Re: making Debian secure by default

2024-03-28 Thread Andy Smith
Hi,

On Thu, Mar 28, 2024 at 12:22:57PM -0400, Lee wrote:
> For heavens sake, the man page says
> 
>Traditionally, write access is allowed by default.  However,  as  users
>become  more  conscious  of various security risks, there is a trend to
>remove write access by default, at least for the primary  login  shell.
>To  make  sure  your ttys are set the way you want them to be set, mesg
>should be executed in your login scripts.
> 
> Clearly at least the man page writer realized there was a threat there
> _and chose not to remove the threat_ !?

For context, that was likely written by someone a decade or more
ago, someone who did not have responsibility for any other part of
Linux. Since that time even the parts that were in charge of setting
terminal permissions might have changed implementation and
maintainers several times.

It's not that they chose not to keep the rest of the system
consistent with their opinion, it's more likely that they could not.

Documentation and integration is perpetually out of date in Linux.
Also no one can agree on which documentation is canonical, and very
few people read any of it. I'm just as guilty as anyone: having no
use for "wall" or "mesg" for decades, I hadn't read its man page and
didn't notice that terminals were group-writeable.

> Is there really nothing better than sudo find /  files with uid or gid perms> and try to figure out which of those
> program are not necessary?

I don't think there is, no. After finding each of those things you
would need to do some research on each one. Those that are
particularly worrisome probably already do have some notes
somewhere.

> $ sudo crontab -l
>...
>  47  4  *  *  *  (apt update >> apt-update.log 2>/dev/null) && \
>   (apt list --upgradable 2>/dev/null |\
>   egrep -v '^Listing' >| /etc/motd)

You may like to look in to "apticron-systemd" for a systemd timer
that does the above. (drop the "-systemd" if you prefer a cron job
equivalent)

apticron is mentioned in the Debian Administrator's Handbook which
is worth a read even though it only covers up to Debian 11.


https://www.debian.org/doc/manuals/debian-handbook/sect.regular-upgrades.en.html

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: making Debian secure by default

2024-03-28 Thread Andy Smith
Hi,

On Thu, Mar 28, 2024 at 05:21:21PM +0100, Michel Verdier wrote:
> On 2024-03-28, Marc SCHAEFER wrote:
> >> Apparently the root of the security issue is that wall is a setguid 
> >> program?
> >
> > a) wall must be able to write to your tty, which is not possible
> >if wall is not installed setguid OR if people have sane permissions
> >on their terminals (e.g. set to mesg n)
> 
> Found in /etc/login.defs :

Is login.defs actually used by modern Debian with PAM? I seem to
recall lots of things in there are controlled by PAM instead now.

Looking at all of my sessions, the terminal file for all of them is
group writeable despite "TTYPERM 0600" being in /etc/login.defs.

$ ls -la $(tty)
crw--w---- 1 andy tty 136, 0 Mar 28 16:33 /dev/pts/0
$ mesg
is y
$ mesg n
$ ls -la $(tty)
crw------- 1 andy tty 136, 0 Mar 28 16:34 /dev/pts/0

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: making Debian secure by default

2024-03-28 Thread Andy Smith
Hello,

On Thu, Mar 28, 2024 at 11:24:08AM -0400, Greg Wooledge wrote:
> On Thu, Mar 28, 2024 at 01:30:32PM +0000, Andy Smith wrote:
> > https://www.debian.org/doc/manuals/debian-handbook/
> > 
> > This has a chapter on security, so possibly it would be appropriate
> > to mention "mesg n" there.
> 
> A more proactive endeavor would be to document known best practices
> on the wiki.

Personally I'll read the handbook before the wiki, but I'm fairly
confident that the vast majority of users will read neither. 

Which leads me to ask OP which hardening documents have they
actually already read, and would the advice be suitable for those?

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: making Debian secure by default

2024-03-28 Thread Andy Smith
On Thu, Mar 28, 2024 at 12:28:56AM -0400, Lee wrote:
> On Wed, Mar 27, 2024 at 10:07 PM Andy Smith wrote:
> >
> > Hi,
> >
> > On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> > > I just saw this advisory
> > >   Escape sequence injection in util-linux wall (CVE-2024-28085)
> > > https://seclists.org/fulldisclosure/2024/Mar/35
> > > where they're talking about grabbing other users sudo password.
> >
> > It doesn't work by default on Debian as it relies on
> > command-not-found automatically running on the user's input.
> > command-not-found can be installed, however…
> >
> > > oof.  Are there instructions somewhere on how to make Debian secure by 
> > > default?
> >
> > Between the fact that "secure" means different things to different
> > people and that this advisory was only released a few hours ago, I
> > don't think you can reasonably expect documentation to already be
> > published for your standard of "secure".
> 
> You snipped the bit from the man page about users becoming more
> conscious of various security risks & removing write access by
> default.

It's just an opinion by the author of the man page.

I'm just not sure that you'll find any "hardening" guide that will
specifically say "disable writing to your terminal as there might be
a bug in a binary that is setgid tty" before yesterday's reveal that
there is such a bug in "wall".

The more general advice to audit every setuid/setgid binary is more
likely to be present.

> Considering how long it takes something to migrate into stable I'm
> guessing that man page is pretty old.  So I don't think it's
> unreasonable to expect some kind of secure by default installation
> option.

I wouldn't be surprised if the man page is 10 years old. Linux
distributions do not tend to be that internally consistent. Lots of
weird things get put into man pages by their authors and
distributions don't always feel obliged to obey all of them;
sometimes they are even conflicting between each other.

Things are more coherent in BSD land, where the base system is
developed alongside the kernel, by the same people.

I do agree with you though that "mesg n" would be a much better
default and it's a shame we worked that out by seeing a ten year old
bug revealed.

It might be worth submitting a wishlist bug to Debian. I'm not
entirely sure of which package but I suppose "util-linux" would make
sense since that's where "mesg" comes from. It could ask for a shell
snippet in profile.d to set the default to "n" in the name of
security, and reference this CVE.

If the maintainer of util-linux doesn't agree, then the next thing
I'd try is a bug against the Debian Administrator's Handbook:

https://www.debian.org/doc/manuals/debian-handbook/

This has a chapter on security, so possibly it would be appropriate
to mention "mesg n" there.

> > As you've never heard of "mesg" and probably don't use "wall" I
> > doubt you will have any issues chmod 0 /usr/bin/wall and then
> > setting it immutable¹ with chattr +i.
> 
> I suppose that's one way.  I'd rather uninstall it.

Problem is it's part of "bsdutils" so that would uninstall the whole
package and all its other tools.

A divert (man dpkg-divert) could be used to remove the binary, but I
prefer chmod 0 and immutable as a less drastic approach.

There is also the issue that the user's terminal remains writeable by
processes in "tty" group - all that's been achieved is to stop one
program that has a known bug from doing so. There could be others,
and we've established that most users probably do not want or need
other users to write to their terminals. So "mesg n" is still a good
idea.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: making Debian secure by default

2024-03-27 Thread Andy Smith
Hello,

On Thu, Mar 28, 2024 at 07:37:13AM +0800, jeremy ardley wrote:
>   Some distros, like Debian, do not seem to have a command like
>   command-not-found by default.

[…]

> Which implies that Debian is secure by default against this particular
> exploit

I suspect if OP is worried about users potentially falling for a
fake sudo password prompt then OP is probably not happy about all
the other possibilities around putting arbitrary text on a user's
terminal.

Also as mentioned, command-not-found is packaged in Debian…

Getting rid of the "wall" command seems reasonable for most people.
It's been almost 30 years since I used it for anything useful.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: making Debian secure by default

2024-03-27 Thread Andy Smith
Hi,

On Wed, Mar 27, 2024 at 05:30:50PM -0400, Lee wrote:
> I just saw this advisory
>   Escape sequence injection in util-linux wall (CVE-2024-28085)
> https://seclists.org/fulldisclosure/2024/Mar/35
> where they're talking about grabbing other users sudo password.

It doesn't work by default on Debian as it relies on
command-not-found automatically running on the user's input.
command-not-found can be installed, however…

> oof.  Are there instructions somewhere on how to make Debian secure by 
> default?

Between the fact that "secure" means different things to different
people and that this advisory was only released a few hours ago, I
don't think you can reasonably expect documentation to already be
published for your standard of "secure".

There is a general push to get rid of setuid/setgid binaries. A lot
of "hardening" guides will suggest looking for setuid/setgid
binaries and deciding if you really need them.

As you've never heard of "mesg" and probably don't use "wall" I
doubt you will have any issues chmod 0 /usr/bin/wall and then
setting it immutable¹ with chattr +i.

You could put a call to "mesg n" into a file in /etc/profile.d so
that all users execute it.

Thanks,
Andy

¹ The next update of bsdutils will complain it can't write that file.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
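
An added example (not part of the original messages or of any Debian package): the checks discussed in this thread as a small POSIX shell audit. It reports which terminals are group-writable, which files are setuid/setgid and which package ships them, and prints a profile.d snippet for "mesg n". The function names and the file name /etc/profile.d/mesg-n.sh are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: audit terminal write access and
# setuid/setgid files, the two exposures the messages above discuss.

# Succeed if PATH has the group-write bit set (the state "mesg y" leaves a tty in).
group_writable() {
    [ -n "$(find "$1" -prune -perm -020 2>/dev/null)" ]
}

# Print each entry in DIR (default /dev/pts) that members of its group can
# write to. ptmx is the pty multiplexer, not a user's terminal, so skip it.
writable_ttys() {
    for t in "${1:-/dev/pts}"/*; do
        [ -e "$t" ] || continue
        [ "${t##*/}" = ptmx ] && continue
        if group_writable "$t"; then printf '%s\n' "$t"; fi
    done
}

# List regular files under ROOT that carry the setuid or setgid bit, without
# crossing into other filesystems. Each hit still needs a human decision.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Name the Debian package that ships PATH, or "unpackaged" if dpkg has no record.
owning_package() {
    pkg=$(dpkg-query -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    printf '%s\n' "${pkg:-unpackaged}"
}

# Emit a profile.d snippet that turns terminal write access off at login.
# The tty test and the error suppression keep non-interactive logins quiet.
profile_snippet() {
    cat <<'EOF'
# Installed as e.g. /etc/profile.d/mesg-n.sh (file name is this example's choice)
if [ -t 0 ]; then
    mesg n 2>/dev/null || true
fi
EOF
}

# Run the audit only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--audit" ]; then
    echo "Group-writable terminals:"
    writable_ttys /dev/pts
    echo "setuid/setgid files (package, path):"
    list_privileged / | while read -r f; do
        printf '%s\t%s\n' "$(owning_package "$f")" "$f"
    done
    echo "Suggested profile.d snippet:"
    profile_snippet
fi
```

/etc/profile.d is only read by login shells that source /etc/profile, so a terminal emulator that starts a non-login shell will not run the snippet; running the script with --audit afterwards shows which terminals are still group-writable.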



Re: debian12: something destroys /etc/network/interfaces at boot

2024-03-26 Thread Andy Smith
Hello,

On Tue, Mar 26, 2024 at 06:33:42PM +0100, Steffen Dettmer wrote:
> I changed a gateway on a remote site using /etc/network/interfaces by
> changing gateway. However, at reboot some old gateway IP reappears. I
> really hate when some magic knows better than an explicitly set value.
> What happens here? How can I get rid of this? It is 100% reproducible.
> 
> I have no clue where the wrong 2.43 comes from.

Is this actually Debian?

I have vague memories of someone else asking something like this
before, and at the time I wasn't aware of any software packaged in
Debian that alters the user's /etc/network/interfaces file. I think
in that case it turned out to not actually be Debian.

I also think that there is some Debian packaging rule about one
package not altering the config file of another package unless by
co-operation between the maintainers, so if this does actually turn
out to be Debian there might be bugs to report.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: seeding /dev/random from a security key

2024-03-25 Thread Andy Smith
Hi,

On Mon, Mar 25, 2024 at 09:24:23PM +0100, Björn Persson wrote:
> Does anyone know of another way to obtain random data from devices of
> this kind?

I have some EntropyKeys and some OneRNGs. I have the rngd packaged
in Debian feeding /dev/random from them.

This had an actual noticeable effect in Debian 9 and earlier, but
since the reworking of Linux's random subsystem I cannot demonstrate
any benefit unless I disable all use of the RDRAND CPU instruction.

EntropyKey is a dead product that can no longer be obtained but
OneRNG is still in production. On their mailing list however, there
is a recent discussion about whether there is any point. The conclusion
seems to be "not really". Thread starts here:

http://lists.ourshack.com/pipermail/discuss/2024-March/000797.html

The thread covers how to make rngd feed /dev/random from a OneRNG in
Debian 12, but it is no longer possible to tell if that does
anything useful.

I most likely will not be replacing these devices when they fail.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Redis license change

2024-03-22 Thread Andy Smith
Hi,

On Fri, Mar 22, 2024 at 07:00:40AM +0100, Micke Nordin wrote:
> What will Debian do with regard to the Redis announcement that
> they will go proprietary[0]?

There isn't really any choice as it's no longer free software. So at
best it gets moved into non-free I suppose (it is still source
available) if anyone has the will. It seems likely that the
maintainer will not have the will to see it moved to non-free. You'd
have to ask them.

As for what if anything replaces it, it is more down to if anyone
has the will and interest to package things. I expect there'll be
some alternatives packaged, since it's a popular use case.

> Fedora seems to be moving fast to get rid of Redis[1] and maybe we
> should start thinking about this too?

It won't require much thinking. 

It's not a matter for debate whether it qualifies for the main
archive - it doesn't.

> Redict is a very new project, and a direct result of the license
> change. The KeyDB project has been around for a while and is in
> heavy use by Snapchat, but does not see a heavy investment in time
> from them, so development is quite slow.

When it comes to Debian it's more about will anyone put in the work.
There is no central authority saying, "the project needs to replace
Redis. Let us select XYZ as its replacement." — as there might be
in, say, Fedora, where FESCo would make decisions like that. Debian
doesn't work that way.

There is no barrier to both KeyDB and Redict being packaged, other
than there being maintainers to do it.

You may like to submit a Request For Packaging bug for one or both,
though again, may not get very far unless someone is already
interested in doing it.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



THAT obvious troll thread

2024-03-22 Thread Andy Smith
Slow clap for everyone who replied to THAT obvious troll thread and
quoted it for the archives. Your first day on the Internet is it?

I had already gone to the trouble of reporting it and Debian
postmasters had kindly removed the objectionable post from the web
archive, but now in your wisdom you've gone and added it back in by
replying to it. With your name attached, for the world to see.

Maybe you would like to visit:

https://lists.debian.org/debian-user/2024/03/thrd2.html

scroll to the bottom, click on the problem emails and use the report
as spam button in the top right corner and hope for the best.

Next time, please think about it.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: After installing no access to the installed system.

2024-03-18 Thread Andy Smith
Hi,

On Mon, Mar 18, 2024 at 01:40:44PM -0500, Nicholas Geovanis wrote:
> On Mon, Mar 18, 2024 at 12:48 PM Thomas Schweikle 
> wrote:
> > 1. Download debian live-CD/DVD from:
> > https://cdimage.debian.org/debian-cd/current/amd64/iso-hybrid/debian-live-12.5.0-amd64-xfce.iso
> > or
> > https://ftp.gwdg.de/debian-cd/12.5.0-live/amd64/iso-hybrid/debian-live-12.5.0-amd64-xfce.iso

[…]

> Is it possible that the hard-drive is not working correctly?
> It seems that all of those symptoms point to an un-writable hard-drive.

I think OP is actually booting the live media they installed from
and expecting it to be their installed system.

I don't know why their bootloader ends up misconfigured.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: After installing no access to the installed system.

2024-03-18 Thread Andy Smith
Hi,

On Mon, Mar 18, 2024 at 05:31:24PM +0100, Marco Moock wrote:
> Am 18.03.2024 um 16:17:55 Uhr schrieb Thomas Schweikle:
> > It seems the installer fails silently at some point, after having
> > installed all packages. Maybe it fails installing grub?
> 
> This doesn't explain the users not being set up.

Given that this is a live media, is it possible that by leaving the
disc in, the OP is in fact booting the live environment not the one
they installed? This might explain no users and "wrong" locale.

I've never used Debian live media so I am just guessing.

I think it may have installed but something is wrong with the
bootloader setup.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-03-15 Thread Andy Smith
Hi,

On Sat, Feb 24, 2024 at 10:52:17PM +, Andrew M.A. Cater wrote:
> I think the discussion might usefully stop at this point before it
> degenerates to more heat than light (as is the way of most discussions
> eventually - call it an application of mailing list entropy :) ) 

Three weeks on and some have made essentially the same statements
three times over by now.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles

2024-03-14 Thread Andy Smith
Hi,

On Thu, Mar 14, 2024 at 04:18:26PM -0600, Charles Curley wrote:
> Interesting. My logcheck instance works just fine, and makes no such
> complaints. However, my
> /etc/logcheck/logcheck.logfiles.d/syslog.logfiles has them commented
> out.

You are probably using the journald support as configured in
/etc/logcheck/logcheck.logfiles.d/journal.logfiles.

> # (If your system does not use a syslog daemon you
> # can comment these lines out)
> # /var/log/syslog
> # /var/log/auth.log
> root@issola:~# 
> 
> So you might do the same.

OP would also want to check the journal.logfiles file I mentioned
above to check that it is actually set up to read from journald.

Good to know that logcheck has patterns for matching journald logs
though.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Bookworm, fail2ban and sshd

2024-03-14 Thread Andy Smith
Hi,

On Thu, Mar 14, 2024 at 04:01:54PM -0600, Charles Curley wrote:
> I'm trying to set fail2ban up on bookworm. It refuses to run with the
> default configuration (sshd only), reporting:
> 
> Failed during configuration: Have not found any log file for sshd jail

I think you want to set "backend = journald" in
/etc/fail2ban/jail.conf or its usual local override, but I have not
tested this as I still use rsyslogd.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles

2024-03-14 Thread Andy Smith
Hi,

On Thu, Mar 14, 2024 at 11:25:52AM -0700, John Conover wrote:
> Email from logcheck(1) contains:
> 
> E: File could not be read: /var/log/syslog
> E: File could not be read: /var/log/auth.log
> 
> which do not exist in bookworm 12.5.
> 
> The offending file:
> 
> /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
> 
> contains both filenames.

You haven't asked a question so I shall attempt to read your mind
and divine that you are wishing to know why there is a logcheck file
that refers to log files that don't exist.

The reason is that as of Debian 12, a syslogd is not installed by
default and logging is handled by systemd-journald. There is a file
in the logcheck package for reading the systemd journal:

/etc/logcheck/logcheck.logfiles.d/journal.logfiles

If you intend to do that you are meant to uncomment what is in that
one and comment what is in
/etc/logcheck/logcheck.logfiles.d/syslog.logfiles.

If your intent is to have logcheck read syslog files then you first
need to install a syslogd. As others have mentioned, rsyslogd is
popular on Debian and was installed by default on previous releases.
There are others.

I don't recall what logcheck does by default as regards commenting
in these files. Probably you haven't changed anything and those
files come as you have presented here. If so then it may be worth a
bug report since logcheck does support reading from the journal yet
apparently defaults to not doing so.

Though that may be a big job as I think all the sample pattern files
for logcheck are still geared towards rsyslogd's format, not
journald's.

Myself, I still use logcheck with rsyslogd on Debian 12.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Spam from the list?

2024-03-08 Thread Andy Smith
Hello,

On Fri, Mar 08, 2024 at 02:16:07AM +, Tim Woodall wrote:
> And some dkim seems setup with the intention that it should not be used
> for mailing lists:
> 
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=dow.land;
> s=20210720;
> h=From:In-Reply-To:References:Subject:To:Message-Id:Date:
> Content-Type:Content-Transfer-Encoding:Mime-Version:Sender:Reply-To:Cc:
> Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
> Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
> List-Subscribe:List-Post:List-Owner:List-Archive;

So the thing is that the RFC for DKIM specifies a list of headers to
sign and those include ones commonly used by mailing list software
so as soon as one of those mails goes through list software, the DKIM
signatures get broken. And sadly because that is what is suggested
in the RFC, that is also the default setting of Exim in Debian.

As a result heaps of messages don't make it through mailing lists
with DKIM intact even when the list operator makes some effort to
allow it to work (e.g. avoids adding footers or subject tags, just
passes the mail through, like debian-user does).

> AFAICT, it's a problem at the originator causing failures, either
> something wrong with dkim setup or too strict set of headers.

Yes. But I think a person whose receiving system outright rejects on
DKIM failure might spend their whole lives tracking down and
contacting the operators of sending systems to educate them about
DKIM, only to be mostly met with disagreement, lack of
understanding, or silence. Which is why I argue that at present it
isn't a good idea to just reject all DKIM failures like OP's mailbox
provider appears to be doing.

That sort of setup would only be suitable for someone who doesn't
really use email, except for "transactional" mails (password
reminders, OTP, etc.) and one-way newsletters. Which admittedly is
probably the majority of users - but not OP!

> I shall be checking what this does when it gets back to me. One of the
> problems with dkim is that you assume it still works, it's hard to know
> what others actually see...

Adding DMARC and a reporting address gets you far more unwelcome
insight into what others do. 

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
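
An added example (not from the original post): a POSIX shell check that extracts the h= tag from a DKIM-Signature header and reports which signed header names a mailing list is likely to add or rewrite. The header is the one quoted in the thread; the set of "list-touched" names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: report which headers named in a
# DKIM-Signature h= tag are ones a mailing list is likely to add or rewrite.

# Assumption of this example: "list-touched" means Sender, the Resent-* fields
# and the List-* fields (RFC 2369 / RFC 2919). Names are lower-cased.
LIST_TOUCHED="sender resent-date resent-from resent-sender resent-to resent-cc \
resent-message-id list-id list-help list-unsubscribe list-subscribe list-post \
list-owner list-archive"

# Read one DKIM-Signature header (folded or not) on stdin and print the header
# names from its h= tag, lower-cased, one per line.
signed_headers() {
    { tr -d ' \t\r\n'; echo; } |      # unfold; whitespace is not significant in h=
        sed 's/^[^:=;]*://' |         # drop a leading "DKIM-Signature:" if present
        tr ';' '\n' |                 # one tag per line
        sed -n 's/^h=//p' |           # keep only the value of the h= tag
        tr ':' '\n' | tr '[:upper:]' '[:lower:]' | sed '/^$/d'
}

# Print the signed header names that list software is likely to touch.
fragile_headers() {
    signed_headers | while read -r name; do
        case " $LIST_TOUCHED " in
            *" $name "*) printf '%s\n' "$name" ;;
        esac
    done
}

# One-line summary for a signature read from stdin.
dkim_list_report() {
    sig=$(cat)
    total=$(printf '%s\n' "$sig" | signed_headers | wc -l | tr -d ' ')
    n=$(printf '%s\n' "$sig" | fragile_headers | wc -l | tr -d ' ')
    names=$(printf '%s\n' "$sig" | fragile_headers | tr '\n' ' ')
    printf '%s of %s signed headers are list-touched: %s\n' "$n" "$total" "$names"
}

# The header as quoted in the thread (it is cut off after the h= tag there).
thread_signature() {
    cat <<'EOF'
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=dow.land;
 s=20210720;
 h=From:In-Reply-To:References:Subject:To:Message-Id:Date:
 Content-Type:Content-Transfer-Encoding:Mime-Version:Sender:Reply-To:Cc:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
EOF
}

thread_signature | dkim_list_report
```

Any name the report lists is a header whose later addition or rewriting by list software invalidates the signature, so a sender who wants signatures to survive lists would drop those names from the set of signed headers.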



Re: Spam from the list?

2024-03-07 Thread Andy Smith
Hi,

On Thu, Mar 07, 2024 at 09:44:51AM +0100, Hans wrote:
> --- snip ---
> 
> Authentication-Results: mail35c50.megamailservers.eu; spf=none 
> smtp.mailfrom=lists.debian.org
> Authentication-Results: mail35c50.megamailservers.eu;
>   dkim=fail reason="signature verification failed" (2048-bit key) 
> header.d=debian.org header.i=@debian.org header.b="pDp/TPD5"
> Return-Path: 
> Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
>   by mail35c50.megamailservers.eu (8.14.9/8.13.1) with ESMTP id 
> 425I9ZEK112497
>   for ; Tue, 5 Mar 2024 18:09:37 +
> 
> --- snap ---
> 
> White mails get the dkim=pass and spam mails got dkim=fail (as you see above).

A great many legitimate emails will fail DKIM so it is not a great
idea to reject every email that does so. I don't think that you are
going to have a good time using Internet mailing lists while your
mail provider rejects mails with invalid DKIM, so if I were you I'd
work on fixing that rather than trying to get everyone involved to
correctly use DKIM.

In this specific example your problem is that a mail came through
the Debian bug tracking system (which pretends to be the original
sender) and on the way out was DKIM signed by debian.org and then
went through Debian's list servers. Somewhere in there the DKIM
signature was broken.

I don't rate your chances of getting the operators of
bugs.debian.org and lists.debian.org to agree to preserve DKIM since
I know at least some of them are severely opposed to DKIM.

Your mailbox provider really should not be rejecting everything that
has a broken DKIM signature. This email from me will probably have a
broken DKIM signature.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: electrons/the Internet doesn't like question authority niggahs?, or is it that I like to eat raw garlic, ...

2024-03-04 Thread Andy Smith
Hi,

On Mon, Mar 04, 2024 at 10:37:28AM -0600, Albretch Mueller wrote:
> spend days on end reading, coding and thinking about Math?

Please could you rephrase your entire email to only contain
coherent, direct questions at least tenuously about Debian.

If this results in an empty email, this is an indication that this
mailing list was not the correct place to send it to in the first
place.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: DNSSEC status of deb.debian.org

2024-03-03 Thread Andy Smith
Hi,

On Sun, Mar 03, 2024 at 09:39:42AM +, Andre Rodier wrote:
> I was checking the Debian domain, and noticed that it is DNSSEC compliant.
> 
> However, when I check "deb.debian.org", the DNS validation fails.

Things in the debian.org domain are responding correctly with DNSSEC
but deb.debian.org is a CNAME to debian.map.fastlydns.net, and
*that* domain doesn't (yet?) use DNSSEC.

$ delv deb.debian.org
; fully validated
deb.debian.org. 3600 IN  CNAME   debian.map.fastlydns.net.
deb.debian.org. 3600 IN  RRSIG   CNAME 8 3 3600 20240405180549 
20240225172415 59788 debian.org. 
YnRgyoBEdwn9PHKTN9pIHNp+VyY+J0hripSOOV7feEsJmgfJwwslnsTR 
pC0QTkKZQlNflC2sPGqAc5/sKSHHGkHdKYemVCH7IcDTKOZ6wilVUlvT 
zumWhTZDk+ntLoptwmDblI6emnj8z8wimiFuyGv3+bU16RbdzdFvMdQI 
Ys9Ldyz6eQSMMyD58OwpiwDxFWjns92iUb05VB+yLeVeFwQ9uvJW1lZa 
oASmDhoyNijntU9UjA6h/Bzx6ZJvLHlE

; unsigned answer
debian.map.fastlydns.net. 30 IN  A   146.75.74.132

> After checking the status using Verisign
> (https://dnssec-debugger.verisignlabs.com/deb.debian.org), I understand
> Debian is using a CDN (Content Delivery Network).
> 
> Is there a stable domain we can use that doesn't rely on a CDN, please ?

I am left to wonder what problem(s) you are trying to avoid by "not
relying on a CDN", but you can just use a different mirror.

But note that Debian mirrors are operated by many diverse
organisations and individuals, most of which probably aren't Debian
developers. Debian itself has no legal entity; SPI, inc only deals
with some financial matters, so trying to form a notion of any kind
of legislative or administrative control structure is difficult.

Or to put it another way, if it bothers you that responsibility for
operation of a mirror passes outside of the people who control the
debian.org zone, I have bad news for you.

For example, if you chose ftp.uk.debian.org…

$ delv ftp.uk.debian.org
; fully validated
ftp.uk.debian.org.  300 IN  CNAME   debian.hands.com.
ftp.uk.debian.org.  300 IN  RRSIG   CNAME 8 4 300 20240401002934 
20240220235036 59788 debian.org. 
Pu+9FflqjMDfCjNxUoQy32dA5X3atU92LH3hozdZcDk3ZZwtyqcAoA6x 
IZSLZEzJvXa6+gTd3P0pOib+rIoypUYz47OulgYTWqQdLILtV3cRMVxU 
hf+z5xOYmOzzwSKAuI7iho4PNCmChccyfFdc3p4nKtciQmyWYbUeNJRu 
s83Ki0YEdvgMP+74HCwH6BNUEFhCuYFeDc+XWTzwg55EDSAmyMdXU9rl 
BRfpyCg4VU0NeJMFGci5sxKooAwbstvs

; unsigned answer
debian.hands.com.   14030   IN  A   78.129.164.123

…you again end up at something that doesn't use DNSSEC. It isn't a
CDN though, so maybe you like it more (?).

I haven't gone through all of the mirrors to see if there are any
ones that use DNSSEC. I wouldn't be surprised if there were some,
but again, I don't know what your threat model is so I'm not
suggesting this matters.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
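
An added example (not from the original post): a POSIX shell summary of delv output that labels each RRset in a CNAME chain as validated or unsigned and names the first hop that leaves DNSSEC-signed territory. The sample input is constructed from the output shown in the message, with the RRSIG signature data replaced by a placeholder; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise delv output per RRset so the
# point where a CNAME chain stops being DNSSEC-validated is explicit.

# Read delv output on stdin; print "STATUS OWNER TYPE RDATA" for each answer
# record. STATUS comes from the "; ..." comment delv prints before each RRset.
delv_rrsets() {
    awk '
        BEGIN { status = "unknown" }
        /^;/ {
            if ($0 ~ /fully validated/)      status = "validated"
            else if ($0 ~ /unsigned answer/) status = "unsigned"
            else                             status = "other"
            next
        }
        # Fields: owner ttl class type rdata. RRSIG rows are the signatures
        # themselves, not answers, so they are left out of the summary.
        NF >= 5 && $3 == "IN" && $4 != "RRSIG" { print status, $1, $4, $5 }
    '
}

# Print the owner name of the first record that was not validated, if any.
first_unvalidated() {
    delv_rrsets | awk '$1 != "validated" { print $2; exit }'
}

# Succeed only if there is at least one record and every record was validated.
chain_validated() {
    out=$(delv_rrsets)
    [ -n "$out" ] || return 1
    case $(printf '%s\n' "$out" | cut -d' ' -f1 | sort -u) in
        validated) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the deb.debian.org answer from the message above, with
# the RRSIG signature data replaced by a placeholder.
sample_delv() {
    cat <<'EOF'
; fully validated
deb.debian.org.  3600  IN  CNAME  debian.map.fastlydns.net.
deb.debian.org.  3600  IN  RRSIG  CNAME 8 3 3600 20240405180549 20240225172415 59788 debian.org. <signature-elided>

; unsigned answer
debian.map.fastlydns.net.  30  IN  A  146.75.74.132
EOF
}

sample_delv | delv_rrsets
if ! sample_delv | chain_validated; then
    echo "chain leaves signed space at: $(sample_delv | first_unvalidated)"
fi
```

On a live system the same functions take real output, for example `delv ftp.uk.debian.org | delv_rrsets`.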



Re: {OT] Mailing lists etc for postmasters

2024-03-01 Thread Andy Smith
Hi,

On Fri, Mar 01, 2024 at 11:00:13AM +, Gareth Evans wrote:
> https://support.google.com/a/answer/81126?hl=en#requirements-5k=%2Crequirements-for-sending-or-more-messages-per-day%2Crequirements-for-all-senders
> 
> mentions DMARC in requirements for all senders:
> 
> "Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC 
> quarantine enforcement policy, and impersonating Gmail From: headers might 
> impact your email delivery."

Talks about gmail's own use of DMARC, not the sender's.

> Can a "DMARC quarantine enforcement policy" operate, if the sender
> doesn't use DMARC?  This idea seems to relate more to SPF than
> anything?

gmail's own policy is quarantine so if you send from somewhere that
isn't gmail, while pretending to be from a gmail property, gmail
indicates that it wishes¹ for your email to be quarantined by the
recipient.

Thanks,
Andy

¹ Even receiving sites that process DMARC sometimes don't carry out
  the DMARC author's wishes. As a common example that most of us
  will have seen, Mailman mailing lists will often just selectively
  rewrite the headers.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: {OT] Mailing lists etc for postmasters

2024-03-01 Thread Andy Smith
Hi,

On Fri, Mar 01, 2024 at 01:42:07AM +, Gareth Evans wrote:
> I have somehow only just discovered that Gmail, Apple and Yahoo
> are introducing, or have recently introduced, DMARC requirements
> for senders.

Just for the record, the Authentication part of DMARC is done with
SPF and/or DKIM; the large mailbox providers actually (since 1 Feb)
require *either* SPF *or* DKIM passes, or both if you are a bulk
sender (thousands of mails per day).

DMARC itself remains optional (but recommended) and once taken
separately from SPF and DKIM is mainly a reporting mechanism.

> I am subscribed to mailop (though don't read it as often as I
> should!) but from a mail search there doesn't seem to have been
> anything there about this recently.

This has been discussed at length on mailop since well back in 2023.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: where are the crontab files in Trixie?

2024-02-28 Thread Andy Smith
Hi,

On Wed, Feb 28, 2024 at 04:47:59PM +0100, Kamil Jońca wrote:
> Andy Smith  writes:
> > Once you enable lingering for a user, that user's timers will
> > trigger all the time.
> 
> IIRC lingered user cannot be "normal" with session and so on. Am I
> wrong? 

How do you mean? On several machines I have linger enabled for my
main user, and timers run when I am not logged in.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: where are the crontab files in Trixie?

2024-02-28 Thread Andy Smith
Hi,

On Wed, Feb 28, 2024 at 05:49:58AM +0100, Kamil Jońca wrote:
> With cron, regular user can set up his/her jobs without using admin
> credentials, and these jobs will be triggered regardless of being logged
> in. Is it possible with systemd timers?

Once you enable lingering for a user, that user's timers will
trigger all the time.

https://wiki.archlinux.org/title/Systemd/User#Automatic_start-up_of_systemd_user_instances

I haven't yet found anything that I could do with cron that I can't
do with systemd timers, though sometimes the behaviour of cron where
it emails you the output (if any) is very convenient and is tricky
(but not impossible) to replicate with systemd timers.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: where are the crontab files in Trixie?

2024-02-28 Thread Andy Smith
Hello,

On Tue, Feb 27, 2024 at 02:58:13PM -0500, Greg Wooledge wrote:
> I don't foresee real cron going away any time soon.

If you today install bookworm base system and select no packages,
the only reason why you get cron is because logrotate depends upon
it. If you do not need logrotate then you can also remove cron, and
nothing complains.

It seems likely that at some point logrotate will become optional
(because of journald) or that logrotate will get a systemd timer, at
which point cron wouldn't be installed on a base install unless
there is some other package dependency.

On this list we already saw a post from someone who did not have
cron installed. Initially I thought that was a rather bold
modification by their hosting provider, but it turned out that they
really did have no package that depended upon cron.

So as far as Debian is concerned I do see it as fairly inevitable
that cron soon doesn't get installed on many systems and
increasingly becomes a curiosity, but since it will have to stick
around until the last package stops shipping (only) a cron job,
arguably it still remains in the archive for a very long time yet.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: SOLVED Re: Disk corruption and performance issue.

2024-02-26 Thread Andy Smith
Hi,

On Mon, Feb 26, 2024 at 06:25:53PM +, Tim Woodall wrote:
> Feb 17 17:01:49 xen17 vmunix: [3.802581] ata1.00: disabling queued TRIM support
> Feb 17 17:01:49 xen17 vmunix: [3.805074] ata1.00: disabling queued TRIM support
> 
> 
> from libata-core.c
> 
>  { "Samsung SSD 870*",  NULL, ATA_HORKAGE_NO_NCQ_TRIM |
>   ATA_HORKAGE_ZERO_AFTER_TRIM |
>   ATA_HORKAGE_NO_NCQ_ON_ATI },
> 
> This fixed the disk corruption errors at the cost of dramatically
> reducing performance. (I'm not sure why because manual fstrim didn't
> improve things)

That's interesting. I have quite a few of these drives and haven't
noticed any problems. What kernel version introduced the above
workarounds?

$ sudo lsblk -do NAME,MODEL
NAME MODEL
sda  SAMSUNG_MZ7KM1T9HAJM-5
sdb  SAMSUNG_MZ7KM1T9HAJM-5
sdc  Samsung_SSD_870_EVO_4TB
sdd  Samsung_SSD_870_EVO_4TB
sde  ST4000LM016-1N2170
sdf  ST4000LM016-1N2170
sdg  SuperMicro_SSD
sdh  SuperMicro_SSD

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: medically smart watches

2024-02-26 Thread Andy Smith
Hi,

On Mon, Feb 26, 2024 at 12:24:34PM +0100, hw wrote:
> How does the watch you got measure blood sugar?  Doesn't that require
> a blood sample?

Some of them claim to extrapolate it from sweat, others claim to be
able to estimate it from shining near-infrared at the blood vessels
that are near the surface. Neither method has yet proven to be
accurate, which is why they aren't certified as a medical device in
UK.

You can learn all about it by searching "non-invasive blood glucose
monitoring"

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: debian installer network console

2024-02-24 Thread Andy Smith
Hi Matt,

On Sat, Feb 24, 2024 at 05:40:31PM -0600, Matt Zagrabelny wrote:
> Does anyone know how to switch to a different virtual console (tty) over a
> network console on a debian install?

I haven't tested this but when doing an install over serial console,
the installer runs in GNU Screen so it is possible to switch to the
different terminal by the usual Screen key combinations, e.g. ctrl-a
then space. This was not obvious to me for many years.

Perhaps it is the same on the network console?

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



I think we can't disappear ifenslave documentation just yet (Was Re: Inclusive terminology (instead of master/slave) for network bonding/LACP)

2024-02-24 Thread Andy Smith
Hello,

On Sat, Feb 24, 2024 at 10:52:17PM +, Andrew M.A. Cater wrote:
> If anyone wants to remove the references to ifenslave and
> substitute others, that's entirely fine.

I really don't think in this specific case it would be a good idea
to remove all mention of ifenslave because:

- The current Ethernet bonding support in ifupdown requires
  ifenslave. If you don't install ifenslave, you can't set up a bond
  interface from /etc/network/interfaces except by avoiding the
  actual syntax there for that purpose and doing it with direct
  commands executed by *-up/down hooks.

- Even if it was possible, the vast majority of people using bonded
  Ethernets have it done with ifenslave, so it needs at least a
  mention in order that people can understand what they already have.

- ifenslave is a tiny part of the issue. It's fundamental to the
  bonding driver and the same terminology will be seen in its
  configuration and in its status output in /proc/net/bonding, e.g.:

$ cat /proc/net/bonding/bond0 
Ethernet Channel Bonding Driver: v5.10.0-0.deb10.16-amd64

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Peer Notification Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 00:25:90:5c:f7:ea
Slave queue ID: 0

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 00:25:90:5c:f7:eb
Slave queue ID: 0

As I've already mentioned though, if anyone finds time to
investigate the teaming driver then it would be really nice to see a
wiki article on that and perhaps a link to that from the existing
one on bonded Ethernets.

So in summary, I don't think ifenslave can actually be purged from
history, but some useful steps could possibly be taken towards its
deprecation - first involving actually documenting the new thing.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
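
An added example, not part of the original post: a small health check of the kind that depends on this plain-text status format, run here against the output quoted in the message above. The function names and the degraded sample are constructed for illustration.

```shell
#!/bin/sh
# bond_check [FILE]: summarise the status text the bonding driver exposes
# under /proc/net/bonding/ and return non-zero when the bond looks degraded.
# With no FILE it reads standard input.
bond_check() {
    awk -F': ' '
        BEGIN { active = "n/a"; bond_mii = "unknown" }
        /^Bonding Mode:/           { mode = $2; next }
        # Only checked when the line is present in the status text.
        /^Currently Active Slave:/ { active = $2; next }
        # A "Slave Interface" line opens a per-member section; fields
        # seen before the first one describe the bond itself.
        /^Slave Interface:/ {
            cur = $2; names[++n] = cur
            mii[cur] = "unknown"; fails[cur] = "?"
            next
        }
        /^MII Status:/         { if (cur == "") bond_mii = $2; else mii[cur] = $2; next }
        /^Link Failure Count:/ { if (cur != "") fails[cur] = $2; next }
        END {
            printf "mode=%s active=%s bond=%s\n", mode, active, bond_mii
            bad = (bond_mii != "up" || n == 0 || active == "None")
            for (i = 1; i <= n; i++) {
                m = names[i]
                printf "member=%s mii=%s failures=%s\n", m, mii[m], fails[m]
                if (mii[m] != "up") bad = 1
            }
            exit bad
        }
    ' "$@"
}

# Status text as quoted in the message above (both links up).
sample_healthy() {
    cat <<'EOF'
Ethernet Channel Bonding Driver: v5.10.0-0.deb10.16-amd64

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Peer Notification Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 00:25:90:5c:f7:ea
Slave queue ID: 0

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 1
Permanent HW addr: 00:25:90:5c:f7:eb
Slave queue ID: 0
EOF
}

# Constructed variant: the same text with the eth0 link marked down.
sample_degraded() {
    sample_healthy |
        sed '/^Slave Interface: eth0/,/^Slave queue ID/ s/^MII Status: up/MII Status: down/'
}

sample_healthy | bond_check
sample_degraded | bond_check || echo "bond degraded"
```

On a live system the call would be `bond_check /proc/net/bonding/bond0`. Every pattern is anchored to the driver's literal field names, which is why renaming them in place would break checks like this one.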



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-24 Thread Andy Smith
Hi,

On Sun, Feb 25, 2024 at 09:17:15AM +1100, Zenaan Harkness wrote:
> On 2/24/24, Andy Smith  wrote:
> > On Sat, Feb 24, 2024 at 01:35:14PM +1100, Zenaan Harkness wrote:
> >> I wrote:
> >> > You seem by now to have ignored multiple messages where it was made
> >> > clear that the work was already done.
> >>
> >> Assuming we care about the most rapid healing possible for those who
> >> are actually triggered by certain words in one or another language,
> >> there is a valid position to consider that is to increase, not
> >> decrease, exposure to and therefore the broader usage of, triggering
> >> words.
> >>
> >> If we care about healing wounds, we ought not remove the catalysts to
> >> that healing.
> >
> > I did wonder how long it would take for someone to go from, "it's
> > terrible that you activists are MAKING someone do this POINTLESS
> > non-technical work!" to "no one should use this thing someone did in
> > their own free time because it's bad, actually, for non-technical
> > reasons!"
> 
> Except "no one should use this thing someone did in their own free
> time because it's bad, actually, for non-technical reasons!" is not
> what I said.

Oh, okay. So what is it exactly about what the developers of the
teaming driver have done with regard to not using so-called
"non-inclusive terminology" that you consider to have been a
mistake?

I thought that was the exact topic of conversation here, and the
above was you saying that it shouldn't be removed but should in fact
be left there as some sort of "shock treatment" but apparently I
have misunderstood you.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Postel's Law (Was Re: Inclusive terminology (instead of master/slave) for network bonding/LACP)

2024-02-24 Thread Andy Smith
Hi,

On Sat, Feb 24, 2024 at 04:54:12PM +, Alain D D Williams wrote:
> I sometimes think that something similar to Postel's Law but applied to human
> interactions would be useful. However that is wishful thinking

The basic assumption that people mean well is how con artists and
high pressure sales tactics have operated since the dawn of
communication ("Oh, you can't afford the vacuum cleaner? I really
shouldn't, but let me just call my boss because I really want to
help you…").

Although at least with con artists there is the other thing of
"can't con an honest John".

I'm not saying DON'T give people the benefit of the doubt, but just
always be aware that when you do there will be people who take
advantage of that.

Turning back more to protocol design, we have spent decades walking
back Postel's Law as we find more and more ways that being liberal
in what our software accepts is untenable in the face of a hostile
Internet.


Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: medically smart watches

2024-02-24 Thread Andy Smith
Hi,

On Sat, Feb 24, 2024 at 10:03:16AM -0500, gene heskett wrote:
> As most of you know I'm a DM-II, but the recent shortage of trulicity, a
> weekly self administered shot that helps regulate one's blood glucose levels
> has got us scrambling for alternatives.  So a month back I bought one of the
> so called smart watches that purports to monitor blood sugar.

I'm having some difficulty translating your words and acronyms but I
think I got the gist that you're type II diabetic and have bought a
watch for glucose monitoring?

I'm also a type II diabetic and am interested in glucose monitoring
but everything I have read about the watches says they are terribly
inaccurate for this. I can't even buy one here in UK because it
would be classed as a medical device, that cannot show it works for
its intended purpose; these things are therefore only available for
grey import.

So I wouldn't bother and I don't intend to help someone do such an
unwise thing even if I had the faintest idea how you would bypass
the phone pairing needs of some random IoT garbage.

As an aside, not even the 2 week sensors that impale your upper arm
and stay affixed are accurate for me, though I know they are for
most as they actually are approved. So it's daily finger prick for
me for the foreseeable.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Andy Smith
Hi,

On Sat, Feb 24, 2024 at 01:35:14PM +1100, Zenaan Harkness wrote:
> I wrote:
> > You seem by now to have ignored multiple messages where it was made
> > clear that the work was already done.
> 
> Assuming we care about the most rapid healing possible for those who
> are actually triggered by certain words in one or another language,
> there is a valid position to consider that is to increase, not
> decrease, exposure to and therefore the broader usage of, triggering
> words.
> 
> If we care about healing wounds, we ought not remove the catalysts to
> that healing.

I did wonder how long it would take for someone to go from, "it's
terrible that you activists are MAKING someone do this POINTLESS
non-technical work!" to "no one should use this thing someone did in
their own free time because it's bad, actually, for non-technical
reasons!"

Meanwhile I'd just appreciate hearing from actual users of it, since
I might be one, one day.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Andy Smith
Hi,

On Fri, Feb 23, 2024 at 09:26:09PM +0100, Ralph Aichinger wrote:
> in my /etc/interfaces there is now:
> 
> auto bond0
> iface bond0 inet static
> address 10.0.16.2/24
> bond-slaves en0 en1
> bond-mode 4
> bond-miimon 100
> bond-downdelay 200
> bond-updelay 200
> bond-lacp-rate 1
> bond-xmit-hash-policy layer3+4
> 
> which seems to work (I could not test throughput yet, because
> I am waiting for cables).
> 
> If I do this, does "ifupdown" use "ifenslave" or does it
> use "ip link set" as described here:

Last time I looked was in Debian 10 (buster) and there it does still
call ifenslave. ifupdown won't be able to bring up bond0 if
ifenslave isn't present on the system. You can verify it with "ifup
-v bond0" to see what commands it uses (assuming your networking was
down to start with, so that this would work).

> Also, above still(?) contains "bond-slaves en0 en1" so if this is
> a new implementation, is there still some terminology change to be
> expected? Or can I replace bond-slaves with something else in the
> current Debian bookworm?

What you describe is still the bonding driver, just without the use
of the "ifenslave" command. The very first reply to you in this
thread was from me pointing you at the teaming driver.

…which I have never used nor yet tried to use. But it *is* meant to
replace/succeed the bonding driver.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Andy Smith
Hello,

On Fri, Feb 23, 2024 at 06:14:02PM +0100, Mariusz Gronczewski wrote:
> On 2024-02-23, at 14:50:12
> fxkl4...@protonmail.com wrote:
> > too many people have nothing constructive to do
> > so they spend their days stirring the pile
> > idle hands and all that
> 
> Yeah like asking other people to do changes because they want to be
> activists on internet but can't bother to put effort to do anything
> that actually helps anyone.

You seem by now to have ignored multiple messages where it was made
clear that the work was already done.

One more time: a successor to the Ethernet bonding driver already
exists and has for more than 10 years. In a time before some people
decided to get very worked up about inclusive language, it just
happens to avoid the terminology we're talking about.

Again, all I see are people getting very upset, accusing others of
being "woke" and "activists", but somehow they are the ones making
all the noise.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Andy Smith
Hi,

On Thu, Feb 22, 2024 at 11:19:16AM +0100, Ralph Aichinger wrote:
> I know this is a loaded topic. I really don't want to discuss the
> political aspects of the "why",

No surprise that there are a lot of people in this thread with very
strong feelings that they simply must tell us about, even though you
asked them not to, and very little to say on the actual technical
facts they claim to care about. 

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Andy Smith
Hi,

On Fri, Feb 23, 2024 at 10:33:08AM +0100, Mariusz Gronczewski wrote:
> It would *literally* break every single script that checks the status
> of bonding config in system, as it is all just plain text.

Unless a different driver was made instead. Which is what actually
happened.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Andy Smith
Hi,

On Fri, Feb 23, 2024 at 12:14:10PM +0100, Mariusz Gronczewski wrote:
> On 2024-02-23, at 11:25:25
> Roger Price  wrote:
> > On Fri, 23 Feb 2024, Marco Moock wrote:
> > > The only package I am aware of that changed some terms is sendmail.
> > >  
> > 
> > With the publication of RFC 9271 "UPS Management Protocol", the nut
> > packages (Network UPS Tools) did a vocabulary cleanup

[…]

> Did you look up what actually changed and think about implications
> vs changing kernel interfaces or did you just google for random tidbit
> of which project did waste time on that ?

Roger is responding to a statement of there being no other, with the
info that there is at least one other.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Meeting with the Development Team

2024-02-22 Thread Andy Smith
Hi,

On Thu, Feb 22, 2024 at 08:40:32AM +, Ray Galt wrote:
> I would like to reach out to the decision-maker in the IT
> environment within your company.

I will be surprised if Ray is subscribed and reading this as Ray's
message was basically spam (a cold contact with very little research
behind it).

It may be worth generally noting that the Debian project is not a
company and cannot buy any services itself. Other legal entities
such as SPI inc enter into contracts on behalf of Debian where
necessary.

And of course, Debian is probably pretty comfortable managing its
own IT functions and anyone who has any ideas about how they can be
improved will be expected to join in — as a volunteer — not pitch a
commercial solution.

> May I present what we can do for you?

Ask not what Debian can buy from you, Ray, but what you can freely
contribute to Debian. 

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-22 Thread Andy Smith
Hi,

On Thu, Feb 22, 2024 at 11:19:16AM +0100, Ralph Aichinger wrote:
> I know this is a loaded topic. I really don't want to discuss the
> political aspects of the "why", but just want to know the facts, i.e.
> how far this has been progressed in Debian.

As Debian is not itself upstream for most of the software it
distributes, it is going to rely on upstream projects to make these
changes. I am not aware of any coordinated effort in Debian to find
instances of this terminology and propose changes upstream.

That sort of project-wide consensus is hard to achieve in Debian
(even on non-controversial topics) so I wouldn't be surprised if
Debian Developers who are interested in this would not get further
by just proposing the changes to upstream projects themselves as
individuals.

So then, if you spot such terminology in use somewhere there is
nothing stopping you from having a look at their issue tracker to
see if there is already an issue in place about that and possibly
propose changes yourself.

> Is there anything planned to get "master/slave" terminology out of
> network bonding/LACP in Debian (or Linux kernel or whoever decides
> this terminology)?

The Ethernet bonding driver is a kernel module. It is quite old
(decades) and hasn't seen much development recently, I think because
it is generally considered complete.

There has been a replacement/successor for the Ethernet bonding
driver for some time — the teaming driver — which does away with the
older terminology as well as providing a few other improvements:

https://libteam.org/

However I must confess that despite having bonded Ethernets on all
my works servers (with ifenslave for userland control) I personally
have never spent the time to convert to libteam and I rarely see
other examples of people having done so.

I think possibly a reason for this is that the Ethernet bonding
driver was considered complete a long time ago and the purely
technical improvements of the teaming driver are quite small or
niche, so few people see the need to change. I have used the bonding
driver since before the teaming driver existed, so there's been some
inertia against me learning a new thing.

It would be good to see more use and examples for libteam to help
people like me¹ feel more confident in switching.

If you proceed with it, how about making a page on the Debian
wiki?

Thanks,
Andy

¹ Although in my specific case we are actually in the middle of
  switching to a BGP architecture where each server BGP peers and
  all traffic is routed at layer 3, not switched at layer 2. Each
  server's individual Ethernet interfaces are being broken out and
  bonding will not be used at all any more. The redundancy of
  network will come from BGP.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Determining which file is at a given LBA offset; was: HDD error: Current_Pending_Sector

2024-02-21 Thread Andy Smith
Hi,

On Tue, Feb 20, 2024 at 07:53:38PM -0500, Default User wrote:
> Note: It occurs to me that another idea would be to simply delete all
> files from the "bad" drive, then rsync everything fresh from the "good"
> drive back onto the "bad" drive.  

You can do it in one step with rsync --delete … which will delete
anything that doesn't exist on the source.

> IIUC, that would then cause the "bad" sector to be retired, and replaced
> by a "good" sector. 

Yes, a lot of the time a new write is successful and when it's not
it will be remapped. As long as the remapped sector count doesn't
keep going up I'd be fairly comfortable in continuing to use the
drive (assuming backups exist) a while longer.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Timer doing apt update

2024-02-20 Thread Andy Smith
Hello,

On Tue, Feb 20, 2024 at 07:44:55AM -0500, Greg Wooledge wrote:
>This thing has no configuration file by default; you have to read the
>comments in the software itself to figure out what it does.

Or, say, the Debian Administrator's Handbook.

https://www.debian.org/doc/manuals/debian-handbook/sect.regular-upgrades.en.html

The configuration options are also described in the man page for
apt.conf.

https://manpages.debian.org/bookworm/apt/apt.conf.5.en.html#PERIODIC_AND_ARCHIVES_OPTIONS

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Timer doing apt update

2024-02-20 Thread Andy Smith
Hi,

On Tue, Feb 20, 2024 at 08:52:09AM +0100, Erwan David wrote:
> I use KDE, and I do not know whether discover does an update by itself. I do
> not find any setting about this

I think it is very likely that KDE has an equivalent to GNOME, which
does the equivalent of "apt update" every day and then notifies you
about available package upgrades.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Timer doing apt update

2024-02-20 Thread Andy Smith
Hi,

On Tue, Feb 20, 2024 at 10:17:17AM +0100, Michael wrote:
> i very much dislike the fact that my systems do things i am not aware of.

I think one of the purposes of a Linux distribution is to pull
together a collection of disparate software of their choosing and
make default decisions for their users.

I find it hard to believe that you bother to delve into the
behaviour of your system in most other ways, but suddenly you've
become aware of a systemd timer and now it's a problem for you. None
of this is hidden. You've been able to read this script and work out
how it works.

Do you also build your own kernels so you can personally sign off on
every kernel config choice, or do you trust the Debian kernel team's
ideas about what should be built in, modularised or not available at
all?

For me it's a problem when things can't be customised. I expect
default choices to be made but I don't expect to agree with 100% of
them. That's OK.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Timer doing apt update

2024-02-19 Thread Andy Smith
Hi,

On Mon, Feb 19, 2024 at 10:21:24PM -0500, Greg Wooledge wrote:
> Does anyone know when these things changed, and why on earth nobody
> knew about it?!  Did I miss a section in the release notes or something?

Why are you shocked by this? Most of it is disabled by default (no
update / upgrade / unattended-upgrade). You have to set things like
APT::Periodic::Update-Package-Lists to 1.

It's been there since Debian 9 (stretch) IIRC.

The handbook has stuff about it.

https://debian-handbook.info/browse/stable/sect.regular-upgrades.html

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: red SATA cables "notoriously bad"?

2024-02-19 Thread Andy Smith
Hi,

On Mon, Feb 19, 2024 at 10:06:23PM -0500, gene heskett wrote:
> Andy, look at that CET after my name in the sig, that stands for Certified
> Electronics Technician.

There isn't a polite way to say this really but unfortunately I am
unable to take you seriously as you've posted so many outright
incorrect assertions to this mailing list in the past.

I can list off my qualifications and experience and still be told
pretty often that I don't know what I am talking about, and sometimes
I probably don't, so let's leave it at that.

Regards,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: red SATA cables "notoriously bad"?

2024-02-19 Thread Andy Smith
Hello,

On Mon, Feb 19, 2024 at 08:16:49PM -0500, Felix Miata wrote:
> > I've never heard of this. I did a bit of searching around and all I
> > can find is assertions that cable colour doesn't matter for SATA. I
> > can't seem to find anything about red pigment damaging the copper.
> > Have you got a reference so I can learn more?
> 
> Don't you ever read Gene Heskett posts?

Ah I see:

https://lists.debian.org/debian-user/2023/06/msg00103.html

Stefan: Can you point to any evidence?

Gene: Just my own life [segue to story from 1970]

The usual story.

Yeah I skipped that thread the first time around owing to its
subject line containing "urban legends".

> consider searching this very list's archives.

Moments of my life I will never get back, and no more authoritative
sources unfortunately!

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Timer doing apt update

2024-02-19 Thread Andy Smith
Hi,

On Mon, Feb 19, 2024 at 08:35:18PM +0100, Erwan David wrote:
> Sorry it was packagekit, I made a mistake while writing.

If it's packagekit then isn't it going to be some part of your
desktop environment? Which desktop environment are you using?

GNOME will download updates and prompt you to install. To disable this open
"GNOME software", burger menu, "Update Preferences".

The default behaviour of GNOME Software is to only download upgrades when on an
unmetered connection so if you are using GNOME and this is what is happening,
then as Max says telling NetworkManager that your connection is metered should
stop it.

> I disable the timers, thanks

I don't think it's any of the systemd timers or unattended-upgrades.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



red SATA cables "notoriously bad"? (Was Re: Orphaned Inode Problem)

2024-02-19 Thread Andy Smith
Hi,

On Mon, Feb 19, 2024 at 04:12:44PM -0300, Eike Lantzsch ZP5CGE / KY4PZ wrote:
> The notorious red SATA cables - I threw them out long ago. The red
> pigment eats up the fine copper threads, changing the impedance of the
> cable and eventually making false contact before failing completely.

I've never heard of this. I did a bit of searching around and all I
can find is assertions that cable colour doesn't matter for SATA. I
can't seem to find anything about red pigment damaging the copper.
Have you got a reference so I can learn more?

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Timeshift / Back In Time - How do they work

2024-02-18 Thread Andy Smith
Hi,

On Mon, Feb 19, 2024 at 10:52:16AM +1100, Keith Bainbridge wrote:
> I said sometime in this thread that timeshift (and Back in Time) use hard
> links to create progressive copies of the system. The more I think about how
> hard links reportedly work, I reckon it can't be simply hard links.

I can tell you how hardlinks work but I can't tell you how
Timeshift or Back In Time work as I have never used them. So you
might want to alter your subject line, because your email goes on
only to ask how these solutions work.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: f3tools vs Silicon Power 4T drive

2024-02-17 Thread Andy Smith
Hi,

On Sat, Feb 17, 2024 at 12:46:25AM -0500, gene heskett wrote:

[38 lines of irrelevance snipped out of a 71 line email]

> I've printed drawers to fill those slots.  The top slot has a bpi-m5 in it,
> the bottom slot has a 5 volt 10 amp psu in it. slot 2 will have 2 of those
> nearly 4T SSD's in a 2 drive adapter, with full disk partitions on them, so
> obviously I should name the top one as "si-pwr-s2t". the bottom one then s/b
> si-pwr-s2b
> slot-3 then s/b si-pwr-s3t and si-pwr-s3b.
> slot-4 then is giga-s4t1 and giga-s4t2. ditto for the bottom one. named
> giga-s4b1 and giga-s4b2.  1 partition to hold amanda's database and one to
> serve as amanda's holding disk.
> 
> What's so meaningless to you that you can't see the utility in that?

I've got no issue with putting a drive identifier on the physical
caddy/drawer that holds that drive. I do it myself. You have not
ever before in this thread mentioned this, so neither I nor anyone
else has objected to it.

What I question the value of, is putting a drive identifier into a
partlabel when the id of the partition will contain all of the same
information.

I have also asked you several times what it is you intend to do
with that information in the context of a RAID array or LVM LV and
you haven't yet been able to tell me. The closest you have come so
far is saying, "I want to identify a drive when the array has
problems". As you don't specify what those problems might be, all I
am able to say to that is that you can either find the problem
device from your logs or by listing the devices in the array/LV, and
from there map to exact model and serial number from what's in the
/dev/disk/by-id/.

Now, I understand that you have multiple drives that have the same
model and serial number. I accept that if you're going to use
multiple of these in the same machine then that makes using by-id/
impossible. I've advised that I would never use multiple of these in
the same machine because they are broken and will likely cause other
problems further down the line.

So if you want to say: despite the duplicate serial number issue I
am determined to use multiple of these drives, so by-id/ is useless
to me and I will instead replicate that info in partlabels and use
/dev/disk/by-partlabel/, then okay! I don't agree with that course
of action, but it is at least a cogent argument. So say if that's
the case and we can just move on.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: f3tools vs Silicon Power 4T drive

2024-02-16 Thread Andy Smith
Hello,

On Fri, Feb 16, 2024 at 03:46:54PM -0500, Stefan Monnier wrote:
> FWIW, my crystal ball says "30s => software timeout rather than hardware
> problem"

Back in a previous thread Gene was saying that it's only evident
when some GUI app brings up a file requester to load or save
something so that was my thought too. In particular that it might be
doing some kind of failed network activity looking for network
shares or something.

The thing is, we've also seen Gene's computers with strange things
like syntax errors in /etc/nsswitch.conf and /etc/hosts, avahi bits
manually rm'd, resolv.conf whacked with chattr +i and so on, so
it's also no surprise to me that this is difficult to debug.

David's suggestion of starting with a minimal install might be the
only way to do it.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: f3tools vs Silicon Power 4T drive

2024-02-16 Thread Andy Smith
Hello,

On Fri, Feb 16, 2024 at 02:02:59PM -0600, David Wright wrote:
> On Fri 16 Feb 2024 at 14:48:12 (+), Andy Smith wrote:
> > No, because it's a filesystem label for the ext4 fs created on
> > /dev/sdz1. If sdz1 is turned into an LVM Physical Volume, there
> > won't be an ext4 filesystem on it any more. If sdz1 is turned into a
> > member of an MD array, there won't be an ext4 filesystem on it any
> > more. The labels go with the filesystem.
> 
> It isn't a filesystem LABEL.

Oh dear, I am lost. I don't use gparted but at least one person in
this thread has said that Gene created a filesystem label not a
partition name, and Gene doesn't know which he created, so I've gone
from guessing partition name to fs label and now back to partition
name again.

I'm totally willing to believe that you know what you've created
there though, so fair enough.

> > You've not yet been clear about what you want, but from what little
> > information you have provided you've been told multiple times by
> > multiple people that filesystem labels won't help.
>↑
> 
> … which would be moot if only Gene could create partition PARTLABELs
> successfully.

Sure, but we still don't know what Gene is trying to do or why
partition names would be useful to him so I am kind of sceptical
that this leads anywhere.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: f3tools vs Silicon Power 4T drive

2024-02-16 Thread Andy Smith
Hi,

On Thu, Feb 15, 2024 at 08:44:26PM -0500, gene heskett wrote:
> On 2/15/24 15:45, Andy Smith wrote:
> > MD RAID isn't the only way to achieve redundancy. You also haven't
> > explained why you need LVM. Depending on your needs, maybe a
> > filesystem with redundancy and volume management features in it
> > would be better. Like btrfs or zfs.
> Maybe I misunderstood the wiki, xfs is stated as not being complete for
> linux, and zfs is I think commercial?
> Can you update that?

I'd rather not try to explain XFS and ZFS to you when it's not even
clear what you're trying to achieve. In all likelihood you will not
need to use either XFS or ZFS.

Also we can't correct a wiki article without knowing what it is…

> the gui access delay (30+ seconds) problems I have did NOT go away
> when I moved /home off the raid to another SSD

More evidence that those problems had nothing to do with RAID or the
storage devices you used in your RAID, but is something broken in
your desktop software setup. Unfortunately I have no idea how to
debug that.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: f3tools vs Silicon Power 4T drive

2024-02-16 Thread Andy Smith
Hi,

On Fri, Feb 16, 2024 at 01:32:26AM -0500, gene heskett wrote:
> On 2/15/24 16:20, David Wright wrote:
> ># gdisk -l /dev/sdz
> >GPT fdisk (gdisk) version 1.0.3
> > 
> >Partition table scan:
> >  MBR: protective
> >  BSD: not present
> >  APM: not present
> >  GPT: present
> > 
> >Found valid GPT with protective MBR; using GPT.
> >Disk /dev/sdb: 3907029168 sectors, 1.8 TiB
> >Model: Desktop
> >Sector size (logical/physical): 512/512 bytes
> >Disk identifier (GUID): A1093790-9A1A-4A7E-A807-B9CC6F7CF77E
> >Partition table holds up to 128 entries
> >Main partition table begins at sector 2 and ends at sector 33
> >First usable sector is 34, last usable sector is 3907029134
> >Partitions will be aligned on 2048-sector boundaries
> >Total free space is 2014 sectors (1007.0 KiB)
> > 
> >Number  Start (sector)End (sector)  Size   Code  Name
> >   12048  3907029134   1.8 TiB 8300  Lulu01
> >#
> > .
> And this "partition" name survives?

No, because it's a filesystem label for the ext4 fs created on
/dev/sdz1. If sdz1 is turned into an LVM Physical Volume, there
won't be an ext4 filesystem on it any more. If sdz1 is turned into a
member of an MD array, there won't be an ext4 filesystem on it any
more. The labels go with the filesystem.

> and can be unique?

I don't know what that means to you or why it is useful.

> and can be used in a mount cmd?

Once the RAID and/or LVM is set up and a filesystem put on it, that
filesystem can be mounted by label just like any filesystem can, but
that filesystem may have multiple devices underneath it owing to the
fact that it's on RAID and/or LVM, so there is no information you
can put in its label that will tell you anything about those
underlying devices.

> if all 3 questions above can be answered with a yes is the answer
> I've been trying to squeeze out all along.

You've not yet been clear about what you want, but from what little
information you have provided you've been told multiple times by
multiple people that filesystem labels won't help.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: f3tools vs Silicon Power 4T drive

2024-02-16 Thread Andy Smith
Hello,

On Fri, Feb 16, 2024 at 01:16:59AM -0500, gene heskett wrote:
> On 2/15/24 16:20, Andy Smith wrote:
> > Suppose you have the MD array /dev/md42. What are you conceptually
> > wanting to do with that in relation to labels of some kind? What
> > information is it that you want?
> > 
> > Suppose you have LVM logical volume /dev/myvg/mylv. What are you
> > conceptually wanting to do with that in relation to labels of some
> > kind? What information is it that you want?
> > 
> I want to know with absolute certainty, which of the 4 drives in that raid10,
> actually has a belly ache. When it has a belly ache.

So this is an example of you moving the goal posts. You started off
by saying you needed to identify something just from the array
device name, but now you say you need to identify which drive in the
array has a problem (exact problem not specified).

The /proc/mdstat file shows all the devices that are in all the MD
arrays. Any time the kernel has problems with a device it logs the
name of the actual device (not the array etc.) in the system log. If
the problems are bad enough then the MD driver notices and removes
the device from the array.

This is normal-looking content of /proc/mdstat:

$ cat /proc/mdstat 
Personalities : [raid1] [linear] [multipath] [raid0] [raid6] [raid5] [raid4] [raid10]
md1 : active raid1 sda3[1] nvme0n1p3[0]
  243316736 blocks super 1.2 [2/2] [UU]
  bitmap: 1/2 pages [4KB], 65536KB chunk

Where it says [UU] it would say [_U] or [U_] if one of those devices
had been removed, and in the list of devices the one that's failed
would have an (F) after it.

But I'm fairly sure that in all your posts about your RAID-10 people
have been through this with you multiple times, so this must not
actually be the information that you are after.

Furthermore I do not understand how your idea of labelling drives
(or partitions or filesystems) would ever give you this information
even if it had worked.

If you mean that you have system logs that say for example that
sda1 has problems, and you want to find out what sda1 actually is,
well I already showed you one way: by looking in /dev/disk/by-id/.
There's also "smartctl -i /dev/sda", and others have posted other
ways.

If you don't mean that, then tell us what actual information you are
starting from, and what you hope to get from there. "My array has
problems, how do I find the problem drive within it" is too vague
because we don't know what "my array has problems" actually means.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
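
The [UU] / [U_] status map and the (F) marker described in the message above can be read mechanically. This is an added example, not code from the original post; the md2 array in the sample is constructed, and on a live system the input would be /proc/mdstat.

```shell
#!/bin/sh
# Added example: summarise MD array health from mdstat-format text.

# Constructed sample. md1 is the healthy array quoted in the message;
# md2 is an invented degraded RAID-10 with sdd1 marked failed.
sample_mdstat() {
cat <<'EOF'
Personalities : [raid1] [raid10]
md1 : active raid1 sda3[1] nvme0n1p3[0]
      243316736 blocks super 1.2 [2/2] [UU]
      bitmap: 1/2 pages [4KB], 65536KB chunk

md2 : active raid10 sdb1[0] sdc1[1] sdd1[2](F) sde1[3]
      1953260544 blocks super 1.2 512K chunks 2 near-copies [4/3] [UU_U]

unused devices: <none>
EOF
}

# md_report: read mdstat text on stdin and print one line per array:
#   <array> <ok|degraded|nomap> <status map or -> <failed members or ->
md_report() {
    awk '
    /^md[^ ]* :/ {
        # Header line: remember the array and collect members flagged (F).
        array = $1
        failed = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /\[[0-9]+\]/ && $i ~ /\(F\)/) {
                dev = $i
                sub(/\[.*/, "", dev)      # sdd1[2](F) becomes sdd1
                failed = failed (failed == "" ? "" : ",") dev
            }
        }
        next
    }
    array != "" && / blocks/ {
        # Size line: the last field is the status map, one U or _ per member.
        map = $NF
        if (map ~ /^\[[U_]+\]$/) {
            state = (map ~ /_/) ? "degraded" : "ok"
        } else {
            # Inactive arrays have no status map on this line.
            state = "nomap"
            map = "-"
        }
        print array, state, map, (failed == "" ? "-" : failed)
        array = ""
    }'
}

# Run against the constructed sample; use: md_report < /proc/mdstat
sample_mdstat | md_report
```

The member names it prints are kernel names such as sdd1, which can then be matched to a physical drive through /dev/disk/by-id/ or "smartctl -i" as the message says.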



Re: f3tools vs Silicon Power 4T drive

2024-02-15 Thread Andy Smith
Hi,

On Thu, Feb 15, 2024 at 03:59:30PM -0500, gene heskett wrote:
> Now the question remains howinhell do I put a label on a drive
> such that it does survive making a raid or lvm device with it? To
> not have a way to id its the drive in slot n of a multislot rack
> stops me in my tracks.

Given that an MD RAID array or a LVM Logical Volume may be spread
across many different underlying storage devices, the question
doesn't make sense. Due to the fact that filesystems go on block
devices, and RAID arrays and LVM LVs can be block devices, a
filesystem label in that instance would represent possibly multiple
underlying storage devices. So step back and tell us what are you
actually trying to achieve, rather than insisting on your X solution
to your Y problem.

Suppose you have the MD array /dev/md42. What are you conceptually
wanting to do with that in relation to labels of some kind? What
information is it that you want?

Suppose you have LVM logical volume /dev/myvg/mylv. What are you
conceptually wanting to do with that in relation to labels of some
kind? What information is it that you want?

> Particularly with these gigastones, I have 5 of them but when all are plugged in
> there are only 3 because there are 2 pairs of matching serial numbers in the
> by-id output,  by-id sees all 5 drives, but udev sees only the unique
> serial numbers. gparted can change the devices blkid, getting a new one from
> rng so while you all think that's the greatest thing since bottled beer, I
> know better.

Once you explain what information you're trying to get when you
start with an LVM or MD device, I can probably advise how to get it,
but just to make clear: I don't think it's a good idea to continue
to use such broken devices. We don't need to debate that since I
know you've been posting about that a lot and clearly have decided
to push ahead. I just think you haven't seen the end of the problems
with that issue.

Regards,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: f3tools vs Silicon Power 4T drive

2024-02-15 Thread Andy Smith
Hi,

On Thu, Feb 15, 2024 at 03:19:54PM -0500, gene heskett wrote:
> On 2/15/24 11:21, Andy Smith wrote:
> > You asked if "labels" would survive their associated partition being
> > put into LVM.
> > 
> > I said, "yes if you mean partition names, no if you mean filesystem
> > labels".
> > 
> I'm still confused and it is not all that well clarified by looking at
> gparted, a shot of which I posted.

This could all be answered easily if you'd just post the copy-paste
of your terminal scrollback for what you actually did. Hopefully you
don't now object to me asking what you meant since apparently even
you do not know if you mean partition names or filesystem labels.
From what you posted it now sounds like labels on the ext4
filesystems that you created.

What you're trying to do (LVM on MD RAID?) is quite complicated and
you clearly don't have much experience in this area. That's okay but
it does mean that you're likely to make a lot of mistakes with a
thing that holds your data, so you need to be prepared for that.

For example, you mentioned only as an aside that you intended to get
two more drives and put the four of them into an LVM, but you did
not know that this would blow away the filesystems already on the
drives, and that this would not by itself provide you with any
redundancy. So if you hadn't said anything and I hadn't questioned
this, you could well have spent a lot of time creating something
that isn't correct and needs to be torn down again, possibly with
data loss.

Again that's okay — we learn by experimentation — but you're going
to have to prepare yourself for doing this over again many times.
And I also want to reiterate that you're going to have questions,
and that is good, but if we here on this list are not to be driven
insane by the ambiguities and misunderstandings, please, please,
PLEASE post logs of the commands you type on this adventure when you
ask them.

Please.

> > If you have questions, ask them.
> > 
> Like which version of a raid is the best at tolerating a failed drive, which
> gives the best balance between redundancy and capacity.

This is a complex subject. Before we get into it, what are you
trying to achieve? Like, what is your end goal with these four
drives?

MD RAID isn't the only way to achieve redundancy. You also haven't
explained why you need LVM. Depending on your needs, maybe a
filesystem with redundancy and volume management features in it
would be better. Like btrfs or zfs.

Given the problems you had with MD RAID in the past I still maintain
that you'd likely be better off just getting a storage appliance of
some kind.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: f3tools vs Silicon Power 4T drive

2024-02-15 Thread Andy Smith
Hello,

On Thu, Feb 15, 2024 at 05:32:34PM +, debian-u...@howorth.org.uk wrote:
> Andy Smith  wrote:
> > Do remember that this mailing list does not accept attachments (and
> > very few mailing lists in general do), so any time you are tempted
> > to send a photo to a mailing list it is probably an error. We did
> > not see whatever it was, but it doesn't sound relevant.
> 
> FWIW, the photo that Gene attached was certainly attached to the mail
> that the list sent to me, so I suppose that this list does permit
> attachments, at least in some circumstances.

Oh yes you're right, I see it too now I've looked properly!

So now I actually think Gene means a filesystem label?

Sigh, this really does not need to be this difficult.

Anyway I see that the image of gparted says there's an ext4
filesystem there. So, Gene: when you put those partitions into LVM
(when you make them LVM Physical Volumes) the filesystems on them
will be trashed, and so will the filesystem labels.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: f3tools vs Silicon Power 4T drive

2024-02-15 Thread Andy Smith
Hi,

On Wed, Feb 14, 2024 at 09:56:07PM -0500, gene heskett wrote:
> > On 2/14/24 19:48, Andy Smith wrote:
> > > I hope you are putting a level of redundancy under that LVM or are
> > > using the redundancy features of LVM (which you need to go out of
> > > your way to do). Otherwise by default what you'll have is not
> > > redundant and a device failure will lose at least the contents of
> > > that device, possibly more.
> > > 
> You pique my curiosity because this is going to be my backup system, but not
> a syllable about how to do it. You tell me it's fine 3 paragraphs up, then
> tell me lvcreate will wipe it out.  I'm asking for answers, not more
> conundrums..

You've split your reply to my mail across three different emails and
now you're replying to a part about redundancy, but asking questions
about something completely different, all while referring to bits
that are not proximal to where your text is, so it's unclear to me
exactly what you are asking about.

You asked if "labels" would survive their associated partition being
put into LVM.

I said, "yes if you mean partition names, no if you mean filesystem
labels".

To my implied question about your redundancy plans (if any), you
then complain that I have not given you "a syllable about how to do
it". Do *what*? I don't yet know what your plans are in that regard.
If you have questions, ask them.

Regards,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: f3tools vs Silicon Power 4T drive

2024-02-15 Thread Andy Smith
Hi,

On Wed, Feb 14, 2024 at 08:48:31PM -0500, gene heskett wrote:
> On 2/14/24 19:48, Andy Smith wrote:
> > On Wed, Feb 14, 2024 at 05:09:02PM -0500, gene heskett wrote:
> > > I have made 1 full partition on each one, and labeled those partitions  as
> > > SiPwr_0 and SiPwr_1
> > 
> > Please show us the command you used¹ to do that, so we know what
> > exactly you are talking about, because as previously discussed
> > there's a lot of different things that you like to call "partition
> > labels".
> 
> This is what gparted calls a "partition label"

Okay, thanks for clarifying. This, or preferably a copy-paste of the
actual parted command session would suffice.

I don't know what the relevance is of the rest of the following
paragraph - your life story is not required and you were not accused
of lying, just asked to clarify.

Do remember that this mailing list does not accept attachments (and
very few mailing lists in general do), so any time you are tempted
to send a photo to a mailing list it is probably an error. We did
not see whatever it was, but it doesn't sound relevant.

> and certainly does not need a 4.5 megabyte camera image to see. or
> even a 50k screen snap. Taking this screenshot was a pita, because
> the gparted window disappears behind the terminal screen when you
> click on take another shot, so you have to quit, then find the
> gparted on the tool bar to bring it back to the front, then move
> it and the terminal so it's not totally hidden. Then rerun
> spectacle again waste a click bringing it fwd, then 30 seconds
> later the spectacle instructions finally show up and after 5
> minutes of screwing around, finally get the screen shot attached
> to prove I'm not lying.

Regards,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: f3tools vs Silicon Power 4T drive

2024-02-15 Thread Andy Smith
Hi,

On Wed, Feb 14, 2024 at 09:06:43PM -0500, gene heskett wrote:
> On 2/14/24 19:48, Andy Smith wrote:
> > But your chosen partition names don't make a lot of sense to me.
> > You've picked names based on the type/manufacturer of device so you
> > may as well have just used the names from /dev/disk/by-id/… which
> > already have that information and are already never going to change.
> > I don't know why you want to complicate matters.
> 
> Will the by-id string fit in the space reserved for a label?

I doubt it, but what would be the point of doing that? The device ID
conveys all the same information that you're putting in the
partition name.

> I dare you to find the disk that udev calls sdc in the above wall of text.

$ ls -l /dev/disk/by-id | grep sdb1
lrwxrwxrwx 1 root root 10 Jan 17 02:49 ata-SAMSUNG_MZ7KM1T9HAJM-5_S2HNNAAGA00863-part1 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Jan 17 02:49 wwn-0x5002538c00066800-part1 -> ../../sdb1

Thus, partition 1 of sdb1 is on partition 1 of
/dev/disk/by-id/ata-SAMSUNG_MZ7KM1T9HAJM-5_S2HNNAAGA00863.
Information already held by the kernel; no need to duplicate it in a
GPT partition name or anywhere else.

There are many other ways to retrieve the same information; that was
the first that sprang to mind but I would not use that in a script
because it's basically parsing ls (a big no-no).

If you'd simply state what you're trying to achieve then 99.9% of
all your posts wouldn't be massive X/Y problems.

> Why can't you understand that I want a unique label for all of this stuff
> that is NOT a wall of HEX numbers no one can remember.  Its not mounted, so
> blkid does NOT see it.

See above. You're welcome.

I note that you still haven't responded with the exact command you
used to set these "labels", so at this point we still do not know
exactly what you mean and I have to proceed assuming you meant GPT
partition name. A simple request that would enable us to help you
better, ignored.

Regards,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
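
The message above notes that grepping "ls -l" is not something to put in a script. One script-safe way to do the same lookup is to read the symlinks directly; this is an added example, not code from the original post. The temporary directory and the sda1 entry are constructed, and the two sdb1 link names are the ones shown in the message.

```shell
#!/bin/sh
# Added example: map kernel names to /dev/disk/by-id names by reading the
# symlinks themselves rather than parsing "ls -l" output.

# ids_for_device DIR NAME: print each link in DIR whose target is NAME
# (for example NAME=sdb1). DIR is normally /dev/disk/by-id.
ids_for_device() {
    for link in "$1"/*; do
        [ -L "$link" ] || continue            # skip non-links and empty globs
        target=$(readlink "$link") || continue
        # by-id targets look like ../../sdb1, so compare the last component
        if [ "${target##*/}" = "$2" ]; then
            printf '%s\n' "${link##*/}"
        fi
    done
}

# device_for_id DIR ID: print the kernel name that link ID points at,
# or return non-zero if there is no such link.
device_for_id() {
    [ -L "$1/$2" ] || return 1
    target=$(readlink "$1/$2") || return 1
    printf '%s\n' "${target##*/}"
}

# make_sample_byid: build a constructed stand-in for /dev/disk/by-id under a
# temporary directory and print its path, so the example runs without root
# and without real disks.
make_sample_byid() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/dev/disk/by-id"
    ln -s ../../sdb1 "$root/dev/disk/by-id/ata-SAMSUNG_MZ7KM1T9HAJM-5_S2HNNAAGA00863-part1"
    ln -s ../../sdb1 "$root/dev/disk/by-id/wwn-0x5002538c00066800-part1"
    # Constructed entry for a second disk
    ln -s ../../sda1 "$root/dev/disk/by-id/ata-EXAMPLE_DISK_CONSTRUCTED0001-part1"
    printf '%s\n' "$root/dev/disk/by-id"
}

demo_dir=$(make_sample_byid)
ids_for_device "$demo_dir" sdb1
device_for_id "$demo_dir" wwn-0x5002538c00066800-part1
rm -rf "${demo_dir%/dev/disk/by-id}"
```

On a real system the first argument is /dev/disk/by-id, for example: ids_for_device /dev/disk/by-id sdb1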



Re: f3tools vs Silicon Power 4T drive

2024-02-14 Thread Andy Smith
Hi,

On Wed, Feb 14, 2024 at 05:09:02PM -0500, gene heskett wrote:
> I have made 1 full partition on each one, and labeled those partitions  as
> SiPwr_0 and SiPwr_1

Please show us the command you used¹ to do that, so we know what
exactly you are talking about, because as previously discussed
there's a lot of different things that you like to call "partition
labels".

If we take that literally that would be a GPT partition name, but
you've used this same terminology before and meant a filesystem
label.

> My only question is will those partition names survive lvcreating an 11T lvm
> out of these and 2 more 2T gigastones.

Assuming you meant partition name the first time as well, nothing
you do other than a disk wipe or re-name should alter those
partition names.

But your chosen partition names don't make a lot of sense to me.
You've picked names based on the type/manufacturer of device so you
may as well have just used the names from /dev/disk/by-id/… which
already have that information and are already never going to change.
I don't know why you want to complicate matters.

If instead you put filesystems on these partitions and labelled
*those*, well, no, LVM goes under filesystems so those filesystems
and their labels (and contents) are not long for this world.

> I have not dealt with an lvm in about 15+ years trying it once
> when it first came out with a high disaster rating then.

I hope you are putting a level of redundancy under that LVM or are
using the redundancy features of LVM (which you need to go out of
your way to do). Otherwise by default what you'll have is not
redundant and a device failure will lose at least the contents of
that device, possibly more.

Regards,
Andy

¹ and while you are there, maybe a post-it note with "I will show
  the exact command I used any time I write to debian-user" stuck to
  the top of the display of the screen you use to compose emails
  would help, because basically every thread you post here lacks
  that information.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Does "LC_ALL=C" work on all shells?

2024-02-13 Thread Andy Smith
Hi,

On Tue, Feb 13, 2024 at 07:29:37PM -0500, Gremlin wrote:
> Upon investigation, I can not determine which package
> /etc/default/locale belongs to.

dpkg -S and apt-file will only find files that are actually shipped
in packages. Files that are created or used by maintainer scripts
but not actually shipped by a package will not be found by these
commands.

You can look in all the maintainer scripts to see where it's
mentioned:

$ grep -r /etc/default/locale /var/lib/dpkg/info

which leads me to believe it may be most relevant to the "locales"
package, but this does not enlighten us to how any particular entry
may have been added to that file.

I guess at some point something called update-locale with LC_ALL=C
or something.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Debian bookworm: reboot required

2024-02-12 Thread Andy Smith
Hi,

On Mon, Feb 12, 2024 at 11:49:18AM +0100, Klaus Singvogel wrote:
> in the past Debian Distributions there were two files in the system, when a 
> reboot was necessary:
>   /run/reboot-required  /run/reboot-required.pkgs

These files are created by the postinst script of individual Debian
packages. See for example the output of:

$ grep reboot-required /var/lib/dpkg/info/*

> I installed today a new kernel under Debian Bookworm, which
> requires a reboot, but this system lacks both files. They
> aren't present.

None of my kernel-related packages have a postinst that creates
these files, so I'm not sure that installing a kernel package has
ever done that.

I think if you install the unattended-upgrades package it will
create those files after a kernel upgrade. I do not use that, which
is why I see nothing creating those files. Perhaps you have that
installed elsewhere but not on this machine.

> How can I find out, if there is a system reboot necessary, in a
> similar way, as it was possible in the past?

Are you thinking of update-notifier-common which used to be installed
by default but was removed entirely in Debian jessie? An approximate
replacement for this is the package "reboot-notifier".

On the same theme there is also "needrestart" which will tell you
which daemons need to be restarted after libraries have been
upgraded.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: hexchat being discontinued?

2024-02-11 Thread Andy Smith
Hello,

On Sun, Feb 11, 2024 at 11:58:10AM -0500, Default User wrote:
> I can't really say what it is I like about hexchat and dislike about
> other IRC clients, except to say that it just seems to work the way my
> brain does. 

Which other ones have you used that you do not like, then?

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Mixing HDD and SSD in lvm

2024-02-11 Thread Andy Smith
Hi,

On Sun, Feb 11, 2024 at 11:00:07AM +0100, Kamil Jońca wrote:
> ID# ATTRIBUTE_NAME  FLAGSVALUE WORST THRESH FAIL RAW_VALUE
> 246 Total_LBAs_Written  -O--CK   100   100   000-14380174325
> [...]
> --8<---cut here---end--->8---
> 
> Do I understand correctly, that to have TB written I should take
> "Total_LBAs_Written"
> and divide it by 1024*1024*2 ?

In theory yes. The raw value of attribute 246 is supposed to be the
number of LBAs written where an LBA is the logical sector size, in
your case 512 bytes. However, I have a number of devices where 246
is not in units of 512 bytes. Aside from the usual 512b I have seen
units of

- 512,000 bytes
- 1GiB (!)
- 1MiB
- 32MiB

So your process is correct but you will want to check what units
your drives actually increment in. If possible, write a known
quantity to one of them and see how much it goes up by.

The documentation for your drives may also let you know this, or let
you know another SMART attribute you can use for this purpose.

> 2nd question.
> I have read about "trim/discard" operations in SSD context  and I am not
> sure how to setup these here.

These days just don't do anything. There is a systemd timer called
fstrim.timer on default Debian that activates periodically and does
offline discard on every mounted filesystem, and this is probably
the best way. You can instead put "discard" in the mount options of
most filesystems and then they will do online discard as they go,
but there is not usually any need to do this.

Also LVM has a discard option. It is on by default and all this does
is trigger a discard when you remove an LV. Again that is best left
on by default.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: find and it uncommon syntax - grrrrrrrrr

2024-02-10 Thread Andy Smith
Hello,

On Sat, Feb 10, 2024 at 06:03:39PM -0500, gene heskett wrote:
> On 2/10/24 15:55, Greg Wooledge wrote:
> > find . -iname 'bpim5*shelf.scad'
> 
> Thank you Greg, it worked and 4 more copies are under construction now, but
> why is this not in the man page? Mind boggling.

Why can Gene not locate "iname" when it's right there in the "find"
man page? Mind boggling.

Why can Gene not type "how do I use GNU find to find a file by
name" into a web search engine and read any of the several links on
the first page of results? Mind boggling.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: find and it uncommon syntax - grrrrrrrrr

2024-02-10 Thread Andy Smith
Hello,

On Sat, Feb 10, 2024 at 03:46:09PM -0500, gene heskett wrote:
> I have misplaced file someplace in /home/gene.
> its name is bpim5*shelf.scad
> As usual it outputs 100,000 filenames, none of which is the one I am looking
> for. How in heck do you shut this thing up so it only spits out
> /the/path/to/the/file it's looking for if it even found it?

Gene and his inability as usual to show us what he has tried and the
output he got - gr

> And where do I put that as an alias, in my .bashrc?

find is an extremely flexible command that can do a lot of different
queries so to get any sort of meaningful answer to this you'd have
to show us what exactly you tried.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Things I don't touch with a 3.048m barge pole: USB storage (Was Re: Unidentified subject!)

2024-02-08 Thread Andy Smith
Hello,

On Thu, Feb 08, 2024 at 04:22:49PM -0500, Gremlin wrote:
> On Thu, Feb 08, 2024 at 08:43:17PM +0000, Andy Smith wrote:
> > I really do mean all forms of USB that come over a USB port.
> 
> That line was meant to read
> 
> I really do mean all forms of storage that come over a USB port.
> 
> Changing the goal post now are we.

Erm no, it was a simple mistaken repetition of the word "USB" that I
only noticed when I read it back. It would be clearly very difficult
to refuse to use any kind of USB device at all! I have been
consistently talking about storage devices.

You have been very clear that you do not agree though, so let's just
agree to disagree.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Things I don't touch with a 3.048m barge pole: USB storage (Was Re: Unidentified subject!)

2024-02-08 Thread Andy Smith
Hello,

On Thu, Feb 08, 2024 at 04:00:01PM -0500, Gremlin wrote:
> I have been using USB attached HDDs and SSDs for 10 years now and
> have never had one unexpectedly go off line.  Your postings
> suggest you don't know what you're talking about.

Okay then. Despite this uncharitable comment, I do still wish you
what I consider to be continued good fortune!

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Things I don't touch with a 3.048m barge pole: USB storage (Was Re: Unidentified subject!)

2024-02-08 Thread Andy Smith
On Thu, Feb 08, 2024 at 03:56:19PM -0500, Gremlin wrote:
> On 2/8/24 15:43, Andy Smith wrote:
> > I wouldn't have much issue with taking a USB drive out of its caddy
> > to get the SATA drive from inside, except that it would have to be
> > an amazingly good deal to make it worth voiding the warranty, so I
> > generally wouldn't bother.
> 
> Why would it void the warranty?  I put it in the caddy

I mean the USB drives that come as a sealed unit that you can
sometimes find a lot cheaper than the same model SATA drive that is
actually inside them. Some people do enjoy taking those apart to get
the SATA drive out.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Things I don't touch with a 3.048m barge pole: USB storage (Was Re: Unidentified subject!)

2024-02-08 Thread Andy Smith
On Thu, Feb 08, 2024 at 08:43:17PM +, Andy Smith wrote:
> I really do mean all forms of USB that come over a USB port.

That line was meant to read

I really do mean all forms of storage that come over a USB port.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Things I don't touch with a 3.048m barge pole: USB storage (Was Re: Unidentified subject!)

2024-02-08 Thread Andy Smith
Hello,

On Thu, Feb 08, 2024 at 02:20:59PM -0500, Jeffrey Walton wrote:
> On Thu, Feb 8, 2024 at 11:57 AM Ralph Aichinger  wrote:
> > How does a breaking USB disk differ from a breaking SATA disk?
> 
> I may be mistaken, but I believe AS is talking about USB thumb drives,
> SDcards and the like. I don't think he's talking about external SSD's
> and NVME's over USB. But I don't want to put words in his mouth.

I really do mean all forms of USB that come over a USB port.

I wouldn't have much issue with taking a USB drive out of its caddy
to get the SATA drive from inside, except that it would have to be
an amazingly good deal to make it worth voiding the warranty, so I
generally wouldn't bother.

If I need directly attached storage I'd much rather explore options
like SAS and eSATA, or even networked storage, before I would ever
consider USB for a permanent installation.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Things I don't touch with a 3.048m barge pole: USB storage (Was Re: Unidentified subject!)

2024-02-08 Thread Andy Smith
Hello,

On Thu, Feb 08, 2024 at 05:40:54PM +0100, Ralph Aichinger wrote:
> On Thu, 2024-02-08 at 15:36 +0000, Andy Smith wrote:
> > I learned not to go there a long time ago and have seen plenty of
> > reminders along the way from others' misfortunes to not ever go
> > there again myself.
> 
> How does a breaking USB disk differ from a breaking SATA disk?

In my experience it happens more often and also brings with it
frequent issues of poor performance and other reliability issues
like just dropping off the USB bus. There is almost always a better
way.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Things I don't touch with a 3.048m barge pole: USB storage (Was Re: Unidentified subject!)

2024-02-08 Thread Andy Smith
Hello,

On Fri, Feb 09, 2024 at 12:23:45AM +0700, Max Nikulin wrote:
> On 08/02/2024 22:36, Andy Smith wrote:
> > On Wed, Feb 07, 2024 at 03:30:29PM -0500, gene heskett wrote:
> > > [629241.074187] scsi host37: usb-storage 1-2:1.0
> > 
> > USB storage is for phones and cameras etc, not for serious
> > computing.
> 
> Do you mean that a proper backup drive should use uas (USB Attached Storage)
> instead of usb-storage driver?

No, I just mean I advise to never ever use storage that comes to you
via a USB port for anything you care about.

I might consider it okay for temporary shifting of data about, but I
would never use it as part of a permanent setup without fully
expecting one day to find it just not working. But then that is also
how I feel about any storage device. It's just worse when USB is
added to the mix.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Things I don't touch with a 3.048m barge pole: USB storage (Was Re: Unidentified subject!)

2024-02-08 Thread Andy Smith
Hi,

On Thu, Feb 08, 2024 at 11:14:24AM -0500, Gremlin wrote:
> On 2/8/24 10:36, Andy Smith wrote:
> > USB storage is for phones and cameras etc, not for serious
> > computing. Many people will disagree with that statement and say
> > they use it all the time and it is fine. They will keep saying that
> > until it isn't fine, and then they'll be in a world of hurt.
> > 
> 
> LOL,  So my main desktop a raspberry pi 4 is not serious computing? Or is it
> that my name server, web server email server which is a raspberry pi 4 not
> serious computing?

Not in my opinion, no¹, but I don't mind at all if you don't agree
and I also wish you the best of ongoing luck!

Thanks,
Andy

¹ Of course, sometimes you just have a device that only has USB and
  there's no way around it. If I have to go there, I try to make it
  serious by preparing for the storage of those devices to just
  disappear one day and take steps to minimise the downtime lost to
  that.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Things I don't touch with a 3.048m barge pole: USB storage (Was Re: Unidentified subject!)

2024-02-08 Thread Andy Smith
Hello,

On Wed, Feb 07, 2024 at 03:30:29PM -0500, gene heskett wrote:
> [629241.074187] scsi host37: usb-storage 1-2:1.0

USB storage is for phones and cameras etc, not for serious
computing. Many people will disagree with that statement and say
they use it all the time and it is fine. They will keep saying that
until it isn't fine, and then they'll be in a world of hurt.

I learned not to go there a long time ago and have seen plenty of
reminders along the way from others' misfortunes to not ever go
there again myself.

> Looks like a reasonable facsimile of a 2T disk to me.

Good luck.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Home UPS recommendations (Was Re: rsync --delete vs rsync --delete-after)

2024-02-08 Thread Andy Smith
Hello,

On Sun, Jan 28, 2024 at 06:55:04PM +, Andy Smith wrote:
> So, I must admit, I am quite tempted by BX1600MI which would cost me
> about £183. The equivalent spec in the Pro range is more than twice
> this price.

[ TL;DR: While free software like apcupsd or nut support all APC
  models that you can buy today, APC (Schneider Electric) the
  company only supports its own Windows-only Powerchute and won't do
  a warranty claim unless you can run that. I therefore question the
  device's suitability to a Linux environment. ]

Just as an update, I bought the APC Back-UPS BX1600MI and while
superficially it seems fine, using "apcupsd" and/or "nut" it reports
a constant stream of short-lived (less than 1 second) battery
detach/re-attach and powerfail/restore events.

The unit itself doesn't show any audible or visual alarm but as
these events are sub-second in duration I don't know if they are
just too quick for that.

Someone on the apcupsd mailing list thinks I have a faulty UPS or
battery and should get a replacement.

APC refuses to proceed with a warranty claim because they don't
support apcupsd or nut, only their own proprietary Powerchute. They
won't proceed unless I can get Powerchute to show these events or a
failed self-test. I can't do that because I don't have any Windows
machines. I do not overly want to buy a Windows licence, run it
in a VM and pass USB through to that VM just to try this.

While in theory if I had heeded the warnings about Back-UPS being of
lesser quality I might have bought a more expensive model that
wasn't faulty (or at least did not have this problem, whatever it
is), I am disappointed to learn that APC will not proceed with
warranty claims unless you can run some Windows software, which puts
me off the entire product range.

Having said that, I don't need to do a warranty claim. As it was
only purchased a couple of weeks ago, consumer law allows me to
return it to the seller as faulty whether they accept that or not,
so I'll likely do that. It's just disappointing and a lot more
hassle.

Thanks,
Andy



Re: Mixing HDD and SSD in lvm

2024-02-06 Thread Andy Smith
Hi,

On Tue, Feb 06, 2024 at 12:18:26PM +0100, Kamil Jońca wrote:
> My main concern is if speed differences between SSD and HDD in one lvm
> can make any problems.

The default allocation policy for LVM ("normal") is to use an
arbitrary PV that has space. So this means that unless you say so,
you will not know which PV the extents for any given LV will go to.
Assuming you create an LV that is not larger than an entire PV, all
of it will end up on one or the other and will have the same
performance profile.

If you don't like that you can specify which PV to put it on, at
lvcreate time.

If you tell LVM to stripe extents between the two PVs then it will
not cause a problem, but I expect performance to be impacted,
possibly capped at that of the slowest PV.

Do check your device's sector size. I have been having problems
with mixed 512 vs 4K devices. That is only when the 4K device is
formatted to only do 4K though; most "Advanced Format" devices can
do both 512b and 4K.

If you are trying to do tiered storage you may have more luck with
dm-cache, zfs, bcache or (the only recently upstreamed) bcachefs.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Mixing HDD and SSD in lvm

2024-02-06 Thread Andy Smith
Hi,

On Tue, Feb 06, 2024 at 11:03:03AM +0100, Basti wrote:
> If you use mdadm for RAID you can mark the slower disk as 'write-mostly' to
> get more read speed.

Both (MD) RAID-1 and RAID-10 will work this out by themselves, by
the way, and tend to read from the fastest device.

I have benchmarked this. With very fast enterprise NVMe as the
faster device and consumer SATA SSD as the slower "write-mostly", I
wasn't able to detect much benefit from using "write-mostly", i.e.
MD already chose to read mostly from the NVMe.

When pairing any kind of SSD with HDD, the difference was more
dramatic and "write-mostly" did have noticeable beneficial effect,
though not huge. Again, MD by itself chose to read from the SSD even
without "write-mostly".

I hypothesise that this is because MD picks the mirror device with
the lowest outstanding request count, and that is often going to be
the flash-based device.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Mixing HDD and SSD in lvm

2024-02-06 Thread Andy Smith
Hi,

On Tue, Feb 06, 2024 at 09:04:13AM +0100, Hans wrote:
> I am not sure, if it is possible, to do same in LVM. As far as I know, LVM 
> must also set the correct devicenames in correct order, mustn't it?

Neither LVM nor MD will have a problem with member devices changing
their device path as they both put their own metadata onto the
devices and use that to detect them.

If you have set a filter in lvm.conf to only look at certain
devices, you might want to be aware of the full range of names that
can happen, though.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Automatically installing GRUB on multiple drives

2024-02-03 Thread Andy Smith
Hi,

On Fri, Feb 02, 2024 at 02:41:38PM +0100, Franco Martelli wrote:
> There is an alternative to hardware RAID if you want a Linux RAID: you can
> disable UEFI in the BIOS and delete the ESP as I did when I bought my gaming
> PC several years ago.

I have storage devices which legacy BIOS cannot see for booting
purposes. In past years these would require an "option ROM". Today,
they require UEFI firmware. They aren't exotic devices; just
enterprise NVMe.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Automatically installing GRUB on multiple drives

2024-01-31 Thread Andy Smith
Hi,

On Tue, Jan 30, 2024 at 09:50:23PM +0100, hw wrote:
> On Mon, 2024-01-29 at 23:53 +0000, Andy Smith wrote:
> > I think you should read it again until you find the part where it
> > clearly states what the problem is with using MD RAID for this. If
> > you still can't find that part, there is likely to be a problem I
> > can't assist with.
> 
> That there may be a problem doesn't automatically mean that you need a
> bunch of scripts.

This is getting quite tedious.

Multiple people have said that there is a concern that UEFI firmware
might write to an ESP, which would invalidate the use of software
RAID for the ESP.

Multiple people have suggested instead syncing ESP partitions in
userland. If you're going to do that then you'll need a script to do
it.

I don't understand what you find so difficult to grasp about this.
If it's that you have some other proposal for solving this, it would
be helpful for you to say so, instead of just repeating "why do you
need scripts, you don't need scripts", because if you just repeat
that, all I can do is repeat what I've already said until I become
bored and stop.

If your suggested solution is "use hardware RAID", no need to repeat
that one though: I see you said it in a few other messages, and that
suggestion has been received. Assume the conversation continues
amongst people who don't like that suggestion.

Otherwise, I don't think anyone knows what you have spent several
messages trying to say. All we got was, "you don't need scripts".

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Automatically installing GRUB on multiple drives

2024-01-29 Thread Andy Smith
Hi,

On Mon, Jan 29, 2024 at 05:28:56PM +0100, hw wrote:
> On Sun, 2024-01-28 at 21:55 +0000, Andy Smith wrote:
> > On Sun, Jan 28, 2024 at 09:09:17PM +0100, hw wrote:
> > > On Sun, 2024-01-28 at 17:32 +0000, Andy Smith wrote:
> > > > If someone DOES want a script option that solves that problem, a
> > > > couple of actual working scripts were supplied in the link I gave to
> > > > the earlier thread:
> > > > 
> > > > https://lists.debian.org/debian-user/2020/11/msg00455.html
> > > > https://lists.debian.org/debian-user/2020/11/msg00458.html
> > > 
> > > Huh?  Isn't it simpler to use mdraid RAID1 to keep the UEFI partitions
> > > in sync without extra scripts needed?
> > 
> > Could you read the first link above.
> 
> I did, and it doesn't explain why you would need a bunch of scripts.

I think you should read it again until you find the part where it
clearly states what the problem is with using MD RAID for this. If
you still can't find that part, there is likely to be a problem I
can't assist with.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Stop packagekitd from downloading updates

2024-01-28 Thread Andy Smith
Hello,

On Sun, Jan 28, 2024 at 04:42:18PM -0500, Greg Wooledge wrote:
> On Sun, Jan 28, 2024 at 04:31:02PM -0500, Stefan Monnier wrote:
> > I self-inflicted this by installing [unattended-upgrades] so many years ago?
> 
> It's a dependency of some/most(?) desktop environments, I think.  I
> doubt you installed it by name and forgot.

I do not have it installed on my recently-installed Debian 12 / GNOME
desktop.

I do have packagekit though, which includes this config file:

$ cat /etc/apt/apt.conf.d/20packagekit
// THIS FILE IS USED TO INFORM PACKAGEKIT THAT THE UPDATE-INFO MIGHT HAVE CHANGED

// Whenever dpkg is called we might have different updates
// i.e. if an user removes a package that had an update
DPkg::Post-Invoke {
"/usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service && /usr/bin/test -S /var/run/dbus/system_bus_socket && /usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update > /dev/null; /bin/echo > /dev/null";
};

// When APT's cache is updated (i.e. apt-cache update)
APT::Update::Post-Invoke-Success {
"/usr/bin/test -e /usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service && /usr/bin/test -S /var/run/dbus/system_bus_socket && /usr/bin/gdbus call --system --dest org.freedesktop.PackageKit --object-path /org/freedesktop/PackageKit --timeout 4 --method org.freedesktop.PackageKit.StateHasChanged cache-update > /dev/null; /bin/echo > /dev/null";
};

So I think probably that unattended-upgrades is downloading Stefan's packages
and then poking packagekit over DBUS to make the GNOME tell Stefan about it.
Which also explains the warning when packagekit is disabled.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Automatically installing GRUB on multiple drives

2024-01-28 Thread Andy Smith
Hello,

On Sun, Jan 28, 2024 at 09:09:17PM +0100, hw wrote:
> On Sun, 2024-01-28 at 17:32 +0000, Andy Smith wrote:
> > If someone DOES want a script option that solves that problem, a
> > couple of actual working scripts were supplied in the link I gave to
> > the earlier thread:
> > 
> > https://lists.debian.org/debian-user/2020/11/msg00455.html
> > https://lists.debian.org/debian-user/2020/11/msg00458.html
> 
> Huh?  Isn't it simpler to use mdraid RAID1 to keep the UEFI partitions
> in sync without extra scripts needed?

Could you read the first link above.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Automatically installing GRUB on multiple drives

2024-01-28 Thread Andy Smith
Hello,

On Sun, Jan 28, 2024 at 09:03:50PM +0100, hw wrote:
> Show me any installer for Linux distributions that handles this
> sufficiently without further ado.

That was the question I posed several posts back: what do people do
for redundant ESP.

> When you don't use btrfs, you have either hardware RAID or
> mdraid.

…or zfs or bcachefs or no redundancy at all…

> With mdadm RAID, it isn't much better than with btrfs since
> without further ado, you still don't have redundant UEFI
> partitions.

As mentioned, people do try it, and we don't yet have any reports
of catastrophe.

I'm not sure I am brave enough though.

> With btrfs and mdadm RAID, it's basically worse because you have
> to deploy another variant of software RAID in addition to the
> software built into btrfs.

I see, so this is basically a philosophical objection. You already
have software that provides redundancy (btrfs), but since UEFI
firmware can't read it and insists that ESP be vfat, it would mean
providing redundancy another way. This need to have two means of
redundancy is an affront to you.

In practical terms, having md driver just for a small ESP array is
not going to be a big deal, but just the idea of configuring this
extra form of redundancy, having that extra driver loaded etc., is
unpleasant.

> So at least for boot disks, I'll go for hardware RAID whenever
> possible, especially with btrfs, until this problem is fixed.  Or do
> you have a better option?

Right, so your answer is hardware RAID. If you're happy with that,
that's great, but I've left hardware RAID behind nearly ten years
ago and this issue isn't enough for me to welcome it back. Though it
leaves a bad taste, I still would rather go with either syncing ESPs
by script or putting ESP in MD RAID and hoping firmware never writes
to it.

I just wondered if there were more options (yet).

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Home UPS recommendations (Was Re: rsync --delete vs rsync --delete-after)

2024-01-28 Thread Andy Smith
Hi,

Thanks, this is very useful.

On Sun, Jan 28, 2024 at 06:58:08PM +0100, hw wrote:
> However, stay away from their cheap models as seen on this[1] picture
> (Back UPS).  They work and you can replace the batteries yourself even
> though you're not supposed to.  It's a minimum basic device.  It may
> be an ok option if you're on a budget.  Their batteries last about 3
> years.

So, I must admit, I am quite tempted by BX1600MI which would cost me
about £183. The equivalent spec in the Pro range is more than twice
this price.

Although the battery is not strictly user-replaceable, I watched
some videos on the task and it seems pretty easily doable.

Something for me to think on.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Automatically installing GRUB on multiple drives

2024-01-28 Thread Andy Smith
Hi,

Keeping all this context because I don't actually see how the
response matches the context and so I might have missed something…

On Sun, Jan 28, 2024 at 11:54:05AM -0500, Dan Ritter wrote:
> hw wrote: 
> > How is btrfs going to deal with this problem when using RAID?  Require
> > hardware RAID?
> > 
> > Having to add mdadm RAID to a setup that uses btrfs just to keep efi
> > partitions in sync would suck.
> 
> You can add hooks to update-initramfs or update-grub.
> 
> To a first approximation:
> 
> firstbootpart = wwn-0x5006942feedbee1-part1
> extrabootparts = wwn-0x5004269deafbead-part1\
>  wwn-0x5001234adefabe-part1 \
>  wwn-0x5005432faebeeda-part1
> 
> for eachpart in $extrabootparts ; \
>   do cp /dev/disk/by-id/$firstbootpart /dev/disk/by-id/$eachpart; done

I realise that the above is pseudocode, but I have some issues with
it, namely:

a) I don't see what this has to do with btrfs, the subject of the
   message you are replying to. Then again, I also did not see what
   btrfs had to do with the thing that IT was replying to, so
   possibly I am very confused.

b) My best interpretation of your message is that it solves the "how
   to keep ESPs in sync" question, but if it is intended to do that
   then you may as well have just said "just keep the ESPs in sync",
   because what you wrote is literally something like:

   cp /dev/disk/by-id/wwn-0x5002538d425560a4-part1 /dev/disk/by-id/wwn-0x5002538d425560b5-part1

   which …is rather like a "now draw the rest of the owl" sort of
   response given that it doesn't literally work and most of the job
   is in reworking that line of pseudocode into something that will
   actually work.

If someone DOES want a script option that solves that problem, a
couple of actual working scripts were supplied in the link I gave to
the earlier thread:

https://lists.debian.org/debian-user/2020/11/msg00455.html
https://lists.debian.org/debian-user/2020/11/msg00458.html

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Automatically installing GRUB on multiple drives

2024-01-28 Thread Andy Smith
Hi,

On Sun, Jan 28, 2024 at 05:17:14PM +0100, hw wrote:
> Ok if Andy and you are right, you could reasonably boot machines with
> an UEFI BIOS when using mdadm RAID :)

I've been doing it for more than two decades, though not with UEFI.

> How is btrfs going to deal with this problem when using RAID?  Require
> hardware RAID?
> 
> Having to add mdadm RAID to a setup that uses btrfs just to keep efi
> partitions in sync would suck.

ESP have to be vfat so why are you bringing up btrfs?

If you want to use btrfs, use btrfs. UEFI firmware isn't going to
care as long as your ESP is not inside that.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Postponed publickey before Accepted publickey - what's happening there then?

2024-01-27 Thread Andy Smith
Hi,

On Sat, Jan 27, 2024 at 09:55:16AM +, Michael Kjörling wrote:
> On 27 Jan 2024 08:12 +, from a...@strugglers.net (Andy Smith):
> > This only happens when I log in as root using a public key, i.e.
> > 
> > ssh -i /path/to/pubkey r...@t.example.com
> 
> According to https://access.redhat.com/solutions/20057 this can happen
> in cases where multiple authentication methods are tried. You should
> be able to confirm this by adding -v to your ssh command line and
> looking for authentication methods that are not your presumably
> intended publickey.

The only authentication methods that are tried are publickey, it's
just that it seems it tries several public keys that won't work
first:

debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/andy/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering ED25519 public key: andy@jameson
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering RSA public key: /home/andy/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering RSA public key: /home/andy/.ssh/foo_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug1: Authentication succeeded (publickey).
Authenticated to t.example.com ([2001:db8:0:1f1::13]:922).

(/home/andy/.ssh/foo_rsa being what was specified on the ssh command
line with -i)

Presumably if there WERE no working public keys then it would get
around to trying another method, but publickey is offered first.

If I do:

$ ssh -o IdentitiesOnly=yes -i ~/.ssh/foo_rsa r...@t.example.com

then only that single public key is offered and there is no message
about publickey being postponed, so that must be it.

Though I still wonder why it bothers to log anything about
publickey being postponed in the first place.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: AW: AW: su su- sudo dont work

2024-01-27 Thread Andy Smith
Hello,

On Sat, Jan 27, 2024 at 11:05:30AM +0100, Thomas Schmitt wrote:
> Andy Smith wrote:
> > It is hard to understand how what Michael/Sophie/Tobias does can in
> > any way be "fun" for them, though maybe that is just our lack of
> > understanding.
> 
> I expressed my suspicion of a "Hurz" performance in
>   https://lists.debian.org/debian-user/2023/05/msg00100.html

Okay, but it seems to me that watching an audience try to take a
nonsense opera seriously is a bit more sophisticated and has scope
for amusement, unlike for example an endless stream of mispastes and
misunderstandings about "sudo" and "su".

But I guess what one finds amusing can have a very wide variability…

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: AW: AW: su su- sudo dont work

2024-01-27 Thread Andy Smith
Hi Hans,

On Sat, Jan 27, 2024 at 10:23:09AM +0100, Hans wrote:
> I see this exactly as you and are watching this list for many years.

I'm not sure who you're replying to as you've removed those details,
though I may guess from your In-Reply-To header which doesn't point
to a list message. You haven't replied to an off-list (personal)
mail back onto the list have you? Be careful there!

> But since the beginning, I had the suspicion, that someone just
> wants to make fun with us.

It is hard to understand how what Michael/Sophie/Tobias does can in
any way be "fun" for them, though maybe that is just our lack of
understanding.

Either they are incredibly confused by Linux or they are pretending
to be for reasons beyond my understanding. Whatever the case, I
don't think I have ever seen one of their threads result in a
positive resolution.

It's probably best to not assume that what we don't understand is
hostile and/or an AI experiment. Even so, that doesn't mean it is
possible to help.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Postponed publickey before Accepted publickey - what's happening there then?

2024-01-27 Thread Andy Smith
Hi,

I typically have logcheck send me anomalous logs. In the last week,
all Debian 10 machines (I know, I know, upgrade needed) started
logging this whenever I logged in from a particular other host by
SSH:

2024-01-27T07:59:42.003881+00:00 t.example.com sshd[12319]: Postponed publickey for root from 2001:db8:1f1:f0c2::2 port 37032 ssh2 [preauth]
2024-01-27T07:59:42.01+00:00 t.example.com sshd[12319]: Accepted publickey for root from 2001:db8:1f1:f0c2::2 port 37032 ssh2: RSA SHA256:iC8C78UYVJdr+bsqV1hbtBFuft6KHi0b8i308Zn0C9o
2024-01-27T07:59:42.020718+00:00 t.example.com sshd[12319]: pam_unix(sshd:session): session opened for user root by (uid=0)
2024-01-27T07:59:42.033599+00:00 t.example.com systemd-logind[1729]: New session 18604 of user root.

(host names and IPv6 addresses are made up as not relevant here)

As you can see, this login was successful. What I had not seen
before was the line:

2024-01-27T07:59:42.003881+00:00 t.example.com sshd[12319]:
Postponed publickey for root from 2001:db8:1f1:f0c2::2 port
37032 ssh2 [preauth]

This only happens when I log in as root using a public key, i.e.

ssh -i /path/to/pubkey r...@t.example.com

(though in reality a script doing this, but I can replicate the same
when doing it manually). The "postponed" line doesn't happen when I
log in by key as my own user.

What is actually happening there to cause that line to be logged
then?

Is it possibly something to do with my ssh-agent having another key
that would allow that to work, but it waits to use the key
specified on the ssh command line?

I am not aware of any change made in the last week or two that would
cause this to start happening, although I did reboot the client host
(2001:db8:1f1:f0c2::2 here) in that time frame so possibly my
ssh-agent environment has changed in some way.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
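
The sshd lines in the post above and the `ssh -v` output in the reply earlier on this page, turned into a check (an added example, not code from the thread): it groups sshd lines by PID to separate a "Postponed publickey" that is followed by "Accepted publickey" from one that never completes, and counts how many keys the client offered before the accepted one. The sshd sample is constructed in the format quoted above with a placeholder fingerprint, the client sample is the debug output quoted in the reply, and all function names are this example's own.

```python
import re

# Matches the "Postponed"/"Accepted" sshd lines in the format quoted in the post.
SSHD_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<event>Postponed|Accepted) publickey "
    r"for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<ktype>\S+) (?P<fp>\S+))?"
)
# Matches the client-side "Offering ... public key" lines as quoted in the reply.
OFFER_RE = re.compile(r"debug1: Offering (?P<ktype>\S+) public key: (?P<ident>\S+)")

# Constructed sample: addresses are documentation ranges, fingerprint is a placeholder.
SSHD_LOG = """\
2024-01-27T07:59:42.003881+00:00 t.example.com sshd[12319]: Postponed publickey for root from 2001:db8:1f1:f0c2::2 port 37032 ssh2 [preauth]
2024-01-27T07:59:42.011000+00:00 t.example.com sshd[12319]: Accepted publickey for root from 2001:db8:1f1:f0c2::2 port 37032 ssh2: RSA SHA256:PLACEHOLDER-FINGERPRINT
2024-01-27T08:03:10.120000+00:00 t.example.com sshd[12400]: Accepted publickey for andy from 2001:db8:1f1:f0c2::2 port 37100 ssh2: ED25519 SHA256:PLACEHOLDER-FINGERPRINT-2
2024-01-27T08:05:00.000000+00:00 t.example.com sshd[12500]: Postponed publickey for root from 2001:db8:1f1:f0c2::9 port 40000 ssh2 [preauth]
"""

# Client debug output as quoted in the reply.
SSH_DEBUG = """\
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/andy/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering ED25519 public key: andy@jameson
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering RSA public key: /home/andy/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering RSA public key: /home/andy/.ssh/foo_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
debug1: Authentication succeeded (publickey).
"""


def correlate_sshd(log_text):
    """Group publickey events by sshd PID (one PID per connection)."""
    sessions = {}
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], {
            "user": m["user"], "src": m["src"],
            "postponed": 0, "accepted": False, "fingerprint": None,
        })
        if m["event"] == "Postponed":
            s["postponed"] += 1
        else:
            s["accepted"] = True
            s["fingerprint"] = m["fp"]
    return sessions


def classify(session):
    """Label a connection for log review."""
    if session["accepted"]:
        # A postponed line followed by acceptance in the same PID is the
        # pattern from the post: the login completed normally.
        return "postponed-then-accepted" if session["postponed"] else "accepted"
    # Postponed with no matching acceptance: the exchange never completed.
    return "postponed-unresolved"


def offered_keys(debug_text):
    """Return (keys offered in order, the key the server accepted or None)."""
    offered, accepted = [], None
    for line in debug_text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            offered.append((m["ktype"], m["ident"]))
        elif "Server accepts key" in line and offered:
            accepted = offered[-1]  # acceptance refers to the last key offered
    return offered, accepted


if __name__ == "__main__":
    for pid, s in correlate_sshd(SSHD_LOG).items():
        print(pid, s["user"], s["src"], classify(s))
    offered, accepted = offered_keys(SSH_DEBUG)
    print(f"{len(offered) - 1} keys offered before the accepted one: {accepted}")
```

With `-o IdentitiesOnly=yes`, as in the reply, the client-side list shrinks to the single key given with `-i`.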



Re: Automatically installing GRUB on multiple drives

2024-01-26 Thread Andy Smith
Hello,

On Fri, Jan 26, 2024 at 04:50:00PM +0100, hw wrote:
> How do you make the BIOS read the EFI partition when it's on mdadm
> RAID?

If MD superblock is at a part of device not used by filesystem (e.g.
the end) and it is a RAID-1, each member device is indistinguishable
from FAT filesystem without RAID for naive software in read-only
mode. This is also how grub boots MD RAID-1 before Grub understood
MD RAID.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Home UPS recommendations (Was Re: rsync --delete vs rsync --delete-after)

2024-01-26 Thread Andy Smith
Hi,

On Fri, Jan 26, 2024 at 04:11:39PM +0100, hw wrote:
> I've never had issues with any UPS due to self tests.  The batteries
> need to be replaced when they are worn out.  How often that is
> required depends on the UPS and the conditions it is working in,
> usually every 3--5 years.

Out of interest what brand of UPS do you recommend for home use that
has easily-replaceable batteries every 3–5 years? For a load of
about 300W.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Automatically installing GRUB on multiple drives

2024-01-26 Thread Andy Smith
Hello,

On Fri, Jan 26, 2024 at 08:40:42AM -0500, gene heskett wrote:
> On 1/26/24 08:19, Tim Woodall wrote:
> > Hardware raid that the bios cannot subvert is obviously one solution.
> > 
> Is nearly the only solution,

If the problem to be solved is defined as redundancy for the ESP,
there are a bunch of solutions as already discussed. All of them
come with upsides and downsides. The downsides of hardware RAID for
this, for me, are too big.

> [hardware RAID] needs to have a hard specified format that
> guarantees 100% compatibility across all makers

If that happened, mdadm could support it, and then I would continue
to use mdadm. In fact it already has happened, in that Intel came up
with a standard for its "fake RAID" data layout and mdadm does
support it already. But of course, none of the other vendors of
hardware RAID took that on.


https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/rst-linux-paper.pdf

It has also been pointed out that there is no technical reason why
EFI firmware can't support MD RAID, since MD is open source.

But on the whole, we can't wait around for any of that to happen.

> full intentions of locking the customer to only their product.

There was a time when hardware RAID was really the only game in
town, and the ability it gave to lock in the customer was just the
cost of doing business.

That time has passed, but I don't think the UEFI firmware developers
are interested in helping out.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Automatically installing GRUB on multiple drives

2024-01-26 Thread Andy Smith
Hello,

On Fri, Jan 26, 2024 at 01:18:53PM +, Tim Woodall wrote:
> Hardware raid that the bios cannot subvert is obviously one solution.

These days the different trade-offs for HW RAID are IMHO worse. I
left it behind in 2014 and don't intend to go back. 

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Automatically installing GRUB on multiple drives

2024-01-26 Thread Andy Smith
Hello,

On Fri, Jan 26, 2024 at 10:09:53AM +0100, Nicolas George wrote:
> Andy Smith (12024-01-26):
> > The "firmware may write to it" thing was raised as a concern by a
> > few people, but always a theoretical one from what I could see.
> 
> Now that I think a little more, this concern is not only unconfirmed,
> it is rather absurd. The firmware would never write in parts of the
> drive that might contain data.

I suppose my concern with that is that a firmware developer might
feel justified in poking about in the ESP, which they might consider
is there "for them".

I have seen quite a few first hand reports of motherboard firmware
that writes empty GPT when it sees a drive with no GPT, which I had
previously considered unthinkable, so I do worry about trusting in
the firmware developers.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting


