Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread lee
"J. Roeleveld"  writes:

> On Tuesday, January 19, 2016 11:22:02 PM lee wrote:
>> "J. Roeleveld"  writes:
>> > [...]
>> > If disk-space is considered too expensive, you could even have every VM
>> > use
>> > the same base image. And have them store only the differences of the disk.
>> > eg:
>> > 1) Create a VM
>> > 2) Snapshot the disk (with the VM shutdown)
>> > 3) create a new VM based on the snapshot
>> > 
>> > Repeat 2 and 3 for as many clones you want.
>> > 
>> > Most installs don't change that much when dealing with standardized
>> > desktops.
>> How does that work?  IIUC, when you created a snapshot, any changes you
>> make to the snapshotted (or how that is called) file system are being
>> referenced by the snapshot which you can either destroy or abandon.
>> When you destroy it, the changes you made are being applied to the
>> file system you snapshotted (because someone decided to use a very
>> misleading terminology), and when you abandon it, the changes are thrown
>> away and you end up with the file system as it was before the snapshot
>> was created.
>> 
>> In any case, you do not get multiple versions (which only reference the
>> changes made) of the file system you snapshotted but only one current
>> version.
>> 
>> Do you need to use a special file system or something which provides
>> this kind of multiple copies when you make snapshots?
>
> I use LVM for this.
>
> Steps are simple:
> 1) Create a LV (lv_1)
> 2) Create and install a VM using this LV (lv_1)
> 3) Stop the VM
> 4) Create multiple snapshots based on lv_1 (slv_1a, slv_1b, ..)
> 5) Create multiple VMs using the snapshots (vm1a -> slv_1a, vm1b -> slv_1b, ...)
>
> Start the VMs
>
> This way you can overcommit on the actual diskspace as only changes are
> taking up diskspace.
> If you force everyone on the same base-image, the differences should not be
> too large.

I don't use lvm anymore.  It requires you to have unused space in the
same VG to make a snapshot (which, of course, I didn't have), and when
you need to move a volume from one machine to another, you're screwed
because you can't get the volume out of the volume group other than
moving it to a different media after attaching this media to the VG and
detaching it after the move.  Moving the volume to the new machine is
likewise a pita.  I lost a whole VM when I did that, and I have no idea
what might have happened to it.  I did copy it, and yet it somehow
disappeared.

> If you also force users to store files on a shared filesystem, it shouldn't
> be too much of a difficulty to occasionally move everyone to a new base-image
> when the updates are causing the snapshots to grow too much.

How do you force users to do that?  I tried that with some windoze 7
VMs, and according to the rules, users are not allowed to save anything
on their desktops, and nonetheless they can do that.  The installed
applications also create data in the disk space of the VM.  Their MUAs
do that, for example, and you may find users who have accumulated over
300GB for email storage.  Make the disk read-only, and the VM probably
won't even start.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread lee
"J. Roeleveld"  writes:

> On Wednesday, January 20, 2016 01:46:29 AM lee wrote:
>> "J. Roeleveld"  writes:
>> > On Tuesday, January 19, 2016 01:46:45 AM lee wrote:
>> >> "J. Roeleveld"  writes:
>> >> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
>> >> >> "J. Roeleveld"  writes:
>
>> >> > 
>> >> > Yes
>> >> > 
>> >> >> That would be a huge waste of resources,
>> >> > 
>> >> > Diskspace and CPU can easily be overcommitted.
>> >> 
>> >> Overcommitting disk space sounds like a very bad idea.  Overcommitting
>> >> memory is not possible with xen.
>> > 
>> > Overcommitting diskspace isn't such a bad idea, considering most installs
>> > never utilize all the available diskspace.
>> 
>> When they do not use it anyway, there is no reason to give it to them in
>> the first place.  And when they do use it, how do the VMs handle the
>> problem that they have plenty disk space available, from their point of
>> view, while the host which they don't know about doesn't allow them to
>> use it?
>
> 1 word: Monitoring.
> When you overcommit any resource, you need to put monitoring in place.
> Then you also need to ensure you have the ability to increase that resource 
> when required.

So you more or less frequently shrink your VMs back when the monitoring
informs you that you need to do that?  Isn't it more reasonable not to
overcommit but to increase the resource when required?

>> Besides, overcommitting disk space means to intentionally create a setup
>> which involves that the host can run out of disk space easily.  That is
>> not something I would want to create for a host which is required to
>> function reliably.
>
> The host should not crash when a VM does or when the storage assigned to VMs 
> fills up.
> If it does, go back to the drawing board and fix your design.

I didn't say that the host would crash.  I wouldn't consider a VM which
is bound to run out of disk space as reliable, especially when it is
bound to run out of disk space because other VMs which are also bound to
run out of disk space use the disk space which the VM would need that's
running out.

>> And how much do you need to worry about the security of the VMs when you
>> build in a way for the users to bring the whole machine, or at least
>> random VMs, down by using the disk space which has been assigned to
>> them?  The users are somewhat likely to do that even unintentionally,
>> the more the more you overcommit.
>
> See comment about monitoring.
> If all your users tend to fill up all available diskspace, you obviously can 
> not overcommit on diskspace.

Have you ever seen a disk that doesn't fill up, the larger the disk, the
more it fills?

>> > Overcommitting memory is, I think, on the roadmap for Xen. (Disclaimer: At
>> > least, I seem to remember reading that somewhere)
>> 
>> That would be a nice feature.
>
> For VDIs, I might consider using it.
> But considering most OSs tend to fill up all available memory with caches, I 
> expect performance issues.

It depends on how you use it.

>> >> >> plus having to take care of a lot of VMs,
>> >> > 
>> >> > Automated.
>> >> 
>> >> Like how?
>> > 
>> > How do you manage a large amount of physical machines?
>> > Just change physical to VMs and do it the same.
>> > With VMs you have more options for automation.
>> 
>> Individually, in lack of a better way.  Per user when it comes to
>> setting up their MUAs and the like, in lack of any better way.  It
>> doesn't make a difference if it's a VM or not, provided that you have
>> remote access to the machine.
>
> This is where management tools come into play. (Same methods apply to
> physical and virtual)
>
> When talking MS Windows, domains with their policies are very useful. Couple 
> that with WSUS for the patching and software distribution tools for the 
> additional software installs, and you have a very nice setup.

I don't like what they call "domains".  They tend to get in the way, and
when you want to take a machine out of one, all the users need to be set
up anew.

Is WSUS of any use without domains?  If it is, I should take a look at
it.

> For Linux, I would recommend tools like Ansible or Puppet to control the 
> software on the machines.

Does it really have an advantage over logging in remotely?

> For any OS, I would prevent my users from installing random software. And
> what is installed, would be mostly pre-configured out-of-the-box.

And how do you preconfigure everything for each user?  It would sure be
nice if I could, say, install seamonkey and have every existing and new
user set up they way they are supposed to be set up without having to do
that for every user individually, on a number of VMs.

>> When you have one VM for many users, you install the MUA only once, and when
>> you need to do updates, you do them only once.  When you have many VMs,
>> like one for each user, you have to install and update many times, once
>> on each VM.
>
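The snapshot-per-VM layout from the first message and the "put monitoring in place" point from this one, as an added example that is not code from the thread: a POSIX shell check over the fill level of classic LVM snapshots. It is the figure that answers lee's question about the VM believing it has space the host cannot give it: a non-thin snapshot whose copy-on-write area fills up is marked invalid by LVM, and the VM on it loses its disk. The lvs invocation, the thresholds and the sample table are assumptions or constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Monitors the fill level of the
# classic (non-thin) LVM snapshots that back the cloned VMs: when such a
# snapshot's copy-on-write area fills up, LVM marks the snapshot invalid and
# the VM running on it loses its disk. Snap% is therefore the figure to watch
# when the volume group is overcommitted.
#
# In production the table comes from this (assumed) invocation:
#   lvs --noheadings --separator , -o lv_name,origin,snap_percent vg0
# SAMPLE_LVS is constructed output in that format (leading blanks included).
SAMPLE_LVS='  lv_1,,
  slv_1a,lv_1,12.35
  slv_1b,lv_1,83.20
  slv_1c,lv_1,97.01
  lv_home,,'

WARN_PCT=80   # assumed thresholds; pick them to match how fast snapshots grow
CRIT_PCT=95

# Print "name origin percent" for every snapshot (rows that have an origin)
snapshots() {
    printf '%s\n' "$SAMPLE_LVS" | awk -F, '
        { gsub(/^[ \t]+/, "", $1) }
        $2 != "" { print $1, $2, int($3) }'
}

# Map a fill percentage to OK, WARN or CRIT
classify() {
    if [ "$1" -ge "$CRIT_PCT" ]; then echo CRIT
    elif [ "$1" -ge "$WARN_PCT" ]; then echo WARN
    else echo OK
    fi
}

# Snapshots at or above the warning threshold, fullest first:
# "STATE name origin percent"
snapshots_over_threshold() {
    snapshots | while read -r name origin pct; do
        state=$(classify "$pct")
        if [ "$state" != OK ]; then
            echo "$state $name $origin $pct"
        fi
    done | sort -k4,4 -n -r
}

# Aggregate status for a monitoring agent: 0 OK, 1 WARN, 2 CRIT
worst_state() {
    worst=0
    for s in $(snapshots_over_threshold | awk '{ print $1 }'); do
        if [ "$s" = CRIT ]; then worst=2
        elif [ "$s" = WARN ] && [ "$worst" -lt 1 ]; then worst=1
        fi
    done
    echo "$worst"
}

snapshots_over_threshold
echo "aggregate status: $(worst_state)"
```

Run it from cron or a monitoring agent and act on WARN before CRIT: a classic snapshot can be grown with lvextend while it is still valid, or the VM can be moved to a fresh base image as Joost describes. For thin-provisioned snapshots the failure mode is the thin pool filling rather than one snapshot, so the field to watch there is the pool's data_percent instead of snap_percent.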

Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread lee
Rich Freeman  writes:

> On Tue, Jan 19, 2016 at 5:08 PM, lee  wrote:
>>
>> BTW, is it as easy to give a graphics card to a container as it is to
>> give it a network card?
>
> I've never tried it, but I'd think that the container could talk to a
> graphics card.

Maybe ... it's really easy with network cards.

>> What if you have a container for each user who
>> somehow logs in remotely to an X session?  Do (can) you run X sessions
>> that do not have a console and do not need a (dedicated) graphics card
>> (just for users logging in remotely)?
>
> You don't need to even have a graphics card to serve X11 via vnc or
> nx.  You could probably serve them even if your only server console
> was a serial console.  Just run x11vnc or whatever it is called - it
> is an X server whose only framebuffer is a VNC session.  I think NX
> uses the same server, but I'd have to check.  Of course, you wouldn't
> have 3D acceleration with this server, not that you'd be using it
> over NX/VNC.

That might be a problem when you want to use kde or gnome?

And I thought vnc sends a copy of what is displayed on the screen, so if
you were running a program that renders something on the screen and
uses/requires a graphics card for that, you should be able to see what
it renders.  If you can't see that, vnc is of very limited use.  How
does RDP deal with this?



Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread lee
Rich Freeman  writes:

> On Tue, Jan 19, 2016 at 5:22 PM, lee  wrote:
>> "J. Roeleveld"  writes:
>>
>> How does that work?  IIUC, when you created a snapshot, any changes you
>> make to the snapshotted (or how that is called) file system are being
>> referenced by the snapshot which you can either destroy or abandon.
>> When you destroy it, the changes you made are being applied to the
>> file system you snapshotted (because someone decided to use a very
>> misleading terminology), and when you abandon it, the changes are thrown
>> away and you end up with the file system as it was before the snapshot
>> was created.
>>
>> In any case, you do not get multiple versions (which only reference the
>> changes made) of the file system you snapshotted but only one current
>> version.
>>
>> Do you need to use a special file system or something which provides
>> this kind of multiple copies when you make snapshots?
>>
>
> And that is exactly what zfs and btrfs provide. Snapshots are full
> citizens.  If I create a snapshot of a directory in btrfs it is
> essentially indistinguishable from running cp -a on the directory,
> except the snapshot takes only seconds to create almost entirely
> regardless of size, and takes almost no space until changes are made.
> Later I can delete the snapshot, or delete the original, or keep both
> indefinitely making changes to either.

Hm, I must be misunderstanding snapshots entirely.

What happens when you remove a snapshot after you modified the
"original" /and/ the snapshot?  You destroy at least one of them, so you
can never get rid of the snapshot in a non-destructive way?

My understanding is that when you make a snapshot, you get a copy that
doesn't change which you can somehow use to make backups.  When the
backup is finished, you can remove the snapshot, and the changes that
were made in the meantime are not lost --- unless you decide to throw
them away when removing the snapshot, in which case you get a rollback.

To make things more complicated, I've seen zfs refusing to remove a
snapshot and saying that something is recursive (IIRC), and it didn't
make any sense anymore.  So I left everything as it was because I didn't
want to lose data, and a while later, I removed this very same snapshot
without getting issues as before.  Weird behaviour makes snapshots
rather scary, so I avoid them now.

There seems to be some sort of relationship between a snapshot and the
"original" which limits what you can do with a snapshot, like the
snapshot is somehow attached to the "original".  At least that makes
some sense to me because no real copy is created when you make a
snapshot.  But how do you detach a snapshot from the "original" so that
you could safely modify both?



Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread lee
Alec Ten Harmsel  writes:

> On Tue, Jan 19, 2016 at 10:56:21PM +0100, lee wrote:
>> Alec Ten Harmsel  writes:
>> >
>> > Depends on how the load is. Right now I have a 500GB HDD at work. I use
>> > VirtualBox and vagrant for testing various software. Every VM in
>> > VirtualBox gets a 50GB hard disk, and I generally have 7 or 8 at a time.
>> > Add in all the other stuff on my system, which includes a 200GB dataset,
>> > and the disk is overcommitted. Of course, none of the VirtualBox disks
>> > use anywhere near 50GB.
>> 
>> True, that's for testing when you do know that the disk space will not
>> be used and have no trouble when it is.  When you have the VMs in
>> production and users (employees) using them, you don't know when they
>> will run out of disk space and trouble ensues.
>
> Almost. Here is an equal example: I am an admin on an HPC cluster. We
> have a shared Lustre filesystem that people store work files in while
> they are running jobs. It has around 1PB of capacity. As strange as this
> may sound, this filesystem is overcommitted (we have 20,000 cores,
> that's only 52GB per core, not even close to enough for more than half a
> year of data accumulation).  Unused data is deleted after 90 days, which
> is why it can be overcommitted.

Why do you need to overcommit in the first place when you don't need
that much disk space anyway?  And it only works because you "shrink" the
disk space used by deleting data.

> Extending this to a more realistic example without automatic data
> deletion is trivial. Imagine you are a web hosting provider. You allow
> each client unlimited disk space, so you're automatically overcommitted.
> In the aggregate, even though one client may increase their usage
> extremely quickly, total usage rises slowly, giving you more than enough
> time to increase the storage capacity of whatever backing filesystem is
> hosting their files.

I'm a customer of such a provider that used to do that, and they stopped
giving their customers unlimited disk space years ago.  I guess they
found out that they can't possibly keep up with the demand, at least not
without charging more.

>> > All Joost is saying is that most resources can be overcommitted, since
>> > all the users will not be using all their resources at the same time.
>> 
>> How do you overcommit disk space and then shrink the VMs automatically
>> when disk usage gets lower again?
>> 
>
> Sorry, my previous example was bad, since the normal strategy is to
> expand when necessary as far as I know. See above.

Well, that's exactly the problem.  Once a VM has grown, it won't shrink
automatically, which soon breaks the overcommitment.



Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread Rich Freeman
On Thu, Jan 21, 2016 at 4:35 PM, lee  wrote:
> And I thought vnc sends a copy of what is displayed on the screen, so if
> you were running a program that renders something on the screen and
> uses/requires a graphics card for that, you should be able to see what
> it renders.  If you can't see that, vnc is of very limited use.  How
> does RDP deal with this?

VNC sends a copy of what is in the framebuffer, which may or may not
be displayed on a physical screen.  You can have a framebuffer on a
machine that has no display outputs at all.  You can have 10,000
different framebuffers running on the PC you're working on right now
assuming you have the RAM for it.  I haven't set this up recently, but
I believe that's basically what x2go does out of the box (except it
uses NX instead of VNC).

RDP is capable of functioning without physical console attached.
Consumer versions of windows may block doing much of this for
licensing reasons, but certainly at work we've had 20+ users connected
a single citrix server at once.

-- 
Rich



Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread Rich Freeman
On Thu, Jan 21, 2016 at 5:00 PM, lee  wrote:
> Hm, I must be misunderstanding snapshots entirely.
>

Well, in the case of zfs/btrfs you are.  Different implementations
have different snapshotting features.

> What happens when you remove a snapshot after you modified the
> "original" /and/ the snapshot?  You destroy at least one of them, so you
> can never get rid of the snapshot in a non-destructive way?

If you remove a snapshot it goes away.  If you remove the original it
goes away.  There isn't anything strange going on.

With btrfs I can do this:

btrfs su create a
touch a/file
btrfs su snap a b
touch b/file2
echo "hello" >> a/file

a now contains file with the text hello in it.  b now contains file
which is empty and file2 which is empty.

If I delete a then it disappears.  If I delete b then it disappears.
They exist completely independently of each other.

In btrfs the command "btrfs su snap a b" is somewhat equivalent to
"cp -a a b" unless you look at what is going on closely.  The main
difference is that the first command takes almost zero time to
execute, and consumes little additional space.  This is true even if a
is a directory containing a million text files or 10TB of video.

Snapshots in btrfs just look like directories.  They're subvolumes,
and only subvolumes can be snapshotted.  I imagine that zfs is
slightly different, but with the same overall concept.

> My understanding is that when you make a snapshot, you get a copy that
> doesn't change which you can somehow use to make backups.

You can certainly use snapshots to make backups.  The snapshot is
already a backup, though stored on the same media.

> When the
> backup is finished, you can remove the snapshot, and the changes that
> were made in the meantime are not lost --- unless you decide to throw
> them away when removing the snapshot, in which case you get a rollback.

With btrfs at least there is no way to rollback a snapshot.  You can
of course just "mv a a.old ; mv b a ; btrfs su del a.old" and now your
snapshot has replaced the original copy (aside from any files which
happen to be open).

>
> To make things more complicated, I've seen zfs refusing to remove a
> snapshot and saying that something is recursive (IIRC), and it didn't
> make any sense anymore.  So I left everything as it was because I didn't
> want to lose data, and a while later, I removed this very same snapshot
> without getting issues as before.  Weird behaviour makes snapshots
> rather scary, so I avoid them now.

I couldn't tell you what that means.  Perhaps you discovered a bug.

Btrfs should always allow you to remove a subvolume (including one
created as a snapshot).  I believe they can be removed if they're in
use, and the effect is similar to removing a file that is in use.

> There seems to be some sort of relationship between a snapshot and the
> "original" which limits what you can do with a snapshot, like the
> snapshot is somehow attached to the "original".  At least that makes
> some sense to me because no real copy is created when you make a
> snapshot.  But how do you detach a snapshot from the "original" so that
> you could safely modify both?
>

In btrfs there is no relationship between a snapshot and the original
subvolume, other than them happening to share the same tree nodes
initially.  It isn't unlike what happens in git when you create a new
branch.  You end up with a new reference pointing to the same commit
and everything below that is shared between the two branches
initially.  If you touch one file then most of trees/blobs between the
branches are still shared, but the modified blob and all of its parent
trees are now separated.

Btrfs does mark snapshots as snapshots for some reason, but other than
a yes/no flag snapshots are the same as any subvolume.  They're not
linked in any way to the original and there is no straightforward way
to tell where a snapshot came from (well, other than either comparing
it against all the other subvolumes, ideally looking for shared tree
nodes).

-- 
Rich



Re: [gentoo-user] What is forcing the qt4 USE flag?

2016-01-22 Thread Mick
On Friday 22 Jan 2016 21:04:48 Nikos Chantziaras wrote:
> I have a weird problem. I have an ebuild where either qt4 or qt5 can be
> enabled. They are both disabled by default and I have to choose which
> one I want. The ebuild does that with:
> 
>IUSE="qt4 qt5"
>REQUIRED_USE="^^ ( qt4 qt5 )"
> 
> I'm on the plasma profile which enabled qt5 automatically. However,
> portage complains:
> 
>The following REQUIRED_USE flag constraints are unsatisfied:
>exactly-one-of ( qt4 qt5 )
> 
> The qt4 USE flag is enabled. I can't see where. I didn't enable it
> anywhere in any of my /etc/portage/* files. If I emerge with:
> 
>USE="-qt4" emerge package
> 
> then it works. So I have to explicitly disable the qt4 USE flag even
> though I didn't enable it in the first place.
> 
> Can someone enlighten me?

euse -I qt4

should provide some pointers.  It may be your desktop profile?

-- 
Regards,
Mick



Re: [gentoo-user] Re: {OT} Allow work from home?

2016-01-22 Thread Grant
>> The answer to this may be an obvious "yes" but I've never done it so I'm
>> not sure.  Can I route requests from machine C through machine A only
>> for my domain name, and not involve A for C's other internet requests?
>> If so, where is that configured?
>
> While ZT can be used to route requests between networks, but it is mainly
> used to talk directly between clients. If A wants to talk to C over ZT,
> it uses C's ZT IP address.
>
> Here's a snippet from ifconfig on this machine, which may help it make
> sense to you.
>
> wlan0: flags=4163  mtu 1500
> inet 192.168.1.6  netmask 255.255.255.0  broadcast 192.168.1.255
> ether c4:8e:8f:f7:55:c9  txqueuelen 1000  (Ethernet)
>
> zt0: flags=4163  mtu 2800
> inet 10.252.252.6  netmask 255.255.255.0  broadcast 10.252.252.255
>
> To talk to this computer from another of my machines over ZT I would use
> the 10.252... address. If you tried that address, you'd get nowhere as
> you are not connected to my network.


So if 10.252.252.6 were configured as a router, could I join your ZT
network and use iptables to route my example.com 80/443 requests to
10.252.252.6, thereby granting me access to my web apps which are
configured to only allow your machine's WAN IP?

The first couple paragraphs here make it sound like a centralized SaaS
as far as the setup phase of the connection:

https://www.zerotier.com/blog/?p=577

Is it possible (easy?) to run your own "core node" and so not interact
with the official core nodes at all?

- Grant



[gentoo-user] What is forcing the qt4 USE flag?

2016-01-22 Thread Nikos Chantziaras
I have a weird problem. I have an ebuild where either qt4 or qt5 can be 
enabled. They are both disabled by default and I have to choose which 
one I want. The ebuild does that with:


  IUSE="qt4 qt5"
  REQUIRED_USE="^^ ( qt4 qt5 )"

I'm on the plasma profile which enabled qt5 automatically. However, 
portage complains:


  The following REQUIRED_USE flag constraints are unsatisfied:
  exactly-one-of ( qt4 qt5 )

The qt4 USE flag is enabled. I can't see where. I didn't enable it 
anywhere in any of my /etc/portage/* files. If I emerge with:


  USE="-qt4" emerge package

then it works. So I have to explicitly disable the qt4 USE flag even 
though I didn't enable it in the first place.


Can someone enlighten me?




[gentoo-user] Re: {OT} Allow work from home?

2016-01-22 Thread Kai Krakow
On Wed, 20 Jan 2016 01:46:29 +0100, lee wrote:

> The time before, it wasn't
> a VM but a very slow machine, and that also took a week.  You can have
> the fastest machine on the world and Windoze always manages to bring
> it down to a slowness we wouldn't have accepted even 20 years ago.

This is mainly an artifact of Windows updates destroying locality of
data pretty fast and mainly a problem when running on spinning rust.
DLLs and data files needed for booting or starting specific
software become spread wide across the hard disk. Fragmentation isn't
the issue here - NTFS is pretty good at keeping it low. Still, the
right defragmentation tool will help you: I always recommend staying
away from the 1000 types of "tuning tools", they actually make it worse
and take away your chance of properly optimizing the on-disk file
layout. And I always recommend using MyDefrag and using its system disk
defrag profile to reorder the files in your hard disk. It takes ages
the first time it runs but it brings back your system to almost out of
the box boot and software startup time performance. It uses some very
clever ideas to place files into groups and into proper order - other
than using file mod and access times like other defrag tools do (which
even make the problem worse by doing so because this destroys locality
of data even more).

But even SSDs can use _proper_ defragmentation from time to time for
increased lifetime and performance (this is due to how the FTL works
and because erase blocks are huge, I won't get into detail unless
someone asks). This is why mydefrag also supports flash optimization.
It works by moving as few files as possible while coalescing free space
into big chunks which in turn relaxes pressure on the FTL and allows to
have more free and continuous erase blocks which reduces early flash
chip wear. A filled SSD with long usage history can certainly gain back
some performance from this.

-- 
Regards,
Kai

Replies to list-only preferred.




Re: [gentoo-user] What is forcing the qt4 USE flag?

2016-01-22 Thread Neil Bothwick
On Fri, 22 Jan 2016 19:45:29 +, Mick wrote:

> > Can someone enlighten me?  
> 
> euse -I qt4
> 
> should provide some pointers.  It may be your desktop profile?

If so, it should show up in "emerge --info | grep qt4". I am using
default/linux/amd64/13.0/desktop/plasma/systemd and both qt4 and qt5 are
enabled by default.


-- 
Neil Bothwick

When you go to court you are putting yourself in the hands of 12 people
that were not smart enough to get out of jury duty.


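Mick's "euse -I qt4" and Neil's "emerge --info | grep qt4" tell you whether the flag is on; the part that usually answers "where from" is the profile chain. The script below is an added example, not code from the thread or from any Gentoo tool: it walks a profile tree the way portage does (each profile's "parent" file names its parents, parents are evaluated first) and reports every profile file that mentions the flag. The tree it builds is constructed in a temporary directory for the demo and is not claimed to match the real desktop/plasma profile; the real chain starts at /etc/portage/make.profile.

```shell
#!/bin/sh
# Added example, not from the thread. Shows where a USE flag comes from by
# walking a profile chain the way portage does: each profile's "parent" file
# names its parents, parents are evaluated first, and make.defaults,
# use.force, use.mask, package.use and package.use.force in each profile can
# all affect the flag. The profile tree built here is constructed for the demo
# (the real chain starts at /etc/portage/make.profile); its contents are not
# claimed to match any real Gentoo profile.

# Build a small base -> desktop -> desktop/plasma chain in a temp dir and
# print the path of the leaf profile.
make_demo_profiles() {
    root=$(mktemp -d)
    mkdir -p "$root/base" "$root/desktop/plasma"
    printf 'USE="acl bzip2 cli"\n'        > "$root/base/make.defaults"
    printf 'pam\n'                        > "$root/base/use.force"
    printf '../base\n'                    > "$root/desktop/parent"
    printf 'USE="X alsa dbus qt4 qt5"\n'  > "$root/desktop/make.defaults"
    printf '..\n'                         > "$root/desktop/plasma/parent"
    printf 'USE="kde plasma"\n'           > "$root/desktop/plasma/make.defaults"
    echo "$root/desktop/plasma"
}

# Print the profile directories in evaluation order (parents first).
# Only positional parameters are used so the recursion does not clobber
# any variable; pwd -P normalises the ".." components away.
profile_chain() {
    if [ -f "$1/parent" ]; then
        while read -r p; do
            [ -n "$p" ] && profile_chain "$1/$p"
        done < "$1/parent"
    fi
    (cd "$1" && pwd -P)
}

# Report every profile file in the chain that mentions the flag, as
# "file in dir". The pattern matches the bare flag or "-flag" as a whole
# word inside a USE="..." string or on a line of its own.
find_flag() {
    flag=$1
    profile_chain "$2" | while read -r d; do
        for f in make.defaults use.force use.mask package.use package.use.force; do
            [ -f "$d/$f" ] || continue
            if grep -Eq "(^|[\" ])-?$flag([\" ]|\$)" "$d/$f"; then
                echo "$f in $d"
            fi
        done
    done
}

prof=$(make_demo_profiles)
echo "profile chain:"; profile_chain "$prof"
echo "qt4 set by:";    find_flag qt4 "$prof"
rm -rf "${prof%/desktop/plasma}"
```

Point find_flag at the directory /etc/portage/make.profile links to and it lists the profile layers that touch the flag; /etc/portage/make.conf and /etc/portage/package.use still have to be checked separately, as Nikos already did.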


Re: [gentoo-user] Re: {OT} Allow work from home?

2016-01-22 Thread Neil Bothwick
On Fri, 22 Jan 2016 11:51:45 -0800, Grant wrote:

> > To talk to this computer from another of my machines over ZT I would
> > use the 10.252... address. If you tried that address, you'd get
> > nowhere as you are not connected to my network.  

> So if 10.252.252.6 were configured as a router, could I join your ZT
> network and use iptables to route my example.com 80/443 requests to
> 10.252.252.6, thereby granting me access to my web apps which are
> configured to only allow your machine's WAN IP?

You don't need a bridge in a network to join it. If I want you to join
it, I give you the network ID and you simply join it, although you can't
actually connect to it until I authorise the connection.

However, if this machine were configured as a bridge, then once you had
joined my network you would have access to all of my LAN, rather like an
OpenVPN connection. It seems that the main difference between this and a
traditional VPN is that all of the setup work is done on the one
computer, connecting extra clients is just a matter of connecting them to
the network.

Note that I haven't actually tried this, every machine on my LAN that I
want to be able to connect to is running ZT so is directly accessible.

> Is it possible (easy?) to run your own "core node" and so not interact
> with the official core nodes at all?

It is definitely possible, and you skip the "only ten clients for
free" limit as that only applies to using their servers. Once again, it
isn't something I've tried yet, but it is on my list of "things to do
when I find some time". I'm quite happy using their discovery servers so
this would be only an exercise in trying it "because I can".


-- 
Neil Bothwick

MUPHRY'S LAW: The principle that any criticism of the writing of others
will itself contain at least one grammatical error.




[gentoo-user] Re: {OT} Allow work from home?

2016-01-22 Thread Kai Krakow
On Fri, 22 Jan 2016 00:52:30 +0100, lee wrote:

> Is WSUS of any use without domains?  If it is, I should take a look at
> it.

You can use it with and without domains. What domains give you through
GPO is just automatic deployment of the needed registry settings in the
client.

You can simply create a proper .reg file and deploy it to the clients
however you like. They will connect to WSUS and receive updates you
control.

No magic here.

-- 
Regards,
Kai

Replies to list-only preferred.




Re: [gentoo-user] Re: {OT} Allow work from home?

2016-01-22 Thread Neil Bothwick
On Thu, 21 Jan 2016 17:18:27 -0800, Grant wrote:

> > There is ZeroTier as a replacement for OpenVPN, and Syncthing for
> > syncing. Both are P2P solutions and you can run your own discovery
> > servers if you don't want any traffic going through a 3rd party
> > (although they don't send data through the servers).
> >
> > I've no idea whether that would meet your security criteria but it
> > certainly fulfils the "easier than OpenVPN" one. It will take only a
> > few minutes to install and setup using the public servers, although,
> > as I said, your network is never public, so you can check whether
> > they do what you want. Then you can look at hosting your own server
> > for security.
> >
> > https://www.zerotier.com/
> > https://syncthing.net/  

> Zerotier looks especially interesting.  Can I have machine A listen for
> Zerotier connections, have machine B connect to machine A via Zerotier,
> have machine C connect to machine A via Zerotier, and rsync push from B
> to C?

You set up a network and the machines all connect to that network, so A,
B and C can all talk to each other.

> Does connecting two machines via Zerotier involve any security
> considerations besides those involved when connecting those machines to
> the internet?  In other words, is it a simple network connection or are
> other privileges involved with that connection?

Connections are encrypted, handled by the ZeroTier protocols, but
otherwise it behaves like a normal network connection. 

> Can I somehow require the Zerotier connection between machines A and C
> in order for C to pass HTTP basic authentication on my web server which
> resides elsewhere?  Maybe I can route all traffic from machine C to my
> web server through C's Zerotier connection to A and lock down basic
> authentication on my web server to machine A?

Your ZeroTier connections are on a separate network, you pick an address
block when you set up the network but that network is only accessible to
other machines connected to your ZeroTier network. You can have ZT
allocate addresses within that block, it's not dynamic addressing because
once a client is given an address, it always gets the same address, or you
can specify the address for each client. So you can include an address
requirement in your .htaccess to ensure connections are only allowed from
your ZT network.


-- 
Neil Bothwick

furbling, v.:
Having to wander through a maze of ropes at an airport or bank
even when you are the only person in line.
-- Rich Hall, "Sniglets"


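The ".htaccess address requirement" Neil suggests, as an added example that is not code from the thread or from ZeroTier: an Apache 2.4 fragment that only admits a request when the peer address is inside the ZT block and basic auth also succeeds, plus a POSIX shell CIDR check that reproduces the address test so you can verify which peers would pass before deploying it. The 10.252.252.0/24 block is taken from the ifconfig snippet quoted earlier in the thread; the .htpasswd path and the realm name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: restrict a web app to clients on the
# ZeroTier network AND still require HTTP basic auth. The subnet
# 10.252.252.0/24 comes from the ifconfig snippet quoted in the thread; the
# .htpasswd path and the realm name are assumptions.

ZT_NET=10.252.252.0/24
HTPASSWD=/var/www/.htpasswd   # assumed location

# Write an Apache 2.4 .htaccess that allows a request only when BOTH the
# peer address is inside the ZT block and basic auth succeeds.
write_htaccess() {
    cat > "$1" <<EOF
AuthType Basic
AuthName "Internal apps"
AuthBasicProvider file
AuthUserFile $HTPASSWD
<RequireAll>
    Require ip $ZT_NET
    Require valid-user
</RequireAll>
EOF
}

# Dotted quad -> 32-bit integer (POSIX sh only, no external tools).
# "set -- \$1" deliberately splits the address on "." into \$1..\$4.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when $1 (address) lies inside $2 (CIDR block), 1 otherwise.
# This is the same comparison "Require ip" makes on the peer address.
ip_in_cidr() {
    net=${2%/*}
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Evaluate the same policy as the .htaccess for one request: prints
# "allowed" or "denied" given the peer address and the auth outcome.
decide() {
    if ip_in_cidr "$1" "$ZT_NET" && [ "$2" = auth-ok ]; then
        echo allowed
    else
        echo denied
    fi
}

# Demo run with constructed peer addresses (203.0.113.5 is a documentation address)
tmp=$(mktemp -d)
write_htaccess "$tmp/.htaccess"
for peer in 10.252.252.6 203.0.113.5; do
    echo "$peer auth-ok: $(decide "$peer" auth-ok), no auth: $(decide "$peer" auth-failed)"
done
rm -rf "$tmp"
```

"Require ip" tests the address of the TCP peer Apache itself sees, so it only matches when the request actually arrives over the ZT interface; if a reverse proxy sits in front of the app, Apache sees the proxy's address instead and the rule has to move to the proxy. The address check narrows who can even attempt basic auth, it does not replace it, which is why both requirements sit inside RequireAll.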


Re: [gentoo-user] Re: {OT} Allow work from home?

2016-01-22 Thread Neil Bothwick
On Fri, 22 Jan 2016 07:52:12 -0500, Rich Freeman wrote:

> My understanding is that ZT does not support routing of any kind.
> Traffic destined to a ZT peer goes directly to that peer, and that's
> it.  You can't route over ZT and onto a subnet on a remote peer's
> network, or from one peer to another, or anything like that.

You can set up one machine on a LAN as a bridge, that then connects your
ZT clients to the LAN, much like a traditional VPN.


-- 
Neil Bothwick

I used to have a handle on life, then it broke.




[gentoo-user] Re: {OT} Allow work from home?

2016-01-22 Thread Grant
>
> > Zerotier looks especially interesting.  Can I have machine A listen for
> > Zerotier connections, have machine B connect to machine A via Zerotier,
> > have machine C connect to machine A via Zerotier, and rsync push from B
> > to C?
>
> You set up a network and the machines all connect to that network, so A,
> B and C can all talk to each other.
>
> > Does connecting two machines via Zerotier involve any security
> > considerations besides those involved when connecting those machines to
> > the internet?  In other words, is it a simple network connection or are
> > other privileges involved with that connection?
>
> Connections are encrypted, handled by the ZeroTier protocols, but
> otherwise it behaves like a normal network connection.
>
> > Can I somehow require the Zerotier connection between machines A and C
> > in order for C to pass HTTP basic authentication on my web server which
> > resides elsewhere?  Maybe I can route all traffic from machine C to my
> > web server through C's Zerotier connection to A and lock down basic
> > authentication on my web server to machine A?
>
> Your ZeroTier connections are on a separate network, you pick an address
> block when you set up the network but that network is only accessible to
> other machines connected to your ZeroTier network. You can have ZT
> allocate addresses within that block, it's not dynamic addressing because
> once a client is given an address, it always gets the same address, or you
> can specify the address for each client. So you can include an address
> requirement in your .htaccess to ensure connections are only allowed from
> your ZT network.
>


The answer to this may be an obvious "yes" but I've never done it so I'm
not sure.  Can I route requests from machine C through machine A only for
my domain name, and not involve A for C's other internet requests?  If so,
where is that configured?

BTW, how did you find ZT?  Pity there's no ebuild yet.

- Grant


Re: [gentoo-user] Re: {OT} Allow work from home?

2016-01-22 Thread Rich Freeman
On Fri, Jan 22, 2016 at 7:29 AM, Grant  wrote:
>
> The answer to this may be an obvious "yes" but I've never done it so I'm not
> sure.  Can I route requests from machine C through machine A only for my
> domain name, and not involve A for C's other internet requests?  If so,
> where is that configured?
>
> BTW, how did you find ZT?  Pity there's no ebuild yet.
>

My understanding is that ZT does not support routing of any kind.
Traffic destined to a ZT peer goes directly to that peer, and that's
it.  You can't route over ZT and onto a subnet on a remote peer's
network, or from one peer to another, or anything like that.

So, ZT isn't even capable of routing internet traffic right now, so
none of it will go over ZT.

For other VPNs it is all IP and routing works however you define it on
either side.  You can make a VPN your default route, or not, etc.  You
can do whatever iproute2/iptables/etc allows on linux hosts.  I
imagine windows is a bit less flexible but I'm sure you can define
which interface is the default route.

-- 
Rich



Re: [gentoo-user] Re: {OT} Allow work from home?

2016-01-22 Thread Neil Bothwick
On Fri, 22 Jan 2016 04:29:00 -0800, Grant wrote:

> The answer to this may be an obvious "yes" but I've never done it so I'm
> not sure.  Can I route requests from machine C through machine A only
> for my domain name, and not involve A for C's other internet requests?
> If so, where is that configured?

While ZT can be used to route requests between networks, it is mainly
used to talk directly between clients. If A wants to talk to C over ZT,
it uses C's ZT IP address.

Here's a snippet from ifconfig on this machine, which may help it make
sense to you

wlan0: flags=4163  mtu 1500
inet 192.168.1.6  netmask 255.255.255.0  broadcast 192.168.1.255
ether c4:8e:8f:f7:55:c9  txqueuelen 1000  (Ethernet)

zt0: flags=4163  mtu 2800
inet 10.252.252.6  netmask 255.255.255.0  broadcast 10.252.252.255

To talk to this computer from another of my machines over ZT I would use
the 10.252... address. If you tried that address, you'd get nowhere as
you are not connected to my network.

Set up a network and play with it. It costs nothing to set up a network
with up to 10 clients. The main benefit is that it is so easy to
administer and add new clients. If you use it between two machines in the
same LAN, the traffic doesn't go outside of the LAN, so it works at more
or less the same speed.

> BTW, how did you find ZT?  Pity there's no ebuild yet.

Someone mentioned it during a talk at Liverpool LUG. It wasn't the topic
of the talk, he just used it to grab something from his home network to
answer a question. An ebuild would be nice, but the installer script
works perfectly here, both for systemd and openrc systems.


-- 
Neil Bothwick

In the 60's people took acid to make the world weird.
Now the world is weird and people take Prozac to make it normal.




Re: [gentoo-user] Shutdown through systemctl as a normal user

2016-01-22 Thread Mike Gilbert
On Sat, Jan 16, 2016 at 1:34 PM, lukash  wrote:
> Hi all,
>
> I'm reading on the internet that systemctl poweroff should work for
> normal user if he is the only one logged in, he is logged in locally
> and his session is active. I seem to be meeting these conditions:
>
> # loginctl
>    SESSION    UID  USER     SEAT
>          2   1000  lukash   seat0
>
> $ loginctl show-session 2
> Id=2
> User=1000
> Name=lu
> Timestamp=Sat 2016-01-16 17:27:30 CET
> TimestampMonotonic=9614418
> VTNr=7
> Seat=seat0
> Display=:0
> Remote=no
> Service=lightdm
> Desktop=awesome
> Scope=session-2.scope
> Leader=529
> Audit=2
> Type=x11
> Class=user
> Active=yes
> State=active
> IdleHint=no
> IdleSinceHint=0
> IdleSinceHintMonotonic=0
>
> But invoking the command gives me:
>
> $ systemctl poweroff
> Failed to set wall message, ignoring: Access denied
> Failed to power off system via logind: Access denied
> Failed to start poweroff.target: Access denied
>
> How is this supposed to work on Gentoo?

Make sure you have USE=policykit set for sys-apps/systemd.



[gentoo-user] Re: What is forcing the qt4 USE flag?

2016-01-22 Thread Nikos Chantziaras

On 23/01/16 09:21, Michael Palimaka wrote:
> On 01/23/2016 06:04 AM, Nikos Chantziaras wrote:
>> I have a weird problem. I have an ebuild where either qt4 or qt5 can be
>> enabled. They are both disabled by default and I have to choose which
>> one I want. The ebuild does that with:
>>
>>    IUSE="qt4 qt5"
>>    REQUIRED_USE="^^ ( qt4 qt5 )"
>>
>> I'm on the plasma profile which enabled qt5 automatically. However,
>> portage complains:
>>
>>    The following REQUIRED_USE flag constraints are unsatisfied:
>>    exactly-one-of ( qt4 qt5 )
>>
>> The qt4 USE flag is enabled. I can't see where. I didn't enable it
>> anywhere in any of my /etc/portage/* files. If I emerge with:
>>
>>    USE="-qt4" emerge package
>>
>> then it works. So I have to explicitly disable the qt4 USE flag even
>> though I didn't enable it in the first place.
>>
>> Can someone enlighten me?
>
> Which package is it? We can add an entry to the Plasma profile's
> package.use to avoid the REQUIRED_USE.


It's my own ebuilds (in an overlay.) I wasn't setting either USE flag in 
the ebuilds at all and this spooked me. Turns out it's the parent 
profile of the plasma profile doing this.


What would be really nice to have in portage is if the profiles were 
able to say "if qt4 and qt5 are both supported but mutually exclusive, 
prefer qt5 unless the user or the ebuild itself has specified 
otherwise". But I guess it would be hairy to implement that. (It would 
help with other such USE flags as well, not just qt4 vs qt5.)





[gentoo-user] Re: What is forcing the qt4 USE flag?

2016-01-22 Thread Nikos Chantziaras

On 22/01/16 21:45, Mick wrote:
> On Friday 22 Jan 2016 21:04:48 Nikos Chantziaras wrote:
>> I have a weird problem. I have an ebuild where either qt4 or qt5 can be
>> enabled. They are both disabled by default and I have to choose which
>> one I want. The ebuild does that with:
>>
>>    IUSE="qt4 qt5"
>>    REQUIRED_USE="^^ ( qt4 qt5 )"
>>
>> I'm on the plasma profile which enabled qt5 automatically. However,
>> portage complains:
>>
>>    The following REQUIRED_USE flag constraints are unsatisfied:
>>    exactly-one-of ( qt4 qt5 )
>>
>> The qt4 USE flag is enabled. I can't see where. I didn't enable it
>> anywhere in any of my /etc/portage/* files. If I emerge with:
>>
>>    USE="-qt4" emerge package
>>
>> then it works. So I have to explicitly disable the qt4 USE flag even
>> though I didn't enable it in the first place.
>>
>> Can someone enlighten me?
>
> euse -I qt4
>
> should provide some pointers.  It may be your desktop profile?


Yep, it's the parent profile of the plasma profile. This results in both 
qt4 and qt5 being set.





[gentoo-user] Re: What is forcing the qt4 USE flag?

2016-01-22 Thread Michael Palimaka
On 01/23/2016 06:04 AM, Nikos Chantziaras wrote:
> I have a weird problem. I have an ebuild where either qt4 or qt5 can be
> enabled. They are both disabled by default and I have to choose which
> one I want. The ebuild does that with:
> 
>   IUSE="qt4 qt5"
>   REQUIRED_USE="^^ ( qt4 qt5 )"
> 
> I'm on the plasma profile which enabled qt5 automatically. However,
> portage complains:
> 
>   The following REQUIRED_USE flag constraints are unsatisfied:
>   exactly-one-of ( qt4 qt5 )
> 
> The qt4 USE flag is enabled. I can't see where. I didn't enable it
> anywhere in any of my /etc/portage/* files. If I emerge with:
> 
>   USE="-qt4" emerge package
> 
> then it works. So I have to explicitly disable the qt4 USE flag even
> though I didn't enable it in the first place.
> 
> Can someone enlighten me?
> 
> 
> 

Which package is it? We can add an entry to the Plasma profile's
package.use to avoid the REQUIRED_USE.




[gentoo-user] spike-community-overlay

2016-01-22 Thread James
Well this one is new to me. Googling reveals the spike linux distro
is a version of Sabayon, which is based on gentoo.


So 'eix -R cassandra' ::

dev-db/cassandra [5]
 Available versions:  0.6.1 ~0.7.0-r2 ~2.0.7 ~2.0.10 ~2.1.3 ~2.12 {doc
ELIBC="FreeBSD"}
 Homepage:http://cassandra.apache.org/
[5] "spike-community-overlay" layman/spike-community-overlay


Does anyone have experience with any spike overlays? Are they of good quality?

It seems they have the latest ebuild-release of the cassandra of all the
ebuilds, but that's not close to the latest release (3.2.1).
All comments are welcome; if there is no 3.x ebuild anywhere, I guess
I'll try my hand at an EAPI-6 ebuild for cassandra.


James

http://cassandra.apache.org/






[gentoo-user] Re: {OT} Allow work from home?

2016-01-22 Thread James
Neil Bothwick  digimed.co.uk> writes:


> > The answer to this may be an obvious "yes" but I've never done it so I'm
> > not sure.  Can I route requests from machine C through machine A only
> > for my domain name, and not involve A for C's other internet requests?
> > If so, where is that configured?

From what I read, 10 nodes or less are free. I'd be willing to participate
as a remote node so a small group of gentoo users can figure this out and 
document some example configurations, as it seems to be very interesting and
useful. Additionally, a custom set of iptables rules or a bridge-filter
would be keen information to add to a gentoo wiki page on this topic, imho.


This could also be a wonderful way for proxy-maintainers to hang in a group
and work more closely on things like digesting EAPI-6 and teaming up on
more complex ebuild issues. It does sound like fun! 


James








Re: [gentoo-user] {OT} Allow work from home?

2016-01-22 Thread covici
lee  wrote:

> Rich Freeman  writes:
> 
> > On Tue, Jan 19, 2016 at 5:22 PM, lee  wrote:
> >> "J. Roeleveld"  writes:
> >>
> >> How does that work?  IIUC, when you created a snapshot, any changes you
> >> make to the snapshotted (or how that is called) file system are being
> >> referenced by the snapshot which you can either destroy or abandon.
> >> When you destroy it, the changes you made are being applied to the
> >> file system you snapshotted (because someone decided to use a very
> >> misleading terminology), and when you abandon it, the changes are thrown
> >> away and you end up with the file system as it was before the snapshot
> >> was created.
> >>
> >> In any case, you do not get multiple versions (which only reference the
> >> changes made) of the file system you snapshotted but only one current
> >> version.
> >>
> >> Do you need to use a special file system or something which provides
> >> this kind of multiple copies when you make snapshots?
> >>
> >
> > And that is exactly what zfs and btrfs provide. Snapshots are full
> > citizens.  If I create a snapshot of a directory in btrfs it is
> > essentially indistinguishable from running cp -a on the directory,
> > except the snapshot takes only seconds to create almost entirely
> > regardless of size, and takes almost no space until changes are made.
> > Later I can delete the snapshot, or delete the original, or keep both
> > indefinitely making changes to either.
> 
> Hm, I must be misunderstanding snapshots entirely.
> 
> What happens when you remove a snapshot after you modified the
> "original" /and/ the snapshot?  You destroy at least one of them, so you
> can never get rid of the snapshot in a non-destructive way?
> 
> My understanding is that when you make a snapshot, you get a copy that
> doesn't change which you can somehow use to make backups.  When the
> backup is finished, you can remove the snapshot, and the changes that
> were made in the meantime are not lost --- unless you decide to throw
> them away when removing the snapshot, in which case you get a rollback.
> 
> To make things more complicated, I've seen zfs refusing to remove a
> snapshot and saying that something is recursive (IIRC), and it didn't
> make any sense anymore.  So I left everything as it was because I didn't
> want to lose data, and a while later, I removed this very same snapshot
> without getting issues as before.  Weird behaviour makes snapshots
> rather scary, so I avoid them now.
> 
> There seems to be some sort of relationship between a snapshot and the
> "original" which limits what you can do with a snapshot, like the
> snapshot is somehow attached to the "original".  At least that makes
> some sense to me because no real copy is created when you make a
> snapshot.  But how do you detach a snapshot from the "original" so that
> you could safely modify both?

In zfs you can clone the snapshot and it will be independent, but I am
new at zfs, so check it out.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici
 cov...@ccs.covici.com
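The snapshot, clone and promote sequence behind "clone the snapshot and it will be independent", written out as an added example (it is not part of covici's reply and not something anyone in the thread posted). Pool and dataset names (tank/home, tank/home-work) are made up, and the script prints the zfs commands rather than running them unless DRY_RUN=0:

```shell
#!/bin/sh
# Added example, not part of the thread: ZFS snapshot -> clone -> promote.
# Dataset names are made up. With DRY_RUN=1 (the default here) every zfs
# command is printed instead of executed, so this is safe to run anywhere.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# detach_clone ORIGINAL SNAPNAME CLONE
detach_clone() {
    orig=$1 snap=$2 clone=$3
    # 1) A snapshot is a read-only frozen view; it costs no space until the
    #    live dataset diverges from it.
    run zfs snapshot "${orig}@${snap}"
    # 2) A clone is a writable dataset built on that snapshot. From here on
    #    $orig and $clone can both be modified independently. What remains is
    #    a dependency: the snapshot cannot be destroyed while the clone
    #    exists (the kind of refusal lee describes above).
    run zfs clone "${orig}@${snap}" "$clone"
    # 3) promote reverses the dependency: the snapshot now belongs to the
    #    clone and the original becomes the dependent one, so the original
    #    can later be destroyed without losing the clone.
    run zfs promote "$clone"
    # 4) The origin property shows which side now depends on which.
    run zfs get -H -o name,value origin "$orig" "$clone"
}

# Severing the link completely (no shared snapshot at all) needs a real
# copy, e.g.: zfs send tank/home@base | zfs receive tank/home-copy

: "${DRY_RUN:=1}"
detach_clone tank/home base tank/home-work
```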