Re: [gentoo-user] Wrong domain in e-mail failure messages

2015-10-12 Thread Peter Humphrey
On Sunday 11 October 2015 16:19:47 pe...@prh.myzen.co.uk wrote:
> Alan McKinnon  wrote :
> > On 11/10/2015 17:23, Peter Humphrey wrote:
> > > On Sunday 11 October 2015 13:33:56 J. Roeleveld wrote:
> > >> In your SMTP-server config, did you configure "Send custom hostname to
> > >> server"? Also, check the output of " hostname -f ".
> > > 
> > > The SMTP server is at the ISP, so not accessible to me.
> > > 
> > > $ hostname -f
> > > wstn.prhnet
> > > 
> > > Any other ideas?
> > 
> > What's in /etc/hosts?
> 
> No mention of localhost.

I was wrong. I should have said there's no mention of localnet - there is of 
course the usual "127.0.0.1 localhost" entry.

Serves me right for trying to send e-mail from my mobile phone.

-- 
Rgds
Peter




Re: [gentoo-user] Wrong domain in e-mail failure messages

2015-10-12 Thread Peter Humphrey
On Sunday 11 October 2015 12:11:07 I wrote:

> I've just received a delivery failure message from my ISP, zen.co.uk, saying
> it couldn't deliver an e-mail I'd sent. There's only one thing wrong (apart
> from the reason for the failure, which is out of my control). It's shown in
> the second line of the failure notice:
> 
>   Received: from [xx.xx.xx.xx] (helo=wstn.localnet)
> 
> I've bowdlerised the IP, and wstn is the name of this box, but where did it
> get localnet from? I've grepped /etc for it, and I've searched my home
> directory tree for it. Both searches turned up empty.
> 
> I use KMail, which is set up to send all outgoing mail directly to my ISP
> via SMTP; no other box is involved. And I hope my ADSL router isn't
> interfering.

I think what must have happened is that, in my KMail identity, I'd left the 
default domain name as it was - just the host part. I've now added the network 
part to it, and I'll see how that goes.

Thanks for the ideas.

-- 
Rgds
Peter




[gentoo-user] Re: DNS server packages

2015-10-12 Thread James
Alan McKinnon  gmail.com> writes:


> > I need to setup DNS primary/secondary systems on gentoo. So right now 
> > I'm looking for a suggested list of packages to install with Bind, 
> > iptables and DNSSEC-tools as these (2) gentoo dns servers will only 
> > run the minimum packages to operate securely?
> auth or cache?

These are the (2) net facing primary and slave dns servers, just for the
few domain names I will authenticate. They'll be behind a firewall
(iptables/dmz) with no internal zone information.  Strictly auth, public
facing, with DNSsec. The plan is to go slow with manual configuration and
slowly add features like a database, as I roll out new auth-DNS servers
on newer, embedded hardware (very small, very low power, but lots of ram
(2G)). So over time the scope will evolve. It's a manual approach to a
refresher for me.  Eventually one of the auth-dns-slaves will be an arm
cluster for performance testing on mesos. (That's a ways off).


So also, the iptables rules for such a setup will need to be revisited,
dusting off what I used to use. Again, the importance is trying different
packages and sniffing the results and examining log files (manually and with
scripts) on a log host. So only port 53 (public/routable net visible)
and port 22 from a select set of private IPs is all these will need.


> First of all, bind is a pain to use. Reason: it's actually a reference
> implementation that as usual got forced into production use. It's slower
> than it could be because it deals with every possible corner case per RFC.
> As an auth server (few queries) it's OK

Bind is an old acquaintance of mine: it's been a few years, hence the post.
I may test/migrate to something else, later.

> As a cache (many queries), there are better servers out there. I prefer
> unbound.

A caching DNS server for internal usage is another project for another
time. It will be totally isolated; still, good to know.


> > Also, what is the (nominal) minimum amount of RAM needed to keep all  
> > routes in ram in these  name servers?
> I don't understand. DNS servers don't keep routes in memory - routers do
> that. Perhaps you mean cached DNS records?
> DNS is light on RAM, there are only so many records typical users will
> look up. DNS caches not too long ago ran for years problem free with a
> puny few hundred MB. It's not something to be worried about.

There should be a way to keep all the responses for the zone info they
serve in ram?  I know it often happens without intervention, but surely
there are published methods to ensure this info is kept "in ram" like bcachefs?

Also, flushing and ram usage status monitoring, as these auth dns servers
will eventually migrate to low power embedded machines where keeping
things in ram is critical to performance.

'eix -cC net-dns | grep auth'   

[gentoo-user] bcachefs

2015-10-12 Thread James

Hello,
Anyone tested/deployed bcachefs on gentoo yet?

@rich  added to your btrfs howtos?

It looks very, very cool!


enjoy,
James



http://www.linuxveda.com/2015/08/22/linux-gain-new-file-system-bcachefs/







Re: [gentoo-user] bcachefs

2015-10-12 Thread Rich Freeman
On Mon, Oct 12, 2015 at 1:51 PM, James  wrote:
>
> Anyone tested/deployed bcachefs on gentoo yet?
>
> @rich  added to your btrfs howtos?
>
> It looks very, very cool!

My sense is that it could be a while before this becomes usable.

From the list post it doesn't yet support snapshots, or multiple
devices, and the disk format isn't stable (which isn't the most
important thing, but it is a big milestone).

But, I'm all for having more options.  It just seems like there is a
lot of hype - people talk about it like it is done.

I'm not sure at the data model level how it compares to ZFS/btrfs, and
what advantages/disadvantages it might have.  Obviously it supports
bcache, which is something.  I'd really like to see something like
that become possible with btrfs (without implementing it as a separate
layer underneath).

-- 
Rich



Re: [gentoo-user] pm-suspend problem

2015-10-12 Thread Philip Webb
151012 Alec Ten Harmsel wrote:
> On Mon, Oct 12, 2015 at 05:46:00PM -0400, Philip Webb wrote:
>> I want to be able to suspend my machine to RAM overnight or when I'm out.
> Just curious why : why not just power it off or lock it ?

It's not relevant to the problem,
but I don't want to switch off the router which connects to my ISP,
as it cb a nuisance to reconnect again.  No, no further comment re this !

>> The pkg to use seems to be Pm-utils, which I've installed.
>> 'pm-suspend' does suspend, but only briefly :
>> after  5 s , it restarts automatically & everything is back as before.
>> The log file shows this happening quite clearly.
>> What am I doing wrong ?  Am I using the correct tool ?
> What desktop environment are you using ?  OpenRC or systemd ?
> If you are using a desktop environment,
> it should have the suspend functionality built into it.

The latter are not DE's : I use Fluxbox + OpenRC.

> Do you have support for suspending to RAM compiled into the kernel ?

I believe so.

Thanks for the prompt response, but this doesn't help much.

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




Re: [gentoo-user] pm-suspend problem

2015-10-12 Thread Alec Ten Harmsel
On Mon, Oct 12, 2015 at 05:46:00PM -0400, Philip Webb wrote:
> I want to be able to suspend my machine to RAM overnight or when I'm out.

Just curious, you don't need to answer: why? Why not just power it off
or lock it?

> The pkg to use seems to be Pm-utils, which I've installed.
> 'pm-suspend' does suspend, but only briefly :
> after  5 s , it restarts automatically & everything is back as before.
> The log file shows this happening quite clearly.
> 
> What am I doing wrong ?  Am I using the correct tool ?

What desktop environment are you using? OpenRC or systemd? Lastly, do
you have support for suspending to RAM compiled into the kernel?

If you are using a desktop environment, it should have the suspend
functionality built into it. If you are using systemd, it should be as
simple as a `systemctl suspend`.

Alec



Re: [gentoo-user] Re: persistent /run/* ownership/permissions

2015-10-12 Thread Grant
>>> I have to chown munin:nginx and chmod g+x on directory /run/munin/
>>> after every reboot.  The munin list suggests altering the initscript
>>> but is there a better way?
>>
>> There are ways, but I wouldn't call them better.
>
> The way to do it nowadays would be by placing a file with the content
> d /run/munin 0775 munin nginx
> into /usr/lib/tmpfiles.d (if done by the distribution) or into
> /etc/tmpfiles.d (if this is only needed for your special setup).


Will do.  Is that leading "d " supposed to be there?

Am I creating and editing /etc/tmpfiles.d or /etc/tmpfiles.d/anyfilename ?

- Grant


>> /run is often a tmpfs so the dir has to be mkdir'ed somehow after reboot
>> anyway. The initscript is the perfect place to do it.
>
> No, it is not the perfect place, because such a thing would
> be strange to do if e.g. the initscript is restarted or
> started only very late for some reasons (possibly hours
> after the system start, if munin is not needed immediately.)
> (OK, in /run it is not a security risk, but in world-writable
> directories there exist symlink attacks or other bad things
> if you create dirs/files too late and with a predictable name.
> For dirs, it might be possible if you are *very* careful,
> but the obvious "mkdir ...; chown ...; chmod ..." would be a
> horrible security failure.)
>
> Moreover, it is an init-system specific solution
> while you can have a general solution.
> Meanwhile, at least openrc and systemd both support the
> tmpfiles.d subdirectories; I do not know the state of
> other init-systems, but it is not hard to extend any
> init-system of your choice to support these directories.
> In any case, they are more compatible than a solution
> which works with only *one* init-system.
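As an added example that is not part of the thread, here is a minimal shell handler for a tmpfiles.d `d` entry like the one quoted above, written the way the quoted advice asks for: the mode goes on in the same `mkdir` call, and a path that already exists but is not a plain directory is refused rather than chmod/chown'ed through. It assumes POSIX sh plus coreutils, that the entry lives in a `*.conf` fragment under `/etc/tmpfiles.d/`, and that `chown` is only attempted when running as root; the `PREFIX` argument exists so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal handler for a tmpfiles.d "d"
# entry such as "d /run/munin 0775 munin nginx", done the defensive way the
# quoted advice asks for. The mode is applied in the same mkdir call, and a
# path that exists but is not a plain directory (for example a symlink left
# in a world-writable parent) is refused instead of being chmod/chown'ed
# through. Assumes POSIX sh and coreutils; chown is attempted only as root.

# tmpfiles_d ENTRY [PREFIX]
#   ENTRY  : one tmpfiles.d line, fields "Type Path Mode User Group"
#   PREFIX : optional root prepended to Path, so the example can run against
#            a scratch directory instead of the real /run
tmpfiles_d() {
    tfd_prefix=${2:-}
    # Splitting the entry into its whitespace-separated fields is intended.
    # shellcheck disable=SC2086
    set -- $1
    tfd_type=$1 tfd_path="$tfd_prefix$2" tfd_mode=$3 tfd_user=${4:--} tfd_group=${5:--}
    [ "$tfd_type" = d ] || { echo "tmpfiles_d: only 'd' entries are handled" >&2; return 2; }
    case $tfd_mode in
        [0-7][0-7][0-7] | [0-7][0-7][0-7][0-7]) ;;
        *) echo "tmpfiles_d: bad mode '$tfd_mode'" >&2; return 2 ;;
    esac
    # Refuse anything present that is not a real directory. -L is checked
    # first because -d is true for a symlink pointing at a directory, and
    # chmod/chown would follow that link to wherever it points.
    if [ -L "$tfd_path" ] || { [ -e "$tfd_path" ] && [ ! -d "$tfd_path" ]; }; then
        echo "tmpfiles_d: $tfd_path exists and is not a directory, refusing" >&2
        return 1
    fi
    if [ ! -d "$tfd_path" ]; then
        # -m sets the final mode in the same call; the directory never sits
        # with a umask-derived mode waiting for a later chmod.
        mkdir -m "$tfd_mode" "$tfd_path" || return 1
    else
        chmod "$tfd_mode" "$tfd_path" || return 1
    fi
    # Ownership; a "-" in either field means leave it alone.
    if [ "$(id -u)" = 0 ] && [ "$tfd_user" != - ]; then
        [ "$tfd_group" = - ] && tfd_group=
        chown "$tfd_user${tfd_group:+:$tfd_group}" "$tfd_path" || return 1
    fi
}
```

The check-then-create still has a window in a world-writable parent; the reason the quoted advice prefers tmpfiles.d is that the init system runs these entries at boot, before unprivileged users can plant anything there.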



[gentoo-user] Re: bcachefs

2015-10-12 Thread James
Rich Freeman  gentoo.org> writes:



> > Anyone tested/deployed bcachefs on gentoo yet?

> My sense is that it could be a while before this becomes usable.
> From the list post it doesn't yet support snapshots, or multiple
> devices, and the disk format isn't stable (which isn't the most
> important thing, but it is a big milestone).

That's why I was thinking to test it out on my new auth DNS servers; I'd try
to use it to set up one of the slave (secondary) dns servers. It would not
be a critical issue if it failed.


> But, I'm all for having more options.  It just seems like there is a
> lot of hype - people talk about it like it is done.

Googling did not find any generic examples (tools?) to format an HD with it.
I also have some IDE-CF (CompactFlash cards) that look like SSD (low
budget) on an old single core amd64 that would be just peachy for this sort
of test.

Ideas on how to format the HD [1] ?  Other tools? 

> I'm not sure at the data model level how it compares to ZFS/btrfs, and
> what advantages/disadvantages it might have.  Obviously it supports
> bcache, which is something.  I'd really like to see something like
> that become possible with btrfs (without implementing it as a separate
> layer underneath).


Well, as I remember it, it was not that you 'stepped forward' to be the
go-to dev on btrfs, it's that most everyone else 'stepped back'... or
something like that. Still, if the writes using bcachefs can be controlled
(batched) then it just might be a high-performance fs for Solid State HD,
regardless of how the electronics/gates are set up.  I usually use ext2 for
those old CF, but I'm feeling adventuresome with bcachefs. Maybe playing
around with bcachefs will illuminate a btrfs pathway.


James

[1] http://bcache.evilpiepirate.org/




[gentoo-user] pm-suspend problem

2015-10-12 Thread Philip Webb
I want to be able to suspend my machine to RAM overnight or when I'm out.
The pkg to use seems to be Pm-utils, which I've installed.
'pm-suspend' does suspend, but only briefly :
after  5 s , it restarts automatically & everything is back as before.
The log file shows this happening quite clearly.

What am I doing wrong ?  Am I using the correct tool ?

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




Re: [gentoo-user] Re: DNS server packages

2015-10-12 Thread Alan McKinnon
On 12/10/2015 19:43, James wrote:
> Alan McKinnon  gmail.com> writes:
> 
> 
>>> I need to setup DNS primary/secondary systems on gentoo. So right now 
>>> I'm looking for a suggested list of packages to install with Bind, 
>>> iptables and DNSSEC-tools as these (2) gentoo dns servers will only 
>>> run the minimum packages to operate securely?
>> auth or cache?
> 
> These are the (2) net facing primary and slave dns servers, just for the
> few domain names I will authenticate. They'll be behind a firewall
> (iptables/dmz) with no internal zone information.  Strictly auth, public
> facing, with DNSsec. The plan is to go slow with manual configuration and
> slowly add features like a database, as I roll out new auth-DNS servers
> on newer, embedded hardware (very small, very low power, but lots of ram
> (2G)). So over time the scope will evolve. It's a manual approach to a
> refresher for me.  Eventually one of the auth-dns-slaves will be an arm
> cluster for performance testing on mesos. (That's a ways off).
> 
> 
> So also, the iptables rules for such a setup will need to be revisited,
> dusting off what I used to use. Again, the importance is trying different
> packages and sniffing the results and examining log files (manually and with
> scripts) on a log host. So only port 53 (public/routable net visible)
> and port 22 from a select set of private IPs is all these will need.

Then you need your chosen name server (bind), your chosen fw ruleset
generators (iptables, maybe some other front end) and maybe fail2ban or
one of its friends if you find some port gets hammered.

Block all ports except 53 and 22, send all logs to a remote syslogger
and trawl through them to your heart's content. All very usual and normal.


>> First of all, bind is a pain to use. Reason: it's actually a reference
>> implementation that as usual got forced into production use. It's slower
>> than it could be because it deals with every possible corner case per RFC.
>> As an auth server (few queries) it's OK
> 
> Bind is an old acquaintance of mine: it's been a few years, hence the post.
> I may test/migrate to something else, later.

OK. For a few domains there's no benefit to using something other than
what you already know.

> 
>> As a cache (many queries), there are better servers out there. I prefer
>> unbound.
> 
> A caching DNS server for internal usage is another project for another
> time. It will be totally isolated; still, good to know.
> 
> 
>>> Also, what is the (nominal) minimum amount of RAM needed to keep all  
>>> routes in ram in these  name servers?
>> I don't understand. DNS servers don't keep routes in memory - routers do
>> that. Perhaps you mean cached DNS records?
>> DNS is light on RAM, there are only so many records typical users will
>> look up. DNS caches not too long ago ran for years problem free with a
>> puny few hundred MB. It's not something to be worried about.
> 
> There should be a way to keep all the responses for the zone info they
> serve in ram?  I know it often happens without intervention, but surely
> there are published methods to ensure this info is kept "in ram" like
> bcachefs?
> 
> Also flushing and ram usage status monitoring, as these auth dns servers
> will eventually migrate to low power embedded machines where keeping 
> things in ram is critical to performance.

I can't help but feel you are worried about a problem that doesn't
exist. It takes lots and lots and lots of zones to get above 1M disk
space. How much ram do you think you need?

DNS caches are resource intensive (the upper limit on what they cache is
the internet).
DNS auth servers are not (their upper limit is how many bytes in the
zones) and they tend to idle most of the time. Well, unless you do silly
things like set all TTLs to 1 (or god forbid, 0) and your auth server
becomes a cache.

> 
> 'eix -cC net-dns | grep auth'
> Curiously, are they better, more easily secured solutions?
> 
> 
> It's been a while for me so a vetting of the packages is the first step
> for this minimal, manual setup of the auth-dns servers for a few domain 
> names::
> 
> 
> Bind9, dnssec-tools, iptables:: any other packages relevant/germane
> on an amd-default profile [1] ?

Yes, that's about it.
Add in all the other usual server stuff you like to use - monitoring,
logging, notifications, mail, whatever.


-- 
Alan McKinnon
alan.mckin...@gmail.com
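As an added example that is not part of the thread, the ruleset sketched above (only 53 and 22 open, 22 reachable just from a few private networks, everything else logged for the remote syslog host) written out as a generator for `iptables-restore`. It is IPv4 only; the management networks passed in are constructed sample values, and the chain layout and log prefix are this example's own choices, not something from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset for the
# authoritative-only DNS host described above. Policy is DROP; port 53 is open
# to the world on UDP and TCP (TCP is needed for answers too large for UDP,
# which DNSSEC makes common, and for zone transfers to the slave); port 22 is
# open only from the listed management networks; everything else is logged at
# a bounded rate (so a flood cannot drown the remote syslog host) and dropped.
# Assumptions: IPv4 only; the networks passed in are constructed samples.

# dns_fw_rules CIDR...   -> ruleset on stdout, suitable for `iptables-restore`
dns_fw_rules() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p udp --dport 53 -j ACCEPT' \
        '-A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # One rule per management network for SSH; with no networks given,
    # nothing reaches port 22 at all.
    for net in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $net --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what is about to hit the DROP policy, rate-limited so a flood of
    # junk cannot fill the log host's disk or hide real events.
    printf '%s\n' \
        '-A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "dnsfw-drop: "' \
        'COMMIT'
}
```

Run as `dns_fw_rules 10.0.0.0/24 192.168.1.0/24 | iptables-restore` once the output has been reviewed; ICMP echo is kept so the monitoring host can still ping the server.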