Re: [gentoo-user] Re: update gentoo without network
On Mon, 18 Jan 2016 15:28:27 +0100, Raffaele BELARDI wrote:

> > Download the latest portage snapshot on B
> > Unpack it on A
> > Run emerge -ufp @world on A and capture the output
> > Use that on B to download the files
> > Copy them back to A and emerge -u @world
> >
> > That avoids the use of a chroot altogether but involves two round
> > trips across the sneakernet. You could possibly save some of that by
> > transferring the portage snapshot and download list as email
> > attachments, assuming A has email.
>
> Yes, I used that procedure in the past but it requires more human
> effort so I'd prefer the chroot approach; also I found that sometimes
> the list of files downloaded by system B was not complete and I had to
> further iterate the procedure. At the time I assumed it was due to the
> two systems being based on different architectures (~amd64 and ~x86),
> but did not really spend much time investigating.

The architecture is irrelevant, the fetching machine doesn't have to run
Gentoo, or even Linux; you are simply giving it a list of URLs to fetch.

The output from emerge -f gives multiple URLs for each file. Instead of
taking only the first one, which may be the cause of the failures, there
is an option to wget to not download duplicates, so you can pass it the
full list and it keeps trying until it succeeds.

As for the effort, you could automate part of the process with cron and
procmail scripts. Your current approach also requires more effort than
you are currently giving it, that's why it doesn't work :(

--
Neil Bothwick

Actually, Microsoft is sort of a mixture between the Borg and the Ferengi.
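The two-trip procedure discussed above, as an added example that is not part of the thread: a Python helper for the networked side B. It takes the captured `emerge -ufp @world` output from A (one distfile per line, all mirror URLs for that file on the same line), drops files that already came back from A, builds the `wget -nc` command line Neil describes, and checks what was fetched against the SHA512 in the tree's Manifest before it goes back on the sneakernet, so a mirror that served a corrupt or substituted tarball is caught while B can still re-fetch. Hostnames, tarball names and Manifest lines in the sample data are constructed, and `demo()` is a stand-in for actually running wget.

```python
"""Helpers for the networked side (B) of the sneakernet update.

Added example, not code from the thread.  Input is the captured output of
`emerge -ufp @world` run on the air-gapped machine A.  Portage repeats the
Manifest check on A at emerge time; doing it on B as well just fails
earlier, while the machine that can re-fetch is still online.
"""
import hashlib
import os
from urllib.parse import urlsplit

# Constructed sample data (hosts and tarballs are made up, not real mirrors).
GOOD_CONTENT = b"pretend this is foo-1.0.tar.gz\n"
GOOD_SHA512 = hashlib.sha512(GOOD_CONTENT).hexdigest()

SAMPLE_FETCH_LIST = """
These are the packages that would be fetched, in order:

http://distfiles.example/foo-1.0.tar.gz http://mirror.example/distfiles/foo-1.0.tar.gz
http://distfiles.example/bar-2.0.tar.gz ftp://mirror.example/distfiles/bar-2.0.tar.gz
"""

SAMPLE_MANIFEST = f"""
DIST foo-1.0.tar.gz {len(GOOD_CONTENT)} BLAKE2B 00 SHA512 {GOOD_SHA512}
DIST bar-2.0.tar.gz 4 BLAKE2B 00 SHA512 {'0' * 128}
"""


def parse_fetch_list(text):
    """Map distfile basename -> list of mirror URLs from `emerge -ufp` output.

    Lines that are not pure URL lists (the banner, blank lines) are skipped.
    """
    files = {}
    for line in text.splitlines():
        words = line.split()
        urls = [w for w in words if w.startswith(("http://", "https://", "ftp://"))]
        if not urls or len(urls) != len(words):
            continue
        files[os.path.basename(urlsplit(urls[0]).path)] = urls
    return files


def missing_files(fetch_list, distdir):
    """Entries whose distfile is not already in distdir (what wget -nc would skip)."""
    return {n: u for n, u in fetch_list.items()
            if not os.path.exists(os.path.join(distdir, n))}


def wget_command(urls, distdir):
    """wget tries each URL in turn; -nc skips the rest once the file exists."""
    return ["wget", "-nc", "-P", distdir, *urls]


def parse_manifest_dist(text):
    """Map distfile name -> (size, sha512 hex) from the DIST lines of a Manifest."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "DIST":
            continue
        hashes = dict(zip(parts[3::2], parts[4::2]))   # BLAKE2B x SHA512 y ...
        if "SHA512" in hashes:
            out[parts[1]] = (int(parts[2]), hashes["SHA512"].lower())
    return out


def verify_distfiles(distdir, manifest):
    """Return (ok, bad) name lists for files in distdir that the Manifest knows."""
    ok, bad = [], []
    for name, (size, digest) in manifest.items():
        path = os.path.join(distdir, name)
        if not os.path.exists(path):
            continue
        if os.path.getsize(path) != size:      # cheap check before hashing
            bad.append(name)
            continue
        h = hashlib.sha512()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        (ok if h.hexdigest() == digest else bad).append(name)
    return ok, bad


def demo(root):
    """Lay out a constructed DISTDIR under root and run both checks.

    foo came back from A on an earlier trip; bar is "fetched" now, but the
    mirror served the wrong bytes, which the Manifest check catches on B.
    """
    distdir = os.path.join(root, "distfiles")
    os.makedirs(distdir, exist_ok=True)
    with open(os.path.join(distdir, "foo-1.0.tar.gz"), "wb") as f:
        f.write(GOOD_CONTENT)
    need = missing_files(parse_fetch_list(SAMPLE_FETCH_LIST), distdir)
    for name in need:                 # stand-in for running wget_command(need[name], distdir)
        with open(os.path.join(distdir, name), "wb") as f:
            f.write(b"junk")
    ok, bad = verify_distfiles(distdir, parse_manifest_dist(SAMPLE_MANIFEST))
    return sorted(need), sorted(ok), sorted(bad)


if __name__ == "__main__":
    import tempfile
    print(demo(tempfile.mkdtemp()))
```

Because every URL of a line is handed to one wget invocation with `-nc`, a file that the first mirror delivered is not fetched again from the second, and a mirror that fails is simply followed by the next one; that is the behaviour the message above recommends over taking only the first URL.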
Re: [gentoo-user] Re: update gentoo without network
On Mon, 18 Jan 2016 15:05:35 +0100, Raffaele BELARDI wrote:

> > On Mon, 18 Jan 2016 12:38:13 +0100, Raffaele BELARDI wrote:
> >
> >> I suppose the database I'm looking for is /var/db/pkg, right?
> >
> > /var/lib/portage/world - this needs to be in sync in the two
> > environments.
>
> Ok but that's a 'static' snapshot of the packages; I also need to
> update in the chroot the list of currently installed packages and their
> versions and that's in /var/db/pkg, I think. I'll test it this evening.

Yes, you do.

> > Are the two computers networked together? If so, you could run
> > http_replicator on B and it would download the packages for A.
>
> No, the computers are on completely separated networks. The only way to
> bypass the security policy on one of the two networks is through
> removable media ;-)

I used a similar, but networked, approach to build packages for slow
machines in containers on a faster computer. Because I was building in
the container, not just downloading, I didn't have to worry about the
package database, I just synced /var/lib/portage/world* and /etc/portage
(excluding make.conf) and used a shared $PKG_DIR.

If you don't mind a two step approach, you could

Download the latest portage snapshot on B
Unpack it on A
Run emerge -ufp @world on A and capture the output
Use that on B to download the files
Copy them back to A and emerge -u @world

That avoids the use of a chroot altogether but involves two round trips
across the sneakernet. You could possibly save some of that by
transferring the portage snapshot and download list as email attachments,
assuming A has email.

--
Neil Bothwick

Time for a diet! -- [NO FLABBIER].
Re: [gentoo-user] Re: update gentoo without network
Neil Bothwick wrote:
> On Mon, 18 Jan 2016 15:05:35 +0100, Raffaele BELARDI wrote:
>
> If you don't mind a two step approach, you could
>
> Download the latest portage snapshot on B
> Unpack it on A
> Run emerge -ufp @world on A and capture the output
> Use that on B to download the files
> Copy them back to A and emerge -u @world
>
> That avoids the use of a chroot altogether but involves two round trips
> across the sneakernet. You could possibly save some of that by
> transferring the portage snapshot and download list as email attachments,
> assuming A has email.
>

Yes, I used that procedure in the past but it requires more human effort
so I'd prefer the chroot approach; also I found that sometimes the list of
files downloaded by system B was not complete and I had to further iterate
the procedure. At the time I assumed it was due to the two systems being
based on different architectures (~amd64 and ~x86), but did not really
spend much time investigating.

raffaele
Re: [gentoo-user] Re: update gentoo without network
On Mon, 18 Jan 2016 12:38:13 +0100, Raffaele BELARDI wrote:

> > I have gentoo system A (~x86) on a network that does not allow portage
> > access to internet due to some authentication issue. System B (~amd64)
> > is on another network with no such restrictions.
> >
> > To bypass the restrictions I made a copy of A on a removable media,
> > chroot into it from B and 'emerge-webrsync; emerge --fetchonly' from
> > there. Then attach the media to A and overwrite /usr/portage with the
> > updated one from the removable media.
> >
> > This works but updating the chroot from B always re-downloads all the
> > packages since the first time I created the chroot, not only those
> > from the last update. I suppose portage maintains a database of the
> > installed packages that I need to copy back to the removable media
> > after each system A update, but where is it?
>
> I suppose the database I'm looking for is /var/db/pkg, right?

/var/lib/portage/world - this needs to be in sync in the two environments.

Are the two computers networked together? If so, you could run
http_replicator on B and it would download the packages for A.

--
Neil Bothwick

OK Scotty, NOW! Detonate and energize! I mean...
Re: [gentoo-user] Re: update gentoo without network
Neil Bothwick wrote:
> On Mon, 18 Jan 2016 12:38:13 +0100, Raffaele BELARDI wrote:
>
>> I suppose the database I'm looking for is /var/db/pkg, right?
>
> /var/lib/portage/world - this needs to be in sync in the two environments.
>

Ok but that's a 'static' snapshot of the packages; I also need to update
in the chroot the list of currently installed packages and their versions
and that's in /var/db/pkg, I think. I'll test it this evening.

> Are the two computers networked together? If so, you could run
> http_replicator on B and it would download the packages for A.

No, the computers are on completely separated networks. The only way to
bypass the security policy on one of the two networks is through
removable media ;-)

raffaele
[gentoo-user] Python3.4 to python3.5 in ebuilds
It seems like 3.4 and 3.5 are 100% compatible, and most ebuilds involving
python in some way tolerate them both (any-of ( python_targets_python3_3
python_targets_python3_4 python_targets_python3_5 )). Yet there are some
that are still unhappy with 3.5. This makes me really annoyed and I was
wondering if it was possible to write a simple script to add
python_targets_python3_5 where needed. Would this break anything, and if
no, why can't the maintainers or some portage-tree admin do it?

Of course there might be some other barrier to adopting 3.5 that I can't
understand, so please explain it to me.
Re: [gentoo-user] Re: How to get rid of 32bits libraries
Thanks Nikos, thanks Neil.

With your help I've managed to get rid of all 32-bit libraries.

I'm still unsure what to do for the "second step".

If possible, I'd like to install any packages with abi_x86_32 which are
required for dev-util/android-sdk-update-manager and app-text/acroread
with a different PREFIX, such as /usr/local.
Is that possible?

Many thanks,
Helmut
[gentoo-user] Re: How to get rid of 32bits libraries
Neil Bothwick digimed.co.uk> writes:

> emerge -evp world | grep 'ABI_X86="32'

Hm. OK thanks for verification on the number.

emerge -evp world | grep 'ABI_X86="32' | wc -l
279

Same as::

EIX_LIMIT=0 eix -I --only-names | equery hasuse abi_x86_32 | wc -l
279

Anyway::

Why so many? The Profile? What are others getting for the number(s) of
32 bit libs? This thread has me curious. Some embedded systems may be
desirable to upgrade to only 64 bit libs, besides other similar installs.

James
Re: [gentoo-user] Re: How to get rid of 32bits libraries
On 18/01/2016 15:31, Helmut Jarausch wrote:
> Thanks Nikos, thanks Neil.
>
> With your help I've managed to get rid of all 32-bit libraries.
>
> I'm still unsure what to do for the "second step".
>
> If possible, I'd like to install any packages with abi_x86_32 which are
> required for dev-util/android-sdk-update-manager and app-text/acroread
> with a different PREFIX, such as /usr/local .
> Is that possible?

What is your rationale for wanting to do that?

acroread and android-sdk-update-manager need 32 bit libs. Portage will
create them for you quite happily and they have to go somewhere. Why do
you want them in a different PREFIX? If it's strict separation you are
after, is /lib32 and /usr/lib32 not separate enough for you?

It seems odd to me to take libs that the package manager is very efficient
at creating, and put them in /usr/local - the one area that package
managers by convention never touch.

I can't grok what you are trying to accomplish.

--
Alan McKinnon
alan.mckin...@gmail.com
Re: [gentoo-user] Re: How to get rid of 32bits libraries
Neil Bothwick wrote:
> On Mon, 18 Jan 2016 09:12:23 +, Neil Bothwick wrote:
>
>> equery hasuse checks which packages respect the given USE flag, it pays
>> no attention to whether it is actually set. Try
>>
>> emerge -evp world | grep 'ABI_X86=32'
>
> Sorry, that should be
>
> emerge -evp world | grep 'ABI_X86="32'
>

Yep. That one works better. I have a lot of those too. I wouldn't mind
getting away from the 32 bit stuff myself but it may be too early yet.
Maybe later. At least I know I have a lot of them now tho. ;-)

Dale

:-) :-)
[gentoo-user] Handbook instructions for UEFI
First attempt at a GPT/UEFI install. Instructions in the Handbook say that
for a UEFI system, prepare the disk as;

Partition   Filesystem       Size   Description
/dev/sda1   (bootloader)     2M     BIOS boot partition
/dev/sda2   ext2 (or vfat)   128M   Boot partition

to end up with;

(parted) print
Model: Virtio Block Device (virtblk)
Disk /dev/sda: 20480MiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start    End      Size     File system  Name  Flags
 1      1.00MiB  3.00MiB  2.00MiB               grub  bios_grub
 2      3.00MiB  131MiB   128MiB                boot  boot

And later in the bootloader instructions it says;

# grub2-install --target=x86_64-efi --efi-directory=/boot

then;

Note: Modify the efi-directory setting to the root of the vfat EFI System
Partition. This necessary if the /boot partition was not formatting [sic]
as vfat.

Does it look like they intend that /dev/sda1 is the EFI system partition?
If so, should /dev/sda1 be mounted at /boot/efi, and the --efi-directory
set to /boot/efi...
Re: [gentoo-user] Re: How to get rid of 32bits libraries
On Mon, 18 Jan 2016 06:04:27 + (UTC), James wrote:

> OK, so I run::
> EIX_LIMIT=0 eix -I --only-names | equery hasuse abi_x86_32 | wc -l
>
> and get '279'. Maybe I missed something on how to determine the packages
> installed that have 'abi_x86_32' set ?

equery hasuse checks which packages respect the given USE flag, it pays
no attention to whether it is actually set. Try

emerge -evp world | grep 'ABI_X86=32'

--
Neil Bothwick

Yes, I've heard of "decaf." What's your point?
Re: [gentoo-user] Handbook instructions for UEFI
On Mon, 18 Jan 2016 20:13:25 +1100, Adam Carter wrote:

> First attempt at a GPT/UEFI install. Instructions in the Handbook say
> that for a UEFI system, prepare the disk as;
> Partition Filesystem Size Description
> /dev/sda1 (bootloader) 2M BIOS boot partition
> /dev/sda2 ext2 (or vfat) 128M Boot partition
>

The BIOS boot partition is needed when using GPT *without* UEFI. For EFI,
the first partition should be the ESP, formatted using FAT. You can also
use this as /boot, and have to if you aren't using GRUB. For example, this
laptop has

% sudo gdisk -l /dev/sda
GPT fdisk (gdisk) version 1.0.1

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.
Disk /dev/sda: 500118192 sectors, 238.5 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 26850F58-B4C1-48A7-BE0A-715BB53DDD0B
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 500118158
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size        Code  Name
   1            2048         2099199   1024.0 MiB  EF00  EFI System
   2         2099200       483340287   229.5 GiB   8300  Linux filesystem
   3       483340288       500118158   8.0 GiB     8200  Linux swap

--
Neil Bothwick

Help a man when he is in trouble and he will remember you when he is in
trouble again
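The distinction Neil draws between a BIOS boot partition and an EFI System Partition, as an added example that is not from the thread: a small Python checker that parses a `gdisk -l` listing and says whether UEFI firmware has anything to boot from. The laptop listing above is reproduced as constructed input, next to the Handbook table from the question rendered the way gdisk would show it (also constructed). Type code EF00 is the ESP GUID, EF02 the BIOS boot partition; `grub_install_command` is an illustrative helper that only builds the Handbook's command line for whatever mount point the ESP ends up on. Nothing here touches a device.

```python
"""Check a gdisk listing for a UEFI-bootable GPT layout.

Added example, not from the thread.  Parses the text of `gdisk -l` and
reports whether the disk has an EFI System Partition (type code EF00),
which UEFI firmware needs, or only a BIOS boot partition (EF02), which
GRUB needs for GPT *without* UEFI.  Nothing is written to any device.
"""
import re

# One gdisk partition row: number, start, end, size, unit, code, name.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([KMGT]iB)\s+([0-9A-F]{4})\s+(.*)$")

# The laptop listing from the message above (constructed copy of the rows).
LAPTOP_UEFI = """\
Disk /dev/sda: 500118192 sectors, 238.5 GiB
Logical sector size: 512 bytes
Number  Start (sector)    End (sector)  Size        Code  Name
   1            2048         2099199   1024.0 MiB  EF00  EFI System
   2         2099200       483340287   229.5 GiB   8300  Linux filesystem
   3       483340288       500118158   8.0 GiB     8200  Linux swap
"""

# The Handbook table from the question, as gdisk would show it (constructed).
HANDBOOK_BIOS = """\
Disk /dev/sda: 41943040 sectors, 20.0 GiB
Logical sector size: 512 bytes
Number  Start (sector)    End (sector)  Size        Code  Name
   1            2048            6143   2.0 MiB     EF02  grub
   2            6144          268287   128.0 MiB   8300  boot
"""


def parse_gdisk(text):
    """Return one dict per partition row of a `gdisk -l` listing."""
    parts = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            num, start, end, size, unit, code, name = m.groups()
            parts.append({"num": int(num), "start": int(start), "end": int(end),
                          "size": f"{size} {unit}", "code": code, "name": name.strip()})
    return parts


def check_uefi_layout(parts):
    """Return (bootable_by_uefi, findings)."""
    esp = [p for p in parts if p["code"] == "EF00"]
    bios_boot = [p for p in parts if p["code"] == "EF02"]
    findings = []
    if not esp:
        findings.append("no EFI System Partition (EF00): UEFI firmware has nothing to load")
    else:
        p = esp[0]
        findings.append(f"ESP is partition {p['num']} ({p['size']}); mount it and point "
                        "--efi-directory at that mount point")
        if p["num"] != 1:
            findings.append("ESP is not the first partition; that works, but is unusual")
    if bios_boot:
        findings.append("BIOS boot partition present: only needed for GRUB on GPT "
                        "without UEFI, harmless otherwise")
    return bool(esp), findings


def grub_install_command(esp_mountpoint):
    """The Handbook's command with --efi-directory set to where the ESP is mounted."""
    return ["grub2-install", "--target=x86_64-efi", f"--efi-directory={esp_mountpoint}"]


if __name__ == "__main__":
    for label, listing in (("laptop", LAPTOP_UEFI), ("handbook", HANDBOOK_BIOS)):
        ok, notes = check_uefi_layout(parse_gdisk(listing))
        print(label, "UEFI-bootable" if ok else "NOT UEFI-bootable", *notes, sep="\n  ")
```

Run against the Handbook layout it reports no ESP at all, which is the answer to the question in the previous message: /dev/sda1 there is a bios_grub partition, not an EFI System Partition, and grub2-install with --target=x86_64-efi has nowhere to put the EFI binary until a FAT-formatted EF00 partition exists and is mounted.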
Re: [gentoo-user] Re: How to get rid of 32bits libraries
On Mon, 18 Jan 2016 09:12:23 +, Neil Bothwick wrote:

> equery hasuse checks which packages respect the given USE flag, it pays
> no attention to whether it is actually set. Try
>
> emerge -evp world | grep 'ABI_X86=32'

Sorry, that should be

emerge -evp world | grep 'ABI_X86="32'

--
Neil Bothwick

Anything worth fighting for is worth fighting dirty for.
[gentoo-user] *dev-less gentoo
# emerge -auDN @system
...
[ebuild  N    ] virtual/dev-manager-0

How can I get rid of dev-manager-0 from @system ?

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57
Re: [gentoo-user] *dev-less gentoo
2016-01-18 15:15 GMT-02:00:

> # emerge -auDN @system
> ...
> [ebuild  N    ] virtual/dev-manager-0
>
> How can I get rid of dev-manager-0 from @system ?
>
> Regards,
> /Karl Hammar
>
> ---
> Aspö Data
> Lilla Aspö 148
> S-742 94 Östhammar
> Sweden
> +46 173 140 57
>

Try updating to a new kernel.

I'm saying this because of the output of equery d virtual/dev-manager on
my system:

~ $ equery d virtual/dev-manager
 * These packages depend on virtual/dev-manager:
sys-kernel/gentoo-sources-3.18.9 (virtual/dev-manager)
sys-kernel/gentoo-sources-3.18.12 (virtual/dev-manager)

~ $ equery l gentoo-sources
 * Searching for gentoo-sources ...
[I--] [??] sys-kernel/gentoo-sources-3.18.9:3.18.9
[I--] [??] sys-kernel/gentoo-sources-3.18.12:3.18.12
[I--] [??] sys-kernel/gentoo-sources-4.0.5:4.0.5
[IP-] [  ] sys-kernel/gentoo-sources-4.0.9:4.0.9
[IP-] [  ] sys-kernel/gentoo-sources-4.1.12:4.1.12

Best regards,
Francisco
Re: [gentoo-user] {OT} Allow work from home?
On Mon, Jan 18, 2016 at 12:06 PM, Grant wrote:
>
> I am 100% web-based. I don't want to administrate machines outside of
> my LAN so I can imagine a Chromebook would end up vulnerable
> eventually.

The whole point of chromebooks is that they auto-update in a timely
fashion, and have a guaranteed end-of-life policy years into the future.
Sure, not quite as far as Microsoft guarantees, but nobody runs a Windows
laptop for even the length of a typical Chromebook EOL. The chromebook
also has secure boot and a signed OS, so if it is corrupted it will go
into recovery mode. You just stick a USB drive with a rescue image on it
(which you can create from any PC with a chrome browser or an installer)
and it fixes itself. I don't think you can even turn off auto-updates -
they're designed to be idiot-proof. I'm not sure if as an enterprise
administrator you can set up a policy to force a reboot to update within
n days or such if it hasn't been shut down already after an update.

In any case, if you aren't going to own the client hardware, you
basically are going to have to assume it is vulnerable since nobody
maintains their PCs well. That means keyboard sniffing, cookie stealing,
and so on. If you're web-based a hostile browser could just open another
session in the background after the user authenticates (2-factor or
otherwise) and do whatever it wants to. Granted, I don't know if anything
is out in the wild which actually does this, and it would probably need
to be somewhat targeted to work (unless somebody has a rootkit that just
lets them interactively fire up another browser on a VNC display or
something using the same browser session).

Sure, a Chromebook will cost you $150, but that seems like a token
expense for an employee and it buys you a LOT of security. You can do
the same thing on another OS, but you're going to end up adding on a lot
of stuff on top of the OS to make it work, and I'm certain the
administrative overhead would be much higher.

A chromebook is basically what you get if you take a linux desktop and
lock everything down with TPM support and secure boot - they're even
based on Gentoo. Sure, you can DIY, but you're not going to do better
without the hardware support.

> Someone mentioned 2-factor authentication which sounds interesting.
> Are there good options for that besides SMS and Google Authenticator
> (or a similar mobile app)? Is there a good 2FA server in Portage? Is
> 2FA ever defeated in real life without the user's phone?

Do you mean you don't want something that involves typing in a TOTP or
similar? Google Authenticator just uses RFC 6238 so you can use any other
compliant client to generate the codes - I'm sure those exist for Linux,
but if you're going to do that you might as well just use an RSA-based
authentication since if you can steal the client key you can steal the
RFC6238 key. The whole point of 2-factor is that the second factor tends
to be something that isn't on the same PC as the client.

There is a PAM-based authenticator in portage for Google Authenticator,
which again should work with anything RFC 6238 compliant. I use it for
ssh password logins and it works great (well, aside from having to reach
for my phone anytime I log in via an untrusted computer).

A much older option is s/key. I'm sure that is still around as well, but
I don't think it really has any advantages over RFC6238.

--
Rich
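The RFC 6238 point made above, as an added example that is not from the thread and not the Google Authenticator or PAM module code: a Python implementation of HOTP/TOTP with the standard parameters (HMAC-SHA1, 30 s step, 6 digits) and a server-side `TotpVerifier` that does the three things a PAM-style checker has to get right: tolerate a small clock-skew window, compare codes in constant time, and never accept a time step twice, so a code captured by the keyboard sniffer Rich mentions is useless for the rest of its 30 s lifetime. `SECRET_B32` is the base32 form of the RFC 4226/6238 test key "12345678901234567890" (what an authenticator app would receive in its otpauth:// URI); the class and function names are this example's own.

```python
"""RFC 6238 TOTP, as used by Google Authenticator, with a server-side check.

Added example, not from the thread.  hotp()/totp() implement RFC 4226 and
RFC 6238 with the default parameters.  TotpVerifier shows the server side:
skew window, constant-time comparison and replay refusal.  In a real
deployment last_step must be persisted per user (the PAM module keeps it
in the user's secret file) or the replay check is lost across logins.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30
DIGITS = 6
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32("12345678901234567890")


def decode_secret(secret_b32):
    """Authenticator apps show lower-case, space-grouped base32; normalise it."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp(secret_b32, now=None, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    t = int(time.time() if now is None else now)
    return hotp(decode_secret(secret_b32), t // step, digits)


class TotpVerifier:
    """Server side of the exchange: the thing the PAM module does at login."""

    def __init__(self, secret_b32, window=1):
        self.key = decode_secret(secret_b32)
        self.window = window          # steps of clock skew tolerated either side
        self.last_step = -1           # highest step already accepted (persist this)

    def verify(self, code, now=None):
        t = int(time.time() if now is None else now) // STEP
        for step in range(t - self.window, t + self.window + 1):
            if step <= self.last_step:
                continue              # replay, or older than a code already used
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    print("T=59, 8 digits (RFC 6238 test vector):", totp(SECRET_B32, 59, digits=8))
    print("current 6-digit code:", totp(SECRET_B32))
```

The window is the usual trade-off: each extra step either side gives an attacker another valid code to guess at, and widens the interval in which a sniffed code can be replayed on a second server that does not share `last_step`, which is why the replay state belongs wherever the secret is stored, not in process memory.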
[gentoo-user] Re: update gentoo without network [SOLVED]
Raffaele Belardi wrote:
> Raffaele Belardi wrote:
>> I have gentoo system A (~x86) on a network that does not allow portage
>> access to internet due to some authentication issue. System B (~amd64)
>> is on another network with no such restrictions.
>>
>> To bypass the restrictions I made a copy of A on a removable media,
>> chroot into it from B and 'emerge-webrsync; emerge --fetchonly' from
>> there. Then attach the media to A and overwrite /usr/portage with the
>> updated one from the removable media.
>>
>> This works but updating the chroot from B always re-downloads all the
>> packages since the first time I created the chroot, not only those from
>> the last update. I suppose portage maintains a database of the installed
>> packages that I need to copy back to the removable media after each
>> system A update, but where is it?
>
> I suppose the database I'm looking for is /var/db/pkg, right?
>

Just tested, it works:

1. cp -a /var/db/pkg from system A to removable media
2. chroot ; emerge-webrsync ; emerge --fetchonly -uDvN world
3. cp -a /usr/portage from removable media to system A
4. next week, goto 1

raffaele
Re: [gentoo-user] *dev-less gentoo
Francisco Ares:
> 2016-01-18 15:15 GMT-02:00:
>
> > # emerge -auDN @system
> > ...
> > [ebuild  N    ] virtual/dev-manager-0
> >
> > How can I get rid of dev-manager-0 from @system ?
...
> Try updating to a new kernel.
>
> I'm saying this because of the output of equery d virtual/dev-manager on
> my system:
>
> ~ $ equery d virtual/dev-manager
>  * These packages depend on virtual/dev-manager:
> sys-kernel/gentoo-sources-3.18.9 (virtual/dev-manager)
> sys-kernel/gentoo-sources-3.18.12 (virtual/dev-manager)

Not so here:

# equery d virtual/dev-manager
 * These packages depend on virtual/dev-manager:
#

///

What info is there on @system ? I can change what's in @world, it seems
to be the content of /var/lib/portage/world. Is there a similar file for
@system ?

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57
[gentoo-user] Re: update gentoo without network
Raffaele Belardi wrote:
> I have gentoo system A (~x86) on a network that does not allow portage
> access to internet due to some authentication issue. System B (~amd64)
> is on another network with no such restrictions.
>
> To bypass the restrictions I made a copy of A on a removable media,
> chroot into it from B and 'emerge-webrsync; emerge --fetchonly' from
> there. Then attach the media to A and overwrite /usr/portage with the
> updated one from the removable media.
>
> This works but updating the chroot from B always re-downloads all the
> packages since the first time I created the chroot, not only those from
> the last update. I suppose portage maintains a database of the installed
> packages that I need to copy back to the removable media after each
> system A update, but where is it?

I suppose the database I'm looking for is /var/db/pkg, right?

raffaele
Re: [gentoo-user] {OT} Allow work from home?
On Mon, Jan 18, 2016 at 1:44 AM, J. Roeleveld wrote:
> On Monday, January 18, 2016 02:02:27 AM lee wrote:
>>
>> You would have a full VM for each user?
>
> Yes
>
>> That would be a huge waste of resources,
>
> Diskspace and CPU can easily be overcommitted.
>...
> The biggest reason why I don't use KVM is the lack of full snapshot
> functionality. Snapshotting disks is nice, but you end up with an unclean-
> shutdown situation and anything that's not yet committed to disk is gone.
>

Seems like on linux a straightforward design would be spinning up
containers on demand, with snapshots underneath. Granted, somebody still
needs to build it, but spinning up a container per user isn't much more
resource-intensive than just running x2go with multiple users in a single
namespace which is how it works today. It certainly would be less
wasteful than a full VM. They also launch and shutdown super-fast.

Of course, this is a linux-only solution (or BSD I believe). You're not
going to be able to do this with OSX/Windows guests.

--
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Monday, January 18, 2016 06:07:33 AM Rich Freeman wrote:
> On Mon, Jan 18, 2016 at 1:44 AM, J. Roeleveld wrote:
> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> You would have a full VM for each user?
> >
> > Yes
> >
> >> That would be a huge waste of resources,
> >
> > Diskspace and CPU can easily be overcommitted.
> >
> >...
> >
> > The biggest reason why I don't use KVM is the lack of full snapshot
> > functionality. Snapshotting disks is nice, but you end up with an unclean-
> > shutdown situation and anything that's not yet committed to disk is gone.
>
> Seems like on linux a straightforward design would be spinning up
> containers on demand, with snapshots underneath. Granted, somebody
> still needs to build it, but spinning up a container per user isn't
> much more resource-intensive than just running x2go with multiple
> users in a single namespace which is how it works today. It certainly
> would be less wasteful than a full VM. They also launch and shutdown
> super-fast.
>
> Of course, this is a linux-only solution (or BSD I believe). You're
> not going to be able to do this with OSX/Windows guests.

A similar solution is generally done with VDI implementations as well.
Replace "container" with VM and you have the same.

--
Joost
[gentoo-user] OT:: GPU resource utilization
Hello::

Background::
Hadoop and Openstack are supported on Gentoo, probably the most
noticeable of cluster code systems, and quite popular with most cloud
vendors.

Future::
Apache-Mesos is rapidly gaining ground and may surpass both Hadoop and
Openstack in usability on Gentoo, during 2016. (hopefully).

Recently, from one of the mesos user forums::

Subject: Re: Share GPU resources via attributes or as custom resources
(INTERNAL)

There is a design proposal coming that will include guidance around using
GPUs and better GPU support in mesos, so stay tuned.

As Ben and we (Nvidia) working to introduce GPU as first class resource
into Mesos. By default there is no isolation. But there will be isolation
module for Nvidia GPU devices which can be linked at build time and
provide isolation for GPU tasks among GPU devices. Initially device level
isolation will be there assuming all tasks using same device libraries
(hence no file system isolation). Our initial proposal is not exposing
details of GPU but subsequently more detail of GPU resources like
(topology, memory, core, bandwidth etc.) will be exposed to do better job
scheduling. As Ben indicated very soon we will send out design proposal
to community for comments.

Regards
Vikram
vdi...@nvidia.com

Very exciting news for the Mesos communities! Anyone interested in
clusters, containers or clouds on gentoo should keep an eye on the
sys-cluster project here at Gentoo. Contributions are also welcome.

enjoy,
James
Re: [gentoo-user] {OT} Allow work from home?
>> Suppose you use a VPN connection. How does the client (employee)
>> secure their own network and the machine they're using to work remotely
>> then?
>
> Poorly, most likely. Your data is probably not nearly as important to
> them as their data is, and most people don't take great care of their
> own data.

This is the same mentality I have.

> As I mentioned in my other post, there might be some exceptions if
> you're dealing with highly-skilled IT security employees or something
> like that, but most people don't take nearly the level of care with
> their clients as you're probably going to want them to.

Generally my employees are not technically inclined.

> It sounds like Grant is concerned enough about his application to
> restrict logins to a specific IP (presumably it uses SSL and sign-ons
> as well). If you care THAT much about where valid users can connect
> from, I don't see why you'd just let them VPN into your LAN running
> who-knows-what-rootkit on their workstations.
>
> If you're truly 100% web-based I'd just go the chromebook route. If
> not, I'd issue laptops that you control with full-disk encryption, and
> you can then set them up however you need to.

I am 100% web-based. I don't want to administrate machines outside of my
LAN so I can imagine a Chromebook would end up vulnerable eventually.

Someone mentioned 2-factor authentication which sounds interesting. Are
there good options for that besides SMS and Google Authenticator (or a
similar mobile app)? Is there a good 2FA server in Portage? Is 2FA ever
defeated in real life without the user's phone?

- Grant
Re: [gentoo-user] Shutdown through systemctl as a normal user
lukash wrote:
> Hi all,
>
> I'm reading on the internet that systemctl poweroff should work for
> normal user if he is the only one logged in, he is logged in locally
> and his session is active. I seem to be meeting these conditions:
>
> # loginctl
>    SESSION        UID USER             SEAT
>          2       1000 lukash           seat0
>
> $ loginctl show-session 2
> Id=2
> User=1000
> Name=lu
> Timestamp=Sat 2016-01-16 17:27:30 CET
> TimestampMonotonic=9614418
> VTNr=7
> Seat=seat0
> Display=:0
> Remote=no
> Service=lightdm
> Desktop=awesome
> Scope=session-2.scope
> Leader=529
> Audit=2
> Type=x11
> Class=user
> Active=yes
> State=active
> IdleHint=no
> IdleSinceHint=0
> IdleSinceHintMonotonic=0
>
> But invoking the command gives me:
>
> $ systemctl poweroff
> Failed to set wall message, ignoring: Access denied
> Failed to power off system via logind: Access denied
> Failed to start poweroff.target: Access denied
>
> How is this supposed to work on Gentoo?
>
> Thanks in advance,
> Lukas

IIRC "CONFIG_AUDIT" and "CONFIG_HAVE_ARCH_AUDITSYSCALL" must be set in
the kernel configuration. But as I don't use this method I cannot say
this for sure.

--
Regards
wabe
Re: [gentoo-user] {OT} Allow work from home?
"J. Roeleveld" writes:

> On Monday, January 18, 2016 02:02:27 AM lee wrote:
>> "J. Roeleveld" writes:
>> > On 17 January 2016 18:35:20 CET, Mick wrote:
>> >
>> > [...]
>> >
>> >>I use the icaclient provided by Citrix to access my virtual desktop at
>> >>work, but have never tried to set up something similar at home. What
>> >>opensource software would I need for this? Is there a wiki somewhere
>> >>to follow?
>> >>
>> > I'd love to do this myself as well.
>> >
>> > Citrix sells the full package as 'XenDesktop'. To do it yourself you
>> > need a VMserver (Xen or similar) and a remote desktop tool that hooks
>> > into the VM display. (Spice or VNC)
>> >
>> > Then you need some way of authenticating users and providing access to
>> > the client software.

[...]

>> You would have a full VM for each user?
>
> Yes
>
>> That would be a huge waste of resources,
>
> Diskspace and CPU can easily be overcommitted.

Overcommitting disk space sounds like a very bad idea. Overcommitting
memory is not possible with xen.

>> plus having to take care of a lot of VMs,
>
> Automated.

Like how?

>> plus having to buy a lot of Windoze licenses
>
> Volume licensing takes care of that.

expensive

>> and taking about a week to install the updates
>> after installing a VM.
>
> Never heard of VM templates?

It still takes a week to put the updates onto the template.

>> Add to that that the xen host goes down at
>> random time intervals (because the sending queue of the network card
>> times out for reasons that cannot be determined) which can be as long as
>> a day, a week or even up to three weeks, and you are likely to become a
>> rather unhappy administrator.
>
> Sorry, but I consider that a bug in your hardware. If it's really that
> unstable, replace it.
> I've been running Xen enabled servers for nearly 15 years. Never had
> issues like that. If it were truly that unstable, it wouldn't be gaining
> popularity.

The hardware has already been replaced, and the problem persists. Other
machines of identical hardware that don't run xen don't show any issues.

>> Try kvm instead, and you'll find that
>> it's impossible to migrate the VMs from xen to kvm when you want to
>> use virtio drivers because you can't install them on an existing Windoze
>> VM.
>
> Not a problem with the virtualisation technology. It is an issue with
> driver management inside MS Windows.
> There are ways to migrate VMs successfully, I just don't see the point in
> wasting time for that.

It's time consuming when you have to reinstall the VMs to migrate them to
kvm. And when you don't have the installers of all the software that's on
some of the VMs and can't get them, you either have to run them without
virtio drivers or you can't migrate them.

> The biggest reason why I don't use KVM is the lack of full snapshot
> functionality. Snapshotting disks is nice, but you end up with an
> unclean-shutdown situation and anything that's not yet committed to disk
> is gone.

I'm not sure what you mean. When you take a snapshot while the VM is not
shut down, what difference does it make whether you use xen or kvm?

>> Then there's the question how well vnc or spice connections work over a
>> VPN that goes over the internet.
>
> VNC works quite well, as long as you use a minimal desktop. (like
> blackbox). Don't expect KDE or Gnome to be usable.
> I haven't tried Spice yet, but I've read that it performs better.

It's not like you had a choice when you have Windoze VMs.

>> It's not like the employees could get
>> reliable internet connections with sufficient bandwidth, not to mention
>> that the company would have to get one in the first place, which isn't
>> much easier to get, if any.
>
> That depends on where you are.

In this country, you have to be really lucky to find a place where you
can get a decent internet connection.

> The company could host the servers in a decent datacentre, which should
> take care of the bandwidth issues.

And give all their data out of hands? And how much does that cost?

> For the employees, if they want to work from home, it's up to them to
> ensure they have a reliable connection.

It is as much a problem of the company when they want the employees to
work at home. And the employees don't have a choice, they can only get a
connection they can get.

>> It might work in theory. How would it be feasible in practice?
>
> Plenty of companies do it this way. If you don't want to pay for software
> like XenDesktop, you need to do all the work setting it up yourself.

VNC is somewhat slow over a 1Gbit LAN. Did they find some way to overcome
this problem?

This sounds like it is for people with unlimited resources.

BTW, access a VM through VNC, and you don't even have any way to make the
mouse pointer in the VNC window actually follow the mouse pointer you're
using, which makes it rather annoying to do anything in the VM you're
Re: [gentoo-user] {OT} Allow work from home?
writes:

> lee wrote:
>
>> Rich Freeman writes:
>>
>> > On Sun, Jan 17, 2016 at 6:38 AM, lee wrote:
>> >> Suppose you use a VPN connection. How does the client
>> >> (employee) secure their own network and the machine they're using
>> >> to work remotely then?
>> >
>> > Poorly, most likely. Your data is probably not nearly as important
>> > to them as their data is, and most people don't take great care of
>> > their own data.
>>
>> That's not what I meant to ask. Assume you are an employee supposed
>> to work from home through a VPN connection: How do you protect your
>> LAN?
>
> Depends on the VPN connection. If you use an OpenVPN client on your PC
> then it is sufficient to use a well configured firewall (ufw, iptables
> or whatever) on this PC.

The PC would be connected to the LAN, even if only to have an internet
connection for the VPN. I can only guess: Wouldn't that require putting
this PC behind a firewall that separates it from the LAN to protect the
LAN?

> If you use a VPN gateway then you could
> configure this gateway (or a firewall behind) in a way that it blocks
> incoming connections from the VPN tunnel.

Hm. I'd prefer to avoid having to run another machine as such a firewall
because electricity is way too expensive here. And I don't know if the
gateway could be configured in such a way.

> IMHO there is no more risk to use a VPN connection than with any other
> Internet connection.

But it's a double connection, one to the internet, and another one to
another network, so you'd have to somehow manage to set up some sort of
double protection. Setting up a VPN alone is more than difficult enough
already.
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman writes:

> On Sun, Jan 17, 2016 at 7:26 PM, lee wrote:
>> Rich Freeman writes:
>>
>>> However, while an RDP-like solution protects you from some types of
>>> attacks, it still leaves you open to many client-side problems like
>>> keylogging. I don't know any major corporation that lets people RDP
>>> into their applications in general.
>>
>> What do they use instead?
>>
>
> As I mentioned in my previous email - they just hand all their
> employees laptops. Control the hardware, control the software,
> control the security...

I mean instead of rdp. It's a simple solution which works really well
on a LAN with Windoze. What's the equivalent that works with Linux?

I wouldn't try it over an internet connection, though, it requires too
much bandwidth.
Re: [gentoo-user] {OT} Allow work from home?
On Mon, Jan 18, 2016 at 7:57 PM, lee wrote:
> Rich Freeman writes:
>> On Sun, Jan 17, 2016 at 7:26 PM, lee wrote:
>>> Rich Freeman writes:
>>> However, while an RDP-like solution protects you from some types of
>>> attacks, it still leaves you open to many client-side problems like
>>> keylogging. I don't know any major corporation that lets people RDP
>>> into their applications in general.
>>>
>>> What do they use instead?
>>>
>>
>> As I mentioned in my previous email - they just hand all their
>> employees laptops. Control the hardware, control the software,
>> control the security...
>
> I mean instead of rdp. It's a simple solution which works really well
> on a LAN with Windoze. What's the equivalent that works with Linux?

Well, I've never been in a company that runs Linux on the desktop, or
which even provides VDIs for Windows. The most common solution is to
provide windows laptops to users with various software packages for
management/security/etc.

The closest thing to RDP for Linux that I'm aware of is various
NX-based implementations, like x2go, which I've mentioned a few times.
It can be somewhat finicky. And of course there is VNC, which is much
less efficient. I don't think either really gets to the level of RDP
in general.

I do sometimes wonder how the #1 server OS in the world somehow lacks
decent facilities for graphical remote login, and for sharing files
across the network. (For the latter NFS is a real pain to set up in a
remotely secure fashion - part of the problem is that it is hard to
use some kind of a UUID to drive file permissions, and kerberos/etc is
a pain to set up. There is certainly nothing approaching the ease of
just setting a password on a share or connecting to a windows domain
(even a samba-driven one)).

-- 
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Mon, Jan 18, 2016 at 9:45 PM, Alec Ten Harmsel wrote:
>
> All Joost is saying is that most resources can be overcommitted, since
> all the users will not be using all their resources at the same time.
>

Don't want to sound like a broken record, but this is precisely why
containers are so attractive. You can set hard limits wherever you
want, but otherwise absolutely everything can be over-committed/shared/etc
to the degree you desire. They're just processes and namespaces and
cgroups and so on. You just have to be willing to live with whatever
kernel is running on the host.

Of course, it isn't a solution for Windows, and there aren't any mature
VDI-oriented solutions I'm aware of. However, running as non-root in a
container should be very secure so there is no reason it couldn't be
done.

I just spun up a new container yesterday to test out burp (alas, ago
beat me to the stablereq) and the server container is using all of 54M
total / 3M RSS (some of that because I like to run sshd and so on
inside). I can afford to run a LOT of those.

-- 
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Mon, Jan 18, 2016 at 10:33 PM, wrote:
>
> Sharing files can be done via SCP/SFTP. If a VPN connection is used,
> then even NFS or FTP are possibilities.

I have 100 computers. I want a user on those 100 computers to be able
to share a file on their computer with just me. On windows they just
right-click and pick sharing, search for my name on the domain, and
grant me permissions. You're not going to get an experience anything
like that with scp or nfs or ftp. Heck, nfs is almost completely
insecure in the way most people use it.

I don't just want to copy a file from point A to point B. I want to
have a robust set of permissions and security and so on behind that.
If a user changes their password, that password gets them access to
everything they used to have access to, and none of those random
clients ever see the password.

Sure, you can do it on linux with lots of NFSv4 and kerberos and all
that. But it is painful to set up and almost nobody actually seems to
do it as a result. You can also do something like Bitlocker on linux,
but there isn't a single distro that supports it out of the box
because it uses a lot of features nobody has bothered to seriously
develop. (Before somebody points out LUKS, be aware that Bitlocker
lets you do full-disk encryption that is secure without having to
actually type a decryption key at any point. Remove the hard drive or
boot from a CD, and the disks are unreadable - you can only read them
if you boot off them on the original PC.)

It is just a bit frustrating to behold. But, I'm getting what I'm
paying for, so... :)

-- 
Rich
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman wrote:

> On Mon, Jan 18, 2016 at 10:33 PM, wrote:
> >
> > Sharing files can be done via SCP/SFTP. If a VPN connection is used,
> > then even NFS or FTP are possibilities.
>
> I have 100 computers. I want a user on those 100 computers to be able
> to share a file on their computer with just me. On windows they just
> right-click and pick sharing, search for my name on the domain, and
> grant me permissions. You're not going to get an experience anything
> like that with scp or nfs or ftp. Heck, nfs is almost completely
> insecure in the way most people use it.

I'm an absolute windows noob. I only use it for graphics work. I even
didn't know that such a kind of file sharing is possible with it. :-)

> I don't just want to copy a file from point A to point B. I want to
> have a robust set of permissions and security and so on behind that.
> If a user changes their password, that password gets them access to
> everything they used to have access to, and none of those random
> clients ever see the password.
>
> Sure, you can do it on linux with lots of NFSv4 and kerberos and all
> that. But it is painful to set up and almost nobody actually seems to
> do it as a result. You can also do something like Bitlocker on linux,
> but there isn't a single distro that supports it out of the box
> because it uses a lot of features nobody has bothered to seriously
> develop. (Before somebody points out LUKS, be aware that Bitlocker
> lets you do full-disk encryption that is secure without having to
> actually type a decryption key at any point. Remove the hard drive or
> boot from a CD, and the disks are unreadable - you can only read them
> if you boot off them on the original PC.)

I never thought about such operating ranges. But maybe these are some
of the reasons why windows held 43% of the server OS market share in
Q4/2013, according to an article that I read some months ago.

> It is just a bit frustrating to behold. But, I'm getting what I'm
> paying for, so... :)

That's right. I think that the effort and the outlay to implement all
these features into Linux is relatively high. It seems that no vendor is
willing to assume such a financial risk. Maybe it is time for another
crowdfunding campaign? ;-)

-- 
Regards
wabe
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman wrote:

> I do sometimes wonder how the #1 server OS in the world somehow lacks
> decent facilities for graphical remote login, and for sharing files
> across the network. (For the latter NFS is a real pain to set up in a
> remotely secure fashion - part of the problem is that it is hard to
> use some kind of a UUID to drive file permissions, and kerberos/etc is
> a pain to set up. There is certainly nothing approaching the ease of
> just setting a password on a share or connecting to a windows domain
> (even a samba-driven one)).

I think Linux is only #1 in the area of web services. For this you
don't really need a graphical remote login. I think the main reason for
the windows terminal server is that windows couldn't be configured via
console login (SSH) in the same way as Linux could.

But of course it would be very nice to have an RDP-like feature for Linux
with the same efficiency as RDP under Windows. This would really expand
the facilities of Linux as a desktop based server.

Sharing files can be done via SCP/SFTP. If a VPN connection is used,
then even NFS or FTP are possibilities. For all of these connections you
can also use graphical clients.

Just my two cents. I'm sure that you are already aware of this.

-- 
Regards
wabe
Re: [gentoo-user] {OT} Allow work from home?
On Tue, Jan 19, 2016 at 01:46:45AM +0100, lee wrote:
> "J. Roeleveld" writes:
>
> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> "J. Roeleveld" writes:
> >> > On 17 January 2016 18:35:20 CET, Mick wrote:
> >> >
> >> > [...]
> >> >
> >> >>I use the icaclient provided by Citrix to access my virtual desktop at
> >> >>work,
> >> >>but have never tried to set up something similar at home. What
> >> >>opensource
> >> >>software would I need for this? Is there a wiki somewhere to follow?
> >> >>
> >> > I'd love to do this myself as well.
> >> >
> >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you need
> >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into the
> >> > VM display. (Spice or VNC)
> >> >
> >> > Then you need some way of authenticating users and providing access to
> >> > the
> >> > client software. [...]
> >>
> >> You would have a full VM for each user?
> >
> > Yes
> >
> >> That would be a huge waste of resources,
> >
> > Diskspace and CPU can easily be overcommitted.
>
> Overcommitting disk space sounds like a very bad idea. Overcommitting
> memory is not possible with xen.
>

Depends on how the load is. Right now I have a 500GB HDD at work. I use
VirtualBox and vagrant for testing various software. Every VM in
VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
Add in all the other stuff on my system, which includes a 200GB dataset,
and the disk is overcommitted. Of course, none of the VirtualBox disks
use anywhere near 50GB.

All Joost is saying is that most resources can be overcommitted, since
all the users will not be using all their resources at the same time.

Alec
Re: [gentoo-user] {OT} Allow work from home?
lee wrote:

> writes:
>
> > lee wrote:
> >
> >> Rich Freeman writes:
> >>
> >> > On Sun, Jan 17, 2016 at 6:38 AM, lee wrote:
> >> >> Suppose you use a VPN connection. How does the client
> >> >> (employee) secure their own network and the machine they're
> >> >> using to work remotely then?
> >> >
> >> > Poorly, most likely. Your data is probably not nearly as
> >> > important to them as their data is, and most people don't take
> >> > great care of their own data.
> >>
> >> That's not what I meant to ask. Assume you are an employee
> >> supposed to work from home through a VPN connection: How do you
> >> protect your LAN?
> >
> > Depends on the VPN connection. If you use an OpenVPN client on your
> > PC then it is sufficient to use a well configured firewall (ufw,
> > iptables or whatever) on this PC.
>
> The PC would be connected to the LAN, even if only to have an internet
> connection for the VPN. I can only guess: Wouldn't that require
> putting this PC behind a firewall that separates it from the LAN to
> protect the LAN?

Of course a separate firewall is better than a firewall on the PC,
because it may protect the LAN even when the PC is compromised. But if
the PC is compromised and has access to the LAN through the separate
firewall (which is mostly the case) then the protection is more or less
porous (depending on the firewall rules).

If you don't have a separate firewall but only a firewall on the (not
compromised) PC, then the LAN should be safe as long as you don't have
enabled IP forwarding on the PC and as long as the VPN is configured in
a way that there is only a route to your PC and not to the rest of your
LAN.

Even if you have enabled IP forwarding on the PC and even if the VPN
has a route to the whole LAN, the LAN should nevertheless be safe when
the firewall on the PC is configured to block all incoming connections.
Of course the blocking of all incoming connections implies that the PC
is acting as a client only.

> > If you use a VPN gateway then you could
> > configure this gateway (or a firewall behind) in a way that it
> > blocks incoming connections from the VPN tunnel.
>
> Hm. I'd prefer to avoid having to run another machine as such a
> firewall because electricity is way too expensive here. And I don't
> know if the gateway could be configured in such a way.

All VPN gateways that I know also have a built-in firewall. If your
gateway hasn't, then you should ask yourself what is more expensive - a
separate firewall or a hacked LAN? But in this case I would prefer to
use the PC as OpenVPN client.

> > IMHO there is no more risk to use a VPN connection than with any
> > other Internet connection.
>
> But it's a double connection, one to the internet, and another one to
> another network, so you'd have to somehow manage to set up some sort
> of double protection.

See above.

> Setting up a VPN alone is more than difficult enough already.

This depends on the VPN that you (have to) use. If you set up the VPN
on both sides then you probably can choose what kind of VPN you wanna
use. OpenVPN isn't really difficult to set up. If you don't wanna use
PSK but X509 authorization, then the most complicated thing is the
creation of the certs. But with the help of Google (or DuckDuckGo),
this is quickly done. There is lots of information about setting up an
OpenVPN connection.

-- 
Regards
wabe
Re: [gentoo-user] Re: How to get rid of 32bits libraries
James wrote:
> Neil Bothwick writes:
>
>> emerge -evp world | grep 'ABI_X86="32'
>
> Hm. OK thanks for verification on the number.
>
> emerge -evp world | grep 'ABI_X86="32'| wc -l
> 279
>
> Same as::
> EIX_LIMIT=0 eix -I --only-names | equery hasuse abi_x86_32 | wc -l
> 279
>
> Anyway::
> Why so many? The Profile? What are others getting for the number(s)
> of 32 bit libs? This thread has me curious. Some embedded systems
> may be desirable to upgrade to only 64 bit libs, besides other similar
> installs.
>
> James

I have kde-meta installed here which pulls in a lot of packages plus
some other packages that I use. I have 118 here. The total number of
packages is just over 1300. I recently switched to 13.0/desktop/plasma
profile.

Maybe that will help shed some light on your situation. Maybe it is a
setting or something.

Dale

:-) :-)
Re: [gentoo-user] {OT} Allow work from home?
On Monday, January 18, 2016 09:45:28 PM Alec Ten Harmsel wrote:
> On Tue, Jan 19, 2016 at 01:46:45AM +0100, lee wrote:
> > "J. Roeleveld" writes:
> > > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> > >> "J. Roeleveld" writes:
> > >> > On 17 January 2016 18:35:20 CET, Mick
> > >> > wrote:
> > >> >
> > >> > [...]
> > >> >
> > >> >>I use the icaclient provided by Citrix to access my virtual desktop
> > >> >>at
> > >> >>work,
> > >> >>but have never tried to set up something similar at home. What
> > >> >>opensource
> > >> >>software would I need for this? Is there a wiki somewhere to follow?
> > >> >>
> > >> > I'd love to do this myself as well.
> > >> >
> > >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you
> > >> > need
> > >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into
> > >> > the
> > >> > VM display. (Spice or VNC)
> > >> >
> > >> > Then you need some way of authenticating users and providing access
> > >> > to the
> > >> > client software. [...]
> > >>
> > >> You would have a full VM for each user?
> > >
> > > Yes
> > >
> > >> That would be a huge waste of resources,
> > >
> > > Diskspace and CPU can easily be overcommitted.
> >
> > Overcommitting disk space sounds like a very bad idea. Overcommitting
> > memory is not possible with xen.
>
> Depends on how the load is. Right now I have a 500GB HDD at work. I use
> VirtualBox and vagrant for testing various software. Every VM in
> VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
> Add in all the other stuff on my system, which includes a 200GB dataset,
> and the disk is overcommitted. Of course, none of the VirtualBox disks
> use anywhere near 50GB.
>
> All Joost is saying is that most resources can be overcommitted, since
> all the users will not be using all their resources at the same time.

If disk-space is considered too expensive, you could even have every VM
use the same base image. And have them store only the differences of the
disk.

eg:
1) Create a VM
2) Snapshot the disk (with the VM shutdown)
3) create a new VM based on the snapshot

Repeat 2 and 3 for as many clones as you want.

Most installs don't change that much when dealing with standardized
desktops.

-- 
Joost
Re: [gentoo-user] {OT} Allow work from home?
On Tuesday, January 19, 2016 01:46:45 AM lee wrote:
> "J. Roeleveld" writes:
> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> "J. Roeleveld" writes:
> >> > On 17 January 2016 18:35:20 CET, Mick
> >> > wrote:
> >> >
> >> > [...]
> >> >
> >> >>I use the icaclient provided by Citrix to access my virtual desktop at
> >> >>work,
> >> >>but have never tried to set up something similar at home. What
> >> >>opensource
> >> >>software would I need for this? Is there a wiki somewhere to follow?
> >> >>
> >> > I'd love to do this myself as well.
> >> >
> >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you
> >> > need
> >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into
> >> > the
> >> > VM display. (Spice or VNC)
> >> >
> >> > Then you need some way of authenticating users and providing access to
> >> > the
> >> > client software. [...]
> >>
> >> You would have a full VM for each user?
> >
> > Yes
> >
> >> That would be a huge waste of resources,
> >
> > Diskspace and CPU can easily be overcommitted.
>
> Overcommitting disk space sounds like a very bad idea. Overcommitting
> memory is not possible with xen.

Overcommitting diskspace isn't such a bad idea, considering most installs
never utilize all the available diskspace.

Overcommitting memory is, I think, on the roadmap for Xen.
(Disclaimer: At least, I seem to remember reading that somewhere)

> >> plus having to take care of a lot of VMs,
> >
> > Automated.
>
> Like how?

How do you manage a large amount of physical machines?
Just change physical to VMs and do it the same. With VMs you have more
options for automation.

> >> plus having to buy a lot of Windoze licenses
> >
> > Volume licensing takes care of that.
>
> expensive

Depends on the requirements. It's cheaper than a few hundred separate
windows licenses.

> >> and taking about a week to install the updates
> >> after installing a VM.
> >
> > Never heard of VM templates?
>
> It still takes a week to put the updates onto the template.

Last time I had to fully reinstall a windows machine it took me a day to do
all the updates.
Microsoft even has server software that will keep them locally and push
them to the clients.

> >> Add to that that the xen host goes down at
> >> random time intervals (because the sending queue of the network card
> >> times out for reasons that cannot be determined) which can be as long as
> >> a day, a week or even up to three weeks, and you are likely to become a
> >> rather unhappy administrator.
> >
> > Sorry, but I consider that a bug in your hardware. If it's really that
> > unstable, replace it.
> > I've been running Xen enabled servers for nearly 15 years. Never had
> > issues
> > like that. If it were truly that unstable, it wouldn't be gaining
> > popularity.
>
> The hardware has already been replaced, and the problem persists. Other
> machines of identical hardware that don't run xen don't show any issues.

I still say the hardware is buggy. With replacing, I meant replace it with
different hardware, not a different version of the same buggy stuff.

> >> Try kvm instead, and you'll find that
> >> it's impossible to migrate the VMs from xen to kvm when you want to
> >> use virtio drivers because you can't install them on an existing Windoze
> >> VM.
> >
> > Not a problem with the virtualisation technology. It is an issue with
> > driver management inside MS Windows.
> > There are ways to migrate VMs successfully, I just don't see the point in
> > wasting time for that.
>
> It's time consuming when you have to reinstall the VMs to migrate them
> to kvm. And when you don't have the installers of all the software
> that's on some of the VMs and can't get them, you either have to run
> them without virtio drivers or you can't migrate them.

There are HOWTOs on the internet describing how to migrate VMs from one
technology to another. Shouldn't be too hard.

And keeping the installers at hand is, in my opinion, a requirement of sane
system management. I have installers for all the versions of software I
deal with.

> > The biggest reason why I don't use KVM is the lack of full snapshot
> > functionality. Snapshotting disks is nice, but you end up with an unclean-
> > shutdown situation and anything that's not yet committed to disk is gone.
>
> I'm not sure what you mean. When you take a snapshot while the VM is not
> shut down, what difference does it make whether you use xen or kvm?

A "snapshot" for KVM is ONLY the disks. With Xen, VMWare and Virtualbox, I
can also make a snapshot/copy of what's in memory. It's that which makes
the difference.

> >> Then there's the question how well vnc or spice connections work over a
> >> VPN that goes over the internet.
> >
> > VNC works quite well, as long as you use a minimal desktop. (like
> > blackbox). Don't expect KDE or Gnome to be usable.
> > I haven't tried Spice yet,
Re: [gentoo-user] {OT} Allow work from home?
On Monday, January 18, 2016 08:35:20 PM Rich Freeman wrote:
> On Mon, Jan 18, 2016 at 7:57 PM, lee wrote:
> > Rich Freeman writes:
> >> On Sun, Jan 17, 2016 at 7:26 PM, lee wrote:
> >>> Rich Freeman writes:
> However, while an RDP-like solution protects you from some types of
> attacks, it still leaves you open to many client-side problems like
> keylogging. I don't know any major corporation that lets people RDP
> into their applications in general.
> >>>
> >>> What do they use instead?
> >>
> >> As I mentioned in my previous email - they just hand all their
> >> employees laptops. Control the hardware, control the software,
> >> control the security...
> >
> > I mean instead of rdp. It's a simple solution which works really well
> > on a LAN with Windoze. What's the equivalent that works with Linux?
>
> Well, I've never been in a company that runs Linux on the desktop, or
> which even provides VDIs for Windows. The most common solution is to
> provide windows laptops to users with various software packages for
> management/security/etc.

VDIs are gaining ground in bigger companies as part of the BYOD push.
Especially using Citrix XenDesktop with the icaclient, this works really
well.

> The closest thing to RDP for Linux that I'm aware of is various
> NX-based implementations, like x2go, which I've mentioned a few times.
> It can be somewhat finicky. And of course there is VNC, which is much
> less efficient. I don't think either really gets to the level of RDP
> in general.
>
> I do sometimes wonder how the #1 server OS in the world somehow lacks
> decent facilities for graphical remote login, and for sharing files
> across the network. (For the latter NFS is a real pain to set up in a
> remotely secure fashion - part of the problem is that it is hard to
> use some kind of a UUID to drive file permissions, and kerberos/etc is
> a pain to set up. There is certainly nothing approaching the ease of
> just setting a password on a share or connecting to a windows domain
> (even a samba-driven one)).

I'd love to get something similar to RDP working on linux. But I'm not
sufficiently skilled to implement it all myself.

-- 
Joost
Re: [gentoo-user] {OT} Allow work from home?
On Tuesday, January 19, 2016 01:57:38 AM lee wrote:
> Rich Freeman writes:
> > On Sun, Jan 17, 2016 at 7:26 PM, lee wrote:
> >> Rich Freeman writes:
> >>> However, while an RDP-like solution protects you from some types of
> >>> attacks, it still leaves you open to many client-side problems like
> >>> keylogging. I don't know any major corporation that lets people RDP
> >>> into their applications in general.
> >>
> >> What do they use instead?
> >
> > As I mentioned in my previous email - they just hand all their
> > employees laptops. Control the hardware, control the software,
> > control the security...
>
> I mean instead of rdp. It's a simple solution which works really well
> on a LAN with Windoze. What's the equivalent that works with Linux?
>
> I wouldn't try it over an internet connection, though, it requires too
> much bandwidth.

RDP works over an internet connection, even when running it through a VPN
using a dodgy wifi link over a busy road and a slowish ADSL link.

VNC also, but only when reducing the quality of the display a lot.

Not tried other methods yet.

-- 
Joost
Re: [gentoo-user] {OT} Allow work from home?
On Tuesday, January 19, 2016 02:15:17 AM lee wrote:
> writes:
> > lee wrote:
> >> Rich Freeman writes:
> >> > On Sun, Jan 17, 2016 at 6:38 AM, lee wrote:
> >> >> Suppose you use a VPN connection. How does the client
> >> >> (employee) secure their own network and the machine they're using
> >> >> to work remotely then?
> >> >
> >> > Poorly, most likely. Your data is probably not nearly as important
> >> > to them as their data is, and most people don't take great care of
> >> > their own data.
> >>
> >> That's not what I meant to ask. Assume you are an employee supposed
> >> to work from home through a VPN connection: How do you protect your
> >> LAN?
> >
> > Depends on the VPN connection. If you use an OpenVPN client on your PC
> > then it is sufficient to use a well configured firewall (ufw, iptables
> > or whatever) on this PC.
>
> The PC would be connected to the LAN, even if only to have an internet
> connection for the VPN. I can only guess: Wouldn't that require putting
> this PC behind a firewall that separates it from the LAN to protect the
> LAN?
>
> > If you use a VPN gateway then you could
> > configure this gateway (or a firewall behind) in a way that it blocks
> > incoming connections from the VPN tunnel.
>
> Hm. I'd prefer to avoid having to run another machine as such a
> firewall because electricity is way too expensive here. And I don't
> know if the gateway could be configured in such a way.
>
> > IMHO there is no more risk to use a VPN connection than with any other
> > Internet connection.
>
> But it's a double connection, one to the internet, and another one to
> another network, so you'd have to somehow manage to set up some sort of
> double protection. Setting up a VPN alone is more than difficult enough
> already.

Some of the companies I work with have the laptops set up so that when
they are not connected to the office-LAN, they will only talk via a VPN
link to the company. No network connectivity (apart from what's necessary
for the VPN) will work till the VPN is set up.

Any ideas on how to do this using Linux without having to become root to
set it up myself? I like network manager for the ease of setting up WIFI
links.

-- 
Joost
Re: [gentoo-user] Shutdown through systemctl as a normal user
On Mon, 18 Jan 2016 23:31:39 +0100 lukash wrote:
> On Mon, 2016-01-18 at 20:00 +0100, waben...@gmail.com wrote:
> > lukash wrote:
> >
> > > Hi all,
> > >
> > > I'm reading on the internet that systemctl poweroff should work
> > > for normal user if he is the only one logged in, he is logged in
> > > locally and his session is active. I seem to be meeting these
> > > conditions:
> > >
> > > # loginctl
> > > SESSION UID USER SEAT
> > > 2 1000 lukash seat0
> > >
> > > $ loginctl show-session 2
> > > Id=2
> > > User=1000
> > > Name=lu
> > > Timestamp=Sat 2016-01-16 17:27:30 CET
> > > TimestampMonotonic=9614418
> > > VTNr=7
> > > Seat=seat0
> > > Display=:0
> > > Remote=no
> > > Service=lightdm
> > > Desktop=awesome
> > > Scope=session-2.scope
> > > Leader=529
> > > Audit=2
> > > Type=x11
> > > Class=user
> > > Active=yes
> > > State=active
> > > IdleHint=no
> > > IdleSinceHint=0
> > > IdleSinceHintMonotonic=0
> > >
> > > But invoking the command gives me:
> > >
> > > $ systemctl poweroff
> > > Failed to set wall message, ignoring: Access denied
> > > Failed to power off system via logind: Access denied
> > > Failed to start poweroff.target: Access denied
> > >
> > > How is this supposed to work on Gentoo?
> > >
> > > Thanks in advance,
> > > Lukas
> >
> > IIRC "CONFIG_AUDIT" and "CONFIG_HAVE_ARCH_AUDITSYSCALL" must be set
> > in the kernel configuration. But as I don't use this method I cannot
> > say this for sure.
>
> Thanks. But I've got those in my kernel already...
>
> > --
> > Regards
> > wabe
>

Try this: https://wiki.archlinux.org/index.php/allow_users_to_shutdown , I think you might be happy with it. I don't have systemd personally so I don't have any experience with it. From what I read on the wiki, this will be an easy fix. Instead of using users in the "Users without sudo privileges" section, I think you can also use groups without the hostname.

All you would have to do is make a group that you would like to be able to shut down or whatever with the computer.

--
Willie Matthews
matthews.willi...@gmail.com
(702) 659-9966
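The Arch wiki page Willie points to works through a polkit rules file; the following is an added example of such a rule (not from this thread or the wiki) that grants power-off and reboot to members of a group, but only from a local, active session, so a remote or background login of a group member is still refused. The group name `power` and the file name `10-power.rules` are assumptions; the two logind action ids are the standard ones polkit exposes for power-off and reboot.

```javascript
// Added example (not the thread's or the wiki's code) of a polkit rules file,
// e.g. /etc/polkit-1/rules.d/10-power.rules (file name is an assumption).
// The group name "power" is an assumption; create it and add the user to it.
var POWER_ACTIONS = [
  "org.freedesktop.login1.power-off",
  "org.freedesktop.login1.reboot"
];

// Decide one request. Kept free of polkit globals so the same logic can be
// exercised under node; `subject` only needs isInGroup(), local and active,
// which are the attributes polkit hands to a rule.
function decide(actionId, subject) {
  if (POWER_ACTIONS.indexOf(actionId) === -1) {
    return null; // not a power action: leave it to other rules / the default
  }
  // Least privilege: group membership AND a local, active session. A member
  // logged in over ssh (local=false) or with a backgrounded session
  // (active=false) is sent to the administrator-password prompt instead.
  if (subject.isInGroup("power") && subject.local && subject.active) {
    return "yes";
  }
  return "auth_admin";
}

// Wire the decision into polkit only when running inside polkitd.
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    var r = decide(action.id, subject);
    if (r === "yes") return polkit.Result.YES;
    if (r === "auth_admin") return polkit.Result.AUTH_ADMIN;
    return polkit.Result.NOT_HANDLED;
  });
}
```

Check the effect with `pkaction --verbose --action-id org.freedesktop.login1.power-off` from the user's desktop session before relying on it.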
Re: [gentoo-user] Shutdown through systemctl as a normal user
On Mon, 2016-01-18 at 20:00 +0100, waben...@gmail.com wrote:
> lukash wrote:
>
> > Hi all,
> >
> > I'm reading on the internet that systemctl poweroff should work for
> > normal user if he is the only one logged in, he is logged in
> > locally and his session is active. I seem to be meeting these
> > conditions:
> >
> > # loginctl
> > SESSION UID USER SEAT
> > 2 1000 lukash seat0
> >
> > $ loginctl show-session 2
> > Id=2
> > User=1000
> > Name=lu
> > Timestamp=Sat 2016-01-16 17:27:30 CET
> > TimestampMonotonic=9614418
> > VTNr=7
> > Seat=seat0
> > Display=:0
> > Remote=no
> > Service=lightdm
> > Desktop=awesome
> > Scope=session-2.scope
> > Leader=529
> > Audit=2
> > Type=x11
> > Class=user
> > Active=yes
> > State=active
> > IdleHint=no
> > IdleSinceHint=0
> > IdleSinceHintMonotonic=0
> >
> > But invoking the command gives me:
> >
> > $ systemctl poweroff
> > Failed to set wall message, ignoring: Access denied
> > Failed to power off system via logind: Access denied
> > Failed to start poweroff.target: Access denied
> >
> > How is this supposed to work on Gentoo?
> >
> > Thanks in advance,
> > Lukas
>
> IIRC "CONFIG_AUDIT" and "CONFIG_HAVE_ARCH_AUDITSYSCALL" must be set
> in the kernel configuration. But as I don't use this method I cannot
> say this for sure.

Thanks. But I've got those in my kernel already...

> --
> Regards
> wabe
>
Re: [gentoo-user] Re: *dev-less gentoo
On 18/01/2016 23:05, k...@aspodata.se wrote:
> boxc...@gmx.net:
>> On Mon, 18 Jan 2016 19:48:58 +0100 (CET)
>> k...@aspodata.se wrote:
> ...
>>> What info is there on @system ?
>>> I can change what's in @world, it seems to be the content of
>>> /var/lib/portage/world. Is there a similar file for @system ?
>>
>> It's in /usr/portage/profiles/base/packages -- I think that will be
>> overwritten when profiles are updated, so I don't think it helps you.
>
> Great, thanks. Would it work to have that in an overlay, ehh, something ?
>
>> Would putting virtual/dev-manager into packages.provided work to solve
>> your problem? (I phrase it as a question because I've never used
>> packages.provided.)
>
> No, then packages that actually need it would be fooled.
> I found a workaround in the sys-fs/static-dev package.

Let's be clear: static-dev is NOT a workaround. It is a full proper solution for the case when a dynamic device node solution is not desired.

Of course it means you have to mknod every device you need yourself. But you know that going in, right?

--
Alan McKinnon
alan.mckin...@gmail.com
Re: [gentoo-user] Re: *dev-less gentoo
Alan McKinnon:
> On 18/01/2016 23:05, k...@aspodata.se wrote:
...
> > I found a workaround in the sys-fs/static-dev package.
>
> Let's be clear: static-dev is NOT a workaround. It is a full proper
> solution for the case when a dynamic device node solution is not desired.

Ok, fine with me (the wording "dev-manager" got me off track).

> Of course it means you have to mknod every device you need yourself. But
> you know that going in, right?

Yes (though I already have a /dev from before).

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57
Re: [gentoo-user] Python3.4 to python3.5 in ebuilds
Hi,

On Mon, Jan 18, 2016 at 04:07:03PM +0200, Stanislav Ch. Nikolov wrote:
> It seems like 3.4 and 3.5 are 100% compatible, and most ebuilds
> involving python in some way tolerate them both:
> (any-of ( python_targets_python3_3 python_targets_python3_4
> python_targets_python3_5))
>
> Yet there are some that are still unhappy with 3.5. This makes me
> really annoyed and I was wondering if it was possible to write a
> simple script to add python_targets_python3_5 where needed. Would this
> break anything, and if no, why can't the maintainers or some
> portage-tree admin do it?

It probably will not break a whole lot, but python 3.5 is still relatively new and package maintainers are still catching up.

Alec
Re: [gentoo-user] *dev-less gentoo
Karl Hammar:
> # emerge -auDN @system
> ...
> [ebuild N ] virtual/dev-manager-0
>
> How can I get rid of dev-manager-0 from @system ?

Ok, found a workaround with sys-fs/static-dev.

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57
Re: [gentoo-user] Re: update gentoo without network [SOLVED]
On Mon, 18 Jan 2016 19:39:50 +0100, Raffaele BELARDI wrote:
> Just tested, it works:
>
> 1. cp -a /var/db/pkg from system A to removable media
> 2. chroot ; emerge-webrsync ; emerge --fetchonly -uDvN world
> 3. cp -a /usr/portage from removable media to system A
> 4. next week, goto 1

Interesting, that's worthy of an entry in the wiki for anyone else looking to maintain a Gentoo system without Internet access.

I would suggest that you update portage within the chroot. What you are doing is lying to portage about what is actually installed, that shouldn't be a problem most of the time given what you are using it for, but different versions of portage on the two systems may cause problems at some time in the future.

--
Neil Bothwick

Windows Error:01F Reserved for future mistakes.
Re: [gentoo-user] Re: *dev-less gentoo
boxc...@gmx.net:
> On Mon, 18 Jan 2016 19:48:58 +0100 (CET)
> k...@aspodata.se wrote:
...
> > What info is there on @system ?
> > I can change what's in @world, it seems to be the content of
> > /var/lib/portage/world. Is there a similar file for @system ?
>
> It's in /usr/portage/profiles/base/packages -- I think that will be
> overwritten when profiles are updated, so I don't think it helps you.

Great, thanks. Would it work to have that in an overlay, ehh, something ?

> Would putting virtual/dev-manager into packages.provided work to solve
> your problem? (I phrase it as a question because I've never used
> packages.provided.)

No, then packages that actually need it would be fooled.
I found a workaround in the sys-fs/static-dev package.

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57
[gentoo-user] Re: *dev-less gentoo
On Mon, 18 Jan 2016 19:48:58 +0100 (CET)
k...@aspodata.se wrote:
> Francisco Ares:
> > 2016-01-18 15:15 GMT-02:00:
> >
> > > # emerge -auDN @system
> > > ...
> > > [ebuild N ] virtual/dev-manager-0
> > >
> > > How can I get rid of dev-manager-0 from @system ?
> ...
> > Try updating to a new kernel.
> >
> > I'm saying this because of the output of equery d
> > virtual/dev-manager on my system:
> >
> > ~ $ equery d virtual/dev-manager
> > * These packages depend on virtual/dev-manager:
> > sys-kernel/gentoo-sources-3.18.9 (virtual/dev-manager)
> > sys-kernel/gentoo-sources-3.18.12 (virtual/dev-manager)
>
> Not so here:
>
> # equery d virtual/dev-manager
> * These packages depend on virtual/dev-manager:
> #
>
> ///
>
> What info is there on @system ?
> I can change what's in @world, it seems to be the content of
> /var/lib/portage/world. Is there a similar file for @system ?

It's in /usr/portage/profiles/base/packages -- I think that will be overwritten when profiles are updated, so I don't think it helps you.

Would putting virtual/dev-manager into packages.provided work to solve your problem? (I phrase it as a question because I've never used packages.provided.)