Re: [Discuss] Not Able to Access Fedoraforum Within Home Comcast Network

2019-12-05 Thread Dan Ritter
jbk wrote: 
> On 12/4/19 8:47 PM, jbk wrote:
> > On 12/4/19 7:56 PM, Dan Ritter wrote:
> > > Dan Ritter wrote:
> > > > jbk wrote:
> > > > > On 12/4/19 5:15 AM, Steven Santos wrote:
> > > > > > try a different dns.
> > > > > > 
> > > > > > It was unreachable with the comcast dns.
> > > > > > 
> > > > > > Works fine with 8.8.8.8 and opendns
> > > > > Changing dns server has not succeeded yet. How long should I
> > > > > expect to wait
> > > > > before new server provides results?
> > > > 60 seconds, max.
> > > 207.210.201.125 is the IP I resolved.
> > > 
> > > It appears to be a cPanel controlled virtual server, owned by
> > > Endurance, which, interestingly, has offices in Burlington and
> > > Waltham. Oh -- they're the corporate parent of Constant Contact,
> > > Hostgator, Sitebuilder, and a bunch of others.
> > > 
> > > The connectivity is via Cogent, and that might or might not be
> > > the issue: Cogent has a history of getting into spats with other
> > > major ISPs; it wouldn't be too surprising if there was a game of
> > > one-upsmanship going on between Comcast and Cogent. But I don't
> > > know, I'm just speculating.
> > > 
> > > -dsr-
> > > 
> > That ip agrees with what I found. The thing is I can access Fedoraforum
> > at work through a comcast modem with no trouble. I've tried the google
> > dns and opendns without success so far.
> > 
> > Is there any possibility that my dd-wrt router could be blocking a
> > single address w/o me actively blocking a particular site? Since I'm
> > bridged that is the direction the finger is going to point when comcasts
> > tech comes so I'd really like to nip that in the bud.
> > 
> I ran traceroute this AM my dns is pointing to opendns
> 
> 
> traceroute to fedoraforum.org (207.210.201.125), 30 hops max, 60 byte packets
>  1  bagshot (10.251.227.1)  1.351 ms  1.355 ms  1.804 ms
>  2  96.120.64.65 (96.120.64.65)  18.290 ms  19.116 ms  20.290 ms
>  3  68.87.181.193 (68.87.181.193)  19.296 ms  20.987 ms  20.961 ms
>  4  96.108.157.94 (96.108.157.94)  21.663 ms  21.638 ms  22.022 ms
>  5  be-98-ar01.needham.ma.boston.comcast.net (68.85.106.13)  23.213 ms  27.160 ms  27.136 ms
>  6  be-1003-pe02.onesummer.ma.ibone.comcast.net (68.86.90.173)  25.230 ms  24.667 ms  23.913 ms
>  7  as174.onesummer.ma.ibone.comcast.net (50.242.149.54)  26.246 ms  13.853 ms  16.856 ms
>  8  be3600.ccr22.alb02.atlas.cogentco.com (154.54.0.221)  20.005 ms  18.970 ms  23.706 ms
>  9  be2879.ccr22.cle04.atlas.cogentco.com (154.54.29.173)  30.878 ms  34.674 ms  35.542 ms
> 10  be2718.ccr42.ord01.atlas.cogentco.com (154.54.7.129)  41.697 ms  42.995 ms  42.352 ms
> 11  be2832.ccr22.mci01.atlas.cogentco.com (154.54.44.169)  58.312 ms  58.747 ms  57.608 ms
> 12  be2433.ccr32.dfw01.atlas.cogentco.com (154.54.3.213)  106.073 ms  105.104 ms  108.844 ms
> 13  be2561.rcr21.b010621-0.dfw01.atlas.cogentco.com (154.54.6.74)  98.955 ms  95.923 ms  95.734 ms
> 14  38.32.13.210 (38.32.13.210)  96.656 ms  100.994 ms  100.297 ms
> 15  * * *
> 
> This without any options to the trace. I'm thinking of asking comcast to
> change my modem ip. I've had the same one for over a year.

That's unlikely to help.

Have you tried:
 - another device on your home network?
 - a different browser on the same machine?
 - telling us exactly what error you are getting?

-dsr-
___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss


Re: [Discuss] Not Able to Access Fedoraforum Within Home Comcast Network

2019-12-04 Thread Dan Ritter
Dan Ritter wrote: 
> jbk wrote: 
> > On 12/4/19 5:15 AM, Steven Santos wrote:
> > > try a different dns.
> > > 
> > > It was unreachable with the comcast dns.
> > > 
> > > Works fine with 8.8.8.8 and opendns
> > 
> > Changing dns server has not succeeded yet. How long should I expect to wait
> > before new server provides results?
> 
> 60 seconds, max.

207.210.201.125 is the IP I resolved.

It appears to be a cPanel controlled virtual server, owned by
Endurance, which, interestingly, has offices in Burlington and
Waltham. Oh -- they're the corporate parent of Constant Contact,
Hostgator, Sitebuilder, and a bunch of others. 

The connectivity is via Cogent, and that might or might not be
the issue: Cogent has a history of getting into spats with other
major ISPs; it wouldn't be too surprising if there was a game of
one-upsmanship going on between Comcast and Cogent. But I don't
know, I'm just speculating.

-dsr-


Re: [Discuss] Not Able to Access Fedoraforum Within Home Comcast Network

2019-12-04 Thread Dan Ritter
jbk wrote: 
> On 12/4/19 5:15 AM, Steven Santos wrote:
> > try a different dns.
> > 
> > It was unreachable with the comcast dns.
> > 
> > Works fine with 8.8.8.8 and opendns
> 
> Changing dns server has not succeeded yet. How long should I expect to wait
> before new server provides results?

60 seconds, max.


-dsr-


Re: [Discuss] Encrypt /home and allow unattended boot?

2019-09-27 Thread Dan Ritter
Daniel Barrett wrote: 
> On September 27, 2019, Dan Ritter wrote:
> >cryptmount is what you are looking for.
> 
> Wow, cryptmount is so easy to set up! Thank you so much, this is
> fantastic. I guess to make sure it's mounted when I log in, just put
> something like this in ~/.bashrc:
> 
>   mountpoint -q /home/me/crypto || cryptmount opaque
> 
> Do you know anything about the performance of large cryptmount
> filesystems?  Looks like a filesystem is stored in a single user disk
> file (~/crypto.fs), so it makes me wonder if it can handle (say)
> several terabytes without degrading. I did a quick google search for
> "cryptmount performance" but didn't see anything useful.

I've never used it for more than dozens of gigabytes, sorry.

-dsr-


Re: [Discuss] Encrypt /home and allow unattended boot?

2019-09-27 Thread Dan Ritter
Daniel Barrett wrote: 
> 
> I'm thinking about encrypting the /home partition on an Ubuntu box.
> Is there a way to do it so I'm prompted for the decryption passphrase
> when I log in or SSH in, not at boot time? I don't want to enter the
> passphrase during the boot process because I want to permit unattended
> reboots.
> 

You can do a directory (per-user encryption) or a filesystem
(/home, which is what you asked for) or a full disk. Full disk
requires boot-time passphrase entry; the others do not.

The kernel built-in crypto system is handled by either
cryptsetup or cryptmount. Cryptsetup is generally used for
full-disk or similar "don't boot without passphrase" systems;
cryptmount is what you are looking for.

You can also use encfs, which is an overlay filesystem. It
provides less metadata security -- any user can see the number
of files, what perms they have, a lower bound on their size, and
atime/mtime stats. On the other hand, it's a lot easier to
experiment with.

Avoid ecryptfs, which was widely supported earlier but now
has no maintainer in Ubuntu or Debian:

https://help.ubuntu.com/community/EncryptedPrivateDirectory
uses ecryptfs.

http://manpages.ubuntu.com/manpages/disco/man8/cryptmount.8.html
is the helpful manpage for cryptmount.

-dsr-


Re: [Discuss] RMS

2019-09-26 Thread Dan Ritter
Marco Milano wrote: 
> 
> 
> On 9/26/19 12:17 PM, Dan Ritter wrote:
> > Joe Polcari wrote:
> > > You’re counting?
> > 
> > I didn't recognize his name, so I asked my mail client. I can
> > count to three pretty quickly.
> > 
> > -dsr-
> 
> How is the number of emails to the email list
> related to anything?
> 
> Are you saying that unless you are constantly on the
> email list, you have no credibility??

Nope. I'm saying that I give this person no credibility based on their
actual words in that actual message, and I am not inclined to cut them
slack based on their long and honorable history of making other worthwhile
contributions to the list, so I plonked. I'm sorry I was unclear.

-dsr-

(everyone else is welcome to get in the last word; this 
will be my last message on this thread)


Re: [Discuss] RMS

2019-09-26 Thread Dan Ritter
Joe Polcari wrote: 
> You’re counting?

I didn't recognize his name, so I asked my mail client. I can
count to three pretty quickly.

-dsr-


Re: [Discuss] RMS

2019-09-26 Thread Dan Ritter
Jim Gasek wrote: 
> Remember that the "METOO" movement is a religious movement, it is not based 
> on facts, logic, or evidence.


Your third message in three years, and this is what you want to
say?

Plonk.

-dsr-


Re: [Discuss] RMS

2019-09-24 Thread Dan Ritter
Seth Gordon wrote: 
> On Mon, Sep 23, 2019 at 5:55 PM Steve Litt 
> wrote:
> 
> > On Mon, 23 Sep 2019 12:55:13 -0400
> > Seth Gordon  wrote:
> >
> > > The English word “cancer” can refer to anything from a skin tumor
> > > that a doctor can remove as an outpatient procedure, to metastatic
> > > pancreatic cancer that is certain to kill you within six months. But
> > > both of these things are still cancer.
> >
> > OK, let's go with that analogy. Can you imagine if every cancer,
> > including a minor skin tumor, were treated with heavy chemotherapy and
> > radiation?
> >
> > That's what we have when we define everything from taking a leak in a
> > woods where, unknown to you, a child was watching, to jumping out from
> > behind bushes and raping an 80 year old woman, are defined as sex
> > crimes, and the sheep like public is inclined to having a zero
> > tolerance policy on sex crimes. There are plenty of people forever on
> > the sex offender registry whose crime was having sex with their 1 year
> > younger than them girlfriend.
> >
> 
> I agree that this is a problem, but the solution to that problem is to
> change the law so that not all forms of sexual assault get treated with
> this “zero tolerance” policy, not redraw the boundaries of “sexual assault”
> itself.

And many (though not all) states have done this. They are
generally called "Romeo and Juliet" laws.

-dsr-


Re: [Discuss] Chrome and Flash

2019-09-23 Thread Dan Ritter
Bill Horne wrote: 
> On 9/21/2019 10:05 AM, Jerry Feldman wrote:
> > And, I know that Flash's EOL is the end of next year, and good riddance.
> 
> 
> I've never understood what Flash does or is supposed to do: what is it for?

It's a language plus IDE plus runtime environment that offers easy
interactive programs. There was a runtime player available for
most browsers.

People used to write games and video players in it.

Problems: closed source, no open protocols, not particularly
good at adapting to different screen sizes and shapes.  And
the security story was non-existent.

It's been effectively replaced by JavaScript, which doesn't have
any of those problems, but is less user-friendly.

-dsr-


Re: [Discuss] RMS in the news

2019-09-18 Thread Dan Ritter
MBR wrote: 
> I've known RMS since the 1970s when we were both regular attendees at the
> MIT Folk Dance Club.  His Aspergers has always made him a difficult person
> to deal with.

My dad has Asperger's. I have Asperger's. My son has Asperger's.

Aspies find it difficult to interpret non-literal social cues.
As a coping mechanism, all of us who are fundamentally
reasonable people say things like "If I make you uncomfortable,
please know that it's not my intention. Just tell me if I have,
and I will stop it immediately."

And then we do.

RMS hasn't stopped in at least 30 years.

Don't use Asperger's as an excuse for RMS acting like an asshole. It's rude
to all of the rest of us. 

-dsr-


Re: [Discuss] RMS in the news

2019-09-18 Thread Dan Ritter
Rich Braun wrote: 
> I have a fond memory of RMS crashing one of our BLU meetings to hammer at the 
> point that our organization’s name included the word Linux and that we should 
> amend it to include the word Gnu. With rumors of his death not quite entirely 
> exaggerated—departure from FSF is tantamount to interment, it’s been his 
> whole life—I’d love to hear more RMS stories. -rich

Years before I met her, my wife-to-be went out on a date with RMS.

She says he was rude to the waitstaff, was obnoxiously overbearing
on every subject, and she feels that every allegation against
him is believable.

-dsr-


Re: [Discuss] excessive memory usage in Ubuntu

2019-09-10 Thread Dan Ritter
Tom Luo wrote: 
> Hi, Dan,
> 
> I did replace the startxfce4 command with
> "xfce4-session-manager".
> However, I see this screen after I log in. Please see the following
> screenshot:
> https://raw.githubusercontent.com/hkbluesky/VNC/master/Screen%20Shot%202019-09-10%20at%202.44.48%20PM.png
> I tried many key combinations. The screen stays the same.
> Do you know why?

That's interesting. It looks like the session manager didn't start the window
manager or the panel manager. 

> I also tried LXDE. This works and the memory usage is not too bad.

If that works for you, you should continue using it.

-dsr-


Re: [Discuss] excessive memory usage in Ubuntu

2019-09-09 Thread Dan Ritter
Tom Luo wrote: 
> Hi, Dan,
> 
> Thanks for your response. I am in the process of setting up a VNC server by
> following this instruction:
> https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04
> 
> It almost works until I run into this problem when I try to connect to the
> VNC server:
> 
> So as soon as i remote is with the VNC session (the xfce4 desktop is
> displayed) but with errors.


OK, so VNC is working. That's good.

> xfce unable to determine failsafe session name. possible causes: xfconfd
> isn’t running (D-Bus setup problem); environment variable $XDG_CONFIG_DIRS
> is set incorrectly (must include… and so on.


Try replacing the startxfce4 command with
"xfce4-session-manager".

> apt-get install gnome-panel gnome-settings-daemon metacity nautilus
> gnome-terminal
> I tried this command and then I run into the memory issue.
> Even after I reboot this machine, the memory usage is still 98%.
> I know 2GB memory is not great, but I just hope it can run a VNC server.
> Right now, there is nothing I can do before I solve the memory issue.


A novice was trying to fix a broken Lisp machine by turning the
power off and on.
Knight, seeing what the student was doing, spoke sternly: “You
cannot fix a machine by just power-cycling it with no
understanding of what is going wrong.”
Knight turned the machine off and on.
The machine worked.


apt-get remove gnome-panel gnome-settings-daemon metacity
nautilus gnome-terminal

You don't need them, they won't make this easier or happier.

-dsr-


Re: [Discuss] excessive memory usage in Ubuntu

2019-09-09 Thread Dan Ritter
Tom Luo wrote: 
> Hi, all,
> 
> I am running a Ubuntu 16.04 server (2GB memory and 2GB swap partition). At
> the beginning, the memory usage is fine (less than 20%). However, after I
> install some packages:
> 
> apt-get install gnome-panel gnome-settings-daemon metacity nautilus
> gnome-terminal
> 
> the memory usage increases a lot, to 99%. The swap partition is also almost
> full.
> 
> I used the "top" command to see which program is using a lot of memory.
> However, this is not a single significant program. Every program uses less
> than 5% memory. The problem is very strange and I don't know how to
> solve this problem because reinstall the system.
> 
> Any suggestions?

Some questions...

1. It's rare for a server to need interactive X applications. Is
that what you meant to have happen?

2. 2 GB of RAM is not a lot of RAM these days. GNOME is
explicitly a resource-intensive desktop environment; if you need
one, maybe you should be looking at XFCE (medium) or LXDE
(light)?

3. What happens after reboot?

-dsr-


Re: [Discuss] full disk backups

2019-08-25 Thread Dan Ritter
Ian Kelling wrote: 
> 
> Dan Ritter  writes:
> 
> 
> > 4. use ZFS
> > pro: lightweight snapshots, zfssend/zfsrecv
> > con: not simple to set up
> 
> 4.5 use btrfs. I use btrbk for snapshots and send. I've been using it
> for over 4 years now, recovered from several failed disks with raid 1,
> works great for me.
> 
> I don't know why people like zfs so much when it has a license
> compatibility problem so it's not supported or reviewed by upstream linux,
> and isn't used or supported by most major gnu/linux companies. Also
> btrfs is simpler and more flexible from what I've read.

I used btrfs for two years and lost data twice... both times
while doing a scrub operation on a RAID-1 mirror.

ZFS works.

The ZFS on Linux project is now the official root of all the
open ZFS versions, including those for FreeBSD and OpenSolaris's
derivatives. Ubuntu ships it fully incorporated; their lawyers think
this is acceptable. Debian ships it with the proviso that you have to
run the compilation step (via DKMS) on your machine, which satisfies
their interpretation of the license. 

I can't recommend btrfs to anyone in its current state, and I would 
recommend ZFS to people who are willing to read the fine documentation
before poking at it.

-dsr-


Re: [Discuss] full disk backups

2019-08-17 Thread Dan Ritter
Eric Chadbourne wrote: 
> 
> I've been using Kali Linux Light for my daily driver.  Works great.  However 
> I need to make full disk backups and be able to recover since this is used 
> for work.  I'm always screwing with it and if it's broken I'm not getting 
> paid those hours.
> 
> Any recommendations for something to use for a full disk backup and easy 
> recovery?  My first thought was dd or rsync.  However Clonezilla looks pretty 
> cool.  I remember years back one of their devs being on the BLU email list.
> 

Several options.

1. dd
pro: simple, guaranteed to copy all state
con: guaranteed to read and write all state

2. rsync
pro: reasonably simple, restartable, more efficient than dd
con: lots of small files make it slow

3. rsnapshot
pro: reasonably simple, enforces cron usage, built on rsync,
 multiple snapshots possible
con: same as rsync, plus multiple snapshots can make things
 messy

4. use ZFS
pro: lightweight snapshots, zfssend/zfsrecv
con: not simple to set up

5. buy another machine and stop futzing with your work machine
pro: work machine remains stable, damage from futzing
 limited to other machine
con: potentially expensive

I have used all of these techniques.

-dsr-


Re: [Discuss] CalDav/CardDav servers?

2019-08-14 Thread Dan Ritter
David Kramer wrote: 
> I am trying to move the functionality off my home server onto my Ubuntu node
> at Linode.  I already have IMAP/SMTP moved over (thanks once again to those
> that helped). The website will be trivial.  The other big part is
> CardDav/CalDav.
> 
> Right now on my home server I am running an older version of OwnCloud
> (NextCloud is a fork of OwnCloud).  OwnCloud is a whole groupware thing with
> file repo, etc, but it also has a caldav/carddav server and client.  I'm
> thinking if I'm moving over to this linode server, running full groupware
> may be a little too resource heavy, since I really don't use the rest.  I
> *MAY* install NextCloud anyway.  Not sure.  If I DO install some sort of
> groupware, I would prefer to use one that does not have built in mail
> server, so I don't have to worry about dovecot/postfix conflicts.
> 
> The leading CalDav/CardDav with wide protocol support seem to be
> https://radicale.org/ and https://www.davical.org, and possibly
> http://sabre.io/
> 
> Does anyone have any experience with these or others?
> 
> Should I just install NextCloud or some other groupware without email?

radicale is nearly trivial to set up.

NextCloud can easily be set up without being an email server.
You just tell it how to talk to an existing one.

If you don't want the other features of NextCloud, radicale is a
better choice for just being a caldav/carddav server.

-dsr-


Re: [Discuss] couple of cheap (free?) Asterisk telephony cards

2019-08-03 Thread Dan Ritter
Bill Bogstad wrote: 
> So a local call center near me closed down and was giving away all of
> their office furniture for free.  By the time that I got there, they
> seemed to have gotten rid of any interesting tech.  There were a
> couple of add in cards lying around that they said that I could have.
>  I think they are some form of Quad-span T1 cards.  Markings are:
> 
> Front side of board:
> 
> Compuamt 2011/4/EC
> 
> Back side of board:
> Compuamt
> 2011/4/EC
> Asterisk 2-4 Port E1/T1/J1 PRI PCIE Card
> www.asterisk.com
> 
> The boards appear to be identical and unlike most of the boards that I
> can find online they have
> 4 dip switches labeled JPO on the front.
> 
> I know some people on this list work with Linux based PBX systems, so
> maybe someone familiar with the product line can clarify what they
> are.  I have no use for them and would be happy to pass them on to a
> good home.  I only picked them up because I thought that they might be
> useful and they were going to end up in the trash if I didn't take
> them.  I have no idea if they work so buyer/taker beware.

These are telco-PC interfaces, taking a full T1 (24 voice
circuits) or ISDN PRI (23B+D circuits) and converting that for
internal VOIP use. 

There was a time when these were very much in demand; telcos
didn't have VOIP available, so you would order a bunch of lines
and feed them into your Asterisk PC, turn them into VOIP, and
handle voice mail, phone menu trees, rerouting. 

Now a really good desk VOIP phone goes for under $100, there are
a thousand VOIP telcos that will offer you service, and if you
never have to convert from analog to digital, you can run your
server in a virtual machine or have someone else do it for you.

Which is all to say, ten years ago I would have found these very
useful, and now I don't want them at all...

-dsr- 


Re: [Discuss] Application config files

2019-07-12 Thread Dan Ritter
Jerry Feldman wrote: 
> I have an application that I wrote where I am using a .ini style file for
> config. I chose that as an afterthought but maybe JSON, YAML, or TOML might
> be better formats. I set it up that way because I thought my target
> audience might be more familiar with .ini. Right now the code has no
> capability to save the preferences, but that should be an option, so a more
> Linuxish config file might be better. I'm personally very comfortable with
> both YAML and JSON. Opinions? (My code is Python3/GTK3).

It usually doesn't matter.

If it's short, .ini is perfectly fine.

If it's a potentially long config file, the best thing you can
do is make it capable of reading a directory worth of files
to include in the main config, so that replacing a small bit
without affecting the rest is easy.

include /opt/application/config.d/*


-dsr-
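
The `include /opt/application/config.d/*` pattern suggested above, sketched for a Python 3 application using `.ini` files. This is an added example, not code from the thread or from the application under discussion; the file names, section names and the ownership/permission policy are assumptions made for illustration. Drop-ins are applied in sorted order so later files override earlier ones, and a fragment that is a symlink, is owned by an unexpected user, or is group/world-writable is skipped rather than merged.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path


def open_trusted(path, allowed_uids):
    """Open path without following symlinks; return a file object, or None if untrusted.

    The checks run on the already-open descriptor (fstat), so the file cannot be
    swapped between the check and the read.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:          # missing file, symlink (ELOOP), permission denied
        return None
    st = os.fstat(fd)
    ok = (stat.S_ISREG(st.st_mode)
          and st.st_uid in allowed_uids
          and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    if not ok:
        os.close(fd)
        return None
    return os.fdopen(fd, "r", encoding="utf-8")


def load_config(main_file, dropin_dir, allowed_uids=None):
    """Read main_file, then every *.ini in dropin_dir in sorted order.

    Returns (parser, loaded_names, skipped_names). Later files override
    earlier ones key by key, so a drop-in only needs the keys it changes.
    """
    if allowed_uids is None:
        allowed_uids = {0, os.getuid()}      # root and the invoking user
    parser = configparser.ConfigParser(interpolation=None)
    candidates = [Path(main_file)]
    dropins = Path(dropin_dir)
    if dropins.is_dir():
        candidates += sorted(p for p in dropins.iterdir() if p.suffix == ".ini")
    loaded, skipped = [], []
    for path in candidates:
        fh = open_trusted(path, allowed_uids)
        if fh is None:
            skipped.append(path.name)
            continue
        with fh:
            parser.read_file(fh, source=str(path))
        loaded.append(path.name)
    return parser, loaded, skipped


def demo():
    """Build a constructed config tree in a temp directory and load it."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        dropins = root / "config.d"
        dropins.mkdir()
        files = {   # constructed sample files: (content, mode)
            root / "app.ini": ("[server]\nport = 8080\nbind = 127.0.0.1\n", 0o644),
            dropins / "10-port.ini": ("[server]\nport = 9090\n", 0o644),
            dropins / "50-planted.ini": ("[server]\nbind = 0.0.0.0\n", 0o666),
            dropins / "90-log.ini": ("[logging]\nlevel = debug\n", 0o644),
            dropins / "README.txt": ("not a config file\n", 0o644),
        }
        for path, (text, mode) in files.items():
            path.write_text(text)
            os.chmod(path, mode)     # set modes explicitly, independent of umask
        parser, loaded, skipped = load_config(root / "app.ini", dropins)
        merged = {s: dict(parser[s]) for s in parser.sections()}
        return merged, loaded, skipped


if __name__ == "__main__":
    merged, loaded, skipped = demo()
    print("merged :", merged)
    print("loaded :", loaded)
    print("skipped:", skipped)
```
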


Re: [Discuss] Mastodon?

2019-07-04 Thread Dan Ritter
Mike Small wrote: 
> pulled in some serious undesirability by aping twitter. People who hate
> tinfoil hat stuff should stop reading at the next punctuation mark, but
> I was imagining a team of unscrupulous behavioural psychologists working
> at Twitter Inc. to make their site maximally addictive, by having it
> tweak but never fulfill whatever lack sends people like me to the
> computer in search of connection or whatever else. That's what I thought
> mastodon inherited and why it's something to avoid.

You don't need to invoke a big conspiracy when the ordinary kind
of profit motive will do: I'm sure that every feature manager at
Twitter is being incentivized to increase market share and
eyeball time, so even if they aren't particularly knowledgeable
about doing that, eventually they will evolve techniques.

People who think they are basically doing good-to-neutral work
are quite responsive to relatively small payments; people who
have compartmentalized evil are capable of consciously working
more evil in exchange for larger payments.

-dsr-


Re: [Discuss] kindle fire mount

2019-06-21 Thread Dan Ritter
dan moylan wrote: 
> 
> running fc29 on acer laptop aspire E1-472P-6860.
> kindle fire HD-10
> 
> connected the kindle fire via usb cable, does not mount.
> sudo mount does not mount it.  the cable is good because
> it's ok mounting to a windows 10 laptop.
> 
> what should i be doing?
> 

Read up on MTP; install mtpfs or jmtp.

Android no longer supports USB mass-storage, more's the pity.

-dsr-


Re: [Discuss] Flash player on Google Chrome and Fedora 30 followup

2019-06-15 Thread Dan Ritter
Jerry Feldman wrote: 
> My wife doesn't like Firefox and won't try other browsers. However, flash
> player now works on Google Chrome on Fedora 30

What do you still use flash for? I haven't seen anything using
it in four or five years.

-dsr-


Re: [Discuss] Need help with undelivered mail.

2019-06-11 Thread Dan Ritter
David Kramer wrote: 
> I am having trouble sending mail to GMail accounts, and I'm getting
> inconsistent explanations. I could use some help figuring out the real
> cause.
> 
> Setup: I have a mail server running on Linode running
> postfix/dovecot/clamav/etc ( I successfully moved mail off my home server
> about a year ago).  I have Verizon FIOS at home.  I use Thunderbird for
> email on my main Linux computer.
> 
> When I send email to a gmail account, I am getting:
> 
> host aspmx.l.google.com[2607:f8b0:400d:c0e::1a] said:
>     550-5.7.1 [2600:3c03::f03c:91ff:fe62:5ea] Our system has detected that
> this
>     550-5.7.1 message does not meet IPv6 sending guidelines regarding PTR
>     records 550-5.7.1 and authentication. Please review 550-5.7.1
> https://support.google.com/mail/?p=IPv6AuthError for more information 550
> 
> The link that goes to HAS ABSOLUTELY NOTHING to do with IPv6, it has to do
> with bulk emails.  What I *THINK* it means is I need to set up IPv6 records,
> but I'm not sure which ones.


dig -t mx thekramers.net
...
;; ANSWER SECTION:
thekramers.net.          3600  IN  MX  10 zenyatta.thekramers.net.
thekramers.net.          3600  IN  MX  20 bantha.org.
...
;; ADDITIONAL SECTION:
zenyatta.thekramers.NET. 3600  IN  A   104.237.150.41

dig -t mx bantha.org
...
;; ANSWER SECTION:
bantha.org.              3600  IN  MX  20 mail.azuen.net.
bantha.org.              3600  IN  MX  10 bantha.org.

dig -t a zenyatta.thekramers.net.
...
;; ANSWER SECTION:
zenyatta.thekramers.net. 3600  IN  A   104.237.150.41

dig -t a mail.azuen.net.
...
;; ANSWER SECTION:
mail.azuen.net.          3600  IN  A   192.34.87.82

dig -t a bantha.org
...
;; ANSWER SECTION:
bantha.org.              1200  IN  A   173.66.162.52

dig -t AAAA thekramers.net, zenyatta.thekramers.net,
mail.azuen.net, dig -t AAAA bantha.org --- none of these have
IPv6 addresses.

So it's perfectly reasonable for Google to believe that mail
from an IPv6 host is not from any of these mailservers.

Anywhere you have IPv6 connectivity on a mailserver, publish
an AAAA record and an MX record for that AAAA record.

thekramers.net should also have an SPF txt record, most likely
something like 
"v=spf1 mx a:thekramers.net a:bantha.org a:mail.azuen.net ~all"

which will clue Google (and others) in to the fact that these
are mailservers which are authorized to send for you, and 
others are more suspicious but not impossible. (-all would make
others impossible).


> 
> According to 
> https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3athekramers.net=toolpage
> my IP address is on the SORBS DUHL list and the Spamhaus ZEN list. Digging
> into Sorbs and https://www.spamhaus.org/pbl/query/PBL1637778 I get the
> impression my whole IP range is blocked because outgoing mail should go to
> smtp.verizon.net when I'm at home.  But if that's the case how does sent
> mail get saved to my IMAP server?? Is it sent there too?

Those are advisory lists that say that IPs in those ranges are
probably not mailservers. There's nothing you can do to get off
of them, basically, because VZ supplies the info.

It has nothing to do with whether or not someone will actually
deliver mail to smtp.verizon.net, and I'm sure smtp.verizon.net
rejects mail bound for thekramers.net. That's what MX records
are for.


> So should I be sending mail through smtp.verizon.com or through my Linode
> server?

Through your linode server, and you should add its AAAA record
to something like mail.thekramers.net and also as an MX for you,
and add mail.thekramers.net to the SPF txt record.


> If I'm sending mail through my Linode server, then why would a block on my
> home IP address range matter when my MX records point to my  Linode server?

It doesn't.

> Does this have anything to do with IPv6?

Yes. The Linode server has IPv4 and IPv6 addresses, and has been
using the IPv6 address to contact Google. When Google tries to
estimate the likelihood of it being a spammer, it sees no signs 
that this is a legitimate mailserver for thekramers.net.

-dsr-
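
To make the diagnosis above concrete, here is an added example (not part of the original message) that evaluates the suggested SPF record and a forward-confirmed reverse DNS check against a small constructed resolver table, so it runs offline. The A and MX records and both sender addresses are the ones quoted in the thread; the PTR entry, the revised SPF string and the whole "after" state are assumptions illustrating the recommended fix, and only the `a`, `mx`, `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

SENDER_V6 = "2600:3c03::f03c:91ff:fe62:5ea"   # address in Google's 550 bounce
SENDER_V4 = "104.237.150.41"                  # zenyatta's A record from the dig output
SPF_SUGGESTED = "v=spf1 mx a:thekramers.net a:bantha.org a:mail.azuen.net ~all"

# Constructed resolver table holding only the records shown in the thread.
DNS_BEFORE = {
    ("thekramers.net", "MX"): ["zenyatta.thekramers.net", "bantha.org"],
    ("zenyatta.thekramers.net", "A"): ["104.237.150.41"],
    ("bantha.org", "A"): ["173.66.162.52"],
    ("mail.azuen.net", "A"): ["192.34.87.82"],
}

# Assumed state after following the advice: mail.thekramers.net carries the
# AAAA, is listed as an MX and in SPF, and (assumption) the PTR points to it.
DNS_AFTER = dict(DNS_BEFORE)
DNS_AFTER.update({
    ("thekramers.net", "MX"): ["zenyatta.thekramers.net", "mail.thekramers.net", "bantha.org"],
    ("mail.thekramers.net", "AAAA"): [SENDER_V6],
    (SENDER_V6, "PTR"): ["mail.thekramers.net"],
})
SPF_AFTER = ("v=spf1 mx a:thekramers.net a:mail.thekramers.net "
             "a:bantha.org a:mail.azuen.net ~all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(dns, name, rtype):
    """Return the record list for (name, rtype), or [] when nothing is published."""
    return dns.get((name.rstrip(".").lower(), rtype), [])


def host_matches(dns, host, ip):
    """True if host has an address record of the sender's family equal to ip."""
    rtype = "AAAA" if ip.version == 6 else "A"   # IPv6 senders are matched on AAAA only
    return any(ipaddress.ip_address(a) == ip for a in lookup(dns, host, rtype))


def check_spf(record, domain, sender, dns):
    """Evaluate a subset of SPF (a, mx, ip4, ip6, all); other terms are ignored."""
    ip = ipaddress.ip_address(sender)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = host_matches(dns, arg or domain, ip)
        elif name == "mx":
            matched = any(host_matches(dns, mx, ip)
                          for mx in lookup(dns, arg or domain, "MX"))
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == ip.version and ip in net
        else:
            continue   # include, exists, redirect, CIDR suffixes: outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def fcrdns(sender, dns):
    """Forward-confirmed reverse DNS: a PTR name must resolve back to the sender."""
    ip = ipaddress.ip_address(sender)
    return any(host_matches(dns, name, ip) for name in lookup(dns, str(ip), "PTR"))


def assess(sender, spf, dns, domain="thekramers.net"):
    return {"spf": check_spf(spf, domain, sender, dns), "fcrdns": fcrdns(sender, dns)}


if __name__ == "__main__":
    for label, spf, dns in (("before", SPF_SUGGESTED, DNS_BEFORE),
                            ("after", SPF_AFTER, DNS_AFTER)):
        for sender in (SENDER_V4, SENDER_V6):
            print(f"{label:6} {sender:32} {assess(sender, spf, dns)}")
```

With only A records published, the IPv4 sender passes on `mx` while the IPv6 sender falls through to `~all`; once an AAAA, MX and matching PTR exist for the IPv6 address, the same sender passes both checks.
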


Re: [Discuss] Placing SIP Server in DMZ or use DNAT?

2019-05-22 Thread Dan Ritter
Derek Atkins wrote: 
> Dan,
> 
> On Wed, May 22, 2019 12:44 pm, Dan Ritter wrote:
> >
> > eth0:  .121/29
> > eth1:  10.1.1.1/30
> > eth2:  192.168.0/24
> > eth4: ...
> >
> > then SIP uses 10.1.1.2/30 with 10.1.1.1 as a gateway, and your
> > router adds a static route for .122/32 with 10.1.1.2 as a
> > gateway. This avoids assigning competing subnets to different
> > NICs.
> 
> Hmm.  So how is the SIP server configured?  Is it configured with eth0
> having two IP addresses, .122/29 and 10.1.1.2/30?  If not, then how does
> the SIP server know it's supposed to be .122/29?
 
SIP server:

eth0 10.1.1.2/30
eth0:sip a.b.c.122/32

SIP server route:
default via 10.1.1.1  

Bind the SIP server only to the .122 address.

Incoming path: internet to modem looking for a.b.c.122. Modem
gets ARP from router, hands packet for .122 to the router.
Router hands it out via eth1 to 10.1.1.2, the SIP server, which
hands it to .122.

Return path: SIP server sends to x.y.c.d, only route is via
10.1.1.1, so it sends it that way.

> I'd also be worried that SIP would attempt to send out packets "from" its
> .2/30 address?   Don't you still need to NAT this, somehow?

I haven't set this up and tested it. I could be wrong.

> > Yes, you need to turn on proxy arp on eth0:
> >
> > echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
> >
> > so it will answer for the .122 when the modem asks.
> >
> > (If the modem spoke a routing protocol, you could advertise
> > reachability through that, but odds are good it does not.)
> 
> I am fairly sure it does not.  It's an Arris NVG599.
> 
> In my ACTUAL implementation I actually don't need proxyarp because I've
> got one more box (which I didn't show earlier) which ensures that all of
> the /29 traffic gets sent to the ERPro (except for .126/29, which gets
> shunted over to the Modem).  I could change that so that .122/29 gets sent
> to the SIP box, and the rest to the ERPro. 

I think that last bit solves all the problems, doesn't it?

-dsr-


Re: [Discuss] Placing SIP Server in DMZ or use DNAT?

2019-05-22 Thread Dan Ritter
Derek Atkins wrote: 
> 
> On Wed, May 22, 2019 9:34 am, Dan Ritter wrote:
> 
> > Option C: pretend NAT doesn't exist for the SIP server and:
> >
> >.126   .121
> > ISP --  --  -- intranet
> >\--  .122
> >
> > route packets to .122 without NATting them. This assumes that
> > you have an interface available on the firewall. You may want to
> > use an RFC1918 /30 subnet between them.
> 
> I had considered this approach as well, but there are several issues with
> it. The firewall is an Edgerouter-Pro-8.  It doesn't like having the same
> IP or even the same network on multiple ports.  And it does not have a
> hardware switch, so bridging ports is expensive.
> 
> So imagine this:
> 
> eth0: .121/29 (connected to ISP/Modem)
> eth1: .121/29 (connected to SIP)
> eth2: 192.168/24
> eth3: class-C
> 
> I would need specific rules to route the /29 between eth0 and eth1.  SIP
> would need to be told that the default router is .121 instead of .126
> (which I guess I can do).  But the firewall would need to proxy-arp for
> .122 in order to get the modem to send it everything.  This is where the
> demons lay.
> 
> I'm not sure where this /30 comes into play?  Could you be more explicit.

eth0:  .121/29
eth1:  10.1.1.1/30 
eth2:  192.168.0/24
eth4: ...

then SIP uses 10.1.1.2/30 with 10.1.1.1 as a gateway, and your
router adds a static route for .122/32 with 10.1.1.2 as a
gateway. This avoids assigning competing subnets to different
NICs.

Yes, you need to turn on proxy arp on eth0:

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

so it will answer for the .122 when the modem asks.

(If the modem spoke a routing protocol, you could advertise
reachability through that, but odds are good it does not.)

-dsr-
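The layout from this message and the follow-up above it (a /30 transit link, a static /32 route and proxy ARP on eth0) can be checked with a small model of the router's decisions. This is an added example, not code from the thread: 203.0.113.120/29 is a constructed stand-in for a.b.c.120/29, the eth2 address is assumed, and the model covers only longest-prefix routing and the proxy-ARP rule (reply when the route to the target leaves through a different interface).

```python
"""Model of the routed-/32 layout: which ARP requests the router answers,
and where it forwards the packet afterwards. Simplified; addresses constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

SIP_PUBLIC = "203.0.113.122"   # stands in for a.b.c.122
MODEM = "203.0.113.126"        # stands in for a.b.c.126


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None  # None: destination is on-link


@dataclass
class Router:
    addrs: dict                      # interface name -> IPv4Interface
    proxy_arp: set                   # interfaces with proxy_arp = 1
    static: list = field(default_factory=list)
    forwarding: bool = True          # net.ipv4.ip_forward

    def routes(self):
        connected = [Route(a.network, dev) for dev, a in self.addrs.items()]
        return connected + self.static

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes."""
        ip = ipaddress.ip_address(dst)
        hits = [r for r in self.routes() if ip in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def is_local(self, dst):
        ip = ipaddress.ip_address(dst)
        return any(a.ip == ip for a in self.addrs.values())

    def answers_arp(self, in_dev, target):
        """Would the router reply to 'who-has target' heard on in_dev?"""
        if self.is_local(target):
            return True  # its own address
        route = self.lookup(target)
        # Proxy ARP: only when forwarding, enabled on the receiving interface,
        # and the target is reached through some *other* interface.
        return (self.forwarding and in_dev in self.proxy_arp
                and route is not None and route.dev != in_dev)


def build_router(proxy_arp=True, host_route=True):
    router = Router(
        addrs={
            "eth0": ipaddress.ip_interface("203.0.113.121/29"),
            "eth1": ipaddress.ip_interface("10.1.1.1/30"),
            "eth2": ipaddress.ip_interface("192.168.0.1/24"),  # assumed host part
        },
        proxy_arp={"eth0"} if proxy_arp else set(),
        static=[Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", MODEM)],
    )
    if host_route:
        router.static.append(
            Route(ipaddress.ip_network(SIP_PUBLIC + "/32"), "eth1", "10.1.1.2"))
    return router


def inbound(router, dst):
    """Trace a packet the modem wants to deliver to dst on the eth0 segment."""
    if not router.answers_arp("eth0", dst):
        return "dropped: router does not answer the modem's ARP for " + dst
    if router.is_local(dst):
        return "delivered to the router itself"
    route = router.lookup(dst)
    return f"forwarded out {route.dev} to next hop {route.via or dst}"


if __name__ == "__main__":
    print("as described:      ", inbound(build_router(), SIP_PUBLIC))
    print("proxy_arp off:     ", inbound(build_router(proxy_arp=False), SIP_PUBLIC))
    print("no /32 route:      ", inbound(build_router(host_route=False), SIP_PUBLIC))
    print("other /29 address: ", inbound(build_router(), "203.0.113.123"))
    print("return path uses:  ", build_router().lookup("198.51.100.7"))
```

Both the static /32 route and the proxy_arp setting are needed: without the route, the target resolves to the connected /29 on eth0 itself, so the router stays silent, and the same rule keeps it from answering for the other addresses in the /29.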





Re: [Discuss] Placing SIP Server in DMZ or use DNAT?

2019-05-22 Thread Dan Ritter
Derek Atkins wrote: 
> HI,
> 
> I've got a network with the following configuration.  I am being routed
> IP range a.b.c.120/29.  The modem takes .126.  I've configured my
> firewall for .121.  I can add a switch between the modem and firewall to
> add additional machines there:
> 
>   .126   .121
>ISP --    -- intranet
> 
> I want to add a SIP server as .122.  I have two ways to do this.
> I could put it outside the firewall and just have it be natively on
> .122:
> 
>   .126   .121
>ISP --    -- intranet
> \-- (.122)
> 
> Or I have it inside the intranet and configure the firewall to
> forward and rewrite packets via a set of (D)NAT rules:
> 
>   .126   .121/.122
>ISP --  --  -- intranet
>  \-- 
> 
> What do you all feel is the best approach?  I feel like the former is a
> simpler configuration, even though it requires one more piece of
> hardware.  On the other hand, the latter approach lets me have more
> visibility into the packets hitting the SIP server.
> 
> I should add that I do have at least 2 phones/ATAs sitting in the
> intranet network that need to connect to the SIP server, but standard
> NAT should work for that.
> 
> Currently the SIP server is sitting behind the firewall but living on a
> tunneled class-C network.  My IP phones are able to talk to it directly,
> and because it's got a public IP on the class-C it is reachable from
> devices outside the intranet.  Part of this project is to remove that
> extra level of latency caused by the tunnel, with the hope that removing
> that extra point of failure will improve my VOIP service.

Option C: pretend NAT doesn't exist for the SIP server and:

   .126   .121
ISP --  --  -- intranet
   \--  .122

route packets to .122 without NATting them. This assumes that
you have an interface available on the firewall. You may want to
use an RFC1918 /30 subnet between them.

Then you can firewall stuff without NAT funkiness. NAT never
makes SIP better.

-dsr-


Re: [Discuss] mtpfs question

2019-03-28 Thread Dan Ritter
dan moylan wrote: 
> 
> great -- i've got termux installed on the tablet and sshd
> running, but where are the kindle files on the tablet?
> 
> i've poked around a bit and found nothing -- of course, /data
> and /data/data are inaccessible.
>  
> and when i ssh in:
> 
>   u0_a5 ~[40] ls
>   The program 'ls' is not installed. Install it by executing:
>pkg install busybox
>   or
>pkg install coreutils
>   u0_a5 ~[41] pkg install coreutils
>   The program 'pkg' is not installed. Install it by executing:
>pkg install termux-tools
>   u0_a5 ~[42] pkg install termux-tools
>   The program 'pkg' is not installed. Install it by executing:
>pkg install termux-tools
> 
> on the tablet, ls and pkg work as expected -- i must be sshing
> in wrong somehow.  hmmm ... where do i go from here?

Very likely /sdcard.


Re: [Discuss] cron notifications to GUI front end

2019-03-28 Thread Dan Ritter
Jerry Feldman wrote: 
> I have a crontab task to shutdown my system at a specific time each
> evening. Shutdown notifications come to terminal windows that are open.
> However, When I am logged in and using Atom and Glade to work with some
> code, I miss the notification and the system shuts down. What I would like
> to do is to write a small GUI GTK3 task pop up in my face so I can stop the
> shutdown. One possibility is to write a startup task when I log in. So, I
> am looking at ideas.

sudo -u gaf DISPLAY=:0 \
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u gaf)/bus \
notify-send 'SYSTEM SHUTDOWN' \
'Gonna shut down the system Real Soon Now'

See if that works for you.

-dsr-


Re: [Discuss] Ubuntu Install Question

2019-03-07 Thread Dan Ritter
Ivan Klimov wrote: 
> Hi Mike,
> 
> Thank you for the clarification.
> 
> I thought of swap partition to be more for temp file storage/exchange.
> Thank you for introducing the concept. When you said shuffle parts of
> programs... I have not done it and do not envision how it is done. Maybe it
> is an advanced concept for me;) I have installed FULL programs on different
> partitions -never parted programs out.

The operating system takes care of this for you -- all you do is 
specify where it is allowed to put the data.

Windows does the same thing, but doesn't ask you to tell it
where to put the data.

-dsr-


Re: [Discuss] mouse behavior

2019-02-24 Thread Dan Ritter
Laura Conrad wrote: 
> 
> Last fall I upgraded both my laptop and my desktop to ubuntu 18.4
> (actually Mint) from ubuntu 16.4.  In both cases I'm using xfce as my
> desktop environment.
> 
> Ever since, I have no idea what using my mouse is going to actually do.
> The specific problems are:
> 
> When I move a window by dragging with the left button in the title
> bar, often instead of just moving the window, it puts the window
> into full-screen mode.

This is the expected behavior when you drag a window to the top
of the screen. 

In XFCE Settings, Window Manager, Advanced: 
uncheck Windows Snapping to Screen Borders
and
go to Wrap Workspaces When Reaching Screen Edge
and either unclick With A Dragged Window
or reduce Edge Resistance to a very small value.

You may also get a good result with Window Manager Tweaks:
Accessibility, unclick Automatically tile windows when moving
toward screen edge.

-dsr-


Re: [Discuss] Hacked or Scam?

2019-01-16 Thread Dan Ritter
David Kramer wrote: 
> I've gotten two of these emails so far saying my email is hacked.  I get
> these kinds of emails all the time about a password that got exposed in a
> company breach, but I haven't used that password in a long time, so I'm not
> worried about that.  Just making sure I should not be worried about this
> either.  My mail server is a Linode node running postfix, amavis,
> spamassassin, and dovecot.
> 
> Looking at the headers, it looks to me like they just sent an email to my
> server through their server like normal, not that it originated on my
> server.  Using "last" I don't see any logins that were probably not me.
> 

Laziest scam in existence:

1. Get a list of exposed email addresses and passwords.

2. Spam them all with this script.

3. Hope that someone will send in bitcoins.

4. Rinse and repeat.


Today I got three of them. I use tagged email addresses and
site-unique passwords, so I am... unconcerned.

If they only have email addresses, well, they just leave out
the bit about how they know this particular password and 
substitute a bit about how "you know this is real because I
sent it from your email address!"

Lame.

-dsr-


Re: [Discuss] apache problem

2019-01-06 Thread Dan Ritter
dan moylan wrote: 
> 
> > If that doesn't work, try (as root or via sudo):
> > a2enmod userdir
> 
> hmmm -- that appears to be a debianism.  what does it do?
> 

apache2 enable module "userdir" - links
/etc/apache2/modules-available/userdir to
/etc/apache2/modules-enabled/userdir

-dsr-


Re: [Discuss] Changing Comcast Modem to Bridged

2018-12-30 Thread Dan Ritter
jbk wrote: 
> A couple years ago we changed to comcast as our ISP and incorporated their
> modem into our network topology providing the dhcp, NAT and wireless
> functions.
> 
> Prior to this we had a DSL modem and WRT54G running tomato. The modem
> provided dhcp so it was the gateway address.
> 
> I now want to put the Comcast modem in bridge mode and have my wireless
> router running dd-wrt provide the dhcp and NAT for the wireless and wired
> LAN.
> 
> According to the research I've done there are only two ip address options
> for setting up the modem in bridge mode. 10.0.0.1 or 192.168.100.1.
> 
> My current network subnet mask is 255.0.0.0 for the dozen or so devices that
> have static IP's. I do not provide any services outside the local LAN but
> within I have a backup server that serves a number of devices.
> 
> As I understand it the modem IP in bridged mode wants to be on a different
> subnet than the internal LAN which would lead me to believe that the 192
> prefixed IP address would be the choice, this is question #1
> 
> Once I've setup the modem with the correct IP then will the router now
> become the gateway?
> 
> I have the Cisco DPC3941T modem, has anyone on here set up the bridge
> themselves, I see the option in the management GUI, or per my web searching
> this change can only be done correctly by the right Comcast personnel
> remotely?
> 
> Well that's the gist of it, did I leave out anything?

You've got some confusion in there.

1. NAT has to be handled by a router which has at least one
outside address and at least one inside address.

2. DHCP can be done by any device on the inside.

3. A bridge operates at the ethernet level, not the IP level.
   So once it's in operation, you pretend it's a chunk of wire: 
   your router connects to the bridge and uses the Comcast
   assigned outside address(es), and connects to your internal
   network with internal address(es).

A subnet mask indicates how large a chunk of the IP space should
be considered as local. You've got 16.7 million addresses
considered local right now...


The net says:

 Cisco DPC3941T modem

1) Press and hold reset button on back of gateway for 30
seconds, this will reset the gateway back to the factory
defaults.
 
2) Connect a computer to ethernet port #2 on the back of the
gateway.
 
3) After the gateway boots, verify computer has connectivity,
connect to gateway @ 10.0.0.1
 
4) Change the gateway's login password, disable both private
wifi networks, set ipv4 and ipv6 firewall to custom mode and
select option disable/none.
 
5) Set Gateway > At a Glance > Bridge Mode to Enable. When you
see the timer screen pop up, you can disconnect the computer
from the gateway as it is rebooting. the reboot can take 3 - 5
minutes.
 
6) Connect your router to the gateway ethernet port #1, on the
router make sure that the WAN / Internet link is set to disabled
or off.  
 
7) Once the gateway completes its boot cycle, enable the
Internet WAN on the router. The router should now have the IP
address issued by Comcast. 
 
8) Configure the router as you see fit.

Hope that helps.

-dsr-


Re: [Discuss] Fedora 28 Doesn't See External DVD Drive on USB Port

2018-12-29 Thread Dan Ritter
Nancy Allison wrote: 
> Hi, all.
> 
> When I plug in my external disk drive into my Fedora 28 machine, it does
> not show up in Nautilus.
> 
> I go looking online, and, sure enough, this problem has occurred for plenty
> of people for 5+ years over many releases of Fedora.
> 
> I find a discussion in which someone evidently solved the problem. Here is
> what the person reported:
> 
> "NVM - found the cause. Old entry in fstab for a second swap not present on
> sdb1 and first USB disks being assigned sdb. Cleaned that up and now all
> drives plugging correctly.
> Willtech ( Sep 23 '18 )"
> 
> How do I apply this information? Where is fstab? When does a first swap
> occur? When does a second swap occur? What does it mean to be assigned sdb?

/etc/fstab consolidates mounting information.

Each active line defines:

 

For example:

/dev/scd0   /media/cdrom0   iso9660 ro  1   1

device/partition name, then where you want it mounted, then the
type of filesystem.

If you have a single disk called /dev/sda, for instance, you
might see your external CD show up as /dev/sdb. If there's
already a /dev/sdb listed in the file, that will conflict.

Hope that helps.

-dsr-
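The conflict described in this message (an fstab line naming /dev/sdb1 when that name now belongs to a different disk) can be found mechanically. This is an added example, not part of the original post: the sample fstab and the map of attached devices are constructed, and the six column names follow fstab(5) (device, mount point, filesystem type, options, dump, pass).

```python
"""Flag /etc/fstab entries that name a disk by kernel slot (/dev/sdXN) when
that slot is empty or currently holds a different filesystem."""
import re

FIELDS = ("device", "mountpoint", "fstype", "options", "dump", "passno")
# /dev/sdX names are handed out in detection order, so they can move
# between boots or when a USB disk is plugged in.
SLOT_NAME = re.compile(r"^/dev/sd[a-z]+\d*$")

# Constructed sample: a stale second-swap line like the one in the quoted report.
SAMPLE_FSTAB = """\
# /etc/fstab (constructed sample)
UUID=0a1b2c3d-constructed-root  /              ext4     defaults   0 1
/dev/sdb1                       none           swap     sw         0 0
/dev/scd0                       /media/cdrom0  iso9660  ro,noauto  0 0
"""


def parse_fstab(text):
    """Return one dict per active line; comment and blank lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields")
        parts += ["0"] * (len(FIELDS) - len(parts))  # dump/passno default to 0
        entry = dict(zip(FIELDS, parts))
        entry["lineno"] = lineno
        entries.append(entry)
    return entries


def find_conflicts(entries, attached):
    """attached maps device node -> filesystem type found there right now
    (what blkid would report). Returns (lineno, device, reason) tuples."""
    problems = []
    for entry in entries:
        dev = entry["device"]
        if not SLOT_NAME.match(dev):
            continue  # UUID=/LABEL= entries follow the filesystem, not the slot
        actual = attached.get(dev)
        if actual is None:
            problems.append((entry["lineno"], dev,
                             "nothing attached; the next disk plugged in may take this name"))
        elif actual != entry["fstype"]:
            problems.append((entry["lineno"], dev,
                             f"fstab expects {entry['fstype']} but device holds {actual}"))
    return problems


if __name__ == "__main__":
    # Constructed state: internal disk is sda, a USB stick has just become sdb.
    now_attached = {"/dev/sda1": "ext4", "/dev/sdb1": "vfat"}
    for lineno, dev, reason in find_conflicts(parse_fstab(SAMPLE_FSTAB), now_attached):
        print(f"fstab line {lineno}: {dev}: {reason}")
```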


Re: [Discuss] Backup Postfix/Dovecot E-mail Server?

2018-12-03 Thread Dan Ritter
Kent Borg wrote: 
> Question about setting up Postfix/Dovecot machine as a backup e-mail server.
> 
> I should set up an e-mail backup. I have another static Linux machine I
> could use, that has a static IP address, but the question is how to
> configure it. Once upon a time I had a machine set up as a backup, but it
> only queued up messages until the primary machine came back on line. But
> sending machines do a decent job of queuing messages anyway, so that doesn't
> buy much, so I turned it off.

This is called a Secondary MX, although you can have any number
of them.

> I see three possibilities:
> 
> * Set up a backup that just queues messages.
> 
>  I don't really see the point.

It provides the illusion of high uptime, which might be
important for you. In any case, it's a set of suspenders to 
go with your belt.

> * Set up a second server that acts like the first.
> 
>  I worry when I might do a cutover the IMAP server will confuse the
>client. The client won't see old messages that were on the primary
>server and so deletes its local copies.

Yeah, that would be bad.

> * Set up something more clever that keeps the primary and backup in sync so
> both IMAP servers hold the same messages.

High-availability is hard, although this is the easiest case:
you list both machines in your MX records, and have your MTA
deliver to a shared filesystem. DRBD is the usual choice.

Then your IMAP service has to deal with all your mail in the
shared filesystem.


-dsr-





Re: [Discuss] Container to deploy a web service

2018-11-09 Thread Dan Ritter
Tom Luo: 
> Is there any alternative besides docker?

Yes.

You can:

   - set up servers and sell the service of access to your nifty
 idea rather than shipping code to the users.

   - ask your users to sign a contract that says that they will
 not read through the source code or re-use it, because the
 copyright remains with you.

-dsr-


Re: [Discuss] Container to deploy a web service

2018-11-09 Thread Dan Ritter
Tom Luo: 
> Hi, all,
> 
> Thanks for answers. I just feel docker should support the feature to hide
> all details inside the container and just expose a port.

How would you do that? Encrypt the container?

See my previous discussion of how that doesn't actually work.

-dsr-


Re: [Discuss] Container to deploy a web service

2018-11-08 Thread Dan Ritter
Jason Normand: 
> from a strictly technical perspective, in order to make something like this
> work in docker you would need to set up some kind of runtime decryption.
> basically your system would need to read encrypted files from the volume
> then decrypt them into a memory based storage (harder though not
> impossible to read from the host).  with docker any files in a running
> container are fully accessible from the host system, and further files in
> the container image can be unpacked by anyone with access to the image.  so
> with docker who ever has access to the host system, has access to all
> container files.

All of this has happened before. It's called "copy protection"
or "DRM - digital rights management".

It always goes like this:

1. I want to sell you something, but I don't want you to be able
   to look inside it or copy it or something.

2. So I encrypt the thing. Now you can't access it.

3. So I give you a method of playing the thing.

4. But you still can't access it because it's encrypted, so I
   also have to send the key along.

5. Now I have sent you the encrypted thing, a way to use the
   thing, and the key to unencrypting the thing. Why have I gone
   to all this bother again?

In case it's clear: don't do this. It's not worth while.

-dsr-
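The point in the quoted text that files in a container image can be unpacked by anyone who holds the image can be seen with nothing more than a tar reader. This is an added example, not code from the thread: it builds a small constructed archive in the layout `docker save` writes (a `manifest.json` listing layer tarballs), then audits it; the file names and contents are invented, and opaque-directory whiteouts are not handled.

```python
"""Audit a docker-save style archive: list what is in the final filesystem
and what was 'deleted' in a later layer but is still stored in an earlier one."""
import io
import json
import tarfile


def tar_bytes(files):
    """Build an uncompressed tar in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed image: layer 0 ships source, layer 1 removes it again."""
    layer0 = tar_bytes({
        "app/service.py": b"LICENSE_KEY = 'constructed-example'\n",
        "app/static/ui.js": b"console.log('ui');\n",
    })
    # A file named .wh.<name> is a whiteout: it hides <name> from lower layers.
    layer1 = tar_bytes({
        "app/.wh.service.py": b"",
        "app/service.pyc": b"\x00constructed-bytecode",
    })
    manifest = [{
        "Config": "config.json",
        "RepoTags": ["vendor/webservice:1.0"],
        "Layers": ["layer0/layer.tar", "layer1/layer.tar"],
    }]
    return tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": b"{}",
        "layer0/layer.tar": layer0,
        "layer1/layer.tar": layer1,
    })


def read_layers(archive_bytes):
    """Return [(layer index, {path: content})] in the order the manifest lists."""
    layers = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for image in manifest:
            for idx, layer_name in enumerate(image["Layers"]):
                raw = outer.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(raw)) as layer:
                    files = {m.name: layer.extractfile(m).read()
                             for m in layer.getmembers() if m.isfile()}
                layers.append((idx, files))
    return layers


def audit_image(archive_bytes):
    """Return (final_fs, recoverable): both map path -> (layer index, content).
    recoverable holds files a later layer whited out but an earlier layer keeps."""
    final_fs, recoverable = {}, {}
    for idx, files in read_layers(archive_bytes):
        for path, data in files.items():
            directory, _, base = path.rpartition("/")
            if base.startswith(".wh."):
                target = (directory + "/" if directory else "") + base[len(".wh."):]
                if target in final_fs:
                    recoverable[target] = final_fs.pop(target)
            else:
                final_fs[path] = (idx, data)
    return final_fs, recoverable


if __name__ == "__main__":
    final_fs, recoverable = audit_image(build_sample_image())
    print("visible in running container:", sorted(final_fs))
    for path, (idx, data) in recoverable.items():
        print(f"removed later, still in layer {idx}: {path} ({len(data)} bytes)")
```

Removing a file in a later build step only adds a whiteout marker; the earlier layer still carries the original bytes, so anything that must stay private has to be kept out of every layer of the shipped image.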


Re: [Discuss] Container to deploy a web service

2018-11-08 Thread Dan Ritter
Tom Luo: 
> Hi, all,
> 
> I developed software which provides a web service.
> When I deploy the software in customer's machines, I don't want them to see
> the source code.
> I tried to use docker, but I found out that docker cannot provide password
> protection. The customer can still see the source code. The source code
> contains python code and javascript code. I feel possibly virtual box is an
> option. But I have not tried yet.
> Basically, what I need is to provide a port for customers to access the
> service. At the same time, I don't want customers to see my code.
> 
> What should I do? Any ideas?

If you don't want them to see the source code, you need to not
send them the source code.

Since it's a web service, you would operate it as a service,
charging a repeating fee, rather than as a product, where you
ship it and forget about it.

Alternatively, you could depend on a contract to prevent them
from looking inside whatever you ship them. After all, you
already depend on a contract to sell it to them, and the code is
covered by copyright.

Remember that when you ship code around, you need to be obeying
the applicable copyrights for anything you have included from
other people.

-dsr-


Re: [Discuss] Feedspot and other RSS Readers

2018-11-06 Thread Dan Ritter
Bill Bogstad: 
> On Mon, Nov 5, 2018 at 8:53 AM Nancy Allison  
> wrote:
> >
> > Hi, all.
> >
> > What do you use to aggregate the things you read? I've stumbled upon
> > Feedspot, which costs $$, and I'm wondering if it is necessary.
> 
> I've never seen the point in using an external web site as an RSS feed
> aggregator.

There are two particularly useful bits.

1. It operates with a daemon that collects feeds around the clock,
so everything is at your fingertips immediately.

2. It's consistent when you access it through different clients (at home,
on your phone, at work...) so you don't find yourself re-reading articles.

-dsr-


Re: [Discuss] Feedspot and other RSS Readers

2018-11-05 Thread Dan Ritter
Nancy Allison: 
> Hi, all.
> 
> What do you use to aggregate the things you read? I've stumbled upon
> Feedspot, which costs $$, and I'm wondering if it is necessary.
> 
> Is this a Linux - vs- Windows- Vs- Apple issue, or am I confused and it
> doesn't matter what OS you use?
> 
> If this question isn't really germane to BLU, just ignore!

I have an instance of Tiny Tiny RSS running, which wants to run
on a Linux server and can be accessed through a nice web front
end or via clients.  https://tt-rss.org

There are many others.

-dsr-


Re: [Discuss] Backing up the entire filesystem

2018-10-26 Thread Dan Ritter
On Fri, Oct 26, 2018 at 02:30:10PM -0400, Marco Milano wrote:
> 
> 
> On 10/26/18 2:22 PM, Dan Ritter wrote:
> > > > 
> > > > On 10/26/18 1:55 PM, Shirley Márquez Dúlcey wrote:
> > > > > Another thing to keep in mind is that ZFS does have one flaw; it's a
> > > > > memory hog. If you have a large ZFS filesystem you will need a LOT of
> > > > > RAM to get acceptable performance. But it does represent the current
> > > > > state of the art for file system data integrity.
> > > > 
> > > > I think as long as you don't use dedup, it works perfectly fine
> > > > on a system with 8GB or 16GB RAM.
> > 
> > The rule of thumb is 1GB per TB of used space, so for Shirley's
> > NAS boxes, dedup would actually work. I don't recommend it,
> > though.
> > 
> 
> I am configuring a system with 200TB zfs data storage, with only 32GB of RAM,
> ZFS with no dedup, lz4 compression, ubuntu 18.04 server, I am pretty confident
> that it will work perfectly fine.

Yes, the rule of thumb above is the RAM required for dedup, not
anything else.

-dsr-


Re: [Discuss] Backing up the entire filesystem

2018-10-26 Thread Dan Ritter
On Fri, Oct 26, 2018 at 02:18:12PM -0400, Shirley Márquez Dúlcey wrote:
> My NAS boxes each have 16GB. One has two 4TB and two 3TB drives in
> mirrored pairs; the other has three 1.5TB drives in a RAIDZ1 setup.
> And that's just for being a NAS. I would probably need more RAM,
> especially on the one with four drives, if I were also running
> applications on them.
> 
> Why two smaller boxes rather than one big one? Mostly because I
> already own a pair of low end AMD systems using mini-ITX motherboards
> and AM1 socket CPUs that I originally got for another purpose but was
> no longer using, and I already had all the drives. Those motherboards
> only have two DDR3 memory sockets and thus have a RAM ceiling of 16GB,
> and the cases will only hold four hard drives.
> On Fri, Oct 26, 2018 at 2:04 PM Marco Milano  wrote:
> >
> >
> >
> > On 10/26/18 1:55 PM, Shirley Márquez Dúlcey wrote:
> > > Another thing to keep in mind is that ZFS does have one flaw; it's a
> > > memory hog. If you have a large ZFS filesystem you will need a LOT of
> > > RAM to get acceptable performance. But it does represent the current
> > > state of the art for file system data integrity.
> >
> > I think as long as you don't use dedup, it works perfectly fine
> > on a system with 8GB or 16GB RAM.

The rule of thumb is 1GB per TB of used space, so for Shirley's
NAS boxes, dedup would actually work. I don't recommend it,
though.

-dsr-


Re: [Discuss] Backing up the entire filesystem

2018-10-26 Thread Dan Ritter
On Fri, Oct 26, 2018 at 01:55:57PM -0400, Shirley Márquez Dúlcey wrote:
> Another thing to keep in mind is that ZFS does have one flaw; it's a
> memory hog. If you have a large ZFS filesystem you will need a LOT of
> RAM to get acceptable performance. But it does represent the current
> state of the art for file system data integrity.


It only looks like a memory hog. ZFS correctly marks all of its ARC as
cache, so it's mostly available when something else asks for it.

If you feel concerned, you can limit usage with

options zfs zfs_arc_max=8589934592

(or however many bytes you want to limit it to)

-dsr-


Re: [Discuss] [BLU/Officers] update instructions for key signing

2018-09-17 Thread Dan Ritter
On Mon, Sep 17, 2018 at 11:05:48AM -0400, Bill Horne wrote:
> Bill,
> 
> I've got a question about GPG, or actually about PKI in general.
> 
> Since my browser now flags non-https sites as "Unsecure," I'd like to know
> how to generate a key to put in my Apache setup which will swing the
> padlocks shut. I know that it won't be "valid" unless I import the key into
> my browser, but that's a one-time effort and will stop the "unsecure"
> messages when I ask people to visit my websites.
> 
> Also, if possible, I'd like to be able to pass out keys for users to use in
> lieu of passwords to access secured areas.
> 
> Please tell me how to go about that, and thanks in advance.

The easiest and best thing to do is to get SSL certs from Let's
Encrypt.

Everything else is worse and harder.

-dsr-


Re: [Discuss] Running a mail server, or not

2018-06-29 Thread Dan Ritter
On Fri, Jun 29, 2018 at 02:44:00AM +, Mike Small wrote:
> Richard Pieri  writes:
> 
> > On 6/28/2018 4:03 PM, Mike Small wrote:

> An issue I expect to run into is that when I read my email at a real
> computer I'll ssh in, start emacs with it loading Gnus, and that takes
> email out of my spool and splits it off into different folders based on
> a list of regular expressions (there are various options Gnus supports
> for mail storage but I chose nnml:
> http://www.gnus.org/manual/gnus_84.html#Mail-Spool). I'm thinking IMAP
> won't pick up the mails where Gnus put them. Doesn't IMAP have its own
> idea of what a folder is and how that's to be set up?

I'm in a bit of pain right now, so this isn't as diplomatically
worded as it should be. Sorry.

Let's talk about "best practices".

Consulting companies love to write huge documents on "best
practices" that they can re-use for customer after customer,
telling them what they ought to be doing.

As a sysadmin, "best practices" doesn't mean following one of
those ridiculous guides. It means assessing your situation,
surveying the options, and choosing something that fits your
needs and allows the spectrum of choices in the future to be as
unconstrained as possible.

So when the very first line of the entry is:

  The nnml spool mail format isn’t compatible with any other known
  format. It should be used with some caution. 

you should read that as "don't use this, it was an experiment in
being better than everybody else that didn't work out".

That said, the format as described is very similar to NM format,
and reasonably similar to Maildir. I bet it could be converted
into either one (and you should pick Maildir) in about ten lines
of shell.

> And then the IMAP client wouldn't have Gnus's killer feature, the
> ability to "expire" a mail so that it 1. isn't visible again unless I
> open the folder to show read articles and articles with similar kinds of
> marks and 2. in some number of weeks, but not the day before tomorrow
> when I decide I want to keep it after all, it will automatically age out
> and really delete those expired mails. 

The point of having IMAP access on your phone is not to have
every feature from your desktop available on your phone. The
point is to be able to read new messages which are important to
you, search for a message that you need right now, and compose a
short message right now.

All other features can be safely kept on the desktop.

> What I'd really like is if someone made a mobile version of emacs,
> somehow, maybe with some complicated gesture scheme for input. There's
> some emacs person, I think, who's done something to make it possible to
> keep two Gnusae's set of folders in sync across two machines. So if I
> could run Gnus on the phone and use that person's scripts, that would be
> the ideal. Probably will never happen.

If Gnus read IMAP, you would get this for free.

Oh, it does.

https://www.gnu.org/software/emacs/manual/html_node/gnus/Connecting-to-an-IMAP-Server.html#Connecting-to-an-IMAP-Server

In fact, here's what the manual says about IMAP:

 6.3 Using IMAP

  The most popular mail backend is probably nnimap, which provides
  access to IMAP servers. IMAP servers store mail remotely, so the
  client doesn't store anything locally. This means that it's a
  convenient choice when you're reading your mail from different
  locations, or with different user agents. 


-dsr-


Re: [Discuss] Running a mail server, or not

2018-06-28 Thread Dan Ritter
On Thu, Jun 28, 2018 at 02:09:57PM -0500, Derek Martin wrote:
> On Mon, Jun 25, 2018 at 04:07:23PM +, Rich Braun wrote:
> > Derek Martin  raised a couple more interesting 
> > points:
> 
> The trick is usually access.  Like I have no way to SSH into my
> server at the moment...  Technically I can do it from my phone, but
> I've found trying to do anything non-trivial on the phone is extremely
> tedious and time consuming, so while it can be done, not in the amount
> of time that wouldn't be extremely awkward while you're dealing with a
> sales clerk or whatever...

So that's why you run dovecot on your server for IMAP access on
port 993, and K9mail or whatever on your phone.

mutt is multiple-simultaneous-access safe for a reason. This is
the reason.

-dsr-


Re: [Discuss] Running a mail server, or not

2018-06-27 Thread Dan Ritter
On Wed, Jun 27, 2018 at 03:39:23PM -0400, David Kramer wrote:
> Yes.  The problem is with automating that so I don't have to teach my wife
> ssh and command line.


> > If you're running spamd, then spamc running remotely can be
> > passed a message along with -L ham/spam/forget, as appropriate.

Install the Windows or Mac version of spamassassin, and
have her mail client pass messages to spamc?

-dsr-



Re: [Discuss] Running a mail server, or not

2018-06-27 Thread Dan Ritter
On Wed, Jun 27, 2018 at 03:14:52PM -0400, David Kramer wrote:
> into yet.  And I also haven't found how to train spamassassin on spam it
> missed yet in a way that doesn't require ssh access to the server (so my
> wife can do it too).

If you're running spamd, then spamc running remotely can be
passed a message along with -L ham/spam/forget, as appropriate.


-dsr-


Re: [Discuss] Running a mail server, or not

2018-06-25 Thread Dan Ritter
On Mon, Jun 25, 2018 at 03:40:02PM -0400, Richard Pieri wrote:
> On 6/25/2018 12:07 PM, Rich Braun wrote:
> > Not mine, at least not in clear-text. Backbone providers only see
> > encrypted streams between my email server and my service providers'
> > systems located in France and Canada. I'm not aware of any government
> 
> What kind of encryption is used on the backbone connections between your
> providers in France, Canada and mine in the US?
> 
> Answer: none. There's clear text SMTP in there somewhere and that
> somewhere can be used to eavesdrop.
> 

I was talking to someone recently who was advocating encrypting
the fiber connections across oceans, in order to guard against
mid-sea taps. His argument was that people couldn't be trusted
to encrypt their own data in transit.

Mine was mostly that people who care about these things do have
decent encryption. What I should have said is that it's fine
with me if you want to encrypt your fiber, but it's essentially
useless because you're going to decrypt it at the other end,
and the state actor who is interested is going to put their taps
there, not in the middle of the ocean.

-dsr-


Re: [Discuss] Linux has 100% of Market Share.

2018-06-18 Thread Dan Ritter
On Mon, Jun 18, 2018 at 05:26:42PM -0400, Marco Milano wrote:
> 
> 
> On 06/18/2018 04:22 PM, Bill Bogstad wrote:
> 
> I disagree, 20 years ago, that was the only option,
> now anybody can "create" a virtual supercomputer in the cloud
> as needed, as long as they have the funds for it.
> So, less relevant now compared to 20 years ago.
> If you look at the specs of this latest one, there is nothing special,
> anybody with a fat wallet can create one, and that is exactly what this is.

That would depend on your definition of supercomputer, and
particularly on the degree and speed of interconnection that
you need.

If all you need is a large number of processors working on
different chunks of data, you're absolutely right, Marco.

If you need to solve physical simulations and models that 
require lots of interprocessor communications, no, you can't
just run out to Amazon and say "Give me a data center full
of machines for 24 hours".

-dsr-


Re: [Discuss] Jekyll users, experts, developers anywhere?

2018-06-02 Thread Dan Ritter
On Fri, Jun 01, 2018 at 08:24:24PM -0400, Nancy Allison wrote:
> Hello, all.
> 
> I am investigating software for a new blog. I've used Wordpress before and
> don't want to get bogged down in it again. I did some searches for open
> source blogging software, and it looks as if Jekyll might be a clean,
> simple alternative that meets my requirements. (However, I'm willing to
> believe that another blogging tool might be better.)
> 
> I am not the world's most technical person, so I'm looking for help. The
> Jekyll Quick Start Guide begins with this sentence:
> 
> "If you already have a full Ruby development environment with all
> headers and RubyGems installed (see Jekyll’s requirements), you can
> create a new Jekyll site by doing the following:"
> 
> This is Greek to me. No, I don't have a Ruby development environment and
> have no idea how I'd get one.
> 
> I'm looking for suggestions for user groups, forums, consultants, etc.,
> etc. All suggestions gratefully received.

You probably already know that Jekyll is one of a class of
static website generators: it takes content written in Markdown,
combines it with templates that show how each page is
structured, and finally adds in CSS to control colors and
margins and fonts and so forth.

These have excellent performance and security characteristics,
but require a fair investment in learning how to run and use
them. In particular, Jekyll assumes that you are at least a
beginner Ruby programmer.

You'll need a server to run the software on. If you don't have
one set up, you're going to need to learn how. The cheapest
method is to rent a virtual machine from Linode or Digital Ocean
or similar; the cheapest VM at $5/month will do just fine.

Once you do that, you'll have a choice of operating system. For
example, if you choose Debian, installing jekyll and all the
dependencies is as simple as saying:

sudo apt install jekyll

and all the ruby bits that are necessary will be installed for
you, and then jekyll will be installed as well. You'll be able
to proceed from instructions on the Jekyll site.

If this sounds too daunting, you might want to pay a company to
run the software on your behalf. I don't know of anyone doing
Jekyll hosting in specific, but you might want to look into
Ghost, www.ghost.org, which supports its open-source development
by selling hosting services. I think it's kind of expensive at
$20 per month, but they really do everything for you except pick
out images and write the blog.

-dsr-


Re: [Discuss] I Hate Ubuntu

2018-05-08 Thread Dan Ritter
On Tue, May 08, 2018 at 02:39:37PM -0400, Richard Pieri wrote:
> Specifically, I hate Ubuntu 17 and 18.
> 
> Specifically, I hate Netplan which is a requirement in Ubuntu 17 and 18.
> 

required? it's not automatically overruled by the presence of
interfaces in /etc/network/interfaces?

sheesh. Change to Debian. It may be full of systemdistas, but
/etc/network/interfaces is still authoritative.

(Also: `apt install sysv-rc sysvinit-core sysvinit-utils` will
restore sysvinit as your init system, while allowing most
systemd-infected things to work. Or you could look at nosh,
https://jdebp.eu/Softwares/nosh/ which is a pretty plausible
attempt at getting a daemontools-style init system going.)

-dsr-


Re: [Discuss] Mothballing Synology NAS

2018-02-21 Thread Dan Ritter
On Tue, Feb 20, 2018 at 08:09:28PM -0500, Richard Pieri wrote:
> On 2/19/2018 2:43 PM, Dan Ritter wrote:
> > You might want to look at sanoid/syncoid --
> > https://github.com/jimsalterjrs/sanoid/
> 
> syncoid is exactly what I need.
> Perhaps sanoid, too, but I want to see it running for a while.
> 

Glad to be of help.

-dsr-


Re: [Discuss] Mothballing Synology NAS

2018-02-19 Thread Dan Ritter
On Mon, Feb 19, 2018 at 12:10:58PM -0500, Richard Pieri wrote:
> 
> I need to rework my external backups. The script uses Btrfs snapshots
> and rsync. It needs to be adapted to use ZFS snapshots and zfs
> send/receive. I also need to get a USB3 cradle because the ASRock board
> doesn't have eSATA.

You might want to look at sanoid/syncoid --
https://github.com/jimsalterjrs/sanoid/

-dsr-


Re: [Discuss] ten more years

2018-02-14 Thread Dan Ritter
On Wed, Feb 14, 2018 at 07:10:43PM +, Mike Small wrote:
> 
> Anyone have any general advice on how to start learning the fundamentals
> you need to start porting non-Android Linux to a smart phone? My model
> isn't among those that LineageOS has a port for. That seems to be the
> starting point for all such efforts. Without that I'm not sure where to
> begin.

There's an article here:

http://www.lineageosrom.com/2017/01/how-to-build-lineageos-rom-for-any.html


-dsr-


[Discuss] ten more years

2018-02-14 Thread Dan Ritter
On Wed, Feb 14, 2018 at 10:36:11AM -0500, Kent Borg wrote:
> 
> If your answer to my "This is ridiculous!" were "Yes, but it works.", that
> would be one thing. But this stuff doesn't work particularly well, and the
> more modern the design the worse the results. There was a lot of stuff that
> was computerized in the late '80s that still works today. How much of the
> stuff we are building now has a prayer of lasting just ten years?
> 

I think that the financial calculation engine at the heart of my company's
software-as-a-service will be still recognizably a descendant of the same
thing in ten years. I expect at least one, maybe two major overhauls of
the web interface side in that time.

I expect that ten years from now, I will still be using an
editor which is a descendant of vi in some form, and many of us
will still be using emacs.

IPv6 will be around in ten years; IPv4, too.

In ten years the Linux kernel will be at 5.something and
possibly thinking about a 6.0 release.

I'm hoping that in ten years, we will have a good universal interoperable
protocol for messaging that includes 1:1 chat, discussion rooms, voice
1:n, voice n:n, and video 1:n and n:n -- all with as much sophistication
as we presently have in the best telephone and email handling systems.
(Matrix might be that protocol. Maybe.)

-dsr-



Re: [Discuss] node.js and npm on Debian?

2018-02-13 Thread Dan Ritter
On Tue, Feb 13, 2018 at 04:35:54PM -0500, Kent Borg wrote:
> The binary for a modern-day IRC-type program (Slack) is over 80MB. Sure, the
> original IRC didn't have pictures. But 80MB!? I have an internet radio
> program (Tunein Radio) that has an install of 65MB.

Slack is a particular outlier, because it's not really an IRC
program.

No, it's an IRC program written in Javascript as a web
application... and bundled with a complete web browser to run it
in.


-dsr-


Re: [Discuss] node.js and npm on Debian?

2018-02-13 Thread Dan Ritter
On Tue, Feb 13, 2018 at 10:51:41AM -0800, Rich Braun wrote:
> Kent Borg  asks:
> > But I can't figure out how to install npm. When I search for
> > installation instructions they all seem to want me to pipe a curl
> > command into a sudo bash. Huh? That's scary as hell.
> 
> Let others do the installation for you: my go-to technology for this is
> Docker. First get docker installed
> (https://docs.docker.com/install/linux/docker-ce/debian/). Then look for the
> official containerized release of node here:
> https://hub.docker.com/r/library/node/. Choose which versions of Node and
> Debian that you want (look among the available tags); example 8.9.4 on
> stretch. To run it, really all you need to type is this:
> 
>  docker run -d --name nodejs node:latest sleep 7d
>  docker exec -it nodejs bash
> 
> You'll be at a shell prompt that includes Node.JS and npm. You can use the
> "--volume" parameter to map a working directory into the container and to map
> the modules you decide to install (/usr/local/lib/node_modules/npm), enabling
> you to edit files on your host and work with them at the container's bash
> prompt. Docker's drop-dead simple to learn, and it solves so many of these
> installation headaches.

And transfers those headaches to your security and ops teams.

There's a new RCE vulnerability against node-sprintf version
1.1.0. Where is it running? Is it safe to keep running your
containers until the weekend, or do you need to replace some
today?

You've got a display inconsistency in floating point
representation. Which of your deployed containers has it? What
libraries were they using? If it's a one-line fix, can you
insert the patched library on every container or do you need to
rebuild every container?

Your QA team tested version 10.4.2, but node:latest is pulling
in 10.4.2a since some point after you got it tested but before
you deployed. Does your deployment process guarantee the version
number that you tested is the version you deployed?

All of those problems are solved by configuration management and
deployment systems, and containers at best obfuscate them.

-dsr-
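
Added example, not part of the original post: one way to check the last question above, whether a deployment list names exactly the image that was tested. It classifies each image reference as pinned by digest, pinned only by a re-pushable tag, or floating (`latest` or no tag). The registry host, the digest value and the list itself are constructed for illustration.

```shell
#!/bin/sh
# classify_image REF: print "digest", "tag" or "floating" for one image reference.
classify_image() {
    ref=$1
    case $ref in
        *@sha256:*)
            hex=${ref##*@sha256:}
            # A sha256 digest is exactly 64 lowercase hex characters.
            if [ "${#hex}" -eq 64 ] && ! printf '%s' "$hex" | grep -q '[^0-9a-f]'; then
                echo digest
            else
                echo floating        # malformed digest: treat as unpinned
            fi
            return ;;
    esac
    # Look for a tag only in the last path component, so that a registry
    # port such as registry.example.com:5000/... is not mistaken for one.
    last=${ref##*/}
    case $last in
        *:latest) echo floating ;;   # moves whenever upstream publishes
        *:*)      echo tag ;;        # explicit, but a tag can be re-pushed
        *)        echo floating ;;   # no tag at all means :latest
    esac
}

# audit_images: read references on stdin, print "class ref" for each,
# and return non-zero if any reference is not pinned by digest.
audit_images() {
    unpinned=0
    while IFS= read -r ref; do
        case $ref in ''|'#'*) continue ;; esac
        class=$(classify_image "$ref")
        printf '%-8s %s\n' "$class" "$ref"
        [ "$class" = digest ] || unpinned=$((unpinned + 1))
    done
    [ "$unpinned" -eq 0 ]
}

# Constructed sample data (not real digests or hosts).
CONSTRUCTED_DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_IMAGES="# constructed deployment list, one image reference per line
node:latest
node
node:8.9.4-stretch
registry.example.com:5000/team/node
registry.example.com:5000/team/node:8.9.4
node@sha256:$CONSTRUCTED_DIGEST"

if printf '%s\n' "$SAMPLE_IMAGES" | audit_images; then
    echo "all images pinned by digest"
else
    echo "deployment list contains references that can change after testing"
fi
```
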


Re: [Discuss] Supermicro

2018-01-23 Thread Dan Ritter
On Tue, Jan 23, 2018 at 02:18:33PM -0500, Joseph Guarino wrote:
> Hello Everyone,
> 
> I've got a new client that is enamored with Supermicro and wants to only
> buy their server hardware. I'm a fan (and partner with) of a few other
> vendors. Does anyone have any experience with the quality of their support?
> Any insight is appreciated.
> 

Supermicro is very good, but they want to support a retailer
more than they want to support every individual customer.
(This would change if you're buying in quantity.)

Silicon Mechanics and PogoLinux are both retailers whom I have
worked with and been happy with; I'm sure there are many others.

-dsr-


Re: [Discuss] Corralling Processes on Linux

2018-01-20 Thread Dan Ritter
On Sat, Jan 20, 2018 at 03:56:34PM -0500, Kent Borg wrote:
> Is there a way to do this with daemonized processes? I create an oddball
> collection, and want the ability to kill the whole lot.
> 
> Seems process group IDs might bark up this tree, but it doesn't look like I
> can tag a whole funny-shaped tree of processes with the same ID (this
> true?). And, my experiments along these lines have run into "operation not
> permitted"; I don't want to have to do this as root. (In the file example: I
> don't need to be root to put files and directories in a directory...)
> 
> I thought about creating all these processes as a different user, and then
> killing everything owned by that user, but that probably requires root again
> (if that other user isn't me), and maybe I don't want to kill /everything/
> (a login?) owned by the user.

killall can do it by name and take regexps, on Linux and MacOS.
So if you give them a distinctive name scheme, that would work.

Say all your processes start with k1-, you can use
On Mac:

killall -m '^k1-.*$'

and on Linux:

killall -r '^k1-.*$'

-dsr-


Re: [Discuss] LibreOffice and .docx files

2017-12-04 Thread Dan Ritter
On Mon, Dec 04, 2017 at 08:25:45PM -0500, Nancy Allison wrote:
> Hello, all.
> 
> I am using Ubuntu 16.04 and LibreOffice 5.1.6.2.
> 
> I've been sent a .docx file with a fairly complex layout, and the layout is
> trashed immediately upon opening in LibreOffice. I know from past
> experience that docx files that I've modified in LibreOffice are, if
> possible, even nastier when reopened in Word.
> 
> Is there a Word-compatible open source program that truly does not trash
> the formatting? Or is it simply not possible to pass documents back and
> forth between Word and an open source program like LibreOffice or
> OpenOffice? I used Open Office years ago, haven't used it recently, it used
> to trash the files, too.
> 
> All suggestions gratefully received.

It's an arms race in which Microsoft gets to set the default, and not tell
anyone what they're doing. Then they get to change it every so often -
with the advent of Office 360, all the time.

You would think that this poses problems of backwards compatibility with
older copies of Word, and you would be correct. Sometimes Word can't
open Word-generated files. There have been significant problems
with Word for Windows vs Word for MacOS.

Some years it's better than others. But no, there's nothing better than
LibreOffice at handling complex layouts that Word generated,
except exactly the version of Word that produced it.


-dsr-


Re: [Discuss] xsane pblm

2017-11-22 Thread Dan Ritter
On Tue, Nov 21, 2017 at 05:41:36PM -0500, dan moylan wrote:
> 
> cmp#1: intel nuc 10, fc26
>   xsane: "no devices available"
> cmp#2: acer aspire 5733Z, fc26
>   xsane: finds only web cam
> cmp#3: acer aspire E1-472P, fc25
>   xsane: works fine, no problems
> 
> all three have the printers ip address in both
> /etc/sane.d/saned.conf and /etc/sane.d/net.conf
> 
> all three can ping the printer
> 
> any suggestions?

Run xsane as root once on each of #1 and #2. If it works you
have a permissions problem to track down.

If it doesn't work, perhaps you have a network problem.

-dsr-


Re: [Discuss] Secure Wireless Router for Non-Profit

2017-09-15 Thread Dan Ritter
On Fri, Sep 15, 2017 at 09:48:47AM -0400, Eric Chadbourne wrote:
> >  Original Message 
> > Subject: [Discuss] Secure Wireless Router for Non-Profit
> > Local Time: September 15, 2017 9:31 AM
> > UTC Time: September 15, 2017 1:31 PM
> > From: willr...@gmail.com
> > To: L-blu 
> >
> > I'm helping a non-profit which has a justifiably higher than typical fear
> > of security threats. They need a new wifi router, and I wonder what the
> > BLU community might recommend? The office is pretty small (2 rooms, maybe
> > 5 connected computers at peak, usually fewer).
> >
> > Thank you,
> > Will
> 
> If you want secure, and it's only two rooms, use wires?

If possible. Cellphones and tablets have a remarkable lack of
ethernet jacks.

That said, don't depend on wifi security. Use a VPN setup.
OpenVPN is not bad.

Physical security will need to go with that, of course.

And 2-factor authentication for anything significant.

-dsr-


Re: [Discuss] Future-proofing a house for networking -- what to run?

2017-09-14 Thread Dan Ritter
On Wed, Sep 13, 2017 at 09:39:02PM -0400, Richard Pieri wrote:
> On 9/13/2017 3:23 PM, Dan Ritter wrote:
> > So, no, you don't need jumbo packets to get 900+Mb/s
> > out of your 1000Mb/s ethernet connection. That's through
> > a very boring Netgear $50 switch.
> 
> Information is missing.
> 
> 1000Base-T is 500Mbps each way (theoretical maximum), but it works with
> Cat 5e. You cannot get 900Mbps throughput with 1000Base-T. It's
> physically impossible. Real world throughput with file data is around
> the 300Mbps I previously cited.
> 
> 1000Base-TX is 1000Mbps each way (theoretical maximum), requires full
> duplex switches (I believe but don't quote me on that), and Cat 6 or Cat
> 7. You can get nearly 1000Mbps throughput with 1000Base-TX if your
> equipment meets all of these criteria. And the NICs involved have
> enterprise class features like all of the various CPU offloading
> capabilities which consumer grade equipment typically does not have.
> Again, since this is "future-proofing a house" and not a corporate data
> center I'm figuring a majority of the equipment in use is going to be
> consumer grade and not enterprise grade.

I just showed you measurements. One end is an AMD FX-4130 with a
Realtek 8168/8411 gig-e port, built-in to the motherboard. The
other end is an Intel G3258 with an Intel I218-V gig-e port,
also on the motherboard. They are connected via Cat5e cables to
a Netgear GS316, a 16 port gig-e switch that you can buy from
NewEgg for $60 now; it was on sale for $50 or so when I bought
it.

Transmission speed as measured by netperf is 930-940 Mb/s. The
MTU is 1500 -- I had it set at 7000 for some months, but it
caused problems with a new machine, so I sighed, backed off, and
did not notice any real-world difference.

Your "300Mb/s" is an artifact of your disk subsystems.

-dsr-



Re: [Discuss] Future-proofing a house for networking -- what to run?

2017-09-13 Thread Dan Ritter
On Wed, Sep 13, 2017 at 02:36:51PM -0400, Richard Pieri wrote:
> On 9/13/2017 11:44 AM, Robert Krawitz wrote:
> > On Wed, 13 Sep 2017 11:38:36 -0400, Richard Pieri wrote:
> >> 1080p video streams (MPEG-4) need about 5-8 Mbps burst bandwidth.
> >> Gigabit Ethernet has practical throughput about 300Mbps.
> > 
> > ???  I routinely get over 100 MB/sec (>800 Mbps) transferring files --
> > even with scp -- between systems with fast enough disks.
> 
> So, yeah, whole-home wiring just doesn't make sense.

You go tend to your knitting.

I have a family of four, plus occasional guests. If I had every
device that could be connected to ethernet connected to wifi, 
I would spend all my time debugging wifi problems.

On a Saturday afternoon, it is not unusual to see:

- one person watching NetFlix.

- one person watching MythTV.

- one person playing a video game while listening to music from
  YouTube.

- one person trying to get work done

- a bunch of wifi devices chirping away at the internet, and

- a couple of backups in progress.

and as for jumbo packets:

$  netperf -H splat -p 2 -l 30
MIGRATED TCP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET
to splat () port 0 AF_INET : demo
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

 87380  16384  16384    30.01     940.42

$ ip l
2: eth0:  mtu 1500 qdisc
fq_codel state UP mode DEFAULT group default qlen 1000


So, no, you don't need jumbo packets to get 900+Mb/s
out of your 1000Mb/s ethernet connection. That's through
a very boring Netgear $50 switch.

-dsr-


Re: [Discuss] Future-proofing a house for networking -- what to run?

2017-09-13 Thread Dan Ritter
On Wed, Sep 13, 2017 at 08:16:36AM -0700, Rich Braun wrote:
> Because I just don't see a need for going beyond 1Gbps within the home during
> the course of my life. Maybe 10Gbps applications will materialize, but for now
> there's just not much reason I'll need more than a half-dozen streams of 4K
> video flying around the house at any given time. In my current situation there
> are only two or three places in the house where I wish I had at least that
> second RJ45 jack that the idiot who wired the place failed to install; and I
> wish I had conduit running between two core locations to support the HA setup
> that I have.
> 
> The future's hard to predict but I think we're coming near the end of
> practical advancements in home-networking performance. Guess I'm a luddite.

A field of view about 180 degrees wide, 135 degrees high, 1 arc
minute in minimum pixel size, and updated 100 times per second…
twice, to account for full stereography, and using 48 bits of
color.

180 * 135 * 60 * 60 * 100 * 48 = 41990400,

420 billion bits per second.

Compress 100:1, we're still at 4.2Gb/s, plus some relatively
minor trivia for audio, osmic and haptic data.

Per simultaneous user, of course. 

-dsr-


Re: [Discuss] Future-proofing a house for networking -- what to run?

2017-09-11 Thread Dan Ritter
On Mon, Sep 11, 2017 at 09:44:00AM -0400, Derek Atkins wrote:
> Hi BLUers,
> 
> If you had the ability to future-proof your house (imagine open studs,
> so you could run anything you wanted), what would you run.  Assume a max
> of 6 cables per drop?
> 
> Last time I ran 4x Cat6A and 2x RG6.  However I'm never using both RG6
> F-connectors, so I figured I could replace that with something else.
> And before you ask, yes, I *AM* using all 4 RJ45 connectors in some of
> my drops (and in one place I wish I had MORE Rj45).  So, what else
> should I run?
> 
> My current theory is 4x Cat6A, 1x RG6, and 1x Fiber.
> 
> However I'm not sure what kind of "fiber" to run, nor what kind of
> connector I should use.

OM3 multimode with LC connectors can handle 25, 40, 50 and 100G ethernet at
100m. One pair per room should be fine -- but really, the 
switch cost will be nasty for all the ports you don't use.

-dsr-


Re: [Discuss] Layer with expertise in libre licenses

2017-09-07 Thread Dan Ritter
On Thu, Sep 07, 2017 at 11:07:25PM +0200, Julian Daich wrote:
> Hi,
> 
> I am looking for a layer to help in applying the GPL in a especial
> case. Any one have an idea?

Do you mean a lawyer? 

-dsr-


Re: [Discuss] CrashPlan Home is discontinued - what's next?

2017-09-06 Thread Dan Ritter
On Wed, Sep 06, 2017 at 12:35:16PM -0400, Bill Bogstad wrote:
> On Fri, Sep 1, 2017 at 2:53 AM, Rich Braun  wrote:
> >
> >> That would be etckeeper which I've used for some time.
> >
> > If you're still editing /etc config files, consider taking the time to 
> > learn how to administer them in a centralized revision-controlled manner.
> 
> This is for a home environment where I will NEVER have more than 2 or
> 3 systems to manage and I am the only
> person who changes system configuration.  Between etckeeper and
> nightly incremental backups, I feel that I am adequately covered.
> While I completely understand the utility of configuration management
> systems for larger (or potentially larger) installations, I just don't
> think they are needed for my use case.   The extra resources (both
> human and system)
> will never get paid back as far as I can see.   Maybe if I used such
> systems on a daily basis in a job, I would feel differently.
> However, I stopped doing professional system management before
> configuration management became ubiquitous.  In addition, it seems
> like every couple of years the "correct" CM package changes.  I keep
> hoping that the market will eventually stabilize.

There are a lot of use cases; people have different needs.

I just counted 32 IP-addressed devices in my house... when there
are no visitors. 12 of them run Linux. Sheesh.

-dsr-


Re: [Discuss] Crashplan is discontinued

2017-08-31 Thread Dan Ritter
On Thu, Aug 31, 2017 at 11:10:57AM -0700, Rich Braun wrote:
> Dale Worley's approach:
> > I have a cron job which commits my home directory into a Git repository
> 
> Sounds interesting; one of my use-cases is dealing with a couple hundred gigs 
> of photos, with new ones arriving (via Nextcloud's sync capability, which 
> I've set up recently as part of my Docker infra) at a rate of a thousand or 
> so a month.
> 
> One of the issues with pics is deduplication, as they're renamed across 
> folders. My current rsnapshot approach doesn't cope well with that. Could git 
> do this automatically without complex scripting?
> 

That sounds like maybe a job for bup:

https://github.com/bup/bup/blob/master/README.md

-dsr-


Re: [Discuss] CrashPlan Home is discontinued - what's next?

2017-08-28 Thread Dan Ritter
On Mon, Aug 28, 2017 at 11:18:17AM -0700, Rich Braun wrote:
> As of next summer, there won't be any more low-cost CrashPlan backup service
> for us Linux users. I liked the fact that its backup engine supports both the
> CrashPlan cloud service and private backups between servers.
> 
> There are some others, like the ones reviewed here, but nothing ideal:
>   https://www.cloudwards.net/best-online-backup-for-linux/
> 
> I always use two separate services (at the moment, CrashPlan plus a homebrew
> set of scripts based on rsnapshot) because one's bound to fail.  What's your
> strategy? And what will fill the CrashPlan void?
> 

For people who don't need fancy interfaces and hand-holding, 
rsync.net is probably a good choice.

Simple pricing:
http://rsync.net/pricing.html

Technically competent:
http://www.rsync.net/products/platform.html#zfs

-dsr-


Re: [Discuss] Is there a supported browser for Linux that still runs Java applets? (also Flash)

2017-07-05 Thread Dan Ritter
On Wed, Jul 05, 2017 at 11:23:24AM -0400, Bill Bogstad wrote:
> As the web marches on, older technologies fall by the wayside.  Java applets
> seem to be one of them.   All the major browsers seem to have stopped
> supporting them at this point.  Unfortunately, this can result in
> broken systems.  For me, my biggest use case is an older all-in-one
> printer from Lexmark that uses a java applet to enable its scan to PC
> functionality in a browser.  I seem to recall that java applets were
> even used to support enterprise level hardware at one point.  Is this
> an issue that other people are having?   Any suggestions on how to
> maintain browser/java applet support going forward on a Linux system?
> I'm not looking for a solution that will let me use the same browser
> for all of my web browsing.   Just something which will continue to
> work as I apply "mandatory" security upgrades to my systems.  (i.e.
> the latest browser updates)

You can get one of the firefox-esr series and use it
indefinitely, as long as you don't upgrade it.

Oracle themselves is disavowing java plugins, with official EOL
announced but not specified.


> Oh, same question about Flash.   It isn't quite as dead as Java
> applets, but it is pretty clear that it is on its way out.  There
> is lots of kid oriented content out there that was created using Flash
> that is going to die when it goes away.  My biggest use case is MIT's
> Scratch project.   They switched to implementing Scratch in Flash some
> years ago.  My kids are avid scratchers and I'm worried that they may
> lose access in the near future.   Unfortunately, I've been unable to
> find anything on the Scratch web site about plans to deal with Flash
> becoming unusable. In the modern Scratch world everything is done on
> their web site so this could be a real problem for their kid/teen
> oriented user base.  Thoughts/solutions?

https://scratch.mit.edu/developers shows several projects to
avoid Flash. Dunno how well they work.

-dsr-


Re: [Discuss] du question

2017-06-08 Thread Dan Ritter
On Thu, Jun 08, 2017 at 02:11:22PM -0400, dan moylan wrote:
> 
> dan ritter writes:
> 
> > > I don't know backintime, but I'm guessing it uses links to
> > > do file-level snapshots. Bet there's a FAQ.
> 
> > > 35G   20170607-120002-419
> > > 86M   20170607-230005-357

almost as if there were 86MB of changes in between the first and
second snapshots.

-dsr-


Re: [Discuss] du question

2017-06-08 Thread Dan Ritter
On Thu, Jun 08, 2017 at 01:26:00PM -0400, dan moylan wrote:
> 
> dan ritter writes:
> > On Thu, Jun 08, 2017 at 11:48:52AM -0400, dan moylan wrote:
> 
> > > looking at the sizes of the directories created by
> > > backintime i am puzzled by a directory which shows up as
> > > 86M in one instance and 35G in another.  can someone
> > > please explain what's going on.
> 
> > I don't know backintime, but I'm guessing it uses links to
> > do file-level snapshots. Bet there's a FAQ.
> 
> yes, true enough, and i understand that.  it's the performance
> of du that i don't understand -- look at the two cases:



> now why is that?

Because hardlinks. Explained in a FAQ. I googled "backintime
faq" and got a faq which said to try this:

du -hd1 /media//backintime///1/

-dsr-
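
Added example, not part of the original thread: a small reproduction of the 35G versus 86M effect, using two constructed snapshot directories that share an unchanged file through a hard link. Within one run, du charges each inode to the first directory in which it meets it, so the same directory looks small when listed after its sibling and large when measured alone. The directory and file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# make_snapshots ROOT: create ROOT/snap-a and ROOT/snap-b (constructed names).
make_snapshots() {
    root=$1
    mkdir -p "$root/snap-a" "$root/snap-b"
    # 1 MiB of random data; random so a compressing filesystem cannot shrink it.
    dd if=/dev/urandom of="$root/snap-a/unchanged.dat" bs=1024 count=1024 2>/dev/null
    # Unchanged file: the later snapshot gets a second name for the same inode.
    ln "$root/snap-a/unchanged.dat" "$root/snap-b/unchanged.dat"
    # Changed file: 64 KiB of data that exists only in the later snapshot.
    dd if=/dev/urandom of="$root/snap-b/changed.dat" bs=1024 count=64 2>/dev/null
}

# du_kb_last DIR...: KiB that a single du run charges to the last DIR given.
# du counts each inode once per run, so earlier arguments absorb shared files.
du_kb_last() {
    du -sk "$@" | tail -n 1 | cut -f1
}

# inode_of FILE: inode number, to show that both names point at the same data.
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

demo_root=$(mktemp -d)
make_snapshots "$demo_root"
echo "inode in snap-a: $(inode_of "$demo_root/snap-a/unchanged.dat")"
echo "inode in snap-b: $(inode_of "$demo_root/snap-b/unchanged.dat")"
echo "snap-b, listed after snap-a: $(du_kb_last "$demo_root/snap-a" "$demo_root/snap-b") KiB"
echo "snap-b, measured on its own: $(du_kb_last "$demo_root/snap-b") KiB"
rm -rf "$demo_root"
```
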


Re: [Discuss] du question

2017-06-08 Thread Dan Ritter
On Thu, Jun 08, 2017 at 11:48:52AM -0400, dan moylan wrote:
> 
> looking at the sizes of the directories created by
> backintime i am puzzled by a directory which shows up as
> 86M in one instance and 35G in another.  can someone
> please explain what's going on.
> 
> moylan 1[1630] ls
> 20170607-120002-419/  20170607-230005-357/  b1*  last_snapshot@
> moylan 1[1631] du -s *
> 35G   20170607-120002-419
> 86M   20170607-230005-357
> 4.0K  b1
> 0 last_snapshot
> moylan 1[1632] du -s 20170607-230005-357/
> 35G   20170607-230005-357/
> moylan 1[1633] du -s ../
> 35G   ../

I don't know backintime, but I'm guessing it uses links to
do file-level snapshots. Bet there's a FAQ.

-dsr-


[Discuss] Crontab visualizer

2017-05-23 Thread Dan Ritter

Back in 2001, someone asked (on this list) if there were some
utility that would parse a bunch of crontabs and show you when
all of them would run, so you can spot clusters and collisions.

https://github.com/alpaker/cronviz

is one such tool; I just came across it. I was certain that if 
I wrote one, I would be reinventing a wheel. Indeed.

The useful google keywords turn out to be "crontab visualizer".

(I have Bcc:d the original poster, 16 years later. It probably
won't help much.)

-dsr-




Re: [Discuss] etckeeper (tool to store /etc/ in version control)

2017-04-03 Thread Dan Ritter
On Sun, Apr 02, 2017 at 09:56:23PM -0400, David Kramer wrote:
> https://opensource.com/article/17/3/etckeeper-version-control
> 
> Sounds good, and I can't think of any downsides.  I think the value add of
> etckeeper over just adding /etc to git is that it ties into package
> management and every change in /etc/ caused by a package install gets
> committed to git as such.  I'm not sure if those silent commits are a good
> thing or not.
> 

I use it on a couple of boxes that aren't being kept by chef.

It's very nice for showing history and making a backup against
fumble-finger mistakes.

-dsr-


Re: [Discuss] AT&T eliminating copper phone lines

2017-03-28 Thread Dan Ritter
On Tue, Mar 28, 2017 at 03:34:04PM -0400, Daniel Barrett wrote:
> On March 28, 2017, Dan Ritter wrote:
> >1, 2 and 3 are all variations on 4 [eliminating the landline]
> 
> Oh god. Does this mean that fiber optic lines, when they replace
> copper lines in the home, reduce the voice quality to that of a cell
> phone? (If so, I'm screwed for life. I cannot make out 50% of cell
> phone conversations, even with hearing aids.)

No, it means that you will no longer have a roughly 64Kb/s analog
connection to your local phone switch. Because it's no longer 
analog, a digital adapter at your house needs to be involved --
and it needs power. Power which will not be available over the
phone line. If your house power goes out, so does your phone.

As I said, VOIP quality *can* be better than POTS. (But that's
not the way to bet.)

> >What does your alarm company recommend?
> 
> They say they'll work fine over fiber optic lines of the sort that
> AT&T or Verizon installs. I'm checking on Vonage. (But Vonage has
> other difficulties, like the fact that the phone lines are in the
> basement and the FIOS router is on the third floor, so I'd have to
> hire an electrician to run cables to the Vonage box, and then bring in
> the alarm company to hook up their stuff.)
> 
> >What does AT&T say when you say "I have an alarm system that depends
> >on a POTS line"?
> 
> "The lines brought to your home MUST be MUST be [sic] converted to
> fiber. [Otherwise], your AT&T service will be disconnected when the
> outside facilities in your area are fully migrated from copper to
> fiber on May 5, 2017."

Wow, that's nice of them.

Why are they charging you $100/month for that? They should have
an obligation to replace your copper with fiber at the same
cost.

I wonder if there's some fine print available that they are
carefully not drawing to your attention.

-dsr-


Re: [Discuss] AT&T eliminating copper phone lines

2017-03-28 Thread Dan Ritter
On Tue, Mar 28, 2017 at 03:01:49PM -0400, Daniel Barrett wrote:
> 
> AT&T is finally eliminating its copper phone lines in my area. (I
> recall Tom Metro starting a BLU discussion when Verizon did the same
> thing in 2013.)
> 
> The alternatives for a home landline now seem to be:
> 
> 1. Let AT&T replace my copper with a fiber optic line. (Con: Expensive
> service, $100/month.)
> 
> 2. Add phone service to my existing Verizon FIOS Internet plan. (Con:
> I lose my phone number of 25 years.)
> 
> 3. Switch to Vonage. (Con: Might not work with an alarm system.)
> 
> 4. Eliminate the landline. (Con: Screws the alarm system, and
> cellphone voice quality is too poor for my damaged hearing.)
> 
> Am I missing any better options?

1,2 and 3 are all variations on 4.

What does your alarm company recommend? What does AT&T say when
you say "I have an alarm system that depends on a POTS line"?

VOIP service can be better quality than POTS now, but
well-maintained VOIP is generally not as reliable as
well-maintained POTS. But you probably don't have
well-maintained POTS anymore, so...

-dsr-


Re: [Discuss] emoji in my url

2017-03-23 Thread Dan Ritter
On Thu, Mar 23, 2017 at 10:08:25AM -0400, Eric Chadbourne wrote:
> I just noticed that you can have an emoji URL. Am I just old or is this
> moronic?
> 
> The url bar should contain plain text and obscure nothing, else how do you 
> know where you are?


Unicode is plain text for the rest of the world.

That said, choosing a domain name that isn't easily typable
by your target audience is the real idiocy; as far as I know,
nobody natively has an emoji keyboard.

Besides, how are you going to differentiate 1f952 (pickle) from
1f954 (potato) from 1f956 (loaf of bread) since they all look
like ovals rotated 45 degrees counter-clockwise?

Seriously, principles of western heraldry would have been a
great guide for the Unicode people. If it's hard to distinguish
A from B without looking at interior details, they're the same
thing on the battlefield.

Quick, was that three-balls-on-a-stick.com or
triangle-ball-square-on-a-stick.com?

Do you prefer the weather report from
1f324 (Sun slightly obscured by clouds) or
1f325 (Sun more obscured by clouds)?

Is that new music store 1f39c (2 musical notes rising) or 1f39d
(2 musical notes falling)?

When you say "loaf of bread" do you mean 1f956 (thick baguette)
or 1f35e (Pullman loaf)?

What the heck is the difference between 1f34e (apple shaded
vertically) and 1f34f (apple shaded diagonally)? Who approved
that?


Summary: it may be legal, but don't be foolish.

-dsr-



Re: [Discuss] Display ZFS's Checksum?

2017-03-17 Thread Dan Ritter
On Fri, Mar 17, 2017 at 06:22:42PM -0400, Kent Borg wrote:
> Is there a way to get ZFS to report what the checksum/hash is of a snapshot
> or volume?
> 
> Thanks,
> 
> -kb, the Kent who is wondering whether he could get ZFS to demonstrate that
> data has not been tampered with since some reference point.
> 

I believe that zdb, the zfs debugger, can show that.

-dsr-


Re: [Discuss] MIT usernames (was Re: KVM, virt-manager, and CentOS7)

2017-02-09 Thread Dan Ritter
On Thu, Feb 09, 2017 at 11:07:11AM -0800, Rich Braun wrote:
> My shortest (and first) email address was rkb@ai (DNS became the new-new thing
> a couple years later). Then for a decade or so I was ri...@mit.edu until my
> Athena sponsor headed off to the corporate world. Another fond memory of those
> early days is the domain spdcc.com.
> 
> I guess now the most concise I could do is r...@ci.net but for no good reason
> other than inertia I've kept the same lengthy address for the past 24 years.
> 
> Do you have a favorite email address, past or present?

Yes, but it's not mine. It's Tony Finch's.

d...@dotat.at

-dsr-


Re: [Discuss] KVM, virt-manager, and CentOS7

2017-02-09 Thread Dan Ritter
On Thu, Feb 09, 2017 at 11:40:28AM -0500, ma...@mohawksoft.com wrote:
> Here's the problem with all this.
> 
> 8 characters for a name. Yes, in a hypothetical sense you have
> 2.183401056×10^14 possible passwords if you use 8 ascii alpha/numeric
> characters with no punctuation characters, but the vast majority of that
> space are random strings not suitable for nicknames or meaningful
> identifiers. For instance, I can't see that any remaining meaningful
> permutations of "john smith" could possibly be left. How many email
> addresses do they assign a year? How many back-logged names did they
> create at first?

Let's call it 26^8 or so: 208 billion.

The real problem is the lack of human meaning and the fact that
names are usually longer than 8 characters.

How many do they assign a year? Roughly a freshman class worth,
plus maybe a hundred more? So 1200ish.

John Smith is out of luck. So is Elizabeth Jones. But still, they probably
have better options than "bb30...@binghamton.edu" -- the login I was
assigned so many years ago, can still remember, and have absolutely no
use for.

-dsr-


Re: [Discuss] KVM, virt-manager, and CentOS7

2017-02-09 Thread Dan Ritter
On Thu, Feb 09, 2017 at 10:27:05AM -0500, Derek Atkins wrote:
> Dan Ritter <d...@randomstring.org> writes:
> 
> > On Wed, Feb 08, 2017 at 10:24:54AM -0500, Derek Atkins wrote:
> >> Eric Chadbourne <sillystr...@protonmail.com> writes:
> >> 
> >> > Off topic, warl...@mit.edu, is the best email ever.
> >> 
> >> Thanks.  I've had it since 1989.
> >
> > MIT trivia: once you have a username, you can't change it.
> >
> > http://mitadmissions.org/blogs/entry/dont-screw-up-your-username
> 
> Only mostly true.  I know a handful of people who successfully changed
> their usernames.  It's rare, and only done in extreme circumstances.
> But it *can* be done.

Interesting. Without violating privacy, can you describe what
sort of thing qualifies as extreme circumstances?

-dsr-


Re: [Discuss] Fun with an Unsupported NIC...

2017-02-06 Thread Dan Ritter
On Mon, Feb 06, 2017 at 03:37:13PM -0500, Dr. Anthony Gabrielson wrote:
> Hello,
>I have an unsupported NIC I would like to hack around with.  The NIC is
> a Linksys AC600 which appears to have an ATH10k chipset.  I know the ATH10k
> works with Linux, but this specific device is not directly supported.  I'm
> hoping someone may be able to point me towards a tutorial to link alias a
> device to an existing driver even if the configuration is unsupported.

You should start here:
https://wireless.wiki.kernel.org/en/users/drivers/ath10k

and figure out how to download and compile the driver.

Then it's pretty likely that all you have to do is add the PCI
ID of your card to the list in the driver, recompile again, and
use the driver.

That assumes it's a PCI device. If it's USB or SDIO, you're
going to have to actually write a driver, because nobody else
has, to the best of my knowledge.

-dsr-


Re: [Discuss] deadmanish login?

2017-02-03 Thread Dan Ritter
On Fri, Feb 03, 2017 at 12:40:04PM -0500, Richard Pieri wrote:
> On 2/3/2017 8:47 AM, Kent Borg wrote:
> > I'll change it to 12-honey-denver-doctor then!
> > 
> > No one will even guess that.
> 
> A dedicated Hashcat rig can "guess" it within 5 minutes.

Assuming either:

a) it has a zero-latency, no penalty for wrong-guesses method of
trying passwords

or

b) it has the hash of the passphrase in front of it and is generating
matches.

Situation a is unlikely.

Situation b is sadly all too common.

-dsr-



Re: [Discuss] deadmanish login?

2017-01-30 Thread Dan Ritter
On Mon, Jan 30, 2017 at 08:20:39PM -0500, Eric Chadbourne wrote:
> Just had this crazy thought.
> 
> What if when I login to my server, if I don't issue a particular command 
> within some time period, a certain action happens.
> 
> For example, say I SSH in, and within 5 minutes type foo. If "I" don't type 
> foo, the server kicks me out, closes port 22, and sends an alert email to our 
> team.
> 
> Does anything already do this type of stuff? I figure it shouldn't be hard to 
> script up in a bored afternoon.
> 
> Reason is I sometimes work with vendors who I think suck and don't want them 
> to be lazy and use my account. Use their own. Grrr.

There are a number of stories of traps like this.

First off, you should be using ssh keys and not passwords.

Second of all, you should make sure that what you are doing is
legal and won't get you arrested.

Obvious implementation methods:

 - turn on shell logging to a non-standard location. Every time
   you log in, run a date command. Last thing when you log out, 
   run another one. Now you have timestamps of what you did.

 - run a script from your .bashrc which spawns a background job.
   The background job sleeps for 300 seconds, then does things
   based on whether a particular file exists.
 
 - or run a script from your .bashrc which kills your shell if it
   isn't interrupted in ten seconds. Make "killall shellkill"  

 - run an init script that looks for a particular file, and if it finds it,
   deletes it and exits. (Best make sure you don't have any
   unexpected reboots.) If it doesn't find the file, do
   whatever.

-dsr-
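
The background-job method from the list above, as an added example that is not part of the original message: a timer is armed at login and checks for a marker file when it expires. All names (`DEADMAN_DIR`, `DEADMAN_TIMEOUT`, `deadman_arm`, `deadman_confirm`, `deadman_alert`) are hypothetical, and the alert action here only writes a log line.

```shell
# Added example (not from the thread): dead-man check for an interactive login.
# All names here (DEADMAN_*, deadman_arm, deadman_confirm, deadman_alert) are
# hypothetical. Source this file from ~/.bashrc and add:
#     [ -n "$SSH_CONNECTION" ] && deadman_arm
#     foo() { deadman_confirm; }     # the command the real owner types

DEADMAN_DIR="${DEADMAN_DIR:-$HOME/.deadman}"   # where marker files and the log live
DEADMAN_TIMEOUT="${DEADMAN_TIMEOUT:-300}"      # seconds allowed before the check fires

# Action taken when nobody confirmed in time. This one only records the event;
# swap in mail(1), logger(1) or whatever your team uses for alerting.
deadman_alert() {
    printf '%s unconfirmed login user=%s session=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$1" \
        >> "$DEADMAN_DIR/alerts.log"
}

# Start the timer for this login. $1 is a session label (default: the shell PID).
deadman_arm() {
    _dm_session="${1:-$$}"
    mkdir -p "$DEADMAN_DIR" && chmod 700 "$DEADMAN_DIR" || return 1
    rm -f "$DEADMAN_DIR/ok.$_dm_session"           # a stale marker must not count
    (
        sleep "$DEADMAN_TIMEOUT"
        if [ -e "$DEADMAN_DIR/ok.$_dm_session" ]; then
            rm -f "$DEADMAN_DIR/ok.$_dm_session"   # confirmed: clean up quietly
        else
            deadman_alert "$_dm_session"           # not confirmed: raise the alert
        fi
    ) >/dev/null 2>&1 &
    DEADMAN_PID=$!                                 # lets a caller wait on the timer
}

# Confirm the login by creating the marker file the timer looks for.
deadman_confirm() {
    : > "$DEADMAN_DIR/ok.${1:-$$}"
}
```

Anyone who can read the account's `.bashrc` can also read the confirmation command, so this catches a borrowed login only when the borrower does not look.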



Re: [Discuss] disappearing memory

2017-01-03 Thread Dan Ritter
On Tue, Jan 03, 2017 at 04:17:27PM -0500, Laura Conrad wrote:
> 
> My system has been running really slow lately, and I have been swearing
> at firefox and websites that load 200 ads before showing any content.
> 
> But then I noticed that I was using only 4G of memory, and I knew I had
> more than that.
> 
> I looked at the sales slip, and it has 8G.  I ran memtest, and it sees
> two chips of 4G each.  But top and  /proc/meminfo only see 4.
> 
> I'm suspecting that something about the install got screwed up when I
> updated from 14.04LTS to 16.04LTS.  It looks like I'm running a 64 bit
> kernel:
> 
> uname -a
> Linux sackbut 4.4.0-57-generic #78-Ubuntu SMP Fri Dec 9 23:50:32 UTC
> 2016 x86_64 x86_64 x86_64 GNU/Linux
> 
> Does anyone have any ideas?

Is it possible that the system got bumped, and one stick of RAM
is loose? Try pulling them both out and reseating them.

-dsr-


Re: [Discuss] I, uh, deleted the wrong kernel....

2016-10-01 Thread Dan Ritter
On Fri, Sep 30, 2016 at 05:30:17PM -0400, Rich Pieri wrote:
> On 9/30/2016 4:52 PM, Dan Ritter wrote:
> > startx and xfce4.
> 
> Bah. Xfce is no longer the "small, fast" desktop environment it used to
> be, not since it inherited some firm dependencies on systemd.
> 

The version I'm running on Debian stable certainly has no
dependencies on systemd, because I evicted systemd.

-dsr-


Re: [Discuss] I, uh, deleted the wrong kernel....

2016-09-30 Thread Dan Ritter
On Fri, Sep 30, 2016 at 03:43:23PM -0500, Derek Martin wrote:
> On Fri, Sep 30, 2016 at 12:59:34PM -0400, David Kramer wrote:
> OTOH, I'm not loving a lot of the Linux desktop changes either... like
> ultra-thin scrollbars (and/or overlay scrollbars) that seem to be a
> favorite of at least some distros now...  There's been more than one
> occasion when I thought, "Jeez, I should really just install fvwm and
> run startx from the console, be done with this..."

startx and xfce4. In addition to shipping in most distros, it has easily
replaceable themes -- three or four dozen usually come shipped,
ranging from clones of other windowing managers through
specialized high-contrast, dark, bright, B5-flavored... 

Starting a new theme is as easy as copying a directory under a
new name and pulling out gimp to work on a bunch of xpm
graphics.

-dsr-


Re: [Discuss] SD Cards, cheap and here for a while?

2016-08-23 Thread Dan Ritter
On Tue, Aug 23, 2016 at 08:46:55PM -0400, Kent Borg wrote:
> On 08/23/2016 08:27 PM, Eric Chadbourne wrote:
> > Poking around online I noticed sd cards are large and inexpensive.  This 
> > plus its omnipresence seems compelling.  Slide one into the side of my
> > laptop and local storage triples.
> > 
> > Safe bet to buy a few of these?
> 
> I would suggest you be religious about your backups: consider them a
> REdistribution medium--from you back to you, not as a storage medium. I have
> had cards die on me multiple times over the years, including a 32GB Samsung
> microsd card within the last year. Maybe full-sized SD cards are better, but
> I am skeptical.


I agree with all of this. I have a 128GB microSD card for music
storage in my tiny little MP3 player - but if it goes, I will
buy another and merely be sad about the amount of time it takes
to select the music to put on it.

-dsr-


Re: [Discuss] Need help/consulting with apache/SSL/owncloud/mail

2016-08-08 Thread Dan Ritter
On Sun, Aug 07, 2016 at 08:55:54PM -0400, David Kramer wrote:
> 
> I'm looking for someone who can help me out with this.  I would rather
> not play 20 questions on the discuss mailing list, sending log and
> config files back and forth, if I can avoid it.  I would rather pay
> someone to work with me on it, if I can.  If you know someone who's
> interested, or are interested yourself, please let me know ASAP.  I run
> mail for the family and they are grumbling about things not working
> great right now.

I can help you out with all of that except Owncloud. Send me
mail.

-dsr-


Re: [Discuss] Mounting external hard drive on Open Solaris

2016-07-21 Thread Dan Ritter
On Thu, Jul 21, 2016 at 12:08:25PM +, Christopher Robinson wrote:
> Hello,
> I would appreciate any help with this issue. I run open Solaris on a Sun Ultra
> 20 machine. I want to add a Lacie Minimus external hard drive. However, the
> install Wizard is written in Windows and Wine will not load it. My computer
> recognizes the device and I was able to format it. However, I need to
> create a mount point or file path so I can move files from my desktop to the
> drive. If anyone has any suggestions for writing such a script, I would be
> extremely appreciative. I am copying this message on the hardware hack list.

You create a mount point by making a directory, say
/home/chris/externaldisk.

The mount itself is as simple as 
mount /dev/$DISKPATH /home/chris/externaldisk

If you want automounting when you plug it in, you'll need to
get advice from someone who does OpenSolaris desktop stuff.

-dsr-


Re: [Discuss] ssh keys question

2016-06-18 Thread Dan Ritter
On Sat, Jun 18, 2016 at 01:01:32AM -0400, Bill Ricker wrote:
> But that still leaves me with executing the 2^32 dictionary attack.
> 
>  Which is likely only interesting if i've stolen all your users' hashes
> already and you have poor salts and hashes so i can rainbow table to find
> multiple users at once. Doing 2^32 trials coming in the front door of a
> server is likely to get noticed as a DOS, aside from taking literally
> forever.

This works pretty well *if*:

- you really do rate-limit incoming connections. If you didn't
  do that right, the rate-limit becomes your total bandwidth during
  the period of time that you don't notice the attack. Do you have
  suitable monitors set up? Can they alert you? Do you pay attention to
  such alerts?

- you rate-limit other authenticated services, too. Got a mail
  server running? Your POP3 or IMAP4 needs to be rate-limited or do
  authentication completely separately from the system method.

- you don't run any nonauthenticated services that might have a flaw that
  allows an attacker to read /etc/shadow. (Everyone uses shadow passwords
  these days, right? No legacy systems without it?)  Most web servers
  are good about this, but then they let all sorts of things run via CGI,
  php-fpm, mod-perl, whatever. All of those are attackable areas.

- all your users are as good and conscientious as you are. This
  is easiest if they don't exist. AllowUsers, one by one, is a
  good move, too.

-dsr-




Re: [Discuss] ssh keys question

2016-06-17 Thread Dan Ritter
On Thu, Jun 16, 2016 at 08:21:28PM -0400, Kent Borg wrote:
> On 06/16/2016 06:37 PM, Dan Ritter wrote:
> >1. You can assign passwords, but tell sshd to only allow access via keys.
> >This is a Good Idea.
> 
> So for you--someone running your own machine--you use keys to login but
> still use a password on sudo? (This is common? Seems part of going to keys
> is to get rid of passwords.)

No, going to SSH keys gets rid of passwords available to access
your machine from the outside. You still need to differentiate
someone who has superuser rights from someone who has just sat
down at the console.

At home I have four computer users, including myself, not
including guests. Sudo requires a password.

> But if you do not require a password on sudo it means that any program you
> run runs with root privileges if it just bothers to ask for it. Kinda the
> opposite of dropping privileges.

No, just the ones that you have set up that way:

KIDS GENERAL= NOPASSWD: /usr/sbin/shutdown

allows the members of the group KIDS on machines in class GENERAL to run
"sudo shutdown" without entering a password, thus making it more likely
that they will do that.

It doesn't give them sudo privs on any other command. (You need
to make sure that the command you specify does not have, e.g., a
shell mode. emacs would be a really bad choice.)

-dsr-
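
The shell-mode caveat above, as an added example that is not part of the original message: a small audit that lists `NOPASSWD` grants naming `ALL` or a program that can start a shell. The names `RISKY_CMDS`, `audit_nopasswd` and `sample_sudoers` are hypothetical, the sample input is constructed, and the parser assumes one user specification per line with no `Cmnd_Alias` expansion.

```shell
# Added example (not from the thread): list sudoers NOPASSWD grants that amount
# to a root shell. RISKY_CMDS, audit_nopasswd and sample_sudoers are hypothetical.
# Simplifications: one user specification per line, no backslash continuations,
# no Cmnd_Alias expansion, no commas inside a (runas) list.

# Programs that can start a shell or run arbitrary commands; extend for your site.
RISKY_CMDS="emacs vi vim view ed less more man find awk env sh bash python perl"

# Reads sudoers text on stdin, prints "<who><TAB><command>" for each risky grant.
audit_nopasswd() {
    awk -v risky="$RISKY_CMDS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*#/ { next }                                  # comments
    /^[ \t]*$/ { next }                                  # blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }         # settings and aliases
    index($0, "NOPASSWD:") == 0 { next }                 # no such tag on this line
    {
        who = $1
        m = split(substr($0, index($0, "=") + 1), cmds, ",")
        nopass = 0                                       # tags carry over to later commands
        for (i = 1; i <= m; i++) {
            c = cmds[i]
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", c)         # drop a leading (runas)
            while (match(c, /^[ \t]*[A-Z_]+:[ \t]*/)) {  # consume TAG: prefixes
                tag = substr(c, 1, RLENGTH)
                gsub(/[ \t:]/, "", tag)
                if (tag == "NOPASSWD") nopass = 1
                if (tag == "PASSWD") nopass = 0
                c = substr(c, RLENGTH + 1)
            }
            sub(/^[ \t]+/, "", c)
            split(c, w, /[ \t]+/)                        # w[1] is the command path
            base = w[1]
            sub(/^.*\//, "", base)                       # basename of the command
            if (nopass && (w[1] == "ALL" || (base in bad))) print who "\t" w[1]
        }
    }'
}

# Constructed sample input; the first rule is the one quoted in the message.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not a real configuration
Defaults env_reset
KIDS GENERAL= NOPASSWD: /usr/sbin/shutdown
alice ALL=(root) NOPASSWD: /usr/bin/emacs /etc/motd
bob ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, PASSWD: /usr/bin/vim
%ops ALL=(ALL) NOPASSWD: ALL
EOF
}

sample_sudoers | audit_nopasswd
```

On the sample it reports the `emacs` grant and the blanket `ALL` grant, and skips `shutdown` and the `vim` entry that still requires a password.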


Re: [Discuss] ssh keys question

2016-06-16 Thread Dan Ritter
On Thu, Jun 16, 2016 at 04:46:40PM -0400, Kent Borg wrote:
> When people use ssh keys, what happens with sudo?
> 

Sudo continues to work.

1. You can assign passwords, but tell sshd to only allow access
via keys. This is a Good Idea.

2. People who don't have sudo privs don't need passwords.

3. A good /etc/sudoers file can assign privilege to people based
on the UNIX group they are in, or in an internal sudoers-defined
group, or individually. Privs can vary by machine, so you can
distribute the same /etc/sudoers file everywhere in a network.

4. You can even give no-password-required access to some people
for individual commands.

-dsr-


Re: [Discuss] shoretel makes me laugh and cry

2016-05-28 Thread Dan Ritter
On Sat, May 28, 2016 at 03:39:22PM -0400, Eric Chadbourne wrote:
> Hi All,
> 
> At work I notice our phones are ShoreTel.  
> 
> I generally ignore phones as it is beyond my current knowledge and in the 
> past I have been around trusted specialists.  We're a small shop and my mate 
> who governs such things shows me a passage from the latest manual suggesting 
> to not patch Windows servers in-between builds.  No security patches...  They 
> say it may "degrade performance".  My job is to maintain a few Windows and 
> Gnu/Linux servers.  So I say to him that I don't care what the manual says, 
> unless they provide a channel to guide us on how to update in real time, then 
> they are f'en clowns.  Note I have not learned of such a pre approved update 
> channel as of yet.
> 
> How do banks and governments use this?  I'm not them but I like to try to be 
> secure.  We do business overseas.
> 
> 1.  If you have to use their products how do you do it?  I asked one of their
> sales people about purchasing a pretty 1u box from their website (since they 
> offer the idiotic advice about not updating) and they said don't, stick with 
> my vm.  Oh my!  Their own sales people recommended not to purchase their 
> hardware!  Is this company falling to crap?  I have just stumbled across them 
> and wish I hadn't.
> 
> 2.  Who else can I suggest to my co-worker to look at if this company sucks?  
> I have a preference for open source but closed isn't a deal killer.
> 
> Maybe I misunderstand?  I know there's some phone geeks on the list.  Clue me 
> in.

I don't know what ShoreTel is offering, but basically every ISP
and a large number of specialists offer SIP trunk service,
inbound lines, and many offer virtual PBX services.

If ShoreTel is sending you SIP, then you can fire up Asterisk on
a Linux box (or if you are large, OpenSER or Kamailio for SIP
routing with an Asterisk box for services) and armed with some
configuration information, you can swap their box out entirely.

If you don't want to touch anything except a pretty web
interface, order service from OnSIP or Phonebooth or
RingCentral or and after it's all set up, port over the
phone numbers.

-dsr-


Re: [Discuss] ZFS On Linux "in" Debian, migration from Btrfs

2016-05-20 Thread Dan Ritter
On Fri, May 20, 2016 at 01:39:51PM -0400, Jerry Feldman wrote:
> Please share your experiences with both BTRFS and ZFS.


I use btrfs in RAID 1 and RAID 10 mode on spinning disks, RAID 1 on ssd,
zfs in RAID 10 on spinning disks with independent ZIL and L2ARC (read
and write caches) on ssd, and in RAID 1 on ssd.

btrfs is a little faster, but the only time this makes a
significant difference is in weekly scrubbing, where btrfs does
it at about twice the rate of zfs.

btrfs has a nocow option that can be set on directories or
individual files which can dramatically improve performance for
databases and VM images. But... that also turns off
checksumming, which is one of the big reasons to use zfs or
btrfs in the first place. It also turns off compression.

zfs does not have a nocow option at all. If you are running a
production database, zfs is not your friend for the database
storage.

zfs has better tools for snapshotting.

zfs is generally more flexible about turning options on and
off... except for deduplication. Do not experiment with
deduplication. zfs has many, many options.

Both support rsync-like incremental send and receive functions,
nearly instantaneous snapshotting, and compression with a couple
of algorithms. 

-dsr-