Re: Limit memory consumption of an ad hoc process

[Victor Sudakov]

The Wanderer wrote:
> On 2021-07-05 at 22:42, Victor Sudakov wrote:
> 
> > Greg Wooledge wrote:
> 
> >> And in any case, when you test this stuff, use the subshells.  
> > 
> > Well, my goal is to find a way to limit programs run from cron, PHP's
> > proc_open() etc., not from the interactive shell. What would you advise?
> 
> Is there any reason to think that the ulimit approach wouldn't work in
> that type of context, as well as when invoked from within a shell?

That depends how you are going to *use* the ulimit approach in that type
of context. For example, there is no way to specify ulimit in PHP's
proc_open(), maybe because setrlimit() is OS-specific.

There are other cases when binaries are executed directly, without a
shell, hence the need for a wrapper.

-- 
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet


signature.asc
Description: PGP signature

Re: Limit memory consumption of an ad hoc process

[Victor Sudakov]

Victor Sudakov wrote:
> 
> FreeBSD has a simple way to run some ad-hoc program with memory limits:
> 
> $ limits -m 2G ./mytest
>   memoryuse 2097152 kB
>   vmemoryuse   infinity kB
> $ limits -m 1G ./mytest
>   memoryuse 1048576 kB
>   vmemoryuse   infinity kB
> 
> How do I do the same in Linux (without root permissions)?

The short answer is /usr/bin/prlimit, it's the direct equivalent of
FreeBSD's /usr/bin/limits wrapper.

Thanks to all who replied especially Greg Wooledge!


-- 
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet


signature.asc
Description: PGP signature

Re: Limit memory consumption of an ad hoc process

[Victor Sudakov]

Greg Wooledge wrote:
> On Mon, Jul 05, 2021 at 11:01:25PM -0400, The Wanderer wrote:
> > On 2021-07-05 at 22:42, Victor Sudakov wrote:
> > 
> > > Greg Wooledge wrote:
> > 
> > >> And in any case, when you test this stuff, use the subshells.  
> > > 
> > > Well, my goal is to find a way to limit programs run from cron, PHP's
> > > proc_open() etc., not from the interactive shell. What would you advise?
> > 
> > Is there any reason to think that the ulimit approach wouldn't work in
> > that type of context, as well as when invoked from within a shell?
> 
> Depends on how the cron job is set up.  If the cron job never calls
> bash (but rather, sh) then you can't use bash's ulimit.
> 
> Likewise, I would guess that PHP's proc_open() calls /bin/sh, not bash,
> but you'd have to ask a (more experienced) PHP user.

I suppose PHP's proc_open() does not call any shell at all, it executes
the binary directly. To execute command in a shell, there is
shell_exec() but it does not give access to the executed program's
stdin/stdout.

I think I can call the prlimit wrapper from proc_open() and that should do.

> 
> > > The equivalent of FreeBSD's `/usr/bin/limits` wrapper seems to be
> > > `/usr/bin/prlimit` but I'm really at a loss what limit to specify for
> > > testing (the equivalent of `ulimit -v`). Should be RLIMIT_AS but --as 
> > > crashes prlimit:
> > > 
> > > $ prlimit --as=1048576 /bin/ls
> > > /bin/ls: error while loading shared libraries: libselinux.so.1: failed to 
> > > map segment from shared object
> 
> Sounds like you set it too low.  Remember, setrlimit(2) and prlimit(2)
> say that RLIMIT_DATA is specified in bytes.  This is not the same as
> bash's ulimit.

I've never thought 1MB would be too low for /bin/ls, but it seems you are
right. Over 2MB required for a simple /bin/true!

$ prlimit --as=200 /bin/true
/bin/true: error while loading shared libraries: libc.so.6: failed to map 
segment from shared object
$ prlimit --as=250 /bin/true
$ 

But prlimit works mostly as expected:

$ prlimit --as=1073741824 stress-ng stress-ng --vm 1 --vm-bytes 2G
stress-ng: info:  [19042] defaulting to a 86400 second (1 day, 0.00 secs) run 
per stressor
stress-ng: info:  [19042] dispatching hogs: 1 vm
stress-ng: error: [19044] stress-ng-vm: gave up trying to mmap, no available 
memory
stress-ng: info:  [19042] successful run completed in 10.01s
$

-- 
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet


signature.asc
Description: PGP signature

Re: Limit memory consumption of an ad hoc process

[Greg Wooledge]

On Mon, Jul 05, 2021 at 11:11:06PM -0400, Greg Wooledge wrote:
> > > $ prlimit --as=1048576 /bin/ls
> > > /bin/ls: error while loading shared libraries: libselinux.so.1: failed to 
> > > map segment from shared object
> 
> Sounds like you set it too low.  Remember, setrlimit(2) and prlimit(2)
> say that RLIMIT_DATA is specified in bytes.  This is not the same as
> bash's ulimit.

... and the same for RLIMIT_AS which is probably what you're using.

It would be incredibly useful if the various shell-interface tools
(ulimit, prlimit, and so on) would explicitly say which setrlimit(2)
resource they're actually using, instead of forcing us to guess.

Re: Limit memory consumption of an ad hoc process

[Greg Wooledge]

On Mon, Jul 05, 2021 at 11:01:25PM -0400, The Wanderer wrote:
> On 2021-07-05 at 22:42, Victor Sudakov wrote:
> 
> > Greg Wooledge wrote:
> 
> >> And in any case, when you test this stuff, use the subshells.  
> > 
> > Well, my goal is to find a way to limit programs run from cron, PHP's
> > proc_open() etc., not from the interactive shell. What would you advise?
> 
> Is there any reason to think that the ulimit approach wouldn't work in
> that type of context, as well as when invoked from within a shell?

Depends on how the cron job is set up.  If the cron job never calls
bash (but rather, sh) then you can't use bash's ulimit.

Likewise, I would guess that PHP's proc_open() calls /bin/sh, not bash,
but you'd have to ask a (more experienced) PHP user.

I advised using subshells during testing because you don't want to
irrevocably cripple the shell you're using to launch the tests, as the
OP did earlier.  Once you've screwed up your interactive shell, you have
to throw it away and start over, which is a pain in the ass.

> > The equivalent of FreeBSD's `/usr/bin/limits` wrapper seems to be
> > `/usr/bin/prlimit` but I'm really at a loss what limit to specify for
> > testing (the equivalent of `ulimit -v`). Should be RLIMIT_AS but --as 
> > crashes prlimit:
> > 
> > $ prlimit --as=1048576 /bin/ls
> > /bin/ls: error while loading shared libraries: libselinux.so.1: failed to 
> > map segment from shared object

Sounds like you set it too low.  Remember, setrlimit(2) and prlimit(2)
say that RLIMIT_DATA is specified in bytes.  This is not the same as
bash's ulimit.

Re: Limit memory consumption of an ad hoc process

[The Wanderer]

On 2021-07-05 at 22:42, Victor Sudakov wrote:

> Greg Wooledge wrote:

>> And in any case, when you test this stuff, use the subshells.  
> 
> Well, my goal is to find a way to limit programs run from cron, PHP's
> proc_open() etc., not from the interactive shell. What would you advise?

Is there any reason to think that the ulimit approach wouldn't work in
that type of context, as well as when invoked from within a shell?

> The equivalent of FreeBSD's `/usr/bin/limits` wrapper seems to be
> `/usr/bin/prlimit` but I'm really at a loss what limit to specify for
> testing (the equivalent of `ulimit -v`). Should be RLIMIT_AS but --as 
> crashes prlimit:
> 
> $ prlimit --as=1048576 /bin/ls
> /bin/ls: error while loading shared libraries: libselinux.so.1: failed to map 
> segment from shared object
> $
> $ prlimit --as=1048576 stress-ng
> Segmentation fault
> $

I'm not familiar with prlimit, but just looking at this output and at
the man page, what unit do you think the value of the --as argument is
in? If it's in bytes, then what you're doing here is specirying an
address-space size of only one megabyte, and I don't find it at all
surprising if that's too small for the combination of ls plus its libraries.

On my machine, ls is 144K, and its dependent libraries (as reported by
ldd, and exclusing linux-vdso.so.1 which doesn't seem to be an actual
file in the filesystem) range in size from 19K (libdl) to 1.8M (libc),
for a total of 2.4M. That's more than twice the hypothesized
one-megabyte threshold.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw



signature.asc
Description: OpenPGP digital signature

Re: Limit memory consumption of an ad hoc process

[Victor Sudakov]

Greg Wooledge wrote:

[dd]

> > 
> > 
> > # ulimit -m 1048576 ; stress-ng --vm 1 --vm-bytes 8G
> > stress-ng: info:  [10961] defaulting to a 86400 second (1 day, 0.00 secs) 
> > run per stressor
> > stress-ng: info:  [10961] dispatching hogs: 1 vm
> > 
> > stress-ng is not killed. Swap is not enabled on this test host.
> 
> Perhaps -m is not the correct resource limit for what you're trying to
> achieve.  You've been assuming that it is, but I told you to read
> setrlimit(3) to see what each of them is and what it actually controls.
> 
> >From ulimit's output:
> 
> max memory size (kbytes, -m) unlimited
> 
> >From bash(1):
> 
>   -m The maximum resident set size (many systems do not  honor
>  this limit)
> 
> >From setrlimit(3):
> 
>RLIMIT_RSS
>   This is a limit (in bytes) on the process's  resident  set  (the
>   number of virtual pages resident in RAM).  This limit has effect
>   only in Linux 2.4.x, x < 30, and there  affects  only  calls  to
>   madvise(2) specifying MADV_WILLNEED.
> 
> Perhaps you want "ulimit -v" instead?

You are correct, `ulimit -v` works:

$ ulimit -v 1048576 ; stress-ng --vm 1 --vm-bytes 8G
stress-ng: info:  [11081] defaulting to a 86400 second (1 day, 0.00 secs) run 
per stressor
stress-ng: info:  [11081] dispatching hogs: 1 vm
stress-ng: error: [11083] stress-ng-vm: gave up trying to mmap, no available 
memory
stress-ng: info:  [11081] successful run completed in 10.01s
$ 

> 
> And in any case, when you test this stuff, use the subshells.  

Well, my goal is to find a way to limit programs run from cron, PHP's
proc_open() etc., not from the interactive shell. What would you advise?

The equivalent of FreeBSD's `/usr/bin/limits` wrapper seems to be
`/usr/bin/prlimit` but I'm really at a loss what limit to specify for
testing (the equivalent of `ulimit -v`). Should be RLIMIT_AS but --as 
crashes prlimit:

$ prlimit --as=1048576 /bin/ls
/bin/ls: error while loading shared libraries: libselinux.so.1: failed to map 
segment from shared object
$
$ prlimit --as=1048576 stress-ng
Segmentation fault
$

-- 
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet


signature.asc
Description: PGP signature

mozillla firefox

[diego leon giraldo garcia]

buenas tardes cómo instalo firefox 89.0.2 en debian 10.9 ?habían escrito
sobre la versión 85 pero será el mismo proceso? no basta con apt get
install es un archivo tar.bz2

gracias

Re: the Amazing Poly

[John Hasler]

ellanios82 writes:
> It's a pretty common requirement, as at one time it was the second
> best spam defence (after accepting mail only for named users). Not so
> good now that many ISPs are providing some kind of PTR record.

Some ISPs try to provide a single record for a group of their dynamic
IPs.  They bungle so that lookups fail for some IPs.  And then some
email providers apply that test to their own customers, *even after they
have authenticated*.  Hilarity ensues.

Then there is "probing" the domain in the "From:" line...
-- 
John Hasler 
j...@sugarbit.com
Elmwood, WI USA

Re: Memory allocation failed during fsck of large EXT4 filesystem

[Michael Stone]

On Mon, Jul 05, 2021 at 02:21:05PM -0700, Thomas D. Dean wrote:

On 7/5/21 1:54 PM, Michael Stone wrote:

On Mon, Jul 05, 2021 at 12:53:39PM +0300, IL Ka wrote:

7TB seems like too much for one partition imho.
Consider splitting it into the parts


That's silly. It's 2021; 7TB isn't particularly large and there's no 
value in breaking things into multiple partitions for no reason.




Maybe to have the ability to restore or reinstall the system without 
bothering /home?


I've never found that to be of much practical value. YMMV. Anyway, if 
you have reasons to partition, go for it--but partitioning because a 
filesystem is arbitrarily "too big" isn't a reason. (Especially since, 
in context, it's a logical volume so presumably the OP has already 
decided how to allocate space and if they wanted a separate home they 
could have just made a lv for it.)

Re: Memory allocation failed during fsck of large EXT4 filesystem

[Thomas D. Dean]

On 7/5/21 1:54 PM, Michael Stone wrote:

On Mon, Jul 05, 2021 at 12:53:39PM +0300, IL Ka wrote:

7TB seems like too much for one partition imho.
Consider splitting it into the parts


That's silly. It's 2021; 7TB isn't particularly large and there's no 
value in breaking things into multiple partitions for no reason.




Maybe to have the ability to restore or reinstall the system without 
bothering /home?

Re: Memory allocation failed during fsck of large EXT4 filesystem

[Michael Stone]

On Mon, Jul 05, 2021 at 12:53:39PM +0300, IL Ka wrote:

7TB seems like too much for one partition imho.
Consider splitting it into the parts


That's silly. It's 2021; 7TB isn't particularly large and there's no 
value in breaking things into multiple partitions for no reason.

Re: MTA

[Joe]

On Mon, 5 Jul 2021 16:45:17 +0200
Vincent Lefevre  wrote:

> On 2021-07-05 10:06:24 -0400, Greg Wooledge wrote:

> 
> > A more sensible antispam filter might consider a mismatched reverse
> > to be one potential factor in deciding whether a given message is
> > "spam". In the absence of any other factors, it shouldn't be enough
> > to reject a message.  But if the same message has other risk
> > factors, then together they might be enough to justify that
> > judgment.  
> 
> Unfortunately postfix cannot do that (it just has
> reject_unknown_client_hostname, but otherwise doesn't allow
> the user to control how the information is obtained and used).
> 
Exim4 can either reject or add a warning header, which spamassassin can
be told to look for.

Having said that, I gave up on SA after a couple of months. That really
*was* high-maintenance. I also prefer not to filter on content, as it's
difficult to avoid false positives.

-- 
Joe

Re: MTA

[Joe]

On Mon, 5 Jul 2021 09:23:03 -0400
Polyna-Maude Racicot-Summerside  wrote:


> 
> I was thinking that maybe I should start thinking about hosting my own
> email server. But I wasn't sure if I felt like I had the nerve to do
> so. Some people say it's a lot of maintenance work.
> 

No, it's not a big deal. The only maintenance I do is to try to improve
my anti-spam measures, and that's probably less than half an hour per
year. *After* the mail server was set up and running properly, of
course, and even that doesn't take much work.

*If* you have a static IP address and your ISP is willing to keep the
CIDR block containing it off of blacklists (some ISPs don't care). It
can allegedly be done with a dynamic address, but you not only have to
keep the MX->A record updated, but also the PTR. You may not even have
control of the PTR on a dynamic address. It's more to go wrong, and
there is a chance of delayed mail whenever the address changes. Also,
some mail servers try to identify dynamic addresses and reject SMTP
connections from them. 

If you have a dynamic address, the only safe way is to send through a
smarthost with a good reputation, and many ISPs do not provide them
now. Also, you lose logging of sent mail, which is one of the reasons
for doing it yourself.

-- 
Joe

Re: MTA (corrected)

[Joe]

On Mon, 5 Jul 2021 16:55:44 +0200
Vincent Lefevre  wrote:

> On 2021-07-05 10:32:27 -0400, Polyna-Maude Racicot-Summerside wrote:
> > > What is this 162.213.253.79 IP address?  
> > 
> > The IP address 162.213.253.79 is the dedicated IP I rent from
> > Namecheap.  
> 
> OK.
> 
> >  Can you control its reverse?  
> > >  
> > Good question, I'll need to go back read a bit on networking and DNS
> > management.  
> > > Is cyrania.com a domain that you own?  
> > Yes, I own cyrania.com and polynamaude.com (the domain name used
> > for the email I am sending). I know the SMTP server respond to the
> > name CYRANIA.COM (HELO) but is relaying mail for polynamaude.com
> > too.  
> 
> It seems that you already set up the reverse for 162.213.253.79 since
> it is cyrania.com (your domain).
> 
> You may want to add 162.213.253.79 to the cyrania.com IP addresses,
> but if cyrania.com is used as a www host and 162.213.253.79 shoud
> not be used for this purpose, this is not OK.
> 
> In general, it is better to have a specific FQDN for each IP address.
> For instance, 162.213.253.79 would have nodename.cyrania.com as the
> reverse and nodename.cyrania.com would resolve to 162.213.253.79,
> where nodename is the name obtained with the "uname -n" command.
> 

It's not a big issue. My public FQDN and PTR have no relationship at
all with any email domain I use, and I've never had mail refused for
that reason, over more than fifteen years. I also use a single HELO, and
that only matches one domain. Again, no problem with the other domains.

My mail server doesn't check for matching anywhere, only that a sending
IP address has complementary PTR and FQDN, and that the FQDN and HELO
are resolvable in public DNS, and I think that's a common setup.

-- 
Joe

Re: MTA

[Joe]

On Mon, 5 Jul 2021 09:35:22 -0400
Greg Wooledge  wrote:

> On Mon, Jul 05, 2021 at 09:23:03AM -0400, Polyna-Maude
> Racicot-Summerside wrote:
> > Reporting-MTA: dns; premium58.web-hosting.com
> > 
> > Action: failed
> > Final-Recipient: rfc822;bjoern.ri...@greenbone.net
> > Status: 5.0.0
> > Remote-MTA: dns; mail.greenbone.net
> > Diagnostic-Code: smtp; 550 X-Host-Lookup-Failed: Reverse DNS lookup
> > failed for 162.213.253.79 (failed)  
> 
> unicorn:~$ host 162.213.253.79
> 79.253.213.162.in-addr.arpa domain name pointer cyrania.com.
> unicorn:~$ host cyrania.com.
> cyrania.com has address 172.67.185.109
> cyrania.com has address 104.21.59.235
> cyrania.com has IPv6 address 2606:4700:3031::6815:3beb
> cyrania.com has IPv6 address 2606:4700:3031::ac43:b96d
> cyrania.com mail is handled by 0 _dc-mx.f1202d9a4fb3.cyrania.com.
> 
> Your "reverse" (PTR record for 162.213.253.79) doesn't match.  Which
> is to say, none of the "A" results from cyrania.com. match the
> original IP address of 162.213.253.79.
> 
> Some SMTP receivers may care about that.  Apparently the receiver for
> greenbone.net (whose name is mail.greenbone.net) is one of them.
> 

It's a pretty common requirement, as at one time it was the second best
spam defence (after accepting mail only for named users). Not so good
now that many ISPs are providing some kind of PTR record. But I haven't
deleted the check from my mail server...

-- 
Joe

Microsoft teams in browser

[Paul van der Vlis]

Hallo,

Ik moet wellicht binnenkort een Microsoft teams meeting bijwonen. De 
vorige keer vertelde men me dat ik geen software hoefde te installeren, 
alleen op een link te klikken. Dat heb ik toen gedaan maar het ging niet 
goed, hij bleef maar proberen een connectie te maken, maar die kwam 
niet. We hebben toen telefonisch verder gepraat, maar dat was officieel 
niet geldig. Daarom komen ze nu weer.


Weet iemand of dit werkt zonder closed source software, dus alleen met 
een browser?  Ik heb Chromium 90.0.4430.212 en Firefox 78.11.0esr 
beschikbaar, de browsers in Debian stable dus.


Volgens deze pagina werkt het met Fedora 31 en Chromium 80, zie op het 
eind, "run in browser":

https://www.faschingbauer.me/blog/2020/03/ms-teams-on-linux.html

Iemand ervaring?

Groet,
Paul


--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/

Re: the Amazing Poly

[ellanios82]

On 7/5/21 9:58 PM, Nicolas George wrote:

Polyna-Maude Racicot-Summerside (12021-07-05):

There's plenty of word with the prefix "poly".
In some way, we can consider "poly" meaning many different.
Polygon, polykystic...

I'm sure you know that "poly" is "many" in ancient Greek.

Regards,


 &, wiki : Polyphemus :

"Polyphēmus  is the one-eyed giant son of Poseidon and Thoosa in Greek 
mythology, one of the Cyclopes described in Homer's Odyssey. His name 
means "abounding in songs and legends". Polyphemus first appeared as a 
savage man-eating giant in the ninth book of the Odyssey. The satyr play 
of Euripides is dependent on this episode apart from one detail; for 
comic effect, Polyphemus is made a pederast in the play. Later Classical 
writers presented him in their poems as heterosexual and linked his name 
with the nymph Galatea. Often he was portrayed as unsuccessful in these, 
and as unaware of his disproportionate size and musical failings. In the 
work of even later authors, however, he is presented as both a 
successful lover and skilled musician. From the Renaissance on, art and 
literature reflect all of these interpretations of the giant."





 rgds

.

Re: Memory allocation failed during fsck of large EXT4 filesystem

[Stefan Monnier]

Reiner Buehl [2021-07-05 10:21:13] wrote:
> Hi all,
> I have a corrupt EXT4 filesystem where fsck.ext4 fails with the error
> message:
>
> Error storing directory block information (inode=366740508, block=0,
> num=406081): Memory allocation failed
[...]
> The system has 4GB of memory and a 8GB swap partition. The filesystem has
> 7TB. Is there a quick way to enlarge the swap space to help fsck.ext4 to
> finish the repair? I do not have any unused partitions but have space for
> swap on other filesystems if that is possible.

I think you should report this as a bug in e2fsck.  While 7TB is
significantly larger than the partitions I have, 8GB of swap should
still be plenty for that (my first 1TB disk was connected to a machine
with 64MB of RAM (an asus wl-700ge) and fsck was slow but it worked), so
I suspect the error is not in the lack of memory space.


Stefan

Re: the Amazing Poly

[Nicolas George]

Polyna-Maude Racicot-Summerside (12021-07-05):
> There's plenty of word with the prefix "poly".
> In some way, we can consider "poly" meaning many different.
> Polygon, polykystic...

I'm sure you know that "poly" is "many" in ancient Greek.

Regards,

-- 
  Nicolas George


signature.asc
Description: PGP signature

Re: Bullseye installation problem

[Felix Miata]

Chris Bell composed on 2021-07-05 18:22 (UTC+0100):

> Machine HP Proliant ML150 with 5GB RAM and currently a single HDD. I normally 
> use a netinst CD created locally from the jigdo image (amd64).
> I have tried to install both basic bullseye rc1 and bullseye rc2 with SSH 
> server several times over the last few days, using different netinst CD's, 
> and 
> each time the installation appears to be faultless until I try to boot the 
> new 
> installation. I just want to be able to login locally, do a small amount of 
> configuration, and then login remotely over the network. The GRUB display is 
> normal, but then the SVGA monitor only shows a single message about

> VMX outside text (disabled by BIOS)

> before the monitor complains that the video is out of range and gives up


Is firmware for your graphics device installed?

Try working around the immediate problem by appending nomodeset to the
kernel command line via E key at Grub menu. For most graphics chips,
nomodeset blocks a requirement of most AMD, Intel and NVidia GPUs X
drivers, enabled KMS, so using it is little but a crutch to enable
reconfiguration and troubleshooting [1].

What is output from
lspci -nnk | grep -A3 VGA

[1]
https://en.opensuse.org/SDB:Nomodeset:_Work_Around_Graphic_Upgrade_&_Installation_Obstacles
-- 
Evolution as taught in public schools is, like religion,
based on faith, not based on science.

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata

Re: the Amazing Poly

[Polyna-Maude Racicot-Summerside]

Hi,

On 2021-07-05 1:45 p.m., ellanios82 wrote:
> 
> "All red wines have something called “polyphenol” in them. The American
> physician Dr. Joseph Mercola reports:
> 
There's plenty of word with the prefix "poly".
In some way, we can consider "poly" meaning many different.
Polygon, polykystic...

>  *
> 
>    Polyphenols are micronutrients with antioxidant activity, found most
>    abundantly in whole foods such as dried spices, fruits, vegetables,
>    red wine, and cocoa.
> 
>  *
> 
>    Polyphenols play an important role in preventing and reducing the
>    progression of diabetes and cancer, as well as neurodegenerative and
>    cardiovascular diseases.
> 
>  *
> 
>    Polyphenols also play an important role as a prebiotic, increasing
>    the ratio of beneficial bacteria in your gut, which is important for
>    health, weight management, and disease prevention"
> 
> 
> 
> 
> 
This was mostly a joke when I said something about myself.
It was more related to the message saying that it can "Be direct and
crude" or something similar.
Because yes, I can go directly to the point and sometime I may have a
lack of courtesy doing so.

Sorry for all the person who may have been offensed.
> 
> 
>  rgds
> 
> .
> 
> 

-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development



OpenPGP_signature
Description: OpenPGP digital signature

re: the Amazing Poly

[ellanios82]

"All red wines have something called “polyphenol” in them. The American 
physician Dr. Joseph Mercola reports:


 *

   Polyphenols are micronutrients with antioxidant activity, found most
   abundantly in whole foods such as dried spices, fruits, vegetables,
   red wine, and cocoa.

 *

   Polyphenols play an important role in preventing and reducing the
   progression of diabetes and cancer, as well as neurodegenerative and
   cardiovascular diseases.

 *

   Polyphenols also play an important role as a prebiotic, increasing
   the ratio of beneficial bacteria in your gut, which is important for
   health, weight management, and disease prevention"






 rgds

.

Bullseye installation problem

[Chris Bell]

Hello,
Machine HP Proliant ML150 with 5GB RAM and currently a single HDD. I normally 
use a netinst CD created locally from the jigdo image (amd64).
I have tried to install both basic bullseye rc1 and bullseye rc2 with SSH 
server several times over the last few days, using different netinst CD's, and 
each time the installation appears to be faultless until I try to boot the new 
installation. I just want to be able to login locally, do a small amount of 
configuration, and then login remotely over the network. The GRUB display is 
normal, but then the SVGA monitor only shows a single message about

VMX outside text (disabled by BIOS)

before the monitor complains that the video is out of range and gives up.
This happens with two different monitors.
I have now installed buster 10.10.0 with KDE into a spare partition with full 
access to the 
rc2 partition (including remote access) so am able to copy any information 
required for a bug report, but what should it be reported to?
My only comment about the 10.10.0 installation so far is that a local monitor 
display apears to show a low definition display, with everything including text 
slightly large on the screen, but it appears to work normally.

-- 
Chris Bell
www.chrisbell.org.uk

Re: MTA (corrected)

[Polyna-Maude Racicot-Summerside]

Hi,

On 2021-07-05 1:07 p.m., Greg Wooledge wrote:
> On Mon, Jul 05, 2021 at 01:00:07PM -0400, Polyna-Maude Racicot-Summerside 
> wrote:
>> On 2021-07-05 12:46 p.m., Greg Wooledge wrote:
>>> unicorn:~$ host _dc-mx.f1202d9a4fb3.cyrania.com.
>>> _dc-mx.f1202d9a4fb3.cyrania.com has address 162.213.253.79
>>> Host _dc-mx.f1202d9a4fb3.cyrania.com not found: 3(NXDOMAIN)
> 
>> What you wrote (dc-mx) is not a underscore.
> 
> Is your mail user agent doing some sort of markdown processing, by
> chance?  Maybe you aren't seeing what's actually being written.  If
> that's the case, it's only adding to your problems.
> 
> The output of "host -t mx cyrania.com." on my machine includes a hostname
> that begins with an underscore.  underscore dee cee hyphen em ex.
> This hostname (including its leading underscore) appears on each of the
> three lines in the quoted text above.
> 
> If you aren't seeing it, then something's wrong.
> 
> If you doubt my output, go ahead and run your own tests, on a machine
> under your own control.
> 

Oh ! Sorry, my mistake.
You get those domain when you run host on your computer but didn't see
them on the dump I've copied here ?

I got it now by simply doing the same operation you did.
I notice something that sound strange...
When I configured my domain, I've said the mail exchange (MX) is
mail.cyrania.com and when I run host -t mx this give me something
different. And the answer start with a underscore like you have noticed.

I'll switch back to using the "plain" DNS offered by my hosting provider
and see what it give out.

I really don't have real need for Cloudflare, except some expectation it
would give a bit more speed to my server thru the work on automatic caching.

I'll send you a message when it's done.
I got a bit of work to do now, will do so later today.

-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development



OpenPGP_signature
Description: OpenPGP digital signature

Re: MTA (corrected)

[Greg Wooledge]

On Mon, Jul 05, 2021 at 01:00:07PM -0400, Polyna-Maude Racicot-Summerside wrote:
> On 2021-07-05 12:46 p.m., Greg Wooledge wrote:
> > unicorn:~$ host _dc-mx.f1202d9a4fb3.cyrania.com.
> > _dc-mx.f1202d9a4fb3.cyrania.com has address 162.213.253.79
> > Host _dc-mx.f1202d9a4fb3.cyrania.com not found: 3(NXDOMAIN)

> What you wrote (dc-mx) is not a underscore.

Is your mail user agent doing some sort of markdown processing, by
chance?  Maybe you aren't seeing what's actually being written.  If
that's the case, it's only adding to your problems.

The output of "host -t mx cyrania.com." on my machine includes a hostname
that begins with an underscore.  underscore dee cee hyphen em ex.
This hostname (including its leading underscore) appears on each of the
three lines in the quoted text above.

If you aren't seeing it, then something's wrong.

If you doubt my output, go ahead and run your own tests, on a machine
under your own control.

Re: MTA (corrected)

[Polyna-Maude Racicot-Summerside]

Hi

On 2021-07-05 12:46 p.m., Greg Wooledge wrote:
> On Mon, Jul 05, 2021 at 10:32:27AM -0400, Polyna-Maude Racicot-Summerside 
> wrote:
>> This is a copy of the dump of my domain name config for CYRANIA.COM
>>
>> ---START
>>
> [snip]
> 
>> cyrania.com. 1   IN  A   162.213.253.79
> 
>> ;; MX Records
>> cyrania.com. 1   IN  MX  0 mail.cyrania.com.
> 
>> cyrania.com. 1   IN  TXT "v=spf1 +ip4:162.213.253.79
>> +include:spf.web-hosting.com +ip4:198.54.120.203 ~all"
> 
> These are not the publically visible DNS records for your domain.
> 
> 
> unicorn:~$ host cyrania.com.
> cyrania.com has address 104.21.59.235
> cyrania.com has address 172.67.185.109
> cyrania.com has IPv6 address 2606:4700:3031::6815:3beb
> cyrania.com has IPv6 address 2606:4700:3031::ac43:b96d
> cyrania.com mail is handled by 0 _dc-mx.f1202d9a4fb3.cyrania.com.
> 
> unicorn:~$ host -t mx cyrania.com.
> cyrania.com mail is handled by 0 _dc-mx.f1202d9a4fb3.cyrania.com.
> 
> unicorn:~$ host -t txt cyrania.com.
> cyrania.com descriptive text "v=spf1 +ip4:162.213.253.79 
> +include:spf.web-hosting.com +include:premium58.web-hosting.com 
> +ip4:198.54.120.203 ~all"
> 
> 
> The SPF record is pretty close, but the others are nowhere near.
> 
> It's also particularly disturbing that your MX record contains an
> underscore.  I've been led to believe that's disallowed in hostnames.
> Attempting to resolve it gives me this error:
> 
The file I published here was a dump done by Cloudflare some time ago.
Maybe I've modified the records since but I doubt it.

> unicorn:~$ host _dc-mx.f1202d9a4fb3.cyrania.com.
> _dc-mx.f1202d9a4fb3.cyrania.com has address 162.213.253.79
> Host _dc-mx.f1202d9a4fb3.cyrania.com not found: 3(NXDOMAIN)
> 
What you wrote (dc-mx) is not a underscore.
Also, I don't think I have such record in my domain (dc-mx) sounds to me
like a Microsoft thing (DC = Domain Controler, MX = Mail Exchange). I
only have a mail. and a MX record.

> Whether that's because of the underscore is unclear to me.
> 
> In any case, you're going to want to find out why your publically visible
> DNS records don't match what you thought they should be.
> 

Thanks, yes there's some part that may be different because some of them
are "proxied" by Cloudflare. So if a request is made to Cloudflare DNS
server, they'll give their own server DNS and this will be followed to
my server.

Cloudlfare offer in their free tier a service that will cache your web
pages and offer a fast service because they own many server closer to
the user (edge type service).

The problem is that the free tier is limited and seems to have
limitation that prevent some type of use. This is one of the reason that
pushes me to disable the Cloudflare on my mail domain name. Anyway, I
don't have a website on those domain and Namecheap is responsible of
their own security so no need for acceleration or DDOS on my side.

I'll let know when I did finish changing from Cloudflare to the standard
name management (DNS) offered by Namecheap. I'll see if this fix part of
my problem (like getting 5 DMARC email for every email I respond on the
list).

Thanks,
Sincerely,


-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development



OpenPGP_signature
Description: OpenPGP digital signature

Re: Limit memory consumption of an ad hoc process

[Greg Wooledge]

On Mon, Jul 05, 2021 at 10:57:03PM +0700, Victor Sudakov wrote:
> Greg Wooledge wrote:
> > One way would be:
> > 
> > (ulimit -m 2097152; ./mytest)
> 
> Is the value in KB or MB? Seems KB.

Please read the documentation.

unicorn:~$ ulimit -a | grep -- -m
max memory size (kbytes, -m) unlimited

> Anyway, the suggested method does not seem to work:
> 
> $ ulimit -m 640 ; stress-ng --vm 1 --vm-bytes 2G
> -bash: ulimit: max memory size: cannot modify limit: Operation not permitted
> stress-ng: info:  [10272] defaulting to a 86400 second (1 day, 0.00 secs) run 
> per stressor
> stress-ng: info:  [10272] dispatching hogs: 1 vm

Have you been omitting the parentheses in your previous testing?

unicorn:~$ (ulimit -m 640; /bin/echo hi)
hi

Setting the resource limit DOWNWARD should always be allowed.  This
particular one is set to infinity by default in Debian, so the only way
setting it to 640 kbytes would be disallowed is if you had previously
set it lower than that.  Which, judging by the lack of parentheses in
your sample call, is a thing you might have done.

You don't want to nuke resources limits in your interactive shell.  That's
what the explicit subshells are for.


On Mon, Jul 05, 2021 at 11:06:31PM +0700, Victor Sudakov wrote:
> Even as root, there is no "Operation not permitted" message, but there
> is no working limit either:
> 
> 
> # ulimit -m 1048576 ; stress-ng --vm 1 --vm-bytes 8G
> stress-ng: info:  [10961] defaulting to a 86400 second (1 day, 0.00 secs) run 
> per stressor
> stress-ng: info:  [10961] dispatching hogs: 1 vm
> 
> stress-ng is not killed. Swap is not enabled on this test host.

Perhaps -m is not the correct resource limit for what you're trying to
achieve.  You've been assuming that it is, but I told you to read
setrlimit(3) to see what each of them is and what it actually controls.

>From ulimit's output:

max memory size (kbytes, -m) unlimited

>From bash(1):

  -m The maximum resident set size (many systems do not  honor
 this limit)

>From setrlimit(3):

   RLIMIT_RSS
  This is a limit (in bytes) on the process's  resident  set  (the
  number of virtual pages resident in RAM).  This limit has effect
  only in Linux 2.4.x, x < 30, and there  affects  only  calls  to
  madvise(2) specifying MADV_WILLNEED.

Perhaps you want "ulimit -v" instead?

And in any case, when you test this stuff, use the subshells.  Or be
prepared to discard and re-spawn a whole lot of terminal windows.

Re: MTA (corrected)

[Greg Wooledge]

On Mon, Jul 05, 2021 at 10:32:27AM -0400, Polyna-Maude Racicot-Summerside wrote:
> This is a copy of the dump of my domain name config for CYRANIA.COM
> 
> ---START
> 
[snip]

> cyrania.com.  1   IN  A   162.213.253.79

> ;; MX Records
> cyrania.com.  1   IN  MX  0 mail.cyrania.com.

> cyrania.com.  1   IN  TXT "v=spf1 +ip4:162.213.253.79
> +include:spf.web-hosting.com +ip4:198.54.120.203 ~all"

These are not the publically visible DNS records for your domain.


unicorn:~$ host cyrania.com.
cyrania.com has address 104.21.59.235
cyrania.com has address 172.67.185.109
cyrania.com has IPv6 address 2606:4700:3031::6815:3beb
cyrania.com has IPv6 address 2606:4700:3031::ac43:b96d
cyrania.com mail is handled by 0 _dc-mx.f1202d9a4fb3.cyrania.com.

unicorn:~$ host -t mx cyrania.com.
cyrania.com mail is handled by 0 _dc-mx.f1202d9a4fb3.cyrania.com.

unicorn:~$ host -t txt cyrania.com.
cyrania.com descriptive text "v=spf1 +ip4:162.213.253.79 
+include:spf.web-hosting.com +include:premium58.web-hosting.com 
+ip4:198.54.120.203 ~all"


The SPF record is pretty close, but the others are nowhere near.

It's also particularly disturbing that your MX record contains an
underscore.  I've been led to believe that's disallowed in hostnames.
Attempting to resolve it gives me this error:

unicorn:~$ host _dc-mx.f1202d9a4fb3.cyrania.com.
_dc-mx.f1202d9a4fb3.cyrania.com has address 162.213.253.79
Host _dc-mx.f1202d9a4fb3.cyrania.com not found: 3(NXDOMAIN)

Whether that's because of the underscore is unclear to me.

In any case, you're going to want to find out why your publically visible
DNS records don't match what you thought they should be.

Re: Memory allocation failed during fsck of large EXT4 filesystem

[Marc Auslander]

On 7/5/2021 4:30 AM, Reiner Buehl wrote:

Hi all,

I have a corrupt EXT4 filesystem where fsck.ext4 fails with the error 
message:


Error storing directory block information (inode=366740508, block=0, 
num=406081): Memory allocation failed


/dev/vg_data/lv_mpg: * FILE SYSTEM WAS MODIFIED *
e2fsck: aborted

/dev/vg_data/lv_mpg: * FILE SYSTEM WAS MODIFIED *

The system has 4GB of memory and a 8GB swap partition. The filesystem 
has 7TB. Is there a quick way to enlarge the swap space to help 
fsck.ext4 to finish the repair? I do not have any unused partitions but 
have space for swap on other filesystems if that is possible.
Are you sure it's not a ulimit issue?  Does the ulimit command return 
unlimited?

Re: Limit memory consumption of an ad hoc process

[Victor Sudakov]

Victor Sudakov wrote:
> > This assumes you're using bash as your shell.
> 
> I am, as you see above. I expect stress-ng to be killed when it tries to
> allocate 2G of memory but it's not happening. Can you reproduce your
> advice?

Even as root, there is no "Operation not permitted" message, but there
is no working limit either:


# ulimit -m 1048576 ; stress-ng --vm 1 --vm-bytes 8G
stress-ng: info:  [10961] defaulting to a 86400 second (1 day, 0.00 secs) run 
per stressor
stress-ng: info:  [10961] dispatching hogs: 1 vm

stress-ng is not killed. Swap is not enabled on this test host.

-- 
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet


signature.asc
Description: PGP signature

Re: Limit memory consumption of an ad hoc process

[Victor Sudakov]

Greg Wooledge wrote:
> On Mon, Jul 05, 2021 at 10:15:19AM +0700, Victor Sudakov wrote:
> > FreeBSD has a simple way to run some ad-hoc program with memory limits:
> > 
> > $ limits -m 2G ./mytest
> >   memoryuse 2097152 kB
> >   vmemoryuse   infinity kB
> > $ limits -m 1G ./mytest
> >   memoryuse 1048576 kB
> >   vmemoryuse   infinity kB
> > 
> > How do I do the same in Linux (without root permissions)?
> 
> One way would be:
> 
> (ulimit -m 2097152; ./mytest)

Is the value in KB or MB? Seems KB. Anyway, the suggested method does not seem 
to work:

$ ulimit -m 640 ; stress-ng --vm 1 --vm-bytes 2G
-bash: ulimit: max memory size: cannot modify limit: Operation not permitted
stress-ng: info:  [10272] defaulting to a 86400 second (1 day, 0.00 secs) run 
per stressor
stress-ng: info:  [10272] dispatching hogs: 1 vm
^C

> 
> This assumes you're using bash as your shell.

I am, as you see above. I expect stress-ng to be killed when it tries to
allocate 2G of memory but it's not happening. Can you reproduce your
advice?

> 
> You never need root privileges to *reduce* one of your resource limits
> to a lower value.  Nor do you need root privs to raise your soft limit
> up to the hard limit.  However, you do need root privs to raise your
> hard limit.
> 

Then, why does it say "cannot modify limit: Operation not permitted" ?

-- 
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet


signature.asc
Description: PGP signature

Re: MTA (corrected)

[Polyna-Maude Racicot-Summerside]

Hi,

On 2021-07-05 10:55 a.m., Vincent Lefevre wrote:
> On 2021-07-05 10:32:27 -0400, Polyna-Maude Racicot-Summerside wrote:
>>> What is this 162.213.253.79 IP address?
>>
>> The IP address 162.213.253.79 is the dedicated IP I rent from Namecheap.
> 
> OK.
> 
>>  Can you control its reverse?
>>>
>> Good question, I'll need to go back read a bit on networking and DNS
>> management.
>>> Is cyrania.com a domain that you own?
>> Yes, I own cyrania.com and polynamaude.com (the domain name used for the
>> email I am sending). I know the SMTP server respond to the name
>> CYRANIA.COM (HELO) but is relaying mail for polynamaude.com too.
> 
> It seems that you already set up the reverse for 162.213.253.79 since
> it is cyrania.com (your domain).
> 
> You may want to add 162.213.253.79 to the cyrania.com IP addresses,
> but if cyrania.com is used as a www host and 162.213.253.79 shoud
> not be used for this purpose, this is not OK.
> 
162.213.253.79 can be used for my web server, it's even the goal.
But Cloudflare proxy service require me to use their own IP (so they can
optimize and cache, plus offer DDOS).

I'll simply disable cloudflare for those domain that I use for email.
I don't host a web server (now a parking page) on the domain I use for
emails.

> In general, it is better to have a specific FQDN for each IP address.
> For instance, 162.213.253.79 would have nodename.cyrania.com as the
> reverse and nodename.cyrania.com would resolve to 162.213.253.79,
> where nodename is the name obtained with the "uname -n" command.
> 

For now it's shared hosting for both email and web server...
I'll give it a try with removing CloudFlare later on today.

-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development



OpenPGP_signature
Description: OpenPGP digital signature

Re: MTA

[John Hasler]

Polyna-Maude Racicot-Summerside writes:
> I agree with you, people who SPAM do have the infrastructure to make
> their domain resolution match, both forward, reverse and possibly
> side-way if there's a need. They have huge amount of resources to do
> so, they may even locate their server farm (physical) in some
> jurisdiction who give them free play and doesn't enforce (or simple
> doesn't have) law regarding the unsolicited mail.

Much of the spam I see comes from hijacked servers and uses a valid
"From:" address that points to that server.  All the headers are valid.
I think that they have realized that the people they target see nothing
odd about

From: Newsguy 
Subject:  Account suspended

Your account has been temporarily suspended.  Click
 to have it reinstated.


No reverse-match checking can catch that.
-- 
John Hasler 
j...@sugarbit.com
Elmwood, WI USA

Re: MTA

[Vincent Lefevre]

On 2021-07-05 10:22:26 -0400, Polyna-Maude Racicot-Summerside wrote:
> What annoy my is that I am paying for a dedicated IP for my server (in
> shared hosting) and I believe it must be a mis-configuration I've done,

Yes, a mis-configuration in your case (see my other mail message).

> I agree with you, people who SPAM do have the infrastructure to make
> their domain resolution match, both forward, reverse and possibly
> side-way if there's a need. They have huge amount of resources to do so,
> they may even locate their server farm (physical) in some jurisdiction
> who give them free play and doesn't enforce (or simple doesn't have) law
> regarding the unsolicited mail.

In particular, snowshoe spamming...

(I blacklist the corresponding IP blocks completely, and check the logs
from time to time. But this is always 100% spam.)

But some spammers also use compromised machines, which normally never
send mail directly, so that some of them are not configured with a
valid reverse. That's why rejecting such suspicious mail may be
useful (I would rather do that combined with countries, e.g. China,
if possible).

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: MTA (corrected)

[Vincent Lefevre]

On 2021-07-05 10:32:27 -0400, Polyna-Maude Racicot-Summerside wrote:
> > What is this 162.213.253.79 IP address?
> 
> The IP address 162.213.253.79 is the dedicated IP I rent from Namecheap.

OK.

>  Can you control its reverse?
> >
> Good question, I'll need to go back read a bit on networking and DNS
> management.
> > Is cyrania.com a domain that you own?
> Yes, I own cyrania.com and polynamaude.com (the domain name used for the
> email I am sending). I know the SMTP server respond to the name
> CYRANIA.COM (HELO) but is relaying mail for polynamaude.com too.

It seems that you already set up the reverse for 162.213.253.79 since
it is cyrania.com (your domain).

You may want to add 162.213.253.79 to the cyrania.com IP addresses,
but if cyrania.com is used as a www host and 162.213.253.79 shoud
not be used for this purpose, this is not OK.

In general, it is better to have a specific FQDN for each IP address.
For instance, 162.213.253.79 would have nodename.cyrania.com as the
reverse and nodename.cyrania.com would resolve to 162.213.253.79,
where nodename is the name obtained with the "uname -n" command.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: MTA

[Vincent Lefevre]

On 2021-07-05 10:06:24 -0400, Greg Wooledge wrote:
> On Mon, Jul 05, 2021 at 03:48:47PM +0200, Vincent Lefevre wrote:
> > On 2021-07-05 09:35:22 -0400, Greg Wooledge wrote:
> > [...]
> > > Your "reverse" (PTR record for 162.213.253.79) doesn't match.  Which is
> > > to say, none of the "A" results from cyrania.com. match the original
> > > IP address of 162.213.253.79.
> > > 
> > > Some SMTP receivers may care about that.
> > [...]
> > 
> > Yes, the reason is that the owner of the IP address can technically
> > put anything for the reverse, in particular a domain he doesn't own.
> > Thus he can put a domain with a good reputation to send spam. That's
> > why antispam software should check that the reverse resolves back to
> > the IP address.
> 
> It's a philosophical argument.  The value stored in the "reverse" is
> only important if you think it's important.  Antispam software may
> choose to consider it irrelevant, or somewhat important, or vitally
> important.

Perhaps I wasn't clear. I mean that antispam software that considers
the reverse in its rules *also* needs to check that the obtained
reverse resolves back to the IP address. It must not blindly trust
the reverse.

> If I'm sending email from 162.213.253.79 but I use b...@microsoft.com as
> my envelope sender address, does it *really* matter whether 162.213.253.79
> has a mismatched reverse lookup?  It's more important to check whether
> microsoft.com considers 162.213.253.79 to be a valid sender.  (And that
> uses SPF or other optional mail-specific information sources.)

This is a different thing, which breaks many mailing-lists.
And it is not reliable in practice (possibly except in scoring).

> Strict reverse-match checking really hurts people who send email
> from home computers, where controlling the reverse is not always easy.

Yes, this is a problem. However, I can notice on my server that
almost all mail with no reverse (or an invalid one) is spam. So
I can understand people who reject such mail.

> Any impact on commercial spammers is negligible, unless the real goal is
> to block bot nets by assuming that anyone with a mismatched reverse is a
> home computer user and is therefore a compromised spam bot, because how
> could anyone on a home computer network ever be a legitimate email sender?

Nowadays, users who do not have the possibility (or do not want) to
control the reverse on their home computer network use a submission
server (their ISP's, a dedicated VM, services like gmail, etc.).

> A more sensible antispam filter might consider a mismatched reverse to
> be one potential factor in deciding whether a given message is "spam".
> In the absence of any other factors, it shouldn't be enough to reject
> a message.  But if the same message has other risk factors, then together
> they might be enough to justify that judgment.

Unfortunately postfix cannot do that (it just has
reject_unknown_client_hostname, but otherwise doesn't allow
the user to control how the information is obtained and used).

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: 2 NIC's

[tomas]

On Mon, Jul 05, 2021 at 04:13:07PM +0200, Nicolas George wrote:
> to...@tuxteam.de (12021-07-05):
> > Yes: ip_forward should be 1.
> 
> Forwarding should not be necessary for connecting on the matching IP
> address. If ethA has IP-A and is connected to net-A and ethB has IP-B
> and is connected to net-B, then forwarding is not necessary to connect
> to IP-A from net-A nor to IP-B from net-B
> 
> Forwarding would  be necessary to connect to IP-A from net-B or IP-B
> from net-A without taking a round trip, but it also requires that the
> router on the networks knows about it.

As I understood the OP, this is the ultimate goal. That said...

> > Besides, and judging from the paragraph quoted above, your box seems
> > to lose the route to the local network (192.168.xxx.xxx) once the
> > other is connected.
> 
> If this is true, then this is the issue and forwarding is irrelevant.

...this has to be taken care of first, definitely :)

Cheers
 - t


signature.asc
Description: Digital signature

Re: Memory allocation failed during fsck of large EXT4 filesystem

[IL Ka]

On Mon, Jul 5, 2021 at 5:17 PM Reiner Buehl  wrote:

> It seems swap is not the solution: Even after adding a 50G swap file, I
> still get the same error message and the swap usage stats from collectd
> show that max swap usage was not more than just 2G.
>
>
btw, do you use 32 or 64bit os?

Re: MTA (corrected)

[Polyna-Maude Racicot-Summerside]

Hi,

> premium58.web-hosting.com is not your SMTP submission server:
>
> $ host premium58.web-hosting.com
> premium58.web-hosting.com has address 198.54.120.203
>
The server premium58.web-hosting.com is hosted by NameCheap and is used
by many of their user as part of their server farm.

All the IP you see in my domain are either the ones used by Namecheap
for my dedicated IP or the IP of one of their server (ftp for example).

The IP that www.cyrania.com or www.polynamaude.com is proxied thru
Cloudflare, so does cyrani.com and polynamaude.com

> What is this 162.213.253.79 IP address?

The IP address 162.213.253.79 is the dedicated IP I rent from Namecheap.


 Can you control its reverse?
>
Good question, I'll need to go back read a bit on networking and DNS
management.
> Is cyrania.com a domain that you own?
Yes, I own cyrania.com and polynamaude.com (the domain name used for the
email I am sending). I know the SMTP server respond to the name
CYRANIA.COM (HELO) but is relaying mail for polynamaude.com too.

>

This is a copy of the dump of my domain name config for CYRANIA.COM

---START

;;
;; Domain: cyrania.com.
;; Exported:   2021-02-05 22:27:25
;;
;; This file is intended for use for informational and archival
;; purposes ONLY and MUST be edited before use on a production
;; DNS server.  In particular, you must:
;;   -- update the SOA record with the correct authoritative name server
;;   -- update the SOA record with the contact e-mail address information
;;   -- update the NS record(s) with the authoritative name servers for
this domain.
;;
;; For further information, please consult the BIND documentation
;; located on the following website:
;;
;; http://www.isc.org/
;;
;; And RFC 1035:
;;
;; http://www.ietf.org/rfc/rfc1035.txt
;;
;; Please note that we do NOT offer technical support for any use
;; of this zone data, the BIND name server, or any other third-party
;; DNS software.
;;
;; Use at your own risk.
;; SOA Record
cyrania.com.3600IN  SOA cyrania.com. root.cyrania.com. 
2036423064 7200
3600 86400 3600

;; A Records
autoconfig.cyrania.com. 1   IN  A   162.213.253.79
autodiscover.cyrania.com.   1   IN  A   162.213.253.79
cpanel.cyrania.com. 1   IN  A   162.213.253.79
cpcalendars.cyrania.com.1   IN  A   162.213.253.79
cpcontacts.cyrania.com. 1   IN  A   162.213.253.79
cyrania.com.1   IN  A   162.213.253.79
ftp.cyrania.com.1   IN  A   198.54.120.212
imap.cyrania.com.   1   IN  A   162.213.253.79
mail.cyrania.com.   1   IN  A   162.213.253.79
pop3.cyrania.com.   1   IN  A   162.213.253.79
smtp.cyrania.com.   1   IN  A   162.213.253.79
webdisk.cyrania.com.1   IN  A   162.213.253.79
webmail.cyrania.com.1   IN  A   162.213.253.79
whm.cyrania.com.1   IN  A   162.213.253.79

;; CNAME Records
www.cyrania.com.1   IN  CNAME   cyrania.com.

;; MX Records
cyrania.com.1   IN  MX  0 mail.cyrania.com.

;; SRV Records
_autodiscover._tcp.cyrania.com. 1   IN  SRV 0 0 443
cpanelemaildiscovery.cpanel.net.
_caldavs._tcp.cyrania.com.  1   IN  SRV 0 0 2080 
premium58.web-hosting.com.
_caldav._tcp.cyrania.com.   1   IN  SRV 0 0 2079 
premium58.web-hosting.com.
_carddavs._tcp.cyrania.com. 1   IN  SRV 0 0 2080 
premium58.web-hosting.com.
_carddav._tcp.cyrania.com.  1   IN  SRV 0 0 2079 
premium58.web-hosting.com.

;; TXT Records
_caldavs._tcp.cyrania.com.  1   IN  TXT "path=/"
_caldav._tcp.cyrania.com.   1   IN  TXT "path=/"
_carddavs._tcp.cyrania.com. 1   IN  TXT "path=/"
_carddav._tcp.cyrania.com.  1   IN  TXT "path=/"
cyrania.com.1   IN  TXT "v=spf1 +ip4:162.213.253.79
+include:spf.web-hosting.com +ip4:198.54.120.203 ~all"

---END

and for polynamaude.com (the domain name I use for this email. I also
have some email on cyrania.com domain too, both hosted by the same server).

---START

;;
;; Domain: polynamaude.com.
;; Exported:   2021-02-05 22:27:48
;;
;; This file is intended for use for informational and archival
;; purposes ONLY and MUST be edited before use on a production
;; DNS server.  In particular, you must:
;;   -- update the SOA record with the correct authoritative name server
;;   -- update the SOA record with the contact e-mail address information
;;   -- update the NS record(s) with the authoritative name servers for
this domain.
;;
;; For further information, please consult the BIND documentation
;; located on the following website:
;;
;; http://www.isc.org/
;;
;; And RFC 1035:
;;
;; http://www.ietf.org/rfc/rfc1035.txt
;;
;; Please note that we do NOT offer technical support for any use
;; of this zone data, the BIND name server, or any other third-party
;; 

Re: MTA

[Polyna-Maude Racicot-Summerside]

Hi Greg,


On 2021-07-05 10:06 a.m., Greg Wooledge wrote:
> On Mon, Jul 05, 2021 at 03:48:47PM +0200, Vincent Lefevre wrote:
>> On 2021-07-05 09:35:22 -0400, Greg Wooledge wrote:
>> [...]
>>> Your "reverse" (PTR record for 162.213.253.79) doesn't match.  Which is
>>> to say, none of the "A" results from cyrania.com. match the original
>>> IP address of 162.213.253.79.
>>>
>>> Some SMTP receivers may care about that.
>> [...]
>>
>> Yes, the reason is that the owner of the IP address can technically
>> put anything for the reverse, in particular a domain he doesn't own.
>> Thus he can put a domain with a good reputation to send spam. That's
>> why antispam software should check that the reverse resolves back to
>> the IP address.
> 
> It's a philosophical argument.  The value stored in the "reverse" is
> only important if you think it's important.  Antispam software may
> choose to consider it irrelevant, or somewhat important, or vitally
> important.
It's a argument that is pretty much impacting our day to day life, so
wouldn't consider this only on the philosophical side.

Probably that most email service provider (like Google, Microsoft and
other who rent the cloud) are suggesting and pushing for the validation
of reverse domain validation. The more people get problem from their
home computer sending email, the more they have possibility to rend
computer on the cloud.

What annoy my is that I am paying for a dedicated IP for my server (in
shared hosting) and I believe it must be a mis-configuration I've done,
possibly also the use of Cloudflare (but my mail server is in plain IP
not behind Cloudflare).

As I also rent a dedicated server (rack) in a data center, with two
dedicated IP, I'm thinking about starting to host the mail server myself.


> 
> If I'm sending email from 162.213.253.79 but I use b...@microsoft.com as
> my envelope sender address, does it *really* matter whether 162.213.253.79
> has a mismatched reverse lookup?  It's more important to check whether
> microsoft.com considers 162.213.253.79 to be a valid sender.  (And that
> uses SPF or other optional mail-specific information sources.)
> 
I agree with you, people who SPAM do have the infrastructure to make
their domain resolution match, both forward, reverse and possibly
side-way if there's a need. They have huge amount of resources to do so,
they may even locate their server farm (physical) in some jurisdiction
who give them free play and doesn't enforce (or simple doesn't have) law
regarding the unsolicited mail.

So reverse matching ain't a big deal for them. There's huge amount of
cash involve so they can build a huge infrastructure to allow them doing
their bad practice.

> Strict reverse-match checking really hurts people who send email
> from home computers, where controlling the reverse is not always easy.
> Any impact on commercial spammers is negligible, unless the real goal is
> to block bot nets by assuming that anyone with a mismatched reverse is a
> home computer user and is therefore a compromised spam bot, because how
> could anyone on a home computer network ever be a legitimate email sender?
> 
I agree that this type of action harm the home user.
Regarding anti-spam, if people who want to go use Netflix using a VPN
can find a way of having their reverse lookup point to a home user
domain then I'm sure every spam based business can find a way to do the
opposite, that is, get their IP resolve to a business / data center
domain name.

> A more sensible antispam filter might consider a mismatched reverse to
> be one potential factor in deciding whether a given message is "spam".
> In the absence of any other factors, it shouldn't be enough to reject
> a message.  But if the same message has other risk factors, then together
> they might be enough to justify that judgment.
> 
Everything is about have a good degree of balance between all the
different attributes. It's the basis of security. If you only rely on
one type of enforcement, people will find a way to go thru and you will
put a undue burden upon a class of user.

-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development



OpenPGP_signature
Description: OpenPGP digital signature

Re: 2 NIC's

[mick crane]

On 2021-07-05 11:44, David wrote:

Dear All,

I am trying to get a thin client running with 2 NIC's and failing.

Due to the age of the thin client I am running Debian 8 i386.

I am trying to get the thin client to run as a proxy server with one
NIC having a local (192.168.xx.xx) address, the other NIC has a public
IP address (80.184.XX.XX).

I've got /etc/network/interfaces configured with the 2 addresses on
eth0 & eth1

If eth0 & eth1 are both connected to the local network I can SSH into
the thin client. If I connect eth1 to the public network I cannot SSH
into the unit, from either addresses.

I have another thin client running a proxy server, but the first NIC is
the built in unit, the other is a USB NIC adapter, the NIC's are called
eth0 & enx00e04c534458. This is enx+MAC address.

I've tried adding routing information to the /etc/network/interfaces
file and adding the MAC addressees as hwaddress ether 00:15:e9:4a:c8:81

Can anybody help me?

David.

daft question but are the NICs the ones you think they are ?
mick
--
Key ID4BFEBB31

Re: Memory allocation failed during fsck of large EXT4 filesystem

[Reiner Buehl]

It seems swap is not the solution: Even after adding a 50G swap file, I
still get the same error message and the swap usage stats from collectd
show that max swap usage was not more than just 2G.

I will now try if the scratch_files stanza makes a difference.

Am Mo., 5. Juli 2021 um 11:50 Uhr schrieb Thomas Schmitt :

> Hi,
>
> Reiner Buehl wrote:
> > Is there a quick way to enlarge the swap space
>
> According to old memories of mine you may create a large, non-sparse file
> as you would do for a virtual disk. E.g. by mkfile (which seems not to be
> in Debian) or qemu-img (from qemu-utils):
>
>   qemu-img create "$swap_file_path" 8G
>
> Set ownership and access rights of "$swap_file_path" so that no
> unprivileged users can spy.
>
> Then you tell the system to use it for swapping
>
>   swapon "$swap_file_path"
>
>
> > fsck.ext4 fails with the error message:
> > Error storing directory block information (inode=366740508, block=0,
> > num=406081): Memory allocation failed
>
> According to
>
> https://codesearch.debian.net/search?q=package%3Ae2fsprogs+Memory+allocation+failed
> this message is emitted if error code EXT2_ET_NO_MEMORY was returned.
> This error code indeed occurs if memory allocating system calls fail.
> In these cases i would expect that more virtual memory could help.
>
>
> 
>
> But i see questionable occurences of EXT2_ET_NO_MEMORY which get triggered
> by bad data. In these cases no extra memory can help:
>
> Halfways correct is its use to mark an insane request for a memory array
> which would exceed the maximum number that can be stored in unsigned long
> integer variables.
>
> There are possible misattributions of that error code if get_icount_el()
> returns 0 to set_inode_count() for reasons of bad data.
>
> https://sources.debian.org/src/e2fsprogs/1.46.2-2/lib/ext2fs/icount.c/?hl=461#L461
>
> https://sources.debian.org/src/e2fsprogs/1.46.2-2/lib/ext2fs/icount.c/?hl=388#L388
> (in line 496 the same return value leads to ENOENT.)
>
> In
>
> https://sources.debian.org/src/e2fsprogs/1.46.2-2/lib/ext2fs/hashmap.c/?hl=33#L33
> i see a potential memory fault by using the calloc(3) return without
> checking it for NULL. (A caller of ext2fs_hashmap_create() would later
> throw EXT2_ET_NO_MEMORY if the program did not crash yet.)
>
> Return value 0 from get_refcount_el() is converted to EXT2_ET_NO_MEMORY
> in ea_refcount_increment(), although get_refcount_el() did not attempt to
> allocate memory.
>
> It stays a riddle from where e2fsprogs links sparse_file_new(). I find it
> only as Android C++ call. Whatever, if it fails then EXT2_ET_NO_MEMORY
> can be returned by its caller io_manager_configure(), which seems not
> restricted to Android.
>
>
> Have a nice day :)
>
> Thomas
>
>

Re: 2 NIC's

[Nicolas George]

to...@tuxteam.de (12021-07-05):
> Yes: ip_forward should be 1.

Forwarding should not be necessary for connecting on the matching IP
address. If ethA has IP-A and is connected to net-A and ethB has IP-B
and is connected to net-B, then forwarding is not necessary to connect
to IP-A from net-A nor to IP-B from net-B

Forwarding would  be necessary to connect to IP-A from net-B or IP-B
from net-A without taking a round trip, but it also requires that the
router on the networks knows about it.

> Besides, and judging from the paragraph quoted above, your box seems
> to lose the route to the local network (192.168.xxx.xxx) once the
> other is connected.

If this is true, then this is the issue and forwarding is irrelevant.

Regards,

-- 
  Nicolas George


signature.asc
Description: PGP signature

Re: MTA

[Greg Wooledge]

On Mon, Jul 05, 2021 at 03:48:47PM +0200, Vincent Lefevre wrote:
> On 2021-07-05 09:35:22 -0400, Greg Wooledge wrote:
> [...]
> > Your "reverse" (PTR record for 162.213.253.79) doesn't match.  Which is
> > to say, none of the "A" results from cyrania.com. match the original
> > IP address of 162.213.253.79.
> > 
> > Some SMTP receivers may care about that.
> [...]
> 
> Yes, the reason is that the owner of the IP address can technically
> put anything for the reverse, in particular a domain he doesn't own.
> Thus he can put a domain with a good reputation to send spam. That's
> why antispam software should check that the reverse resolves back to
> the IP address.

It's a philosophical argument.  The value stored in the "reverse" is
only important if you think it's important.  Antispam software may
choose to consider it irrelevant, or somewhat important, or vitally
important.

If I'm sending email from 162.213.253.79 but I use b...@microsoft.com as
my envelope sender address, does it *really* matter whether 162.213.253.79
has a mismatched reverse lookup?  It's more important to check whether
microsoft.com considers 162.213.253.79 to be a valid sender.  (And that
uses SPF or other optional mail-specific information sources.)

Strict reverse-match checking really hurts people who send email
from home computers, where controlling the reverse is not always easy.
Any impact on commercial spammers is negligible, unless the real goal is
to block bot nets by assuming that anyone with a mismatched reverse is a
home computer user and is therefore a compromised spam bot, because how
could anyone on a home computer network ever be a legitimate email sender?

A more sensible antispam filter might consider a mismatched reverse to
be one potential factor in deciding whether a given message is "spam".
In the absence of any other factors, it shouldn't be enough to reject
a message.  But if the same message has other risk factors, then together
they might be enough to justify that judgment.

Re: MTA

[Vincent Lefevre]

On 2021-07-05 09:41:02 -0400, Polyna-Maude Racicot-Summerside wrote:
> Hi,
> 
> On 2021-07-05 9:35 a.m., Greg Wooledge wrote:
> > On Mon, Jul 05, 2021 at 09:23:03AM -0400, Polyna-Maude Racicot-Summerside 
> > wrote:
> >> Reporting-MTA: dns; premium58.web-hosting.com
> >>
> >> Action: failed
> >> Final-Recipient: rfc822;bjoern.ri...@greenbone.net
> >> Status: 5.0.0
> >> Remote-MTA: dns; mail.greenbone.net
> >> Diagnostic-Code: smtp; 550 X-Host-Lookup-Failed: Reverse DNS lookup
> >> failed for 162.213.253.79 (failed)
> > 
> > unicorn:~$ host 162.213.253.79
> > 79.253.213.162.in-addr.arpa domain name pointer cyrania.com.
> > unicorn:~$ host cyrania.com.
> > cyrania.com has address 172.67.185.109
> > cyrania.com has address 104.21.59.235
> > cyrania.com has IPv6 address 2606:4700:3031::6815:3beb
> > cyrania.com has IPv6 address 2606:4700:3031::ac43:b96d
> > cyrania.com mail is handled by 0 _dc-mx.f1202d9a4fb3.cyrania.com.
> > 
> > Your "reverse" (PTR record for 162.213.253.79) doesn't match.  Which is
> > to say, none of the "A" results from cyrania.com. match the original
> > IP address of 162.213.253.79.
> > 
> So is there something I can do on my side ?
> I don't have control over the IMAP/SMTP server (premium58.web-hosting.com).

premium58.web-hosting.com is not your SMTP submission server:

$ host premium58.web-hosting.com
premium58.web-hosting.com has address 198.54.120.203

What is this 162.213.253.79 IP address? Can you control its reverse?

Is cyrania.com a domain that you own?

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: MTA

[Vincent Lefevre]

On 2021-07-05 09:35:22 -0400, Greg Wooledge wrote:
[...]
> Your "reverse" (PTR record for 162.213.253.79) doesn't match.  Which is
> to say, none of the "A" results from cyrania.com. match the original
> IP address of 162.213.253.79.
> 
> Some SMTP receivers may care about that.
[...]

Yes, the reason is that the owner of the IP address can technically
put anything for the reverse, in particular a domain he doesn't own.
Thus he can put a domain with a good reputation to send spam. That's
why antispam software should check that the reverse resolves back to
the IP address.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: MTA

[Polyna-Maude Racicot-Summerside]

Hi,

On 2021-07-05 9:35 a.m., Greg Wooledge wrote:
> On Mon, Jul 05, 2021 at 09:23:03AM -0400, Polyna-Maude Racicot-Summerside 
> wrote:
>> Reporting-MTA: dns; premium58.web-hosting.com
>>
>> Action: failed
>> Final-Recipient: rfc822;bjoern.ri...@greenbone.net
>> Status: 5.0.0
>> Remote-MTA: dns; mail.greenbone.net
>> Diagnostic-Code: smtp; 550 X-Host-Lookup-Failed: Reverse DNS lookup
>> failed for 162.213.253.79 (failed)
> 
> unicorn:~$ host 162.213.253.79
> 79.253.213.162.in-addr.arpa domain name pointer cyrania.com.
> unicorn:~$ host cyrania.com.
> cyrania.com has address 172.67.185.109
> cyrania.com has address 104.21.59.235
> cyrania.com has IPv6 address 2606:4700:3031::6815:3beb
> cyrania.com has IPv6 address 2606:4700:3031::ac43:b96d
> cyrania.com mail is handled by 0 _dc-mx.f1202d9a4fb3.cyrania.com.
> 
> Your "reverse" (PTR record for 162.213.253.79) doesn't match.  Which is
> to say, none of the "A" results from cyrania.com. match the original
> IP address of 162.213.253.79.
> 
So is there something I can do on my side ?
I don't have control over the IMAP/SMTP server (premium58.web-hosting.com).

Would it be better to simply not use Cloudflare (free tier) for the
domain where I am using mail service ?

Because my web server is mostly on polynamaude.ca / polynamaude.org .
It's mostly a parking page for polynamaude.com that I could simply remove.

> Some SMTP receivers may care about that.  Apparently the receiver for
> greenbone.net (whose name is mail.greenbone.net) is one of them.
> 

-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development



OpenPGP_signature
Description: OpenPGP digital signature

Re: MTA

[Greg Wooledge]

On Mon, Jul 05, 2021 at 09:23:03AM -0400, Polyna-Maude Racicot-Summerside wrote:
> Reporting-MTA: dns; premium58.web-hosting.com
> 
> Action: failed
> Final-Recipient: rfc822;bjoern.ri...@greenbone.net
> Status: 5.0.0
> Remote-MTA: dns; mail.greenbone.net
> Diagnostic-Code: smtp; 550 X-Host-Lookup-Failed: Reverse DNS lookup
> failed for 162.213.253.79 (failed)

unicorn:~$ host 162.213.253.79
79.253.213.162.in-addr.arpa domain name pointer cyrania.com.
unicorn:~$ host cyrania.com.
cyrania.com has address 172.67.185.109
cyrania.com has address 104.21.59.235
cyrania.com has IPv6 address 2606:4700:3031::6815:3beb
cyrania.com has IPv6 address 2606:4700:3031::ac43:b96d
cyrania.com mail is handled by 0 _dc-mx.f1202d9a4fb3.cyrania.com.

Your "reverse" (PTR record for 162.213.253.79) doesn't match.  Which is
to say, none of the "A" results from cyrania.com. match the original
IP address of 162.213.253.79.

Some SMTP receivers may care about that.  Apparently the receiver for
greenbone.net (whose name is mail.greenbone.net) is one of them.

MTA

[Polyna-Maude Racicot-Summerside]

Hi,

I'm getting this error when sending message (responding to user on the
mailing list).

Does someone has a small idea where I could start my investigation ?

I'm hosting my mail server on Cloudflare DNS but the MX record is in clear.

The mail server is using a reserved IP and it is serving many domain
name for email.

I was thinking that maybe I should start thinking about hosting my own
email server. But I wasn't sure if I felt like I had the nerve to do so.
Some people say it's a lot of maintenance work.

I don't want to use Google for my domain as a email provider, this is
too costly.

The actual hosting provider I use (Namecheap) does a great job, except
that because it's a shared hosting provider my mail often gets flagged
junk and seem to always raise some problem with DMARC compliance,
possibly relating to the above.

Thanks,

Start of the error message received by "returned mail" :

Reporting-MTA: dns; premium58.web-hosting.com

Action: failed
Final-Recipient: rfc822;bjoern.ri...@greenbone.net
Status: 5.0.0
Remote-MTA: dns; mail.greenbone.net
Diagnostic-Code: smtp; 550 X-Host-Lookup-Failed: Reverse DNS lookup
failed for 162.213.253.79 (failed)


-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development



OpenPGP_signature
Description: OpenPGP digital signature

Re: Fwd: Re: why pdf file at archive.org is so slow to open

[Polyna-Maude Racicot-Summerside]

Hi,

On 2021-07-05 2:34 a.m., to...@tuxteam.de wrote:
> On Mon, Jul 05, 2021 at 06:21:40AM +, Andrew M.A. Cater wrote:
>>
>> Just a polite reminder: however annoyed you feel, insulting each other
>> on list really doesn't help get technical or other points across. 
> 
I totally agree with you Andrew.

Everything that is unrelated to the following can be considered useless:

Technical aspects of a software/hardware
What practice could be considered optimal for a specific case
Arguments to support some technological / methodological choice
References to documents / HOWTO / FAQ / etc...

and so on... ( I'm pretty sure we get the point here).

Yes it does make the reading bloated for other users and may even cause
some people to loose interest in the mailing list.

There may arise situation where it may be opportunistic to engage into
some opinion, if the goal is to make a better community. This is my firm
belief and the message I am responding to, can be considered such a
situation.

There is a point that I never saw being put forward and I think it must
be dealt with, that is credibility.

Same thing over what was the base of the situation here.

If CIA really does infiltrate Adobe Software (or any company) then they
have all the power needed to hide their track. It's not any usual layman
that will have the power to trace back to them, even with all the
willpower he may have.

Also, if such a discovery would be made then I'm convinced that anyone
who has solid proof would share them with either news agency,
investigative journals, etc. Not keep it to oneself, only to be shared
as part of a comment regarding the speed of opening a PDF file.

So this sound to me as a pure fiction based arguments to support one's
conviction against closed source software (Adobe in this case).
Again this make the community of open source user look like a bunch of
nutcracker thinking there's spy everywhere and going back to the 50's -
60's witch hunt.

Or it's a really bad understanding over already published documents
about some of the NSA program...

This also raised doubt about evertything he could say, if someone
doesn't validate info received and make such frivolous claim then how
can I have a sense of trust over small suggestions he's making.

For example that there's a real speed gain of using USB 3.0 for a
webcam. Or that plugging a USB 2.0 device onto a USB 3.0 hub could
reduce the speed for all the device on the hub. Even if the last part if
true, I'll have a doubt over the whole sentence. (I made this one up)


> Thanks, Andrew.
> 
> Folks: if you enjoy slinging mud at each other, fine. But please, do
> it off-list :-)
> 

I dislike to see people ask for help, in good faith they will find it
here and it turn bad for them. And they don't get back on the list...

If having harsh exchange between each other may annoy the continuous
user of the mailing list, then don't be fooled, first time user may get
driver off the mailing list because they get far-reached unrelated
explanation. And those one won't come back telling everyone why they left.

If the goal of this mailing list is also to retain user in the use of
Debian Linux distribution (and possibly derivative) then this shall also
be dealt with.

> I'd add "don't hurt each other", but that's me.
I prefer consensual food fight over mud slinging, plus I always make
sure not to target the eyes.
> 
> Cheers
>  - t
> 
-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development



OpenPGP_signature
Description: OpenPGP digital signature

Re: 2 NIC's

[Greg Wooledge]

On Mon, Jul 05, 2021 at 01:53:19PM +0200, to...@tuxteam.de wrote:
> Could you tell us:
> 
>  - what the netmasks are
>  - the output of "ip route list" (or of "route -n"), best before
>you connect eth1 and after?
> 
> Is your box perhaps requesting (and getting) an IP address via
> DHCP at the moment you connect eth1?

Start by showing us the full /etc/network/interfaces file, please.

There are too many unknowns at this point, starting with the OP's
definition of "thin client", and also including the *actual* configuration
of the two network interfaces.  Are they static, or DHCP?  Did the OP
provide more than one "gateway" line by mistake?  And so on.

Re: 2 NIC's

[Jeremy Ardley]

On 5/7/21 7:53 pm, to...@tuxteam.de wrote:

On Mon, Jul 05, 2021 at 07:38:42PM +0800, Jeremy Ardley wrote:

On 5/7/21 6:44 pm, David wrote:

Dear All,

I am trying to get a thin client running with 2 NIC's and failing.

[...]


If eth0 & eth1 are both connected to the local network I can SSH into
the thin client. If I connect eth1 to the public network I cannot SSH
into the unit, from either addresses.

What is the value of /proc/sys/net/ipv4/ip_forward ?
(and/or ipv6 if necessary)

Yes: ip_forward should be 1.

Besides, and judging from the paragraph quoted above, your box seems
to lose the route to the local network (192.168.xxx.xxx) once the
other is connected.

Could you tell us:

  - what the netmasks are
  - the output of "ip route list" (or of "route -n"), best before
you connect eth1 and after?

Is your box perhaps requesting (and getting) an IP address via
DHCP at the moment you connect eth1?

Cheers
  - t


Another problem could be what IP addresses SSH is listening on.

What does

netstat -lutn

show?

You should see ssh listening on whatever port you are using on both nic 
IP addresses.


Another problem could be the firewall

What does

iptables-save
ip6tables-save

show?
--
Jeremy



OpenPGP_signature
Description: OpenPGP digital signature

Re: 2 NIC's

[tomas]

On Mon, Jul 05, 2021 at 07:38:42PM +0800, Jeremy Ardley wrote:
> 
> On 5/7/21 6:44 pm, David wrote:
> >Dear All,
> >
> >I am trying to get a thin client running with 2 NIC's and failing.

[...]

> >If eth0 & eth1 are both connected to the local network I can SSH into
> >the thin client. If I connect eth1 to the public network I cannot SSH
> >into the unit, from either addresses.

> What is the value of /proc/sys/net/ipv4/ip_forward ?
> (and/or ipv6 if necessary)

Yes: ip_forward should be 1.

Besides, and judging from the paragraph quoted above, your box seems
to lose the route to the local network (192.168.xxx.xxx) once the
other is connected.

Could you tell us:

 - what the netmasks are
 - the output of "ip route list" (or of "route -n"), best before
   you connect eth1 and after?

Is your box perhaps requesting (and getting) an IP address via
DHCP at the moment you connect eth1?

Cheers
 - t


signature.asc
Description: Digital signature

Re: Limit memory consumption of an ad hoc process

[Greg Wooledge]

On Mon, Jul 05, 2021 at 10:15:19AM +0700, Victor Sudakov wrote:
> FreeBSD has a simple way to run some ad-hoc program with memory limits:
> 
> $ limits -m 2G ./mytest
>   memoryuse 2097152 kB
>   vmemoryuse   infinity kB
> $ limits -m 1G ./mytest
>   memoryuse 1048576 kB
>   vmemoryuse   infinity kB
> 
> How do I do the same in Linux (without root permissions)?

One way would be:

(ulimit -m 2097152; ./mytest)

This assumes you're using bash as your shell.

You might want to review the resource limits and how they work --
see setrlimit(2) for the kernel's documentation.  See "help ulimit"
for bash's brief-form documentation.  The longer documentation is in
the bash(1) man page.

You never need root privileges to *reduce* one of your resource limits
to a lower value.  Nor do you need root privs to raise your soft limit
up to the hard limit.  However, you do need root privs to raise your
hard limit.

Re: 2 NIC's

[Jeremy Ardley]

On 5/7/21 6:44 pm, David wrote:

Dear All,

I am trying to get a thin client running with 2 NIC's and failing.

Due to the age of the thin client I am running Debian 8 i386.

I am trying to get the thin client to run as a proxy server with one
NIC having a local (192.168.xx.xx) address, the other NIC has a public
IP address (80.184.XX.XX).

I've got /etc/network/interfaces configured with the 2 addresses on
eth0 & eth1

If eth0 & eth1 are both connected to the local network I can SSH into
the thin client. If I connect eth1 to the public network I cannot SSH
into the unit, from either addresses.

I have another thin client running a proxy server, but the first NIC is
the built in unit, the other is a USB NIC adapter, the NIC's are called
eth0 & enx00e04c534458. This is enx+MAC address.

I've tried adding routing information to the /etc/network/interfaces
file and adding the MAC addressees as hwaddress ether 00:15:e9:4a:c8:81

Can anybody help me?

David.



What is the value of /proc/sys/net/ipv4/ip_forward ?
(and/or ipv6 if necessary)

If you don't have forwarding you will have problems.
This may not be a solution to your problem but it will eliminate one 
possible problem.



--
Jeremy



OpenPGP_signature
Description: OpenPGP digital signature

2 NIC's

[David]

Dear All,

I am trying to get a thin client running with 2 NIC's and failing.

Due to the age of the thin client I am running Debian 8 i386.

I am trying to get the thin client to run as a proxy server with one
NIC having a local (192.168.xx.xx) address, the other NIC has a public
IP address (80.184.XX.XX).

I've got /etc/network/interfaces configured with the 2 addresses on
eth0 & eth1

If eth0 & eth1 are both connected to the local network I can SSH into
the thin client. If I connect eth1 to the public network I cannot SSH
into the unit, from either addresses.

I have another thin client running a proxy server, but the first NIC is
the built in unit, the other is a USB NIC adapter, the NIC's are called
eth0 & enx00e04c534458. This is enx+MAC address.

I've tried adding routing information to the /etc/network/interfaces
file and adding the MAC addressees as hwaddress ether 00:15:e9:4a:c8:81

Can anybody help me?

David.

Re: removing modules

[Brian]

On Sun 04 Jul 2021 at 23:53:15 -0500, David Wright wrote:

> On Sun 04 Jul 2021 at 21:12:10 (+0100), Brian wrote:
> > On Sun 04 Jul 2021 at 20:16:25 +0100, Brad Rogers wrote:
> > > On Sun, 4 Jul 2021 19:42:26 +0100 Brian wrote:
> > > >I did specify "as time goes on". Suppose one boots successfully a 100
> > > >times with the new kernel. What need is there for a second kernel on
> > > >the system?
> > > 
> > > Clearly, you haven't understood what Tixy wrote.
> > 
> > Maybe I didn't. But your comment doesn't clarfify anything.
> > Care to add anything worthwhile?
> 
> I think the point that's being made is illustrated by recent upgrades
> to amd64 buster.
> 
> linux-image-4.19.0-16-amd64_4.19.181-1_amd64.deb was issued Mar27,
> then linux-image-4.19.0-17-amd64_4.19.194-1_amd64.deb Jun19.
> 
> So if by Jun22 one was happy with the latter, then you're suggesting
> one remove the former.
> 
> Now on Jun23, linux-image-4.19.0-17-amd64_4.19.194-2_amd64.deb becomes
> available. When you run upgrade, this kernel will overwrite the Jun19
> version. If Jun23 hits a snag when booting, you've got no version 16
> to fall back on.

Thanks. The illustration did the trick.

-- 
Brian.

Re: Memory allocation failed during fsck of large EXT4 filesystem

[Thomas Schmitt]

Hi,

Reiner Buehl wrote:
> Is there a quick way to enlarge the swap space

According to old memories of mine you may create a large, non-sparse file
as you would do for a virtual disk. E.g. by mkfile (which seems not to be
in Debian) or qemu-img (from qemu-utils):

  qemu-img create "$swap_file_path" 8G

Set ownership and access rights of "$swap_file_path" so that no
unprivileged users can spy.

Then you tell the system to use it for swapping

  swapon "$swap_file_path"


> fsck.ext4 fails with the error message:
> Error storing directory block information (inode=366740508, block=0,
> num=406081): Memory allocation failed

According to
  
https://codesearch.debian.net/search?q=package%3Ae2fsprogs+Memory+allocation+failed
this message is emitted if error code EXT2_ET_NO_MEMORY was returned.
This error code indeed occurs if memory allocating system calls fail.
In these cases i would expect that more virtual memory could help.



But i see questionable occurences of EXT2_ET_NO_MEMORY which get triggered
by bad data. In these cases no extra memory can help:

Halfways correct is its use to mark an insane request for a memory array
which would exceed the maximum number that can be stored in unsigned long
integer variables.

There are possible misattributions of that error code if get_icount_el()
returns 0 to set_inode_count() for reasons of bad data.
  
https://sources.debian.org/src/e2fsprogs/1.46.2-2/lib/ext2fs/icount.c/?hl=461#L461
  
https://sources.debian.org/src/e2fsprogs/1.46.2-2/lib/ext2fs/icount.c/?hl=388#L388
(in line 496 the same return value leads to ENOENT.)

In
  
https://sources.debian.org/src/e2fsprogs/1.46.2-2/lib/ext2fs/hashmap.c/?hl=33#L33
i see a potential memory fault by using the calloc(3) return without
checking it for NULL. (A caller of ext2fs_hashmap_create() would later
throw EXT2_ET_NO_MEMORY if the program did not crash yet.)

Return value 0 from get_refcount_el() is converted to EXT2_ET_NO_MEMORY
in ea_refcount_increment(), although get_refcount_el() did not attempt to
allocate memory.

It stays a riddle from where e2fsprogs links sparse_file_new(). I find it
only as Android C++ call. Whatever, if it fails then EXT2_ET_NO_MEMORY
can be returned by its caller io_manager_configure(), which seems not
restricted to Android.


Have a nice day :)

Thomas

Re: Memory allocation failed during fsck of large EXT4 filesystem

[IL Ka]

> Error storing directory block information (inode=366740508, block=0,
> num=406081): Memory allocation failed
>

Try ``scratch_files``
https://manpages.debian.org/buster/e2fsprogs/e2fsck.conf.5.en.html
This stanza controls when e2fsck will attempt to use scratch files to
reduce the need for memory.



> The system has 4GB of memory and a 8GB swap partition. The filesystem has
> 7TB. Is there a quick way to enlarge the swap space to help fsck.ext4 to
> finish the repair?
>
I do not have any unused partitions but have space for swap on other
> filesystems if that is possible.
>

You can create swap on any free partition, see
https://manpages.debian.org/buster/util-linux/mkswap.8.en.html
https://manpages.debian.org/buster/mount/swapon.8.en.html

7TB seems like too much for one partition imho.
Consider splitting it into the parts


>
>

Memory allocation failed during fsck of large EXT4 filesystem

[Reiner Buehl]

Hi all,

I have a corrupt EXT4 filesystem where fsck.ext4 fails with the error
message:

Error storing directory block information (inode=366740508, block=0,
num=406081): Memory allocation failed

/dev/vg_data/lv_mpg: * FILE SYSTEM WAS MODIFIED *
e2fsck: aborted

/dev/vg_data/lv_mpg: * FILE SYSTEM WAS MODIFIED *

The system has 4GB of memory and a 8GB swap partition. The filesystem has
7TB. Is there a quick way to enlarge the swap space to help fsck.ext4 to
finish the repair? I do not have any unused partitions but have space for
swap on other filesystems if that is possible.

Re: Fwd: Re: why pdf file at archive.org is so slow to open

[tomas]

On Mon, Jul 05, 2021 at 06:21:40AM +, Andrew M.A. Cater wrote:
> 
> Just a polite reminder: however annoyed you feel, insulting each other
> on list really doesn't help get technical or other points across. 

Thanks, Andrew.

Folks: if you enjoy slinging mud at each other, fine. But please, do
it off-list :-)

I'd add "don't hurt each other", but that's me.

Cheers
 - t


signature.asc
Description: Digital signature

Re: Fwd: Re: why pdf file at archive.org is so slow to open

[Andrew M.A. Cater]

Just a polite reminder: however annoyed you feel, insulting each other
on list really doesn't help get technical or other points across. 

Anybody can phrase things badly: anybody can get things wrong at times:
everybody can be wrong at times or just be badly informed.
If all else fails: when you read something that punches your buttons, stop,
wait 15 minutes, draft a politer reply - or set that thing aside and
just ignore it or the person who wrote it wihout escalating it.
Sometime, maybe, that person will have something more useful to contribute
that you may benefit from.

Andy - who doesn't always get things right himself.

Andy Cater
[For the Community Team]