Kernel compilation problem

2018-08-01 Thread Taren
I'm running Stretch, with kernel 4.9.0.7, and am trying to compile a new 
kernel (preferably 4.17.11) into which I can boot.



The kernel builds successfully, but whenever I try booting into the new 
kernel, I end up in emergency mode, with the error



Unit dev-disk-by\x2duuid-.device has failed.

The result is timeout.


This device is an md device, with two mirrors (each 2.7T in size).  The 
submirrors are present when I boot into 4.9.0.7 (installed when the 
system was built).


However, they do not appear to be visible under any kernel which I build 
and try to boot into.



I've tried setting LBDAF in the kernel configuration, but that requires 
that a 32bit kernel be built (and x64 deselected), and I'm running on an 
AMD 8350 chip, which is x86_64.



Kernel 4.9.0.7 does not have LBDAF set (and x64 is set), yet it's able 
to see my 2.7T drives, and my raid device mounts with no problem.



Would someone point me in the correct direction for configuring a new 
kernel, so that my 2T+ drives are visible?



Thanks


Taren



Trouble with multistrap and even apt-get

2018-08-01 Thread Tabor Kelly

Hello,

What I really want is for this to work (it works without the --source-dir):

mkdir packages && multistrap -f /usr/share/multistrap/stretch.conf -d
./chroot --source-dir ./packages > multistrap_log.txt 2>&1

However, apt-get fails to find the source packages, but I can't figure
out why. I copied /usr/sbin/multistrap and edited it to see that this is
the command that is failing:

APT_CONFIG=/tmp/multistrap.I7F4HN apt-get  -o Apt::Architecture=amd64 -o
Dir::Etc::TrustedParts=/work/multistrap.debug/chroot/etc/apt/trusted.gpg.d
-o Dir::Etc::Trusted=/work/multistrap.debug/chroot/etc/apt/trusted.gpg
-o Apt::Get::Download-Only=true -o Apt::Install-Recommends=false -o
Dir=/work/multistrap.debug/chroot/ -o
Dir::Etc=/work/multistrap.debug/chroot/etc/apt/ -o
Dir::Etc::Parts=/work/multistrap.debug/chroot/etc/apt/apt.conf.d/ -o
Dir::Etc::PreferencesParts=/work/multistrap.debug/chroot/etc/apt/preferences.d/
-o APT::Default-Release='*' -o
Dir::State=/work/multistrap.debug/chroot/var/lib/apt/ -o
Dir::State::Status=/work/multistrap.debug/chroot/var/lib/dpkg/status -o
Dir::Cache=/work/multistrap.debug/chroot/var/cache/apt/ -d source acl

I can reproduce this on the command-line. If I do the (carefully
crafted) apt-get update and then this apt-get source I see the same
failure, but I'm really scratching my head as to why? I can see the
deb-src line in
/work/multistrap/chroot/etc/apt/sources.list.d/multistrap-debian.list,
If I strace apt-get install source I can see it opening
/work/multistrap.debug/chroot/var/lib/apt/lists/http.debian.net_debian_dists_stretch_main_source_Sources.lz4.
If I decompress
http.debian.net_debian_dists_stretch_main_source_Sources.lz4 I see the
package that it says that it can't find.

What am I missing? I am happy to find a place to post any of the files
that people are interested in looking at.

Thanks,

Tabor

PS - This is on an up-to-date stretch system but I also saw the same
behavior on my Ubuntu 18.04 system.

multistrap 2.2.9 using /usr/share/multistrap/stretch.conf
multistrap 2.2.9 using /usr/share/multistrap/stretch.conf
Defaulting architecture to native: amd64
multistrap building amd64 multistrap on 'amd64'
I: Setting /work/multistrap/chroot/lib64 -> /work/multistrap/chroot/lib 
symbolic link.
I: Downloading debian-archive-keyring 
Get:1 http://deb.debian.org/debian stretch/main amd64 debian-archive-keyring 
all 2017.5 [56.4 kB]
Fetched 56.4 kB in 0s (420 kB/s)
W: Download is performed unsandboxed as root as file 
'/work/multistrap/debian-archive-keyring_2017.5_all.deb' couldn't be accessed 
by user '_apt'. - pkgAcquire::Run (13: Permission denied)
Getting package lists: APT_CONFIG=/tmp/multistrap.QCJ7PU apt-get  -o 
Apt::Architecture=amd64 -o 
Dir::Etc::TrustedParts=/work/multistrap/chroot/etc/apt/trusted.gpg.d -o 
Dir::Etc::Trusted=/work/multistrap/chroot/etc/apt/trusted.gpg -o 
Apt::Get::Download-Only=true -o Apt::Install-Recommends=false -o 
Dir=/work/multistrap/chroot/ -o Dir::Etc=/work/multistrap/chroot/etc/apt/ -o 
Dir::Etc::Parts=/work/multistrap/chroot/etc/apt/apt.conf.d/ -o 
Dir::Etc::PreferencesParts=/work/multistrap/chroot/etc/apt/preferences.d/ -o 
APT::Default-Release='*' -o Dir::State=/work/multistrap/chroot/var/lib/apt/ -o 
Dir::State::Status=/work/multistrap/chroot/var/lib/dpkg/status -o 
Dir::Cache=/work/multistrap/chroot/var/cache/apt/ update
Ign:1 http://cdn-fastly.deb.debian.org/debian stretch InRelease
Get:2 http://cdn-fastly.deb.debian.org/debian stretch Release [118 kB]
Get:3 http://cdn-fastly.deb.debian.org/debian stretch Release.gpg [2434 B]
Get:4 http://cdn-fastly.deb.debian.org/debian stretch/main Sources [6758 kB]
Get:5 http://cdn-fastly.deb.debian.org/debian stretch/main amd64 Packages [7099 
kB]
Get:6 http://cdn-fastly.deb.debian.org/debian stretch/main Translation-en [5393 
kB]
Fetched 19.4 MB in 3s (6107 kB/s)
Reading package lists...
I: Calculating required packages.
APT_CONFIG=/tmp/multistrap.QCJ7PU apt-get  -o Apt::Architecture=amd64 -o 
Dir::Etc::TrustedParts=/work/multistrap/chroot/etc/apt/trusted.gpg.d -o 
Dir::Etc::Trusted=/work/multistrap/chroot/etc/apt/trusted.gpg -o 
Apt::Get::Download-Only=true -o Apt::Install-Recommends=false -o 
Dir=/work/multistrap/chroot/ -o Dir::Etc=/work/multistrap/chroot/etc/apt/ -o 
Dir::Etc::Parts=/work/multistrap/chroot/etc/apt/apt.conf.d/ -o 
Dir::Etc::PreferencesParts=/work/multistrap/chroot/etc/apt/preferences.d/ -o 

Re: Volume indicator in XFCE4

2018-08-01 Thread rv riveravaldez
2018-07-31 17:19 GMT-03:00 Julian Daich :
> Hello,
>
> The volume indicator doesn't show up for me in Sid. How do I get it to
> appear in the notification area?
>
> Regards,
>
> Julián
>
> --
> Julian
>

Just in case, try 'alsamixer' (without quotes) in a terminal, to see
whether the audio works properly.

Then, in XFCE I seem to recall that the volume indicator was a plugin
(or whatever you want to call it) of the bottom panel: look for it with
a right-click among the options that appear in the menu.

Regards



Re: how to prevent security update installation during stretch installation

2018-08-01 Thread David Christensen

On 08/01/2018 01:00 AM, Long Wind wrote:

I don't like security updates because I suspect they cause problems (some packages 
can't be installed) during stretch installation last time


I suggest that you obtain the debian-9.5.0-amd64-xfce-CD-1.iso image 
(via jigdo), burn it to CD/USB, configure your Internet gateway to block 
the target host from connecting to the Internet, and install from local 
media only (e.g. do not select a package mirror during installation):


https://www.debian.org/CD/jigdo-cd/


If it works, you're done.  If it doesn't, start working backwards 
through the releases -- e.g. 9.4.0, 9.3.0, 9.2.0, etc.:


https://cdimage.debian.org/cdimage/archive/


David



Re: update hell

2018-08-01 Thread Ben Caradoc-Davies

On 02/08/18 13:05, Default User wrote:

So, if apt-get is for non-trivial upgrades, then why not for daily use?


I use it daily and for trivial upgrades.


Not efficient to have multiple choices. Debian, please choose one and
deprecate the others.


Debian is all about multiple choices. Debian tries to include everything 
that meets the DFSG, from choice of init system, filesystems, servers, 
to desktop. Debian is inclusive.


Choice reduces happiness:
https://www.ted.com/talks/dan_gilbert_asks_why_are_we_happy

For enhanced new-user happiness, other distributions provide more 
curated selections. Once users have become accustomed to a curated 
subset, the breadth and flexibility of Debian makes it easy to reproduce 
a selection found in a more limited distribution.



I patiently await your hate mail.


You did not mention systemd; no hate mail for you!  ;-)

Kind regards,

--
Ben Caradoc-Davies 
Director
Transient Software Limited 
New Zealand



Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-01 Thread David Christensen

On 08/01/2018 03:47 PM, Carles Pina i Estany wrote:

Hi,


Hello.  :-)



I have a Debian Stretch and recently I added a new cyphered partition.
All works well but I don't understand why and it's bothering me.

Setup:
$ cat /etc/crypttab
m2_root_crypt UUID=4e655198-a111-... none luks,discard
m2_swap_crypt UUID=56485640-8a04-... none luks,discard
ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard

All three partitions have the same passphrase.

On restart I'm asked for two passwords:
m2_root_crypt
m2_swap_crypt


You should have set up your encrypted swap partition to use a random 
passphrase every boot.  (A side benefit is that you never have to enter 
a passphrase for swap.)



The Debian Installer for Stretch put the following line in my crypttab:

sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap


I changed the source device field to point to a path under 
/dev/disk/by-id so that my swap partition is found even if the /dev/sd* 
entries change (which can happen when I move or add disks):


sda2_crypt /dev/disk/by-id/ata-INTEL_SSDSC2CW060A3_**-part2 /dev/urandom cipher=aes-xts-plain64,size=256,swap




The question is:
"Please unlock disk m2_root_crypt:"

I expected to write the password three times.


Given your crypttab, above, I agree that you should have to enter three 
passphrases.




My only theory is that after the root partition is decyphered it's also
mounted and then systemd-ask-password is used somehow (how?) and
--keyname= is used to "Configure a kernel keyring key name". I haven't
tested or seen scripts that do this.

I'm reading initrd scripts/local-top/cryptroot and bin/cryptoot-unlock
(where I can see the string "Please unlock disk") and I don't see
anything like this happening. Maybe initrd lib/cryptsetup/askpass is
doing it?

A question would be:
a) How to enter the passphrase only once?
b) When/where (scripts) and how is the passphrase stored?

This is just to know as the system is working perfectly.

Thanks for reading all of this!


My guess is that you made a mistake and stepped on your encrypted 
container (ssd_dades_crypt?) when you created the new file system.  Did 
you keep a copy of your console session?  Posting it would help.



Please run the following commands and post your console session 
(substitute DIR with the directory where your new file system is mounted):


# grep crypt /etc/fstab

# ll /dev/mapper

# mount | grep DIR


David
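
Added example, not part of David's message: a shell lint that classifies crypttab entries by the two points raised above, whether the key field asks for a typed passphrase or a random key, and whether the source device uses a /dev/sdX-style name that can change. The sample entries are constructed from the lines quoted in the thread with placeholder UUIDs, and the function names are hypothetical.

```shell
#!/bin/sh
# crypttab(5) fields: <target name> <source device> <key file> <options>

# Constructed sample: the three "none" entries and the random-key swap entry
# quoted in the thread, with placeholder UUIDs.
sample_crypttab() {
cat <<'EOF'
# <target> <source> <key file> <options>
m2_root_crypt UUID=00000000-0000-0000-0000-000000000001 none luks,discard
m2_swap_crypt UUID=00000000-0000-0000-0000-000000000002 none luks,discard
ssd_dades_crypt UUID=00000000-0000-0000-0000-000000000003 none luks,discard
sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap
EOF
}

# classify < crypttab
# Prints "target key-class device-naming" for every entry.
#   key-class:     prompt  (typed passphrase), random (new key every boot),
#                  keyfile (key read from a file)
#   device-naming: kernel-name (/dev/sdX style, can change when disks move),
#                  stable-name (UUID=, /dev/disk/by-id/..., /dev/mapper/...)
classify() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    {
        if ($3 == "" || $3 == "none" || $3 == "-") key = "prompt"
        else if ($3 == "/dev/urandom" || $3 == "/dev/random") key = "random"
        else key = "keyfile"

        if ($2 ~ /^\/dev\/(sd|hd|vd)[a-z]/) dev = "kernel-name"
        else dev = "stable-name"

        print $1, key, dev
    }'
}

# count_prompts < crypttab : entries configured for a typed passphrase
count_prompts() {
    classify | awk '$2 == "prompt" { n++ } END { print n + 0 }'
}

# unstable_targets < crypttab : targets whose source is a kernel device name
unstable_targets() {
    classify | awk '$3 == "kernel-name" { print $1 }' | paste -sd' ' -
}

# Report on the sample; on a real system feed /etc/crypttab instead.
sample_crypttab | classify
echo "entries configured to prompt: $(sample_crypttab | count_prompts)"
echo "kernel-named sources: $(sample_crypttab | unstable_targets)"
```
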



Re: a dh keys question?

2018-08-01 Thread Karen Lewellen
There is no error at all in any way shape or form that I am given 
indicating that there is a key range overflow.
I have successfully reached  locations with various editions of openssh, 
including in the 7 plus range...on a different port. 
There are some indications likewise that my ISP indeed blocked port 22 and 
21 access for what they consider non standard applications i. e. Linux, 
which is not on my desktop, or DOS, which is on my desktop.

I cannot update what does not exist for me.
I can however invest resources  where the solution  I have discovered does 
exist.
Karen



On Thu, 2 Aug 2018, Dan Purgert wrote:


Karen Lewellen wrote:

1.
I am not using Linux, but an ssh client compiled from a combination of
tools, Linux and otherwise, including putty.
I have been very firm in not stating that I use Linux at all.


Kind of a bad move, what with this being a Debian (Linux) mailing list.
Lot of wasted effort would've been saved.


In fact the first sentence of my question stated that while the issue is
complex, the question, where dh keys are generated, was simple.


They're generated on the fly at the time of connection.  The server and
client each (should) have a "moduli" file somewhere, where they can seed
the DH key generation from (in whichever version of Debian I'm running
on this test box, it happens to be /etc/ssh/moduli)


2. I can state firmly that the port number  has absolutely a great  deal
to do with my issue.


You can say that til you're blue in the face, it doesn't make you
correct though.  As I said before, the selection of a standard vs.
nonstandard port for ssh (or, any service for that matter) has no
bearing on the Diffie-Hellman Key Exchange portion of the handshake.


best evidence?  you're getting this e-mail at all.


I assume you mean to imply that you're ssh'd into some remote host and
it just so happens to be running a service on a nonstandard port.  See
above for the refutation of this claim.


I am writing using a shell service that uses Ubuntu 16.04 as its
platform...same as dreamhost.
we do not use port 22 here, and I can use my ssh client to reach my
workspace..doing such as we speak..
Likewise  an associate who hosts their  own servers created a temp account
for   me, using port 4460...worked perfectly.
I respect other factors might  be involved, but my goal is the swiftest
solution that lets us move our services from dreamhost somewhere else to
which I can ssh from my desktop/
If choosing a location with a port other than 22 solves the issue, it is
good enough for me.


The thing is, it's NOT the selection of the port that's making it work
(or not) - it's a difference between your SSH client and the server's
acceptable range for key moduli.

For Openssh 6.7p1
 DH_GRP_MIN  1024
 DH_GRP_MAX  8192


For Openssh 7.4
 DH_GRP_MIN 2048
 DH_GRP_MIN 8192

Since you're running a series of ssh clients (? ... or an amalgamation of
all of them ...?), it's up to you to check the various changelogs of
them to see if you need updates (or if they've been abandoned or ... )


--
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281






Re: a dh keys question?

2018-08-01 Thread Dan Purgert
Karen Lewellen wrote:
> 1.
> I am not using Linux, but an ssh client compiled from a combination of 
> tools, Linux and otherwise, including putty.
> I have been very firm in not stating that I use Linux at all.

Kind of a bad move, what with this being a Debian (Linux) mailing list.
Lot of wasted effort would've been saved.

> In fact the first sentence of my question stated that while the issue is 
> complex, the question, where dh keys are generated, was simple.

They're generated on the fly at the time of connection.  The server and
client each (should) have a "moduli" file somewhere, where they can seed
the DH key generation from (in whichever version of Debian I'm running
on this test box, it happens to be /etc/ssh/moduli)

> 2. I can state firmly that the port number  has absolutely a great  deal 
> to do with my issue.

You can say that til you're blue in the face, it doesn't make you
correct though.  As I said before, the selection of a standard vs.
nonstandard port for ssh (or, any service for that matter) has no
bearing on the Diffie-Hellman Key Exchange portion of the handshake.

> best evidence?  you're getting this e-mail at all.

I assume you mean to imply that you're ssh'd into some remote host and
it just so happens to be running a service on a nonstandard port.  See
above for the refutation of this claim.

> I am writing using a shell service that uses Ubuntu 16.04 as its 
> platform...same as dreamhost.
> we do not use port 22 here, and I can use my ssh client to reach my 
> workspace..doing such as we speak..
> Likewise  an associate who hosts their  own servers created a temp account 
> for   me, using port 4460...worked perfectly.
> I respect other factors might  be involved, but my goal is the swiftest 
> solution that lets us move our services from dreamhost somewhere else to 
> which I can ssh from my desktop/
> If choosing a location with a port other than 22 solves the issue, it is 
> good enough for me.

The thing is, it's NOT the selection of the port that's making it work
(or not) - it's a difference between your SSH client and the server's
acceptable range for key moduli.  

For Openssh 6.7p1
  DH_GRP_MIN  1024
  DH_GRP_MAX  8192


For Openssh 7.4
  DH_GRP_MIN 2048
  DH_GRP_MIN 8192

Since you're running a series of ssh clients (? ... or an amalgamation of
all of them ...?), it's up to you to check the various changelogs of
them to see if you need updates (or if they've been abandoned or ... )


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
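
Added example, not part of Dan's post and not OpenSSH code: a shell audit of a moduli(5) file against the DH_GRP_MIN/DH_GRP_MAX bounds quoted above. The sample lines are constructed, the function names are hypothetical, and `can_agree` is a simplified model of group selection rather than the server's actual logic.

```shell
#!/bin/sh
# moduli(5) line format:
#   time type tests trials size generator modulus
# OpenSSH treats the group as one bit longer than the size field, so a
# 2048-bit group is stored with size 2047.

DH_GRP_MIN=2048   # lower bound quoted in the thread for OpenSSH 7.4
DH_GRP_MAX=8192   # upper bound quoted in the thread

# Constructed sample input: the moduli are shortened placeholders, not primes.
sample_moduli() {
cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20180101000000 2 6 100 1023 2 F1A3
20180101000001 2 6 100 1535 5 C07B
20180101000002 2 6 100 2047 2 D9E1
20180101000003 2 6 100 3071 2 A4F7
20180101000004 2 6 100 4095 5 B2C3
EOF
}

# group_bits < moduli : bit length of every group, one per line
group_bits() {
    awk '!/^#/ && NF >= 7 { print $5 + 1 }'
}

# count_in_range LO HI < moduli : number of groups with LO <= bits <= HI
count_in_range() {
    group_bits | awk -v lo="$1" -v hi="$2" \
        '$1 >= lo && $1 <= hi { n++ } END { print n + 0 }'
}

# list_weak MIN < moduli : distinct bit lengths below MIN, space separated
list_weak() {
    group_bits | awk -v min="$1" '$1 < min' | sort -nu | paste -sd' ' -
}

# filter_moduli MIN < moduli : keep comments and groups of at least MIN bits
filter_moduli() {
    awk -v min="$1" '/^#/ || (NF >= 7 && $5 + 1 >= min)'
}

# can_agree CLIENT_MIN CLIENT_MAX < moduli
# Simplified model (assumption): the client's requested range is clamped to
# DH_GRP_MIN..DH_GRP_MAX and the exchange works only if a stored group
# falls inside what is left. Prints "yes" or "no".
can_agree() {
    lo=$1
    hi=$2
    if [ "$lo" -lt "$DH_GRP_MIN" ]; then lo=$DH_GRP_MIN; fi
    if [ "$hi" -gt "$DH_GRP_MAX" ]; then hi=$DH_GRP_MAX; fi
    if [ "$(count_in_range "$lo" "$hi")" -gt 0 ]; then
        echo yes
    else
        echo no
    fi
}

# Report on the sample; on a real host feed /etc/ssh/moduli instead.
echo "usable groups: $(sample_moduli | count_in_range "$DH_GRP_MIN" "$DH_GRP_MAX")"
echo "below minimum: $(sample_moduli | list_weak "$DH_GRP_MIN")"
echo "client 1024..1024: $(sample_moduli | can_agree 1024 1024)"
echo "client 1024..8192: $(sample_moduli | can_agree 1024 8192)"
```
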



Re: update hell

2018-08-01 Thread Default User
Deep thoughts:

Debian docs seem to say that apt-get is best for significant upgrades.

Why?

But that aptitude is best for daily package management.

Why?

So, if apt-get is for non-trivial upgrades, then why not for daily use?

And if aptitude is preferred for daily use, why not for serious upgrades?

Not efficient to have multiple choices. Debian, please choose one and
deprecate the others.

I patiently await your hate mail.


On Wed, Aug 1, 2018, 03:53 Joe  wrote:

> On Wed, 1 Aug 2018 15:14:57 +1200
> Ben Caradoc-Davies  wrote:
>
> > On 01/08/18 11:11, Default User wrote:
>
> >
> > synaptic? No love for synaptic?
> >
> > > Would Debian please just settle on one, and stick with it?
> >
> > They do different things at different levels and seem to play nicely
> > together.
> >
>
> Indeed. I use apt-get, aptitude, synaptic and occasionally dpkg, as the
> purpose requires.
>
> If I have time, in the situation described in this thread I use
> synaptic to install whatever isn't held up. I just pick likely-looking
> packages and install them, backing off if I get a list of removals.
> Aptitude interactive can do exactly the same, but I'm more comfortable
> with synaptic.
>
> I do actually use upgrade-system for routine upgrades, and switch to
> synaptic when necessary. On my server, I don't have synaptic, but
> being stable, I don't ever see this problem, either. For a simple
> installation of a package whose name I know, I use aptitude. For
> upgrading an unstable that hasn't been upgraded for a few months, I'd
> use apt-get, as aptitude clogs up when presented with hundreds of
> packages to sort out dependencies for. For a broken package that is
> beyond the abilities of the apt tools, dpkg is less intelligent and
> usually brutal enough to remove it. Horses for courses...
>
> --
> Joe
>
>


Re: luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-01 Thread Matthew Crews
On 8/1/18 3:47 PM, Carles Pina i Estany wrote:
> 
> Hi,
> 
> I have a Debian Stretch and recently I added a new cyphered partition.
> All works well but I don't understand why and it's bothering me.

*snip*

> A question would be:
> a) How to enter the passphrase only once?
> b) When/where (scripts) and how is the passphrase stored?

a) Short version:

Use LVM to set up your partitions. This can be done in the installer.
Have your overall hierarchy look like this:

Raw disk (/dev/sda)
 |
LUKS partition (/dev/sdaX) + /boot partition (likely /dev/sda1)
 |
LVM Physical Volume (/dev/LVM)
 |
LVM Logical Volumes (/dev/LVM/root mounted as /, and /dev/LVM/swap
mounted as /swap)


Long version:

Here is an example of how an encrypted LVM partition can look. We will
look at how I have it set up.

First, output of lsblk:

matthew@matt-tower:~$ lsblk /dev/sda
NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                       8:0    0 465.8G  0 disk
├─sda1                    8:1    0 953.7M  0 part  /boot
├─sda2                    8:2    0     1K  0 part
└─sda5                    8:5    0 464.8G  0 part
  └─sda5_crypt          254:0    0 464.8G  0 crypt
    ├─root--swap-root   254:1    0   447G  0 lvm   /
    └─root--swap-swap   254:2    0  17.8G  0 lvm   [SWAP]

sda1 is /boot (necessary as encrypted /boot is not really possible right
now), sda2 is an unused 1K partition (necessary due to partitioning
oddities, don't worry about it), and sda5 is my actual encrypted
partition. sda5 then has a LUKS encrypted partition called sda5_crypt.
Within the LUKS partition, is a LVM group called root-swap, which we can
see when we run pvdisplay:

matthew@matt-tower:~$ sudo pvdisplay
  --- Physical volume ---
  PV Name   /dev/mapper/sda5_crypt
  VG Name   root-swap
  PV Size   464.83 GiB / not usable 2.00 MiB
  Allocatable   yes (but full)
  PE Size   4.00 MiB
  Total PE  118995
  Free PE   0
  Allocated PE  118995
  PV UUID   XX------XX

Within this LVM group are two sub partitions, which act as my /root and
/swap partitions.

matthew@matt-tower:~$ sudo lvdisplay
  --- Logical volume ---
  LV Path                /dev/root-swap/root
  LV Name                root
  VG Name                root-swap
  LV UUID                XX------XX
  LV Write Access        read/write
  LV Creation host, time matt-tower, 2018-06-25 10:24:13 -0700
  LV Status              available
  # open                 1
  LV Size                447.04 GiB
  Current LE             114441
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:1

  --- Logical volume ---
  LV Path                /dev/root-swap/swap
  LV Name                swap
  VG Name                root-swap
  LV UUID                XX------XX
  LV Write Access        read/write
  LV Creation host, time matt-tower, 2018-06-25 10:24:19 -0700
  LV Status              available
  # open                 2
  LV Size                17.79 GiB
  Current LE             4554
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           254:2

Lastly, the output of my /etc/crypttab and /etc/fstab

matthew@matt-tower:~$ cat /etc/crypttab
sda5_crypt UUID=ea2034e1-c550-466c-b9a4-61c40f0891b6 none luks

matthew@matt-tower:~$ cat /etc/fstab
#
/dev/mapper/root--swap-root /   ext4 discard,errors=remount-ro 0   1
# /boot was on /dev/sda1 during installation
UUID=5c24b6a3-f1ec-42b7-9d03-251295853167 /boot   ext2 noatime,nodiratime 0   2
/dev/mapper/root--swap-swap none swap sw 0 0

Here is the overall hierarchy:

Raw disk (/dev/sda)
 |
LUKS partition (/dev/sda5)
 |
LVM Physical Volume (/dev/root-swap)
 |
LVM Logical Volumes (/dev/root-swap/root mounted as /, and
/dev/root-swap/swap mounted as /swap)

At boot time, /boot is automatically mounted, and when it is time to
mount /, it will ask for the LUKS partition password. Once unlocked, it
will mount the LVM physical volume, then subsequently mount both LVM
logical volumes in one swoop. One password for two logical partitions.



b) Read the manpage for cryptsetup. It has everything you need to
understand how LUKS encryption works.


Cheers,

-Matt




Re: a dh keys question?

2018-08-01 Thread Karen Lewellen

1.
I am not using Linux, but an ssh client compiled from a combination of 
tools, Linux and otherwise, including putty.

I have been very firm in not stating that I use Linux at all.
In fact the first sentence of my question stated that while the issue is 
complex, the question, where dh keys are generated, was simple.
2. I can state firmly that the port number  has absolutely a great  deal 
to do with my issue.

best evidence?  you're getting this e-mail at all.
I am writing using a shell service that uses Ubuntu 16.04 as its 
platform...same as dreamhost.
we do not use port 22 here, and I can use my ssh client to reach my 
workspace..doing such as we speak..
Likewise  an associate who hosts their  own servers created a temp account 
for   me, using port 4460...worked perfectly.
I respect other factors might  be involved, but my goal is the swiftest 
solution that lets us move our services from dreamhost somewhere else to 
which I can ssh from my desktop.
If choosing a location with a port other than 22 solves the issue, it is 
good enough for me.

Karen



On Thu, 2 Aug 2018, Dan Purgert wrote:


Karen Lewellen wrote:

Hi,

On Wed, 1 Aug 2018, Dan Ritter wrote:


She's been asked for logs and exact error message several times
now, and has not provided any.

That is because according to the locations I am trying to visit, i. e.
our organizations new server with pair network,  my attempts are not
producing logs at all.


The output when you run the command "ssh -vv" is the log information
that we're asking for.  It's spit out right there on your stderr.  You
can then copy/paste that into a message for us to read.

Now, if you're not using the (linux) command-line ssh client, it would
be kind of a good idea to tell us this information (if you already did,
I apologize, as I missed it).


[...]
Remote host closed connection
DH Key exchange failed
remote reset connection.
that is all I am getting .
As for my comment in another post about the fastest solution, that refers
to finding a hosting company for our office that provides server  access
that does not use port 22.


Using a port other than 22 has absolutely zero to do with the
diffie-hellman error you are receiving.  If you would run the ssh
commands with higher verbosity (IIRC, minimally "-vv"), you would see
the actual error.

If you feel like testing this assertion out, feel free to ssh as
ka...@djph.net. Also try ka...@djph.net:2022 (both are non-existent
accounts).

Both ports forward to the same relatively modern server (ssh version
6.7p1+), and I fully expect you to get the error:
   "Permission Denied (publickey)"

Although, that being said, they are also running pretty limited sets of
allowed ciphers/kexalgos/micalgs ... so if it is indeed your client that
is old, you may get some other error, such as a Diffie-Hellman
out-of-range error.

Again, the proper minimal command to get the full logs for review would be

   ssh -vv ka...@djph.net

or

   ssh -vv -p 2022 ka...@djph.net


--
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281






Re: a dh keys question?

2018-08-01 Thread Dan Purgert
Karen Lewellen wrote:
> Hi,
>
> On Wed, 1 Aug 2018, Dan Ritter wrote:
>
>> She's been asked for logs and exact error message several times
>> now, and has not provided any.
> That is because according to the locations I am trying to visit, i. e. 
> our organizations new server with pair network,  my attempts are not 
> producing logs at all.

The output when you run the command "ssh -vv" is the log information
that we're asking for.  It's spit out right there on your stderr.  You
can then copy/paste that into a message for us to read.

Now, if you're not using the (linux) command-line ssh client, it would
be kind of a good idea to tell us this information (if you already did,
I apologize, as I missed it).

> [...]
> Remote host closed connection
> DH Key exchange failed
> remote reset connection.
> that is all I am getting .
> As for my comment in another post about the fastest solution, that refers 
> to finding a hosting company for our office that provides server  access 
> that does not use port 22.

Using a port other than 22 has absolutely zero to do with the
diffie-hellman error you are receiving.  If you would run the ssh
commands with higher verbosity (IIRC, minimally "-vv"), you would see
the actual error.

If you feel like testing this assertion out, feel free to ssh as
ka...@djph.net. Also try ka...@djph.net:2022 (both are non-existent
accounts).

Both ports forward to the same relatively modern server (ssh version
6.7p1+), and I fully expect you to get the error:
"Permission Denied (publickey)"

Although, that being said, they are also running pretty limited sets of
allowed ciphers/kexalgos/micalgs ... so if it is indeed your client that
is old, you may get some other error, such as a Diffie-Hellman
out-of-range error.

Again, the proper minimal command to get the full logs for review would be 

ssh -vv ka...@djph.net

or

ssh -vv -p 2022 ka...@djph.net


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: Set the MTU on the interface

2018-08-01 Thread Michael Stone

On Wed, Aug 01, 2018 at 01:28:17PM +0300, Алексей wrote:

Well, I can't use the pre-up directive without the iface statement. Or I can
use one on the first vlan interface however it seems not very obvious decision
to maintain it later.


You can actually put it on all of the interfaces that need the larger 
mtu; calling it repeatedly is a no-op.



I followed the advice by Pascal Hambourg (setting the
iface statement to manual) and it worked.


That also works. At one time ifupdown didn't have interface dependencies 
so this was a potential gotcha in corner cases, but I think it should be 
fine now.


Mike Stone



luks, crypttab: why 3 partition only 2 passphrases entered

2018-08-01 Thread Carles Pina i Estany


Hi,

I have a Debian Stretch and recently I added a new cyphered partition.
All works well but I don't understand why and it's bothering me.

Setup:
$ cat /etc/crypttab
m2_root_crypt UUID=4e655198-a111-... none luks,discard
m2_swap_crypt UUID=56485640-8a04-... none luks,discard
ssd_dades_crypt UUID=8d1d855d-17a7-... none luks,discard

All three partitions have the same passphrase.

On restart I'm asked for two passwords:
m2_root_crypt
m2_swap_crypt

The question is:
"Please unlock disk m2_root_crypt:"

I expected to write the password three times.

My only theory is that after the root partition is decyphered it's also
mounted and then systemd-ask-password is used somehow (how?) and
--keyname= is used to "Configure a kernel keyring key name". I haven't
tested or seen scripts that do this.

I'm reading initrd scripts/local-top/cryptroot and bin/cryptoot-unlock
(where I can see the string "Please unlock disk") and I don't see
anything like this happening. Maybe initrd lib/cryptsetup/askpass is
doing it?

A question would be:
a) How to enter the passphrase only once?
b) When/where (scripts) and how is the passphrase stored?

This is just to know as the system is working perfectly.

Thanks for reading all of this!

-- 
Carles Pina i Estany
Web: http://pinux.info || Blog: http://pintant.cat
GPG Key 0x8CD5C157



Re: Specifying multiple NICs

2018-08-01 Thread Brian
On Wed 01 Aug 2018 at 19:54:03 +0100, Darac Marjal wrote:

> On Wed, Aug 01, 2018 at 12:00:41PM -0400, Mark Neidorff wrote:
> > I'm setting up a "just in case" replacement mailserver for my domain and my
> > local network.  I'm using Debian Jessie, because the latest instructions for
> > setting the mailserver (qmail) are written for Jessie.  The mailserver has 2
> > NICs (one for local network, and one for Internet).
> > 
> > In the past,  I referred to each NIC as eth0, eth1,. but now, these names
> > are not permanent, and the designation can change on boot.  I looked at the
> > "Network Configuration" document which didn't have a solution.  So, either how
> > do I make the names for the NICs permanent or what do I use for the names of
> > the NICs?
> 
> In my opinion, the most "debian" way is to do the following in
> /etc/network/interfaces:
> 
> rename eth0=localnet
> auto localnet
> iface localnet inet static
>   address blahblah
> 
> rename eth1=internet
> iface internet inet dhcp
>   and so on

Is rename part of the file format of interfaces on jessie?

-- 
Brian.



Re: a dh keys question?

2018-08-01 Thread Karen Lewellen

Hi,

On Wed, 1 Aug 2018, Dan Ritter wrote:


She's been asked for logs and exact error message several times
now, and has not provided any.
That is because according to the locations I am trying to visit, i. e. 
our organizations new server with pair network,  my attempts are not 
producing logs at all.
I did provide them with the errors real time, as at least for the moment, 
I have no other way to capture them.

I did state the error,
Remote host closed connection
DH Key exchange failed
remote reset connection.
that is all I am getting .
As for my comment in another post about the fastest solution, that refers 
to finding a hosting company for our office that provides server  access 
that does not use port 22.

Apparently hostgator is one such company.

 Kare




Re: a dh keys question?

2018-08-01 Thread Dan Purgert
Dan Ritter wrote:
> On Wed, Aug 01, 2018 at 03:16:26PM -0400, Dan Purgert wrote:
>> On August 1, 2018 2:50:39 PM EDT, Karen Lewellen wrote:
>> But without seeing logs, it's kind of impossible to see what's going on.
>
> She's been asked for logs and exact error message several times
> now, and has not provided any.
>
> -dsr-

Indeed.  Kind of defeats the purpose, doesn't it.

The DH thing gave me heartburn for like 3 weeks earlier this year, until
we realized it was the other party using a positively _ancient_ ssh
client.


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



Re: a dh keys question?

2018-08-01 Thread Dan Ritter
On Wed, Aug 01, 2018 at 03:16:26PM -0400, Dan Purgert wrote:
> On August 1, 2018 2:50:39 PM EDT, Karen Lewellen wrote:
> But without seeing logs, it's kind of impossible to see what's going on.

She's been asked for logs and exact error message several times
now, and has not provided any.

-dsr-



Re: a dh keys question?

2018-08-01 Thread john doe

On 8/1/2018 9:16 PM, Dan Purgert wrote:
> On August 1, 2018 2:50:39 PM EDT, Karen Lewellen wrote:
>> Hi,
>> just a slight update..and correction of an idea below.
>>
>> On Wed, 1 Aug 2018, Dan Purgert wrote:
>>
>>> Precisely.  DH failures are typically because one end or the other is
>>> trying to use an "out of bounds" keysize.  E.g. you have a SSH 7.x
>>> client, and the server is 6.0 or lower.
>> Not the case here,
>> as stated the problem exists, on every server I have tried,  that uses
>> port 22.
>
> That doesn't prove or disprove anything about a mismatch between client and
> server versions.
>
>>> The error message is _probably_ something like this, right (note - may
>>> require "ssh -vv" in order to see):
>> not at all.
>> As stated I was able to do this until about 5:00 p. m. on the last Friday
>> of   June.
>> Additionally, one test done this morning, of a server using a port other
>> than   22 proves my concern.  I could reach it perfectly.
>> Granted I intend doing yet another test  on a different server  with only
>> the port number changed. However regardless of where I visit, even when
>> I should have no issues  like the chat.shazow  idea,
>> The error is the same.
>
> As someone else said, it might be your ISP, though if it was them, you'd be
> getting a different error than the Diffie-Hellman key exchange.
>
> But without seeing logs, it's kind of impossible to see what's going on.
>
>>> A simple check to make things work is running the ssh command as
>>
>> My client already allows an option for  some slight dh key manipulation,
>> no difference.
>
> What client are you using that you can change them?  I mean, the DH Key
> Exchange parameters are hard-coded in the openssh source (and cannot be changed
> without recompiling the client).
>
>> I cannot type the command you put here, but  it does not seem to be the
>> fastest solution.
>
> I don't follow what you mean here.
>
> (Apologies to all in case of weird formatting, responding from my mobile)




TL;DR

You seem to use your own domain name, it might be some policy changes 
that restrict the use of ssh and not your ISP.


--
John Doe



Re: a dh keys question?

2018-08-01 Thread Dan Purgert
On August 1, 2018 2:50:39 PM EDT, Karen Lewellen wrote:
>Hi,
>just a slight update..and correction of an idea below.
>
>
>
>On Wed, 1 Aug 2018, Dan Purgert wrote:
>
>> Precisely.  DH failures are typically because one end or the other is
>> trying to use an "out of bounds" keysize.  E.g. you have a SSH 7.x
>> client, and the server is 6.0 or lower.
>Not the case here,
>as stated the problem exists, on every server I have tried,  that uses 
>port 22.
>

That doesn't prove or disprove anything about a mismatch between client and 
server versions.

>>
>> The error message is _probably_ something like this, right (note - may
>> require "ssh -vv" in order to see):
>not at all.
>As stated I was able to do this until about 5:00 p. m. on the last Friday
>of   June.
>Additionally, one test done this morning, of a server using a port other
>than   22 proves my concern.  I could reach it perfectly.
>Granted I intend doing yet another test  on a different server  with only
>the port number changed. However regardless of where I visit, even when
>I should have no issues  like the chat.shazow  idea,
>The error is the same.

As someone else said, it might be your ISP, though if it was them, you'd be 
getting a different error than the Diffie-Hellman key exchange.

But without seeing logs, it's kind of impossible to see what's going on.

>> A simple check to make things work is running the ssh command as
>
>My client already allows an option for  some slight dh key manipulation,
>no difference.

What client are you using that you can change them?  I mean, the DH Key 
Exchange parameters are hard-coded in the openssh source (and cannot be changed 
without recompiling the client).

>I cannot type the command you put here, but  it does not seem to be the 
>fastest solution.

I don't follow what you mean here.

(Apologies to all in case of weird formatting, responding from my mobile)




Re: Specifying multiple NICs

2018-08-01 Thread Brian
On Wed 01 Aug 2018 at 19:57:32 +0200, Pascal Hambourg wrote:

> On 01/08/2018 at 19:32, Brian wrote:
> > On Wed 01 Aug 2018 at 12:00:41 -0400, Mark Neidorff wrote:
> > > 
> > > In the past,  I referred to each NIC as eth0, eth1, ... but now, these names
> > > are not permanent, and the designation can change on boot.  I looked at the
> > > "Network Configuration" document which didn't have a solution.  So, either how
> > > do I make the names for the NICs permanent or what do I use for the names of
> > > the NICs?
> > 
> > Starting with v197, systemd/udev will automatically assign predictable,
> > stable network interface names for all local Ethernet devices. jessie
> > has udev v215. jessie-backports has v230.
> 
> Jessie still has the old persistent naming scheme using
> /lib/udev/rules.d/75-persistent-net-generator.rules and
> /etc/udev/rules.d/70-persistent-net.rules by default, and the new
> predictable naming scheme is disabled (net.ifnames=0). The new predictable
> naming scheme has been enabled by default only since Stretch.

Enable it, then.

Delete /etc/udev/rules.d/70-persistent-network.rules and put
net.ifnames=1 on the kernel command line when booting.

-- 
Brian.



Re: Specifying multiple NICs

2018-08-01 Thread Darac Marjal

On Wed, Aug 01, 2018 at 12:00:41PM -0400, Mark Neidorff wrote:
> I'm setting up a "just in case" replacement mailserver for my domain and my
> local network.  I'm using Debian Jessie, because the latest instructions for
> setting the mailserver (qmail) are written for Jessie.  The mailserver has 2
> NICs (one for local network, and one for Internet).
>
> In the past,  I referred to each NIC as eth0, eth1, ... but now, these names
> are not permanent, and the designation can change on boot.  I looked at the
> "Network Configuration" document which didn't have a solution.  So, either how
> do I make the names for the NICs permanent or what do I use for the names of
> the NICs?

In my opinion, the most "debian" way is to do the following in
/etc/network/interfaces:

rename eth0=localnet
auto localnet
iface localnet inet static
  address blahblah

rename eth1=internet
iface internet inet dhcp
  and so on

> Thanks,
> Mark
> --
> If you finding the going easy, you're probably going downhill.




--
For more information, please reread.




Re: a dh keys question?

2018-08-01 Thread Karen Lewellen

Hi,
just a slight update..and correction of an idea below.



On Wed, 1 Aug 2018, Dan Purgert wrote:

> Precisely.  DH failures are typically because one end or the other is
> trying to use an "out of bounds" keysize.  E.g. you have a SSH 7.x
> client, and the server is 6.0 or lower.

Not the case here,
as stated the problem exists, on every server I have tried,  that uses
port 22.

> The error message is _probably_ something like this, right (note - may
> require "ssh -vv" in order to see):

not at all.
As stated I was able to do this until about 5:00 p. m. on the last  Friday
of   June.
Additionally, one test done this morning, of a server using a port other
than   22 proves my concern.  I could reach it perfectly.
Granted I intend doing yet another test  on a different server  with only
the port number changed. However regardless of where I visit, even  when
I should have no issues  like the chat.shazow  idea,

The error is the same.

> A simple check to make things work is running the ssh command as

My client already allows an option for  some slight dh key manipulation,
no difference.
I cannot type the command you put here, but  it does not seem to be   the
fastest solution.


Kare



Re: What's the deal with the mpfr versioning? libmpfr4 vs. libmpfr6

2018-08-01 Thread David Wright
On Tue 31 Jul 2018 at 16:27:27 (-0400), Stefan Monnier wrote:
> > I can't find any evidence for that without being told where to look.
> 
> It was in the previous message:
> 
> https://packages.debian.org/sid/libmpfr4
> https://packages.debian.org/sid/libmpfr6
> 
> >> Doesn't explain why one says "Package: libmpfr4 (3.1.6-1)" and the other
> >> says "[mpfr4_4.0.1-1.dsc]": both "3.1.6-1" and "4.0.1-1" are Debian
> >> version numbers and they are usually the same.
> >
> > I'm not sure you're quoting from here.
> 
> From https://packages.debian.org/sid/libmpfr4

Oh, OK. I don't know how they maintain the links to sources on the
web page. It looks like they're out of kilter, so it's probably
bug-filing time.

The OP appeared to assert that two different binary packages were
built from the same source, but I could find no *evidence* for
that, ie in the packages themselves.

But just right click on any package, copy and paste its address
into the address bar, rubout the actual filename and you can get to
http://ftp.us.debian.org/debian/pool/main/m/mpfr4/
At the bottom of that page there are sources for 3.1.0-5 (debian),
3.1.0 (original), 3.1.2-2 (debian), 3.1.2 (original), 3.1.5-1 (debian),
3.1.5 (original), 3.1.6-1 (debian), 3.1.6 (original), 4.0.1-1 (debian)
and 4.0.1 (original).

> > That
[the 4.0.1 source code can build both versions under discussion]
> > seems unlikely to me. I'm not going to bother to download the
> > source to find out, but I suspect that the 4 in Packages's "Source:
> > mpfr4" line is spurious,
> 
> Agreed, I hadn't noticed this little "4" in there.  I have no idea what
> it means.  I was only looking at (and talking about) the Debian
> version numbers and the "4" and "6" of "libmpfr4" and "libmpfr6".

It seems plausible that someone thought it should be in there if and
when versions 1 and 4 were being simultaneously supported around the
time of squeeze≡testing. Just speculation.

Cheers,
David.



Re: how to prevent security update installation during stretch installation

2018-08-01 Thread Matthew Crews
On 8/1/18 1:00 AM, Long Wind wrote:
> i don't like security update because i suspect it cause problem (some
> packages can't be installed) during stretch installation last time
> 
> and i've used linux for a long time and i think it's stable even without
> security update. and installing update always takes time and space, and
> it offer little value

I would beg to differ on the "little value" aspect. If you are still
running Debian 9.0 (and not the latest version, 9.5) you are vulnerable
to Meltdown, Spectre, various web browser exploits, and a whole host of
other issues that are documented here:

https://lists.debian.org/debian-security-announce/2017/threads.html
https://lists.debian.org/debian-security-announce/2018/threads.html

If you suspect a specific package has a problem due to a security
update, I would file a bug against that package. But to blindly
disregard security updates is irresponsible and dangerous.




Re: which Debian on a Samsung 500T

2018-08-01 Thread Pascal Hambourg

On 31/07/2018 at 20:21, Bernard Schoenacker wrote:
> From: "Pascal Hambourg"
>> On 31/07/2018 at 18:04, Bernard Schoenacker wrote:
>>> for the ISO image, you have to choose a 32-bit architecture:
>>
>> Why? Doesn't this machine have a 64-bit processor?
>
> it's an Atom CPU and I think it would be wise to go with
> 32 bits for the live CD-ROM test ...

A simple "no" would have been preferable to this ambiguous answer.
Not all Atoms are 32-bit.

> nothing prevents trying a 64-bit ISO image

Well yes, something does, since it is a 32-bit processor.



Re: Specifying multiple NICs

2018-08-01 Thread Pascal Hambourg

On 01/08/2018 at 19:32, Brian wrote:
> On Wed 01 Aug 2018 at 12:00:41 -0400, Mark Neidorff wrote:
>
>> In the past,  I referred to each NIC as eth0, eth1, ... but now, these names
>> are not permanent, and the designation can change on boot.  I looked at the
>> "Network Configuration" document which didn't have a solution.  So, either how
>> do I make the names for the NICs permanent or what do I use for the names of
>> the NICs?
>
> Starting with v197, systemd/udev will automatically assign predictable,
> stable network interface names for all local Ethernet devices. jessie
> has udev v215. jessie-backports has v230.

Jessie still has the old persistent naming scheme using
/lib/udev/rules.d/75-persistent-net-generator.rules and
/etc/udev/rules.d/70-persistent-net.rules by default, and the new
predictable naming scheme is disabled (net.ifnames=0). The new
predictable naming scheme has been enabled by default only since Stretch.

So the behaviour described by the OP is a bit surprising.
Mark, could you elaborate?



Re: Specifying multiple NICs

2018-08-01 Thread Brian
On Wed 01 Aug 2018 at 12:00:41 -0400, Mark Neidorff wrote:

> I'm setting up a "just in case" replacement mailserver for my domain and my 
> local network.  I'm using Debian Jessie, because the latest instructions for 
> setting the mailserver (qmail) are written for Jessie.  The mailserver has 2 
> NICs (one for local network, and one for Internet).
> 
> In the past,  I referred to each NIC as eth0, eth1, ... but now, these names
> are not permanent, and the designation can change on boot.  I looked at the
> "Network Configuration" document which didn't have a solution.  So, either how
> do I make the names for the NICs permanent or what do I use for the names of
> the NICs?

Starting with v197, systemd/udev will automatically assign predictable,
stable network interface names for all local Ethernet devices. jessie
has udev v215. jessie-backports has v230.

-- 
Brian.



RE: Specifying multiple NICs

2018-08-01 Thread Edwin Pers
Toss something like this for each interface into 
/etc/udev/rules.d/10-interface-names.rules

SUBSYSTEM=="net", ACTION=="add",ATTR{address}=="00:25:90:80:2e:a4", NAME="1gig1"

Replace the mac address with the one your interface has.

-Ed

-Original Message-
From: Mark Neidorff  
Sent: Wednesday, August 1, 2018 12:01 PM
To: debian-user@lists.debian.org
Subject: Specifying multiple NICs

I'm setting up a "just in case" replacement mailserver for my domain and my 
local network.  I'm using Debian Jessie, because the latest instructions for 
setting the mailserver (qmail) are written for Jessie.  The mailserver has 2 
NICs (one for local network, and one for Internet).

In the past,  I referred to each NIC as eth0, eth1, ... but now, these names
are not permanent, and the designation can change on boot.  I looked at the
"Network Configuration" document which didn't have a solution.  So, either how
do I make the names for the NICs permanent or what do I use for the names of
the NICs?

Thanks,
Mark
--
If you finding the going easy, you're probably going downhill.
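
The udev rule from Ed's reply above, generalized to a small generator with validation. This is an added example, not part of any message in the thread: the function name `make_nic_rules`, the second MAC address and the name checks are assumptions made here, and the names localnet and internet are borrowed from Darac Marjal's reply. On a dual-homed host a firewall rule bound to an interface name follows the name, so a rule file that is wrong or ambiguous is worth rejecting before it is installed.

```shell
#!/bin/sh
# Added example: build the content of
# /etc/udev/rules.d/10-interface-names.rules from "MAC NAME" pairs on stdin.

# Constructed sample input. The first MAC is the one quoted in the reply
# above; the second is a made-up locally administered address.
sample_pairs() {
cat <<'EOF'
# MAC               NAME
00:25:90:80:2E:A4   localnet
02:00:00:00:00:01   internet
EOF
}

# Print one rule per valid pair. Rejected lines are reported on stderr and
# make the function return non-zero, so a bad file is never half-installed.
make_nic_rules() {
    awk '
    function bad(msg) {
        printf "line %d: %s: %s\n", NR, msg, $0 > "/dev/stderr"
        err = 1
    }
    BEGIN {
        h = "[0-9a-f][0-9a-f]"
        macre = "^" h ":" h ":" h ":" h ":" h ":" h "$"
    }
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    NF != 2 { bad("expected: MAC NAME"); next }
    {
        # sysfs reports the address in lower case, and ATTR{address} is
        # compared against that string, so normalise before emitting.
        mac = tolower($1); name = $2
        if (mac !~ macre) { bad("not a MAC address"); next }
        # Interface names are limited to 15 characters; the character set
        # here is a conservative choice made for this example.
        if (length(name) > 15 || name !~ /^[A-Za-z0-9_.-]+$/) {
            bad("invalid interface name"); next
        }
        # Names in the kernel ethN namespace can collide with a device
        # that has not been renamed yet.
        if (name ~ /^eth[0-9]+$/) { bad("name is in the kernel ethN namespace"); next }
        if (mac in seen_mac || name in seen_name) { bad("duplicate MAC or name"); next }
        seen_mac[mac] = 1; seen_name[name] = 1
        printf "SUBSYSTEM==\"net\", ACTION==\"add\", ATTR{address}==\"%s\", NAME=\"%s\"\n", mac, name
    }
    END { exit err }'
}

# Demo: run with --demo to print the rules for the sample pairs.
if [ "${1:-}" = "--demo" ]; then
    sample_pairs | make_nic_rules
fi
```
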



Specifying multiple NICs

2018-08-01 Thread Mark Neidorff
I'm setting up a "just in case" replacement mailserver for my domain and my 
local network.  I'm using Debian Jessie, because the latest instructions for 
setting the mailserver (qmail) are written for Jessie.  The mailserver has 2 
NICs (one for local network, and one for Internet).

In the past,  I referred to each NIC as eth0, eth1, ... but now, these names
are not permanent, and the designation can change on boot.  I looked at the
"Network Configuration" document which didn't have a solution.  So, either how
do I make the names for the NICs permanent or what do I use for the names of
the NICs?

Thanks,
Mark
-- 
If you finding the going easy, you're probably going downhill.



Re: LXC Memory Limits wont work

2018-08-01 Thread Markus Raps

Ok

somehow the processes bypass the group/namespace

under libvirt the cgroup.procs file
( /sys/fs/cgroup/memory/machine/lxc-4296-deb4.libvirt-lxc/cgroup.procs )
shows only one process

with the lxc tools the cgroup.procs file
( /sys/fs/cgroup/memory/lxc/debian/cgroup.procs )
shows up to all 11 processes

--
Mit freundlichen Grüßen / best regards
Markus Raps

cgroup.clone_children:0
cgroup.procs:2796
memory.failcnt:0
memory.kmem.failcnt:0
memory.kmem.limit_in_bytes:9223372036854771712
memory.kmem.max_usage_in_bytes:2494464
memory.kmem.tcp.failcnt:0
memory.kmem.tcp.limit_in_bytes:9223372036854771712
memory.kmem.tcp.max_usage_in_bytes:0
memory.kmem.tcp.usage_in_bytes:0
memory.kmem.usage_in_bytes:581632
memory.limit_in_bytes:102400
memory.max_usage_in_bytes:4317184
memory.move_charge_at_immigrate:0
memory.numa_stat:total=188 N0=188
memory.numa_stat:file=0 N0=0
memory.numa_stat:anon=188 N0=188
memory.numa_stat:unevictable=0 N0=0
memory.numa_stat:hierarchical_total=188 N0=188
memory.numa_stat:hierarchical_file=0 N0=0
memory.numa_stat:hierarchical_anon=188 N0=188
memory.numa_stat:hierarchical_unevictable=0 N0=0
memory.oom_control:oom_kill_disable 0
memory.oom_control:under_oom 0
memory.soft_limit_in_bytes:9223372036854771712
memory.stat:cache 4096
memory.stat:rss 765952
memory.stat:rss_huge 0
memory.stat:mapped_file 0
memory.stat:dirty 0
memory.stat:writeback 0
memory.stat:pgpgin 1763
memory.stat:pgpgout 1575
memory.stat:pgfault 3264
memory.stat:pgmajfault 0
memory.stat:inactive_anon 0
memory.stat:active_anon 770048
memory.stat:inactive_file 0
memory.stat:active_file 0
memory.stat:unevictable 0
memory.stat:hierarchical_memory_limit 102400
memory.stat:total_cache 4096
memory.stat:total_rss 765952
memory.stat:total_rss_huge 0
memory.stat:total_mapped_file 0
memory.stat:total_dirty 0
memory.stat:total_writeback 0
memory.stat:total_pgpgin 1763
memory.stat:total_pgpgout 1575
memory.stat:total_pgfault 3264
memory.stat:total_pgmajfault 0
memory.stat:total_inactive_anon 0
memory.stat:total_active_anon 

Re: LXC Memory Limits wont work

2018-08-01 Thread Dan Purgert
Markus Raps wrote:
> Hello,
>
> I am currently trying to run LXC Containers with libvirt
> but the memory limit doesn't want to work
>
> in the container I see the full 32GB from the Host OS
> I am pretty sure that I am missing a config line in the xml
>

In my config files, I have the following stanzas:

  2097152
  2097152

And the result on the VM is:

$ free -k
  total 
Mem:2052352 
Swap:   2879484 

No idea why it differs, probably a difference between KiB and KB
somewhere (yes, -k is SUPPOSED to be KiB, but ... )

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281



LXC Memory Limits wont work

2018-08-01 Thread Markus Raps

Hello,

I am currently trying to run LXC Containers with libvirt
but the memory limit doesn't want to work

in the container I see the full 32GB from the Host OS
I am pretty sure that I am missing a config line in the xml

lxc-template ~ # free -m
              total        used        free      shared  buff/cache   available
Mem:          32108         626       31396         249          85       31396
Swap:             0           0           0
lxc-template ~ #


the host is running debian 9 with default repos

hv1 ~ # dpkg -l | grep virt
ii  libgovirt-common          0.3.4-2              all    GObject-based library to access oVirt REST API (common files)
ii  libgovirt2:amd64          0.3.4-2              amd64  GObject-based library to access oVirt REST API
ii  libvirt-clients           3.0.0-4+deb9u3       amd64  Programs for the libvirt library
ii  libvirt-daemon            3.0.0-4+deb9u3       amd64  Virtualization daemon
ii  libvirt-daemon-system     3.0.0-4+deb9u3       amd64  Libvirt daemon configuration files
ii  libvirt-glib-1.0-0:amd64  1.0.0-1              amd64  libvirt GLib and GObject mapping library
ii  libvirt0                  3.0.0-4+deb9u3       amd64  library for interfacing with different virtualization systems
ii  python-libvirt            3.0.0-2              amd64  libvirt Python bindings
ii  qemu-kvm                  1:2.8+dfsg-6+deb9u4  amd64  QEMU Full virtualization on x86 hardware
ii  virt-viewer               5.0-1                amd64  Displaying the graphical console of a virtual machine
ii  virtinst                  1:1.4.0-5            all    Programs to create and clone virtual machines


--
Mit freundlichen Grüßen / best regards
Markus Raps


  deb4
  b1981e50-3bbc-40bf-b145-4a50e927eb7d
  400
  400
  2
  
/machine
  
  
exe
/sbin/init
  
  
  destroy
  restart
  destroy
  
/usr/lib/libvirt/libvirt_lxc

 


Re[2]: Set the MTU on the interface

2018-08-01 Thread Алексей
Hi.

Well, I can't use the pre-up directive without the iface statement. Or I can 
use one on the first vlan interface however it seems not very obvious decision 
to maintain it later. I followed the advice by Pascal Hambourg (setting the 
iface statement to manual) and it worked.

Thank you all for help.

Best regards,
Alex

31 July 2018, 13:36:36, from "Michael Stone":

On Mon, Jul 30, 2018 at 03:55:52PM +0300, Алексей wrote:
>I can't set the MTU in the eth0 configuration. I can probably write a pre-up
>directive in the configuration of the first vlan interface however I'm not sure
>if this is correct way. Probably someone can advise better one?

You can do it with a pre-up to set the mtu of the base device. Once you 
set the base device to 9000 or whatever, you'll want to set the mtu on 
all of the other devices to the original value.

Mike Stone



Re: a dh keys question?

2018-08-01 Thread Dan Purgert
Richard Hector wrote:
> On 01/08/18 03:57, Dan Ritter wrote:
>> On Tue, Jul 31, 2018 at 11:38:34AM -0400, Karen Lewellen wrote:
>>> I have a problem now where each place I try to visit using my ssh
>>> client, and my sftp one, I am getting a dh key exchange failure.
>>> using the -v command  is not shedding light on the issue. I am using
>>> the same client now to reach another  service, but here  we use a
>>> different port from port 22. the error started on the 29th of June,
>>> and the company providing my dsl service did claim to have a service
>>> issue on that day. However they do not speak Linux let alone
>>> anything else Unusual.
>>> Thoughts?
>>
>> Are you having problems SSHing to all servers that you try, or
>> just to one in particular?
>>
>> If it's just one, and that one uses a port other than 22, it's
>> likely that your DSL company started filtering that port on the
>> 29th.
>
> If it was a simple port filtering issue, then you'd get something like
> 'Connection Refused' or 'Destination unreachable' or 'Connection timed
> out' - you wouldn't get as far as dh key exchange.
>
> I'm not an expert in this, so might have some details wrong, but I think
> the gist of it is right. Happy to be corrected.

Precisely.  DH failures are typically because one end or the other is
trying to use an "out of bounds" keysize.  E.g. you have a SSH 7.x
client, and the server is 6.0 or lower.

The error message is _probably_ something like this, right (note - may
require "ssh -vv" in order to see):

   debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1536<3072<8192) sent
   debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
   DH_GEX group out of range: 1536 !< 1024 !< 8192

The likely cause is that you're trying to use the KexAlgorithm
"diffie-hellman-group-exchange-sha256". 

A simple check to make things work is running the ssh command as 

  ssh -oKexAlgorithms="diffie-hellman-group14-sha1" you@host

This WILL limit you to the single KexAlgorithm noted, but we're only
using it to force a cipher that pretty much will go through.

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
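
The debug lines quoted in the message above carry enough information to tell which side is out of range: the request line gives the client's minimum, preferred and maximum modulus size, and the rejection line gives the size the server offered. The following is an added example, not part of the original message; the function names `diagnose_dh_gex` and `suggest_next_step` are made up here and the sample log is constructed from the three quoted lines.

```shell
#!/bin/sh
# Added example: classify a DH group-exchange failure from `ssh -vv` output.

# Constructed sample: the three debug lines quoted in the message above.
sample_log() {
cat <<'EOF'
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1536<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
DH_GEX group out of range: 1536 !< 1024 !< 8192
EOF
}

# Read `ssh -vv` output on stdin and print one line:
#   <verdict> min=<bits> pref=<bits> max=<bits> offered=<bits>
# A field that never appeared in the input is printed as "-".
diagnose_dh_gex() {
    awk '
    BEGIN { min = pref = max = offered = "-" }
    # Client request: SSH2_MSG_KEX_DH_GEX_REQUEST(min<preferred<max)
    /SSH2_MSG_KEX_DH_GEX_REQUEST\(/ {
        s = $0
        sub(/.*SSH2_MSG_KEX_DH_GEX_REQUEST\(/, "", s)
        sub(/\).*/, "", s)
        if (split(s, r, "<") == 3) {
            min = r[1] + 0; pref = r[2] + 0; max = r[3] + 0; have_req = 1
        }
    }
    # Client-side rejection: DH_GEX group out of range: min !< offered !< max
    /DH_GEX group out of range:/ {
        s = $0
        sub(/.*out of range:/, "", s)
        gsub(/[^0-9 ]/, "", s)              # drop "!<" and stray characters
        if (split(s, g, " ") == 3) {
            min = g[1] + 0; offered = g[2] + 0; max = g[3] + 0; have_rej = 1
        }
    }
    END {
        if (have_rej && offered < min)      verdict = "server-group-too-small"
        else if (have_rej && offered > max) verdict = "server-group-too-large"
        else if (have_req)                  verdict = "gex-requested-no-range-error"
        else                                verdict = "no-gex-seen"
        printf "%s min=%s pref=%s max=%s offered=%s\n", verdict, min, pref, max, offered
    }'
}

# Map a verdict to the next diagnostic step. The retry command is the one
# given in the message above; group14 is a fixed 2048-bit group, so it avoids
# the negotiated size entirely. It is a test, not a permanent client setting.
suggest_next_step() {
    verdict=$1 host=$2
    case $verdict in
        server-group-too-small)
            printf 'ssh -oKexAlgorithms=diffie-hellman-group14-sha1 %s\n' "$host" ;;
        *)
            printf 'no retry suggested for verdict: %s\n' "$verdict" ;;
    esac
}

# Demo: run with --demo to classify the sample log.
if [ "${1:-}" = "--demo" ]; then
    result=$(sample_log | diagnose_dh_gex)
    printf '%s\n' "$result"
    suggest_next_step "${result%% *}" you@host
fi
```

A `server-group-too-small` verdict means the server offered a modulus below the client's minimum, which matches the old-server, new-client case the message describes.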



Re: Which Debian on a Samsung 500T + touchscreen

2018-08-01 Thread Daniel Huhardeaux

On 31/07/2018 at 18:07, andre_deb...@numericable.fr wrote:

> [...]
>
> Does Linux on the whole work well in touchscreen mode?
> I had an Acer touchscreen laptop; it worked well with Windows-8,
> but not so well with Debian (Trinity desktop).

Never had a problem with Ubuntu

--
Daniel Huhardeaux
+33.368460...@tootai.netsip:8...@sip.tootai.net
+41.445532...@tootai.nettootaiNET



Re: Looking for a WiFi card well supported by Debian Stretch

2018-08-01 Thread andre_debian
On Monday 30 July 2018 21:21:26 you wrote:
> for my part I have this one and it works very well (since Jessie):
> Qualcomm Atheros AR9227 Wireless Network Adapter

Thanks.
I bought a TD-Link WiFi card with 2 antennas,
recognised immediately by Debian, without having
to install the driver since it was already present.

Now it remains to be seen whether it will work well,
that is, with good transmit / receive quality (dB):
the PC will be on the 2nd floor of a house and the WiFi box antenna
on the ground floor.

Have a good day,

André

> On 29/07/2018 at 19:34, andre_deb...@numericable.fr wrote:
> > It's all in the subject line,
> > I'm looking for a WiFi card for a desktop PC,
> > compatible with Debian Stretch, without too much fiddling.
> > Is it better to get a card with 2 antennas?




Re: Configuring sources with synaptic

2018-08-01 Thread Bernard Schoenacker



- Original mail -
> From: "Sylvain Caselli" case...@wanadoo.fr>
> To: "Liste Debian" 
> Sent: Wednesday 1 August 2018 11:10:19
> Subject: Configuring sources with synaptic
> 
> Hello,
> 
> I suspect you prefer the command line, but I am never quite sure of
> the spelling of a package name and I like choosing from an
> already-sorted list.
> 
> So, on my new Debian machine, if I want to refresh the package list
> with synaptic I get a problem reading the sources:
> > Échec du téléchargement de tous les fichiers d'index
> > 
> > Le dépôt ne semble plus être disponible ou ne peut être contacté à
> > cause de problèmes de réseau. S'il existe un fichier d'index plus
> > ancien, il sera utilisé. Sinon, le dépôt sera ignoré. Vérifiez
> > votre connexion réseau et corrigez l'adresse du dépôt dans les
> > préférences.
> > 
> > http://deb.debian.org/debian/dists/stretch-updates/InRelease: The
> > key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file
> > is not readable by user '_apt' executing apt-key.
> > http://security.debian.org/dists/stretch/updates/InRelease: The
> > key(s) in the keyring /etc/apt/trusted.gpg are ignored as the
> > file is not readable by user '_apt' executing apt-key.
> > http://deb.debian.org/debian/dists/stretch-proposed-updates/InRelease:
> > The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the
> > file is not readable by user '_apt' executing apt-key.
> > The repository 'http://deb.debian.org/debian stretch/updates Release'
> > does not have a Release file.
> > Updating from such a repository can't be done securely, and is
> > therefore disabled by default.
> > See apt-secure(8) manpage for repository creation and user
> > configuration details.
> > http://deb.debian.org/debian/dists/stretch/Release.gpg:
> > The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the
> > file is not readable by user '_apt' executing apt-key.
> 
> 
> Its configuration is (Config1_synaptic & Config2_synaptic). I did not
> write it myself, I just removed the DVD.
> > Debian Software = serveur principal
> > Other Software = http://deb.debian.org/debian/stretch/updates main
> > contrib non-free
> 
>   I searched (not well) on the internet (debian facile) but found
> nothing or understood nothing; apparently the different package
> management programs each have their own sources.
> 
> Thanks in advance, Sylvain.
> 
> 
hello,

what does this command give:

dpkg -l |awk '/debian-keyring/ {print $1 " "$2" "$3}'

and you install the key:

http://ftp.de.debian.org/debian/pool/main/d/debian-keyring/debian-keyring_2018.07.24_all.deb

your sources.list should be this one (as root):

cat >/etc/apt/sources.list << EOF
deb http://deb.debian.org/debian/ stretch main non-free contrib
# deb-src http://deb.debian.org/debian/ stretch main non-free contrib

deb http://security.debian.org/debian-security stretch/updates main contrib non-free
# deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free

# stretch-updates, previously known as 'volatile'
deb http://deb.debian.org/debian/ stretch-updates main contrib non-free
# deb-src http://deb.debian.org/debian/ stretch-updates main contrib non-free

# stretch-backports, previously on backports.debian.org
deb http://deb.debian.org/debian/ stretch-backports main contrib non-free
# deb-src http://deb.debian.org/debian/ stretch-backports main contrib non-free
EOF

and the deb-multimedia file:

cat >/etc/apt/sources.list.d/deb-multimedia.list << EOF
deb ftp://ftp.deb-multimedia.org stretch main non-free
deb ftp://ftp.deb-multimedia.org stretch-backports main
EOF


thanks
bye
bernard



Configuration des sources avec synaptic

2018-08-01 Thread Sylvain Caselli

Hello,

I suspect you prefer the command line, but I am never quite sure how a 
package name is spelled, and I like choosing from an already sorted list.


Well, on my new Debian machine, when I try to refresh the package list 
with synaptic, I get a problem reading the sources:

Échec du téléchargement de tous les fichiers d'index

Le dépôt ne semble plus être disponible ou ne peut être contacté à cause de 
problèmes de réseau. S'il existe un fichier d'index plus ancien, il sera 
utilisé. Sinon, le dépôt sera ignoré. Vérifiez votre connexion réseau et 
corrigez l'adresse du dépôt dans les préférences.

http://deb.debian.org/debian/dists/stretch-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
http://security.debian.org/dists/stretch/updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
http://deb.debian.org/debian/dists/stretch-proposed-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
The repository 'http://deb.debian.org/debian stretch/updates Release' does not have a Release file.
Updating from such a repository can't be done securely, and is therefore disabled by default.
See apt-secure(8) manpage for repository creation and user configuration details.
http://deb.debian.org/debian/dists/stretch/Release.gpg: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.



Its configuration is (Config1_synaptic & Config2_synaptic). I did not 
write it myself; I only removed the DVD.

Debian Software = main server
Other Software = http://deb.debian.org/debian/stretch/updates main contrib 
non-free


I searched (not very well) on the internet (debian facile) but found 
nothing or understood nothing; apparently the different package 
management programs each have their own sources.


Thanks in advance, Sylvain.
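
The apt errors quoted in the message above have two separate causes: keyring files that the unprivileged '_apt' user cannot read, and a stretch/updates suite requested from an archive that has no Release file for it. The following is an added example, not part of the thread, that checks for both; the function names are hypothetical, and it assumes GNU stat and root-owned keyring files, so that '_apt' is governed by the "other" permission bits.

```shell
#!/bin/sh
# Added example (not from the thread): separate the two causes behind the
# apt errors quoted above. Assumes GNU stat and root-owned keyring files.

# other_can_read FILE: true if the "other" read bit is set. Mode bits are
# inspected instead of using test -r, so the answer is the same under root.
other_can_read() {
    mode=$(stat -c '%a' "$1") || return 2
    last=${mode#"${mode%?}"}          # last octal digit = "other" permissions
    [ $(( last & 4 )) -ne 0 ]
}

# unreadable_keyrings PATH...: print keyring files '_apt' cannot read.
# A directory argument is scanned for *.gpg files.
unreadable_keyrings() {
    for p in "$@"; do
        if [ -d "$p" ]; then
            for f in "$p"/*.gpg; do
                [ -f "$f" ] || continue
                other_can_read "$f" || printf '%s\n' "$f"
            done
        elif [ -f "$p" ]; then
            other_can_read "$p" || printf '%s\n' "$p"
        fi
    done
}

# misplaced_security_suite FILE...: print active deb/deb-src lines whose suite
# ends in /updates but whose URI does not name a security archive
# (heuristic, an assumption of this example: the URI contains "security").
misplaced_security_suite() {
    awk '$1 == "deb" || $1 == "deb-src" {
        i = 2
        if ($i ~ /^\[/) { while ($i !~ /\]$/ && i < NF) i++; i++ }  # skip [options]
        if ($(i + 1) ~ /\/updates$/ && $i !~ /security/) print
    }' "$@"
}

# Run against the standard locations.
unreadable_keyrings /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d
if [ -r /etc/apt/sources.list ]; then
    misplaced_security_suite /etc/apt/sources.list
fi
```

A keyring reported by unreadable_keyrings needs a mode that lets "other" read it (for example 644); a line reported by misplaced_security_suite needs the URI of a security archive, as in the sources.list given in the reply.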




Re: update hell

2018-08-01 Thread Joe
On Wed, 1 Aug 2018 15:14:57 +1200
Ben Caradoc-Davies  wrote:

> On 01/08/18 11:11, Default User wrote:

> 
> synaptic? No love for synaptic?
> 
> > Would Debian please just settle on one, and stick with it?  
> 
> They do different things at different levels and seem to play nicely 
> together.
> 

Indeed. I use apt-get, aptitude, synaptic and occasionally dpkg, as the
purpose requires.

If I have time, in the situation described in this thread I use
synaptic to install whatever isn't held up. I just pick likely-looking
packages and install them, backing off if I get a list of removals.
Aptitude interactive can do exactly the same, but I'm more comfortable
with synaptic.

I do actually use upgrade-system for routine upgrades, and switch to
synaptic when necessary. On my server, I don't have synaptic, but
being stable, I don't ever see this problem, either. For a simple
installation of a package whose name I know, I use aptitude. For
upgrading an unstable that hasn't been upgraded for a few months, I'd
use apt-get, as aptitude clogs up when presented with hundreds of
packages to sort out dependencies for. For a broken package that is
beyond the abilities of the apt tools, dpkg is less intelligent and
usually brutal enough to remove it. Horses for courses...

-- 
Joe 



Re: a dh keys question?

2018-08-01 Thread Joe
On Tue, 31 Jul 2018 17:49:52 -0400 (EDT)
Karen Lewellen  wrote:

> Hi
> just putting my answer at the top.
> My client does have a log option, will aim for that.  still again my
> first priority is finding a place to test  with a nonstandard port.
> then I can be sure  it really is all about port 22 and 21.
> Kare
> 

Do you have access to the client's router? If not, can you ask someone
who does to forward a high port to 22? This is the simplest way of
running sshd on a non-standard port and does not interfere with its
operation on 22. sshd doesn't care about this kind of redirection.

> 
> 
> On Tue, 31 Jul 2018, Dan Ritter wrote:
> 
> > On Tue, Jul 31, 2018 at 01:01:31PM -0400, Karen Lewellen wrote:  
> >> Hi again,

> >>  Otherwise I
> >> just get a repeat of the same conversation, we do not support your
> >> operating system. 

"I'm not paying you to support my operating system, I'm paying you for
a functional Internet connection."

Having said all that, I've often lost contact with an ssh server, but
never seen this kind of error, just a 'timed out' message.

-- 
Joe