Re: [gentoo-user] Re: update gentoo without network

2016-01-18 Thread Neil Bothwick
On Mon, 18 Jan 2016 15:28:27 +0100, Raffaele BELARDI wrote:

> > Download the latest portage snapshot on B
> > Unpack it on A
> > Run emerge -ufp @world on A and capture the output
> > Use that on B to download the files
> > Copy them back to A and emerge -u @world
> >
> > That avoids the use of a chroot altogether but involves two round
> > trips across the sneakernet. You could possibly save some of that by
> > transferring the portage snapshot and download list as email
> > attachments, assuming A has email.

> Yes, I used that procedure in the past but it requires more human
> effort so I'd prefer the chroot approach; also I found that sometimes
> the list of files downloaded by system B was not complete and I had to
> further iterate the procedure. At the time I assumed it was due to the
> two systems being based on different architectures (~amd64 and ~x86),
> but did not really spend much time investigating.

The architecture is irrelevant; the fetching machine doesn't have to run
Gentoo, or even Linux, you are simply giving it a list of URLs to fetch.
The output from emerge -f gives multiple URLs for each file. Instead of
taking only the first one, which may be the cause of the failures, there
is an option to wget to not download duplicates, so you can pass it the
full list and it keeps trying until it succeeds.

As for the effort, you could automate part of the process with cron and
procmail scripts. Your current approach also requires more effort than
you are currently giving it, that's why it doesn't work :(


-- 
Neil Bothwick

Actually, Microsoft is sort of a mixture between the Borg and the Ferengi.


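The mirror-list idea above, as an added example that is not Neil's script or anything shipped with portage: it parses the output captured from `emerge -ufp @world` on A (assumed to list one distfile per line with all of its mirror URLs separated by whitespace), then on B tries every URL for a file until one succeeds and skips files already present, so a partial run can simply be repeated. The mirror host names in the sample list are constructed.

```python
"""Sneakernet fetch helper (added example, not from the thread).  Assumes the
captured `emerge -ufp @world` output has one distfile per line with all of its
mirror URLs separated by whitespace; other emerge chatter lines are ignored."""
import os
import shutil
import sys
import urllib.request
from urllib.parse import urlparse

SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample of a captured list: one distfile with two mirrors, one with one.
SAMPLE_LIST = """These are the packages that would be fetched, in order:
http://mirror-a.example/distfiles/foo-1.2.tar.xz http://mirror-b.example/distfiles/foo-1.2.tar.xz
https://mirror-b.example/src/bar-0.9.tgz
"""


def parse_fetch_list(text):
    """Return {filename: [url, ...]}, keeping every alternative URL for a file."""
    wanted = {}
    for line in text.splitlines():
        for url in (t for t in line.split() if t.startswith(SCHEMES)):
            name = os.path.basename(urlparse(url).path)
            # The list crosses a trust boundary on removable media: accept only
            # plain file names so nothing can be written outside the distfiles dir.
            if not name or name in (".", "..") or "/" in name or "\\" in name:
                continue
            urls = wanted.setdefault(name, [])
            if url not in urls:
                urls.append(url)
    return wanted


def http_fetch(url, dest):
    """Download url to dest; any failure raises so the caller tries the next mirror."""
    with urllib.request.urlopen(url, timeout=60) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)


def fetch_all(wanted, distdir, fetch=http_fetch):
    """Fetch each missing file into distdir, trying its mirrors in order.

    Existing files are skipped (what wget -nc does), so the run is repeatable.
    Returns (fetched, failed) lists of file names."""
    fetched, failed = [], []
    for name, urls in wanted.items():
        dest = os.path.join(distdir, name)
        if os.path.exists(dest):
            continue
        part = dest + ".part"
        for url in urls:
            try:
                fetch(url, part)
                os.replace(part, dest)  # only a complete download gets the real name
                fetched.append(name)
                break
            except Exception as exc:  # connection error, 404, short read ...
                print(f"{name}: {url} failed: {exc}", file=sys.stderr)
                if os.path.exists(part):
                    os.remove(part)
        else:
            failed.append(name)
    return fetched, failed


if __name__ == "__main__":
    # usage: fetchlist.py <captured emerge -ufp output> <distfiles directory>
    with open(sys.argv[1]) as fh:
        todo = parse_fetch_list(fh.read())
    got, missing = fetch_all(todo, sys.argv[2])
    print(f"fetched {len(got)}, failed {len(missing)}: {' '.join(missing)}")
    sys.exit(1 if missing else 0)
```

Portage still checks every distfile against the Manifest digests when A runs emerge -u @world, so a corrupt or tampered download is rejected there rather than trusted because it arrived on the media.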


Re: [gentoo-user] Re: update gentoo without network

2016-01-18 Thread Neil Bothwick
On Mon, 18 Jan 2016 15:05:35 +0100, Raffaele BELARDI wrote:

> > On Mon, 18 Jan 2016 12:38:13 +0100, Raffaele BELARDI wrote:
> >  
> >> I suppose the database I'm looking for is /var/db/pkg, right?  
> >
> > /var/lib/portage/world - this needs to be in sync in the two
> > environments. 
> 
> Ok but that's a 'static' snapshot of the packages; I also need to
> update in the chroot the list of currently installed packages and their 
> versions and that's in /var/db/pkg, I think. I'll test it this evening.

Yes, you do.

> > Are the two computers networked together? If so, you could run
> > http_replicator on B and it would download the packages for A.
> 
> No, the computers are on completely separated networks. The only way to 
> bypass the security policy on one of the two networks is through 
> removable media ;-)

I used a similar, but networked approach to build packages for slow
machines in containers in a faster computer. Because I was building in
the container, not just downloading, I didn't have to worry about the
package database, I just synced /var/lib/portage/world* and
etc/portage (excluding make.conf) and used a shared $PKG_DIR

If you don't mind a two step approach, you could

Download the latest portage snapshot on B
Unpack it on A
Run emerge -ufp @world on A and capture the output
Use that on B to download the files
Copy them back to A and emerge -u @world

That avoids the use of a chroot altogether but involves two round trips
across the sneakernet. You could possibly save some of that by
transferring the portage snapshot and download list as email attachments,
assuming A has email.


-- 
Neil Bothwick

Time for a diet! -- [NO FLABBIER].




Re: [gentoo-user] Re: update gentoo without network

2016-01-18 Thread Raffaele BELARDI
Neil Bothwick wrote:
> On Mon, 18 Jan 2016 15:05:35 +0100, Raffaele BELARDI wrote:
>
> If you don't mind a two step approach, you could
>
> Download the latest portage snapshot on B
> Unpack it on A
> Run emerge -ufp @world on A and capture the output
> Use that on B to download the files
> Copy them back to A and emerge -u @world
>
> That avoids the use of a chroot altogether but involves two round trips
> across the sneakernet. You could possibly save some of that by
> transferring the portage snapshot and download list as email attachments,
> assuming A has email.
>

Yes, I used that procedure in the past but it requires more human effort 
so I'd prefer the chroot approach; also I found that sometimes the list 
of files downloaded by system B was not complete and I had to further 
iterate the procedure. At the time I assumed it was due to the two 
systems being based on different architectures (~amd64 and ~x86), but 
did not really spend much time investigating.

raffaele


Re: [gentoo-user] Re: update gentoo without network

2016-01-18 Thread Neil Bothwick
On Mon, 18 Jan 2016 12:38:13 +0100, Raffaele BELARDI wrote:

> > I have gentoo system A (~x86) on a network that does not allow portage
> > access to internet due to some authentication issue. System B (~amd64)
> > is on another network with no such restrictions.
> >
> > To bypass the restrictions I made a copy of A on a removable media,
> > chroot into it from B and 'emerge-webrsync; emerge --fetchonly' from
> > there. Then attach the media to A and overwrite /usr/portage with the
> > updated one from the removable media.
> >
> > This works but updating the chroot from B always re-downloads all the
> > packages since the first time I created the chroot, not only those
> > from the last update. I suppose portage maintains a database of the
> > installed packages that I need to copy back to the removable media
> > after each system A update, but where is it?  
> 
> I suppose the database I'm looking for is /var/db/pkg, right?

/var/lib/portage/world - this needs to be in sync in the two environments.

Are the two computers networked together? If so, you could run
http_replicator on B and it would download the packages for A.


-- 
Neil Bothwick

OK Scotty, NOW!  Detonate and energize!  I mean...




Re: [gentoo-user] Re: update gentoo without network

2016-01-18 Thread Raffaele BELARDI
Neil Bothwick wrote:
> On Mon, 18 Jan 2016 12:38:13 +0100, Raffaele BELARDI wrote:
>
>> I suppose the database I'm looking for is /var/db/pkg, right?
>
> /var/lib/portage/world - this needs to be in sync in the two environments.
>

Ok but that's a 'static' snapshot of the packages; I also need to update 
in the chroot the list of currently installed packages and their 
versions and that's in /var/db/pkg, I think. I'll test it this evening.

> Are the two computers networked together? If so, you could run
> http_replicator on B and it would download the packages for A.

No, the computers are on completely separated networks. The only way to 
bypass the security policy on one of the two networks is through 
removable media ;-)

raffaele



[gentoo-user] Python3.4 to python3.5 in ebuilds

2016-01-18 Thread Stanislav Ch. Nikolov

It seems like 3.4 and 3.5 are 100% compatible, and most ebuilds involving 
python in some way tolerate them both (any-of ( python_targets_python3_3 
python_targets_python3_4 python_targets_python3_5)). Yet there are some that 
are still unhappy with 3.5. This makes me really annoyed and I was wondering if 
it was possible to write a simple script to add python_targets_python3_5 where 
needed. Would this break anything, and if no, why can't the maintainers or some 
portage-tree admin do it?

Of course there might be some other barrier to adopting 3.5 that I can't 
understand, so please explain it to me.



Re: [gentoo-user] Re: How to get rid of 32bits libraries

2016-01-18 Thread Helmut Jarausch
Thanks Nikos, thanks Neil.

With your help I've managed to get rid of all 32bits libraries.

I'm still unsure what to do for the "second step".

If possible, I'd like to install any packages with abi_x86_32 which are
required for dev-util/android-sdk-update-manager and app-text/acroread
with a different PREFIX, such as /usr/local.
Is that possible?

Many thanks,
Helmut





[gentoo-user] Re: How to get rid of 32bits libraries

2016-01-18 Thread James
Neil Bothwick  digimed.co.uk> writes:


> emerge -evp world | grep 'ABI_X86="32'

Hm. OK thanks for verification on the number.

emerge -evp world | grep 'ABI_X86="32'| wc -l
279

Same as::
 EIX_LIMIT=0 eix -I --only-names | equery hasuse  abi_x86_32 | wc -l
279


Anyway::
Why so many?  The Profile? What are other getting for the number(s)
of 32 bit libs? This thread has me curious. Some embedded systems
may be desirable to upgrade to only 64 bit libs, besides other similar installs.


James






Re: [gentoo-user] Re: How to get rid of 32bits libraries

2016-01-18 Thread Alan McKinnon
On 18/01/2016 15:31, Helmut Jarausch wrote:
> Thanks Nikos, thanks Neil.
> 
> With your help I've managed to get rid of all 32bits libraries.
> 
> I'm still unsure what to do for the "second step".
> 
> If possible, I'd like to install any packages with abi_x86_32 which are
> required for dev-util/android-sdk-update-manager and app-text/acroread
> with a different PREFIX, such as /usr/local.
> Is that possible?


What is your rationale for wanting to do that?

acroread and android-sdk-update-manager need 32 bit libs. Portage will
create them for you quite happily and they have to go somewhere. Why do
you want them in a different PREFIX? If it's strict separation you are
after, is /lib32 and /usr/lib32 not separate enough for you?

It seems odd to me to take libs that the package manager is very
efficient at creating, and put them in /usr/local - the one area that
package managers by convention never touch. I can't grok what you are
trying to accomplish.


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] Re: How to get rid of 32bits libraries

2016-01-18 Thread Dale
Neil Bothwick wrote:
> On Mon, 18 Jan 2016 09:12:23 +, Neil Bothwick wrote:
>
>> equery hasuse checks which packages respect the given USE flag, it pays
>> no attention to whether it is actually set. Try
>>
>> emerge -evp world | grep 'ABI_X86=32'
> Sorry, that should be
>
> emerge -evp world | grep 'ABI_X86="32'
>
>


Yep.  That one works better.  I have a lot of those too.  I wouldn't
mind getting away from the 32 bit stuff myself but it may be too early
yet.  Maybe later. 

At least I know I have a lot of them now tho.  ;-)

Dale

:-)  :-) 



[gentoo-user] Handbook instructions for UEFI

2016-01-18 Thread Adam Carter
First attempt at a GPT/UEFI install. Instructions in the Handbook say that
for a UEFI system, prepare the disk as;
Partition Filesystem Size Description
/dev/sda1 (bootloader) 2M BIOS boot partition
/dev/sda2 ext2 (or vfat) 128M Boot partition


to end up with;
(parted)print

Model: Virtio Block Device (virtblk)
Disk /dev/sda: 20480MiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start    End      Size     File system  Name  Flags
 1      1.00MiB  3.00MiB  2.00MiB               grub  bios_grub
 2      3.00MiB  131MiB   128MiB                boot  boot
 

And later in the bootloader instructions it says;
# grub2-install --target=x86_64-efi --efi-directory=/boot
then;
Note: Modify the efi-directory setting to the root of the vfat EFI System
Partition. This necessary if the /boot partition was not formatting [sic]
as vfat.

Does it look like they intend that /dev/sda1 is the EFI system partition?
If so, should /dev/sda1 be mounted at /boot/efi, and the --efi-directory
set to /boot/efi...


Re: [gentoo-user] Re: How to get rid of 32bits libraries

2016-01-18 Thread Neil Bothwick
On Mon, 18 Jan 2016 06:04:27 + (UTC), James wrote:

> OK, so I run:: 
>  EIX_LIMIT=0 eix -I --only-names | equery hasuse  abi_x86_32 | wc -l
> 
> and get '279'. Maybe I missed something on how to determine the packages
> installed that have 'abi_x86_32' set ?

equery hasuse checks which packages respect the given USE flag, it pays
no attention to whether it is actually set. Try

emerge -evp world | grep 'ABI_X86=32'


-- 
Neil Bothwick

Yes, I've heard of "decaf." What's your point?




Re: [gentoo-user] Handbook instructions for UEFI

2016-01-18 Thread Neil Bothwick
On Mon, 18 Jan 2016 20:13:25 +1100, Adam Carter wrote:

> First attempt at a GPT/UEFI install. Instructions in the Handbook say
> that for a UEFI system, prepare the disk as;
> Partition Filesystem Size Description
> /dev/sda1 (bootloader) 2M BIOS boot partition
> /dev/sda2 ext2 (or vfat) 128M Boot partition
> 

The BIOS boot partition is needed when using GPT *without* UEFI. For EFI,
the first partition should be the ESP, formatted using FAT. You can also
use this as /boot, and have to if you aren't using GRUB. For example,
this laptop has

% sudo gdisk -l /dev/sda
GPT fdisk (gdisk) version 1.0.1

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.
Disk /dev/sda: 500118192 sectors, 238.5 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 26850F58-B4C1-48A7-BE0A-715BB53DDD0B
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 500118158
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size        Code  Name
   1            2048         2099199   1024.0 MiB  EF00  EFI System
   2         2099200       483340287   229.5 GiB   8300  Linux filesystem
   3       483340288       500118158   8.0 GiB     8200  Linux swap


-- 
Neil Bothwick

Help a man when he is in trouble and he will remember you when he is in
trouble again




Re: [gentoo-user] Re: How to get rid of 32bits libraries

2016-01-18 Thread Neil Bothwick
On Mon, 18 Jan 2016 09:12:23 +, Neil Bothwick wrote:

> equery hasuse checks which packages respect the given USE flag, it pays
> no attention to whether it is actually set. Try
> 
> emerge -evp world | grep 'ABI_X86=32'

Sorry, that should be

emerge -evp world | grep 'ABI_X86="32'


-- 
Neil Bothwick

Anything worth fighting for is worth fighting dirty for.




[gentoo-user] *dev-less gentoo

2016-01-18 Thread karl
# emerge -auDN @system
...
[ebuild  N ] virtual/dev-manager-0 

How can I get rid of dev-manager-0 from @system ?

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57





Re: [gentoo-user] *dev-less gentoo

2016-01-18 Thread Francisco Ares
2016-01-18 15:15 GMT-02:00 :

> # emerge -auDN @system
> ...
> [ebuild  N ] virtual/dev-manager-0
>
> How can I get rid of dev-manager-0 from @system ?
>
> Regards,
> /Karl Hammar
>
> ---
> Aspö Data
> Lilla Aspö 148
> S-742 94 Östhammar
> Sweden
> +46 173 140 57
>
>
>
Try updating to a new kernel.

I'm saying this because of the output of equery d  virtual/dev-manager on
my system:

 ~ $ equery d virtual/dev-manager
 * These packages depend on virtual/dev-manager:
sys-kernel/gentoo-sources-3.18.9 (virtual/dev-manager)
sys-kernel/gentoo-sources-3.18.12 (virtual/dev-manager)


~ $ equery l gentoo-sources
 * Searching for gentoo-sources ...
[I--] [??] sys-kernel/gentoo-sources-3.18.9:3.18.9
[I--] [??] sys-kernel/gentoo-sources-3.18.12:3.18.12
[I--] [??] sys-kernel/gentoo-sources-4.0.5:4.0.5
[IP-] [  ] sys-kernel/gentoo-sources-4.0.9:4.0.9
[IP-] [  ] sys-kernel/gentoo-sources-4.1.12:4.1.12

Best regards,
Francisco


Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Rich Freeman
On Mon, Jan 18, 2016 at 12:06 PM, Grant  wrote:
>
> I am 100% web-based.  I don't want to administrate machines outside of
> my LAN so I can imagine a Chromebook would end up vulnerable
> eventually.

The whole point of chromebooks is that they auto-update in a timely
fashion, and have a guaranteed end-of-life policy years into the
future.  Sure, not quite as far as Microsoft guarantees, but nobody
runs a Windows laptop for even the length of a typical Chromebook EOL.
The chromebook also has secure boot and a signed OS, so if it is
corrupted it will go into recovery mode.  You just stick a USB drive
with a rescue image on it (which you can create from any PC with a
chrome browser or an installer) and it fixes itself.  I don't think
you can even turn off auto-updates - they're designed to be
idiot-proof.  I'm not sure if as an enterprise administrator you can
set up a policy to force a reboot to update within n days or such if
it hasn't been shut down already after an update.

In any case, if you aren't going to own the client hardware, you
basically are going to have to assume it is vulnerable since nobody
maintains their PCs well.  That means keyboard sniffing, cookie
stealing, and so on.  If you're web-based a hostile browser could just
open another session in the background after the user authenticates
(2-factor or otherwise) and do whatever it wants to.  Granted, I don't
know if anything is out in the wild which actually does this, and it
would probably need to be somewhat targeted to work (unless somebody
has a rootkit that just lets them interactively fire up another
browser on a VNC display or something using the same browser session).

Sure, a Chromebook will cost you $150, but that seems like a token
expense for an employee and it buys you a LOT of security.  You can do
the same thing on another OS, but you're going to end up adding on a
lot of stuff on top of the OS to make it work, and I'm certain the
administrative overhead would be much higher.  A chromebook is
basically what you get if you take a linux desktop and lock everything
down with TPM support and secure boot - they're even based on Gentoo.
Sure, you can DIY, but you're not going to do better without the
hardware support.

> Someone mentioned 2-factor authentication which sounds interesting.
> Are there good options for that besides SMS and Google Authenticator
> (or a similar mobile app)?  Is there a good 2FA server in Portage?  Is
> 2FA ever defeated in real life without the user's phone?

Do you mean you don't want something that involves typing in a TOTP or
similar?  Google Authenticator just uses RFC 6238 so you can use any
other compliant client to generate the codes - I'm sure those exist
for Linux, but if you're going to do that you might as well just use
an RSA-based authentication since if you can steal the client key you
can steal the RFC6238 key.  The whole point of 2-factor is that the
second factor tends to be something that isn't on the same PC as the
client.

There is a PAM-based authenticator in portage for Google
Authenticator, which again should work with anything RFC 6238
compliant.  I use it for ssh password logins and it works great (well,
aside from having to reach for my phone anytime I log in via an
untrusted computer).

A much older option is s/key.  I'm sure that is still around as well,
but I don't think it really has any advantages over RFC6238.

-- 
Rich

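Rich's point that Google Authenticator is plain RFC 6238, and that whoever holds the shared secret can produce the codes, as an added example that is not code from the thread or from pam_google_authenticator: a minimal HOTP/TOTP implementation checked against the test vectors published in RFC 4226 and RFC 6238, plus the server-side check with a drift window and replay protection.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP (added example, not from the thread)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """TOTP is HOTP with the counter set to floor(unix_time / step).
    Google Authenticator's defaults are SHA-1, 30 s steps and 6 digits."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, digestmod)


def secret_from_base32(text):
    """Decode the base32 secret from an otpauth:// URI; padding is often omitted."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def verify(secret, code, for_time=None, step=30, digits=6, window=1,
           last_step=None):
    """Server-side check.  Accepts codes from `window` steps either side of now
    (clock drift) and returns the matching step, which the caller stores and
    passes back as last_step so an observed code cannot be replayed.
    Returns None when no candidate matches."""
    if for_time is None:
        for_time = time.time()
    now = int(for_time) // step
    for candidate in range(now - window, now + window + 1):
        if last_step is not None and candidate <= last_step:
            continue
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return candidate
    return None
```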


[gentoo-user] Re: update gentoo without network [SOLVED]

2016-01-18 Thread Raffaele BELARDI
Raffaele Belardi wrote:
> Raffaele Belardi wrote:
>> I have gentoo system A (~x86) on a network that does not allow portage
>> access to internet due to some authentication issue. System B (~amd64)
>> is on another network with no such restrictions.
>>
>> To bypass the restrictions I made a copy of A on a removable media,
>> chroot into it from B and 'emerge-webrsync; emerge --fetchonly' from
>> there. Then attach the media to A and overwrite /usr/portage with the
>> updated one from the removable media.
>>
>> This works but updating the chroot from B always re-downloads all the
>> packages since the first time I created the chroot, not only those from
>> the last update. I suppose portage maintains a database of the installed
>> packages that I need to copy back to the removable media after each
>> system A update, but where is it?
>
> I suppose the database I'm looking for is /var/db/pkg, right?
>

Just tested, it works:

1. cp -a /var/db/pkg from system A to removable media
2. chroot ; emerge-webrsync ; emerge --fetchonly -uDvN world
3. cp -a /usr/portage from removable media to system A
4. next week, goto 1

raffaele

Re: [gentoo-user] *dev-less gentoo

2016-01-18 Thread karl
Francisco Ares:
> 2016-01-18 15:15 GMT-02:00 :
> 
> > # emerge -auDN @system
> > ...
> > [ebuild  N ] virtual/dev-manager-0
> >
> > How can I get rid of dev-manager-0 from @system ?
...
> Try updating to a new kernel.
> 
> I'm saying this because of the output of equery d  virtual/dev-manager on
> my system:
> 
>  ~ $ equery d virtual/dev-manager
>  * These packages depend on virtual/dev-manager:
> sys-kernel/gentoo-sources-3.18.9 (virtual/dev-manager)
> sys-kernel/gentoo-sources-3.18.12 (virtual/dev-manager)

Not so here:

# equery d virtual/dev-manager
 * These packages depend on virtual/dev-manager:
#

///

What info is there on @system ?
I can change what's in @world, it seems to be the content of
/var/lib/portage/world. Is there a similar file for @system ?

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57





[gentoo-user] Re: update gentoo without network

2016-01-18 Thread Raffaele BELARDI
Raffaele Belardi wrote:
> I have gentoo system A (~x86) on a network that does not allow portage
> access to internet due to some authentication issue. System B (~amd64)
> is on another network with no such restrictions.
>
> To bypass the restrictions I made a copy of A on a removable media,
> chroot into it from B and 'emerge-webrsync; emerge --fetchonly' from
> there. Then attach the media to A and overwrite /usr/portage with the
> updated one from the removable media.
>
> This works but updating the chroot from B always re-downloads all the
> packages since the first time I created the chroot, not only those from
> the last update. I suppose portage maintains a database of the installed
> packages that I need to copy back to the removable media after each
> system A update, but where is it?

I suppose the database I'm looking for is /var/db/pkg, right?

raffaele

Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Rich Freeman
On Mon, Jan 18, 2016 at 1:44 AM, J. Roeleveld  wrote:
> On Monday, January 18, 2016 02:02:27 AM lee wrote:
>>
>> You would have a full VM for each user?
>
> Yes
>
>> That would be a huge waste of resources,
>
> Diskspace and CPU can easily be overcommitted.
>...
> The biggest reason why I don't use KVM is the lack of full snapshot
> functionality. Snapshotting disks is nice, but you end up with an unclean-
> shutdown situation and anything that's not yet committed to disk is gone.
>

Seems like on linux a straightforward design would be spinning up
containers on demand, with snapshots underneath.  Granted, somebody
still needs to build it, but spinning up a container per user isn't
much more resource-intensive than just running x2go with multiple
users in a single namespace which is how it works today.  It certainly
would be less wasteful than a full VM.  They also launch and shutdown
super-fast.

Of course, this is a linux-only solution (or BSD I believe).  You're
not going to be able to do this with OSX/Windows guests.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread J. Roeleveld
On Monday, January 18, 2016 06:07:33 AM Rich Freeman wrote:
> On Mon, Jan 18, 2016 at 1:44 AM, J. Roeleveld  wrote:
> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> You would have a full VM for each user?
> > 
> > Yes
> > 
> >> That would be a huge waste of resources,
> > 
> > Diskspace and CPU can easily be overcommitted.
> >
> >...
> >
> > The biggest reason why I don't use KVM is the lack of full snapshot
> > functionality. Snapshotting disks is nice, but you end up with an unclean-
> > shutdown situation and anything that's not yet committed to disk is gone.
> 
> Seems like on linux a straightforward design would be spinning up
> containers on demand, with snapshots underneath.  Granted, somebody
> still needs to build it, but spinning up a container per user isn't
> much more resource-intensive than just running x2go with multiple
> users in a single namespace which is how it works today.  It certainly
> would be less wasteful than a full VM.  They also launch and shutdown
> super-fast.
> 
> Of course, this is a linux-only solution (or BSD I believe).  You're
> not going to be able to do this with OSX/Windows guests.

A similar solution is generally done with VDI implementations as well.
Replace "container" with VM and you have the same.

--
Joost



[gentoo-user] OT:: GPU resource utilization

2016-01-18 Thread James
Hello::

Background::
Hadoop and Openstack are supported on Gentoo, probably the most noticeable 
of cluster code systems, and quite popular with most cloud vendors.

Future::
Apache-Mesos is rapidly gaining ground and may surpass both Hadoop and
Openstack in usability on Gentoo, during 2016. (hopefully). Recently, from
one of the mesos user forums::


Subject: Re: Share GPU resources via attributes or as custom resources
(INTERNAL)
There is a design proposal coming that will include guidance around using
GPUs and better GPU support in mesos, so stay tuned.


As Ben and we (Nvidia) working to introduce GPU as first class resource into
Mesos. By default there is no isolation. But there will be isolation module
for Nvidia GPU devices which can be linked at build time and provide
isolation for GPU tasks among GPU devices. Initially device level isolation
will be there assuming all tasks using same device libraries (hence no file
system isolation). Our initial proposal is not exposing details of GPU but
subsequently more detail of GPU resources like (topology, memory, core,
bandwidth etc.) will be exposed to do better job scheduling. As Ben
indicated very soon we will send out design proposal to community for comments.

Regards
Vikram
vdi...@nvidia.com


Very exciting news for the Mesos communities! Anyone interested in clusters,
containers or clouds on gentoo should keep an eye on the sys-cluster project
here at Gentoo. Contributions are also welcome.


enjoy,
James






Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Grant
>> Suppose you use a VPN connection.  How does the client (employee)
>> secure their own network and the machine they're using to work remotely
>> then?
>
> Poorly, most likely.  Your data is probably not nearly as important to
> them as their data is, and most people don't take great care of their
> own data.


This is the same mentality I have.


> As I mentioned in my other post, there might be some exceptions if
> you're dealing with highly-skilled IT security employees or something
> like that, but most people don't take nearly the level of care with
> their clients as you're probably going to want them to.


Generally my employees are not technically inclined.


> It sounds like Grant is concerned enough about his application to
> restrict logins to a specific IP (presumably it uses SSL and sign-ons
> as well).  If you care THAT much about where valid users can connect
> from, I don't see why you'd just let them VPN into your LAN running
> who-knows-what-rootkit on their workstations.
>
> If you're truly 100% web-based I'd just go the chromebook route.  If
> not, I'd issue laptops that you control with full-disk encryption, and
> you can then set them up however you need to.


I am 100% web-based.  I don't want to administrate machines outside of
my LAN so I can imagine a Chromebook would end up vulnerable
eventually.

Someone mentioned 2-factor authentication which sounds interesting.
Are there good options for that besides SMS and Google Authenticator
(or a similar mobile app)?  Is there a good 2FA server in Portage?  Is
2FA ever defeated in real life without the user's phone?

- Grant



Re: [gentoo-user] Shutdown through systemctl as a normal user

2016-01-18 Thread wabenbau
lukash  wrote:

> Hi all,
> 
> I'm reading on the internet that systemctl poweroff should work for
> normal user if he is the only one logged in, he is logged in locally
> and his session is active. I seem to be meeting these conditions:
> 
> # loginctl
>    SESSION        UID USER             SEAT
>          2       1000 lukash           seat0
> 
> $ loginctl show-session 2
> Id=2
> User=1000
> Name=lu
> Timestamp=Sat 2016-01-16 17:27:30 CET
> TimestampMonotonic=9614418
> VTNr=7
> Seat=seat0
> Display=:0
> Remote=no
> Service=lightdm
> Desktop=awesome
> Scope=session-2.scope
> Leader=529
> Audit=2
> Type=x11
> Class=user
> Active=yes
> State=active
> IdleHint=no
> IdleSinceHint=0
> IdleSinceHintMonotonic=0
> 
> But invoking the command gives me:
> 
> $ systemctl poweroff
> Failed to set wall message, ignoring: Access denied
> Failed to power off system via logind: Access denied
> Failed to start poweroff.target: Access denied
> 
> How is this supposed to work on Gentoo?
> 
> Thanks in advance,
> Lukas

IIRC "CONFIG_AUDIT" and "CONFIG_HAVE_ARCH_AUDITSYSCALL" must be set
in the kernel configuration. But as I don't use this method I cannot
say this for sure.

--
Regards
wabe



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread lee
"J. Roeleveld"  writes:

> On Monday, January 18, 2016 02:02:27 AM lee wrote:
>> "J. Roeleveld"  writes:
>> > On 17 January 2016 18:35:20 CET, Mick  wrote:
>> > 
>> > [...]
>> > 
>> >>I use the icaclient provided by Citrix to access my virtual desktop at
>> >>work,
>> >>but have never tried to set up something similar at home.  What
>> >>opensource
>> >>software would I need for this?  Is there a wiki somewhere to follow?
>> >>
>> > I'd love to do this myself as well.
>> > 
>> > Citrix sells the full package as 'XenDesktop'. To do it yourself you need
>> > a VMserver (Xen or similar) and a remote desktop tool that hooks into the
>> > VM display. (Spice or VNC)
>> > 
>> > Then you need some way of authenticating users and providing access to the
>> > client software. [...]
>> 
>> You would have a full VM for each user?
>
> Yes
>
>> That would be a huge waste of resources,
>
> Diskspace and CPU can easily be overcommitted.

Overcommitting disk space sounds like a very bad idea.  Overcommitting
memory is not possible with xen.

>> plus having to take care of a lot of VMs,
>
> Automated.

Like how?

>> plus having to buy  a lot of Windoze licenses
>
> Volume licensing takes care of that.

expensive

>> and taking about a week to install the updates
>> after installing a VM.
>
> Never heard of VM templates?

It still takes a week to put the updates onto the template.

>> Add to that that the xen host goes down at
>> random time intervals (because the sending queue of the network card
>> times out for reasons that cannot be determined) which can be as long as
>> a day, a week or even up to three weeks, and you are likely to become a
>> rather unhappy administrator.
>
> Sorry, but I consider that a bug in your hardware. If it's really that 
> unstable, replace it.
> I've been running Xen enabled servers for nearly 15 years. Never had issues 
> like that. If it were truly that unstable, it wouldn't be gaining popularity.

The hardware has already been replaced, and the problem persists.  Other
machines of identical hardware that don't run xen don't show any issues.

>> Try kvm instead, and you'll find that
>> it's impossible to migrate the VMs from xen to to kvm when you want to
>> use virtio drivers because you can't install them on an existing Windoze
>> VM.
>
> Not a problem with the virtualisation technology. It is an issue with driver 
> management inside MS Windows.
> There are ways to migrate VMs successfully, I just don't see the point in 
> wasting time for that.

It's time consuming when you have to reinstall the VMs to migrate them
to kvm.  And when you don't have the installers of all the software
that's on some of the VMs and can't get them, you either have to run
them without virtio drivers or you can't migrate them.

> The biggest reason why I don't use KVM is the lack of full snapshot 
> functionality. Snapshotting disks is nice, but you end up with an unclean-
> shutdown situation and anything that's not yet committed to disk is gone.

I'm not sure what you mean.  When you take a snapshot while the VM is not
shut down, what difference does it make whether you use xen or kvm?

>> Then there's the question how well vnc or spice connections work over a
>> VPN that goes over the internet.
>
> VNC works quite well, as long as you use a minimal desktop. (like blackbox).
> Don't expect KDE or Gnome to be usable.
> I haven't tried Spice yet, but I've read that it performs better.

It's not like you had a choice when you have Windoze VMs.

>> It's not like the employees could get
>> reliable internet connections with sufficient bandwidth, not to mention
>> that the company would have to get one in the first place, which isn't
>> much easier to get, if any.
>
> That depends on where you are.

In this country, you have to be really lucky to find a place where you
can get a decent internet connection.

> The company could host the servers in a decent datacentre, which should take 
> care of the bandwidth issues.

And give all their data out of hands?  And how much does that cost?

> For the employees, if they want to work from home, it's up to them to ensure 
> they have a reliable connection.

It is as much a problem of the company when they want the employees to
work at home.  And the employees don't have a choice, they can only get
a connection they can get.

>> It might work in theory.  How would it be feasible in practice?
>
> Plenty of companies do it this way. If you don't want to pay for software
> like XenDesktop, you need to do all the work setting it up yourself.

VNC is somewhat slow over a 1Gbit LAN.  Did they find some way to
overcome this problem?

This sounds like it is for people with unlimited resources.

BTW, access a VM through VNC, and you don't even have any way to make
the mouse pointer in the VNC window actually follow the mouse pointer
you're using, which makes it rather annoying to do anything in the VM
you're 

Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread lee
 writes:

> lee  wrote:
>
>> Rich Freeman  writes:
>> 
>> > On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
>> >> Suppose you use a VPN connection.  How does the client
>> >> (employee) secure their own network and the machine they're using
>> >> to work remotely then?
>> >
>> > Poorly, most likely.  Your data is probably not nearly as important
>> > to them as their data is, and most people don't take great care of
>> > their own data.
>> 
>> That's not what I meant to ask.  Assume you are an employee supposed
>> to work from home through a VPN connection:  How do you protect your
>> LAN?
>
> Depends on the VPN connection. If you use an OpenVPN client on your PC
> then it is sufficient to use a well configured firewall (ufw, iptables 
> or whatever) on this PC.

The PC would be connected to the LAN, even if only to have an internet
connection for the VPN.  I can only guess: Wouldn't that require putting
this PC behind a firewall that separates it from the LAN to protect the
LAN?

> If you use a VPN gateway then you could 
> configure this gateway (or a firewall behind) in a way that it blocks 
> incoming connections from the VPN tunnel. 

Hm.  I'd prefer to avoid having to run another machine as such a
firewall because electricity is way too expensive here.  And I don't
know if the gateway could be configured in such a way.

> IMHO there is no more risk to use a VPN connection than with any other
> Internet connection.

But it's a double connection, one to the internet, and another one to
another network, so you'd have to somehow manage to set up some sort of
double protection.  Setting up a VPN alone is more than difficult enough
already.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread lee
Rich Freeman  writes:

> On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
>> Rich Freeman  writes:
>>
>>> However, while an RDP-like solution protects you from some types of
>>> attacks, it still leaves you open to many client-side problems like
>>> keylogging.  I don't know any major corporation that lets people RDP
>>> into their applications in general.
>>
>> What do they use instead?
>>
>
> As I mentioned in my previous email - they just hand all their
> employees laptops.  Control the hardware, control the software,
> control the security...

I mean instead of rdp.  It's a simple solution which works really well
on a LAN with Windoze.  What's the equivalent that works with Linux?

I wouldn't try it over an internet connection, though, it requires too
much bandwidth.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Rich Freeman
On Mon, Jan 18, 2016 at 7:57 PM, lee  wrote:
> Rich Freeman  writes:
>> On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
>>> Rich Freeman  writes:
>>>
>>>> However, while an RDP-like solution protects you from some types of
>>>> attacks, it still leaves you open to many client-side problems like
>>>> keylogging.  I don't know any major corporation that lets people RDP
>>>> into their applications in general.
>>>
>>> What do they use instead?
>>>
>>
>> As I mentioned in my previous email - they just hand all their
>> employees laptops.  Control the hardware, control the software,
>> control the security...
>
> I mean instead of rdp.  It's a simple solution which works really well
> on a LAN with Windoze.  What's the equivalent that works with Linux?

Well, I've never been in a company that runs Linux on the desktop, or
which even provides VDIs for Windows.  The most common solution is to
provide windows laptops to users with various software packages for
management/security/etc.

The closest thing to RDP for Linux that I'm aware of is various
NX-based implementations, like x2go, which I've mentioned a few times.
It can be somewhat finicky.  And of course there is VNC, which is much
less efficient.  I don't think either really gets to the level of RDP
in general.

I do sometimes wonder how the #1 server OS in the world somehow lacks
decent facilities for graphical remote login, and for sharing files
across the network.  (For the latter NFS is a real pain to set up in a
remotely secure fashion - part of the problem is that it is hard to
use some kind of a UUID to drive file permissions, and kerberos/etc is
a pain to set up.  There is certainly nothing approaching the ease of
just setting a password on a share or connecting to a windows domain
(even a samba-driven one)).

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Rich Freeman
On Mon, Jan 18, 2016 at 9:45 PM, Alec Ten Harmsel
 wrote:
>
> All Joost is saying is that most resources can be overcommitted, since
> all the users will not be using all their resources at the same time.
>

Don't want to sound like a broken record, but this is precisely why
containers are so attractive.  You can set hard limits wherever you
want, but otherwise absolutely everything can be
over-committed/shared/etc to the degree you desire.  They're just
processes and namespaces and cgroups and so on.  You just have to be
willing to live with whatever kernel is running on the host.  Of
course, it isn't a solution for Windows, and there aren't any mature
VDI-oriented solutions I'm aware of.  However, running as non-root in
a container should be very secure so there is no reason it couldn't be
done.  I just spun up a new container yesterday to test out burp
(alas, ago beat me to the stablereq) and the server container is using
all of 54M total / 3M RSS (some of that because I like to run sshd and
so on inside).  I can afford to run a LOT of those.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Rich Freeman
On Mon, Jan 18, 2016 at 10:33 PM,   wrote:
>
> Sharing files can be done via SCP/SFTP. If a VPN connection is used,
> then even NFS or FTP are possibilities.

I have 100 computers.  I want a user on those 100 computers to be able
to share a file on their computer with just me.  On windows they just
right-click and pick sharing, search for my name on the domain, and
grant me permissions.  You're not going to get an experience anything
like that with scp or nfs or ftp.  Heck, nfs is almost completely
insecure in the way most people use it.

I don't just want to copy a file from point A to point B.  I want to
have a robust set of permissions and security and so on behind that.
If a user changes their password, that password gets them access to
everything they used to have access to, and none of those random
clients ever see the password.

Sure, you can do it on linux with lots of NFSv4 and kerberos and all
that.  But it is painful to set up and almost nobody actually seems to
do it as a result.  You can also do something like Bitlocker on linux,
but there isn't a single distro that supports it out of the box
because it uses a lot of features nobody has bothered to seriously
develop.  (Before somebody points out LUKS, be aware that Bitlocker
lets you do full-disk encryption that is secure without having to
actually type a decryption key at any point.  Remove the hard drive or
boot from a CD, and the disks are unreadable - you can only read them
if you boot off them on the original PC.)

It is just a bit frustrating to behold.  But, I'm getting what I'm
paying for, so...  :)

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread wabenbau
Rich Freeman  wrote:

> On Mon, Jan 18, 2016 at 10:33 PM,   wrote:
> >
> > Sharing files can be done via SCP/SFTP. If a VPN connection is used,
> > then even NFS or FTP are possibilities.
> 
> I have 100 computers.  I want a user on those 100 computers to be able
> to share a file on their computer with just me.  On windows they just
> right-click and pick sharing, search for my name on the domain, and
> grant me permissions.  You're not going to get an experience anything
> like that with scp or nfs or ftp.  Heck, nfs is almost completely
> insecure in the way most people use it.

I'm an absolute windows noob. I only use it for graphics work. I didn't
even know that such a kind of file sharing is possible with it. :-)
 
> I don't just want to copy a file from point A to point B.  I want to
> have a robust set of permissions and security and so on behind that.
> If a user changes their password, that password gets them access to
> everything they used to have access to, and none of those random
> clients ever see the password.
> 
> Sure, you can do it on linux with lots of NFSv4 and kerberos and all
> that.  But it is painful to set up and almost nobody actually seems to
> do it as a result.  You can also do something like Bitlocker on linux,
> but there isn't a single distro that supports it out of the box
> because it uses a lot of features nobody has bothered to seriously
> develop.  (Before somebody points out LUKS, be aware that Bitlocker
> lets you do full-disk encryption that is secure without having to
> actually type a decryption key at any point.  Remove the hard drive or
> boot from a CD, and the disks are unreadable - you can only read them
> if you boot off them on the original PC.)

I never thought about such operating ranges. But maybe these are some 
of the reasons why windows held 43% of the server OS market share in 
Q4/2013, according to an article that I read some months ago.

> It is just a bit frustrating to behold.  But, I'm getting what I'm
> paying for, so...  :)

That's right. I think that the effort and the outlay to implement all
these features into Linux is relatively high. It seems that no vendor
is willing to assume such a financial risk.

Maybe it is time for another crowdfunding campaign? ;-)

--
Regards
wabe



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread wabenbau
Rich Freeman  wrote:

> I do sometimes wonder how the #1 server OS in the world somehow lacks
> decent facilities for graphical remote login, and for sharing files
> across the network.  (For the latter NFS is a real pain to set up in a
> remotely secure fashion - part of the problem is that it is hard to
> use some kind of a UUID to drive file permissions, and kerberos/etc is
> a pain to set up.  There is certainly nothing approaching the ease of
> just setting a password on a share or connecting to a windows domain
> (even a samba-driven one)).

I think Linux is only #1 in the area of web services. For this you 
don't really need a graphical remote login. I think the main reason for 
the windows terminal server is that windows couldn't be configured via 
console login (SSH) in the same way as Linux could.

But of course it would be very nice to have a RDP like feature for 
Linux with the same efficiency as RDP under Windows. This would really 
expand the facilities of Linux as a desktop based server.

Sharing files can be done via SCP/SFTP. If a VPN connection is used, 
then even NFS or FTP are possibilities. For all of these connections 
you can also use graphical clients.

Just my two cents. I'm sure that you are already aware of this.

--
Regards
wabe



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread Alec Ten Harmsel
On Tue, Jan 19, 2016 at 01:46:45AM +0100, lee wrote:
> "J. Roeleveld"  writes:
> 
> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> "J. Roeleveld"  writes:
> >> > On 17 January 2016 18:35:20 CET, Mick  wrote:
> >> > 
> >> > [...]
> >> > 
> >> >>I use the icaclient provided by Citrix to access my virtual desktop at
> >> >>work,
> >> >>but have never tried to set up something similar at home.  What
> >> >>opensource
> >> >>software would I need for this?  Is there a wiki somewhere to follow?
> >> >>
> >> > I'd love to do this myself as well.
> >> > 
> >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you need
> >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into the
> >> > VM display. (Spice or VNC)
> >> > 
> >> > Then you need some way of authenticating users and providing access to 
> >> > the
> >> > client software. [...]
> >> 
> >> You would have a full VM for each user?
> >
> > Yes
> >
> >> That would be a huge waste of resources,
> >
> > Diskspace and CPU can easily be overcommitted.
> 
> Overcommitting disk space sounds like a very bad idea.  Overcommitting
> memory is not possible with xen.
> 

Depends on how the load is. Right now I have a 500GB HDD at work. I use
VirtualBox and vagrant for testing various software. Every VM in
VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
Add in all the other stuff on my system, which includes a 200GB dataset,
and the disk is overcommitted. Of course, none of the VirtualBox disks
use anywhere near 50GB.

All Joost is saying is that most resources can be overcommitted, since
all the users will not be using all their resources at the same time.

Alec



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread wabenbau
lee  wrote:

>  writes:
> 
> > lee  wrote:
> >
> >> Rich Freeman  writes:
> >> 
> >> > On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
> >> >> Suppose you use a VPN connection.  How does the client
> >> >> (employee) secure their own network and the machine they're
> >> >> using to work remotely then?
> >> >
> >> > Poorly, most likely.  Your data is probably not nearly as
> >> > important to them as their data is, and most people don't take
> >> > great care of their own data.
> >> 
> >> That's not what I meant to ask.  Assume you are an employee
> >> supposed to work from home through a VPN connection:  How do you
> >> protect your LAN?
> >
> > Depends on the VPN connection. If you use an OpenVPN client on your
> > PC then it is sufficient to use a well configured firewall (ufw,
> > iptables or whatever) on this PC.
> 
> The PC would be connected to the LAN, even if only to have an internet
> connection for the VPN.  I can only guess: Wouldn't that require
> putting this PC behind a firewall that separates it from the LAN to
> protect the LAN?

Of course a separate firewall is better than a firewall on the PC, 
because it may protect the LAN even when the PC is compromised. But 
if the PC is compromised and has access to the LAN through the 
separate firewall (which is mostly the case) then the protection is 
more or less porous (depending on the firewall rules).

If you don't have a separate firewall but only a firewall on the (not 
compromised) PC, then the LAN should be safe as long as you haven't
enabled IP forwarding on the PC and as long as the VPN is 
configured in a way that there is only a route to your PC and not
to the rest of your LAN. 

Even if you have enabled IP forwarding on the PC and even if the VPN 
has a route to the whole LAN, the LAN should nevertheless be safe 
when the firewall on the PC is configured to block all incoming 
connections. 

Of course the blocking of all incoming connections implies that the 
PC is acting as a client only.

> > If you use a VPN gateway then you could 
> > configure this gateway (or a firewall behind) in a way that it
> > blocks incoming connections from the VPN tunnel. 
> 
> Hm.  I'd prefer to avoid having to run another machine as such a
> firewall because electricity is way too expensive here.  And I don't
> know if the gateway could be configured in such a way.

All VPN gateways that I know of also have a built-in firewall. If your
gateway doesn't, then you should ask yourself what is more expensive:
a separate firewall or a hacked LAN?
But in this case I would prefer to use the PC as an OpenVPN client.

> > IMHO there is no more risk to use a VPN connection than with any
> > other Internet connection.
> 
> But it's a double connection, one to the internet, and another one to
> another network, so you'd have to somehow manage to set up some sort
> of double protection. 

See above.

> Setting up a VPN alone is more than difficult enough already.

This depends on the VPN that you (have to) use. If you set up the VPN 
on both sides then you probably can choose what kind of VPN you wanna 
use.

OpenVPN isn't really difficult to set up. If you don't wanna use PSK
but X509 authorization, then the most complicated thing is the creation
of the certs. But with the help of Google (or DuckDuckGo), this is 
quickly done. There is lots of information about setting up an OpenVPN 
connection.

--
Regards
wabe 
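The certificate step wabenbau mentions, as an added example that is not from anyone in the thread: a minimal X.509 PKI for an OpenVPN site built with plain openssl (easy-rsa automates the same thing). The CA name, the common names vpn-server and laptop-lee, the directory layout and the validity periods are assumptions; the point it demonstrates is that server and client certificates get different extendedKeyUsage values, which is what OpenVPN's `remote-cert-tls server` checks so that a leaked client certificate cannot impersonate the server.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds: ca.key/ca.crt, server.key/
# server.crt (EKU serverAuth) and client.key/client.crt (EKU clientAuth) in $1.
# All names and lifetimes below are assumptions for the example.
set -e

# Create a CA plus one server and one client certificate under $1.
make_openvpn_pki() {
    dir=$1
    mkdir -p "$dir"

    # openssl req wants a config even when -subj supplies the subject;
    # the v3_ca section is what makes the self-signed cert a real CA.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -config "$dir/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -days 3650 -subj "/CN=Home VPN CA (example)" 2>/dev/null

    # Server and client differ only in extendedKeyUsage. The client's
    # "remote-cert-tls server" option rejects a peer cert without serverAuth,
    # so one stolen laptop cert does not let an attacker pose as the office.
    issue_cert "$dir" server vpn-server serverAuth
    issue_cert "$dir" client laptop-lee clientAuth
}

# issue_cert DIR NAME COMMON-NAME EKU: CSR, then a CA-signed leaf cert.
issue_cert() {
    dir=$1; name=$2; cn=$3; eku=$4
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = %s\n' \
        "$eku" > "$dir/$name.ext"
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# verify_role DIR CERT PURPOSE: what the peer does at TLS time. Returns 0 only
# if CERT chains to our CA *and* is allowed for PURPOSE (sslserver|sslclient).
verify_role() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2" >/dev/null 2>&1
}

# Stand-alone usage: ./pki.sh /path/to/pki
if [ -n "${1:-}" ]; then
    make_openvpn_pki "$1"
    verify_role "$1" server.crt sslserver && echo "server.crt: ok as TLS server"
    verify_role "$1" client.crt sslclient && echo "client.crt: ok as TLS client"
fi
```

The keys are written unencrypted (`-nodes`) so the VPN daemon can start unattended; keep ca.key off the VPN server entirely, since it is only needed to issue new certificates.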



Re: [gentoo-user] Re: How to get rid of 32bits libraries

2016-01-18 Thread Dale
James wrote:
> Neil Bothwick writes:
>
>
>> emerge -evp world | grep 'ABI_X86="32'
> Hm. OK thanks for verification on the number.
>
> emerge -evp world | grep 'ABI_X86="32'| wc -l
> 279
>
> Same as::
>  EIX_LIMIT=0 eix -I --only-names | equery hasuse  abi_x86_32 | wc -l
> 279
>
>
> Anyway::
> Why so many?  The Profile? What are other getting for the number(s)
> of 32 bit libs? This thread has me curious. Some embedded systems
> may be desirable to upgrade to only 64 bit libs, besides other similar 
> installs.
>
>
> James
>
>

I have kde-meta installed here which pulls in a lot of packages plus
some other packages that I use.  I have 118 here.  The total number of
packages is just over 1300.  I recently switched to 13.0/desktop/plasma
profile. 

Maybe that will help shed some light on your situation.  Maybe it is a
setting or something.

Dale

:-)  :-) 




Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread J. Roeleveld
On Monday, January 18, 2016 09:45:28 PM Alec Ten Harmsel wrote:
> On Tue, Jan 19, 2016 at 01:46:45AM +0100, lee wrote:
> > "J. Roeleveld"  writes:
> > > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> > >> "J. Roeleveld"  writes:
> > >> > On 17 January 2016 18:35:20 CET, Mick 
> > >> > wrote:
> > >> > 
> > >> > [...]
> > >> > 
> > >> >>I use the icaclient provided by Citrix to access my virtual desktop
> > >> >>at
> > >> >>work,
> > >> >>but have never tried to set up something similar at home.  What
> > >> >>opensource
> > >> >>software would I need for this?  Is there a wiki somewhere to follow?
> > >> >>
> > >> > I'd love to do this myself as well.
> > >> > 
> > >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you
> > >> > need
> > >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into
> > >> > the
> > >> > VM display. (Spice or VNC)
> > >> > 
> > >> > Then you need some way of authenticating users and providing access
> > >> > to the
> > >> > client software. [...]
> > >> 
> > >> You would have a full VM for each user?
> > > 
> > > Yes
> > > 
> > >> That would be a huge waste of resources,
> > > 
> > > Diskspace and CPU can easily be overcommitted.
> > 
> > Overcommitting disk space sounds like a very bad idea.  Overcommitting
> > memory is not possible with xen.
> 
> Depends on how the load is. Right now I have a 500GB HDD at work. I use
> VirtualBox and vagrant for testing various software. Every VM in
> VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
> Add in all the other stuff on my system, which includes a 200GB dataset,
> and the disk is overcommitted. Of course, none of the VirtualBox disks
> use anywhere near 50GB.
> 
> All Joost is saying is that most resources can be overcommitted, since
> all the users will not be using all their resources at the same time.

If disk-space is considered too expensive, you could even have every VM use 
the same base image. And have them store only the differences of the disk.
eg:
1) Create a VM
2) Snapshot the disk (with the VM shutdown)
3) create a new VM based on the snapshot

Repeat 2 and 3 for as many clones as you want.

Most installs don't change that much when dealing with standardized desktops.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread J. Roeleveld
On Tuesday, January 19, 2016 01:46:45 AM lee wrote:
> "J. Roeleveld"  writes:
> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> "J. Roeleveld"  writes:
> >> > On 17 January 2016 18:35:20 CET, Mick 
> >> > wrote:
> >> > 
> >> > [...]
> >> > 
> >> >>I use the icaclient provided by Citrix to access my virtual desktop at
> >> >>work,
> >> >>but have never tried to set up something similar at home.  What
> >> >>opensource
> >> >>software would I need for this?  Is there a wiki somewhere to follow?
> >> >>
> >> > I'd love to do this myself as well.
> >> > 
> >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you
> >> > need
> >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into
> >> > the
> >> > VM display. (Spice or VNC)
> >> > 
> >> > Then you need some way of authenticating users and providing access to
> >> > the
> >> > client software. [...]
> >> 
> >> You would have a full VM for each user?
> > 
> > Yes
> > 
> >> That would be a huge waste of resources,
> > 
> > Diskspace and CPU can easily be overcommitted.
> 
> Overcommitting disk space sounds like a very bad idea.  Overcommitting
> memory is not possible with xen.

Overcommitting diskspace isn't such a bad idea, considering most installs 
never utilize all the available diskspace.
Overcommitting memory is, I think, on the roadmap for Xen. (Disclaimer: At 
least, I seem to remember reading that somewhere)

> >> plus having to take care of a lot of VMs,
> > 
> > Automated.
> 
> Like how?

How do you manage a large amount of physical machines?
Just change physical to VMs and do it the same.
With VMs you have more options for automation.

> >> plus having to buy  a lot of Windoze licenses
> > 
> > Volume licensing takes care of that.
> 
> expensive

Depends on the requirements. It's cheaper than a few hundred separate windows 
licenses.

> >> and taking about a week to install the updates
> >> after installing a VM.
> > 
> > Never heard of VM templates?
> 
> It still takes a week to put the updates onto the template.

Last time I had to fully reinstall a windows machine it took me a day to do 
all the updates. Microsoft even has server software that will keep them 
locally and push them to the clients.

> >> Add to that that the xen host goes down at
> >> random time intervals (because the sending queue of the network card
> >> times out for reasons that cannot be determined) which can be as long as
> >> a day, a week or even up to three weeks, and you are likely to become a
> >> rather unhappy administrator.
> > 
> > Sorry, but I consider that a bug in your hardware. If it's really that
> > unstable, replace it.
> > I've been running Xen enabled servers for nearly 15 years. Never had
> > issues
> > like that. If it were truly that unstable, it wouldn't be gaining
> > popularity.
> The hardware has already been replaced, and the problem persists.  Other
> machines of identical hardware that don't run xen don't show any issues.

I still say the hardware is buggy. With replacing, I meant replace it with 
different hardware, not a different version of the same buggy stuff.

> >> Try kvm instead, and you'll find that
> >> it's impossible to migrate the VMs from xen to kvm when you want to
> >> use virtio drivers because you can't install them on an existing Windoze
> >> VM.
> > 
> > Not a problem with the virtualisation technology. It is an issue with
> > driver management inside MS Windows.
> > There are ways to migrate VMs successfully, I just don't see the point in
> > wasting time for that.
> 
> It's time consuming when you have to reinstall the VMs to migrate them
> to kvm.  And when you don't have the installers of all the software
> that's on some of the VMs and can't get them, you either have to run
> them without virtio drivers or you can't migrate them.

There are Howtos on the internet describing how to migrate VMs from 1 
technology to another. Shouldn't be too hard.
And keeping the installers at hand is, in my opinion, a requirement of sane 
system management.
I have installers for all the versions of software I deal with.

> > The biggest reason why I don't use KVM is the lack of full snapshot
> > functionality. Snapshotting disks is nice, but you end up with an unclean-
> > shutdown situation and anything that's not yet committed to disk is gone.
> 
> I'm not sure what you mean.  When you take a snapshot while the VM is not
> shut down, what difference does it make whether you use xen or kvm?

A "snapshot" for KVM is ONLY the disks.
With Xen, VMWare and Virtualbox, I can also make a snapshot/copy of what's in 
memory. It's that which makes the difference.

> >> Then there's the question how well vnc or spice connections work over a
> >> VPN that goes over the internet.
> > 
> > VNC works quite well, as long as you use a minimal desktop. (like
> > blackbox). Don't expect KDE or Gnome to be usable.
> > I haven't tried Spice yet, 

Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread J. Roeleveld
On Monday, January 18, 2016 08:35:20 PM Rich Freeman wrote:
> On Mon, Jan 18, 2016 at 7:57 PM, lee  wrote:
> > Rich Freeman  writes:
> >> On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
> >>> Rich Freeman  writes:
> >>>> However, while an RDP-like solution protects you from some types of
> >>>> attacks, it still leaves you open to many client-side problems like
> >>>> keylogging.  I don't know any major corporation that lets people RDP
> >>>> into their applications in general.
> >>> 
> >>> What do they use instead?
> >> 
> >> As I mentioned in my previous email - they just hand all their
> >> employees laptops.  Control the hardware, control the software,
> >> control the security...
> > 
> > I mean instead of rdp.  It's a simple solution which works really well
> > on a LAN with Windoze.  What's the equivalent that works with Linux?
> 
> Well, I've never been in a company that runs Linux on the desktop, or
> which even provides VDIs for Windows.  The most common solution is to
> provide windows laptops to users with various software packages for
> management/security/etc.

VDIs are gaining ground in bigger companies as part of the BYOD push.
Especially using Citrix XenDesktop with the icaclient, this works really well.

> The closest thing to RDP for Linux that I'm aware of is various
> NX-based implementations, like x2go, which I've mentioned a few times.
> It can be somewhat finicky.  And of course there is VNC, which is much
> less efficient.  I don't think either really gets to the level of RDP
> in general.
> 
> I do sometimes wonder how the #1 server OS in the world somehow lacks
> decent facilities for graphical remote login, and for sharing files
> across the network.  (For the latter NFS is a real pain to set up in a
> remotely secure fashion - part of the problem is that it is hard to
> use some kind of a UUID to drive file permissions, and kerberos/etc is
> a pain to set up.  There is certainly nothing approaching the ease of
> just setting a password on a share or connecting to a windows domain
> (even a samba-driven one)).

I'd love to get something similar to RDP working on linux.
But I'm not sufficiently skilled to implement it all myself.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread J. Roeleveld
On Tuesday, January 19, 2016 01:57:38 AM lee wrote:
> Rich Freeman  writes:
> > On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
> >> Rich Freeman  writes:
> >>> However, while an RDP-like solution protects you from some types of
> >>> attacks, it still leaves you open to many client-side problems like
> >>> keylogging.  I don't know any major corporation that lets people RDP
> >>> into their applications in general.
> >> 
> >> What do they use instead?
> > 
> > As I mentioned in my previous email - they just hand all their
> > employees laptops.  Control the hardware, control the software,
> > control the security...
> 
> I mean instead of rdp.  It's a simple solution which works really well
> on a LAN with Windoze.  What's the equivalent that works with Linux?
> 
> I wouldn't try it over an internet connection, though, it requires too
> much bandwidth.

RDP works over an internet connection, even when running it through a VPN 
using a dodgy wifi link over a busy road and a slowish ADSL link.

VNC also, but only when reducing the quality of the display a lot.

Not tried other methods yet.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-18 Thread J. Roeleveld
On Tuesday, January 19, 2016 02:15:17 AM lee wrote:
>  writes:
> > lee  wrote:
> >> Rich Freeman  writes:
> >> > On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
> >> >> Suppose you use a VPN connection.  How does the client
> >> >> (employee) secure their own network and the machine they're using
> >> >> to work remotely then?
> >> > 
> >> > Poorly, most likely.  Your data is probably not nearly as important
> >> > to them as their data is, and most people don't take great care of
> >> > their own data.
> >> 
> >> That's not what I meant to ask.  Assume you are an employee supposed
> >> to work from home through a VPN connection:  How do you protect your
> >> LAN?
> > 
> > Depends on the VPN connection. If you use an OpenVPN client on your PC
> > then it is sufficient to use a well configured firewall (ufw, iptables
> > or whatever) on this PC.
> 
> The PC would be connected to the LAN, even if only to have an internet
> connection for the VPN.  I can only guess: Wouldn't that require putting
> this PC behind a firewall that separates it from the LAN to protect the
> LAN?
> 
> > If you use a VPN gateway then you could
> > configure this gateway (or a firewall behind) in a way that it blocks
> > incoming connections from the VPN tunnel.
> 
> Hm.  I'd prefer to avoid having to run another machine as such a
> firewall because electricity is way too expensive here.  And I don't
> know if the gateway could be configured in such a way.
> 
> > IMHO there is no more risk to use a VPN connection than with any other
> > Internet connection.
> 
> But it's a double connection, one to the internet, and another one to
> another network, so you'd have to somehow manage to set up some sort of
> double protection.  Setting up a VPN alone is more than difficult enough
> already.

Some of the companies I work with have the laptops set up so that when they are 
not connected to the office LAN, they will only talk to the company via a VPN 
link.
No network connectivity (apart from what's necessary for the VPN) will work 
until the VPN is set up.

Any ideas on how to do this using Linux without having to become root to set 
it up myself?
I like network manager for the ease of setting up WIFI links.

--
Joost
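
One way to get that behaviour on Linux, as an added example that is not from this thread: an nftables ruleset that fails closed, so nothing but DHCP and the VPN handshake itself can leave the machine until the tunnel is up. The VPN server address, port and tunnel interface name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an nftables ruleset that turns a laptop
# into "VPN only": with it loaded, the only cleartext traffic allowed is DHCP
# and the VPN handshake itself; everything else must go through the tunnel.
# All values below are assumptions to adjust: VPN server 203.0.113.10, UDP
# port 1194 (OpenVPN's default), tunnel interface tun0.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_IF="${VPN_IF:-tun0}"

# Print the ruleset. Apply once as root with `nft -f FILE` (e.g. from a boot
# service); afterwards NetworkManager can bring Wi-Fi up and down as a normal
# user without touching these rules, which is what the question asks for.
vpn_lockdown_rules() {
cat <<EOF
table inet vpnlock {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # DHCP offers/acks so the LAN or Wi-Fi link can get an address
    udp sport 67 udp dport 68 accept
    # No blanket accept on $VPN_IF: connections *initiated* from the office
    # side are dropped too (the LAN-protection concern raised above).
    # IPv6 neighbour discovery is not opened here; add icmpv6 rules if needed.
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    oifname "$VPN_IF" accept
    # DHCP requests
    udp sport 68 udp dport 67 accept
    # the only permitted cleartext destination: the VPN endpoint
    ip daddr $VPN_SERVER udp dport $VPN_PORT accept
  }
}
EOF
}

vpn_lockdown_rules
```

Pair this with a VPN that pushes a default route through the tunnel; until it does, non-office traffic is simply dropped, which is the intended fail-closed behaviour.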



Re: [gentoo-user] Shutdown through systemctl as a normal user

2016-01-18 Thread Willie Matthews
On Mon, 18 Jan 2016 23:31:39 +0100
lukash  wrote:

> On Mon, 2016-01-18 at 20:00 +0100, waben...@gmail.com wrote:
> > lukash  wrote:
> >   
> > > Hi all,
> > > 
> > > I'm reading on the internet that systemctl poweroff should work
> > > for normal user if he is the only one logged in, he is logged in
> > > locally
> > > and his session is active. I seem to be meeting these conditions:
> > > 
> > > # loginctl
> > > SESSION  UID USER   SEAT
> > >       2 1000 lukash seat0
> > > 
> > > $ loginctl show-session 2
> > > Id=2
> > > User=1000
> > > Name=lu
> > > Timestamp=Sat 2016-01-16 17:27:30 CET
> > > TimestampMonotonic=9614418
> > > VTNr=7
> > > Seat=seat0
> > > Display=:0
> > > Remote=no
> > > Service=lightdm
> > > Desktop=awesome
> > > Scope=session-2.scope
> > > Leader=529
> > > Audit=2
> > > Type=x11
> > > Class=user
> > > Active=yes
> > > State=active
> > > IdleHint=no
> > > IdleSinceHint=0
> > > IdleSinceHintMonotonic=0
> > > 
> > > But invoking the command gives me:
> > > 
> > > $ systemctl poweroff
> > > Failed to set wall message, ignoring: Access denied
> > > Failed to power off system via logind: Access denied
> > > Failed to start poweroff.target: Access denied
> > > 
> > > How is this supposed to work on Gentoo?
> > > 
> > > Thanks in advance,
> > > Lukas  
> > 
> > IIRC "CONFIG_AUDIT" and "CONFIG_HAVE_ARCH_AUDITSYSCALL" must be set
> > in the kernel configuration. But as I don't use this method I cannot
> > say this for sure.  
> 
> Thanks. But I've got those in my kernel already...
> 
> > --
> > Regards
> > wabe
> >   
> 

Try this: https://wiki.archlinux.org/index.php/allow_users_to_shutdown
I think you might be happy with it. I don't have systemd personally so
I don't have any experience with it. From what I read on the wiki,
this will be an easy fix.

Instead of using users in the "Users without sudo privileges" section, I
think you can also use groups without the hostname. All you would have
to do is make a group that you would like to be able to shutdown or
whatever with the computer.

-- 

Willie Matthews
matthews.willi...@gmail.com
(702) 659-9966
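
An added example, not from the thread or the wiki page: a small script that checks the logind conditions quoted above against `loginctl show-session` output, and prints a polkit rule that grants one group the power-off action for local, active sessions only. The group name and the rules-file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Arch wiki): check, from loginctl
# output, the conditions logind applies before letting an unprivileged user
# power off, and print a polkit rule that grants a group the action regardless.

# Does a `loginctl show-session N` dump (key=value lines on stdin) describe a
# local, active user session? Prints "ok", or the first failing key, and
# exits non-zero on failure.
session_is_local_active() {
    awk -F= '
        $1 == "Remote" { remote = $2 }
        $1 == "Active" { active = $2 }
        $1 == "Class"  { class = $2 }
        END {
            if (remote != "no")  { print "Remote=" remote; exit 1 }
            if (active != "yes") { print "Active=" active; exit 1 }
            if (class != "user") { print "Class=" class; exit 1 }
            print "ok"
        }'
}

# Constructed sample in the shape of the dump quoted in the thread.
SAMPLE_SESSION='Id=2
User=1000
Remote=no
Service=lightdm
Class=user
Active=yes
State=active'

# Polkit rule for group "power" (name assumed): only the single-session
# power-off and reboot actions (with a second user logged in, logind asks for
# the *-multiple-sessions actions, which stay at their default), and only from
# a local, active session, so an SSH login gains nothing. Install as root,
# e.g. as /etc/polkit-1/rules.d/10-power.rules (path assumed).
polkit_power_rule() {
cat <<'EOF'
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.login1.power-off" ||
         action.id == "org.freedesktop.login1.reboot") &&
        subject.isInGroup("power") && subject.local && subject.active) {
        return polkit.Result.YES;
    }
});
EOF
}

printf '%s\n' "$SAMPLE_SESSION" | session_is_local_active
```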




Re: [gentoo-user] Shutdown through systemctl as a normal user

2016-01-18 Thread lukash
On Mon, 2016-01-18 at 20:00 +0100, waben...@gmail.com wrote:
> lukash  wrote:
> 
> > Hi all,
> > 
> > I'm reading on the internet that systemctl poweroff should work for
> > normal user if he is the only one logged in, he is logged in
> > locally
> > and his session is active. I seem to be meeting these conditions:
> > 
> > # loginctl
> > SESSION  UID USER   SEAT
> >       2 1000 lukash seat0
> > 
> > $ loginctl show-session 2
> > Id=2
> > User=1000
> > Name=lu
> > Timestamp=Sat 2016-01-16 17:27:30 CET
> > TimestampMonotonic=9614418
> > VTNr=7
> > Seat=seat0
> > Display=:0
> > Remote=no
> > Service=lightdm
> > Desktop=awesome
> > Scope=session-2.scope
> > Leader=529
> > Audit=2
> > Type=x11
> > Class=user
> > Active=yes
> > State=active
> > IdleHint=no
> > IdleSinceHint=0
> > IdleSinceHintMonotonic=0
> > 
> > But invoking the command gives me:
> > 
> > $ systemctl poweroff
> > Failed to set wall message, ignoring: Access denied
> > Failed to power off system via logind: Access denied
> > Failed to start poweroff.target: Access denied
> > 
> > How is this supposed to work on Gentoo?
> > 
> > Thanks in advance,
> > Lukas
> 
> IIRC "CONFIG_AUDIT" and "CONFIG_HAVE_ARCH_AUDITSYSCALL" must be set
> in the kernel configuration. But as I don't use this method I cannot
> say this for sure.

Thanks. But I've got those in my kernel already...

> --
> Regards
> wabe
> 



Re: [gentoo-user] Re: *dev-less gentoo

2016-01-18 Thread Alan McKinnon
On 18/01/2016 23:05, k...@aspodata.se wrote:
> boxc...@gmx.net:
>> On Mon, 18 Jan 2016 19:48:58 +0100 (CET)
>> k...@aspodata.se wrote:
> ...
>>> What info is there on @system?
>>> I can change what's in @world, it seems to be the content of
>>> /var/lib/portage/world. Is there a similar file for @system?
>>
>> It's in /usr/portage/profiles/base/packages -- I think that will be
>> overwritten when profiles are updated, so I don't think it helps you.
> 
> Great, thanks. Would it work to have that in an overlay, ehh, something?
> 
>> Would putting virtual/dev-manager into packages.provided work to solve
>> your problem?  (I phrase it as a question because I've never used
>> packages.provided.)
> 
> No, then packages that actually need it would be fooled.
> I found a workaround in the sys-fs/static-dev package.


Let's be clear: static-dev is NOT a workaround. It is a full proper
solution for the case when a dynamic device node solution is not desired.

Of course it means you have to mknod every device you need yourself. But
you know that going in right?


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] Re: *dev-less gentoo

2016-01-18 Thread karl
Alan McKinnon:
> On 18/01/2016 23:05, k...@aspodata.se wrote:
...
> > I found a workaround in the sys-fs/static-dev package.
> Let's be clear: static-dev is NOT a workaround. It is a full proper
> solution for the case when a dynamic device node solution is not desired.

Ok, fine with me (the wording "dev-manager" got me off track).

> Of course it means you have to mknod every device you need yourself. But
> you know that going in right?

Yes (though I already have a /dev from before).

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57





Re: [gentoo-user] Python3.4 to python3.5 in ebuilds

2016-01-18 Thread Alec Ten Harmsel
Hi,

On Mon, Jan 18, 2016 at 04:07:03PM +0200, Stanislav Ch. Nikolov wrote:
> 
> It seems like 3.4 and 3.5 are 100% compatible, and most ebuilds
> involving python in some way tolerate them both:
> (any-of ( python_targets_python3_3 python_targets_python3_4 
> python_targets_python3_5))
>
> Yet there are some that are still unhappy with 3.5. This makes me
> really annoyed and I was wondering if it was possible to write a
> simple script to add python_targets_python3_5 where needed. Would this
> break anything, and if no, why can't the maintainers or some
> portage-tree admin do it?

It probably will not break a whole lot, but python 3.5 is still
relatively new and package maintainers are still catching up.

Alec



Re: [gentoo-user] *dev-less gentoo

2016-01-18 Thread karl
Karl Hammar:
> # emerge -auDN @system
> ...
> [ebuild  N ] virtual/dev-manager-0 
> 
> How can I get rid of dev-manager-0 from @system?

Ok, found workaround with sys-fs/static-dev.

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57





Re: [gentoo-user] Re: update gentoo without network [SOLVED]

2016-01-18 Thread Neil Bothwick
On Mon, 18 Jan 2016 19:39:50 +0100, Raffaele BELARDI wrote:

> Just tested, it works:
> 
> 1. cp -a /var/db/pkg from system A to removable media
> 2. chroot ; emerge-webrsync ; emerge --fetchonly -uDvN world
> 3. cp -a /usr/portage from removable media to system A
> 4. next week, goto 1

Interesting, that's worthy of an entry in the wiki for anyone else
looking to maintain a Gentoo system without Internet access. I would
suggest that you update portage within the chroot. What you are doing is
lying to portage about what is actually installed, that shouldn't be a
problem most of the time given what you are using it for, but different
versions of portage on the two systems may cause problems at some time in
the future.


-- 
Neil Bothwick

Windows Error:01F Reserved for future mistakes.




Re: [gentoo-user] Re: *dev-less gentoo

2016-01-18 Thread karl
boxc...@gmx.net:
> On Mon, 18 Jan 2016 19:48:58 +0100 (CET)
> k...@aspodata.se wrote:
...
> > What info is there on @system?
> > I can change what's in @world, it seems to be the content of
> > /var/lib/portage/world. Is there a similar file for @system?
> 
> It's in /usr/portage/profiles/base/packages -- I think that will be
> overwritten when profiles are updated, so I don't think it helps you.

Great, thanks. Would it work to have that in an overlay, ehh, something?

> Would putting virtual/dev-manager into packages.provided work to solve
> your problem?  (I phrase it as a question because I've never used
> packages.provided.)

No, then packages that actually need it would be fooled.
I found a workaround in the sys-fs/static-dev package.

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57





[gentoo-user] Re: *dev-less gentoo

2016-01-18 Thread »Q«
On Mon, 18 Jan 2016 19:48:58 +0100 (CET)
k...@aspodata.se wrote:

> Francisco Ares:
> > 2016-01-18 15:15 GMT-02:00 :
> >   
> > > # emerge -auDN @system
> > > ...
> > > [ebuild  N ] virtual/dev-manager-0
> > >
> > > How can I get rid of dev-manager-0 from @system?  
> ...
> > Try updating to a new kernel.
> > 
> > I'm saying this because of the output of equery d
> > virtual/dev-manager on my system:
> > 
> >  ~ $ equery d virtual/dev-manager
> >  * These packages depend on virtual/dev-manager:
> > sys-kernel/gentoo-sources-3.18.9 (virtual/dev-manager)
> > sys-kernel/gentoo-sources-3.18.12 (virtual/dev-manager)  
> 
> Not so here:
> 
> # equery d virtual/dev-manager
>  * These packages depend on virtual/dev-manager:
> #
> 
> ///
> 
> What info is there on @system?
> I can change what's in @world, it seems to be the content of
> /var/lib/portage/world. Is there a similar file for @system?

It's in /usr/portage/profiles/base/packages -- I think that will be
overwritten when profiles are updated, so I don't think it helps you.

Would putting virtual/dev-manager into packages.provided work to solve
your problem?  (I phrase it as a question because I've never used
packages.provided.)