Re: [gentoo-user] Re: Why does bind-tools 9.18 depend on bind?

2024-10-27 Thread Eray Aslan
On Sat, Oct 26, 2024 at 11:42:32AM +0100, Peter Humphrey wrote:
> On Saturday 26 October 2024 09:10:44 BST Eray Aslan wrote:
> > fwiw, net-dns/unbound is a good choice for a resolver even if you are
> > running in a systemd environment.
> 
> Interesting. I run dnsmasq here; would unbound be better, or less good? I've 
> had no trouble with dnsmasq - it just does the job.

I should have qualified that statement. Sorry. dnsmasq is optimized and
arguably a better choice for client systems, esp with intermittent
internet access (phones, laptops etc). And I find unbound to be a better
choice for server environments.

Since I am familiar with unbound, I tend to use it everywhere but that
is just personal choice.

-- 
Eray



Re: [gentoo-user] Re: Why does bind-tools 9.18 depend on bind?

2024-10-26 Thread Eray Aslan
On Fri, Oct 25, 2024 at 01:53:05PM -, Grant Edwards wrote:
> On 2024-10-25, Michael Orlitzky  wrote:
> > BIND may actually be the least bad option.
> 
> Indeed.

Seconded. I find that net-dns/bind is good for authoritative dns servers
and for its tools so it tends to get installed even on laptops. Gentoo
does not start daemons on install so really no need to have a fragile
separate package only for bind provided tools.

fwiw, net-dns/unbound is a good choice for a resolver even if you are
running in a systemd environment.

-- 
Eray



Re: [gentoo-user] postfix: /etc/postfix/aliases or /etc/mail/aliases ?

2021-07-11 Thread Eray Aslan
On Mon, Jul 12, 2021 at 01:21:14PM +1000, Adam Carter wrote:
> The location is currently configured in main.cf;
> # postconf alias_maps
> alias_maps = hash:/etc/postifix/aliases

That's a non-default value.  /etc/mail/aliases is the gentoo default.
Changing the default is fine but you need to let postfix create the db
file as well if you want to use /etc/postfix as your aliases location.

> And looks like the installer puts the original alias file there too, so I
> assume my config is per the default config;
> # qlist postfix | grep aliases
> /etc/postfix/aliases

Yes, the postfix-install command places the aliases file - along with a
few others - into the standard configuration directory.  It is somewhat
of a hassle to remove them as other commands expect at least some of
them to be present.

> But this;
> # grep aliases /lib/systemd/system/postfix.service
> ExecStartPre=-/usr/bin/newaliases
> ReadWritePaths=-/etc/mail/aliases.db
> 
> Suggests that /etc/mail is the correct location, so i'm wondering if i
> missed an update to postfix.service. Can a postfix user please check their
> ReadWritePaths to see if it's /etc/mail/aliases.db or
> /etc/postfix/aliases.db ? Cheers.

Two options:
1/ use defaults, i.e. /etc/mail/aliases
2/ use a custom location but then change postfix.service to give r/w
access to the new aliases.db location

I'd go with option #1 if you do not have a strong preference either way.

-- 
Eray



Re: [gentoo-user] tips on running a mail server in a cheap vps provider run but not-so-trusty admins?

2020-08-24 Thread Eray Aslan
On Sat, Aug 22, 2020 at 09:17:56PM +0100, Ashley Dixon wrote:
> On Sat, Aug 22, 2020 at 04:15:38AM +, Caveman Al Toraboran wrote:
> > just to double check i got you right.  due to
> > flushing the buffer to disk, this would mean that
> > mail's throughput is limited by disk i/o?
[...]
> When an M.T.A. encounters mail, the content of the mail will first exist in the
> M.T.A.'s local memory, in a buffer.  Before sending an "OK" to the sending
> server, it should first make an attempt to write it to disk, through an fwrite
> (stdio) or write (POSIX) call.  At that point, it is, in theory, the kernel's
> choice if and when it is _actually_ written to disk, but if one of the
> aforementioned functions returns a success code, the M.T.A. has done its bit, and
> can consider the message "safely stored".

True, and yes: given a sink willing to accept your throughput, an MTA is
generally disk I/O bound.

-- 
Eray



Re: [gentoo-user] Ansible, puppet and chef

2014-09-17 Thread Eray Aslan
On Tue, Sep 16, 2014 at 10:43:18PM +0200, Alan McKinnon wrote:
> Puppet seems to me a good product for a large site with 1000 hosts.
> Not so much for ~20 or so.

I find that for a few machines, puppet is overkill.  For a lot of
machines, puppet can become unmanageable - with puppet master and
security being the culprit.

We have used puppet a lot but recently settled on salt (strictly
speaking not my decision so cannot really compare it with ansible) and
we are happy with the outcome.  You might want to consider
app-admin/salt as well.

-- 
Eray



Re: [gentoo-user] Re: Secure DNS servers

2014-06-17 Thread Eray Aslan
On Mon, Jun 16, 2014 at 07:57:31PM +, James wrote:
> Any guidance of those?

When I have a choice, I go with nsd for authoritative and with unbound for
recursive dns servers.  Bind is also a popular alternative.

> Anyone and Everyone is encouraged to "chime in" on dns server

Try to separate your authoritative and recursive dns servers.

Learn to use dig.

On Mon, Jun 16, 2014 at 02:49:39PM -0400, Michael Orlitzky wrote:
>   iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Careful with conntrack.  It is OK for a home/hobby server.  For a high
volume dns server, you don't want to reach conntrack limits before you
reach the limits of your dns software - which are usually much higher.
A stateful firewall for a dns server is not always a good choice - do
not make it easier to DoS.

-- 
Eray Aslan 
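An added example, not part of the original post, of the alternative the message argues for: keeping DNS packets out of the conntrack table altogether so that a query flood exhausts the DNS daemon before it exhausts nf_conntrack_max. The rules use the standard iptables raw table and NOTRACK target (CT --notrack on newer builds) and are written for an authoritative server that only answers on port 53; the script prints the commands rather than executing them, so they can be reviewed and piped to sh as root. The conntrack status helper reads the usual /proc/sys/net/netfilter counters where they exist.

```shell
#!/bin/sh
# Added example: exempt DNS from connection tracking on an authoritative
# name server.  Prints iptables/ip6tables commands for review; nothing is
# applied by this script itself.

# Emit the rules for one firewall binary (iptables or ip6tables).
dns_notrack_rules() {
    fw=${1:-iptables}
    cat <<EOF
# raw table: exempt DNS packets from tracking before conntrack sees them
$fw -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK
$fw -t raw -A PREROUTING -p tcp --dport 53 -j NOTRACK
$fw -t raw -A OUTPUT     -p udp --sport 53 -j NOTRACK
$fw -t raw -A OUTPUT     -p tcp --sport 53 -j NOTRACK
# untracked packets never match --ctstate ESTABLISHED,RELATED, so the
# filter table has to accept them by port in both directions; this is the
# trade-off: replies are matched on port number, not on tracked state
$fw -A INPUT  -p udp --dport 53 -j ACCEPT
$fw -A INPUT  -p tcp --dport 53 -j ACCEPT
$fw -A OUTPUT -p udp --sport 53 -j ACCEPT
$fw -A OUTPUT -p tcp --sport 53 -j ACCEPT
EOF
}

# Percentage of the conntrack table in use, given current count and max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Read the live counters from /proc (only meaningful on the firewall host).
conntrack_status() {
    dir=/proc/sys/net/netfilter
    if [ -r "$dir/nf_conntrack_count" ] && [ -r "$dir/nf_conntrack_max" ]; then
        count=$(cat "$dir/nf_conntrack_count")
        max=$(cat "$dir/nf_conntrack_max")
        echo "conntrack: $count/$max entries ($(conntrack_usage_pct "$count" "$max")% used)"
    else
        echo "conntrack: module not loaded or /proc not readable"
    fi
}

dns_notrack_rules iptables
dns_notrack_rules ip6tables
conntrack_status
```

A recursive resolver also sends queries outbound and receives replies with source port 53; those need the mirror-image raw and filter rules, and the same trade-off applies. Watch conntrack_status under load: if it climbs towards 100% before the DNS daemon is anywhere near its own limits, conntrack is the bottleneck the message warns about.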



Re: [gentoo-user] ssmtp alternatives: msmtp vs. dma

2012-12-04 Thread Eray Aslan
On 12/5/12 7:28 AM, Grant wrote:
> I was setting up ssmtp but I realized it isn't being maintained and
> there are a couple of alternatives called msmtp and dma.  Can anyone
> recommend one of these over the other?

msmtp and nullmailer are good choices as light weight MTAs.  I hope to
change the default mta from ssmtp to one of them in semi-near future
(probably nullmailer now that it has TLS/SSL support).

-- 
Eray Aslan 



Re: [gentoo-user] courier-imap cannot find courier-authlib

2012-11-02 Thread Eray Aslan
On Fri, Nov 02, 2012 at 08:05:34AM -0400, Mike Edenfield wrote:
> Is anyone else seeing this problem, or know how to make it go away?

Should be fixed in =courier-authlib-0.65.0-r2.  In the meantime, try -r1
with the static-libs USE flag.

-- 
Eray



Re: [gentoo-user] GSSIAPIKeyExchange is not supportd on OpenSSH_5.9p1

2012-09-05 Thread Eray Aslan
On Wed, Sep 5, 2012 at 12:06 PM, Ali Gholami  wrote:
> .ssh/config: Bad configuration option: GSSAPIKeyExchange

That config option needs a separate patch which has been around for
ages but upstream OpenSSH maintainers are being an arse^H^H^H^H
uncooperative.  Sadly, Gentoo decided not to ship it anymore.  See:

https://bugs.gentoo.org/show_bug.cgi?id=115553

-- 
Eray



Re: [gentoo-user] newaliases - unsupported map type: hash

2012-08-30 Thread Eray Aslan
On Fri, Aug 31, 2012 at 3:06 AM, Joseph  wrote:
> I just upgraded to postfix-2.9.3 and not getting any local mail.
>
> When I type "newaliases" I get:
> postalias: fatal: unsupported map type: hash

Do not turn off the berkdb USE flag if your setup uses hash or btree
lookups.  There is a warning in the ebuild output for -berkdb.  Please
let me know if it did not work for you.

Eray



Re: [gentoo-user] HEADS UP - postfix-2.9.0 is broken

2012-02-06 Thread Eray Aslan
On Mon, Feb 06, 2012 at 06:51:51PM +0100, Andrea Conti wrote:
> Luckily the error messages are informative enough... but let's say that
> a word of caution in the emerge message would have been welcomed.

There is a warning printed if you emerged without the berkdb flag when
you upgraded from 



Re: [gentoo-user] HEADS UP - postfix-2.9.0 is broken

2012-02-06 Thread Eray Aslan
On Tue, Feb 07, 2012 at 01:58:33PM +0700, Pandu Poluan wrote:
> S... I'm still on 2.8.7. Is it safe to upgrade to 2.9.0-r1 ?

Yes, it should be OK as long as you run etc-update/dispatch-conf/similar
after the upgrade.  Postfix daemons now live under /usr/libexec/postfix
(not under /usr/lib{,64}/postfix).  Adjust your main.cf accordingly.
I'll add a warning to the ebuild.

-- 
Eray Aslan 



Re: [gentoo-user] netqmail blocks maildrop requiered by qmail-scanner.

2011-08-20 Thread Eray Aslan
On Thu, Aug 18, 2011 at 08:47:08PM -0700, fe...@crowfix.com wrote:
> Someone told me to set -tools for maildrop in package.use.  I looked
> up what that does but forget now, so presumably it's not terribly
> important on my system.  Still puzzling.

maildrop, netqmail, courier-imap all install the same file(s) leading to a
file collision.  See bug #61116 for the gory details.  Basically, with
-tools, we do not install them.

Tying conflicting files to a USE flag does not make me happy either but
it was better than status quo.  An argument can be made though to not
enable the tools flag by default.

-- 
Eray Aslan 




Re: [gentoo-user] drbd primary standalone ...

2011-07-12 Thread Eray Aslan
On 2011-07-12 2:50 PM, Stefan G. Weichinger wrote:
> Where should I add "drbdadm primary all" to the init-scripts to fix that
> temporarily?

Usually it is the resource manager's (such as pacemaker) job to decide
which node becomes primary.  If you are not using one, you might want to
check the become-primary-on directive in drbd.conf.

-- 
Eray Aslan 



Re: [gentoo-user] Circular blockage

2011-03-28 Thread Eray Aslan
On Mon, Mar 28, 2011 at 11:16:48PM +0100, Peter Humphrey wrote:
> How do I get out of this?

Re-sync your tree.  Temp breakage when virtual/mta was added to the
tree.  Sorry about that.

-- 
Eray



Re: [gentoo-user] Re: OT: advice sought on new laptop for Gentoo

2010-09-07 Thread Eray Aslan
On 07.09.2010 15:29, Alan McKinnon wrote:
> I figure that just like a top-grade mechanic should be looking at SnapOns or 
> similar in his toolbox, this here sysadmin also needs high quality tools. My 
> chief tool is my notebook.

It's the weight, not the price, that is the deciding factor for us.  I guess it
depends on how much traveling you do.  There is no one final ultimate
answer.  It depends.  Labeling low res solutions as "cheap crap" was
uncalled for.

-- 
Eray



Re: [gentoo-user] configure error - how to debug

2010-07-06 Thread Eray Aslan
On 06.07.2010 18:55, Helmut Jarausch wrote:
> ./configure: line 14859: test: too many arguments
> 
> Looking at this line it shows
>  if test $ax_python_header != no; then

Wild guess (since you did not mention which ebuild):

quote the variable and try again, i.e. something like

- if test $ax_python_header != no; then
+ if test "$ax_python_header" != no; then

-- 
Eray



Re: [gentoo-user] Two openvpn tunnels... and /etc/init.d et al.

2010-07-05 Thread Eray Aslan
On 06.07.2010 08:17, Steve wrote:
> What's the recommended gentoo way to launch two openvpn instances?  (I
> assume that's what's required...)

$ ls -l /etc/init.d/openvpn*
-rwxr-xr-x 1 root root 4198 Feb 17 08:31 /etc/init.d/openvpn
lrwxrwxrwx 1 root root    7 Mar  1 12:28 /etc/init.d/openvpn-interoffice -> openvpn
$ ls -l /etc/openvpn/*.conf
-rw-r--r-- 1 root root 10356 Mar  1 15:32 /etc/openvpn/openvpn-interoffice.conf
-rw-r--r-- 1 root root 10351 Mar  4 23:10 /etc/openvpn/openvpn.conf

i.e. make a soft link to the openvpn init script and make a separate conf
file with the same name as the new init script in your config directory
(usually /etc/openvpn).  Init script starts openvpn with the correct
config file.

-- 
Eray



Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure

2010-05-18 Thread Eray Aslan
On Tue, May 18, 2010 at 08:57:58PM +0200, Stefan G. Weichinger wrote:
> Am 18.05.2010 19:57, schrieb Jan Engelhardt:
> Ok, I see. So my current setup with one disk only and SSL-generated
> keyfile does not add security but flexibility (being able to switch
> passwords more quickly).

Keep the keyfile in a usb-stick if you can.  Decrypting the hard disk
will require both the usb-stick and the password, i.e. two factor
authentication.

-- 
Eray



Re: [gentoo-user] {OT} hardening SSL without rejecting users

2010-04-26 Thread Eray Aslan
On 27.04.2010 05:19, Grant wrote:
> I've been advised to harden my SSL in the following ways:
> 
> 1. disable SSL 2.0

Agreed.  There is no need to support SSL 2.0 anymore.

> 2. disable use of SSL ciphers which offer either weak or no encryption

For maximum compatibility, support AES, RC4 and 3DES (and up).  There is
no need to support weaker ciphers.

> 3. disable anonymous SSL ciphers

Correct.  There is no need except in emergencies (actual
interoperability problems with mandatory TLS destinations).  But it
should be the default anyway.

In general, try to
* use a private key that is at least 2048 bits long
* do not offer ciphers below 128 bits
* do not support SSLv2
* do not offer anonymous Diffie-Hellman (ADH)
* generate new keys for each certificate (do not reuse keys)
* support/offer TLS 1.0 and better

-- 
Eray
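An added example, not from the original post, that applies the rules in the list above (no SSLv2, no anonymous key exchange, no NULL encryption, nothing below 128 bits) to the output of "openssl ciphers -v". A constructed sample of that output is embedded so the script runs offline; on a real host feed it `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` and use the names that survive as your cipher list. The policy is the 2010 one from the post; a present-day deployment would also drop RC4, 3DES, SHA1 MACs and anything below TLS 1.2.

```shell
#!/bin/sh
# Added example: filter "openssl ciphers -v" output against the cipher
# policy from the post.  The sample list below is constructed, not taken
# from any real host.

# Constructed sample in "openssl ciphers -v" format:
#   NAME PROTOCOL Kx=... Au=... Enc=ALG(bits) Mac=... [export]
sample_cipher_list() {
    cat <<'EOF'
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
EOF
}

# Read cipher lines on stdin; print the names that pass on stdout and
# the reason for each rejection on stderr.
filter_ciphers() {
    awk '
        function reject(why) { print $1 ": rejected, " why > "/dev/stderr" }

        $2 == "SSLv2"    { reject("SSLv2 protocol"); next }
        $4 == "Au=None"  { reject("anonymous key exchange, no authentication"); next }
        $5 == "Enc=None" { reject("no encryption"); next }
        {
            bits = $5
            sub(/^Enc=[^(]*\(/, "", bits)   # Enc=AES(256) -> 256)
            sub(/\).*/, "", bits)           # 256)         -> 256
            if (bits + 0 < 128) { reject("only " bits "-bit encryption"); next }
            print $1
        }
    '
}

sample_cipher_list | filter_ciphers
```

The surviving names can be joined with ":" into the cipher list option of whatever daemon is being hardened; the rejections on stderr show which rule each dropped suite tripped, which is useful when a client later fails to negotiate.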



Re: [gentoo-user] custom package make options?

2010-04-18 Thread Eray Aslan
On Sun, Apr 18, 2010 at 02:46:58PM -0400, David Mehler wrote:
> I've got a box with two processors so i have MAKEOPTS set to -j2. One
> package gnome breaks during compile under these circumstances so am
> wanting to install it and only it with MAKEOPTS set to -j1 i'm
> thinking i have to put a file somewhere to pass custom make options to
> emerge gnome, but not sure where.

echo 'MAKEOPTS="-j1"' >> /etc/portage/env/$CATEGORY/$PN

for example:
echo 'MAKEOPTS="-j1"'>/etc/portage/env/gnome-extra/evolution-data-server

-- 
Eray



Re: [gentoo-user] STARTTLS verification problem

2010-04-10 Thread Eray Aslan
On 10.04.2010 19:04, Mick wrote:
> On Saturday 10 April 2010 16:32:37 Eray Aslan wrote:
>> On 10.04.2010 18:12, Robin Atwood wrote:
>>> That's very interesting, I have puzzled about STARTTLS stuff for years!
>>> How do I make sendmail trust the CAs?
>>
>> This is neither necessary nor recommended for TLS.
> 
> Why would that be?

Who do you trust and for what?  Adding various third party CA
certificates, i.e. using a PKI infrastructure for SMTP for the general
public:

Pros:
None

Cons:
* If you ever do certificate based access control, you will be in
for a surprise.
* MTAs' TLS code is well known for the more popular ones.
However, code paths that deal with a lot of CA certs are seldom used.
There might be corner cases.

On a more general note, please ask yourself "Do I really need a PKI?"
and avoid PKI if you can.  It is a mess and is not the way forward.

-- 
Eray



Re: [gentoo-user] STARTTLS verification problem

2010-04-10 Thread Eray Aslan
On 10.04.2010 18:12, Robin Atwood wrote:
> That's very interesting, I have puzzled about STARTTLS stuff for years! How 
> do 
> I make sendmail trust the CAs?

This is neither necessary nor recommended for TLS.

> define(`CERT_DIR',`/etc/mail/certs')
> define(`confCACERT_PATH',`CERT_DIR')
> define(`confCACERT',`CERT_DIR/cacert.pem')
> define(`confSERVER_CERT',`CERT_DIR/cert.pem')
> define(`confSERVER_KEY',`CERT_DIR/key.pem')
> define(`confCLIENT_CERT',`CERT_DIR/cert.pem')
> define(`confCLIENT_KEY',`CERT_DIR/key.pem')

These 3 files (cacert.pem, cert.pem, key.pem) are for your own server.
It has been awhile since I used sendmail, but adding CA certificates to
CACERT_PATH should make sendmail trust them.

Again, this is contrary to "best practices".  Do not trust third party
CA certificates unnecessarily.  It might come back and bite you.

-- 
Eray



Re: [gentoo-user] STARTTLS verification problem

2010-04-10 Thread Eray Aslan
On 10.04.2010 11:08, Mick wrote:
> Apr  9 21:45:47 my_box sendmail[4013]: STARTTLS=client, 
> relay=smtp.comcast.net, version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-
> AES256-SHA, bits=256/256
> 
> Any idea why this is happening?

Nothing to worry about.  It just means you do not trust the certificate
issuer for smtp.comcast.net.  For smtp delivery, this is perfectly fine.
See below:

$ openssl s_client -connect smtp.comcast.net:25 -starttls smtp
[...]
SSL-Session:
[...]
Verify return code: 20 (unable to get local issuer certificate)

versus when I tell it to trust some CAs (including verisign) on the
local machine:

$ openssl s_client -connect smtp.comcast.net:25 -starttls smtp -CApath /etc/ssl/certs/
[...]
SSL-Session:
[...]
Verify return code: 0 (ok)

-- 
Eray



Re: [gentoo-user] Which IPSEC to go?

2010-01-26 Thread Eray Aslan
On 24.01.2010 23:38, Konstantinos Agouros wrote:
> since I am a while out of the game of doing ipsec with Linux:
> What's the way to go? Strongswan/Openswan or ipsec-tools for kame/racoon.
> 
> Emerge -p gave me some ~ for ipsec-tools while openswan goes without.
> 
> Any input welcome. I need this for a road warrior setup.

Assuming you will want to support windows clients as well, openswan and
openvpn are the popular choices.  There has been some mention of
questionable code quality for openswan so you might want to check if
openvpn fits your needs first.

Personally, I would stay away from kame/racoon.

-- 
Eray



Re: [gentoo-user] Devicekit - especially just for Dale

2010-01-17 Thread Eray Aslan
On Sun, Jan 17, 2010 at 09:39:27AM -0600, Dale wrote:
>  From my understanding, isn't the same guy doing devicekit that did 
> hal?  I'm not saying it won't be better because it should be.  From what 
> I read a good while back, he learned a lot about the pitfalls of hal.  
> He, most likely, will know best how to do it differently this time.

It is usually done right in the third version.  First one too small,
second one too big, third one just right :)

I think it is called "Second System Effect"

I guess we will see if it is.

-- 
Eray



Re: [gentoo-user] Quick quesition regarding "linux-2.6.31.x" and "gentoo-sources-2.6.31-rx"

2009-11-19 Thread Eray Aslan
On Thu, Nov 19, 2009 at 03:49:19PM -0500, Marcus Wanner wrote:
> I was just wondering if a package such as "gentoo-sources-2.6.31-r6" 
> uses kernel 2.6.31.6, or just 2.6.31. I have been digging through 
> timestamps and the like for a while, but I just can't figure it out.

http://sources.gentoo.org/viewcvs.py/linux-patches/genpatches-2.6/tags/

-- 
Eray



Re: [gentoo-user] strange cron messages...

2009-11-17 Thread Eray Aslan
On 17.11.2009 17:08, Neil Bothwick wrote:
>>> You wouldn't miss a log message by sending a SIGHUP to your mail
>>> server, the logger would keep running.
>> When syslog-ng cannot process messages for whatever reason, it will
>> buffer them.  When the buffer is full, it will drop the messages.  There
>> is no need to add to the load and increase message loss probability with
>> SIGHUP (think of a central log server).
> 
> How does sending a SIGHUP to smtpd increase the load on the syslog server?

Ugh, smtpd?  Where did that come from?  There was no mention of smtpd in
the thread.

Hectic day at work? :)

-- 
Eray





Re: [gentoo-user] strange cron messages...

2009-11-17 Thread Eray Aslan
On 17.11.2009 10:59, Neil Bothwick wrote:
>>> Then how do you get the server to use the new logfile names each
>>> day/week?
>> It creates and uses a new file each hour/day/etc.  Perhaps, you missed
>> the file(...) directive?
> 
> I didn't miss it. My question was how do you get the process to USE the
> new file. Unless you SIGHUP the process, it will continue using the
> config in place when it started.

Last sentence is correct.  What you are missing is that the config says
to start a new file each day/hour/etc.  syslog-ng does not evaluate the
file() expression once at startup and then treat it as a constant.

# ls /var/log/HOSTS/north/|tail -n5
north.2009.07.log.gz
north.2009.08.log.gz
north.2009.09.log.gz
north.2009.10.log.gz
north.2009.11.log

There was no SIGHUP involved.

>>> You only need to send a SIGHUP to the server using that log
>>> facility, so syslog would not be affected in your example.
>> I can't parse this.  The point is avoiding SIGHUP so that we do not miss
>> any log messages.
> 
> You wouldn't miss a log message by sending a SIGHUP to your mail server,
> the logger would keep running.

When syslog-ng cannot process messages for whatever reason, it will
buffer them.  When the buffer is full, it will drop the messages.  There
is no need to add to the load and increase message loss probability with
SIGHUP (think of a central log server).

-- 
Eray



Re: [gentoo-user] strange cron messages...

2009-11-16 Thread Eray Aslan
On 16.11.2009 14:46, Neil Bothwick wrote:
> On Mon, 16 Nov 2009 09:05:18 +0200, Eray Aslan wrote:
> 
>> - No need to logrotate with time based filenames.  Hence, no need to
>> "kill -HUP" the syslog daemon.  No missed logs.
> 
> Then how do you get the server to use the new logfile names each
> day/week?

It creates and uses a new file each hour/day/etc.  Perhaps, you missed
the file(...) directive?  Reposting for your reference:

destination mail {
file("/var/log/mail/$YEAR/$MONTH/$DAY/$HOUR"
[...]

> You only need to send a SIGHUP to the server using that log
> facility, so syslog would not be affected in your example.

I can't parse this.  The point is avoiding SIGHUP so that we do not miss
any log messages.

OP asked how one manages log files without logrotate and the answer is
with time based file names.  It has the additional benefit of avoiding
SIGHUP.

-- 
Eray



Re: [gentoo-user] strange cron messages...

2009-11-16 Thread Eray Aslan
On 16.11.2009 10:08, Graham Murray wrote:
> Eray Aslan  writes:
> 
>> - No need to logrotate with time based filenames.  Hence, no need to
>> "kill -HUP" the syslog daemon.  No missed logs.
> 
> But you still need some system (eg tmpwatch) to delete old log files
> otherwise the disk will (eventually) fill with log files. Logrotate
> automatically handles the number of/how long to keep logs.

If you want to be complete, you compress old log files, transfer them to
the central log server and delete them when they are old enough.  These
are done with a few trivial scripts run via cron.

If that seems like too much work for questionable benefit, by all means
use logrotate.

-- 
Eray



Re: [gentoo-user] strange cron messages...

2009-11-16 Thread Eray Aslan
On 15.11.2009 13:45, Mick wrote:
> On Saturday 14 November 2009 16:53:24 Alex Schuster wrote:
>> I assume you are using logrotate, and have the /etc/logrotate.d/kernel
>> file? I guess the 'compytruncate' is misspelled and should be
>> 'copytruncate'. And 'endscript' is used after using 'prerotate' or
>> 'postrotate', which you probably do not have.
>>
>> Something like that, I never used logrotate by myself. See the man page
>> for more information.
> 
> Hmm ... how do you keep your log files under control?

Use time-based file names.  For syslog-ng something like:

destination mail {
file("/var/log/mail/$YEAR/$MONTH/$DAY/$HOUR"
template("$ISODATE $HOST $MSG\n") template_escape(no)
owner("root") group("log") perm(0640)
dir_owner("root") dir_group("log")
dir_perm(02750) create_dirs(yes));
};
destination msgs {
file("/var/log/msgs/$YEAR/$MONTH/$DAY/$HOUR"
template("$ISODATE $HOST $MSG\n") template_escape(no)
owner("root") group("log") perm(0640)
dir_owner("root") dir_group("log")
dir_perm(02750) create_dirs(yes));
};

source local { unix-dgram("/dev/log"); pipe("/proc/kmsg");
internal(); };
filter mail { facility(mail); };
filter notmail { not facility(mail); };
log { source(local); filter(mail); destination(mail); };
log { source(local); filter(notmail); destination(msgs); };


Important points:
- "unix-dgram" is good
- Use template() to determine the format
- No need to logrotate with time based filenames.  Hence, no need to
"kill -HUP" the syslog daemon.  No missed logs.
- Easier to get the log files to a central server with time based
filenames.
- "log" group is for transferring the log files to a central server

-- 
Eray
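An added example, not from the original post, of the "few trivial scripts run via cron" that go with time-based file names: it compresses hourly files syslog-ng has finished with and deletes files older than a retention period, then removes the day/month/year directories that become empty. It assumes the /var/log/mail/$YEAR/$MONTH/$DAY/$HOUR layout from the config above; the base directory and retention are parameters, and the transfer to the central log server (rsync over ssh as a member of the "log" group, per the post) is left out.

```shell
#!/bin/sh
# Added example: retention for syslog-ng time-based log files.
# Usage: archive_logs.sh /var/log/mail [KEEP_DAYS]   (default 90 days)

# archive_logs BASE_DIR KEEP_DAYS
archive_logs() {
    base=$1
    keep=$2

    # 1. Drop anything older than the retention period, compressed or not.
    find "$base" -type f -mtime +"$keep" -exec rm -f {} +

    # 2. Compress files untouched for at least two days.  syslog-ng closes
    #    destination files that have been idle for time_reap() seconds
    #    (60 by default), so such a file is no longer open and gzip will not
    #    pull it out from under the daemon.  gzip gives the .gz the original
    #    mtime, so step 1 still sees the right age on later runs.
    find "$base" -type f ! -name '*.gz' -mtime +1 -exec gzip -9 {} +

    # 3. Remove day/month/year directories that are now empty (deepest
    #    first); rmdir refuses non-empty ones, which is what we want.
    find "$base" -depth -type d ! -path "$base" -exec rmdir {} \; 2>/dev/null || true
}

if [ $# -ge 1 ]; then
    archive_logs "$1" "${2:-90}"
fi
```

Run it from cron once a day per destination directory (mail and msgs in the config above). Because the file names already encode the timestamp, there is no rename step and no signal to the daemon at any point, which is the whole reason for the time-based layout.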



Re: [gentoo-user] Migration to baselayout2 / openrc

2009-10-11 Thread Eray Aslan
On 10.10.2009 13:01, meino.cra...@gmx.de wrote:
>  On gentoo web I found this: 2.  
>   Migration to OpenRC 
>   Migration to OpenRC is fairly straightforward; it will be pulled in
>   as part of your regular upgrade process by your package manager.

PPP startup scripts still do not work with openrc.  Just a heads up in
case you use them.

-- 
Eray



Re: [gentoo-user] {OT} zflashpoint for Linux? (SSD performance "accelerator")

2009-08-09 Thread Eray Aslan
On 09.08.2009 16:13, Florian Philipp wrote:
[..]
> When you think about the situation, laptop-mode might actually make the
> situation worse. You see, it was originally developed to help HDDs
> staying in standby for longer periods by delaying writes until a read
> action causes the drive to spin up or some period of time has passed.
> 
> At this point, all writes should happen in one short burst. However,
> with slow SSDs, these bursts might actually cause the stuttering you
> experience. This is especially true when the writes delay a read action.
> I'm not sure whether the disk scheduler prefers reads over writes but it
> certainly would help.

Reads do get higher priority by default.  They are synchronous after all.
The problem usually occurs when reads get interspersed with random writes,
i.e. when you start getting lots of seeks.

But good SSDs don't care.  Only HDDs do.  And maybe bad SSDs, too.

> There is no need to keep an SSD idle as there is no kind of standby like
> HDDs have.[1] Therefore I think a better solution would be treating
> write actions as batch jobs: You do them only when there is nothing
> better to do (i.e. no read action). Until then, you keep them in a large
> write cache.

It is not that easy (it never is?).  There are a lot of trade-offs as
can be witnessed by the variety and complexity of the disk schedulers.

> I'm not sure if there is such a system, yet. Maybe you should try out
> XFS as it already implements a very aggressive write cache. I'd be very
> interested in benchmarks for Ext4 vs. XFS on slow SSDs
> but I wouldn't bet on seeing one soon. I suppose simulating and
> measuring such a usage pattern isn't a simple task.

Well, work with email (email causes a lot of filesystem syncs typically)
while dd'ing a big file repeatedly in the background.  Should be close
enough.  Both latency (stutters) and throughput are important.

-- 
Eray



Re: [gentoo-user] emerge --update --newuse too eager?

2009-07-13 Thread Eray Aslan
On 13.07.2009 10:11, Helmut Jarausch wrote:
> would anybody please be so kind to explain to me how
> emerge --update --newuse --deep @system @world
> works.
> 
> E.g. it wants to  re-emerge sys-devel/gcc because of the
> "new use flag nptl"  according to
> 
> [ebuild   R   ] sys-devel/gcc-4.4.0  USE="nptl%*" 
> [ebuild   R   ] sys-devel/gcc-4.3.3-r2  USE="nptl%*" 
> 
> But, looking at the corresponding ebuild files they don't
> use (IUSE or other) such a use flag.
> But why then does emerge want to rebuild those packages.?

nptl USE flag comes from toolchain.eclass.  Almost all the work for the
ebuild is done in the toolchain.eclass for gcc.

nptl flag was recently added to enable thread local storage for
nptl/uclibc users:
http://sources.gentoo.org/viewcvs.py/gentoo-x86/eclass/toolchain.eclass?r1=1.400&r2=1.401

-- 
Eray



Re: [gentoo-user] Machine doesn't respond to broadcast ping.

2009-06-24 Thread Eray Aslan
On 25.06.2009 07:34, Stroller wrote:
> I've got one machine here on the LAN which isn't responding to broadcast
> ping. Any idea why not?

You need to set icmp_echo_ignore_broadcasts to 0.  Default is 1, mainly
for DoS prevention:

# sysctl net.ipv4.icmp_echo_ignore_broadcasts=0

-- 
Eray



Re: [gentoo-user] [postfix - bug?] error in master.cf - problem with restart

2009-06-22 Thread Eray Aslan
On 22.06.2009 13:02, Marcin Niskiewicz wrote:
> I noticed that when someone makes an error in master.cf
>  (for example write anything at the beginning of the
> file) and then restart postfix there is a problem:
> 
> postfix is stopped (that's ok), then it should be started but it isn't
> (in log something like
> postfix/master[1649]: fatal: /etc/postfix/master.cf :
> line 4: bad transport type:
> ==)
> and there is no error shown on console ( echo $? - shows 0 )
> 
> and then when we try to restart (or start) postfix again - we can't -
> unless we delete /var/lib/init.d/started/postfix file (it's not deleted
> while restarting)
> 
> is it a bug or we're doing sth wrong?!

Postfix init script just calls postfix(1) which calls postfix-script
which calls master(8).  Exit codes do not get back to the terminal.

Use "postfix status" to check whether the mail system is running.

-- 
Eray



Re: Tweaks for SSDs [Was: [gentoo-user] [ot] no more inodes]

2009-05-30 Thread Eray Aslan
On Sat, May 30, 2009 at 02:40:34PM +0100, Neil Bothwick wrote:
> On Sat, 30 May 2009 12:06:04 +0200, Florian Philipp wrote:
> 
> > Delaying commits with ext4 and/or laptop-mode will reduce the wear-down
> > of your SSD but it might as well freeze your system when the actual
> > commit takes place because these things tend to have a terribly low
> > write performance.
> 
> That may explain the pauses I get from time to time. Maybe shortening the
> commit period will help.

Couple of points regarding the pauses, SSDs, schedulers and ext3/ext4:

* try ext4 with its delayed allocation. It should help with pauses
* ext3 with data=writeback should help.  Some security implications with
data=writeback tho.  So be careful if it is not a single user machine.
* Deadline scheduler has more throughput than CFQ or anticipatory but it
is totally unusable under load
* A lot of patches to ext3 and ext4 for a/m pauses and SSDs.  Some made
it to kernel 2.6.30 I believe.
* Try CFQ and NOOP as schedulers for SSDs for now.  After the above
patches, CFQ should be the better choice.

Basically, a lot of changes to ext3/ext4 and schedulers at the moment.
I would wait for at least kernel 2.6.31 before trying alternatives and
making decisions.
 
> Or I could try btrfs, which has an ssd mount option.

Ugh.  Even on-disk format is not finalized yet.

-- 
Eray



Re: [gentoo-user] 'if echo hello' in .bashrc

2009-05-08 Thread Eray Aslan
On 08.05.2009 17:10, Alan McKinnon wrote:
>>>if echo hello|grep --color=auto l >/dev/null 2>&1; then
>>>  export GREP_OPTIONS='--color=auto' GREP_COLOR='1;32'
>>>fi
>>>
>>> to ~/.bashrc
>>>
>>> Why does he echo hello, please?
>> Some greps (like BSD one) might not support '--color' option, so "echo
>> hello|grep --color=auto l" will return error code, skipping if clause,
>> and won't break grep operation by adding an unsupported option.
> 
> except that STDERR is combined with STDOUT and sent to /dev/null so the 
> script 
> will never get it, the if is always true and the entire check is redundant. 
> Better would be
> 
> if echo hello|grep --color=auto l >/dev/null ; then

No.  We do not want any output from echo|grep.  We just want the exit
code so that the following export statement gets executed iff grep
returns with no errors.

-- 
Eray




Re: [gentoo-user] autorespond

2009-04-29 Thread Eray Aslan
On 29.04.2009 14:30, Neil Bothwick wrote:
>> In fact, all that's needed is already there (just the other way round,
>> though): every list I'm subscribed to adds a "Precedence" header field
>> (with values of "bulk" or "list") to the messages. A sane auto-responder
>> will not send replies to messages containing this header field.
> 
> Good idea, I'll rewrite the procmail rules I use... not that I'm going
> on holiday for a while :(

You should check not only "Precedence: Bulk" headers but "List:"
headers, "Auto-Submitted:" headers, "owner-foo" envelopes,
"foo-request@" envelopes, "Precedence: Junk" headers ...

See RFC 3834 for recommendations:
http://www.ietf.org/rfc/rfc3834.txt

-- 
Eray
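An added example, not from the original post, of the RFC 3834 checks listed above as a filter an auto-responder can run before it replies: it reads one message on stdin and exits 0 when a reply is acceptable, 1 when the message came from a list, from another robot, or is a bounce. The header names are the standard ones the post and RFC 3834 refer to; the messages used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: decide whether an auto-responder may answer a message.
# Usage: should_autoreply < message && send_reply
should_autoreply() {
    awk '
        # Report the offending header on stderr and refuse.
        function refuse(why) { print "no auto-reply: " why " (" $0 ")" > "/dev/stderr"; exit 1 }

        /^$/ { exit 0 }                 # end of headers: nothing disqualified it

        { h = tolower($0) }

        # Precedence: bulk/list/junk marks list and mass mail.
        h ~ /^precedence:[ \t]*(bulk|list|junk)/ { refuse("Precedence header") }

        # Any List-* header means a mailing list, whether or not Precedence is set.
        h ~ /^list-(id|post|help|unsubscribe|subscribe|owner|archive):/ { refuse("List-* header") }

        # Auto-Submitted other than "no" is another robot; replying starts a loop.
        h ~ /^auto-submitted:/ && h !~ /^auto-submitted:[ \t]*no([ \t;]|$)/ { refuse("Auto-Submitted header") }

        # Null return path is a bounce; owner-*/-request@ are list robots;
        # MAILER-DAEMON is the MTA itself.
        h ~ /^return-path:[ \t]*<>/ { refuse("null return path") }
        h ~ /^(return-path|from|sender):.*(owner-|-request@|mailer-daemon)/ { refuse("list or MTA robot address") }
    '
}

# Constructed sample: a list message that must not get an auto-reply.
printf 'From: someone@example.org\nList-Id: <gentoo-user.lists.example.org>\nPrecedence: list\nSubject: hello\n\nbody\n' \
    | should_autoreply && echo "would reply" || echo "suppressed"
```

Wire it in front of whatever sends the vacation message (a procmail condition, or a guard at the top of the responder script). The reply itself should carry "Auto-Submitted: auto-replied" and "Precedence: bulk", so that a peer running the same check stays quiet.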



Re: [gentoo-user] Re: eliminating packages/ebuilds from the portage tree

2009-04-09 Thread Eray Aslan
On Thu, Apr 09, 2009 at 11:32:22AM +0200, Alan McKinnon wrote:
> > > is there a good reason to remove them, instead of masking?
> >
> > If you like spending half a day masking hundreds and hundreds of
> > packages using an inflated package.mask, then no, there's no good reason :)
> 
> The OP said "a couple of packages", so package.mask is the best bet.

Give OP the benefit of doubt that he might know what he is asking and
why.

> PORTAGE_RSYNC_EXTRA_OPTS is probably not the best way - if one of those 
> packages is in a DEPEND that is needed somewhere, portage will throw a hissy 
> fit about missing stuff. If masked, at least you get a parseable error message

# mv /usr/portage/dev-libs/apr /tmp/
# emerge -va apache

These are the packages that would be merged, in order:

Calculating dependencies... done!

emerge: there are no ebuilds to satisfy "=dev-libs/apr-1*".
(dependency required by "www-servers/apache-2.2.10" [ebuild])
(dependency required by "apache" [argument])

Does look like an informative message to me rather than a hissy fit.

-- 
Eray



Re: [gentoo-user] eliminating packages/ebuilds from the portage tree

2009-04-08 Thread Eray Aslan
On Thu, Apr 09, 2009 at 12:52:18AM -0400, Valmor de Almeida wrote:
> There are a couple of packages (ebuilds) in the portage tree that I 
> would like to eliminate completely from my system and not get them back 
> after an emerge --sync. Is this possible?

You can exclude part of the tree with PORTAGE_RSYNC_EXTRA_OPTS in
/etc/make.conf:

http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=3&chap=5

-- 
Eray



Re: [gentoo-user] eselect-news

2009-04-07 Thread Eray Aslan
On Tue, Apr 07, 2009 at 12:21:12PM -0500, Dale wrote:
> Just to make sure my light bulb is burning correctly, after I upgrade I
> can see the message or after I sync and use eselect the message will
> appear?  I'm trying to figure out if the horse is in front of the cart
> or behind it.  o_O

After sync, you will get a reminder that there is a news item.  Then you
"eselect news list" to see what it is.

Pretty neat if you ask me.

-- 
Eray



Re: [gentoo-user] Kernel update messed up console encoding

2009-02-28 Thread Eray Aslan
On 28.02.2009 12:34, Florian v. Savigny wrote:
[...]
> I'll follow your suggestion and re-post the problem on gentoo-user-de,
> although I think running into that sort of problem might happen to
> anybody who uses a European language other than English (one of those
> covered by iso-8859-1, more precisely), so comments here are still
> welcome! But who still sometimes uses the console, except me?

A lot of people use the console.  I certainly do.  But I, and I would
assume the majority of console users, switched to UTF-8 quite some time ago
as was suggested earlier in the thread.  Hence, the lack of useful advice.

Good luck.
-- 
Eray



Re: [gentoo-user] Commenting out multiple lines in vim

2009-02-12 Thread Eray Aslan
On 13.02.2009 07:48, Stroller wrote:
> On 13 Feb 2009, at 00:53, Philip Webb wrote:
>> 090212 Stroller quoted:
>>> In vim, you can just select the rectangular region with Ctrl-v,
>>> then type "I#".  This will insert # in each line at the same
>>> column.
>>
>> If you want to comment a series of lines  m-n , it's quicker to do :
>>
>>  :m,ns/^/#/
> 
> I saw similar comments in my Google searches, but I am flummoxed how one
> could find it so.
> 
> Is it only on my keyboard that forward-slash is a "lower-case" character
> that is accessed *without* the shift key deployed?
> 
> How do you know m & n?

Column and line numbers are shown on the lower right part of the screen.

> Surely it's easier just to highlight the lines?

Not when you are working with the keyboard most of the time.  Taking
your hands off the keyboard to use the mouse is time consuming and
becomes rather annoying.

-- 
Eray



Re: [gentoo-user] Postfix and Domainkeys

2009-01-14 Thread Eray Aslan
On 14.01.2009 06:24, Jason Carson wrote:
>> On 12.01.2009 00:13, Jason Carson wrote:
>>> Greetings,
>>>
>>> I am trying to setup postfix with domainkeys. I installed dk-milter and
>>> ran the following as I was told to do after emerging it ...
>> DomainKeys is deprecated and is replaced by DKIM.  You are much better
>> off using mail-filter/dkim-milter.  If you are using amavisd-new with
>> your postfix, I suggest you use amavisd-new to check and sign your mail
>> and do not use milters at all.
> 
> Can I use both dk-milter and dkim-milter simultaneously?

Yes you can use both simultaneously.  First sign with domainkeys and
then with DKIM.

-- 
Eray



Re: [gentoo-user] Postfix and Domainkeys

2009-01-12 Thread Eray Aslan
On 12.01.2009 17:33, Jason Carson wrote:
[...]
> I don't understand what this part below means...
> 
> Make sure you add these parameters to your dk-filter command line:
> -b sv -d your-domain.com -H -s /etc/mail/dk-filter/default.private
> -S default
> 
> I tried the following two commands with no luck
> 
> dk-filter -b sv -d jasoncarson.ca -H -s
> /etc/mail/dk-filter/default.private -S default
> 
> ...and...
> 
>  /etc/init.d/dk-filter -b sv -d jasoncarson.ca -H -s
> /etc/mail/dk-filter/default.private -S default
> 
> ...any other suggestions or am I doing something wrong?

It's been awhile but:

Make the necessary changes:
vi /etc/mail/dk-filter/dk-filter.conf

and start the milter:
/etc/init.d/dk-filter start

-- 
Eray



Re: [gentoo-user] Postfix and Domainkeys

2009-01-12 Thread Eray Aslan
On 12.01.2009 00:13, Jason Carson wrote:
> Greetings,
> 
> I am trying to setup postfix with domainkeys. I installed dk-milter and
> ran the following as I was told to do after emerging it ...

DomainKeys is deprecated and is replaced by DKIM.  You are much better
off using mail-filter/dkim-milter.  If you are using amavisd-new with
your postfix, I suggest you use amavisd-new to check and sign your mail
and do not use milters at all.

[...]
>  * After you configured your MTA, publish your key by adding this TXT
> record to your domain:
>  *   default._domainkey   IN   TXT  "g=; k=rsa; t=y; o=~; p=keygoeshere"
> 
>  * t=y signifies you only test the DK on your domain.
>  * See the DomainKeys specification for more info.
> 
> but I don't understand what this part mean...

You need to publish your public key in your DNS server so that others
can check your signature.

> * Make sure you add these parameters to your dk-filter command line:
>  *   -b sv -d your-domain.com -H -s /etc/mail/dk-filter/default.private -S
> default
> 
> ...Anyone know what to do?

You need to read up on DKIM (or domainkeys if you want to go that way).
 Links below should get you started:

http://www.dkim.org/
http://en.wikipedia.org/wiki/DomainKeys
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
http://www.postfix.org/MILTER_README.html

-- 
Eray
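The TXT record quoted in the ebuild message is a list of tag=value pairs, and mistakes in it (an empty p=, the placeholder left in, t=y forgotten after testing) mean nobody can verify your signatures. As an added example (my code, not from the thread or the ebuild), this parses such a record and checks it; the sample record is the placeholder from the message above, and the longer "key" in the test is a constructed base64 fragment, not a real key:

```shell
#!/bin/sh
# Added example: parse and sanity-check a DomainKeys/DKIM-style TXT record.
# Constructed input: the placeholder record from the ebuild message.
DK_RECORD='g=; k=rsa; t=y; o=~; p=keygoeshere'

# dk_tag RECORD TAG: print TAG's value, "" when absent or empty.
dk_tag() {
    printf '%s\n' "$1" | tr ';' '\n' \
        | sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | head -n 1 \
        | sed 's/[[:space:]]*$//'
}

# check_dk_record RECORD: 0 when the record carries a usable key, 1 otherwise.
# Findings are printed; ERROR lines make the check fail, NOTE lines do not.
check_dk_record() {
    rec=$1; ok=0
    p=$(dk_tag "$rec" p)
    if [ -z "$p" ]; then
        echo "ERROR: p= is empty: an empty key revokes every signature under this selector"
        ok=1
    elif [ "$p" = keygoeshere ]; then
        echo "ERROR: p= still holds the placeholder; paste the base64 public key"
        ok=1
    fi
    k=$(dk_tag "$rec" k)
    case ${k:-rsa} in
        rsa) ;;
        *) echo "ERROR: unknown key type k=$k"; ok=1 ;;
    esac
    case $(dk_tag "$rec" t) in
        *y*) echo "NOTE: t=y (testing): verifiers will not act on failures; drop it once signing works" ;;
    esac
    case $(dk_tag "$rec" o) in
        -)      ;;                                        # all mail from the domain is signed
        '~'|'') echo "NOTE: o=~ (default): only some mail is signed, unsigned mail is not suspicious" ;;
        *)      echo "ERROR: unknown outbound policy o=$(dk_tag "$rec" o)"; ok=1 ;;
    esac
    return $ok
}

# Usage: check_dk_record "$(dig +short TXT default._domainkey.example.com | tr -d '"')"
```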



Re: [gentoo-user] kernel linux-2.6.27-gentoo-r7 won't load network!

2009-01-06 Thread Eray Aslan
On 06.01.2009 12:14, Steven Susbauer wrote:
> Dirk Heinrichs wrote:
>> Am Dienstag, 6. Januar 2009 02:56:28 schrieb Denis:
>>> I have Intel network hardware that
>>> runs on the E1000 driver
>>
>> Did you try e1000e?
>>
>> Bye...
>>
>> Dirk
> 
> e1000e had been disabled in 2.6.27 versions, was it put back in by -r7?

Supposed to be back in 2.6.27-r1.  Can't check at the moment tho.

http://bugs.gentoo.org/show_bug.cgi?id=238489

-- 
Eray




Re: [gentoo-user] kerberos use flag

2008-11-08 Thread Eray Aslan
On 08.11.2008 17:27, Allan Gottlieb wrote:
> Today's emerge --ask --verbose --deep --tree --newuse --update world
> turned up a bunch of reinstalls due to -kerberos*.
> 
> I have not changed make.conf.  Did some profile change?
> Output from emerge --info is below.

Kerberos was removed from desktop profile.

It should not have been a global use flag anyway.  Good call from the
dev team.  Do we really want to turn kerberos on for all packages that
support it?

http://archives.gentoo.org/gentoo-dev/msg_dff704cd21b8b72dca61a4f16363502f.xml



Re: [gentoo-user] Circular blocks after last night's sync?

2008-10-28 Thread Eray Aslan
On Tue, Oct 28, 2008 at 03:09:00PM -0400, Allan Gottlieb wrote:
> I have unmerged all the files involved in the blockage
> 
> allan Mail # emerge --ask --unmerge e2fsprogs e2fsprogs-libs ss com_err
> 
> >>> These are the packages that would be unmerged:
> 
> --- Couldn't find 'e2fsprogs' to unmerge.
> 
> --- Couldn't find 'e2fsprogs-libs' to unmerge.
> 
> --- Couldn't find 'ss' to unmerge.
> 
> --- Couldn't find 'com_err' to unmerge.
> 
> >>> No packages selected for removal by unmerge
> 
> But when I do an emerge world I still get the blockage
> (I previously tried emerge -1 e2fsprogs, which brought in
> e2fsprogs-libs, but still gave the blockage shown below).

Careful with the unmerges.  Check the following for the gory details and
possible workarounds:

http://bugs.gentoo.org/show_bug.cgi?id=234907
http://bugs.gentoo.org/show_bug.cgi?id=244511

Such a mess.

-- 
Eray



Re: [gentoo-user] recover from disk crash lvm2 group

2008-08-02 Thread Eray Aslan
On 02.08.2008 15:02, Albert Hopkins wrote:
> On Sat, 2008-08-02 at 12:49 +0300, Eray Aslan wrote:
[...]
>> One of the disks in a 3-disk lvm2 group crashed.  I would like to
>> continue with the remaining 2 disks.  How to remove the non-functioning
>> disk from the group and re-create the volume with 2 disks?  I have backups.
[...]
> The lvm(8) man page lists the --partial flag.  A quick Google search
> reveals:
> 
> vgchange -ay --partial

Grr, it does indeed.  For the archives, also had to use vgreduce with
--removemissing flag.

Sorry and thank you for the quick response.

Eray



[gentoo-user] recover from disk crash lvm2 group

2008-08-02 Thread Eray Aslan
Hello,

One of the disks in a 3-disk lvm2 group crashed.  I would like to
continue with the remaining 2 disks.  How to remove the non-functioning
disk from the group and re-create the volume with 2 disks?  I have backups.

# vgremove home_vol
  Couldn't find device with uuid 'D0HvzD-Vw9B-40Vd-NSn1-RW0d-SlVF-pM4jOH'.
  Couldn't find all physical volumes for volume group home_vol.
  Couldn't find device with uuid 'D0HvzD-Vw9B-40Vd-NSn1-RW0d-SlVF-pM4jOH'.
  Couldn't find all physical volumes for volume group home_vol.
  Couldn't find device with uuid 'D0HvzD-Vw9B-40Vd-NSn1-RW0d-SlVF-pM4jOH'.
  Couldn't find all physical volumes for volume group home_vol.
  Couldn't find device with uuid 'D0HvzD-Vw9B-40Vd-NSn1-RW0d-SlVF-pM4jOH'.
  Couldn't find all physical volumes for volume group home_vol.
  Volume group "home_vol" not found

# vgscan
  Reading all physical volumes.  This may take a while...
  Couldn't find device with uuid 'D0HvzD-Vw9B-40Vd-NSn1-RW0d-SlVF-pM4jOH'.
  Couldn't find all physical volumes for volume group home_vol.
  Couldn't find device with uuid 'D0HvzD-Vw9B-40Vd-NSn1-RW0d-SlVF-pM4jOH'.
  Couldn't find all physical volumes for volume group home_vol.
  Couldn't find device with uuid 'D0HvzD-Vw9B-40Vd-NSn1-RW0d-SlVF-pM4jOH'.
  Couldn't find all physical volumes for volume group home_vol.
  Couldn't find device with uuid 'D0HvzD-Vw9B-40Vd-NSn1-RW0d-SlVF-pM4jOH'.
  Couldn't find all physical volumes for volume group home_vol.
  Volume group "home_vol" not found

Thank you
Eray



Re: [gentoo-user] Gentoo router for multiple ISPs?

2008-04-12 Thread Eray Aslan

On 12.04.2008 21:11, Mark Knecht wrote:

> Hi all,
>    I need to get a second ISP line into the house. I currently have a
> cable modem but it goes down once in a while and my work requires
> higher reliability so I was thinking of getting a DSL line to
> supplement it. I'd like to investigate creating some sort of
> firewall/router that could do the following:


1. Load balancing is easy.  Just read up on it.  http://lartc.org/ is a 
good start.  Basically, you will have to modify your iptables and 
routing table rules.


2. Check the time extension of iptables.  Also many services and daemons 
have a built-in facility for day and time based access control. For 
example xinetd offers date and time based access control.  You might 
want to go that route depending on what service you want to control.


3. Automatic failover is the hard part.  AFAIK, Linux can determine if 
the next hop is down and do automatic switch over.  But if you have a 
problem further down the line, the kernel won't detect it.  For DSL, you 
might want to use your modem as a bridge and connect directly with PPP 
to your ISP so that you can detect if the link goes down (that seems to 
be the most common case).  I do not know if the same is possible with cable 
modems as I have not used one in a long time.  Another alternative is to 
run a cron job that pings a certain host(s) on the internet and 
depending on the result adjusts the routing table accordingly.


HTH
--
Eray


> 1) Load balance between the two lines during the day. I get download
> speeds of about 6Mb/S from my current Cable Modem and supposedly about
> 3Mb/S from the DSL. I'd like to get something like 8-9Mb/S aggregate
> from the two together if possible.
> 
> 2) I need rules that keep certain machines off of the cable modem
> during specific hours.
> 
> 3) I MUST have some sort of AUTOMATIC switch over such that if one
> line goes down the second line takes over and runs everything while at
> the same time informing me that a line is down. This machine must be
> able to test, once a minute or faster, that both lines are up and take
> action immediately if something is wrong. It must then correct if the
> down line comes back up.
> 
> 4) I can either use this same machine as a firewall or I can simply
> hook it to my existing LinkSys since I'll still need wireless to get
> around the house. I figure I'll run the LinkSys inside this Gentoo
> machine anyway. I figure I'll want a firewall on this machine since it
> will be directly on the net anyway.
> 
>    Are features like this available in some sort of package from portage?
> 
>    Note that I'd be perfectly happy buying some box for less than
> $100-$200 that could do all of this automatically but I haven't found
> one yet.
> 
> Thanks,
> Mark

--
gentoo-user@lists.gentoo.org mailing list
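The cron-driven alternative mentioned in point 3 above, as an added example (my code, not from the thread): each run probes both uplinks past the first hop, keeps a small failure counter so one lost ping does not flip the default route, switches the route only when the decision changes, and logs the switch so you get told. Interface names, gateways, the probe address and the state file path are assumptions using documentation addresses; the decision logic is kept in a pure function so it can be exercised without a network:

```shell
#!/bin/sh
# Added example: uplink failover check meant to run from cron once a minute.
# All addresses and interface names below are constructed assumptions.
PRIMARY_IF=${PRIMARY_IF:-eth0};   PRIMARY_GW=${PRIMARY_GW:-192.0.2.1}      # cable
BACKUP_IF=${BACKUP_IF:-ppp0};     BACKUP_GW=${BACKUP_GW:-198.51.100.1}     # DSL
PROBE_HOST=${PROBE_HOST:-203.0.113.1}    # a host beyond the ISP's first hop
FAIL_THRESHOLD=${FAIL_THRESHOLD:-3}      # consecutive failed probes before failover
STATE_FILE=${STATE_FILE:-/var/run/uplink-failover.state}

# probe IFACE: 0 if a reply comes back through that interface, non-zero otherwise.
# Sending via -I sidesteps the default route, so the link that is not currently
# carrying traffic is still measured.
probe() {
    ping -c 2 -W 2 -I "$1" "$PROBE_HOST" >/dev/null 2>&1
}

# next_state ACTIVE FAILS PRIMARY_OK BACKUP_OK -> prints "NEW_ACTIVE NEW_FAILS"
#   ACTIVE: "primary" or "backup"; FAILS: consecutive failed primary probes;
#   PRIMARY_OK/BACKUP_OK: 1 if the latest probe succeeded, else 0.
# Never fails over to a backup that is also down; fails back as soon as the
# primary answers again.
next_state() {
    active=$1; fails=$2; p_ok=$3; b_ok=$4
    if [ "$p_ok" -eq 1 ]; then
        fails=0; active=primary
    else
        fails=$((fails + 1))
        if [ "$fails" -ge "$FAIL_THRESHOLD" ] && [ "$b_ok" -eq 1 ]; then
            active=backup
        fi
    fi
    echo "$active $fails"
}

# apply_route ACTIVE: replace the default route and record it in syslog.
apply_route() {
    case $1 in
        primary) gw=$PRIMARY_GW; dev=$PRIMARY_IF ;;
        backup)  gw=$BACKUP_GW;  dev=$BACKUP_IF ;;
        *)       return 1 ;;
    esac
    ip route replace default via "$gw" dev "$dev" \
        && logger -t uplink-failover "default route now via $dev ($gw)"
}

# check_once: one cron invocation. State persists in STATE_FILE as "ACTIVE FAILS".
check_once() {
    if [ -r "$STATE_FILE" ]; then read -r active fails < "$STATE_FILE"; else active=primary; fails=0; fi
    if probe "$PRIMARY_IF"; then p_ok=1; else p_ok=0; fi
    if probe "$BACKUP_IF";  then b_ok=1; else b_ok=0; fi
    set -- $(next_state "$active" "$fails" "$p_ok" "$b_ok")
    if [ "$1" != "$active" ]; then
        apply_route "$1"
        logger -t uplink-failover "switched from $active to $1"   # add mail/SMS notification here
    fi
    echo "$1 $2" > "$STATE_FILE"
}

if [ "${1:-}" = run ]; then check_once; fi   # crontab: * * * * * /usr/local/sbin/uplink-failover.sh run
```

The threshold trades detection time for stability: with one-minute cron runs and `FAIL_THRESHOLD=3` a dead cable line is abandoned after about three minutes, while a single dropped probe changes nothing. Fail-back is immediate here; if the primary flaps, give it the same counter treatment.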



Re: [gentoo-user] Gentoo on the server side

2007-12-01 Thread Eray Aslan
On 01.12.2007 09:03, Alan wrote:
> This used to be a debian system and was moved over to gentoo about 4
> years ago when I had been spending lots of time with gentoo on my
> desktop at home.  I like gentoo, however I would exercise caution if
> you're deploying on "real" systems.  

We have also moved from binary distros to Gentoo a few years ago.
Basically it was a choice between linux (gentoo) and *BSD.

[...]
> The less updates, the
> less surprises and the less chance you'll somehow accidently break
> someone's site doing a simple update late some night.  Gentoo is still a
> fairly moving target in this respect.

Agree with the moving target bit.

> I think the secret is that if you run with gentoo you have to be
> prepared to upgrade EVERYTHING fairly often, and not bit by bit if
> you're uncomfortable with something it might be upgrading. 

I find that there are really two relatively pain-free upgrade policies
for a production system.  Either upgrade fairly often or "forklift
upgrade" i.e. remove the old server and install the new one.

> And yes, I do plan to just bit the bullet and backup, upgrade everything 
> and then deal with any upgrade "pains" as they come.  Just not sure
> quite when :)

Good luck :)

-- 
Eray



[gentoo-user] Netfilter TRACE target?

2007-11-18 Thread Eray Aslan
How do you get the TRACE target to work in iptables?

north ~ # /sbin/iptables -t raw -A PREROUTING -j TRACE
iptables v1.3.8: Couldn't load target
`TRACE':/lib/iptables/libipt_TRACE.so: cannot open shared object file:
No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

Sure enough, libipt_TRACE.so is not there:

north ~ # ls -la /lib/iptables/*TRACE*
ls: cannot access /lib/iptables/*TRACE*: No such file or directory

TRACE is enabled in the kernel config and extensions use flag is enabled
for iptables:
north ~ # uname -r
2.6.23-gentoo-r1
north ~ # zgrep NETFILTER /proc/config.gz
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_TRACE=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
north ~ # emerge -vp iptables
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-firewall/iptables-1.3.8-r2  USE="extensions -imq
-ipv6 -l7filter -static" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB

Any ideas? Thank you
-- 
Eray



Re: [gentoo-user] how do you keep up with system administration?

2007-05-30 Thread Eray Aslan
On 30.05.2007 10:21, Neil Bothwick wrote:
> This runs in the early hours, so I can read it whenever it suits me during
> the day and apply the changes as I want. I run testing, so frequent
> updating is a good thing; with a stable system, weekly would be fine, but
> the longer you leave it the more work is involved.

I find that there are 2 problem-free approaches to updating.  Either you
update frequently or you "forklift" update the server, i.e. get the
server out of the server room and install a new machine.

-- 
Eray



Re: [gentoo-user] IMAP server recommendations.

2007-05-16 Thread Eray Aslan
On 17.05.2007 06:52, Josh Helmer wrote:
> I was just looking for some opinions.  I am replacing my current mail server. 
>  
> Right now I am using courier-imap and I am happy with it.   The only thing 
> that concerns me is that I have heard grumblings that courier has some 
> security issues.   I was just curious which IMAP server other people would 
> recommend or perhaps if I am best off just sticking with what I know.  My 
> current setup is very simple.  My only real requirements are SSL and maildir 
> support.   I connect using either Kmail or Thunderbird.

We recently switched from courier-imap to dovecot (imaps only maildir
support with Thunderbird and squirrelmail as mail clients).  Peak load
went from 10-12 to about 1 and response is much better especially on big
folders.  If your server is not heavily used, I suggest that you stick
with what you know.  Otherwise, you can give dovecot a try.

-- 
Eray





Re: [gentoo-user] mysql emerge error

2007-04-20 Thread Eray Aslan
On 20.04.2007 11:06, Eray Aslan wrote:
>> [...]
>> make[4]: Entering directory 
>> `/var/tmp/portage/dev-db/mysql-5.0.38/work/mysql/innobase/trx'
>> Makefile:251: .deps/trx0purge.Po: No such file or directory
>> make[4]: *** No rule to make target `.deps/trx0purge.Po'.  Stop.
>> make[4]: Leaving directory 
>> `/var/tmp/portage/dev-db/mysql-5.0.38/work/mysql/innobase/trx'
>> make[3]: *** [all-recursive] Error 1
>> make[3]: Leaving directory 
>> `/var/tmp/portage/dev-db/mysql-5.0.38/work/mysql/innobase'
>> make[2]: *** [all] Error 2
>> make[2]: Leaving directory 
>> `/var/tmp/portage/dev-db/mysql-5.0.38/work/mysql/innobase'
>> make[1]: *** [all-recursive] Error 1
>> make[1]: Leaving directory `/var/tmp/portage/dev-db/mysql-5.0.38/work/mysql'
>> make: *** [all] Error 2

Sorry for replying to my own email.  mysql-5.0.34 builds fine.  Bugged
5.0.38: http://bugs.gentoo.org/show_bug.cgi?id=175331

-- 
Eray



[gentoo-user] mysql emerge error

2007-04-20 Thread Eray Aslan
Hello,

New server.  While emerging mysql, I got the following:

> [...]
> make[4]: Entering directory 
> `/var/tmp/portage/dev-db/mysql-5.0.38/work/mysql/innobase/trx'
> Makefile:251: .deps/trx0purge.Po: No such file or directory
> make[4]: *** No rule to make target `.deps/trx0purge.Po'.  Stop.
> make[4]: Leaving directory 
> `/var/tmp/portage/dev-db/mysql-5.0.38/work/mysql/innobase/trx'
> make[3]: *** [all-recursive] Error 1
> make[3]: Leaving directory 
> `/var/tmp/portage/dev-db/mysql-5.0.38/work/mysql/innobase'
> make[2]: *** [all] Error 2
> make[2]: Leaving directory 
> `/var/tmp/portage/dev-db/mysql-5.0.38/work/mysql/innobase'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/var/tmp/portage/dev-db/mysql-5.0.38/work/mysql'
> make: *** [all] Error 2
> 
> !!! ERROR: dev-db/mysql-5.0.38 failed.
> Call stack:
>   ebuild.sh, line 1614:   Called dyn_compile
>   ebuild.sh, line 971:   Called qa_call 'src_compile'
>   environment, line 4489:   Called src_compile
>   ebuild.sh, line 1304:   Called mysql_src_compile
>   mysql.eclass, line 605:   Called die
> 
> !!! emake failed
> !!! If you need support, post the topmost build error, and the call stack if 
> relevant.
> !!! A complete build log is located at 
> '/var/log/portage/dev-db:mysql-5.0.38:20070420-074312.log'.

Couldn't find a related bug.  Any ideas what might be causing this?
emerge --info below.

Thanks.

> sunny ~ # emerge --info
> Portage 2.1.2.2 (default-linux/amd64/2006.1/no-multilib, gcc-4.1.1, 
> glibc-2.5-r0, 2.6.18-hardened-r6 x86_64)
> =
> System uname: 2.6.18-hardened-r6 x86_64 AMD Athlon(tm) 64 X2 Dual Core 
> Processor 4000+
> Gentoo Base System release 1.12.9
> Timestamp of tree: Thu, 19 Apr 2007 15:50:01 +
> dev-lang/python: 2.4.3-r4
> dev-python/pycrypto: 2.0.1-r5
> sys-apps/sandbox:1.2.17
> sys-devel/autoconf:  2.13, 2.61
> sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
> sys-devel/binutils:  2.16.1-r3
> sys-devel/gcc-config: 1.3.15-r1
> sys-devel/libtool:   1.5.22
> virtual/os-headers:  2.6.17-r2
> ACCEPT_KEYWORDS="amd64"
> AUTOCLEAN="yes"
> CBUILD="x86_64-pc-linux-gnu"
> CFLAGS="-march=k8 -O2 -pipe"
> CHOST="x86_64-pc-linux-gnu"
> CONFIG_PROTECT="/etc"
> CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
> CXXFLAGS="-march=k8 -O2 -pipe"
> DISTDIR="/usr/portage/distfiles"
> FEATURES="buildpkg distlocks metadata-transfer sandbox sfperms strict"
> GENTOO_MIRRORS="ftp://ftp.ankara.edu.tr/gentoo/  http://gentoo.osuosl.org/ 
> ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/ 
> ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ 
> ftp://ftp.ntua.gr/pub/linux/gentoo/ 
> ftp://ftp.linux.org.tr/pub/mirrors/gentoo/";
> MAKEOPTS="-j2"
> PKGDIR="/usr/portage/packages"
> PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times 
> --compress --force --whole-file --delete --delete-after --stats --timeout=180 
> --exclude=/distfiles --exclude=/local --exclude=/packages 
> --filter=H_**/files/digest-*"
> PORTAGE_TMPDIR="/var/tmp"
> PORTDIR="/usr/portage"
> SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
> USE="amd64 berkdb cjk crypt hardened mysql ncurses nls nptl pam perl pic 
> python readline snmp ssl tcpd unicode xml" ALSA_CARDS="ali5451 als4000 atiixp 
> atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 
> hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem 
> ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty 
> extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null 
> plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard 
> mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 
> lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark ati 
> chips cirrus cyrix dummy fbdev glint i128 i810 mga neomagic nv rendition s3 
> s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga 
> via vmware voodoo"
> Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, 
> LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, 
> PORTDIR_OVERLAY

-- 
Eray



Re: [gentoo-user] Squirrelmail plugins the Gentoo way?

2007-03-08 Thread Eray Aslan
On 09.03.2007 02:22, Grant wrote:
[...]
> It appears squirrelmail is installed with the crypt USE flag.  'equery
> uses squirrelmail' says this about crypt:
> 
> Add support for encryption -- using mcrypt or gpg where applicable
> 
> Does anyone know if that is the gpg plug-in or not?  If so, does
> anyone know how to enable it for use in squirrelmail?

From squirrelmail-1.4.9a.ebuild:

RDEPEND="virtual/php
[...]
crypt? ( app-crypt/gnupg )
[...]
if use crypt; then
docinto gpg
for doc in plugins/gpg/README plugins/gpg/README.txt plugins/gpg/INSTALL plugins/gpg/INSTALL.txt plugins/gpg/TODO; do
dodoc ${doc}
rm -f ${doc}
done
fi

So yes.  It installs the g/pgp plugin for you.  I prefer to install the
plugins by hand.  There are just too many plugins and not enough USE
flags.  No problems so far.

Enabling g/pgp plugin is like enabling any other plugin.  Untar into
plugins directory, read the documentation, adjust as needed and run
conf.pl to enable the plugin.

-- 
Eray





Re: [gentoo-user] I think my machine is being used for spam

2006-09-14 Thread Eray Aslan
On Fri, September 15, 2006 8:48 am, Kevin O'Gorman wrote:
> My mail queue is chock full of messages that appear to be
> error-reports from MAILER_DAEMON to the effect that some piece of mail
> is undeliverable.  The form of the messages is baffling to me, and I
> cannot figure out what the original message was or where it came from.
>  All of the addresses seem bogus.
[snip]

Most probably you did not configure Postfix to reject all mail for
non-existent recipients.  We cannot tell if this is really the case
without further information.

If you did not, read and implement:
http://www.postfix.org/BACKSCATTER_README.html

This is really a question for postfix-users list.

-- 
Eray


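The setting the reply above points at is whether Postfix knows its valid recipients before it accepts a message; if it does not, it accepts everything, fails delivery later and bounces to whatever sender the spammer forged, which is the backscatter in the queue. As an added example (my code, not from the thread or BACKSCATTER_README), this is a read-only audit of the relevant parameters, fed with `postconf -n` output on stdin; the parameter names are Postfix's own, the sample configurations are constructed for the test:

```shell
#!/bin/sh
# Added example: audit a Postfix configuration for the recipient-validation
# gaps that produce backscatter. Input: "key = value" lines (postconf -n or
# main.cf) on stdin. Output: one line per finding; exit 1 if any was found.

conf_get() {   # conf_get KEY: last value assigned to KEY in $CONF, "" if unset
    printf '%s\n' "$CONF" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}
conf_has() {   # conf_has KEY: true if KEY is assigned at all, even to ""
    printf '%s\n' "$CONF" | grep -q "^$1[[:space:]]*="
}

audit_backscatter() {
    CONF=$(cat); bad=0
    # Relay domains without a recipient list: every address in those domains
    # is accepted, delivery fails at the next hop, and a bounce goes to the
    # (usually forged) sender.
    if [ -n "$(conf_get relay_domains)" ] && [ -z "$(conf_get relay_recipient_maps)" ]; then
        echo "relay_recipient_maps is empty while relay_domains is set: unknown relay recipients are accepted, then bounced"
        bad=1
    fi
    # local_recipient_maps explicitly emptied switches off local recipient
    # validation for $mydestination domains.
    if conf_has local_recipient_maps && [ -z "$(conf_get local_recipient_maps)" ]; then
        echo "local_recipient_maps is set to an empty value: unknown local recipients are accepted, then bounced"
        bad=1
    fi
    # With this off, unknown recipients are rejected only where
    # reject_unlisted_recipient appears explicitly in a restriction list.
    if [ "$(conf_get smtpd_reject_unlisted_recipient)" = no ]; then
        echo "smtpd_reject_unlisted_recipient is disabled"
        bad=1
    fi
    return $bad
}

# Usage on a live host: postconf -n | audit_backscatter
```

The check is deliberately conservative: it flags only values that are visibly wrong, and says nothing about maps that exist but are stale, which is the other common cause and needs comparing the map contents against the real user list.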


Re: [gentoo-user] Guidance on encrypting my /home

2006-08-13 Thread Eray Aslan
On Sun, August 13, 2006 3:22 am, John J. Foster wrote:
[snip]
> So, before I get to settled on using this, a few questions.
>
> Do you encrypt your home directory?

/home and swap

> What apps and/or combination of apps do you use, and why?

cryptsetup LUKS

> Which ciphers do you prefer? Why?

AES and Serpent are popular choices AFAIK.

> Is it well supported?
>
> What apps and/or files don't play well with encrytion?

DRBD.  But then again it might work.  I did not spend too much time trying
to make them play nice together.
-- 
Eray




[gentoo-user] high packet loss

2006-07-27 Thread Eray Aslan
Hello,

I wanted to change the router/firewall at a small office lan to hardened
gentoo.  The machine in question sits between a consumer grade adsl modem
and 3 different networks (so a total of 4 eth cards on the server).

However, there is a high packet loss (25-50%) between server and adsl
modem.  cat /proc/net/dev reveals high error count on the receive side of
the eth card connected to modem (transmit side has no errors).  I changed
the eth card and the network cable but the problem stays the same.

The same eth card and cable works without any errors with a FC3 server.  I
am beginning to think that the errors are because of a faulty (on my part)
software config.

I am out of ideas to try.  Any pointers to possible causes of high packet
loss are highly appreciated.

Thank you
-- 
Eray




RE: [gentoo-user] recommendatoin for a new server

2005-11-13 Thread Eray Aslan
El Nino  wrote:
> Dear friends, i'm planning on buying a server for running gentoo (will
> b our 1st gentoo server) with a mail+dns server (<1000 mails per
> day). i'm looking for sata raid, amd opteron & around 1GB ram. has
> anyone built a server recently that worked? 1) can anyone give me a
> suggestions for a good (cost-effective) server (good with gentoo).

Mailservers are generally I/O bound.  So getting fast disks will help.

Spam checking is generally CPU bound.  So getting fast CPUs will help.

You should design your mail server around peak usage rate, say max number of 
emails per hour, instead of per day.

That being said, <1000 mails/day is really low volume and any modern and 
not-so-modern (meaning PIII) server can do the job without breaking a sweat.  
No need to spend big $$$ for such a volume.

HTH
Eray




RE: [gentoo-user] Out of portage

2005-11-09 Thread Eray Aslan
Renat Golubchyk  wrote:
>
> You can copy the ebuild to your overlay and patch postfix from there.
> If you don't have to do anything else before compiling it then it's as
> trivial as "epatch /path/to/postfix.patch" somewhere in src_unpack().
> Doing it this way has the benefit of letting portage manage your
> packages. 

This seems to be the best way.  And indeed it is trivial.

> You'll just have to keep an eye for upgrades, because they
> will probably come without this patch. If you want this patch to be
> included in postfix create a bug in bugzilla with the request.

I don't think it is a good idea.  I would not second guess Wietse (author of 
postfix) for the suitability of the patch for general consumption.

Thank you for your help.

Eray




RE: [gentoo-user] Out of portage

2005-11-08 Thread Eray Aslan
Renat Golubchyk  wrote:
> 
> If postfix becomes a dependency of another package in the
> future it will
> get updated by portage regardless of it being in the world-file. 

Possible but unlikely.  It is a stable mail server.  I doubt we will add or 
remove any software in the near future.

> Abetter way would be to install it by hand in /usr/local which is
> reserved for user-managed programs. But you _will_ have to keep an eye
> on all the required libraries. If they get updated by portage it could
> break your local install of postfix unless you compile it statically.

Thank you for the info.
 
> Another option would be to mask every version of postfix except of
> yours in package.mask. If you have to modify the ebuild copy
> it to your
> portage overlay and install it from there.
> 
> Anyway, why do you want to manage those programs yourself?
> 

Because of this patch for postfix: 
http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/duchovni/multi_instance.gz

It makes managing / upgrading postfix with multi instances easier.  But it 
seems sticking with portage and managing the (infrequent) upgrades by hand for 
the second instance of postfix is less work than messing with ebuilds.

Thanks again.
Eray




[gentoo-user] Out of portage

2005-11-08 Thread Eray Aslan
Hello,

I am using portage for package management.  But there are a few programs 
(postfix for example) that I have emerged and now would like to manage myself.  
What is the best way to take a program out of portage without unmerging the 
program?  Deleting the appropriate line from /var/lib/portage/world perhaps?  
Any side effects if I do that? Thank you.

Eray




RE: [gentoo-user] daemon monitoring programs

2005-09-29 Thread Eray Aslan
> 
> for some reason I've got a couple of daemons that keep going out to 
> lunch on me.  Are there any good tools  for monitoring daemons and 
> possibly restarting them when they go away?
> 

Write a small script running out of cron every x minutes
or
inittab (man 5 inittab)

Do not forget to check the reason daemons quit on you.

Eray


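The "small script running out of cron" the reply above suggests, as an added example (my code, not from the thread). It checks a daemon by its pidfile, records what it found before restarting so the reason the daemon died is not lost, and restarts through the init script. The service name, pidfile paths, init script location and log paths are assumptions:

```shell
#!/bin/sh
# Added example: cron-driven daemon watchdog. Paths below are assumptions.
WATCHDOG_LOG=${WATCHDOG_LOG:-/var/log/watchdog.log}

# daemon_alive PIDFILE: 0 if PIDFILE names a running process, 1 otherwise
# (missing or unreadable file, non-numeric pid, or no such process).
daemon_alive() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d '[:space:]')
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

# watch_daemon NAME PIDFILE [INITSCRIPT]: restart NAME if it is not running.
# Returns 0 when it was alive, 2 when a restart was attempted and succeeded,
# 3 when the restart itself failed.
watch_daemon() {
    name=$1; pidfile=$2; init=${3:-/etc/init.d/$name}
    if daemon_alive "$pidfile"; then return 0; fi
    # Collect evidence before touching anything: a daemon that keeps going
    # away has a reason, and a silent restart hides it.
    {
        echo "$(date '+%F %T') $name not running (pidfile: $pidfile)"
        [ -r "$pidfile" ] && echo "  stale pid: $(head -n 1 "$pidfile")"
        echo "  last lines of /var/log/$name.log (if any):"
        tail -n 5 "/var/log/$name.log" 2>/dev/null | sed 's/^/    /'
    } >>"$WATCHDOG_LOG"
    if "$init" restart >>"$WATCHDOG_LOG" 2>&1; then return 2; fi
    return 3
}

# crontab entry, every 5 minutes:
#   */5 * * * * /usr/local/sbin/watchdog.sh
# with this script's body ending in, for example:
#   watch_daemon sshd /var/run/sshd.pid
```

A restart loop that fires every few minutes is itself worth alerting on; counting return codes of 2 and 3 in the watchdog log over a day is the simplest way to see it.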


RE: [gentoo-user] OT: Web mail suggestions...

2005-09-26 Thread Eray Aslan
> Anybody out there able to point me to an existing open-source, solid 
> package?
> 
> Thanks!
> 
> Dave
> 

I've had no problems with squirrelmail so far: www.squirrelmail.com

Eray
