Re: [gentoo-user] {OT} Allow work from home?

"J. Roeleveld" writes:

> On Tuesday, January 19, 2016 11:22:02 PM lee wrote:
>> "J. Roeleveld" writes:
>> > [...]
>> > If disk-space is considered too expensive, you could even have every VM
>> > use
>> > the same base image. And have them store only the differences of the disk.
>> > eg:
>> > 1) Create a VM
>> > 2) Snapshot the disk (with the VM shutdown)
>> > 3) create a new VM based on the snapshot
>> >
>> > Repeat 2 and 3 for as many clones you want.
>> >
>> > Most installs don't change that much when dealing with standardized
>> > desktops.
>>
>> How does that work? IIUC, when you created a snapshot, any changes you
>> make to the snapshotted (or how that is called) file system are being
>> referenced by the snapshot which you can either destroy or abandon.
>> When you destroy it, the changes you made are being applied to the
>> file system you snapshotted (because someone decided to use a very
>> misleading terminology), and when you abandon it, the changes are thrown
>> away and you end up with the file system as it was before the snapshot
>> was created.
>>
>> In any case, you do not get multiple versions (which only reference the
>> changes made) of the file system you snapshotted but only one current
>> version.
>>
>> Do you need to use a special file system or something which provides
>> this kind of multiple copies when you make snapshots?
>
> I use LVM for this.
>
> Steps are simple:
> 1) Create a LV (lv_1)
> 2) Create and install a VM using this LV (lv_1)
> 3) Stop the VM
> 4) Create multiple snapshots based on lv_1 (slv_1a, slv_1b, ..)
> 5) Create multiple VMs using the snapshots (vm1a -> slv_1a, vm1b ->
> slv_1b, ..)
>
> Start the VMs
>
> This way you can overcommit on the actual diskspace as only changes are
> taking
> up diskspace.
> If you force everyone on the same base-image, the differences should not be
> too
> large.

I don't use lvm anymore.

It requires you to have unused space in the same VG to make a snapshot (which, of course, I didn't have), and when you need to move a volume from one machine to another, you're screwed because you can't get the volume out of the volume group other than moving it to a different media after attaching this media to the VG and detaching it after the move. Moving the volume to the new machine is likewise a pita. I lost a whole VM when I did that, and I have no idea what might have happened to it. I did copy it, and yet it somehow disappeared.

> If you also force users to store files on a shared filesystem, it shouldn't
> be
> too much of a difficulty to occasionally move everyone to a new base-image
> when
> the updates are causing the snapshots to grow too much.

How do you force users to do that? I tried that with some windoze 7 VMs, and according to the rules, users are not allowed to save anything on their desktops, and nonetheless they can do that. The installed applications also create data in the disk space of the VM. Their MUAs do that, for example, and you may find users who have accumulated over 300GB for email storage. Make the disk read-only, and the VM probably won't even start.
Re: [gentoo-user] {OT} Allow work from home?

"J. Roeleveld" writes:

> On Wednesday, January 20, 2016 01:46:29 AM lee wrote:
>> "J. Roeleveld" writes:
>> > On Tuesday, January 19, 2016 01:46:45 AM lee wrote:
>> >> "J. Roeleveld" writes:
>> >> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
>> >> >> "J. Roeleveld" writes:
>
>> >> >
>> >> > Yes
>> >> >
>> >> >> That would be a huge waste of resources,
>> >> >
>> >> > Diskspace and CPU can easily be overcommitted.
>> >>
>> >> Overcommitting disk space sounds like a very bad idea. Overcommitting
>> >> memory is not possible with xen.
>> >
>> > Overcommitting diskspace isn't such a bad idea, considering most installs
>> > never utilize all the available diskspace.
>>
>> When they do not use it anyway, there is no reason to give it to them in
>> the first place. And when they do use it, how do the VMs handle the
>> problem that they have plenty disk space available, from their point of
>> view, while the host which they don't know about doesn't allow them to
>> use it?
>
> 1 word: Monitoring.
> When you overcommit any resource, you need to put monitoring in place.
> Then you also need to ensure you have the ability to increase that resource
> when required.

So you more or less frequently shrink your VMs back when the monitoring informs you that you need to do that? Isn't it more reasonable not to overcommit but to increase the resource when required?

>> Besides, overcommitting disk space means to intentionally create a setup
>> which involves that the host can run out of disk space easily. That is
>> not something I would want to create for a host which is required to
>> function reliably.
>
> The host should not crash when a VM does or when the storage assigned to VMs
> fills up.
> If it does, go back to the drawing board and fix your design.

I didn't say that the host would crash.

I wouldn't consider a VM which is bound to run out of disk space as reliable, especially when it is bound to run out of disk space because other VMs which are also bound to run out of disk space use the disk space which the VM would need that's running out.

>> And how much do you need to worry about the security of the VMs when you
>> build in a way for the users to bring the whole machine, or at least
>> random VMs, down by using the disk space which has been assigned to
>> them? The users are somewhat likely to do that even unintentionally,
>> the more the more you overcommit.
>
> See comment about monitoring.
> If all your users tend to fill up all available diskspace, you obviously can
> not overcommit on diskspace.

Have you ever seen a disk that doesn't fill up, the larger the disk, the more it fills?

>> > Overcommitting memory is, i think, on the roadmap for Xen. (Disclaimer: At
>> > least, I seem to remember reading that somewhere)
>>
>> That would be a nice feature.
>
> For VDIs, I might consider using it.
> But considering most OSs tend to fill up all available memory with caches, I
> expect performance issues.

It depends on how you use it.

>> >> >> plus having to take care of a lot of VMs,
>> >> >
>> >> > Automated.
>> >>
>> >> Like how?
>> >
>> > How do you manage a large amount of physical machines?
>> > Just change physical to VMs and do it the same.
>> > With VMs you have more options for automation.
>>
>> Individually, in lack of a better way. Per user when it comes to
>> setting up their MUAs and the like, in lack of any better way. It
>> doesn't make a difference if it's a VM or not, provided that you have
>> remote access to the machine.
>
> This is where management tools come into play. (Same methods apply to
> physical
> and virtual)
>
> When talking MS Windows, domains with their policies are very useful. Couple
> that with WSUS for the patching and software distribution tools for the
> additional software installs, and you have a very nice setup.

I don't like what they call "domains". They tend to get in the way, and when you want to take a machine out of one, all the users need to be set up anew. Is WSUS of any use without domains? If it is, I should take a look at it.

> For Linux, I would recommend tools like Ansible or Puppet to control the
> software on the machines.

Does it really have an advantage over logging in remotely?

> For any OS, I would prevent my users from installing random software. And
> what
> is installed, would be mostly pre-configured out-of-the-box.

And how do you preconfigure everything for each user? It would sure be nice if I could, say, install seamonkey and have every existing and new user set up the way they are supposed to be set up without having to do that for every user individually, on a number of VMs.

>> When you use one VM for many users, you install the MUA only once, and when
>> you need to do updates, you do them only once. When you have many VMs,
>> like one for each user, you have to install and update many times, once
>> on each VM.
>
Re: [gentoo-user] {OT} Allow work from home?
Rich Freeman writes:

> On Tue, Jan 19, 2016 at 5:08 PM, lee wrote:
>>
>> BTW, is it as easy to give a graphics card to a container as it is to
>> give it a network card?
>
> I've never tried it, but I'd think that the container could talk to a
> graphics card.

Maybe ... it's really easy with network cards.

>> What if you have a container for each user who
>> somehow logs in remotely to an X session? Do (can) you run X sessions
>> that do not have a console and do not need a (dedicated) graphics card
>> (just for users logging in remotely)?
>
> You don't need to even have a graphics card to serve X11 via vnc or
> nx. You could probably serve them even if your only server console
> was a serial console. Just run x11vnc or whatever it is called - it
> is an X server whose only framebuffer is a VNC session. I think NX
> uses the same server, but I'd have to check. Of course, you wouldn't
> have 3D acceleration with this server, not that you'd be using it
> over NX/VNC.

That might be a problem when you want to use kde or gnome? And I thought vnc sends a copy of what is displayed on the screen, so if you were running a program that renders something on the screen and uses/requires a graphics card for that, you should be able to see what it renders. If you can't see that, vnc is of very limited use. How does RDP deal with this?
Re: [gentoo-user] {OT} Allow work from home?

Rich Freeman writes:

> On Tue, Jan 19, 2016 at 5:22 PM, lee wrote:
>> "J. Roeleveld" writes:
>>
>> How does that work? IIUC, when you created a snapshot, any changes you
>> make to the snapshotted (or how that is called) file system are being
>> referenced by the snapshot which you can either destroy or abandon.
>> When you destroy it, the changes you made are being applied to the
>> file system you snapshotted (because someone decided to use a very
>> misleading terminology), and when you abandon it, the changes are thrown
>> away and you end up with the file system as it was before the snapshot
>> was created.
>>
>> In any case, you do not get multiple versions (which only reference the
>> changes made) of the file system you snapshotted but only one current
>> version.
>>
>> Do you need to use a special file system or something which provides
>> this kind of multiple copies when you make snapshots?
>>
>
> And that is exactly what zfs and btrfs provide. Snapshots are full
> citizens. If I create a snapshot of a directory in btrfs it is
> essentially indistinguishable from running cp -a on the directory,
> except the snapshot takes only seconds to create almost entirely
> regardless of size, and takes almost no space until changes are made.
> Later I can delete the snapshot, or delete the original, or keep both
> indefinitely making changes to either.

Hm, I must be misunderstanding snapshots entirely.

What happens when you remove a snapshot after you modified the "original" /and/ the snapshot? You destroy at least one of them, so you can never get rid of the snapshot in a non-destructive way?

My understanding is that when you make a snapshot, you get a copy that doesn't change which you can somehow use to make backups. When the backup is finished, you can remove the snapshot, and the changes that were made in the meantime are not lost --- unless you decide to throw them away when removing the snapshot, in which case you get a rollback.

To make things more complicated, I've seen zfs refusing to remove a snapshot and saying that something is recursive (IIRC), and it didn't make any sense anymore. So I left everything as it was because I didn't want to lose data, and a while later, I removed this very same snapshot without getting issues as before. Weird behaviour makes snapshots rather scary, so I avoid them now.

There seems to be some sort of relationship between a snapshot and the "original" which limits what you can do with a snapshot, like the snapshot is somehow attached to the "original". At least that makes some sense to me because no real copy is created when you make a snapshot. But how do you detach a snapshot from the "original" so that you could safely modify both?
Re: [gentoo-user] {OT} Allow work from home?

Alec Ten Harmsel writes:

> On Tue, Jan 19, 2016 at 10:56:21PM +0100, lee wrote:
>> Alec Ten Harmsel writes:
>> >
>> > Depends on how the load is. Right now I have a 500GB HDD at work. I use
>> > VirtualBox and vagrant for testing various software. Every VM in
>> > VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
>> > Add in all the other stuff on my system, which includes a 200GB dataset,
>> > and the disk is overcommitted. Of course, none of the VirtualBox disks
>> > use anywhere near 50GB.
>>
>> True, that's for testing when you do know that the disk space will not
>> be used and have no trouble when it is. When you have the VMs in
>> production and users (employees) using them, you don't know when they
>> will run out of disk space and trouble ensues.
>
> Almost. Here is an equal example: I am an admin on an HPC cluster. We
> have a shared Lustre filesystem that people store work files in while
> they are running jobs. It has around 1PB of capacity. As strange as this
> may sound, this filesystem is overcommitted (we have 20,000 cores,
> that's only 52GB per core, not even close to enough for more than half a
> year of data accumulation). Unused data is deleted after 90 days, which
> is why it can be overcommitted.

Why do you need to overcommit in the first place when you don't need that much disk space anyway? And it only works because you "shrink" the disk space used by deleting data.

> Extending this to a more realistic example without automatic data
> deletion is trivial. Imagine you are a web hosting provider. You allow
> each client unlimited disk space, so you're automatically overcommitted.
> In the aggregate, even though one client may increase their usage
> extremely quickly, total usage rises slowly, giving you more than enough
> time to increase the storage capacity of whatever backing filesystem is
> hosting their files.

I'm a customer of such a provider that used to do that, and they stopped giving their customers unlimited disk space years ago. I guess they found out that they can't possibly keep up with the demand, at least not without charging more.

>> > All Joost is saying is that most resources can be overcommitted, since
>> > all the users will not be using all their resources at the same time.
>>
>> How do you overcommit disk space and then shrink the VMs automatically
>> when disk usage gets lower again?
>>
>
> Sorry, my previous example was bad, since the normal strategy is to
> expand when necessary as far as I know. See above.

Well, that's exactly the problem. Once a VM has grown, it won't shrink automatically, which soon breaks the overcommitment.
Re: [gentoo-user] {OT} Allow work from home?
On Thu, Jan 21, 2016 at 4:35 PM, lee wrote:
> And I thought vnc sends a copy of what is displayed on the screen, so if
> you were running a program that renders something on the screen and
> uses/requires a graphics card for that, you should be able to see what
> it renders. If you can't see that, vnc is of very limited use. How
> does RDP deal with this?

VNC sends a copy of what is in the framebuffer, which may or may not be displayed on a physical screen. You can have a framebuffer on a machine that has no display outputs at all. You can have 10,000 different framebuffers running on the PC you're working on right now assuming you have the RAM for it.

I haven't set this up recently, but I believe that's basically what x2go does out of the box (except it uses NX instead of VNC).

RDP is capable of functioning without physical console attached. Consumer versions of windows may block doing much of this for licensing reasons, but certainly at work we've had 20+ users connected to a single citrix server at once.

-- 
Rich
Re: [gentoo-user] {OT} Allow work from home?
On Thu, Jan 21, 2016 at 5:00 PM, lee wrote:
> Hm, I must be misunderstanding snapshots entirely.
>

Well, in the case of zfs/btrfs you are. Different implementations have different snapshotting features.

> What happens when you remove a snapshot after you modified the
> "original" /and/ the snapshot? You destroy at least one of them, so you
> can never get rid of the snapshot in a non-destructive way?

If you remove a snapshot it goes away. If you remove the original it goes away. There isn't anything strange going on.

With btrfs I can do this:

btrfs su create a
touch a/file
btrfs su snap a b
touch b/file2
echo "hello" >> a/file

a now contains file with the text hello in it. b now contains file which is empty and file2 which is empty. If I delete a then it disappears. If I delete b then it disappears. They exist completely independently of each other.

In btrfs the command "btrfs su snap a b" is somewhat equivalent to "cp -a a b" unless you look at what is going on closely. The main difference is that the first command takes almost zero time to execute, and consumes little additional space. This is true even if a is a directory containing a million text files or 10TB of video.

Snapshots in btrfs just look like directories. They're subvolumes, and only subvolumes can be snapshotted. I imagine that zfs is slightly different, but with the same overall concept.

> My understanding is that when you make a snapshot, you get a copy that
> doesn't change which you can somehow use to make backups.

You can certainly use snapshots to make backups. The snapshot is already a backup, though stored on the same media.

> When the
> backup is finished, you can remove the snapshot, and the changes that
> were made in the meantime are not lost --- unless you decide to throw
> them away when removing the snapshot, in which case you get a rollback.

With btrfs at least there is no way to rollback a snapshot.

You can of course just "mv a a.old ; mv b a ; btrfs su del a.old" and now your snapshot has replaced the original copy (aside from any files which happen to be open).

>
> To make things more complicated, I've seen zfs refusing to remove a
> snapshot and saying that something is recursive (IIRC), and it didn't
> make any sense anymore. So I left everything as it was because I didn't
> want to lose data, and a while later, I removed this very same snapshot
> without getting issues as before. Weird behaviour makes snapshots
> rather scary, so I avoid them now.

I couldn't tell you what that means. Perhaps you discovered a bug. Btrfs should always allow you to remove a subvolume (including one created as a snapshot). I believe they can be removed if they're in use, and the effect is similar to removing a file that is in use.

> There seems to be some sort of relationship between a snapshot and the
> "original" which limits what you can do with a snapshot, like the
> snapshot is somehow attached to the "original". At least that makes
> some sense to me because no real copy is created when you make a
> snapshot. But how do you detach a snapshot from the "original" so that
> you could safely modify both?
>

In btrfs there is no relationship between a snapshot and the original subvolume, other than them happening to share the same tree nodes initially. It isn't unlike what happens in git when you create a new branch. You end up with a new reference pointing to the same commit and everything below that is shared between the two branches initially. If you touch one file then most of trees/blobs between the branches are still shared, but the modified blob and all of its parent trees are now separated.

Btrfs does mark snapshots as snapshots for some reason, but other than a yes/no flag snapshots are the same as any subvolume. They're not linked in any way to the original and there is no straightforward way to tell where a snapshot came from (well, other than either comparing it against all the other subvolumes, ideally looking for shared tree nodes).

-- 
Rich
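Rich's point that a snapshot is just a new root sharing the same tree nodes, separated only along the paths that later get written, can be seen in a small in-memory model. This is an added example, not code from the thread or from btrfs: the `Node`/`Volumes` classes, the etc/ and lib/ files written before the snapshot, and the `shared()` node count are this example's own assumptions for illustrating structural sharing, not btrfs internals.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Node:
    """Immutable tree node: a file carries `data`, a directory carries a
    sorted tuple of (name, child) pairs. Nodes are never mutated, so any
    number of roots can point at the same node at once."""
    data: Optional[bytes] = None
    children: Tuple[Tuple[str, Node], ...] = ()

    def child(self, name: str) -> Optional[Node]:
        for n, c in self.children:
            if n == name:
                return c
        return None

    def with_child(self, name: str, node: Node) -> Node:
        """NEW directory node with one entry replaced or added; every other
        entry is shared with the old node (path copying)."""
        others = tuple((n, c) for n, c in self.children if n != name)
        return Node(children=tuple(sorted(others + ((name, node),))))


def write(root: Node, path: str, data: bytes) -> Node:
    """Write a file and return a new root. Only the touched leaf and its
    ancestors are fresh nodes; every sibling subtree stays shared."""
    def rec(node: Node, parts: List[str]) -> Node:
        if len(parts) == 1:
            return node.with_child(parts[0], Node(data=data))
        sub = node.child(parts[0]) or Node()
        return node.with_child(parts[0], rec(sub, parts[1:]))
    return rec(root, path.strip("/").split("/"))


def read(root: Node, path: str) -> Optional[bytes]:
    """Bytes of a file, or None when the path is absent (or a directory)."""
    node: Optional[Node] = root
    for part in path.strip("/").split("/"):
        node = node.child(part)
        if node is None:
            return None
    return node.data


def reachable(root: Node) -> Set[int]:
    """Identities of all nodes under a root; shared nodes count once."""
    seen: Set[int] = set()
    stack = [root]
    while stack:
        n = stack.pop()
        if id(n) not in seen:
            seen.add(id(n))
            stack.extend(c for _, c in n.children)
    return seen


class Volumes:
    """Named roots, like btrfs subvolumes. A snapshot is just another name
    for the same root; nothing records which name it was taken from."""

    def __init__(self) -> None:
        self.roots: Dict[str, Node] = {}

    def create(self, name: str) -> None:              # btrfs su create NAME
        self.roots[name] = Node()

    def snapshot(self, src: str, dst: str) -> None:   # btrfs su snap SRC DST
        self.roots[dst] = self.roots[src]              # O(1): nothing copied

    def delete(self, name: str) -> None:              # btrfs su del NAME
        del self.roots[name]                           # other roots untouched

    def rename(self, old: str, new: str) -> None:     # mv OLD NEW
        self.roots[new] = self.roots.pop(old)

    def write(self, vol: str, path: str, data: bytes) -> None:
        self.roots[vol] = write(self.roots[vol], path, data)

    def append(self, vol: str, path: str, data: bytes) -> None:
        self.write(vol, path, (self.read(vol, path) or b"") + data)

    def read(self, vol: str, path: str) -> Optional[bytes]:
        return read(self.roots[vol], path)

    def shared(self, a: str, b: str) -> int:
        """Nodes two roots have in common: the only hint of a snapshot origin."""
        return len(reachable(self.roots[a]) & reachable(self.roots[b]))


def replay_thread_example() -> dict:
    """Rich's command sequence, then his rename trick that stands in for a
    rollback. The etc/ and lib/ files are constructed here so that sharing
    after the writes is visible."""
    v = Volumes()
    v.create("a")                                     # btrfs su create a
    v.write("a", "file", b"")                         # touch a/file
    v.write("a", "etc/config", b"x=1\n")              # constructed extra data
    v.write("a", "lib/libfoo", b"\x7fELF")            # constructed extra data
    v.snapshot("a", "b")                              # btrfs su snap a b
    r = {"shared_after_snapshot": v.shared("a", "b")}  # everything shared
    v.write("b", "file2", b"")                        # touch b/file2
    v.append("a", "file", b"hello\n")                 # echo "hello" >> a/file
    r.update(a_file=v.read("a", "file"), b_file=v.read("b", "file"),
             b_file2=v.read("b", "file2"), a_file2=v.read("a", "file2"),
             shared_after_writes=v.shared("a", "b"))  # etc/ and lib/ still shared
    v.rename("a", "a.old")                            # mv a a.old
    v.rename("b", "a")                                # mv b a
    v.delete("a.old")                                 # btrfs su del a.old
    r.update(a_file_after_rollback=v.read("a", "file"),
             a_file2_after_rollback=v.read("a", "file2"),
             volumes_after_rollback=sorted(v.roots))
    return r
```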
Re: [gentoo-user] What is forcing the qt4 USE flag?
On Friday 22 Jan 2016 21:04:48 Nikos Chantziaras wrote:
> I have a weird problem. I have an ebuild where either qt4 or qt5 can be
> enabled. They are both disabled by default and I have to choose which
> one I want. The ebuild does that with:
>
> IUSE="qt4 qt5"
> REQUIRED_USE="^^ ( qt4 qt5 )"
>
> I'm on the plasma profile which enabled qt5 automatically. However,
> portage complains:
>
> The following REQUIRED_USE flag constraints are unsatisfied:
> exactly-one-of ( qt4 qt5 )
>
> The qt4 USE flag is enabled. I can't see where. I didn't enable it
> anywhere in any of my /etc/portage/* files. If I emerge with:
>
> USE="-qt4" emerge package
>
> then it works. So I have to explicitly disable the qt4 USE flag even
> though I didn't enable it in the first place.
>
> Can someone enlighten me?

euse -I qt4

should provide some pointers. It may be your desktop profile?

-- 
Regards,
Mick
Re: [gentoo-user] Re: {OT} Allow work from home?
>> The answer to this may be an obvious "yes" but I've never done it so I'm
>> not sure. Can I route requests from machine C through machine A only
>> for my domain name, and not involve A for C's other internet requests?
>> If so, where is that configured?
>
> While ZT can be used to route requests between networks, it is mainly
> used to talk directly between clients. If A wants to talk to C over ZT,
> it uses C's ZT IP address.
>
> Here's a snippet from ifconfig on this machine, which may help it make
> sense to you
>
> wlan0: flags=4163 mtu 1500
>         inet 192.168.1.6  netmask 255.255.255.0  broadcast 192.168.1.255
>         ether c4:8e:8f:f7:55:c9  txqueuelen 1000  (Ethernet)
>
> zt0: flags=4163 mtu 2800
>         inet 10.252.252.6  netmask 255.255.255.0  broadcast 10.252.252.255
>
> To talk to this computer from another of my machines over ZT I would use
> the 10.252... address. If you tried that address, you'd get nowhere as
> you are not connected to my network.

So if 10.252.252.6 were configured as a router, could I join your ZT network and use iptables to route my example.com 80/443 requests to 10.252.252.6, thereby granting me access to my web apps which are configured to only allow your machine's WAN IP?

The first couple paragraphs here make it sound like a centralized SaaS as far as the setup phase of the connection:

https://www.zerotier.com/blog/?p=577

Is it possible (easy?) to run your own "core node" and so not interact with the official core nodes at all?

- Grant
[gentoo-user] What is forcing the qt4 USE flag?
I have a weird problem. I have an ebuild where either qt4 or qt5 can be enabled. They are both disabled by default and I have to choose which one I want. The ebuild does that with:

IUSE="qt4 qt5"
REQUIRED_USE="^^ ( qt4 qt5 )"

I'm on the plasma profile which enabled qt5 automatically. However, portage complains:

The following REQUIRED_USE flag constraints are unsatisfied:
exactly-one-of ( qt4 qt5 )

The qt4 USE flag is enabled. I can't see where. I didn't enable it anywhere in any of my /etc/portage/* files. If I emerge with:

USE="-qt4" emerge package

then it works. So I have to explicitly disable the qt4 USE flag even though I didn't enable it in the first place.

Can someone enlighten me?
[gentoo-user] Re: {OT} Allow work from home?
On Wed, 20 Jan 2016 01:46:29 +0100, lee wrote:
> The time before, it wasn't
> a VM but a very slow machine, and that also took a week. You can have
> the fastest machine on the world and Windoze always manages to bring
> it down to a slowness we wouldn't have accepted even 20 years ago.

This is mainly an artifact of Windows updates destroying locality of data pretty fast and mainly a problem when running on spinning rust. DLLs and data files needed for booting or starting specific software become spread wide across the hard disk. Fragmentation isn't the issue here - NTFS is pretty good at keeping it low.

Still, the right defragmentation tool will help you: I always recommend staying away from the 1000 types of "tuning tools", they actually make it worse and take away your chance of properly optimizing the on-disk file layout. And I always recommend using MyDefrag and using its system disk defrag profile to reorder the files in your hard disk. It takes ages the first time it runs but it brings back your system to almost out of the box boot and software startup time performance. It uses some very clever ideas to place files into groups and into proper order - other than using file mod and access times like other defrag tools do (which even make the problem worse by doing so because this destroys locality of data even more).

But even SSDs can use _proper_ defragmentation from time to time for increased lifetime and performance (this is due to how the FTL works and because erase blocks are huge, I won't get into detail unless someone asks). This is why mydefrag also supports flash optimization. It works by moving as few files as possible while coalescing free space into big chunks which in turn relaxes pressure on the FTL and allows to have more free and continuous erase blocks which reduces early flash chip wear. A filled SSD with long usage history can certainly gain back some performance from this.

-- 
Regards,
Kai

Replies to list-only preferred.
Re: [gentoo-user] What is forcing the qt4 USE flag?
On Fri, 22 Jan 2016 19:45:29 +, Mick wrote:

> > Can someone enlighten me?
>
> euse -I qt4
>
> should provide some pointers. It may be your desktop profile?

If so, it should show up in "emerge --info | grep qt4". I am using default/linux/amd64/13.0/desktop/plasma/systemd and both qt4 and qt5 are enabled by default.

-- 
Neil Bothwick

When you go to court you are putting yourself in the hands of 12 people that were not smart enough to get out of jury duty.
Re: [gentoo-user] Re: {OT} Allow work from home?
On Fri, 22 Jan 2016 11:51:45 -0800, Grant wrote:

> > To talk to this computer from another of my machines over ZT I would
> > use the 10.252... address. If you tried that address, you'd get
> > nowhere as you are not connected to my network.
>
> So if 10.252.252.6 were configured as a router, could I join your ZT
> network and use iptables to route my example.com 80/443 requests to
> 10.252.252.6, thereby granting me access to my web apps which are
> configured to only allow your machine's WAN IP?

You don't need a bridge in a network to join it. If I want you to join it, I give you the network ID and you simply join it, although you can't actually connect to it until I authorise the connection. However, if this machine were configured as a bridge, then once you had joined my network you would have access to all of my LAN, rather like an OpenVPN connection. It seems that the main difference between this and a traditional VPN is that all of the setup work is done on the one computer, connecting extra clients is just a matter of connecting them to the network.

Note that I haven't actually tried this, every machine on my LAN that I want to be able to connect to is running ZT so is directly accessible.

> Is it possible (easy?) to run your own "core node" and so not interact
> with the official core nodes at all?

It is definitely possible, and you skip the "only ten clients for free" limit as that only applies to using their servers. Once again, it isn't something I've tried yet, but it is on my list of "things to do when I find some time". I'm quite happy using their discovery servers so this would be only an exercise in trying it "because I can".

-- 
Neil Bothwick

MUPHRY'S LAW: The principle that any criticism of the writing of others will itself contain at least one grammatical error.
[gentoo-user] Re: {OT} Allow work from home?
On Fri, 22 Jan 2016 00:52:30 +0100, lee wrote:
> Is WSUS of any use without domains? If it is, I should take a look at
> it.

You can use it with and without domains. What domains give you through GPO is just automatic deployment of the needed registry settings in the client. You can simply create a proper .reg file and deploy it to the clients however you like. They will connect to WSUS and receive updates you control. No magic here.

-- 
Regards,
Kai

Replies to list-only preferred.
Re: [gentoo-user] Re: {OT} Allow work from home?
On Thu, 21 Jan 2016 17:18:27 -0800, Grant wrote:

> > There is ZeroTier as a replacement for OpenVPN, and Syncthing for
> > syncing. Both are P2P solutions and you can run your own discovery
> > servers if you don't want any traffic going through a 3rd party
> > (although they don't send data through the servers).
> >
> > I've no idea whether that would meet your security criteria but it
> > certainly fulfils the "easier than OpenVPN" one. It will take only a
> > few minutes to install and setup using the public servers, although,
> > as I said, your network is never public, so you can check whether
> > they do what you want. Then you can look at hosting your own server
> > for security.
> >
> > https://www.zerotier.com/
> > https://syncthing.net/
>
> Zerotier looks especially interesting. Can I have machine A listen for
> Zerotier connections, have machine B connect to machine A via Zerotier,
> have machine C connect to machine A via Zerotier, and rsync push from B
> to C?

You set up a network and the machines all connect to that network, so A, B and C can all talk to each other.

> Does connecting two machines via Zerotier involve any security
> considerations besides those involved when connecting those machines to
> the internet? In other words, is it a simple network connection or are
> other privileges involved with that connection?

Connections are encrypted, handled by the ZeroTier protocols, but otherwise it behaves like a normal network connection.

> Can I somehow require the Zerotier connection between machines A and C
> in order for C to pass HTTP basic authentication on my web server which
> resides elsewhere? Maybe I can route all traffic from machine C to my
> web server through C's Zerotier connection to A and lock down basic
> authentication on my web server to machine A?

Your ZeroTier connections are on a separate network, you pick an address block when you set up the network but that network is only accessible to other machines connected to your ZeroTier network. You can have ZT allocate addresses within that block, it's not dynamic addressing because once a client is given an address, it always gets the same address, or you can specify the address for each client. So you can include an address requirement in your .htaccess to ensure connections are only allowed from your ZT network.

-- 
Neil Bothwick

furbling, v.: Having to wander through a maze of ropes at an airport or bank even when you are the only person in line.
-- Rich Hall, "Sniglets"
Re: [gentoo-user] Re: {OT} Allow work from home?
On Fri, 22 Jan 2016 07:52:12 -0500, Rich Freeman wrote:

> My understanding is that ZT does not support routing of any kind.
> Traffic destined to a ZT peer goes directly to that peer, and that's
> it. You can't route over ZT and onto a subnet on a remote peer's
> network, or from one peer to another, or anything like that.

You can set up one machine on a LAN as a bridge, that then connects your ZT clients to the LAN, much like a traditional VPN.

-- 
Neil Bothwick

I used to have a handle on life, then it broke.
[gentoo-user] Re: {OT} Allow work from home?
> > > Zerotier looks especially interesting. Can I have machine A listen for
> > > Zerotier connections, have machine B connect to machine A via Zerotier,
> > > have machine C connect to machine A via Zerotier, and rsync push from B
> > > to C?
> >
> > You set up a network and the machines all connect to that network, so A,
> > B and C can all talk to each other.
> >
> > > Does connecting two machines via Zerotier involve any security
> > > considerations besides those involved when connecting those machines to
> > > the internet? In other words, is it a simple network connection or are
> > > other privileges involved with that connection?
> >
> > Connections are encrypted, handled by the ZeroTier protocols, but
> > otherwise it behaves like a normal network connection.
> >
> > > Can I somehow require the Zerotier connection between machines A and C
> > > in order for C to pass HTTP basic authentication on my web server which
> > > resides elsewhere? Maybe I can route all traffic from machine C to my
> > > web server through C's Zerotier connection to A and lock down basic
> > > authentication on my web server to machine A?
> >
> > Your ZeroTier connections are on a separate network, you pick an address
> > block when you set up the network but that network is only accessible to
> > other machines connected to your ZeroTier network. You can have ZT
> > allocate addresses within that block, it's not dynamic addressing because
> > once a client is given an address, it always gets the same address, or you
> > can specify the address for each client. So you can include an address
> > requirement in your .htaccess to ensure connections are only allowed from
> > your ZT network.
>

The answer to this may be an obvious "yes" but I've never done it so I'm not sure. Can I route requests from machine C through machine A only for my domain name, and not involve A for C's other internet requests? If so, where is that configured?

BTW, how did you find ZT? Pity there's no ebuild yet.

- Grant
Re: [gentoo-user] Re: {OT} Allow work from home?
On Fri, Jan 22, 2016 at 7:29 AM, Grant wrote:
>
> The answer to this may be an obvious "yes" but I've never done it so I'm not
> sure. Can I route requests from machine C through machine A only for my
> domain name, and not involve A for C's other internet requests? If so,
> where is that configured?
>
> BTW, how did you find ZT? Pity there's no ebuild yet.
>

My understanding is that ZT does not support routing of any kind.
Traffic destined to a ZT peer goes directly to that peer, and that's
it. You can't route over ZT and onto a subnet on a remote peer's
network, or from one peer to another, or anything like that.

So, ZT isn't even capable of routing internet traffic right now, so none
of it will go over ZT. For other VPNs it is all IP and routing works
however you define it on either side. You can make a VPN your default
route, or not, etc. You can do whatever iproute2/iptables/etc allows on
linux hosts. I imagine windows is a bit less flexible but I'm sure you
can define which interface is the default route.

-- 
Rich
Re: [gentoo-user] Re: {OT} Allow work from home?
On Fri, 22 Jan 2016 04:29:00 -0800, Grant wrote:

> The answer to this may be an obvious "yes" but I've never done it so I'm
> not sure. Can I route requests from machine C through machine A only
> for my domain name, and not involve A for C's other internet requests?
> If so, where is that configured?

While ZT can be used to route requests between networks, it is mainly
used to talk directly between clients. If A wants to talk to C over ZT,
it uses C's ZT IP address. Here's a snippet from ifconfig on this
machine, which may help it make sense to you

wlan0: flags=4163  mtu 1500
        inet 192.168.1.6  netmask 255.255.255.0  broadcast 192.168.1.255
        ether c4:8e:8f:f7:55:c9  txqueuelen 1000  (Ethernet)

zt0: flags=4163  mtu 2800
        inet 10.252.252.6  netmask 255.255.255.0  broadcast 10.252.252.255

To talk to this computer from another of my machines over ZT I would use
the 10.252... address. If you tried that address, you'd get nowhere as
you are not connected to my network.

Set up a network and play with it. It costs nothing to set up a network
with up to 10 clients. The main benefit is that it is so easy to
administer and add new clients. If you use it between two machines in the
same LAN, the traffic doesn't go outside of the LAN, so it works at more
or less the same speed.

> BTW, how did you find ZT? Pity there's no ebuild yet.

Someone mentioned it during a talk at Liverpool LUG. It wasn't the topic
of the talk, he just used it to grab something from his home network to
answer a question.

An ebuild would be nice, but the installer script works perfectly here,
both for systemd and openrc systems.

-- 
Neil Bothwick

In the 60's people took acid to make the world weird. Now the world is
weird and people take Prozac to make it normal.
Re: [gentoo-user] Shutdown through systemctl as a normal user
On Sat, Jan 16, 2016 at 1:34 PM, lukash wrote:
> Hi all,
>
> I'm reading on the internet that systemctl poweroff should work for
> normal user if he is the only one logged in, he is logged in locally
> and his session is active. I seem to be meeting these conditions:
>
> # loginctl
>    SESSION        UID USER             SEAT
>          2       1000 lukash           seat0
>
> $ loginctl show-session 2
> Id=2
> User=1000
> Name=lu
> Timestamp=Sat 2016-01-16 17:27:30 CET
> TimestampMonotonic=9614418
> VTNr=7
> Seat=seat0
> Display=:0
> Remote=no
> Service=lightdm
> Desktop=awesome
> Scope=session-2.scope
> Leader=529
> Audit=2
> Type=x11
> Class=user
> Active=yes
> State=active
> IdleHint=no
> IdleSinceHint=0
> IdleSinceHintMonotonic=0
>
> But invoking the command gives me:
>
> $ systemctl poweroff
> Failed to set wall message, ignoring: Access denied
> Failed to power off system via logind: Access denied
> Failed to start poweroff.target: Access denied
>
> How is this supposed to work on Gentoo?

Make sure you have USE=policykit set for sys-apps/systemd.
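To see which of the conditions lukash lists is actually met, here is an added example (not from the thread): a small sh script that applies the conditions logind's default polkit policy cares about to `loginctl` output. With policykit support built in, logind asks polkit, whose shipped policy allows a power-off from an active local session without further authentication and asks for admin authentication when other users' sessions exist; without polkit support there is nothing to ask, so an unprivileged caller is simply denied, which is the "Access denied" above. The session properties and session list below are constructed to mirror lukash's output.

```shell
#!/bin/sh
# Added example, not from the thread.  Evaluates the active/local/only
# session conditions from `loginctl` output so the failing one can be
# identified before suspecting the polkit build of sys-apps/systemd.

# Constructed output of `loginctl show-session 2`, trimmed to the
# properties that matter here.
SESSION_PROPS='Id=2
User=1000
Seat=seat0
Remote=no
Active=yes
State=active'

# Constructed output of `loginctl list-sessions --no-legend`
# (session, uid, user, seat).  A second line means another session is
# logged in and polkit asks for admin authentication instead.
SESSION_LIST='2 1000 lukash seat0'

# session_is_local_active PROPS: succeed when Remote=no, a Seat is set
# and Active=yes in the key=value properties.
session_is_local_active() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "Remote" { remote = $2 }
        $1 == "Seat"   { seat   = $2 }
        $1 == "Active" { active = $2 }
        END { exit !(remote == "no" && seat != "" && active == "yes") }'
}

# session_count LIST: number of sessions in list-sessions output.
session_count() {
    printf '%s\n' "$1" | grep -c .
}

# unprivileged_poweroff_allowed PROPS LIST: the caller's session must be
# local and active, and it must be the only session on the machine.
unprivileged_poweroff_allowed() {
    session_is_local_active "$1" && [ "$(session_count "$2")" -eq 1 ]
}

if unprivileged_poweroff_allowed "$SESSION_PROPS" "$SESSION_LIST"; then
    echo "session passes the active/local/only-session conditions"
else
    echo "session does not pass; expect Access denied from logind"
fi
```

On a real system feed it `loginctl show-session "$XDG_SESSION_ID"` and `loginctl list-sessions --no-legend`; if both checks pass and logind still refuses, the remaining suspect is polkit itself (not built in, or the polkit daemon not running).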
[gentoo-user] Re: What is forcing the qt4 USE flag?
On 23/01/16 09:21, Michael Palimaka wrote:
> On 01/23/2016 06:04 AM, Nikos Chantziaras wrote:
> > I have a weird problem. I have an ebuild where either qt4 or qt5 can be
> > enabled. They are both disabled by default and I have to choose which
> > one I want. The ebuild does that with:
> >
> > IUSE="qt4 qt5"
> > REQUIRED_USE="^^ ( qt4 qt5 )"
> >
> > I'm on the plasma profile which enabled qt5 automatically. However,
> > portage complains:
> >
> > The following REQUIRED_USE flag constraints are unsatisfied:
> > exactly-one-of ( qt4 qt5 )
> >
> > The qt4 USE flag is enabled. I can't see where. I didn't enable it
> > anywhere in any of my /etc/portage/* files. If I emerge with:
> >
> > USE="-qt4" emerge package
> >
> > then it works. So I have to explicitly disable the qt4 USE flag even
> > though I didn't enable it in the first place.
> >
> > Can someone enlighten me?
>
> Which package is it? We can add an entry to the Plasma profile's
> package.use to avoid the REQUIRED_USE.

It's my own ebuilds (in an overlay.) I wasn't setting either USE flag in
the ebuilds at all and this spooked me. Turns out it's the parent profile
of the plasma profile doing this.

What would be really nice to have in portage is if the profiles were able
to say "if qt4 and qt5 are both supported but mutually exclusive, prefer
qt5 unless the user or the ebuild itself has specified otherwise". But I
guess it would be hairy to implement that. (It would help with other such
USE flags as well, not just qt4 vs qt5.)
[gentoo-user] Re: What is forcing the qt4 USE flag?
On 22/01/16 21:45, Mick wrote:
> On Friday 22 Jan 2016 21:04:48 Nikos Chantziaras wrote:
> > I have a weird problem. I have an ebuild where either qt4 or qt5 can be
> > enabled. They are both disabled by default and I have to choose which
> > one I want. The ebuild does that with:
> >
> > IUSE="qt4 qt5"
> > REQUIRED_USE="^^ ( qt4 qt5 )"
> >
> > I'm on the plasma profile which enabled qt5 automatically. However,
> > portage complains:
> >
> > The following REQUIRED_USE flag constraints are unsatisfied:
> > exactly-one-of ( qt4 qt5 )
> >
> > The qt4 USE flag is enabled. I can't see where. I didn't enable it
> > anywhere in any of my /etc/portage/* files. If I emerge with:
> >
> > USE="-qt4" emerge package
> >
> > then it works. So I have to explicitly disable the qt4 USE flag even
> > though I didn't enable it in the first place.
> >
> > Can someone enlighten me?
>
> euse -I qt4 should provide some pointers. It may be your desktop profile?

Yep, it's the parent profile of the plasma profile. This results in both
qt4 and qt5 being set.
[gentoo-user] Re: What is forcing the qt4 USE flag?
On 01/23/2016 06:04 AM, Nikos Chantziaras wrote:
> I have a weird problem. I have an ebuild where either qt4 or qt5 can be
> enabled. They are both disabled by default and I have to choose which
> one I want. The ebuild does that with:
>
> IUSE="qt4 qt5"
> REQUIRED_USE="^^ ( qt4 qt5 )"
>
> I'm on the plasma profile which enabled qt5 automatically. However,
> portage complains:
>
> The following REQUIRED_USE flag constraints are unsatisfied:
> exactly-one-of ( qt4 qt5 )
>
> The qt4 USE flag is enabled. I can't see where. I didn't enable it
> anywhere in any of my /etc/portage/* files. If I emerge with:
>
> USE="-qt4" emerge package
>
> then it works. So I have to explicitly disable the qt4 USE flag even
> though I didn't enable it in the first place.
>
> Can someone enlighten me?
>
>

Which package is it? We can add an entry to the Plasma profile's
package.use to avoid the REQUIRED_USE.
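Nikos traced the flag to the parent profile of the plasma profile, and Mick's `euse -I qt4` is the ready-made tool for that. The script below is an added example written for this digest (not from the thread, gentoolkit or portage) that does the same search by hand: it walks a profile's `parent` chain and prints every make.defaults, use.force or use.mask in that chain which mentions a given flag, so you can see exactly which ancestor sets it. It builds a constructed three-level tree (base, desktop, plasma) so it runs without a real portage tree; on a live system point it at /etc/portage/make.profile. It assumes plain relative paths in `parent` files and single-line `USE="..."` assignments, so it does not handle the repo-qualified `gentoo:targets/...` form or backslash line continuations.

```shell
#!/bin/sh
# Added example, not from the thread.  Gentoo profiles inherit through a
# `parent` file, so a USE flag you never set can come from any ancestor.
# profile_chain walks that chain; use_flag_sources reports where a flag is
# enabled, disabled, forced or masked along it.

# profile_chain DIR: print DIR's ancestors (parents first, in the order
# portage applies them) followed by DIR.  The body is a subshell so each
# recursion level keeps its own variables.
profile_chain() (
    dir=$(cd "$1" && pwd) || exit 1
    if [ -r "$dir/parent" ]; then
        while read -r p; do
            if [ -n "$p" ]; then
                profile_chain "$dir/$p"
            fi
        done < "$dir/parent"
    fi
    printf '%s\n' "$dir"
)

# use_flag_sources DIR FLAG: print "file: setting" for every profile file
# in DIR's chain that mentions FLAG (as "qt4" or "-qt4").
use_flag_sources() {
    flag=$2
    profile_chain "$1" | while read -r d; do
        if [ -r "$d/make.defaults" ]; then
            # Take the value inside USE="..." and look for the bare flag.
            sed -n 's/^USE="\(.*\)"/\1/p' "$d/make.defaults" | tr ' ' '\n' \
                | grep -x -e "$flag" -e "-$flag" \
                | sed "s|^|$d/make.defaults: USE |"
        fi
        for f in use.force use.mask; do
            if [ -r "$d/$f" ]; then
                grep -x -e "$flag" -e "-$flag" "$d/$f" | sed "s|^|$d/$f: |"
            fi
        done
    done
    return 0
}

# build_demo_profiles: construct a three-level tree (base <- desktop <-
# plasma) under a temporary directory and print its path.  The contents
# are made up for the demonstration; real profiles carry far more.
build_demo_profiles() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/base" "$root/desktop" "$root/plasma"
    printf 'USE="X qt4"\n' > "$root/base/make.defaults"
    printf '../base\n' > "$root/desktop/parent"
    printf 'USE="${USE} qt5"\n' > "$root/desktop/make.defaults"
    printf '../desktop\n' > "$root/plasma/parent"
    printf 'multilib\n' > "$root/plasma/use.force"
    printf '%s\n' "$root"
}

root=$(build_demo_profiles)
use_flag_sources "$root/plasma" qt4
# prints: <root>/base/make.defaults: USE qt4
rm -rf "$root"
```

Because the chain is printed parents first, the output order is also the order in which portage merges the settings, so the last line for a flag is the one that wins before /etc/portage and the ebuild's own IUSE defaults are applied.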
[gentoo-user] spike-community-overlay
Well this one is new to me. Googling reveals the spike linux distro is a
version of Sabayon, which is based on gentoo. So 'eix -R cassandra' ::

dev-db/cassandra [5]
     Available versions:  0.6.1 ~0.7.0-r2 ~2.0.7 ~2.0.10 ~2.1.3 ~2.12 {doc ELIBC="FreeBSD"}
     Homepage:            http://cassandra.apache.org/

[5] "spike-community-overlay" layman/spike-community-overlay

Does anyone have experience with any spike overlays? Are they of good
quality? It seems they have the latest ebuild-release of the cassandra of
all the ebuilds, but that's not close to the latest release (3.2.1). All
comments are welcome; if there is no 3.x ebuild anywhere, I guess I'll try
my hand at an EAPI-6 ebuild for cassandra.

James
[gentoo-user] Re: {OT} Allow work from home?
Neil Bothwick writes:

> > The answer to this may be an obvious "yes" but I've never done it so I'm
> > not sure. Can I route requests from machine C through machine A only
> > for my domain name, and not involve A for C's other internet requests?
> > If so, where is that configured?

From what I read, 10 nodes or less are free. I'd be willing to participate
as a remote node so a small group of gentoo users can figure this out and
document some example configurations, as it seems to be very interesting
and useful. Additionally, a custom set of iptables rules or a bridge-filter
would be keen information to add to a gentoo wiki page on this topic, imho.

This could also be a wonderful way for proxy-maintainers to hang in a group
and work more closely on things like digesting EAPI-6 and teaming up on more
complex ebuild issues.

It does sound like fun!

James
Re: [gentoo-user] {OT} Allow work from home?
lee wrote:
> Rich Freeman writes:
>
> > On Tue, Jan 19, 2016 at 5:22 PM, lee wrote:
> >> "J. Roeleveld" writes:
> >>
> >> How does that work? IIUC, when you created a snapshot, any changes you
> >> make to the snapshotted (or how that is called) file system are being
> >> referenced by the snapshot which you can either destroy or abandon.
> >> When you destroy it, the changes you made are being applied to the
> >> file system you snapshotted (because someone decided to use a very
> >> misleading terminology), and when you abandon it, the changes are thrown
> >> away and you end up with the file system as it was before the snapshot
> >> was created.
> >>
> >> In any case, you do not get multiple versions (which only reference the
> >> changes made) of the file system you snapshotted but only one current
> >> version.
> >>
> >> Do you need to use a special file system or something which provides
> >> this kind of multiple copies when you make snapshots?
> >>
> >
> > And that is exactly what zfs and btrfs provide. Snapshots are full
> > citizens. If I create a snapshot of a directory in btrfs it is
> > essentially indistinguishable from running cp -a on the directory,
> > except the snapshot takes only seconds to create almost entirely
> > regardless of size, and takes almost no space until changes are made.
> > Later I can delete the snapshot, or delete the original, or keep both
> > indefinitely making changes to either.
>
> Hm, I must be misunderstanding snapshots entirely.
>
> What happens when you remove a snapshot after you modified the
> "original" /and/ the snapshot? You destroy at least one of them, so you
> can never get rid of the snapshot in a non-destructive way?
>
> My understanding is that when you make a snapshot, you get a copy that
> doesn't change which you can somehow use to make backups. When the
> backup is finished, you can remove the snapshot, and the changes that
> were made in the meantime are not lost --- unless you decide to throw
> them away when removing the snapshot, in which case you get a rollback.
>
> To make things more complicated, I've seen zfs refusing to remove a
> snapshot and saying that something is recursive (IIRC), and it didn't
> make any sense anymore. So I left everything as it was because I didn't
> want to lose data, and a while later, I removed this very same snapshot
> without getting issues as before. Weird behaviour makes snapshots
> rather scary, so I avoid them now.
>
> There seems to be some sort of relationship between a snapshot and the
> "original" which limits what you can do with a snapshot, like the
> snapshot is somehow attached to the "original". At least that makes
> some sense to me because no real copy is created when you make a
> snapshot. But how do you detach a snapshot from the "original" so that
> you could safely modify both?

In zfs you can clone the snapshot and it will be independent, but I am
new at zfs, so check it out.

-- 
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?
John Covici
cov...@ccs.covici.com
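The relationship lee is asking about is ZFS's origin property: a clone is a writable filesystem whose origin points at the snapshot it was created from, and while any clone exists `zfs destroy` of that snapshot fails with "snapshot has dependent clones" and offers -R, which is the recursive message lee ran into and which would take the clones down with the snapshot. The added sh script below (not from the thread, and not a ZFS tool) reads a constructed `zfs list` listing so the dependency can be inspected without a pool: clones_of shows what a destroy -R would remove, and detach_plan prints the `zfs promote` step that makes a clone stop depending on its origin. The dataset names are made up.

```shell
#!/bin/sh
# Added example, not from the thread.  Inspect ZFS clone/origin
# dependencies from a `zfs list` listing before touching a snapshot.

# Constructed output of: zfs list -H -t filesystem -o name,origin
# ("-" marks datasets that are not clones)
ZFS_LIST='tank/vm-base -
tank/vm1a tank/vm-base@base
tank/vm1b tank/vm-base@base
tank/scratch -'

# clones_of SNAPSHOT: print every filesystem whose origin is SNAPSHOT.
# These are exactly the datasets that block `zfs destroy SNAPSHOT`, and
# the ones `zfs destroy -R SNAPSHOT` would destroy along with it.
clones_of() {
    printf '%s\n' "$ZFS_LIST" | awk -v snap="$1" '$2 == snap { print $1 }'
}

# origin_of FILESYSTEM: print its origin snapshot, or "-" if not a clone.
origin_of() {
    printf '%s\n' "$ZFS_LIST" | awk -v fs="$1" '$1 == fs { print $2 }'
}

# detach_plan CLONE: print the command that makes CLONE stop depending on
# its origin.  `zfs promote` reverses the relationship: the origin snapshot
# (and older snapshots of the parent) move to CLONE, and the former parent
# becomes the dataset with an origin.  A copy that depends on nothing at
# all needs `zfs send | zfs receive` instead of a promote.
detach_plan() {
    origin=$(origin_of "$1")
    if [ -z "$origin" ] || [ "$origin" = "-" ]; then
        echo "$1 is not a clone; nothing to promote"
        return 1
    fi
    echo "zfs promote $1"
}

echo "clones blocking 'zfs destroy tank/vm-base@base':"
clones_of tank/vm-base@base
detach_plan tank/vm1a
```

On a real pool replace the constructed listing with the output of the `zfs list` command in the comment; the origin column is what tells you whether a destroy will be refused, and it is also why a snapshot that refused to go one day can be removed later once its clones are gone or promoted.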