Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Mon, 06.12.10 12:30, Bill Nottingham (nott...@redhat.com) wrote:

> Michał Piotrowski (mkkp...@gmail.com) said:
> > > > If systemd will allow us to do that, sure.
> > >
> > > What's the point here? For example, this doesn't cut down on the number of listening ports, obviously, nor on the requirements for root passwords and potential root login. And if it's started in parallel, I doubt it's a huge drain on resources.
> >
> > For a fast and efficient boot-up two things are crucial:
> > * To start less.
> > * And to start more in parallel.
> > http://0pointer.de/blog/projects/systemd.html
> >
> > IMO the start-less philosophy is a good thing.
>
> Yes. However, I'm leery of adding too many drastic changes that don't have upstream buy-in yet.
>
> What's upstream openssh's opinion on socket activation?

There's no need to patch ssh. It can do inetd-style socket activation just fine, and has been supporting that upstream since basically its inception. From that I would deduce that upstream is fine with it. systemd supports inetd-style activation too just fine.

MacOS X has been installing sshd by default with socket activation enabled, and if they can do that I think we can do that on Fedora, too.

(There are cases where socket-activated ssh is not useful, and you want the real deal with sshd listening itself, but that shouldn't stop us from installing sshd socket-activated by default, since it is easy to switch back to the traditional way.)

Lennart

--
Lennart Poettering - Red Hat, Inc.

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
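The inetd-style activation Lennart describes, and the "easy to switch back" point, as an added example that is not code from the thread or from the openssh or systemd projects: a shell script that renders an sshd.socket/sshd@.service pair into a scratch directory (so it runs without root) and checks that the pair is internally consistent. The unit directory, the `/usr/sbin/sshd` path and the unit contents are assumptions about the target system; `Accept=yes` is what makes systemd accept each connection itself and hand the connected socket to a per-connection `sshd -i` on stdin/stdout.

```shell
#!/bin/sh
# Added example, not from the thread. Renders the inetd-style socket-activation
# unit pair for sshd and verifies it. Paths and unit text are assumptions.

# Write sshd.socket and sshd@.service into $1. On a real host the units would
# live in /etc/systemd/system; a scratch directory keeps this runnable as-is.
render_sshd_socket_units() {
    dir=$1
    mkdir -p "$dir" || return 1

    cat > "$dir/sshd.socket" <<'EOF'
[Unit]
Description=OpenSSH Server Socket (inetd-style, one sshd per connection)
# Never let the socket and the always-running daemon both own port 22.
Conflicts=sshd.service

[Socket]
ListenStream=22
# Accept=yes: systemd accept()s each connection and spawns sshd@<n>.service
# for it, passing the connected socket instead of the listening one.
Accept=yes

[Install]
WantedBy=sockets.target
EOF

    cat > "$dir/sshd@.service" <<'EOF'
[Unit]
Description=OpenSSH per-connection server daemon
After=auditd.service

[Service]
# -i puts sshd in inetd mode: it serves the connection it inherits on
# stdin/stdout and exits. The leading "-" tells systemd not to treat a
# non-zero exit (e.g. a client that just disconnects) as a unit failure.
ExecStart=-/usr/sbin/sshd -i
StandardInput=socket
EOF
}

# The pair only works if all three hold: the socket accepts per connection,
# the template service reads the connection from stdin, and sshd runs in
# inetd mode. Returns 0 when consistent, 1 otherwise.
check_inetd_style_units() {
    dir=$1
    grep -q '^Accept=yes$' "$dir/sshd.socket" || return 1
    grep -q '^StandardInput=socket$' "$dir/sshd@.service" || return 1
    grep -q '^ExecStart=-\?/usr/sbin/sshd -i$' "$dir/sshd@.service" || return 1
    return 0
}

# Switching modes on a live system (shown as comments, not executed here):
#   on-demand, socket-activated:
#     systemctl disable --now sshd.service && systemctl enable --now sshd.socket
#   traditional, always-listening daemon:
#     systemctl disable --now sshd.socket && systemctl enable --now sshd.service
# Either way exactly one unit binds port 22; Conflicts= enforces that.

# Stand-alone run: render into a temporary directory and verify.
scratch=$(mktemp -d)
if render_sshd_socket_units "$scratch" && check_inetd_style_units "$scratch"; then
    echo "rendered consistent inetd-style units in $scratch"
else
    echo "unit pair is inconsistent" >&2
fi
```

Note that `grep -q '^ExecStart=-\?...'` accepts the `ExecStart=` line with or without the leading `-`; that is a GNU grep extension to basic regular expressions, so on a strictly POSIX grep use `grep -E` with `-?` instead.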
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Rahul Sundaram wrote:
> Socket activation is not mandatory or even a benefit in all cases. Just because we have a patch doesn't mean it is the right one. Upstream might have the foresight and the knowledge to see problems with patches we might not. There might be security implications. In specific cases, we can consider overriding upstream decisions but there should be very strong reasons to do so. Just because a license allows it doesn't make it best practise. It is always useful to get more peer reviews for patches from people with expertise in the codebase. Upstream is a good place for that.

I believe it is the purpose of a well-integrated distribution to make sure distro-wide features are implemented in ALL packages, irrespectively of upstream projects' (or even individual package maintainers') personal opinions and diverging (from ours) objectives.

Kevin Kofler
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Sat, Dec 11, 2010 at 8:11 PM, Kevin Kofler wrote:
> Rahul Sundaram wrote:
> > Socket activation is not mandatory or even a benefit in all cases. Just because we have a patch doesn't mean it is the right one. Upstream might have the foresight and the knowledge to see problems with patches we might not. There might be security implications. In specific cases, we can consider overriding upstream decisions but there should be very strong reasons to do so. Just because a license allows it doesn't make it best practise. It is always useful to get more peer reviews for patches from people with expertise in the codebase. Upstream is a good place for that.
>
> I believe it is the purpose of a well-integrated distribution to make sure distro-wide features are implemented in ALL packages, irrespectively of upstream projects' (or even individual package maintainers') personal opinions and diverging (from ours) objectives.

Nothing I said contradicts that; however, it is not just a question of personal opinions. It is also a question of maintenance (non-upstreamable patches need to be forward-ported for updates and might have bugs not in the upstream codebase, so your advocacy of abrt reporting bugs upstream is in contradiction) and of expertise in the codebase (upstream is typically more knowledgeable). Upstream opinions do matter and we need to care, even if we decide on exceptions in some specific cases for good reasons. We have a long-standing policy of doing so and it is an important part of what Fedora is.

Rahul
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Bill Nottingham wrote:
> Right. To do this in systemd implies that you're patching openssh to do socket-based activation... hence why I asked about upstream's opinion on it.

Why would we care? It's our goal to have ALL network daemons be socket-activated eventually. This is a distribution-wide feature and as such software MUST be patched to support it. Doing this kind of integration work is what a distribution is for.

We need to stop treating upstream like a sacred cow. It is OUR decision as a distribution what we want to ship to our users. The Free licensing of the software we ship explicitly allows us to adapt it to any and all of our needs.

Kevin Kofler
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Chris Adams wrote:
> The only thing you need a firewall by default for is to prevent services that are listening on the network from being accessible. The better solution is to stop having services listen on the network by default.

FWIW, this is what Ubuntu has been doing for ages (they call it the "zero open ports" policy), and AFAIK they do not enable iptables by default because of this.

That said, zero open ports also got complaints, e.g. because they disabled the CUPS web-based configuration interface to close port 631.

Kevin Kofler
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Sat, Dec 11, 2010 at 4:57 AM, Kevin Kofler <kevin.kof...@chello.at> wrote:
> Bill Nottingham wrote:
> > Right. To do this in systemd implies that you're patching openssh to do socket-based activation... hence why I asked about upstream's opinion on it.
>
> Why would we care? It's our goal to have ALL network daemons be socket-activated eventually. This is a distribution-wide feature and as such software MUST be patched to support it.

Socket activation is not mandatory or even a benefit in all cases. Just because we have a patch doesn't mean it is the right one. Upstream might have the foresight and the knowledge to see problems with patches we might not. There might be security implications. In specific cases, we can consider overriding upstream decisions but there should be very strong reasons to do so. Just because a license allows it doesn't make it best practise. It is always useful to get more peer reviews for patches from people with expertise in the codebase. Upstream is a good place for that.

Rahul
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Mon, 2010-12-06 at 20:08 -0600, Chris Adams wrote:
> Once upon a time, Adam Williamson <awill...@redhat.com> said:
> > On most laptops, however, which are the most common types of system sold today, a firewall is very definitely needed when you're connecting to hotel networks, public wifi access points...
>
> The only thing you need a firewall by default for is to prevent services that are listening on the network from being accessible. The better solution is to stop having services listen on the network by default. This was done for sendmail many years ago; why hasn't it been done for other things, such as rpcbind (and RPC services), cups, etc.? These daemons should bind to localhost only unless otherwise configured.

In the cups case it might be reasonable to default to localhost. However, for rpcbind it is clearly not so - what's the point of starting things that are mostly needed for NFS when you would be able to mount only NFS provided by the localhost and export it to the localhost only as well? In that sense it is debatable whether we want to have rpcbind ON by default, but having it on and bound to localhost only does not make any sense to me.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Once upon a time, Tomas Mraz <tm...@redhat.com> said:
> In the cups case it might be reasonable to default to localhost. However, for rpcbind it is clearly not so - what's the point of starting things that are mostly needed for NFS when you would be able to mount only NFS provided by the localhost and export it to the localhost only as well? In that sense it is debatable whether we want to have rpcbind ON by default, but having it on and bound to localhost only does not make any sense to me.

Mounting remote NFS mounts doesn't require allowing the server to query the local rpcbind, does it? I think you only need to allow remote access to rpcbind if you are exporting filesystems, at which point you are configuring things anyway, so configure rpcbind to listen on the network. I don't think this would be a big deal to require, since today you have to reconfigure the firewall if you are configuring an NFS server.

--
Chris Adams <cmad...@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
2010/12/7 Tomas Mraz <tm...@redhat.com>:
> On Mon, 2010-12-06 at 20:08 -0600, Chris Adams wrote:
> > Once upon a time, Adam Williamson <awill...@redhat.com> said:
> > > On most laptops, however, which are the most common types of system sold today, a firewall is very definitely needed when you're connecting to hotel networks, public wifi access points...
> >
> > The only thing you need a firewall by default for is to prevent services that are listening on the network from being accessible. The better solution is to stop having services listen on the network by default. This was done for sendmail many years ago; why hasn't it been done for other things, such as rpcbind (and RPC services), cups, etc.? These daemons should bind to localhost only unless otherwise configured.
>
> In the cups case it might be reasonable to default to localhost. However, for rpcbind it is clearly not so - what's the point of starting things that are mostly needed for NFS when you would be able to mount only NFS provided by the localhost and export it to the localhost only as well? In that sense it is debatable whether we want to have rpcbind ON by default, but having it on and bound to localhost only does not make any sense to me.

How many users use NFS on the desktop? It is not even used on all servers. So the question is - do we want to have NFS by default? I use samba and I don't want to force all users to install it by default.

--
Best regards,
Michal

Sent from my iToaster
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Mon, Dec 06, 2010 at 08:08:49PM -0600, Chris Adams wrote:
> Once upon a time, Adam Williamson <awill...@redhat.com> said:
> > On most laptops, however, which are the most common types of system sold today, a firewall is very definitely needed when you're connecting to hotel networks, public wifi access points...
>
> The only thing you need a firewall by default for is to prevent services that are listening on the network from being accessible. The better solution is to stop having services listen on the network by default. This was done for sendmail many years ago; why hasn't it been done for other things, such as rpcbind (and RPC services), cups, etc.? These daemons should bind to localhost only unless otherwise configured.

Afaik ntpd, sobby and software written in erlang (e.g. ejabberd) do not support this (completely).

Regards
Till
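A way to check, on a given host, whether the "bind to localhost only unless otherwise configured" rule Chris Adams asks for (and the "zero open ports" policy Kevin Kofler mentions) actually holds, as an added example that is not from the thread: a shell filter that reads `ss -ltn`-style output and reports every listening TCP socket that is not bound to a loopback address. The sample lines embedded below are constructed for the example (a loopback-only cups on 631, rpcbind on 111 on all interfaces, and a wildcard sshd on 22); on a live system you would pipe `ss -Hltn` (and `ss -Hlun` for UDP) into the same filter.

```shell
#!/bin/sh
# Added example, not from the thread. Flags listening sockets that are reachable
# from the network, i.e. bound to anything other than 127.0.0.0/8 or [::1].
# Input format is the one `ss -Hltn` prints (no header):
#   State Recv-Q Send-Q Local_Address:Port Peer_Address:Port

# Constructed sample output for offline use; not captured from a real host.
SAMPLE_SS_OUTPUT='LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*'

# Reads ss lines on stdin, prints "<address> <port>" for each exposed listener.
# The port is everything after the last ":"; the rest is the address, which
# keeps IPv6 literals such as "[::]" or "[::1]" intact.
exposed_listeners() {
    awk '
    NF >= 4 {
        local = $4
        n = split(local, parts, ":")
        port = parts[n]
        addr = substr(local, 1, length(local) - length(port) - 1)
        # Loopback: the whole 127/8 range, or the IPv6 loopback literal.
        if (addr ~ /^127\./ || addr == "[::1]") next
        # Anything else is network-reachable: a wildcard (0.0.0.0, [::], *)
        # or a specific interface address. Note that a socket bound to [::]
        # usually also accepts IPv4 connections on dual-stack hosts.
        printf "%s %s\n", addr, port
    }'
}

# Convenience: just the number of exposed listeners (0 means "zero open ports").
count_exposed_listeners() {
    exposed_listeners | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample. For a live check, replace the
# printf with:  ss -Hltn | exposed_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners
printf 'exposed listeners: %s\n' "$(printf '%s\n' "$SAMPLE_SS_OUTPUT" | count_exposed_listeners)"
```

The filter deliberately reports sockets bound to a specific non-loopback address as well as wildcard binds, because from the hostile-network perspective Adam Williamson describes both are equally reachable; a firewall only matters for whatever this list is not empty for.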
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Hi,

On 12/06/2010 06:34 AM, Michał Piotrowski wrote:
> Hi,
>
> On 3 December 2010 09:14, Michał Piotrowski <mkkp...@gmail.com> wrote:
> [..]
> > What services are installed by default when installing from Live GNOME/KDE/etc and DVD?
>
> Ok, let's ask the question differently - what services should be run by default to provide a working system for a desktop user?
>
> IMO ssh can be off by default and should be started only if a user tries to connect over port 22.
>
> Do we really need to install iptables/ip6tables by default (it's in the core group)?

Do we really need a firewall configured? Yes we do, because of SECURITY.

I'm sorry, but asking if we really need iptables by default is just stupid!

Regards,

Hans
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On 6 December 2010 10:43, Hans de Goede <hdego...@redhat.com> wrote:
> Hi,
>
> On 12/06/2010 06:34 AM, Michał Piotrowski wrote:
> > Hi,
> >
> > On 3 December 2010 09:14, Michał Piotrowski <mkkp...@gmail.com> wrote:
> > [..]
> > > What services are installed by default when installing from Live GNOME/KDE/etc and DVD?
> >
> > Ok, let's ask the question differently - what services should be run by default to provide a working system for a desktop user?
> >
> > IMO ssh can be off by default and should be started only if a user tries to connect over port 22.
> >
> > Do we really need to install iptables/ip6tables by default (it's in the core group)?
>
> Do we really need a firewall configured? Yes we do, because of SECURITY.
>
> I'm sorry, but asking if we really need iptables by default is just stupid!

LOL :) There are no stupid questions :)

On most desktop systems a firewall is not needed. Many users do not even know how to configure it. In fact I disable it on most of my systems, because there is no real use for it. So I asked a simple question: is there a need to install iptables by default? Your answer is not satisfactory for me, because an unconfigured firewall has nothing to do with security. In fact, it can only bring a false sense of security.

> Regards,
>
> Hans

--
Best regards,
Michal

Sent from my iToaster
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Mon, 6 Dec 2010 06:34:45 +0100, Michał Piotrowski <mkkp...@gmail.com> wrote:
> Hi,
>
> On 3 December 2010 09:14, Michał Piotrowski <mkkp...@gmail.com> wrote:
> [..]
> > What services are installed by default when installing from Live GNOME/KDE/etc and DVD?
>
> Ok, let's ask the question differently - what services should be run by default to provide a working system for a desktop user?

Perhaps we can ask this even more differently: What are you trying to do? What's your high-level goal here? Boot speed? Number of packages installed?

> IMO ssh can be off by default and should be started only if a user tries to connect over port 22.

If systemd will allow us to do that, sure.

> Do we really need to install iptables/ip6tables by default (it's in the core group)?

Yes, I think so. Either firewall by default, or we need to make sure nothing is running that listens externally to reduce the security footprint, IMHO.

kevin
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Kevin Fenzi (ke...@scrye.com) said:
> > IMO ssh can be off by default and should be started only if a user tries to connect over port 22.
>
> If systemd will allow us to do that, sure.

What's the point here? For example, this doesn't cut down on the number of listening ports, obviously, nor on the requirements for root passwords and potential root login. And if it's started in parallel, I doubt it's a huge drain on resources.

Bill
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On 6 December 2010 18:01, Kevin Fenzi <ke...@scrye.com> wrote:
> On Mon, 6 Dec 2010 06:34:45 +0100, Michał Piotrowski <mkkp...@gmail.com> wrote:
> > Hi,
> >
> > On 3 December 2010 09:14, Michał Piotrowski <mkkp...@gmail.com> wrote:
> > [..]
> > > What services are installed by default when installing from Live GNOME/KDE/etc and DVD?
> >
> > Ok, let's ask the question differently - what services should be run by default to provide a working system for a desktop user?
>
> Perhaps we can ask this even more differently: What are you trying to do?

I'm trying to convert sysvinit scripts to systemd services (as many as possible).

> What's your high-level goal here? Boot speed? Number of packages installed?

I know it will not be possible to convert all sysvinit scripts for F15, but at least we can try to provide the full systemd experience for the most common configurations.

--
Best regards,
Michal

Sent from my iToaster
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
2010/12/6 Bill Nottingham <nott...@redhat.com>:
> Kevin Fenzi (ke...@scrye.com) said:
> > > IMO ssh can be off by default and should be started only if a user tries to connect over port 22.
> >
> > If systemd will allow us to do that, sure.
>
> What's the point here? For example, this doesn't cut down on the number of listening ports, obviously, nor on the requirements for root passwords and potential root login. And if it's started in parallel, I doubt it's a huge drain on resources.

For a fast and efficient boot-up two things are crucial:
* To start less.
* And to start more in parallel.
http://0pointer.de/blog/projects/systemd.html

IMO the start-less philosophy is a good thing.

> Bill

--
Best regards,
Michal

Sent from my iToaster
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Mon, 6 Dec 2010 18:17:51 +0100, Michał Piotrowski <mkkp...@gmail.com> wrote:
> On 6 December 2010 18:01, Kevin Fenzi <ke...@scrye.com> wrote:
> ...snip...
> > What are you trying to do?
>
> I'm trying to convert sysvinit scripts to systemd services (as many as possible).

If you're trying to determine what units should be enabled by default, please talk to the Fedora Packaging Committee.

See also: https://fedorahosted.org/fesco/ticket/504

Where fesco decided: "Default is off, exceptions exist to allow proper functioning of the os. FPC to document exceptions and process exception requests."

FPC was going to work on an exceptions list I think...

kevin
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On 6 December 2010 18:43, Kevin Fenzi <ke...@scrye.com> wrote:
> On Mon, 6 Dec 2010 18:17:51 +0100, Michał Piotrowski <mkkp...@gmail.com> wrote:
> > On 6 December 2010 18:01, Kevin Fenzi <ke...@scrye.com> wrote:
> > ...snip...
> > > What are you trying to do?
> >
> > I'm trying to convert sysvinit scripts to systemd services (as many as possible).
>
> If you're trying to determine what units should be enabled by default, please talk to the Fedora Packaging Committee.
>
> See also: https://fedorahosted.org/fesco/ticket/504
>
> Where fesco decided: "Default is off, exceptions exist to allow proper functioning of the os. FPC to document exceptions and process exception requests."
>
> FPC was going to work on an exceptions list I think...

This list will be useful. Dear FPC people, could you provide this list in the near future?

> kevin

--
Best regards,
Michal

Sent from my iToaster
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Michał Piotrowski (mkkp...@gmail.com) said:
> > > If systemd will allow us to do that, sure.
> >
> > What's the point here? For example, this doesn't cut down on the number of listening ports, obviously, nor on the requirements for root passwords and potential root login. And if it's started in parallel, I doubt it's a huge drain on resources.
>
> For a fast and efficient boot-up two things are crucial:
> * To start less.
> * And to start more in parallel.
> http://0pointer.de/blog/projects/systemd.html
>
> IMO the start-less philosophy is a good thing.

Yes. However, I'm leery of adding too many drastic changes that don't have upstream buy-in yet.

What's upstream openssh's opinion on socket activation?

Bill
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
2010/12/6 Bill Nottingham <nott...@redhat.com>:
> Michał Piotrowski (mkkp...@gmail.com) said:
> > > > If systemd will allow us to do that, sure.
> > >
> > > What's the point here? For example, this doesn't cut down on the number of listening ports, obviously, nor on the requirements for root passwords and potential root login. And if it's started in parallel, I doubt it's a huge drain on resources.
> >
> > For a fast and efficient boot-up two things are crucial:
> > * To start less.
> > * And to start more in parallel.
> > http://0pointer.de/blog/projects/systemd.html
> >
> > IMO the start-less philosophy is a good thing.
>
> Yes. However, I'm leery of adding too many drastic changes that don't have upstream buy-in yet.

I understand your POV.

> What's upstream openssh's opinion on socket activation?

Does openssh stand out as something special among other daemons?

> Bill

--
Best regards,
Michal

Sent from my iToaster
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Michał Piotrowski wrote on Mon, 06. 12. 2010 at 20:22 +0100:
> 2010/12/6 Bill Nottingham <nott...@redhat.com>:
> Does openssh stand out as something special among other daemons?

Actually, it does - for remote installations (sometimes the only option) ssh needs to be running after installation so that the system administrator can connect to it and start configuring it. Other services are not necessary like this.

(Yes, the system administrator can write a kickstart script that enables the service after installation. I'm not sure that's something we can ask a novice sysadmin to do, however.)

Mirek
Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
I wonder why my server rejected my previous email?

---------- Forwarded message ----------
From: Michał Piotrowski <mkkp...@gmail.com>
Date: 6 December 2010 20:46
Subject: Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
To: Development discussions related to Fedora <devel@lists.fedoraproject.org>

2010/12/6 Miloslav Trmač <m...@volny.cz>:
> Michał Piotrowski wrote on Mon, 06. 12. 2010 at 20:22 +0100:
> > 2010/12/6 Bill Nottingham <nott...@redhat.com>:
> > Does openssh stand out as something special among other daemons?
>
> Actually, it does - for remote installations (sometimes the only option) ssh needs to be running after installation so that the system administrator can connect to it and start configuring it. Other services are not necessary like this.
>
> (Yes, the system administrator can write a kickstart script that enables the service after installation. I'm not sure that's something we can ask a novice sysadmin to do, however.)

We are talking here about the case when the ssh server is started when a user connects to port 22 (or another configured port). From my POV everything should work as expected.

> Mirek

--
Best regards,
Michal

Sent from my iToaster
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Michał Piotrowski (mkkp...@gmail.com) said:
> We are talking here about the case when the ssh server is started when a user connects to port 22 (or another configured port). From my POV everything should work as expected.

Right. To do this in systemd implies that you're patching openssh to do socket-based activation... hence why I asked about upstream's opinion on it.

Bill
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
2010/12/6 Bill Nottingham <nott...@redhat.com>:
> Michał Piotrowski (mkkp...@gmail.com) said:
> > We are talking here about the case when the ssh server is started when a user connects to port 22 (or another configured port). From my POV everything should work as expected.
>
> Right. To do this in systemd implies that you're patching openssh to do socket-based activation... hence why I asked about upstream's opinion on it.

I wasn't aware that they don't support it. I saw Lennart's http://0pointer.de/public/systemd-units/sshd.socket and I thought that it just works (I haven't tested it yet).

> Bill

--
Best regards,
Michal

Sent from my iToaster
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Mon, Dec 06, 2010 at 06:55:20PM +0100, Michał Piotrowski wrote:
> On 6 December 2010 18:43, Kevin Fenzi <ke...@scrye.com> wrote:
> > On Mon, 6 Dec 2010 18:17:51 +0100, Michał Piotrowski <mkkp...@gmail.com> wrote:
> > > On 6 December 2010 18:01, Kevin Fenzi <ke...@scrye.com> wrote:
> > > ...snip...
> > > > What are you trying to do?
> > >
> > > I'm trying to convert sysvinit scripts to systemd services (as many as possible).
> >
> > If you're trying to determine what units should be enabled by default, please talk to the Fedora Packaging Committee.
> >
> > See also: https://fedorahosted.org/fesco/ticket/504
> >
> > Where fesco decided: "Default is off, exceptions exist to allow proper functioning of the os. FPC to document exceptions and process exception requests."
> >
> > FPC was going to work on an exceptions list I think...
>
> This list will be useful. Dear FPC people, could you provide this list in the near future?

Feedback appreciated -- what do you think should be on? What do you think should be off?

Right now I think we'd make an exception for ssh (a really big exception since it's a network-facing service, even). Dbus and the default syslog variant also spring to mind as candidates. Those might be able to start defining a category of things needed to run a desktop session or something.

iptables, auditd, restorecond sound like keepers -- maybe a category here would be things that add to system security in a default install. For this category we'd want to be careful: do we also want to allow fail2ban or denyhosts to run by default if they're installed?

Other categories or specific examples would be good.

-Toshio
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
2010/12/7 Toshio Kuratomi <a.bad...@gmail.com>:
> On Mon, Dec 06, 2010 at 06:55:20PM +0100, Michał Piotrowski wrote:
> > On 6 December 2010 18:43, Kevin Fenzi <ke...@scrye.com> wrote:
> > > On Mon, 6 Dec 2010 18:17:51 +0100, Michał Piotrowski <mkkp...@gmail.com> wrote:
> > > > On 6 December 2010 18:01, Kevin Fenzi <ke...@scrye.com> wrote:
> > > > ...snip...
> > > > > What are you trying to do?
> > > >
> > > > I'm trying to convert sysvinit scripts to systemd services (as many as possible).
> > >
> > > If you're trying to determine what units should be enabled by default, please talk to the Fedora Packaging Committee.
> > >
> > > See also: https://fedorahosted.org/fesco/ticket/504
> > >
> > > Where fesco decided: "Default is off, exceptions exist to allow proper functioning of the os. FPC to document exceptions and process exception requests."
> > >
> > > FPC was going to work on an exceptions list I think...
> >
> > This list will be useful. Dear FPC people, could you provide this list in the near future?
>
> Feedback appreciated -- what do you think should be on? What do you think should be off?
>
> Right now I think we'd make an exception for ssh (a really big exception since it's a network-facing service, even).

Ok

> Dbus and the default syslog variant also spring to mind as candidates.

Ok

> Those might be able to start defining a category of things needed to run a desktop session or something.
>
> iptables,

No chance to disable this, I guess. ip6tables too?

> auditd, restorecond sound like keepers -- maybe a category here would be things that add to system security in a default install.

These are things related to core system security, so they should be enabled.

> For this category we'd want to be careful: do we also want to allow fail2ban or denyhosts to run by default if they're installed?

No, other things not related to SELinux (or something that we could call the core security subsystem) should IMHO be off by default.

> Other categories or specific examples would be good.

Cron - but it should be activated only when cron files exist.

It seems to me that the list:
- ssh
- Dbus
- syslog
- iptables
- ip6tables
- auditd
- restorecond
is an absolute minimum to get a working system.

- udev-post? - is it needed for F15?
- mdmonitor and lvm2-monitor? - are they needed for properly working MDs/LVMs?
- network/NetworkManager?

Everything else that is not essential for Fedora security or basic desktop functionality should IMO be off by default.

> -Toshio

--
Best regards,
Michal

Sent from my iToaster
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
> Cron - but it should be activated only when cron files exist.
>
> It seems to me that the list:
> - ssh
> - Dbus
> - syslog
> - iptables
> - ip6tables
> - auditd
> - restorecond
> is an absolute minimum to get a working system.

I don't agree that ssh is required for a working system. A desktop user may never ssh to his/her own machine. (Whether to enable ssh by default is a different question.)

--
Matt
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
2010/12/7 Matt McCutchen m...@mattmccutchen.net:
> On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
>> Cron - but it should be activated only when cron files exist.
>>
>> It seems to me that the list:
>> - ssh
>> - Dbus
>> - syslog
>> - iptables
>> - ip6tables
>> - auditd
>> - restorecond
>> is an absolute minimum to get a working system.
>
> I don't agree that ssh is required for a working system.

It's required for all systems without a display device.

> A desktop user may never ssh to his/her own machine.

That's why it should be socket activated as soon as possible.

> (Whether to enable ssh by default is a different question.)
>
> --
> Matt

--
Best regards,
Michal

Sent from my iToaster
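Socket-activated sshd as proposed above, expressed as a pair of systemd units. This is an added example, not Fedora's shipped units or code from anyone in the thread; the unit names, install paths and the MaxConnections value are assumptions.

```ini
# /etc/systemd/system/sshd.socket   (assumed path; added example)
# systemd owns port 22 and nothing else runs until a client connects,
# so an idle desktop has no resident sshd process at all.
[Unit]
Description=OpenSSH server socket (inetd-style activation)
# Never run alongside a daemon-mode sshd that would bind port 22 itself.
Conflicts=sshd.service

[Socket]
ListenStream=22
# inetd style: one sshd@ instance per accepted connection, connection on stdin/stdout.
Accept=yes
# Cap simultaneous instances so a connection flood cannot fork sshd without bound.
MaxConnections=64

[Install]
WantedBy=sockets.target

# /etc/systemd/system/sshd@.service   (template; one instance per connection)
[Unit]
Description=OpenSSH per-connection server
# Start after the audit daemon so the login attempt is recorded.
After=auditd.service

[Service]
# -i: inetd mode, sshd speaks the protocol on the socket handed to it as stdin.
# The leading '-' tells systemd not to treat a non-zero exit (closed session) as a failure.
ExecStart=-/usr/sbin/sshd -i
StandardInput=socket
```

Enabling sshd.socket instead of sshd.service gives the "start only when someone connects on port 22" behaviour; switching back to a resident daemon is just disabling the socket and enabling the service.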
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Tue, Dec 07, 2010 at 12:38:07AM +0100, Michał Piotrowski wrote:
> 2010/12/7 Toshio Kuratomi a.bad...@gmail.com:
>> Those might be able to start defining a category of things needed to run a desktop session or something.
>
> iptables, no chance to disable this.

I'd be more inclined to ask what benefit we have to turning the firewall off vs having a more permissive set of firewall rules by default. AFAIK, turning the firewall on doesn't currently turn on any additional daemon -- it just sets up the defined rules.

> I guess ip6tables too?

Yep.

Would you be willing to write up a Packaging Draft and add it to the FPC tracker? If not, I'll bring it up in the Packaging Meeting on Wednesday morning.

-Toshio
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Tue, 2010-12-07 at 01:07 +0100, Michał Piotrowski wrote:
> 2010/12/7 Matt McCutchen m...@mattmccutchen.net:
>> On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
>>> Cron - but it should be activated only when cron files exist.
>>>
>>> It seems to me that the list:
>>> - ssh
>>> - Dbus
>>> - syslog
>>> - iptables
>>> - ip6tables
>>> - auditd
>>> - restorecond
>>> is an absolute minimum to get a working system.
>>
>> I don't agree that ssh is required for a working system.
>
> It's required for all systems without a display device.

That is, some servers. It needs to be easy to enable sshd when installing a server, but I don't see a reason to have it enabled by default on desktops.

--
Matt
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
> There are no stupid questions :)
>
> On most desktop systems a firewall is not needed. Many users do not even know how to configure it. In fact I disable it on most of my systems, because there is no real use for it. So I asked a simple question: whether there is a need to install iptables by default?

On most laptops, however, which are the most common types of system sold today, a firewall is very definitely needed when you're connecting to hotel networks, public wifi access points...

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Adam Williamson writes on Mon 06. 12. 2010 at 17:57 -0800:
> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
>> There are no stupid questions :)
>>
>> On most desktop systems a firewall is not needed. Many users do not even know how to configure it. In fact I disable it on most of my systems, because there is no real use for it. So I asked a simple question: whether there is a need to install iptables by default?
>
> On most laptops, however, which are the most common types of system sold today, a firewall is very definitely needed when you're connecting to hotel networks, public wifi access points...

It's not quite as clear as that. Yes, the networks are dangerous. But what specifically is the firewall protecting, and what specifically does it prevent?

Mirek
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On 12/06/2010 05:57 PM, Adam Williamson wrote:
> On most laptops, however, which are the most common types of system sold today, a firewall is very definitely needed when you're connecting to hotel networks, public wifi access points...

Please explain why. What actual service is the firewall rendering in this case?

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Mon, 2010-12-06 at 17:57 -0800, Adam Williamson wrote:
> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
>> There are no stupid questions :)
>>
>> On most desktop systems a firewall is not needed. Many users do not even know how to configure it. In fact I disable it on most of my systems, because there is no real use for it. So I asked a simple question: whether there is a need to install iptables by default?
>
> On most laptops, however, which are the most common types of system sold today, a firewall is very definitely needed when you're connecting to hotel networks, public wifi access points...

We're trying to get beyond that conventional wisdom and look at what services might actually get unintentionally exposed in the absence of a firewall and whether there is some other solution (e.g., don't enable them by default, or bind to localhost).

https://lists.fedoraproject.org/pipermail/devel/2010-December/146758.html

--
Matt
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Once upon a time, Adam Williamson awill...@redhat.com said:
> On most laptops, however, which are the most common types of system sold today, a firewall is very definitely needed when you're connecting to hotel networks, public wifi access points...

The only thing you need a firewall by default for is to prevent services that are listening on the network from being accessible. The better solution is to stop having services listen on the network by default. This was done for sendmail many years ago; why hasn't it been done for other things, such as rpcbind (and RPC services), cups, etc.? These daemons should bind to localhost only unless otherwise configured.

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
2010/12/7 Toshio Kuratomi a.bad...@gmail.com:
> On Tue, Dec 07, 2010 at 12:38:07AM +0100, Michał Piotrowski wrote:
>> 2010/12/7 Toshio Kuratomi a.bad...@gmail.com:
>>> Those might be able to start defining a category of things needed to run a desktop session or something.
>>
>> iptables, no chance to disable this.
>
> I'd be more inclined to ask what benefit we have to turning the firewall off vs having a more permissive set of firewall rules by default. AFAIK, turning the firewall on doesn't currently turn on any additional daemon -- it just sets up the defined rules.
>
>> I guess ip6tables too?
>
> Yep.
>
> Would you be willing to write up a Packaging Draft and add it to the FPC tracker? If not, I'll bring it up in the Packaging Meeting on Wednesday morning.

I'm not a Fedora developer, I just create service files :)

> -Toshio

--
Best regards,
Michal

Sent from my iToaster
Re: Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
On Tue, Dec 07, 2010 at 07:14:16AM +0100, Michał Piotrowski wrote:
> 2010/12/7 Toshio Kuratomi a.bad...@gmail.com:
>> On Tue, Dec 07, 2010 at 12:38:07AM +0100, Michał Piotrowski wrote:
>>> 2010/12/7 Toshio Kuratomi a.bad...@gmail.com:
>>>> Those might be able to start defining a category of things needed to run a desktop session or something.
>>>
>>> iptables, no chance to disable this.
>>
>> I'd be more inclined to ask what benefit we have to turning the firewall off vs having a more permissive set of firewall rules by default. AFAIK, turning the firewall on doesn't currently turn on any additional daemon -- it just sets up the defined rules.
>>
>>> I guess ip6tables too?
>>
>> Yep.
>>
>> Would you be willing to write up a Packaging Draft and add it to the FPC tracker? If not, I'll bring it up in the Packaging Meeting on Wednesday morning.
>
> I'm not a Fedora developer, I just create service files :)

Okay... I doubt we'll nail this down for a while then. Here's the ticket I've opened:

https://fedorahosted.org/fpc/ticket/41

I have a feeling those categories don't account for everything yet... For instance, readahead, abrtd... look in your /etc/init.d/ directory on F14 and tell me what things that are there could have a justification.

-Toshio
Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Hi,

On 3 December 2010 at 09:14, Michał Piotrowski mkkp...@gmail.com wrote:
> [..]
> What services are installed by default when installing from Live GNOME/KDE/etc and DVD?

Ok, let's ask the question differently - what services should be run by default to provide a working system for a desktop user?

IMO ssh can be off by default and should be started only if a user tries to connect over port 22.

Do we really need to install iptables/ip6tables by default (it's in the core group)?

--
Best regards,
Michal

Sent from my iToaster