Re: [gentoo-user] Wrong domain in e-mail failure messages
On Sunday 11 October 2015 16:19:47 pe...@prh.myzen.co.uk wrote:
> Alan McKinnon wrote:
> > On 11/10/2015 17:23, Peter Humphrey wrote:
> > > On Sunday 11 October 2015 13:33:56 J. Roeleveld wrote:
> > > > In your SMTP-server config, did you configure "Send custom hostname to
> > > > server"? Also, check the output of " hostname -f ".
> > >
> > > The SMTP server is at the ISP, so not accessible to me.
> > >
> > > $ hostname -f
> > > wstn.prhnet
> > >
> > > Any other ideas?
> >
> > What's in /etc/hosts?
>
> No mention of localhost.

I was wrong. I should have said there's no mention of localnet - there is of course the usual "127.0.0.1 localhost" entry. Serves me right for trying to send e-mail from my mobile phone.

--
Rgds
Peter
Re: [gentoo-user] Wrong domain in e-mail failure messages
On Sunday 11 October 2015 12:11:07 I wrote:
> I've just received a delivery failure message from my ISP, zen.co.uk, saying
> it couldn't deliver an e-mail I'd sent. There's only one thing wrong (apart
> from the reason for the failure, which is out of my control). It's shown in
> the second line of the failure notice:
>
> Received: from [xx.xx.xx.xx] (helo=wstn.localnet)
>
> I've bowdlerised the IP, and wstn is the name of this box, but where did it
> get localnet from? I've grepped /etc for it, and I've searched my home
> directory tree for it. Both searches turned up empty.
>
> I use KMail, which is set up to send all outgoing mail directly to my ISP
> via SMTP; no other box is involved. And I hope my ADSL router isn't
> interfering.

I think what must have happened is that, in my KMail identity, I'd left the default domain name as it was - just the host part. I've now added the network part to it, and I'll see how that goes.

Thanks for the ideas.

--
Rgds
Peter
[gentoo-user] Re: DNS server packages
Alan McKinnon gmail.com> writes:

> > I need to setup DNS primary/secondary systems on gentoo. So right now
> > I'm looking for a suggested list of packages to install with Bind,
> > iptables and DNSSEC-tools as these (2) gentoo dns servers will only
> > run the minimum packages to operate securely?
>
> auth or cache?

These are the (2) net facing primary and slave dns servers, just for the few domain names I will authenticate. They'll be behind a firewall (iptables/dmz) with no internal zone information. Strictly auth, public facing, with DNSsec. The plan is to go slow with manual configuration and slowly add features like a database, as I roll out new auth-DNS servers on newer, embedded hardware (very small, very low power, but lots of ram (2G)). So over time the scope will evolve. It's a manual approach to a refresher for me. Eventually one of the auth-dns-slaves will be an arm cluster for performance testing on mesos. (That's a ways off).

So also, the iptables rules for such a setup will need to be revisited, dusting off what I used to use. Again, the importance is trying different packages and sniffing the results and examining log files (manually and with scripts) on a log host. So only port 53 (public/routable net visible) and port 22 from a select set of private ips is all these will need.

> First of all, bind is a pain to use. Reason: it's actually a reference
> implementation that as usual got forced into production use. It's slower
> than it could be because it deals with every possible corner case per RFC.
> As an auth server (few queries) it's OK

Bind is an old acquaintance of mine:: been a few years, hence the post. I may test/migrate to something else, later.

> As a cache (many queries), there are better servers out there. I prefer
> unbound.

A Caching DNS server for internal usages is another project for another time. It will be totally isolated; still, good to know.

> > Also, what is the (nominal) minimum amount of RAM needed to keep all
> > routes in ram in these name servers?
>
> I don't understand. DNS servers don't keep routes in memory - routers do
> that. Perhaps you mean cached DNS records?
> DNS is light on RAM, there are only so many records typical users will
> look up. DNS caches not too long ago ran for years problem free with a
> puny few hundred MB. It's not something to be worried about.

There should be a way to keep all the responses for the zones info they serve in ram? I know it often happens without intervention, but surely there are published methods to ensure this info is kept "in ram" like bcachefs?

Also flushing and ram usage status monitoring, as these auth dns servers will eventually migrate to low power embedded machines where keeping things in ram is critical to performance.

'eix -cC net-dns | grep auth'
[gentoo-user] bcachefs
Hello, Anyone tested/ deployed bcachefs on gentoo yet? @rich added to your btrfs howtos? It looks very, very cool! enjoy, James http://www.linuxveda.com/2015/08/22/linux-gain-new-file-system-bcachefs/
Re: [gentoo-user] bcachefs
On Mon, Oct 12, 2015 at 1:51 PM, James wrote:
>
> Anyone tested/ deployed bcachefs on gentoo yet?
>
> @rich added to your btrfs howtos?
>
> It looks very, very cool!

My sense is that it could be a while before this becomes usable. From the list post it doesn't yet support snapshots, or multiple devices, and the disk format isn't stable (which isn't the most important thing, but it is a big milestone).

But, I'm all for having more options. It just seems like there is a lot of hype - people talk about it like it is done.

I'm not sure at the data model level how it compares to ZFS/btrfs, and what advantages/disadvantages it might have. Obviously it supports bcache, which is something. I'd really like to see something like that become possible with btrfs (without implementing it as a separate layer underneath).

--
Rich
Re: [gentoo-user] pm-suspend problem
151012 Alec Ten Harmsel wrote:
> On Mon, Oct 12, 2015 at 05:46:00PM -0400, Philip Webb wrote:
>> I want to be able to suspend my machine to RAM overnight or when I'm out.
> Just curious why : why not just power it off or lock it ?

It's not relevant to the problem, but I don't want to switch off the router which connects to my ISP, as it cb a nuisance to reconnect again. No, no further comment re this !

>> The pkg to use seems to be Pm-utils, which I've installed.
>> 'pm-suspend' does suspend, but only briefly :
>> after 5 s , it restarts automatically & everything is back as before.
>> The log file shows this happening quite clearly.
>> What am I doing wrong ? Am I using the correct tool ?
> What desktop environment are you using ? OpenRC or systemd ?
> If you are using a desktop environment,
> it should have the suspend functionality built into it.

The latter are not DEs : I use Fluxbox + OpenRC.

> Do you have support for suspending to RAM compiled into the kernel ?

I believe so.

Thanks for the prompt response, but this doesn't help much.

--
Philip Webb
Cities Centre, University of Toronto
purslowatchassdotutorontodotca
Re: [gentoo-user] pm-suspend problem
On Mon, Oct 12, 2015 at 05:46:00PM -0400, Philip Webb wrote:
> I want to be able to suspend my machine to RAM overnight or when I'm out.

Just curious, you don't need to answer: why? Why not just power it off or lock it?

> The pkg to use seems to be Pm-utils, which I've installed.
> 'pm-suspend' does suspend, but only briefly :
> after 5 s , it restarts automatically & everything is back as before.
> The log file shows this happening quite clearly.
>
> What am I doing wrong ? Am I using the correct tool ?

What desktop environment are you using? OpenRC or systemd? Lastly, do you have support for suspending to RAM compiled into the kernel?

If you are using a desktop environment, it should have the suspend functionality built into it. If you are using systemd, it should be as simple as a `systemctl suspend`.

Alec
Re: [gentoo-user] Re: persistent /run/* ownership/permissions
>>> I have to chown munin:nginx and chmod g+x on directory /run/munin/
>>> after every reboot. The munin list suggests altering the initscript
>>> but is there a better way?
>>
>> There are ways, but I wouldn't call them better.
>
> The way to do it nowadays would be by placing a file with the content
> d /run/munin 0775 munin nginx
> into /usr/lib/tmpfiles.d (if done by the distribution) or into
> /etc/tmpfiles.d (if this is only needed for your special setup).

Will do. Is that leading "d " supposed to be there? Am I creating and editing /etc/tmpfiles.d or /etc/tmpfiles.d/anyfilename ?

- Grant

>> /run is often a tmpfs so the dir has to be mkdir'ed somehow after reboot
>> anyway. The initscript is the perfect place to do it.
>
> No, it is not the perfect place, because such a thing would
> be strange to do if e.g. the initscript is restarted or
> started only very late for some reasons (possibly hours
> after the system start, if munin is not needed immediately.)
> (OK, in /run it is not a security risk, but in world-writable
> directories there exist symlink attacks or other bad things
> if you create dirs/files too late and with a predictable name.
> For dirs, it might be possible if you are *very* careful,
> but the obvious "mkdir ...; chown ...; chmod ..." would be a
> horrible security failure.)
>
> Moreover, it is an init-system specific solution
> while you can have a general solution.
> Meanwhile, at least openrc and systemd both support the
> tmpfiles.d subdirectories; I do not know the state of
> other init-systems, but it is not hard to extend any
> init-system of your choice to support these directories.
> In any case, they are more compatible than a solution
> which works with only *one* init-system.
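An added illustration, not part of the thread or of any tmpfiles implementation: a small Python script that parses the "d /run/munin 0775 munin nginx" entry quoted above and then creates the directory the careful way the reply asks for, applying owner and mode through a file descriptor instead of the path-based "mkdir; chown; chmod" sequence it calls a security failure. The demo() helper works in a scratch directory standing in for /run and uses the calling user's uid/gid (an assumption so it runs unprivileged); the second case plants a symlink at the target path to show the creation step refusing it.

```python
import grp
import os
import pwd
import stat
import tempfile

def parse_tmpfiles_line(line):
    """Parse a tmpfiles.d(5) 'd' entry: Type Path Mode User Group [Age Arg].
    A '-' in a field means the default (mode 0755, owner/group unchanged)."""
    f = line.split()
    if len(f) < 2 or f[0] != "d":
        raise ValueError("unsupported tmpfiles.d entry: %r" % line)
    path, mode, user, group = (f + ["-"] * 3)[1:5]
    return {"path": path, "mode": 0o755 if mode == "-" else int(mode, 8),
            "user": None if user == "-" else user,
            "group": None if group == "-" else group}

def create_dir_safely(entry, uid=None, gid=None):
    """Create the directory, then chown/chmod via a descriptor, not a path.
    os.mkdir fails if anything (a planted symlink included) already sits at
    the path, and O_NOFOLLOW|O_DIRECTORY pins the fd to the directory we just
    made, so the later chown/chmod cannot land on some other object.
    uid/gid override the named user/group so the example runs unprivileged."""
    if uid is None:
        uid = pwd.getpwnam(entry["user"]).pw_uid if entry["user"] else -1
    if gid is None:
        gid = grp.getgrnam(entry["group"]).gr_gid if entry["group"] else -1
    os.mkdir(entry["path"], entry["mode"])  # FileExistsError if path is taken
    fd = os.open(entry["path"], os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    try:
        os.fchown(fd, uid, gid)
        os.fchmod(fd, entry["mode"])  # set exactly; mkdir's mode is masked by umask
        return stat.S_IMODE(os.fstat(fd).st_mode)  # permission bits actually set
    finally:
        os.close(fd)

def demo():
    """Run both cases under a scratch dir standing in for /run (constructed)."""
    run = tempfile.mkdtemp()
    uid, gid = os.getuid(), os.getgid()
    entry = parse_tmpfiles_line("d %s/munin 0775 munin nginx" % run)
    mode = create_dir_safely(entry, uid, gid)
    os.symlink("/tmp", os.path.join(run, "planted"))  # pre-existing symlink at the target
    try:
        create_dir_safely(parse_tmpfiles_line("d %s/planted 0775 - -" % run), uid, gid)
        blocked = False
    except FileExistsError:
        blocked = True
    return {"mode": mode, "symlink_blocked": blocked}
```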
[gentoo-user] Re: bcachefs
Rich Freeman gentoo.org> writes:

> > Anyone tested/ deployed bcachefs on gentoo yet?
>
> My sense is that it could be a while before this becomes usable.
> From the list post it doesn't yet support snapshots, or multiple
> devices, and the disk format isn't stable (which isn't the most
> important thing, but it is a big milestone).

That's why I was thinking to test it out on my new auth DNS servers, I'd try to use it to set up one of the slave (secondary) dns servers. It would not be a critical issue if it failed.

> But, I'm all for having more options. It just seems like there is a
> lot of hype - people talk about it like it is done.

Googling did not find any generic examples (tools?) to format a HD with it. I also have some ide-CF (Compact Flash cards) that look like SSD (low budget) on an old single core amd64 that would be just peachy for this sort of test. Ideas on how to format the HD [1] ? Other tools?

> I'm not sure at the data model level how it compares to ZFS/btrfs, and
> what advantages/disadvantages it might have. Obviously it supports
> bcache, which is something. I'd really like to see something like
> that become possible with btrfs (without implementing it as a separate
> layer underneath).

Well, as I remember it, it was not that you 'stepped forward' to be the go-to dev on btrfs, it's that most everyone else 'stepped back'... or something like that.

Still, if the writes using bcachefs can be controlled (batched) then it just might be a high-performance fs for Solid State HD, regardless of how the electronics/gates are set up. I usually use ext2 for those old CF, but I'm feeling adventuresome with bcachefs.

Maybe playing around with bcachefs will illuminate a btrfs pathway.

James

[1] http://bcache.evilpiepirate.org/
[gentoo-user] pm-suspend problem
I want to be able to suspend my machine to RAM overnight or when I'm out.
The pkg to use seems to be Pm-utils, which I've installed.
'pm-suspend' does suspend, but only briefly :
after 5 s , it restarts automatically & everything is back as before.
The log file shows this happening quite clearly.

What am I doing wrong ? Am I using the correct tool ?

--
Philip Webb
Cities Centre, University of Toronto
purslowatchassdotutorontodotca
Re: [gentoo-user] Re: DNS server packages
On 12/10/2015 19:43, James wrote:
> Alan McKinnon gmail.com> writes:
>
>>> I need to setup DNS primary/secondary systems on gentoo. So right now
>>> I'm looking for a suggested list of packages to install with Bind,
>>> iptables and DNSSEC-tools as these (2) gentoo dns servers will only
>>> run the minimum packages to operate securely?
>> auth or cache?
>
> These are the (2) net facing primary and slave dns servers, just for the
> few domain names I will authenticate. They'll be behind a firewall
> (iptables/dmz) with no internal zone information. Strictly auth, public
> facing, with DNSsec. The plan is to go slow with manual configuration and
> slowly add features like a database, as I roll out new auth-DNS servers
> on newer, embedded hardware (very small, very low power, but lots of ram
> (2G)). So over time the scope will evolve. It's a manual approach to a
> refresher for me. Eventually one of the auth-dns-slaves will be an arm
> cluster for performance testing on mesos. (That's a ways off).
>
> So also, the iptables rules for such a setup will need to be revisited,
> dusting off what I used to use. Again, the importance is trying different
> packages and sniffing the results and examining log files (manually and with
> scripts) on a log host. So only port 53 (public/routable net visible)
> and port 22 from a select set of private ips is all these will need.

Then you need your chosen name server (bind), your chosen fw ruleset generators (iptables, maybe some other front end) and maybe fail2ban or one of its friends if you find some port gets hammered. Block all ports except 53 and 22, send all logs to a remote syslogger and trawl through them to your heart's content. All very usual and normal.

>> First of all, bind is a pain to use. Reason: it's actually a reference
>> implementation that as usual got forced into production use. It's slower
>> than it could be because it deals with every possible corner case per RFC.
>> As an auth server (few queries) it's OK
>
> Bind is an old acquaintance of mine:: been a few years, hence the post.
> I may test/migrate to something else, later.

OK. For a few domains there's no benefit to using something other than what you already know.

>> As a cache (many queries), there are better servers out there. I prefer
>> unbound.
>
> A Caching DNS server for internal usages is another project for another
> time. It will be totally isolated; still, good to know.
>
>>> Also, what is the (nominal) minimum amount of RAM needed to keep all
>>> routes in ram in these name servers?
>> I don't understand. DNS servers don't keep routes in memory - routers do
>> that. Perhaps you mean cached DNS records?
>> DNS is light on RAM, there are only so many records typical users will
>> look up. DNS caches not too long ago ran for years problem free with a
>> puny few hundred MB. It's not something to be worried about.
>
> There should be a way to keep all the responses for the zones info they
> serve in ram? I know it often happens without intervention, but surely
> there are published methods to ensure this info is kept "in ram" like
> bcachefs?
>
> Also flushing and ram usage status monitoring, as these auth dns servers
> will eventually migrate to low power embedded machines where keeping
> things in ram is critical to performance.

I can't help but feel you are worried about a problem that doesn't exist. It takes lots and lots and lots of zones to get above 1M disk space. How much ram do you think you need?

DNS caches are resource intensive (the upper limit on what they cache is the internet). DNS auth servers are not (their upper limit is how many bytes in the zones) and they tend to idle most of the time. Well, unless you do silly things like set all TTLs to 1 (or god forbid, 0) and your auth server becomes a cache.

> 'eix -cC net-dns | grep auth'
>
> Curiously, are they better, more easily secured solutions?
>
> It's been a while for me so a vetting of the packages is the first step
> for this minimal, manual setup of the auth-dns servers for a few domain
> names::
>
> Bind9, dnssec-tools, iptables:: any other packages relevant/germane
> on a amd-default profile [1] ?

Yes, that's about it. Add in all the other usual server stuff you like to use - monitoring, logging, notifications, mail, whatever.

--
Alan McKinnon
alan.mckin...@gmail.com