[gentoo-user] Postgres gem not found by cron job

2010-08-11 Thread Michael Orlitzky
I feel like I should be able to solve this one, but it started after my 
last world update so maybe someone else has had a similar problem.


We have a ruby script called 'mailshears' on our mail server that cleans 
up orphaned users and domains every night. The main script,


  /root/src/mailshears/bin/mailshears

includes a class,

  require 'src/postfixadmin_db'

which in turn requires the postgres library from ruby-postgres:

  require 'postgres'

I don't think there's anything fancy going on here. All of the required 
packages are installed, and the script runs fine when I execute it 
manually. For example, both of the following work:


  cd /root/src/mailshears/bin/
  ./mailshears

  cd /
  export PATH=/sbin:/bin:/usr/sbin:/usr/bin
  export HOME=/
  /root/src/mailshears/bin/mailshears

(That last one mimics my crontab.) The problem is, whenever the nightly 
cron job runs, the 'postgres' library can't be found. I get mailed this 
every night:


  /root/src/mailshears/bin/../src/postfixadmin_db.rb:1:in `require': no
  such file to load -- postgres (LoadError)
      from /root/src/mailshears/bin/../src/postfixadmin_db.rb:1
      from /etc/cron.daily/01mailshears:35:in `require'
      from /etc/cron.daily/01mailshears:35

The path /etc/cron.daily/01mailshears is simply a symlink to 
/root/src/mailshears/bin/mailshears, and of course, if I execute that 
symlink manually, it runs fine.


What's different between my root environment and the one in which cron 
runs (with respect to ruby and its gems)? Where should I start looking?




Re: [gentoo-user] Postgres gem not found by cron job

2010-08-11 Thread Michael Orlitzky

On 08/11/2010 03:16 PM, Bill Longman wrote:



>> What's different between my root environment and the one in which cron
>> runs (with respect to ruby and its gems)? Where should I start looking?
>
> No direct answer, sorry, Michael.
>
> You might want to use:
>
>   /bin/bash -l -x -c /root/src/mailshears/bin/mailshears
>
> to at least help debug it.



Thanks for the tip. The cron environment was missing 
"RUBYOPT=-rauto_gem" -- adding it fixed the problem.


Dark magic, whatever it does.



Re: [gentoo-user] Graphite causing trouble

2012-01-05 Thread Michael Orlitzky
On 01/05/12 11:05, Peter Humphrey wrote:
> On Thursday 05 January 2012 15:56:41 I wrote:
> 
>> On Thursday 05 January 2012 15:14:17 I wrote:
>> > I still get the same errors. What can I try next?
>>
> 
>> What I did try was revdep-rebuild. The only package it wanted to rebuild
>> was krita, so I thought what-the-hell and let it try. It worked. So now
>> emerging is working again.
> 
>  
> 
> Wait - only some things compile; others still throw up the error. I'm
> confused as well now.

If you just want your machine to work properly, you should probably
`emerge -e --keep-going world` until it does. Make sure graphite/lto are
disabled.

If it looks unrecoverable, you can probably unpack a stage3 over your
existing system and then update it.



Re: [gentoo-user] Re: Graphite causing trouble

2012-01-06 Thread Michael Orlitzky
On 01/06/12 11:55, Peter Humphrey wrote:
> 
> To get things compiling I removed all signs of graphite. I'm not sure
> whether it's worth the trouble of putting it back in again. Thoughts,
> anyone?
> 

On the one hand, it's kind of fun and educational to have something
break in a novel way so that you can figure out how to fix it.

On the other hand, those things only break when you have something
important to do.

I try to keep my laptop in good shape, and then do the unspeakable to my
desktop machine at home. If I ever need to do something urgently (fill
out a spreadsheet to apply for a scholarship) and something is broken
(libreoffice can't find libhahakissyournightgoodbye.so.1) I can always
walk into the living room and do it on the laptop.



Re: [gentoo-user] Re: Is it possible to move from hardened profile?

2012-01-14 Thread Michael Orlitzky

On 01/14/2012 04:56 PM, walt wrote:

> On 01/14/2012 01:05 PM, czernitko wrote:
>> Hello, I wonder whether it is possible to convert hardened desktop
>> box into box with non-hardened profile? I guess I would have to
>> recompile world with vanilla compiler (no hardening) and compile
>> gentoo-sources kernel (no prob with those), but how can I get clean,
>> non-hardened profile for portage (if it is even possible)?
>
> Short answer:  I have no idea :)  But I'd like to ask why you want to
> dump the hardened profile.  Is there a significant disadvantage to
> the hardening?  I've been wanting for awhile to try hardening but I'm
> basically too lazy to Just Do It(TM).



Virtualization is iffy if you're not careful which options you enable in 
the kernel.


Rarely, an upstream developer will do something weird in his code and it 
will break an unstable package.


They say the nvidia drivers don't work, but they do anyway.

Chances are, you won't notice any difference, but you'll gain a tiny bit 
of peace of mind.




Re: [gentoo-user] Re: Is it possible to move from hardened profile?

2012-01-15 Thread Michael Orlitzky

On 01/15/2012 08:36 AM, Tanstaafl wrote:



>> Virtualization is iffy if you're not careful which options you enable in
>> the kernel.
>
> I've been meaning to ask a similar (but reverse) question - which I'll do
> in a separate thread later, but...
>
> Your reference to 'virtualization is iffy' above... do you mean if you
> are going to run VMs on a hardened HOST? Or run a hardened machine as a
> VM? I had a problem trying to switch my Linode VM to the hardened
> profile, and ended up giving up on it...



I was talking about a hardened host. Fortunately, newer kernels will 
have a preset "virtualization" profile that you can select to set only 
the safe options. See this thread for the announcement:


http://archives.gentoo.org/gentoo-hardened/msg_4bfe029213c94d7ee59cdf8f3f38.xml

I personally have never run a hardened guest, but in that post he 
alludes to the fact there may also be issues there, "...but in some
cases applies even for the guest."

In either case, you would want to stick to the stable kernels, since new 
problems do crop up occasionally as new features are introduced.




Re: [gentoo-user] RUBYOPT="-rauto_gem"

2012-01-15 Thread Michael Orlitzky

On 01/15/2012 05:24 PM, Hilco Wijbenga wrote:

> Hi all,
>
> The dev-ruby/rubygems ebuild adds "-rauto_gem" to the global RUBYOPT.
> This breaks my own scripts so I have removed it from /etc/env.d. So
> far, so good.
>
> I just tried upgrading dev-ruby/json and it failed because I did not
> have RUBYOPT set. Obviously, the "fix" was easy but now I'm wondering
> ... is this really the best approach?
>
> It does not seem like a good idea that the rubygems ebuild sets
> RUBYOPT and subsequent (Ruby Gems related) emerges break without it.
> Would it not be simpler and more reliable if ebuilds that need it
> simply execute "export RUBYOPT=..." prior to running? Why does it have
> to be in the global environment, forcing it on every user?
>
> If there is a requirement for this to be in the global environment,
> what is the consequence of unsetting RUBYOPT in my own .bashrc (or
> similar)? Is that "safe"? Or does that break something that I simply
> haven't noticed yet?



(1) I don't know much about ruby packaging

(2) Keeping (1) in mind, I agree with you

(3) You're asking the wrong people

Try asking on the -dev list, or filing a bug. They'll just close it if 
it's considered invalid.


This bit me once long ago: ruby scripts running from cron don't have 
their RUBYOPT set, so scripts that normally work "magically" fail. Since 
I never set RUBYOPT myself, I didn't expect it to be set. Of course, I 
just forgot to require rubygems in my script.
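
Added example, not part of the thread: both this message and the 2010 cron thread above come down to a variable that the login shell exports and cron does not. The manual test in the first message only overrode PATH and HOME, so RUBYOPT was still inherited; `env -i` is what actually removes it. The helper names and the sample environment dumps below are constructed for illustration.

```shell
#!/bin/sh
# Added example; run_like_cron and missing_vars are illustrative names.

# Run a command with only the variables the manual test in the thread set
# (PATH, HOME), plus SHELL. Nothing else is inherited from the calling
# shell, so whatever /etc/env.d or /etc/profile exported is gone.
run_like_cron() {
    env -i PATH=/sbin:/bin:/usr/sbin:/usr/bin HOME=/ SHELL=/bin/sh "$@"
}

# missing_vars LOGIN_DUMP CRON_DUMP
# Both files hold `env` output (one NAME=value per line). Prints the names
# that are set in LOGIN_DUMP but absent from CRON_DUMP, sorted.
missing_vars() {
    awk -F= '
        $1 !~ /^[A-Za-z_][A-Za-z0-9_]*$/ { next }   # skip continuation lines
        FILENAME == ARGV[1] { in_cron[$1] = 1; next }
        !($1 in in_cron)    { print $1 }
    ' "$2" "$1" | sort -u
}

# Constructed sample dumps standing in for:
#   env > login.env                   (root's interactive shell)
#   * * * * * env > /tmp/cron.env     (temporary crontab entry)
demo() {
    (
        tmp=$(mktemp -d) || exit 1
        printf '%s\n' 'HOME=/root' \
            'PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/bin:/bin' \
            'RUBYOPT=-rauto_gem' 'TERM=xterm' > "$tmp/login.env"
        printf '%s\n' 'HOME=/' 'PATH=/sbin:/bin:/usr/sbin:/usr/bin' \
            'SHELL=/bin/sh' > "$tmp/cron.env"
        missing_vars "$tmp/login.env" "$tmp/cron.env"
        rm -rf "$tmp"
    )
}

demo
```

To reproduce the nightly failure by hand, run the job through the wrapper: `run_like_cron /etc/cron.daily/01mailshears`.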




Re: [gentoo-user] Resurrecting a Gentoo install

2012-01-20 Thread Michael Orlitzky
On 01/20/12 18:58, Grant wrote:
>> OK, so the install is old and portage has dependencies, right?
>>
>> emerge -pvDuN portage
>>
>> will get you closer. However this is probably best covered using
>> Neil's suggestion of
>>
>> emerge -pvDuN @system
> 
> I can't even get started:
> 

Do you have some idea of what config files are important on the machine?
You can always extract a stage3 at the root. That basically installs the
latest @system for you, with the massive caveat that you won't have
CONFIG_PROTECTion.



Re: [gentoo-user] Strange outbound requests

2012-01-20 Thread Michael Orlitzky

On 01/20/2012 07:12 PM, Grant wrote:

>>> If the machine is running linux, then 'watch "lsof -n|grep TCP|grep
>>> 3680"' as root is a sloppy but effective way to find it. There's
>>> probably some way to set up a firewall rule on the host in question
>>> that logs out the user and (possibly) PID of the connection, but I
>>> don't know.
>>
>> "lsof -i" is easier, it only shows network connections :)
>>
>> catching it when it happens (if it is very briefly connected) could be
>> hard with lsof... Maybe setup a tarpit firewall rule on that box so
>> the connection stays open for a long time.
>
> The connections are only attempted a few times throughout the day.  Is
> a tarpit firewall rule the only way to do this?  Can anyone tell me
> what package 'watch' belongs to if that would work?



`watch` isn't going to help too much unless you're looking at it. Append 
the output to some log file instead. I chose netstat because its output 
looked easier to parse with a stupid regexp.


  while true; do
    netstat -antp | grep ':993 ' >> mystery.log;
    sleep 1;
  done;

You'll want to change the port -- I tested to make sure that was really 
logging my Thunderbird connections.




Re: [gentoo-user] Resurrecting a Gentoo install

2012-01-20 Thread Michael Orlitzky

On 01/20/2012 09:42 PM, Grant wrote:

>>> # emerge -avDuN system
>>> [snip]
>>> !!! All ebuilds that could satisfy ">=sys-auth/pambase-20081028" have
>>> been masked.
>>> !!! One of the following masked packages is required to complete your
>>> request:
>>> - sys-auth/pambase-20101024-r1 (masked by: EAPI 4)
>>> - sys-auth/pambase-20101024 (masked by: EAPI 3)
>>
>> USE="-pam" emerge @system will avoid that particular block, although it
>> may only get you as far as the next one.
>
> I seem to get an error like this from whatever I try to emerge.  Is
> untarring a stage3 my only option?
>
> - Grant



You don't have to do the entire stage3 at once,

  http://tinderbox.dev.gentoo.org/

has precompiled packages for the major arches and profiles. You could 
try to replace just pambase, pam, python, etc. -- whatever's giving you 
trouble.


This was not my first recommendation because I've managed to break e.g. 
`tar` and `cp` before in the attempt, at which point you have two rescues 
to attempt.




Re: [gentoo-user] Resurrecting a Gentoo install

2012-01-21 Thread Michael Orlitzky

On 01/20/2012 11:48 PM, Grant wrote:


>> You don't have to do the entire stage3 at once,
>>
>>   http://tinderbox.dev.gentoo.org/
>>
>> has precompiled packages for the major arches and profiles. You could try to
>> replace just pambase, pam, python, etc. -- whatever's giving you trouble.
>>
>> This was not my first recommendation because I've managed to break e.g.
>> `tar` and `cp` before in the attempt, at which point you have two rescues to
>> attempt.
>
> The errors I'm getting seem to be complaining about emerging ebuilds
> with a higher EAPI number than my portage has.  Should I just install
> the latest portage binary package?  If so, how should I do that?



All of those tinderbox tarballs are just archives to be extracted in /. 
For portage specifically, I'd follow the guide that Dale posted, since 
it takes care not to clobber your configs.




Re: [gentoo-user] Strange outbound requests

2012-01-22 Thread Michael Orlitzky

On 01/22/2012 12:54 PM, Grant wrote:


>> `watch` isn't going to help too much unless you're looking at it. Append the
>> output to some log file instead. I chose netstat because its output looked
>> easier to parse with a stupid regexp.
>>
>>   while true; do
>>     netstat -antp | grep ':993 ' >> mystery.log;
>>     sleep 1;
>>   done;
>>
>> You'll want to change the port -- I tested to make sure that was really
>> logging my Thunderbird connections.
>
> I'm still getting the blocked outbound requests to port 3680 on my
> firewall and I'm running the above script (changed 993 to 3680) on the
> local system indicated by SRC in the firewall log, but mystery.log
> remains empty.  I tested the script with other ports and it seems to
> be working fine.
>
> Also the MAC indicated in the firewall log is 14 blocks long and the
> local system in question has a MAC address 6 blocks long according to
> ifconfig, but the 6 blocks from ifconfig do match 6 of the blocks
> reported by the firewall.
>
> Does this make sense to anyone?



Are you running it as root? If not, you could be missing some connections.

I also typed the 't' in netstat out of habit -- that limits the output 
to tcp connections. You can remove it to catch the UDP ones.




Re: [gentoo-user] Strange outbound requests

2012-01-22 Thread Michael Orlitzky

On 01/22/2012 02:29 PM, Grant wrote:


> Since my local firewall is rejecting the outbound requests, the time
> elapsed between the request and the block should be very short.  Is it
> possible the 'sleep 1' portion of the script is causing the failure to
> log the connection request?  The outbound connection is only attempted
> a few times per day.  If so, how would you recommend fixing that?


If the firewall is being nice and rejecting the connection, then yeah, 
it could be opening/closing in under a second. `sleep` doesn't require 
an integer[1], so you can probably have it sleep for 0.1s or something 
like that.




> I'm also wondering if there is a command I could run on the
> router/firewall machine that would log something from the outbound
> request.  Even if the information logged isn't useful, it would be
> nice to see a confirmation of the outbound requests logged from
> somewhere besides the firewall.


What kind of firewall is it? Can you update the rules? If so, make it 
silently drop outbound connections instead of rejecting them; that way, 
the connection will hang open for a little bit.




[1] This is probably a bash-ism, but it works here.
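
Added example, not part of the thread: a variant of the logging loop from the messages above that matches the port only in netstat's Foreign Address column, includes UDP, timestamps each hit and polls at a sub-second interval. The function names and the netstat sample are constructed for illustration; the column layout assumed is that of net-tools `netstat -anp` on Linux.

```shell
#!/bin/sh
# Added example; function names are illustrative, sample data is constructed.

# remote_port_hits PORT
# Reads `netstat -anp` output on stdin and prints only TCP/UDP rows whose
# Foreign Address (column 5) ends in :PORT. Unlike grep ':PORT ', a local
# service that happens to use the same port number is not reported.
remote_port_hits() {
    awk -v port="$1" '$1 ~ /^(tcp|udp)/ && $5 ~ (":" port "$")'
}

# watch_port PORT LOGFILE [INTERVAL]
# Poll until interrupted, appending a timestamped copy of every matching
# row to LOGFILE. Run as root so the PID/Program column is filled in.
# Fractional intervals need a sleep that accepts them, as GNU coreutils
# sleep does. A connection the firewall silently drops stays in SYN_SENT
# for a while, which gives the poll more chances to see it.
watch_port() {
    while true; do
        netstat -anp 2>/dev/null | remote_port_hits "$1" |
            while IFS= read -r row; do
                printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$row"
            done >> "$2"
        sleep "${3:-0.1}"
    done
}

# Constructed netstat output: one local service on port 3680 and two
# outbound attempts (TCP and UDP) to remote port 3680.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1801/sshd
tcp        0      0 192.168.1.20:3680       192.168.1.5:40022       ESTABLISHED 2100/localsvc
tcp        0      1 192.168.1.20:51514      203.0.113.7:3680        SYN_SENT    2212/mystery
udp        0      0 192.168.1.20:40111      203.0.113.7:3680                    2212/mystery
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1520/dhcpcd
EOF
}

# Prints the two outbound rows; the localsvc row is left out.
sample_netstat | remote_port_hits 3680
```

Start the logger with `watch_port 3680 mystery.log` and stop it with Ctrl-C.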



Re: [gentoo-user] «-»: [gentoo-user] distcc - amd64 and x86

2012-02-05 Thread Michael Orlitzky

On 02/05/2012 01:46 PM, Dale wrote:


> It does the same for portages work space too.  I have portages work
> directory on tmpfs and I always have to mount with the size=12g option
> so that LOo will even start.
>
> Thing is, it rarely uses more than 4Gbs or so.  Is there a way to
> disable this mess?  I got the space for my compile.  I really don't need
> the checks.  Another reason for the question, the OP could add a ungodly
> amount of swap and just listen to the hard drive heads sing.
>
> Dale
>
> :-)  :-)



I_KNOW_WHAT_I_AM_DOING="yes" will disable it. The prerequisite check is 
done in check-reqs.eclass, so setting it in make.conf should disable 
prereq checking for all packages if you're OK with the voided warranty.




Re: [gentoo-user] Default settings in /etc/rc.conf

2012-02-05 Thread Michael Orlitzky

On 02/05/2012 03:01 PM, Alan McKinnon wrote:


> You cannot trust the commented examples in rc.conf to be the defaults.
> I reckon they are just that - typical examples.
>
> If you search through rc.conf for the word "default" you find quite a
> few cases where the text says what the default is and the example is
> something different. In other words, the default is, um, not actually
> documented anywhere.
>
> This is a bit of a fail actually as you now have to fiddle with
> settings, make them this, reboot, make them that, reboot, see what the
> difference is. Sloppy maintenance if you ask me.
>
> I'd advise you to file a bug (feature request) asking for the defaults
> to be clearly documented where someone other than the principal dev can
> find them.



You guys already did this thread:

http://archives.gentoo.org/gentoo-user/msg_513fd0fbcdf0fc95f5561684e80301f8.xml



Re: [gentoo-user] Syntax for set files

2012-02-07 Thread Michael Orlitzky
On 02/07/12 15:08, Alan McKinnon wrote:
> On Tue, 7 Feb 2012 13:46:04 -0600
> Paul Hartman wrote:
> 
>> On Tue, Feb 7, 2012 at 12:36 PM, Alan McKinnon wrote:
>>> Anyone know a link to documentation on what the syntax is in
>>> portage's set files? I once had a skimpy doc (since lost) that
>>> described operators like + - / that let you add, remove and replace
>>> named atoms in a set file.
>>
>> Portage documentation, Part I Chapter 2 "Package Set Configuration"
>> should have more than you ever wanted to know about sets. :) Emerge
>> portage with USE="doc" if you don't already have it in
>> /usr/share/doc/portage*/html/.
> 
> Ah, that explains it. I have USE=-doc set globally and it never occurred
> to me to enable it for portage :-) I have only a few packages where
> USE=doc is enabled. I'd always sorta assumed the real docs were on a
> wiki somewhere :-)
> 

I tried to look for these a few days ago and did the same thing. Someone
should really put up a webpage titled "Portage package sets
documentation" that says "try checking /usr/share/doc/portage".



Re: [gentoo-user] Re: Recommended VPN Tunnel client?

2012-02-10 Thread Michael Orlitzky
On 02/10/12 11:46, Pandu Poluan wrote:
> 
> On Feb 10, 2012 10:08 PM, "Mick" wrote:
>>
>> > >
>> > > The need: a VPN client that:
>> > > + can selectively send packets fulfilling a criteria (in this
>> > > case, dest= IP address of internal server)*
>>
>> As far as I know typical VPNs require the IP address (or FQDN) of the VPN
>> gateway.  If yours changes because ISP A goes down then the tunnel will
>> fail and be torn down.

I must have missed the original message. OpenVPN can do this. Just
specify multiple "remote vpn.example.com" lines in your client configs,
one for each VPN server.

It also handles updating the routing table for you. Rather than match
"IP address of internal server," it will match "IP address on internal
network" and route through the VPN automatically.



Re: [gentoo-user] Re: Recommended VPN Tunnel client?

2012-02-10 Thread Michael Orlitzky
On 02/10/12 13:05, Pandu Poluan wrote:
> 
> No, no, no. What I meant was running TCP and UDP *on top of* OpenVPN
> (which uses UDP).
> 
> HAproxy seems to be able to perform its magic with TCP connections.
> 

I was about to say that we use it over UDP, but... we don't. We have a
small number of clients, maybe ten(?) that use the VPN for remote
administration.

UDP is recommended, references[1] are easy to google. Why we're running
it over TCP I don't know. I must have had a good reason =)

It performs fine anyway, but now I'm considering flipping it to UDP to
see what happens. At least I'll be in the office when it breaks.



[1] http://sites.inka.de/sites/bigred/devel/tcp-tcp.html



Re: [gentoo-user] Re: Recommended VPN Tunnel client?

2012-02-10 Thread Michael Orlitzky
On 02/10/12 13:36, Michael Orlitzky wrote:
> 
> UDP is recommended, references[1] are easy to google. Why we're running
> it over TCP I don't know. I must have had a good reason =)

Oh my school blocks outgoing UDP. Running on TCP/443 allows me to
connect from their network.



Re: [gentoo-user] RFC : fast copying of a whole directory tree

2012-02-13 Thread Michael Orlitzky
On 02/13/12 05:49, Helmut Jarausch wrote:
> 
> I've written a small Python program which outputs the file names in
> i-node order. If this is fed into tar or cpio nearly no seeks are 
> required during copying.

What makes you think the inodes are sequential on-disk?


> But its correctness for backing up data is critical.
> Therefore I'd like to ask for comments.

You're nuts =)

Seriously though, use cp, tar, or rsync. They've seen years of use by
millions of people. All of the remaining bugs are sufficiently insidious
that you'll never hit them. The same probably isn't true for your script!



Re: [gentoo-user] ebuild for a fee?

2012-02-17 Thread Michael Orlitzky
On 02/16/12 22:47, Pandu Poluan wrote:
> 
> On Feb 17, 2012 10:13 AM, "Grant" wrote:
>>
>> I'd like to pay to have an ebuild built.  Can anyone recommend a way
>> to get in touch with a good person for the job?
>>
>> - Grant
>>


Diego seems to be mad about the same things I am on a regular basis:

  http://www.flameeyes.eu/hire-me





Re: [gentoo-user] Re: alternative to thunderbird?

2012-02-19 Thread Michael Orlitzky
On 02/19/12 11:02, Grant Edwards wrote:
> On 2012-02-18, Grant wrote:
> 
>> I just switched from firefox to chromium (thanks to you guys) and I'm
>> loving it.  What would you recommend for getting away from
>> thunderbird?  I'm looking for something simple and minimal.
> 
> mutt
> 

I loved mutt, but "search in subfolders" is really not an optional feature.



Re: [gentoo-user] This Connection is Untrusted: WAS: Firefox-10.0.1 fails to compile on x86

2012-02-24 Thread Michael Orlitzky
On 02/24/12 02:45, Florian Philipp wrote:
> 
> Let's not forget that whenever you are presented with that warning, it
> could also be a man-in-the-middle attack. Therefore just clicking on
> "Accept" on every site is about the stupidest thing you can do.
> 
> I'm unsure how the warning looks when you have previously accepted a
> normally untrusted certificate on that site and now it is different
> (which could be an indication of MITM). I hope there is a big red flashy
> warning but I doubt it.
> 

Not if the certificate is "valid."

The only sane way to handle certificates with parties you've never met
(i.e. every website) is the SSH method: you accept that, no matter what,
there's always going to be one opportunity for a man-in-the-middle
attack. The first time you connect, you save the remote server's
certificate. If it changes, freak out.

The certificate patrol extension does this:

  http://patrol.psyced.org/

With it, self-signed certificates become more secure than CA-signed ones.
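
Added example, not part of the thread and not code from the Certificate Patrol extension: the "save it on first connect, freak out if it changes" check from the message above, written as a small pin store keyed by host name. The function names, the store format (one `host fingerprint` pair per line) and the fingerprints in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example; names, store format and fingerprints are constructed.

# cert_fingerprint HOST [PORT]
# SHA-256 fingerprint of the certificate the server presents right now.
# Needs network access and the openssl command; not called by the demo.
cert_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# tofu_check STORE HOST FINGERPRINT
# Trust on first use, as with SSH's known_hosts:
#   new      no pin for HOST yet; FINGERPRINT is recorded   (status 0)
#   match    FINGERPRINT equals the recorded pin            (status 0)
#   CHANGED  HOST is pinned to something else; pin is kept  (status 1)
tofu_check() {
    (
        store=$1 host=$2 fp=$3
        [ -f "$store" ] || : > "$store"
        pinned=$(awk -v h="$host" '$1 == h { print $2; exit }' "$store")
        if [ -z "$pinned" ]; then
            printf '%s %s\n' "$host" "$fp" >> "$store"
            echo new
        elif [ "$pinned" = "$fp" ]; then
            echo match
        else
            echo CHANGED
            exit 1
        fi
    )
}

# Constructed, shortened fingerprints for the offline demo.
FP_FIRST='11:22:33:44:55:66:77:88'
FP_OTHER='99:AA:BB:CC:DD:EE:FF:00'

# First contact, a repeat visit, then a visit where the certificate differs.
demo() {
    (
        store=$(mktemp) || exit 1
        tofu_check "$store" www.example.org "$FP_FIRST"
        tofu_check "$store" www.example.org "$FP_FIRST"
        tofu_check "$store" www.example.org "$FP_OTHER" || true
        rm -f "$store"
    )
}

demo
```

Against a live server the check is `tofu_check ~/.cert_pins HOST "$(cert_fingerprint HOST)"`. A legitimate certificate renewal also reports CHANGED, so confirm the new fingerprint through another channel before replacing the pin.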



Re: [gentoo-user] This Connection is Untrusted: WAS: Firefox-10.0.1 fails to compile on x86

2012-02-27 Thread Michael Orlitzky
On 02/27/12 13:43, Florian Philipp wrote:
> 
> Just a small follow-up: A neat server-sided trick I didn't know until
> now is HTTP Strict Transport Security [1]. It prevents users from
> clicking away SSL warnings and prevents mixed content.
> 
> [1] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> 
> Regards,
> Florian Philipp

This is nice, although, as with all nice things, it doesn't work in
Internet Explorer.

We try to hack together the same effect using Apache's mod_rewrite and
redirects, but it's hard to get right. Most off-the-shelf web apps (e.g.
Wordpress) do their best to thwart you.



Re: [gentoo-user] Pay for a hardened VM image

2012-03-03 Thread Michael Orlitzky

On 03/03/2012 03:21 PM, Tanstaafl wrote:

> On 2012-03-02 3:51 PM, Tanstaafl wrote:
>> Would anyone here be interested in being paid to create a hardened VM
>> image for me that will run on a Microsoft Hyper-V host?
>>
>> If so, what would you be willing to do this for?
>>
>> Feel free to email me directly...
>
> No one has a template they can use to simply clone me a ready to go
> hardened VM?
>
> Or interested in earning a little money?



It's probably the "Microsoft Hyper-V" part that's scaring people away. 
You can do a hardened install in a few hours with KVM or VirtualBox, but 
I don't want to,


  a) Figure out how Hyper-V works, and where to get it
  b) Find a spare machine
  c) Install a copy of Windows for testing



Re: [gentoo-user] GLSA management

2012-03-06 Thread Michael Orlitzky
On 03/06/12 13:32, Grant wrote:
> I've been checking this daily for a while:
> 
> http://www.gentoo.org/security/en/glsa/index.xml
> 
> but every time there's a vulnerability in a package I know I have
> installed, my installed version is unaffected.  If I emerge world
> daily, do I need to check on GLSA's?
> 

Does glsa-check still work? It's part of gentoolkit.



Re: [gentoo-user] Fwd: Re: PATCH: "postfix start" master initialization status

2012-03-07 Thread Michael Orlitzky
On 03/07/12 10:24, Eliezer Croitoru wrote:
> when this patch is going to get into the portage??
> thanks
> Eliezer

It looks like Eray applied it to postfix-2.10_pre20120305-r1, in the
tree right now.



Re: [gentoo-user] How can I trigger kernel panic?

2012-03-14 Thread Michael Orlitzky
On 03/14/12 14:23, Jarry wrote:
> Hi,
> 
> my question might seem silly, but I have reason for it:
> I have heard there is way to auto-reboot linux after kernel
> panic using "kernel.panic=" in /etc/sysctl.conf.
> 
> This might come handy as my server is far from me and I do
> not have any remote console. But I would like to test it
> and see if it works (first on my desktop).
> 
> So my question is: Can I somehow deliberately trigger
> "kernel panic" (or "kernel oops")?

If you want to test the auto-reboot, try appending root=/dev/random to
the command line.



Re: [gentoo-user] Apache upgrade to 2.4 error AH00027: Buggy authn provider failed to set user

2012-04-03 Thread Michael Orlitzky
On 04/03/12 02:40, Adam Carter wrote:
> I've just upgraded to 2.4 and am using mod_access_compat, so I can use
> the existing auth config in the short term. I've fixed a few things
> and now the daemon loads cleanly, however, when i try to get the
> anonymously available front page, it returns a 500 and error.log
> shows;
> 
> [Tue Apr 03 16:13:33.595505 2012] [core:error] [pid 20896:tid
> 139858125358848] [client u.x.y.z:16567] AH00027: Buggy authn provider
> failed to set user for /
> 
> At a password protected directory (there's an .htaccess) it also
> returns 500 and the log is;
> [Tue Apr 03 16:15:50.244851 2012] [core:alert] [pid 20895:tid
> 139858125358848] [client u.x.y.z:20702] /blah/blah/.htaccess: Invalid
> command 'Require', perhaps misspelled or defined by a module not
> included in the server configuration
> 
> Shouldn't "Require" from the .htaccess file be recognised by
> mod_access_compat? Any ideas about the AH00027 error?
> 

https://bugs.gentoo.org/show_bug.cgi?id=410607



Re: [gentoo-user] *Simple* guide to implementing digest-auth combined with IP based whitelist?

2012-04-03 Thread Michael Orlitzky
On 04/03/12 15:06, Tanstaafl wrote:
> I've never had a need to protect a site like this so am totally new to
> it...
> 
> I've been reading, and everything says that digest-auth is preferred to
> basic-http-auth (yes, I know that this isn't a very sophisticated level
> of protection, but it is all we need for this site), but is there also a
> way to whitelist certain static IP address so people on those don't get
> prompted for a username/password?
> 
> Thanks for any pointers to tfm...
> 

From http://httpd.apache.org/docs/2.2/mod/core.html#satisfy,

  For example, if you wanted to let people on your network have
  unrestricted access to a portion of your website, but require that
  people outside of your network provide a password, you could use a
  configuration similar to the following:

See also:

  http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html

for the "Allow from..." docs.



Re: [gentoo-user] Problem with RAID1

2012-04-19 Thread Michael Orlitzky
On 04/19/12 14:20, Mike Diehl wrote:
> 
> My question is, "which one?"  Usually I get a [UU] on a good RAID, and an _ 
> for the failed drive.  That would indicate that sda3 has failed.  However, 
> sdb3 is marked with an (F), which I've never seen before.  
> 
> Which drive should I replace?

You can use smartctl to pull the S/N off the drive.

  backup2 ~ # smartctl -i /dev/sda
  smartctl 5.42 2011-10-20 r3458 [x86_64-linux-3.2.2-hardened-r1]
  (local build)
  Copyright (C) 2002-11 by Bruce Allen,
  http://smartmontools.sourceforge.net

  === START OF INFORMATION SECTION ===
  Model Family: Western Digital Caviar Blue Serial ATA
  Device Model: WDC WD2500AAKS-61L9A0
  Serial Number: WD-WMAV2JE70517
  ...


> Also, why did I get an I/O error?  Shouldn't my RAID have just failed over 
> silently?

Short answer: lots of things can go wrong. It might be as simple as
removing the failing drive from the array. But it doesn't matter, back
up the un-failed disk right now if there's anything important on it.
*Then* play around to get the array working again.



Re: [gentoo-user] How to find the MAC address

2012-04-19 Thread Michael Orlitzky
On 04/19/12 15:40, Alex Schuster wrote:
> Hi there!
> 
> How am I supposed to find the MAC address of an ethernet interface? I used
> to call ifconfig and grep for HWaddr, but this does not work any more.
> 
> I found the 'old-output' USE flag for sys-apps/net-tools, which brings
> back the old behaviour in order not to break old scripts, but I'd like to
> know what the new method is that scripts should use.

`ip link`

Learning a new command for something so fundamental was annoying, but
now I'm much happier.



Re: [gentoo-user] How to find the MAC address

2012-04-19 Thread Michael Orlitzky
On 04/19/12 16:40, Alex Schuster wrote:
> 
> Thanks, that's a nice one. But can I expect this command to be available
> per default on typical Linux distributions? Some other systems I have
> access to have it, but here on Gentoo it belongs to sys-apps/iproute2,
> which depends on nothing I have installed, I do not even know why I
> emerged it in the first place. So maybe I better use ifconfig which is
> always available, although sometimes in /bin and sometimes in /sbin, and
> I have to check the output to see which version it is.
> 

Gentoo prefers it over net-tools, and a few of the conf files mention
that, which explains how it could have wound up installed.

(Google says) iproute2 was introduced to replace net-tools around the
time of kernel-2.2, and (I says) they're needed to do anything remotely
complicated with the networking stack. So, they're probably pretty
standard these days.



Re: [gentoo-user] Postgres suddenly can't access files in its /etc directory

2012-04-23 Thread Michael Orlitzky
On 04/23/12 09:21, nap...@squareownz.org wrote:
> I'm unsure if I should be posting this to the -hardened mailing list as
> I'm using the hardened profile but all of a sudden I'm getting a rather
> strange error when trying to start postgres.
> 
> # /etc/init.d/postgresql-9.1 start
>  * Caching service dependencies ...  [ ok ]
>  * The following file(s) are not readable by 'postgres':
>  * /etc/postgresql-9.1/postgresql.conf
>  * /etc/postgresql-9.1/pg_ident.conf
>  * /etc/postgresql-9.1/pg_hba.conf
>  * HINT: Try: 'chmod 644 /etc/postgresql-9.1/*.conf'
>  * ERROR: postgresql-9.1 failed to start
> 
> That's what I'm getting when I attempt to start it and I don't seem to have 
> modified anything.
> 
> Looking into the init script I can see it's doing su postgres -c "test -r 
> /etc/postgresql-9.1/pg_hba.conf" and the like but the output of:
>   su postgres -c "test -r /etc/postgresql-9.1/pg_hba.conf" || echo "fail" 
> is fail... so I'm quite at a loss as to what could be going on here. All of 
> the files are owned by postgres, have the correct permissions (I ran chmod 
> 644 as it hinted) and it should be able to traverse to the directory as 
> everything has the execute bit from /etc onwards.
> 

You can `su postgres` and then try to read the files yourself. That
should reveal the problem.



Re: [gentoo-user] Postgres suddenly can't access files in its /etc directory

2012-04-23 Thread Michael Orlitzky
On 04/23/12 11:44, nap...@squareownz.org wrote:
>>
>> You can `su postgres` and then try to read the files yourself. That
>> should reveal the problem.
>>
> 
> Interestingly I can't `su postgres` even though I have set it a shell,
> thanks for the tip though, I'm getting closer!

You can also try `su - postgres` which will attempt to switch to
postgres's home directory. Is that readable/executable?



Re: [gentoo-user] Postgres suddenly can't access files in its /etc directory

2012-04-24 Thread Michael Orlitzky
On 04/24/12 05:31, nap...@squareownz.org wrote:
> On Tue, Apr 24, 2012 at 06:27:22AM +0100, Graham Murray wrote:
>> nap...@squareownz.org writes:
>>
>>> Postgres doesn't have a home directory and if I create one and chown it
>>> postgres:postgres I still can't do anything. I'm totally at a loss here.
>>
>> Postgres should have a home directory - /var/lib/postgresql
>>
>> If you run su - postgres, this is the directory you should be in.
>>
> Ah okay, I've changed it back to this then. I do indeed enter there now.
> I've emerged it without threads or pam as I suspected it may have been
> either of them but that hasn't seemed to solve much of anything.
> 
> The current error I'm getting is:
> # /etc/init.d/postgresql-9.1 start
>  * Starting PostgreSQL ...
>  * start-stop-daemon: did not create a valid pid in
>  * `/var/lib/postgresql/9.1/data/postmaster.pid'
>  * Check the PostgreSQL 9.1 log for a detailed explanation of the
>  * above error.[ !! ]
> 
> Which is what happens when start-stop-daemon fails to execute its
> command. I'm not entirely sure what start-stop-daemon is or what
> permissions it may need or be missing so I'm about to look into that.
> 

Is everything under (and including) /var/lib/postgresql owned by
postgres:postgres?

  ~ # ls /var/lib/postgresql/9.1
  total 4.0K
  drwx------ 13 postgres postgres 4.0K 2012-04-23 18:58 data

  ~ # ls /var/lib/postgresql/9.1/data/
  total 1.2M
  -rw------- 1 postgres postgres    4 2012-02-14 00:14 PG_VERSION
  drwx------ 7 postgres postgres 4.0K 2012-04-23 10:31 base
  drwx------ 2 postgres postgres 4.0K 2012-04-23 18:59 global
  drwx------ 2 postgres postgres 4.0K 2012-02-14 00:14 pg_clog
  drwx------ 4 postgres postgres 4.0K 2012-02-14 00:14 pg_multixact
  drwx------ 2 postgres postgres 4.0K 2012-04-23 18:58 pg_notify
  drwx------ 2 postgres postgres 4.0K 2012-02-14 00:14 pg_serial
  drwx------ 2 postgres postgres 4.0K 2012-04-24 09:57 pg_stat_tmp
  drwx------ 2 postgres postgres 4.0K 2012-04-20 13:42 pg_subtrans
  drwx------ 2 postgres postgres 4.0K 2012-02-14 00:14 pg_tblspc
  drwx------ 2 postgres postgres 4.0K 2012-02-14 00:14 pg_twophase
  drwx------ 3 postgres postgres 4.0K 2012-04-23 11:36 pg_xlog
  -rw------- 1 postgres postgres 1.1M 2012-04-24 09:55 postmaster.log
  -rw------- 1 postgres postgres  134 2012-04-23 18:58 postmaster.opts
  -rw------- 1 postgres postgres   92 2012-04-23 18:58 postmaster.pid



Re: [gentoo-user] fetch restriction bypass

2012-04-30 Thread Michael Orlitzky
On 04/30/12 14:20, james wrote:
> Hello,
> 
> OK so I have java that I must use, but it is 
> "fetch restricted" because of Oracle being
> an a_hole.
> 
> However, I do not have time to manually bypass the fetch restriction
> every time the file needs to be updated, as I manage
> too many different gentoo systems.

As far as I know, for legal reasons, Gentoo doesn't provide an automated
way to violate the upstream license (no matter how asinine).

You'll have to script something.



Re: [gentoo-user] Re: fetch restriction bypass

2012-04-30 Thread Michael Orlitzky
On 04/30/12 14:50, Michael Mol wrote:
> On Mon, Apr 30, 2012 at 2:42 PM, James  wrote:
>> Michael Mol  gmail.com> writes:
>>
>>
>>> Use a network-mounted distfiles directory on a common file server?
>>> That way, once you've downloaded it once, for any system, the package
>>> is right there for the rest.
>>
>>
>> Well I do not use NFS or such, but, I do scp the restricted files around.
>> My environment is such that it is partitions and systems moved around
>> too frequently (used remotely) to use a dist file system.
>>
>> So, I'd like to bypass the fetch restrictions altogether...
>> once and for all; any other ideas?
> 
> Patch Portage? Having a local patch like that would depend on whether
> or not the Portage ebuild supported particular hooks, but I don't
> remember the specifics.

Won't help because the tarball location isn't in the ebuild. You have to
go to the webpage to find it.

You can patch the ebuild every time, but that takes the same amount of
work (on each machine) as wget .



Re: [gentoo-user] fetch restriction bypass

2012-04-30 Thread Michael Orlitzky
On 04/30/12 14:44, Michael Mol wrote:
> 
> Does the ebuild for portage support user-supplied patches?
> 

It doesn't look like it, but you can always hack it with,

  post_src_unpack() {
      cd "${S}"
      epatch_user
  }

in your ~/.bashrc.



Re: [gentoo-user] Re: fetch restriction bypass

2012-04-30 Thread Michael Orlitzky
On 04/30/12 14:45, James wrote:
> Michael Orlitzky  orlitzky.com> writes:
> 
> 
>> You'll have to script something.
> 
> OK? Any examples or pseudo code
> that outlines how to do this?
> 
> Surely, it's been done before?
> 
> maybe something in CPAN?

You said you're already using scp to move things around; I think that's
as good as it's going to get if you don't want to share distfiles.

It's not as easy as just bypassing the fetch restriction. Neither the
ebuild nor portage know where the upstream tarball is; the only thing in
the ebuild is a link to the webpage.

If you can settle on one machine to offer up its own distfiles folder,
you might be able to overlay that onto each machine with UnionFS.
Multiple DISTDIRs would also work but don't seem to exist. There was a
patch way back in 2003:

> http://archives.gentoo.org/gentoo-dev/msg_4c28fe3b3ff086d022734f20c3aca9a0.xml




Re: [gentoo-user] Re: fetch restriction bypass

2012-04-30 Thread Michael Orlitzky
On 04/30/2012 02:45 PM, James wrote:
> Michael Orlitzky  orlitzky.com> writes:
> 
> 
>> You'll have to script something.
> 

I gave this a serious shot, but it's not easy.

First, you can override the ebuild environment:

  $ cat /etc/portage/bashrc
  if [ "${EBUILD_PHASE}" == "clean" ] && [ "${PN}" == "sun-jdk" ]; then
  ...

You can parse out the important stuff from the ebuild. This sets JDK_URI
to the value contained in the ebuild:

  eval `"${GREP}" JDK_URI= "${EBUILD}"`

And you can even parse the URL out of the HTML file pretty easily with a
regular expression. But, unfortunately, they're checking for cookies:

  $ wget http://download.oracle.com/otn-pub/java/jdk/6u31-b04/jdk-6u31-linux-x64.bin
  ...
  HTTP request sent, awaiting response... 302 Moved Temporarily
  Location: http://download.oracle.com/errors/download-fail-1505220.html

And, the cookies don't get set in a normal HTTP request. So you can't
just `curl $JDK_URI` and save the cookies.

It looks like the URL that sets the cookies is created by that
javascript lightbox code, so you need to be able to evaluate JS, get
that URL, hit the page, and save its cookies before you're allowed to
download the file.

Finally, the cookies are dynamic, and not something like let_me_in=True.
So maybe it's still possible, but scp is looking a lot better right now.



Re: [gentoo-user] Re: fetch restriction bypass

2012-04-30 Thread Michael Orlitzky
On 04/30/2012 09:40 PM, Michael Orlitzky wrote:
> 
> And, the cookies don't get set in a normal HTTP request.

For this to make sense, you probably want to read, "HTML request."




Re: [gentoo-user] convert wmv to mp4?

2012-05-01 Thread Michael Orlitzky
On 05/01/2012 11:52 AM, Mark Knecht wrote:
> I'm looking around on the web for ways to convert wmv files to mp4. So
> far the most common solution seems to be ffmpeg but when I try that it
> doesn't seem to understand the video files. The most common type of
> comment people give is that this should be straight forward if 32-bit
> codecs are installed. I'm running 64-bit and don't see what flags I
> might need to set to get that?
> 

Can you play the WMV?

The "wmv" extension usually indicates an ASF container, and the ASF
container can have DRM. I see them every once in a while, and
ffmpeg/mplayer have no idea what to do with them.



Re: [gentoo-user] Setting default user environments in /etc/profile.d/

2012-05-01 Thread Michael Orlitzky
On 05/01/2012 02:11 PM, Stroller wrote:
> So /etc/profile contains the following message:
> 
> # You should override these in your ~/.bashrc (or equivalent) for per-user
> # settings.  For system defaults, you can add a new file in /etc/profile.d/.
> export EDITOR=${EDITOR:-/bin/nano}
> export PAGER=${PAGER:-/usr/bin/less}
> 
> Therefore I have created a plain text file /etc/profile.d/essential_defaults
> 

First of all, use `eselect pager` =)

The reason this isn't working is that the comment at the top of
/etc/profile fails to mention this:

  for sh in /etc/profile.d/*.sh ; do
      [ -r "$sh" ] && . "$sh"
  done
  unset sh

So it looks like you need to add a ".sh" extension.



Re: [gentoo-user] gem install linecache19 fails

2012-05-18 Thread Michael Orlitzky
On 05/16/12 08:57, 1126 wrote:
> Hello, 
> 
> I do need the ruby-gem linecache19-0.5.12. Usually, there are two ways to 
> install a gem, right? Via emerge and via gem install. But here, only one way 
> works. dev-ruby/linecache only builds the ruby18-version of this gem, so
> I'm stuck with gem install. But gem install fails with the
> following error:
> 
> trace_nums.c:(.text+0x22): undefined reference to `ruby_current_thread'
> 
> 
> I am using ruby-1.9.3p194, but tried with different versions as well. 
> 
> Does anyone have a clue what I can do to solve the problem and get 
> linecache19-0.5.12 installed?
> 
> Thanks in advance,
> 
> Christian.
> 

Relevant:

  http://bugs.gentoo.org/show_bug.cgi?id=398455

Other people seem to have had the same problem. Try the git version,
it's somewhat more likely to work considering the last commit was
"updated for Ruby 1.9.3":

  https://github.com/mark-moseley/linecache



Re: [gentoo-user] Outgoing emails don't seem to be encrypted with TLS through

2012-05-18 Thread Michael Orlitzky
On 05/18/12 13:32, nap...@squareownz.org wrote:
> postfix Reply-To:
> 
> All of my incoming emails are coming through postfix, eg that last
> email left this beauty in the log: postfix/smtpd[13698]: Anonymous
> TLS connection established from pigeon.gentoo.org[208.92.234.80]:
> TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)
> 
> I'm a bit lost as to how to get my mails to *send* encrypted though.
> 
> Is there a setting in main.cf that I'm missing?
> 
> Thank you!

The "smtp" one is for outgoing, while "smtpd" is incoming:

  smtp_tls_security_level = may
  smtpd_tls_security_level = may

But they'll only work with other servers that support it.
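
Added example, not part of the original message: with "may", Postfix still delivers in cleartext to peers that offer no STARTTLS, so this sketch lists relays that accepted mail from an smtp client process that logged no TLS handshake to them. It assumes smtp_tls_loglevel = 1 (otherwise the client logs no TLS lines); the function names and all sample lines are constructed, apart from the smtpd text quoted above.

```shell
# Added example, not from the thread. Heuristic: a delivery counts as
# encrypted only if the same postfix/smtp process logged a TLS handshake
# to the same relay earlier in the log.

# sample_log: constructed log lines. Timestamps, hostname, PIDs, queue ids
# and the example.org/example.net peers are made up; the smtpd message text
# is the one quoted in the thread.
sample_log() {
    cat <<'EOF'
May 18 13:30:01 mail postfix/smtpd[13698]: Anonymous TLS connection established from pigeon.gentoo.org[208.92.234.80]: TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)
May 18 13:35:10 mail postfix/smtp[13720]: Untrusted TLS connection established to mx1.example.org[192.0.2.25]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 18 13:35:11 mail postfix/smtp[13720]: 3F2A1C0A: to=<user@example.org>, relay=mx1.example.org[192.0.2.25]:25, delay=1.2, status=sent (250 2.0.0 Ok)
May 18 13:40:42 mail postfix/smtp[13731]: 7B9D0C0B: to=<user@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, status=sent (250 2.0.0 Ok)
EOF
}

# cleartext_relays: read a Postfix log on stdin and print each relay that
# accepted mail ("status=sent") without a logged TLS handshake.
# Usage: cleartext_relays < /path/to/mail.log
cleartext_relays() {
    awk '
    # Only the outbound client (postfix/smtp), not the server (postfix/smtpd).
    $0 !~ /postfix\/smtp\[/ { next }
    {
        pid = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^postfix\/smtp\[[0-9]+\]:$/) pid = $i
    }
    / TLS connection established to / {
        for (i = 1; i < NF; i++)
            if ($i == "to") {
                peer = $(i + 1)
                sub(/:$/, "", peer)          # drop the trailing colon
                tls[pid " " peer] = 1
                break
            }
        next
    }
    /status=sent/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^relay=/) {
                peer = $i
                sub(/^relay=/, "", peer)
                sub(/,$/, "", peer)
                if (!((pid " " peer) in tls)) print peer
            }
    }' | sort -u
}
```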



Re: [gentoo-user] Re: Understanding new ruby dependencies

2012-05-22 Thread Michael Orlitzky
On 05/22/2012 09:10 PM, Chris Stankevitz wrote:
> 
> How was I supposed to learn the "proper" way of dealing with this
> RUBY-related system change?

The way I learned was by watching the emerge output:

  $ emerge -pv dev-ruby/rails

  These are the packages that would be merged, in order:

  Calculating dependencies... done!
  [ebuild  N ] app-admin/eselect-rails-0.16  2 kB
  [ebuild  N ] dev-ruby/tmail-1.2.7.1-r2  USE="-debug -doc -test"
  RUBY_TARGETS="ruby18 -jruby -ree18" 436 kB

and wondering, "RUBY_TARGETS, what the hell is that?"

I'm sure there's a proper way, but that's the way I've discovered all of
the USE_EXPAND variables. LINGUAS was the first, then I noticed
ALSA_CARDS, APACHE2_MODULES, XFCE_PLUGINS...

The default list can be found in,

  /usr/portage/profiles/base/make.defaults



Re: [gentoo-user] {OT} hire a programmer or company?

2012-05-28 Thread Michael Orlitzky
On 05/27/2012 05:18 PM, Alan McKinnon wrote:
> 
> You need an existing development house with a reputation to uphold,
> located in the same city as you.

Without getting into the (book-length) details, I'll +1 this.



Re: [gentoo-user] {OT} hire a programmer or company?

2012-05-29 Thread Michael Orlitzky
On 05/29/12 09:58, Michael Mol wrote:
> 
> I'd probably suggest reading The Mythical Man-Month.
> 
> http://en.wikipedia.org/wiki/The_Mythical_Man-Month
> 
> 

As long as we're suggesting books, this is one of my favorites:

  http://en.wikipedia.org/wiki/Peopleware:_Productive_Projects_and_Teams

At worst it's an entertaining read.



Re: [gentoo-user] ~gcc-4.7.0

2012-05-29 Thread Michael Orlitzky
On 05/29/12 06:26, Hinnerk van Bruinehsen wrote:
> - hardened-sources: the necessary gcc-plugins don't work because they
> can't find the right symbols because gcc-4.7 is normally compiled with
> g++ which mangles the symbols. Don't know how to work around that,
> though it seems to be possible to compile gcc-4.7 with gcc - I just
> don't know how

There's a progress report on this in the latest meeting log:

  http://archives.gentoo.org/gentoo-hardened/txtZMdHjDUoGa.txt



Re: [gentoo-user] what's wrong with pulseaudio?

2012-06-01 Thread Michael Orlitzky
On 06/01/12 10:19, Canek Peláez Valdés wrote:
> 
> If after all this you are still getting the .pulse directory in /,
> then I have no idea how it is getting in there.
> 
> Regards.

Maybe it isn't the reboot that's triggering it. In my crontab, I have,

  HOME=/

Maybe a cron job (running as root) is triggering the creation in $HOME,
which is temporarily set to / ?




Re: [gentoo-user] {OT} online documents, create/manage/display

2012-06-06 Thread Michael Orlitzky
On 06/06/12 11:32, Grant wrote:
> What would you guys recommend for something in portage or an overlay
> which will allow me to create and manage documents in a browser, and
> display those documents to authenticated users in a browser?  apache2
> could handle the authentication and display.  Hopefully something
> really easy to set up and maintain?
> 
> - Grant
> 

Google docs? Can you give some examples of how you'd like it to work?




Re: [gentoo-user] [OT] Screenshot but as video ?

2012-06-06 Thread Michael Orlitzky
On 06/06/12 13:26, meino.cra...@gmx.de wrote:
> Hi,
> 
> I am looking for an application with which I can grab videos
> from what I am doing on my desktop (will be used for a kind
> of tutorial). The video should be playable under windows also.
> 
> 
> What is a recommended application for that purpose ?
> 

media-video/recordmydesktop



Re: [gentoo-user] Apache server setup

2012-06-10 Thread Michael Orlitzky
On 06/09/2012 05:59 AM, Peter Humphrey wrote:
> On Friday 08 June 2012 22:01:08 Paul Hartman wrote:
>> On Fri, Jun 8, 2012 at 1:21 PM, Peter Humphrey 
>  wrote:
>>> $ cat .htaccess
>>> RewriteEngine on
>>>
>>> RewriteCond %{HTTP_REFERER} !^http://tideswellmvc.co.uk/.*$ [NC]
>>> RewriteCond %{HTTP_REFERER} !^http://tideswellmvc.co.uk$ [NC]
>>> RewriteCond %{HTTP_REFERER} !^http://www.tideswellmvc.co.uk/.*$ [NC]
>>> RewriteCond %{HTTP_REFERER} !^http://www.tideswellmvc.co.uk$ [NC]
>>> RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]
>>>
>>> Options +Includes
>>
>> I suspect this particular error ("Options not allowed here") is
>> because this .htaccess is running in a user home directory, and
>> Options +Includes can't be set by a user. You may need to declare
>> that in your apache httpd.conf "Directory" section for that path,
>> rather than in the .htaccess file.
> 
> Hmm. Sounds plausible. Maybe I'll have to put it back into /var/www/... 
> and try to work out why I can't see images there.
> 
> Thanks for your help Paul.
> 

If you want to allow overrides in an htaccess, you'll need at least,

  
Options +SymLinksIfOwnerMatch
AllowOverride FileInfo Options
  

in the main config or your vhost config.

The Gentoo config modularizes by default, but you don't have to use it
if you don't want to. Almost everything under /etc/apache2/modules.d is
disabled by default unless you enable it in /etc/conf.d/apache2.

Named virtual hosts are also disabled by default if I remember
correctly, so you should be able to just stick stuff in httpd.conf or
00_default_settings.conf and have it take effect if you don't want to do
anything fancy.

Almost everything "different" about the Gentoo config comes from these
two lines at the bottom of httpd.conf:

  Include /etc/apache2/modules.d/*.conf
  Include /etc/apache2/vhosts.d/*.conf

which do exactly what you'd expect.



Re: [gentoo-user] Apache server setup

2012-06-10 Thread Michael Orlitzky
On 06/10/2012 09:58 PM, Michael Orlitzky wrote:
> 
> If you want to allow overrides in an htaccess, you'll need at least,
> 
>   
> Options +SymLinksIfOwnerMatch
> AllowOverride FileInfo Options
>   
> 
> in the main config or your vhost config.
> 

Ugh. If you want to allow *rewrites* in htaccess...



Re: [gentoo-user] Apache server setup

2012-06-11 Thread Michael Orlitzky
On 06/11/12 12:54, Peter Humphrey wrote:
> OK, I've added that to 00_default_settings.conf. I'm not sure whether I 
> need rewrites though.
> 

Your htaccess had some rewrite rules, that's why I suggested it.


> The fog is beginning to clear. Thanks.
> 
> I still can't get server-side includes to work though. Modules.d/*.conf 
> don't include a suitable module. I've added "-D INCLUDE" to APACHE2_OPTS 
> in /etc/conf.d/apache2.conf but it seems not to be enough.

We have this working here.. let's see.

First of all, I see you have the mime module compiled; that's good. Is
it enabled? You should have,

  LoadModule mime_module modules/mod_mime.so

in httpd.conf.

Once the mime module is enabled, everything in
modules.d/00_mod_mime.conf will be processed (it's conditional on the
existence of the mime module).

Then, you should add or uncomment the following in 00_mod_mime.conf:

  # Filters allow you to process content before it is sent to the
  # client
  #
  # To parse .shtml files for server-side includes(SSI):
  # (You will also need to add "Includes" to the "Options"
  # directive.)
  AddType text/html .shtml
  AddOutputFilter INCLUDES .shtml

That will enable server-side includes in *.shtml files, assuming you
also add "Includes" to the relevant "Options" directive.

If you need server-side includes for other types of files, it isn't
recommended[1], but you can add additional "AddOutputFilter" directives
for each type of file you'd like SSI to work with.



[1] http://httpd.apache.org/docs/2.2/howto/ssi.html



Re: [gentoo-user] Adding a use flag: hwdb

2012-06-11 Thread Michael Orlitzky
On 06/11/2012 07:30 PM, Chris Stankevitz wrote:
> On Mon, Jun 11, 2012 at 1:26 AM, Alex Schuster  wrote:
>> I think Chris' question is more about why he has to manually activate
>> this USE flag, as it seems to be necessary anyway, in his case.
> 
> Alex,
> 
> Yes this is correct.  I see now I was far too wordy in the OP and
> thank you for your terse translation!
> 
> Typically when I solve a "gentoo system problem" by adding modifying
> package.use, I am doing something wrong.  (e.g. ruby_targets_ruby19).
> 
> I gather that the udev/hwdb/udisk case is an exception.  The "correct
> way" to solve this "gentoo system problem" is to "echo sys-fs/udev
> hwdb >> /etc/portage/package.use"

Portage doesn't know what you want to do, so it does the safe thing and
lets you decide. Either,

  a) You want USE="-hwdb", in which case emerging udisks is a mistake.

  b) You want to emerge udisks, in which case USE="-hwdb" is a mistake.

The autounmask feature allows you to make (b) the default if that's what
you want.

The ruby_targets_ruby19 thing is a good example of where you may not
want that behavior by default. Something was screwed up, people noticed
it, and the devs ultimately fixed it. The most-correct thing to do was
nothing (i.e. wait).



Re: [gentoo-user] Adding a use flag: hwdb

2012-06-11 Thread Michael Orlitzky
On 06/12/2012 12:29 AM, Chris Stankevitz wrote:
> Michael,
> 
> On Mon, Jun 11, 2012 at 7:22 PM, Michael Orlitzky  
> wrote:
>> Portage doesn't know what you want to do, so it does the safe thing and
>> lets you decide. Either,
> 
> Somewhat tongue-in-cheek:
> 
> I don't know either.  I don't want udev, udisks, hwdb or even know
> what they are.  Somebody else wants all that stuff on my system
> (gentoo profile or the gentoo handbook author) and I wish that person
> would have addressed emerge's concerns WRT use flags.
> 

I understand, but somewhere along the line, you installed something that
needs udisks, and udisks needs udev with USE="hwdb" set. If you went to
install that thing now (whatever it was), you would be faced with a
choice: enable USE="hwdb", or don't install the thing.

Maybe USE="hwdb" should be default for udev, who knows. Sometimes USE
flags are basically essential like git with USE="perl" and the devs will
make them default. Other times, the flag may do something stupid but
another package requires it anyway. In that case, you don't want the
flag on by default, and so you're still stuck with a choice.

If you *always* want it to just emerge the thing, enable the
autounmask-write feature.


> I didn't know what RUBY was or why it was on my system or who wanted
> it or whether that person wanted ruby_targets_ruby19 or RUBY_TARGETS
> or whatever.  Me "waiting" would require 1) that I knew RUBY was a
> "temporary problem" that would be fixed in the future [I assumed it
> was not... just like hwdb] and 2) that I not perform an emerge
> sync/world.

When I `emerge -puDN world` and something looks like it's going to be a
big pain in the ass, I just ignore it for a few days and `emerge -uN1`
the rest of the packages a few at a time. Often it gets fixed (or
obsoleted) before I have to deal with it.



Re: [gentoo-user] Re: Adding a use flag: hwdb

2012-06-12 Thread Michael Orlitzky
On 06/12/12 05:45, Chris Stankevitz wrote:
> On Tuesday, June 12, 2012, Neil Bothwick wrote:
> 
> you really shouldn't complain about being given choices...
> 
> 
> I apologize, it was not my intention to complain.  In the future I will
> make a decision and not complain.  Thank you to everyone for your
> assistance!

No one is forced to reply, so I say complain away =)




Re: [gentoo-user] iftop and 'ipv6' USE-flag

2012-06-13 Thread Michael Orlitzky
On 06/13/12 05:11, v...@ukr.net wrote:
>   Hello!
>   During a recent upgrade, I noticed that 'net-analyzer/iftop'  now
> needs 'net-libs/libpcap' with the 'ipv6' USE flag. It seemed strange to
> me and I decided to ask here. Does 'iftop' really need IPv6? Can't it
> be optional?

It's an upstream bug, if they consider it one. From the Gentoo ChangeLog:

  30 May 2012; Lars Wendler  iftop-1.0_pre2.ebuild:
  Non-maintainer commit: We need libpcap with ipv6 support or else iftop
  doesn't work at all.

I downloaded the latest iftop tarball and,

  1  There is no ./configure option for ipv6

  2  Compiling it against libpcap without ipv6 support works, but it
 crashes at runtime:

   $ sudo ./iftop
   ...
   set_filter_code: ip6 not supported




Re: [gentoo-user] iftop and 'ipv6' USE-flag

2012-06-13 Thread Michael Orlitzky
On 06/13/12 12:02, v...@ukr.net wrote:
> On Wed, 13 Jun 2012 10:11:45 -0400
> Michael Orlitzky  wrote:
>>
>> It's an upstream bug, if they consider it one. From the Gentoo
>> ChangeLog:
>> ...
>>
>   Hm... That's bad.
> 

Agreed. I reported it upstream and opened a bug:

  https://bugs.gentoo.org/show_bug.cgi?id=421003



Re: [gentoo-user] the xen-source on gentoo

2012-06-16 Thread Michael Orlitzky
On 06/16/12 21:35, 赵佳晖 wrote:
> I want to install the xen on gentoo. But I find the xen-source
> version is 2.6.38. So I don't want to use it. Can I use my
> gentoo-source 3.2.12 with a patch?
> 


"Linux 3.0 (and later) can run as guest (domU) and as host (dom0). All
necessary backends (and frontends) are in the upstream kernel." [1]


[1] http://wiki.xensource.com/xenwiki/XenParavirtOps



Re: [gentoo-user] [OT] Anybody really understand the gnu autotools?

2012-06-19 Thread Michael Orlitzky
On 06/19/2012 04:40 PM, walt wrote:
> I'm trying to build an xfce4 applet that's not in portage. For
> reasons I don't understand there are some standard gnome headers
> that don't get pulled in during the configure process, like orbit,
> libbonobo and libbonoboui.
> 
> I edited the autoconf.in to check for those standard libraries,
> and it did partly work.  The generated makefiles now have correct
> entries like LIBBONOBO_CFLAGS.
> 
> The problem is that those flags are never used during the compile
> phase. So, anyone know how make that extra step happen?

(no, nobody really understands autotools)

Is the applet publicly-available? If the build system isn't broken, it
should all just work.

If you cloned a git repository, you probably need to run autogen.sh
first (and have xfce4-dev-tools installed). Otherwise, just ./configure
&& make should do it.

Got a link? If it works with 4.10, I can just make an ebuild for it.



Re: [gentoo-user] Re: [OT] Anybody really understand the gnu autotools?

2012-06-19 Thread Michael Orlitzky
On 06/19/2012 06:38 PM, walt wrote:
>>
>> Got a link? If it works with 4.10, I can just make an ebuild for it.
> 
> Thanks to you and Ezequiel for the quick replies :)
> 
> git://git.xfce.org/panel-plugins/xfce4-xfapplet-plugin
> 

Well, I basically recreated this:

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/xfce-extra/xfce4-xfapplet-plugin/xfce4-xfapplet-plugin-0.1.0.ebuild?revision=1.10

and went to open a bug for it.

The good news is, I wound up with basically the same ebuild: I only had
an additional dependency on libxfce4util.

The bad news is, it probably isn't going to work for much longer --
that's why it got removed. It does compile on my machine though.



Re: [gentoo-user] Re: [OT] Anybody really understand the gnu autotools?

2012-06-20 Thread Michael Orlitzky
On 06/19/12 21:03, walt wrote:
> 
> Thanks.  Is your bug report with gentoo or xfce.org?
> 
> I notice that the git repo has commits as recently as last month.
> Maybe some heroic xfce dev will update the package to gnome3 for
> me :)
> 

I didn't open one; I searched for closed 'xfapplet' bugs and realized
there was already an ebuild in the tree but it was removed.

It doesn't look like there's anything new to release:

  http://git.xfce.org/panel-plugins/xfce4-xfapplet-plugin/log/

All of the commits in the last few years have been translations and
permission bit twiddling.

There is an XFCE bug open for it:

  https://bugzilla.xfce.org/show_bug.cgi?id=7963

but I wouldn't get my hopes up if I were you. It sounds like the way
Gnome 3 does things is incompatible with the panel applet concept. Of
course, you can always keep your own copy of gnome-panel-2.x and its
applets around. But it might be better to file a feature request to
implement whichever panel applet you want for XFCE.



Re: [gentoo-user] Apache server setup

2012-06-24 Thread Michael Orlitzky
On 06/24/2012 01:47 PM, Peter Humphrey wrote:
> # Added by PRH:
> AddType text/html .shtml
> AddOutputFilter INCLUDES .shtml
> 
> Options +SymLinksIfOwnerMatch +Includes +IncludesNoExec
> 
> 
> ...
> 
> That is indeed my working guide. Many thanks for your help so far.

No problem. This is the error you need to fix:

> [Sun Jun 24 18:38:29 2012] [warn] [client 192.168.2.6] mod_include: 
> Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed

I see above that you've already tried to set "Options +Includes" on the
directory, but for some reason it isn't working. You'll have to look for
it, but I can make an educated guess.

When including the various conf files, apache does them in alphabetical
(or numerical, in this case) order. The modules.d directory will be
included first, and then vhosts.d directory because that's the order
specified in httpd.conf:

  Include /etc/apache2/modules.d/*.conf
  ...
  Include /etc/apache2/vhosts.d/*.conf

The alphabetical/numerical order is (probably) just whatever order the
shell glob returns.

When you specify "Options +Foo" for a directory, you're saying, "take
whatever the current options are for this directory, and add Foo to
those." My guess: you specify some options for,

  /var/www/localhost/htdocs

in,

  /etc/apache2/modules.d/00_default_settings.conf

and then later, specify *different* options for the same directory. The
latter ones take precedence, or wipe out the old ones completely if you
didn't use plus/minus signs.

Either modify the other,

  

entry to use plus/minus signs, or just add the "Options Includes" there.



Re: [gentoo-user] Apache server setup

2012-06-26 Thread Michael Orlitzky
On 06/25/2012 07:36 PM, Peter Humphrey wrote:
> 
> Good guess, but no cigar :-)
> 
> I think (hope) I've found it:
> http://en.gentoo-wiki.com/wiki/Apache2/Virtual_Hosts
> makes it clear that a subdomain's definition must /precede/ the domain's 
> definition. I was doing it the other way around, it seeming obviously 
> logical to me: define the whole first, then refine the parts. I didn't even 
> consider the alternative. On the other hand this is vhost definition; is 
> the reasoning the same?

It is extraordinarily late here, but I don't think that remedy #2 makes
sense.

When you make a request to apache, you connect to an IP address (and
port), and send a hostname; for example, "www.example.com". If any of
the virtual hosts on that IP address (and port) answer to that hostname
via "ServerName www.example.com" or "ServerAlias www.example.com", then
that's the website you'll get. Otherwise, you get the default vhost on
that IP/port. This will be whatever vhost was defined first on that
IP/port (see unexpected result #1, but it works on IP/port combinations,
not the entire machine).

The fact that one hostname may be a subdomain of another should be
irrelevant, but ask me again in the morning... In any case, your current
configuration has to be pretty close to working -- you just need to
figure out why "Options Includes" isn't kicking in.




Re: [gentoo-user] Apache server setup

2012-06-26 Thread Michael Orlitzky
On 06/26/12 10:42, Peter Humphrey wrote:
> 
> One decision that will have consequences is where in /var/www to put 
> mysite. Should it be in /var/www/mysite/htdocs, in 
> /var/www/localhost/mysite or in /var/www/localhost/htdocs/mysite? What 
> I've read so far suggests that it doesn't matter, but I'm damn sure if I 
> put it in the wrong place I'll suffer for it. And what ownership should 
> mysite's files have? My user is in the apache group on the server.
> 
> Many thanks for your help.
> 

We're using e.g. /var/www/com/example/www -- basically the website's
hostname in reverse, stored under /var/www.

With lots of sites it's nice to split them up like that. With fewer,
it's probably cleaner to use /var/www/$hostname. It's unimportant; you
can always move the directory and change the path in the conf files.
Apache can do a graceful reload quickly even with hundreds of sites.

I will second the mpm-itk suggestion if you're looking to go all-out.
It's a good compromise between running everything as 'apache' (unsafe)
and giving each website its own apache process (resource-intensive).

In any case, once you know what user apache is running as (either
'apache' with mpm-prefork, or whatever else), it needs:

  * Execute access on all directories up to and including the document
root

  * Read access on any files it's going to serve.

  * For PHP, write access to the temp/session directories and read
access to anything you installed in /usr/share/php

  * For (fast)cgi, execute permissions on the scripts you want to run.
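
Added example, not part of the original messages: a mode-bit walk for the two permission questions in this archive, the failing `su postgres -c "test -r ..."` in the Postgres thread and the list above of what the Apache user needs. It reports the first path component that blocks a user; the function names are hypothetical, and it assumes GNU stat and looks only at owner/group/other bits (no ACLs, no root override, no SELinux).

```shell
# Added example, not from the thread. Classic mode bits only.

# class_digit UID "GIDS" PATH
# Print the octal digit (0-7) of the permission class that applies to the
# numeric uid and gid list on PATH: owner, else group, else other.
class_digit() {
    pc_uid=$1
    pc_gids=$2
    pc_stat=$(stat -L -c '%u %g %a' "$3") || return 2
    set -- $pc_stat                      # $1 owner uid, $2 group gid, $3 mode
    pc_mode=$(printf '%03d' "$3")        # "0" -> "000", "44" -> "044"
    pc_mode=${pc_mode#"${pc_mode%???}"}  # drop a setuid/setgid/sticky digit
    if [ "$pc_uid" = "$1" ]; then
        echo "${pc_mode%??}"             # owner class wins, even if stricter
        return 0
    fi
    for pc_g in $pc_gids; do
        if [ "$pc_g" = "$2" ]; then
            pc_mid=${pc_mode#?}
            echo "${pc_mid%?}"
            return 0
        fi
    done
    echo "${pc_mode#??}"
}

# first_blocker UID "GIDS" /absolute/path
# Walk from / down to the target. Print the first component that denies
# search (x) on a directory or read (r) on the final file and return 1;
# print nothing and return 0 when the mode bits allow access.
first_blocker() {
    fb_uid=$1
    fb_gids=$2
    case $3 in
        /*) ;;
        *)  echo "need an absolute path" >&2; return 2 ;;
    esac
    fb_cur=/
    fb_rest=${3#/}
    while :; do
        fb_digit=$(class_digit "$fb_uid" "$fb_gids" "$fb_cur") || return 2
        fb_need=1                        # search bit on directories
        if [ -z "$fb_rest" ] && [ ! -d "$fb_cur" ]; then
            fb_need=4                    # read bit on the final file
        fi
        if [ $(( fb_digit & fb_need )) -eq 0 ]; then
            echo "$fb_cur"
            return 1
        fi
        [ -n "$fb_rest" ] || return 0
        fb_name=${fb_rest%%/*}
        case $fb_rest in
            */*) fb_rest=${fb_rest#*/} ;;
            *)   fb_rest= ;;
        esac
        fb_cur=${fb_cur%/}/$fb_name
    done
}

# check_user USER /absolute/path: resolve USER's ids, then run the walk.
# e.g. check_user postgres /etc/postgresql-9.1/pg_hba.conf
#      check_user apache /var/www/localhost/htdocs
check_user() {
    cu_uid=$(id -u "$1") && cu_gids=$(id -G "$1") || return 2
    first_blocker "$cu_uid" "$cu_gids" "$2"
}
```

An empty result here while the real `test -r` still fails points at something outside the mode bits, such as the account being unable to run commands at all.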



Re: [gentoo-user] Grub2 and is the upgrade a tooth puller.

2012-06-29 Thread Michael Orlitzky
On 06/29/12 10:57, Mike Gilbert wrote:
>>
>> No, handbook only discusses grub (not grub2) and lilo.
>>
>> Which is sad; I'd love to use stuff like grub2 and {ext,sys}linux.
>> It'd be sweet to make things more easily convertible to netboot or
>> cdrom-boot scenarios.
> 
> We will add some instructions to the handbook when grub:2 is
> stabilized. The docs team doesn't want to do it before then.
> 

This makes sense, because people only do stable installs.



Re: [gentoo-user] PDF: convert to grayscale

2011-02-11 Thread Michael Orlitzky
On 02/08/11 08:50, Nuno J. Silva wrote:
> Does anyone know a tool (other than ghostscript) that is able to convert
> a PDF (or postscript) to grayscale?

A laserjet? =)



Re: [gentoo-user] mdadm --monitor & email

2011-02-13 Thread Michael Orlitzky
On 02/13/2011 11:04 AM, Mark Knecht wrote:
> Hi,
>I'm curious about setting up my compute server to monitor RAID
> array status and have it email me information at my GMail account.
> Does anyone have info on setting this up on Gentoo? In general I'm
> following:
> 
> http://en.gentoo-wiki.com/wiki/RAID/Software
> 
> but it seems there are a few holes in my understanding.
> 
> 1) In the /etc/mdadm.conf file I see the following:
> 
> #
> # When used in --follow (aka --monitor) mode, mdadm needs a
> # mail address and/or a program.  This can be given with "mailaddr"
> # and "program" lines to that monitoring can be started using
> #mdadm --follow --scan & echo $! > /var/run/mdadm
> # If the lines are not found, mdadm will exit quietly
> #MAILADDR r...@mydomain.tld
> #PROGRAM /usr/sbin/handle-mdadm-events
> 
> - Easy enough to change my email address, but how does it get mailed?
> Is this what ssmtp is for? ssmtp is installed as a dependency of sudo,
> but I don't use it explicitly. Do I have to have a real domain in my
> name to get GMail to accept this?

mdadm will use the sendmail command on your system. If you have ssmtp
installed, that's probably where your sendmail came from (I think all
providers of /usr/(s)bin/sendmail are mutually exclusive).

ssmtp usually needs some place to send the message; you can configure it
with the credentials of either your gmail or ISP account. It will
probably still send from root@localhost or whatever, but if you
authenticate with a username/password your ISP or gmail should accept it
just fine.


> - Currently I have no program called
> /usr/sbin/handle-mdadm-events. Is this just a placeholder for whatever
> program I choose as a mailer, or is this intended as some program that
> takes real action in case of a problem?

Placeholder, just an example of what you would put after the PROGRAM
directive.


> 2) I'm making the assumption that running rc-update add mdadm boot, as
> shown in the link above, is the way to get this started once
> configured properly?

The RAID will start automatically, mdadm just monitors it. So either
boot or default is fine.


> 3) I note that the test command listed in the link above doesn't work:
> 
> c2stable ~ # mdadm -Fslt
> mdadm: option -l not valid in monitor mode
> c2stable ~ #
> 
> 4) Assuming I do get this working, while testing can I have the
> program email me every 60 minutes whether things are good or bad, just
> to test that it's actually working and getting results?

I don't think you can get it to mail you when it's happy, but you can
simulate a failure:

  http://tldp.org/HOWTO/Software-RAID-HOWTO-6.html#ss6.3




Re: [gentoo-user] mdadm --monitor & email

2011-02-13 Thread Michael Orlitzky
On 02/13/2011 01:37 PM, Mark Knecht wrote:
> 
> I'll read through the links you posted to look at creating a test
> case. From the page you posted above I'm trying this at the command
> line:
> 
> mdadm --monitor --mail=markkne...@gmail.com --delay=1800 /dev/md126
> 
> but I assume you think it won't do anything unless there's a problem
> found. Do those options properly belong in /etc/conf.d/mdadm.conf as
> the file itself seems to indicate?

I usually only define the MAILADDR in mdadm.conf. Everything else is
automagic. If you really need to mess with the delay, though, it would
go in /etc/conf.d/mdadm (you probably don't):

  --delay
 Give a delay in seconds.  mdadm polls the md arrays and then waits
 this many seconds before polling again. The  default  is  60
 seconds. Since 2.6.16, there is no need to reduce this as the
 kernel alerts mdadm immediately when there is any change.


> mark@c2stable ~ $ cat /etc/conf.d/mdadm
> # /etc/conf.d/mdadm: config file for /etc/init.d/mdadm
> 
> # Misc options to pass to mdadm in monitor mode.
> # For more info, run `mdadm --monitor --help` or see
> # the mdadm(8) manpage.
> 
> MDADM_OPTS="--syslog"
> mark@c2stable ~ $
> 
> Also, I have many RAIDs. Do they all get appended to the same monitor
> command, or when started as a daemon does mdadm --monitor actually
> monitor all RAIDs? (If you know...)

If you run mdadm yourself, I think you need to either specify --scan or
enumerate the md devices yourself. The gentoo init script passes --scan
for you, though, so mdadm will figure out what md devices you have all
by itself.



Re: [gentoo-user] mdadm --monitor & email

2011-02-13 Thread Michael Orlitzky
On 02/13/2011 01:45 PM, Mark Knecht wrote:
> 
> I think I'm there except maybe for kicking off some sort of regular
> tests of the arrays vs waiting for things to fail.

Any mdadm test is going to pass up until the point that it doesn't,
which is when you'd get the alert email anyway =)

If you want advance notice of disk problems, smartmontools is probably
your best bet.



Re: [gentoo-user] Ebuild hacking howto

2011-02-25 Thread Michael Orlitzky
On 02/25/2011 08:13 AM, James wrote:
> Hello,
> 
> Is the link below the best "howto" guide as to using
> an existing ebuild to hack a new ebuild? JFFNMS has
> been languishing despite repeated requests for a version
> bump; so I'm taking the plunge and going to update it
> on one of my systems.
> 
> http://en.gentoo-wiki.com/wiki/Creating_an_Updated_Ebuild
> 
> 
> Also, I found this guide:
> 
> http://devmanual.gentoo.org/
> and 
> man 5 ebuild
> 
> 
> Any other documents I should reference before
> attempting to update an ebuild on my own
> personal overlay dir?
> 
> Comments and ideas are most welcome
> 

This has some good information:

  http://overlays.gentoo.org/proj/sunrise/wiki/CodingStandards

and like it says at the bottom, many projects will have their own
development documentation.

Aside from that, help is always (well, when the devs are awake)
available on IRC:

  #gentoo-dev-help (what it says)
  #gentoo-sunrise (most people here are writing/reviewing ebuilds)



Re: [gentoo-user] How can I move running proces to background & out of screen?

2011-03-01 Thread Michael Orlitzky
On 03/01/11 13:56, Jarry wrote:
> Hi,
> is there any way to move running (already started) process
> to background, and disconnect it from screen/terminal
> so that I could log off (without terminating the process)?
> 
> Sometimes I start updating my server, but it keeps running
> for long time, and I would like to log out but I can not.
> 
> I know, I could have started it with:
> nohup emerge -uv gcc &
> 
> But I forgot to do it that way, and now I'm sitting, watching
> messages scrolling in my shell. So is there any way to do
> this nohup-trick on running process?
> 
> Jarry

See,


http://blog.nelhage.com/2011/01/reptyr-attach-a-running-process-to-a-new-terminal/

Combine with GNU Screen to achieve what you want.

(I'll do an ebuild for reptyr in the next week or so if nobody beats me
to it.)



Re: [gentoo-user] How can I move running proces to background & out of screen?

2011-03-01 Thread Michael Orlitzky
On 03/01/11 16:07, Neil Bothwick wrote:
> On Tue, 01 Mar 2011 14:12:31 -0500, Michael Orlitzky wrote:
> 
>> (I'll do an ebuild for reptyr in the next week or so if nobody beats me
>> to it.)
> 
> It looks like somebody already has :)
> 
> % eix reptyr
> * app-misc/reptyr [1]
>  Available versions:  (~)
>  Description: Reparent a running program to a new terminal
> 
> [1] "foo-overlay" layman/foo-overlay
> 
> 

(Does anyone commit to portage any more?)

I didn't realize there was no release tagged. I'll ask the author if he
would tag a version epsilon>0 so that it's easier to keyword.



Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-15 Thread Michael Orlitzky
On 03/15/2011 02:05 PM, Grant wrote:
> A dev is asking me to switch to a hardened profile in order to test a
> fix.  I'm happy to go through the process, but is there a chance my
> laptop could be unusable after the switch?  If that happens I'll be in
> real trouble.  Will I be able to switch back to a non-hardened profile
> afterward?  I plan to follow this guide:
> 
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
> 
> BTW, are emerge -e world and emerge -e system both necessary?  I
> thought emerge -e world would rebuild everything.

Switching to hardened is safe. The switch back should be, too, although
I haven't personally tried it. (Why would you switch back?)

You emerge system first, and then world so that your world is built by a
hardened toolchain. When you compile gcc/glibc with USE=hardened, it
gives them super powers.



Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-15 Thread Michael Orlitzky
On 03/15/2011 03:20 PM, Grant wrote:
>>> A dev is asking me to switch to a hardened profile in order to test a
>>> fix.  I'm happy to go through the process, but is there a chance my
>>> laptop could be unusable after the switch?  If that happens I'll be in
>>> real trouble.  Will I be able to switch back to a non-hardened profile
>>> afterward?  I plan to follow this guide:
>>>
>>> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
>>>
>>> BTW, are emerge -e world and emerge -e system both necessary?  I
>>> thought emerge -e world would rebuild everything.
>>
>> Switching to hardened is safe. The switch back should be, too, although
>> I haven't personally tried it. (Why would you switch back?)
> 
> I originally had my laptop on a hardened profile (I think it was a
> couple laptops back) but there were so many problems I eventually gave
> up.  I remember doing a lot of system reinstalling as I switched
> profiles around.  I don't have time to reinstall my system right now
> so I'm trying to be sure I can switch to hardened (and from hardened
> if necessary) without reinstalling.

If you don't run a hardened kernel, "sudo gcc-config 5" (assuming 5 is
the vanilla gcc on your machine...) will switch you back to the vanilla
gcc. No need to switch profiles or recompile anything.


>> You emerge system first, and then world so that your world is built by a
>> hardened toolchain. When you compile gcc/glibc with USE=hardened, it
>> gives them super powers.
> 
> Would 'emerge gcc glibc && emerge -e world' have the same effect?

There are a couple of other packages you're supposed to re-emerge along
with gcc and glibc. Binutils was one, but I don't remember the whole
list. Just suck it up and spend the extra hour to re-emerge system; that
way, you're sure you haven't missed anything.



Re: [gentoo-user] Switching to a hardened profile and back again

2011-03-15 Thread Michael Orlitzky
On 03/15/2011 04:28 PM, Grant wrote:
>>>>> A dev is asking me to switch to a hardened profile in order to test a
>>>>> fix.  I'm happy to go through the process, but is there a chance my
>>>>> laptop could be unusable after the switch?  If that happens I'll be in
>>>>> real trouble.  Will I be able to switch back to a non-hardened profile
>>>>> afterward?  I plan to follow this guide:
>>>>>
>>>>> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile
>>>>>
>>>>> BTW, are emerge -e world and emerge -e system both necessary?  I
>>>>> thought emerge -e world would rebuild everything.
>>>>
>>>> Switching to hardened is safe. The switch back should be, too, although
>>>> I haven't personally tried it. (Why would you switch back?)
>>>
>>> I originally had my laptop on a hardened profile (I think it was a
>>> couple laptops back) but there were so many problems I eventually gave
>>> up.  I remember doing a lot of system reinstalling as I switched
>>> profiles around.  I don't have time to reinstall my system right now
>>> so I'm trying to be sure I can switch to hardened (and from hardened
>>> if necessary) without reinstalling.
>>
>> If you don't run a hardened kernel, "sudo gcc-config 5" (assuming 5 is
>> the vanilla gcc on your machine...) will switch you back to the vanilla
>> gcc. No need to switch profiles or recompile anything.
> 
> I do run a hardened kernel, but you're saying if I switch to gcc-5 I
> should be able to test for a crash that was previously exhibited under
> a hardened profile?
> 

I think (completely unscientifically) that most of the day-to-day
problems are caused by the hardening features in the kernel rather than
by GCC's hardening features.

When you compile a hardened GCC, you also get the vanilla, unhardened
GCC installed. So if you see e.g. a compile failure using hardened GCC,
you can just switch to the vanilla GCC to see if that fixes it. On my
machine,

  $ sudo gcc-config -l
   [1] x86_64-pc-linux-gnu-4.4.5 *
   [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
   [3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
   [4] x86_64-pc-linux-gnu-4.4.5-hardenednossp
   [5] x86_64-pc-linux-gnu-4.4.5-vanilla

it's the fifth option.

Summary: if you have problems on hardened, you can always switch to
vanilla GCC and reboot to a non-hardened kernel. You don't have to
recompile anything or switch profiles again.



Re: [gentoo-user] Re: qemu-kvm black screen and infinite loop on startup

2011-04-06 Thread Michael Orlitzky
On 04/06/2011 07:45 AM, Kfir Lavi wrote:
> 
> When I run qemu -no-kvm things work as expected under hardened kernel.
> Using regular kernel (non-hardened) qemu works ok.
> So, the problem is running qemu under hardened kernel.
> 
> If someone has some input, I'll be happy to hear it.
> 

I am a long-time user of qemu/kvm under hardened. It works off and on.

I don't have any scientific advice for you, only this: if you ever find
a combination of kernel/qemu that works, *don't change anything*.



[gentoo-user] Gentoo/FBSD

2011-04-11 Thread Michael Orlitzky
Has anyone successfully set up a Gentoo/FBSD system in the
somewhat-recent past? I'd like to do some testing, but all of the
install docs are out of date.

I'd appreciate a thirty-second overview of how you did it.



Re: [gentoo-user] [OT] PHP memory problem

2011-04-13 Thread Michael Orlitzky
On 04/13/2011 02:42 PM, Dan Johansson wrote:
> I know this is Off-topic but I also know there are a lot of smart people 
> "lurking" on this list.
> 
> I have a PHP-script that does not run from a web-server but directly in a 
> shell. When I run it I get the following error:
> 
> # ./dj.php
> PHP Fatal error:  Allowed memory size of 100663296 bytes exhausted (tried to 
> allocate 104 bytes) in /usr/local/scripts/includes/dj.inc on line 79
> Allowed memory size of 100663296 bytes exhausted (tried to allocate 24 bytes)
> 
> My script starts with:
> #!/usr/bin/php
> <?php
> ini_set('memory_limit', '4192M');
> 
> include "dj.inc";
> 
> And in php.ini I have:
> memory_limit = 1G  ; Maximum amount of memory a script may consume
> 
> Why does PHP not honor my memory limits?
> I have set 1GB in php.ini and 4192MB (I know that is more than 1GB) and the 
> script fails at 100663296 bytes (~ 96MB). I have also tried with other memory 
> settings but I always end up with the failure at ~96MB. The host has 
> enough RAM (32GB) to support the script.
> 
> Any suggestions on how to solve the issue (short of rewriting the script in C 
> or C++)?

The use of 'G' as a unit was only "recently" added, in PHP 5.1.0. Try
using 'M' instead, and multiplying by 1024.

I would also suggest using a number under 4 gigabytes, as you risk
overflowing a 32-bit integer. Does '3072M' work?
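
The overflow suspected above can be checked against the byte count in the error message. This is an added example, not code from the thread; it assumes the configured limit ends up in a 32-bit integer that keeps only the low 32 bits, and the function names are made up for illustration.

```python
import re

# Multipliers for the K/M/G shorthand used in php.ini size values.
UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}
MASK32 = 0xFFFFFFFF


def shorthand_to_bytes(value):
    """Expand a size such as '4192M' to its exact byte count."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]?)\s*", value, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]


def explain(value):
    """Compare the requested limit with what survives in 32 bits.

    Assumption: truncation keeps the low 32 bits, read as unsigned.
    """
    requested = shorthand_to_bytes(value)
    effective = requested & MASK32
    return {"requested": requested,
            "effective": effective,
            "wrapped": effective != requested}


def largest_unwrapped(unit):
    """Largest count of `unit` that still fits in 32 bits."""
    return MASK32 // UNITS[unit.upper()]


if __name__ == "__main__":
    for setting in ("4192M", "3072M"):
        print(setting, explain(setting))
    print("largest M value that does not wrap:", largest_unwrapped("M"))
```

Under that assumption, '4192M' wraps to exactly the 100663296 bytes reported in the fatal error, while '3072M' is stored unchanged.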



Re: [gentoo-user] Gentoo/FBSD

2011-04-14 Thread Michael Orlitzky
On 04/14/2011 10:38 AM, Fredrik Andersson wrote:
> Is the Handbook outdated? I don't know if I have ever seen it be out of
> date..
> 
> http://www.gentoo.org/doc/en/handbook/
> 

The handbook is fine, but doesn't cover the FreeBSD install. I was
almost able to do it by finding a FreeBSD 8.x live CD and pulling down an
8.x stage 3 tarball, but too much of @system is broken for me to do
anything after the chroot.

Can't install boot0 because Perl is broken, so I try grub. But first, I
have to fix xz-utils so that I can unpack it. But first, I have to fix
binutils because ld crashes building a new xz-utils. But first, I have
to fix GCC because it can't build binutils. But first, I have to fix
glibc so that GCC works. But firFORGET IT I'M GOING OUTSIDE.



Re: [gentoo-user] [OT] PHP memory problem

2011-04-15 Thread Michael Orlitzky
On 04/15/2011 11:26 AM, Dan Johansson wrote:
> On Thursday 14 April 2011 03.12:34 Michael Orlitzky wrote:
>> On 04/13/2011 02:42 PM, Dan Johansson wrote:
>>> I know this is Off-topic but I also know there are a lot of smart people
>>> "lurking" on this list.
>>>
>>> I have a PHP-script that does not run from a web-server but directly in a
>>> shell. When I run it I get the following error:
>>>
>>> # ./dj.php
>>> PHP Fatal error:  Allowed memory size of 100663296 bytes exhausted (tried
>>> to allocate 104 bytes) in /usr/local/scripts/includes/dj.inc on line 79
>>> Allowed memory size of 100663296 bytes exhausted (tried to allocate 24
>>> bytes)
>>>
>>> My script starts with:
>>> #!/usr/bin/php
>>> <?php
>>> ini_set('memory_limit', '4192M');
>>>
>>> include "dj.inc";
>>>
>>> And in php.ini I have:
>>> memory_limit = 1G  ; Maximum amount of memory a script may consume
>>>
>>> Why does PHP not honor my memory limits?
>>> I have set 1GB in php.ini and 4192MB (I know that is more than 1GB) and
>>> the script fails at 100663296 bytes (~ 96MB). I have also tried with
>>> other memory settings but I always end up with the failure at
>>> ~96MB. The host has enough RAM (32GB) to support the script.
>>>
>>> Any suggestions on how to solve the issue (short of rewriting the script
>>> in C or C++)?
>>
>> The use of 'G' as a unit was only "recently" added, in PHP 5.1.0. Try
>> using 'M' instead, and multiplying by 1024.
>>
>> I would also suggest using a number under 4 gigabytes, as you risk
>> overflowing a 32-bit integer. Does '3072M' work?
> 
> Thanks, that was it. Changing 4G to 4192M in php.ini did solve the issue.
> 
> Regards,

Life lesson: if you ever have a PHP problem and think, "there's no way
that's the problem, nobody is that retarded." That's probably the problem =)



Re: [gentoo-user] Auto-Rebuild md RAID Arrays?

2011-04-19 Thread Michael Orlitzky
On 04/19/11 17:05, Andrew Wilkinson wrote:
> Hello All,
> 
> I am in the research phase of building a Gentoo-based backup/NAS target
> using md software RAID or (maybe) btrfs or zfs.  One thing that I am not
> finding much info about is any facility for automatically rebuilding an
> array when a new, matching drive is inserted.  At this stage, the plan
> is to use four identical drives in a RAID10-style setup.
> 
> Is anyone here aware of the right way to configure this?

mdadm expects you to know the drive name (e.g. /dev/sdX) of the drive
you'd like to operate on. If you are real confident,

a) in your scripting abilities
b) that the new drive will have the same name as the replaced drive

then you could write a script that removes all failed drives on startup
(there's an mdadm --manage command that does that) and adds the new ones
in their place.

I probably wouldn't risk it unless you're going to mail the box to
Alaska and it would be a great inconvenience to do manually. If someone
accidentally switches two SATA cables your script could wind up doing
some damage.

Btrfs and ZFS I can't speak to.



Re: [gentoo-user] You have no world file

2011-04-20 Thread Michael Orlitzky
On 04/20/2011 11:35 AM, Dan Cowsill wrote:
> Hi list,
> 
> I've been having a strange issue every so often.  I'll do a world update
> (emerge -uDNav, etc) and that will proceed nicely, installing new
> packages and suchlike.  I'll then do a little bit of the old emerge -pcv
> to check for dangling packages and I will get the following:
> 
> !!! You have no world file.
> !!! Proceeding is likely to break your installation.
> 
> Portage will then politely inform me that it needs to remove 190
> packages and I thank FSM I added -p.
> 
> So!  Googling that little tidbit produced nothing meaningful.  What's
> the story?  Gremlins?
> 

Basically. Do you have a world file (/var/lib/portage/world)? If not,
why not? Is /var or one of its subdirectories mounted separately? Hard
drive going bad? Do you see gremlins anywhere?

Permissions on /var/lib/portage should be drwxrws--- root:portage

/var/lib/portage/world should be -rw-r--r-- root:portage



Re: [gentoo-user] You have no world file

2011-04-20 Thread Michael Orlitzky
On 04/20/2011 12:15 PM, Dan Cowsill wrote:
> On Wed, Apr 20, 2011 at 8:55 AM, Michael Orlitzky <mich...@orlitzky.com> wrote:
> 
>> On 04/20/2011 11:35 AM, Dan Cowsill wrote:
>>> Hi list,
>>>
>>> I've been having a strange issue every so often.  I'll do a world update
>>> (emerge -uDNav, etc) and that will proceed nicely, installing new
>>> packages and suchlike.  I'll then do a little bit of the old emerge -pcv
>>> to check for dangling packages and I will get the following:
>>>
>>> !!! You have no world file.
>>> !!! Proceeding is likely to break your installation.
>>>
>>> Portage will then politely inform me that it needs to remove 190
>>> packages and I thank FSM I added -p.
>>>
>>> So!  Googling that little tidbit produced nothing meaningful.  What's
>>> the story?  Gremlins?
>>>
>>
>> Basically. Do you have a world file (/var/lib/portage/world)? If not,
>> why not? Is /var or one of its subdirectories mounted separately? Hard
>> drive going bad? Do you see gremlins anywhere?
>>
>> Permissions on /var/lib/portage should be drwxrws--- root:portage
>>
>> /var/lib/portage/world should be -rw-r--r-- root:portage
>
> 
> File's there, permissions are correctly set, the filesystem isn't
> mounted separately and according to smartctl, the hard drive is doing
> quite well.  I'm at a loss!

You can try introducing trolls to fight the gremlins. If the smell gets
too strong, orcs will keep the trolls in check. Gold starts
disappearing? Dragons should do the trick. When you run out of
princesses... try memtest.



Re: [gentoo-user] You have no world file

2011-04-26 Thread Michael Orlitzky
On 04/26/11 10:31, Dan Cowsill wrote:
> 
> Why I love this list in one thread.
> 
> Anyway, just an update on the situation.  As far as I can tell, this
> 'you have no world file' error only shows up when I'm doing a
> --depclean.  Also, it is intermittent.  Right now, -pcv works just fine
> and reports the correct number of packages to be removed (zero).  I'm
> not sure what breaks this, or if it will be broken in the future.
> 
> At this point, I'm not terribly worried about the whole thing, but I am
> rather curious.
> 

Well, the "You have no world" message only shows up in one place.

/usr/lib/portage/pym/_emerge/actions.py:

  psets = root_config.setconfig.psets
  ...
  selected_set = psets['selected']
  ...
  if not selected_set:
      writemsg_level("!!! You have no world file.\n",
                     level=logging.WARNING, noiselevel=-1)


The 'psets' variable gets set in /usr/lib/portage/pym/_emerge/main.py:

  setconfig.psets['selected'] = WorldSelectedSet(root_config.settings['EROOT'])

and that WorldSelectedSet class is defined in,

  /usr/lib/portage/pym/portage/_sets/files.py


If you *really* want to know what's going on, you could throw some debug
statements in main.py whenever the 'psets' variable gets set. That way
you can at least see which file it's looking for.

I'm not a doctor but it's probably perfectly safe.



Re: [gentoo-user] [OT] Script to crack gpg passphrase

2011-04-28 Thread Michael Orlitzky
On 04/28/2011 10:04 AM, Mick wrote:
> This finds the passphrase and prints it out on the terminal.  However, its
> success depends on the dictionary file I use.  Also, it's not particularly
> fast ...
> 
> Any idea how I can create a dictionary file?  I've used apg but it's 
> too random.  :-)
> 
> I have been given something like 6 passphrases that may have been used.  The
> problem is that at the time of creation the passphrase was typed in
> incorrectly (twice!)  So I would need to use some method of generating a
> dictionary with potential typos of these known passphrases (pretty much how
> the rephrase application works).  What is a good way to generate such a file
> by inputting a range of candidate characters?
> 
> Finally, is there a way of parallelising the run so that it speeds up?
> 

If you know the actual passphrase is "close" to some known passphrase,
read up on the concept of Levenshtein distance:

  http://en.wikipedia.org/wiki/Levenshtein_distance

If you can define a function that computes all passwords of Levenshtein
distance 1 from a given password, then you can run that function twice
to get the password of distance 2,3... Three or four is probably a good
place to stop.

Then you can take those six known passwords, and compute all words of
distance 1,2,3 from all of them. Stick those in a list, and try them.



Re: [gentoo-user] rdate stopped working, and I just upgraded to baselayout 2

2011-05-11 Thread Michael Orlitzky
On 05/11/2011 08:09 PM, Walter Dnes wrote:
> On Wed, May 11, 2011 at 10:49:44PM +0100, Mick wrote
> 
>> I recall that not all ntp servers respond to rdate - perhaps the
>> server(s) you tried have changed their configuration?
> 
>   Finally found one... nist1-ny.ustiming.org
> 
>   I'm in Toronto Canada, and New York City is about as close as it gets
> to me.  Your message implies that there is some other program to get
> time from a server.  Is it ntpd?
> 

Most people (made-up statistic) use NTP. There are a couple of different
implementations available; I personally think openntpd is the easiest to
configure if you don't have chronic (pun extremely intended) time issues.




Re: [gentoo-user] site:www.gentoo.org (compile phase)...die "econf failed"

2011-05-15 Thread Michael Orlitzky
On 05/15/2011 06:29 PM, Felix Miata wrote:
> http://fm.no-ip.com/Tmp/Linux/G/ has system info, bash_history, and logs from 
> my 7th attempt to install from the beginning, using 
> http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?full=1 as the battle 
> plan.
> 
> Among the 8 attempts, once I used the 0514 portage, twice I used the 0507 
> portage, and the rest I used the 0511 portage. I'm surprised I ever got a 
> kernel, networking, and mc working on the first try, because I've been unable 
> to get anything except kernel sources to emerge since the first attempt. 
> Every other emerge attempt has generated either "ERROR:...(compile phase)..." 
> or "ERROR:...(configure phase)...", plus 'die "econf failed"'.
> 
> At this point I have to believe there's a Gentoo bug(s) I'm hitting rather 
> than mistakes following instructions. I've put in most of the past 5 days 
> trying, and have to quit real soon unless I get a whole lot better help. I'm 
> sure I've used up my quota of better efficiency just trying to get started, 
> and need to get back to normal life soon.

Purge ccache entirely from your system, it's bad news. Then `source
/etc/profile && env-update`.



Re: [gentoo-user] site:www.gentoo.org (compile phase)...die "econf failed"

2011-05-15 Thread Michael Orlitzky
On 05/15/2011 09:25 PM, Adam Carter wrote:
> 
> Purge ccache entirely from your system, it's bad news. Then `source
> /etc/profile && env-update`.
> 
> 
> AFAIK i've never had a problem with ccache. I've been using it for years
> on two different systems.
> 
> The OP's problem appears to be that he has ccache in FEATURES but it's
> not installed, as Mick stated 16 hours ago.

I meant that like when I tell my friends with the crippling alcoholism,
"get rid of the motorcycle, it's bad news."

ccache is installed, judging by his bash history. It doesn't appear to
be in FEATURES. It's easier to solve this one with a chainsaw than with
a scalpel.



Re: [gentoo-user] site:www.gentoo.org (compile phase)...die "econf failed"

2011-05-15 Thread Michael Orlitzky
On 05/15/2011 06:29 PM, Felix Miata wrote:
> http://fm.no-ip.com/Tmp/Linux/G/ has system info, bash_history, and logs from 
> my 7th attempt to install from the beginning, using 
> http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?full=1 as the battle 
> plan.
> 
> Among the 8 attempts, once I used the 0514 portage, twice I used the 0507 
> portage, and the rest I used the 0511 portage. I'm surprised I ever got a 
> kernel, networking, and mc working on the first try, because I've been unable 
> to get anything except kernel sources to emerge since the first attempt. 
> Every other emerge attempt has generated either "ERROR:...(compile phase)..." 
> or "ERROR:...(configure phase)...", plus 'die "econf failed"'.
> 
> At this point I have to believe there's a Gentoo bug(s) I'm hitting rather 
> than mistakes following instructions. I've put in most of the past 5 days 
> trying, and have to quit real soon unless I get a whole lot better help. I'm 
> sure I've used up my quota of better efficiency just trying to get started, 
> and need to get back to normal life soon.


Ugh:

  http://fm.no-ip.com/Tmp/Linux/G/bash_profile

I'm guessing you forgot to `source ~/.bash_profile` after you commented
out the line,

  #export "CC=ccache gcc"



Re: [gentoo-user] site:www.gentoo.org (compile phase)...die "econf failed"

2011-05-15 Thread Michael Orlitzky
On 05/15/2011 09:43 PM, Michael Orlitzky wrote:
> On 05/15/2011 06:29 PM, Felix Miata wrote:
>> http://fm.no-ip.com/Tmp/Linux/G/ has system info, bash_history, and logs
>> from my 7th attempt to install from the beginning, using
>> http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?full=1 as the battle
>> plan.
>>
>> Among the 8 attempts, once I used the 0514 portage, twice I used the 0507
>> portage, and the rest I used the 0511 portage. I'm surprised I ever got a
>> kernel, networking, and mc working on the first try, because I've been
>> unable to get anything except kernel sources to emerge since the first
>> attempt. Every other emerge attempt has generated either "ERROR:...(compile
>> phase)..." or "ERROR:...(configure phase)...", plus 'die "econf failed"'.
>>
>> At this point I have to believe there's a Gentoo bug(s) I'm hitting rather 
>> than mistakes following instructions. I've put in most of the past 5 days 
>> trying, and have to quit real soon unless I get a whole lot better help. I'm 
>> sure I've used up my quota of better efficiency just trying to get started, 
>> and need to get back to normal life soon.
> 
> 
> Ugh:
> 
>   http://fm.no-ip.com/Tmp/Linux/G/bash_profile
> 
> I'm guessing you forgot to `source ~/.bash_profile` after you commented
> out the line,
> 
>   #export "CC=ccache gcc"
> 

In fact, re-sourcing won't even help unless you set CC="something else".

Try `unset CC`.




Re: [gentoo-user] Inkscape-0.48.1-r1 really sloooooow

2011-05-21 Thread Michael Orlitzky
On 05/20/2011 08:49 AM, Mick wrote:
> Hi All,
> 
> I installed inkscape-0.48.1-r1 on a x86 machine.  For a few
> seconds/minutes after opening an svg image rendering is fast as
> expected, but soon it gets bogged down to the point of seeing the
> image being rendered in slow motion, a row at a time if e.g. I scroll
> up or down the page.  Only 20% of RAM (of 3G total) is being used at
> the time, so I'm guessing this could be something to do with the ATI
> video card?
> 
> Other graphics apps open at the same time (e.g. Gimp) do not have such
> problems rendering graphics (albeit not svg).
> 
> Before I post loads of info which may be unnecessary, have you come
> across anything similar and how can I troubleshoot it?
> 
> PS.  I unmasked 0.48.1-r1 because 0.48.0 was even worse.

I don't suppose you have a ton of fonts installed? I've had Inkscape
lock up for like 5 minutes at a time when it was loading the font list
(either at startup or when opening the text dialog).



Re: [gentoo-user] Where be the hardened Stage3?

2011-06-03 Thread Michael Orlitzky
On 06/03/11 09:28, Pandu Poluan wrote:
> Anyone knows why current-stage3/ no longer has the hardened stage3 tarballs?
> 
> Rgds,


Try this for now?

  http://gentoo.osuosl.org/releases/amd64/autobuilds/



Re: [gentoo-user] Cleaning redundant configuration files

2011-06-03 Thread Michael Orlitzky
Nobody wants portage to delete modified config files. Some people might
think they do, but they don't: they just don't know it yet.

See also: condoms, seatbelts.



Re: [gentoo-user] Where be the hardened Stage3?

2011-06-05 Thread Michael Orlitzky
On 06/03/2011 01:01 PM, Pandu Poluan wrote:
> -original message- Subject: Re: [gentoo-user] Where be the hardened
> Stage3? From: Michael Orlitzky  Date:
> 2011-06-03 23:05
> 
>> On 06/03/11 09:28, Pandu Poluan wrote:
>>> Anyone knows why current-stage3/ no longer has the hardened
>>> stage3 tarballs?
>>> 
>> 
>> Try this for now?
>> 
>> http://gentoo.osuosl.org/releases/amd64/autobuilds/
>> 
> 
> Thanks, found that when I spelunked into the deep underbelly of the
> intarwebz :)
> 
> The question still remains, though: Why not in current-stage3/ ? Any
> serious technical issues that'll kill my puppies?
> 
> (Lest I be misunderstood: if it's the council's decision, I'm not for
> nor against the decision. Just curious, is all.)
> 

I asked on the hardened list and haven't heard anything for a few days.
We might just have to wait until someone notices and fixes it.



Re: [gentoo-user] to USE loop-aes or not to USE loop-aes, that is the confusion

2011-06-14 Thread Michael Orlitzky
On 06/14/11 11:46, meino.cra...@gmx.de wrote:

> What is the difference of 
> USE=loop-aes
> and
> USE=crypt?
> 
> Why do the versions oscillate that way?
> 
> HELP ! :)
> 
> Thank you very much for any hint in advance!:)

Maybe helpful:

  http://dev.c1pher.net/index.php/2011/06/loop-aes-should-it-be-treecleaned/



Re: [gentoo-user] Portknock before Postfix delivery?

2011-07-04 Thread Michael Orlitzky
On 07/03/2011 09:31 PM, Pandu Poluan wrote:
> I'm just wondering...
> 
> I'm implementing an email gateway using postfix. The gateway lives as
> a VM in my ISP, and it will deliver 'accepted' emails to the company's
> email server which lives in the DMZ. The email server's port is
> shifted to a non-25 external port number.
> 
> So far so good. However, a portscanner might still be able to detect
> which port is open and attempt deliveries there.
> 
> So, the question: Is it possible to configure the system in some way
> so that Postfix will first perform a portknocking before attempting
> delivery to the internal mail server?
> 
> If that is not possible, what solution would you recommend to 'harden'
> the non-25 mail port?

What defines an "accepted" email? If they will all be coming from one or
more pre-defined hosts, just add them to mynetworks:

  mynetworks = 
  smtpd_recipient_restrictions = permit_mynetworks, reject

If they could be coming from anywhere, you can either configure SASL
(easier) or certificate-based authentication (harder). I suppose you
could set up a VPN that lands them within $mynetworks, too.
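
The two server-side options named in the reply above, written out as an added configuration example (not part of the original message). The address 192.0.2.10, the host mail.example.com, port 2525, the domain example.com and all file paths are constructed placeholders.

```conf
# ---- Internal mail server: /etc/postfix/main.cf ----
# main.cf has no inline comments, so each comment gets its own line.

# Option 1: accept mail only from the gateway's address.
# 192.0.2.10 is a placeholder for the gateway VM.
mynetworks = 127.0.0.0/8 192.0.2.10/32
smtpd_recipient_restrictions = permit_mynetworks, reject

# Option 2: certificate-based. Keep only one definition of
# smtpd_recipient_restrictions; this one replaces the Option 1 line.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/internal-cert.pem
smtpd_tls_key_file = /etc/postfix/tls/internal-key.pem
# Ask connecting clients for a certificate and match its fingerprint.
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_recipient_restrictions = permit_mynetworks, permit_tls_clientcerts, reject

# /etc/postfix/relay_clientcerts (run "postmap" on it after editing).
# Left-hand side is the gateway certificate's fingerprint, from:
#   openssl x509 -noout -fingerprint -sha256 -in gateway-cert.pem
# <GATEWAY-CERT-SHA256-FINGERPRINT>   gateway

# ---- Gateway: /etc/postfix/main.cf ----
# Present a client certificate and require TLS for the internal hop only.
smtp_tls_cert_file = /etc/postfix/tls/gateway-cert.pem
smtp_tls_key_file = /etc/postfix/tls/gateway-key.pem
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/tls_policy
# [mail.example.com]:2525   encrypt

# /etc/postfix/transport (the non-25 port from the question)
# example.com   smtp:[mail.example.com]:2525
```

With either option the trailing `reject` is what closes the port to everyone else: a scanner can still find the listener, but the server refuses recipients from any client that is not in `mynetworks` or does not present the listed certificate.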


