Ritter]

fjd wrote: 
> You cannot type 'w', 'r', 'y', 'u', 'o' and return key. I haven't checked if
> capitals are affected or if non-alphabeticals like '$' or '=' are affected.
> It's got an American keyboard.
> 
> The problem is present when you boot direct to BIOS/UEFI.
> 
> All I want to know are likely causes. I don't propose to fix it if it
> involves hardware replacement.
> 
> So why would such a thing occur? I've never encountered this failure mode
> before.

That would be a dead keyboard. 

Despite your mention of not fixing it, I think you should know
that keyboards are generally cheap and easy to replace. In this
case,

https://www.amazon.com/Replacement-Keyboard-UX330UA-AH54-UX330UA-AH55-UX330UAK/dp/B08LG1SN1V
is $35, and replacement would take ...

https://www.ifixit.com/Guide/Asus+Zenbook+UX303L+Keyboard+Replacement/53551

35 screws. No, I wouldn't bother fixing this. Attach an external
USB keyboard, copy all the data off, wipe the disk and send to
electronics recycling.

-dsr-

Re: Automatically installing GRUB on multiple drives

[Dan Ritter]

hw wrote: 
> How is btrfs going to deal with this problem when using RAID?  Require
> hardware RAID?
> 
> Having to add mdadm RAID to a setup that uses btrfs just to keep efi
> partitions in sync would suck.


You can add hooks to update-initramfs or update-grub.

To a first approximation:

firstbootpart = wwn-0x5006942feedbee1-part1
extrabootparts = wwn-0x5004269deafbead-part1\
 wwn-0x5001234adefabe-part1 \
 wwn-0x5005432faebeeda-part1

for eachpart in $extrabootparts ; \
do cp /dev/disk/by-id/$firstbootpart /dev/disk/by-id/$eachpart; done

You'll need to provide suitable values for the partitions, and
remember to fix this when you change disks for any reason.

And test it, because I have not even run it once.

-dsr-

Re: Changing The PSI Definition

[Dan Ritter]

Greg Wooledge wrote: 
> On Thu, Jan 25, 2024 at 07:32:38PM -0500, Thomas George wrote:
> > The current PSI works perfectly but I don't like the pale green prompt.
> > 
> > Tried editing .bashrd , /ext/fprofile and /ext/bash.bashrc but no changes to
> > the PSI definition had any effect
> 
> You appear to be asking about the shell prompt.
> 
> In bash, the shell prompt is defined in the PS1 variable, which stands
> for "Prompt String One (1)".  The last character is the numeral 1, not
> the capital letter I.

Might be time for a new font. I like Inconsolata, but l1I!
should never look similar, nor O0@ or S$. 


In the kernel, PSI is pressure stall information, a way of
looking at performance under load.


-dsr-

Re: Can't view videos in firefox: VA-API test failed

[Dan Ritter]

Stefan Monnier wrote: 
> Server Version: 15.0.0
> Default Sample Specification: float32le 2ch 48000Hz
> Default Channel Map: front-left,front-right
> Default Sink: @DEFAULT_SINK@
> Default Source: @DEFAULT_SOURCE@
> Cookie: 40db:2cde
> %
> 
> Not sure what the `Cookie` does and even less whether those @DEFAULT_SINK@
> thingies are normal, tho a quick `grep` indicates at least `zsh`
> completion for `wpctl` finds them normal:
> 
> /usr/share/zsh/site-functions/_wpctl:
> 'pw-defaults:defaults:(@DEFAULT_SINK@ @DEFAULT_SOURCE@)' \

I would set them explicitly and see if things get better.

-dsr-

Re: Can't view videos in firefox: VA-API test failed

[Dan Ritter]

Stefan Monnier wrote: 
> > Does mplayer give any more interesting errors? 
> 
> Oh, I didn't notice it at first, but now that you ask, yes it does:
> after something like a timeout period it says:
> 
> AO: [pulse] Init failed: Timeout
> Failed to initialize audio driver 'pulse'
> 
> And lo and behold if I start it with `mplayer -ao none `, the
> video plays just fine (whether Theora, MPEG2, or H.264).
> 
> So maybe I was barking up the wrong tree and the problem was on the
> audio side all this time.

Well, yes and no. I think we've established that there's no
hardware support for decoding anything except MPEG2, but also
that the machine is capable of doing most decoding in software.

Sound problems are... excessive amounts of fun. 

> This machine is running Debian testing,
> which seems to have selected Pipewire for me.
> 
> % ps auxw|grep pipewire
> monnier   1810  0.0  0.1  46096  9396 ?Ssl  jan18   0:00 
> /usr/bin/pipewire
> monnier   1813  0.0  0.0  34436  6412 ?Ssl  jan18   0:00 
> /usr/bin/pipewire -c filter-chain.conf
> monnier   1818  0.0  0.1  41540 10460 ?Ssl  jan18   0:00 
> /usr/bin/pipewire-pulse
> monnier   7472  0.0  0.0   8276  2304 pts/6SN+  16:40   0:00 grep 
> pipewire

OK. First diagnostic: `pactl info`.

On my bookworm desktop, I get this:

$ pactl info
Server String: /run/user/1042/pulse/native
Library Protocol Version: 35
Server Protocol Version: 35
Is Local: yes
Client Index: 13692
Tile Size: 65472
User Name: dsr
Host Name: spike
Server Name: PulseAudio (on PipeWire 0.3.65)
Server Version: 15.0.0
Default Sample Specification: float32le 2ch 48000Hz
Default Channel Map: front-left,front-right
Default Sink: PulseEffects_apps
Default Source: 
alsa_input.usb-Blue_Microphones_Yeti_Stereo_Microphone_REV8-00.analog-stereo

Which says the things I expect: pulseaudio's interface is being
supplied by pipewire, it's configured for 2 channel stereo,
there's a USB microphone available and the output is being
filtered through PulseEffects (which is doing equalization for
me.)




-dsr-

Re: Can't view videos in firefox: VA-API test failed

[Dan Ritter]

Stefan Monnier wrote: 
> > This should be the Intel 4500 integrated gpu, which is part of
> > the i915/i965 family. It needs:
> >
> > - an intel kernel module
> 
> According to `lsmod | grep '^i'` I have `i915` loaded.  Is that the one?

Yes.

> > - X11 running the intel video driver
> 
> Interesting.  I was using the `modesetting` driver.
> So I installed `xserver-xorg-video-intel` and then put
> 
> % cat /etc/X11/xorg.conf
> Section "Device"
> Identifier  "Intel Corporation 965GM"
> Driver  "intel"
> EndSection
> % 
> 
> to force Xorg to use that `intel` driver (since apparently by default
> nowadays it tries only `vesa`, `fbdev`, and `modestting`).

Yup.

> > It will support MPEG2 accelerated decoding but not H264, H265 or
> > any of the newer codecs -- and Youtube may not be supplying old
> > codecs these days.
> 
> That might be part of the problem, indeed.
> Tho the `vainfo` failure suggests that even MPEG2 isn't working.
> 
> I tried to view an MPEG2 video with totem/xine/mplayer and that didn't
> work either (it doesn't eat up all the CPU, instead they just "sit
> there", sometimes emitting the same kind of VA errors as shown earlier).


Does mplayer give any more interesting errors? 

-dsr-

Re: Can't view videos in firefox: VA-API test failed

[Dan Ritter]

Stefan Monnier wrote: 
> Whenever I try to view videos in Firefox in my trusty Thinkpad T61,
> Firefox just eats up the CPU but doesn't actually show the video.
> 
> At startup I get the following message:
> 
> [GFX1-]: vaapitest: VA-API test failed: failed to initialise VAAPI 
> connection.
...
 
> I understand that my machine is fairly old, but it used to be able to
> play youtube videos just fine without eating all my CPU time (i.e. using
> hardware video decoding from its GM965/GL960 Intel integrated graphcs).
> 
> Any idea what might be going on?  Any hint how I could diagnose the problem?


This should be the Intel 4500 integrated gpu, which is part of
the i915/i965 family. It needs:

- an intel kernel module
- X11 running the intel video driver
- libva-drm2
- libva-x11-2
- libva2
- i965-va-driver

It will support MPEG2 accelerated decoding but not H264, H265 or
any of the newer codecs -- and Youtube may not be supplying old
codecs these days.

-dsr-

Re: su su- sudo dont work

[Dan Ritter]

Schwibinger Michael wrote: 
> Good afternoon.
> Root terminal is fine.
> What do I do wrong?
> What did I destroy?
> 
> PC does have only one user=admin.
> 
> Regards Sophie
> Is it the rescue mode?

Please tell us:

 exactly what rescue mode you were using

 exactly what the prompt was

 exactly what you typed

 exactly what the response was

 exactly what you want to have happen

Unless you tell us all of these things in one email message, it
will not be a good idea for any of us to try to help you.

Re: NUT and Eaton UPS produce a lot of error messages

[Dan Ritter]

Stefan Schumacher wrote: 
> Hello
> 
> I recently bought a small UPS by Eaton in order to prevent my
> btrfs-fileserver (running Debian 12 Bookworm, which is also the source
> of my nut-installation) from shutting down abruptly while writing
> something important during a power loss. I have found very good
> documentation on how to set up the UPS and the services on the server
> connected to it. Unfortunately it's in German
> (https://techbotch.org/blog/ups-setup/index.html) which is not a
> problem for me but possibly for others trying to understand my set-up.

 
> The problem is the dozens of errors the systemctl status messages
> show. I bought the UPS to increase reliability and now I don't know if
> the service is working in case of an emergency. How can I fix this ?
> Should I try to contact the Package Maintainer? Are there alternatives
> I could use or is nut the gold standard?
> 
> ● nut-server.service - Network UPS Tools - power devices information server
> Loaded: loaded (/lib/systemd/system/nut-server.service; enabled;
> preset: enabled)
> Active: active (running) since Fri 2024-01-19 05:17:03 CET; 5s ago
> Main PID: 1303 (upsd)
> Tasks: 1 (limit: 38253)
> Memory: 640.0K
> CPU: 3ms
> CGroup: /system.slice/nut-server.service
> └─1303 /lib/nut/upsd -F
> Jan 19 05:17:03 servername nut-server[1303]: fopen /run/nut/upsd.pid:
> No such file or directory
> Jan 19 05:17:03 servername nut-server[1303]: Could not find PID file
> '/run/nut/upsd.pid' to see if previous upsd instance is already
> running!
> Jan 19 05:17:03 servername nut-server[1303]: listening on 127.0.0.1 port 3493
> Jan 19 05:17:03 servername nut-server[1303]: listening on ::1 port 3493
> Jan 19 05:17:03 servername upsd[1303]: listening on 127.0.0.1 port 3493
> Jan 19 05:17:03 servername upsd[1303]: listening on ::1 port 3493
> Jan 19 05:17:03 servername nut-server[1303]: Connected to UPS [Eaton]:
> usbhid-ups-Eaton
> Jan 19 05:17:03 servername upsd[1303]: Connected to UPS [Eaton]:
> usbhid-ups-Eaton
> Jan 19 05:17:03 servername upsd[1303]: Running as foreground process,
> not saving a PID file
> Jan 19 05:17:03 servername nut-server[1303]: Running as foreground
> process, not saving a PID file


So far, we aren't seeing any errors at all. This is just startup
logging.


> ● nut-monitor.service - Network UPS Tools - power device monitor and
> shutdown controller
> Loaded: loaded (/lib/systemd/system/nut-monitor.service; enabled;
> preset: enabled)
> Active: active (running) since Fri 2024-01-19 03:37:28 CET; 1h 41min ago
> Main PID: 847 (upsmon)
> Tasks: 2 (limit: 38253)
> Memory: 3.4M
> CPU: 338ms
> CGroup: /system.slice/nut-monitor.service
> ├─847 /lib/nut/upsmon -F
> └─849 /lib/nut/upsmon -F
> Jan 19 03:43:08 servername nut-monitor[849]: UPS Eaton@localhost on battery
> Jan 19 03:43:09 servername nut-monitor[916]: Network UPS Tools upsmon 2.8.0
> Jan 19 03:43:33 servername nut-monitor[849]: UPS Eaton@localhost on line power
> Jan 19 03:43:34 servername nut-monitor[920]: Network UPS Tools upsmon 2.8.0

The UPS decided to activate, then decided to go back to the
line. This might be a power fluctuation -- quite possibly an
undervoltage so brief that nothing else in the house noticed.


> Jan 19 05:17:04 servername nut-monitor[849]: Poll UPS
> [Eaton@localhost] failed - Write error: Broken pipe
> Jan 19 05:17:04 servername nut-monitor[849]: Communications with UPS
> Eaton@localhost lost
> Jan 19 05:17:04 servername nut-monitor[1305]: Network UPS Tools upsmon 2.8.0
> Jan 19 05:17:09 servername nut-monitor[849]: Login on UPS
> [Eaton@localhost] failed - got [ERR ACCESS-DENIED]
> Jan 19 05:17:14 servername nut-monitor[849]: Communications with UPS
> Eaton@localhost established
> Jan 19 05:17:14 servername nut-monitor[1312]: Network UPS Tools upsmon 2.8.0

That, however, is lost-and-regained communication with the UPS. It might be
a bad USB cable, a reset of the UPS's controller, a USB
controller issue... 

Does it happen repeatedly?

Does it ever not re-connect?

-dsr-

Re: standardize uid:gid?

[Dan Ritter]

Stefan Monnier wrote: 
> > I haven't tried it but I would assume that if the user exists then the
> > package uses that.  So cresting a template /etc/passwd before
> > installing packages would fix this.
> 
> That works, indeed.  Maybe Someone™ should develop a small "UGID server"
> which integrates into Debian's `adduser/addgroup` system (i.e. those
> tools would first ask the UGID server if that user has already been
> allocated an ID and if not register a new ID for it), so you can run
> such a server locally and tell Debian to use it so that all your
> machines share the same UID/GID namespace.


If someone is going to do that, they will re-invent LDAP.

Quite possibly in a more sane fashion -- LDAP is not sane, being
based on X.400 and ASN.1 -- but losing the compatibility of
thousands of LDAP applications.

-dsr-

Re: man page for cut

[Dan Ritter]

Richmond wrote: 
> echo hello|cut -b=2-5
> cut: invalid byte/character position ‘=2-5’
> Try 'cut --help' for more information.
> 
> Why is this?
> 
> (An example paints a thousand words).

$ echo hello|cut -b 2-5
ello

$ echo hello|cut --bytes=2-5
ello

-dsr-

Re: ata6.00: failed to IDENTIFY (I/O error, err_mask=0x100)

[Dan Purgert]

On Jan 12, 2024, Vincent Lefevre wrote:
> In one of my new machines, I have a DVD+/-RW drive. There were
> no issues on January 8 and 9. But today, I'm getting
> 
>   ata6.00: failed to IDENTIFY (I/O error, err_mask=0x100)
> 
> errors at boot time.
> [...]
> 
> Any idea?

It's an I/O error between the SATA controller and whatever device when
the controller is asking it to identify its capabilities.

Could be as simple as a loose cable (or bad cable / port).



-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: Seeking a Terminal Emulator on Debian for "Passthrough" Printing

[Dan Ritter]

phoebus phoebus wrote: 
> Dear members of the Debian community,
> 
> I am currently on the lookout for a terminal emulator on Debian that can 
> handle controlled printing from a remote server often referred to as 
> "passthrough" printing. Our specific requirement is the ability to select the 
> printing device using a specific method, either the physical COM port or the 
> virtual COM port (emulated by a USB device).
> 
> To be more precise, we want the terminal emulator to transmit data exactly as 
> it is received from a remote server (which is a Linux server) when it 
> attempts to print data through a set of escape sequences to send text in 
> transparent mode. This transmission should be directed to the COM device 
> without any modifications.
> 
> Our application runs on Linux and needs to communicate with a specialized 
> serial printer by sending data directly to it through a terminal emulator on 
> a client machine (with the printer connected to the client machine's serial 
> port).


Would it be correct to say that you don't care about the
"terminal emulator" at all, and merely need a way for the Linux
server to send data over the network to a serial port on a
remote Debian machine which is attached to a printer?

If so, I direct you to the sredird package.

-dsr-

Re: SMART Uncorrectable_Error_Cnt rising - should I be worried?

[Dan Ritter]

Stefan Monnier wrote: 
> > manufacturers in different memory banks, but since it's always
> > possible to power down, replace or just remove memory, and power
> > up again,
> 
> Hmm... "always"?  What about long running computations like that
> simulation (or LLM training) launched a month ago and that's expected to
> finish in another month or so?

If the job is that big, it's being run on multiple machines. This
machine's current chunk is corrupt, so you can't use it anyway.
The orchestrator stops using this machine, someone comes in to
replace the RAM. Later the machine is re-added to the pool.


> Some mainframes have supported hot (un)plugging RAM modules as well and
> I wouldn't be surprised if some x86 servers also support it nowadays.

https://www.kernel.org/doc/html/latest/admin-guide/mm/memory-hotplug.html

That said, you won't find this feature without specifying it
when you buy it, and very few have a use case for it.

-dsr-

Re: SMART Uncorrectable_Error_Cnt rising - should I be worried?

[Dan Ritter]

David Christensen wrote: 
> On 1/11/24 05:50, Dan Ritter wrote:
> > David Christensen wrote:
> STFW the Dell PowerEdge 6850 (circa 2004) featured "hot plug" disk drives,
> expansion slots, memory risers, power supplies, and system cooling fans:
> 
> https://downloads.dell.com/manuals/all-products/esuprt_ser_stor_net/esuprt_poweredge/poweredge-6850_user%27s%20guide4_en-us.pdf
> 
> 
> STFW dell.com today, I see servers with:
> 
> * hot plug hard drives
> * hot spare hard drives
> * dual hot plug redundant power supplies
> * dual hot plug fully redundant power supplies
> * dual hot plug fault tolerant power supplies
> * dual hot plug fault tolerant redundant power supplies.

Hot plug disks are easy -- SATA, SAS and NVMe U.2 interfaces are all
specified so that the chassis manufacturer can arrange for data
to be disconnected before power. This is nearly but not quite ubiquitous
in rackmountable servers; somewhat rare in desktops.

Hot plugged fans are extremely easy -- there's no data being
stored and no state of any consequence. Arranging an easy
disconnect mechanism is the maximum difficulty.

Hot spare is more a property of the RAID management software.
mdadm, btrfs and zfs all support marking a disk as 'spare' and
not using it until another disk is marked as failing.

Interestingly: all PCIe cards are nominally hot-pluggable.

-dsr-

Re: SMART Uncorrectable_Error_Cnt rising - should I be worried?

[Dan Ritter]

David Christensen wrote: 
> On 1/10/24 09:07, Curt wrote:
> > On 2024-01-10, David Christensen  wrote:
> 
> dual network interfaces, and dual power supplies come to mind.  I am unclear
> about dual processors and/or dual memory banks.  Moving beyond one computer,

There are no systems that I'm aware of which allow you to use 2
or more processors of different models; they always have to be
exact duplicates. Sometimes different step revisions of the same
model will not work -- if Intel makes a Xeon 5254 in March, and
fixes things in June, August and November, sometimes the
November release won't work perfectly with a chip produced in
March.

You can always use identically spec'd RAM from different
manufacturers in different memory banks, but since it's always
possible to power down, replace or just remove memory, and power
up again, I don't know that there's any reason to bother
distributing the manufacturers in a single machine.

-dsr- 

Re: SMART Uncorrectable_Error_Cnt rising - should I be worried?

[Dan Ritter]

Curt wrote: 
> On 2024-01-10, David Christensen  wrote:
> >
> >
> > Given the OP's situation -- 8 consumer SSD's, same make and model, 
> > possibly from a defective manufacturing batch, all purchased at the same 
> > time, all deployed in the same RAID-6, all run 2.5 years 24x7, and all 
> > suddenly showing lots of SMART warnings -- I would not have confidence 
> > in that RAID.
> 
> It's curious, but I just heard something on French TV from a journalist
> that's relevant to this. She said she'd covered the aeronautics field in
> the past and mentioned the *principe de dissemblance* (dissimilarity
> principle). Critical redundant parts on aircraft, she claimed, would be
> sourced from different manufacturers in order to obviate the possibility
> of redundant failures you've raised here.

I don't know whether that's true in aeronautics, but at the home
and small business scale, that's always something I've
practiced.

At the large scale, server assemblers don't want to mix parts
very often (you can get some of them to do it), so you usually
need your servers as a whole to be the unit of redundancy, not
disks in an array.

-dsr-

Re: SMART Uncorrectable_Error_Cnt rising - should I be worried?

[Dan Ritter]

The Wanderer wrote: 
> So... as the Subject asks, should I be worried? How do I interpret these
> results, and at what point do they start to reflect something to take
> action over? If there is not reason to be worried, what *do* these
> alerts indicate, and at what point *should* I start to be worried about
> them?
> 
> I already *am* worried, to the point of having heartburn and difficulty
> sleeping over the possibility of data loss (there's enough on here that
> external backup would be somewhat difficult to arrange), but I'm not
> sure whether or not that is warranted.

YES. Backup ASAP.

2TB and 4TB Samsung 870 EVO disks produced before November 2022 have this as
a known failure mode.


> Model Family: Samsung based SSDs
> Device Model: Samsung SSD 870 EVO 2TB
> Serial Number:S620NJ0R410888A

These may or may not be under warranty, depending on when you
purchased them and from whom. Assume Samsung will take a long
time, no matter what.

-dsr-

Re: xfce screen detachment

[Dan Ritter]

Russell L. Harris wrote: 
> system:  amd64 desktop, debian 12, xfce, NEC MultiSync EA192M monitor
> 
> I don't know precisely how to describe the problem, other than
> "detachment".  About every week or so, when using the rodent, the
> entire screen -- borders and all -- moves with respect to the monitor
> screen as I move the mouse.
> 
> The only recovery method I have discovered is to reboot.
> 
> My hands and finders no longer are working well, so I likely clicked
> on something or pressed a key to cause the problem.

That sounds something like having an X11 screen larger than the
monitor it is on, and X panning around that. Typically, though,
panning requires the mouse to hit the border of the monitor.

If that's what is happening, try right clicking-on the desktop
to get the application menu, and run Settings => Desktop; then
reset the resolution to what your monitor actually supports.

You might also check if some key is being held down on your
keyboard, or if your mouse buttons are misfiring.

-dsr-

Re: 1 Currently unreadable (pending) sectors How worried should I be?

[Dan Ritter]

Charles Curley wrote: 
> On Tue, 2 Jan 2024 17:47:18 -0500
> Dan Ritter  wrote:
> 
> root@tiassa:~# smartctl -a /dev/sda 
> smartctl 7.3 2022-02-28 r5338 [x86_64-linux-6.1.0-17-amd64] (local build)

> Vendor Specific SMART Attributes with Thresholds:
> ID# ATTRIBUTE_NAME  FLAG VALUE WORST THRESH TYPE  UPDATED  
> WHEN_FAILED RAW_VALUE
>   1 Raw_Read_Error_Rate 0x0032   100   100   050Old_age   Always  
>  -   0
>   5 Reallocated_Sector_Ct   0x0032   100   100   050Old_age   Always  
>  -   1
>   9 Power_On_Hours  0x0032   100   100   050Old_age   Always  
>  -   764
>  12 Power_Cycle_Count   0x0032   100   100   050Old_age   Always  
>  -   25
> 178 Used_Rsvd_Blk_Cnt_Chip  0x0032   100   100   050Old_age   Always  
>  -   1
> 194 Temperature_Celsius 0x0022   100   100   050Old_age   Always  
>  -   45
> 195 Hardware_ECC_Recovered  0x0032   100   100   050Old_age   Always  
>  -   0
> 196 Reallocated_Event_Count 0x0032   100   100   050Old_age   Always  
>  -   0
> 197 Current_Pending_Sector  0x0032   100   100   050Old_age   Always  
>  -   1
> 198 Offline_Uncorrectable   0x0032   100   100   050Old_age   Always  
>  -   0
> 199 UDMA_CRC_Error_Count0x0032   100   100   050Old_age   Always  
>  -   0
> 232 Available_Reservd_Space 0x0032   100   100   050Old_age   Always  
>  -   96
> 241 Total_LBAs_Written  0x0030   100   100   050Old_age   Offline 
>  -   13943
> 242 Total_LBAs_Read 0x0030   100   100   050Old_age   Offline 
>  -   5610

These are the values that can indicate health problems with the
disk.

None of them look bad except the temperature - which is only bad
because of the specs on the disk - and
> 197 Current_Pending_Sector  0x0032   100   100   050Old_age   Always  
>  -   1

which confirms that something is stuck, but it's just one
sector.

I would not worry about this unless some new symptom emerges.

Make backups, but only because you should pretty much always
have backups.

-dsr-

Re: 1 Currently unreadable (pending) sectors How worried should I be?

[Dan Ritter]

Charles Curley wrote: 
> I have a brand new NVME device, details below, in a brand new computer.

You might, but that's not what the details you show us are
saying.

> smartd just started returning pending sector errors.
> 
> A recent extended (long) test run since the first reported pending
> sector returned no errors.
> 
> How worried should I be?
> 
> 
> Device Model: NS256GSSD330
> Serial Number:W3ZK047027T
> Firmware Version: V0823A0
> User Capacity:256,060,514,304 bytes [256 GB]
> Sector Size:  512 bytes logical/physical
> Rotation Rate:Solid State Device
> Form Factor:  mSATA

That says this is a SATA device, not an NVMe device.

Looking up the device model shows me this:
https://smarthdd.com/database/Netac-SSD-256GB/S0626A0/

which confirms: SATA in an M.2 form factor, not NVMe.

> ATA Version is:   ACS-2 T13/2015-D revision 3
> SATA Version is:  SATA 3.2, 6.0 Gb/s (current: 6.0 Gb/s)
> Local Time is:Tue Jan  2 15:27:45 2024 MST
> SMART support is: Available - device has SMART capability.
> SMART support is: Enabled
> 
> === START OF READ SMART DATA SECTION ===
> SMART overall-health self-assessment test result: PASSED
> 
> …
> 
> SMART Self-test log structure revision number 1
> Num  Test_DescriptionStatus  Remaining  LifeTime(hours)  
> LBA_of_first_error
> # 1  Extended offlineCompleted without error   00%   764 -
> # 2  Short offline   Completed without error   00%   116 -
> 
> 
> root@tiassa:~# journalctl -u smartmontools.service | grep unreadable
> Jan 02 13:07:39 tiassa smartd[740]: Device: /dev/sda [SAT], 1 Currently 
> unreadable (pending) sectors
> Jan 02 13:37:39 tiassa smartd[740]: Device: /dev/sda [SAT], 1 Currently 
> unreadable (pending) sectors
> Jan 02 14:07:39 tiassa smartd[740]: Device: /dev/sda [SAT], 1 Currently 
> unreadable (pending) sectors
> Jan 02 14:37:39 tiassa smartd[740]: Device: /dev/sda [SAT], 1 Currently 
> unreadable (pending) sectors
> Jan 02 15:07:39 tiassa smartd[740]: Device: /dev/sda [SAT], 1 Currently 
> unreadable (pending) sectors

These are logged at suspiciously even times, like something is
looking at the disk every 30 minutes exactly.

Note that "currently unreadable" sometimes means "the disk is
too busy to get back to us" and sometimes means "there's damage
on the disk".  The disk's onboard controller should map around
damage automatically.

Do you have any other symptoms? Anything interesting in the
SMART variables?

-dsr-

Re: 1 Currently unreadable (pending) sectors How worried should I be?

[Dan Purgert]

On Jan 02, 2024, Charles Curley wrote:
> I have a brand new NVME device, details below, in a brand new computer.
> smartd just started returning pending sector errors.

Means you've got "N" bad sector(s) on the drive.  It happens, even on
new drives.

> 
> A recent extended (long) test run since the first reported pending
> sector returned no errors.
> 
> How worried should I be?

I wouldn't be "very" worried; but I'd keep an eye on it (especially with
regards to any warranties you may have on the machine)

> Device Model: NS256GSSD330
> Serial Number:W3ZK047027T
> Firmware Version: V0823A0
> User Capacity:256,060,514,304 bytes [256 GB]
> Sector Size:  512 bytes logical/physical
> Rotation Rate:Solid State Device
> Form Factor:  mSATA
> TRIM Command: Available
> Device is:Not in smartctl database 7.3/5533
> ATA Version is:   ACS-2 T13/2015-D revision 3
> SATA Version is:  SATA 3.2, 6.0 Gb/s (current: 6.0 Gb/s)
> Local Time is:Tue Jan  2 15:27:45 2024 MST
> SMART support is: Available - device has SMART capability.
> SMART support is: Enabled
> 
> === START OF READ SMART DATA SECTION ===
> SMART overall-health self-assessment test result: PASSED
> 
> …
> 
> SMART Self-test log structure revision number 1
> Num  Test_DescriptionStatus  Remaining  LifeTime(hours)  
> LBA_of_first_error
> # 1  Extended offlineCompleted without error   00%   764 -
> # 2  Short offline   Completed without error   00%   116 -


You kinda removed the important bits out of this report with regards to
the drive health.  That being said, this drive is not an NVMe -- did you
check the right one?


-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: Bug on upgrade to bookworm with Apache/PHP?

[Dan Ritter]

Andrew Wood wrote: 
> This is because the php7.4 files have now been replaced with php8.2
> 
> Specifically sym linsk in  /etc/apache2/mods-enabled/ which link to 
> /etc/apache2/mods-available/
> php7.4.conf -> ../mods-available/php7.4.conf
> php7.4.load -> ../mods-available/php7.4.load
> 
> Should be removed and replaced with a link to
> 
> php8.2.conf -> ../mods-available/php8.2.conf
> php8.2.load -> ../mods-available/php8.2.load
> 
> 
> Is this known about?


Yes. It is not an error, per se, because it is possible that a
person would want to keep the php7 system around a bit longer,
and not yet install the php8 system.

It is just part of the decisions that a sysadmin has to make for
their systems.

-dsr-

Re: No Sound With Bookworm

[Dan Ritter]

Thomas George wrote: 
> Pulseaudio Volume control shows a strong signal audio output but nothing
> reaches the speakers.
> 
> This must be a well known problem but I can't find the answer.

Check the volume control's tabs for Output Device and
Configuration; frequently PA decides there is no output or it
should go to a recently-plugged-in device with no speakers or
headphones attached, or a muted physical volume control.

Re: APT preferring `stable` over `stable-security`

[Dan Ritter]

Stefan Monnier wrote: 
> I noticed today that one of my machines was still running openssh
> 1:9.2p1-2+deb12u1 rather than  1:9.2p1-2+deb12u2 even though it is
> supposed to do its unattended-upgrades, so I tried a manual upgrade and
> the result was still the same.
> 
> Only after
> 
> apt install openssh-server/stable-security
> 
> did the machine get the new version :-(
> 
> The `sources.list` files says:
> 
> deb http://security.debian.org/ stable-security main
> deb http://deb.debian.org/debian stable main
> 
> and the `apt.conf` says:
> 
> APT::Default-Release "stable";
> Aptitude::CmdLine::Show-Deps "true";
> APT::Periodic::Unattended-Upgrade "1";
> 
> Which I thought was the "normal" config (modulo the use of "stable"
> instead of "bookworm") where the `stable-security` would automatically
> take precedence when applicable.  But it looks like the
> `stable-security` repository is just not used at all!
> 
> What am I missing?

https://wiki.debian.org/AptConfiguration#Be_careful_with_APT::Default-Release

(quoted entirely)

Maybe you have noticed examples like setting APT::Default-Release "stable"; or 
APT::Default-Release "bookworm";. It prevents installing security updates by 
apt upgrade, so avoid it. Instead of increasing priority of the current 
release, consider setting lower priority of added repositories through 
#apt_preferences (APT pinning). Since Debian 11 bullseye the security 
repository is labeled as stable-security and e.g. bookworm-security, so at 
least use regular expression matching all primary suites

APT::Default-Release "/^bookworm(|-security|-updates)$/";

-dsr-

Re: Help: network abuse

[Dan Ritter]

David Christensen wrote: 
> Does Debian and/or Linux support SYN cookies?

Yes.

Put

net.ipv4.tcp_syncookies=1

in an appropriate sysctl.d/ file.

To check on current settings:

sysctl -n net.ipv4.tcp_syncookies

Re: Mouse single click handling?

[Dan Ritter]

Jeremy Nicoll wrote: 
> I keep hoping that my next laptop will have a backlit
> keyboard but very often the machines I choose (for
> other higher-priority criteria) don't have them.
> 
> I've also tried a few clip-on mini lights (plugged into a
> spare USB socket) but many such lights come with poor
> quality clips &/ cables that are too short to reach the
> USB socket of choice (or indeed any USB socket). 

IKEA sells the Jansjo USB LED, $7.99, which has about
20cm of gooseneck which will hold its shape quite well in any
shape except straight out sideways -- then it will droop.

-dsr-

Re: systemd and timezone (was: Re: difference in seconds between two formatted dates ...)

[Dan Ritter]

Max Nikulin wrote: 
> I am not going to discuss code posted by Albretch, despite it has serious
> issues from my point of view. This is a response to Greg.
> 
> On 20/12/2023 22:04, Greg Wooledge wrote:
> > The default time zone has nothing to do with systemd, nor with any other
> > init system that may be in place.  Systemd does not know or care about
> > the system's default time zone.
> 
> See systemd-timedated.service(8) and org.freedesktop.timedate1(5)
> 
> busctl introspect org.freedesktop.timedate1 /org/freedesktop/timedate1
> # Values are stripped
> org.freedesktop.DBus.Properties interface -
> .PropertiesChanged  signalsa{sv}as
> org.freedesktop.timedate1   interface -
> .SetTimezonemethodsb
> .Timezone   property  s
> 
> Desktop environments use this interface.

Is this set per-user? Because I certainly have multiple users on
the same computer at the same time from different timezones. And
it is quite possible on a few of those machines to have multiple
desktop users, each from a different TZ.

-dsr-

Re: Help: network abuse

[Dan Purgert]

On Dec 21, 2023, Alain D D Williams wrote:
> My home PC is receiving, for hours at a time, 12-30 kB/s input
> traffic. This is unsolicited. I do not know what it is trying to
> achieve but suspect no good. It is also eating my broadband
> allowance.
> 
> Questions:
> 
> • What is going on ?

Looks like bots.

> 
> • What can I do about it ?
 

Dropping the entirety of Asia/Africa has helped my logs (though, my ISP
doesn't track usage; and I imagine if they did, it wouldn't actually
HELP anything there, since the traffic already made it to me).  If it's
a reputable hosting company, contacting their abuse department may
possibly help them kill the account(s) running the bots.

-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: Mouse single click handling?

[Dan Purgert]

On Dec 19, 2023, Felix Miata wrote:
> Alexander V. Makartsev composed on 2023-12-19 11:37 (UTC-0500):
> 
> > local10 wrote:
> 
> >> I have several mice that went bad with the same defect: they
> >> sometimes generate two single clicks very quickly (say, within
> >> 10-20ms) instead of a single click.
> > This is a very common problem with micro-switches inside computer mice, 
> > mechanical keyboards, etc.
> > They wear out with use and has to be replaced, given that they are very 
> > inexpensive, standardized and relatively easy to replace.
> > Here is a link to PDF datasheet [1] for Omron D2F series switches 
> > specifications.
> > You need a switch with pin plunger and compatible terminals, those 
> > depend on mice model.
> > You can buy them at local electronics store, order them from China 
> > (AliExpress), or from any other reputable source.
> 
> > [1] https://omronfs.omron.com/en_US/ecb/products/pdf/en-d2f.pdf
> 
> Can you suggest any particular online source in North America that
> sells those switches? I had no success trying to refurb one in my
> invaluable Logitech Trackman Marble FX PS/2 trackball. It took 2 hours
> to get that tiny switch back together after disassembly and cleaning.
> :( A Kensington Orbit I had much better luck with cleaning, so didn't
> need a new switch.

Mouser () or Digikey () both
carry the D2F series. They're both wonderful to work with, although I
prefer Digikey's parametric search over Mouser.


-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: Mouse single click handling?

[Dan Purgert]

On Dec 19, 2023, local10 wrote:
> I have several mice that went bad with the same defect: they sometimes
> generate two single clicks very quickly (say, within 10-20ms) instead
> of a single click.
> 
> With reference to the above, is there a way or setting to force
> several mouse clicks within a short period of time to be interpreted
> as a single mouse click?

As far as I'm aware, there are no "low-pass" options in the drivers /
software to accommodate the case when the mechanical parts in the mouse
start sending spurious clicks, thanks to the contacts / springs / etc.
wearing out.  

It'd probably be less effort to just replace the failing switch(es) in
the mouse than trying to add that to the software.


-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: Zoom on Bookworm?

[Dan Ritter]

Jerome BENOIT wrote: 
> can we efficiently jail zoom ?

It needs access to a microphone, camera, and the network. I
suppose you could call that a jail, but for programs, that's
pretty much everything except filesystems and root privileges.

-dsr-

Re: Desktop environment

[Dan Ritter]

William Torrez Corea wrote: 
> I have installed Debian 12 and use XFCE 4.18. The installation has a
> problem, the windows do not adjust size and figure like the previous
> version. In addition to the title, the fonts are very small.
> 
> I don't know if it is a bug or configuration problem.

I'm not sure what "windows do not adjust size and figure" means,
but here are some things to try:

- In Settings - Display, change DPI. At a minimum, look at 75,
110 and 125 in order to see what the differences are. Set what
you like.

- in Settings - Window Manager, you can set the font and size of
the window titles. (Also the theme -- there are many to choose
from, and XFCE is particularly easy to write your own.)

- in Settings - Appearance, you can set the GUI theme and the
default font and font size.

-dsr-

Re: raid10 is killing me, and applications that aren't willing towait for it to respond

[Dan Ritter]

Pocket wrote: 
> 
> Many reasons
> 
> If the RAID controller bites the bullet you are usually toast unless you
> have another RAID controller (same manufacturer and type) as a spare.

mdadm, zfs and btrfs all lack this problem.

> I have zero luck replacing one companies raid controller with another and
> ditto on raid built into the motherboard.

As above.
 
> I really don't need any help losing my data/files as I do a good job of that
> all by myself ;)

btrfs and zfs have snapshots which really help avoiding losing
data. On other machines, rsnapshot is often suitable.


> I found it is better to just have my data on several backup disks, that way
> if one fails I get another disk and copy all the data to the newly purchased
> disk.

RAID isn't a backup solution, it's a way of keeping things going
until you have time to restore. (And also a way of improving
performance and/or manageability.)

If you don't need or want it, you shouldn't use it. Same as any
tool.

-dsr-

Re: Bug report

[Dan Ritter]

Iman Hajibagheri wrote: 
> Hello
> My laptop model is asus zenbook duo ux481 and I installed ubuntu desktop
> After installation, when I log in to my account for the first time, a
> welcome to ubuntu tab appears. I click on the help improve ubuntu section.
> My laptop stops after the yes option and the operating system crashes. I
> think this is due to the detection of the hardware of the second monitor.
> It happens because whenever I get lshw or other hardware ls, the same thing
> happens.
> And it does not have the ability to adjust the brightness and other
> features for the second screen.

This is the Debian users mailing list.

Ubuntu support is here: https://ubuntu.com/community/support

Re: Unattended Upgrades Ran Anyway.

[Dan Ritter]

Stefan Monnier wrote: 
> On my trusty Thinkpad X30, upgrades are sufficiently taxing that having
> them run unexpectedly can be a real problem, so I tried to prevent
> unattended upgrades a few months ago.


I have always preferred the apticron package, which by default
updates daily and sends an email letting me know that they are
available, rather than doing the upgrade itself.

-dsr-

IMPORTANT: do NOT upgrade to new stable point release

[Dan Ritter]

https://fulda.social/@Ganneff/111551628003050712

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057843

The new kernel release is reported to contain an ext4 data
corruption bug. It's prudent not to upgrade, or if you have
started to upgrade, not to reboot, until a new kernel release
is prepared.


-dsr-

Re: Could not find interfaces configuration file /etc/network/interfaces in Debian Linux 11 (bullseye)

[Dan Purgert]

On Dec 07, 2023, to...@tuxteam.de wrote:
> On Thu, Dec 07, 2023 at 03:52:20PM +, Turritopsis Dohrnii Teo En Ming 
> wrote:
> 
> [...]
> 
> > Problem
> > =
> > 
> > On 6 Dec 2023, our client discovered that their UDM Pro could not perform 
> > firmware updates automatically. Their UDM Pro was running UniFi OS version 
> > 3.0.20. Client wants to upgrade firmware to latest version 3.1.16 but 
> > couldn't.
> > 
> > UDM Pro runs Debian 11 (bullseye)
> > 
> 
> Now I don't understand: is it running UniFi OS or Debian bullseye?

"UniFi OS" (And EdgeOS on other lineups) is customized Debian Stable of
some flavor or other.

> 
> Or is Ubiquiti just cheapskating and sending their customers here
> to save on customer support?

I've never seen them direct customers anywhere other than their support
forums... 

-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: Load in minor time one page

[Dan Ritter]

William Torrez Corea wrote: 
> One page by means of firefox has a latency of 49.9 ms.
> 
> 
> *How can I improve the latency?*
> 
> I want a latency of 0 ms

Every page is different.

You can measure with the developer tools, in the performance
tab.

Things you can try:

- different network connections
- different DNS resolver
- remove ads with an adblocker (uBlock Origin is generally
  preferred)
- turn off JavaScript
- turn off graphics

If you have control of the page, on the other hand:

- remove JavaScript
- reduce graphics size
- simplify or eliminate CSS


0 ms is, of course, unobtainable. The browser needs to ask for
the page, receive the page, decode the page, and render the
content.

-dsr-

Re: ntpsec as server questions

[Dan Purgert]

On Dec 04, 2023, gene heskett wrote:
> [...]
> So here on coyote: date -u:
> Mon Dec  4 15:47:44 UTC 2023
> but on mkspi: date -u:
> Mon 04 Dec 2023 03:47:16 PM UTC
> [...]
> 
> WTH?  Where is that false 12 hour offset coming from?

Coyote seems to use the standard output of 'date' (in 24-hour clock
format).  

mkspi /appears/ to be using an approximation of "-R" ("--rfc-email",
as set in RFC5322), though it's missing the comma between "Mon" and "04
Dec", and is set in 12-hour mode.

It's been ages since I've dug into it, but I _BELIEVE_ the LC_TIME
environment variable has an effect here. (Or had, at some point in the
past).

-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: Print flakes off mailing labels, use a fixative?

[Dan Ritter]

Tom Browder wrote: 
> On Sat, Dec 2, 2023 at 2:18 PM Donald Mac Dougall  wrote:
> If I do need a new printer, I want another B laser, double
> sided-printing, copying,
> and scanning. Multiple paper trays for two sizes of paper would be nice.
> I have had great luck with HP over the years, but  I'm open to suggestions.


Brother has all those features, plus BRScript/3 and ethernet. I
buy them for work where they tend to last about 8-10 years of high-volume work.

Extra paper trays are expensive, but often compatible across 2
generations; consider EBay or Craigslist for more.

Recommended.

-dsr-

Re: time question, as in ntp?

[Dan Purgert]

On Dec 01, 2023, Greg Wooledge wrote:
> On Fri, Dec 01, 2023 at 08:20:57AM -0500, gene heskett wrote:
> > You claim I don't have to do anything to that printer machine, so I
> > installed the ICC server here. I have done zip to the dhcpd.conf which looks
> > as it it is fully disabled. Assuming I want a pool of 16 addresses, say from
> > 192.168.71.100 to 192.168.71.115, what do I uncomment and fill in, in
> > dhcpd.conf?
> > 
> > If I'm going to have to do this, I want it done the approved way.
> > 
> > I want the server to only respond to the MAC address of that printer, no
> > response to any other MAC that might come calling.
> 
> The pool is for "anyone who comes calling".
> 
> Your reserved addresses should be outside the pool.

At one time (or I'm just conflating isc-dhcp-server with some other
dhcp server option), it was required that a host's "fixed-address" was
within the defined range ("address pool").  Looking at a manpage dated
2021 (or well at least /usr/share/man/man8/dhcpd.8.gz is dated 2021), it
doesn't specify one way or the other.

It does, however, note that if you do set a host's fixed-address that
falls in the range, it just gets skipped when a client that doesn't
match the defined host-identifier (e.g. MAC Address) is requesting an
IP.

-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: time question, as in ntp?

[Dan Purgert]

On Dec 01, 2023, gene heskett wrote:
> [lotsa snipping ... ]
> 
> You claim I don't have to do anything to that printer machine, so I
> installed the ICC server here. I have done zip to the dhcpd.conf which
> looks as it it is fully disabled. Assuming I want a pool of 16
> addresses, say from 192.168.71.100 to 192.168.71.115, what do I
> uncomment and fill in, in dhcpd.conf?

Sent you a mail off-list with greater detail (hopefully it'll get
through).  

Simple approach --> look for the stanza beginning "subnet".  It should
already be uncommented (as I recall), and probably setup for the "pretty
standard default RFC1919 range" of 192.168.1.0/24.



-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: time question, as in ntp?

[Dan Purgert]

On Dec 01, 2023, gene heskett wrote:
> On 11/30/23 23:18, Max Nikulin wrote:
> > [...]
> > What I see in your messages are false claims, e.g. that DHCP addresses
> > are unstable. DHCP servers *may* be configured to assign fixed addresses
> > to particular clients.
> > 
> My ISP does that, so my exterior net address has been stable for over a
> decade, but I've tried it 2-3 times in the 2000's and got unstable
> addresses from  the distro versions of dhcp every time.

Your router just renews its lease within the renewal window. If you had
no power for a week, then your router would lose its lease, and the IP
address would change. That is -- no, your ISP does not reserve your IP
address at all.

Likewise, a Debian box running isc-dhcp-server (or any of the other
myriad of options) will hand out the same address to the same machine
forever, provided that machine asks to renew before the lease expires.

Note that if we're talking about devices that leave your network, this
somewhat goes out the window; because if they happened to join a remote
network that happens to share the same subnet, AND that network tells
them to use a different IP address (e.g. home was 192.168.1.100,
starbucks told your laptop '100' wasn't available), then the laptop MAY
request the IP address Starbucks gave when you get back home.

-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: time question, as in ntp?

[Dan Purgert]

On Dec 01, 2023, gene heskett wrote:
> On 12/1/23 05:41, Dan Purgert wrote:
> > On Nov 30, 2023, gene heskett wrote:
> > > On 11/30/23 22:07, John Hasler wrote:
> > > > Gene writes:
> > > > > let me clarify: This buster machine acting like a 3d printer does NOT
> > > > > have dhcpcd installed. No trace of it in /etc Only dhcp.
> > > > 
> > > > I'm sure it's running dhclient.  do
> > > > 
> > > >   ls /etc/dhcp
> > > > 
> > > > and
> > > > 
> > > >   ps ax | grep dhc
> > > > 
> > > > You don't need to do anything on that machine.  Just install a dhcp
> > > > server somewhere on your network (on the router is conventional) and it
> > > > will give that machine an ip number.
> > > 
> > > At risk of repeating myself forever, I don't need an unstable address, I
> > > don't want whatever the heck is left in the pool. Hosts files do that, 
> > > dhcp
> > > doesn't. It just hands out the next number in the pool.  hosts files are
> > > static. A forveer lease.
> > 
> > DHCP will only hand out the "next" ('unstable') address to a host that
> > currently has no valid lease AND does not have a reservation set on the
> > DHCP server.  Reservations are based on host MAC address.
> > 
> > Any host that has a valid lease will renew that lease indefinitely, at
> > lease half-life (and if the DHCP server happens to be missing at
> > half-life, retry at 7/8ths ).
> 
> Assuming I install a dhcp SERVER on this machine, how do I edit the
> client.conf on that machine to query this one?, and how to I enable this
> "reservation" on this SERVER so it hands out a stable address ONLY if the
> reservation matches? Point me at the docs please and I'll go away.

You don't tell the client anything.  DHCP is initiated by a broadcast
from a client looking for an IP address.

Reservation syntax depends on which DHCP server you're using.  If it's
isc-dhcp-server (predecessor to kea; though I've not yet migrated to
kea), then, in the 'subnet' directive, you add a "host" directive.

The isc-dhcp-server example config file (and html manual) cover the
syntax in greater detail, but here's a short example:

  subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.199;
[... DNS, default gateway, etc ...]

host thePrinter {
  hardware ethernet 00:12:34:56:78:9A;
  fixed-address 192.168.1.120;
}
  }


-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: time question, as in ntp?

[Dan Purgert]

On Nov 30, 2023, gene heskett wrote:
> On 11/30/23 22:07, John Hasler wrote:
> > Gene writes:
> > > let me clarify: This buster machine acting like a 3d printer does NOT
> > > have dhcpcd installed. No trace of it in /etc Only dhcp.
> > 
> > I'm sure it's running dhclient.  do
> > 
> >  ls /etc/dhcp
> > 
> > and
> > 
> >  ps ax | grep dhc
> > 
> > You don't need to do anything on that machine.  Just install a dhcp
> > server somewhere on your network (on the router is conventional) and it
> > will give that machine an ip number.
> 
> At risk of repeating myself forever, I don't need an unstable address, I
> don't want whatever the heck is left in the pool. Hosts files do that, dhcp
> doesn't. It just hands out the next number in the pool.  hosts files are
> static. A forveer lease.

DHCP will only hand out the "next" ('unstable') address to a host that
currently has no valid lease AND does not have a reservation set on the
DHCP server.  Reservations are based on host MAC address.

Any host that has a valid lease will renew that lease indefinitely, at
lease half-life (and if the DHCP server happens to be missing at
half-life, retry at 7/8ths ).


-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860


signature.asc
Description: PGP signature

Re: used vs. unused packages installed

[Dan Ritter]

Mike McClain wrote: 
> Is there any way to determine which packages are used of the many
> that come with an install?
> My Raspberry Pi install of bookworm has some 1800 packages
> installed many of which I know I don't use, many others I suspect I
> don't use but don't know if some program I do use depends on them at
> some point in its life.
> $ apropos editor | wc   reports 23 hits
> Six of which are various versions of VI which I don't use but pico,
> nano, mcedit, mousepad and mu-editor are also included. I only use jed
> but don't know what would break if I purged the others and am loathe
> to break a working system.
> There are 259 packages whose name starts with 'python', admittedly I
> could purge one a week and see if anything breaks, that would only take
> 5 years but I'm not quite that patient.
> 
> Suggestions?

Pick a suspect package and run

apt-cache rdepends --installed PACKAGE

That shows you all the packages which are installed and depend
on this PACKAGE.

That saves you from the uninstall-and-see-what-breaks dance.

-dsr-