Re: [gentoo-user] update gentoo without network

2016-01-17 Thread Raffaele BELARDI
J. Roeleveld wrote:
> On Monday, January 18, 2016 07:52:08 AM Raffaele BELARDI wrote:
>> I have gentoo system A (~x86) on a network that does not allow portage
>> access to internet due to some authentication issue. System B (~amd64)
>> is on another network with no such restrictions.
>>
>> To bypass the restrictions I made a copy of A on a removable media,
>> chroot into it from B and 'emerge-webrsync; emerge --fetchonly' from
>> there. Then attach the media to A and overwrite /usr/portage with the
>> updated one from the removable media.
>>
>> This works but updating the chroot from B always re-downloads all the
>> packages since the first time I created the chroot, not only those from
>> the last update. I suppose portage maintains a database of the installed
>> packages that I need to copy back to the removable media after each
>> system A update, but where is it?
>
> In the distfiles directory.
> If you leave those, it will not download them again.
>
> If those are removed all the time, you end up re-downloading them.

Thanks, but it must be something different - or I was not clear 
describing the problem.

On system B, where there is no network restriction, I have always 
cleared distfiles/ contents after each update without problem. Portage 
downloads only the packages needed for the most recent update, not also 
the ones already used for the previous updates. I'm sure it keeps a 
database of the installed packages somewhere, it does not rely only on 
distfiles/ contents.

raffaele


Re: [gentoo-user] update gentoo without network

2016-01-17 Thread J. Roeleveld
On Monday, January 18, 2016 07:52:08 AM Raffaele BELARDI wrote:
> I have gentoo system A (~x86) on a network that does not allow portage 
> access to internet due to some authentication issue. System B (~amd64) 
> is on another network with no such restrictions.
> 
> To bypass the restrictions I made a copy of A on a removable media, 
> chroot into it from B and 'emerge-webrsync; emerge --fetchonly' from 
> there. Then attach the media to A and overwrite /usr/portage with the 
> updated one from the removable media.
> 
> This works but updating the chroot from B always re-downloads all the 
> packages since the first time I created the chroot, not only those from 
> the last update. I suppose portage maintains a database of the installed 
> packages that I need to copy back to the removable media after each 
> system A update, but where is it?

In the distfiles directory.
If you leave those, it will not download them again.

If those are removed all the time, you end up re-downloading them.

--
Joost



[gentoo-user] update gentoo without network

2016-01-17 Thread Raffaele BELARDI
I have gentoo system A (~x86) on a network that does not allow portage 
access to internet due to some authentication issue. System B (~amd64) 
is on another network with no such restrictions.

To bypass the restrictions I made a copy of A on a removable media, 
chroot into it from B and 'emerge-webrsync; emerge --fetchonly' from 
there. Then attach the media to A and overwrite /usr/portage with the 
updated one from the removable media.

This works but updating the chroot from B always re-downloads all the 
packages since the first time I created the chroot, not only those from 
the last update. I suppose portage maintains a database of the installed 
packages that I need to copy back to the removable media after each 
system A update, but where is it?

thanks,

raffaele
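The procedure above carries a Portage tree and the fetched distfiles from B to A on removable media. Portage's record of what is installed is the VDB under /var/db/pkg (one directory per installed package), not distfiles/, so the chroot on the media has to carry A's current VDB for `emerge --fetchonly` to compute the right set. The check a practitioner wants on the receiving side is that what arrived matches the Manifest of the tree it was fetched for: Portage performs that check itself at build time, but running it before overwriting /usr/portage catches a damaged or altered copy early. The following is an added example, not code from the thread: a POSIX sh checker for the DIST entries of an ebuild Manifest in the 2016-era layout (size followed by SHA256/SHA512/WHIRLPOOL pairs; only SHA512 is compared here). The Manifest path and distfiles directory in the usage comment are the standard locations of that era, and the sample input in the test is constructed. A Manifest can only vouch for distfiles; trust in the tree itself rests on emerge-webrsync verifying the snapshot signature, which FEATURES="webrsync-gpg" in the chroot's make.conf enables.

```shell
#!/bin/sh
# Added example (not from the thread): verify distfiles carried over removable
# media against the DIST entries of an ebuild Manifest before trusting them.
# Manifest2 DIST lines look like (hash names as used in the 2016-era tree):
#   DIST foo-1.0.tar.gz 12345 SHA256 <hex> SHA512 <hex> WHIRLPOOL <hex>
# Only the SHA512 entry is checked here; Portage itself checks every listed hash.

# sha512 of a file, portable across sha512sum (coreutils) and shasum (BSD/macOS)
file_sha512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_distfiles MANIFEST DISTDIR
# Returns 0 when every DIST entry in MANIFEST is present in DISTDIR with the
# right size and SHA512, 1 otherwise (each problem is reported on stderr).
verify_distfiles() {
    manifest=$1
    distdir=$2
    rc=0
    while read -r kind name size rest; do
        [ "$kind" = DIST ] || continue
        f="$distdir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $name" >&2
            rc=1
            continue
        fi
        actual_size=$(wc -c < "$f" | tr -d ' ')
        if [ "$actual_size" != "$size" ]; then
            echo "SIZE     $name: expected $size, got $actual_size" >&2
            rc=1
            continue
        fi
        # walk the "ALGO hex ALGO hex ..." pairs and pick out SHA512
        expected=
        set -- $rest
        while [ $# -ge 2 ]; do
            [ "$1" = SHA512 ] && expected=$2
            shift 2
        done
        if [ -z "$expected" ]; then
            echo "NOHASH   $name: Manifest carries no SHA512" >&2
            rc=1
            continue
        fi
        actual=$(file_sha512 "$f")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $name" >&2
            rc=1
            continue
        fi
        echo "OK       $name"
    done < "$manifest"
    return $rc
}

# usage: sh verify-distfiles.sh /usr/portage/<cat>/<pkg>/Manifest /usr/portage/distfiles
if [ $# -eq 2 ]; then
    verify_distfiles "$1" "$2"
fi
```

A non-zero exit means at least one distfile on the media is missing, truncated or altered; the tree should not be copied into place until the offending file has been re-fetched on B. Looping the checker over every Manifest that `emerge --fetchonly` touched is the natural next step, but the per-package form above is enough to show the mechanism.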

Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread J. Roeleveld
On Monday, January 18, 2016 02:02:27 AM lee wrote:
> "J. Roeleveld"  writes:
> > On 17 January 2016 18:35:20 CET, Mick  wrote:
> > 
> > [...]
> > 
> >> I use the icaclient provided by Citrix to access my virtual desktop at work,
> >> but have never tried to set up something similar at home.  What opensource
> >> software would I need for this?  Is there a wiki somewhere to follow?
> >>
> > I'd love to do this myself as well.
> > 
> > Citrix sells the full package as 'XenDesktop'. To do it yourself you need
> > a VMserver (Xen or similar) and a remote desktop tool that hooks into the
> > VM display. (Spice or VNC)
> > 
> > Then you need some way of authenticating users and providing access to the
> > client software. [...]
> 
> You would have a full VM for each user?

Yes

> That would be a huge waste of resources,

Diskspace and CPU can easily be overcommitted.

> plus having to take care of a lot of VMs,

Automated.

> plus having to buy  a lot of Windoze licenses

Volume licensing takes care of that.

> and taking about a week to install the updates
> after installing a VM.

Never heard of VM templates?

> Add to that that the xen host goes down at
> random time intervals (because the sending queue of the network card
> times out for reasons that cannot be determined) which can be as long as
> a day, a week or even up to three weeks, and you are likely to become a
> rather unhappy administrator.

Sorry, but I consider that a bug in your hardware. If it's really that 
unstable, replace it.
I've been running Xen enabled servers for nearly 15 years. Never had issues 
like that. If it were truly that unstable, it wouldn't be gaining popularity.

> Try kvm instead, and you'll find that
> it's impossible to migrate the VMs from xen to kvm when you want to
> use virtio drivers because you can't install them on an existing Windoze
> VM.

Not a problem with the virtualisation technology. It is an issue with driver 
management inside MS Windows.
There are ways to migrate VMs successfully, I just don't see the point in 
wasting time for that.

The biggest reason why I don't use KVM is the lack of full snapshot 
functionality. Snapshotting disks is nice, but you end up with an unclean-
shutdown situation and anything that's not yet committed to disk is gone.

> Then there's the question how well vnc or spice connections work over a
> VPN that goes over the internet.

VNC works quite well, as long as you use a minimal desktop. (like blackbox).
Don't expect KDE or Gnome to be usable.
I haven't tried Spice yet, but I've read that it performs better.

> It's not like the employees could get
> reliable internet connections with sufficient bandwidth, not to mention
> that the company would have to get one in the first place, which isn't
> much easier to get, if any.

That depends on where you are.
The company could host the servers in a decent datacentre, which should take 
care of the bandwidth issues.
For the employees, if they want to work from home, it's up to them to ensure 
they have a reliable connection.

> It might work in theory.  How would it be feasible in practise?

Plenty of companies do it this way. If you don't want to pay for software like 
XenDesktop, you need to do all the work setting it up yourself.

--
Joost



[gentoo-user] Re: How to get rid of 32bits libraries

2016-01-17 Thread James
Nikos Chantziaras writes:


> > I'd like to get rid of all 32bits libraries. There are only two 
> > packages which I'd like to keep and which need some 32bits libraries.

OK, so I run:
  EIX_LIMIT=0 eix -I --only-names | equery hasuse abi_x86_32 | wc -l

and get '279'. Maybe I missed something on how to determine the packages
installed that have 'abi_x86_32' set ?


>*/* -abi_x86_32

This is all set up as specified (has been for some time).

I guess I cannot get rid of the 32bit libs? What did I miss?

profile ::  [1]   default/linux/amd64/13.0 *
on a minimized lxde workstation.


Should I even be trying to rid this system of 32 bit libs?
I just had to get rid of the global flag setting for 'nsplugin' to
get everything to update. 
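To see which installed packages still carry the flag, one can read Portage's installed-package database directly instead of going through gentoolkit: every installed package has a directory /var/db/pkg/<category>/<package-version>/ whose USE file lists the flags it was built with and whose IUSE file lists the flags the ebuild offers (each optionally prefixed with a + or - default). The following is an added example, not from the thread; the package names and flag sets used to exercise it are constructed. It separates two cases that a single count blurs: packages that merely offer abi_x86_32 (where `*/* -abi_x86_32` has done its job once they are rebuilt) and packages actually built with it enabled (the ones `emerge -auDN @world` still has to rebuild, or that a per-package entry keeps 32-bit on purpose). Pointing it at a copied VDB, such as the chroot on removable media from the other thread, works the same way.

```shell
#!/bin/sh
# Added example (not from the thread): inspect Portage's installed-package
# database (the VDB) to see which packages offer a USE flag and which were
# actually built with it enabled. Layout relied on:
#   /var/db/pkg/<category>/<package-version>/USE   flags the build used
#   /var/db/pkg/<category>/<package-version>/IUSE  flags the ebuild offers,
#                                                  each optionally prefixed + or -

# list_flags FILE: one flag per line, leading +/- defaults stripped
list_flags() {
    tr -s ' \n' '\n\n' < "$1" | sed 's/^[+-]//'
}

# packages_offering_use FLAG [VDB_ROOT]
# Installed packages whose IUSE mentions FLAG, enabled or not.
packages_offering_use() {
    flag=$1
    vdb=${2:-/var/db/pkg}
    for iusefile in "$vdb"/*/*/IUSE; do
        [ -f "$iusefile" ] || continue
        if list_flags "$iusefile" | grep -qxF -- "$flag"; then
            pkgdir=${iusefile%/IUSE}
            echo "${pkgdir#"$vdb"/}"
        fi
    done
}

# packages_with_use FLAG [VDB_ROOT]
# Installed packages that were built with FLAG enabled: these are the ones a
# "*/* -abi_x86_32" entry has not yet taken effect on (or that a per-package
# entry keeps enabled on purpose).
packages_with_use() {
    flag=$1
    vdb=${2:-/var/db/pkg}
    for usefile in "$vdb"/*/*/USE; do
        [ -f "$usefile" ] || continue
        if list_flags "$usefile" | grep -qxF -- "$flag"; then
            pkgdir=${usefile%/USE}
            echo "${pkgdir#"$vdb"/}"
        fi
    done
}

# count_packages_with_use FLAG [VDB_ROOT]: just the number
count_packages_with_use() {
    packages_with_use "$1" "$2" | wc -l | tr -d ' '
}

# usage: sh vdb-use.sh abi_x86_32 [/path/to/var/db/pkg]
if [ $# -ge 1 ]; then
    echo "offering $1:"; packages_offering_use "$1" "$2"
    echo "built with $1 enabled:"; packages_with_use "$1" "$2"
fi
```

After the `*/* -abi_x86_32` entry and the @world rebuild, the second list should shrink to exactly the packages given a per-package exception; anything else still in it was not rebuilt and is worth an `emerge -1` on its own.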




[gentoo-user] Re: How to get rid of 32bits libraries

2016-01-17 Thread Nikos Chantziaras

On 17/01/16 10:32, Helmut Jarausch wrote:

Hi,

> I'd like to get rid of all 32bits libraries. There are only two packages which 
> I'd like to keep and which need some 32bits libraries.
> That's
> dev-util/android-sdk-update-manager  and app-text/acroread
> both of which I use only occasionally.


Look in your make.conf and see if ABI_X86 is defined there. If yes, 
delete it. Then, in your package.use, at the very top, the first line 
should be:


  */* -abi_x86_32

This disables the "abi_x86_32" USE flag on all packages that have it. 
You can then add the "abi_x86_32" USE flag to individual packages on a 
per-needed basis.


If your package.use is a directory, make sure to put that line on a file 
that's looked up first (for example "000-abi", the zeroes in front will 
make sure this file is parsed first).


Then:

  emerge -auDN --with-bdeps=y @world

should take care of doing the needed rebuilds.



> Is it possible to install this on /usr/local in such a way that it  doesn't 
> interfere with my standard Gentoo installation on /usr?


Not sure what you mean with "interfere." Why would it interfere with 
anything? If there's file collisions, portage will point them out to you.






[gentoo-user] cannot boot system whose root is zfs

2016-01-17 Thread covici
Hi.  Using dracut and systemd I am having a terrible time trying to boot
a system whose root file system is zfs, along with some other datasets I
have created in the pool.  The zfs module does load, but it cannot find
the pool.  It gets to the sysroot.mount service and dies.  I think the
problem seems to have something to do with how I specify the root
parameter in the kernel command line.  The pool has a dataset called
root with the bootfs parameter.  I tried specifying root=rpool/root
rootfstype=zfs, but no joy.  I also tried root=ZFS=rpool/root but that
didn't work either. I also tried root=ZFS:rpool/root but that didn't
work either.  I found those possibilities on the net, at least two of
them in the various gentoo wikis.

Also, I want to be sure I am using the correct fstab entry -- I have
rpool/root  / zfs   defaults 0 0
and similar.

At the point where it dies, dracut has not imported the pool and
importing and mounting it works, but the boot will not continue.

I am using kernel 4.1.15 and 6.5.3 zfs components.

Thanks in advance for any suggestions.




-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici
 cov...@ccs.covici.com



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread wabenbau
lee  wrote:

> Rich Freeman  writes:
> 
> > On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
> >> Suppose you use a VPN connection.  How does the client
> >> (employee) secure their own network and the machine they're using
> >> to work remotely then?
> >
> > Poorly, most likely.  Your data is probably not nearly as important
> > to them as their data is, and most people don't take great care of
> > their own data.
> 
> That's not what I meant to ask.  Assume you are an employee supposed
> to work from home through a VPN connection:  How do you protect your
> LAN?

Depends on the VPN connection. If you use an OpenVPN client on your PC
then it is sufficient to use a well configured firewall (ufw, iptables 
or whatever) on this PC. If you use a VPN gateway then you could 
configure this gateway (or a firewall behind) in a way that it blocks 
incoming connections from the VPN tunnel. 

IMHO there is no more risk to use a VPN connection than with any other
Internet connection.

--
Regards
wabe
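As an added example (not from the thread), here is the host firewall wabe describes for a PC running an OpenVPN client in tun mode, next to the server-side rule Alan gives further down this page (let the webapp servers accept the VPN range as well as the office range). Interface names, address ranges and the port are assumptions for illustration. The rules only print by default; set APPLY=1 and run as root to apply them with iptables after review. The weak setting it avoids is treating the tunnel interface like the LAN and accepting new connections from it.

```shell
#!/bin/sh
# Added example (not from the thread): a client-side firewall for an employee PC
# running an OpenVPN client in tun (layer 3) mode, plus the server-side rule that
# admits the office and VPN ranges to the webapp. Interface names, prefixes and
# port below are assumptions for illustration.

# ipt: print the iptables command unless APPLY=1, so the policy can be reviewed
# (and tested) without root; with APPLY=1 it runs iptables for real.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# vpn_client_firewall VPN_IF LAN_IF
# VPN_IF is the tun device OpenVPN creates, LAN_IF the home LAN interface.
vpn_client_firewall() {
    vpn_if=$1
    lan_if=$2
    # replies to connections this PC opened (to the office over the tunnel,
    # or anywhere else) are allowed back in
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # the weak setting would be "-A INPUT -i $vpn_if -j ACCEPT", trusting the
    # tunnel like the LAN; instead nothing may be initiated from the tunnel
    ipt -A INPUT -i "$vpn_if" -j DROP
    # this PC is not a router between the office network and the home LAN,
    # in either direction, even if ip_forward is ever switched on
    ipt -A FORWARD -i "$vpn_if" -o "$lan_if" -j DROP
    ipt -A FORWARD -i "$lan_if" -o "$vpn_if" -j DROP
    # outbound into the tunnel is left to the host's OUTPUT policy
}

# webapp_server_firewall OFFICE_CIDR VPN_CIDR PORT
# On the webapp host: accept the office range and the VPN range, drop the rest.
webapp_server_firewall() {
    office=$1
    vpn=$2
    port=$3
    ipt -A INPUT -p tcp -s "$office" --dport "$port" -j ACCEPT
    ipt -A INPUT -p tcp -s "$vpn" --dport "$port" -j ACCEPT
    ipt -A INPUT -p tcp --dport "$port" -j DROP
}

# usage: sh vpn-fw.sh client tun0 eth0
#        sh vpn-fw.sh server 203.0.113.0/24 10.8.0.0/24 443
# (prefix with APPLY=1 and run as root to apply instead of print)
case ${1:-} in
    client) vpn_client_firewall "${2:-tun0}" "${3:-eth0}" ;;
    server) webapp_server_firewall "${2:-203.0.113.0/24}" "${3:-10.8.0.0/24}" "${4:-443}" ;;
esac
```

Both functions append to the existing chains rather than flushing them, so they compose with whatever policy the host already has. The FORWARD rules matter even while ip_forward is off, since a later change would otherwise silently turn the PC into a bridge between the office network and the home LAN, which is the exposure lee is asking about.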



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Rich Freeman
On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
> Rich Freeman  writes:
>
>> However, while an RDP-like solution protects you from some types of
>> attacks, it still leaves you open to many client-side problems like
>> keylogging.  I don't know any major corporation that lets people RDP
>> into their applications in general.
>
> What do they use instead?
>

As I mentioned in my previous email - they just hand all their
employees laptops.  Control the hardware, control the software,
control the security...


-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread lee
"J. Roeleveld"  writes:

> On 17 January 2016 18:35:20 CET, Mick  wrote:

> [...]
>> I use the icaclient provided by Citrix to access my virtual desktop at work,
>> but have never tried to set up something similar at home.  What opensource
>> software would I need for this?  Is there a wiki somewhere to follow?
>
> I'd love to do this myself as well.
>
> Citrix sells the full package as 'XenDesktop'. To do it yourself you need a 
> VMserver (Xen or similar) and a remote desktop tool that hooks into the VM 
> display. (Spice or VNC)
>
> Then you need some way of authenticating users and providing access to the 
> client software.
> [...]

You would have a full VM for each user?  That would be a huge waste of
resources, plus having to take care of a lot of VMs, plus having to buy
a lot of Windoze licenses and taking about a week to install the updates
after installing a VM.  Add to that that the xen host goes down at
random time intervals (because the sending queue of the network card
times out for reasons that cannot be determined) which can be as long as
a day, a week or even up to three weeks, and you are likely to become a
rather unhappy administrator.  Try kvm instead, and you'll find that
it's impossible to migrate the VMs from xen to kvm when you want to
use virtio drivers because you can't install them on an existing Windoze
VM.

Then there's the question how well vnc or spice connections work over a
VPN that goes over the internet.  It's not like the employees could get
reliable internet connections with sufficient bandwidth, not to mention
that the company would have to get one in the first place, which isn't
much easier to get, if any.

It might work in theory.  How would it be feasible in practise?



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread lee
Rich Freeman  writes:

> On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
>> Suppose you use a VPN connection.  How does the client (employee)
>> secure their own network and the machine they're using to work remotely
>> then?
>
> Poorly, most likely.  Your data is probably not nearly as important to
> them as their data is, and most people don't take great care of their
> own data.

That's not what I meant to ask.  Assume you are an employee supposed to
work from home through a VPN connection:  How do you protect your LAN?


> [...]
>> What's the Linux equivalent of RDP sessions?  Some sort of VNC seems to
>> usually require a lot of bandwidth, and I wouldn't know how to run it as
>> a service so that someone could just start a client (like rdesktop) and
>> log in to the server as they can do with Windoze servers. --- I only
>> found x11rdp which appears to be incompatible with current X servers.
>
> There is stuff like xtogo and other NX-like technologies, but the
> trend seems to be towards client-side rendering which makes them
> perform about as well as VNC.  I mostly gave up on it ages ago - it
> was fairly fragile to keep working as well.  I do know one of the
> maintainers - perhaps it has gotten better in recent years.
>
> However, while an RDP-like solution protects you from some types of
> attacks, it still leaves you open to many client-side problems like
> keylogging.  I don't know any major corporation that lets people RDP
> into their applications in general.

What do they use instead?

This sounds as if it's basically impossible to work from a remote
location, at least when Linux comes into it at some point.

> [...]



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Mick
On Sunday 17 Jan 2016 13:10:42 Rich Freeman wrote:
> On Sun, Jan 17, 2016 at 1:03 PM, J. Roeleveld  wrote:
> > I would prefer a method that is independent of OS used. And provides
> > server side limitations with regards to filesharing and clipboard access.
> x2go is just X11, so it should be OS-independent as long as you have a
> client/server for it.  It just logs in as the appropriate user on the
> remote host, so access beyond that is whatever you'd get if you just
> logged in on a console.
> 
> Now, I can't vouch for how many OSes anybody has bothered to implement it
> on.

I am not sure what Grant's requirements are, but I would think that devs will 
require their own desktop environment and OS instance, rather than x2go's 
shared OS.  Instead of a remote display presentation layer, how could one 
setup a fully virtualised desktop?

-- 
Regards,
Mick



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Rich Freeman
On Sun, Jan 17, 2016 at 1:03 PM, J. Roeleveld  wrote:
>
> I would prefer a method that is independent of OS used. And provides server 
> side limitations with regards to filesharing and clipboard access.
>

x2go is just X11, so it should be OS-independent as long as you have a
client/server for it.  It just logs in as the appropriate user on the
remote host, so access beyond that is whatever you'd get if you just
logged in on a console.

Now, I can't vouch for how many OSes anybody has bothered to implement it on.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread J. Roeleveld
On 17 January 2016 18:59:36 CET, Rich Freeman  wrote:
>On Sun, Jan 17, 2016 at 12:35 PM, Mick wrote:
>> I use the icaclient provided by Citrix to access my virtual desktop at work,
>> but have never tried to set up something similar at home.  What opensource
>> software would I need for this?  Is there a wiki somewhere to follow?
>>
>
>There might be something newer, but something along the line of x2go
>is what you'd want.  It just tunnels over ssh (with a built-in ssh
>client) and runs an X server on the remote host which the clients
>connect to (you can just launch xfce or whatever for your DM - I'd
>avoid anything with fancy 3D), and then it compresses the X11 protocol
>and does the presentation on your local workstation.  The X server can
>provide immediate replies to clients on its side so that the effects
>of latency are greatly diminished.  But, if you launch something like
>chromium be prepared to watch the screen paint since it uses
>client-side rendering.  All you'll get is big blobs of images sent
>over the wire for that window.  However, for anything rendered
>server-side you'll get a very interactive experience since the
>component on your workstation can do much of the rendering
>independently of the actual X11 server, which operates on a delay.

X2go and similar work like RDP for windows, allowing multiple users on the same 
host.

I would prefer a method that is independent of OS used. And provides server 
side limitations with regards to filesharing and clipboard access.

--
Joost 
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Rich Freeman
On Sun, Jan 17, 2016 at 12:35 PM, Mick  wrote:
> I use the icaclient provided by Citrix to access my virtual desktop at work,
> but have never tried to set up something similar at home.  What opensource
> software would I need for this?  Is there a wiki somewhere to follow?
>

There might be something newer, but something along the line of x2go
is what you'd want.  It just tunnels over ssh (with a built-in ssh
client) and runs an X server on the remote host which the clients
connect to (you can just launch xfce or whatever for your DM - I'd
avoid anything with fancy 3D), and then it compresses the X11 protocol
and does the presentation on your local workstation.  The X server can
provide immediate replies to clients on its side so that the effects
of latency are greatly diminished.  But, if you launch something like
chromium be prepared to watch the screen paint since it uses
client-side rendering.  All you'll get is big blobs of images sent
over the wire for that window.  However, for anything rendered
server-side you'll get a very interactive experience since the
component on your workstation can do much of the rendering
independently of the actual X11 server, which operates on a delay.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread J. Roeleveld
On 17 January 2016 18:35:20 CET, Mick  wrote:
>On Sunday 17 Jan 2016 16:51:00 J. Roeleveld wrote:
>> On Sunday, January 17, 2016 10:46:38 AM Rich Freeman wrote:
>> > On Sun, Jan 17, 2016 at 10:27 AM, J. Roeleveld wrote:
>> > > Actually, there are several large corporations that use RDP-like
>> > > technologies. Although those are called "VDI" and usually use XenDesktop
>> > > on the server side and "icaclient" on the client.
>> > > Runs through HTTPS and apart from keyloggers and screenloggers, there is
>> > > not much that can be done.
>> > > Using 2-factor authentication (RSA-type keys or similar) they're pretty
>> > > secure.
>> > 
>> > Yeah, I would agree with that.  I've set up a few thin client citrix
>> > boxes ages ago.  These days I'd say the web is the bigger trend, and I
>> > agree that 2-factor can greatly reduce the impact of keylogging.  One
>> > of the nice things with one of the SaaS applications we're using at
>> > work is that if we're having connection issues I can just wake up my
>> > console on my home PC next to my VPN'ed laptop and see if the
>> > application is accessible with a complete different route (suffice it
>> > to say I sometimes dread using the office LAN for this reason - I've
>> > seen file transfers go faster over the VPN than the local WiFi).
>> > 
>> > But, if you're still stuck with win32 applications Citrix is certainly
>> > a solution.  I was thinking it might take over the corporate desktop
>> > until everything started moving more towards the web.
>> 
>> XenDesktop is actually a lot nicer than the classical "Citrix".
>> You end up with a full VM rather than a multi-user hack on top of a single
>> user OS.
>> 
>> I prefer to work using VDI/icaclient than with the company supplied laptops.
>> Especially since my own laptop and desktop is nicer to type with and the
>> screen is better quality...
>> 
>> --
>> Joost
>
>I use the icaclient provided by Citrix to access my virtual desktop at work,
>but have never tried to set up something similar at home.  What opensource
>software would I need for this?  Is there a wiki somewhere to follow?

I'd love to do this myself as well.

Citrix sells the full package as 'XenDesktop'. To do it yourself you need a 
VMserver (Xen or similar) and a remote desktop tool that hooks into the VM 
display. (Spice or VNC)

Then you need some way of authenticating users and providing access to the 
client software.

I have not been able to set all that up myself yet, but it is on my wish/todo 
list.

Ideally, I'd like an affordable XenDesktop licencing scheme for a few 
simultaneous users.

--
Joost





Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Mick
On Sunday 17 Jan 2016 16:51:00 J. Roeleveld wrote:
> On Sunday, January 17, 2016 10:46:38 AM Rich Freeman wrote:
> > On Sun, Jan 17, 2016 at 10:27 AM, J. Roeleveld  wrote:
> > > Actually, there are several large corporations that use RDP-like
> > > technologies. Although those are called "VDI" and usually use XenDesktop
> > > on the server side and "icaclient" on the client.
> > > Runs through HTTPS and apart from keyloggers and screenloggers, there is
> > > not much that can be done.
> > > Using 2-factor authentication (RSA-type keys or similar) they're pretty
> > > secure.
> > 
> > Yeah, I would agree with that.  I've set up a few thin client citrix
> > boxes ages ago.  These days I'd say the web is the bigger trend, and I
> > agree that 2-factor can greatly reduce the impact of keylogging.  One
> > of the nice things with one of the SaaS applications we're using at
> > work is that if we're having connection issues I can just wake up my
> > console on my home PC next to my VPN'ed laptop and see if the
> > application is accessible with a complete different route (suffice it
> > to say I sometimes dread using the office LAN for this reason - I've
> > seen file transfers go faster over the VPN than the local WiFi).
> > 
> > But, if you're still stuck with win32 applications Citrix is certainly
> > a solution.  I was thinking it might take over the corporate desktop
> > until everything started moving more towards the web.
> 
> XenDesktop is actually a lot nicer than the classical "Citrix".
> You end up with a full VM rather than a multi-user hack on top of a single
> user OS.
> 
> I prefer to work using VDI/icaclient than with the company supplied laptops.
> Especially since my own laptop and desktop is nicer to type with and the
> screen is better quality...
> 
> --
> Joost

I use the icaclient provided by Citrix to access my virtual desktop at work, 
but have never tried to set up something similar at home.  What opensource 
software would I need for this?  Is there a wiki somewhere to follow?

-- 
Regards,
Mick



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread J. Roeleveld
On Sunday, January 17, 2016 10:46:38 AM Rich Freeman wrote:
> On Sun, Jan 17, 2016 at 10:27 AM, J. Roeleveld  wrote:
> > Actually, there are several large corporations that use RDP-like
> > technologies. Although those are called "VDI" and usually use XenDesktop
> > on the server side and "icaclient" on the client.
> > Runs through HTTPS and apart from keyloggers and screenloggers, there is
> > not much that can be done.
> > Using 2-factor authentication (RSA-type keys or similar) they're pretty
> > secure.
> 
> Yeah, I would agree with that.  I've set up a few thin client citrix
> boxes ages ago.  These days I'd say the web is the bigger trend, and I
> agree that 2-factor can greatly reduce the impact of keylogging.  One
> of the nice things with one of the SaaS applications we're using at
> work is that if we're having connection issues I can just wake up my
> console on my home PC next to my VPN'ed laptop and see if the
> application is accessible with a complete different route (suffice it
> to say I sometimes dread using the office LAN for this reason - I've
> seen file transfers go faster over the VPN than the local WiFi).
> 
> But, if you're still stuck with win32 applications Citrix is certainly
> a solution.  I was thinking it might take over the corporate desktop
> until everything started moving more towards the web.

XenDesktop is actually a lot nicer than the classical "Citrix".
You end up with a full VM rather than a multi-user hack on top of a single 
user OS.

I prefer to work using VDI/icaclient than with the company supplied laptops. 
Especially since my own laptop and desktop is nicer to type with and the 
screen is better quality...

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Rich Freeman
On Sun, Jan 17, 2016 at 10:27 AM, J. Roeleveld  wrote:
>
> Actually, there are several large corporations that use RDP-like technologies.
> Although those are called "VDI" and usually use XenDesktop on the server side
> and "icaclient" on the client.
> Runs through HTTPS and apart from keyloggers and screenloggers, there is not
> much that can be done.
> Using 2-factor authentication (RSA-type keys or similar) they're pretty
> secure.
>

Yeah, I would agree with that.  I've set up a few thin client citrix
boxes ages ago.  These days I'd say the web is the bigger trend, and I
agree that 2-factor can greatly reduce the impact of keylogging.  One
of the nice things with one of the SaaS applications we're using at
work is that if we're having connection issues I can just wake up my
console on my home PC next to my VPN'ed laptop and see if the
application is accessible with a complete different route (suffice it
to say I sometimes dread using the office LAN for this reason - I've
seen file transfers go faster over the VPN than the local WiFi).

But, if you're still stuck with win32 applications Citrix is certainly
a solution.  I was thinking it might take over the corporate desktop
until everything started moving more towards the web.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread J. Roeleveld
On Sunday, January 17, 2016 07:27:45 AM Rich Freeman wrote:
> On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
> > Suppose you use a VPN connection.  How does the client (employee)
> > secure their own network and the machine they're using to work remotely
> > then?
> 
> Poorly, most likely.  Your data is probably not nearly as important to
> them as their data is, and most people don't take great care of their
> own data.
> 
> As I mentioned in my other post, there might be some exceptions if
> you're dealing with highly-skilled IT security employees or something
> like that, but most people don't take nearly the level of care with
> their clients as you're probably going to want them to.
> 
> > What's the Linux equivalent of RDP sessions?  Some sort of VNC seems to
> > usually require a lot of bandwidth, and I wouldn't know how to run it as
> > a service so that someone could just start a client (like rdesktop) and
> > log in to the server as they can do with Windoze servers. --- I only
> > found x11rdp which appears to be incompatible with current X servers.
> 
> There is stuff like xtogo and other NX-like technologies, but the
> trend seems to be towards client-side rendering which makes them
> perform about as well as VNC.  I mostly gave up on it ages ago - it
> was fairly fragile to keep working as well.  I do know one of the
> maintainers - perhaps it has gotten better in recent years.
> 
> However, while an RDP-like solution protects you from some types of
> attacks, it still leaves you open to many client-side problems like
> keylogging.  I don't know any major corporation that lets people RDP
> into their applications in general.

Actually, there are several large corporations that use RDP-like technologies.
Although those are called "VDI" and usually use XenDesktop on the server side 
and "icaclient" on the client.
Runs through HTTPS and apart from keyloggers and screenloggers, there is not 
much that can be done.
Using 2-factor authentication (RSA-type keys or similar) they're pretty 
secure.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread Rich Freeman
On Sun, Jan 17, 2016 at 6:38 AM, lee  wrote:
> Suppose you use a VPN connection.  How does the client (employee)
> secure their own network and the machine they're using to work remotely
> then?

Poorly, most likely.  Your data is probably not nearly as important to
them as their data is, and most people don't take great care of their
own data.

As I mentioned in my other post, there might be some exceptions if
you're dealing with highly-skilled IT security employees or something
like that, but most people don't take nearly the level of care with
their clients as you're probably going to want them to.


> What's the Linux equivalent of RDP sessions?  Some sort of VNC seems to
> usually require a lot of bandwidth, and I wouldn't know how to run it as
> a service so that someone could just start a client (like rdesktop) and
> log in to the server as they can do with Windoze servers. --- I only
> found x11rdp which appears to be incompatible with current X servers.

There is stuff like xtogo and other NX-like technologies, but the
trend seems to be towards client-side rendering which makes them
perform about as well as VNC.  I mostly gave up on it ages ago - it
was fairly fragile to keep working as well.  I do know one of the
maintainers - perhaps it has gotten better in recent years.

However, while an RDP-like solution protects you from some types of
attacks, it still leaves you open to many client-side problems like
keylogging.  I don't know any major corporation that lets people RDP
into their applications in general.

It sounds like Grant is concerned enough about his application to
restrict logins to a specific IP (presumably it uses SSL and sign-ons
as well).  If you care THAT much about where valid users can connect
from, I don't see why you'd just let them VPN into your LAN running
who-knows-what-rootkit on their workstations.

If you're truly 100% web-based I'd just go the chromebook route.  If
not, I'd issue laptops that you control with full-disk encryption, and
you can then set them up however you need to.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-17 Thread lee
Mick  writes:

> On Saturday 16 Jan 2016 09:39:24 Alan McKinnon wrote:
>> On 16/01/2016 06:17, Grant wrote:
>> > I'm considering allowing some employees to work from home but I'm
>> > concerned about the security implications.  Currently everybody shows up
>> > and logs into their locked down Gentoo system and from there is able to
>> > access the company webapps which are restricted to the office IP
>> > address.  I guess I would have to allow webapp access from any IP for
>> > those users and trust that their computer is secure?  Should that not be
>> > scary?
>> > 
>> > - Grant
>> 
>> I have experience in this area. I work at ISPs where working from home
>> is routine and required for overnight standby.
>> 
>> You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers
>> the security levels you need. Use the Layer3 routing option that uses
>> tun drivers (not tap) and issue the certificates to the users yourself.
>> Then allow your servers to accept connections from the VPN range as well
>> as the internal office range
>> 
>> As for the security levels of their personal machines, tell them what
>> you require and from that point on you really have to trust your people
>> so be security aware and with the program.
>
> Some other alternatives and thoughts to solutions already proposed are:
>
> 1.  Only allow access through the office firewall and webapp servers to the 
> IP addresses of your employees.  This would only work if your employees have 
> static IP addresses and are few in number - otherwise you are creating an 
> administrative burden.  I assume that the client connection to the webapp 
> server will be over some secure protocol, e.g. SSH, SSL/TLS.  Otherwise, 
> you'll need an encrypted tunnel (see below).
>
> 2. Instead of OpenVPN which has been recommended I suggest that you take a 
> look at IPSec with IKEv2.  IPSec + IKEv2 provides higher throughput because 
> encryption/decryption is performed in the kernel, rather than userspace and 
> because it allows for multi-threading, which last time I looked OpenVPN does 
> not.  In addition, IKEv2 employs the MOBIKE protocol which allows mobile 
> client roaming.  Changing client IP addresses is handled automatically, 
> without having to restart manually the VPN session.  All this said, if your 
> use case has low throughput demand then OpenVPN would work fine.  In both 
> cases, use strong encryption.  
>
> 3. If you go with OpenVPN, following Alan's suggestion to use tun instead of 
> tap, I should add that if you have deployed MSWindows or other clients and 
> services with non-IP protocols, then you'll probably need a tap bridge to 
> make sure that all services can get through.  The client machines will then 
> become part of your LAN.  Depending on client numbers you may need more than 
> one VLAN segment and multiple OpenVPN servers.
>
> 4. An easier and simpler alternative may be to run SSH SOCKS proxy on the 
> server and proxychains on the clients.  Any software run with proxychains on 
> the client will be tunnelled via SSH to the server and from a network 
> perspective will be connected to the office LAN.  Webapps should be able to 
> run quite efficiently in this way and connect to the LAN server.  Public key 
> authentication and an SSH high port should keep pests away.

Suppose you use a VPN connection.  How does the client (employee)
secure their own network and the machine they're using to work remotely
then?

What's the Linux equivalent of RDP sessions?  Some sort of VNC seems to
usually require a lot of bandwidth, and I wouldn't know how to run it as
a service so that someone could just start a client (like rdesktop) and
log in to the server as they can do with Windoze servers. --- I only
found x11rdp which appears to be incompatible with current X servers.

Then there's LTSP.  Letting aside that there are no thin clients with
sufficient graphics performance:  would it be possible to do that over a
VPN connection, provided that the VPN connection doesn't put the rest of
the network on the client side at risk?

Having that said, I'm finding OpenVNC anything but easy to set up.  How
is that with IPsec and IKEv2?

Proxychains sounds interesting.  Is it possible to run rdesktop through
that?
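Alan's advice above is to let the webapp servers accept connections from the VPN tun range as well as the office range. As an added example, not code from anyone in this thread, here is a small WSGI middleware that enforces such an allow-list on the TCP peer address only; the office address and the VPN range are constructed placeholders, and the point of the example is that X-Forwarded-For must not be consulted, since any client can set it.

```python
import ipaddress

# Constructed placeholders (not from the thread): the office egress address
# and the OpenVPN tun client range that should be allowed alongside it.
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.10/32"),  # office static IP (placeholder)
    ipaddress.ip_network("10.8.0.0/24"),      # OpenVPN tun range (placeholder)
]


def source_allowed(remote_addr, allowed=ALLOWED_SOURCES):
    """True if the TCP peer address lies inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:       # empty or malformed address: deny
        return False
    return any(ip in net for net in allowed)


class SourceRestrictMiddleware:
    """Refuse requests whose peer address is outside the office/VPN ranges.

    Only REMOTE_ADDR (the TCP peer) is consulted. X-Forwarded-For is ignored
    on purpose: it is client-supplied, so trusting it would let any host on
    the internet claim an office or VPN address.
    """

    def __init__(self, app, allowed=ALLOWED_SOURCES):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        if not source_allowed(environ.get("REMOTE_ADDR", ""), self.allowed):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"source address not permitted\n"]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the company webapp."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"webapp\n"]


def status_for(remote_addr, headers=None):
    """Push one constructed request through the middleware; return the status."""
    environ = {"REMOTE_ADDR": remote_addr}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}
    list(SourceRestrictMiddleware(hello_app)(environ, lambda s, h: seen.update(status=s)))
    return seen["status"]
```

A real deployment would also terminate TLS and authenticate the user; this only reproduces the source-address restriction Grant already relies on, extended to the VPN range.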



Re: [gentoo-user] (Re-) Configuring X11 with two graphic cards (NVidia)

2016-01-17 Thread lee
meino.cra...@gmx.de writes:

> Hi,
>
> previously there were two graphic cards installed in my Gentoo box:
>
> Geforce GT 430
> Geforce GT 560TI
>
> The first was used for desktop purposes only and the second was used
> only by Blender as "render engine".
>
> Then the Geforce GT 560TI went crazy and died and I had to change it
> with another one, a Geforce GTX 960.
>
> I grepped through /etc and checked for "560" and similar to find
> things which need to be changed.
>
> Reboot.
>
> Rendering runs now faster, which means that Blender has found its
> new "render engine". But...
>
> The GUI of Blender starts lagging...
>
> The desktop "feels" the same...but I cannot tell, whether it is 
> supported by the first or second graphics card, since the 960 may
> be capable to handle both...don't know for sure.
>
> Nvidia settings recognizes both cards...from the thermal readings
> I would guess, that the GTX 960 is definitely used for rendering
> purposes...but I think using the desktop will not heat up either
> card...;)
>
> Is there any way to check, whether the current setup is working as
> wanted (GTX 480 for desktop only, GTX 960 for rendering only) and
> whether the "full power of the GTX 960" is available for rendering?
>
> I cannot get rid of the feeling, that I am driving with brakes on

Doesn't nvidia-settings show to which display the cards sync?

Did you specify which card is to be used by the X server?

Does it hurt to remove the GT 430?  There is worlds of difference
between a GT 430 and a GTX 960.  When you compare these two cards, you
may find that running the 430 isn't worth the electricity it costs,
unless you get it for free or almost free.  You may also get the
impression that your whole desktop, or at least your web browser, is
slow when you go from the 960 back to the 430 :)

I think I'd just remove the 430 and see how it goes.  If you're then
happy with the performance, there's no need to put the 430 back.



[gentoo-user] Kmail2 with standalone PostgreSQL - first impressions

2016-01-17 Thread Mick
Some initial impressions after 3 weeks of daily usage:

1. Sometimes akonadi does not start when I start Kmail.  The kmail window is 
greyed out with the message "The Akonadi personal information management 
service is not running.  This application cannot be used without it."  The 
greyed out area has a button to 'Start' Akonadi in the middle of it.  If I 
click 'Start' Akonadi starts and the Kmail application window is accessible 
again.  During that time the Kmail application has no problem connecting to 
the mail server and downloading messages, as I can see from the progress bar, 
but nevertheless Akonadi stops me accessing the application.

2. As I read, delete, reply, at some point kmail will sync its Gmail Inbox.  
Although I have purposefully deleted most of my 120k+ messages sync'ing still 
causes kmail to freeze when trying to display a new message (not yet 
downloaded), showing a blue window in the preview pane with the message:  
"Retrieving folder contents.  Please wait ..."  20 or more seconds later 
folder syncing is finished and the content of the message I have selected 
displays, but I find this disruptive and annoying.[A]

3. I noticed that sometimes when I delete a message on Gmail, it ends up in 
the Local Trash/Wastebin folder, not Gmail's.  I think that this happens when 
I delete something *while* the Gmail account is being sync'ed.

4. When I shutdown kmail and then shutdown the PC, it takes 3 or more minutes 
to shutdown, instead of a few seconds.  This is what the postgres logs show:

===
STATEMENT:  BEGIN
LOG:  received smart shutdown request
LOG:  autovacuum launcher shutting down
LOG:  received fast shutdown request
LOG:  aborting any active transactions
FATAL:  terminating connection due to administrator command
FATAL:  terminating connection due to administrator command
FATAL:  terminating connection due to administrator command
[snip ...]

FATAL:  terminating connection due to administrator command
FATAL:  terminating connection due to administrator command
LOG:  shutting down
LOG:  database system is shut down
LOG:  database system was shut down at 2016-01-04 07:33:24 GMT
===

I'm guessing this is caused by akonadi not exiting gracefully, because when I 
stop akonadi first shutdown is snappy again.

5.  When I create a draft message, save it (on the IMAP server draft folder) 
and then save it once more, a second draft message is created on the server.  
The second message has my signature added twice at the bottom of it.  If I 
open to edit and save as draft a message a number of times I end up with 
multiple messages and multiple signatures (in the last draft).  Sending a 
previously draft message does not clear it out of the draft folder.

6. Intermittent connectivity because of an unreliable wireless connection does 
not seem to affect Kmail.  When the connection comes back up it will continue 
where it left off.

7. Perhaps most importantly I have not yet had a database corruption, lost any 
messages, or had any major gripes to cause me to regret moving over to 
Kmail2.  My 4G RAM and a 6 year old 1st generation i7 do not seem to be a 
constraint in running Kmail2.  I noticed once/twice postgres and akonadi 
taking up 40% of CPU time each, but otherwise the PC functioned properly at 
the time.  However, it is worth mentioning that I have disabled the Baloo 
indexer, without any noticeable adverse effect.

None of the above bugs/features are show stoppers for me.  Given my experience 
to date I have to say that Kmail2 on a quad core CPU and at least 4G RAM is 
usable, unless the above bugs/features would annoy you.  I have yet to perform 
a postgres update and should read up on this, because last time I updated a 
postgresql database was more than 8 years ago - things have changed since.

Thank you again Joost for your help and advice in getting Kmail2 + postgresql 
configured.  You acted as a trigger for me to move off Kmail1, in the nick of 
time, because an older P4 box with Kmail1 is now having blockers updating 
KDEPIM.  :-)


[A] I still have a large number (c.5000) of unread messages in my Inbox and it 
is this folder which is causing most delays during sync.  I will mark all of 
them as read or delete what I do not wish to keep soon, to see if this makes 
any difference in the sync'ing delays I am experiencing.

-- 
Regards,
Mick



[gentoo-user] How to get rid of 32bits libraries

2016-01-17 Thread Helmut Jarausch
Hi,

I'd like to get rid of all 32-bit libraries. There are only two packages which 
I'd like to keep and which need some 32-bit libraries.
That's
dev-util/android-sdk-update-manager  and app-text/acroread
both of which I use only occasionally.

Is it possible to install these on /usr/local in such a way that it doesn't 
interfere with my standard Gentoo installation on /usr?

Many thanks for some hints,
Helmut