Re: Debian 11: How to disable IPv6

2022-07-09 Thread Charles Curley
On Sun, 10 Jul 2022 06:44:46 +0200 (CEST)
local10  wrote:

> Jul 10, 2022, 00:51 by charlescur...@charlescurley.com:
> 
> >  I do it in part by
> > using my own resolver, BIND9, and having it return only IPv4
> > addresses. 
> 
> How did you do it? I tried to start named with "-4" option to use
> only ipv4 but it refused to start with that option, IIRC.
> 
> Regards,
> 

My /etc/default/named looks like:

#
# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-4 -u bind"


That should do it.

But all that does is tell named to use IPv4. It will still return IPv6
addresses. So maybe I'm wrong about returning only IPv4 addresses.
Hmmm

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: nft newbie

2022-07-09 Thread Gareth Evans
On Sat  9 Jul 2022, at 10:05, Roger Price  wrote:
> On Sat, 9 Jul 2022, Gareth Evans wrote:
>
>> Also for any good nft/netfilter overview articles etc.
>
> Have you seen "Mastering Linux Security and Hardening", 2nd Edition, Donald
> A. Tevault, chapter 4.  Suitable for those of us who read this newbie thread.
>
> Roger

Thanks Roger, that also suggests "policy drop" in its nftables examples.

I've just noticed the nftables wiki mentions an nftables users mailing list, 

https://wiki.nftables.org/wiki-nftables/index.php/Main_Page

which might be useful too.

Thanks,
Gareth



Re: Problem mounting encrypted blu-ray disc or image

2022-07-09 Thread Tim Woodall

On Sat, 9 Jul 2022, B.M. wrote:


Verifying that your procedure with two UDF images is not the culprit would
help even if the result is boringly ok, as we expect. (Or we are in for
a surprise ...)


I don't have two UDF images.


Not been following this closely, but I do something very similar and
have never had a problem.

However, immediately after burning the disk I verify it like this:


# $UDFIMAGE (the image that was burnt) and $maxsize (its length in 1 KiB
# blocks) are presumably set earlier in the script, so dd reads back
# exactly the image length rather than the whole medium.
fileSHA=$( sha1sum "$UDFIMAGE" | cut -d' ' -f1 )
cdromSHA=$( dd status=progress if=/dev/cdrom bs=1k count="$maxsize" |
            sha1sum | cut -d' ' -f1 )

STATUS=0

# any difference means the disc is not a faithful copy of the image
[[ "$fileSHA" != "$cdromSHA" ]] && STATUS=1


It's unusual, but I have had instances where the burn has completed
without any issues but the verify has failed. When that happens I got
several failures close together - I've assumed faulty disks.

I write slightly more often than once a month on average and I'm now on
disk 90 - nearly 7 years (prior to that I was using dvd), and I have
never had an issue accessing old backups (which I do from time to time)


Tim




Re: Debian 11: How to disable IPv6

2022-07-09 Thread local10
Jul 10, 2022, 00:51 by charlescur...@charlescurley.com:

>  I do it in part by
> using my own resolver, BIND9, and having it return only IPv4 addresses.
>

How did you do it? I tried to start named with "-4" option to use only ipv4 but 
it refused to start with that option, IIRC.

Regards,



Re: Debian 11: How to disable IPv6

2022-07-09 Thread gene heskett

On 7/9/22 21:00, Greg Wooledge wrote:

On Sat, Jul 09, 2022 at 06:51:22PM -0600, Charles Curley wrote:

On Sat, 9 Jul 2022 15:59:48 -0400
gene heskett  wrote:


Andy, you obviously don't live in ipv4 only territory. Until n-m or
whatever gets trained to auto switch to ipv4 if 6 fails, then we have
no choice but to disable it if we want network connectivity of any
kind outside of our own home nets, in an address block that does not
get thru a router.

Gene, I also live at the end of an IPv4 only connection. By and large I
simply ignore IPv6. You may have an oddball setup, but it is up to you
to housebreak your applications to use IPv4 first. I do it in part by
using my own resolver, BIND9, and having it return only IPv4 addresses.

And every single piece of this discussion is irrelevant to the OP's
issue, which is that their MTA is apparently not listening on 127.0.0.1:25.

IPv6 is a red herring.


I agree with that too Greg, and it's had its 3 days in the fridge,
and is beginning to smell.

Take care & stay well.

Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: Debian 11: How to disable IPv6

2022-07-09 Thread Greg Wooledge
On Sat, Jul 09, 2022 at 06:51:22PM -0600, Charles Curley wrote:
> On Sat, 9 Jul 2022 15:59:48 -0400
> gene heskett  wrote:
> 
> > Andy, you obviously don't live in ipv4 only territory. Until n-m or 
> > whatever gets trained to auto switch to ipv4 if 6 fails, then we have
> > no choice but to disable it if we want network connectivity of any
> > kind outside of our own home nets, in an address block that does not
> > get thru a router.
> 
> Gene, I also live at the end of an IPv4 only connection. By and large I
> simply ignore IPv6. You may have an oddball setup, but it is up to you
> to housebreak your applications to use IPv4 first. I do it in part by
> using my own resolver, BIND9, and having it return only IPv4 addresses.

And every single piece of this discussion is irrelevant to the OP's
issue, which is that their MTA is apparently not listening on 127.0.0.1:25.

IPv6 is a red herring.
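An added diagnostic in the spirit of Greg's and Andy's reading of the log (example code written for this page, not something posted in the thread): it resolves a name the way a client does, tries every returned address, and reports per address family whether the connect succeeded, was refused (nothing bound there, or a firewall answering with RST), timed out, or failed because the address family is unavailable. The errno mapping and the `verdict()` rule are my own simplifications, and `listen_on_loopback()` is a constructed stand-in for an MTA so the check can run offline; restricting `probe()` to `socket.AF_INET` is the application-level equivalent of "use IPv4 first".

```python
import errno
import socket


def classify(err: OSError) -> str:
    """Map a connect() failure to what it says about the listener."""
    if isinstance(err, socket.timeout):
        return "timeout"              # SYN silently dropped, e.g. by a firewall
    code = err.errno
    if code == errno.ECONNREFUSED:
        return "refused"              # nothing bound on that address:port, or a firewall replied with RST
    if code == errno.EAFNOSUPPORT:
        return "family-unsupported"   # kernel has no IPv6 at all (module absent or blacklisted)
    if code in (errno.ENETUNREACH, errno.EADDRNOTAVAIL):
        return "unreachable"          # family exists but that address is not configured (e.g. no ::1)
    if code == errno.ETIMEDOUT:
        return "timeout"
    return f"error:{code}"


def probe(host: str, port: int, family: int = socket.AF_UNSPEC, timeout: float = 2.0) -> list:
    """Resolve host and attempt one TCP connect per returned address.

    Returns [(address, family, status)] in getaddrinfo order, which is the
    order a client such as fetchmail or telnet would try them in.
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as err:
        return [(host, family, f"resolve-failed:{err.errno}")]
    results = []
    for fam, stype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(fam, stype, proto) as sock:   # socket() itself fails with EAFNOSUPPORT
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            status = "listening"
        except OSError as err:
            status = classify(err)
        results.append((sockaddr[0], fam, status))
    return results


def verdict(results: list) -> str:
    """Decide whether the IPv4 loopback listener is the problem, whatever the IPv6 state."""
    v4 = [status for _addr, fam, status in results if fam == socket.AF_INET]
    if "listening" in v4:
        return "ipv4-listener-ok"
    if "refused" in v4:
        return "ipv4-not-listening"   # fix the daemon or the firewall; disabling IPv6 cannot help
    return "inconclusive"


def listen_on_loopback(port: int = 0) -> socket.socket:
    """Constructed stand-in for a daemon bound to 127.0.0.1 (port 0 = ephemeral)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # The check Andy describes; with family=socket.AF_INET the ::1 attempt never happens.
    for addr, fam, status in probe("localhost", 25):
        print(addr, status)
    print(verdict(probe("localhost", 25, family=socket.AF_INET)))
```

Run it against localhost:25 on the affected box: a "refused" on 127.0.0.1 is the MTA or a RST-returning rule, and whatever ::1 reports is a separate matter.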



Re: Debian 11: How to disable IPv6

2022-07-09 Thread Charles Curley
On Sat, 9 Jul 2022 15:59:48 -0400
gene heskett  wrote:

> Andy, you obviously don't live in ipv4 only territory. Until n-m or 
> whatever gets trained to auto switch to ipv4 if 6 fails, then we have
> no choice but to disable it if we want network connectivity of any
> kind outside of our own home nets, in an address block that does not
> get thru a router.

Gene, I also live at the end of an IPv4 only connection. By and large I
simply ignore IPv6. You may have an oddball setup, but it is up to you
to housebreak your applications to use IPv4 first. I do it in part by
using my own resolver, BIND9, and having it return only IPv4 addresses.


-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: Any way to make apt ignore dpkg status file?

2022-07-09 Thread Tim Woodall

On Sat, 9 Jul 2022, Tim Woodall wrote:


Hi

$ APT_CONFIG=../apt/apt.conf.buster.amd64 apt-cache policy dpkg
dpkg:
  Installed: 1.20.10
  Candidate: 1.20.10
  Version table:
 *** 1.20.10 100
        100 /var/lib/dpkg/status
     1.19.8 500
        500 http://aptmirror17.home.woodall.me.uk/local buster/essential amd64 Packages


Is there any way to make this not see the installed version other than
by using -o RootDir?


In case anyone finds this thread:

$ APT_CONFIG=apt/apt.conf.buster.amd64 apt-cache policy dpkg
dpkg:
  Installed: (none)
  Candidate: 1.19.8
  Version table:
     1.19.8 500
        500 http://aptmirror17.home.woodall.me.uk/local buster/essential amd64 Packages

Needs:
Dir::State::Status "file";

file must exist but can be empty.

DPKG_ADMINDIR environment variable doesn't work in this case.

Tim



Re: Problem mounting encrypted blu-ray disc or image

2022-07-09 Thread David Christensen

On 7/9/22 08:41, B.M. wrote:


If you want you can have a look at my script, I attached it to this mail...



I have written several generations of such scripts in Bourne and Perl 
over the past 3+ decades.  They all have obvious and inobvious 
limitations and bugs.



What we both have are programs.  What we really want is programming 
systems product [1] -- especially if we are going to trust it for backup 
and recovery.



Learning and implementing the suggestions in my prior response [2] have 
improved my various scripts, but I have often thought I should just 
migrate to an established and mature FOSS solution:


https://www.linuxlinks.com/backup/


Doing so would:

1.  Give me more confidence in my backups, and the ability to restore.

2.  Once I learned the software, I could just use it and not have to 
debug or upgrade my own software every time I find a bug or want another 
feature.



David


[1] 
https://www.pearson.com/us/higher-education/program/Brooks-Mythical-Man-Month-The-Essays-on-Software-Engineering-Anniversary-Edition-2nd-Edition/PGM172844.html


[2] https://www.mail-archive.com/debian-user@lists.debian.org/msg783600.html



Re: Debian 11: How to disable IPv6

2022-07-09 Thread gene heskett

On 7/9/22 11:31, Andy Smith wrote:

Hello,

On Sat, Jul 09, 2022 at 04:52:27PM +0200, Roger Price wrote:

When I try to start fetchmail I get the error message

  Jul 09 10:22:57 titan fetchmail[7286]:
  reading message
  mail...@rogerprice.org@mail.gandi.net:1 of 7 (8954 octets)
  (log message incomplete)
  Jul 09 10:22:57 titan fetchmail[7286]:
  Connection errors for this poll:
  name 0: connection to localhost:smtp [127.0.0.1/25] failed:
  Connection refused.
  name 1: connection to localhost:smtp [127.0.0.1/25] failed:
  Connection refused.
  Jul 09 10:22:57 titan fetchmail[7286]: SMTP connect to localhost failed

I understand this to mean that my Debian 11 machine cannot connect to itself
on port 25 despite the netfilter rule "iif lo accept", so I assumed it was
an IPv6 problem with fetchmail trying to use IPv6 with exim4.

There's nothing in the above that references IPv6. There isn't a
single IPv6 address in that text. There is an IPv4 address though
(127.0.0.1).


As a check, I tried:

  root@titan ~ telnet localhost 25
  Trying 127.0.0.1...
  Trying ::1...
  telnet: Unable to connect to remote host: Address family not supported by protocol

This shows that nothing is listening on port 25 of 127.0.0.1 (or
it's firewalled with a rule that returns TCP RST) and that there is
something wrong with your IPv6, maybe because you disabled it or
maybe because this variant of telnet you're using doesn't support
it. But whatever the case, it seems like port 25 of your (IPv4)
localhost is the main issue here.

I don't use fetchmail but I guess you are wanting it to connect to
your Exim, so you should check that Exim is actually set to listen
on port 25 of 127.0.0.1.

Thing is, I think that Exim by default does listen on localhost:25
on Debian, so in order for yours to not do that you probably have
altered its config in some way. Or it could be the firewall.


There is nothing I can find in the exim4 configuration that would inhibit IPv6.

You disabling IPv6 inhibits IPv6 but I really don't know what the
fixation is with IPv6 (and why it must be disabled).

Cheers,
Andy

Andy, you obviously don't live in ipv4 only territory. Until n-m or
whatever gets trained to auto switch to ipv4 if 6 fails, then we have no
choice but to disable it if we want network connectivity of any kind
outside of our own home nets, in an address block that does not get thru
a router. Unless the FBI has a special wire into their facility 30 miles
north of me, the nearest ipv6 connection is probably 150 miles north of
me.  Until such time as our local ISP's offer it, we have no choice but
to disable it. It really is that simple.

Take care and stay well Andy.

Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: sda and sdb swapped

2022-07-09 Thread Diederik de Haas
On Saturday, 9 July 2022 20:16:36 CEST Sjoerd wrote:
> No, sda is a 256 GB SSD, sdb a 1 TB hard disk.

To the kernel those are the same category of disk, which is why the
device name is sdX for both.

> > Is it UEFI?
> 
> No, still BIOS.
> Maybe it would be an idea to switch this over to UEFI?
> In the BIOS you can choose between:
> 
> - UEFI
> - LEGACY+UEFI
> 
> And the latter is the one selected.
> But that looks like quite an operation to me.

As far as I can tell that amounts to reinstalling your system from scratch.
So yes, that is quite an operation.
And I am fairly sure it will make no difference with regard to your 'problem'.



Re: sda and sdb swapped

2022-07-09 Thread Sjoerd
Paul van der Vlis wrote:
> Why sda and sdb are sometimes swapped I don't know either, maybe 
> a timing issue. Perhaps tell us what kind of devices they are; are 
> there USB devices among them?

No, sda is a 256 GB SSD, sdb a 1 TB hard disk.

> And what is the boot order in the BIOS?

1. USB stick, but no USB device is connected;
2. That SSD.

I removed the first one from the boot order and put the SSD at 1.
But again it sometimes goes right and sometimes not.

> Is it UEFI?

No, still BIOS.
Maybe it would be an idea to switch this over to UEFI?
In the BIOS you can choose between:

- UEFI
- LEGACY+UEFI

And the latter is the one selected.
But that looks like quite an operation to me.



Re: sda and sdb swapped

2022-07-09 Thread Diederik de Haas
On Saturday, 9 July 2022 18:05:11 CEST Sjoerd wrote:
> The following strange phenomenon occurs. (Debian testing)
> Usually, but not always, I see that sda and sdb are swapped.

You cannot (and must not) assume that the letters consistently point to the
same disk. The kernel 'probes' (discovers) your hardware and then assigns it
a letter. I assume that the first one successfully identified becomes sda.

But there can be various factors that make the identification of a disk take
longer one time than another. Possibly `dmesg` gives an indication of why it
sometimes takes longer than expected.


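Sjoerd's setup survives the swap because fstab uses UUID=; the check a practitioner would want is that no other early-boot file still names a disk by its enumeration letter. The following is an added example (mine, not from the thread) that scans fstab and crypttab text for /dev/sdX-style references in the device column and reports them. The sample file contents are constructed, and the regex covers the kernel names I am aware of (sd, hd, vd, nvme, mmcblk).

```python
import re

# Kernel-assigned names that can change between boots; anything matching these
# in the device column should be replaced by a persistent identifier.
UNSTABLE = re.compile(r"^/dev/(sd[a-z]+|hd[a-z]+|vd[a-z]+|nvme\d+n\d+|mmcblk\d+)(p?\d+)?$")
STABLE_PREFIXES = ("UUID=", "PARTUUID=", "LABEL=", "PARTLABEL=", "/dev/disk/by-", "/dev/mapper/")

# Column (0-based) holding the block device in each file format.
DEVICE_COLUMN = {"fstab": 0, "crypttab": 1}


def unstable_refs(text: str, fmt: str) -> list:
    """Return [(line_no, device)] for entries that name a disk by its enumeration-order letter."""
    col = DEVICE_COLUMN[fmt]
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue                       # blank or comment-only line
        fields = body.split()
        if len(fields) <= col:
            continue                       # malformed line; not this check's job
        device = fields[col]
        if device.startswith(STABLE_PREFIXES):
            continue
        if UNSTABLE.match(device):
            hits.append((no, device))
    return hits


def audit(fstab_text: str, crypttab_text: str) -> dict:
    """Both files at once: a root mounted by UUID but unlocked via /dev/sdX is still fragile."""
    return {"fstab": unstable_refs(fstab_text, "fstab"),
            "crypttab": unstable_refs(crypttab_text, "crypttab")}


# Constructed sample input (not from the thread; Sjoerd's real files are not shown).
SAMPLE_FSTAB = """\
# <file system>  <mount point>  <type>  <options>          <dump> <pass>
UUID=1111-2222   /              ext4    errors=remount-ro  0 1
/dev/sda1        /boot          ext2    defaults           0 2
/dev/sdb8        /data          ext4    defaults           0 2   # only right when sdb is the 1 TB disk
LABEL=swap       none           swap    sw                 0 0
"""

SAMPLE_CRYPTTAB = """\
# <target name>  <source device>  <key file>  <options>
sdb2_crypt       UUID=3333-4444   none        luks
var_crypt        /dev/sdb3        none        luks
"""

if __name__ == "__main__":
    for fname, hits in audit(SAMPLE_FSTAB, SAMPLE_CRYPTTAB).items():
        for no, dev in hits:
            print(f"{fname}:{no}: {dev} -> use UUID=/PARTUUID= or /dev/disk/by-id/...")
```

Feed it the real files with `unstable_refs(open("/etc/fstab").read(), "fstab")`; an empty result for both files means a device-letter swap at boot cannot change which partition gets mounted or unlocked.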

Re: sda and sdb swapped

2022-07-09 Thread Paul van der Vlis

Hi Sjoerd,

On 09-07-2022 at 18:05, Sjoerd wrote:

The following strange phenomenon occurs. (Debian testing)
Usually, but not always, I see that sda and sdb are swapped.

For example, in a 'df' I see that '/' is on sdb2, while I know that
I am on sda2.

In gparted I see that sda and sdb are swapped everywhere.

In 'blkid' sda and sdb are also swapped. That is clearly visible, among
other things, because I have sda1 through sda4 and sdb1 through sdb8, but
'blkid' shows sdb1 through sdb4 and sda1 through sda8.

Even in /dev/disk/by-uuid the links to sdaX and sdbX are swapped.
When it does go right for once, those links are correct again.

After an 'update-grub', hd0 and hd1 are also swapped everywhere in
/boot/grub/grub.cfg.

It is true that everything works. But if I want to mount e.g. sdb8, I get
the message that it does not exist; sdb8 can only be reached via sda8.

Any idea how this can happen? In fstab all partitions that get mounted are
referred to with 'UUID=...'.


Yes, that is why it goes right.

Why sda and sdb are sometimes swapped I don't know either, maybe 
a timing issue. Perhaps tell us what kind of devices they are; are 
there USB devices among them?


And what is the boot order in the BIOS?  Is it UEFI?

Regards,
Paul



--
Paul van der Vlis Linux system administration Groningen
https://vandervlis.nl/



Distributed virtualisation of machines (with different OSes)

2022-07-09 Thread roger . tarani
Hello, 

I am aiming at the following two goals: 
1/ allow Linux users (CLI or GUI) or other Windows users (or macOS, but that 
apparently is a bit of a sticking point) to access their machine, now virtualised 
on a nice Linux server, from any workstation equipped with the appropriate client 
(ssh, x2go, vnc, rdp). 
2/ back up these machines automatically, taking advantage of the capabilities of 
this architecture (take automatic snapshots based on modified blocks; take a 
snapshot; restore a snapshot version); this is a bit vague for me, except that 
the user must be able to choose what he wants to recover (at VM level), or at 
file-system level what he wants to go back to, in the manner of Deja Dup/Timeshift/ 
Back in Time/etc., the Linux equivalent of Apple TimeMachine; which makes me think 
one needs to know a bit more in order to be able to decide! 

I am thinking of libvirt qemu/kvm, which I have already experimented with. 
I struggled for a long time with the drivers (redhat, I believe) and never knew 
whether I had obtained the maximum possible performance. But it worked. 

Questions 
1/ Will the user get indisputable fluidity over a fast network (fibre/ADSL)? Over 
a mobile network (4G/3G)? 
And the usual services (talking to the usual local printer/scanner, video 
conferencing)? 

2/ How to handle the storage-related tasks (Back up/Synchronise/Archive) to make 
this architecture robust? 
A priori, backing up "that" (i.e. the files of the VMs in use) is supported. 
cf. 
https://www.cyberciti.biz/faq/how-to-create-create-snapshot-in-linux-kvm-vmdomain/
 

3/ If I ALSO want all of this to live "on" a robust distributed architecture, 
with at least two servers able to take over from each other, how do I do it? 
I am not talking about an HA cluster with corosync/heartbeat etc., which requires 
low latency, which in turn requires the two nodes to be close to each other in 
order to stay synchronised. 
I am talking about two remote servers, each able to take over from the other 
should it fail. 
All this brings to mind distributed file systems, which I know little or nothing 
about. But it is better to talk about it before than after! I believe these are 
nevertheless orthogonal concerns, since one should be able to run whatever one 
wants on top. 

Thanks 
Regards 
Roger 


Re: Problem mounting encrypted blu-ray disc or image

2022-07-09 Thread Thomas Schmitt
Hi,

B.M. wrote:
> If you want you can have a look at my script, I attached it to this mail...

Will do. (There must be some rational explanation ...)


> "Filesystem full" is not handled at all. Typically if this happens it's
> quite late i.e. most folders are already backuped and I do the following:
> - remove the last lz-file, I never checked if it is corrupted
> - burn the image

No
  cryptsetup luksClose /dev/mapper/BDbackup
between remove and burn ?

---

I wrote:
> > But growisofs formats it [BD-R] by default to 11,826,176 = 23098 MiB =
> > 23,652,352 KiB.

> I didn't know that growisofs gives away a few bytes... Do you know why
> that's the case?

Andy Polyakov decided to format BD-R by default. Possibly because he used
an operating system (IIRC, Solaris) which did not expect that BD-R can be
used for multi-session. So its mount program followed the volume descriptors
starting at block 16 rather than at 16 blocks after the start of the youngest
session.
Whatever, growisofs by default wants to update the volume descriptors at
block 16 of the BD-R and for this uses BD-R Pseudo-Overwrite formatting.
This special feature uses the Defect Management to replace old written blocks
by newly written blocks.

Formatted BD-R cause the drive to perform Defect Management when writing.
This means half write speed at best, heavy clonking with smaller write
quality problems, and often miserable failure on media which work well
unformatted.


> Never heard about xorriso before

It makes ISO 9660 filesystems and burns them to optical media.
I am its developer.


> - from my understanding I could use it instead of growisofs, but with
> larger images?

Be invited. :))
Image burning is handled by its cdrecord emulation mode.

  growisofs -dvd-compat -Z /dev/dvd=$IMGFILE; eject

translates to

  xorriso -as cdrecord -v dev=/dev/dvd -eject $IMGFILE

But xorriso (in particular: libburn) cannot write more bytes to a BD-R
than growisofs with option -use-the-force-luke=spare=none can do.
It's just a matter of program defaults, in this case.
(There are other cases where i think to have outperformed growisofs.)


> > -use-the-force-luke=spare=...

> I didn't use these options.

That's why i riddle why your burns do not fail in the end.
What do you get from a run of

  dvd+rw-mediainfo /dev/dvd

or

  xorriso -outdev /dev/dvd -toc -list_formats

with the burnt BD-R medium in /dev/dvd ?


> General question:
> Do you think I should completely change my script such that it creates lz-
> files, encrypts each of them and then writes them on an unencrypted disc?

We should first find out why your procedure produces a bad encrypted image
when you do your manual overflow handling.

In the case of no overflow it looks perfectly ok. The result has some
advantages over a home-made encryption of file content or the whole
filesystem.
(I am still looking for a stream facility which produces encryption
which can later be put on a block device and decrypted by a /dev/mapper
device. Your way of creating a big image has the disadvantage of needing
extra disk space. Cool would be to write directly to the BD-R. But it
is a block device only for reading, not when it gets written.)

I have a backup use case where i define an encryption filter and apply
it to data file content. The filter makes use of an external encryption
program which can operate on data streams. (In this case it is self-made
from some published encryption algorithm. But any stream capable encryption
program which can read the key from a file should do.)
It is for multi-session. So the /dev/mapper approach will meet more
problems. I doubt that dm-crypt handles growing devices.


Have a nice day :)

Thomas
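To separate "the encrypted container is damaged" from "the decrypted payload is not a UDF volume", here is an added checker (not part of B.M.'s script or anything Thomas posted; it assumes the container is LUKS, as the luksClose above suggests, and that the image or /dev/mapper device can be opened for reading). It recognises a LUKS header by its magic and big-endian version field, and a UDF volume by the 32 KiB zero prologue followed by the ECMA-167 volume recognition sequence (BEA01, NSR02/NSR03, TEA01) at sector 16; on anything else it reports the first non-zero offset so you can see where the expected zeros stop. `make_vsd()` builds constructed descriptors for testing.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"          # bytes 0-5 of a LUKS1 or LUKS2 primary header
SECTOR = 2048                         # ECMA-167 volume structure descriptors are 2 KiB each
VRS_OFFSET = 16 * SECTOR              # 32 KiB reserved prologue, then the Volume Recognition Sequence
VSD_IDS = {b"BEA01", b"NSR02", b"NSR03", b"TEA01", b"BOOT2", b"CD001"}


def luks_version(data: bytes):
    """Return 1 or 2 if data begins with a LUKS header, else None."""
    if len(data) >= 8 and data[:6] == LUKS_MAGIC:
        return struct.unpack(">H", data[6:8])[0]   # version: big-endian uint16 at offset 6
    return None


def udf_vrs(data: bytes, max_descriptors: int = 8) -> list:
    """Collect the standard identifiers of the volume structure descriptors from sector 16 onwards."""
    ids = []
    for i in range(max_descriptors):
        off = VRS_OFFSET + i * SECTOR
        if off + 7 > len(data):
            break
        ident = data[off + 1:off + 6]          # byte 0 is the structure type, bytes 1-5 the identifier
        if ident not in VSD_IDS:
            break
        ids.append(ident.decode("ascii"))
        if ident == b"TEA01":                  # terminating descriptor
            break
    return ids


def first_nonzero(data: bytes, limit: int = VRS_OFFSET):
    """Offset of the first non-zero byte in the prologue, or None if it is all zeros."""
    prologue = data[:limit]
    stripped = prologue.lstrip(b"\x00")
    return None if not stripped else len(prologue) - len(stripped)


def classify(data: bytes) -> dict:
    """Decide what the head of the device looks like: still-encrypted LUKS, a decrypted UDF volume, or neither."""
    version = luks_version(data)
    if version is not None:
        return {"kind": f"luks{version}"}
    ids = udf_vrs(data)
    nz = first_nonzero(data)
    if "BEA01" in ids and any(i.startswith("NSR") for i in ids):
        return {"kind": "udf", "vrs": ids, "prologue_zero": nz is None}
    return {"kind": "unknown", "vrs": ids, "first_nonzero": nz}


def classify_file(path: str) -> dict:
    """Run classify() on the head of an image file or block device, e.g. /dev/mapper/BDbackup."""
    with open(path, "rb") as fh:
        return classify(fh.read(VRS_OFFSET + 8 * SECTOR))


def make_vsd(ident: bytes) -> bytes:
    """Constructed descriptor for tests: type 0, identifier, version 1, zero padding."""
    return b"\x00" + ident + b"\x01" + bytes(SECTOR - 7)
```

Expected on a good set: `classify_file("backup.img")` reports luks1 or luks2, and after luksOpen `classify_file("/dev/mapper/BDbackup")` reports udf with `prologue_zero` true. If the opened device comes back "unknown" with `first_nonzero` None and an empty `vrs`, the decryption produced zeros but no filesystem; if `first_nonzero` is small, the key or header is wrong rather than the UDF driver.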



sda and sdb swapped

2022-07-09 Thread Sjoerd
The following strange phenomenon occurs. (Debian testing)
Usually, but not always, I see that sda and sdb are swapped.

For example, in a 'df' I see that '/' is on sdb2, while I know that
I am on sda2.

In gparted I see that sda and sdb are swapped everywhere.

In 'blkid' sda and sdb are also swapped. That is clearly visible, among
other things, because I have sda1 through sda4 and sdb1 through sdb8, but
'blkid' shows sdb1 through sdb4 and sda1 through sda8.

Even in /dev/disk/by-uuid the links to sdaX and sdbX are swapped.
When it does go right for once, those links are correct again.

After an 'update-grub', hd0 and hd1 are also swapped everywhere in
/boot/grub/grub.cfg.

It is true that everything works. But if I want to mount e.g. sdb8, I get
the message that it does not exist; sdb8 can only be reached via sda8.

Any idea how this can happen? In fstab all partitions that get mounted are
referred to with 'UUID=...'.



Re: ALSA pcm problem

2022-07-09 Thread Dan Ritter
Thomas George wrote: 
> 
> On 7/8/22 7:30 PM, Dan Ritter wrote:
> > Thomas George wrote:
> > > On 7/8/22 5:57 PM, Dan Ritter wrote:
> > > > Thomas George wrote:
> > > > > speaker-test fails
> > 
> > Now try
> > 
> > speaker-test -C2 -Dhw:Generic
> > speaker-test -C2 -Dfront:Generic
> > 
> > and so on to see if you get output that way.
> > 
> > Also check the mixing levels with alsamixer; accidental muting
> > happens.
> > 
> Result of suggested speaker tests: Playback open error: -16, Device or
> resource busy
> 
> alsamixer: OK, no output channels muted

Is that on all attempts down the line of devices?

If so, I would guess that you have something claiming them
already - pulseaudio or jack or pipewire. Check for running
processes.

-dsr-



Re: Problem mounting encrypted blu-ray disc or image

2022-07-09 Thread B.M.
> > > A UDF filesystem image is supposed to bear at its start 32 KiB of zeros.
>
> B.M. wrote:
> > This is indeed the case:
> > [...]
> > For a readable disk, this look like you said: Only zeros.
>
> So it looks like at least a part of the problem is decryption.

Agreed

> > > If UDF does not work even unencrypted,
> >
> > Why should UDF not work correctly without encryption?
>
> It's improbable, i confess.
> But for now we are hunting an unexplainable problem. So we have to divide
> the situation in order to narrow the set of suspects.
>
> Verifying that your procedure with two UDF images is not the culprit would
> help even if the result is boringly ok, as we expect. (Or we are in for
> a surprise ...)

I don't have two UDF images.
In my script I create a file, put an encrypted UDF filesystem into it and start
writing compressed files into it. Unfortunately it can happen (and happened in
the past) that the filesystem got filled up completely.

Beside that, I use a fully encrypted system with several partitions...
Extract from df -h:

Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/sdb2_crypt    28G   23G  3.0G  89% /
/dev/sdb1                447M  202M  221M  48% /boot
/dev/mapper/var_crypt     27G   18G  8.4G  68% /var
/dev/mapper/vraid1-home  1.8T  1.5T  251G  86% /home
/dev/mapper/BDbackup     6.5M  6.5M  2.0K 100% /mnt/BDbackup

(I create the image file as /home/TMP_BKP/backup.img just because that's where
I have enough available space.)

> After the boring outcome you have the unencrypted images to make the next
> step, namely to create /dev/mapper/BDbackup with a new empty image file
> as base, to copy the images into it (e.g. by dd), and to close it.
> Then try whether the two encrypted image files can be properly opened
> as /dev/mapper/BDbackup and show mountable UDF filesystems.
>
> > it's not only the burned disc which is not readable/mountable, it's
> > also the image I created before burning.
>
> So we can exclude growisofs as culprit.
>
> > Might it be possible, that when my UDF filesystem gets filled completely,
> > the encryption get damaged?
>
> That would be a bad bug in the device-mapper code and also such a mishap
> is hard to imagine. The UDF driver is supposed not to write outside its
> filesystem data range. That range would be at most as large as the payload
> of the device mapping.

Doesn't look like that - I tried the following several times:
Create (a much smaller) image file, put an encrypted filesystem in it, fill it
completely with either cp or dd, unmount it, close and re-open with
cryptsetup, then check /dev/mapper/BDbackup: no problems, only hex zeros and
it's mountable.

> > Multi-disc backups are not
> > handled by my script, I have to intervene manually.
>
> That's always a potential source of problems.

> Do i get it right, that your script copies files into the mounted UDF
> and gets a "filesystem full" error ?
>
> What exactly are you doing next ?
> (From where to where are you moving the surplus files ?
> Does the first /dev/mapper device stay open while you create the encrypted
> device for the second UDF filesystem ? Anything i don't think of ... ?)

If you want you can have a look at my script, I attached it to this mail...

Basically, I use extended attributes (user.xdg.tags) to manage which folders
have to get backed up, and write the last backup date into user.xdg.comment. By
comparing file timestamps with these backup dates this allows for incremental
backups.
Then for each folder which should be backed up, I use tar and plzip, writing
into BKPDIR="/mnt/BDbackup".

"Filesystem full" is not handled at all. Typically if this happens it's quite
late i.e. most folders are already backed up and I do the following:
- remove the last lz-file, I never checked if it is corrupted
- burn the image
- reset user.xdg.comment for not yet backed-up folders manually
- execute the script again, burn the so created second image

Since this is quite ugly, I try to prevent it by moving very large lz-files
from /mnt/BDbackup to a temporary location outside of /mnt/BDbackup while the
script is running. When the "create lz-files"-part of my script has finished, I
check if there is sufficient space to move the large files back to /mnt/
BDbackup. If yes I do this, if not I leave them outside, burn the first disc,
then I create a second image manually, put the large files into the empty
filesystem, burn this disc as well. Not perfect at all, I know, but it's
working... and I do this about every 3 or 6 months. Besides that, it's just a
second kind of backup additionally to bi-weekly backups on external, also
encrypted HDDs. (I think with these two kind of backups I'm doing enough to
save our precious personal files, images, videos etc., doing much more than
most people out there ;-)

Honestly I don't see where this process may corrupt the UDF fs or the
encryption. And I don't see an error / bug in my script either.

> >  Or is my filesystem too large?
>
> 25 "GB" 

Re: Debian 11: How to disable IPv6

2022-07-09 Thread Christian Britz



Am 09.07.22 um 16:14 schrieb Andy Smith:

> Sounds like you have a misconfiguration that should be fixed, rather
> than disabling IPv6 to work around it.
> 

I do not know about this case, but there are still situations where
applications have problems with IPv6. For example the proprietary Citrix
client if you go online using the mobile phone.

> That directory exists for me on all of my Debian 11 machines, so I

On mine too.


-- 
http://www.cb-fraggle.de



Re: Debian 11: How to disable IPv6

2022-07-09 Thread Christian Britz



Am 09.07.22 um 15:52 schrieb Roger Price:

> because directory /proc/sys/net/ipv6 doesn't exist. What is the new way of 
> disabling IPv6?

I did it recently just in the way you described on Debian 11.

-- 
http://www.cb-fraggle.de



Re: Debian 11: How to disable IPv6

2022-07-09 Thread Andy Smith
Hello,

On Sat, Jul 09, 2022 at 04:52:27PM +0200, Roger Price wrote:
> When I try to start fetchmail I get the error message
> 
>  Jul 09 10:22:57 titan fetchmail[7286]:
>  reading message
>  mail...@rogerprice.org@mail.gandi.net:1 of 7 (8954 octets)
>  (log message incomplete)
>  Jul 09 10:22:57 titan fetchmail[7286]:
>  Connection errors for this poll:
>  name 0: connection to localhost:smtp [127.0.0.1/25] failed:
>  Connection refused.
>  name 1: connection to localhost:smtp [127.0.0.1/25] failed:
>  Connection refused.
>  Jul 09 10:22:57 titan fetchmail[7286]: SMTP connect to localhost failed
> 
> I understand this to mean that my Debian 11 machine cannot connect to itself
> on port 25 despite the netfilter rule "iif lo accept", so I assumed it was
> an IPv6 problem with fetchmail trying to use IPv6 with exim4.

There's nothing in the above that references IPv6. There isn't a
single IPv6 address in that text. There is an IPv4 address though
(127.0.0.1).

> As a check, I tried:
> 
>  root@titan ~ telnet localhost 25
>  Trying 127.0.0.1...
>  Trying ::1...
>  telnet: Unable to connect to remote host: Address family not supported by 
> protocol

This shows that nothing is listening on port 25 of 127.0.0.1 (or
it's firewalled with a rule that returns TCP RST) and that there is
something wrong with your IPv6, maybe because you disabled it or
maybe because this variant of telnet you're using doesn't support
it. But whatever the case, it seems like port 25 of your (IPv4)
localhost is the main issue here.

I don't use fetchmail but I guess you are wanting it to connect to
your Exim, so you should check that Exim is actually set to listen
on port 25 of 127.0.0.1.

Thing is, I think that Exim by default does listen on localhost:25
on Debian, so in order for yours to not do that you probably have
altered its config in some way. Or it could be the firewall.

> There is nothing I can find in the exim4 configuration that would inhibit 
> IPv6.

You disabling IPv6 inhibits IPv6 but I really don't know what the
fixation is with IPv6 (and why it must be disabled).

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Debian 11: How to disable IPv6

2022-07-09 Thread Greg Wooledge
On Sat, Jul 09, 2022 at 04:52:27PM +0200, Roger Price wrote:
>  Jul 09 10:22:57 titan fetchmail[7286]:
>  Connection errors for this poll:
>  name 0: connection to localhost:smtp [127.0.0.1/25] failed:
>  Connection refused.
>  name 1: connection to localhost:smtp [127.0.0.1/25] failed:
>  Connection refused.

Find out what's going on with your MTA.  You could start with

ss -lnt | grep :25

to see what's listening on port 25, if anything, and which address(es)
it's listening on.

If you don't see anything listening on port 25 at all, then perhaps your
MTA is simply not running.  Use "systemctl status exim4" or whatever
package/service your MTA uses.  (I don't use exim4, so I don't know its
service name.)

If you don't get helpful error messages out of that, try running it as
root.  Sometimes that gives more information.

Also check exim4's configuration, and make sure it has been told to run,
and to listen on port 25 of *all* interfaces.
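
Following Greg's `ss -lnt | grep :25` suggestion, here is an added example (not
from anyone in this thread) that parses `ss -lnt` output and decides whether a
connection to 127.0.0.1:25, the address fetchmail is refused on, could succeed.
The two ss listings are constructed for the example: one reproduces the
symptom (a listener bound only to the IPv6 loopback, which can never answer
on 127.0.0.1), the other is the usual Debian exim4 split-configuration default
of listening on both 127.0.0.1 and ::1. The optional second argument is the
value of net.ipv6.bindv6only, because an IPv6 wildcard socket also accepts
IPv4 connections unless that sysctl is 1.

```shell
#!/bin/sh
# Added example: interpret `ss -lnt` output for a given TCP port.
# Real use on the affected host:
#     ss -lnt | listeners_on_port 25
#     ss -lnt | ipv4_loopback_reachable 25 && echo "127.0.0.1:25 reachable"

# Print the local addresses listening on TCP port $1, one per line, reading
# ss -lnt style output on stdin. The header line is skipped because its first
# column is not LISTEN. IPv6 addresses keep their brackets, e.g. [::1], [::].
listeners_on_port() {
    port=$1
    while read -r state _recvq _sendq laddr _peer _rest; do
        [ "$state" = "LISTEN" ] || continue
        [ "${laddr##*:}" = "$port" ] || continue
        printf '%s\n' "${laddr%:*}"
    done
}

# Exit 0 if a connection to 127.0.0.1:$1 has something to land on:
# an explicit 127.0.0.1 bind, the IPv4 wildcard 0.0.0.0, the any-family
# wildcard "*", or (when net.ipv6.bindv6only=$2 is 0, the Linux default) an
# IPv6 wildcard [::] / :::, which then also accepts IPv4 as v4-mapped
# addresses. A bind to [::1] alone never answers on 127.0.0.1.
ipv4_loopback_reachable() {
    port=$1 bindv6only=${2:-0}
    pattern='127\.0\.0\.1|0\.0\.0\.0|\*'
    if [ "$bindv6only" = "0" ]; then
        pattern="$pattern|\[::\]|:::"
    fi
    listeners_on_port "$port" | grep -qxE "$pattern"
}

# Constructed ss -lnt output: an MTA answering only on the IPv6 loopback.
# This is exactly the shape that yields "connection to localhost:smtp
# [127.0.0.1/25] failed: Connection refused" on a host without IPv6.
SS_V6_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*
LISTEN 0      20     [::1]:25           [::]:*'

# Constructed ss -lnt output: Debian exim4 default, both loopbacks.
SS_BOTH='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      20     127.0.0.1:25       0.0.0.0:*
LISTEN 0      20     [::1]:25           [::]:*'

for sample in "$SS_V6_ONLY" "$SS_BOTH"; do
    if printf '%s\n' "$sample" | ipv4_loopback_reachable 25; then
        echo "127.0.0.1:25 reachable"
    else
        echo "127.0.0.1:25 refused; port 25 listeners: $(printf '%s\n' "$sample" | listeners_on_port 25 | tr '\n' ' ')"
    fi
done
```

If the listing on the real host shows nothing on port 25 at all, the MTA is
not running or not configured to listen, which is Greg's point; if it shows
only [::1]:25, the MTA's listen list has lost its IPv4 loopback entry, and no
amount of IPv6 toggling will fix it.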



Re: Debian 11: How to disable IPv6

2022-07-09 Thread Roger Price

On Sat, 9 Jul 2022, Andy Smith wrote:

> On Sat, Jul 09, 2022 at 03:52:03PM +0200, Roger Price wrote:
>
> > I would like to disable IPv6 adapters in order to persuade
> > fetchmail to talk to exim4.
>
> Sounds like you have a misconfiguration that should be fixed, rather
> than disabling IPv6 to work around it.


It's the misconfiguration that I'm trying to fix. When I try to start fetchmail I 
get the error message


 Jul 09 10:22:57 titan fetchmail[7286]:
 reading message
 mail...@rogerprice.org@mail.gandi.net:1 of 7 (8954 octets)
 (log message incomplete)
 Jul 09 10:22:57 titan fetchmail[7286]:
 Connection errors for this poll:
 name 0: connection to localhost:smtp [127.0.0.1/25] failed:
 Connection refused.
 name 1: connection to localhost:smtp [127.0.0.1/25] failed:
 Connection refused.
 Jul 09 10:22:57 titan fetchmail[7286]: SMTP connect to localhost failed

I understand this to mean that my Debian 11 machine cannot connect to itself on 
port 25 despite the netfilter rule "iif lo accept", so I assumed it was an IPv6 
problem with fetchmail trying to use IPv6 with exim4. As a check, I tried:


 root@titan ~ telnet localhost 25
 Trying 127.0.0.1...
 Trying ::1...
 telnet: Unable to connect to remote host: Address family not supported by protocol

There is nothing I can find in the exim4 configuration that would inhibit IPv6.


   net.ipv6.conf.all.disable_ipv6 = 1
and run sysctl -p as root.  With Debian 11 this generates the error message
   sysctl: cannot stat /proc/sys/net/ipv6/conf/all/disable_ipv6: No such file 
or directory
because directory /proc/sys/net/ipv6 doesn't exist. What is the new way of
disabling IPv6?


That directory exists for me on all of my Debian 11 machines, so I
guess you have something else wrong. Or maybe have already disabled
IPv6 on the kernel command line (don't know if that removes the
net.ipv6 sysfs tree as well).


I have just discovered that in file /etc/default/grub I already have lines

  #  See https://nouveau.freedesktop.org/Bugs.html
  GRUB_CMDLINE_LINUX="log_buf_len=1M ipv6.disable=1 net.ifnames=0 3"

I do not remember adding the ipv6.disable=1 myself.  I do not know where it 
comes from.


Roger
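
An added example (not from anyone in this thread) that settles the two
questions raised above: which mechanism has IPv6 disabled on a box, and how to
take ipv6.disable=1 back out of the GRUB line Roger found. Both functions take
file paths or a line as arguments so they can be exercised on constructed
input; on a live Debian 11 system the inputs are /proc/cmdline,
/proc/sys/net/ipv6/conf/all/disable_ipv6 and the GRUB_CMDLINE_LINUX line of
/etc/default/grub. The sample kernel command line and grub line below are
constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example: tell apart the two ways IPv6 ends up disabled on Debian.
#
# ipv6.disable=1 on the kernel command line stops the ipv6 stack from
# initialising at all, so /proc/sys/net/ipv6 never appears and
# "sysctl -p" with net.ipv6.conf.all.disable_ipv6=1 fails with
# "cannot stat ... No such file or directory". The sysctl route leaves the
# stack loaded and the /proc tree present but strips IPv6 addresses from the
# interfaces. (A third kernel parameter, ipv6.disable_ipv6=1, behaves like the
# sysctl route; it is reported here as "sysctl" if the /proc file says 1.)

# ipv6_mode CMDLINE_FILE DISABLE_IPV6_FILE
# Prints: kernel | sysctl | enabled
ipv6_mode() {
    cmdline_file=$1 disable_file=$2
    for arg in $(cat "$cmdline_file"); do
        case "$arg" in
            ipv6.disable=1) echo kernel; return 0 ;;
        esac
    done
    if [ -r "$disable_file" ] && [ "$(cat "$disable_file")" = "1" ]; then
        echo sysctl; return 0
    fi
    echo enabled
}

# strip_ipv6_disable LINE
# Removes the ipv6.disable=1 token from a GRUB_CMDLINE_LINUX="..." line and
# tidies the whitespace, whether the token is first, last, in the middle or
# the only argument. Write the result back to /etc/default/grub, run
# update-grub, and the change takes effect at the next boot.
strip_ipv6_disable() {
    printf '%s\n' "$1" | sed -E 's/ *ipv6\.disable=1( |")/\1/; s/=" +/="/'
}

# Stand-alone demo on constructed files.
tmp=$(mktemp -d)
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro log_buf_len=1M ipv6.disable=1 net.ifnames=0 3\n' > "$tmp/cmdline"
echo "mode with ipv6.disable=1 on cmdline: $(ipv6_mode "$tmp/cmdline" "$tmp/absent")"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$tmp/cmdline"
printf '1\n' > "$tmp/disable_ipv6"
echo "mode with disable_ipv6=1 in /proc:  $(ipv6_mode "$tmp/cmdline" "$tmp/disable_ipv6")"
echo "cleaned grub line: $(strip_ipv6_disable 'GRUB_CMDLINE_LINUX="log_buf_len=1M ipv6.disable=1 net.ifnames=0 3"')"
rm -rf "$tmp"
```

If ipv6_mode prints "kernel", the sysctl.conf line is not wrong, it simply
has nothing to act on until the kernel parameter is removed and the machine
rebooted.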



Re: Debian 11: How to disable IPv6

2022-07-09 Thread Andy Smith
Hello,

On Sat, Jul 09, 2022 at 03:52:03PM +0200, Roger Price wrote:
> I would like to disable IPv6 adapters in order to persuade
> fetchmail to talk to exim4.

Sounds like you have a misconfiguration that should be fixed, rather
than disabling IPv6 to work around it.

>  net.ipv6.conf.all.disable_ipv6 = 1
> 
> and run sysctl -p as root.  With Debian 11 this generates the error message
> 
>  sysctl: cannot stat /proc/sys/net/ipv6/conf/all/disable_ipv6: No such file 
> or directory
> 
> because directory /proc/sys/net/ipv6 doesn't exist. What is the new way of
> disabling IPv6?

That directory exists for me on all of my Debian 11 machines, so I
guess you have something else wrong. Or maybe have already disabled
IPv6 on the kernel command line (don't know if that removes the
net.ipv6 sysfs tree as well).

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Debian 11: How to disable IPv6

2022-07-09 Thread Greg

On 7/9/22 15:52, Roger Price wrote:
> In a Debian 11 system, I would like to disable IPv6 adapters in order to 
> persuade fetchmail to talk to exim4.  The advice generally given is to 
> add a line to /etc/sysctl.conf
>
>   net.ipv6.conf.all.disable_ipv6 = 1
>
> and run sysctl -p as root.  With Debian 11 this generates the error message
>
>   sysctl: cannot stat /proc/sys/net/ipv6/conf/all/disable_ipv6: No such 
> file or directory
>
> because directory /proc/sys/net/ipv6 doesn't exist. What is the new way 
> of disabling IPv6?


ipv6.disable=1 as a bootarg

Regards



Debian 11: How to disable IPv6

2022-07-09 Thread Roger Price
In a Debian 11 system, I would like to disable IPv6 adapters in order to 
persuade fetchmail to talk to exim4.  The advice generally given is to add a 
line to /etc/sysctl.conf


 net.ipv6.conf.all.disable_ipv6 = 1

and run sysctl -p as root.  With Debian 11 this generates the error message

 sysctl: cannot stat /proc/sys/net/ipv6/conf/all/disable_ipv6: No such file or 
directory

because directory /proc/sys/net/ipv6 doesn't exist. What is the new way of 
disabling IPv6?


Roger



Re: easy package manager for debian based distros

2022-07-09 Thread David Wright
On Sat 09 Jul 2022 at 08:58:36 (-0400), Devin Harper wrote:
[reordered into some sort of logical order]
> please add the most necessary and common examples of package management
> with apt to the synopsis of "man apt".

> the commands that should be in the synopsis are "sudo apt update",
> "apt search [app name]", "sudo apt install [app name]", "sudo apt upgrade",
> "sudo apt remove [app name]", "sudo apt purge [app name]", " sudo apt
> autoremove".

You obviously know what you want this synopsis to look like, so
I suggest you get writing, rather than leaving it up to someone else
to second-guess what it is you want.

> this will act as a readme for all
> debian based distros to use apt as their only package manager.

> then distros can just say read "man apt" upon install and look
> at the synopsis section to tell people how to use their/your package
> manager.

That presumably means that you're going to collate all the options etc
that are documented elsewhere, so that they all appear under man apt.

> then we can get rid of the inferior and discrete guis for package
> management.

> cli package
> management is way better than ubuntu's software package manager for
> example.

You seem to have forgotten about visual tools that are text-based,
such as aptitude. Where do these fit into your grand scheme?

Finally, it's not in the nature of free software to be proscriptive
about what's available. People will continue to write whatever
software they feel like writing despite your judgmentalism.

Cheers,
David.



easy package manager for debian based distros

2022-07-09 Thread Devin Harper
Hi,
please add the most necessary and common examples of package management
with apt to the synopsis of "man apt". This will act as a readme for all
Debian based distros to use apt as their only package manager. CLI package
management is way better than Ubuntu's software package manager, for
example. The commands that should be in the synopsis are "sudo apt update",
"apt search [app name]", "sudo apt install [app name]", "sudo apt upgrade",
"sudo apt remove [app name]", "sudo apt purge [app name]", "sudo apt
autoremove". Then distros can just say read "man apt" upon install and look
at the synopsis section to tell people how to use their/your package
manager. Then we can get rid of the inferior and discrete GUIs for package
management.

sincerely devin wesley harper


Re: Any way to make apt ignore dpkg status file?

2022-07-09 Thread Dan Ritter
Tim Woodall wrote: 
> Hi
> 
> $ APT_CONFIG=../apt/apt.conf.buster.amd64 apt-cache policy dpkg
> dpkg:
>   Installed: 1.20.10
>   Candidate: 1.20.10
>   Version table:
>  *** 1.20.10 100
> 100 /var/lib/dpkg/status
>  1.19.8 500
> 500 http://aptmirror17.home.woodall.me.uk/local buster/essential 
> amd64 Packages
> 
> Is there any way to make this not see the installed version other than
> by using -o RootDir?


/etc/apt/preferences.d/pin-dpkg:
---
Package: dpkg
Pin: version 1.19.8
Pin-Priority: 1001
---

This will eventually bite you when you inevitably forget about
it.

-dsr-



Re: nft newbie

2022-07-09 Thread Roger Price

On Sat, 9 Jul 2022, Gareth Evans wrote:

> Also for any good nft/netfilter overview articles etc.


Have you seen "Mastering Linux Security and Hardening", 2nd Edition, Donald A. 
Tevault, chapter 4.  Suitable for those of us who read this newbie thread.


Roger



Re: nft newbie

2022-07-09 Thread Gareth Evans
On Sat  9 Jul 2022, at 07:17, Gareth Evans  wrote:
[...]
> If there is no drop by default, why add "policy accept" for 
> related/established as it does?  Doesn't this happen anyway?

I suppose this probably modifies behaviour for otherwise closed ports (which 
would make sense for a firewall!) but I can't find much of a high-level 
overview in documentation - man nft, wiki.

I would still be grateful for thoughts from experienced nft users if any issues 
seem to arise from the lack of qualified "policy drop" in input.  Also for any 
good nft/netfilter overview articles etc.

Thanks,
Gareth



Re: nft newbie

2022-07-09 Thread Gareth Evans
Having found ufw suited my needs I have only dabbled with firewalld / 
firewall-config / firewall-applet over the years.

Having noticed the recommendation for firewalld on the debian wiki re nftables 

https://wiki.debian.org/nftables#Use_firewalld

I installed it and had a look at the default ruleset with

$ sudo nft list ruleset

If, as I understand, nftables default policy is accept, 

"NOTE: If no policy is explicitly selected, the default policy accept will be 
used."
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains

firewalld doesn't seem to "drop all input unless allowed" by default, as ufw's 
ruleset with only port 22 opened suggests it does.

If there is no drop by default, why add "policy accept" for related/established 
as it does?  Doesn't this happen anyway?

Isn't this less secure, as it seems?

The nftables wiki suggests "policy drop" for input, but the examples are rather 
restrictive.

https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_workstation

https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server

nmap from another machine confirms only port 22 is open via firewalld (which is 
the default) but is default acceptance in other respects a security risk?

I haven't included rulesets but happy to provide if wanted.

Thanks,
Gareth
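
An added example for the two nft messages above (not from the thread, not
firewalld's generated rules, and not the firewalld/ufw defaults): an input
chain with the default-deny that Gareth is asking about. Under a bare
`policy accept` with no later drop, a `ct state established,related accept`
rule changes nothing, every listening socket on every interface is reachable
and the chain only matters once you add drop rules. In firewalld's generated
ruleset the same accept rule is a shortcut past the zone sub-chains and the
`reject with icmpx type admin-prohibited` rule that closes its input chain, so
firewalld still ends up closed by default, which is what Gareth's nmap showed.
Writing the chain with `policy drop` makes that closed-by-default behaviour a
property of the chain itself rather than of the last rule in it. The ssh port
and the ICMP rules are the only assumptions here; add services by appending
accept rules above the end of the chain.

```nft
#!/usr/sbin/nft -f
# Added example ruleset: default-deny input for a single host.
# Check with:  nft -c -f this-file     (parse only, nothing is loaded)
# Apply with:  nft -f this-file
flush ruleset

table inet filter {
    chain input {
        # Anything that reaches the end of this chain without matching an
        # accept rule is dropped. This is the line that "policy accept"
        # rulesets are missing.
        type filter hook input priority 0; policy drop;

        # Loopback first: local daemons such as an MTA on 127.0.0.1/::1.
        iif "lo" accept

        # Replies to connections this host initiated, and related flows.
        # With policy drop this rule is what makes outbound traffic work;
        # with policy accept it would be redundant.
        ct state established,related accept
        ct state invalid drop

        # Keep ICMP and ICMPv6 (path MTU discovery, neighbour discovery).
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # Services offered to the network (assumed: ssh only).
        tcp dport 22 accept comment "ssh"
    }

    chain forward {
        # This host does not route; drop everything passing through.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound is unrestricted; tighten here if the host should not
        # be able to initiate arbitrary connections.
        type filter hook output priority 0; policy accept;
    }
}
```

Check it with `nft -c -f` before loading, and load it from a console or with a
timed rollback (save `nft list ruleset` to a file first and schedule a reload
of that file) rather than over the ssh session it protects, because a typo in
the `tcp dport 22 accept` line under `policy drop` ends the session. After
loading, `nft list ruleset` should show exactly the rules above, and an nmap
from another machine, as in the original post, should still report only port
22 open.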