Re: Bind9 questions

2018-07-15 Thread Wouter Verhelst
On Fri, Jul 13, 2018 at 09:24:44PM +0200, Paul van der Vlis wrote:
> On 13-07-18 at 15:17, Wouter Verhelst wrote:
> > On Wed, Jun 27, 2018 at 02:04:37PM +0200, Paul van der Vlis wrote:
> > The real manual for bind is the "Administrator's Reference Manual":
> > 
> > https://www.isc.org/downloads/bind/doc/
> > 
> > There is also a "BIND DNSSEC Guide" there, which you will want to read.
> 
> I had found the official documentation in the meantime as well.
> Strange indeed that I didn't look there at first; I often think
> that it is more of a reference than something readable.

Heh, not really in this case :-)

> >> https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2
> >>
> >> What do you think is a good place to put keys and zones? I am
> >> thinking of /etc/bind/zones/ and /etc/bind/keys/ myself.
> > 
> > That is (roughly) what I do too.
> > 
> >> I would like a separate directory for the keys, because I am considering
> >> putting them somewhere else so that they are offline, but can still be mounted.
> > 
> > Sure.
> > 
> >> Do you renew the KSK and the ZSK regularly or not?
> > 
> > You have to do that for security.
> 
> Have you already decided how often you are going to do it? And do you also
> set hard end dates in the keys? At the moment I have no end dates in the keys,
> nor in the RRSIG. The latter in particular seems wrong to me.

It is recommended to renew the KSK yearly.

The ZSK depends on the size of your domain. Once every three months is
sufficient for an average domain.

> >> And what strategy do you have for keeping them online or offline?
> > 
> > Personally I don't do the latter.
> 
> In itself you don't really need that KSK key any more, only if you want to
> create a new ZSK key, or want to revoke it.

ACK.

> >> How often do you renew the RRSIG when there are no changes?
> > 
> > You can leave that to bind (and I strongly recommend that you do):
> > 
> > zone "dyn-cust.nixsys.be" {
> > type master;
> > update-policy {
> > grant local-ddns zonesub any;
> > grant wou...@grep.be zonesub any;
> > grant cgi zonesub any;
> > };
> > allow-transfer { !notslaves; key latin; };
> > file "/etc/bind/zones/dyn-cust.nixsys.be";
> > key-directory "/etc/bind/keys";
> > auto-dnssec maintain;
> > };
> > 
> > The most important lines above are the ones with "key-directory" and
> > "auto-dnssec". The first configures where you drop your keys (which you
> > have to generate from time to time with "dnssec-keygen", where you also
> > have to specify times -- the manpage is fairly clear about that).
> 
> I assume times after which they expire? What times do you use?

See above :-)

> > BIND will
> > then load those keys automatically, and rotate the RRSIGs automatically. The
> > KSKs are also replaced automatically based on the times you passed to
> > dnssec-keygen. Only the glue of your ZSKs still has to be updated
> > manually (because BIND has no access to that).
> 
> The ZSK is signed by the KSK and derives its value from that.
> So I assume you mean the KSK with "glue"?

I was indeed mistaken in the paragraph above. The glue is for
the KSK, not for the ZSK. You can have the ZSK replaced automatically, the
KSK not (for that you do indeed have to update the glue).

> > The above is a direct copy from my live configuration of a
> > domain containing a number of customers with a dynamic IP address. At the
> > customer a cronjob runs that simply does a wget to a CGI script;
> > that script then runs nsupdate with a special "cgi" key, which modifies
> > the zone. Works perfectly: dynamic DNS updates with DNSSEC support
> > :-)
> 
> Is that comparable to dyndns?

Sort of. Except that you run it yourself and dyndns has no DNSSEC, AFAIK.

> >> It is not yet entirely clear to me what the "dsset" file actually
> >> does.
> > 
> > That has to do with the glue of your DNSSEC, and is fairly important.
> > 
> > DNSSEC works as follows:
> > 
> > - The root zone contains a number of DS records for the name "be",
> >   holding the fingerprints of the KSKs of the domain "be"
> > - The "be" zone contains DNSKEY records for those KSKs. These KSKs
> >   sign the RRs of the DNSKEY records of the ZSKs.
> > - The ZSKs of the "be" zone then sign all other RRs in that zone,
> >   including the DS record for "nixsys.be"
> > 
> > The same story is then repeated by "nixsys.be", which contains DS records
> > for "dyn-cust.nixsys.be", and so on.
> > 
> > The "dsset" file simply contains the DS records that you have to pass on
> > to your parent zone.
> 
> That is indeed customary, but not for .nl domains. There you have to
> upload your pubkey and they generate the DS records themselves.

The parent domain needs a DS record. You can indeed easily generate
that DS record from your pubkey (it is ultimately
just a hash). How the parent domain gets hold of that DS record, 

apt-get update hangs forever

2018-07-15 Thread deloptes
Hi
on one of my machines apt-get update hangs forever.


Get:32 http://ftp.at.debian.org/debian stretch/non-free i386 Packages [69.7 kB]
Get:33 http://ftp.at.debian.org/debian stretch/non-free Translation-en [80.6 kB]
0% [Working]   

What can I do to understand the reason and to solve it?

thanks  



Re: Thunderbird always launching 2 copies.

2018-07-15 Thread Carl Fink

On 07/15/2018 12:54 AM, Octopus Octopus wrote:
> Heyo,
>
> I'm having this confusing bug where I launch thunderbird and it instead
> launches 2 copies of it, I originally had an extra .desktop file for the
> thunderbird-beta deleting it had no effect.

Does it do that if you launch Thunderbird from the command line,
instead of by clicking a link? What is the result of
'which thunderbird'?

--
Carl Fink  c...@finknetwork.com
Thinking and logic and stuff at Reasonably Literate
http://reasonablyliterate.com



Re: Wrapping lines, was Re: BTRFS and debian

2018-07-15 Thread Zenaan Harkness
On Sun, Jul 15, 2018 at 01:23:36PM +1000, Zenaan Harkness wrote:
> On Sat, Jul 14, 2018 at 10:10:01PM -0500, David Wright wrote:
> > On Sat 14 Jul 2018 at 19:50:03 (+1000), Zenaan Harkness wrote:
> > > On Fri, Jul 13, 2018 at 05:59:58PM -0700, David Christensen wrote:
> > > > ZFS is killer technology.  zfs-fuse is sawed off.  ZOL rocks, but the 
> > > > license keeps it out of Debian.  We'll see if
> > > > and when btrfs catches up.
> > > 
> > > (Do you know why your mail client (or perhaps server) wraps at 115
> > > chars? 72 or 69 or even 80 would be much better...)
> > 
> > Your own mail client is doing this. You need to find out how to set
> > the wrapping value. In mutt, you might add the line
> > 
> > set reflow_wrap=80
> 
> Sweet!
> 
> Very informative. Daŋkə schön :)

Ahh yes, now I remember, I set reflow_wrap to 69 originally, then
added the sidebar, and mutt has a bug where the sidebar width is
included in the reflow width. But some weeks (months?) ago I removed
the sidebar, so must again change reflow_wrap.

Thanks heaps,



Debian got too fat?

2018-07-15 Thread Harald Dunkel
Hi folks,

would you mind to take a look at

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888743

The fix is pretty easy. What's really bugging me is that nobody
dares to touch the complex code of lsb-base. IMHO this is a clear
indication that Debian lost the blessed path other Unixes do follow.

What is your suggestion here? Apply the patch I provided (or maybe a
better one), or get rid of lsb-base completely?


Regards
Harri



Re: apt-get update hangs forever

2018-07-15 Thread Carl Fink

On 07/15/2018 06:27 AM, deloptes wrote:
> Hi
> on one of my machines apt-get update hangs forever.
>
> Get:32 http://ftp.at.debian.org/debian stretch/non-free i386 Packages [69.7 kB]
> Get:33 http://ftp.at.debian.org/debian stretch/non-free Translation-en [80.6 kB]
> 0% [Working]
>
> What can I do to understand the reason and to solve it?
>
> thanks

May we assume you tried switching repos? Because the only times I've
seen that, a particular repository was unreachable.

--
Carl Fink  c...@finknetwork.com
Thinking and logic and stuff at Reasonably Literate
http://reasonablyliterate.com



Re: Warning: Debian/testing full-upgrade removes security packages!

2018-07-15 Thread likcoras
On 07/15/2018 02:49 PM, Hans wrote:
> be warned: When you do apt full-upgrade, then most security tools, we rely
> on, are deinstalled. These are rkhunter, chkrootkit, autopsy, tripwire,
> needrestart and tiger. Also forensics-full and forensics-all are deinstalled
> (however, this might have other reasons).

Most likely the upgrade is changing packages that are depended on by the
packages you mention. Just re-install them. Just examine which packages
are being changed, see why apt wants to uninstall, and reinstall if needed.

> This is no good behaviour, and it looks for me like the preparation for a 
> global attack on debian. 

The extent of the evidence that supports the idea that this is in fact
an attack on Debian is just that apt is removing these packages on
update. This behavior could be explained by other means, without first
jumping to conclusions about NSA interference.

"Never attribute to malice that which is adequately explained by
stupidity." or, in this case, basically any simpler explanation than
"the preparation for a global attack on debian".

I believe it would have been more helpful if this had been written as a
question on why apt might be removing said packages on upgrade, with
more context, instead of spreading FUD on the list.



Re: Thunderbird always launching 2 copies.

2018-07-15 Thread Octopus Octopus
which thunderbird produces

/usr/bin/thunderbird

launching it through the terminal does not alter the results.
*I have disabled all addons and seems to have solved the problem.* I
might go through some further testing to see if it relates to
xul-ext-google-tasks-sync or xul-ext-firetray since those are both
addons from the repos I'm currently using (this problem occurred in both
and stretch to buster). However re-enabling all addons seems to not have
reproduced the issue. I believe it might be caused by Provider for
Google Calendar but I don't believe I got it from the debian repos (or
that it's even there).

On 07/15/2018 05:59 AM, Carl Fink wrote:
> On 07/15/2018 12:54 AM, Octopus Octopus wrote:
>> Heyo,
>>
>>
>> I'm having this confusing bug where I launch thunderbird and it instead
>> launches 2 copies of it, I originally had an extra .desktop file for the
>> thunderbird-beta deleting it had no effect.
>>
> Does it do that if you launch Thunderbird from the command line,
> instead of by clicking a link? What is the result of
> 'which thunderbird'?
>



Re: Thunderbird always launching 2 copies.

2018-07-15 Thread Curt
On 2018-07-15, Octopus Octopus  wrote:
>
> which thunderbird produces
>
> /usr/bin/thunderbird
>
> launching it through the terminal does not alter the results.
> *I have disabled all addons and seems to have solved the problem.* I
> might go through some further testing to see if it relates to
> xul-ext-google-tasks-sync or xul-ext-firetray since those are both
> addons from the repos I'm currently using (this problem occurred in both
> and stretch to buster). However re-enabling all addons seems to not have
> reproduced the issue. I believe it might be caused by Provider for
> Google Calendar but I don't believe I got it from the debian repos (or
> that it's even there).
>

I've heard that firetray doesn't close windows by default but rather
hides them in the systray, which means they can be restored in the context
menu of the systray icon, but equally signifies they reappear when
Thunderbird is restarted. To alter that behavior right-click the icon,
select preferences, and unclick 'Closing window hides to systray', or
alternatively 'Only last window can be hidden'. 



[Xen]: Heads UP: kernel from linux-image-4.9.0-7-amd64 might not boot on Xen

2018-07-15 Thread Markus Schönhaber
Hi,

if you are running Debian on Xen you should keep your eyes open when
upgrading the kernel.
For me, the kernel 4.9.110-1 from the linux-image-4.9.0-7-amd64 package
wouldn't boot as a DomU kernel. As I've read, it won't work as a Dom0
kernel either (I didn't check that, though).

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903767

-- 
Regards
  mks



Re: Stretch 9.5 amd64 kernel panic

2018-07-15 Thread Andy Smith
Hello,

On Sat, Jul 14, 2018 at 08:48:18PM -0400, Chuck Zmudzinski wrote:
> I captured a little bit of what was written to the xen console
> when the kernel panics which is shown below.
> 
> Anyone else seen this?

Seems the new point release kernel broke Xen PV:



Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Warning: Debian/testing full-upgrade removes security packages!

2018-07-15 Thread John Hasler
Henrique de Moraes Hols writes:
> Same goes for dist-upgrade.  dist-upgrade/full-upgrade will more
> aggressively attempt to remove packages than the alternatives
> safe-upgrade and upgrade.

I always do "upgrade" and look at what did not get upgraded and why.  I
then sometimes follow with "full-upgrade" and other times just upgrade
selected packages.  Testing is always consistent but not always
complete.  Unstable is always complete but not always consistent.  Only
Stable is both.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA



Re: Debian got too fat?

2018-07-15 Thread Reco
Hi.

On Sun, Jul 15, 2018 at 12:16:20PM +0200, Harald Dunkel wrote:
> Hi folks,
> 
> would you mind to take a look at
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888743
> 
> The fix is pretty easy.

But does not address all the cornercases, IMO.
Consider, for instance, an LXC container which shares root filesystem
with the host.


> What's really bugging me is that nobody
> dares to touch the complex code of lsb-base. IMHO this is a clear
> indication that Debian lost the blessed path other Unixes do follow.

Agreed. Debian drifted away from LSB several years ago, so the lack of
maintainers' interest is sad, but is to be expected.


> What is your suggestion here? Apply the patch I provided (or maybe a
> better one), or get rid of lsb-base completely?

Aim to ditch lsb-base in the long run.
For here and now I'd use something like 'pgrep -x --ns 1
$DAEMON_EXECUTABLE' instead of pidof.

Reco



Re: Warning: Debian/testing full-upgrade removes security packages!

2018-07-15 Thread Henrique de Moraes Holschuh
On Sun, 15 Jul 2018, The Wanderer wrote:
> >> be warned: When you do apt full-upgrade,
> > 
> > You're in testing: what are you "full-upgrade"-ing to and why?
> 
> To testing, of course.

Eh, I believe they meant that as "why are you using full-upgrade instead
of safe-upgrade or upgrade" (depending on which frontend), which are not
nearly as aggressive at removing packages.

Same goes for dist-upgrade.  dist-upgrade/full-upgrade will more
aggressively attempt to remove packages than the alternatives
safe-upgrade and upgrade.  AFAIK, anyway.

-- 
  Henrique Holschuh



Re: Naive newbie question [Re: Debian got too fat?]

2018-07-15 Thread Reco
Hi.

On Sun, Jul 15, 2018 at 02:33:02PM -0500, Richard Owlett wrote:
> > > What is your suggestion here? Apply the patch I provided (or maybe a
> > > better one), or get rid of lsb-base completely?
> > 
> > Aim to ditch lsb-base in the long run.
> > For here and now I'd use something like 'pgrep -x --ns 1
> > $DAEMON_EXECUTABLE' instead of pidof.
> 
> I didn't know what "lsb-base" was when I read original post.
> Not sure I know now ;/
> Did web search. Found it's an acronym for "Linux Standard Base".

In the context of the original discussion, LSB refers to
/lib/lsb/init-functions provided by lsb-base package.


> Searched.
> Found its purpose was to provide outside programmers a "sane" &/or
> "consistent" target.

LSB was more than that. It was a set of standards declaring what you can
find in your typical GNU/Linux system.
LSB was always somewhat controversial when one tried to apply it to any
non-rpm distribution (LSB mandated rpm as package manager), personal
tastes (LSB mandated both Qt and GTK+ installed) or a common sense
(not every server needs CUPS contrary to what they think).
What's true - one does not need LSB if one writes free software. LSB was
designed for all those proprietary software vendors in mind.

But, they invented Docker, Flatpak and AppImage since then, so LSB is
dead, and good riddance.


> Is it of any use to Debian _users_ who *ONLY* use official Debian
> repositories?

Assuming that said users do not deviate from the Debian default init
system - lsb-base is mostly useless if one's using systemd.
Again, in the context of the original question.


> I know that is a "loaded" question.
> Answers should be "food for thought."
> 
> IOW Can I a Debian user opt to not install "LSB" without ill effects?

The package has 'Priority: required', so I suppose that one *could*
build a bootable Debian installation without it given a sufficient
determination or curiosity.

I, for one, value rsync, smartmontools and rsyslog too much to purge
lsb-base. And let's not forget cron. Any OS is imperfect unless it has
cron.

Reco



Re: Network going down

2018-07-15 Thread roger . tarani
"The internet is unreachable" (for the machine) = no packet seems to be
able to be exchanged with the internet:

apt-get update cannot reach the servers
...E: Some index files failed to download. They have been ignored, or old ones 
used instead. ; 

the browser cannot access web pages; 
"Unable to connect
etc."

a ping site_machin.com (which works when the internet is reachable) 
shows that the packets are lost
$ ping yahoo.fr
PING yahoo.fr (106.10.248.151) 56(84) bytes of data.
From test (169.254.5.6) icmp_seq=1 Destination Host Unreachable



Thanks for the commands.
Here is their output below.
Does that let you identify the cause of the problem?
Thanks for your patience


*** Case 1: Internet reachable

$ ip addr
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group 
default 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
   valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast master xenbr0 state 
DOWN group default qlen 1000
link/ether 00:23:26:3b:9f:15 brd ff:ff:ff:ff:ff:ff
3: wlan0:  mtu 1500 qdisc noop state DOWN group default 
qlen 1000
link/ether 00:21:6a:35:4b:34 brd ff:ff:ff:ff:ff:ff
5: eth1:  mtu 1500 qdisc pfifo_fast state 
UNKNOWN group default qlen 1000
link/ether e2:5f:45:78:0c:7d brd ff:ff:ff:ff:ff:ff
inet 172.20.10.8/28 brd 172.20.10.15 scope global dynamic eth1
   valid_lft 85400sec preferred_lft 85400sec
inet6 fe80::e05f:45ff:fe78:c7d/64 scope link 
   valid_lft forever preferred_lft forever
6: xenbr0:  mtu 1500 qdisc noqueue state 
DOWN group default 
link/ether 00:23:26:3b:9f:15 brd ff:ff:ff:ff:ff:ff

$ ip route
default via 172.20.10.1 dev eth1  proto static  metric 1024 
172.20.10.0/28 dev eth1  proto kernel  scope link  src 172.20.10.8 

$ ip -6 route
fe80::/64 dev eth1  proto kernel  metric 256 

$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 172.20.10.1

$ brctl show
bash: brctl: command not found

$ sudo brctl show
bridge name bridge id   STP enabled interfaces
xenbr0  8000.0023263b9f15   no  eth0



*** Case 2: Internet NOT reachable

$ ip addr
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group 
default 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
   valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast master 
xenbr0 state DOWN group default qlen 1000
link/ether 00:23:26:3b:9f:15 brd ff:ff:ff:ff:ff:ff
3: wlan0:  mtu 1500 qdisc noop state DOWN group default 
qlen 1000
link/ether 00:21:6a:35:4b:34 brd ff:ff:ff:ff:ff:ff
5: eth1:  mtu 1500 qdisc pfifo_fast state 
UNKNOWN group default qlen 1000
link/ether e2:5f:45:78:0c:7d brd ff:ff:ff:ff:ff:ff
inet 172.20.10.8/28 brd 172.20.10.15 scope global dynamic eth1
   valid_lft 84920sec preferred_lft 84920sec
inet6 fe80::e05f:45ff:fe78:c7d/64 scope link 
   valid_lft forever preferred_lft forever
9: xenbr0:  mtu 1500 qdisc noqueue state 
DOWN group default 
link/ether 00:23:26:3b:9f:15 brd ff:ff:ff:ff:ff:ff
inet 169.254.5.6/16 brd 169.254.255.255 scope link xenbr0:avahi
   valid_lft forever preferred_lft forever

$ ip route
default dev xenbr0  scope link  metric 1009 
default via 172.20.10.1 dev eth1  proto static  metric 1024 
169.254.0.0/16 dev xenbr0  proto kernel  scope link  src 169.254.5.6 
172.20.10.0/28 dev eth1  proto kernel  scope link  src 172.20.10.8 

$ ip -6 route
fe80::/64 dev eth1  proto kernel  metric 256

$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 172.20.10.1

$ sudo brctl show
bridge name bridge id   STP enabled interfaces
xenbr0  8000.0023263b9f15   no  eth0



- Original Message -
From: "Pascal Hambourg" 
To: "Liste Debian" 
Sent: Saturday, July 14, 2018 12:14:03 PM
Subject: Re: Network going down

No need to CC me.

On 12/07/2018 at 23:01, roger.tar...@free.fr wrote:
> * the network is not reachable = the internet is not reachable.

We are not understanding each other. You can guess that I will inevitably
ask you to define "the internet is not reachable", which concretely
means nothing. You will again answer beside the point and we will never
get anywhere.

> $ sudo apt-get update
> returns an error, for lack of a connection.

Only exact and complete error messages interest me.

> and Firefox returns the "page unreachable" message typical of a lack of
> access to the internet.

Browser error messages are rarely informative.

> * I get my network back = I get my access to the internet back

See previous comment. I will try being more directive.
Can you post the output of the 

[SOLVED] Re: apt-get update hangs forever

2018-07-15 Thread deloptes
Carl Fink wrote:

> May we assume you tried switching repos? Because the only times I've
> seen that, a particular repository was unreachable.

no, I have not switched anything, but your answer helped me rewind the tape
back and yes I have added one source (Signal) by myself and the stupid
skype package adds its source each time you install it, so I removed both
and now it works. I would bet it hangs on the Signal source.

thank you very much for the hint

regards




Re: Bind9 questions

2018-07-15 Thread Paul van der Vlis
Hi Wouter and others,

On 15-07-18 at 12:29, Wouter Verhelst wrote:
> I was indeed mistaken in the paragraph above. The glue is for
> the KSK, not for the ZSK. You can have the ZSK replaced automatically, the
> KSK not (for that you do indeed have to update the glue).

That too can be done automatically nowadays; if a first valid key is in
place, it can be replaced. Have a look at RFC 7344 and 8078.

I have now also automated the first-time upload myself, using
the API of the registrar (I use opendomainregistry.net; people who
are interested can get the scripts).

>>> The above is a direct copy from my live configuration of a
>>> domain containing a number of customers with a dynamic IP address. At the
>>> customer a cronjob runs that simply does a wget to a CGI script;
>>> that script then runs nsupdate with a special "cgi" key, which modifies
>>> the zone. Works perfectly: dynamic DNS updates with DNSSEC support
>>> :-)
>>
>> Is that comparable to dyndns?
> 
> Sort of. Except that you run it yourself and dyndns has no DNSSEC, AFAIK.

Oh, nice. Here in NL you have a fixed IP address somewhat more often than in
Belgium, I think. But the dynamic stuff is gaining ground here too, ahem.

>>>> It is not yet entirely clear to me what the "dsset" file actually
>>>> does.
>>>
>>> That has to do with the glue of your DNSSEC, and is fairly important.
>>>
>>> DNSSEC works as follows:
>>>
>>> - The root zone contains a number of DS records for the name "be",
>>>   holding the fingerprints of the KSKs of the domain "be"
>>> - The "be" zone contains DNSKEY records for those KSKs. These KSKs
>>>   sign the RRs of the DNSKEY records of the ZSKs.
>>> - The ZSKs of the "be" zone then sign all other RRs in that zone,
>>>   including the DS record for "nixsys.be"
>>>
>>> The same story is then repeated by "nixsys.be", which contains DS records
>>> for "dyn-cust.nixsys.be", and so on.
>>>
>>> The "dsset" file simply contains the DS records that you have to pass on
>>> to your parent zone.
>>
>> That is indeed customary, but not for .nl domains. There you have to
>> upload your pubkey and they generate the DS records themselves.
> 
> The parent domain needs a DS record. You can indeed easily generate
> that DS record from your pubkey (it is ultimately
> just a hash). How the parent domain gets hold of that DS record is
> less important.
> 
> If you manage the parent domain yourself, then you can generate the DS
> record yourself via that dsset file--or via the bind command
> 'dnssec-dsfromkey'. This does not apply in your case.
> 
>> Hence my confusion about what that dsset file is needed for.
>>
>> "By generating the DS records from those DNSKEY records itself, SIDN keeps
>> control over the hash algorithm used."
> 
> Right.
> 
>> What I don't quite understand yet is the following: suppose someone can
>> manipulate the nameserver or forge the answers, that is surely something
>> dnssec is supposed to protect against.
> 
> That is the raison d'être of DNSSEC, yes.
> 
>> But then he can surely also answer that the domain has no dnssec and
>> so there is nothing to check either.
> 
> No.
> 
>> How does a computer or a program check that?
> 
> DNSSEC is only secure if there is an unbroken chain of DS and DNSKEY
> records from a trust anchor (usually the root key) to the domain.
> If there is a break somewhere, then an attacker can indeed generate false
> answers for that break and claim that no DNSSEC is present for child
> domains.
> 
> If a parent domain has a DS record for a child domain, then
> that child domain MUST have a corresponding DNSKEY record. If that is
> not the case, the domain is considered invalid and ignored.
> If an unbroken chain of DS and DNSKEY records exists from the
> trust anchor to the domain, then an attacker can only fake the absence
> of DNSSEC by first cracking a private key.
> 
> (If that happens, then there is of course a problem ;-)

But how do you know that the parent has a DS record? You ask the
nameserver that, I assume. If that nameserver cannot be trusted, then
this does not work.

It also occurred to me that you could also set up a nameserver that
simply doesn't do DNSsec.

Think for example of a situation at the coffee shop on the corner. You
log in to the wifi, and you get a nameserver assigned via DHCP. The lesson
from the above, I think, is that this is not OK, not even with dnssec.

An ISP could in principle also give you wrong data. Very simply,
I think, via "split DNS".

That is why, security-wise, it actually seems best to me to run a
nameserver yourself on e.g. a laptop; then you have it in your own hands.

Another security aspect, if I am not mistaken, is that the
root keys are entirely in the hands of the Americans. It seems to me that
they can forge things. I think the 
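
The point quoted in this message and in the earlier Bind9 message above (a DS record is just a hash of the public key, and a parent DS with no matching child DNSKEY makes the zone invalid), as an added Python example that is not part of either post. The key bytes are constructed and the helper names are hypothetical; only the zone name dyn-cust.nixsys.be comes from the thread.

```python
# Added example (not from the thread): a DS record is a digest over the child's
# owner name plus its DNSKEY RDATA (RFC 4034 section 5.1.4, RFC 4509).
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY = 0x0100  # DNSKEY flags bit 7; a DS may only point at a zone key


def wire_name(name):
    """Canonical wire form: lowercased, length-prefixed labels, then the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.lower().encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (every algorithm except the obsolete 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, dnskey, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest) for one DNSKEY tuple."""
    flags, protocol, algorithm, pubkey_b64 = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(ds, owner, dnskeys):
    """True if one of the child's DNSKEYs is a zone key that hashes to this DS."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False
    for key in dnskeys:
        flags, protocol, key_alg, _ = key
        if not flags & ZONE_KEY or protocol != 3 or key_alg != algorithm:
            continue
        if make_ds(owner, key, digest_type) == (tag, algorithm, digest_type, digest.upper()):
            return True
    return False


def delegation_status(parent_ds, owner, child_dnskeys):
    """Classify the DS -> DNSKEY link of one delegation.

    "secure" only says the link holds; a validator must still verify the
    RRSIG over the DNSKEY set with the matched key.
    """
    if not parent_ds:
        # Assumption: the absence of DS was itself proven by signed NSEC/NSEC3
        # records from the parent. That proof is not modelled here.
        return "insecure"
    if any(ds_matches(ds, owner, child_dnskeys) for ds in parent_ds):
        return "secure"
    # The parent vouches for a key the child does not present: a stripped or
    # forged answer ends up here, not in "insecure".
    return "bogus"


OWNER = "dyn-cust.nixsys.be"  # zone name taken from the thread
# Constructed key material, not real keys: 64 arbitrary bytes, labelled algorithm 13.
KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
FORGED = (257, 3, 13, base64.b64encode(bytes(range(1, 65))).decode())

if __name__ == "__main__":
    ds = make_ds(OWNER, KSK)
    print("%s. IN DS %d %d %d %s" % ((OWNER,) + ds))
    print("real key   :", delegation_status([ds], OWNER, [KSK]))
    print("forged key :", delegation_status([ds], OWNER, [FORGED]))
    print("no DNSKEY  :", delegation_status([ds], OWNER, []))
```
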

Re: Warning: Debian/testing full-upgrade removes security packages!

2018-07-15 Thread Hans
On Sunday, 15 July 2018, 17:43:47 CEST, Henrique de Moraes Holschuh wrote:

Maybe I was not clear enough. I did not mourn that packages are deinstalled,
this may happen in testing. I mourned that almost ALL SECURITY related
packages are deinstalled. And I would have nothing said, if it would have been
one or maybe two, but ALL most important rootkit watchers? And intrusion
detection? This was the point.

Best regards

Hans 
> On Sun, 15 Jul 2018, The Wanderer wrote:
> > >> be warned: When you do apt full-upgrade,
> > > 
> > > You're in testing: what are you "full-upgrade"-ing to and why?
> > 
> > To testing, of course.
> 
> Eh, I believe they meant that as "why are you using full-upgrade instead
> of safe-upgrade or upgrade" (depending on which frontend), which are not
> nearly as aggressive at removing packages.
> 
> Same goes for dist-upgrade.  dist-upgrade/full-upgrade will more
> aggressively attempt to remove packages than the alternatives
> safe-upgrade and upgrade.  AFAIK, anyway.






Re: Warning: Debian/testing full-upgrade removes security packages!

2018-07-15 Thread Roberto C . Sánchez
On Sun, Jul 15, 2018 at 06:07:32PM +0200, Hans wrote:
> On Sunday, 15 July 2018, 17:43:47 CEST, Henrique de Moraes Holschuh wrote:
> 
> Maybe I was not clear enough. I did not mourn that packages are
> deinstalled, this may happen in testing. I mourned that almost ALL
> SECURITY related packages are deinstalled. And I would have nothing said,
> if it would have been one or maybe two, but ALL most important rootkit
> watchers? And intrusion detection? This was the point.
> 

What you are writing does not make sense.  I almost replied to your
first message after you posted it, but I had to leave.  After
researching the packages you mention, they are all currently in testing.
That means that the removal would have to be triggered by a package
conflict.  Even if a package were not in testing, the system would not
automatically remove it (unless you explicitly removed packages without
a corresponding apt source).

Can you post your sources.list and/or sources.list.d/ entries and also
your dpkg.log that shows the specific packages being removed?

The idea that this is part of some conspiracy just seems wrong.  There
must be another logical explanation.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: Warning: Debian/testing full-upgrade removes security packages!

2018-07-15 Thread The Wanderer
On 2018-07-15 at 10:09, David Wright wrote:

> On Sun 15 Jul 2018 at 07:49:36 (+0200), Hans wrote:
> 
>> Hi folks,
>> 
>> be warned: When you do apt full-upgrade,
> 
> You're in testing: what are you "full-upgrade"-ing to and why?

To testing, of course.

Just because you're running testing doesn't mean the package versions
you have installed are the ones currently available from testing. If you
last upgraded more than about a day ago, there's a very good chance that
one or more of your installed packages has a newer version available in
testing now.

Running upgrade commands on at least an intermittent basis is just good,
normal practice for tracking testing.

That said, the nature of testing does sometimes mean that the result is
not entirely stable and consistent, so occasionally you get undesired
package-removal results such as the ones described in this thread. The
solution is generally to either specify explicitly (on the upgrade
command line) which packages you want to retain, or wait until whatever
dependency-resolution situation led to the problem gets resolved.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw





Re: Warning: Debian/testing full-upgrade removes security packages!

2018-07-15 Thread Reco
Hi.

On Sun, Jul 15, 2018 at 01:02:48PM -0400, Roberto C. Sánchez wrote:
> On Sun, Jul 15, 2018 at 06:07:32PM +0200, Hans wrote:
> > On Sunday, 15 July 2018, 17:43:47 CEST, Henrique de Moraes Holschuh wrote:
> > 
> > Maybe I was not clear enough. I did not mourn that packages are
> > deinstalled, this may happen in testing. I mourned that almost ALL
> > SECURITY related packages are deinstalled. And I would have nothing said,
> > if it would have been one or maybe two, but ALL most important rootkit
> > watchers? And intrusion detection? This was the point.
>
> The idea that this is part of some conspiracy just seems wrong.  There
> must be another logical explanation.

I'd put my money on some debconf breakage (the only Depends all those
packages have in common), but [1] claims that the most recent debconf
migration to testing happened a month ago.
The next most possible candidate is perl-base, but if [2] is to be
trusted, perl migration to testing was more than a month ago too.

So a conspiracy idea does not seem that weird. On the contrary, it would
look absolutely hilarious in the light of the news such as [3].
Or it might be a broken Debian mirror that OP's using.

Reco

[1] https://tracker.debian.org/pkg/debconf
[2] https://tracker.debian.org/pkg/perl
[3] https://linux.slashdot.org/story/18/06/09/052249



Naive newbie question [Re: Debian got too fat?]

2018-07-15 Thread Richard Owlett

On 07/15/2018 06:44 AM, Reco wrote:
> Hi.
>
> On Sun, Jul 15, 2018 at 12:16:20PM +0200, Harald Dunkel wrote:
>> Hi folks,
>>
>> would you mind to take a look at
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888743
>>
>> The fix is pretty easy.
>
> But does not address all the cornercases, IMO.
> Consider, for instance, an LXC container which shares root filesystem
> with the host.
>
>> What's really bugging me is that nobody
>> dares to touch the complex code of lsb-base. IMHO this is a clear
>> indication that Debian lost the blessed path other Unixes do follow.
>
> Agreed. Debian drifted away from LSB several years ago, so the lack of
> maintainers' interest is sad, but is to be expected.
>
>> What is your suggestion here? Apply the patch I provided (or maybe a
>> better one), or get rid of lsb-base completely?
>
> Aim to ditch lsb-base in the long run.
> For here and now I'd used something like 'pgrep -x --ns 1
> $DAEMON_EXECUTABLE' instead of pidof.

I didn't know what "lsb-base" was when I read original post.
Not sure I know now ;/
Did web search. Found it's an acronym for "Linux Standard Base".
Searched.
Found its purpose was to provide outside programmers a "sane" &/or
"consistent" target.

Is it of any use to Debian _users_ who *ONLY* use official Debian
repositories?

I know that is a "loaded" question.
Answers should be "food for thought."

IOW Can I, a Debian user, opt to not install "LSB" without ill effects?





Re: 2D and 3D game editor

2018-07-15 Thread Leonardo S. S. da Rocha
Thanks, folks. Thank you.

On 14 July 2018 at 12:12, Vinícius Moraes wrote:

> I recommend:
> löve - lua, 2d
> libgdx - java, 2d and 3d
> phaser - javascript, 2d
> All open source.
>
> --
> Vinícius Moraes
> Teaching assistant for Introduction to Programming (if669) - 2018.1
> Teaching assistant for Communication Infrastructure (if678) - 2016.2 - 2017.2
> Computer Science - 2015.1 - UFPE - CIn
> (82) 9 9925-9508
>
>


Re: HP ProLiant ML350p Gen8 Hot Plug 6 LFF - Is Jessie or Stretch ok?

2018-07-15 Thread rv riveravaldez
On Sat, Jul 14, 2018 at 1:28 PM, Bernie Elbourn  wrote:
> Hi
>
> I have one of these running Wheezy - been stable for years without issue. It
> also has original firmware etc. Yep - needs updating
>
> Has anyone got one of these running Jessie, or Stretch OK ... Is/was there
> any pain?
>
> Debian is actually safely on a sata ssd - the raid array holds all the data
> in logical volumes.
>
> Thanks,
>
> Bernie
>

Why don't you try a live version?



Re: Warning: Debian/testing full-upgrade removes security packages!

2018-07-15 Thread David Wright
On Sun 15 Jul 2018 at 07:49:36 (+0200), Hans wrote:
> Hi folks,
> 
> be warned: When you do apt full-upgrade,

You're in testing: what are you "full-upgrade"-ing to and why?

> then most security tools, we rely on, 
> are deinstalled. These are rkhunter, chkrootkit, autopsy, tripwire, 
> needrestart and tiger. Also forensics-full and forensics-all are deinstalled 
> (however, this might have other reasons).
> 
> This is no good behaviour, and it looks for me like the preparation for a 
> global attack on debian. 
> 
> Maybe it is wanted by the maintainers, but to remove suddenly almost all of 
> the most effective tools looks very, very fishy to me!
> 
> Keep your eyes open, the NSA is everywhere.

Cheers,
David.



Re: [SOLVED] Re: apt-get update hangs forever

2018-07-15 Thread Cindy-Sue Causey
On 7/15/18, deloptes  wrote:
> Carl Fink wrote:
>
>> May we assume you tried switching repos? Because the only times I've
>> seen that, a particular repository was unreachable.
>
> no, I have not switched anything, but your answer helped me rewind the tape
> back and yes I have added one source (Signal) by myself and the stupid
> skype package adds its source each time you install it, so I removed both
> and now it works. I would bet it hangs on the Signal source.
>
> thank you very much for the hint


There's also this that JUST occurred:

https://lists.debian.org/debian-announce/2018/msg3.html

+++ BEGIN QUOTE +++

The Debian project is pleased to announce the fifth update of its stable
distribution Debian 9 (codename "stretch"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

+++ END QUOTE +++

It's possible a mirror was burping or something, too. That last line
is the hint there.

I'm on a brand new, 24-hour-old debootstrap that was 100% up-to-date,
*yes, including security releases (grin)*. I just "apt-get updated".
It took about 4 hours and now says another 23MB of upgrades are needed
that quickly. :D

Just thought to check libreoffice, too, since I hadn't installed it again and yet:

0 upgraded, 132 newly installed, 0 to remove and 38 not upgraded.
Need to get 132 kB/179 MB of archives.
After this operation, 578 MB of additional disk space will be used.

It sure pays to hoard previously downloaded dotDeb archive files when
you're on dialup!

Cindy :)
-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *



Re: HP ProLiant ML350p Gen8 Hot Plug 6 LFF - Is Jessie or Stretch ok?

2018-07-15 Thread Dan Ritter
On Sat, Jul 14, 2018 at 05:28:47PM +0100, Bernie Elbourn wrote:
> Hi
> 
> I have one of these running Wheezy - been stable for years without issue. It
> also has original firmware etc. Yep - needs updating
> 
> Has anyone got one of these running Jessie, or Stretch OK ... Is/was there 
> any pain?
> 
> Debian is actually safely on a sata ssd - the raid array holds all the data 
> in logical volumes.
> 

This will all work with stretch. Go through Jessie first.

Some large percentage of the HP P8xx RAID cards eventually
developed hardware bugs that would crash the system. If that
starts happening to you:

1. Backup your data to another system.
2. Replace the P8xx card with an LSI 20xx or 30xx SAS/SATA card.
   There are relatively cheap adapter cables that will work.
   Check before buying.
3. Create new RAID and filesystems, restore your data.

-dsr-



Re: Naive newbie question [Re: Debian got too fat?]

2018-07-15 Thread tomas

On Sun, Jul 15, 2018 at 02:33:02PM -0500, Richard Owlett wrote:

[...]

> Is it of any use to Debian _users_ who *ONLY* use official Debian
> repositories?

It is useful for someone who wants to write a program which shall
run on an LSB-compliant system.

The _users_ profit from that because writing programs for them
becomes easier.

So yes.

Cheers
-- t



Re: Network that goes down

2018-07-15 Thread Pascal Hambourg

On 15/07/2018 at 22:17, roger.tar...@free.fr wrote:
>
> *** Case 1: Internet reachable
(...)
> $ ip route
> default via 172.20.10.1 dev eth1  proto static  metric 1024
> 172.20.10.0/28 dev eth1  proto kernel  scope link  src 172.20.10.8
(...)
> *** Case 2: Internet NOT reachable
(...)
> $ ip route
> default dev xenbr0  scope link  metric 1009
> default via 172.20.10.1 dev eth1  proto static  metric 1024
> 169.254.0.0/16 dev xenbr0  proto kernel  scope link  src 169.254.5.6
> 172.20.10.0/28 dev eth1  proto kernel  scope link  src 172.20.10.8

It is the IP configuration of the xenbr0 bridge (created for/by Xen, I
suppose) that is causing the mess, by creating a default route that leads
nowhere with a lower metric (and therefore a higher priority) than that of
the normal default route on eth1.

Since I know nothing about Xen, I can't tell you how to configure it. All
I can tell you is that this route must not be present.
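
The diagnosis in this message, turned into a check over `ip route` output, as an added example that is not part of the original message. The two routing tables are the ones quoted in the thread; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: find the default route the kernel will
# prefer (lowest metric) and flag it when it has no gateway while another
# default route does.
check_default_routes() {
    awk '
        $1 == "default" {
            dev = ""; gw = ""; metric = 0      # no "metric" field means metric 0
            for (i = 2; i < NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                else if ($i == "via") gw = $(i + 1)
                else if ($i == "metric") metric = $(i + 1) + 0
            }
            if (gw != "") has_gw = 1
            if (!seen || metric < best) { seen = 1; best = metric; bdev = dev; bgw = gw }
        }
        END {
            if (!seen) { print "no default route"; exit 2 }
            if (bgw == "" && has_gw) {
                printf "shadowed: on-link default on %s (metric %d) wins over the gateway route\n", bdev, best
                exit 1
            }
            printf "ok: preferred default is dev %s via %s (metric %d)\n", bdev, (bgw == "" ? "on-link" : bgw), best
        }'
}

# Routing tables quoted in the thread (case 1 works, case 2 does not).
case1_routes() {
    cat <<'EOF'
default via 172.20.10.1 dev eth1  proto static  metric 1024
172.20.10.0/28 dev eth1  proto kernel  scope link  src 172.20.10.8
EOF
}

case2_routes() {
    cat <<'EOF'
default dev xenbr0  scope link  metric 1009
default via 172.20.10.1 dev eth1  proto static  metric 1024
169.254.0.0/16 dev xenbr0  proto kernel  scope link  src 169.254.5.6
172.20.10.0/28 dev eth1  proto kernel  scope link  src 172.20.10.8
EOF
}

# On a live system: ip route | check_default_routes
case1_routes | check_default_routes
case2_routes | check_default_routes || true
```
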




Re: Network that goes down

2018-07-15 Thread roger . tarani
When I choose Debian and not Debian + Xen (with Grub), I get the same
behaviour.
Can Xen cause the mess in that case too?
Is this useful information?

How can it be explained that Internet access holds, but only for a
limited time?


- Original Message -
From: Pascal Hambourg 
To: Liste Debian 
Sent: Sun, 15 Jul 2018 23:03:59 +0200 (CEST)
Subject: Re: Network that goes down

On 15/07/2018 at 22:17, roger.tar...@free.fr wrote:
> 
> *** Case 1: Internet reachable
(...)
> $ ip route
> default via 172.20.10.1 dev eth1 proto static metric 1024
> 172.20.10.0/28 dev eth1 proto kernel scope link src 172.20.10.8
(...)
> *** Case 2: Internet NOT reachable
(...)
> $ ip route
> default dev xenbr0 scope link metric 1009
> default via 172.20.10.1 dev eth1 proto static metric 1024
> 169.254.0.0/16 dev xenbr0 proto kernel scope link src 169.254.5.6
> 172.20.10.0/28 dev eth1 proto kernel scope link src 172.20.10.8

It is the IP configuration of the xenbr0 bridge (created for/by Xen, I
suppose) that is causing the mess, by creating a default route that leads
nowhere with a lower metric (and therefore a higher priority) than that of
the normal default route on eth1.

Since I know nothing about Xen, I can't tell you how to configure it. All
I can tell you is that this route must not be present.




Re: Naive newbie question [Re: Debian got too fat?]

2018-07-15 Thread John Crawley

On 2018-07-16 04:33, Richard Owlett wrote:

> Can I a Debian user opt to not install "LSB" without ill effects?


Some ...er, many Debian packages depend on lsb-base.
'apt-cache rdepends lsb-base' for a long list.
--
John



Regarding Installation over Windows 10

2018-07-15 Thread Vijay Sehgal
Hey,

I am writing in reference to the above stated subject. I want to install
Linux on my machine.

Can anyone guide me via walkthrough to how to do that?
I have downloaded one iso file of 3.38 GB but there are 2 more in 64bit
without internet installation. Do I have to install other 2 iso files also?

What is the use of other 2 iso files of nearly same size?


Re: Regarding Installation over Windows 10

2018-07-15 Thread Ben Finney
Vijay Sehgal  writes:

> I want to install Linux on my machine.

Welcome! Thank you for choosing to install Debian.

> Can anyone guide me via walkthrough to how to do that?

The installation guide is at
https://www.debian.org/releases/stable/installmanual, you can
choose one for your language.

> What is the use of other 2 iso files of nearly same size?

Different architectures are incompatible; they need separate
installation programs. You will need to choose the right one (and choose
the corresponding Debian installation manual).


You will need to know the “architecture” of your machine; this is a term
roughly meaning “what is the CPU in the machine”.

For a machine on which you are running MS Windows, the architecture is
almost certainly “64-bit PC (amd64)”.

-- 
 \   “Anyone who puts a small gloss on [a] fundamental technology, |
  `\  calls it proprietary, and then tries to keep others from |
_o__)   building on it, is a thief.” —Tim O'Reilly, 2000-01-25 |
Ben Finney



Re: Regarding Installation over Windows 10

2018-07-15 Thread Vijay Sehgal
Thanks Ben for replying.

I know the architecture of my machine which is 64-bit(amd)
But check this link -
https://cdimage.debian.org/debian-cd/current/amd64/bt-dvd/
I am following this. Here when you scroll down, you will find 3 iso files.
I have downloaded the first one.

My question is do I have to download the other two also & what's the use of
other two?

Thanks!

On Mon, Jul 16, 2018 at 7:47 AM Ben Finney  wrote:

> Vijay Sehgal  writes:
>
> > I want to install Linux on my machine.
>
> Welcome! Thank you for choosing to install Debian.
>
> > Can anyone guide me via walkthrough to how to do that?
>
> The installation guide is at
> https://www.debian.org/releases/stable/installmanual, you can
> choose one for your language.
>
> > What is the use of other 2 iso files of nearly same size?
>
> Different architectures are incompatible; they need separate
> installation programs. You will need to choose the right one (and choose
> the corresponding Debian installation manual).
>
>
> You will need to know the “architecture” of your machine; this is a term
> roughly meaning “what is the CPU in the machine”.
>
> For a machine on which you are running MS Windows, the architecture is
> almost certainly “64-bit PC (amd64)”.
>
> --
>  \   “Anyone who puts a small gloss on [a] fundamental technology, |
>   `\  calls it proprietary, and then tries to keep others from |
> _o__)   building on it, is a thief.” —Tim O'Reilly, 2000-01-25 |
> Ben Finney
>
>


apache 2.4 envvars ? Deb 9.4

2018-07-15 Thread Dave
when I run apache2, I get an error APACHE_PID_FILE misspelled or 
unknown var.


and how do I include the "envvars" in the apache2.conf file ?

if I remove this variable I get no error but, I get errors when I try to 
install php saying missing "envvars /var/run/apache2/pid.pid"


the envvars file only has 1 active line

APACHE_PID_FILE /var/run/apapche2.pid


please advise.



Re: Thunderbird always launching 2 copies.

2018-07-15 Thread Andrew McGlashan
Hi,

On 15/07/18 14:54, Octopus Octopus wrote:
> I'm having this confusing bug where I launch thunderbird and it instead
> launches 2 copies of it, I originally had an extra .desktop file for the
> thunderbird-beta deleting it had no effect.

No, it's not launching two copies; it is doing what Firefox does with
multiple windows.

You can open a "folder" in a new window, then have two windows of TB.
When you do q -- TB will remember you had two windows open and
re-open on restart with two windows.

Cheers
A.






Re: Network that goes down

2018-07-15 Thread Jérémy PREGO

On 15/07/2018 at 23:21, roger.tar...@free.fr wrote:
> When I choose Debian and not Debian + Xen (with Grub), I get the same
> behaviour.
> Can Xen cause the mess in that case too?

To find out, you need to run the same commands again with plain Debian.

> Is this useful information?

Once we have the result, we'll tell you :)

> How can it be explained that Internet access holds, but only for a
> limited time?

A route that gets added periodically?

Jerem

> - Original Message -
> From: Pascal Hambourg 
> To: Liste Debian 
> Sent: Sun, 15 Jul 2018 23:03:59 +0200 (CEST)
> Subject: Re: Network that goes down
>
> On 15/07/2018 at 22:17, roger.tar...@free.fr wrote:
>> *** Case 1: Internet reachable
> (...)
>> $ ip route
>> default via 172.20.10.1 dev eth1 proto static metric 1024
>> 172.20.10.0/28 dev eth1 proto kernel scope link src 172.20.10.8
> (...)
>> *** Case 2: Internet NOT reachable
> (...)
>> $ ip route
>> default dev xenbr0 scope link metric 1009
>> default via 172.20.10.1 dev eth1 proto static metric 1024
>> 169.254.0.0/16 dev xenbr0 proto kernel scope link src 169.254.5.6
>> 172.20.10.0/28 dev eth1 proto kernel scope link src 172.20.10.8
>
> It is the IP configuration of the xenbr0 bridge (created for/by Xen, I
> suppose) that is causing the mess, by creating a default route that leads
> nowhere with a lower metric (and therefore a higher priority) than that of
> the normal default route on eth1.
>
> Since I know nothing about Xen, I can't tell you how to configure it. All
> I can tell you is that this route must not be present.






Re: Network that goes down

2018-07-15 Thread Bernard Schoenacker


- Original mail -
> From: "Jérémy PREGO" 
> To: debian-user-french@lists.debian.org
> Sent: Sunday 15 July 2018 23:25:37
> Subject: Re: Network that goes down
> 
> On 15/07/2018 at 23:21, roger.tar...@free.fr wrote:
> > When I choose Debian and not Debian + Xen (with Grub), I get the
> > same behaviour.
> > Can Xen cause the mess in that case too?
> 
> To find out, you need to run the same commands again with plain
> Debian.
> 
> > Is this useful information?
> 
> Once we have the result, we'll tell you :)
> 
> > How can it be explained that Internet access holds, but only
> > for a limited time?
> >
> A route that gets added periodically?
> 
> Jerem

Hello,

here is the documentation for the route problem:

https://superuser.com/questions/792982/forwarding-internet-using-a-raspberry-pi-eth0-and-eth1
https://daveconroy.com/how-to/how-to-tether-your-raspberry-pi-with-your-iphone-5/


what is interesting:

/etc/sysctl.conf

net.ipv4.ip_forward=1


thanks
bye
bernard

90-iphone-tethering.rules
Description: Binary data


Re: Compiler segfault when building the kernel

2018-07-15 Thread Celejar
On Tue, 13 Jun 2017 20:41:25 +0300
Adrian Bunk  wrote:

> On Tue, Jun 13, 2017 at 11:57:55AM -0400, Celejar wrote:
> > On Mon, 12 Jun 2017 10:45:17 +0300
> > Adrian Bunk  wrote:
> > 
> > > On Fri, Jun 09, 2017 at 07:58:12AM -0400, Celejar wrote:
> > > > Hi,

...

> > > > line "root_cmd = fakeroot") without problem. Recently, the builds have
> > > > begun to fail with messages like these:
> > 
> > ...
> > 
> > > > > ./include/linux/rcu_sync.h:29:48: internal compiler error: 
> > > > > Segmentation fault
> > > > >  enum rcu_sync_type { RCU_SYNC, RCU_SCHED_SYNC, RCU_BH_SYNC };
> > > > > ^

...

> > > > > The bug is not reproducible, so it is likely a hardware or OS problem.

...

> "internal compiler error that is not 100% reproducible" - at that point 
> it is nearly certain that the underlying problem is a hardware problem.

Just for the record, extensive testing with memtest86 and memtest86+
confirmed that one of my DIMMs was bad. I've replaced it, and have not
had a recurrence of the problem (although I now usually offload kernel
compilation to a different machine anyway).

Thanks, Adrian.

Celejar