Re: [DNG] PHP question
sury breaks devuan since the maintainer decided to use systemd specific libraries to create a temp file. instead, use tdrnetworks, which is basically sury, but gets rid of that dependency. See https://kb.unixservertech.com/unix/linux/debian/devuan_sury for complete information. I'm running Devuan with ISPConfig3 also. Rod On 6/23/22 10:49, Curtis Maurand via Dng wrote: Hello, I've been running Devuan on my break even public facing webhosting system for several years. I've been using ISPConfig and the debian perfect server instructions with adjustments for Devuan. I'm up to Devuan Beowulf at the moment and trying to go to chimaera so that I can get PHP 7.4 support. I'm happy to build a new server and migrate sites from Beowulf to Chimaera except that PHP 7.4 goes end of life at the end of November of this year. The current versions PHP are 8.0 and 8.1. Using the instructions at packages.sury.org, I am able to add the other versions of PHP except for PHPN.n-fpm due to a (what seems to be a completely unnecessary) dependence upon systemd. I would love to keep running Devuan. It runs way better than anything systemd based. Is there a workaround for this limitation? I've tried installing the package from chimaera, but it's a couple of minor revisions behind sury.org. It also seems to need a version of libc6 greater than or equal to x.xx. As a web hoster I need to be able to deploy multiple versions of PHP and I don't see very advanced support for it in Devuan. Developers need to test PHP 8 as it's different enough to cause trouble for apps written intending to run on version 7.4 Trying not to install ubuntu, --Curtis ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 US https://dailydata.net 214.827.2170 ext 100 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] recommendations for filesystem
You did not say what you wanted to do with this. Workstation? Dedicated file server? That makes a big difference. For the OS, just ext4, as far as I'm concerned. It is fast and stable, though there are some tweaks to make it even less resource intensive. On your long term storage it depends on your needs. Do you need to create partitions to segregate the data? Do those partition sizes change? If so, I generally use lvm2, then format the partitions with ext4. zfs is great (it combines RAID, lvm and does a lot more), but is a resource hog. I use it quite a bit on dedicated NAS devices, but not on other machines. I start my NAS machines at 32G of RAM, and generally try for a minimum of 64G if I am using dedup and compression, with several cores in the processor. It is also fairly "interesting" on Linux (I generally build these machines using FreeBSD). Don't know anything about btrfs, but have heard good things about it. Bottom line, if you just want a big block of storage with no compresssion/deduplication/partitioning, ext4 seems to work pretty well. I have clients with 8T+ of storage running that way. Rod On 6/2/22 08:30, o1bigtenor via Dng wrote: Greetings Setting up a 'non-simple' system - - - raid 1 arrays - 2 - - used for the operating system raid 10 array - 1 - - used for longer term storage last iteration I used ext4 for system file(s) (/ IIRC) and then btrfs for most everything else (raid-10 array uses ext4 because that's what I set it up on and it'll stay that way until the array is replaced - - I think.) What is the current recommendation(s) for filesystem with the best combination of features (they all seem to have some 'issues')? ext4 or btrfs or even ZFS (understand that one isn't as high on the recommendation pole - - IIRC) Please advise TIA ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 US https://dailydata.net 214.827.2170 ext 100 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] NFS rookie mistake?
Is there anything in the logs? Rod On 6/2/22 09:03, Ken Dibble wrote: Thanks for the attempt, but I don't think the situations are related. I am on Chimaera, everything starts normally on reboot, just not on manual runlevel change. Thanks. Ken On 6/1/22 22:53, Rod Rodolico via Dng wrote: Sorry, I pushed the wrong button and did not reply to list. Apologize. Is this related to http://kb.unixservertech.com/start/debugging/linux? Summary: NFS would not start after upgrade to Devuan Beowulf. Appears to be an issue with Debian. Looking in the logs, I saw '/run/rpcbind not owned by root failed' Solution: echo 'PATH="$PATH:/usr/bin"' >> /etc/default/rpcbind Read the (short) article if you want links and a little more info (it is my notes). Rod On 6/1/22 20:04, Ken Dibble wrote: Here is the story: I needed to do some server maintenance so I issued $init 1. After the maintenance was done I issued $init 5. Everything was fine except no nfs-server-kernel running. No problem. Issue $sudo /etc/init.d/nfs-kernel-server restart System response: Stopping NFS kernel daemon: mountd nfsd. Unexporting directories for NFS kernel daemon Exporting directories for NFS kernel daemon Starting NFS kernel daemon: nfsd Not starting: portmapper is not running ... (warning). Problem to be investigated LATER. Issue $ /etc/init.d/rpcbind restart System response: Stopping RPC port mapper daemon: rpcbind. Starting RPC port mapper daemon: rpcbind. No problem. Try nfs server again. $sudo /etc/init.d/nfs-kernel-server restart System response: Stopping NFS kernel daemon: mountd nfsd. Unexporting directories for NFS kernel daemon Exporting directories for NFS kernel daemon Starting NFS kernel daemon: nfsd mountd. no problem. So, Now it is LATER. So obviously when I went to runlevel 1, rpcbind was stopped and didn't come back up when I went back to runlevel 5. Investigate: /etc$ sudo find . -name *nfs-kernel-server ./rc2.d/S04nfs-kernel-server ./rc0.d/K01nfs-kernel-server ./rc1.d/K01nfs-kernel-server ./default/nfs-kernel-server ./init.d/nfs-kernel-server ./rc3.d/S04nfs-kernel-server ./rc4.d/S04nfs-kernel-server ./rc6.d/K01nfs-kernel-server ./rc5.d/S04nfs-kernel-server Observation: nfs-kernel-server gets killed at 0,1,6 and gets started at runlevels 2-5 /etc$ sudo find . -name *rpcbind ./rc0.d/K06rpcbind ./rc1.d/K06rpcbind ./rcS.d/S17rpcbind ./default/rpcbind ./init.d/rpcbind ./rc6.d/K06rpcbind ./insserv.conf.d/rpcbind Observation: The only time rpcbind is brought up is at system start. RUNLEVEL 1 kills it. Conclusion: So either rpcbind shouldn't be killed at runlevel 1 or it should be started prior to nfs-kernel-server on runlevels 2-5. OR . I have no clue about something here. Regards, Ken ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 US https://dailydata.net 214.827.2170 ext 100 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] NFS rookie mistake?
Sorry, I pushed the wrong button and did not reply to list. Apologize. Is this related to http://kb.unixservertech.com/start/debugging/linux? Summary: NFS would not start after upgrade to Devuan Beowulf. Appears to be an issue with Debian. Looking in the logs, I saw '/run/rpcbind not owned by root failed' Solution: echo 'PATH="$PATH:/usr/bin"' >> /etc/default/rpcbind Read the (short) article if you want links and a little more info (it is my notes). Rod On 6/1/22 20:04, Ken Dibble wrote: Here is the story: I needed to do some server maintenance so I issued $init 1. After the maintenance was done I issued $init 5. Everything was fine except no nfs-server-kernel running. No problem. Issue $sudo /etc/init.d/nfs-kernel-server restart System response: Stopping NFS kernel daemon: mountd nfsd. Unexporting directories for NFS kernel daemon Exporting directories for NFS kernel daemon Starting NFS kernel daemon: nfsd Not starting: portmapper is not running ... (warning). Problem to be investigated LATER. Issue $ /etc/init.d/rpcbind restart System response: Stopping RPC port mapper daemon: rpcbind. Starting RPC port mapper daemon: rpcbind. No problem. Try nfs server again. $sudo /etc/init.d/nfs-kernel-server restart System response: Stopping NFS kernel daemon: mountd nfsd. Unexporting directories for NFS kernel daemon Exporting directories for NFS kernel daemon Starting NFS kernel daemon: nfsd mountd. no problem. So, Now it is LATER. So obviously when I went to runlevel 1, rpcbind was stopped and didn't come back up when I went back to runlevel 5. Investigate: /etc$ sudo find . -name *nfs-kernel-server ./rc2.d/S04nfs-kernel-server ./rc0.d/K01nfs-kernel-server ./rc1.d/K01nfs-kernel-server ./default/nfs-kernel-server ./init.d/nfs-kernel-server ./rc3.d/S04nfs-kernel-server ./rc4.d/S04nfs-kernel-server ./rc6.d/K01nfs-kernel-server ./rc5.d/S04nfs-kernel-server Observation: nfs-kernel-server gets killed at 0,1,6 and gets started at runlevels 2-5 /etc$ sudo find . -name *rpcbind ./rc0.d/K06rpcbind ./rc1.d/K06rpcbind ./rcS.d/S17rpcbind ./default/rpcbind ./init.d/rpcbind ./rc6.d/K06rpcbind ./insserv.conf.d/rpcbind Observation: The only time rpcbind is brought up is at system start. RUNLEVEL 1 kills it. Conclusion: So either rpcbind shouldn't be killed at runlevel 1 or it should be started prior to nfs-kernel-server on runlevels 2-5. OR . I have no clue about something here. Regards, Ken ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 US https://dailydata.net 214.827.2170 ext 100 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] connecting to a chromebook (OT??)
Sorry, I copied/pasted when I should have cut/paste. I apologize. rod On 1/26/22 10:28 PM, Rod Rodolico via Dng wrote: > Ok, on my chromebook, under the Linux subsystem, I have a mac of > 00:16:3e:xx:xx:xx:xx > Which is the signature for a XenSource virtual MAC address. See > https://maclookup.app/search/result?mac=00%3A16%3A3e or > https://dnschecker.org/mac-lookup.php?query=00-16-3e > > This indicates to me that this is a virtual, which I verified by > apt -y install virt-what > > virt-what > > Which returned that it was running either lxc or kvm. I'm betting kvm. > > In this case, the virtual (the Linux subsystem) will be running under > something like libvirt, with the network in bridge mode, and the Linux > subsystem getting an IP from the DHCP server on that machine. So, your > mac and IP will not be visible to the outside. (I do a lot of > virtualization, BTW). Think of your Chromebook as a baby router. > > Your router can only set the IP on the chromebook, not the Linux > subsystem. If you open the browser to chrome://system, and go down to > ifconfig, then expand that, you'll see something like arc_ns0, arc_ns1, > etc... Those will all be in the range that ChromeOS is using for your > Linux subsystem. On my machine, arcbr0 is the actual bridge. Then, you > keep going down and, on my system, I find wlan0, which is the NIC for > the actual Chromebook. > > On 1/26/22 4:48 PM, o1bigtenor via Dng wrote: >> On Wed, Jan 26, 2022 at 1:04 PM Rod Rodolico via Dng >> wrote: >>> >>> FYI, I'm doing the same thing. I have spent some time setting up a >>> Chromebook "securely" (in theory), though mainly to access a Linux >>> Terminal Server over a VPN. >>> >>> First, are you using the built in Linux subsystem? When I bring up the >>> ChromeOS terminal (ctrl-alt-T, not the linux subsystem), the crosh >>> prompt does not have the ip or the ifconfig commands. However, when I >>> look at my network connection (via the GUI), I'm seeing an IP in my >>> network range. >> >> I have used the 'dev' mode and set up debian in it. >> Not used to pure command line (long ago Mac background spoiled me for >> that) so I'm trying to install a dual boot system. One issue is that the >> screen keyboard doesn't (on a Lenovo 10e (IIRC) chromebook anyway) >> have control and alt keys so that means there are some things that are >> too 'kinky' to do. >>> >>> I went ahead and installed the Linux subsystem again (I'm spending a lot >>> of time playing on it) and my IP for that is 10.115.92.205/28, so it >>> looks like the Linux subsystem is using using some kind of virtual IP, >>> similar to what virtlib does by default. >>> >> Well - - - the MAC address the machine gives is different than that at >> the router and the ip address at the router keeps changing - - argh! > > Ok, on my chromebook, under the Linux subsystem, I have a mac of > 00:16:3e:xx:xx:xx:xx > Which is the signature for a XenSource virtual MAC address. See > https://maclookup.app/search/result?mac=00%3A16%3A3e or > https://dnschecker.org/mac-lookup.php?query=00-16-3e > > This indicates to me that this is a virtual, which I verified by > apt -y install virt-what > > virt-what > > Which returned that it was running either lxc or kvm. I'm betting kvm. > > In this case, the virtual (the Linux subsystem) will be running under > something like libvirt, with the network in bridge mode, and the Linux > subsystem getting an IP from the DHCP server on that machine. So, your > mac and IP will not be visible to the outside. (I do a lot of > virtualization, BTW). Think of your Chromebook as a baby router. > > Your router can only set the IP on the chromebook, not the Linux > subsystem. If you open the browser to chrome://system, and go down to > ifconfig, then expand that, you'll see something like arc_ns0, arc_ns1, > etc... Those will all be in the range that ChromeOS is using for your > Linux subsystem. On my machine, arcbr0 is the actual bridge. Then, you > keep going down and, on my system, I find wlan0, which is the NIC for > the actual Chromebook. > >> I would like to use this thing for reading pdfs away from my desk but >> I'm not sure how to get things onto it. The expectation is that I'm going >> to use ms googly's drive or dropbox - - - no cottin pickin way!! to >> both. I use scp on my network but that means I need to know the ip >> address and be able to ssh into or out of it - - - I can't. >> The ssh port (#22 IIRC) is blocked - - - how's that for stupid. Likely >> everything is blocked but ms googly's stuff - - - that's the
Re: [DNG] connecting to a chromebook (OT??)
Ok, on my chromebook, under the Linux subsystem, I have a mac of 00:16:3e:xx:xx:xx:xx Which is the signature for a XenSource virtual MAC address. See https://maclookup.app/search/result?mac=00%3A16%3A3e or https://dnschecker.org/mac-lookup.php?query=00-16-3e This indicates to me that this is a virtual, which I verified by apt -y install virt-what virt-what Which returned that it was running either lxc or kvm. I'm betting kvm. In this case, the virtual (the Linux subsystem) will be running under something like libvirt, with the network in bridge mode, and the Linux subsystem getting an IP from the DHCP server on that machine. So, your mac and IP will not be visible to the outside. (I do a lot of virtualization, BTW). Think of your Chromebook as a baby router. Your router can only set the IP on the chromebook, not the Linux subsystem. If you open the browser to chrome://system, and go down to ifconfig, then expand that, you'll see something like arc_ns0, arc_ns1, etc... Those will all be in the range that ChromeOS is using for your Linux subsystem. On my machine, arcbr0 is the actual bridge. Then, you keep going down and, on my system, I find wlan0, which is the NIC for the actual Chromebook. On 1/26/22 4:48 PM, o1bigtenor via Dng wrote: > On Wed, Jan 26, 2022 at 1:04 PM Rod Rodolico via Dng > wrote: >> >> FYI, I'm doing the same thing. I have spent some time setting up a >> Chromebook "securely" (in theory), though mainly to access a Linux >> Terminal Server over a VPN. >> >> First, are you using the built in Linux subsystem? When I bring up the >> ChromeOS terminal (ctrl-alt-T, not the linux subsystem), the crosh >> prompt does not have the ip or the ifconfig commands. However, when I >> look at my network connection (via the GUI), I'm seeing an IP in my >> network range. > > I have used the 'dev' mode and set up debian in it. > Not used to pure command line (long ago Mac background spoiled me for > that) so I'm trying to install a dual boot system. One issue is that the > screen keyboard doesn't (on a Lenovo 10e (IIRC) chromebook anyway) > have control and alt keys so that means there are some things that are > too 'kinky' to do. >> >> I went ahead and installed the Linux subsystem again (I'm spending a lot >> of time playing on it) and my IP for that is 10.115.92.205/28, so it >> looks like the Linux subsystem is using using some kind of virtual IP, >> similar to what virtlib does by default. >> > Well - - - the MAC address the machine gives is different than that at > the router and the ip address at the router keeps changing - - argh! Ok, on my chromebook, under the Linux subsystem, I have a mac of 00:16:3e:xx:xx:xx:xx Which is the signature for a XenSource virtual MAC address. See https://maclookup.app/search/result?mac=00%3A16%3A3e or https://dnschecker.org/mac-lookup.php?query=00-16-3e This indicates to me that this is a virtual, which I verified by apt -y install virt-what virt-what Which returned that it was running either lxc or kvm. I'm betting kvm. In this case, the virtual (the Linux subsystem) will be running under something like libvirt, with the network in bridge mode, and the Linux subsystem getting an IP from the DHCP server on that machine. So, your mac and IP will not be visible to the outside. (I do a lot of virtualization, BTW). Think of your Chromebook as a baby router. Your router can only set the IP on the chromebook, not the Linux subsystem. If you open the browser to chrome://system, and go down to ifconfig, then expand that, you'll see something like arc_ns0, arc_ns1, etc... Those will all be in the range that ChromeOS is using for your Linux subsystem. On my machine, arcbr0 is the actual bridge. Then, you keep going down and, on my system, I find wlan0, which is the NIC for the actual Chromebook. > I would like to use this thing for reading pdfs away from my desk but > I'm not sure how to get things onto it. The expectation is that I'm going > to use ms googly's drive or dropbox - - - no cottin pickin way!! to > both. I use scp on my network but that means I need to know the ip > address and be able to ssh into or out of it - - - I can't. > The ssh port (#22 IIRC) is blocked - - - how's that for stupid. Likely > everything is blocked but ms googly's stuff - - - that's the idea behind > android anyway AFAIK - - - I'm not impressed. Although - - - if I really > don't like this thing I think my wife might like it but then I wanted a tablet > she's already got one (LOL)! I use the Nextcloud app to connect to my nextcloud instance. Works pretty well. 1. However, I did install Ghost Commander, which is a Commander type app that will do an SFTP connection. I used that to copy some files locally. 2. Additionally, if you open the ChromeOS File Manager, open the three dots in the upper right, then
Re: [DNG] connecting to a chromebook (OT??)
FYI, I'm doing the same thing. I have spent some time setting up a Chromebook "securely" (in theory), though mainly to access a Linux Terminal Server over a VPN. First, are you using the built in Linux subsystem? When I bring up the ChromeOS terminal (ctrl-alt-T, not the linux subsystem), the crosh prompt does not have the ip or the ifconfig commands. However, when I look at my network connection (via the GUI), I'm seeing an IP in my network range. I went ahead and installed the Linux subsystem again (I'm spending a lot of time playing on it) and my IP for that is 10.115.92.205/28, so it looks like the Linux subsystem is using using some kind of virtual IP, similar to what virtlib does by default. Rod On 1/26/22 8:24 AM, o1bigtenor via Dng wrote: > Greetings > > If this is too far off topic - - - please advise. > > Just got myself a chromebook - - - - lots of hoopla la about tablets > and though I'd try one. > Its a fairly brain dead POS so I'm trying to find ways to make it useful! > > So I go into the terminal ad do ifconfig and ip a and what I'm > getting is a weird ip address. > > My routher is at 192.168.1.1 and all my other hardware is visible there. > The chromebook says it is at 100.115.92.204/28. > > How did it get there? > > How is it connecting to and through the router? > Chromebook docs seem very light - - - hugely the 'trust us' modus - - > - which means that I don't. > > I am wanting to use this thing to read pdf's when not at my computer > (ie lunch or other such times). > > Not even sure what to do - - - ideas/suggestions - - please? > > TIA > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 US https://dailydata.net 214.827.2170 ext 100 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] A number of question about version 4.0
For standard users (#2), I ran into the problem and was too lazy to set up LDAP, so I wrote a perl script we can run on our machines. Feel free to use it and complain about anything you want that I didn't put in it. http://kb.unixservertech.com/unix/linux/sysadmin/syncusers We generally run this script on new machines to give us a standard setup, and also used it to standardize several servers that had old users on it that should have been removed. If it decides to eat your machine, I never heard of you :). Rod On 1/13/22 7:00 PM, Larry Linder via Dng wrote: > I have loaded and it connects up to our network without a problem. > > 1. I would like to change desktops as default is too dark to be read. > > 2. I need to add users to this system. Currently we have 50 systems in > our shop and many different users of each system. I cannot add new > users or find out how to do it. The passwords required are a pain int > he ass. Is there a way to get rid of this. > > 3. I need to run a combination of 64 it and 32 bit engrineering > application. We currently do this on SL 6.5 updated to 6.10 and it all > works. > > Any hope > > Larry Linder > > > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 US https://dailydata.net 214.827.2170 ext 100 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Automating the distro?
I would be willing to help with this idea. Who would I contact? I'd need to learn the process so I could help automate it. Rod On 12/7/21 3:16 PM, Steve Litt wrote: > Hi all, > > I wonder if building Devuan can be further automated. Void Linux has > some super-duper software processes to do much of this automatically. > It works right off of a git server (unfortunately, github). If I'm not > mistaken it puts out two updates a day, but of course there's no > automatic updating so the user chooses when to do all the updates up to > current. With very few people, Void Linux manages to keep a very > complete distro with very few screwups, and they fix major security > flaws about as fast as Debian. > > I'm wondering if Devuan could make use of something similar. Perhaps > doing this would free up resources to Devuanize more packages, for less > dependency on Debian. > > Before you ask, no, I can't help. I'm indexing my new book, I'm making > provisions so programs written in Freepascal, C, and pretty much any > other language, can send a sine wave to the speakers (a capability > requiring way too much programming in Linux). Of course I'll > release it as Free Software. > > The Debian "Community" is getting more rotten every day. Just today on > Debian-User, somebody asked a maybe sorta dumb question, and several > people gleefully jumped all over him. One guy (not the OP) thanked > everybody for their diverse solutions, and then criticized the OP, > signing his email "With kindest regards" :-). Another guy managed to > bring the OP's advanced age into it. So it's not just their politicians > with their rigged GRs, it's the very citizenry of Debian itself. In the > long run it's probably going to be advantageous for Devuan to move more > toward a distro of its own, before the Debian crowd decide to put in > halloween code to sabotage Devuan. > > SteveT > > Steve Litt > Spring 2021 featured book: Troubleshooting Techniques of the Successful > Technologist http://www.troubleshooters.com/techniques > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 US https://dailydata.net 214.827.2170 ext 100 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] networking thinking
We use OPNSense for almost everything that does not require untrained users to manage things. For the latter, we use IPFire. OPNSense works for small offices that just want VPN, up to our NOC where we have two routers (active/failover), DMZ and multiple backend LAN's. But, it does require some networking knowledge (though not as much as "roll your own"). Don't know what part of the world you're in, but we use Protectli (https://protectli.com/) hardware from the US. Pricey, but I've not had a hardware failure in the 5+ years I've been using their stuff. They have an option for Coreboot, a video port and a serial port, so I feel I'm covered. OPNSense also sells hardware specific to the appliance. We also purchase used enterprise grade network switches (mainly HP) and have had good results with them since we can monitor and configure at will. The smaller clients are running little 16 port, 15 year old switches, and at the NOC we're using two 96 port switches in and HA configuration. As mentioned, the webUI on the switches doesn't work most of the time, but I'm mainly a CLI type of tech anyway, so it doesn't bother me. Reply to questions: 1. Less hardware is better from a maintenance point of view. OPNSense has an excellent firewall, so I do not have a separate firewall device. My reason is pure laziness; I go to one interface I'm comfortable with and configure there. Most of my firewalling is just allowing traffic from one VLAN to another anyway, which is more of a routing thing. 2. No good training on networking that I know of except going back to school. If you decide to go with OPNSense, they have some decent documentation, and the pfSense site has more. Feel free to visit my notes site at http://kb.unixservertech.com for some recipes on OPNSense, but be warned these are my personal notes and I'm not a good writer. I mainly stick things out there so I don't have to remember them next time, but occasionally, the OPNSense people will do an upgrade that negates all or part of my notes. Rod On 11/29/21 3:38 PM, Adrian Zaugg wrote: > Hi TIA > > In der Nachricht vom Sunday, 28 November 2021 14:20:14 CET steht: > >> 1. is my splitting the network system into the three parts a good idea or >> should I truncate parts 1 and 2 into the router? If you would please give >> reasons - - - please? > Less devices, less to setup and maintain and less to break: I would go with 1 > Firewall and 1 Switch. > > Get a box with an SFP Port for your firewall and install OPNSense on it. > Stick > your fiber directly in your firewall, if your provider lets you chose and > does > not insist on some plastic box. If he does, then try to use it in bridge > mode. > Upon request, the providers over here tell what one has to do, when using a > media converter (e.g. VLAN tag or PPPoE). > > OPNSense and pfSense are excellent firewall distributions and IPv6 is well > integrated with both of them. They are almost identical, coming the same way. > OPNSense is more community oriented where as pfSense drifted away to be more > commercial now, but Documentation is better. > > PCEngines is a stable, bullet-proof hardware, it's industrial grade, lasts > for > ever and has a core boot BIOS. There soon will be a version with an SFP port > available. You won't get Gigabit-Speed through an APU with OPNSense (around > 800Mbit/s), get something with a CPU on par with a Intel N4100, if you want > to > be ready for gigabit speed. > > There are many nice boxes around without SFP ports (like the ones from AsRock > industrial e.g.) but don't use Zotac nano ci329 with pfSense, it doesn't run > stable (Linux in contrary runs like a charm on these). > > Zyxel Switches are basically OK, but you don't get security updates after > some > years, the interface doesn't work on all browsers and they have weird bugs > (e.g. prios in RSTP together with LAGGs). You're better of with a MikroTik > using SwOS. The MikroTiks boot amazingly fast, SwOS is easy to configure and > they are rather cheap. You get a Desktop Switch with 2x 10GbE and 8x 1 GbE > for > <$100. If you want to play around with your Zyxel to install whatever on it, > that's fine, but I wouldn't invest my time on that ─ better get your lab > running. > > Opinions on the topic will go apart, you'll get tons of advice in any > direction. To a certain extent it's about your personal liking. Mine you > probably just read above... > > Regards, Adrian. > > > > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 US https://dailydata.net 214.827.2170 ext 100 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Wanting to set up an email system
We also use ispconfig (https://www.ispconfig.org/ispconfig/). There is a free version and a supported version, though it is all open source. We use this on multiple client sites and our hosting service. Highly recommended under most circumstances, though we do have some special purpose machines where we "roll our own." Rod On 12/2/21 5:16 PM, Curtis Maurand via Dng wrote: > I run ispconfig. uses postfix/dovecot/bind or powerdns. i host several > websites and email domains on beowulf. > > follow the perfect server debian instructions. > > Sent from my iPhone > >> On Dec 2, 2021, at 6:06 PM, o1bigtenor via Dng wrote: >> >> >> >> >> On Tue, Nov 30, 2021 at 3:26 AM Adrian Zaugg >> mailto:devuan@mailgurgler.com>> wrote: >> >> In der Nachricht vom Monday, 29 November 2021 23:08:33 CET schrieb >> Adrian >> Zaugg: >> > Be prepared for a long, long journey setting up an email >> system with >> > SMTP/ IMAP/Webmail using all the goodies SPF/SRS, BATV, DKIM, >> DNSSEC, TLS >> > certs, DANE, virusscanning, anti-spam Measures (possibly >> greylisting, >> > classification, RBLs, dnswl, ...), virtual domain handling, user >> auth from >> > a directory, automatical MUA configuration, backup of the >> mailstorage, asf. >> ...sieve and vacation might also be nice and a solution for an >> addressbook, >> both integrated into the webmail >> >> >> >> Hm - - - - interesting ideas. >> A couple votes for dovecot, lots of roll your own using selected from >> the plethora of >> options - - - but - - - - - . >> >> I had thought that when I asked about an email system that there might >> be words >> re: dovecot (which I did see - - thanks) but what about iRedMail, >> Citadel, Cyrus >> - - - - - or are those considered groupware only? >> >> I think I'm getting more confused rather than less!! >> >> TIA >> >> Regards >> ___ >> Dng mailing list >> Dng@lists.dyne.org >> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 US https://dailydata.net 214.827.2170 ext 100 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] What not to back up
Or, tell bind to place the zone files where they originally were, in
/etc/bind/zones or something.
The change was made about 10 years ago as a "security feature" and is
mainly used for running bind in a jail, so if it gets hacked, they can't
mess up the rest of the server. I remember when Debian went that way and
it confused me quite a bit.
Of course, if you have a dedicated server only for BIND, that reason
goes away.
So, simply edit /etc/bind/* and change /var/lib/bind to whatever you
want. For the most part, I just store them in /etc/bind/SEC or
/etc/bind/ZONES or something. BIND doesn't care; it is the distro people
doing that.
Rod
On 11/26/21 7:07 AM, Mike Tubby wrote:
>
>
> On 24/11/2021 10:08, Olaf Meeuwissen via Dng wrote:
>> Hi Hendrik,
>>
>> Hendrik Boom writes:
>>
>>> I'm setting up a new backup script that will do it all piecemeal so
>>> that if a part of it fails, it can be retried without having to start
>>> *everythng* over from scratch.
>>>
>>> Which top-level filesystems should *not* be backed up.
>>>
>>> To start with, I presumably shouldn't back up
>>>
>>> /proc
>>> /tmp
>>> /dev (cause I'm using some version of *udev)
>>> /mnt
>> ACK.
>>
>>> and I certainly should back up /var, /usr. /root, /bin,
>>> /boot, /etc, /home, /lib, /lib64, /sbin
>> I wouldn't bother with /var/cache and /var/log but you're talking
>> top-level ;-)
>
> ... but if you run a nameserver you may well need:
>
> /var/cache/bind
>
> as that's where your zonefiles are ;-)
>
>
>> /boot is managed by installing kernel images and grub (using settings in
>> /etc/grub) so isn't all that important to include. At least on amd64.
>>
>>> But what about
>>>
>>> /run
>>> /srv
>>> /sys
>>> ?
>> Both /run and /sys are tmpfs file systems. Not worth backing up.
>
>
> However some admins put services in:
>
> /srv
>
> and some third-party suppliers of software place it in:
>
> /opt
>
> for example Sophos anti-virus.
>
>> Basically, you should only care about a subset of what lives below the
>> mount points listed by
>>
>> df | grep ^/ | awk '{print $6}'
>>
>> and make sure your backup command doesn't cross file system boundaries.
>> That should automatically exclude things like /dev, /proc, /run, /sys
>> and may (or may not) exclude /tmp (depending on installation choices).
>> As /mnt is meant for temporary mounts, that should be excluded too.
>>
>>> What are those even used for?
>> I would have pointed you to the FHS but as Lars pointed out already `man
>> 7 hier` will tell.
>>
>> Of course, if you don't use things like /srv and /opt, there's not much
>> of a cost to backing up the empty directories :-)
>>
>> Hope this helps,
>> --
>> Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
>> GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
>> Support Free Software https://my.fsf.org/donate
>> Join the Free Software Foundation https://my.fsf.org/join
>> ___
>> Dng mailing list
>> Dng@lists.dyne.org
>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>
> ___
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
--
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465 US
https://dailydata.net
214.827.2170 ext 100
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] system administration of non-systemd distros and releases
One possible point to make is that, while many system-d sysadmins may have initial difficulty with Devuan, there are tons of Unix sysadmins who would be up to speed in a manner of hours. Debian, Redhat, etc... are actually more "based on Unix" than "Unix", and that process appears to be growing as more and more functions are taken over by system-d. Just like you can say that OS X is "based on" Unix, but you can not call it Unix except in the broadest terms. By requiring system-d on their machines, your admins are locking themselves in to an experiment which may or may not be there in a few years. I personally think it will survive, but then I said the same thing about Novell Netware back in the 90's. By going with a distribution that does not rely on system-d, your admins are ensuring compatibility with Unix, a 50+ year old OS that has a proven longevity. Rod On 11/19/21 5:29 AM, Peter Duffy wrote: > I've recently been asked to recommend an upgrade route for a number of > linux servers, and I proposed going to devuan. In response, I've had a > concern raised which took me by surprise. It was suggested that in the > future, it may not be possible to find staff who have the skills to > administer and manage servers running non-systemd or pre-systemd > distros/releases. > > I've tried to give reassurance - but I'm still wondering if this could > be a valid concern. I'd always taken the view that it's primarily the > linux sysadmin community which is trying to stop the onslaught of the > systemd juggernaut - but obviously, the greater the proportion of > servers running systemd-based distros/releases, the less staff get > exposed to non-systemd management techniques and tools. > > I'd be grateful for thoughts and comments. > > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 US https://dailydata.net 214.827.2170 ext 100 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] routine ascii upgrade mysteriously on hold
May not mean anything, but I quit using aptitude back with Jessie, I think. Maybe ASCII. The main reason was exactly what you describe. There was a major difference between what apt/apt-get did and what aptitude did. It may not be maintained anymore, or maybe maintained, but not as strongly, but appears to have settings that are not consistent with apt/apt-get. Recommend you just use apt update/apt [dist]upgrade and all your problems could (maybe, possibly) go way. Rod On 8/1/21 10:33 AM, Bernard Rosset via Dng wrote: > On 31/07/2021 22:03, Hendrik Boom wrote: >> I'm practicing upgrades on my spare laptop, getting ready for doing my >> server >> upgrade from ascii to beowulf.. >> >> They are both running ascii. >> >> Starting, of course, by making the ascii up to date still as ascii, >> before I try tye >> upgrade to beowulf. >> >> Having trouble doing even this innocuous act. >> >> I tried starting by using interactive aptitude to just update and >> upgrade. > > After changing your sources to point to the new release, have you run > "apt-get upgrade" or "apt-get dist-upgrade"? > It looks to me as if you did the former. > >> Only to discover that *every* package that might be upgraded was >> "held", and could >> therefore not be upgraded even though newer packages were available. >> >> What could be causing this? Or rather, how should I go about trying >> to track down >> the origin of these holds/this mass hold? > Packages might be held back in several situations, for instance when > download fails or checksum mismatches. In your case I would guess it is > because dependencies of the held back packages have changed. > The "dist-upgrade" action handles that, not "upgrade". > > To check your current state, you could always run "apt-get check" or > "aptitude why-not ". > > To fix the current situation, you could run the "dist-upgrade" action, > which is the official, documented way of doing release upgrades (cf. > https://www.debian.org/doc/manuals/debian-faq/uptodate.en.html#apt). > That will also take care of the cleanup, ie will offer to remove packages. > Check what it tells you to do before accepting (and maybe run it with > the "--simulate" option?), especially having a look at the proposed > packages removal. > > You could also try "apt-get --with-new-pkgs upgrade", which should > download the new dependencies (in case that is your problem), but I > suspect it will leave litter behind. > I suggest this only as a possibility, but would encourage you to follow > the best practice stated above. > > Bernard (Beer) Rosset > https://rosset.net/ > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 US http://dailydata.net 214.827.2170 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Devuan as a hypervisor?
We have been virtualizing machines, servers and workstations, for over a decade. First on Debian, then Devuan. My personal workstation is Devuan, and I have Windows 7 & 10, FreeBSD, Devuan, and CentOS available as virtuals that I spool up as needed. On our servers, we mainly virtualize Devuan servers; dbs/web/mail/nextcloud/jitsi and even one database server (MySQL + Postgres). We also have several Windows Server (2008r2, 2016 and 2019) in production as virtuals. Xen is historically good, but I've been having issues with it over the past few years. The Windows PV drivers are not as available as they have been in the past, and there have been some other issues. I tried some other tools, notably Oracle Virtualbox, and they run fine, but I decided I would not tie myself to them. Instead, we are slowly moving to KVM, and actually are using libvirt (from Redhat) to manage them. I have never been a big RedHat fan, but they did good on this. It is a front end to Xen, KVM and maybe other hypervisors, but you use a consistent set of commands to do things. It also has a GUI if you want. I use it on my workstation, but we don't install GUI's on our servers, so those are done via the cli. I think there may even be a WebUI for it, but not sure. One of the main reasons for going with KVM is the availability of PV drivers for Windows. The difference between full virtualization and the use of PV drivers is huge. About a 5-10 speedup (my personal guess). Since we manage OS X machines also, I've thought about looking at the legality of creating an OS X virtual. I understand it is fairly well documented. My notes on this are at kb.unixservertech.com. NOTE: these are my notes, and as it says on the cover, if it makes your computer fall into a black hole, it is not my fault. But, I try to put reference links at the bottom of everything, so it may give you a start. It is notes, not howto's or anything. You can feel free to contact me off list if you decide to go this route and need anything. Rod On 8/1/21 7:18 PM, Curtis Maurand via Dng wrote: > I’ve been running a production system first on ascii, but upgraded to > beowulf. the only trouble I’ve had has been hardware and that was just a > failed power supply. i run the whole thing on kvm/libvirt. runs great. > uptimes in the 100’s of days. > > Your mileage may vary. > > —Curtis > > Sent from my iPhone > >> On Aug 1, 2021, at 7:45 PM, yami...@cock.li wrote: >> >> Hi. >> >> I want to install a bare metal hypervisor in my computer to get the benefits >> from dual booting except without the mess that is dual booting. >> >> I'm going to use it for both linux and windows systems and all I want is for >> the vms and their files to be isolated, control over their resources, PCI >> passthrough, and good performance. I don't care for a GUI as long as scripts >> are an option. >> >> Currently I'm between Xen and Qemu, but I'm open to other options. >> Which would be the best option in this case, and is this even a good idea? >> >> Thanks. >> ___ >> Dng mailing list >> Dng@lists.dyne.org >> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > ___ > Dng mailing list > Dng@lists.dyne.org > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > -- Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 US http://dailydata.net 214.827.2170 ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
