Re: buying ssl certificate

2017-05-28 Thread Andy Smith
Hello,

On Fri, May 26, 2017 at 10:04:42PM +, kc atgb wrote:
> I will have to buy/renew some certificates we have at my job. 
> 
> There are a certain number of certificates providers. The question I have is 
> which one do I have to consider ? 

Domain-validated (i.e. they just check you can receive email at the
domain, or that you can put something in the domain's DNS) TLS
certificates are all pretty much the same.

Your worst case scenario is that the certificate authority is found
to be hopelessly insecure and is distrusted by one or more major
browsers.

I suggest it is worth your time to get letsencrypt automation
working and just use those, for free.

If you need extended validation for some reason then the costs will
vary, pick any big name. You'd probably know what to do already if
this were a requirement though.

> Recently came to the market some low-cost ssl certificate providers. Or free 
> ssl providers. What do you think about them ? 

I think the best of the free ones is letsencrypt. 

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: SATA hotplug + mdadm raid

2017-05-18 Thread Andy Smith
Hi Sam,

It doesn't matter what your devices are called. In fact you are best
advised to avoid use of the /dev/sd* names where possible as these
names may change for reasons other than drives being hotplugged. For
example if your storage controller needs a module to detect drives,
then order of module loading may affect device naming.

Try to use the paths in /dev/disk/by-id/ or similar.

mdadm itself recognises array component devices by its own metadata
so does not care what they are called (as long as you haven't told
mdadm to ignore those device names).

The only thing you might want to check out is whether your BIOS is
going to see a bootloader on the drive it tries to boot from next
time.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Firefox: security vs flexibility or rtfm?

2017-04-28 Thread Andy Smith
Hi Mark,

I think Mozilla's position is reasonable since if you allow this
sort of thing to remain possible, nobody will fix anything. Broken
software will ship with instructions for the users to "just make an
exception".

Would it be feasible to put a proxy in front of the HTTP-only
service, that consumes HTTP on its backend and exposes HTTPS on its
frontend?

That way, the burden is on the administrator rather than the
end-user, which is probably a fairer division of labour.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Installer: problem installing onto LVM on RAID1

2017-04-09 Thread Andy Smith
Hi Ron,

On Sun, Apr 09, 2017 at 06:43:32PM +0100, Ron Leach wrote:
> What partitions - I think I mean logical volumes - might I be best
> using for my installation, keeping in mind that I will need to extend
> whatever logical volume houses the 'users-files'?

I think you are making a conceptual error in using the entirety of
your 3TB volume group as a single logical volume (LV) for the root
filesystem.

One of the points of using LVM is that you can resize things later
when you discover more about where the scarcity lies. By allocating
the whole lot on day one, you are forcing yourself into potentially
having to shrink it again later when you want to change something.

If I were you, I'd create several LVs for important filesystems but
start them off pretty small. When they start to get full you can
grow them online.

These days you can have /boot on LVM (or have /boot as part of / and
have that on LVM) and GRUB has no problem booting from it.
Personally, I am old-fashioned; I like booting and the root
filesystem to be simple, so I put /boot and / on separate MD arrays
outside of LVM.

I then have small LVs for interesting filesystems like /var,
/home, /usr/share and application-specific things that I put under
/srv.

Also you can do swap on an LV but as I never need to resize swap, it
is another thing that I tend to keep outside of LVM for simplicity.

> Is using a whole-disk RAID1 a reasonable choice (the kernel raid wiki
> suggests this will work) or would folks on the list recommend
> configuring multiple mds?

Plenty of people would put everything inside one md RAID-1, it is
just personal preference.

The main thing that I think you are doing wrong is fully-allocating
all your volume group on day one, instead of keeping it unallocated
until it is needed.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: if you have no swap in your installation this is what you do??? Why???

2017-04-09 Thread Andy Smith
Hi,

On Sun, Apr 09, 2017 at 02:58:00PM +, GiaThnYgeia wrote:
> 1 What is the difference functionally of having a swap partition from
> having a swap file?  Is it that you can use a separate physical disk
> that will take the wear and tear of swapping?

As long as the filesystem can support swapfiles then there is no
difference in functionality. You can put swap on a block device that
is from a separate physical device to the rest of your storage, or
in a swap file on a filesystem that is on a separate physical
device to the rest of your storage, so that isn't a distinguishing
feature. It's just down to whatever is most convenient for you.

> 2 Is swap size relevant to ram, should it be equal, greater, smaller?
> Advantages disadvantages?  I rarely see in a workstation and my/our use
> anywhere close to 4GB being used, it usually maxes out around 2,5GB. No,
> no killing games here, maybe some chess and gnubg. Is it that a Ram of
> 1GB would benefit from 2-4GB swap space while with 16GB or Ram swap
> would never be used?

Opinions differ. More than 1GiB to me seems excessive regardless of
how much RAM you have. If you have 1GiB of data swapped out and you
need it again, it's going to take a really long time, which will
equate to dire performance. You'd be better off getting more memory
in that case.

Here is some useful discussion on the matter:

http://unix.stackexchange.com/a/190521

> 3 chmod 600 for the swapfile.  Why?

So that only the root user may read/write it. Swapped-out data can
contain sensitive information.

> 4 Is "dd bs=1M count=4M" that defines the 4,000Mb of space/size of the 
> file?

That is units of 1024*1024 bytes, 4*1024*1024 times. Or
4*1024*1024*1024*1024 bytes. Or 4TiB. I'm guessing from below that
you meant bs=1K, in which case yes, that's 4GiB. This is all quicker
to test than to ask about though. :)

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: ipv6 apt issue

2017-03-31 Thread Andy Smith
Hi,

On Tue, Mar 28, 2017 at 01:24:39PM -0500, Matt Zagrabelny wrote:
> I've got a dual stack host and when doing various apt-y things I attempt to
> connect to:
> 
> # apt update
> 0% [Connecting to ftp-chi.osuosl.org (2600:3402:200:227::2)
> 
> but it hangs and doesn't seem to complete its connection.

Well, there must be a connectivity issue between you and
2600:3402:200:227::2. These things happen.

> If I look at my sources lists:
> 
> % grep http /etc/apt/sources.list.d/*.list | sed -e 's/.*http:\/\///' | uniq
> ftp.us.debian.org/debian/ experimental main
> ftp.us.debian.org/debian/ jessie main contrib non-free
> ftp.us.debian.org/debian/ sid main contrib non-free
> ftp.us.debian.org/debian/ stretch main contrib non-free
> 
> I don't have an /etc/apt/sources.list file. To my observation, my host
> should only be connecting ftp.us.debian.org.

apt uses SRV records:

$ dig +short -t SRV _http._tcp.ftp.us.debian.org
0 2 80 ftp-nyc.osuosl.org.
0 1 80 debian.gtisc.gatech.edu.
0 1 80 ftp-chi.osuosl.org.

That's where you're getting the host name ftp-chi.osuosl.org from.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: installer defaults for desktops (was Re: Suggested edit)

2017-03-24 Thread Andy Smith
Hi Jonathan,

On Fri, Mar 24, 2017 at 10:16:16AM +, Jonathan Dowland wrote:
> On Fri, Mar 24, 2017 at 06:29:35AM +0000, Andy Smith wrote:
> > It can be useful to note the names of people who can't seem to
> > prevent themselves from writing argumentative and massively
> > off-topic responses over and over again. It's a relatively small but
> > vocal list.
> 
> Yes... but,
> 
>  a) the whole list is small and vocal, unfortunately
>  b) killfiling on an individual basis (which I do) does not improve the
>     quality of the list for others (nor Debian's reputation)

I completely agree. This small group of people are ruining it for
everyone and it's not something that can be fixed on a mailing list
that doesn't commit to ruthless banning of off-topic postings. :(

It's a pity that the Debian Shapado instance at
https://ask.debian.net didn't take off more than it did (and now
seems to be completely broken). That does at least allow Stack
Overflow-style scoring of answers to keep things mostly on-topic.

There is also the Debian tag on Stack Overflow, though that is of
course hosted on non-free software.

http://stackoverflow.com/questions/tagged/debian

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: installer defaults for desktops (was Re: Suggested edit)

2017-03-24 Thread Andy Smith
Hello,

On Wed, Mar 22, 2017 at 01:25:20PM +0100, to...@tuxteam.de wrote:
> On Wed, Mar 22, 2017 at 12:16:54PM +, Jonathan Dowland wrote:
> > This thread is a great example of why I really despise debian-user
> > sometimes. There's no reason to be so hostile, you simply disagree with
> > each other. This list is too toxic a lot of the time. Please either post
> > friendly and constructively or not at all.
> 
> A pity indeed. Sometimes threads become "rotten": this seems to be an example
> of that. I try to just ignore those.

It can be useful to note the names of people who can't seem to
prevent themselves from writing argumentative and massively
off-topic responses over and over again. It's a relatively small but
vocal list.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: MBR partitioning, and content after partition table but before first partition

2017-03-14 Thread Andy Smith
Hello,

On Mon, Mar 13, 2017 at 08:36:59PM -0700, David Christensen wrote:
> Is anyone aware of a utility that can walk a file system and replace
> identical files with hard links?

As an alternative to doing this, you could consider using a
filesystem with block-level de-duplication support.

ZFS and btrfs can do this online, though that uses a very large
amount of memory. btrfs and recently XFS can do it offline, which
means that you trigger it at a time of your choosing.

Support in XFS only arrived in kernel version 4.9.1, and is still
marked as experimental. The kernel in jessie-backports right now is
new enough. I did a write up a while ago about experimenting with
this in XFS:

http://strugglers.net/~andy/blog/2017/01/10/xfs-reflinks-and-deduplication/

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: If Linux Is About Choice, Why Then ...

2017-03-13 Thread Andy Smith
Hello,

On Mon, Mar 13, 2017 at 01:48:28PM -0700, Miles Fidelman wrote:
> That might be because all of those who run servers - the traditional
> realm of Debian - have given up and migrated elsewhere.  We can't
> afford to run a poorly designed load of crap, that takes over one's
> machine, as an init system.

Speaking as someone who has preferred Debian on servers since woody,
I remain happy to run Debian on all my servers and am reasonably
happy with systemd. Any other Linux I could imagine ever switching
to also now runs systemd by default and I would be unlikely to seek
to change that.

I suspect that if you counted every instance of an init system
running "in the cloud", most of them would be systemd. The most
popular OS in the cloud is Ubuntu¹ - with systemd. CoreOS², which
was designed from scratch to be run in the cloud, includes systemd
as a non-optional component.

I am not aware of any mass exodus of server administrators away from
systemd. Quite the opposite in fact, simply because most
distributions switched to it.

It is perfectly okay for someone to dislike systemd, or any other
piece of software, but if you are going to make statements that
appear to be on behalf of all server administrators then I think you
need to show your working.

Cheers,
Andy

¹ http://www.zdnet.com/article/ubuntu-linux-continues-to-rule-the-cloud/

² https://coreos.com/docs/

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: How to restart root sending emails?

2017-03-13 Thread Andy Smith
Hello,

On Sun, Mar 12, 2017 at 10:49:50PM -0500, David Wright wrote:
> On Mon 13 Mar 2017 at 03:05:31 (+), Andy Smith wrote:
> > On Sun, Mar 12, 2017 at 10:55:05AM +, Sharon Kimble wrote:
> > > In an effort to get gnus to read root emails I've chowned
> > > /var/mail/mail, added myself to the 'mail' group, changed the
> > > permissions of /var/mail/mail, and generally frigged around with it.

[…]

> > I would start by putting the correct ownership and permissions back
> > on /var/mail/mail. It is normally owned by mail:mail with mode 0600.
> 
> It might make it clearer to write:
> /var/mail/foo is owned by foo:mail with mode 0600,
> /var/mail/bar is owned by bar:mail with mode 0600,
> etc.

The file in question was actually /var/mail/mail and if it exists it
will be owned by mail:mail on Debian, though.

> I would just add that I don't think I've ever had mail sent to user
> "mail" by anything, and so I've never observed a file called /var/mail/mail.

It's where mail for root goes to if delivered locally to an mbox
format spool file. At no point does a /var/mail/root get created as
the system won't want to run an MDA as root and this also avoids
having to run an MUA as root to read it.

But best practice is to send root's email to a regular user or list
of users.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: How to restart root sending emails?

2017-03-12 Thread Andy Smith
Hi Sharon,

On Sun, Mar 12, 2017 at 10:55:05AM +, Sharon Kimble wrote:
> In an effort to get gnus to read root emails I've chowned
> /var/mail/mail, added myself to the 'mail' group, changed the
> permissions of /var/mail/mail, and generally frigged around with it.

That is not a good way to go about achieving this.

A better way to achieve the goal of being able to read emails to
root would be to edit /etc/aliases so that it contains something
like:

root: sharon

where "sharon" is your local user name.

That would cause email for root to be redirected to your username
where you could read it with your usual mail reading software. If
you don't read email locally then you could probably instead send it
to the email address you have used here:

root: boudic...@skimble.plus.com

> So how do I restart root sending logwatch etc again please?

I would start by putting the correct ownership and permissions back
on /var/mail/mail. It is normally owned by mail:mail with mode 0600.

If that doesn't help, try looking at the logs of your mail server
when you expect the emails to be sent. If using exim, that would be
/var/log/exim4/mainlog and /var/log/exim4/paniclog.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: procmail, when were the last rights administered?

2017-03-06 Thread Andy Smith
On Tue, Mar 07, 2017 at 02:47:42AM +, Andy Smith wrote:
> On Mon, Mar 06, 2017 at 09:29:37PM -0500, Gene Heskett wrote:
> > And what replaces it in the MTA dept?

Oh, and procmail is not an MTA (and neither is maildrop…), but more
correctly a Mail Delivery Agent, but I got what you meant.

Sieve is a mail filtering language that is implemented by multiple
different MDAs, but also some Mail User Agents and Mail Transfer
Agents.

Cheers,
Andy



Re: procmail, when were the last rights administered?

2017-03-06 Thread Andy Smith
Hi Gene,

On Mon, Mar 06, 2017 at 09:29:37PM -0500, Gene Heskett wrote:
> And what replaces it in the MTA dept?

procmail is still in Debian stretch and if it still works for you
then it should continue to work for you.

More modern alternatives include Sieve:

http://sieve.info/clients

and maildrop:

http://www.courier-mta.org/maildrop/

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

"I remember the first time I made love.  Perhaps it was not love exactly but I
 made it and it still works." — The League Against Tedium



Re: Failing disk advice

2017-03-06 Thread Andy Smith
Hello,

On Sun, Mar 05, 2017 at 08:38:27PM -0800, David Christensen wrote:
> On 03/05/2017 01:02 PM, Gregory Seidman wrote:
> >I have a disk that is reporting SMART errors.

What are the errors? Some are more serious, some less so.

> >It is an active disk in a (kernel, not hardware) RAID1
> >configuration. I also have a hot spare in the RAID1, and md
> >hasn't decided it should fail the disk and switch to the hot
> >spare. Should I proactively tell md to fail the disk (and let the
> >hot spare take over), or should I just wait until md notices a
> >problem?
> 
> AFAIK desktop disks and "enterprise RAID" disks degrade differently.
> When a desktop disk is having trouble reading a sector, it will retry
> many times before giving up because it is likely the data does not
> exist anywhere else.  But, an enterprise RAID disc will retry only a
> few times and then fail; because the data should exist elsewhere and
> hung reads are intolerable in enterprise environments.

What you're referring to here is SCT Error Recovery Control:

https://en.wikipedia.org/wiki/Error_recovery_control

At one point it was common for it to be a configurable timeout on
most drives, but defaulting to disabled on drive models designed for
desktop use. As you say, the rationale would be that a desktop drive
was probably not in a RAID, so holds the only copy of the data, and
must go to heroic lengths if necessary to read data.

As the drive vendors started being more aggressive about segmenting
their product ranges into "desktop" and "enterprise", they removed
the ability to change the timeout from drives in their desktop ranges.

This has had a very bad side effect for those using desktop drives
in their RAIDs. When SCTERC is not configurable, the timeout is
usually longer than Linux's own block layer timeout. The drive will
be unresponsive for so long that Linux will think the link has died
and reset it or the whole controller. That can cause multiple drives
to be kicked from the MD array though there is nothing wrong with
them, leading to the array becoming inoperable.

This is probably the number one cause of "my array broke and won't
assemble again" posts to linux-raid and so the first question asked
is usually, "what are your timeouts set to?"

It is imperative that anyone using MD RAID checks that their drive
timeouts are set sensibly.

You can check a drive's timeout like this:

# smartctl -l scterc /dev/sda
smartctl 6.4 2014-10-07 r4002 [x86_64-linux-3.16.0-4-amd64] (local build)
Copyright (C) 2002-14, Bruce Allen, Christian Franke, www.smartmontools.org

SCT Error Recovery Control:
   Read: 70 (7.0 seconds)
  Write: 70 (7.0 seconds)

If it comes back like this:

SCT Error Recovery Control:
   Read: Disabled
  Write: Disabled

then it means that SCTERC is supported but disabled, so just needs
setting, like so:

# smartctl -q errorsonly -l scterc,70,70 /dev/sda

but if it comes back like:

Warning: device does not support SCT Error Recovery Control command

then you have a problem as the drive does not support SCTERC and
will likely freeze up for several minutes trying to read a damaged
sector.

If you have drives that don't support SCTERC, and you can't replace
them for ones that do, then your next best course of action is to
increase Linux's own timeouts. 180 seconds seems to be enough:

# echo 180 > /sys/block/sda/device/timeout

The drive will still seem to freeze up for minutes when encountering
an unreadable sector, but Linux will give it longer and you'll avoid
a link/controller reset that could affect other drives.

If you needed to set SCTERC or Linux drive timeout then you must
re-apply those settings at every boot.

> So, if you are using desktop disks in a RAID, you might need to
> manually intervene to compensate for the mismatch.

Adjusting the timeouts is normally all that would be necessary.

If I had a drive that had SCTERC unsupported and it started showing
signs of impending failure, and I had no hot spare, then I'd
probably get a new drive and replace it ASAP just because of the
hassle involved when it does fail. Chances are that failure is going
to happen at an inconvenient time, whereas I could do the
replacement at a time convenient to me.

If, like OP, I had a hot spare in the array then really it is a
no-brainer to me: promote the hot spare then remove the suspect drive.
Since it's a spare there is no time where the array lacks
redundancy. If you wait for the drive to fail then there will be a
period of no redundancy while the spare is brought in.

This does depend on what kind of SMART failure it is though. Some of
them are a concern but do not imply total device failure in the near
future.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
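
The check-then-fix procedure from the message above, collected into one script that can be re-run at every boot. This is an added example, not part of the original post; the function names and the --print/--apply switches are made up here, while the smartctl and sysfs commands and the values 70 and 180 are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post: pick a timeout fix per drive.

# Read `smartctl -l scterc` output on stdin and print one of:
#   enabled | disabled | unsupported | unknown
classify_scterc() {
    awk '
        /does not support SCT Error Recovery Control/ { unsupported = 1 }
        /^ *(Read|Write): +Disabled/                  { disabled = 1 }
        /^ *(Read|Write): +[0-9]+ \(/                 { enabled = 1 }
        END {
            if (unsupported)   print "unsupported"
            else if (disabled) print "disabled"
            else if (enabled)  print "enabled"
            else               print "unknown"
        }'
}

# Print the command that puts one drive into a safe state.
# $1 = class from classify_scterc, $2 = kernel name such as sda
plan_for_drive() {
    case "$1" in
        enabled)     echo "# $2: SCTERC already set, nothing to do" ;;
        disabled)    echo "smartctl -q errorsonly -l scterc,70,70 /dev/$2" ;;
        unsupported) echo "echo 180 > /sys/block/$2/device/timeout" ;;
        *)           echo "# $2: could not read SCTERC state, check by hand" ;;
    esac
}

# Walk every sd* disk known to the kernel and print the plan for each.
plan_all() {
    for path in /sys/block/sd*; do
        [ -e "$path" ] || continue
        dev=${path##*/}
        class=$(smartctl -l scterc "/dev/$dev" 2>&1 | classify_scterc)
        plan_for_drive "$class" "$dev"
    done
}

# The three smartctl responses shown in the post, kept here so that
# classify_scterc can be exercised without any hardware.
SAMPLE_ENABLED='SCT Error Recovery Control:
   Read: 70 (7.0 seconds)
  Write: 70 (7.0 seconds)'
SAMPLE_DISABLED='SCT Error Recovery Control:
   Read: Disabled
  Write: Disabled'
SAMPLE_UNSUPPORTED='Warning: device does not support SCT Error Recovery Control command'

# --print shows what would be done; --apply runs it (needs root).
case "${1:-}" in
    --print) plan_all ;;
    --apply) plan_all | sh ;;
    *)       echo "usage: $0 --print | --apply" >&2 ;;
esac
```

A drive that reports one direction as Disabled and the other as a number is treated as disabled, so both values get set.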



Re: mdraid will no start at boot

2017-02-27 Thread Andy Smith
Hi basti,

On Mon, Feb 27, 2017 at 10:21:51AM +0100, basti wrote:
> On one of my Debian machines I have an error with one md raid.
> 
> There are
> md0 => /
> md1 => /backup
> md2 => /samba
> 
> md2 does not start/assemble after reboot,

I had a similar issue when I did not include the driver for some of
my devices (mpt3sas) in the initramfs:

http://www.spinics.net/lists/raid/msg54466.html
http://www.spinics.net/lists/raid/msg54522.html

There was much back and forth with Neil Brown (former md maintainer and
still developer) because my arrays still should have been assembled
as soon as userland was booted as then mpt3sas was loaded. i.e.
incremental assembly should have kicked in and assembled my arrays
as soon as loading mpt3sas made the devices visible.

Ultimately though it seems that Debian disables this incremental
assembly because of other problems:

http://www.spinics.net/lists/raid/msg54615.html

So I have to stick with my workaround of loading mpt3sas in the
initramfs.

If your problem is not related to that, you'll probably find more
assistance by posting on linux-raid. As you can see, Neil put a lot
of effort into getting to the source of my issue there.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Fstab Problem

2017-02-19 Thread Andy Smith
Hi Stephen,

On Sun, Feb 19, 2017 at 07:37:50AM -0500, Stephen P. Molnar wrote:
> #

[…]

> #UUID=d65867da-c658-4e35-928c-9dd2d6dd5742  /dev/sdb1 ext4
> errors=remount-ro  0  1
> #UUID=007c1f16-34a4-438c-9d15-e3df601649ba  /dev/sdb2 ext4
> errors=remount-ro  0  1

You've put the device path (e.g. /dev/sdb2) in the second column
instead of the mount point. Since you've specified UUID you don't
need to specify device path.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: DNS hits

2017-02-11 Thread Andy Smith
Hi Glenn,

On Sat, Feb 11, 2017 at 04:11:13PM -0700, Glenn English wrote:
> Does your DNS answer recursive queries?
> >
> 
> Oh, my lord. I didn't think it did -- I tried to configure BIND to do
> recursion only from my net. I just tried it from an external IP, and sure
> enough, it gave me an address for www.abc.com. But I just saw another
> config option that turns recursion off completely.

If your nameserver offered recursion then it was most likely scanned
and added to a list of such servers, and is now being used to take
part in distributed denial of service attacks.

If the really large amount of traffic is appearing to come
from relatively few sources at any given time, then you may
actually be taking part in an attack on those apparent sources. The
attackers forge a victim's source address and make a DNS query to an
open resolver for a large record, then the resolver sends that
answer back to the forged source. This inflicts a large amount of
traffic on a third party, as there will be potentially many
thousands of open resolvers doing this all at once.

If on the other hand the really large amount of traffic is coming
from hundreds or thousands of different hosts at once then it is
more likely that you are the victim and they are the open resolvers.

If you're facilitating the DDoS then closing your open resolver
should fix it though not immediately, as they won't know that it
stopped working for a while.

Some more information about the denial of service attacks which use
open recursive nameservers:

http://www.securiteam.com/securityreviews/5GP0L00I0W.html

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
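
Two checks an administrator can run for the situation in the message above: whether the server still offers recursion to an outside client, and whether the sources of the DNS traffic look like "relatively few" or "hundreds or thousands". This is an added example, not part of the original post; the function names, the thresholds (10 and 100 sources, 100 packets minimum) and the sample dig headers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Read `dig` output on stdin. Print "open" if the reply header carries the
# "ra" (recursion available) flag, "closed" if it does not, and "no-reply"
# if there was no reply header at all.
recursion_state() {
    awk '
        /^;; flags:/ {
            seen = 1
            sub(/^;; flags: */, ""); sub(/;.*/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ra") ra = 1
        }
        END { print (!seen ? "no-reply" : (ra ? "open" : "closed")) }'
}

# Read one source address per line on stdin (taken from whatever firewall or
# query log is at hand). Print:
#   "<distinct sources> <total packets> <busiest source> <its share in %>"
source_profile() {
    awk '
        NF { count[$1]++; total++ }
        END {
            if (!total) { print "0 0 - 0"; exit }
            for (s in count) {
                distinct++
                if (count[s] > max) { max = count[s]; top = s }
            }
            printf "%d %d %s %d\n", distinct, total, top, int(100 * max / total)
        }'
}

# Apply the rule of thumb from the post to the same input:
#   few apparent sources   -> this server is probably reflecting at them
#   very many sources      -> this server is probably the victim
# The thresholds are assumptions, not values from the post.
likely_role() {
    set -- $(source_profile)
    if   [ "$2" -lt 100 ]; then echo "too-little-data"
    elif [ "$1" -le 10 ];  then echo "reflector"
    elif [ "$1" -ge 100 ]; then echo "victim"
    else                        echo "unclear"
    fi
}

# Constructed dig reply headers (not captured from a real server).
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'

# --check SERVER NAME : run from a host outside your own network, asking
#                       your own server for a name it is not authoritative for
# --profile           : feed source addresses on stdin
case "${1:-}" in
    --check)   dig "@$2" "$3" A | recursion_state ;;
    --profile) likely_role ;;
esac
```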



Re: archive.debian.org returning 403 Forbidden

2017-02-11 Thread Andy Smith
Hello,

On Sat, Feb 11, 2017 at 11:23:00PM +, GiaThnYgeia wrote:
> Andy Smith:
> > Took a stab at reporting it to ftpmas...@debian.org for now.

[…]

> ohh ... wait it just came back UP again
> http://archive.debian.org/debian/dists/squeeze/main/binary-amd64/
> It is all there now!

ftpmaster redirected me to debian-mirrors, who I emailed just now.
So maybe it was that or maybe it was just coincidence.

Cheers,
Andy



Re: archive.debian.org returning 403 Forbidden

2017-02-11 Thread Andy Smith
On Sat, Feb 11, 2017 at 01:18:31PM +, Andy Smith wrote:
> Is this intentional?
> 
> If not, who should the problem be reported to?

Took a stab at reporting it to ftpmas...@debian.org for now.

Cheers,
Andy



archive.debian.org returning 403 Forbidden

2017-02-11 Thread Andy Smith
Hello,

Some time in the last 24 hours, archive.debian.org started returning
403 Forbidden when used as an APT repository:

$ sudo apt-get update
Ign http://archive.debian.org squeeze Release.gpg
Ign http://archive.debian.org/debian/ squeeze/contrib Translation-en
Ign http://archive.debian.org/debian/ squeeze/contrib Translation-en_GB
Ign http://archive.debian.org/debian/ squeeze/main Translation-en
Ign http://archive.debian.org/debian/ squeeze/main Translation-en_GB
Ign http://archive.debian.org/debian/ squeeze/non-free Translation-en
Ign http://archive.debian.org/debian/ squeeze/non-free Translation-en_GB
Ign http://archive.debian.org squeeze Release
Ign http://archive.debian.org squeeze/main i386 Packages
Ign http://archive.debian.org squeeze/contrib i386 Packages
Ign http://archive.debian.org squeeze/non-free i386 Packages
Err http://archive.debian.org squeeze/main i386 Packages
  403  Forbidden [IP: 2001:630:206:4000:1a1a:0:c13e:ca1c 80]
Err http://archive.debian.org squeeze/contrib i386 Packages
  403  Forbidden [IP: 2001:630:206:4000:1a1a:0:c13e:ca1c 80]
Err http://archive.debian.org squeeze/non-free i386 Packages
  403  Forbidden [IP: 2001:630:206:4000:1a1a:0:c13e:ca1c 80]
W: Failed to fetch http://archive.debian.org/debian/dists/squeeze/main/binary-i386/Packages.gz  403  Forbidden [IP: 2001:630:206:4000:1a1a:0:c13e:ca1c 80]

W: Failed to fetch http://archive.debian.org/debian/dists/squeeze/contrib/binary-i386/Packages.gz  403  Forbidden [IP: 2001:630:206:4000:1a1a:0:c13e:ca1c 80]

W: Failed to fetch http://archive.debian.org/debian/dists/squeeze/non-free/binary-i386/Packages.gz  403  Forbidden [IP: 2001:630:206:4000:1a1a:0:c13e:ca1c 80]

E: Some index files failed to download, they have been ignored, or old ones used instead.


According to:

http://archive.debian.org/README

"The following releases are archived on this site:

Archive  Releases                Directory
Debian   buzz, rex, bo, hamm,
         slink, potato, woody,
         sarge, etch, lenny,
         squeeze                 debian/"

however, I am seeing this with lenny and squeeze¹.

Is this intentional?

If not, who should the problem be reported to?

Cheers,
Andy

¹ Yes, these ancient machines should be upgraded. The people that own
  them refuse to and I don't have authority to carry out that work
  at this time.



Re: logrotate - got compressed log

2017-02-04 Thread Andy Smith
Hi Kamil,

On Sat, Feb 04, 2017 at 10:11:00AM +0100, Kamil Jońca wrote:
> I have logrotate with config (excerpt)
> --8<---cut here---start->8---
> compress

[…]

> And since some days I started to receive *compressed* old syslog files
> :( instead of uncompressed ones. 

If you have the "compress" directive there you should expect to get
compressed logs.

> Nothing has happened in the configuration.
> The only change was logrotate upgrade, from 3.8.7 to 3.11.0
> Can anybody confirm that there is difference between these versions?

I can't. As far as I can see you should expect compressed rotated
files with your config, both in 3.8.7 and 3.11.0.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: how to deploy common ssh_config and sshd_config settings on all hosts?

2017-02-02 Thread Andy Smith
Hi Harald,

On Thu, Feb 02, 2017 at 02:50:09PM +0100, Harald Dunkel wrote:
> On 02/02/17 11:17, Andy Smith wrote:
> > Also through the use of override config files that are included into
> > the main config file, you can avoid being prompted about changes to
> > the main config file. For sshd the config directive is "Include".
> > 
> 
> Are you sure about this?
> 
> root@jessie2:/etc/ssh# /usr/sbin/sshd -d
> /etc/ssh/sshd_config: line 90: Bad configuration option: Include
> /etc/ssh/sshd_config: terminating, 1 bad configuration options

You are right, sorry. It seems "Include" is actually only valid in
ssh_config (not sshd) and then only from the version in testing
currently.

> > This is a classic use case for configuration management. You define
> > your configuration externally, in one authoritative place, and the
> > config management system takes care of applying that config to all
> > your hosts.
> 
> Exactly. The central place in my case is a debian source package. It
> provides binary meta-packages referencing other packages and some
> /etc/service.d/local.conf files, extending the usual /etc/service.conf
> files provided by the service's binary package.

If you are making your own Debian packages with all of your custom
config already in them, then you could just put them in your own apt
repository and point all your machines there. But you must have
already thought of this so there must be some reason why that
solution is not acceptable…

> > Popular examples are Puppet, Ansible and Chef, all of which are
> > well-supported on Debian. To decide which is best for you will
> > require some independent research as this is a big topic area and
> > hard to generalise.
> 
> They are supported on Debian, but are they supported *by* Debian
> as well? Won't I have to expect conflicts with Debian's dpkg
> infrastructure?

Fundamentally they all just result in changes to config files. It is
no different to you making changes to config files personally,
except it is automated.

You could not really say that Debian does not support you changing
config files. What you could say is that if you do change config
files, and the relevant Debian package comes with config file
changes, then dpkg will interactively ask you what to do.

Probably what's going to happen if you DID interactively accept
config file changes is that your config management system will then
revert the config back to what it thinks it should be, losing Debian
changes.

So, if moving to config management what you would normally do is
examine what the new package version wants to change and then
incorporate those changes in your config management instead.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: how to deploy common ssh_config and sshd_config settings on all hosts?

2017-02-02 Thread Andy Smith
Hi Harald,

On Thu, Feb 02, 2017 at 09:40:48AM +0100, Harald Dunkel wrote:
> Problem: Deploying a custom ssh authentication scheme common to
> all Debian hosts in the lan appears to be apita, esp. since the
> next openssh upgrade might put the default config files upside
> down again.

When you do an upgrade, apt is smart enough to notice that you have
edited a config file and will ask you if you want to replace your
changes with the new version of the file from the package. You can
also view the differences, etc.

I am not saying this is a solution to your issue, merely pointing
out that the overwrite would not happen silently, so you can take
some comfort in that.

Also through the use of override config files that are included into
the main config file, you can avoid being prompted about changes to
the main config file. For sshd the config directive is "Include".

> What would you consider best practice to keep your ssh hosts (>300)
> in sync wrt the most important config options?

This is a classic use case for configuration management. You define
your configuration externally, in one authoritative place, and the
config management system takes care of applying that config to all
your hosts.

Popular examples are Puppet, Ansible and Chef, all of which are
well-supported on Debian. To decide which is best for you will
require some independent research as this is a big topic area and
hard to generalise.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
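
The override-file approach and the "keep >300 hosts in sync" problem discussed above, as an added example that is not part of the original message: a simplified model of how sshd settles on a value (first value seen wins, `Include` is expanded in place) plus a drift check against one authoritative baseline. The drop-in path `/etc/ssh/sshd_config.d/`, the file contents and the baseline values are assumptions constructed for illustration.

```python
import fnmatch
import re

# Constructed sample files, keyed by path, standing in for one host's config.
MAIN_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
Match User backup
    PasswordAuthentication yes
"""
SITE_OVERRIDE = """\
# Site policy, deployed by config management (constructed example).
PasswordAuthentication no
PermitRootLogin no
"""
HOST_FILES = {
    "/etc/ssh/sshd_config": MAIN_CONFIG,
    "/etc/ssh/sshd_config.d/10-site.conf": SITE_OVERRIDE,
}

# The single authoritative definition every host is compared against.
BASELINE = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "X11Forwarding": "no",
}


def _directives(text):
    """Yield (lowercased keyword, value) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or '='.
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def effective_global_settings(path, files, _seen=None, _out=None):
    """Return the global (outside any Match block) settings sshd would use.

    Simplifications: single-valued keywords only, absolute Include paths,
    and fnmatch instead of glob(3) for pattern expansion.
    """
    seen = set() if _seen is None else _seen
    out = {} if _out is None else _out
    if path in seen:          # guard against Include loops
        return out
    seen.add(path)
    for keyword, value in _directives(files[path]):
        if keyword == "match":
            break             # the rest of this file is conditional
        if keyword == "include":
            for pattern in value.split():
                matches = sorted(p for p in files
                                 if fnmatch.fnmatchcase(p, pattern))
                for included in matches:
                    effective_global_settings(included, files, seen, out)
            continue
        out.setdefault(keyword, value)   # first value seen wins
    return out


def drift(effective, baseline):
    """Map each baseline keyword that differs to (expected, actual)."""
    findings = {}
    for keyword, expected in baseline.items():
        actual = effective.get(keyword.lower())
        if actual is None or actual.lower() != expected.lower():
            findings[keyword] = (expected, actual)
    return findings


if __name__ == "__main__":
    settings = effective_global_settings("/etc/ssh/sshd_config", HOST_FILES)
    for keyword, (expected, actual) in drift(settings, BASELINE).items():
        print(f"{keyword}: expected {expected!r}, found {actual!r}")
```

A keyword reported with `None` is unset in the files, so the daemon's built-in default applies on that host.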



Re: "No space left on device" error, but df shows plenty of space

2017-02-02 Thread Andy Smith
Hi Kynn,

On Wed, Feb 01, 2017 at 10:43:37AM -0500, Kynn Jones wrote:
> On Wed, Feb 1, 2017 at 7:24 AM, Andy Smith <a...@strugglers.net> wrote:
> > On Tue, Jan 31, 2017 at 06:42:39PM -0500, Kynn Jones wrote:
> > > Unfortunately, I'll never know what the problem was.
> >
> > Do you use btrfs?
> 
> Not that I'm aware of.  (FWIW, if I run `mount | grep -i btrfs` (as root),
> I get no output.)

Okay, so not a btrfs issue.

> > What does "df -i" report now, after your reboot when things are
> > working?
> 
> # df -i
> Filesystem   Inodes   IUsed    IFree IUse% Mounted on
> /dev/sda5  24264704 1464023 22800681    7% /

…and that doesn't show as being anywhere near full, so it most
likely wasn't that either.

Well I suppose it could have been processes holding open deleted
files, though it would have to have been some really big files in
that case, as your filesystem didn't show as being anywhere near
full.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: What file system to use?

2017-02-01 Thread Andy Smith
Hi Dennis,

On Wed, Feb 01, 2017 at 02:23:13AM -0600, Dennis Wicks wrote:
> I have several ext? and a few with Reiserfs. Is there a better choice
> than Reiser now?

What are your requirements or typical usage?

> Also, is there any way to convert from my existing
> fs to the recommended one?

I do not think there are any reiserfs conversion programs to anything
else, but the different versions of ext can all be converted to
ext4.

Other than that you're probably going to have to copy it across.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: "No space left on device" error, but df shows plenty of space

2017-02-01 Thread Andy Smith
Hi Kynn,

On Tue, Jan 31, 2017 at 06:42:39PM -0500, Kynn Jones wrote:
> After the machine rebooted, I was able to run `dpkg-reconfigure ntp`
> without error.
> 
> Unfortunately, I'll never know what the problem was.

Do you use btrfs?

What does "df -i" report now, after your reboot when things are
working?

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: "No space left on device" error, but df shows plenty of space

2017-01-31 Thread Andy Smith
Hi Kynn,

On Tue, Jan 31, 2017 at 08:01:00AM -0500, Kynn Jones wrote:
> Filesystem 1K-blocks  Used Available Use% Mounted on
> /dev/sda5  381993164 206410036 156155956  57% /

[…]

> # dpkg-reconfigure ntp
> Error: No space left on device
> 
> How can I troubleshoot this problem further?

Does /dev/sda5 have a btrfs filesystem on it? Type "mount" and look
for the "type" part. If so, these problems are common with btrfs;
see btrfs wiki and/or linux-btrfs mailing list:


https://btrfs.wiki.kernel.org/index.php/FAQ#Help.21_Btrfs_claims_I.27m_out_of_space.2C_but_it_looks_like_I_should_have_lots_left.21

If not, could be things like deleted files that are still open (see
"lsof" output, look for "(deleted)"). Or maybe ran out of inodes. See
"df -i" output to check that.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: chgrp with user

2016-12-23 Thread Andy Smith
Hi Xen,

On Thu, Dec 22, 2016 at 06:24:59PM +0100, Xen wrote:
> I am trying to get a webserver to run under my regular user, or at
> least to have the website's files under control of my regular user,
> but the webserver runs as www-data.

You've been shown how to put yourself in the www-data group so that
you can make the files group-writable and still edit them with your
normal user.

Other solutions include:

- Run a separate web server on a high port, so that it can listen on
  this port without needing special privileges. Proxy to this server
  from your main web server that listens on port 80. In this way the
  main web server does not need PHP and touches no files, it just
  listens on port 80 and proxies connections. The other web server
  runs as an unprivileged user and reads the files.

- If using apache, you can make each vhost run as a different
  unprivileged user with a different MPM such as apache2-mpm-itk.
  Other web servers may have similar features.

- You could run PHP under FastCGI which would let you potentially
  run each site's FastCGI server as a different user. Although this
  would mean that every page would have to come through FastCGI
  with no opportunity for simple static file serving.

  Here's an example of php-fpm under nginx on jessie:

  
https://www.howtoforge.com/tutorial/installing-nginx-with-php-fpm-and-mariadb-lemp-on-debian-jessie/

  That example doesn't show how to have different users. This one
  does; it is for Ubuntu but you can pretty easily get the idea:

  
https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Advantages of Debian "backports" over "testing"?

2016-12-08 Thread Andy Smith
Hi Martin,

On Thu, Dec 08, 2016 at 01:06:55PM +0200, Martin T wrote:
> is it a good practice to prefer latest versions from
> backports(jessie-backports) by default while using stable(jessie)
> distribution?

[…]

> Or is it a better practice to cherry-pick packages from "jessie-backports"?

Personally I only ever cherry-pick from backports because there is
normally a specific package I want, and I don't want the behaviour
of the entire rest of my system to potentially change.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: ssh doesn't work.

2016-12-05 Thread Andy Smith
Hi,

On Tue, Dec 06, 2016 at 01:33:07PM +0900, EenyMeenyMinyMoa wrote:
> But when I execute either of these commands
> $ ssh -p  testac@192.168.0.5
> $ ssh -p  -l testac -i ~/.ssh/id_rsa_test 192.168.0.5
> , the terminal doesn't respond for minutes and finally gives this message.
> ssh: connect to host 192.168.0.5 port : Connection timed out

The settings you've shown seem correct but the above output implies
a lack of connectivity. Have you checked there is no firewall
preventing port  TCP communication?

To list rules:

# iptables -nL 

If that comes up empty, some basic connectivity checks (ping
192.168.0.5 from client) may be useful.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

"I'd be happy to buy all variations of sex to ensure I got what I wanted."
 — Gary Coates (talking about cabling)



Re: mdadm - two questions

2016-11-29 Thread Andy Smith
Hi Kamil,

On Tue, Nov 29, 2016 at 01:26:55AM +0100, Kamil Jońca wrote:
> My first plan was somehow migrate to RAID10. I thought that is simply
> "raid0 over some raid1 arrays" so it should be legal to use 2*1TB +
> 2*1GB devices and then extend 2*1G => 2*1TB. But it does not work that
> way. All devices in linux mdadm raid10 array must be the same, or I'm
> missing something.

In <87d1hnff79.fsf@alfa.kjonca> you said you were hoping to go from
2*1TB to 4*1TB. What's the "2*1TB + 2*1GB" you mention now?

Yes all your devices will need to be the same size. You've already
been advised of a way to go from RAID-1 to RAID-10¹, so if you
really do have a total of four 1TB drives I can't see why you can't
do that.

Your proposed solution…

> So simplest way in my case is to make second device and assign it as PV
> to VG.

…has the advantage of simplicity, and perhaps that you do not need
to reboot² (assuming hot swap insertion of new drives). But really,
if you have four identical drives that you intend to use for the
same purpose it would really be neater and perhaps more performant
to have them all in one RAID-10, wouldn't it? Data will get striped
across four devices instead of two.

If you really do need to make a separate md array and add it to your
VG, you may want to use RAID-10 on it anyway (md RAID-10 works fine
with less than four devices). It is a little bit faster than RAID-1.

The other thing you could try, if forced to use two PVs, is configure
your LVM to stripe extents across both PVs instead of just
allocating them linearly from one PV or another. That would get you
back a bit of the performance.

Cheers,
Andy

¹ Namely:

  0. Have backups in case one of the new drives encounters an error
     during step (6) below.

  1. Make a four device RAID-10 with two missing devices

  2. Copy your data from your existing RAID-1 to the new (degraded)
     RAID-10

  4. Adjust config to make new RAID-10 the real thing that's used

  5. Reboot to test it all

  6. Take a deep breath and consider that after what you're about to
     do, any kind of error on the two devices running your RAID-10
     will result in you needing to go to your backups from step
     (0).

     Kill your RAID-1 and add its devices to your RAID-10, so
     it's not degraded any more.

  7. Breathe out in relief as your data is now on a redundant array
     again.

² You don't need to reboot to go from RAID-1 to RAID-10 as already
  discussed, either, but I think I'd be a bit nervous of the machine
  not booting correctly after I had switched everything over to
  using the new (temporarily degraded) RAID-10, and so I'd want to
  test the full boot process before consigning my working RAID-1 to
  oblivion.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Is preseed.cfg flexible enough?

2016-11-26 Thread Andy Smith
Hi Richard,

On Sat, Nov 26, 2016 at 06:56:23AM -0600, Richard Owlett wrote:
> Can preseed.cfg handle those and similar in an D.E. agnostic manner?

If you can't find a feature or setting built in to d-i's preseed,
then you can always preseed a program or shell script and run it at
the end of the install:

d-i preseed/late_command string /path/to/some/script.sh

So yes ultimately preseed can do anything, with a greater or lesser
degree of effort.

It seems like you have already worked out the commands to type to
fix your issues manually, so you are half way there.

If the problem is how to achieve it globally, regardless of desktop
environment, then I would suggest the question isn't really about
preseed. The first step would be to work out how to do it manually,
and then put it in preseed.cfg.

I'm afraid I don't know how to solve your issues globally without
regard to desktop environment.

Cheers,
Andy



Re: trouble setting up raid1

2016-11-15 Thread Andy Smith
Hi Bill,

On Sat, Nov 12, 2016 at 10:56:11AM -0800, Bill wrote:
> I'd guess that it's highly unlikely that there's a maximum number of
> Raid partitions, although I could live with it, but why is Partman
> rejecting my overtures?

Can you try switching to the virtual console and setting up the RAID
manually using mdadm commands as you would do on a running server?
If that works then a bug against the installer would probably be
appropriate.

> And BTW is there any way to unlock or back out of a raid setup during
> configuration just in case I need to change something. How can I
> delete a raid device and start over if I have to? fdisk?

I have had partman become massively confused by previous contents of
disks before. I've used wipefs to get rid of signatures so partman
would be happy.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: set domain name in Debian `

2016-11-12 Thread Andy Smith
Hi,

On Sat, Nov 12, 2016 at 02:00:11AM -0700, Glenn English wrote:
> (Resend. Accidentally sent to a human instead of to the list...)

I responded off-list to Glenn since that one arrived first and I
wasn't sure if Glenn intended the contents of their /etc/hosts to be
private. Later I saw this copy on-list.

> > On Nov 11, 2016, at 11:45 PM, Andy Smith <a...@strugglers.net> wrote:
> > 
> > Okay. So I think we should focus on why "hostname -f" returns the
> > wrong/outdated info. I'm not sure yet.
> > 
> > Out of interest what does "hostname -d" return?
> 
> slsware.dmz

The system thinks Glenn's domain name is "slsware.dmz". Glenn wants it
to be "slsware.org" (I think).

> cat /etc/hostname: srv

Glenn has set the host name to be "srv".

I am 95% confident that the reason that Glenn's system thinks the
FQDN is "www.slsware.dmz" is because the first instance of "srv" in
the /etc/hosts is:

> > 192.168.2.203   www.slsware.dmz wsd srv

"hostname" returns what is in /etc/hostname (unless changed after
system startup).

"hostname -f" returns the part up to the first dot from whatever is
returned by resolving "hostname" against /etc/hosts.

"hostname -d" returns the part after the first dot from whatever is
returned by resolving "hostname" against /etc/hosts.

I think that if Glenn placed a line higher up that read:

192.168.2.203   srv.slsware.org srv

then the desired result would be achieved.

I would also add that this is a fairly large hosts file which is
ripe for causing confusion. I would generally recommend keeping
hosts files small, containing only enough information as needed for
bootstrapping, and using DNS for everything else. The rest of the
systems on the Internet (and maybe intranet) will be using DNS, and
it is desirable for there to be one source of truth.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
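
Why the position of the "srv" line in /etc/hosts matters, as an added example that is not part of the original message: a simplified model that assumes only /etc/hosts is consulted and that the first line mentioning the name supplies the canonical name. The 192.168.2.203 lines come from the thread; the localhost and mail lines are constructed.

```python
# Hosts file as described in the thread, padded with constructed lines.
HOSTS_BEFORE = """\
127.0.0.1       localhost
192.168.2.203   www.slsware.dmz wsd srv
192.168.2.204   mail.slsware.dmz mail     # constructed line
"""

# The same file with the suggested line placed higher up.
HOSTS_AFTER = """\
127.0.0.1       localhost
192.168.2.203   srv.slsware.org srv
192.168.2.203   www.slsware.dmz wsd srv
192.168.2.204   mail.slsware.dmz mail     # constructed line
"""


def parse_hosts(text):
    """Return [(address, [canonical, alias, ...]), ...] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        address, *names = line.split()
        if names:
            entries.append((address, names))
    return entries


def canonical_name(hosts_text, hostname):
    """First field of the first line that lists hostname as any name."""
    wanted = hostname.lower()
    for _address, names in parse_hosts(hosts_text):
        if wanted in (name.lower() for name in names):
            return names[0]
    return None


def fqdn_and_domain(hosts_text, hostname):
    """Model the canonical name and the domain derived from it."""
    canon = canonical_name(hosts_text, hostname)
    if canon is None:
        return None, None
    _host, dot, domain = canon.partition(".")
    return canon, (domain if dot else None)


def shadowed_names(hosts_text):
    """Names listed under more than one canonical name.

    Only the first canonical name is ever returned for such a name, so
    every later line is silently ignored for it: the confusion a large
    hosts file invites.
    """
    seen = {}
    for _address, names in parse_hosts(hosts_text):
        for name in names:
            canon_list = seen.setdefault(name.lower(), [])
            if names[0] not in canon_list:
                canon_list.append(names[0])
    return {name: canons for name, canons in seen.items() if len(canons) > 1}


if __name__ == "__main__":
    for label, text in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        print(label, fqdn_and_domain(text, "srv"), shadowed_names(text))
```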



Re: set domain name in Debian `

2016-11-11 Thread Andy Smith
Hi Glenn,

On Fri, Nov 11, 2016 at 11:13:02PM -0700, Glenn English wrote:
> > On Nov 11, 2016, at 9:58 PM, Andy Smith <a...@strugglers.net> wrote:
> > After you have done that, what command are you using which shows you
> > the old/incorrect values?
> 
> Mostly hostname - f. That's what I've used in a number of shell
> scripts, and it's always worked (on systems who've been labeled by
> the installer).

Okay. So I think we should focus on why "hostname -f" returns the
wrong/outdated info. I'm not sure yet.

Out of interest what does "hostname -d" return? Should be just the
domain name part, so I expect it to say the wrong thing here. And
what is the contents of /etc/hostname and /etc/hosts?

I'm assuming you have actually rebooted at least once after changing
/etc/hostname and /etc/hosts, yes?

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: set domain name in Debian `

2016-11-11 Thread Andy Smith
Hi Glenn,

On Fri, Nov 11, 2016 at 01:27:28PM -0700, Glenn English wrote:
> I have to change the domain name of a Jessie server I'm working on. How do 
> you do it? (Aside from putting the FQDN in /etc/hostname, which kinda works.)

I normally put the short name in /etc/hostname and then the:

 

in /etc/hosts. That works for me both for setting initial host name
and FQDN, and for changing it later.

After you have done that, what command are you using which shows you
the old/incorrect values?

Note that the domain part comes from name resolution, so will
involve /etc/hosts and potentially DNS or other name services you
have configured in /etc/nsswitch.conf.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: wheezy, cannot change the address of eth1

2016-11-11 Thread Andy Smith
Hello,

On Fri, Nov 11, 2016 at 09:13:26PM +0000, Darac Marjal wrote:
> To cut a long story short, you can't add a default route if you already
> have one (well, technically you can, but you'd need to provide more
> information). You probably have a default route sending traffic over eth0.

Yes, I concur. He needs to remove the "gateway" line from his eth1
stanza as he does not need another default route going out of that
interface.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: dd - proper use or more suitable program

2016-11-11 Thread Andy Smith
Hi Richard,

On Fri, Nov 11, 2016 at 03:31:21PM -0600, Richard Owlett wrote:
> How big might the logfile be when trying to recover a known flaky 300
> GB drive. I've lots of space? Some convenient, some not.

TL;DR: this depends on how many bad sectors you expect to find. If
the number is likely to be low then the map file should be a matter
of kilobytes in size.

I've never looked into this before as it's never been an issue for
me, but looking at:


https://www.gnu.org/software/ddrescue/manual/ddrescue_manual.html#Mapfile-structure

The header of the map file looks like:

 # Mapfile. Created by GNU ddrescue version 1.21
 # Command line: ddrescue -d -c18 /dev/fd0 fdimage mapfile
 # Start time:   2015-07-21 09:37:44
 # Current time: 2015-07-21 09:38:19
 # Copying non-tried blocks... Pass 1 (forwards)
 # current_pos  current_status
 0x0012 ?
 #  possize  status

…which is 304 bytes.

After that there is one line for each range of blocks depending on
their status (finished, not tried yet, failed etc).

I am thinking that the absolute worst case in terms of maximal
number of lines in this file would be if every other sector were
failed, so you'd have an alternating sequence of:

0x  0x0001  +
0x0001  0x0001  -
0x0002  0x0001  +
0x0003  0x0001  -

for the entire device. That's 52 bytes for every two blocks.

The default block size is 512 bytes in ddrescue, so two blocks
covers 1024 bytes of your device.

If your device is 300 gigabytes in size—and I'll assume that is SI
power of ten giga- (not binary power of two gibi-) as is common with
drive manufacturers, so 300,000,000,000 bytes—then that's
300,000,000,000 / 1,024 = 292,968,750. That times 54 bytes is
15,820,312,500 bytes. Or 14.73GiB. Plus a ~304 byte header.

As far as I can see that is the absolute worst case and for a more
realistic scenario of a device with only a couple of bad sectors
you'd be looking at mere kilobytes of map file size.

For example, if merely 1% of the sectors were bad (and I would
suggest that even that would represent a catastrophically damaged
device that you will find very difficult to extract any sense out
of) then you'd still only be looking at a map file with 5,859,375
bad blocks in it (5,859,375 bad sectors out of 585,937,500 total
512-byte sectors in a 300,000,000,000 byte device). This would
require 5,859,376 different ranges in the map file, with each range
being 27 bytes, so 27 * 5,859,376 = 158,203,152 bytes = 150.9MiB.

I doubt you will see 5.9 million bad sectors on your 300G drive!

Basically whenever my destination has had noticeably more space than
the source device I haven't spared a thought to this so have never
worked it out before. I think the above is correct but look forward
to a correction from anyone who knows better.

Also do note that should you run out of space when writing the map
file, you still have the map file that has been written to date, so
you can extricate yourself from the situation and rerun ddrescue,
safe in the knowledge that it will pick up from where it got to.

If you are expecting serious numbers of bad sectors then your most
precious resource may actually be time. ddrescue tries REALLY HARD
to read a bad sector with each try potentially taking 2 or more
minutes. So on the hypothetical "1% broken" drive with 5.9 million
bad sectors, a single pass could take upwards of 10 million minutes
(19 years). And sometimes multiple passes are required to read a bad
sector.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
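
A parser for the mapfile layout described above (comment header, one status line, then one "pos size status" line per range), as an added example that is not part of the original message. The sample mapfile is constructed; the 27-byte line and 304-byte header figures are the ones used in the message, and the status characters are those documented in the ddrescue manual.

```python
STATUS_NAMES = {
    "?": "non-tried",
    "*": "non-trimmed",
    "/": "non-scraped",
    "-": "bad-sector",
    "+": "finished",
}

# Constructed sample describing a 1,474,560-byte device.
SAMPLE_MAPFILE = """\
# Mapfile. Created by GNU ddrescue (constructed sample)
# current_pos  current_status
0x00120000     ?
#      pos        size  status
0x00000000  0x00117000  +
0x00117000  0x00000200  -
0x00117200  0x00001000  /
0x00118200  0x00007E00  *
0x00120000  0x00048000  ?
"""


def parse_mapfile(text):
    """Return ((current_pos, current_status), [(pos, size, status), ...]).

    Raises ValueError on malformed lines or on ranges that are not
    contiguous, which would mean a truncated or hand-edited mapfile.
    """
    current = None
    blocks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if current is None:
            # First data line: current_pos current_status [current_pass]
            if len(fields) < 2:
                raise ValueError(f"line {lineno}: malformed status line")
            current = (int(fields[0], 0), fields[1])
            continue
        if len(fields) != 3 or fields[2] not in STATUS_NAMES:
            raise ValueError(f"line {lineno}: malformed block line {raw!r}")
        pos, size = int(fields[0], 0), int(fields[1], 0)
        if blocks and pos != blocks[-1][0] + blocks[-1][1]:
            raise ValueError(f"line {lineno}: gap or overlap at {pos:#x}")
        blocks.append((pos, size, fields[2]))
    if current is None:
        raise ValueError("no status line found")
    return current, blocks


def summarise(blocks):
    """Total bytes per status name."""
    totals = {name: 0 for name in STATUS_NAMES.values()}
    for _pos, size, status in blocks:
        totals[STATUS_NAMES[status]] += size
    return totals


def bad_ranges_in_sectors(blocks, sector_bytes=512):
    """(first_sector, sector_count) for every range marked bad ('-')."""
    return [(pos // sector_bytes, -(-size // sector_bytes))
            for pos, size, status in blocks if status == "-"]


def worst_case_mapfile_bytes(device_bytes, sector_bytes=512,
                             line_bytes=27, header_bytes=304):
    """Upper bound: every sector ends up as its own range line."""
    return header_bytes + (device_bytes // sector_bytes) * line_bytes


if __name__ == "__main__":
    current, blocks = parse_mapfile(SAMPLE_MAPFILE)
    print("current position:", hex(current[0]), "status:", current[1])
    for name, size in summarise(blocks).items():
        print(f"{name:12} {size:>10} bytes")
    print("bad ranges (sector, count):", bad_ranges_in_sectors(blocks))
    print("worst case for 300 GB:",
          worst_case_mapfile_bytes(300_000_000_000), "bytes")
```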



Re: dd - proper use or more suitable program

2016-11-11 Thread Andy Smith
Hi Richard,

On Fri, Nov 11, 2016 at 10:49:37AM -0600, Richard Owlett wrote:
> I was considering using dd to copy the entire drive to a *SINGLE*
> partition of a 1 TB drive with the intention making a "byte perfect"
> of of the defective drive to a new 300 GB drive at a later time to
> then attempt "data rescue". Partitions other than the first are
> evidently readable.
> 
> Suggestions/comments please.

You are better off using GNU ddrescue for taking images of
possibly-failing devices.

Amongst other issues, dd will either give up or produce zeroes when
it encounters problems whereas ddrescue will keep track of where it
was unable to read and keep trying.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: What is the correct way to configure networking card on a Debian 8.6 Jessie server?

2016-10-14 Thread Andy Smith
Hi Ronnie,

On Fri, Oct 14, 2016 at 05:24:14PM +0100, Ronnie Jorgensen wrote:
> Just installed Debian 8.6 with Cinnamon desktop i am seem to have
> some network config problems. I also had the same on another server
> without a desktop environment.

Either using /etc/network/interfaces or NetworkManager are equally
valid, have their trade-offs and different people prefer different
things. So you need to decide which you're going to use.

You mentioned in the subject line that this is a server. Currently
on a server personally I would not have any GUI installed, there
would be no NetworkManager and I would be using
/etc/network/interfaces. But you do have a GUI installed obviously,
so perhaps you have different goals and priorities.

> first of all the /etc/network/interfaces does not seem to show eth0
> by default? although network works fine. i can nslookup google.com
> and ping google.com etc.

If NetworkManager is installed then it will work even with an empty
/etc/network/interfaces. In fact specifying interfaces in
/etc/network/interfaces should stop NetworkManager from controlling
them.

> So then i configured /etc/network/interface but now the network
> manager (GUI) still says wired network is DHCP managed?

Please show us the entire content of your /etc/network/interfaces.

Have you rebooted the server or restarted NetworkManager since you
made those changes?

If /etc/NetworkManager/NetworkManager.conf exists, please show us
the entire content of that, too.

> Also do i edit /etc/resolv.conf to set name servers or what? I tried
> but now my dns lookup no longer function.

Please show us your /etc/resolv.conf.

> Hoping someone can point me in the direction of some material i can read.

First decide if you would like your networking to be managed by
NetworkManager or /etc/network/interfaces, or if you'd like both to
work then which interfaces should be managed by what.

You may find the following links helpful:

https://wiki.debian.org/NetworkManager
https://wiki.debian.org/NetworkConfiguration

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Linux source address selection (Was Re: url redirected in chrome/chromium, but working fine, according to ping/traceroute, lynx, w3m, iceweasel.)

2016-10-11 Thread Andy Smith
Hi rhkramer,

On Sun, Oct 09, 2016 at 04:23:45PM -0400, rhkra...@gmail.com wrote:
> I'm not the OP, and I'm sort of piggybacking and going somewhat (or a lot?) 
> OT,

In that case it would be good to change the subject of the email.
I've done so here.

> but I am curious about how old inet4 (right term?) and the new
> inet6 addresses interact.

As the address family for IPv4 is "inet" (vs "inet6"), you could say
"inet", but then it may not be so obvious that you were intending to
make a distinction between IPv4 and IPv6. So, perhaps "inet4" is not
so bad, or IPv4. Some go as far as to say "legacy". :)

> When I do ifconfig, I see that eth0 has both a 32 bit (e.g., 192.168.1.19) 
> and 
> an inet6 address assigned.

On Linux, it would be best to get used to using the "ip" command
rather than "ifconfig". Issuing an "ip address" command will get you
all the configured addresses of the various families.

> Can anybody point me to a fairly short document that explains things like 
> which gets used under what circumstances

If we restrict the domain of this question to source address
selection then reading around from this point may help:

http://linux-ip.net/html/routing-saddr-selection.html

> does one have precedence over the other,

Clearly if there is just one inet address and one inet6 address,
then which will be chosen depends on which family the destination
address comes from. i.e., if the destination is an inet6 address
then the source address will have to be an inet6 address as well,
otherwise no communication will be possible¹.

If the destination address has been directly specified then that's
simple enough to predict.

Usually though, we are just dealing with host names that we wish to
communicate with. A host name is going to be presented to the
system's hostname resolution system, which may return a result from
/etc/hosts or some other database. More usually though it's going to
go out to DNS.

The DNS may contain both A (IPv4) and AAAA (IPv6) addresses with no
regard as to whether the client actually has a source address of the
matching family. That is, if you had a host with only inet6
addresses and you did a DNS query, you would still receive A records
as answers. If amongst the answers there were no AAAA records then
you'd have no way to communicate with the destination when the
application tried to do that.

It's the getaddrinfo() function of GNU libc that decides which
destination address to select for use. You can find more details
about that with "man getaddrinfo".

By default, if there are both inet and inet6 family addresses to
choose from, getaddrinfo will choose the inet6 one. So, if your host
has at least one configured global inet6 address then your
applications will tend to try to connect to inet6 destination
addresses, where available.

You can configure getaddrinfo's address selection in /etc/gai.conf.
A very common desire is to prefer inet addresses over inet6 ones,
and so on Debian the configuration required to do that is shown in
/etc/gai.conf commented out.

An application can be told to use a specific source address, but it
is more common for applications to be allowed to use any address. In
that case for inet it will generally be a reasonably simple case of
using the routing table to determine which source address is
"closest" to the destination.

For example, suppose you have an interface that has the addresses
192.168.1.1/24 and 192.168.1.175/25 on it. When attempting to
communicate with 192.168.1.180 the routing table will show that this
is in the same network as 192.168.1.175/25 and that that is the most
specific address.

When it comes to inet6 it can get a bit more complicated, especially
as it is much more common to have several inet6 addresses, and
you've got whole new concepts like privacy addresses and deprecated
addresses. But, it's all covered by RFC 6724, and this may help as a
summary:

http://biplane.com.au/blog/?p=22

> do they both use DNS,

As hopefully made clear by the above, it is not the addresses on
your system which "use DNS". It's more like your system uses DNS,
and the DNS may contain both inet and inet6 addresses, thus your
system decides which to communicate with based on which families of
address you have.

> and similar things which might let me make sense of the situation?

Hopefully that helped. It's quite a large topic, so some reading
will be required in many places to fully understand it.

Cheers,
Andy

¹ This ignores the various translation mechanisms that may be in place
  to allow IPv4 networks and IPv6 networks to inter-operate. These
  can involve various kinds of NAT and DNS rewriting. Look into
  things like "NAT64" and "DNS64" for more information about these.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: A minimalist network

2016-08-20 Thread Andy Smith
Hi Richard,

On Fri, Aug 19, 2016 at 07:41:56AM -0500, Richard Owlett wrote:
> As I had said in last paragraph of
> https://lists.debian.org/debian-user/2016/08/msg00609.html :
> "Why would I be interested in ssh as both machines are sitting on my
> desk and _neither_ will be connected to the internet when ethernet
> connection is live?"

If you ever have a need to administer the Linux machine while not being
in front of it then you will probably find this easiest over ssh.
Yes, you could argue that you do not need the encryption features of
ssh since the data only goes over this short cable inside your home,
but really, ssh is so ubiquitous that it's probably not worth using
any different solution.

If remote (and remote may include things like, over wifi from
another room in your house) administration is never going to be
something you do, as you'll be doing all work from the physical
keyboard of the machine, then maybe ssh is something you don't need
to run. Running ssh also allows file transfer with scp or sftp.

From what I can tell you haven't actually got IP connectivity going
yet though, so perhaps talk of ssh is premature. Perhaps get
networking working before you consider which networking applications
you're going to install.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting

"The electric guitar - like making love - is much improved by a little
 feedback, completely ruined by too much." — The League Against Tedium



Re: A minimalist network

2016-08-18 Thread Andy Smith
Hi Richard,

On Wed, Aug 17, 2016 at 05:27:13PM -0500, Richard Owlett wrote:
> The WinXP machine no longer reported a disconnected cable.
> The Jessie Mate machine now reported it was attempting to establish a
> connection.
> 
> IOW both machines recognized a PHYSICAL connection.
> *NOTHING MORE*

From what I can gather of the thread, both of your machines have
gigabit interfaces. That's good as it means the Auto-MDIX feature is
virtually guaranteed to be supported¹. So, you need not worry whether
your cable is crossover or not.

All you need to do now is statically configure both machines to be
in the same IP network. It does not really matter what numbers you
choose as long as they are valid, but convention dictates that you
should use one of the private networks as listed in RFC1918:

https://en.wikipedia.org/wiki/Private_network

As you are only going to have two machines on this network you could
use a /30. In fact given there won't be a default gateway host you could
probably get away with a /31. But there is no need to make life
confusing: you can just use a /24, so your network has use of all of
the last octet of the address, e.g. 192.168.1.*.

So, let's say you did choose 192.168.1.0/24. Just configure one
machine as 192.168.1.1 and the other as 192.168.1.2 with a netmask
on both of 255.255.255.0. If either of them insists on needing a
default gateway you can just put the IP of the other machine there.

Your Debian machine is probably saying that it's "attempting to
establish a connection" because it has detected that you've plugged
in an Ethernet cable that has carrier (has the electrical properties
of a working Ethernet network), and is now trying to automatically
configure that interface with DHCP.

That's most likely going to fail because you don't have a DHCP
server on your "network"—unless you *did* happen to have a DHCP
server running on one of those two machines.

Since this setup is very limited and isn't going to change, I would
just statically configure the network on both machines. Setting up a
DHCP server would be just one more thing to learn.

Once your network is working you can use the same tools that you use
over the internet to transfer files over your local network. So,
things like scp, sftp and so on. If your purpose in direct
connection is to have a secure link that needs no encryption and
you're satisfied that it needs no encryption², then you could get
faster transfers with tools like netcat.

Cheers,
Andy

¹ Auto-MDIX is OPTIONAL in the 1000Base-T standard so it is possible
  that some gigabit NIC would not support it, but I have never seen
  one that doesn't, even really cheap ones.

² A lot of times just because you have a private link between
  machines still wouldn't make it safe to ignore encryption, because
  if the cable goes somewhere where you don't have 24/7 vision then
  it's trivial for someone to attach something that passively sniffs
  it. But, it sounds like this is a setup in the home where that is
  perhaps too paranoid.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



Re: How to blocks clients between them in subnet

2016-08-08 Thread Andy Smith
Hello,

On Mon, Jul 18, 2016 at 01:26:42PM +0100, Darac Marjal wrote:
> (you can't assume that eth0 talks to 192.168.1.0/24 and eth1 talks
> to 192.168.2.0/24, for example). It's not impossible, but needs a
> bit more care.

ebtables could enforce that but I agree it is much more hassle than
physical separation, or a switch with different ports and vlans.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting

> I'd be interested to hear any (even two word) reviews of their sofas…
Provides seating.— Andy Davidson



Re: nosh and redo have moved

2016-08-06 Thread Andy Smith
Hello,

On Fri, Aug 05, 2016 at 07:52:54PM +0200, Andre Majorel wrote:
> In a nutshell, Virgin Media shut http://homepage.ntlworld.com/
> down without warning.

A poster child for the virtues of serving content you care about
under a domain name you control (as much as one can control a domain
name).

Cheers,
Andy



Re: w, who, finger, last, and netstat and ipv6

2016-07-23 Thread Andy Smith
Hi Michael,

On Sun, Jul 24, 2016 at 12:08:34AM +0100, Michael Grant wrote:
> > > % who
> > > mgrant   pts/1        2016-07-18 06:15 (2a00:S.1)
> >
> > I type "who" on Debian jessie and I do get the full IPv6 address:
> >
> > $ who
> > andy     pts/6        2016-07-23 01:42 (2001:ba8:1f1:f019::2)

[…]

> How odd that you are getting completely different results from me.

I've just noticed the :S.1 at the end of your output. That means
you're running from within GNU Screen. I get the same sort of
truncation when doing "who" from within GNU Screen so that probably
answers that.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



Re: w, who, finger, last, and netstat and ipv6

2016-07-22 Thread Andy Smith
On Sat, Jul 23, 2016 at 01:53:07AM +, Andy Smith wrote:
> On Fri, Jul 22, 2016 at 11:57:32PM +0100, Michael Grant wrote:
> > netstat does a little better still but not much:
> > 
> > tcp6   0   2640 2600:3c00:::9:22 2a00:23c4:6d10:4d:36663
> > ESTABLISHED 12345/sshd: mgrant
> 
> "--wide" works for me.
> 
> $ netstat --protocol inet6 --wide
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address            Foreign Address         State
> tcp6       0    164 2001:ba8:1f1:f02c::2:ssh bitfolk.com:60756       ESTABLISHED

Oh, that is showing the local host's own v6 address, not the place I
was coming from. Add "--numeric-hosts" to get that. It isn't
truncated for me as long as I use "--wide".

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



Re: w, who, finger, last, and netstat and ipv6

2016-07-22 Thread Andy Smith
Hi Michael,

On Fri, Jul 22, 2016 at 11:57:32PM +0100, Michael Grant wrote:
> Why is it w, who, and finger truncate an ipv6 address just after the first
> 4 characters of the address (the first :)?

It isn't a great answer but I'm guessing the honest one is that it's
because they come from a time before IPv6 and may not have been
updated in the best way since then.

> % who
> mgrant   pts/1        2016-07-18 06:15 (2a00:S.1)

I type "who" on Debian jessie and I do get the full IPv6 address:

$ who
andy     pts/6        2016-07-23 01:42 (2001:ba8:1f1:f019::2)
$ who --version
who (GNU coreutils) 8.23
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Joseph Arceneaux, David MacKenzie, and Michael Stone.

> % w
>  18:37:31 up 4 days, 12:26,  4 users,  load average: 0.05, 0.07, 0.05
> USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
> mgrant   pts/1    2a00:S.1         Mon06    4days  0.02s  0.02s /bin/bash

Using the PROCPS_FROMLEN as documented in the man page, I can
increase the width of the "FROM" column:

$ PROCPS_FROMLEN=32 w
 01:46:09 up 97 days, 10:48,  6 users,  load average: 0.09, 0.08, 0.06
USER     TTY      FROM                 LOGIN@   IDLE   JCPU   PCPU WHAT
andy     pts/6    2001:ba8:1f1:f019::2 01:42    0.00s  0.16s  0.00s w
$ w --version
w from procps-ng 3.3.9

> %  finger
> Login     Name            Tty      Idle  Login Time   Office     Office Phone
> mgrant    Michael Grant   pts/1      4d  Jul 18 06:15 (2a00:S.1)

I don't have "finger" installed, so will leave investigation of that
one to someone else.

> The 'last' command does a little better, it truncates at 16 characters:
> 
> mgrant   pts/0        2a00:23c4:6d10:4 Fri Jul 22 18:04:00 2016   still logged in

Using the "-a" option to put the hostname/IP at the end does allow
it to be of arbitrary length:

$ last -a
andy     pts/6        Sat Jul 23 01:42   still logged in    2001:ba8:1f1:f019::2

> 
> netstat does a little better still but not much:
> 
> tcp6   0   2640 2600:3c00:::9:22 2a00:23c4:6d10:4d:36663
> ESTABLISHED 12345/sshd: mgrant

"--wide" works for me.

$ netstat --protocol inet6 --wide
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address            Foreign Address         State
tcp6       0    164 2001:ba8:1f1:f02c::2:ssh bitfolk.com:60756       ESTABLISHED

> This seems so basic.  Could all of these programs except tcpdump be broken
> with respect to displaying ipv6 addresses?

It didn't seem that hard to find this info from looking at the
relevant man pages…

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



Re: Hot swapping failed disk /dev/sda in RAID 1 array

2016-07-19 Thread Andy Smith
Hi Urs,

On Tue, Jul 19, 2016 at 04:01:39PM +0200, Urs Thuermann wrote:
> 2. Can I hotplug the new drive and rebuild the RAID array?

It should work, if your SATA port supports hotplug. Plug the new
drive in and see if the new device node appears. If it does then
you're probably good to go.

You can dump out the partition table from an existing drive with
something like:

# sfdisk -d /dev/sdb > sdb.out

And then partition the new drive the same with something like:

# sfdisk /dev/sdc < sdb.out

(assuming sdb is your working existing drive and sdc is the device
node of the new drive)

Then add the new device to the md with something like:

# mdadm /dev/md0 --add /dev/sdc1

(assuming your array is md0; adjust to suit)

At that point /proc/mdstat should show a rebuild taking place.

If you run into difficulty try asking on the linux-raid mailing list
- it's very good for support and it's best to ask there before doing
anything that you have the slightest doubt about!

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
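
An added example, not part of the original message: a shell function that reads /proc/mdstat text and reports, per array, whether it is degraded and how far a rebuild has got, which is the check the last step above relies on. The sample mdstat text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise md array health from /proc/mdstat text on stdin.
# Output is one line per array: NAME STATE PROGRESS
#   STATE    clean | degraded | unknown
#   PROGRESS e.g. recovery=12.6%, or "-" when no rebuild is running

md_status() {
    awk '
        function flush() {
            if (name != "")
                print name, state, (progress == "" ? "-" : progress)
        }
        # Array header line, e.g. "md0 : active raid1 sdc1[2] sdb1[1]"
        /^md[^ ]* : / {
            flush()
            name = $1; state = "unknown"; progress = ""
        }
        # Member map, e.g. "[_U]": an underscore marks a missing member.
        name != "" && match($0, /\[[U_]+\]/) {
            state = index(substr($0, RSTART, RLENGTH), "_") ? "degraded" : "clean"
        }
        # Rebuild line, e.g. "[==>...]  recovery = 12.6% (...) finish=..."
        name != "" && /(recovery|resync|reshape) *=/ {
            for (i = 2; i < NF; i++)
                if ($i == "=") progress = $(i - 1) "=" $(i + 1)
        }
        END { flush() }
    '
}

# Constructed sample: md0 is rebuilding onto a newly added sdc1,
# md1 is healthy. Not taken from a real machine.
sample_mdstat() {
    cat <<'EOF'
Personalities : [raid1]
md0 : active raid1 sdc1[2] sdb1[1]
      976630336 blocks super 1.2 [2/1] [_U]
      [==>..................]  recovery = 12.6% (123456789/976630336) finish=127.5min speed=111000K/sec

md1 : active raid1 sdb2[1] sda2[0]
      1047552 blocks super 1.2 [2/2] [UU]

unused devices: <none>
EOF
}

# Demonstration on the constructed sample.
sample_mdstat | md_status
```

On a live system, run it as `md_status < /proc/mdstat`; an array that still shows "degraded -" after the add has not started rebuilding.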



Re: How to blocks clients between them in subnet

2016-07-18 Thread Andy Smith
Hi Pol,

On Mon, Jul 18, 2016 at 02:18:03PM +0200, Pol Hallen wrote:
> I've a network 192.168.2.0/24 connected by routing to 192.168.1.0/24
> 
> I'd like blocks clients on 192.168.2.0/24 between then in same network.
> 
> So, client1 can go to 192.168.1.0/24 but can't see other clients in
> 192.168.2.0/24. And so for all clients.

I'm having difficulty visualising what you're asking. Depending on
what the IP address of client1 is it could be a very different
question. You say "client1 […] can't see other clients in
192.168.2.0/24" so I will have to assume that client1 is also in
192.168.2.0/24. But then it isn't clear why you mention the other
192.168.1.0/24 network at all.

Anyway, if your problem is that you have multiple hosts in the
same layer 3 network (192.168.1.0/24) but you don't want them to
talk to each other: Presumably they are all connected to the same
switch(es), which may have layer 3 firewalling capabilities, but
these will be of no use since they won't see the layer 3 traffic
like a router does.

In an ideal world you'd use VLANs and have the different switch
ports in different networks. Note that just putting hosts in
different networks won't be enough; it would stop them talking to
devices outside their network by default, but they could just add a
static route themselves.

Your switch may have layer 2 firewalling capabilities. If your
switch is actually a Linux box then it certainly does have layer 2
firewalling; this is provided by a thing called ebtables.

After you've put all interfaces of your switch in a software bridge
it can be as simple as:

# ebtables -P FORWARD DROP

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
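
An added example, not part of the original message: a shell function that prints the ebtables rules for the isolation described above, covering the case where the router is reached through one port of the bridge rather than being the Linux box itself. The interface names (eth0 as uplink, eth1 and eth2 as client ports) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: generate ebtables rules that stop bridge ports talking
# to each other while still letting each client port reach the uplink.
# Nothing is executed here; the rules are only printed for review.

# Accept only plausible Linux interface names (max 15 characters), so the
# printed commands are safe to pipe into a shell.
valid_ifname() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# isolation_rules UPLINK CLIENT...
isolation_rules() {
    if [ "$#" -lt 2 ]; then
        echo "usage: isolation_rules UPLINK CLIENT..." >&2
        return 2
    fi
    uplink=$1
    shift
    # Validate everything before printing anything.
    for port in "$uplink" "$@"; do
        valid_ifname "$port" || {
            echo "invalid interface name: $port" >&2
            return 1
        }
    done
    for port in "$@"; do
        [ "$port" != "$uplink" ] || {
            echo "$port is listed as both uplink and client" >&2
            return 1
        }
    done
    # Default-deny all frames the bridge would forward between ports.
    # Frames addressed to the bridge host itself use the INPUT chain and
    # are not affected by this policy.
    echo "ebtables -P FORWARD DROP"
    echo "ebtables -F FORWARD"
    # Allow each client port to exchange frames with the uplink only.
    # The rules match every ethertype, so ARP to the router still works,
    # while ARP and IP between two client ports hit the DROP policy.
    for port in "$@"; do
        echo "ebtables -A FORWARD -i $port -o $uplink -j ACCEPT"
        echo "ebtables -A FORWARD -i $uplink -o $port -j ACCEPT"
    done
}

# Demonstration with assumed port names.
isolation_rules eth0 eth1 eth2
```

After reviewing the output, it can be applied as root with `isolation_rules eth0 eth1 eth2 | sh -e`.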



Re: /etc/init.d/networking does not start everything in /etc/network/interfaces

2016-05-17 Thread Andy Smith
Hi Gene,

On Tue, May 17, 2016 at 03:12:45PM -0400, Gene Heskett wrote:
> Configuring interface eth1=eth1 (inet)
> run-parts --verbose /etc/network/if-pre-up.d
> run-parts: executing /etc/network/if-pre-up.d/wireless-tools
> run-parts: executing /etc/network/if-pre-up.d/wpasupplicant
> ip addr add 192.168.1.3/255.255.255.0 broadcast 192.168.1.255   dev 
> eth1 label eth1
> RTNETLINK answers: File exists
> Failed to bring up eth1.
> run-parts --verbose /etc/network/if-up.d
> run-parts: executing /etc/network/if-up.d/avahi-autoipd
> run-parts: executing /etc/network/if-up.d/avahi-daemon
> run-parts: executing /etc/network/if-up.d/clamav-freshclam-ifupdown
> run-parts: executing /etc/network/if-up.d/mountnfs
> run-parts: executing /etc/network/if-up.d/ntpdate
> run-parts: executing /etc/network/if-up.d/openssh-server
> run-parts: executing /etc/network/if-up.d/upstart
> run-parts: executing /etc/network/if-up.d/wpasupplicant
> done.
> 
> It makes no attempt to shut down eth1, so of course it exists.
> 
> Here is the REAL bug.

I think this problem is quite likely to be as a result of the things
you did in the earlier thread, where you were manually setting eth1
up with ifconfig.

It is a known deficiency of ifupdown that it doesn't know the state
of the system unless it made those state changes itself. It did not
do anything to eth1 because you hadn't earlier told it to manage
eth1. So when it came to shut down all interfaces it didn't do
anything with eth1. And then later when it tries to configure it, it
finds it is already configured.

I think that possibly you could return things to a state that
ifupdown can cope with by either rebooting, or by manually removing
the IP address from eth1 and setting it down:

# ip addr del 192.168.1.3/24 dev eth1
# ip link set down dev eth1

Then assuming eth1 is correctly configured in
/etc/network/interfaces (which you have not yet shown us in full, so
we don't know for sure), I would think that ifup -a and ifdown -a
would work as expected.

But, is this not now all academic since the task you needed this
interface for is done?

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting




Re: need to make an eth0:1 net interface

2016-05-17 Thread Andy Smith
Hi Gene,

On Mon, May 16, 2016 at 09:09:15PM -0400, Gene Heskett wrote:
> On Monday 16 May 2016 15:55:33 Brian wrote:
> > On Mon 16 May 2016 at 14:45:12 -0400, Gene Heskett wrote:
> > > Thanks for the interest Andy, but I got it working and its been
> > > re-installed in place of the router that wasn't properly blocking
> > > stuff.

It's always good to know what the problem actually was, and the
solution, neither of which was clear from your initial email.

> > So what was the ":1" about? And did it play any part in your solution?
> > It was, after all, a feature of your original message.
> >
> > Glad you got it working in some unknown way.
> 
> That was an attempt to make use of the eth0 interface by adding the :1 
> that responded to the usual 192.168.1.X block of addresses.

Okay, so I did guess correctly that your problem was in being able
to talk to a device that was on 192.168.1.1 when your own network
does not include that IP address.

> That of course did NOT work.

There's no reason why that way couldn't be made to work, so if
anyone else is trying to do this in that way in future, don't be
discouraged.

> So, I wound up with this in /etc/network/interfaces:
> iface eth0 inet static
> address 192.168.71.3
> netmask 255.255.255.0
> gateway 192.168.71.1
> 
> iface eth1 inet static
> address 192.168.1.3
> netmask 255.255.255.0
> gateway 192.168.1.1

Assuming you do actually have an eth1 (most people don't, and even
one Ethernet device is getting rarer, as more things go to
wifi-only), again there is no reason why this shouldn't work.
Although this doesn't look like a full interfaces file as it is
missing "auto eth0" and "auto eth1".

> But the networking script in /etc/init.d, true to its word, would not 
> bring up eth1 on a restart, so that required an "sudo ifconfig eth1 up", 
> followed by a 'sudo ifconfig -a' which then returned:

ifconfig is deprecated and we should really be using the "ip"
command now, though as you've found ifconfig can still be made to
work.

It appears in your case that restarting networking has done
*something* as your eth1 interface has the address and
netmask you set in the interfaces file, but wasn't actually brought
up. Your subsequent ifconfig commands bring up the interface and
then display all interfaces and we then see it is configured
correctly:

> eth1  Link encap:Ethernet  HWaddr 00:1f:c6:63:07:97  
>   inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
>   UP BROADCAST MULTICAST  MTU:1500  Metric:1
>   RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>   TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
>   collisions:0 txqueuelen:1000 
>   RX bytes:0 (0.0 B)  TX bytes:38903 (37.9 KiB)

So, I think we could have made it work with /etc/network/interfaces
alone.

I suspect that the entire thing could have been achieved with:

# ip address add 192.168.1.3/24 dev eth0

to begin with.

> Everything but ARP is happy.  It doesn't seem to me as if ARP has to 
> query and refresh the whole network every 30 seconds with a new batch of 
> who-has #.#.#.#, tell 192.168.71.1 queries.

Adjusting ARP timers may be too low-level a feature for a consumer
router. You may have to reinstall it with Open-WRT or similar to get
access to those settings. Myself, I'd probably just not worry about
it if everything else is working, as the traffic is minimal. :)

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting




Re: need to make an eth0:1 net interface

2016-05-15 Thread Andy Smith
Hi Gene,

On Sun, May 15, 2016 at 07:38:46PM -0400, Gene Heskett wrote:
> Do we have a utility that makes it easy to add a :1 to an existing eth0 
> interface?

It depends what exactly you are trying to achieve.

If you just want to add an additional IP address to an interface
then you can do that in /etc/network/interfaces:


https://wiki.debian.org/NetworkConfiguration#Multiple_IP_addresses_on_one_Interface

If it's only for temporary use then you can add it to the running
configuration with the "ip" command but perhaps let's not get into
that until it's clear what you're trying to do.

> I need to reconfigure a router from scratch.

It is unclear why this requires you to add an extra IP address to
your local machine. Is this perhaps because you are trying to reach
the new router's admin interface which is on an IP address in a
different network, such as 192.168.1.1? I am only guessing.

> I've manually added it, but I'm pinging myself when I ping it, as in no 
> effect on the ping when the newer router is unplugged. Either cat5 or 
> power.

If pinging a local interface, the packets will not leave your
machine. What outcome were you expecting?

> Or, another possibility is this mobo has 2 ethernet ports, is it possible 
> to setup a totally separate network on eth1?  If so how?

You can configure eth1 in /etc/network/interfaces as a separate
network, with a different range, etc.

> Tutelage needed obviously.

More details first, I think.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting




Re: Jessie unable to install DEB

2016-05-15 Thread Andy Smith
Hi Frank,

On Sun, May 15, 2016 at 10:32:06AM -0400, Frank Pikelner wrote:
> When I try to run "deb" by itself as sudo or as root I get
> 
> " bash: deb: command not found"
> 
> Am I missing something obvious?

At no point in my email, nor in the link I provided, does it tell you
to run a command called "deb", so yes I do think you are missing
something obvious.

Can you explain why you feel you need to run a command called "deb"?

Have you tried following the instructions in the link I provided?

The link again is: http://backports.debian.org/Instructions/

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting




Re: Jessie unable to install DEB

2016-05-15 Thread Andy Smith
Hi Frank,

On Sun, May 15, 2016 at 09:52:37AM -0400, Frank Pikelner wrote:
> I'm trying to install DEB so that I can install backports and get
> letsencrypt going.

At no point on:

http://backports.debian.org/Instructions/

does it mention installing a package called "deb". What
instructions are you referring to that tell you to install a package
called "deb"?

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting




Re: Shell - escapes

2016-05-10 Thread Andy Smith
Hello,

On Tue, May 10, 2016 at 11:18:06AM +0200, Die Optimisten wrote:
> How can I escape a ' inside '...'
> e.g. perl -e 'print '$ and a' '# I don't want to use "

You can't, so if it were me I would use one of perl's alternatives
for single-quoted strings, such as:

perl -e 'print q{$ and a} '

http://perldoc.perl.org/perlop.html#Quote-and-Quote-like-Operators

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting

> The optimum programming team size is 1.
Has Jurassic Park taught us nothing? — pfilandr




Re: ghost partition

2016-05-09 Thread Andy Smith
Hi Haines,

On Mon, May 09, 2016 at 06:43:59AM -0400, Haines Brown wrote:
> I had been inserting a sequence of USB keys to see what was on them, and
> pretty sure the sde1 interface was used at some point. But no keys are
> inserted at present. I also just did a cross installation onto an

[…]

>   $ ls -la /sys/block/sde
>   lrwxrwxrwx 1 root root 0 May  9 05:30 /sys/block/sde ->
>   
> ../devices/pci:00/:00:14.0/usb1/1-3/1-3.3/1-3.3:1.0/host7/target7:0:0/
>  \
> 7:0:0:1/block/sde

So it seems like sde is/was a USB block device.

I had thought that the "sde1" in your ncdu output was some sort of
header representing the / device, but having installed ncdu and run
it myself I am inclined to agree with Juergen that it is actually a
file.

> Juergen suggested deleting /dev/sde1 it after backing it up. That was my
> first inclination, but kinda hard to do if /dev/sde1 is not visible.

In your ncdu output it looked like you ran it while / was your
current directory, and the output it gave was just "sde1", not
"/dev/sde1". So have a look for the file /sde1.

Perhaps you have tried to write an image to a USB key at /dev/sde1
but done a typo and actually written to /sde1, thus creating that
file?

Certainly if I do this:

$ sudo dd if=/dev/zero of=/sde1 bs=1M count=100
$ sudo ncdu -rx /

then I end up with a line of output that looks like what you
provided.

So, are you sure there is not just a regular file at /sde1 (not in
/dev)?

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting




Re: ghost partition

2016-05-08 Thread Andy Smith
Hi Haines,

On Sun, May 08, 2016 at 07:48:16PM -0400, Haines Brown wrote:
> # ncdu -rx /
>   425.5MiB [##]  sde1 
>  $
>   198.3MiB [  ] /lib
>   193.8MiB [  ] /mnt
>   ...

I am not familiar with ncdu but looking at its manual page, -x means
"do not cross filesystem boundaries" so I would expect that it
thinks that /dev/sde1 is your root filesystem.

> $ mount | grep sde
> [nothing]

Note that this could be a false negative because mount's idea of the
device for your root may not match reality, e.g. mount may think of
the device as an LVM volume, label path (/dev/disk/by-label/…) or
UUID path (/dev/disk/by-uuid/…).

> How can I remove what has attached itself to /dev/sde1?

I think we first have to work out what it is. What is the output of
the following commands?

$ cat /proc/mounts
$ ls -la /sys/block/sde
# blockdev --report /dev/sde
# blockdev --report /dev/sde1
$ grep sde1 /var/log/dmesg

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting

Please consider the environment before reading this e-mail.
 — John Levine




Re: TCP/IP over Bluetooth

2016-04-23 Thread Andy Smith
Hi Peter,

On Fri, Apr 22, 2016 at 08:27:38PM -0700, pe...@easthope.ca wrote:
> …TCP/IP inside PPP on a Bluetooth connection is hypothetically
> possible.
> 
> Has anyone tried it with a debian system on one end at least?

Yes; around 4 years ago I used to occasionally pair my Nokia E90 and
use it as a Bluetooth network device. That was with NetworkManager
under GNOME. I seem to recall it was detected without me needing to
configure anything (apart from the pairing), and it mostly worked,
although it was quite slow.

Since then I've switched to an Android phone and find either USB
tether or wifi access point performs better and are more reliable. I
see it still offers Bluetooth tethering but I've never wanted to
use it.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting

> The optimum programming team size is 1.
Has Jurassic Park taught us nothing? — pfilandr



Re: searching for hosts in domain local

2016-04-17 Thread Andy Smith
Hi Dan,

On Sat, Apr 16, 2016 at 11:56:11PM -0700, Dan Hitt wrote:
> On Sat, Apr 16, 2016 at 10:42 PM, Andy Smith <a...@strugglers.net> wrote:
> > What doesn't work about it?
> 
> It has no effect.
> 
> So, if i do
> ping second_host
> i get "unknown host" from ping.

OK. So all the hosts on your local network are getting .local as a
domain name by suggestion of the DHCP server, but do you have a DNS
server anywhere that is serving those names, or are you putting
everything in /etc/hosts?

I have done some tests on my own machines and I find that if I add
"local." to my search line in /etc/resolv.conf it does seem to
generate a DNS query for whatever.local. I do not have a DNS server
that is serving the .local zone though, so it gives me NXDOMAIN. Of
course if I would add google.com to my search list then a query for
say, "mail" would turn into "mail.google.com" and I'd get an answer.

So I wonder how your DNS is set up.

If you are relying on the ISP-supplied router to serve DNS for names
it is giving out by DHCP, well, some would and some wouldn't. You
could check by running DNS diagnostic tools such as "dig" against
the IP address of your router, e.g.:

dig -t a second-host.local @192.168.0.1

where "second-host.local" is what you want to look up, "192.168.0.1"
is the IP address of your router and the "-t a" is asking for
answers of type A: IPv4 address. If that gave an NXDOMAIN answer
then there isn't any configuration mistake on your side, it's just
that your router is not acting as a DNS server for that zone.

(By the way, underscores are not permitted in Internet host names,
so your "first_host" and "second_host" examples are not good, but I
am guessing they were merely examples.)

> Given this, is there any way to change the network's name?

Although .local is reserved for mDNS, I think that unless you
actually use mDNS you should be okay. As I say, I put ".local" in my
search list and then saw DNS queries going out for those names so it
probably doesn't interfere with (normal, unicast) DNS.

> Is there any way to reload the dhclient.conf file without restarting dhclient?

These settings only take effect when you get a new lease or renew an
existing one. So I think the answer is no. Is getting a new lease
problematic? Normally on a DHCP network you don't tend to care if
your IP address changes… (if you do care, you can get the DHCP
server to give you the same one each time, but in your case that'd
be a setting in the router which you don't manage).

> This seems perplexing to me, because i'm not unhappy with any of the
> ips i'm getting, i just want to be able to refer to hosts by shorter names.

The issue is that these are different concepts and different
services here, although they seem related and in your case are being
provided by the same black box. The black box tells you your IP
address and your host name and your domain name, so it seems logical
that it should be able to also serve DNS for that zone, but it is
not always the case.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



Re: searching for hosts in domain local

2016-04-16 Thread Andy Smith
Hi Dan,

On Sat, Apr 16, 2016 at 10:14:29PM -0700, Dan Hitt wrote:
> I would like to drop the '.local' because it's an extra six characters
> with absolutely no value.
> 
> In principle, i think it should be possible to by just adding
>  search local
> to my /etc/resolv.conf, but this absolutely does not work.  (I imagine that
> local is a really magic name in some contexts but not very magic in others.)

You may need to use "local." with a dot at the end.

What doesn't work about it?

".local" TLD is kind of special so you may find problems anyway -
it's used for multicast DNS (Avahi). You may be better off picking a
different domain for your local network.

> Furthermore, /etc/resolv.conf doesn't want to be written, as it
> says it is generated automatically, so even if it worked, it wouldn't
> be such a good solution.

You can override the domain search list that your DHCP server
provides by editing /etc/dhcp/dhclient.conf and putting in either:

supersede domain-name "local.";

or:

prepend domain-name "local.";

or:

append domain-name "local.";

Depending upon whether you want to have *only* your search domains,
your search domains *first*, or your search domains *last*,
respectively.

See man dhclient.conf for more info.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



Re: btrfs: mixing raid0 and raid1 - How?

2016-04-16 Thread Andy Smith
Hi Matthias,

On Sat, Apr 16, 2016 at 08:15:43PM +0200, Matthias Bodenbinder wrote:
> I am using Mint LMDE2 with debian backports. So I do have kernel 
> 4.4+71~bpo8+1 running.
> btrfs tools are from debian stable, which has version 3.17. I am wondering if 
> it would make sense to also get the tools from the backports repo which has 
> version 4.4-1~bpo8+1. 
> 
> I understand from your message that I should do that. Right?

You definitely need btrfs-tools newer than 3.17 owing to a number of
bugs that have been fixed. In your position if I was running a
kernel from backports then I would also want btrfs-tools from
backports, yes.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



Re: btrfs: mixing raid0 and raid1 - How?

2016-04-16 Thread Andy Smith
Hello,

On Sat, Apr 16, 2016 at 01:35:20PM +0200, Luis Felipe Tabera Alonso wrote:
> Still btrfs is quite young, I am not sure if there are serious issues in 
> 3.17, 
> I would make some experiments before actual use.

If you are going to use btrfs I would consider it essential to be
subscribed to the linux-btrfs mailing list. You will also need to
use a much newer kernel than 3.17, and you will need to commit to
continuing to use newer kernels for some time yet.

I mention this because you need to be aware that you may still hit
issues where you need the help of linux-btrfs and that there is a
need to use newer kernels than you will find packaged in Debian
stable.

I do myself run btrfs at home and I thought I had a stable
combination of kernel version and userland tools (btrfs-tools), but
when I came to need to replace a dead device I found that subsequent
developments in btrfs meant I needed a newer btrfs-tools, and that
in turn meant I needed a newer kernel.

If the idea of having to upgrade kernel and some userland tools in
order to recover from a simple situation of a dead device does not
appeal to you then btrfs may not yet be for you. Things like this
are why I do not yet run it in production.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



Re: VPN over IPv6

2016-04-14 Thread Andy Smith
Hi Philippe,

On Thu, Apr 14, 2016 at 07:42:06PM -0500, Philippe Clérié wrote:
> This morning, on my Planet Debian feed, I saw a post from someone
> using OpenVPN on IPv6. I thought it somewhat strange since I believe
> IPv6 essentially removes the need for VPN. So what might be a use
> case for VPN over IPv6?

I can't comment on the blog author's motivations as I haven't seen
the article you mention, but a VPN is useful any time you need to
join your network to another network in a secure and authenticated
manner. It doesn't really matter what protocols are in use on either
side—could even be something exotic and non-IP that you end up
running over the link.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting

> I'd be interested to hear any (even two word) reviews of their sofas…
Provides seating.— Andy Davidson



Re: PXE install

2016-04-08 Thread Andy Smith
Hi Ethan,

On Thu, Apr 07, 2016 at 11:50:57PM -0400, Ethan Rosenberg wrote:
> Dear List -
> 
> After a little bit of searching the problem causing the "no boot
> filename found" error is the lack of a PXE server.

Please back up a bit and tell us what exactly you're trying to do,
what works and what doesn't.

You seem to have attached a dhclient config file but that isn't
correct for doing PXE boot. To do PXE boot you would normally add an
entry to your local network's DHCP server, and run a tftp server
that serves the netboot archive.

So, how far in doing that did you get?

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



Re: No ext4 in netinstall debian wheezy

2016-04-05 Thread Andy Smith
Hi Jonas,

On Tue, Apr 05, 2016 at 03:21:10PM +0300, jonas wrote:
> I`m trying to install debian wheezy 64bit via pxe and i`m using
> netinstall image (i have installed a lot of servers via that pxe and
> first time i got this problem) and in manual partitioning i cant find
> filesystem ext4, i have added print screen url.

I had the same problem back in February. Do you need to download an
up to date netboot.tar.gz?


http://strugglers.net/~andy/blog/2016/02/05/your-debian-netboot-suddenly-cant-do-ext4/

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



Re: What is cisco-sccp?

2016-04-05 Thread Andy Smith
Hi Gábor,

On Sun, Apr 03, 2016 at 09:04:44PM +0200, Gábor Hársfalvi wrote:
> How could I know what program uses the port 2000?

You keep asking "how can I get rid of it?" and "how can I close it?"
and "why is it in Debian?" but you haven't yet shown us why you
think you have something related to cisco-sccp running on your
computer.

You say you did the netstat and/or lsof command suggested earlier.
Its lack of output suggests you have nothing listening on port 2000
TCP and so are not running cisco-sccp software. There's a few reasons
why that could give a false positive, but before we go there we need
to know what prompted you to ask these questions.

So, please be clear: what are you seeing that makes you think you
actually have something related to cisco-sccp running on your
computer?

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



Re: HWRAID

2016-03-25 Thread Andy Smith
Hi,

This is more of a debian-user question as it is off-topic on
debian-project. I've sent a copy there.

On Fri, Mar 25, 2016 at 05:50:56PM +0200, bortunadr...@gmail.com wrote:
> Is there any chance to install Debian8 over hardware raid 10 ?  If
> true please give a list of compatible cards. 

It would be a long list as it would be pretty much any RAID card
supported by the Linux kernel without the need for proprietary
firmware.

Specifically I have had no problems with the 3ware and now LSI RAID
cards, although it has been a few years since I installed with one
(switched to SSDs and md RAID).

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting



Re: GNOME 3, how do you ensure windows are grouped in the dash?

2016-03-09 Thread Andy Smith
Hello,

On Wed, Mar 09, 2016 at 11:36:18AM +0100, Sven Arvidsson wrote:
> On Wed, 2016-03-09 at 10:17 +0000, Andy Smith wrote:
> > It would be a real shame if this could not be achieved with
> > arbitrary applications, as I find urxvt a lot faster than
> > gnome-terminal. :(
> 
> Interesting, g-t has been considered to be very fast:
> http://martin.ankerl.com/2007/09/01/comprehensive-linux-terminal-performance-comparison/

To be honest, so is my experience with urxvt vs gnome-terminal. Oh
well, I will switch to gnome-terminal for now and see how I get on.

Cheers,
Andy



Re: GNOME 3, how do you ensure windows are grouped in the dash?

2016-03-09 Thread Andy Smith
Hi Sven,

On Wed, Mar 09, 2016 at 11:05:14AM +0100, Sven Arvidsson wrote:
> On Wed, 2016-03-09 at 09:18 +, Liam O'Toole wrote:
> No surprise as gnome-terminal is well integrated with GNOME :)
> 
> But xterm also have its windows grouped in the shell. Hmm...
> 
> I examined the window hints set by xterm and urxvt (with xprop) and
> urxvt does not set WM_CLIENT_LEADER that the shell needs for grouping:
> 
> https://groups.google.com/forum/#!topic/comp.lang.tcl/HQ479-XYwy8

The annoying thing is, if I start one urxvt and then open multiple
others from within it by typing urxvt inside it then all of them are
grouped. But if I start multiple urxvt from different .desktop
files, they are each separate. So I'm not sure that it is actually
anything wrong with urxvt.

Cheers,
Andy



Re: GNOME 3, how do you ensure windows are grouped in the dash?

2016-03-09 Thread Andy Smith
Hello,

On Wed, Mar 09, 2016 at 09:18:52AM +, Liam O'Toole wrote:
> On 2016-03-09, Andy Smith <a...@strugglers.net> wrote:
> > The thing is, I really like urxvt! And I really like having one
> > urxvt window for each host, using screen to have multiple sessions
> > within each one.
> 
> That is exactly my workflow. I achieve it using gnome-terminal

It would be a real shame if this could not be achieved with
arbitrary applications, as I find urxvt a lot faster than
gnome-terminal. :(

Cheers,
Andy



GNOME 3, how do you ensure windows are grouped in the dash?

2016-03-09 Thread Andy Smith
Hi,

I'm experimenting with moving to GNOME 3 from Unity but there is a
particular behaviour I'm having trouble replicating and although
it's a small thing, I don't think I can live without it.

My workflow generally results in me having many (15+) rxvt-unicode
terminal windows each connected to different remote hosts, and a
couple of browser windows.

On Unity I provide myself with easy access to the different urxvt
launchers by making each one a different .desktop file in
~/.local/share/applications/

For example, ~/.local/share/applications/remotehost-foo.desktop:

[Desktop Entry]
Comment=Terminal on foo
Terminal=false
Name=foo
Exec=urxvt -T foo -e autossh -M 0 foo.example.com
Type=Application
Icon=utilities-terminal
StartupNotify=true
StartupWMClass=RemoteHosts

I can launch this by hitting the super key and starting to type
"foo". This application will appear in the dash as I type. If I
launch it again, or launch a different one, they will appear grouped
together under a single terminal icon on the launcher bar. I would
be able to select between them by right clicking on the single
terminal icon on the launcher bar.

I tried to set up the same thing on GNOME 3. It almost works.
Hitting super and starting to type indeed finds the applications,
but each one shows as its own icon on the dash while running. If I
carry on this way then my dash will be full of terminal icons that
are difficult to select between.

I tried changing StartupWMClass to "urxvt". That does not allow me
to launch multiple applications; the search finds the application,
but selecting it just brings the existing window to focus without
launching a new one.

I found one workaround, which was to make a single .desktop file
that has many alternate actions. Like this:

[Desktop Entry]
Comment=Terminals
Terminal=false
Name=urxvt
Exec=urxvt -T localhost
Type=Application
Icon=utilities-terminal
StartupNotify=true
Actions=foo;bar;

[Desktop Action foo]
Name=foo
Comment=Terminal on foo
Exec=urxvt -T foo -e autossh -M 0 foo.example.com

[Desktop Action bar]
Name=bar
Comment=Terminal on bar
Exec=urxvt -T bar -e autossh -M 0 bar.example.com

Basically one alternate action for each host I often connect to. I
would then launch them by hitting super, beginning to type urxvt,
right clicking on the icon that appears and selecting the correct
action. Multiple windows now do group under urxvt on the dash.

Downsides:

- Can't search for the application by its host name
- Have to select correct host from a huge list of actions

Those are pretty big downsides for that workaround.

I am aware that I could change my workflow. I could use one terminal
with screen or tmux or similar to have a different window on each
host. I know I could use terminator to have multiple terminal
windows inside one window. Or I could use a tabbed terminal emulator
like gnome-terminal.

The thing is, I really like urxvt! And I really like having one
urxvt window for each host, using screen to have multiple sessions
within each one.

So, does anyone know how to make GNOME 3's dash group multiple
windows under the one icon?

Perhaps this is not the best forum for asking GNOME 3 questions. I
had a search around and couldn't find any official GNOME support
channels though. If there's a better place please do let me know.

Cheers,
Andy



Re: Is it possible to conduct a Debian install over wifi (iwlwifi)?

2016-03-07 Thread Andy Smith
Hi Brian,

On Mon, Mar 07, 2016 at 10:46:47AM +, Brian wrote:
> 1. Stop at the 'Detect network hardware' stage and switch to a console.
> 
> 2. Unpack the .deb for the firmware you want:
> 
> ar -x /cdrom/pool/non-free/f/firmware-nonfree/

Because I was using the non-free firmware installers, the firmware
was already present in /lib/firmware and still the (jessie
net-)installer did not ask for it.

In my other follow-up I mentioned that a daily d-i stretch ISO
(again of the unofficial non-free firmware variety) did actually
work as far as wifi firmware was concerned, but bombed out with a
package conflict. It turns out that switching to the console and
doing "apt-get install -f" as it suggested did resolve that and the
install was able to proceed.

I have ended up with a successful install of stretch, entirely
installed over wifi, which is very encouraging.

I'm undecided whether to stay on testing though, so I might yet end
up trying a few different things to get stable installed…

Cheers,
Andy



Re: Is it possible to conduct a Debian install over wifi (iwlwifi)?

2016-03-06 Thread Andy Smith
Hello,

On Mon, Mar 07, 2016 at 03:39:26AM +, Andy Smith wrote:
> As per
> http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/
> I wrote an ISO of the current amd64 netinst including non-free
> firmware to a USB and booted from it.
> 
> At no point does it tell me that it requires additional firmware. It
> also does not load iwlwifi or any of the associated wifi modules.

An off-list response said they had more success with a daily
installer image.

I tried out:


http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/stretch_di_alpha5/amd64/iso-cd/

and indeed this now correctly says it requires firmware. It finds and
configures the wlan device and is able to download things through
wifi.

Unfortunately this of course attempts to install stretch. That
wouldn't be so bad but this fails during "Select and install
software" with:

pkgsel: checking for (security) updates to the base system
in-target: Reading package lists...
in-target:
in-target: Building dependency tree...
in-target:
in-target: reading state information...
in-target: You might want to run 'apt-get -f install' to correct these.
in-target: The following packages have unmet dependencies:
in-target:  ifupdown : Breaks: systemd (< 228-3~) but 228-2+b1 is installed
in-target:  systemd : Depends: libsystemd0 (= 228-2+b1) but 229-2 is installed
in-target: E: Unmet dependencies. Try using -f.
in-target: dpkg: dependency problems prevent configuration of systemd:
in-target:  systemd depends on libsystemd0 (= 228-2+b1); however:
in-target:   Version of libsystemd0:amd64 on system is 229-2.
in-target:  ifupdown (0.8.10) breaks systemd (<< 228-3~) and is installed.
in-target:   Version of systemd to be configured is 228-2+b1.

I don't fancy unpicking problems like this on testing, so for now I
think I'll go back and see if there are any daily installer images
for jessie that work with regard to wifi firmware.

At least I know now that it is possible.

Cheers,
Andy



Is it possible to conduct a Debian install over wifi (iwlwifi)?

2016-03-06 Thread Andy Smith
Hi,

I've got a ThinkPad X1 Carbon gen 4 which I'd like to try installing
Debian on. Preferably stable, but I'll try with testing if
necessary.

The machine has an Intel 8260 wifi which will require non-free
firmware. Although it has an eth0 (e1000e), physically using that
requires an adaptor, so that is not an option.

As per
http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/
I wrote an ISO of the current amd64 netinst including non-free
firmware to a USB and booted from it.

At no point does it tell me that it requires additional firmware. It
also does not load iwlwifi or any of the associated wifi modules.

So, given this is a netinst installer I am unable to proceed.

I tried dropping to a shell and doing "modprobe iwlwifi". Although
this appeared to load the module without error (lsmod shows it), it
did not result in a wlan0 network device appearing.

Is there any way to force the debian-installer to realise it needs
to load firmware for this wifi device? I have a feeling that it is
seeing there is an eth0 and giving up at that point, assuming that
is good enough.

All of my online research so far just shows instructions that say
that the installer will ask for firmware if it thinks it needs it.

Is it even possible to do a Debian install over wifi alone?

I've booted an Ubuntu live environment and the wifi does work there,
so am pretty sure it's just a driver/firmware issue.

Cheers,
Andy



Reports of (Debian?) Linux kernel 2.6.32 livelocking when notified of leap second

2012-06-30 Thread Andy Smith
Hello,

Has anyone been seeing this sort of thing in the last 22-ish hours?

http://serverfault.com/questions/403732/anyone-else-experiencing-high-rates-of-linux-server-crashes-today

I've run adjtimex -p on all of my servers and they're all reporting
status 17, which as far as I can tell means they've already been sent
adjtimex() by ntpd and will add a leap second at midnight.

As I understand the reports so far, the livelock would happen at the
point where ntpd sends the adjtime(), so if they haven't locked
already then they aren't going to.

Cheers,
Andy





Re: Re: 3dm2 and iceweasel/firefox 10 - Connection reset

2012-05-22 Thread Andy Smith
Hi,

On Mon, May 21, 2012 at 03:53:52PM +0400, Андрей Александрович wrote:
> На firefox 8.0 тоже распространяется :( [Translation: this applies to firefox 8.0 as well :(]

I've no idea about most of what you're saying, but based on the only
words I can understand I am guessing you're having problems with the
3ware 3dm2 web interface ever since you upgraded firefox.

I've had this before myself. A flaw in the SSL handling of most web
browsers was discovered and so they fixed it.  Unfortunately 3dm2
can only talk broken SSL which no modern browser accepts any more.
For a long time there was no solution and so I got used to using
tw_cli instead.

According to http://kb.lsi.com/KnowledgebaseArticle16625.aspx it
looks like LSI have finally put out new 3dm2 binaries, though I
haven't yet tried them.

Hope that helps,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting




Re: cross-connecting console ports?

2010-05-17 Thread Andy Smith
Hi Miles,

On Mon, May 17, 2010 at 04:59:38PM -0400, Miles Fidelman wrote:
> Short of buying a remote KVM, it occurs to me that it might be possible
> to cross-connect the serial ports on the two computers - using a terminal
> program on one, to access the other, and vice versa.

This works fine; I do it all the time when testing hardware.

> Has anybody done this?  Any suggestions on where to start - both re.
> cabling (USB vs. serial cross-over), and/or software?

These days it becomes easier to have a bunch of USB ports than a
bunch of serial ports, so USB/serial converters are cheap and useful
and I've yet to find one that doesn't just work under Debian.

I used to use minicom, but lately I use screen /dev/ttyUSB0 9600
or whatever.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting




Re: Expanding subnets

2009-07-19 Thread Andy Smith
Hi kj,

On Wed, Jun 03, 2009 at 09:35:15AM +0100, kj wrote:
> I need to feed subnets into a database in the format 192.168.0.% or
> 192.168.%.%

Whenever I find myself trying to do something like this, I stop and
consider if my database design is optimal.

You can store an IPv4 address as a 32-bit unsigned integer, and you
can store an IPv4 network as one of those together with a prefix
between 0 and 32.  You can then do operations on these.

However...

> which means, for example, 192.168.0.0/23 should break down into:
>
> 192.168.0.%
> 192.168.1.%
>
> Does anyone know of a way to convert this?

Perl's Net::Netmask module helps:

$ perl -MNet::Netmask -e '$block = new Net::Netmask("192.168.0.0/23"); print join("\n", $block->enumerate(24)), "\n";'
192.168.0.0
192.168.1.0

After adding some validation, you could replace the trailing '.0'
with '.%'.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting

 I have just recently purchased a Feathercraft Big Kahuna kayak
 does it have a heater?
Of course not.  Everyone knows you can't have your kayak and heat it.
  -- James Fidell
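
Added example, not part of the original message: the two approaches discussed above, sketched in Python with the standard ipaddress module rather than Net::Netmask. It generalises the /23 case to any prefix that falls on or before an octet boundary, and the function names are this example's own.

```python
import ipaddress


def to_int_prefix(cidr):
    """Store a network as (32-bit unsigned integer, prefix length)."""
    # strict=True rejects input with host bits set, e.g. 192.168.0.1/23.
    net = ipaddress.IPv4Network(cidr, strict=True)
    return int(net.network_address), net.prefixlen


def in_network(ip, net_int, prefix):
    """Membership test on the integer form: mask the address, compare."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & mask) == net_int


def like_patterns(cidr):
    """Expand a network into octet-wildcard patterns such as 192.168.0.%.

    The network is split at the next octet boundary at or after its prefix
    (/8, /16 or /24). Prefixes longer than /24 are refused because an octet
    wildcard would match addresses outside the network.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen > 24:
        raise ValueError(f"{cidr}: finer than /24, cannot be written as x.y.z.%")
    boundary = 8 if net.prefixlen <= 8 else 16 if net.prefixlen <= 16 else 24
    keep = boundary // 8  # number of literal octets in each pattern
    patterns = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")
        patterns.append(".".join(octets[:keep] + ["%"] * (4 - keep)))
    return patterns


if __name__ == "__main__":
    print(like_patterns("192.168.0.0/23"))
    net_int, prefix = to_int_prefix("192.168.0.0/23")
    print(net_int, prefix, in_network("192.168.1.77", net_int, prefix))
```

The trailing dot before each % is what keeps a pattern like 192.168.1.% from also matching 192.168.10.x.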




Re: Encrypting incoming messages with GnuPG

2009-05-10 Thread Andy Smith
Hi Harry,

On Sat, May 09, 2009 at 11:14:14AM +0100, Harry Rickards wrote:
> I was wondering if anyone knew of a way, perhaps using /etc/aliases, so
> that all incoming mail addressed to my username (hrickards) is encrypted
> with *my* public key, so that when I read it only I can read it using
> *my* private key. If the mail was signed or encrypted beforehand, it
> could then be decrypted with my private key as usual.

Have you considered just using an encrypted filesystem?

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: mdadm Raid1 Striped Reads

2008-03-23 Thread Andy Smith
Hi,

On Wed, Mar 12, 2008 at 05:16:31PM -0400, Douglas A. Tutty wrote:
> On Wed, Mar 12, 2008 at 01:24:53PM -0500, Sam Leon wrote:
> > Is there anyway to get mdadm to stripe disk reads in raid1?  Some of the
> > documentation I read makes me think that it does this by default but in
> > my tests it is not
>
> I'd like to know too.  It doesn't on my Etch box.

I believe that a single process's reads always come from one of the
disks.  You can have multiple readers using multiple disks, so it
still provides a benefit.

You could try using RAID-10 on 2 disks (this will work for Linux
md's implementation) to see if that will stripe it for even one
process's reads.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: named server question

2008-01-20 Thread Andy Smith
Hi Chloe,

On Mon, Jan 14, 2008 at 11:33:39AM -0500, chloe K wrote:
> Hi all
>
> What is the recursive client?

Your machine is the dns client (or libraries in its OS are).  The
resolver(s) it has configured should be recursive in that they will
recursively ask questions of other nameservers.

The option controlling this is allow-recursion which you normally
put in /etc/bind/named.conf.options.  You should give it an acl to
say who can recurse (giving recursive access to the whole Internet
is generally a bad idea).

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: Apache2 Still Dying

2007-11-11 Thread Andy Smith
Hi Raquel,

On Wed, Nov 07, 2007 at 07:56:45PM -0800, Raquel wrote:
> I ran mtest86+ and the memory checked out ... no errors.
>
> I ran strace /usr/sbin/apache2 and can see no errors.

Once it dies, what happens if you do a ps to find the running
apache children (by default running under username www-data) and
strace one of them with strace -p?

If the output is large, please could you upload it somewhere and
post a link to that?

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: (solved)Re: Can I resize partition?

2007-11-11 Thread Andy Smith
Hi Serena,

On Fri, Nov 09, 2007 at 06:22:17PM -0800, Serena Cantor wrote:
> Sorry, my memory fails.
>
> After entering fdisk, I find free disk space is just before /dev/sda2, not
> after it.
>
> It seems that I can't resize it. Thanks anyway!

It isn't much use to you right now, but you may want to consider
using LVM in future to avoid these issues.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: repeated rejection of lookups of bad name

2007-11-11 Thread Andy Smith
Hi Ross,

On Sun, Nov 11, 2007 at 10:47:13AM -0800, Ross Boylan wrote:
> A few days ago I received a message with a return path of
> [EMAIL PROTECTED]
> exim4's data ACL rejected the message.

[...]

> Since then, every hour at 2 minutes after the hour I get the
> named[]: unexpected RCODE (REFUSED) resolving
> 'palmcoastcondo.com/TXT/IN': ::1#53
> message.
>
> Googling indicates this means that a DNS query is going to ::1, which I
> think is IPv6 for localhost, and the DNS server (which is mine) is
> rejecting the query.

I believe that your DNS server is reporting an error code it is
receiving from the auth. servers for palmcoastcondo.com.

> Why is this happening?  That is,
> 1. why is the query being generated every hour?  The timing seems to
> coincide with hourly runs of logcheck.

It is probably being checked by spamassassin's URIBL module as it
appears in email going to you.

> 2. why is it looking for ::1#53 as the DNS server?  I have not
> configured bind9 to accept queries on ::1.  So the question isn't why
> it's being rejected, but why that location is being queried.

I imagine that your named is listening on all interfaces.  What is
in /etc/resolv.conf?

> 3. How can I stop these queries?

There are several ways.  For example you could:

- stop receiving email with that domain name in it.

- Turn off URIBL queries

but instead I would recommend ignoring it, and taking steps to make
ignoring it easier.

> Also, my logcheck rules aren't filtering the unexpected RCODE messages
> out.  I suspect they should, but the reason will probably be clear by
> inspecting them.

Usually when I have problems like this with logcheck it is because
the message also matches something in the violations files, which
are positive matches.  I would take a guess at REFUSED being in
/etc/logcheck/violations.d/logcheck.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: (solved)Re: Can I resize partition?

2007-11-11 Thread Andy Smith
Hi,

On Mon, Nov 12, 2007 at 02:43:25PM +0800, H.H. Ding wrote:
> Will I lose all my data if one of my physical partitions in LV failed?

The short answer you are probably looking for is Yes, maybe.  At
least some.  This isn't what LVM is for.  Use RAID.  The longer
answer is:

LVs don't have physical partitions, volume groups (VGs) do.  If a
physical volume (partition) fails then you will not be able to
activate the VG that it is part of (which may contain many LVs, some
or all of which have data on the failed PV).
At this point you have a few nasty options.  You could run vgreduce
--removemissing which will delete any LV that has any data on the
failed PV.  That would allow you to activate the VG again so that
the LVs that did not have any data on the failed PV would work
again.

Alternatively you could do some tricks with replacing a failed PV
with a null device that never stores or returns any data.  This may
allow you to bring up the VG and its LVs and get a copy of data with
holes in where the failed PV was.

The idea is to not ever get into the position of having a VG with
failed PVs.  LVM is not for redundancy, it is purely volume
management.  You should use redundant block devices underneath LVM
for that, such as software RAID (MD).  A failed MD component device
is not exposed to LVM at all.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: how to read http mails in mutt mail reader (vim)?

2007-11-04 Thread Andy Smith
Hi Jim,

On Sun, Nov 04, 2007 at 07:31:53PM +1100, hce wrote:
> I've just installed mutt in Debian, one problem is there are some
> mails from news lists with HTTP format, it was fine when I use Mozilla
> mail reader, but with mutt and vim, I could not read the HTTP format
> mails. One solution I can think of is to use lynx, but I don't know
> how to config mutt with lynx. How do you handle this issue?

If you mean HTML, there was a post to Planet Debian on this subject
just yesterday:

http://cord.de/blog/index.php?entry=entry071103-141719

I do it that way too.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: Quota Headache

2007-11-03 Thread Andy Smith
Hi Brian,

On Wed, Oct 31, 2007 at 09:22:41AM +, Brian Platt wrote:
> I'm having bit of a nightmare trying to get quota to work with
> directadmin and debian sarge Server is VPS  /etc/fstab
> shows/dev/xvda1 / ext3 rw,noatime 0 1/dev/xvdb1 none swap defaults
> 0 0I tried adding usrquota,grpquota but it didn't work. Is it
> meant to go after noatime? ie rw,noatime,usrquota,grpquota I've
> installed quota via apt-get.  dmesg shows VFS: Disk quotas
> dquot_6.5.1 Any help ie a quick idiots guide would be appreciated.

What is the output of the mount command for you right now?

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: Connect to remote CVS server

2007-11-03 Thread Andy Smith
Hi Rocky,

On Thu, Nov 01, 2007 at 01:11:54AM -, rockymaxsource wrote:
> Can any of you tell me how to use SSH to connect to remote CVS
> repository with user name and password please?

Set the CVS_RSH variable to 'ssh' and then use :ext:username as your
username in the cvs root specification.  For example:

$ export CVS_RSH='ssh'
$ cvs -d :ext:[EMAIL PROTECTED]:/data/cvs checkout some_module

This checks out the module some_module, from the cvsroot of
/data/cvs, on the host strugglers.net, over ssh, authenticating as
user andy.

See
http://cvsbook.red-bean.com/cvsbook.html#Accessing%20A%20Repository
for more information.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: raid1 mdadm v's lvm

2007-10-17 Thread Andy Smith
Hi Alex,

On Wed, Oct 17, 2007 at 08:53:09PM +1000, Alex Samad wrote:
> Interesting, I have a habit though of keeping root out of LVM,
> very easy to get access to root in emergency  when its a raid1
> partition

Agree.

However, I personally use a much smaller root, say 1G or less, and
then have /usr, /var (and possibly some others depending on the
purpose of the machine) inside LVM.

I have avoided LVM mirroring because as far as I am aware the
machine would not come up entirely without human intervention if a
drive would be lost - please correct me if I am wrong there..

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: lvreduce - no such file or directory?

2007-10-16 Thread Andy Smith
Hi Andy,

On Sun, Oct 07, 2007 at 05:52:28PM +0100, Andy Hardy wrote:
> Wesley J. Landaker wrote:
> > On Sunday 07 October 2007 07:46:42 Andy Hardy wrote:
> > > debian:/home/andy# lvreduce -v -r -L -50g /dev/debian/home
> > >   Finding volume group debian
> > >   Executing: fsadm check /dev/debian/home (null)
> > > fsadm: execlp failed: No such file or directory
> > > fsadm failed: 2
> > > debian:/home/andy#
> >
> > You don't give it a device, you give it a vg and lv name, so:
> >
> > $ lvreduce -v -r -L -50g debian/home
>
> I get the same error.

Indeed, both ways should work.

> > But you'd better be sure you've already shrunk the *filesystem* itself, or
> > you're going to lose all of your data.
>
> Isn't the -r (resizefs) supposed to do this?

My copy of lvreduce as distributed with etch does not have this
option.  Try reducing the filesystem with resize2fs first, then
doing lvreduce without the -r.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: postgres install fails on sid

2007-10-16 Thread Andy Smith
Hi John,

On Sun, Oct 07, 2007 at 06:05:42PM +, John Masters wrote:
> I've chmod 666 /dev/null and now postgres installs OK. However I
> hesitate to go further as this server is on a VPS. Could that be why the
> perms were not set properly?

I can think of no reason why anyone would provision a server of any
sort with a /dev/null that is a regular file, so I suspect a mistake
somewhere.  Also I suspect it has not been in that state for a long
time, as so many things redirect their output to /dev/null that it
would quickly grow to fill the filesystem.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: Nagios For Debian

2007-10-06 Thread Andy Smith
Hi,

Firstly please do not hijack other threads.  If you want to start a
new thread, do it as a new email.

On Fri, Oct 05, 2007 at 08:17:02AM -0600, Joel Roberts wrote:
> Is anyone else using Nagios on Debian Etch?

I am.

> I've got it set up for monitoring Linux and Windows servers, but
> the check_snmp plugin won't compile. The Nagios FAQ says it must
> be missing SNMP packages, but Synaptic reports they're all
> installed.

You don't need to compile anything.  The check_snmp plugin works
fine straight out of the nagios-standard-plugins package.

> Checking the list of Nagios Plugins for the Debian install, I don't even
> see check_snmp listed any more. I have MRTG up and running on the same
> box, so I know at least the SNMP packages needed for MRTG are there.

$ dpkg -L nagios-plugins-standard | grep snmp
/usr/lib/nagios/plugins/check_snmp
/usr/share/nagios-plugins/templates-standard/snmp.cfg

If you're having problems with it then I suggest running it by hand
from the command line to see what is going on.
/usr/lib/nagios/plugins/check_snmp --help will give you some usage
hints.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: SNMP Issues on Debian Etch

2007-10-06 Thread Andy Smith
Hi,

On Fri, Oct 05, 2007 at 09:22:35AM -0600, Joel Roberts wrote:
> When I try to run the snmpwalk command, I'm told it doesn't exist.
> Has this been taken out of Debian Etch or is it in some other
> package?

$ apt-file search bin/snmpwalk
snmp: usr/bin/snmpwalk

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: can ping only with sudo

2007-10-06 Thread Andy Smith
Hi David,

On Sat, Oct 06, 2007 at 05:46:58PM -0700, David Fox wrote:
> On 10/6/07, tom arnall [EMAIL PROTECTED] wrote:
> > lately i inadvertently did 'chmod 777 -R /dev' on my system (as root, of
> > course!). now i find that to ping anyone i have to do it as sudo, else i
> > get:
> >
> > ping: icmp open socket: Operation not permitted
>
> Something is odd indeed.
>
> I attempted to run an strace (sometimes those can be useful to see
> what devices and files it is trying to read - look at access() and
> open() functions in particular) but I get the same error as you if I
> try to do an strace on ping. Otherwise, ping runs normally.

I believe this is because it won't run setuid under strace.  As Tom
says in the other reply, the OP's problem is most likely that
/bin/ping has lost its setuid bit.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: unable to install mysql (lamp) (post-installation script returned error exit status 1)

2007-09-29 Thread Andy Smith
Hi Jabka,

On Sat, Sep 29, 2007 at 06:38:14PM +0200, Jabka Atu wrote:
> Sep 29 18:34:30 acerium mysqld[16628]: 070929 18:34:30 [ERROR] Can't
> start server: Bind on TCP/IP port: Cannot assign requested address
> Sep 29 18:34:30 acerium mysqld[16628]: 070929 18:34:30 [ERROR] Do you
> already have another mysqld server running on port: 3306 ?

So, please check if there is already a mysqld running.  You might
want to use ps, netstat -an, and/or lsof -p pid.

Also please can you post your /etc/mysql/my.cnf file.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: how to compile a xen dom0 kernel the debian way

2007-09-09 Thread Andy Smith
Hi Jonas,

On Fri, Sep 07, 2007 at 04:33:43AM +0200, Jonas Meurer wrote:
>
> hello,
>
> i would like to give xen a try, but i didn't manage to compile a dom0
> host kernel yet.

Do you need to?  What is wrong with Debian's xen kernels?

> that's because i would like to use a recent linux kernel (2.6.20 at
> least), build it the debian way (with make-kpkg), and as well build
> some external modules (nvidia-legacy-96xx, ivtv) with module-assistent
> for it.

You can't use a kernel.org kernel, as the xen feature is a patch
developed external to the mainline kernel.

You can use the normal Debian kernel source and compile like you
would normally, making sure to select the xen patch.

This will result in a kernel you can use with module-assistant.  But
you can use module-assistant with the stock debian xen kernel so I
am not clear as to why you need to do this.

> so how do you compile a xen dom0 host-kernel? is it possible with recent
> kernel sources, and where do i find the corresponding xen patches?

They come with Debian's kernel source.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: how to compile a xen dom0 kernel the debian way

2007-09-09 Thread Andy Smith
Hi Jonas,

On Sun, Sep 09, 2007 at 03:03:09PM +0200, Jonas Meurer wrote:
> On 09/09/2007 Andy Smith wrote:
> > Hi Jonas,
>
> Hey Andi,
>
> > > i would like to give xen a try, but i didn't manage to compile a dom0
> > > host kernel yet.
> >
> > Do you need to?  What is wrong with Debian's xen kernels?
>
> I don't think that there's anything wrong with debian's default kernels,
> but I always use a selfcompiled kernel, and I'dd like to learn howto
> compile a xen dom0 kernel as well.

Okay.  Well, it has been a long time (6 months+) since I did this as
these days the stock debian xen kernels are fine for me, but..

> > You can use the normal Debian kernel source and compile like you
> > would normally, making sure to select the xen patch.
>
> Unfortunately, this simply doesn't work. If I run 'make menuconfig' in
> debian's linux-source-2.6.22 sources, I don't get any xen options in
> the submenu 'processor-type and features'.

So you have also installed linux-patch-debian-* and then done:

$ sudo make-kpkg --added-patches xen clean
$ sudo make-kpkg --added-patches xen kernel-image

?

Also back when I did it, this bug was present and needed the
described workaround:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382699

That is what I mean by making sure to select the xen patch.  It's
the same process as used for making your own linux-vserver kernel.

If you still have problems I would recommend the debian xen package
mailing list.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB




Re: A sane way to merge config file differences during package installation?

2007-09-02 Thread Andy Smith
Hi,

On Sun, Sep 02, 2007 at 11:55:05AM +0200, Richard Hartmann wrote:
> Configuration file `/etc/sysctl.conf'
>  ==> Modified (by you or by a script) since installation.
>  ==> Package distributor has shipped an updated version.
>    What would you like to do about it ?  Your options are:
>     Y or I  : install the package maintainer's version
>     N or O  : keep your currently-installed version
>       D : show the differences between the versions
>       Z : background this process to examine the situation
>  The default action is to keep your current version.
> *** sysctl.conf (Y/I/N/O/D/Z) [default=N] ?
>
> What I would want is something like
>
> M: merge files interactively
>
> which would then call vimdiff, probably via $DIFF_EDITOR
> or some other variable if something like it does already exist.

I'd like that too.  At the moment I just hit Z to suspend and then
do vimdiff manually.

Cheers,
Andy

