Re: [gentoo-user] Re: update gentoo without network [SOLVED]

2016-01-19 Thread Raffaele BELARDI
Neil Bothwick wrote:
> On Mon, 18 Jan 2016 19:39:50 +0100, Raffaele BELARDI wrote:
>
>> Just tested, it works:
>>
>> 1. cp -a /var/db/pkg from system A to removable media
>> 2. chroot ; emerge-webrsync ; emerge --fetchonly -uDvN world
>> 3. cp -a /usr/portage from removable media to system A
>> 4. next week, goto 1
>
> Interesting, that's worthy of an entry in the wiki for anyone else
> looking to maintain a Gentoo system without Internet access. I would
> suggest that you update portage within the chroot. What you are doing is
> lying to portage about what is actually installed, that shouldn't be a
> problem most of the time given what you are using it for, but different
> versions of portage on the two systems may cause problems at some time in
> the future.

Good suggestion about portage update.
I'll check how to create a wiki entry.

raffaele


Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 12:22 AM,   wrote:
>
> I'm an absolute windows noop. I only use it for graphics work. I even
> didn't know that such a kind of file sharing is possible with it. :-)
>

No worries - I think that is a great place to be.  However, it is
useful to understand what ideas are out there, since some of them are
actually good ones.

The foundation of these kinds of features in windows is that their
user IDs are essentially GUIDs (a combination of an authentication
server and a unique ID I believe):
https://en.wikipedia.org/wiki/Security_Identifier

This is in contrast to a linux UID, which is just a small number.  You
might be UID 0 on your box, and I'm UID on mine.  The UID of the
administrator account of every windows box out there is unique.  That
avoids all kinds of issues, like the whole nfs root-is-nobody design.
You can "chown" a windows file to a UID which isn't native to the
machine - the machine would authenticate anybody trying to read it
against the machine that assigned the UID.

It isn't perfect, but it seems like a better foundation for this sort of thing.

>
> That's right. I think that the effort and the outlay to implement all
> these features into Linux is relative high. It seems that no vendor
> is willing to assume such a financial risk.
>
> Maybe it is time for another crowd founding campaign? ;-)
>

Well, changing how user IDs would be a big task (as far as I'm aware).

However, the bit about Bitlocker isn't actually.  You just need to use
trusted grub, some vanilla kernel config options, and probably some
logic in the initramfs and userspace.  There is already a linux
solution for TPM at every layer of the boot chain, which allows a
userspace program in an initramfs to store an encryption key in the
TPM and retrieve it only if the boot chain isn't tampered with.  You
just need to put together the pieces.

I could probably hack something together in a few days.  The trick is
getting it to survive things like kernel updates and for it to be
robust.  You need to ensure that anything that legitimately changes
your boot chain updates all the settings in the TPM so that on the
next boot the keys are still delivered.  Otherwise your drive becomes
unreadable, and difficult to recover (well, unless you escrow the
encryption keys somewhere, which you certainly can do).

-- 
Rich
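A software model of the seal/re-seal logic Rich describes, added here as an illustration and not code from this thread or from any real TPM stack: PCR extend and sealing are simulated with SHA-256 and HMAC, the stage-to-PCR mapping and the boot image contents are constructed, and a real deployment would drive the TPM through its own tooling instead.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Sequence

PCR_COUNT = 24  # a TPM 2.0 bank has 24 PCRs; this model measures into four of them
# Constructed stage -> PCR mapping (an assumption; real firmware uses its own layout).
BOOT_PCRS = {"firmware": 0, "bootloader": 4, "kernel": 8, "initramfs": 9}
SEAL_PCRS = (0, 4, 8, 9)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SimulatedTPM:
    """Software stand-in for a TPM: resettable PCRs plus a root key that never leaves it."""

    def __init__(self) -> None:
        self.pcrs: List[bytes] = [bytes(32)] * PCR_COUNT
        self._srk = secrets.token_bytes(32)  # storage root key; survives reboots

    def power_cycle(self) -> None:
        # A reboot clears the PCRs but keeps the root key; software cannot reset PCRs.
        self.pcrs = [bytes(32)] * PCR_COUNT

    def extend(self, index: int, measurement: bytes) -> None:
        # PCR_new = H(PCR_old || H(measurement)): order matters, nothing can be un-measured.
        self.pcrs[index] = sha256(self.pcrs[index] + sha256(measurement))

    def policy_digest(self, indices: Sequence[int], pcrs: Optional[List[bytes]] = None) -> bytes:
        pcrs = self.pcrs if pcrs is None else pcrs
        return sha256(b"".join(pcrs[i] for i in sorted(indices)))

    def seal(self, secret: bytes, indices: Sequence[int],
             expected_pcrs: Optional[List[bytes]] = None) -> dict:
        """Bind `secret` to PCR values: the current ones, or predicted ones for a future boot."""
        assert len(secret) <= 32, "this model handles secrets of up to 32 bytes"
        policy = self.policy_digest(indices, expected_pcrs)
        kek = hmac.new(self._srk, b"seal" + policy, hashlib.sha256).digest()
        blob = bytes(a ^ b for a, b in zip(secret, kek))
        return {"indices": tuple(sorted(indices)), "policy": policy, "blob": blob}

    def unseal(self, sealed: dict) -> Optional[bytes]:
        """Release the secret only if the current PCRs reproduce the policy it was sealed to."""
        policy = self.policy_digest(sealed["indices"])
        if not hmac.compare_digest(policy, sealed["policy"]):
            return None  # boot chain differs from what the key was sealed to
        kek = hmac.new(self._srk, b"seal" + policy, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(sealed["blob"], kek))


def boot(tpm: SimulatedTPM, chain: Dict[str, bytes]) -> None:
    """Simulate power-on: each stage is measured into its PCR before it runs."""
    for stage in ("firmware", "bootloader", "kernel", "initramfs"):
        tpm.extend(BOOT_PCRS[stage], chain[stage])


def predict_pcrs(chain: Dict[str, bytes]) -> List[bytes]:
    """PCR values a future boot of `chain` will produce: what an update hook must seal to."""
    scratch = SimulatedTPM()
    boot(scratch, chain)
    return scratch.pcrs


def scenario() -> Dict[str, bool]:
    disk_key = secrets.token_bytes(32)
    # Constructed stand-ins for the measured images (a real chain hashes the file contents).
    chain = {"firmware": b"fw-1.0", "bootloader": b"grub-2.02",
             "kernel": b"vmlinuz-4.4.0", "initramfs": b"initrd-4.4.0"}
    tpm = SimulatedTPM()
    boot(tpm, chain)
    sealed = tpm.seal(disk_key, SEAL_PCRS)  # initial provisioning from the initramfs

    tpm.power_cycle()
    boot(tpm, chain)
    key_at_boot = tpm.unseal(sealed)  # unchanged chain: the key is released

    # A kernel update lands while the system runs. The hook Rich describes re-seals
    # the key to the PCRs the *new* chain will produce; without it, `sealed` goes stale.
    updated = dict(chain, kernel=b"vmlinuz-4.5.0", initramfs=b"initrd-4.5.0")
    resealed = tpm.seal(key_at_boot, SEAL_PCRS, expected_pcrs=predict_pcrs(updated))

    tpm.power_cycle()
    boot(tpm, updated)
    stale_unseal = tpm.unseal(sealed)  # no hook: the drive stays locked
    fresh_unseal = tpm.unseal(resealed)  # hook ran: the key is released again

    # Same kernel, but a modified boot loader: the PCR policy no longer matches.
    modified = dict(updated, bootloader=b"grub-2.02-modified")
    tpm.power_cycle()
    boot(tpm, modified)
    tampered_unseal = tpm.unseal(resealed)

    return {
        "same_chain_releases_key": key_at_boot == disk_key,
        "update_without_reseal_locks_out": stale_unseal is None,
        "update_with_reseal_releases_key": fresh_unseal == disk_key,
        "modified_bootloader_refused": tampered_unseal is None,
    }
```

The escrow Rich mentions is simply a copy of `disk_key` kept off the machine; it is the only way back in once a stale seal has locked the drive.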



[gentoo-user] Re: {OT} Allow work from home?

2016-01-19 Thread Kai Krakow
On Tue, 19 Jan 2016 19:39:26 + (UTC), Grant Edwards wrote:

> On 2016-01-19, Mick  wrote:
> 
> > As far as I understand it RDP is different to VNC, in the sense that
> > instead of sending every pixel down the line it only sends
> > compressed semantic information *about* a desktop component
> > (e.g. the start button, a control signal, etc.) and the client
> > interprets this locally as a button or a control command. It is also
> > using caching to minimise retransmission.
> 
> I don't think so.  AFAICT, RDP (a-la Windows) and VNC both do exactly
> the same thing: they send display pixel info to be displayed.  They
> try to optimize the process by only sending deltas and by using
> various compression schemes, but they're both basically doing the
> same thing.  RDP also has a bunch of other stuff to support things
> like audio, printer, filesystem, and serial/parallel port redirection
> that I don't think VNC ever had.  But the display/mouse/keyboard part
> of it works pretty much the same.

Well, RDP indeed sends bitmaps. But it can do it a lot more intelligently
and desktop-aware than VNC. First, it supports bitmap caching and can
reuse bitmaps which were already sent - which in itself is quite a good
compression for usual desktop content. It also supports a wide variety
of compression types. It can also encode the fact that bitmaps have
moved, thus only requiring the background of a window which was moved
to be sent - and can reuse bitmaps from the cache.

RDP also can detect and send content as a video stream. It also
supports sending graphical desktop effects using 3d acceleration and
transparency.

It also knows of glyphs (font rendering), which thus do not have to be
sent as bitmaps (which due to font smoothing may not compress well).

Xfreerdp is a nice implementation which implements almost all those
features. I was able to use it to smoothly operate a remote Windows
desktop with Aero effects enabled. The latency was very low, the
experience was almost the same as working physically in front of the
machine. Of course, the remote end has to have a sufficiently new RDP
server implementation (like Windows 8 or Server 2012). It also
supports folder, printer, sound, and port redirection. It may also
support the new Windows RDP UDP transport which works more like a video
stream encoder and sacrifices immediate image quality for low latency. I
haven't tried it with xfreerdp. In Windows, it is very nice for high
latency links where it catches up image quality after 1 or 2 seconds or
so.

There are also demos where you can remotely play Diablo 3 on Windows using
a Linux RDP client - with low latency, sound and good image quality. I
doubt VNC could do that, despite the claim "basically the same". [1]

VNC just cannot do it. It even sometimes does not transfer small screen
updates like a blinking cursor - let alone the mouse pointer only
following on clicks. It also doesn't support catching up better image
quality in a deferred way to keep latency low. It's either slow, or
visually unpleasing at best. It's also annoying that it's bound to the
physical screen resolution of the remote machine. VNC was only good
back in WinXP times, when RDP was not much more than VNC in terms of
screen content transfer, and network links were generally much slower
than today, and VNC had some intelligent compression algos in contrast
to RDP. VNC just doesn't seem to be able to make use of low latency and
high bandwidth links - it still feels sluggish and slow. It's probably a
protocol implementation issue (not streaming and synchronous).

Given that, I'd say: No, it's _not_ "basically" the same. RDP is just
much more than simple bitmap transfer - even if we exclude advanced
features like sound, file transfer, clipboard sharing etc and stick to
the common features.

BTW: As far as I know, a wayland display server will be able to expose
an RDP framebuffer which you could connect to from Windows RDP clients,
and should also support smooth desktop effects and video encoding at
some time in the future. I followed that topic for a while but given
the fact that wayland is just not there yet, making it impossible for
me to use it on my daily desktop, I've given up on that. I'll try to
get back to that later. But as far as I understood, unlike Windows RDP,
a wayland RDP framebuffer does not mirror a physical screen - it is just
a virtual framebuffer.

[1]: https://www.youtube.com/watch?v=RUXYuj9S1v8

-- 
Regards,
Kai

Replies to list-only preferred.




[gentoo-user] Why we no Heroku?

2016-01-19 Thread Daniel Quinn
I wanted to start fiddling with Heroku, so naturally the first thing I
tried was

    $ eix heroku

…but alas there was nothing. So I poked around their site to see how one
might install their client manually and the instructions are the
typically horrifying:

    # wget -qO- https://toolbelt.heroku.com/install.sh | sh

The thing is, a quick look at what that '| sh' is actually doing isn't
all that terrifying. Basically it untars a bunch of ruby scripts into a
directory and then puts the path to the 'heroku' "binary" (a ruby
script) in your $PATH. Surely, this is a good candidate for an ebuild, yes?

So I thought I'd ask: am I missing something, or is this really as easy
as it looks? Is this just waiting for someone to write an ebuild?
Bugzilla has nothing about it, but I can't believe that Heroku use
hasn't come up before in Gentoo land. Surely there must be some web
developers / ops people who would like to use Heroku stuff from Gentoo…
right?


Re: [gentoo-user] emerge libxcb fails

2016-01-19 Thread karl
Alec Ten Harmsel:
> On Tue, Jan 19, 2016 at 10:05:49PM +0100, k...@aspodata.se wrote:
> > Alec Ten Harmsel:
> > > On Tue, Jan 19, 2016 at 08:01:19PM +0100, k...@aspodata.se wrote:
> > > > I'm getting
> > > > 
> > > >  Makefile:1318: recipe for target 'xinput.c' failed
> > > > 
> > > > when emerging x11-libs/libxcb-1.11.1, logs etc.:
> > > > 
> > > >  http://turkos.aspodata.se/tmp/gentoo/
> > > 
> > > I can't read build.log - 403 permission denied.
> > 
> > Ok, fixed. I did not check emerge's log permission.
> 
> In general (someone else, correct me if I'm wrong) this list would much
> rather have you attach a compressed build.log when you mail in the
> problem. That way, there is no chance of permissions problems, and years
> from now, the logs will still be here for posterity.

They were kind of big, so I didn't want to swamp the mailing list.

> The problem is a python script that runs in the build process has a
> KeyError. I did notice that for you, that python script is running on
> files in `/usr/local/share/xcb', while it runs on files in
> `/usr/share/xcb' on mine. These are a part of the `x11-proto/xcb-proto'
> package. Do you have a version of xcb-proto installed in /usr/local? It
> is possible that the libxcb configure script is picking an old version
> of xcb-proto that is installed in `/usr/local' over the correct version
> installed in `/usr'.

Yes, that's probably it, thanks for the look.

> I would recommend removing `/usr/local/share/xcb' and trying to install
> libxcb again.

I mv'ed /usr/local/share but it didn't help.

Is there some make clean or similar for emerge? I tried --fail-clean a
couple of times, but that didn't help. Perhaps if I change some use var
and run emerge -auDN @system, would that help? Well, that would be a
thing for tomorrow.

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57





Re: [gentoo-user] emerge libxcb fails

2016-01-19 Thread karl
Alec Ten Harmsel:
> On Tue, Jan 19, 2016 at 08:01:19PM +0100, k...@aspodata.se wrote:
> > I'm getting
> > 
> >  Makefile:1318: recipe for target 'xinput.c' failed
> > 
> > when emerging x11-libs/libxcb-1.11.1, logs etc.:
> > 
> >  http://turkos.aspodata.se/tmp/gentoo/
> 
> I can't read build.log - 403 permission denied.

Ok, fixed. I did not check emerge's log permission.

> > I get similar errors with:
> > 
> >  emerge =libxcb-1.10
> >  emerge =libxcb-1.9.1
> > 
> > Has anyone seen anything similar, maybe there is something missing here ?
> 
> Nope, installed fine here.

Ok, I'll try from X git sources tomorrow.
Thanks for your answer anyhow.

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57





Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 2:32 PM, Grant  wrote:
>
> I'm sorry, I meant can I lock down access to my web stuff so that a
> particular user can only come from a particular device (or from any
> device containing a key).
>

It looks like this hasn't been widely implemented, but it looks like
they do have the ability to generate TPM-backed client certificates
which could then be used for authentication (and you can set a policy
to auto-authenticate using the certificate).  It looks like you need
to use an extension to generate the key and csr, and load the
certificate.  Google wrote an extension that does this for active
directory, but for any other certificate authority it looks like you
basically have to write your own (and probably publish it as FOSS).

So, the idea would be that you'd provision the device and then log
into it.  The device would auto-install the certificate installer and
then you'd run that extension to load a certificate and mark it for
use for all users on the device.  Then any user on that device could
authenticate using the certificate.  The key would be stored in the
TPM and would never leave the device, and wiping the device would
destroy the key.

You mentioned GPG keys, and this stuff is all RSA-backed, but SSL
client certificates don't use GPG itself.  All of this is FOSS as far
as I can tell.  All browsers can load and use client certificates, but
the advantage of a chromebook is that the key can be generated by the
TPM and never leave it.

-- 
Rich



Re: [gentoo-user] Why we no Heroku?

2016-01-19 Thread Alan McKinnon
On 20/01/2016 00:44, Daniel Quinn wrote:
> I wanted to start fiddling with Heroku, so naturally the first thing I
> tried was
> 
>     $ eix heroku
> 
> …but alas there was nothing. So I poked around their site to see how one
> might install their client manually and the instructions are the
> typically horrifying:
> 
>     # wget -qO- https://toolbelt.heroku.com/install.sh | sh
> 
> The thing is, a quick look at what that '| sh' is actually doing isn't
> all that terrifying. Basically it untars a bunch of ruby scripts into a
> directory and then puts the path to the 'heroku' "binary" (a ruby
> script) in your $PATH. Surely, this is a good candidate for an ebuild, yes?
> 
> So I thought I'd ask: am I missing something, or is this really as easy
> as it looks? Is this just waiting for someone to write an ebuild?
> Bugzilla has nothing about it, but I can't believe that Heroku use
> hasn't come up before in Gentoo land. Surely there must be some web
> developers / ops people who would like to use Heroku stuff from Gentoo…
> right?


Some folks have worked on it but for whatever reason ebuilds never made
it to the tree. The goddess has this to say:

https://www.google.com/search?q=gentoo+ebuild+heroku=utf-8=utf-8

Or maybe they did and got tree cleaned. Search the old cvs Attic and see
what used to be there.



-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] Re: *dev-less gentoo

2016-01-19 Thread karl
Alan McKinnon:
> On 19/01/2016 18:51, k...@aspodata.se wrote:
...
> > I have had no pain using an old plain /dev. What's the pain ?
> take a machine running a desktop. Plug in a usb printer. Where's your node?

To find that out I'd investigate /sys/bus/usb, either directly or via 
usb-devices or some other program. I guess "some other program" is
probably udev or similar for you, it might not be for me.

If it is a usb disk, I just look at the output of sg_map -x -i, and then
decide what to do.

> That's the whole point of a dynamic dev manager, it responds to devices
> changes that occur on normal modern machines and does TheRightThing(tm)
> - currently defined as whatever the dev-manager config tells it to do.

Ok, I don't have any usb printer, all my printers are network connected 
and do handle postscript and lpd.

And my "dev-manager" tells the system to do nothing till the owner of 
the system tells it to do so, which is the right thing for me.
The right thing might be something else for you.

> I'm having a hard time thinking what kind of machine you have in this
> day and age that can do mail and also does not need a dynamic device
> manager. Please enlighten us, or are you perhaps using MAKEDEV?

Please be aware that I'm not implying anything about anyone other than
me, and don't ridicule me.

To do mail, all you have to have is a network connection, a mail 
program and a mail server to relay through. All of that has been done 
for ages without any program like udev. So I don't understand why you 
have any problem understanding how that is done, or why you choose such
an example.

And I don't use MAKEDEV, the dev-nodes are already there, there is no
need to create them again. What's the fuss ?

...
> Sounds like you made one mistake once and that has now become the world
> for you. Almost no-one else here has reported dynamic dev managers make
> "everything just stop working". What you will hear is lots of whinging
> about udev - actually it's whinging about udev's maintainers cleverly
> disguised as whinging about the software - but as a class of software
> they all get the job done and do it well.

No, I did not make the mistake, the upgrade program or the udev
installer did. And since udev (or something related to it) mounts
something on /dev, which makes it in practice impossible to unmount.
So if udev does not fill up the new fs correctly, the system is hosed,
yea, unless I value running mknod by hand and from memory.
That very problem I had is probably fixed by now. But I don't see the
need to get exposed to it again. If udev had used e.g. /udev and
populated that dir separately from /dev, I would not have that special
problem. udev seems to be hardcoded to /dev, but other similar programs
are more malleable in this regard, and if need arises I wouldn't
hesitate to test them.

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57





Re: [gentoo-user] emerge libxcb fails

2016-01-19 Thread Alec Ten Harmsel
On Tue, Jan 19, 2016 at 10:05:49PM +0100, k...@aspodata.se wrote:
> Alec Ten Harmsel:
> > On Tue, Jan 19, 2016 at 08:01:19PM +0100, k...@aspodata.se wrote:
> > > I'm getting
> > > 
> > >  Makefile:1318: recipe for target 'xinput.c' failed
> > > 
> > > when emerging x11-libs/libxcb-1.11.1, logs etc.:
> > > 
> > >  http://turkos.aspodata.se/tmp/gentoo/
> > 
> > I can't read build.log - 403 permission denied.
> 
> Ok, fixed. I did not check emerge's log permission.

In general (someone else, correct me if I'm wrong) this list would much
rather have you attach a compressed build.log when you mail in the
problem. That way, there is no chance of permissions problems, and years
from now, the logs will still be here for posterity.

The problem is a python script that runs in the build process has a
KeyError. I did notice that for you, that python script is running on
files in `/usr/local/share/xcb', while it runs on files in
`/usr/share/xcb' on mine. These are a part of the `x11-proto/xcb-proto'
package. Do you have a version of xcb-proto installed in /usr/local? It
is possible that the libxcb configure script is picking an old version
of xcb-proto that is installed in `/usr/local' over the correct version
installed in `/usr'.

I would recommend removing `/usr/local/share/xcb' and trying to install
libxcb again.

Alec



[gentoo-user] Re: {OT} Allow work from home?

2016-01-19 Thread Grant Edwards
On 2016-01-19, Mick  wrote:

> As far as I understand it RDP is different to VNC, in the sense that
> instead of sending every pixel down the line it only sends
> compressed semantic information *about* a desktop component
> (e.g. the start button, a control signal, etc.) and the client
> interprets this locally as a button or a control command. It is also
> using caching to minimise retransmission.

I don't think so.  AFAICT, RDP (a-la Windows) and VNC both do exactly
the same thing: they send display pixel info to be displayed.  They
try to optimize the process by only sending deltas and by using
various compression schemes, but they're both basically doing the
same thing.  RDP also has a bunch of other stuff to support things
like audio, printer, filesystem, and serial/parallel port redirection
that I don't think VNC ever had.  But the display/mouse/keyboard part
of it works pretty much the same.

-- 
Grant Edwards               grant.b.edwards        Yow! I hope something GOOD
                                  at               came in the mail today so
                                  gmail.com        I have a REASON to live!!




Re: [gentoo-user] sound stopped working [media-sound/pulseaudio-7.1]

2016-01-19 Thread Alexander Kapshuk
On Tue, Jan 19, 2016 at 7:10 PM, Alec Ten Harmsel 
wrote:

> I use pulseaudio without ALSA, for what it's worth. I also don't use VLC
> or mplayer.
>

That's interesting. I didn't know one could use pulseaudio with ALSA left
out.

I set the global USE flag to '-alsa' in '/etc/portage/make.conf' and ran
'emerge -aU' to see what would be pulled in/unmerged. Here's a list of
packages emerge wanted to pull in:
Calculating dependencies  . ...  done!
[ebuild  N ] media-plugins/gst-plugins-x-0.10.36-r1
[ebuild  N ] media-plugins/gst-plugins-xvideo-0.10.36-r1
[ebuild  N ] media-plugins/gst-plugins-vorbis-0.10.36-r1
[ebuild  N ] media-plugins/gst-plugins-ogg-0.10.36-r1
[ebuild  N ] media-libs/gst-plugins-bad-0.10.23-r2  USE="nls orc"
[ebuild  N ] media-libs/faad2-2.7-r3  USE="-digitalradio -static-libs"
[ebuild  N ] media-sound/cdparanoia-3.10.2-r6  USE="-static-libs"
[ebuild   R] net-misc/rdesktop-1.8.3  USE="-alsa*"
[ebuild  N ] media-libs/gst-plugins-ugly-0.10.19-r1  USE="nls orc"
[ebuild  N ] media-libs/gst-plugins-good-0.10.31-r1  USE="nls orc"
[ebuild  N ] media-plugins/gst-plugins-resindvd-0.10.23-r1
[ebuild  N ] media-plugins/gst-plugins-dts-0.10.23-r1  USE="orc"
[ebuild  N ] media-plugins/gst-plugins-faad-0.10.23-r2
[ebuild  N ] media-plugins/gst-plugins-xvid-0.10.23-r1
[ebuild  N ] media-plugins/gst-plugins-cdparanoia-0.10.36-r1
[ebuild  N ] media-plugins/gst-plugins-a52dec-0.10.19-r1  USE="orc"
[ebuild  N ] media-plugins/gst-plugins-x264-0.10.19-r1
[ebuild  N ] media-plugins/gst-plugins-mad-0.10.19-r1
[ebuild  N ] media-plugins/gst-plugins-flac-0.10.31-r1
[ebuild  N ] media-plugins/gst-plugins-dvdread-0.10.19-r1
[ebuild  N ] media-plugins/gst-plugins-pulse-0.10.31-r1
[ebuild  N ] media-plugins/gst-plugins-ffmpeg-0.10.13_p201211-r5
USE="orc -libav"
[ebuild  N ] media-plugins/gst-plugins-mpeg2dec-0.10.19-r1
[ebuild   R] media-video/mplayer-1.2_pre20150214-r1  USE="-alsa*"
[ebuild  N ] media-plugins/gst-plugins-meta-0.10-r10  USE="X a52 aac
cdda dts dvd ffmpeg flac mp3 mpeg ogg pulseaudio vorbis x264 xv xvid -alsa
-dv -dvb -http -jack -lame -libass -libvisual -mms -modplug -musepack -opus
-oss -taglib -theora -v4l -vcd -vpx -wavpack"
[ebuild   R] xfce-extra/xfce4-mixer-4.11.0  USE="-alsa*"
[ebuild   R] media-video/vlc-2.2.1-r1  USE="-alsa*"

Is this what you use, 'media-plugins/gst-plugins'?


>
> On Tue, Jan 19, 2016 at 06:33:41PM +0200, Alexander Kapshuk wrote:
> > Recently, sound has stopped working on one of my Gentoo systems. I have
> > checked the kernel, package and pulseaudio set-ups across all of my
> systems
> > in an attempt to pin down the problem, but so far to no avail. The sound
> > works fine on the other systems I have.
>
> Are they any changes you just made that may have caused the problem? Do
> all the systems have the same configuration?
>

I did not make any changes to alsa, or pulse audio that I'm aware of. Just
been pulling in whatever updates portage had for me on a regular basis.
Running a 4.4.0-vanilla kernel on all my systems, so that can't be the
culprit.


>
> >
> > Having 'alsa-sink' enabled, generates the following output in
> > '/var/log/messages'.
> > # grep 'Jan 19.*pulseaudio' /var/log/messages
> > Jan 19 17:58:23 box1 pulseaudio[3686]: [pulseaudio] module.c: Failed to
> > load module "module-alsa-sink" (argument: ""): initialization failed.
> > Jan 19 17:58:23 box1 pulseaudio[3686]: [pulseaudio] main.c: Module load
> > failed.
> > Jan 19 17:58:23 box1 pulseaudio[3686]: [pulseaudio] main.c: Failed to
> > initialize daemon.
> > Jan 19 17:58:23 box1 pulseaudio[3638]: [pulseaudio] main.c: Daemon
> startup
> > failed.
> > Jan 19 17:58:23 box1 pulseaudio[3706]: [pulseaudio] module.c: Failed to
> > load module "module-alsa-sink" (argument: ""): initialization failed.
> > Jan 19 17:58:23 box1 pulseaudio[3706]: [pulseaudio] main.c: Module load
> > failed.
> > Jan 19 17:58:23 box1 pulseaudio[3706]: [pulseaudio] main.c: Failed to
> > initialize daemon.
> > Jan 19 17:58:23 box1 pulseaudio[3703]: [pulseaudio] main.c: Daemon
> startup
> > failed.
> > Jan 19 17:58:23 box1 pulseaudio[3719]: [pulseaudio] module.c: Failed to
> > load module "module-alsa-sink" (argument: ""): initialization failed.
> > Jan 19 17:58:23 box1 pulseaudio[3719]: [pulseaudio] main.c: Module load
> > failed.
> > Jan 19 17:58:23 box1 pulseaudio[3719]: [pulseaudio] main.c: Failed to
> > initialize daemon.
> > Jan 19 17:58:23 box1 pulseaudio[3716]: [pulseaudio] main.c: Daemon
> startup
> > failed.
> >
> > My sound card details are.
> > lspci -k
> > ...
> > 00:1b.0 Audio device: Intel Corporation 82801I (ICH9 Family) HD Audio
> > Controller (rev 02)
> > Subsystem: Gigabyte Technology Co., Ltd 82801I (ICH9 Family) HD Audio
> > Controller
> > Kernel driver in use: snd_hda_intel
> > ...
>
> Have you looked at dmesg and/or any ALSA logs to see why ALSA-related
> stuff can't be 

Re: [gentoo-user] emerge libxcb fails

2016-01-19 Thread Alec Ten Harmsel
On Tue, Jan 19, 2016 at 08:01:19PM +0100, k...@aspodata.se wrote:
> I'm getting
> 
>  Makefile:1318: recipe for target 'xinput.c' failed
> 
> when emerging x11-libs/libxcb-1.11.1, logs etc.:
> 
>  http://turkos.aspodata.se/tmp/gentoo/

I can't read build.log - 403 permission denied.

> I get similar errors with:
> 
>  emerge =libxcb-1.10
>  emerge =libxcb-1.9.1
> 
> Has anyone seen anything similar, maybe there is something missing here ?

Nope, installed fine here.

Alec



Re: [gentoo-user] sound stopped working [media-sound/pulseaudio-7.1]

2016-01-19 Thread Alec Ten Harmsel
On Tue, Jan 19, 2016 at 09:57:18PM +0200, Alexander Kapshuk wrote:
> On Tue, Jan 19, 2016 at 7:10 PM, Alec Ten Harmsel 
> wrote:
> 
> > I use pulseaudio without ALSA, for what it's worth. I also don't use VLC
> > or mplayer.
> >
> 
> That's interesting. I didn't know one could use pulseaudio with ALSA left
> out.

I am not extremely familiar with how sound works, to be honest. I do
have the 'alsa' USE flag set on pulseaudio. Here are the modules I have
loaded in /etc/pulse/default.pa:

module-always-sink
module-augment-properties
module-card-restore
module-default-device-restore
module-detect
module-device-restore
module-filter-apply
module-filter-heuristics
module-intended-roles
module-native-protocol-tcp auth-ip-acl=127.0.0.1
module-native-protocol-unix
module-position-event-sounds
module-rescue-streams
module-role-cork
module-stream-restore
module-suspend-on-idle
module-switch-on-port-available
module-udev-detect

> I set the global USE flag to '-alsa' in '/etc/portage/make.conf' and ran
> 'emerge -aU' to see what would be pulled in/unmerged. Here's a list of
> packages emerge wanted to pull in:
> Calculating dependencies  . ...  done!
> [ebuild  N ] media-plugins/gst-plugins-x-0.10.36-r1
> [ebuild  N ] media-plugins/gst-plugins-xvideo-0.10.36-r1
> [ebuild  N ] media-plugins/gst-plugins-vorbis-0.10.36-r1
> [ebuild  N ] media-plugins/gst-plugins-ogg-0.10.36-r1
> [ebuild  N ] media-libs/gst-plugins-bad-0.10.23-r2  USE="nls orc"
> [ebuild  N ] media-libs/faad2-2.7-r3  USE="-digitalradio -static-libs"
> [ebuild  N ] media-sound/cdparanoia-3.10.2-r6  USE="-static-libs"
> [ebuild   R] net-misc/rdesktop-1.8.3  USE="-alsa*"
> [ebuild  N ] media-libs/gst-plugins-ugly-0.10.19-r1  USE="nls orc"
> [ebuild  N ] media-libs/gst-plugins-good-0.10.31-r1  USE="nls orc"
> [ebuild  N ] media-plugins/gst-plugins-resindvd-0.10.23-r1
> [ebuild  N ] media-plugins/gst-plugins-dts-0.10.23-r1  USE="orc"
> [ebuild  N ] media-plugins/gst-plugins-faad-0.10.23-r2
> [ebuild  N ] media-plugins/gst-plugins-xvid-0.10.23-r1
> [ebuild  N ] media-plugins/gst-plugins-cdparanoia-0.10.36-r1
> [ebuild  N ] media-plugins/gst-plugins-a52dec-0.10.19-r1  USE="orc"
> [ebuild  N ] media-plugins/gst-plugins-x264-0.10.19-r1
> [ebuild  N ] media-plugins/gst-plugins-mad-0.10.19-r1
> [ebuild  N ] media-plugins/gst-plugins-flac-0.10.31-r1
> [ebuild  N ] media-plugins/gst-plugins-dvdread-0.10.19-r1
> [ebuild  N ] media-plugins/gst-plugins-pulse-0.10.31-r1
> [ebuild  N ] media-plugins/gst-plugins-ffmpeg-0.10.13_p201211-r5
> USE="orc -libav"
> [ebuild  N ] media-plugins/gst-plugins-mpeg2dec-0.10.19-r1
> [ebuild   R] media-video/mplayer-1.2_pre20150214-r1  USE="-alsa*"
> [ebuild  N ] media-plugins/gst-plugins-meta-0.10-r10  USE="X a52 aac
> cdda dts dvd ffmpeg flac mp3 mpeg ogg pulseaudio vorbis x264 xv xvid -alsa
> -dv -dvb -http -jack -lame -libass -libvisual -mms -modplug -musepack -opus
> -oss -taglib -theora -v4l -vcd -vpx -wavpack"
> [ebuild   R] xfce-extra/xfce4-mixer-4.11.0  USE="-alsa*"
> [ebuild   R] media-video/vlc-2.2.1-r1  USE="-alsa*"
> 
> Is this what you use, 'media-plugins/gst-plugins'?

Sorry, I misled you. I do not have any software configured to use ALSA
as far as I know, but pulseaudio is configured with the 'alsa' USE flag
as I mentioned above.

> > >
> > > My sound card details are.
> > > lspci -k
> > > ...
> > > 00:1b.0 Audio device: Intel Corporation 82801I (ICH9 Family) HD Audio
> > > Controller (rev 02)
> > > Subsystem: Gigabyte Technology Co., Ltd 82801I (ICH9 Family) HD Audio
> > > Controller
> > > Kernel driver in use: snd_hda_intel
> > > ...
> >
> > Have you looked at dmesg and/or any ALSA logs to see why ALSA-related
> > stuff can't be initialized? Intel hardware and drivers have always
> > treated me well, so this is strange.
> >
> 
> '/var/log/dmesg' has this:
> [1.361704] ALSA device list:
> [1.361991]   No soundcards found.
> 
> While 'aplay -l | grep HDA' says this:
> card 1: Intel [HDA Intel], device 0: ALC662 rev1 Analog [ALC662 rev1 Analog]
> card 1: Intel [HDA Intel], device 1: ALC662 rev1 Digital [ALC662 rev1
> Digital]
> 

Hmmm, strange that the model numbers are different between aplay and
lspci. Do any of your other machines have the same hardware, and do
lspci and aplay report the same stuff?

Alec



Re: [gentoo-user] Re: *dev-less gentoo

2016-01-19 Thread Alan McKinnon
On 19/01/2016 18:51, k...@aspodata.se wrote:
> James:
>>   aspodata.se> writes:
> I found a workaround in the sys-fs/static-dev package.
>>
>> Interesting read :: bgo #107875
> 
> I'm new to gentoo, is there some special semantic to the "bgo #" ?
> 
 Let's be clear: static-dev is NOT a workaround. It is a full proper
 solution for the case when a dynamic device node solution is not 
 desired.
>> Well, I can think of embedded (linux) systems, a lock-down server and
>> machine(s) loaded up with (NFV) Network Function Virtuals, as prime examples
>> where a static dev is very useful; albeit a management pain if one is not
>> careful. This is a very interesting topic for me.
> 
> I have had no pain using an old plain /dev. What's the pain ?


take a machine running a desktop. Plug in a usb printer. Where's your node?

That's the whole point of a dynamic dev manager, it responds to devices
changes that occur on normal modern machines and does TheRightThing(tm)
- currently defined as whatever the dev-manager config tells it to do.

I'm having a hard time thinking what kind of machine you have in this
day and age that can do mail and also does not need a dynamic device
manager. Please enlighten us, or are you perhaps using MAKEDEV?

> 
 Of course it means you have to mknod every device you need yourself. But
 you know that going in right?
>>
>>> Yes (though I already have a /dev from before).
>>
>> For explicit clarity, you've got a "/dev" from using dev-manager on the
>> system previously, and now you desire to switch to a static-dev? (Why ?)
>>  Or did you derive from scratch (or other means) a '/dev' for a specific
>> need you are working on by design, historical example etc?
> 
> No, I never used udev et al on my boxes, there has simply been no need.
> 
>> I apologize in advance, but this thread intersects some critical new
>> thinking on systems cluster formation. I have run into a small group of
>> extraordinary coders that are building a Hi Performance Cluster out of C,
>> Rust and a minimized static-dev.  So I am very curious as to your specific
>> and detailed motives for this 'static-dev'. If a private note is warranted,
>> feel encouraged to give that type of response. If this unbounded curiosity of
>> mine is unwelcome, you have my deepest apologies.
> 
> I never had any compelling reason to let some daemon mess with
> /dev. And I have had a compelling reason to avoid it, when doing a
> "usual" stable dist-upgrade of Debian lenny to squeeze (I think), Debian
> installed udev per default and everything just stopped working. And
> that darn thing wouldn't uninstall and /dev wouldn't unmount to get
> back my /dev-entries. So udev has only given me pain and no gain.
> The only thing dynamic these days is usb. Usb disks I can handle
> manually, usb kbd/mouse has always worked. I usually don't use more
> than one keyboard so I don't really need xkb, nor do I need something
> to autodetect keyboard layout, since I change it to something else
> anyhow. And udev won't detect my serial mouse anyhow... so much for
> that.
> 
> That said, if I would like to test some "dev-manager" (except myself)
> then I'd look into something that behaves nicely, like mdev (busybox)
> or vdev (https://github.com/jcnelson/vdev.git).

Sounds like you made one mistake once and that has now become the world
for you. Almost no-one else here has reported dynamic dev managers make
"everything just stop working". What you will hear is lots of whinging
about udev - actually it's whinging about udev's maintainers cleverly
disguised as whinging about the software - but as a class of software
they all get the job done and do it well.

-- 
Alan McKinnon
alan.mckin...@gmail.com




[gentoo-user] emerge libxcb fails

2016-01-19 Thread karl
I'm getting

 Makefile:1318: recipe for target 'xinput.c' failed

when emerging x11-libs/libxcb-1.11.1, logs etc.:

 http://turkos.aspodata.se/tmp/gentoo/

I get similar errors with:

 emerge =libxcb-1.10
 emerge =libxcb-1.9.1

Has anyone seen anything similar? Maybe there is something missing here?

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57





Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Grant
>> If that's the case then it sounds like 2FA doesn't really provide any
>> extra assurance.  It's another layer but if the machine is hacked then
>> it sounds like it becomes a very thin layer.
>>
>> I'd most like to allow the remote employee to use their own computer,
>> but is there any way to have reasonable assurance that a remote
>> attacker can't log into my web stuff if the employee's computer is
>> compromised?
>>
>> With a Chromebook, how can I be assured that the employee is only able
>> to log into my web stuff with the Chromebook?
>>
>
> It looks like this is possible to do with a Google Apps account:
> https://www.google.com/intl/en/chrome/business/devices/features-management-console.html
> https://support.google.com/chrome/a/answer/2657289
> https://support.google.com/chrome/a/answer/1375678
>
> You can control who can log in, and what sites they can visit (just
> blacklist * and then whitelist specific sites).  Schools commonly use
> this so that they don't have to deal with kids visiting sites of ill
> repute.  You can also control application/extension installation.


I'm sorry, I meant can I lock down access to my web stuff so that a
particular user can only come from a particular device (or from any
device containing a key).


> It looks like you can also use remote attestation if your application
> supports it which prevents access from a tampered device even if it
> has the right credentials/etc.  (That's the whole "trusted/treacherous
> computing" thing.)  You could in theory have security such that your
> application works with single-sign-on but doesn't work unless
> connected to using a trusted device (but I'd have to do more research
> on that).


It seems like that would be necessary in my case or the remote
employee might prefer working from their own device instead of using
the Chromebook.  Can I somehow require something like a PGP key in
order to authenticate successfully in a browser?

- Grant



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 9:02 AM, Grant  wrote:
>
> If that's the case then it sounds like 2FA doesn't really provide any
> extra assurance.  It's another layer but if the machine is hacked then
> it sounds like it becomes a very thin layer.
>
> I'd most like to allow the remote employee to use their own computer,
> but is there any way to have reasonable assurance that a remote
> attacker can't log into my web stuff if the employee's computer is
> compromised?
>
> With a Chromebook, how can I be assured that the employee is only able
> to log into my web stuff with the Chromebook?
>

It looks like this is possible to do with a Google Apps account:
https://www.google.com/intl/en/chrome/business/devices/features-management-console.html
https://support.google.com/chrome/a/answer/2657289
https://support.google.com/chrome/a/answer/1375678

You can control who can log in, and what sites they can visit (just
blacklist * and then whitelist specific sites).  Schools commonly use
this so that they don't have to deal with kids visiting sites of ill
repute.  You can also control application/extension installation.

It looks like you can also use remote attestation if your application
supports it which prevents access from a tampered device even if it
has the right credentials/etc.  (That's the whole "trusted/treacherous
computing" thing.)  You could in theory have security such that your
application works with single-sign-on but doesn't work unless
connected to using a trusted device (but I'd have to do more research
on that).

The one thing you will have to be careful about is printing.  They can
only print to PDF, or to cloud print.  I'm not sure if that is an
issue for your use case.

I've never used it personally, but it is apparently quite popular with
schools.  I'd suggest looking into it.  The service isn't free - you
need google apps to make it work.  However, it sounds like it is
relatively cheap.  I'd certainly be interested in hearing from anybody
who knows more about it, but if I had a small business that was purely
web-based I'd strongly consider a solution like this.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Mick
On Tuesday 19 Jan 2016 08:42:07 J. Roeleveld wrote:
> On Tuesday, January 19, 2016 01:57:38 AM lee wrote:
> > Rich Freeman  writes:
> > > On Sun, Jan 17, 2016 at 7:26 PM, lee  wrote:
> > >> Rich Freeman  writes:
> > >>> However, while an RDP-like solution protects you from some types of
> > >>> attacks, it still leaves you open to many client-side problems like
> > >>> keylogging.  I don't know any major corporation that lets people RDP
> > >>> into their applications in general.
> > >> 
> > >> What do they use instead?
> > > 
> > > As I mentioned in my previous email - they just hand all their
> > > employees laptops.  Control the hardware, control the software,
> > > control the security...
> > 
> > I mean instead of rdp.  It's a simple solution which works really well
> > on a LAN with Windoze.  What's the equivalent that works with Linux?
> > 
> > I wouldn't try it over an internet connection, though, it requires too
> > much bandwidth.
> 
> RDP works over an internet connection, even when running it through a VPN
> using a dodgy wifi link over a busy road and a slowish ADSL link.
> 
> VNC also, but only when reducing the quality of the display a lot.
> 
> Not tried other methods yet.
> 
> --
> Joost

As far as I understand it RDP is different to VNC, in the sense that instead 
of sending every pixel down the line it only sends compressed semantic 
information *about* a desktop component (e.g. the start button, a control 
signal, etc.) and the client interprets this locally as a button or a control 
command. It is also using caching to minimise retransmission.

In some sense it is similar to x2go's NoMachine's NX technology (caching and
compressing) but as far as I know NX is not as 'intelligent' as RDP.  It just
sends X protocol data with synchronous round trips and although cached and 
compressed it is not as efficient as the latest versions of RDP.

In many companies MSWindows desktops have been virtualised (XenDesktop) 
running on MSWindows (VM) Servers and accessed using thin-clients, or with 
BYOD remotely, using icaclient as a browser plugin, or a desktop client 
application (Citrix Receiver).  The OS is a standardised MSWindows image and 
an individual user's profile (with all their personal settings, approved apps, 
policy settings, etc.) are loaded whenever a desktop instance boots up and the 
customer logs in.

I'm guessing that the Citrix Receiver is using RDP for MSWindows, but I don't 
really know.  It feels quite efficient when I use it, even over slow bandwidth 
connections.

In any case, the opensource equivalent to this is what I was suggesting Grant 
may find useful and it can work over VPN if required, although the session 
between client and server is encrypted over SSL anyway.
-- 
Regards,
Mick



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Grant
>> You can use apache client authentication with SSL certificates only.  Of
>> course you will need to create a self-signed CA, which you will use to create
>> the web server public/private key pair and also sign each client's 
>> certificate
>> and upload it along with your CA certificate to the user's browser.  This
>> explains the principle:
>>
> Now, a solution for a more traditional desktop is to use an SSL key stored
> on a smartcard, which I'm sure Diego has blogged about on
> planet.gentoo.org as he is into those.  That has all the advantage of
> the TPM as far as key security goes.  However, you're still vulnerable
> to xss and keyloggers and such.


Is an SSL key stored on a smartcard better than a TOTP password?  They
seem roughly equivalent to me.  I don't think either would restrict
access by device.

- Grant



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread lee
"J. Roeleveld"  writes:

> On Tuesday, January 19, 2016 01:46:45 AM lee wrote:
>> "J. Roeleveld"  writes:
>> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
>> >> "J. Roeleveld"  writes:
>> >> > On 17 January 2016 18:35:20 CET, Mick 
>> >> > wrote:
>> >> > 
>> >> > [...]
>> >> > 
>> >> >>I use the icaclient provided by Citrix to access my virtual desktop at
>> >> >>work,
>> >> >>but have never tried to set up something similar at home.  What
>> >> >>opensource
>> >> >>software would I need for this?  Is there a wiki somewhere to follow?
>> >> >>
>> >> > I'd love to do this myself as well.
>> >> > 
>> >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you
>> >> > need
>> >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into
>> >> > the
>> >> > VM display. (Spice or VNC)
>> >> > 
>> >> > Then you need some way of authenticating users and providing access to
>> >> > the
>> >> > client software. [...]
>> >> 
>> >> You would have a full VM for each user?
>> > 
>> > Yes
>> > 
>> >> That would be a huge waste of resources,
>> > 
>> > Diskspace and CPU can easily be overcommitted.
>> 
>> Overcommitting disk space sounds like a very bad idea.  Overcommitting
>> memory is not possible with xen.
>
> Overcommitting diskspace isn't such a bad idea, considering most installs 
> never utilize all the available diskspace.

When they do not use it anyway, there is no reason to give it to them in
the first place.  And when they do use it, how do the VMs handle the
problem that they have plenty of disk space available, from their point of
view, while the host which they don't know about doesn't allow them to
use it?

Besides, overcommitting disk space means to intentionally create a setup
which involves that the host can run out of disk space easily.  That is
not something I would want to create for a host which is required to
function reliably.

And how much do you need to worry about the security of the VMs when you
build in a way for the users to bring the whole machine, or at least
random VMs, down by using the disk space which has been assigned to
them?  The users are somewhat likely to do that even unintentionally,
the more the more you overcommit.

> Overcommitting memory is, i think, on the roadmap for Xen. (Disclaimer: At 
> least, I seem to remember reading that somewhere)

That would be a nice feature.

>> >> plus having to take care of a lot of VMs,
>> > 
>> > Automated.
>> 
>> Like how?
>
> How do you manage a large amount of physical machines?
> Just change physical to VMs and do it the same.
> With VMs you have more options for automation.

Individually, in lack of a better way.  Per user when it comes to
setting up their MUAs and the like, in lack of any better way.  It
doesn't make a difference if it's a VM or not, provided that you have
remote access to the machine.

When you have one VM for many users, you install the MUA only once, and when
you need to do updates, you do them only once.  When you have many VMs,
like one for each user, you have to install and update many times, once
on each VM.

>> >> plus having to buy  a lot of Windoze licenses
>> > 
>> > Volume licensing takes care of that.
>> 
>> expensive
>
> Depends on the requirements. It's cheaper than a few hundred separate windows
> licenses.

It's still more expensive than one, or than a handful, isn't it?

>> >> and taking about a week to install the updates
>> >> after installing a VM.
>> > 
>> > Never heard of VM templates?
>> 
>> It still takes a week to put the updates onto the template.
>
> Last time I had to fully reinstall a windows machine it took me a day to do 
> all the updates. Microsoft even has server software that will keep them 
> locally and push them to the clients.

That would be useful to have.  Where could I download that?

Last time I installed a VM, it took a week until the updates were
finally installed, and you have to check on it every now and then to
find out if it's even doing anything at all.  The time before, it wasn't
a VM but a very slow machine, and that also took a week.  You can have
the fastest machine in the world and Windoze always manages to bring it
down to a slowness we wouldn't have accepted even 20 years ago.

>> >> Add to that that the xen host goes down at
>> >> random time intervals (because the sending queue of the network card
>> >> times out for reasons that cannot be determined) which can be as long as
>> >> a day, a week or even up to three weeks, and you are likely to become a
>> >> rather unhappy administrator.
>> > 
>> > Sorry, but I consider that a bug in your hardware. If it's really that
>> > unstable, replace it.
>> > I've been running Xen enabled servers for nearly 15 years. Never had
>> > issues
>> > like that. If it were truly that unstable, it wouldn't be gaining
>> > popularity.
>> The hardware has already been replaced, and the problem persists.  Other
>> 

Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread lee
Rich Freeman  writes:

> On Mon, Jan 18, 2016 at 9:45 PM, Alec Ten Harmsel
>  wrote:
>>
>> All Joost is saying is that most resources can be overcommitted, since
>> all the users will not be using all their resources at the same time.
>>
>
> Don't want to sound like a broken record, but this is precisely why
> containers are so attractive.  You can set hard limits wherever you
> want, but otherwise absolutely everything can be
> over-committed/shared/etc to the degree you desire.  They're just
> processes and namespaces and cgroups and so on.  You just have to be
> willing to live with whatever kernel is running on the host.  Of
> course, it isn't a solution for Windows, and there aren't any mature
> VDI-oriented solutions I'm aware of.  However, running as non-root in
> a container should be very secure so there is no reason it couldn't be
> done.  I just spun up a new container yesterday to test out burp
> (alas, ago beat me to the stablereq) and the server container is using
> all of 54M total / 3M RSS (some of that because I like to run sshd and
> so on inside).  I can afford to run a LOT of those.

Yes, I prefer containers over xen and kvm.  They are easy to set up,
have basically no overhead, no noticeable performance impact or loss,
and handing over devices, like a network card, to a container is easy
and painless.  Unfortunately, as you say, you can't use them when you
need Windoze VMs.

BTW, is it as easy to give a graphics card to a container as it is to
give it a network card?  What if you have a container for each user who
somehow logs in remotely to an X session?  Do (can) you run X sessions
that do not have a console and do not need a (dedicated) graphics card
(just for users logging in remotely)?

Having a container for each user would be much less painful than having
a VM for each user.  That brings back the question what to use when you
want to log in remotely to an X session ...



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread lee
Alec Ten Harmsel  writes:

> On Tue, Jan 19, 2016 at 01:46:45AM +0100, lee wrote:
>> "J. Roeleveld"  writes:
>> 
>> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
>> >> "J. Roeleveld"  writes:
>> >> > On 17 January 2016 18:35:20 CET, Mick  wrote:
>> >> > 
>> >> > [...]
>> >> > 
>> >> >>I use the icaclient provided by Citrix to access my virtual desktop at
>> >> >>work,
>> >> >>but have never tried to set up something similar at home.  What
>> >> >>opensource
>> >> >>software would I need for this?  Is there a wiki somewhere to follow?
>> >> >>
>> >> > I'd love to do this myself as well.
>> >> > 
>> >> > Citrix sells the full package as 'XenDesktop'. To do it yourself you 
>> >> > need
>> >> > a VMserver (Xen or similar) and a remote desktop tool that hooks into 
>> >> > the
>> >> > VM display. (Spice or VNC)
>> >> > 
>> >> > Then you need some way of authenticating users and providing access to 
>> >> > the
>> >> > client software. [...]
>> >> 
>> >> You would have a full VM for each user?
>> >
>> > Yes
>> >
>> >> That would be a huge waste of resources,
>> >
>> > Diskspace and CPU can easily be overcommitted.
>> 
>> Overcommitting disk space sounds like a very bad idea.  Overcommitting
>> memory is not possible with xen.
>> 
>
> Depends on how the load is. Right now I have a 500GB HDD at work. I use
> VirtualBox and vagrant for testing various software. Every VM in
> VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
> Add in all the other stuff on my system, which includes a 200GB dataset,
> and the disk is overcommitted. Of course, none of the VirtualBox disks
> use anywhere near 50GB.

True, that's for testing when you do know that the disk space will not
be used and have no trouble when it is.  When you have the VMs in
production and users (employees) using them, you don't know when they
will run out of disk space and trouble ensues.

> All Joost is saying is that most resources can be overcommitted, since
> all the users will not be using all their resources at the same time.

How do you overcommit disk space and then shrink the VMs automatically
when disk usage gets lower again?



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread lee
"J. Roeleveld"  writes:


> [...]
> If disk-space is considered too expensive, you could even have every VM use 
> the same base image. And have them store only the differences of the disk.
> eg:
> 1) Create a VM
> 2) Snapshot the disk (with the VM shutdown)
> 3) create a new VM based on the snapshot
>
> Repeat 2 and 3 for as many clones you want.
>
> Most installs don't change that much when dealing with standardized desktops.

How does that work?  IIUC, when you created a snapshot, any changes you
make to the snapshotted (or how that is called) file system are being
referenced by the snapshot which you can either destroy or abandon.
When you destroy it, the changes you made are being applied to the
file system you snapshotted (because someone decided to use a very
misleading terminology), and when you abandon it, the changes are thrown
away and you end up with the file system as it was before the snapshot
was created.

In any case, you do not get multiple versions (which only reference the
changes made) of the file system you snapshotted but only one current
version.

Do you need to use a special file system or something which provides
this kind of multiple copies when you make snapshots?



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 6:26 PM, Mick  wrote:
>
> You can use apache client authentication with SSL certificates only.  Of
> course you will need to create a self-signed CA, which you will use to create
> the web server public/private key pair and also sign each client's certificate
> and upload it along with your CA certificate to the user's browser.  This
> explains the principle:
>
> If a user certificate is lost or feared compromised, you revoke it with your
> CA and upload the CRL to the server.

The problem is, how would you know?  In a traditional browser
(including Mozilla and Chrome on anything but a Chromebook) the key
associated with the certificate is stored in a file on disk.  Sure, it
might be encrypted with a hand-typed password, but those passwords are
not hard to brute force, and susceptible to keyloggers anyway.  Those
keys also are unencrypted in RAM while in use.  If something stole a
copy of your key, you'd likely never know.

But, I agree they can be revoked if you discover the issue.

Now, a solution for a more traditional desktop is to use an SSL key stored
on a smartcard, which I'm sure Diego has blogged about on
planet.gentoo.org as he is into those.  That has all the advantage of
the TPM as far as key security goes.  However, you're still vulnerable
to xss and keyloggers and such.

Sorry to nitpick.  I'd love to see more linux-based options for an
ultra-secure platform.  It is impressive that Google managed to
commercialize one - you can accomplish quite a lot with FOSS tools if
you put the time into it.

-- 
Rich



Re: [gentoo-user] Why we no Heroku?

2016-01-19 Thread Neil Bothwick
On Tue, 19 Jan 2016 22:44:44 +, Daniel Quinn wrote:

> I wanted to start fiddling with Heroku, so
> naturally the first thing I tried was
> 
> $ eix heroku
> 
> …but alas there was nothing.

% eix -R heroku
* dev-util/heroku-client [1]
 Available versions:  (~)-r1
 Homepage:http://heroku.com
 Description: Client tools for heroku

[1] "vaca" layman/vaca


-- 
Neil Bothwick

All things being equal, fat people use more soap.




Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 5:22 PM, lee  wrote:
> "J. Roeleveld"  writes:
>
> How does that work?  IIUC, when you created a snapshot, any changes you
> make to the snapshotted (or how that is called) file system are being
> referenced by the snapshot which you can either destroy or abandon.
> When you destroy it, the changes you made are being applied to the
> file system you snapshotted (because someone decided to use a very
> misleading terminology), and when you abandon it, the changes are thrown
> away and you end up with the file system as it was before the snapshot
> was created.
>
> In any case, you do not get multiple versions (which only reference the
> changes made) of the file system you snapshotted but only one current
> version.
>
> Do you need to use a special file system or something which provides
> this kind of multiple copies when you make snapshots?
>

And that is exactly what zfs and btrfs provide. Snapshots are full
citizens.  If I create a snapshot of a directory in btrfs it is
essentially indistinguishable from running cp -a on the directory,
except the snapshot takes only seconds to create almost entirely
regardless of size, and takes almost no space until changes are made.
Later I can delete the snapshot, or delete the original, or keep both
indefinitely making changes to either.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Mick
On Tuesday 19 Jan 2016 17:46:27 Rich Freeman wrote:
> On Tue, Jan 19, 2016 at 2:32 PM, Grant  wrote:
> > I'm sorry, I meant can I lock down access to my web stuff so that a
> > particular user can only come from a particular device (or from any
> > device containing a key).
> 
> It looks like this hasn't been widely implemented, but it looks like
> they do have the ability to generate TPM-backed client certificates
> which could then be used for authentication (and you can set a policy
> to auto-authenticate using the certificate).  It looks like you need
> to use an extension to generate the key and csr, and load the
> certificate.  Google wrote an extension that does this for active
> directory, but for any other certificate authority it looks like you
> basically have to write your own (and probably publish it as FOSS).
> 
> So, the idea would be that you'd provision the device and then log
> into it.  The device would auto-install the certificate installer and
> then you'd run that extension to load a certificate and mark it for
> use for all users on the device.  Then any user on that device could
> authenticate using the certificate.  The key would be stored in the
> TPM and would never leave the device, and wiping the device would
> destroy the key.
> 
> You mentioned GPG keys, and this stuff is all RSA-backed, but SSL
> client certificates don't use GPG itself.  All of this is FOSS as far
> as I can tell.  All browsers can load and use client certificates, but
> the advantage of a chromebook is that the key can be generated by the
> TPM and never leave it.

You can use apache client authentication with SSL certificates only.  Of 
course you will need to create a self-signed CA, which you will use to create 
the web server public/private key pair and also sign each client's certificate 
and upload it along with your CA certificate to the user's browser.  This 
explains the principle:

http://wiki.cacert.org/HELP/9


Ditto with the VPN connection - should you still want to use VPN.

If a user certificate is lost or feared compromised, you revoke it with your
CA and upload the CRL to the server.

However, this won't do away with XSS, or other similar attack vectors if the 
users are not careful with their browsing habits.

This won't resolve problems with lost laptops and the like either, so previous 
suggestions for disk encryption, or chromebooks apply, if this is a 
considerable risk with your users.
-- 
Regards,
Mick



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Grant
>> > I'm sorry, I meant can I lock down access to my web stuff so that a
>> > particular user can only come from a particular device (or from any
>> > device containing a key).
>>
> You can use apache client authentication with SSL certificates only.  Of
> course you will need to create a self-signed CA, which you will use to create
> the web server public/private key pair and also sign each client's certificate
> and upload it along with your CA certificate to the user's browser.  This
> explains the principle:
>
> http://wiki.cacert.org/HELP/9
>
>
> Ditto with the VPN connection - should you still want to use VPN.


Let me see if I'm following.  I could create a certificate and point
the browser to it in config and configure my web server to require the
certificate for HTTP basic authentication?  Can I require a
username/password along with the certificate?  Can I require the
certificate only for certain users?


> If a user certificate is lost or feared compromised, you revoke it with your
> CA and upload the CRL to the server.
>
> However, this won't do away with XSS, or other similar attack vectors if the
> users are not careful with their browsing habits.


Can you give me an example?


> This won't resolve problems with lost laptops and the like either, so previous
> suggestions for disk encryption, or chromebooks apply, if this is a
> considerable risk with your users.


No sensitive data on the client systems.  They're actually auto-wiped daily.

- Grant
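Mick's procedure above (private CA, server key pair, per-client certificates, CRL on revocation) and Grant's follow-up questions (certificate plus username/password, certificate tied to a particular user) can be shown end to end in one script. What follows is an added example, not code from either poster nor from the OpenSSL or Apache projects: it drives openssl(1) to build a private CA, issue a server certificate and a client certificate for a user "alice", revoke that certificate and publish the CRL, checks each step with openssl verify, and then writes the Apache 2.4 mod_ssl fragment that enforces the result. The CA name, the hostname intranet.example.com, the user alice, the paths under /etc/ssl/example and /etc/apache2, and the /intranet location are all assumptions made for the example.

```shell
# Added example (not from the thread): a private CA issues a server certificate
# and a per-user client certificate, revokes the client cert and publishes a CRL,
# then writes the Apache mod_ssl fragment that enforces it. Every name and path
# (example.com, alice, /etc/ssl/example) is constructed for the example.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/ca"

# Self-signed root plus the bookkeeping files openssl ca needs. An empty CRL is
# published immediately so every check below can run with -crl_check.
make_ca() {
    mkdir -p "$CA/newcerts"; : > "$CA/index.txt"
    echo 1000 > "$CA/serial"; cp "$CA/serial" "$CA/crlnumber"
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = example_ca
[ example_ca ]
database = $CA/index.txt
new_certs_dir = $CA/newcerts
serial = $CA/serial
crlnumber = $CA/crlnumber
certificate = $CA/ca.crt
private_key = $CA/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_cert ]
extendedKeyUsage = serverAuth
[ client_cert ]
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$CA/openssl.cnf" \
        -subj "/CN=Example Private CA" -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null
    openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/ca.crl" 2>/dev/null
}

# issue_cert NAME CN EXT: key and CSR for CN, signed by the CA with extension
# section EXT (server_cert or client_cert). The CN doubles as the login name.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CA/openssl.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA/openssl.cnf" -extensions "$3" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# Lost or compromised certificate: mark it revoked and regenerate the CRL.
# Apache only honours this once the new ca.crl is installed and it is reloaded.
revoke_cert() {
    openssl ca -config "$CA/openssl.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
    openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/ca.crl" 2>/dev/null
}

# Exit 0 iff NAME.crt chains to the CA and is absent from the current CRL.
cert_is_valid() {
    cat "$CA/ca.crt" "$CA/ca.crl" > "$CA/ca_with_crl.pem"
    openssl verify -crl_check -CAfile "$CA/ca_with_crl.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

# Apache 2.4 fragment. SSLCARevocationCheck defaults to none, so without it the
# CRL is loaded but never consulted. RequireAll gives certificate AND password,
# with the certificate CN bound to the authenticated username.
write_apache_conf() {
    cat > "$WORK/client-auth.conf" <<'EOF'
SSLEngine             on
SSLCertificateFile    /etc/ssl/example/server.crt
SSLCertificateKeyFile /etc/ssl/example/server.key
SSLCACertificateFile  /etc/ssl/example/ca.crt
SSLCARevocationFile   /etc/ssl/example/ca.crl
SSLCARevocationCheck  chain
SSLVerifyClient       require
<Location "/intranet">
    AuthType     Basic
    AuthName     "Intranet"
    AuthUserFile /etc/apache2/intranet.htpasswd
    <RequireAll>
        Require valid-user
        Require expr "%{SSL_CLIENT_S_DN_CN} == %{REMOTE_USER}"
    </RequireAll>
</Location>
EOF
}

run_demo() {
    make_ca
    issue_cert server intranet.example.com server_cert
    issue_cert alice alice client_cert
    cert_is_valid alice || { echo "fresh client cert should verify"; return 1; }
    revoke_cert alice
    if cert_is_valid alice; then echo "revoked cert still verifies"; return 1; fi
    write_apache_conf
}
run_demo
```

Run it as an ordinary user; it works in a temporary directory and touches nothing under /etc. The answer to "certificate and password, only for particular users" is the RequireAll block: Basic auth supplies REMOTE_USER, and the expression insists that the common name in the presented certificate is the same name, so a certificate issued to alice is useless with another user's password, and anyone without a certificate from this CA never gets past the TLS handshake. If only some users should need a certificate, SSLVerifyClient optional is the knob: the handshake then admits clients without one and the per-location Require expression decides who must present it.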



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Alec Ten Harmsel
On Tue, Jan 19, 2016 at 10:56:21PM +0100, lee wrote:
> Alec Ten Harmsel  writes:
> >
> > Depends on how the load is. Right now I have a 500GB HDD at work. I use
> > VirtualBox and vagrant for testing various software. Every VM in
> > VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
> > Add in all the other stuff on my system, which includes a 200GB dataset,
> > and the disk is overcommitted. Of course, none of the VirtualBox disks
> > use anywhere near 50GB.
> 
> True, that's for testing when you do know that the disk space will not
> be used and have no trouble when it is.  When you have the VMs in
> production and users (employees) using them, you don't know when they
> will run out of disk space and trouble ensues.

Almost. Here is an equal example: I am an admin on an HPC cluster. We
have a shared Lustre filesystem that people store work files in while
they are running jobs. It has around 1PB of capacity. As strange as this
may sound, this filesystem is overcommitted (we have 20,000 cores,
that's only 52GB per core, not even close to enough for more than half a
year of data accumulation).  Unused data is deleted after 90 days, which
is why it can be overcommitted.

Extending this to a more realistic example without automatic data
deletion is trivial. Imagine you are a web hosting provider. You allow
each client unlimited disk space, so you're automatically overcommitted.
In the aggregate, even though one client may increase their usage
extremely quickly, total usage rises slowly, giving you more than enough
time to increase the storage capacity of whatever backing filesystem is
hosting their files.

> > All Joost is saying is that most resources can be overcommitted, since
> > all the users will not be using all their resources at the same time.
> 
> How do you overcommit disk space and then shrink the VMs automatically
> when disk usage gets lower again?
> 

Sorry, my previous example was bad, since the normal strategy is to
expand when necessary as far as I know. See above.

Alec



Re: [gentoo-user] Why we no Heroku?

2016-01-19 Thread Alec Ten Harmsel
On Tue, Jan 19, 2016 at 10:44:44PM +, Daniel Quinn wrote:
> I wanted to start fiddling with Heroku, so
> naturally the first thing I tried was
> 
> $ eix heroku
> 
> …but alas there was nothing. So I poked around their site to see how one
> might install their client manually and the instructions
> 
> are the typically horrifying:
> 
> # wget -qO- https://toolbelt.heroku.com/install.sh | sh
> 
> The thing is, a quick look at what that '| sh' is actually doing isn’t
> all that terrifying. Basically it untars a bunch of ruby scripts into a
> directory and then puts the path to the heroku “binary” (a ruby
> script) in your $PATH. Surely, this is a good candidate for an ebuild, yes?

Yup, seems pretty good. Probably doable with a very simple ebuild, since
all its dependencies are already in the portage tree.

> So I thought I’d ask: am I missing something, or is this really as easy
> as it looks? Is this just waiting for someone to write an ebuild?

Well, the heroku client seems to be moving in the same direction as
vagrant[1], although hasn't gone nearly as far yet. In the heroku
gemspec, there is a post install message that warns gem install is
deprecated. I'm not terribly familiar with ruby, but it looks like it
should still be installable from source.

> Bugzilla has nothing
>  about it, but I
> can’t believe that Heroku use hasn’t come up before in Gentoo land.

I can. Ruby is not nearly as well supported in Gentoo as python is. An
average ruby developer wanting to use the heroku client would most
likely already be using either rbenv or rvm already, and would probably
run `gem install heroku' without even looking if an ebuild exists. My
roommate certainly would do this; he runs Gentoo, but solely uses
bundler and rbenv to manage ruby stuff (except for installing the
interpreter itself).

Alec

[1] vagrant used to be installable as a gem (and therefore not terrible
to package), but then the authors decided that it would be way too
difficult to support all these people with all these versions of
different libraries, so they would make it difficult to manually package
and only ship installers with bundled deps.
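
On the 'wget ... | sh' point in the quoted post: a pipeline like that runs
whatever comes back from the server, with no chance to look at it first.
Below is an added example, mine and not from the thread or from Heroku, of
the pattern I'd use instead: download to a file, compare its SHA-256 with a
digest obtained out of band (release notes, a signed checksum file), and
only then hand it to a shell. The digest in the usage line is a placeholder,
and wget, sha256sum (or openssl) and mktemp are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the thread or from Heroku: download an installer to a
# file, verify its SHA-256 against a digest obtained out of band, and only then
# hand it to a shell. EXPECTED_SHA256_PLACEHOLDER is not a real digest; the
# real value must come from the vendor.

sha256_of() {
    # Print the hex SHA-256 digest of the file named in $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

verify_file() {
    # Succeed only when the digest of file $1 equals $2 (hex, lower case).
    [ "$(sha256_of "$1")" = "$2" ]
}

run_verified() {
    # Run file $1 with interpreter $3 (default sh) only after verify_file succeeds.
    # Returns 1 on digest mismatch, otherwise the interpreter's exit status.
    if ! verify_file "$1" "$2"; then
        echo "digest mismatch for $1, refusing to run it" >&2
        return 1
    fi
    "${3:-sh}" "$1"
}

fetch_verify_run() {
    # Download $1 to a temporary file, verify it against $2, then run it.
    tmp=$(mktemp) || return 2
    if ! wget -qO "$tmp" "$1"; then
        rm -f "$tmp"
        return 2
    fi
    run_verified "$tmp" "$2" "$3"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (URL from the thread, digest is a placeholder):
# fetch_verify_run https://toolbelt.heroku.com/install.sh EXPECTED_SHA256_PLACEHOLDER
```

The split into run_verified and fetch_verify_run is deliberate: the verify
step can be exercised on a local file, and a mismatch refuses to run rather
than warning and continuing.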



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 5:08 PM, lee  wrote:
>
> BTW, is it as easy to give a graphics card to a container as it is to
> give it a network card?

I've never tried it, but I'd think that the container could talk to a
graphics card.

> What if you have a container for each user who
> somehow logs in remotely to an X session?  Do (can) you run X sessions
> that do not have a console and do not need a (dedicated) graphics card
> (just for users logging in remotely)?

You don't need to even have a graphics card to serve X11 via vnc or
nx.  You could probably serve them even if your only server console
was a serial console.  Just run x11vnc or whatever it is called - it
is an X server whose only framebuffer is a VNC session.  I think NX
uses the same server, but I'd have to check.  Of course, you wouldn't
have 3D acceleration with this server, not that you'd be using it
over NX/VNC.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Rich Freeman
On Tue, Jan 19, 2016 at 7:18 PM, Grant  wrote:
>
> Is an SSL key stored on a smartcard better than a TOTP password?  They
> seem roughly equivalent to me.  I don't think either would restrict
> access by device.
>

They'd be roughly equivalent, especially if the TOTP is backed by a smartcard.

-- 
Rich



Re: [gentoo-user] Re: How to get rid of 32bits libraries

2016-01-19 Thread Dale
Nikos Chantziaras wrote:
> On 18/01/16 12:00, Dale wrote:
>> Neil Bothwick wrote:
>>> On Mon, 18 Jan 2016 09:12:23 +, Neil Bothwick wrote:
>>>
>>>> equery hasuse checks which packages respect the given USE flag, it
>>>> pays
>>>> no attention to whether it is actually set. Try
>>>>
>>>> emerge -evp world | grep 'ABI_X86=32'
>>> Sorry, that should be
>>>
>>> emerge -evp world | grep 'ABI_X86="32'
>>>
>>>
>>
>>
>> Yep.  That one works better.
>
> How does it work "better" if all it does is expand to an "abi_x86_32"
> USE flag? :-/
>
>
>


It works better because the first command he posted wouldn't return
hits.  It has a missing character, more precisely, the quote mark before
32.  One thing about grep, if you grep for something that isn't typed
correctly, it gives you nothing or something that is not what you were
looking for.  lol 

Dale

:-)  :-)



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread J. Roeleveld
On Tuesday, January 19, 2016 11:22:02 PM lee wrote:
> "J. Roeleveld"  writes:
> > [...]
> > If disk-space is considered too expensive, you could even have every VM
> > use
> > the same base image. And have them store only the differences of the disk.
> > eg:
> > 1) Create a VM
> > 2) Snapshot the disk (with the VM shutdown)
> > 3) create a new VM based on the snapshot
> > 
> > Repeat 2 and 3 for as many clones you want.
> > 
> > Most installs don't change that much when dealing with standardized
> > desktops.
> How does that work?  IIUC, when you created a snapshot, any changes you
> make to the snapshotted (or how that is called) file system are being
> referenced by the snapshot which you can either destroy or abandon.
> When you destroy it, the changes you made are being applied to the
> file system you snapshotted (because someone decided to use a very
> misleading terminology), and when you abandon it, the changes are thrown
> away and you end up with the file system as it was before the snapshot
> was created.
> 
> In any case, you do not get multiple versions (which only reference the
> changes made) of the file system you snapshotted but only one current
> version.
> 
> Do you need to use a special file system or something which provides
> this kind of multiple copies when you make snapshots?

I use LVM for this.

Steps are simple:
1) Create a LV (lv_1)
2) Create and install a VM using this LV (lv_1)
3) Stop the VM
4) Create multiple snapshots based on lv_1 (slv_1a, slv_1b, ..)
5) Create multiple VMs using the snapshots (vm1a -> slv_1a, vm1b ->
slv_1b, ...)

Start the VMs

This way you can overcommit on the actual diskspace as only changes are taking 
up diskspace.
If you force everyone on the same base-image, the differences should not be too 
large.

If you also force users to store files on a shared filesystem, it shouldn't be 
too much of a difficulty to occasionally move everyone to a new base-image when 
the updates are causing the snapshots to grow too much.

--
Joost



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread J. Roeleveld
On Wednesday, January 20, 2016 01:46:29 AM lee wrote:
> "J. Roeleveld"  writes:
> > On Tuesday, January 19, 2016 01:46:45 AM lee wrote:
> >> "J. Roeleveld"  writes:
> >> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> >> "J. Roeleveld"  writes:

> >> > 
> >> > Yes
> >> > 
> >> >> That would be a huge waste of resources,
> >> > 
> >> > Diskspace and CPU can easily be overcommitted.
> >> 
> >> Overcommitting disk space sounds like a very bad idea.  Overcommitting
> >> memory is not possible with xen.
> > 
> > Overcommitting diskspace isn't such a bad idea, considering most installs
> > never utilize all the available diskspace.
> 
> When they do not use it anyway, there is no reason to give it to them in
> the first place.  And when they do use it, how do the VMs handle the
> problem that they have plenty disk space available, from their point of
> view, while the host which they don't know about doesn't allow them to
> use it?

1 word: Monitoring.
When you overcommit any resource, you need to put monitoring in place.
Then you also need to ensure you have the ability to increase that resource 
when required.

> Besides, overcommitting disk space means to intentionally create a setup
> which involves that the host can run out of disk space easily.  That is
> not something I would want to create for a host which is required to
> function reliably.

The host should not crash when a VM does or when the storage assigned to VMs 
fills up.
If it does, go back to the drawing board and fix your design.

> And how much do you need to worry about the security of the VMs when you
> build in a way for the users to bring the whole machine, or at least
> random VMs, down by using the disk space which has been assigned to
> them?  The users are somewhat likely to do that even unintentionally,
> the more the more you overcommit.

See comment about monitoring.
If all your users tend to fill up all available diskspace, you obviously can 
not overcommit on diskspace.

> > Overcommitting memory is, I think, on the roadmap for Xen. (Disclaimer: At
> > least, I seem to remember reading that somewhere)
> 
> That would be a nice feature.

For VDIs, I might consider using it.
But considering most OSs tend to fill up all available memory with caches, I 
expect performance issues.

> >> >> plus having to take care of a lot of VMs,
> >> > 
> >> > Automated.
> >> 
> >> Like how?
> > 
> > How do you manage a large amount of physical machines?
> > Just change physical to VMs and do it the same.
> > With VMs you have more options for automation.
> 
> Individually, in lack of a better way.  Per user when it comes to
> setting up their MUAs and the like, in lack of any better way.  It
> doesn't make a difference if it's a VM or not, provided that you have
> remote access to the machine.

This is where management tools come into play. (Same methods apply to physical 
and virtual)

When talking MS Windows, domains with their policies are very useful. Couple 
that with WSUS for the patching and software distribution tools for the 
additional software installs, and you have a very nice setup.

For Linux, I would recommend tools like Ansible or Puppet to control the 
software on the machines.

For any OS, I would prevent my users from installing random software. And what 
is installed, would be mostly pre-configured out-of-the-box.

> When you have one VM for many users, you install the MUA only once, and when
> you need to do updates, you do them only once.  When you have many VMs,
> like one for each user, you have to install and update many times, once
> on each VM.

Management tools.

> > Depends on the requirements. It's cheaper than a few hundred separate
> > windows licenses.
> 
> It's still more expensive than one, or than a handful, isn't it?

The same cost applies to running physical boxes instead of VMs.

> > Last time I had to fully reinstall a windows machine it took me a day to
> > do
> > all the updates. Microsoft even has server software that will keep them
> > locally and push them to the clients.
> 
> That would be useful to have.  Where could I download that?
> 
> Last time I installed a VM, it took a week until the updates were
> finally installed, and you have to check on it every now and then to
> find out if it's even doing anything at all.  The time before, it wasn't
> a VM but a very slow machine, and that also took a week.  You can have
> the fastest machine in the world and Windoze always manages to bring it
> down to a slowness we wouldn't have accepted even 20 years ago.

Google for "WSUS".
It's been around for a very long time now (since 2005).

> >> The hardware has already been replaced, and the problem persists.  Other
> >> machines of identical hardware that don't run xen don't show any issues.
> > 
> > I still say the hardware is buggy. With replacing, I meant replace it with
> > different hardware, not a different version of the same buggy stuff.
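
Putting Joost's steps 4 and 5 (the earlier message in this thread) and his
"Monitoring" answer above together, here is an added example, mine and not
from the thread, for a host that uses classic LVM snapshots as VM clones.
The first function prints the lvcreate lines for review, since they need
root and a real volume group; the second is the monitoring check, run over
lvs output, that flags snapshots whose copy-on-write area is filling up.
The volume group name vg0 and the 10G snapshot size are assumptions, and
the lvs sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: the lvcreate lines for the snapshot
# clone steps (printed for review, since they need root and a real volume
# group), plus the monitoring check overcommitted snapshots require. Names
# follow the message (lv_1 -> slv_1a, slv_1b); vg0 and 10G are assumptions.

# Print the commands that create N classic (copy-on-write) snapshots of BASE in
# VG, each allowed SIZE of changed data before LVM invalidates it.
snapshot_cmds() {
    vg=$1; base=$2; n=$3; size=${4:-10G}
    i=0
    while [ "$i" -lt "$n" ]; do
        suffix=$(printf 'abcdefghijklmnopqrstuvwxyz' | cut -c$((i + 1)))
        echo "lvcreate -s -L $size -n s${base}${suffix} /dev/$vg/$base"
        i=$((i + 1))
    done
}

# Monitoring: read `lvs --noheadings --separator , -o lv_name,origin,snap_percent`
# from stdin, print every snapshot whose copy-on-write area is at or above
# THRESHOLD percent, and return 1 if there is any. A classic snapshot that
# fills up becomes invalid, so the alert has to fire well before 100%.
check_snapshots() {
    threshold=${1:-80}
    awk -F, -v t="$threshold" '
        {
            for (f = 1; f <= 3; f++) gsub(/^[ \t]+|[ \t]+$/, "", $f)
        }
        $2 == "" { next }                 # no origin: a plain LV, not a snapshot
        $3 + 0 >= t + 0 {
            printf "%s (origin %s) at %s%%\n", $1, $2, $3
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample of the lvs output on such a host (not real output).
SAMPLE_LVS='  lv_1,,
  slv_1a,lv_1,12.50
  slv_1b,lv_1,91.30
  slv_1c,lv_1,45.00'

# Usage: printf '%s\n' "$SAMPLE_LVS" | check_snapshots 80
```

Run the check from cron or whatever monitoring you already have; the
non-zero exit status is what the alerting hooks on, the printed lines tell
you which clone to enlarge (lvextend) or which user to move to a fresh base
image.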

[gentoo-user] Re: How to get rid of 32bits libraries

2016-01-19 Thread Nikos Chantziaras

On 18/01/16 15:31, Helmut Jarausch wrote:
> If possible, I'd like to install any packages with abi_x86_32 which are
> required for  dev-util/android-sdk-update-manager  and app-text/acroread
> with a different PREFIX, such as /usr/local .
> Is that possible?


There is exactly zero reason to do that, so no, there's no option for 
that. It might be possible by modifying the ebuild, but you're on your 
own. No one tried this, since it's not needed.


Distro-maintained packages always go in /usr, user-maintained packages 
go in /usr/local. There is no reason to break that convention.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-19 Thread Grant
> In any case, if you aren't going to own the client hardware, you
> basically are going to have to assume it is vulnerable since nobody
> maintains their PCs well.  That means keyboard sniffing, cookie
> stealing, and so on.  If you're web-based a hostile browser could just
> open another session in the background after the user authenticates
> (2-factor or otherwise) and do whatever it wants to.  Granted, I don't
> know if anything is out in the wild which actually does this, and it
> would probably need to be somewhat targeted to work (unless somebody
> has a rootkit that just lets them interactively fire up another
> browser on a VNC display or something using the same browser session).


If that's the case then it sounds like 2FA doesn't really provide any
extra assurance.  It's another layer but if the machine is hacked then
it sounds like it becomes a very thin layer.

I'd most like to allow the remote employee to use their own computer,
but is there any way to have reasonable assurance that a remote
attacker can't log into my web stuff if the employee's computer is
compromised?

With a Chromebook, how can I be assured that the employee is only able
to log into my web stuff with the Chromebook?

- Grant



[gentoo-user] Re: {OT} Allow work from home?

2016-01-19 Thread Nikos Chantziaras

On 16/01/16 06:17, Grant wrote:
> I'm considering allowing some employees to work from home but I'm
> concerned about the security implications.  Currently everybody shows up
> and logs into their locked down Gentoo system and from there is able to
> access the company webapps which are restricted to the office IP
> address.  I guess I would have to allow webapp access from any IP for
> those users and trust that their computer is secure?  Should that not be
> scary?


I've set up such systems using OpenVPN, as others have suggested.

One thing to look out for is to make sure that the setup only tunnels 
traffic to your servers, not ALL traffic. Otherwise, all traffic from 
your people is going to be tunneled through your network (Netflix, 
torrents, porn, everything else your people are doing at home.)
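
As an added example (mine, not from the thread and not a real deployment),
here is how I would check that point in an OpenVPN server config before
rolling it out: the first function fails if any active line pushes a default
route to clients, the second lists what the config actually pushes so it can
be compared with the networks remote staff really need. Both sample configs
are constructed; the 10.8.0.0/24 VPN range and the 192.168.10.0/24 webapp
network are assumed addresses.

```shell
#!/bin/sh
# Added example, not from the thread: check that an OpenVPN server config is
# split-tunnel, i.e. it pushes routes for the company networks only and never
# a default route. Sample configs are constructed; the addresses are assumed.

# Succeed when CONFIG ($1) contains no active directive that sends all client
# traffic through the tunnel: redirect-gateway (pushed or local) or a route
# for 0.0.0.0/0. Lines starting with # are comments to OpenVPN and are ignored.
is_split_tunnel() {
    ! grep -Eiq '^[[:space:]]*(push[[:space:]]+"?)?(redirect-gateway|route[[:space:]]+0\.0\.0\.0[[:space:]]+0\.0\.0\.0)' "$1"
}

# Print "NETWORK NETMASK" for every route the server pushes to clients.
list_pushed_routes() {
    sed -n 's/^[[:space:]]*push[[:space:]]*"route[[:space:]][[:space:]]*\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# Full tunnel: everything the home machine sends leaves through the office.
FULL_TUNNEL_CONF='server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"'

# Split tunnel: only the webapp network is routed through the VPN.
SPLIT_TUNNEL_CONF='server 10.8.0.0 255.255.255.0
# redirect-gateway def1 is deliberately not pushed
push "route 192.168.10.0 255.255.255.0"'

# Usage: write a config to a file, then
#   is_split_tunnel server.conf && list_pushed_routes server.conf
```

The same check is worth running against the client configs you hand out,
since a client-side redirect-gateway line has the same effect as a pushed
one.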






[gentoo-user] Re: How to get rid of 32bits libraries

2016-01-19 Thread Nikos Chantziaras

On 18/01/16 12:00, Dale wrote:
> Neil Bothwick wrote:
>> On Mon, 18 Jan 2016 09:12:23 +, Neil Bothwick wrote:
>>
>>>> equery hasuse checks which packages respect the given USE flag, it pays
>>>> no attention to whether it is actually set. Try
>>>>
>>>> emerge -evp world | grep 'ABI_X86=32'
>>> Sorry, that should be
>>>
>>> emerge -evp world | grep 'ABI_X86="32'
>>
> Yep.  That one works better.

How does it work "better" if all it does is expand to an "abi_x86_32"
USE flag? :-/





Re: [gentoo-user] Re: How to get rid of 32bits libraries

2016-01-19 Thread Neil Bothwick
On Tue, 19 Jan 2016 14:23:56 +0200, Nikos Chantziaras wrote:

> >>> equery hasuse checks which packages respect the given USE flag, it
> >>> pays no attention to whether it is actually set. Try
> >>>
> >>> emerge -evp world | grep 'ABI_X86=32'  
> >> Sorry, that should be
> >>
> >> emerge -evp world | grep 'ABI_X86="32'

> > Yep.  That one works better.  
> 
> How does it work "better" if all it does is expand to an "abi_x86_32" 
> USE flag? :-/

Because it uses the output from emerge, which respects the currently set
USE flags, instead of that from equery hasuse, which does not. 


-- 
Neil Bothwick

... Never say anything more predictive than "Watch this!"




Re: [gentoo-user] Re: *dev-less gentoo

2016-01-19 Thread Neil Bothwick
On Tue, 19 Jan 2016 16:06:26 + (UTC), James wrote:

> > > Let's be clear: static-dev is NOT a workaround. It is a full proper
> > > solution for the case when a dynamic device node solution is not 
> > > desired.  
> 
> Well, I can think of embedded (linux) systems, a lock-down server and
> machine(s) loaded up with (NFV) Network Function Virtuals, as prime
> examples where a static dev is very useful; albeit a management pain if
> one is not careful. This is a very interesting topic for me.

Whatever your setup, you need something to manage your entries in /dev.
That's why there is a dependency on the dev-manager/virtual. What you use
is up to you: udev, eudev, systemd, devfsd, busybox or doing it manually,
is up to you. That's why any of those satisfy the dev-manager virtual.
That's why Alan said that static-dev is not a work around, it is a valid
choice that sets up a limited number of static nodes that you then manage
yourself. You are the dev-manager.


-- 
Neil Bothwick

Don't judge a book by its movie.




[gentoo-user] Re: *dev-less gentoo

2016-01-19 Thread James
  aspodata.se> writes:


> > > I found a workaround in the sys-fs/static-dev package.

Interesting read :: bgo #107875

> > Let's be clear: static-dev is NOT a workaround. It is a full proper
> > solution for the case when a dynamic device node solution is not 
> > desired.

Well, I can think of embedded (linux) systems, a lock-down server and
machine(s) loaded up with (NFV) Network Function Virtuals, as prime examples
where a static dev is very useful; albeit a management pain if one is not
careful. This is a very interesting topic for me.


> > Of course it means you have to mknod every device you need yourself. But
> > you know that going in right?

> Yes (though I already have a /dev from before).

For explicit clarity, you've got a "/dev" from using dev-manager on the
system previously, and now you desire to switch to a static-dev? (Why ?)
 Or did you derive from scratch (or other means) a '/dev' for a specific
need you are working on by design, historical example etc?


I apologize in advance, but this thread intersects some critical new
thinking on systems cluster formation. I have run into a small group of
extraordinary coders that are building a Hi Performance Cluster out of C,
Rust and a minimized static-dev.  So I am very curious as to your specific
and detailed motives for this 'static-dev'. If a private note is warranted,
feel encouraged for that type of response. If this unbounded curiosity of
mine is unwelcome, you have my deepest apologies.


curiously,
James



Re: [gentoo-user] Re: *dev-less gentoo

2016-01-19 Thread Alec Ten Harmsel
On Tue, Jan 19, 2016 at 05:51:11PM +0100, k...@aspodata.se wrote:
> James:
> >   aspodata.se> writes:
> > > > > I found a workaround in the sys-fs/static-dev package.
> > 
> > Interesting read :: bgo #107875
> 
> I'm new to gentoo, is there some special semantic to the "bgo #" ?

bgo == https://bugs.gentoo.org

Alec



Re: [gentoo-user] Re: *dev-less gentoo

2016-01-19 Thread karl
James:
>   aspodata.se> writes:
> > > > I found a workaround in the sys-fs/static-dev package.
> 
> Interesting read :: bgo #107875

I'm new to gentoo, is there some special semantic to the "bgo #" ?

> > > Let's be clear: static-dev is NOT a workaround. It is a full proper
> > > solution for the case when a dynamic device node solution is not 
> > > desired.
> Well, I can think of embedded (linux) systems, a lock-down server and
> machine(s) loaded up with (NFV) Network Function Virtuals, as prime examples
> where a static dev is very useful; albeit a management pain if one is not
> careful. This is a very interesting topic for me.

I have had no pain using an old plain /dev. What's the pain?

> > > Of course it means you have to mknod every device you need yourself. But
> > > you know that going in right?
> 
> > Yes (though I already have a /dev from before).
> 
> For explicit clarity, you've got a "/dev" from using dev-manager on the
> system previously, and now you desire to switch to a static-dev? (Why ?)
>  Or did you derive from scratch (or other means) a '/dev' for a specific
> need you are working on by design, historical example etc?

No, I never used udev et al on my boxes, there has simply been no need.

> I apologize in advance, but this thread intersects some critical new
> thinking on systems cluster formation. I have run into a small group of
> extraordinary coders that are building a Hi Performance Cluster out of C,
> Rust and a minimized static-dev.  So I am very curious as to your specific
> and detailed motives for this 'static-dev'. If a private note is warranted,
> feel encouraged for that type of response. If this unbounded curiosity of
> mine is unwelcome, you have my deepest apologies.

I never had any compelling reason to let some daemon mess with
/dev. And I have had a compelling reason to avoid it, when doing a
"usual" stable dist-upgrade of Debian lenny to squeeze (I think), Debian
installed udev per default and everything just stopped working. And
that darn thing wouldn't uninstall and /dev wouldn't unmount to get
back my /dev-entries. So udev has only given me pain and no gain.
The only thing dynamic these days is usb. Usb disks I can handle
manually, usb kbd/mouse has always worked. I usually don't use more
than one keyboard so I don't really need xkb, nor do I need something
to autodetect keyboard layout, since I change it to something else
anyhow. And udev won't detect my serial mouse anyhow... so much for
that.

That said, if I would like to test some "dev-manager" (except myself)
then I'd look into something that behaves nicely, like mdev (busybox)
or vdev (https://github.com/jcnelson/vdev.git).

Regards,
/Karl Hammar

---
Aspö Data
Lilla Aspö 148
S-742 94 Östhammar
Sweden
+46 173 140 57



[gentoo-user] sound stopped working [media-sound/pulseaudio-7.1]

2016-01-19 Thread Alexander Kapshuk
Recently, sound has stopped working on one of my Gentoo systems. I have
checked the kernel, package and pulseaudio set-ups across all of my systems
in an attempt to pin down the problem, but so far to no avail. The sound
works fine on the other systems I have.

Hopefully, someone on the list will shed some light on what might be the
problem, or how to further troubleshoot it.

Here are some details.

% grep '^[^#.]' /etc/pulse/default.pa
load-module module-device-restore
load-module module-stream-restore
load-module module-card-restore
load-module module-augment-properties
load-module module-switch-on-port-available
load-module module-alsa-sink
load-module module-udev-detect
load-module module-detect
load-module module-jackdbus-detect channels=2
load-module module-bluetooth-policy
load-module module-bluetooth-discover
load-module module-esound-protocol-unix
load-module module-native-protocol-unix
load-module module-gconf
load-module module-default-device-restore
load-module module-rescue-streams
load-module module-always-sink
load-module module-intended-roles
load-module module-suspend-on-idle
load-module module-console-kit
load-module module-systemd-login
load-module module-position-event-sounds
load-module module-role-cork
load-module module-filter-heuristics
load-module module-filter-apply

With 'load-module module-alsa-sink' enabled, pulseaudio will not start.
% ps uxwww | grep  -c '[p]ulse'
0

Having 'alsa-sink' enabled generates the following output in
'/var/log/messages'.
# grep 'Jan 19.*pulseaudio' /var/log/messages
Jan 19 17:58:23 box1 pulseaudio[3686]: [pulseaudio] module.c: Failed to
load module "module-alsa-sink" (argument: ""): initialization failed.
Jan 19 17:58:23 box1 pulseaudio[3686]: [pulseaudio] main.c: Module load
failed.
Jan 19 17:58:23 box1 pulseaudio[3686]: [pulseaudio] main.c: Failed to
initialize daemon.
Jan 19 17:58:23 box1 pulseaudio[3638]: [pulseaudio] main.c: Daemon startup
failed.
Jan 19 17:58:23 box1 pulseaudio[3706]: [pulseaudio] module.c: Failed to
load module "module-alsa-sink" (argument: ""): initialization failed.
Jan 19 17:58:23 box1 pulseaudio[3706]: [pulseaudio] main.c: Module load
failed.
Jan 19 17:58:23 box1 pulseaudio[3706]: [pulseaudio] main.c: Failed to
initialize daemon.
Jan 19 17:58:23 box1 pulseaudio[3703]: [pulseaudio] main.c: Daemon startup
failed.
Jan 19 17:58:23 box1 pulseaudio[3719]: [pulseaudio] module.c: Failed to
load module "module-alsa-sink" (argument: ""): initialization failed.
Jan 19 17:58:23 box1 pulseaudio[3719]: [pulseaudio] main.c: Module load
failed.
Jan 19 17:58:23 box1 pulseaudio[3719]: [pulseaudio] main.c: Failed to
initialize daemon.
Jan 19 17:58:23 box1 pulseaudio[3716]: [pulseaudio] main.c: Daemon startup
failed.

My sound card details are.
lspci -k
...
00:1b.0 Audio device: Intel Corporation 82801I (ICH9 Family) HD Audio
Controller (rev 02)
Subsystem: Gigabyte Technology Co., Ltd 82801I (ICH9 Family) HD Audio
Controller
Kernel driver in use: snd_hda_intel
...

The kernel config options enabled for HDA are.
% grep '^[^#].*HDA' /usr/src/linux/.config
CONFIG_SND_HDA=y
CONFIG_SND_HDA_INTEL=y
CONFIG_SND_HDA_HWDEP=y
CONFIG_SND_HDA_CODEC_REALTEK=y
CONFIG_SND_HDA_CODEC_ANALOG=y
CONFIG_SND_HDA_CODEC_SIGMATEL=y
CONFIG_SND_HDA_CODEC_VIA=y
CONFIG_SND_HDA_CODEC_HDMI=y
CONFIG_SND_HDA_CODEC_CIRRUS=y
CONFIG_SND_HDA_CODEC_CONEXANT=y
CONFIG_SND_HDA_CODEC_CA0110=y
CONFIG_SND_HDA_CODEC_CA0132=y
CONFIG_SND_HDA_CODEC_CMEDIA=y
CONFIG_SND_HDA_CODEC_SI3054=y
CONFIG_SND_HDA_GENERIC=y
CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0
CONFIG_SND_HDA_CORE=y
CONFIG_SND_HDA_PREALLOC_SIZE=2048

% equery -q u media-sound/pulseaudio-7.1 | grep +
+X
+alsa
+alsa-plugin
+asyncns
+bluetooth
+caps
+dbus
+gdbm
+glib
+gtk
+ipv6
+orc
+ssl
+tcpd
+udev
+webrtc-aec


With the set-up above, I still have sound when playing video content in my
web browser, via Adobe Flash Player.

Playing videos using VLC, or Mplayer does not work.

With 'load-module module-alsa-sink' commented out, pulseaudio is able to
start.

% ps uxwww | grep  '[p]ulse'
sasha 3694  0.1  0.2 182496 10164 ?Sl   18:15   0:00
/usr/bin/pulseaudio --start --log-target=syslog
sasha 3713  0.0  0.2 166112  9988 ?Ssl  18:15   0:00
xfce4-volumed-pulse

But still no sound, when playing videos using a media player, or in the web
browser using Adobe Flash Player.


Thanks.


Re: [gentoo-user] Shutdown through systemctl as a normal user

2016-01-19 Thread lukash
On Mon, 2016-01-18 at 14:56 -0800, Willie Matthews wrote:
> On Mon, 18 Jan 2016 23:31:39 +0100
> lukash  wrote:
> 
> > On Mon, 2016-01-18 at 20:00 +0100, waben...@gmail.com wrote:
> > > lukash  wrote:
> > >   
> > > > Hi all,
> > > > 
> > > > I'm reading on the internet that systemctl poweroff should work
> > > > for normal user if he is the only one logged in, he is logged
> > > > in
> > > > locally
> > > > and his session is active. I seem to be meeting these
> > > > conditions:
> > > > 
> > > > # loginctl
> > > >    SESSIONUID USER SEAT
> > > >  2   1000 lukash           seat0
> > > > 
> > > > $ loginctl show-session 2
> > > > Id=2
> > > > User=1000
> > > > Name=lu
> > > > Timestamp=Sat 2016-01-16 17:27:30 CET
> > > > TimestampMonotonic=9614418
> > > > VTNr=7
> > > > Seat=seat0
> > > > Display=:0
> > > > Remote=no
> > > > Service=lightdm
> > > > Desktop=awesome
> > > > Scope=session-2.scope
> > > > Leader=529
> > > > Audit=2
> > > > Type=x11
> > > > Class=user
> > > > Active=yes
> > > > State=active
> > > > IdleHint=no
> > > > IdleSinceHint=0
> > > > IdleSinceHintMonotonic=0
> > > > 
> > > > But invoking the command gives me:
> > > > 
> > > > $ systemctl poweroff
> > > > Failed to set wall message, ignoring: Access denied
> > > > Failed to power off system via logind: Access denied
> > > > Failed to start poweroff.target: Access denied
> > > > 
> > > > How is this supposed to work on Gentoo?
> > > > 
> > > > Thanks in advance,
> > > > Lukas  
> > > 
> > > IIRC "CONFIG_AUDIT" and "CONFIG_HAVE_ARCH_AUDITSYSCALL" must be
> > > set
> > > in the kernel configuration. But as I don't use this method I
> > > cannot
> > > say this for sure.  
> > 
> > Thanks. But I've got those in my kernel already...
> > 
> > > --
> > > Regards
> > > wabe
> > >   
> > 
> 
> Try this https://wiki.archlinux.org/index.php/allow_users_to_shutdown
> ,
> I think you might be happy with it. I don't have systemd personally
> so
> I don't have any experience with it. From what I read on the wiki,
> this will be an easy fix.
> 
> Instead of using users in the "Users without sudo privileges"
> section, I
> think you can also use groups without the hostname. All you would
> have
> to do is make a group that you would like to be able to shutdown or
> whatever with the computer.
> 

Thank you, but I wanted to make the systemd-logind path work instead of
the sudo magic which I find kinda hackish.

I think my system meets the requirements, although I am not so sure
when 'it should work' is mentioned in various places, whether it is
supposed there are (for example) some polkit rules present in the
system (of which I didn't find any on my gentoo box).

The wiki link you mentioned does lead to some more information about
the permission checking which I'll investigate when I have more time.
But otherwise, short of installing Arch somewhere and have a look if
there's anything present that could make this work I am clueless :(

Cheers,
Lukas
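
For anyone chasing the same problem, here is an added example, mine and
not from the thread, that checks the three conditions Lukas cites (the
only session logged in, local, active) from loginctl output, so you can
see which one fails before you go looking for polkit rules. It encodes
what the post states, not logind's own policy code; the sample output is
constructed from the values in the thread, and the loginctl commands
named in the comments are assumed to produce output in that shape.

```shell
#!/bin/sh
# Added example, not from the thread: check the three conditions the post
# cites for an unprivileged `systemctl poweroff` (only one session logged
# in, local, active) from `loginctl` output. Samples are constructed from
# the values in the thread; this is the post's reading, not logind's code.

# Count sessions in `loginctl` (list-sessions) output; a header line, if
# present, is skipped because its first field is not a number.
count_sessions() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# Print the value of KEY ($2) from `loginctl show-session ID` output ($1).
session_prop() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# Succeed when all conditions hold; otherwise print each failing one and return 1.
can_poweroff_unprivileged() {
    sessions=$1; props=$2; ok=0
    n=$(count_sessions "$sessions")
    [ "$n" -eq 1 ] || { echo "not the only session: $n sessions listed"; ok=1; }
    [ "$(session_prop "$props" Remote)" = "no" ] || { echo "session is remote"; ok=1; }
    [ "$(session_prop "$props" Active)" = "yes" ] || { echo "session is not active"; ok=1; }
    return $ok
}

# Constructed from the thread: one local, active X11 session for uid 1000.
SAMPLE_SESSIONS='   SESSION        UID USER             SEAT
         2       1000 lukash           seat0'
SAMPLE_PROPS='Id=2
User=1000
Seat=seat0
Remote=no
Class=user
Active=yes
State=active'

# Usage: can_poweroff_unprivileged "$SAMPLE_SESSIONS" "$SAMPLE_PROPS" && echo "conditions met"
```

On a live box feed it `"$(loginctl list-sessions)"` and
`"$(loginctl show-session "$XDG_SESSION_ID")"`; if all three conditions pass
and the command is still denied, the remaining suspect is the polkit side,
which this check deliberately does not try to guess at.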



Re: [gentoo-user] sound stopped working [media-sound/pulseaudio-7.1]

2016-01-19 Thread Alec Ten Harmsel
I use pulseaudio without ALSA, for what it's worth. I also don't use VLC
or mplayer.

On Tue, Jan 19, 2016 at 06:33:41PM +0200, Alexander Kapshuk wrote:
> Recently, sound has stopped working on one of my Gentoo systems. I have
> checked the kernel, package and pulseaudio set-ups across all of my systems
> in an attempt to pin down the problem, but so far to no avail. The sound
> works fine on the other systems I have.

Are there any changes you just made that may have caused the problem? Do
all the systems have the same configuration?

> 
> Having 'alsa-sink' enabled generates the following output in
> '/var/log/messages'.
> # grep 'Jan 19.*pulseaudio' /var/log/messages
> Jan 19 17:58:23 box1 pulseaudio[3686]: [pulseaudio] module.c: Failed to
> load module "module-alsa-sink" (argument: ""): initialization failed.
> Jan 19 17:58:23 box1 pulseaudio[3686]: [pulseaudio] main.c: Module load
> failed.
> Jan 19 17:58:23 box1 pulseaudio[3686]: [pulseaudio] main.c: Failed to
> initialize daemon.
> Jan 19 17:58:23 box1 pulseaudio[3638]: [pulseaudio] main.c: Daemon startup
> failed.
> Jan 19 17:58:23 box1 pulseaudio[3706]: [pulseaudio] module.c: Failed to
> load module "module-alsa-sink" (argument: ""): initialization failed.
> Jan 19 17:58:23 box1 pulseaudio[3706]: [pulseaudio] main.c: Module load
> failed.
> Jan 19 17:58:23 box1 pulseaudio[3706]: [pulseaudio] main.c: Failed to
> initialize daemon.
> Jan 19 17:58:23 box1 pulseaudio[3703]: [pulseaudio] main.c: Daemon startup
> failed.
> Jan 19 17:58:23 box1 pulseaudio[3719]: [pulseaudio] module.c: Failed to
> load module "module-alsa-sink" (argument: ""): initialization failed.
> Jan 19 17:58:23 box1 pulseaudio[3719]: [pulseaudio] main.c: Module load
> failed.
> Jan 19 17:58:23 box1 pulseaudio[3719]: [pulseaudio] main.c: Failed to
> initialize daemon.
> Jan 19 17:58:23 box1 pulseaudio[3716]: [pulseaudio] main.c: Daemon startup
> failed.
> 
> My sound card details are.
> lspci -k
> ...
> 00:1b.0 Audio device: Intel Corporation 82801I (ICH9 Family) HD Audio
> Controller (rev 02)
> Subsystem: Gigabyte Technology Co., Ltd 82801I (ICH9 Family) HD Audio
> Controller
> Kernel driver in use: snd_hda_intel
> ...

Have you looked at dmesg and/or any ALSA logs to see why ALSA-related
stuff can't be initialized? Intel hardware and drivers have always
treated me well, so this is strange.

Alec

P.S. Is there a particular reason you are using pulseaudio as a layer
above ALSA? If not, you might just use PA in my opinion.