Re: [gentoo-user] systemd-networkd: simpler config for my network
On 15.04.2014 20:25, Stefan G. Weichinger wrote:
> Tom Gundersen, one of the main coders said "IPv6 support is so far very
> basic (you can set static IPv6 addresses, and that's it). We plan to
> support it fully in the future though."
>
> -> https://plus.google.com/+TomGundersen/posts/8d1tzMJWppJ
>
> Maybe things developed since then.

I took the opportunity and asked Tom myself (we were in contact last week due to my questions around my KVM-related network setup). Some quotes out of his reply; I showed him this thread for a start.

->

> On 15.04.2014 19:25, Pavel Volkov wrote:
>>> Not yet, but it seems weird to have DHCP= for DHCPv4 and not to have any
>>> options (DHCPv6/SLAAC/unconfigured) for IPv6. Only Address= for static
>>> address.
>
> Currently, the only IPv6 support we have is static addresses and
> whatever the kernel provides natively. The reason for this is just
> lack of hours in the day, and it is definitely on the TODO. We expect
> to have DHCPv6 soon, but the patches have not yet been posted. Any
> further assistance in the form of patches or testing would be greatly
> appreciated of course.
>
>>> Here is another problem. I need to issue this command:
>>> "ip token set ::2/64 dev br0"
>>> 1. after the bridge device is created
>>> 2. before IP address is configured on it
>
> This seems like a useful feature and should be simple to implement.
> Can't promise to work on that any time soon though, but, again,
> patches would be appreciated.
>
>>> netctl still seems a lot more capable than systemd-networkd...
>
> Yes, we still have a lot of features left on our TODO. Things are
>
>>> And netctl runs separate services (like netctl@eth0.service) for
>>> separate interfaces unlike systemd-networkd, you can create more custom
>>> deps on top of it.
>
> That is also true, but this was a conscious choice from our side. Most
> of the deps (as the token use-case you mentioned above) are sorted out
> by networkd internally (when support is added), so the config remains
> purely declarative. Moreover, exposing network state simply as systemd
> units is not really powerful enough, as we probably want much more
> fine-grained status information (if an interface is up, if it has a
> link-local address assigned, a routable address assigned, if the
> global internet is reachable etc, etc.). We have therefore taken the
> approach of exposing this info (and more, such as DHCP leases and
> their associated information) through a C library. The plan is to
> obviously also add a dbus API.
>
>> And it is not meant to be a drop-in replacement for big guns like
>> gnome-networkmanager or netctl, but just a simple tool for static setups.
>
> True, we target mainly static setups (i.e., ones where you don't
> usually change the network configuration at run-time, though you may
> still use dynamic configuration such as DHCP of course). However, we
> still have a lot more features we need/want before we are done
>
>> Maybe things developed since then.
>
> Not really. I have been working mostly on IPv4 so far, but Patrik
> Flykt from Intel is hard at work on DHCPv6, so that should be coming
> along soon.
>
> Cheers,
>
> Tom

So IPv6 isn't yet much supported as you noticed, right. Interesting anyway, isn't it?

Best, Stefan
[gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
Hi all,

I've taken this opportunity to prod the boss to let me buy some real certs for our few self-hosted mail services. Until now, we've used self-signed certs.

My question is, what exactly is the correct procedure for doing this?

Also, do I still need to do the step I've been seeing:

Step 2: Delete SSL key set
Now, make out a list of websites that are equipped with SSL certificates.
After that, delete all SSL keys, private and CSR key.
Finally, create a new private key and CSR key for each of your websites. However, remember that your keys should be of 2048-bit key length.

?

Or will simply replacing my self-signed certs with the new real ones be good enough?

Thanks
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 16, 2014, at 13:52, Tanstaafl wrote:
> Hi all,
>
> I've taken this opportunity to prod the boss to let me buy some real certs
> for our few self-hosted mail services. Until now, we've used self-signed
> certs.
>
> My question is, what exactly is the correct procedure for doing this?
>
> Also, do I still need to do the step I've been seeing:
>
> Step: 2
>
> Delete SSL key set
>
> Now, make out a list of websites that are equipped with SSL
> certificates.
> After that, delete all SSL keys, private and CSR key
> Finally, create a new private key and CSR key for each of your
> website. However, remember that your keys should be of 2048-bit key
> length.
>
> ?

Depends on your security model. RSA 2048-bit should be sufficient for most people. Although it is totally possible to create a 16384-bit key. Just remember to use random data and a trustworthy key generator. They both have been known to be tampered with by some agencies :)

> Or will simply replacing my self-signed certs with the new real ones be good
> enough?

No it will not. Keys are the ones that have been compromised. You need to create new keys. With those keys you need to create a certificate request. Then you send that request to the certificate authority for signing and publishing in their CRL. When you receive the signed certificate you can start using it with your key. Never send your key to the CA or expect to get a key from them.

There are also other algorithms than RSA. And also if you want to get PFS you will need to consider your setup, certificate and security model.

--
-Matti
Re: [gentoo-user] re: nVidia GeForce 210 and nvidia-drivers-334.21-r3
On 04/15/2014 04:18 AM, Michael Orlitzky wrote:
> On 04/14/2014 07:39 AM, Alexander Kapshuk wrote:
>> I've had to replace my GPU today. Prior to attempting to start X with
>> the new GPU in, I thought I'd pull in the latest updates and reboot the
>> system. X wouldn't start as a result. I've googled for answers, but
>> haven't found a solution so far.
> Nvidia dropped support for the GeForce 210 in their 334 series. It's
> still there in the 331 series, though, if you want to downgrade.
>
> Same thing happened to me a while ago with my old 7800GT. I don't have
> any reason to buy a new GPU, so I switched to nouveau.
>
> Reference: http://www.nvidia.com/object/unix.html (pick a version, and
> hit "Supported Products").

Thanks for your response. Apologies for the delay in replying.

After googling a bit more I did figure that the problem was with the proprietary driver I was using. I did try downgrading to some of these drivers, but to no avail, unless I did something wrong in the process:

/usr/portage/x11-drivers/nvidia-drivers/nvidia-drivers-304.121.ebuild
/usr/portage/x11-drivers/nvidia-drivers/nvidia-drivers-331.49-r3.ebuild
/usr/portage/x11-drivers/nvidia-drivers/nvidia-drivers-331.49.ebuild
/usr/portage/x11-drivers/nvidia-drivers/nvidia-drivers-331.67.ebuild

What I ended up doing was using the x11-drivers/xf86-video-nouveau-1.0.10 driver.

I set these up in my kernel .config:
CONFIG_DRM_NOUVEAU=y
CONFIG_NOUVEAU_DEBUG=5
CONFIG_NOUVEAU_DEBUG_DEFAULT=3
CONFIG_DRM_NOUVEAU_BACKLIGHT=y

Enabled nouveau and disabled nvidia in make.conf:
egrep 'nvidia|nouveau' /etc/portage/make.conf
USE="$USE -nvidia consolekit pam policykit udisks upower acpi lm_sensors"
VIDEO_CARDS="nouveau"

And ran:
emerge --ask --changed-use --deep @world

The new driver's been running OK so far. Playing videos via vlc/mplayer seems to run smooth. Some youtube videos are a bit choppy, and/or delayed though. Not sure if it's the nouveau driver to blame or the fact that I've got 1 Gb of RAM onboard.

Should I have enabled the nouveau USE flag globally in make.conf like I previously did for nvidia, or is that not necessary?

If there is something else I should be doing, or something I overlooked, I'd appreciate anyone letting me know.

Thanks.
Re: [gentoo-user] foo2zjs make install error
On Tue, 15 April 2014, at 1:06 pm, Dutch Ingraham wrote:
> ...
> I should have included this in my first post: "locate foomatic-rip"
> returns, on both installations:
>
> /usr/libexec/cups/filter/foomatic-rip
> /usr/share/man/man1/foomatic-rip.1.bz2
>
> I cannot run foomatic-rip manually.

This is perhaps a nitpick, but `locate` doesn't show us that foomatic-rip is installed on your system, only that it was installed last time updatedb was run.

I'm not actually familiar with foomatic-rip, but I'd assume that it's an executable of some sort. Don't you get an error message if you try running `/usr/libexec/cups/filter/foomatic-rip`? What are the permissions on the file? In another post you've stated that you have 2 other machines which are not showing the same problem - compare with them.

Stroller.
[gentoo-user] app-admin/mcelog daily cronjob?
I set up a new machine a couple of months ago, and for some time I've been getting an email each day:

Subject: Cron test -x /usr/sbin/run-crons && /usr/sbin/run-crons
fopen: Permission denied

Taking a look at /etc/cron.daily/ shows only one odd one out:

$ sudo ls -lh /etc/cron.daily/
total 16K
-rwxr-xr-x 1 root root 180 Feb 4 20:28 logrotate
-rwxr-xr-x 1 root root 196 Mar 3 09:48 man-db
-rw-r--r-- 1 root root 141 Apr 16 14:09 mcelog
-rwxr-xr-x 1 root root 1.3K Feb 4 23:53 mlocate

I *assume* that mcelog is the cron job which is causing this error, although the error message is not much to go on. It doesn't have execute permissions set, though, so that's what leads me towards this (tentative) conclusion. I dunno, running it manually gives a different error:

$ sudo /etc/cron.daily/mcelog
sudo: /etc/cron.daily/mcelog: command not found
$

Nevertheless, when I look at the http://mcelog.org/ homepage, specified in the package description, it says:

Traditionally mcelog was run as a cronjob, but this usage is deprecated now. The modern way to run it is to start it at boot up time and run it always as a daemon.

I tried unmerging app-admin/mcelog and the cron.daily file is removed; then remerging (the latest stable version - 1.0_pre3_p20130621-r1) and it's reinstalled with the same permissions.

So I guess my question is: is this a bug with the app-admin/mcelog package?

I've got another system which isn't showing this problem, and mcelog is not installed. And the system *seems* to be running just fine, despite the assertion at mcelog.org that "mcelog is required by … Linux kernels … to log machine checks and should run on all Linux systems that need error handling."

On the system which is showing this problem, app-admin/mcelog is in the world file - and it was before I started investigating this problem (I know this because I have a clone of that system which I took a few weeks ago), although I don't recall ever choosing to install it.

What is mcelog, and why do I need it, please?

Stroller.
Re: [gentoo-user] re: nVidia GeForce 210 and nvidia-drivers-334.21-r3
On 04/16/2014 09:14 AM, Alexander Kapshuk wrote:
> The new driver's been running OK so far.
> Playing videos via vlc/mplayer seems to run smooth.
> Some youtube videos are a bit choppy, and/or delayed though. Not sure if
> it's the nouveau driver to blame or the fact that I've got 1 Gb of RAM
> onboard.

It may be from the RAM/CPU if the video is high-resolution. Nouveau still has to do a lot of things in software that the proprietary driver does in hardware. If sys-process/htop shows 100% CPU or RAM usage, that's probably it. To rule out the network you can try net-misc/youtube-dl.

> Should I have enabled the nouveau USE flag globally in make.conf like I
> previously did for nvidia, or is that not necessary?

Not necessary (there are no nouveau USE flags at the moment).
Re: [gentoo-user] re: nVidia GeForce 210 and nvidia-drivers-334.21-r3
On 04/16/2014 05:06 PM, Michael Orlitzky wrote:
> On 04/16/2014 09:14 AM, Alexander Kapshuk wrote:
>> The new driver's been running OK so far.
>> Playing videos via vlc/mplayer seems to run smooth.
>> Some youtube videos are a bit choppy, and/or delayed though. Not sure if
>> it's the nouveau driver to blame or the fact that I've got 1 Gb of RAM
>> onboard.
> It may be from the RAM/CPU if the video is high-resolution. Nouveau
> still has to do a lot of things in software that the proprietary driver
> does in hardware. If sys-process/htop shows 100% CPU or RAM usage,
> that's probably it. To rule out the network you can try net-misc/youtube-dl.
>
>> Should I have enabled the nouveau USE flag globally in make.conf like I
>> previously did for nvidia, or is that not necessary?
> Not necessary (there are no nouveau USE flags at the moment).

Understood. Thanks. I'll check those options out.
Re: [gentoo-user] app-admin/mcelog daily cronjob?
On Wed, 16 Apr 2014 14:39:16 +0100 Stroller wrote: > What is mcelog, and why do I need it, please? Machine check exception logger; iotw, it logs hardware errors. -- With kind regards, Tom Wijsman (TomWij) Gentoo Developer E-mail address : tom...@gentoo.org GPG Public Key : 6D34E57D GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D
[gentoo-user] Raspberry Pi & Gentoo?
Hi Gentoo-users, I have read all articles about Raspberry Pi on Gentoo-wiki, but want to ask: Is anybody here really using Gentoo on RPi? Is it usable? I have a chance of free housing for my RPi so I thought I give it a try, using RPi as backup-DNS/MX (and watchdog) for my primary server. Right now I'm facing two questions: 1. What is better to use as OS-storage: USB-stick or SD-card? I have read horror stories about SD-cards being fried/bricked quite frequently so I'm a little scared. But I never found single post about problems with USB-stick... 2. What distro? Right now I'm using Gentoo on all my servers but I'm not sure it is the best option for this puppy (Gentoo puts quite high demands on filesystem). If I redirect all the compilation work to other "mature" server (distcc/crossdev), can I use even Gentoo? Or is Raspbian still the better choice? BR, Jarry -- ___ This mailbox accepts e-mails only from selected mailing-lists! Everything else is considered to be spam and therefore deleted.
Re: [gentoo-user] app-admin/mcelog daily cronjob?
On Wed, 16 April 2014, at 3:44 pm, Tom Wijsman wrote: > On Wed, 16 Apr 2014 14:39:16 +0100 > Stroller wrote: > >> What is mcelog, and why do I need it, please? > > Machine check exception logger; iotw, it logs hardware errors. Ok, ignoring everything else that I wrote in my previous message, that this package appears to be generating daily errors… your contention is that I don't need it, because my other machine is running fine without it? Stroller.
Re: [gentoo-user] Raspberry Pi & Gentoo?
On Wed, 16 April 2014, at 4:34 pm, Jarry wrote: > … > 1. What is better to use as OS-storage: USB-stick or SD-card? > I have read horror stories about SD-cards being fried/bricked > quite frequently so I'm a little scared. But I never found > single post about problems with USB-stick... In terms of frying/bricking USB sticks are just the same kind of flash memory as in SD-cards, surely? Both are $8 for 16GB of storage, so wear / failure is only a concern if the server is to be inaccessible. Stroller.
Re: [gentoo-user] app-admin/mcelog daily cronjob?
On Wed, 16 Apr 2014 16:39:22 +0100 Stroller wrote: > > On Wed, 16 April 2014, at 3:44 pm, Tom Wijsman > wrote: > > > On Wed, 16 Apr 2014 14:39:16 +0100 > > Stroller wrote: > > > >> What is mcelog, and why do I need it, please? > > > > Machine check exception logger; iotw, it logs hardware errors. > > Ok, ignoring everything else that I wrote in my previous message, > that this package appears to be generating daily errors… > > your contention is that I don't need it, because my other machine is > running fine without it? There is no such indication in that reply. That is up to you to decide. -- With kind regards, Tom Wijsman (TomWij) Gentoo Developer E-mail address : tom...@gentoo.org GPG Public Key : 6D34E57D GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D
Re: [gentoo-user] Raspberry Pi & Gentoo?
On 16-Apr-14 17:46, Stroller wrote:
> On Wed, 16 April 2014, at 4:34 pm, Jarry wrote:
>> …
>> 1. What is better to use as OS-storage: USB-stick or SD-card?
>> I have read horror stories about SD-cards being fried/bricked
>> quite frequently so I'm a little scared. But I never found
>> single post about problems with USB-stick...
>
> In terms of frying/bricking USB sticks are just the same kind of flash
> memory as in SD-cards, surely?
>
> Both are $8 for 16GB of storage, so wear / failure is only a concern if
> the server is to be inaccessible.

But not every flash memory is the same. Are you sure SD and USB are about the same? I thought USB-sticks were a little higher (comparable with CF, which is surely more reliable than SD)...

Jarry
--
___
This mailbox accepts e-mails only from selected mailing-lists! Everything else is considered to be spam and therefore deleted.
Re: [gentoo-user] Raspberry Pi & Gentoo?
On Wed, 16 Apr 2014 17:34:54 +0200 Jarry wrote:
> Hi Gentoo-users,
>
> I have read all articles about Raspberry Pi on Gentoo-wiki,
> but want to ask: Is anybody here really using Gentoo on RPi?

Yes.

> Is it usable?

Depends on your goal.

> I have a chance of free housing for my RPi so I thought I give
> it a try, using RPi as backup-DNS/MX (and watchdog) for my
> primary server.

Should work.

> Right now I'm facing two questions:
>
> 1. What is better to use as OS-storage: USB-stick or SD-card?
> I have read horror stories about SD-cards being fried/bricked
> quite frequently so I'm a little scared. But I never found
> single post about problems with USB-stick...

As suggested in the other reply; both if you can, SD otherwise, as it is faster than USB, since USB is sharing the same interface as Ethernet. Just make sure you get something serious from a good brand.

> 2. What distro? Right now I'm using Gentoo on all my servers
> but I'm not sure it is the best option for this puppy (Gentoo
> puts quite high demands on filesystem). If I redirect all the
> compilation work to other "mature" server (distcc/crossdev),
> can I use even Gentoo? Or is Raspbian still the better choice?

The nice thing about Gentoo is that you can make things minimal, the worst thing about Gentoo is that it takes a ton of compile time; so, it somewhat depends on your goal. Try different and see what you like.

When you plan to do Gentoo, spend some time on avoiding many writes to the SD card if possible; put /var/tmp/portage on an external drive, etc...

--
With kind regards,
Tom Wijsman (TomWij)
Gentoo Developer
E-mail address : tom...@gentoo.org
GPG Public Key : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D
Re: [gentoo-user] app-admin/mcelog daily cronjob?
On Wed, 16 April 2014, at 4:52 pm, Tom Wijsman wrote:
> There is no such indication in that reply. That is up to you to decide.

Well, I posted here looking for useful answers and perhaps a full explanation (like, of how this is needed beyond the system logger), not vapid one-liners.

I guess I'll just file a vapid-one bug that my Gentoo system is generating these cron messages, rather than first trying to come to an understanding of the cause. Would that make the developers' lives easier?

Stroller.
Re: [gentoo-user] app-admin/mcelog daily cronjob?
On 16/04/2014 18:14, Stroller wrote:
> On Wed, 16 April 2014, at 4:52 pm, Tom Wijsman wrote:
>> There is no such indication in that reply. That is up to you to decide.
>
> Well, I posted here looking for useful answers and perhaps a full explanation
> (like, of how this is needed beyond the system logger), not vapid one-liners.
>
> I guess I'll just file a vapid-one bug that my Gentoo system is generating
> these cron messages, rather than first trying to come to an understanding of
> the cause. Would that make the developers' lives easier?
>
> Stroller.

mce is Machine Check Exception; it's hardware trickery that watches for and records faults in hardware. Consider something like Dell's fancy monitoring software: the results don't magically appear in syslog - you use Dell's client app to query the hardware, figure out what the bits mean, then you can look-see what is going on. mcelog is sort of in the same class of software, but it's a generic interface.

You don't *have* to use it, the machines will run just fine without it. You will lack some monitoring though that could be useful - that's your call.

As for the cron job files, by all means file a bug. At a minimum you'll get an answer as to what the dev thinks about that deprecation status.

--
Alan McKinnon
alan.mckin...@gmail.com
Re: [gentoo-user] app-admin/mcelog daily cronjob?
On Wed, 16 Apr 2014 17:14:27 +0100 Stroller wrote:
> On Wed, 16 April 2014, at 4:52 pm, Tom Wijsman wrote:
>> There is no such indication in that reply. That is up to you to
>> decide.
>
> Well, I posted here looking for useful answers

You need it when you need it; iotw, what keeps you from your decision?
(http://blog.stackoverflow.com/2010/11/qa-is-hard-lets-go-shopping/)

> and perhaps a full explanation (like, of how this is needed beyond
> the system logger), not vapid one-liners.

For a system to log a source it needs a logger that logs that source.

> I guess I'll just file a vapid-one bug that my Gentoo system is
> generating these cron messages, rather than first trying to come to an
> understanding of the cause. Would that make the developers' lives
> easier?

If it is a bug to you, up to you to decide, then feel free to file it.

--
With kind regards,
Tom Wijsman (TomWij)
Gentoo Developer
E-mail address : tom...@gentoo.org
GPG Public Key : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D
Re: [gentoo-user] Raspberry Pi & Gentoo?
On Wednesday 16 Apr 2014 17:34:54 Jarry wrote: > 2. What distro? Right now I'm using Gentoo on all my servers > but I'm not sure it is the best option for this puppy (Gentoo > puts quite high demands on filesystem). If I redirect all the > compilation work to other "mature" server (distcc/crossdev), > can I use even Gentoo? Or is Raspbian still the better choice? I found distcc hard work when I was installing Gentoo on my Atom box, so I NFS-exported its package directory to a 32-bit chroot on my workstation, did all the emerging etc. there, including building binary packages, then emerge -k on the Atom installed the system with minimum fuss. It's not too hard to keep the portage setup in step, once you understand what bdeps are :-( -- Regards Peter
Re: [gentoo-user] Raspberry Pi & Gentoo?
Hey,

some time ago I wrote an article about how to install Gentoo on a Raspberry Pi:
https://blog.ramses-pyramidenbau.de/?p=188

Maybe this is interesting for you. There's also a precompiled bootable image available for download.

Regards
Ralf

On 04/16/2014 07:11 PM, Peter Humphrey wrote:
> On Wednesday 16 Apr 2014 17:34:54 Jarry wrote:
>
>> 2. What distro? Right now I'm using Gentoo on all my servers
>> but I'm not sure it is the best option for this puppy (Gentoo
>> puts quite high demands on filesystem). If I redirect all the
>> compilation work to other "mature" server (distcc/crossdev),
>> can I use even Gentoo? Or is Raspbian still the better choice?
> I found distcc hard work when I was installing Gentoo on my Atom box, so I
> NFS-exported its package directory to a 32-bit chroot on my workstation, did
> all the emerging etc. there, including building binary packages, then
> emerge -k on the Atom installed the system with minimum fuss.
>
> It's not too hard to keep the portage setup in step, once you understand what
> bdeps are :-(
Re: [gentoo-user] Raspberry Pi & Gentoo?
2014-04-16 12:57 GMT-03:00 Tom Wijsman:
> ...
> When you plan to do Gentoo, spend some time on avoiding much writes to
> the SD card if possible; put /var/tmp/portage on external drive, etc...

Having a few systems now, all running Gentoo, I usually mount an NFS /usr/portage from a central server, where all portage and "distfiles" are stored for all systems. And on some that do use a flash DOM, I plug in a common hard disk and mount "/var" to it while emerging. An NFS mount would do if the network is fast enough. And "distcc" always helps.

Francisco
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On 4/16/2014 7:14 AM, Matti Nykyri wrote:
> On Apr 16, 2014, at 13:52, Tanstaafl wrote:
>> Or will simply replacing my self-signed certs with the new real ones be
>> good enough?
>
> No it will not. Keys are the ones that have been compromised. You need to
> create new keys. With those keys you need to create certificate request.
> Then you send that request to certificate authority for signing and
> publishing in their crl. When you receive the signed certificate you can
> start using it with your key. Never send your key to CA or expect to get
> a key from them.

Ok, thanks... But... if I do this (create a new key-pair and CR), will this immediately invalidate my old ones (ie, will my current production server stop working until I get the new certs installed)?

I'm guessing not (or else there would be a lot of downtime for lots of sites involved) - but I've only ever done this once (created the key-pair, CR and self-signed keys) a long time ago, so want to make sure I don't shoot myself in the foot...

I have created new self-signed certs a couple of times since creating the original key-pair+CR, but never created a new key-pair/CR...

> There are also other algorithms than RSA. And also if you want to get PFS
> you will need to consider your setup, certificate and security model.

What is PFS?
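The procedure Matti describes (new private key, CSR to the CA, the key never leaves the host), as an added shell example that is not from this thread. It also shows the mechanics behind the follow-up question: generating the new pair only writes new files, and the running key and certificate stay untouched until you install the new ones. It assumes openssl(1) is on PATH; the directory, hostname and port are placeholders, and the local self-signing step in the demo stands in for the CA.

```shell
#!/bin/sh
# Added example (not code from the thread): rotate a server's TLS key pair.
# Generates a fresh 2048-bit RSA key and a CSR beside the old files, then checks
# that key, CSR and the CA-signed certificate belong together before deploying.
# Assumes openssl(1) on PATH; directory, hostname and port are placeholders.
set -eu

# Make a new private key and CSR. Nothing running is affected: the old key and
# certificate stay in place and keep serving until the new pair is installed.
new_key_and_csr() {   # $1 = directory, $2 = hostname (CN)
  umask 077                           # the private key must never be world-readable
  openssl genrsa -out "$1/$2.key.new" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key.new" -subj "/CN=$2" -out "$1/$2.csr.new" 2>/dev/null
}

# SHA-256 over the RSA modulus of a key ("rsa"), CSR ("req") or cert ("x509").
modulus_digest() {    # $1 = rsa|req|x509, $2 = file
  openssl "$1" -noout -modulus -in "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 when the CSR or certificate in $2 was made from the private key $3.
# Run this on the certificate the CA returns before putting it into production.
matches_key() {       # $1 = req|x509, $2 = file, $3 = key file
  [ "$(modulus_digest "$1" "$2")" = "$(modulus_digest rsa "$3")" ]
}

# Fingerprint of the certificate a live server presents, so you can confirm
# the new certificate (and not the pre-Heartbleed one) is actually being served.
served_fingerprint() { # $1 = host, $2 = port (placeholders; needs network)
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

# Stand-alone demo in a scratch directory with a placeholder hostname.
demo() {
  dir=$(mktemp -d); cn=mail.example.invalid
  new_key_and_csr "$dir" "$cn"
  # Stand-in for the CA step: sign the CSR locally. With a real CA you submit
  # $cn.csr.new and get $cn.crt.new back; the private key never leaves this host.
  openssl x509 -req -in "$dir/$cn.csr.new" -signkey "$dir/$cn.key.new" -days 1 \
    -out "$dir/$cn.crt.new" 2>/dev/null
  matches_key req  "$dir/$cn.csr.new" "$dir/$cn.key.new" && echo "CSR matches new key"
  matches_key x509 "$dir/$cn.crt.new" "$dir/$cn.key.new" && echo "cert matches new key"
  rm -rf "$dir"
}

demo
```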
[gentoo-user] Re: Raspberry Pi & Gentoo?
Jarry gmail.com> writes:
>>> 1. What is better to use as OS-storage: USB-stick or SD-card?
>> Both are $8 for 16GB of storage, so wear / failure is only a concern if
>> the server is to be inaccessible.
> But not every flash-memory is the same. Are you sure SD and
> USB are about the same? I thought USB-sticks were a little
> higher (comparable with CF, which is surely more reliable
> than SD)...

I've got some minimalized Gentoo servers, 586 vintage, still running on the original SD cards. I used "quality" cards, vintage 2006. The trick I found was to run the -Os small kernel and keep everything in ram, if that is possible. Also use ext2 file system, as it is better on minimal hardware. NFS mount busy stuff to other drives across the net. ROCK Solid, as minimalized gentoo servers on SD for 8 years now.

If you build on Rpi, it's at least a minimal system, or it can be set up as a pure embedded system:

# uname -r
2.6.25-hardened-r7

cat /proc/meminfo
MemTotal: 254224 kB
MemFree: 222112 kB
Buffers: 2080 kB
Cached: 19808 kB
SwapCached: 0 kB
Active: 14872 kB
Inactive: 10616 kB

/dev/hda1 /boot ext2 noatime 1 2
/dev/hda2 none swap sw 0 0
/dev/hda3 / ext2 noatime 0 1

hdparm -i /dev/hda
/dev/hda:
Model=SanDisk SDCFB-4096, FwRev=HDX 4.03, SerialNo=003416B2397F2159
Config={ HardSect NotMFM Removeable DTR>10Mbs nonMagnetic }
RawCHS=7964/16/63, TrkSize=0, SectSize=576, ECCbytes=4
BuffType=DualPort, BuffSize=1kB, MaxMultSect=4, MultSect=4
CurCHS=7964/16/63, CurSects=8027712, LBA=yes, LBAsects=8027712
IORDY=no, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
PIO modes: pio0 pio1 pio2 pio3 pio4
DMA modes: mdma0 mdma1 mdma2
AdvancedPM=no
Drive conforms to: Unspecified: ATA/ATAPI-4

If you got the time to LEARN, gentoo as an embedded system is far superior to a gentoo minimalized server, such as the above dinosaur. You need to be *reasonable* with what you ask your Rpi to do; imho.

ps, be nice to Neil, Alan and the other old farts on this list, as we all have very old toys we rarely talk about.. I.E. nothing new in *nix, it's all just colorful and recycled, imho.

hth,
James
[gentoo-user] Re: Raspberry Pi & Gentoo?
Ralf ramses-pyramidenbau.de> writes:
> https://blog.ramses-pyramidenbau.de/?p=188

Very cool!

>>> 2. What distro? Right now I'm using Gentoo on all my servers
>>> but I'm not sure it is the best option for this puppy (Gentoo
>>> puts quite high demands on filesystem). If I redirect all the
>>> compilation work to other "mature" server (distcc/crossdev),
>>> can I use even Gentoo? Or is Raspbian still the better choice?
>> I found distcc hard work when I was installing Gentoo on my Atom box,
>> so I NFS-exported its package directory to a 32-bit chroot on my
>> workstation, did all the emerging etc. there, including building binary
>> packages, then emerge -k on the Atom installed the system with minimum
>> fuss.

Ok so, on these small arm systems, what we have is the consolidation of the embedded world and the *nix world view of things. It may be best and easy for you to purchase (relatively) cheap hardware, download an existing easy distro and run your application; benchmarking with relevant goals in mind.

Traditional embedded folks look at the primary algorithms and apps that will run on an embedded processor/ram and maybe go one size larger on the resources. Tightly constrained. Arm processors come in a myriad of sizes and features. Personally, if you're stuck on Rpi, I'd ask around in those forums as to which arm_board you should use for your goals. Stay with non-mechanical drive/mem as it's rather dumb to put a mechanical drive with a sub-100-watt embedded board, from an energy consumption perspective, imho.

http://archlinuxarm.org/platforms/armv6/raspberry-pi
http://www.anandtech.com/show/7724/it-begins-amd-announces-its-first-arm-based-server-soc-64bit8core-opteron-a1100
https://www.gentoo.org/proj/en/base/embedded/handbook/
http://www.raspberrypi.org/forums/viewtopic.php?f=7&t=2321

Just a few links to get you started on proper research.

hth,
James
[gentoo-user] WEFT Why Every F Time ?
Howdy,

So, using gmail as my front end to read gentoo-user I see this quite a lot now:

"weft didn't produce an output."

But when from the Gmane interface I select "followup" it shows the message the previous poster wrote. Strange.

Googling I found: http://www.pressure.to/qda/

Which says version 2.0 was only released in alpha and 1.x is deprecated.

(Hello Lars, what's your plan?)

Is there another easy to use front end to read/post to gentoo-user?

(Please do not say NNTP)

curiously
James
Re: [gentoo-user] WEFT Why Every F Time ?
On 16/04/2014 23:31, James wrote:
> Howdy,
>
> So, using gmail as my front end to read gentoo user I see
> this quite a lot now:
>
> "weft didn't produce an output."
>
> But when from the Gmane interface I select "followup"
> it shows the message the previous poster wrote. Strange.
>
> Googling I found: http://www.pressure.to/qda/
>
> Which says version 2.0 was only released in alpha
> and 1.x is deprecated.
>
> (Hello Lars, what's your plan?)
>
> Is there another easy to use front end read/post to gentoo-user?
>
> (Please do not say NNTP)

I never could get the hang of reading mail in a browser. I'm still very olde skool in these matters, so: Subscribe directly to gentoo-user and pop your mail from gmail in a regular mail client?

--
Alan McKinnon
alan.mckin...@gmail.com
Re: [gentoo-user] foo2zjs make install error
On 04/16/2014 09:14 AM, Stroller wrote:
> On Tue, 15 April 2014, at 1:06 pm, Dutch Ingraham wrote:
>> ...
>> I should have included this in my first post: "locate foomatic-rip"
>> returns, on both installations:
>>
>> /usr/libexec/cups/filter/foomatic-rip
>> /usr/share/man/man1/foomatic-rip.1.bz2
>>
>> I cannot run foomatic-rip manually.
>
> This is perhaps a nitpick, but `locate` doesn't show us that foomatic-rip is
> installed on your system, only that it was installed last time updatedb was
> run.
>
> I'm not actually familiar with foomatic-rip, but I'd assume that it's an
> executable of some sort. Don't you get an error message if you try running
> `/usr/libexec/cups/filter/foomatic-rip`? What are the permissions on the
> file? In another post you've stated that you have 2 other machines which are
> not showing the same problem - compare with them.
>
> Stroller.

Good point, but updatedb is run after every update, so daily or thereabouts. I can execute foomatic-rip (but only with the full path - there is no separate command, which makes sense since it is not located in a /bin dir, I suppose). No errors on any of the three installs. (Note it is not really completing its job on the subject machine, as without the foo2zjs driver and accompanying firmware, I can't print. But it is responding with appropriate questions about whether my printer is configured or not.)

The permission for foomatic-rip is -rwxr-xr-x 1 root root, so shouldn't be a problem - user is in the lp group anyway.

And you're correct, comparing the three is what I've been trying to do. I've rebuilt a few packages to make sure all cups- and foomatic-related packages have the same USE flags. Also have run all clean-up scripts, like perl-cleaner, python-updater, revdep-rebuild, etc. foo2zjs (either from source or the gentoo package) still refuses to make install.

I guess I'll keep playing. Thanks for your help.
Re: [gentoo-user] Raspberry Pi & Gentoo?
On 04/16/14 23:46, Stroller wrote:
> On Wed, 16 April 2014, at 4:34 pm, Jarry wrote:
>> …
>> 1. What is better to use as OS-storage: USB-stick or SD-card?
>> I have read horror stories about SD-cards being fried/bricked
>> quite frequently so I'm a little scared. But I never found a
>> single post about problems with USB-sticks...
>
> In terms of frying/bricking USB sticks are just the same kind of flash memory
> as in SD-cards, surely?
>
> Both are $8 for 16GB of storage, so wear / failure is only a concern if the
> server is to be inaccessible.
>
> Stroller.

One for playing videos recorded on a myth system (nfs mount) - original 4G raspbian SD overwritten with a gentoo one.

One used for low power storage (32gb SD) for a security camera ... stage the images on the rpi, power down the big stuff at night and when available move the files into the main storage (all automated).

Both have been running since the first rpi model B's started shipping, with the only problem being the ext4 filesystem I chose to use (yuk).

BillK
[gentoo-user] Get bridge working for xen
Hi all! :)

I'm following the gentoo wiki [1]. I can't find any mistake in the config files, but the network does not work :/.

I don't have any xen configuration (or domU) yet. I'm just trying to get a bridge with a functional network on my domain0.

I attach my /etc/conf.d/net

When I try to ping, with any iface, to the outside, or even to the gateway, it says host unreachable. Also, the system is delayed on boot. It takes like 30 sec more, and conky gets stuck (I use it to take data like IP, gateway, dns, etc..).

I hope you can help me please, I need to get this working :/

Thank you! You all are the best!! Bye!

Sorry if my english is not the best :/

[1] https://wiki.gentoo.org/wiki/Xen#Networking_on_Unpriviledged_Domains

config_enp3s0="192.168.1.2 netmask 255.255.255.0 brd 192.168.1.255"
routes_enp3s0="default via 192.168.1.1"

bridge_xenbr0="enp3s0"
config_xenbr0="192.168.1.100 netmask 255.255.255.0 brd 192.168.1.255"
routes_xenbr0="default gw 192.168.1.1"
Re: [gentoo-user] Get bridge working for xen
On Thu, Apr 17, 2014 at 9:31 AM, Facu Curti wrote:
> Hi all! :)
>
> I'm following the gentoo wiki [1]. I can't find any mistake in the config
> files, but the network does not work :/.
>
> I don't have any xen configuration (or domU) yet. I'm just trying to get a
> bridge with a functional network on my domain0.
>
> I attach my /etc/conf.d/net
>
> When I try to ping, with any iface, to the outside, or even to the gateway, it
> says host unreachable. Also, the system is delayed on boot. It takes like
> 30 sec more, and conky gets stuck (I use it to take data like IP, gateway,
> dns, etc..).
>
> I hope you can help me please, I need to get this working :/
>
> Thank you! You all are the best!! Bye!
>
> Sorry if my english is not the best :/
>
> [1] https://wiki.gentoo.org/wiki/Xen#Networking_on_Unpriviledged_Domains

And what is your current network situation and your config (in /etc/conf.d/net)?

Just for reference, here is my config. The IP on br0 is obtained from DHCP, everything else should be similar.

modules="iproute2" # optional

config_eth0="null"

dns_servers_br0="192.168.1.136"

config_br0="dhcp" # change this line if your network config is static
brctl_br0="setfd 0 sethello 10 stp off"
bridge_br0="eth0"

rc_net_br0_need="net.eth0"
rc_net_eth0_provide="!net"

--
Silence is golden.
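The difference between the two configs in this thread comes down to one rule: the interface enslaved to the bridge gets config_<iface>="null" and no routes of its own, so that only the bridge owns an address and the default route. The following checker, an added example that is not code from the thread or from netifrc, turns that rule (taken from AR's reference config; it is an assumption, not netifrc documentation) into a test over /etc/conf.d/net-style files. Both sample configs are constructed: the first is the original poster's, the second the same host rewritten along the lines of AR's config.

```shell
#!/bin/sh
# Added example (not code from the thread): a checker for netifrc /etc/conf.d/net bridge
# setups. Assumption, taken from AR's reference config above: an interface enslaved to a
# bridge carries config_<iface>="null" and no routes_<iface>, so only the bridge owns an
# address and the default route. Sample configs below are constructed from this thread.
set -eu

# check_bridge_members FILE : prints one line per finding; exits 1 if any, 0 if clean
check_bridge_members() {
    awk '
        {   # key before "=", quoted value after it; text past the closing quote is a comment
            key = $0; sub(/=.*$/, "", key); sub(/^[[:space:]]+/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            if (match(val, /"[^"]*"/)) val = substr(val, RSTART + 1, RLENGTH - 2)
        }
        key ~ /^bridge_/ { br = substr(key, 8); n = split(val, m, " ")
                           for (i = 1; i <= n; i++) member[m[i]] = br }
        key ~ /^config_/ { cfg[substr(key, 8)] = val }
        key ~ /^routes_/ { rt[substr(key, 8)] = val }
        END {
            bad = 0
            for (ifc in member) {
                if (!(ifc in cfg) || cfg[ifc] != "null") {
                    printf "%s: enslaved to %s but config_%s is not \"null\"\n", ifc, member[ifc], ifc; bad++
                }
                if (ifc in rt) {
                    printf "%s: enslaved to %s but has its own routes_%s\n", ifc, member[ifc], ifc; bad++
                }
            }
            exit (bad > 0)
        }' "$1"
}

# The original poster's config from this thread: the member keeps its own address and route
OP_CONF=$(mktemp)
cat > "$OP_CONF" <<'EOF'
config_enp3s0="192.168.1.2 netmask 255.255.255.0 brd 192.168.1.255"
routes_enp3s0="default via 192.168.1.1"
bridge_xenbr0="enp3s0"
config_xenbr0="192.168.1.100 netmask 255.255.255.0 brd 192.168.1.255"
routes_xenbr0="default gw 192.168.1.1"
EOF

# The same host rewritten along the lines of AR's config, with a static address on the bridge
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
modules="iproute2"
config_enp3s0="null"
bridge_xenbr0="enp3s0"
brctl_xenbr0="setfd 0 sethello 10 stp off"
config_xenbr0="192.168.1.2/24"
routes_xenbr0="default via 192.168.1.1"
rc_net_xenbr0_need="net.enp3s0"
rc_net_enp3s0_provide="!net"
EOF

echo "== original"; check_bridge_members "$OP_CONF" || echo "-> member interface needs config_enp3s0=\"null\""
echo "== nulled member"; check_bridge_members "$FIXED_CONF" && echo "-> clean"
```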
Re: [gentoo-user] Get bridge working for xen
On Thu, Apr 17, 2014 at 09:54:46AM +0800, AR wrote:
> On Thu, Apr 17, 2014 at 9:31 AM, Facu Curti wrote:
> > Hi all! :)
> >
> > I'm following the gentoo wiki [1]. I can't find any mistake in the config
> > files, but the network does not work :/.
> >
> > I don't have any xen configuration (or domU) yet. I'm just trying to get a
> > bridge with a functional network on my domain0.
> >
> > I attach my /etc/conf.d/net
> >
> > When I try to ping, with any iface, to the outside, or even to the gateway,
> > it says host unreachable. Also, the system is delayed on boot. It takes like
> > 30 sec more, and conky gets stuck (I use it to take data like IP, gateway,
> > dns, etc..).
> >
> > I hope you can help me please, I need to get this working :/
> >
> > Thank you! You all are the best!! Bye!
> >
> > Sorry if my english is not the best :/
> >
> > [1] https://wiki.gentoo.org/wiki/Xen#Networking_on_Unpriviledged_Domains
>
> and what is your current network situation and your config (in
> /etc/conf.d/net) ?

My /etc/conf.d/net is:

config_enp3s0="192.168.1.2 netmask 255.255.255.0 brd 192.168.1.255"
routes_enp3s0="default via 192.168.1.1"

And ifconfig:

enp3s0: flags=4163 mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
        ether ac:22:0b:c1:dc:de  txqueuelen 1000  (Ethernet)
        RX packets 4630  bytes 4343241 (4.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4923  bytes 686607 (670.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73 mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

> Just for reference, here is my config.
> the IP on br0 is obtained from DHCP, everything else should be similar.
>
> modules="iproute2" # optional
>
> config_eth0="null"
>
> dns_servers_br0="192.168.1.136"
>
> config_br0="dhcp" # change this line if your network config is static
> brctl_br0="setfd 0 sethello 10 stp off"
> bridge_br0="eth0"
>
> rc_net_br0_need="net.eth0"
> rc_net_eth0_provide="!net"

I will try this config. I need a static IP, but I can do this from the router by configuring the DHCP server. So, it is not a problem. I'll bring news in a few minutes.

> --
> Silence is golden.

Thank you!
Re: [gentoo-user] Get bridge working for xen
No. This doesn't work. :/
[gentoo-user] Re: HP printing query
On 04/15/2014 04:07 PM, Philip Webb wrote:
> I ran into a problem trying to print yesterday -- solved for now -- ,
> but would like to simplify things for the next occasion.
>
> What appears to have happened is that when I updated Hplip + Cups,
> one of them created a new printer, so that the list now appears as :
>
> Deskjet_2510    Automatically setup by HPLIP   HP Deskjet 2510 Series hpijs, 3.13.9   Paused - "Filter failed"
> Deskjet_2510_2  Deskjet_2510_2                 HP Deskjet 2510 Series hpijs, 3.13.9   Idle
>
> I had the Vim plug-in 'prtdialog' + Kwrite + LO set to use the former,
> but needed to change them all to the latter to get the printer to respond.
>
> Is this something I have to allow for whenever I update those pkgs ?
> I can delete the old one as root, but can I rename the new one ?

From years of frustrating bug-hunting I've learned that I need to delete and re-create my cups printers each and every time I update cups. I always reinstall my printer(s) with hp-setup, not with any cups tools. That routine may not be necessary but it's always been sufficient :)
Re: [gentoo-user] Raspberry Pi & Gentoo?
On Wed, Apr 16, 2014 at 6:44 PM, William Kenworthy wrote:
> On 04/16/14 23:46, Stroller wrote:
> > On Wed, 16 April 2014, at 4:34 pm, Jarry wrote:
> >> …
> >> 1. What is better to use as OS-storage: USB-stick or SD-card?
> >> I have read horror stories about SD-cards being fried/bricked
> >> quite frequently so I'm a little scared. But I never found a
> >> single post about problems with USB-sticks...
> >
> > In terms of frying/bricking USB sticks are just the same kind of flash
> > memory as in SD-cards, surely?
> >
> > Both are $8 for 16GB of storage, so wear / failure is only a concern if the
> > server is to be inaccessible.
> >
> > Stroller.
>
> One for playing videos recorded on a myth system (nfs mount) - original
> 4G raspbian SD overwritten with a gentoo one.
>
> One used for low power storage (32gb SD) for a security camera ... stage
> the images on the rpi, power down the big stuff at night and when
> available move the files into the main storage (all automated).
>
> Both have been running since the first rpi model B's started shipping
> with the only problem being the ext4 filesystem I chose to use (yuk)
>
> BillK

I'm curious about trying out f2fs on the rpi. What's the general consensus on using it at this point in time? I know it's still very new, but I haven't read about anything with regard to stability.

--
Alecks Gates
Re: [gentoo-user] app-admin/mcelog daily cronjob?
On Wed, 16 Apr 2014 14:39:16 +0100 Stroller wrote:
> Taking a look at /etc/cron.daily/ shows only one odd one out:
>
> $ sudo ls -lh /etc/cron.daily/
> total 16K
> -rwxr-xr-x 1 root root  180 Feb  4 20:28 logrotate
> -rwxr-xr-x 1 root root  196 Mar  3 09:48 man-db
> -rw-r--r-- 1 root root  141 Apr 16 14:09 mcelog
> -rwxr-xr-x 1 root root 1.3K Feb  4 23:53 mlocate

I don't think cron will attempt to execute anything in cron.daily that doesn't have execute perms, so the error probably isn't coming from mcelog.

--
Randy Barlow
Re: [gentoo-user] HP printing query
Philip Webb wrote on 16.04.2014 01:07:
> I ran into a problem trying to print yesterday -- solved for now -- ,
> but would like to simplify things for the next occasion.
>
> What appears to have happened is that when I updated Hplip + Cups,
> one of them created a new printer, so that the list now appears as :
>
> Deskjet_2510    Automatically setup by HPLIP   HP Deskjet 2510 Series hpijs, 3.13.9   Paused - "Filter failed"
> Deskjet_2510_2  Deskjet_2510_2                 HP Deskjet 2510 Series hpijs, 3.13.9   Idle
>
> I had the Vim plug-in 'prtdialog' + Kwrite + LO set to use the former,
> but needed to change them all to the latter to get the printer to respond.
>
> Is this something I have to allow for whenever I update those pkgs ?
> I can delete the old one as root, but can I rename the new one ?

Just for your information, I have removed the auto-configuration [1] of hplip printers done by udev rules. There were as well an upgrade and an uninstall tool which I have removed as well. These are things which should be done by the user/admin. As mentioned on the wiki page for hplip [2], at every upgrade the recommended action is to delete all print queues and recreate them again, either with hp-setup or the cups web interface.

[1]
*hplip-3.14.3 (07 Mar 2014)

  07 Mar 2014; Daniel Pielmeier +hplip-3.14.3.ebuild:
  Version bump. This version adds a patch which removes the update and
  uninstall python scripts as well as the auto-configuration/plug-in
  installation related stuff from the udev rules. This should fix Gentoo bug
  #434830 (Upstream bug https://bugs.launchpad.net/hplip/+bug/1080353).

[2] https://wiki.gentoo.org/wiki/HPLIP

--
Regards
Daniel Pielmeier
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On Apr 16, 2014, at 20:56, Tanstaafl wrote:
> On 4/16/2014 7:14 AM, Matti Nykyri wrote:
>> On Apr 16, 2014, at 13:52, Tanstaafl wrote:
>>> Or will simply replacing my self-signed certs with the new real ones be
>>> good enough?
>
>> No it will not. Keys are the ones that have been compromised. You need
>> to create new keys. With those keys you need to create a certificate
>> request. Then you send that request to the certificate authority for
>> signing and publishing in their crl. When you receive the signed
>> certificate you can start using it with your key. Never send your key
>> to the CA or expect to get a key from them.
>
> Ok, thanks...

Ok... This is the second time I'm writing this message. Last time the rotten battery of my rotten apple died while it was sending the message. That drove me to despair and I had to sleep on it before retrying :/

> But... if I do this (create a new key-pair and CR), will this immediately
> invalidate my old ones (ie, will my current production server stop working
> until I get the new certs installed)?

No. Your cert is valid as described in the cert fields: not valid before, not valid after. You should never have two different valid certificates for the same purpose. So it is the job of the CA to set the revoke bit on the old certificate when issuing a new one.

> I'm guessing not (or else there would be a lot of downtime for lots of sites
> involved) - but I've only ever done this once (created the key-pair, CR and
> self-signed keys) a long time ago, so want to make sure I don't shoot myself
> in the foot...

The same here. Now this heartbleed got me updating everything. There are a few very good tutorials... And if you skim back this list there was a really good post on certs like two weeks ago.

> I have created new self-signed certs a couple of times since creating the
> original key-pair+CR, but never created a new key-pair/CR...

First you need to create parameters for your keys. If using an elliptic key use:

openssl ecparam

This is not necessary for all types of keys. And usually most of these commands can be combined, but I try to separate them so you get the full picture.

Then create keys:

openssl genpkey

Then make the CR:

openssl req

After this the job is handled by the CA... So you for self signed cert. For a real cert you just send the CR to the CA. The CA will then sign your cert:

openssl ca

And publish your cert:

openssl ca -gencrl

For this a CAcert is needed of course. If you just want a self signed cert you can create your own CAcert by creating keys and a self-signed cert by:

openssl genpkey
openssl req -x509

Then sign and publish your CR with your CAcert using the openssl ca utility.

About security.. Your CA keys should never ever be on a computer that is online. If they were and had been compromised by heartbleed for example, we would be having a true catastrophe at the moment. Still it is suggested that you encrypt your CAcert keys.

>> There are also other algorithms than RSA. And also if you want to get
>> PFS you will need to consider your setup, certificate and security
>> model.
>
> What is PFS?

PFS = perfect forward secrecy. Meaning that the exposure of your cert keys will not compromise the content of past transmissions that have been recorded by your adversary. This is offered by certain cipher suites. So you really need to consider what algorithms and what ciphers you wish to use with your SSL servers and choose certificates and parameters that will do the job.

DHE and ECDHE will provide PFS. I don't know enough about cryptography to truly say what to trust. Someone should correct me if my assumptions are false... But I have come to a conclusion that DHE is compromised by NSA. So I would not use it. DH and ECDH do not provide PFS. Using PFS gives you a performance penalty but increases security.

DH uses DHparams to do the key exchange. Openssl will reuse these params across different connections to boost performance. It needs to be explicitly told not to if this is desired. This again increases security but degrades performance.

For the cert I would use elliptic cryptography. I trust NSA has not poisoned this algorithm... But can you be sure? Anyway, to make things secure you need to trust that you have truly random data and there are no vulnerabilities in your key generators... It is really hard to make sure of this. It requires you to be a true pro.

-Matti
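The rotation Matti walks through above (new key, CSR, signature by a CA whose key stays offline, then point the server at the new key), run end to end against a throwaway private CA so the result can be checked. This is an added example, not code from the thread; the CA name, the hostname and the file names are made up, and "openssl x509 -req" stands in for "openssl ca" so that no CA database has to be set up. The last two checks are the ones worth keeping after a real rotation: the new certificate chains to the CA, and the exposed key no longer matches anything the server serves.

```shell
#!/bin/sh
# Added example (not code from the thread): the rotation Matti describes, run end to
# end against a throwaway private CA. Hostnames, file names and the CA name are made up.
# "openssl x509 -req" stands in for "openssl ca" so no CA database needs to be set up.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the run does not depend on the system openssl.cnf;
# the CA cert gets CA:TRUE so "openssl verify" accepts it as a trust anchor.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Offline CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

gen_key() {          # gen_key FILE : fresh EC private key (Matti's "openssl genpkey")
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}
make_ca() {          # self-signed CA certificate ("openssl req -x509"); keep this key offline
    gen_key "$WORK/ca.key"
    openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
        -days 365 -out "$WORK/ca.crt" 2>/dev/null
}
make_csr() {         # make_csr KEY CSR CN : certificate request for the new key ("openssl req")
    openssl req -new -key "$1" -config "$WORK/ca.cnf" -subj "/CN=$3" -out "$2" 2>/dev/null
}
sign_csr() {         # sign_csr CSR CRT : the CA signs the request; the server key never leaves the host
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 90 -out "$2" 2>/dev/null
}
chain_ok() {         # chain_ok CRT : 0 if the certificate chains to our CA
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}
key_matches_cert() { # key_matches_cert KEY CRT : 0 if the cert carries KEY's public key
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ "$k" = "$c" ]
}

# Constructed scenario: old.key is the key that was exposed; server.key replaces it.
make_ca
gen_key "$WORK/old.key"
gen_key "$WORK/server.key"
make_csr "$WORK/server.key" "$WORK/server.csr" mail.example.com
sign_csr "$WORK/server.csr" "$WORK/server.crt"
chain_ok "$WORK/server.crt" && echo "new certificate chains to the CA"
key_matches_cert "$WORK/old.key" "$WORK/server.crt" || echo "old key matches nothing: point the vhost at server.key"
```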
Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones
On Wednesday 16 Apr 2014 18:56:57 Tanstaafl wrote:
> On 4/16/2014 7:14 AM, Matti Nykyri wrote:
> > On Apr 16, 2014, at 13:52, Tanstaafl wrote:
> >> Or will simply replacing my self-signed certs with the new real ones be
> >> good enough?
> >
> > No it will not. Keys are the ones that have been compromised. You need
> > to create new keys. With those keys you need to create a certificate
> > request. Then you send that request to the certificate authority for
> > signing and publishing in their crl. When you receive the signed
> > certificate you can start using it with your key. Never send your key
> > to the CA or expect to get a key from them.
>
> Ok, thanks...
>
> But... if I do this (create a new key-pair and CR), will this
> immediately invalidate my old ones (ie, will my current production
> server stop working until I get the new certs installed)?

You have not explained your PKI setup. Creating a new private key and CSR is just another private key and CSR. If you replace either the private CA key on the server, or any of its certificate chain, but leave the path in your vhosts pointing to the old key/certificate that no longer exists, you will of course break the server. Apache will refuse to restart and warn you about borked paths.

> I'm guessing not (or else there would be a lot of downtime for lots of
> sites involved) - but I've only ever done this once (created the
> key-pair, CR and self-signed keys) a long time ago, so want to make sure
> I don't shoot myself in the foot...

Yes, better be safe with production machines. However, don't take too long because your private key(s) are potentially already compromised.

> I have created new self-signed certs a couple of times since creating
> the original key-pair+CR, but never created a new key-pair/CR...
>
> > There are also other algorithms than RSA. And also if you want to get
> > PFS you will need to consider your setup, certificate and security
> > model.
>
> What is PFS?

http://en.wikipedia.org/wiki/Forward_secrecy

I'm no mathematical genius to understand cryptography at anything more than a superficial level, but I thought that ECDS, which PFS for TLS depends on, was compromised from inception by the NSA? Perhaps only some ECDS were, I am not really sure. I remember reading somewhere (was it Schneier?) that RSA is probably a better bet these days.

I'd also appreciate some views from the better informed members of the list because there's a lot of FUD and tin hats flying around in the post Snowden era.

--
Regards,
Mick