Re: Debian Stretch SELinux enforcing causes systemd --user unit to fail

2018-01-31 Thread C J du Preez
>C J du Preez wrote:
>
>>Good day,
>>
> Hi,
>
>>I would like to report a bug, but I am not sure which package to report it 
>>against.
>>I have SELinux enabled and enforcing on Debian Stretch (commandline via SSH 
>>only, no GUI is installed at all). I am trying to start a systemd --user unit 
>>(which I know is correct, because it works without SELinux enabled). When I 
>>try to start the service (using systemctl --user start ssh-agent) I get:
>>Failed to connect to bus: No such file or directory.
>>With SELinux enabled, DBUS_SESSION_BUS_ADDRESS is undefined (with SELinux 
>>disabled it is defined as unix:path=/run/user/1000/bus). With SELinux 
>>disabled that path exists, with SELinux enabled, it does not.
>
> Could you also please try in permissive mode as well? That should fix
> the creation of the file on disk, if that problem is fixed I think you
> could open a bug against the selinux-policy-default package.
>
> Regarding the environment variable not being set, I think it's this
> bug[0]. Would you be able to rebuild systemd with this patch[1] applied?
> If that patch fixes the problem, we could maybe try to include that in a
> stable point release.
>
> Otherwise, you should try to upgrade systemd to an higher version using
> the backports.
>
> Kind regards,
>
> Laurent Bigonville
>
>
> [0] https://github.com/systemd/systemd/issues/6120
> [1] https://github.com/systemd/systemd/pull/6201/commits/51c7d5aa36e9ac0ec8ca6fef811a5f9deb7e4fd2
>

Hi there,

Please note that I have installed a clean Xen domU VM to better test this issue 
and potentially report a bug. One difference I noticed is that 
DBUS_SESSION_BUS_ADDRESS is not defined in permissive or enforcing modes in 
this clean install. However the systemd --user unit works in permissive mode. 
Here are my findings:

SELinux permissive
==================

$ sudo sestatus
[sudo] password for testuser:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30



$ cat .config/systemd/user/ssh-agent.service
[Unit]
Description=SSH key agent

[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target



$ cat .profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"



$ env
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SSH_CONNECTION=x.x.x.x 53964 x.x.x.x 22
LANG=en_US.UTF-8
SSH_AUTH_SOCK=/run/user/1000/ssh-agent.socket
XDG_SESSION_ID=1
USER=testuser
PWD=/home/testuser
HOME=/home/testuser
SSH_CLIENT=x.x.x.x 53964 22
SS

Re: Unidentified issue with primus or bumblebee.

2018-01-31 Thread tv.deb...@googlemail.com

On 01/02/2018 01:38, Attilio Giuseppe Carolillo wrote:

> I use Debian "Buster" on a laptop Lenovo G580 (Geforce 635M).
> I updated the primus package 2015XXYY-6 but I didn't solve anything:
>
> When I launch flightgear with (antialiasing 2x, nothing else):
> optirun -b primus fgfs --prop:/sim/rendering/multi-sample-buffers=true
> --prop:/sim/rendering/multi-samples=2 --log-level=debug

[...]

> Last test with vlc, "primusrun vlc" gets:
>
> /usr/bin/primusrun: riga 41: attenzione: command substitution: ignored null
> byte in input
> VLC media player 3.0.0-rc6 Vetinari (revision 3.0.0-rc6-0-g1d05ae3858)
> [560f57e65a30] main libvlc: Esecuzione di vlc con l'interfaccia
> predefinita. Usa 'cvlc' per utilizzare vlc senza interfaccia.
> ../include/vlc_xlib.h:46:vlc_xlib_init: Xlib not initialized for threads.
> This process is probably using LibVLC incorrectly.
> Pass "--no-xlib" to libvlc_new() to fix this.
> [560f57f4e240] qt interface error: Xlib not initialized for threads
>
> ../include/vlc_xlib.h:46:vlc_xlib_init: Xlib not initialized for threads.
> This process is probably using LibVLC incorrectly.
> Pass "--no-xlib" to libvlc_new() to fix this.
> [560f57f4e240] skins2 interface error: Xlib not initialized for
> threads
> [560f57f4e240] skins2 interface error: initializing xlib for
> multi-threading failed
> [560f57f4e240] skins2 interface error: cannot initialize OSFactory
>
> [560f57e64350] main playlist: playlist is empty
> [560f57f4e240] [cli] lua interface: Listening on host "*console".
> VLC media player 3.0.0-rc6 Vetinari
> Command Line Interface initialized.
>
>
> Any suggestions? thanks
>
> Regards
> Attilio



Hi, answering to the list and to you directly since we don't know if you are 
subscribed.


What happens if you install the "mesa-utils" package and run:

optirun glxinfo | grep OpenGL

does it say Nvidia as the vendor?

Primus is in a broken state in Sid, has been for a while, so it is 
probably the same in Testing now. If you can't get it to work (I gave 
up) because the "non-glvnd" and "glvnd" Nvidia variants conflict, you can 
use virtualGL as a workaround.


If you need to go that way just uninstall primus (but keep bumblebee), 
make sure the "glvnd" (not "non-glvnd") variant of the Nvidia packages 
are installed, and download the .deb packages for virtualGL here:


https://sourceforge.net/projects/virtualgl/files/

Presuming you are on a 64-bit (amd64) system, you need both 
"virtualgl-[version]-amd64.deb" and "virtualgl32-[version]-amd64.deb" if 
you are running 32-bit programs and have the Nvidia 32-bit compatibility 
packages installed.
After installing the virtualgl packages, and maybe a reboot, the 
"optirun glxinfo" command above should report Nvidia as OpenGL vendor, 
and your programs should work properly.


Hope it helps.



Re: Network setup by installer

2018-01-31 Thread David Wright
On Wed 31 Jan 2018 at 23:13:52 (+), Brian wrote:
> On Wed 31 Jan 2018 at 12:29:38 -0600, David Wright wrote:
> 
> > On Fri 19 Jan 2018 at 19:09:27 (+), Brian wrote:
> > > On Sat 20 Jan 2018 at 03:25:00 +0900, Mark Fletcher wrote:
> > > > On Fri, Jan 19, 2018 at 02:33:23PM +, Brian wrote:
> > > > > On Fri 19 Jan 2018 at 22:10:39 +0900, Mark Fletcher wrote:
> > > > > > So, I return to the essential question, which I led with in my
> > > > > > original post, which is which method does the installer use to
> > > > > > set up networking, and where can I find documentation on that so
> > > > > > I can replicate it for my wireless connection?
> > > > > 
> > > > > The installer uses the netcfg udeb to configure networking; the files in
> > > > > the package are the documentation (AFAIK). For a wired connection netcfg
> > > > > produces a file /etc/network/interfaces for use with the installer which
> > > > > is something like
> > > > > 
> > > > >  allow-hotplug enp0s25
> > > > >  iface enp0s25 inet dhcp
> > > > > 
> > > > > This file is transferred to the new system (mounted on /target) just
> > > > > before d-i finishes and booting into the new system takes place.
> > > > > 
> > > > > If you had chosen to install over a wifi connection, interfaces would
> > > > > have looked like this:
> > > > > 
> > > > >  allow-hotplug wlx0060b3f580c4
> > > > >  iface wlx0060b3f580c4 inet dhcp
> > > > >    wpa-ssid 
> > > > >    wpa-psk  
> > > > > 
> > > > > I would preseed the installer to replace the interfaces file it puts on
> > > > > /target with this file. Any firmware for the wireless adaptor would also
> > > > > have to be transferred to /target/lib/firmware too.
> > > > > 
> > > > > A fly in the ointment is the desktop you install (if any). If it brings
> > > > > in network-manager (MATE does) there is a possibility that there is no
> > > > > network at first boot.
> > > > > 
> > > > 
> > > > Thank you Brian -- this is exactly the information I was after. Much 
> > > > appreciated, once again!
> > > > 
> > > > To get out of the situation I'm in on those two machines, I just need to 
> > > > hand-craft the interfaces file to something like what you have above, 
> > > > with appropriate device, ssid and WPA password values substituted. For 
> > > > these PARTICULAR systems, firmware doesn't seem to be a problem.
> > > 
> > > That's about it. The transferring of the interfaces file takes place in
> > > a late_command. I've not tried it myself but it should work and I intend
> > > to have a go tomorrow.
> 
> Mark Fletcher's problem was one of his own making. He chose (as he has
> very reasonably given reasons for) to install over an ethernet link and
> then met a problem *afterwards*. The solution given was how to avoid or
> mitigate the problem.

Yes, I recall making some suggestions. I don't know if they helped the OP.

> You are describing something completely different - an installation over
> a wireless link.

Yes, that's why I replied on *this* subthread. I was doing what the OP
might have been expected to do if they wanted to run their machine
with the wireless interface, ie install with the wireless interface.
One might expect the debian-installer to handle that case. But:

install on wired i/f → reboot and install more software on wired i/f.
install on wireless i/f → reboot and soliloquize with the loopback i/f.

Why the difference, and where is it documented?

> > OK, I've revisited this problem because what I read here runs counter
> > to my observations, so I've double checked.
> > 
> > I installed netinst 9.3 amd64 through the wireless interface. I ran
> > the installer through the ssh interface, and in parallel I ran shells
> > on both the installee (wren) and installer (west).
> > (Yes, I have all the best words.)
> > 
> > The installee has /etc/network/interfaces set up by the time you ask
> > to install remotely (obviously, or you couldn't do it). Nothing else
> > interesting there until the installation is complete. From the
> > installer, you can observe:
> > 
> > /target appears after the partitioning step. Its interfaces file
> > appears after the base system is installed:
> > 
> > --✄
> > 
> > ~ # ls -l /target/etc/network/
> > drwxr-xr-x 2 root root  4096 Jan 31 15:10 if-down.d
> > drwxr-xr-x 2 root root  4096 Jan 31 15:10 if-post-down.d
> > drwxr-xr-x 2 root root  4096 Jan 31 15:10 if-pre-up.d
> > drwxr-xr-x 2 root root  4096 Jan 31 15:10 if-up.d
> > -rw-r--r-- 1 root root   361 Jan 31 15:10 interfaces
> > drwxr-xr-x 2 root root  4096 Jan 30  2017 interfaces.d
> > ~ # cat /target/etc/network/interfaces
> > # This file describes the network interfaces available on your system
> > # and how to activate them. For more information, see interfaces(5).
> > 
> > source /et

Re: Kernel for Spectre and Meltdown

2018-01-31 Thread Michael Fothergill
On 31 January 2018 at 23:13, Richard Hector  wrote:

> On 01/02/18 11:51, Michael Fothergill wrote:
> >
> >
> > On 31 January 2018 at 22:46, Richard Hector wrote:
> >
> > On 01/02/18 11:20, Michael Fothergill wrote:
> > > As it turns out I have installed debian on a usb before and booted it up
> > > successfully.
> > > It did occur to me that you could advise the new users to buy a
> > > raspberry pi computer
> > > and use that to run sid and then install the kernel on my from it.
> > >
> > > Then I would have one machine which apparently cannot be infected with
> > > meltdown and spectre
> > > with both sid and the spectre enabled kernel on it (raspberry pi) due
> > > its architecture
> >
> > A complicated and expensive solution. The Pi being a different
> > architecture means you'd need to take extra steps to cross-compile the
> > kernel. A virtual machine, chroot, container or whatever is much cheaper
> > and simpler.
> >
> >
> > I agree.  It's much a better idea.  But we were actively trying to be
> > dumb in these exchanges for a bit of fun..
>
> Ah ... well in that case, why not cross-compile on a Windows box? :-)
>

Now that is getting creative.


The ultimate would be if you could do it on a quantum computer..

MF

>
> I guess firing up an AWS or Linode or something sounds much too sane (it
> might even be easier than setting up a local VM, depending where your
> capabilities lie).
>
>


> Richard
>
>


Re: Kernel for Spectre and Meltdown

2018-01-31 Thread Richard Hector
On 01/02/18 11:51, Michael Fothergill wrote:
> 
> 
> On 31 January 2018 at 22:46, Richard Hector wrote:
> 
> On 01/02/18 11:20, Michael Fothergill wrote:
> > As it turns out I have installed debian on a usb before and booted it up
> > successfully.
> > It did occur to me that you could advise the new users to buy a
> > raspberry pi computer
> > and use that to run sid and then install the kernel on my from it.
> >
> > Then I would have one machine which apparently cannot be infected with
> > meltdown and spectre
> > with both sid and the spectre enabled kernel on it (raspberry pi) due
> > its architecture
> 
> A complicated and expensive solution. The Pi being a different
> architecture means you'd need to take extra steps to cross-compile the
> kernel. A virtual machine, chroot, container or whatever is much cheaper
> and simpler.
> 
> 
> I agree.  It's much a better idea.  But we were actively trying to be
> dumb in these exchanges for a bit of fun..

Ah ... well in that case, why not cross-compile on a Windows box? :-)

I guess firing up an AWS or Linode or something sounds much too sane (it
might even be easier than setting up a local VM, depending where your
capabilities lie).

Richard





Re: Network setup by installer

2018-01-31 Thread Brian
On Wed 31 Jan 2018 at 12:29:38 -0600, David Wright wrote:

> On Fri 19 Jan 2018 at 19:09:27 (+), Brian wrote:
> > On Sat 20 Jan 2018 at 03:25:00 +0900, Mark Fletcher wrote:
> > > On Fri, Jan 19, 2018 at 02:33:23PM +, Brian wrote:
> > > > On Fri 19 Jan 2018 at 22:10:39 +0900, Mark Fletcher wrote:
> > > > > So, I return to the essential question, which I led with in my
> > > > > original post, which is which method does the installer use to
> > > > > set up networking, and where can I find documentation on that so
> > > > > I can replicate it for my wireless connection?
> > > > 
> > > > The installer uses the netcfg udeb to configure networking; the files in
> > > > the package are the documentation (AFAIK). For a wired connection netcfg
> > > > produces a file /etc/network/interfaces for use with the installer which
> > > > is something like
> > > > 
> > > >  allow-hotplug enp0s25
> > > >  iface enp0s25 inet dhcp
> > > > 
> > > > This file is transferred to the new system (mounted on /target) just
> > > > before d-i finishes and booting into the new system takes place.
> > > > 
> > > > If you had chosen to install over a wifi connection, interfaces would
> > > > have looked like this:
> > > > 
> > > >  allow-hotplug wlx0060b3f580c4
> > > >  iface wlx0060b3f580c4 inet dhcp
> > > > >    wpa-ssid 
> > > > >    wpa-psk  
> > > > 
> > > > I would preseed the installer to replace the interfaces file it puts on
> > > > /target with this file. Any firmware for the wireless adaptor would also
> > > > have to be transferred to /target/lib/firmware too.
> > > > 
> > > > A fly in the ointment is the desktop you install (if any). If it brings
> > > > in network-manager (MATE does) there is a possibility that there is no
> > > > network at first boot.
> > > > 
> > > 
> > > Thank you Brian -- this is exactly the information I was after. Much 
> > > appreciated, once again!
> > > 
> > > To get out of the situation I'm in on those two machines, I just need to 
> > > hand-craft the interfaces file to something like what you have above, 
> > > with appropriate device, ssid and WPA password values substituted. For 
> > > these PARTICULAR systems, firmware doesn't seem to be a problem.
> > 
> > That's about it. The transferring of the interfaces file takes place in
> > a late_command. I've not tried it myself but it should work and I intend
> > to have a go tomorrow.

Mark Fletcher's problem was one of his own making. He chose (as he has
very reasonably given reasons for) to install over an ethernet link and
then met a problem *afterwards*. The solution given was how to avoid or
mitigate the problem.

You are describing something completely different - an installation over
a wireless link.

> OK, I've revisited this problem because what I read here runs counter
> to my observations, so I've double checked.
> 
> I installed netinst 9.3 amd64 through the wireless interface. I ran
> the installer through the ssh interface, and in parallel I ran shells
> on both the installee (wren) and installer (west).
> (Yes, I have all the best words.)
> 
> The installee has /etc/network/interfaces set up by the time you ask
> to install remotely (obviously, or you couldn't do it). Nothing else
> interesting there until the installation is complete. From the
> installer, you can observe:
> 
> /target appears after the partitioning step. Its interfaces file
> appears after the base system is installed:
> 
> --✄
> 
> ~ # ls -l /target/etc/network/
> drwxr-xr-x 2 root root  4096 Jan 31 15:10 if-down.d
> drwxr-xr-x 2 root root  4096 Jan 31 15:10 if-post-down.d
> drwxr-xr-x 2 root root  4096 Jan 31 15:10 if-pre-up.d
> drwxr-xr-x 2 root root  4096 Jan 31 15:10 if-up.d
> -rw-r--r-- 1 root root   361 Jan 31 15:10 interfaces
> drwxr-xr-x 2 root root  4096 Jan 30  2017 interfaces.d
> ~ # cat /target/etc/network/interfaces
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
> 
> source /etc/network/interfaces.d/*
> 
> # The loopback network interface
> auto lo
> iface lo inet loopback
> 
> # The primary network interface
> allow-hotplug wlp2s0
> iface wlp2s0 inet dhcp
> wpa-ssid deleted
> wpa-psk  deleted
> ~ # # base system just installed
> ~ #
> 
> --✄
> 
> All is still in place before the last keystroke of installation:
> 
> --✄
> 
> ~ # cat /target/etc/network/interfaces
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
> 
> source /etc/network/interfaces.d/*
> 
> # The loopback network interface
> auto lo
> iface lo inet loopback
> 
> # The primary network interface
> allow-hotplug wlp2s0
> iface wlp2s0 inet dhcp
> wpa-ssid deleted
> wpa-psk  deleted
> ~ # # about to eject
> ~ 

Re: Kernel for Spectre and Meltdown

2018-01-31 Thread Michael Fothergill
On 31 January 2018 at 22:46, Richard Hector  wrote:

> On 01/02/18 11:20, Michael Fothergill wrote:
> > As it turns out I have installed debian on a usb before and booted it up
> > successfully.
> > It did occur to me that you could advise the new users to buy a
> > raspberry pi computer
> > and use that to run sid and then install the kernel on my from it.
> >
> > Then I would have one machine which apparently cannot be infected with
> > meltdown and spectre
> > with both sid and the spectre enabled kernel on it (raspberry pi) due
> > its architecture
>
> A complicated and expensive solution. The Pi being a different
> architecture means you'd need to take extra steps to cross-compile the
> kernel. A virtual machine, chroot, container or whatever is much cheaper
> and simpler.
>

I agree.  It's much a better idea.  But we were actively trying to be dumb
in these exchanges for a bit of fun..

Cheers

MF



>
> Richard
>
>
>


Re: Kernel for Spectre and Meltdown

2018-01-31 Thread Richard Hector
On 01/02/18 11:20, Michael Fothergill wrote:
> As it turns out I have installed debian on a usb before and booted it up
> successfully.
> It did occur to me that you could advise the new users to buy a
> raspberry pi computer
> and use that to run sid and then install the kernel on my from it.
> 
> Then I would have one machine which apparently cannot be infected with
> meltdown and spectre
> with both sid and the spectre enabled kernel on it (raspberry pi) due
> its architecture

A complicated and expensive solution. The Pi being a different
architecture means you'd need to take extra steps to cross-compile the
kernel. A virtual machine, chroot, container or whatever is much cheaper
and simpler.

Richard






Re: Kernel for Spectre and Meltdown

2018-01-31 Thread Michael Fothergill
On 31 January 2018 at 18:31, Michael Lange  wrote:

> On Wed, 31 Jan 2018 17:54:36 +
> Michael Fothergill  wrote:
>
> >
> > What about if you became sid, made the spectre kernel and backed it up
> > on a usb drive
> > and then you backed up the work files and wiped the entire installation
> > and then
> > reinstalled stretch.
> >
> > Could you then install the kernel on the usb drive or is that not
> > possible and, like full gender reassignment surgery
> > there really is no going back as it were...?
>
> Maybe it would be a little less of "DIY-lobotomy" (or "gender
> reassignment", whichever you prefer :) if you install sid onto the usb
> drive instead and leave your default system intact.
> But then, if you are running buster and desperately want to
> build your own kernel *now*, you could probably just replace buster's
> gcc-7.2 with sid's 7.3 to keep you going.
>

As it turns out I have installed debian on a usb before and booted it up
successfully.
It did occur to me that you could advise the new users to buy a raspberry
pi computer
and use that to run sid and then install the kernel on my from it.

Then I would have one machine which apparently cannot be infected with
meltdown and spectre
with both sid and the spectre enabled kernel on it (raspberry pi) due its
architecture
and my PC running buster with the same kernel ported to it but I don't
really need it because
I already have it in my Gentoo installation:

ie Dumb and Dumber Heh Heh!

Cheers

MF



>
> Regards
>
> Michael
>
> .-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.
>
> "Logic and practical information do not seem to apply here."
> "You admit that?"
> "To deny the facts would be illogical, Doctor"
> -- Spock and McCoy, "A Piece of the Action", stardate
>unknown
>
>


Re: Playing or Ripping UDF CDs Under jessie

2018-01-31 Thread Thomas Schmitt
Hi,

David Wright wrote:
> $ od cd-track00-432975-2/track00.cdda.wav > /tmp/od
> 000 044522 043106 027524 01 040527 042526 066546 020164

Octal. Argh. gdb and man ascii to the rescue.

  R I F F T / \001 \000 W A V E f m t 

Looks like a .wav header:
  http://soundfile.sapp.org/doc/WaveFormat/


> 060 00 00 00 00 00 00 00 00
> *
> 0210600 00 00 00 00 00 00 01 00
> ...
> 0227534

But the sound payload looks boring.


> track        length               begin        copy pre ch
> ===========================================================
>   1.    81225 [18:03.00]       33 [00:00.33]    no   no  2

It might be that cdparanoia copies track 0 if the first official track
does not start at block 0.  Here it starts at block 33.

  33 blocks * 2352 bytes/block + 44 bytes .wav header = 77660 = 0227534 octal

So this theory matches the size of your track 0 file.


Have a nice day :)

Thomas
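
Added example, not part of the original message: the size check above carried one step further, by decoding a line of default `od` output back into bytes and comparing the size the RIFF header declares with the block arithmetic and with od's final offset. The sample `od` line is constructed in od's default format for the header bytes decoded in the message, and little-endian byte order is assumed.

```python
import struct

SECTOR_BYTES = 2352       # raw audio bytes per CD block, as used in the message
WAV_HEADER_BYTES = 44     # canonical PCM .wav header, as used in the message

# Constructed sample: one line of default `od` output (octal offset followed
# by eight 16-bit words in octal) for the header bytes decoded in the message.
OD_LINE = "0000000 044522 043106 027524 000001 040527 042526 066546 020164"


def od_words_to_bytes(line: str) -> bytes:
    """Convert one line of default `od` output back into raw bytes."""
    fields = line.split()
    words = [int(w, 8) for w in fields[1:]]   # fields[0] is the file offset
    # od prints 16-bit words in host byte order; little-endian is assumed.
    return b"".join(struct.pack("<H", w) for w in words)


def riff_total_size(header: bytes) -> int:
    """Return the file size a RIFF/WAVE header declares (chunk size + 8)."""
    magic, chunk_size, form = struct.unpack("<4sI4s", header[:12])
    if magic != b"RIFF" or form != b"WAVE":
        raise ValueError("not a RIFF/WAVE header")
    return chunk_size + 8   # chunk size excludes the 'RIFF' tag and itself


def expected_track0_size(first_track_start: int) -> int:
    """Size of a .wav holding every block before the first official track."""
    return first_track_start * SECTOR_BYTES + WAV_HEADER_BYTES


def check_theory(od_line: str, first_track_start: int, od_end_offset: str) -> bool:
    """True when header size, block arithmetic and od's final offset agree."""
    declared = riff_total_size(od_words_to_bytes(od_line))
    expected = expected_track0_size(first_track_start)
    return declared == expected == int(od_end_offset, 8)


if __name__ == "__main__":
    print(od_words_to_bytes(OD_LINE))
    print(check_theory(OD_LINE, 33, "0227534"))
```
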



Re: Debian: AMD64: newest stable ver: Torrent: URL needed with one large .iso file

2018-01-31 Thread Thomas Schmitt
Hi,

BM-2cU2yWYBXRkEkCTkmS6d5htLPkU7wcTZT1 wrote:
> I am in need of one large .iso image for Debian AMD64 (stable latest ver)
> to download via torrent and mount on a 16 GB USB flash drive

There are the three 4.5 GB DVD images which you already found,
or the fourteen 4.5 GB DVD images via Jigdo at
  https://cdimage.debian.org/debian-cd/current/amd64/jigdo-dvd/
or three 25 GB BD images at
  https://cdimage.debian.org/debian-cd/current/amd64/jigdo-bd/

The first BD image on a 32 GB USB stick would be the nearest match
to your plan that is already prepared.
Jigdo download is described in
  https://www.debian.org/CD/jigdo-cd/#how
If none of this appeals to you, there is
  https://wiki.debian.org/JigdoOnLive
  "Downloading Debian Jigdo ISOs by a Debian Live system"


Well, if only a 16 GB USB stick is available or if BitTorrent is mandatory,
then you could put the DVD 1 image on the stick as described in
  https://www.debian.org/CD/faq/#write-usb
and then use partition editor fdisk to add a partition for an ext2
filesystem which stores the images of DVD 2 and DVD 3.
fdisk will possibly complain about GPT debris and nested partitions.
It should nevertheless do what is needed.

Some merciful people here can most probably explain to you how to
make those images usable as package repositories after a sparse system
has been installed from the booted DVD 1 image on USB stick.

(https://wiki.debian.org/SourcesList makes me think that you need to
 mount the ext2 partition, then mount the two images, and put their
 mount points as "deb file://..." into /etc/apt/sources.list)


Have a nice day :)

Thomas



Re: Playing or Ripping UDF CDs Under jessie

2018-01-31 Thread David Wright
On Wed 31 Jan 2018 at 12:42:20 (+0100), Thomas Schmitt wrote:
> Hi,
> 
> i wrote:
> > > The "problem CD" is pure audio.
> 
> Jonathan Dowland wrote:
> > I thought you'd identified that track 17 (at least) was marked as a data
> > track, but I might not have been following the discussion closely
> > enough.
> 
> To my memory this was shown as example of a "no problem" CD.
> 
>   https://lists.debian.org/debian-user/2018/01/msg01186.html
>   "Here is the output from a normal music CD."
> 
> Martin's assessment of "problem" and "normal" was based on the mountability
> which depends on readability by generic SCSI data command READ(10).
> Actually the problem CD is the more normal audio CD.
> It does not mount with any of its tracks, and this is what one has
> to expect with a pure audio CD which can be read only by the SCSI
> commands READ CD or READ CD MSF.
> 
> 
> Still unclear is what cdparanoia extracts as Track 0 from several
> of Martin's CDs.

I've seen dozens of these track zeroes over the years when ripping
discs with cdparanoia. Not all music CDs have them but plenty do.

cdparanoia says:

--✄

Attempting to set cdrom to full speed... 
drive returned OK.

Table of contents (audio tracks only):
track        length               begin        copy pre ch
===========================================================
  1.    81225 [18:03.00]       33 [00:00.33]    no   no  2
  2.    42450 [09:26.00]    81258 [18:03.33]    no   no  2
  3.    55425 [12:19.00]   123708 [27:29.33]    no   no  2
  4.    42825 [09:31.00]   179133 [39:48.33]    no   no  2
TOTAL  221925 [49:19.00]    (audio only)
 
Ripping from sector   0 (track  0 [0:00.00])
  to sector  221957 (track  4 [9:30.74])

outputting to track00.cdda.wav

 (== PROGRESS == [  | 32 00 ] == :^D * ==)   

outputting to track01.cdda.wav

--✄

Attempting to mount it says:

--✄

kernel: [29384.711581] sr 2:0:0:0: [sr0]  
kernel: [29384.711592] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
kernel: [29384.711599] sr 2:0:0:0: [sr0]  
kernel: [29384.711603] Sense Key : Illegal Request [current] 
kernel: [29384.711612] Info fld=0x10, ILI
kernel: [29384.711618] sr 2:0:0:0: [sr0]  
kernel: [29384.711637] Add. Sense: Illegal mode for this track
kernel: [29384.711642] sr 2:0:0:0: [sr0] CDB: 
kernel: [29384.711644] Read(10): 28 00 00 00 00 10 00 00 01 00
kernel: [29384.711658] end_request: I/O error, dev sr0, sector 64
kernel: [29384.721457] sr 2:0:0:0: [sr0]  
kernel: [29384.721467] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
kernel: [29384.721474] sr 2:0:0:0: [sr0]  
kernel: [29384.721478] Sense Key : Illegal Request [current] 
kernel: [29384.721487] Info fld=0x100, ILI
kernel: [29384.721493] sr 2:0:0:0: [sr0]  
kernel: [29384.721511] Add. Sense: Illegal mode for this track
kernel: [29384.721516] sr 2:0:0:0: [sr0] CDB: 
kernel: [29384.721519] Read(10): 28 00 00 00 01 00 00 00 01 00
kernel: [29384.721532] end_request: I/O error, dev sr0, sector 1024
kernel: [29384.721559] UDF-fs: error (device sr0): udf_read_tagged: read 
failed, block=256, location=256
kernel: [29384.723571] sr 2:0:0:0: [sr0]  
kernel: [29384.723578] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
kernel: [29384.723583] sr 2:0:0:0: [sr0]  
kernel: [29384.723587] Sense Key : Illegal Request [current] 
kernel: [29384.723594] Info fld=0x36305, ILI
kernel: [29384.723599] sr 2:0:0:0: [sr0]  
kernel: [29384.723607] Add. Sense: Illegal mode for this track
kernel: [29384.723613] sr 2:0:0:0: [sr0] CDB: 
kernel: [29384.723617] Read(10): 28 00 00 03 63 05 00 00 01 00
kernel: [29384.723643] end_request: I/O error, dev sr0, sector 887828
kernel: [29384.723668] UDF-fs: error (device sr0): udf_read_tagged: read 
failed, block=221957, location=221957
kernel: [29384.729699] sr 2:0:0:0: [sr0]  
kernel: [29384.729707] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE

--✄

repeated many times, then it looks for isofs, then an ext4 superblock,
a FAT superblock and finally a FAT boot sector. fstab just contains

/dev/sr0 /media/cdrom0  udf,iso9660 user,noauto

The contents of the file follow. To save you looking up the CD number,
it's Brahms Piano Con 2, Brendel, Abbado, Sept 1991, Philips.

--✄

$ od cd-track00-432975-2/track00.cdda.wav > /tmp/od
000 044522 043106 027524 01 040527 042526 066546 020164
020 20 00 01 02 126104 00 130420 02
040 04 20 060544 060564 027460 01 00 00
060 00 00 00 00 00 00 00 00
*
0210600 00 00 00 00 00 00 01 00
0210620 00 00 00 00 00 00 00 00
*
0212120 00 00 00 00 00 00 01 00
0212140 00 00 00 00 00 00 00 00
*
0212420 00 00 00 00 00 00 01 00
0212440 00 00 00 00 00 00 00 00
*
0213720 01 00 00 00 00 

systemd 237-1: problem starting dnsmasq

2018-01-31 Thread Stefan Pietsch
Dear list,

after the systemd upgrade from 236-3 to 237-1 (Debian sid) the dnsmasq
service does not start correctly.


###

Jan 31 20:58:11 debiansid systemd[1]: Starting dnsmasq - A lightweight DHCP and 
caching DNS server...
-- Subject: Unit dnsmasq.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit dnsmasq.service has begun starting up.
Jan 31 20:58:11 debiansid dnsmasq[1062]: dnsmasq: syntax check OK.
Jan 31 20:58:11 debiansid dnsmasq[1067]: started, version 2.78 cachesize 150
Jan 31 20:58:11 debiansid dnsmasq[1067]: DNS service limited to local subnets
Jan 31 20:58:11 debiansid dnsmasq[1067]: compile time options: IPv6 GNU-getopt 
DBus i18n IDN DHCP DHCPv6 no-Lua TFTP
conntrack ipset auth DNSSEC l
Jan 31 20:58:11 debiansid dnsmasq[1067]: reading /etc/resolv.conf
Jan 31 20:58:11 debiansid dnsmasq[1067]: using nameserver 9.9.9.9#53
Jan 31 20:58:11 debiansid dnsmasq[1067]: read /etc/hosts - 6 addresses
Jan 31 20:58:11 debiansid systemd[1]: dnsmasq.service: Permission denied while 
opening PID file or unsafe symlink chain:
/run/dnsmasq/dnsmasq.pid
Jan 31 20:59:41 debiansid systemd[1]: dnsmasq.service: Start-post operation 
timed out. Stopping.
Jan 31 20:59:41 debiansid dnsmasq[1067]: exiting on receipt of SIGTERM
Jan 31 20:59:41 debiansid systemd[1]: dnsmasq.service: Failed with result 
'timeout'.
Jan 31 20:59:41 debiansid systemd[1]: Failed to start dnsmasq - A lightweight 
DHCP and caching DNS server.
-- Subject: Unit dnsmasq.service has failed

###


Can someone verify this?


Regards,
Stefan



Re: Iptables at boot

2018-01-31 Thread Bob Weber

On 1/31/18 12:28 PM, Jacques Rodary wrote:


> Hi
>
> Many things happened since my first message: I first had to get rid of connman 
> (connection manager), which insisted to preset iptables rules without any 
> notice. My Debian box is used as a DNS chrooted server (also I had to modify 
> bind9.service behaviour), and I use iptables to do NAT, since I have one 
> routable address for several clients. With Jessie I managed to have all this 
> working. When upgrading to stretch, because of a stupid error with grub on my 
> RAID system, and of an insufficient backup, I lost most of my config. Thanks 
> for your help. When everything will be OK, I surely will have the use for your 
> answers.
>
> Jacques

Have you looked at shorewall?  I use it on all my debian linux installs.  
Basically it's a front end to the kernel iptables network filters.  It sets up 
the iptables entries and then goes away so that there is no additional program 
running after it does its job.   It starts up on boot after you have set up the 
rules the way you want.  You have to set a parameter in the 
/etc/default/shorewall file to have it start since you don't want to lose 
connection to your machine if you are logging in through a network port.  That 
way you can test it before you actually use it.  It is driven by several text 
config files in /etc/shorewall. For instance NAT is set up easily by this 
command in the  snat file (my internet connection is on eth1 and local 172 net 
is on eth0):


MASQUERADE  172.16.0.1/16   eth1

I redirect all the dns and time requests to my router machine even if the client 
has requested these services from an outside address.  I use opendns for its 
malware filters so bind is set to forward all non local dns queries to opendns 
servers.  I also use dnscrypt-proxy to get a secure connection to opendns so 
that I can be assured that the data coming back from opendns hasn't been 
tampered with.  These 2 lines in the rules file accomplish the redirection:


REDIRECT    Loc 53   tcp,udp   53 -
REDIRECT    Loc 123 tcp,udp  123    -

There is plenty of documentation and examples for simple setups available on the 
shorewall web site.


--


*...Bob*


Re: debian-user-digest Digest V2018 #128

2018-01-31 Thread jpff
Thank you for your response.  It must be that I misinterpreted the error 
message


/usr/bin/c++-ffast-math -mfpmath=sse -msse2 -fomit-frame-pointer 
-fvisibility=hidden -fvisibility=hidden -DHAVE_ATOMIC_BUILTIN -g 
CMakeFiles/winsound.dir/winsound.cxx.o 
CMakeFiles/winsound.dir/winsound/main.cxx.o  -o ../winsound -rdynamic 
/usr/lib/x86_64-linux-gnu/libfltk_images.a 
/usr/lib/x86_64-linux-gnu/libfltk_forms.a 
/usr/lib/x86_64-linux-gnu/libfltk.a -lSM -lICE -lX11 -lXext -lm 
../libcsound64.so.6.0 -lpthread -lpng -lz -ljpeg -lXft -lfontconfig 
-lXinerama -lX11 -lm -Wl,-rpath,/home/jpff/csound6:
/usr/bin/ld: /usr/lib/x86_64-linux-gnu/libfltk.a(Fl_x.o): undefined 
reference to symbol 'dlsym@@GLIBC_2.2.5'
//lib/x86_64-linux-gnu/libdl.so.2: error adding symbols: DSO missing from 
command line

collect2: error: ld returned 1 exit status
frontends/CMakeFiles/winsound.dir/build.make:122: recipe for target 
'winsound' failed

make[2]: *** [winsound] Error 1

The assumption was, as this used to work, I must have updated something new in 
the C world.  Time to look elsewhere

==John ff



Re: Undentified issue with primus or bumblebee.

2018-01-31 Thread Brian
On Wed 31 Jan 2018 at 21:08:43 +0100, Attilio Giuseppe Carolillo wrote:

> I use Debian "Buster" on a laptop Lenovo G580 (Geforce 635M).
> I updated the primus package 2015XXYY-6 but I didn't solve anything:
> 
> When i launch flightgear with (antialiasing 2x, nothing else):
> optirun -b primus fgfs --prop:/sim/rendering/multi-sample-buffers=true
> --prop:/sim/rendering/multi-samples=2 --log-level=debug
> 
> i get:
> 
> Using stock OSG implementation of GraphicsWindow
> StatsHandler::StatsHandler() Setting up GL2 compatible shaders
> initializing cloud layers
> Using initial window size: 1024 x 768
> Error: Not able to create requested visual.
> 
> getDefaultWindow: failed to create GraphicsContext
> Error: Not able to create requested visual.
> 
> getDefaultWindow: failed to create GraphicsContext
> CameraGroup::buildGUICamera: failed to build a window
> Enabling ATI/AMD viewport hack
> .
> 
> Now with urban terror:
> primusrun /UrbanTerror43/Quake3-UrT.x86_64
> 
> I get:
> 
> - Client Initialization Complete -
> - R_Init -
> ...loading libGL.so.1:
> Calling SDL_Init(SDL_INIT_VIDEO)...
> SDL_Init(SDL_INIT_VIDEO) passed.
> Initializing OpenGL display
> ...setting mode 13: 1366 768
> Received signal 11, exiting...
> - CL_Shutdown -
> RE_Shutdown( 1 )
> Errore di segmentazione
> ...
> 
> 
> Last test with vlc, "primusrun vlc" gets:
> 
> /usr/bin/primusrun: riga 41: attenzione: command substitution: ignored null
> byte in input
> VLC media player 3.0.0-rc6 Vetinari (revision 3.0.0-rc6-0-g1d05ae3858)
> [560f57e65a30] main libvlc: Esecuzione di vlc con l'interfaccia
> predefinita. Usa 'cvlc' per utilizzare vlc senza interfaccia.
> ../include/vlc_xlib.h:46:vlc_xlib_init: Xlib not initialized for threads.
> This process is probably using LibVLC incorrectly.
> Pass "--no-xlib" to libvlc_new() to fix this.
> [560f57f4e240] qt interface error: Xlib not initialized for threads
> 
> ../include/vlc_xlib.h:46:vlc_xlib_init: Xlib not initialized for threads.
> This process is probably using LibVLC incorrectly.
> Pass "--no-xlib" to libvlc_new() to fix this.
> [560f57f4e240] skins2 interface error: Xlib not initialized for
> threads
> [560f57f4e240] skins2 interface error: initializing xlib for
> multi-threading failed
> [560f57f4e240] skins2 interface error: cannot initialize OSFactory
> 
> [560f57e64350] main playlist: playlist is empty
> [560f57f4e240] [cli] lua interface: Listening on host "*console".
> VLC media player 3.0.0-rc6 Vetinari
> Command Line Interface initialized.
> 
> 
> Any suggestions? thanks

You are apparently not subscribed to this list. Please will you indicate
whether you are reading replies to your post and are able to respond to
them.

Otherwise (speaking only for myself) my responses will be confined to this one.

-- 
Brian.



Undentified issue with primus or bumblebee.

2018-01-31 Thread Attilio Giuseppe Carolillo
I use Debian "Buster" on a laptop Lenovo G580 (Geforce 635M).
I updated the primus package 2015XXYY-6 but I didn't solve anything:

When i launch flightgear with (antialiasing 2x, nothing else):
optirun -b primus fgfs --prop:/sim/rendering/multi-sample-buffers=true
--prop:/sim/rendering/multi-samples=2 --log-level=debug

i get:

Using stock OSG implementation of GraphicsWindow
StatsHandler::StatsHandler() Setting up GL2 compatible shaders
initializing cloud layers
Using initial window size: 1024 x 768
Error: Not able to create requested visual.

getDefaultWindow: failed to create GraphicsContext
Error: Not able to create requested visual.

getDefaultWindow: failed to create GraphicsContext
CameraGroup::buildGUICamera: failed to build a window
Enabling ATI/AMD viewport hack
.

Now with urban terror:
primusrun /UrbanTerror43/Quake3-UrT.x86_64

I get:

- Client Initialization Complete -
- R_Init -
...loading libGL.so.1:
Calling SDL_Init(SDL_INIT_VIDEO)...
SDL_Init(SDL_INIT_VIDEO) passed.
Initializing OpenGL display
...setting mode 13: 1366 768
Received signal 11, exiting...
- CL_Shutdown -
RE_Shutdown( 1 )
Errore di segmentazione
...


Last test with vlc, "primusrun vlc" gets:

/usr/bin/primusrun: riga 41: attenzione: command substitution: ignored null
byte in input
VLC media player 3.0.0-rc6 Vetinari (revision 3.0.0-rc6-0-g1d05ae3858)
[560f57e65a30] main libvlc: Esecuzione di vlc con l'interfaccia
predefinita. Usa 'cvlc' per utilizzare vlc senza interfaccia.
../include/vlc_xlib.h:46:vlc_xlib_init: Xlib not initialized for threads.
This process is probably using LibVLC incorrectly.
Pass "--no-xlib" to libvlc_new() to fix this.
[560f57f4e240] qt interface error: Xlib not initialized for threads

../include/vlc_xlib.h:46:vlc_xlib_init: Xlib not initialized for threads.
This process is probably using LibVLC incorrectly.
Pass "--no-xlib" to libvlc_new() to fix this.
[560f57f4e240] skins2 interface error: Xlib not initialized for
threads
[560f57f4e240] skins2 interface error: initializing xlib for
multi-threading failed
[560f57f4e240] skins2 interface error: cannot initialize OSFactory

[560f57e64350] main playlist: playlist is empty
[560f57f4e240] [cli] lua interface: Listening on host "*console".
VLC media player 3.0.0-rc6 Vetinari
Command Line Interface initialized.


Any suggestions? thanks

Regards
Attilio


Re: Dabian: AMB64: newest stable ver: Torrent: URL needed with one large .iso file

2018-01-31 Thread Brian
On Wed 31 Jan 2018 at 19:54:20 +, Brian wrote:

> On Wed 31 Jan 2018 at 11:19:00 -0800, BM-2cU2yWYBXRkEkCTkmS6d5htLPkU7wcTZT1 
> wrote:
> 
> > I am in need of one large .iso image for Debian AMD64 (stable latest ver)
> > to download via torrent and mount on a 16 GB USB flash drive to then
> > install to an AMD64 hard drive via the USB flash drive.
> > 
> > I can only find the DVD1.iso, DVD2.iso, & DVD3.iso images and I only know
> > how to mount one .iso image to a USB flash drive to install to a hard
> > drive (it looks as if I would need three USB flash drives for the three
> > separate .iso files).
> 
> You are not subscribed to this list. Please will you indicate whether

There should be an "apparently" in there somewhere.

-- 
Brian.



Re: Dabian: AMB64: newest stable ver: Torrent: URL needed with one large .iso file

2018-01-31 Thread Brian
On Wed 31 Jan 2018 at 11:19:00 -0800, BM-2cU2yWYBXRkEkCTkmS6d5htLPkU7wcTZT1 
wrote:

> I am in need of one large .iso image for Debian AMD64 (stable latest ver)
> to download via torrent and mount on a 16 GB USB flash drive to then
> install to an AMD64 hard drive via the USB flash drive.
> 
> I can only find the DVD1.iso, DVD2.iso, & DVD3.iso images and I only know
> how to mount one .iso image to a USB flash drive to install to a hard
> drive (it looks as if I would need three USB flash drives for the three
> separate .iso files).

You are not subscribed to this list. Please will you indicate whether
you are reading replies to your post and are able to respond to them.

Otherwise (speaking only for myself) my responses will be confined to
this one.

-- 
Brian



Dabian: AMB64: newest stable ver: Torrent: URL needed with one large .iso file

2018-01-31 Thread BM-2cU2yWYBXRkEkCTkmS6d5htLPkU7wcTZT1
I am in need of one large .iso image for Debian AMD64 (stable latest ver)
to download via torrent and mount on a 16 GB USB flash drive to then
install to an AMD64 hard drive via the USB flash drive.

I can only find the DVD1.iso, DVD2.iso, & DVD3.iso images and I only know
how to mount one .iso image to a USB flash drive to install to a hard
drive (it looks as if I would need three USB flash drives for the three
separate .iso files).

Kind Regards.




Current rsyslog packages are available "upstream" for Debian 8, 9

2018-01-31 Thread deoren

Hello!

The rsyslog development team has released (experimental) packages for 
Debian 8 and 9.


Please see the announcement here:

http://blog.gerhards.net/2018/01/experimental-debian-rsyslog-packages.html

and the current installation instructions here:

https://software.opensuse.org//download.html?project=home%3Argerhards&package=rsyslog

Please let the team know if you run into any issues by filing a report here:

https://github.com/rsyslog/rsyslog-pkg-debian/issues/new

Note: the package definitions in that repo do not currently match the 
ones used in the openSUSE Build Service.



Thanks in advance for any feedback you may have!




Re: Kernel for Spectre and Meltdown

2018-01-31 Thread Michael Lange
On Wed, 31 Jan 2018 17:54:36 +
Michael Fothergill  wrote:

> 
> What about if you became sid, made the spectre kernel and backed it up
> on a usb drive
> and then you backed up the work files and wiped the entire installation
> and then
> reinstalled stretch.
> 
> Could you then install the kernel on the usb drive or is that not
> possible and, like full gender reassignment surgery
> there really is no going back as it were...?

Maybe it would be a little less of "DIY-lobotomy" (or "gender
reassignment", whichever you prefer :) if you install sid onto the usb
drive instead and leave your default system intact.
But then, if you are running buster and desperately want to
build your own kernel *now*, you could probably just replace buster's
gcc-7.2 with sid's 7.3 to keep you going.

Regards

Michael

.-.. .. ...- .   .-.. --- -. --.   .- -. -..   .--. .-. --- ... .--. . .-.

"Logic and practical information do not seem to apply here."
"You admit that?"
"To deny the facts would be illogical, Doctor"
-- Spock and McCoy, "A Piece of the Action", stardate
   unknown



Re: Network setup by installer

2018-01-31 Thread David Wright
On Fri 19 Jan 2018 at 19:09:27 (+), Brian wrote:
> On Sat 20 Jan 2018 at 03:25:00 +0900, Mark Fletcher wrote:
> > On Fri, Jan 19, 2018 at 02:33:23PM +, Brian wrote:
> > > On Fri 19 Jan 2018 at 22:10:39 +0900, Mark Fletcher wrote:
> > > > So, I return to the essential question, which I led with in my original 
> > > > post, which is which method does the installer use to set up 
> > > > networking, 
> > > > and where can I find documentation on that so I can replicate it for my 
> > > > wireless connection?
> > > 
> > > The installer uses the netcfg udeb to configure networking; the files in
> > > the package are the documentation (AFAIK). For a wired connection netcfg
> > > produces a file /etc/network/interfaces for use with the installer which
> > > is something like
> > > 
> > >  allow-hotplug enp0s25
> > >  iface enp0s25 inet dhcp
> > > 
> > > This file is transferred to the new system (mounted on /target) just
> > > before d-i finishes and booting into the new system takes place.
> > > 
> > > If you had chosen to install over a wifi connection, interfaces would
> > > have looked like this:
> > > 
> > >  allow-hotplug wlx0060b3f580c4
> > >  iface wlx0060b3f580c4 inet dhcp
> > >wpa-ssid 
> > >wpa-psk  
> > > 
> > > I would preseed the installer to replace the interfaces file it puts on
> > > /target with this file. Any firmware for the wireless adaptor would also
> > > have to be transferred to /target/lib/firmware too.
> > > 
> > > A fly in the ointment is the desktop you install (if any). If it brings
> > > in network-manager (MATE does) there is a possibility that there is no
> > > network at first boot.
> > > 
> > 
> > Thank you Brian -- this is exactly the information I was after. Much 
> > appreciated, once again!
> > 
> > To get out of the situation I'm in on those two machines, I just need to 
> > hand-craft the interfaces file to something like what you have above, 
> > with appropriate device, ssid and WPA password values substituted. For 
> > these PARTICULAR systems, firmware doesn't seem to be a problem.
> 
> That's about it. The transferring of the interfaces file takes place in
> a late_command. I've not tried it myself but it should work and I intend
> to have a go tomorrow.

OK, I've revisited this problem because what I read here runs counter
to my observations, so I've double checked.

I installed netinst 9.3 amd64 through the wireless interface. I ran
the installer through the ssh interface, and in parallel I ran shells
on both the installee (wren) and installer (west).
(Yes, I have all the best words.)

The installee has /etc/network/interfaces set up by the time you ask
to install remotely (obviously, or you couldn't do it). Nothing else
interesting there until the installation is complete. From the
installer, you can observe:

/target appears after the partitioning step. Its interfaces file
appears after the base system is installed:

--✄

~ # ls -l /target/etc/network/
drwxr-xr-x2 root root  4096 Jan 31 15:10 if-down.d
drwxr-xr-x2 root root  4096 Jan 31 15:10 if-post-down.d
drwxr-xr-x2 root root  4096 Jan 31 15:10 if-pre-up.d
drwxr-xr-x2 root root  4096 Jan 31 15:10 if-up.d
-rw-r--r--1 root root   361 Jan 31 15:10 interfaces
drwxr-xr-x2 root root  4096 Jan 30  2017 interfaces.d
~ # cat /target/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug wlp2s0
iface wlp2s0 inet dhcp
wpa-ssid deleted
wpa-psk  deleted
~ # # base system just installed
~ #

--✄

All is still in place before the last keystroke of installation:

--✄

~ # cat /target/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug wlp2s0
iface wlp2s0 inet dhcp
wpa-ssid deleted
wpa-psk  deleted
~ # # about to eject
~ # tail /var/log/syslog 
Jan 31 15:26:46 clock-setup: 1517412406.50 is close enough to 
1517412406.50 (0.00 < 0.001000)
Jan 31 15:26:46 clock-setup: Set RTC to 1517412406 (1517412406 + 0; refsystime 
= 1517412406.00)
Jan 31 15:26:46 clock-setup: Setting Hardware Clock to 15:26:46 = 1517412406 
seconds since 1969
Jan 31 15:26:46 clock-setup: ioctl(RTC_SET_TIME) was successful.
Jan 31 15:26:46 clock-setup: Not adjusting drift factor because the 
--update-drift option was not used.
Jan 31 15:26:46 finish-install: info: Running 
/usr/lib/finish-install.d/10open-iscsi
Jan 31 15:26:46 finish-install: info: Running 
/usr/lib
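
The listing in the message above shows /target/etc/network/interfaces as -rw-r--r-- while it carries the wpa-psk line, so every local account can read the Wi-Fi key. A check for that condition, as an added example that is not part of the original post; the function names are hypothetical and the sample file contents are constructed:

```shell
#!/bin/sh
# Added example: flag ifupdown config files that hold a wpa-psk line and are
# readable by "other". The sample file written by demo() is constructed.

# Print every offending file under config dir $1 (interfaces plus
# interfaces.d/*, which the stock file pulls in via "source").
# Returns 1 if at least one file was flagged, 0 otherwise.
psk_exposed() {
    pe_dir=$1
    pe_found=0
    for pe_f in "$pe_dir/interfaces" "$pe_dir"/interfaces.d/*; do
        if [ ! -f "$pe_f" ]; then
            continue                      # missing file or unmatched glob
        fi
        if grep -Eq '^[[:space:]]*wpa-psk[[:space:]]' "$pe_f" &&
           [ -n "$(find "$pe_f" -perm -004)" ]; then
            printf '%s\n' "$pe_f"
            pe_found=1
        fi
    done
    return "$pe_found"
}

# Restrict each flagged file to owner-only access. ifup runs as root,
# so it can still read the key afterwards.
psk_tighten() {
    psk_exposed "$1" | while IFS= read -r pt_f; do
        chmod 600 "$pt_f"
    done
}

# Build a throwaway copy of the layout from the listing, audit it, tighten
# it, audit again. Prints "<flagged before> <flagged after>".
demo() {
    dm_dir=$(mktemp -d) || return 2
    mkdir "$dm_dir/interfaces.d"
    cat > "$dm_dir/interfaces" <<'EOF'
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
allow-hotplug wlp2s0
iface wlp2s0 inet dhcp
wpa-ssid constructed-ssid
wpa-psk  constructed-passphrase
EOF
    chmod 644 "$dm_dir/interfaces"        # the mode shown in the listing
    dm_before=$(psk_exposed "$dm_dir" | wc -l)
    psk_tighten "$dm_dir"
    dm_after=$(psk_exposed "$dm_dir" | wc -l)
    rm -rf "$dm_dir"
    echo "$((dm_before)) $((dm_after))"
}

demo
```

On an installed system the directory to pass is /etc/network; from the installer shell it is /target/etc/network.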

Re: Kernel for Spectre and Meltdown

2018-01-31 Thread Greg Wooledge
On Wed, Jan 31, 2018 at 05:54:36PM +, Michael Fothergill wrote:
> What about if you became sid, made the spectre kernel and backed it up on a
> usb drive
> and then you backed up the work files and wiped the entire installation and
> then
> reinstalled stretch.

Way too much work and downtime.  Seriously, just debootstrap sid into
a chroot.  Build there, then copy the kernel image .deb file out to the
"real" system, and install it.

Or wait for an official backports kernel image that satisfies you.

Or do nothing.

(And how did you get from buster back to stretch, suddenly?)



Re: Kernel for Spectre and Meltdown

2018-01-31 Thread Michael Fothergill
On 30 January 2018 at 13:22, Greg Wooledge  wrote:

> On Tue, Jan 30, 2018 at 12:13:47PM +0100, Michael Lange wrote:
> > Michael Fothergill  wrote:
> > > The response from Greg was the following:
> > >
> > > On Thu, Jan 25, 2018 at 12:36:46PM +, Michael Fothergill wrote:
> > > > If I become sid and install the kernel correctly, could I go back to
> > > being
> > > > just buster (sounds like an energy drink) and carry on using the new
> > > kernel?
> > >
> > > No.
> > >
> > > ***
> > >
> > > At that point I really did seem that:
> > >
> > > 1. I had no choice but to become sid/unstable here.
> >
> > I can only guess of course, I think probably they figured you would
> > upgrade your system to Sid, then compile a kernel and then *downgrade*
> > the system again to buster. The answer to that would clearly be "no".
> > But running a kernel compiled on a *different* Sid system on buster or
> > stretch is an entirely different thing of course.
>
> Yes, that's correct.  If you actually "become sid" (upgrade your whole
> system to sid), there is no going back.
>

What about if you became sid, made the spectre kernel and backed it up on a
usb drive
and then you backed up the work files and wiped the entire installation and
then
reinstalled stretch.

Could you then install the kernel on the usb drive or is that not possible
and, like full gender reassignment surgery
there really is no going back as it were...?

Cheers

MF



>
> But you can set up a *separate* system (either an entirely new box,
> or a chroot into which you debootstrap sid, or a virtual machine, or a
> container, or whatever other fancy thing the kids are using these days),
> build a kernel .deb package there, *copy* that package to your buster
> system, and install it.
>
> Or you can do what most of us are doing: wait for the Debian security
> team (and, really, for the entire *world*) to figure out how best to
> approach, mitigate, and/or solve the issues.
>
> Meanwhile, I would recommend not letting random people get shell access
> to your critical systems.  Near as I can tell, exploiting a Spectre-type
> CPU vulnerability requires the ability to install and execute a program
> of the attacker's creation on the target system.  If you don't have
> users logging in and running commands, then you probably don't have to
> worry so much about this.  Unless I'm completely missing something.
>
> (If you have users issuing commands on your system through some other
> vector, like a PHP web-app exploit, then that's a bigger issue you
> should address directly.)
>
>


Re: Re: Iptables at boot

2018-01-31 Thread Jacques Rodary
Hi
Many things happened since my first message: I first had 
to get rid of connman (connection manager), which insisted to preset 
iptables rules without any notice. My Debian box is used as a DNS 
chrooted server (also I had to modify bind9.service behaviour), and I 
use iptables to do NAT, since I have one routable address for several 
clients. With Jessie I managed to have all this working. When 
upgrading to stretch, because of a stupid error with grub on my RAID 
system, and of an insufficient backup, I lost most of my config. Thanks 
for your help. When everything will be OK, I surely will have the use 
for your answers.
Jacques 


odd message from upowerd and simultaneous death of xfce4-notifyd

2018-01-31 Thread Thomas Vaughan
Logcheck, running on a machine with up-to-date debian unstable, sent me the
following in an email yesterday. (Times and machine name removed from
beginning of each line.)



upowerd[7393]: energy 99.90 bigger than full 91.652700

kernel: [345764.796963] xfce4-notifyd[2202]: segfault at 9 ip
7fcfb6a5c8ba sp 7ffe9f35d320 error 4+in libc-2.26.so
(deleted)[7fcfb69df000+1ad000]

systemd[2055]: xfce4-notifyd.service: Main process exited, code=killed,
status=11/SEGV

systemd[2055]: xfce4-notifyd.service: Failed with result 'signal'.

1. Does the upowerd message indicate that something is wrong?

2. Is the simultaneous death of xfce4-notifyd a mere coincidence?  (All
four messages have the same time stamp down to the second.)

-- 
Thomas E. Vaughan


Re: Kernel for Spectre and Meltdown

2018-01-31 Thread Michael Fothergill
On 30 January 2018 at 16:36, Michael Fothergill <
michael.fotherg...@gmail.com> wrote:

>
>
> On 30 January 2018 at 16:02, Michael Fothergill <
> michael.fotherg...@gmail.com> wrote:
>
>>
>>
>> On 30 January 2018 at 15:23, Elimar Riesebieter 
>> wrote:
>>
>>> * rhkra...@gmail.com  [2018-01-29 10:47 -0500]:
>>>
>>> [...]
>>> > On the other hand, if I download kernel source, I would need GCC, and a
>>> > version that is sufficient for the code.
>>>
>>> One can check the compiler version the running kernel is built with
>>> by:
>>>
>>> $ cat /proc/version
>>> Linux version 4.14.15-toy-lxtec-amd64 (riesebie@toy) (gcc version 7.3.0
>>> (Debian 7.3.0-1)) #1 SMP Tue Jan 30 14:20:49 CET 2018
>>>
>>
>> That is a very useful command.
>>
>> I ran it myself.
>>
>> djt /home/mikef/spectre-meltdown-checker # cat /proc/version
>> Linux version 4.14.14-gentoo (root@djt) (gcc version 7.2.0 (Gentoo
>> 7.2.0-r1)) #1 SMP Tue Jan 23 13:06:23 GMT 2018
>>
>> Here is a bit of the output from the spectre patch checker:
>>
>>
>> * Mitigation 2
>>   * Kernel compiled with retpoline option:  YES
>>   * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports
>> minimal retpoline compilation)
>>   * Retpoline enabled:  YES
>> > STATUS:  VULNERABLE  (Vulnerable: Minimal AMD ASM retpoline)
>>
>> As can be seen here, the compiler I used to create this kernel was not
>> recent enough to make retpoline work.
>>
>> Since I now have gcc 7.3 installed I will do kernel upgrade in a little
>> while and see if I can change the NO in
>>
>>   "* Kernel compiled with a retpoline-aware compiler:  NO  (kernel
>> reports minimal retpoline compilation)"
>>
>> to YES.
>>
>> I think it will work.
>>
>> Cheers MF
>>
>
> I just ran the kernel rebuild:
>
> djt /home/mikef # cat /proc/version
> Linux version 4.14.15-gentoo (root@djt) (gcc version 7.3.0 (Gentoo
> 7.3.0)) #1 SMP Tue Jan 30 16:22:47 GMT 2018
>
> and now the spectre kernel checker says the following:
>
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES
>   * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports
> full retpoline compilation)
>   * Retpoline enabled:  YES
> > STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)
>
> New kernels are going to appear soon with fancier fixes for spectre
> vulnerabilities if I understand it correctly.
>
> I can now install them right away; and if I want I can downgrade gentoo
> testing to gentoo stable and do the very same thing.
>
> Cheers
>
> MF
>

It has occurred to me that two distributions of linux could be useful for
the spectre kernel patches right now.

One is sabayon and the other is calculate linux.

Both are gentoo based distributions.  For a new linux user, I think they
could have some advantages over e.g. gentoo itself.

Both come with installers so you will avoid the funny learning curve
involved in gentoo installs.

Sabayon has its own binary package installer called equo (its answer to apt
in debian). AFAICT, you
can avoid installing kernels with emerge (compiling them) if you want; you
have a choice.

I think, but I am not 100% sure that you can take the ebuild file for
kernel 4.15 from the gentoo kernel source site and install it directly in
sabayon.
Calculate linux is similar but does not have the equo package installer.

I notice that it seems Fedora have made kernels with the spectre patch
available. Whether they run in the equivalent of the stable version of the
distribution I am not sure.

Cheers

MF











​



>>> Elimar
>>> --
>>>   You cannot propel yourself forward by
>>>   patting yourself on the back.
>>>
>>>
>>
>
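
The two signals compared in the message above (the gcc version recorded in /proc/version and the kernel's own retpoline report) can be checked together. The following is an added example, not part of the original post or of spectre-meltdown-checker; the function names are hypothetical, the 7.3.0 threshold is an assumption taken from the thread's observation, and the sample lines are the ones quoted in the thread:

```shell
#!/bin/sh
# Added example: relate the compiler recorded in /proc/version to the
# kernel's spectre_v2 status string. Sample inputs are quoted from the thread.
SAMPLE_OLD='Linux version 4.14.14-gentoo (root@djt) (gcc version 7.2.0 (Gentoo 7.2.0-r1)) #1 SMP Tue Jan 23 13:06:23 GMT 2018'
SAMPLE_NEW='Linux version 4.14.15-gentoo (root@djt) (gcc version 7.3.0 (Gentoo 7.3.0)) #1 SMP Tue Jan 30 16:22:47 GMT 2018'
MIN_GCC=7.3.0   # assumption: first version the thread saw produce full retpoline

# Print the gcc version from a /proc/version line that uses the
# "gcc version X.Y.Z" wording quoted in the thread; print nothing otherwise.
gcc_version() {
    printf '%s\n' "$1" | sed -n 's/.*gcc version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 >= $2, comparing numerically per component.
version_ge() {
    vg_a=$1
    vg_b=$2
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_x=${vg_a%%.*}
        vg_y=${vg_b%%.*}
        if [ "${vg_x:-0}" -gt "${vg_y:-0}" ]; then return 0; fi
        if [ "${vg_x:-0}" -lt "${vg_y:-0}" ]; then return 1; fi
        case $vg_a in *.*) vg_a=${vg_a#*.} ;; *) vg_a= ;; esac
        case $vg_b in *.*) vg_b=${vg_b#*.} ;; *) vg_b= ;; esac
    done
    return 0
}

# Classify the text of /sys/devices/system/cpu/vulnerabilities/spectre_v2.
spectre_v2_class() {
    case $1 in
        Mitigation:*[Ff]ull*retpoline*) echo full ;;
        *[Mm]inimal*retpoline*)         echo minimal ;;
        Mitigation:*)                   echo other-mitigation ;;
        Vulnerable*)                    echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# Print "<gcc version> <class> <verdict>" for a /proc/version line ($1)
# and a spectre_v2 status string ($2). The kernel's report decides; the
# compiler version only explains a "minimal" result.
assess() {
    as_ver=$(gcc_version "$1")
    as_cls=$(spectre_v2_class "$2")
    if [ "$as_cls" = full ]; then
        as_verdict=ok
    elif [ "$as_cls" = minimal ] && [ -n "$as_ver" ] &&
         ! version_ge "$as_ver" "$MIN_GCC"; then
        as_verdict=rebuild-with-newer-gcc
    elif [ "$as_cls" = minimal ]; then
        as_verdict=check-kernel-config
    else
        as_verdict=review
    fi
    printf '%s %s %s\n' "${as_ver:-unknown}" "$as_cls" "$as_verdict"
}

# Same assessment against the running kernel, when both files are readable.
live_assess() {
    la_sys=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r /proc/version ] && [ -r "$la_sys" ]; then
        assess "$(cat /proc/version)" "$(cat "$la_sys")"
    else
        echo no-data
    fi
}

assess "$SAMPLE_OLD" 'Vulnerable: Minimal AMD ASM retpoline'
assess "$SAMPLE_NEW" 'Mitigation: Full AMD retpoline'
```

Distribution compilers may carry retpoline support in versions below the threshold used here, which is why the sysfs string rather than the version number determines the verdict.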


Re: Playing or Ripping UDF CDs Under jessie

2018-01-31 Thread Thomas Schmitt
Hi,

i wrote:
> > The "problem CD" is pure audio.

Jonathan Dowland wrote:
> I thought you'd identified that track 17 (at least) was marked as a data
> track, but I might not have been following the discussion closely
> enough.

To my memory this was shown as example of a "no problem" CD.

  https://lists.debian.org/debian-user/2018/01/msg01186.html
  "Here is the output from a normal music CD."

Martin's assessment of "problem" and "normal" was based on the mountability
which depends on readability by generic SCSI data command READ(10).
Actually the problem CD is the more normal audio CD.
It does not mount with any of its tracks, and this is what one has
to expect with a pure audio CD which can be read only by the SCSI
commands READ CD or READ CD MSF.


Still unclear is what cdparanoia extracts as Track 0 from several
of Martin's CDs.


Have a nice day :)

Thomas



Re: Playing or Ripping UDF CDs Under jessie

2018-01-31 Thread Jonathan Dowland

On Mon, Jan 29, 2018 at 12:03:27PM +0100, Thomas Schmitt wrote:

> Hi,
>
> i wrote:
> > > They saw a CD and tried UDF. Cluelessly and in vain.
>
> Jonathan Dowland wrote:
> > They did that because of the fstab line which specified udf, and the
> > presence of a data track on the CD.
>
> The "problem CD" is pure audio. No indication on Table-Of-Content level
> that there would be sectors readable by READ(10).

I thought you'd identified that track 17 (at least) was marked as a data
track, but I might not have been following the discussion closely
enough.

--

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄ Please do not CC me, I am subscribed to the list.



Re: Debian Stretch SELinux enforcing causes systemd --user unit to fail

2018-01-31 Thread Laurent Bigonville

C J du Preez wrote:


> Good day,

Hi,

> I would like to report a bug, but I am not sure which package to report it 
> against.
>
> I have SELinux enabled and enforcing on Debian Stretch (commandline via SSH 
> only, no GUI is installed at all). I am trying to start a systemd --user unit 
> (which I know is correct, because it works without SELinux enabled). When I try 
> to start the service (using systemctl --user start ssh-agent) I get:
>
> Failed to connect to bus: No such file or directory.
>
> With SELinux enabled, DBUS_SESSION_BUS_ADDRESS is undefined (with SELinux 
> disabled it is defined as unix:path=/run/user/1000/bus). With SELinux disabled 
> that path exists, with SELinux enabled, it does not.

Could you also please try in permissive mode as well? That should fix 
the creation of the file on disk, if that problem is fixed I think you 
could open a bug against the selinux-policy-default package.


Regarding the environment variable not being set, I think it's this 
bug[0]. Would you be able to rebuild systemd with this patch[1] applied? 
If that patch fixes the problem, we could maybe try to include that in a 
stable point release.


Otherwise, you should try to upgrade systemd to a higher version using 
the backports.


Kind regards,

Laurent Bigonville


[0] https://github.com/systemd/systemd/issues/6120
[1] 
https://github.com/systemd/systemd/pull/6201/commits/51c7d5aa36e9ac0ec8ca6fef811a5f9deb7e4fd2




Re: journal swamped with gdm3-x-session messages

2018-01-31 Thread Roger Price

Roger Price wrote Mon, 29 Jan 2018 23:13:05 +0100 (CET):

> I rebooted stretch and now my journald is being swamped with the following 
> message:
>
>  /usr/lib/gdm3/gdm-x-session[2684]: Promise rejected after context 
> unloaded:  Message manager disconnected


It's the Ghostery addon to Firefox 52.6.0.  I removed the addon and submitted 
ticket 6081 to Ghostery.


Roger