Re: Journald's qualities

2024-02-26 Thread Mariusz Gronczewski
On 2024-02-26, at 13:10:43
Anssi Saari wrote:

> Mariusz Gronczewski  writes:
> 
> > Offtopic but since Debian switched to systemd for DNS management on
> > VPNs and such I need to restart it sometimes multiple times to just
> > get "right" DNS servers, because there appears to be no notion of
> > priority:
> >
> > https://github.com/systemd/systemd/issues/27543
> >
> > so now any time I connect to work (just openvpn tunnel, nothing
> > fancy) I need to spam
> >
> > systemctl restart systemd-resolved ; sleep 1 ; cat /etc/resolv.conf
> >
> > few times till the dice rolls the right order of DNS servers...  
> 
> Interesting. I leaped on systemd-networkd and -resolved when I read
> years ago it added interface specific DNS support. So now my local DNS
> (dnsmasq in the router) handles my home network and what goes out via
> the VPN (i.e. tun0 or wg0 these days) uses the VPN's DNS. 

... in what way? You need to resolve DNS first before you know which
interface the traffic is going out of.

> Or if the
> VPN is off, the local DNS forwards queries to DHCP assigned DNS. I
> see no issues although I don't have the kind of VPN where some
> external traffic goes through it only but might work for that too.
> For me the default was that systemd-resolved dutifully spammed all
> DNS queries to all DNS servers through all interfaces.
> 
> This interface specific DNS was a little hard to setup as I
> recall. Easier with WG than OpenVPN.
> 

Our case is basically this:

* some of the records exist only on VPN DNS server (private domains
  pointing to private IPs)
* some of the records exist outside but the VPN DNS returns private
  range IP addresses for them (so-called split-horizon DNS).

So the only right way is to ask the first server on the list. That
worked before systemd-resolved came, as the Debian scripts just put the
VPN's DNS servers at the front. Now it is a throw of the dice any time
the daemon is restarted.

The proper way would be either to:

* ask in order, with components registering the DNS server specifying
  that priority so the daemon can produce the sorted list
* have a way to do per-domain exception and do "if domain is
  *.internal.example.com, ask VPN server's DNS"

The second is possible in dnsmasq but not (AFAIK) in systemd. And
currently neither "make systemd a DNS resolver" nor "use
systemd-resolved provided DNS config" work reliably.

-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu
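
The two fixes proposed above (a registration priority, and a per-domain exception that sends *.internal.example.com only to the VPN's resolver) as an added example; this is not systemd-resolved's or dnsmasq's own logic, and the server addresses, source names and domains are constructed:

```python
"""Deterministic upstream selection for a stub resolver.

Added example, not systemd-resolved's or dnsmasq's own code: it implements the
two fixes proposed in the mail above, a priority supplied by whoever registers
the server and a per-domain exception that routes names under
internal.example.com to the VPN's DNS only. Addresses, sources and domains
are constructed.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Upstream:
    address: str                  # server IP
    source: str                   # which component registered it (openvpn, dhcp, static)
    priority: int                 # lower is asked first
    routing_domains: tuple = ()   # names under these suffixes go only to this server


def _suffix_match_len(name: str, domain: str) -> int:
    """Number of labels matched if `name` equals `domain` or lies under it, else -1.
    Matching whole labels rather than raw string suffixes keeps
    'evilinternal.example.com' from being treated as part of 'internal.example.com'."""
    n = name.rstrip(".").lower().split(".")
    d = domain.rstrip(".").lower().split(".")
    if len(d) <= len(n) and n[-len(d):] == d:
        return len(d)
    return -1


def order_upstreams(name: str, upstreams):
    """Servers to query for `name`, in the order to query them.

    If any server claims a routing domain covering the name, only those servers
    are returned, most specific suffix first. Otherwise every server is returned
    sorted by (priority, address), so the result no longer depends on the order
    in which components registered their servers or on a daemon restart.
    """
    matches = []
    for up in upstreams:
        best = max((_suffix_match_len(name, d) for d in up.routing_domains), default=-1)
        if best >= 0:
            matches.append((best, up))
    if matches:
        matches.sort(key=lambda m: (-m[0], m[1].priority, m[1].address))
        return [up for _, up in matches]
    return sorted(upstreams, key=lambda up: (up.priority, up.address))


# Constructed registrations: the VPN client registers its resolver with a routing
# domain and a higher priority (lower number) than the DHCP-supplied LAN resolver.
VPN_DNS = Upstream("10.8.0.1", "openvpn", priority=10, routing_domains=("internal.example.com",))
LAN_DNS = Upstream("192.168.1.1", "dhcp", priority=50)


def demo(seed: int = 0):
    """Shuffle the registration order to show the answer does not depend on it."""
    ups = [VPN_DNS, LAN_DNS]
    random.Random(seed).shuffle(ups)
    return {q: [u.address for u in order_upstreams(q, ups)]
            for q in ("db.internal.example.com", "deb.debian.org")}


if __name__ == "__main__":
    for seed in range(3):
        print(seed, demo(seed))
```

Whatever order the VPN client and DHCP hand in their servers, `db.internal.example.com` is routed to the VPN resolver alone and everything else gets the VPN resolver first, then the LAN one, which is the behaviour the Debian scripts used to give by writing resolv.conf in that order.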



Re: Postel's Law (Was Re: Inclusive terminology (instead of master/slave) for network bonding/LACP)

2024-02-25 Thread Mariusz Gronczewski
On 2024-02-25, at 11:22:50
Alain D D Williams wrote:

> On Sat, Feb 24, 2024 at 07:44:44PM -0500, Jeffrey Walton wrote:
> > On Sat, Feb 24, 2024 at 7:37 PM Andy Smith 
> > wrote:  
> > >
> > > [...]
> > > Turning back more to protocol design, we have spent decades
> > > walking back Postel's Law as we find more and more ways that
> > > being liberal in what our software accepts is untenable in the
> > > face of a hostile Internet.  
> > 
> > ++. Postel's Law is a disaster nowadays. It was fine back in the
> > 1980's, but it is dangerous in the toxic environments of today.
> > 
> > Here's what we teach our developers: Look for any reason you can to
> > reject the data. If you can't find a reason, then begrudgingly
> > perform the processing or transformation.  
> 
> There is a difference between not doing validation (eg a field being
> numeric) and flexibility (eg a line length being 100 bytes which is
> more than the specified 80 bytes). This is what Postel is talking
> about.

...and how would you even handle it? The DB field is 80 characters, do
you want to just truncate it? Or oversize the DB? What if the DB field
has that 100 bytes but someone sends 101?

If the numeric field can be a hex, dec or oct number or a string representing
one of those (octal representation in particular is satan that claimed
bugs in many projects), together with locale-specific dots, dashes and
commas separating thousands, that's plenty of code that can go wrong vs
"okay this number is in range, job done".

Yes of course there is a difference between validation and flexibility but
flexibility of protocol should only extend to backward compatibility, where
it doesn't cost you too much, and not indefinitely. Not to be flexible
just so someone can half-ass the implementation and still have it
"work" because other servers cover up for the errors with being
"flexible".

There is a case for leeway in user-facing stuff - nobody wants to hunt
for trailing whitespace in their forms just because they dared to
copy-paste - but protocols had way too much leeway *because* most
implementations ignored the second part, "be conservative in what you
do" and frankly sent fucked up stuff that your implementation still 
needed to work with if it was a common open protocol.

e-mail being a particular example, oh the hundreds of problems with "our"
mail servers that could be summed up by "your implementation pisses on
RFC and that's why our mail server doesn't get your mail"...



-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-25 Thread Mariusz Gronczewski
On 2024-02-25, at 07:29:32
 wrote:

> On Sat, Feb 24, 2024 at 06:05:26PM -0500, Karen Lewellen wrote:
> > May I interject a different perspective?
> > what brings greater freedom, asking that words be changed by many,
> > that some see, no matter how justified from their view as harmful?
> > Or teaching those people how to free themselves from being
> > controlled by those words?  
> 
> Not using the words doesn't remove the injustice. I'm not that naïve.
> It's just a question of politeness.
> 
> As an example: I left the Christian religion long time ago. If I
> visit a church (to admire its architecture, for example), I behave
> with a modicum of respect and restrain myself of farting aloud. If I
> visit a mosque (I'm not a Muslim) I take off my shoes.

Great point! I do that too, nor would I flaunt my (non)-religious
beliefs to religious people without being asked.

Now did you know that by you not being a Muslim your entire existence
offends that religion?

So, will you remove or convert yourself, or will you deem that demand
to be unreasonable? I'm gonna assume the latter.

So would you acquiesce that shunning certain words (nigger, faggot etc.)
that are used 99% as insults is reasonable, while leaving ones that
have multiple uses (master, slave, git, gimp) and are not used in
modern speech as insults untouched is a reasonable approach?

-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-25 Thread Mariusz Gronczewski
On 2024-02-25, at 00:27:41
Marco Moock wrote:

> Am Sat, 24 Feb 2024 14:42:39 +0100
> schrieb Emanuel Berg :
> 
> > I think the reason is black people shouldn't be associated
> > with everything negative that is black in language.  
> 
> I can't understand why people draw that association.
> Black as a color is different from the skin and different from illegal
> activities on black markets.
> 

If you decide that there is a problem first, then try to find
"evidence" of it existing, you will always find it. Even if the "evidence"
is "someone somewhere on earth, out of billions of people, used the term
in a racist way once", the fact it normally is not used like that doesn't
matter, a virtual offended minority in their head must've been offended
by that so they by proxy are too and need to fight it.

All so they can tell themselves that they "made a difference" and "made
the world a better place", without doing anything actually meaningful,
while typing on their device made by wage-slavery in some Asian country.

But we're supposed to believe them on their word that there is some
theoretical group of former slaves that somehow made a career as Linux
admins, had to set up bonding and pick the slave interfaces bonded to
it and got PTSD in the process.

And when you ask them which real people are exactly offended by it
and how it is even supposed to help, you get "guys let's not get
political, just do exactly what I said you should do, I'm the expert
here, you peons just abide by my wishes" or "I won't respond to
arguments because you must be racist, and by racist I define 'doesn't
agree with me'".

I don't like religious proverbs but the road to hell is truly paved
with good intentions.

Also I am a member of a minority group called West Slavs, which the term
slave came from, so I hereby grant the Linux kernel unlimited permission
to use that term indefinitely (that was a joke, I don't think any
group should have any power in defining stuff like that).

-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Postel's Law (Was Re: Inclusive terminology (instead of master/slave) for network bonding/LACP)

2024-02-25 Thread Mariusz Gronczewski
On 2024-02-24, at 19:44:44
Jeffrey Walton wrote:

> On Sat, Feb 24, 2024 at 7:37 PM Andy Smith 
> wrote:
> >
> > [...]
> > Turning back more to protocol design, we have spent decades walking
> > back Postel's Law as we find more and more ways that being liberal
> > in what our software accepts is untenable in the face of a hostile
> > Internet.  
> 
> ++. Postel's Law is a disaster nowadays. It was fine back in the
> 1980's, but it is dangerous in the toxic environments of today.
> 

Postel's law works on user-interfaced data far better than protocols. 

> Here's what we teach our developers: Look for any reason you can to
> reject the data. If you can't find a reason, then begrudgingly perform
> the processing or transformation.

On the flip side it's a terrible idea to do that on user-entered data. Yes,
security-wise it's a great idea, but usability-wise it generates
annoyances at every step. Like, if say a user enters data (say a token
from mail 2FA) with extra spaces, the "accept only the perfectly good
data" approach would prompt them to sod off and try again, instead of
just cutting the whitespace out and checking the token.

Similarly if the site requires a bank account number most people don't
type it, they copy it; not accepting the long string of numbers just
because it had some whitespace added for better presentation just
annoys the users. And that pre-processing often (if it is a website)
can be done client side so server code can keep its tight and secure
processing without compromising.


-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu
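
The approach argued for in this mail and in the earlier Postel's Law reply (strict on the protocol side, lenient only about presentation on user-entered data) as an added example, not code from either mail: the only thing forgiven is whitespace, after which the value has to match a strict grammar, and secrets are compared in constant time. The OTP and IBAN values are constructed (the IBAN is the ISO 13616 documentation example):

```python
"""Lenient normalisation at the edge, strict validation behind it.

Added example (not code from the thread): a typed or pasted value first has its
presentation whitespace stripped, then must pass a strict grammar, and a secret
is compared in constant time. Sample values are constructed.
"""
import hmac
import re

_OTP_RE = re.compile(r"[0-9]{6}")                      # ASCII digits only; no Unicode digit look-alikes
_IBAN_RE = re.compile(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}")


def strip_presentation_whitespace(raw: str) -> str:
    """Remove every whitespace character, including the NBSPs and tabs that ride
    along with copy-paste from web pages and PDFs. This is the only leniency granted."""
    return "".join(raw.split())


def normalize_otp(raw: str):
    """Return the six-digit code, or None if anything other than whitespace is off."""
    code = strip_presentation_whitespace(raw)
    return code if _OTP_RE.fullmatch(code) else None


def verify_otp(submitted: str, expected: str) -> bool:
    """A malformed submission is rejected outright; a well-formed one is compared
    in constant time so the check leaks nothing about where it diverged."""
    code = normalize_otp(submitted)
    if code is None:
        return False
    return hmac.compare_digest(code.encode(), expected.encode())


def normalize_iban(raw: str):
    """Accept 'GB82 WEST 1234 5698 7654 32', lower case and odd whitespace; reject
    anything that fails the ISO 13616 shape or the mod-97 check.
    Returns the canonical IBAN or None."""
    iban = strip_presentation_whitespace(raw).upper()
    if not _IBAN_RE.fullmatch(iban):
        return None
    # Move the country code and check digits to the end, map A..Z to 10..35.
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return iban if int(numeric) % 97 == 1 else None


if __name__ == "__main__":
    print(normalize_otp(" 123 456 "), verify_otp("123\u00a0456", "123456"))
    print(normalize_iban("gb82 west 1234 5698 7654 32"), normalize_iban("GB82 WEST 1234 5698 7654 33"))
```

The split the mail describes falls out naturally: `strip_presentation_whitespace` is what a browser-side script would run before submitting, and the server can run exactly the same strict `normalize_*` functions and still refuse anything it does not recognise.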



Re: medically smart watches

2024-02-24 Thread Mariusz Gronczewski
On 2024-02-24, at 12:06:16
gene heskett wrote:

> On 2/24/24 11:03, Loïc Grenié wrote:
> > On Sat Feb 24th, 2024, at 16:03, Gene Heskett wrote:
> > 
> > Greetings all;
> > 
> > As most of you know I'm a DM-II, but the recent shortage of
> > trulicity, a
> > weekly self administerd shot that helps regulate one's blood
> > guclose levels has got us scrambling for alternatives.  So a month
> > back I bought
> > one of the so called smart watches that purports to monitor
> > blood sugar.
> > 
> > 
> > "purports" appears to be the correct verb
> > https://www.fda.gov/medical-devices/safety-communications/do-not-use-smartwatches-or-smart-rings-measure-blood-glucose-levels-fda-safety-communication
> >  
> I got a msg from our state AG warning me about these, but it was 2
> days after I had ordered this thing. Too little warning, too late,
> but I'm the curios type, and this device looks good so I would like
> to see how it compares with the antique finger prick model we've been
> using since Hector's great grandfather was a puppy.. New tech
> sometimes work pretty good while the FDA seems to try to protect old
> tech.
> >     (as for the rest of the mail, I have no idea whatsoever).
> > 
> >    Loïc  
> 
> Cheers, Gene Heskett, CET.

This steers vastly into offtopic but here is a video of someone testing
one: https://www.youtube.com/watch?v=sWadFt4vBtY

TL;DR both tested watches were so far off the mark they are probably
dangerous.

-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-24 Thread Mariusz Gronczewski
On 2024-02-24, at 14:42:39
Emanuel Berg wrote:

> jeremy ardley wrote:
> 
> >> But what about the black market? Or does in fact "block
> >> market" work just fine?  
> >
> > The term "black market" is from World War II - i.e. 1939-45.
> > It has nothing to do with slaves. It means transactions in
> > the dark, not visible,  not official.  
> 
> I think the reason is black people shouldn't be associated
> with everything negative that is black in language.

They are not associated with everything negative. The people that want
those changed just assume that people think that. I assure you normal
people don't see the word "black" attached to something and
automatically think it means something about the people. 

People wanting to change common inoffensive terms just assume everyone
else *must* be racist so they play the pretend game and imagine that if
their idealized proxy for a minority that they imagined in their heads
would get offended, then it needs to be changed.

One of the recent (and also not so recent, as a similar thing was tried a few
decades before with the same character) examples of that was when some
activists decided "surely Speedy Gonzales' stereotypical presentation
of Mexicans is racist, let's remove it".

Someone imagined the people portrayed might be offended, decided to not
ask anyone (or asked the single offended person they could find in hundreds)
in the actual demographic, then removed it. Then the activists patted
themselves on the back after doing good in the world.

Then the minority told them to sod off and bring it back because that's
the opposite of what they wanted, and all they ended up doing is pissing
off or wasting the time of everyone involved.

As for that particular phrase, I'm guessing black market came from being
under cover of darkness, underground or otherwise secluded area, but
I'm no etymologist. People just like short descriptive terms and don't
care much about the source of words.

Slave kinda came from that too; in many hardware setups it does
actually mean "the device's every action is directed by the master" and
not just "a replica or a secondary node", like for example in the SPI or
I2C protocol the master is the only one putting read/write commands on the
bus and the slave device just responds to orders. You could maybe replace it
with thrall but I'm sure someone would be offended on behalf of someone
else by that too somehow...

-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Journald's qualities (was: Selective rotation of journald logs)

2024-02-24 Thread Mariusz Gronczewski
On 2024-02-23, at 15:05:52
Nicholas Geovanis wrote:

> On Fri, Feb 23, 2024, 2:57 PM Dan Ritter  wrote:
> 
> > Stefan Monnier wrote:  
> > > Makes one wonder why they don't use naive append-only "plain
> > > text" logs (tho with appropriate delimiters (maybe some kind of
> > > CSV) to make searches more reliable than with old-style plain
> > > text logs)?
> > >
> > > What are the advantages of journald's representation?
> > > I mean, to justify the slow search and large disk space usage,
> > > there is presumably some upside for some use cases.  I can see
> > > some weak argument against Sqlite based on the size of Sqlite,
> > > but what are the advantages of journald's representation compared
> > > to a naive one?  
> >
> >
> > systemd's design philosophy, observed from the outside, goes
> > like this:
> >  
> 
> bunch trimmed.
> 
> Exactly correct in my view. Systemd's use-case is the desktop, not the
> server in the datacenter. They will be using log-aggregation software
> in the datacenter anyway so no use for systemd logging. We don't
> install desktop software on servers either, no X Windows, no gnome,
> etc. Network connections are stable, no roaming :-)
> 
> Long-term logs are for servers, so systemd doesn't want them.

Right but it would be nice if it could at least forward them upstream
then! Your choices are

* use rsyslog, which does everything better than journald, including
  writing to many different databases directly, just to forward to
  remote host.
* set up a super special listener for the super special journald remote log
  sending method that nothing but journald supports

If it just supported standard, common protocols like the RFC5424 flavour
(that adds structured data to entries), or hell, just "send a JSONed
log to that address", I could just have a bunch of my "small" devices
run journald-only and send it to a central logging server. But no dice,
even my router needs to run an extra daemon just to forward logs.

Actually, having pluggable "backends" would solve a lot of that, dumb
little IoT device could just have "a text file" or remote output
implemented as write method and "grep the text file" as query method.
Or DBI plugin that could write to SQLite and query it back. Or just
remote log plugin that returned "sorry, your logs are in another
castle" on query. But that's just building rsyslog but worse at that
point...

I wish I disliked C less than I miss those features...
-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu
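
What "the RFC5424 flavour that adds structured data" would look like for a journal entry, as an added example (not journald's or rsyslog's code): the real journal field names from systemd.journal-fields(7) are mapped onto the RFC 5424 header, everything else becomes an SD-ELEMENT, and the parts an attacker-controlled message could abuse (control characters, the three escaped characters inside PARAM-VALUE, oversize header fields) are constrained. The SD-ID uses 32473, the enterprise number IANA reserves for documentation, as a stand-in for a real PEN; the sample record is constructed.

```python
"""Forwarding a journal entry as RFC 5424 syslog with structured data.

Added example, not journald's or rsyslog's code. Field names are the real
journal field names (systemd.journal-fields(7)); the SD-ID uses 32473, the
enterprise number IANA reserves for documentation, as a placeholder for a
real PEN. The sample record is constructed.
"""
import datetime

NIL = "-"
DOC_PEN = "32473"   # documentation enterprise number; a real deployment uses its own PEN

# Fields that feed the header rather than the structured-data element.
HEADER_FIELDS = {"MESSAGE", "PRIORITY", "SYSLOG_FACILITY", "SYSLOG_IDENTIFIER", "_PID",
                 "_HOSTNAME", "__REALTIME_TIMESTAMP", "__MONOTONIC_TIMESTAMP", "__CURSOR"}


def _one_line(text: str) -> str:
    """Control characters, CR and LF in a message would let one entry forge another at
    the receiver or split an LF-framed stream; replace them with spaces."""
    return "".join(c if (ord(c) >= 0x20 and c != "\x7f") else " " for c in text)


def _print_ascii(value: str, maxlen: int, forbid: str = "") -> str:
    """Constrain a header field to PRINTUSASCII (0x21..0x7E) of bounded length, or NILVALUE."""
    cleaned = "".join(c for c in value if 0x21 <= ord(c) <= 0x7E and c not in forbid)[:maxlen]
    return cleaned or NIL


def _sd_name(value: str) -> str:
    # SD-ID / PARAM-NAME: 1..32 PRINTUSASCII characters, never '=', ' ', ']' or '"'.
    return _print_ascii(value, 32, forbid='= ]"')


def _sd_value(value: str) -> str:
    # PARAM-VALUE: escape the three characters RFC 5424 section 6.3.3 singles out.
    value = _one_line(value)
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def _timestamp(realtime_us: str) -> str:
    """__REALTIME_TIMESTAMP is microseconds since the epoch; emit RFC 3339 in UTC."""
    epoch = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
    ts = epoch + datetime.timedelta(microseconds=int(realtime_us))
    return ts.strftime("%Y-%m-%dT%H:%M:%S") + ".%06dZ" % ts.microsecond


def journal_to_rfc5424(rec: dict) -> str:
    severity = int(rec.get("PRIORITY", 6)) & 7          # journal PRIORITY is the syslog severity
    facility = int(rec.get("SYSLOG_FACILITY", 1)) & 0x7F
    header = " ".join([
        f"<{facility * 8 + severity}>1",
        _timestamp(rec["__REALTIME_TIMESTAMP"]) if "__REALTIME_TIMESTAMP" in rec else NIL,
        _print_ascii(str(rec.get("_HOSTNAME", "")), 255),
        _print_ascii(str(rec.get("SYSLOG_IDENTIFIER", "")), 48),
        _print_ascii(str(rec.get("_PID", "")), 128),
        NIL,                                             # MSGID: the journal has no equivalent
    ])
    extras = sorted((k, v) for k, v in rec.items() if k not in HEADER_FIELDS)
    if extras:
        params = " ".join(f'{_sd_name(k)}="{_sd_value(str(v))}"' for k, v in extras)
        sd = f"[journal@{DOC_PEN} {params}]"
    else:
        sd = NIL
    return f"{header} {sd} {_one_line(str(rec.get('MESSAGE', '')))}"


def frame_octet_counting(msg: str) -> bytes:
    """RFC 6587 octet-counting framing for TCP: a length prefix, so the receiver never
    has to trust a newline to find the end of a record."""
    data = msg.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


# Constructed sample record in the shape `journalctl -o json` produces.
SAMPLE_RECORD = {
    "__REALTIME_TIMESTAMP": "1708695421000000",   # 2024-02-23T13:37:01Z
    "PRIORITY": "6", "SYSLOG_FACILITY": "4", "SYSLOG_IDENTIFIER": "sshd",
    "_PID": "1234", "_HOSTNAME": "cthulhu", "_UID": "0", "_SYSTEMD_UNIT": "ssh.service",
    "MESSAGE": "Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
}

if __name__ == "__main__":
    print(journal_to_rfc5424(SAMPLE_RECORD))
    print(frame_octet_counting(journal_to_rfc5424(SAMPLE_RECORD)))
```

The header comes out as `<38>1 ...` because facility 4 (auth) times 8 plus severity 6 (info) is 38; the remaining journal fields travel in the `[journal@32473 ...]` element, so a receiver such as rsyslog can index them without parsing the free-text message.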



Re: Journald's qualities

2024-02-24 Thread Mariusz Gronczewski
On 2024-02-23, at 23:02:49
Jeffrey Walton wrote:

> 
> Systemd also provides tamper-resistant logs. The property is often
> desirable in the enterprise. See Forward Secure Sealing,
> <https://lwn.net/Articles/512895/>.
> 
> Jeff
> 

I had mentioned that feature. I haven't seen it in the wild or as a
requirement, ever, and we work with a few of the local banks deploying
apps on their infrastructure.

It's *basically* always "send the logs to audit server". rm -rf
/var/log does not care about tamper proofing either.

IMO it's a feature that should be a separate plugin that the people
that need it can just load and use. There is no reason to have it in
default logging format or carry the burden of code for it in core.

Now, a tamper-proof *wire* format, that could be useful (if enough other
software supported it). Rsyslog has RELP
(https://en.wikipedia.org/wiki/Reliable_Event_Logging_Protocol) that we
use as it fixes a few of the issues with sending logs via TCP/TLS
(an interrupted connection can lose up to a buffer's worth of logs); having
on top of that the information "hey, some of the blocks of that log were
lost before being sent" would be useful. For that all that would be
needed is to FSS the send queue of the logger (which wouldn't be queried so it
could be nice and compressed), not the entire on-disk format.

Then again journald can't even send (AFAIK) using the normal syslog protocol
as the author decided to XKCD#927 that too...

-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu
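
The property asked for above, a sealed send queue where the receiver can tell that "some of the blocks were lost before being sent", as an added example. It is a simplified forward-secure tag chain built from HMAC and a hash ratchet, not systemd's Forward Secure Sealing (which uses a different construction) and not RELP; the key and log records are constructed.

```python
"""A forward-secure tag chain over a log send queue.

Added example, not systemd's FSS implementation and not RELP. The sender tags
each queued record with a key it then ratchets forward and erases, so a later
compromise of the sender cannot forge tags for records already queued. The
receiver, holding only key 0, recomputes the chain and learns the position of
the first altered, reordered or missing record. Key and records are constructed.
"""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size
_GENESIS = b"\x00" * TAG_LEN       # "previous tag" for the first record


def ratchet(key: bytes) -> bytes:
    """One-way key step: key_{i+1} = H("ratchet" || key_i). Knowing key_{i+1}
    gives no way back to key_i, which is what makes earlier tags unforgeable."""
    return hashlib.sha256(b"fss-ratchet|" + key).digest()


def _tag(key: bytes, index: int, prev_tag: bytes, record: bytes) -> bytes:
    # Binding the index and the previous tag is what makes deletion and reordering visible.
    return hmac.new(key, index.to_bytes(8, "big") + prev_tag + record, hashlib.sha256).digest()


class Sealer:
    """Sender side: holds only the *current* key; each used key is overwritten."""

    def __init__(self, key0: bytes):
        self._key = key0
        self._prev = _GENESIS
        self._index = 0

    def seal(self, record: bytes):
        """Return (index, record, tag) for the next queued record and advance the key."""
        entry = (self._index, record, _tag(self._key, self._index, self._prev, record))
        self._key = ratchet(self._key)    # the key that tagged this entry is now gone here
        self._prev = entry[2]
        self._index += 1
        return entry


def seal_all(records, key0: bytes):
    sealer = Sealer(key0)
    return [sealer.seal(r) for r in records]


def verify(entries, key0: bytes):
    """Receiver side. Returns None if the chain is intact, otherwise the 0-based
    position of the first entry that is missing, out of order, modified or forged."""
    key, prev = key0, _GENESIS
    for position, (index, record, tag) in enumerate(entries):
        if index != position:
            return position      # gap or reordering: something was dropped or swapped
        if not hmac.compare_digest(_tag(key, index, prev, record), tag):
            return position      # record or tag altered, or produced with the wrong key
        key, prev = ratchet(key), tag
    return None


# Constructed demo data.
KEY0 = bytes(range(32))
RECORDS = [
    b"sshd: Accepted publickey for alice",
    b"sudo: alice : COMMAND=/bin/systemctl restart nginx",
    b"sshd: Disconnected from user alice",
    b"kernel: nf_conntrack: table full, dropping packet",
]

if __name__ == "__main__":
    sealed = seal_all(RECORDS, KEY0)
    print("intact:", verify(sealed, KEY0))
    print("record 1 dropped:", verify(sealed[:1] + sealed[2:], KEY0))
```

One limitation worth knowing: cutting the queue at its tail (dropping the newest records) is invisible to `verify`, because nothing after the cut exists to break the chain. A real scheme closes that hole with periodic sealing of an epoch marker or by telling the receiver how many records to expect, which is what the time-based sealing in FSS is for.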



Re: Journald's qualities (was: Selective rotation of journald logs)

2024-02-24 Thread Mariusz Gronczewski
On 2024-02-23, at 12:34:34
Dan Ritter wrote:

> Stefan Monnier wrote: 
> > Makes one wonder why they don't use naive append-only "plain text"
> > logs (tho with appropriate delimiters (maybe some kind of CSV) to
> > make searches more reliable than with old-style plain text logs)?
> > 
> > What are the advantages of journald's representation?
> > I mean, to justify the slow search and large disk space usage,
> > there is presumably some upside for some use cases.  I can see some
> > weak argument against Sqlite based on the size of Sqlite, but what
> > are the advantages of journald's representation compared to a naive
> > one?  
> 
> 
> systemd's design philosophy, observed from the outside, goes
> like this:
> 
> - assume that the machine is a laptop or mobile device that is
> always changing: moves from network to network, plugs and
> unplugs devices, goes to sleep and is woken up

I had thought similar thoughts many times when using it. But some of
the stuff that derived from that is pretty useful; for example we had a
service that downloaded encryption keys from a central server to unlock
the hard drive and the sysV version was a bit of a mess (if the service didn't
run on boot there was no unlocked volume to mount), while in systemd
the dependencies allow it to automatically bring it up when the mount is
requested, and the mount will also be automatically done if a service
using it is started (if it has correct RequiresMountsFor entries). So
some actually useful stuff for more "constant config" machines had
flowed from that.

> - disk space is limited, but cpu time is free

In which way? It doesn't care about wasting space, but it does assume
you have blazing fast storage or else journal related ops are sluggish
(and waste disk cache as it just reads hundreds of MBs to find the last few
lines of the logfile).

> - the network knows better than local config

Offtopic but since Debian switched to systemd for DNS management on
VPNs and such I need to restart it sometimes multiple times to just get
"right" DNS servers, because there appears to be no notion of priority:

https://github.com/systemd/systemd/issues/27543

so now any time I connect to work (just openvpn tunnel, nothing fancy)
I need to spam

systemctl restart systemd-resolved ; sleep 1 ; cat /etc/resolv.conf

few times till the dice rolls the right order of DNS servers...

XANi



-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Mariusz Gronczewski
On 2024-02-23, at 14:50:12
fxkl4...@protonmail.com wrote:

> On Fri, 23 Feb 2024, Andy Smith wrote:
> 
> > Hi,
> >
> > On Thu, Feb 22, 2024 at 11:19:16AM +0100, Ralph Aichinger wrote:  
> >> I know this is a loaded topic. I really don't want to discuss the
> >> political aspects of the "why",  
> >
> > No surprise that there are a lot of people in this thread with very
> > strong feelings that they simply must tell us about, even though you
> > asked them not to, and very little to say on the actual technical
> > facts they claim to care about.   
> 
> too many people have nothing constructive to do
> so they spend their days stirring the pile
> idle hands and all that
> 

Yeah, like asking other people to make changes because they want to be
activists on the internet but can't be bothered to put in the effort to do
anything that actually helps anyone.

-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Mariusz Gronczewski
On 2024-02-23, at 14:44:03
Andy Smith wrote:

> Hi,
> 
> On Thu, Feb 22, 2024 at 11:19:16AM +0100, Ralph Aichinger wrote:
> > I know this is a loaded topic. I really don't want to discuss the
> > political aspects of the "why",  
> 
> No surprise that there are a lot of people in this thread with very
> strong feelings that they simply must tell us about, even though you
> asked them not to, and very little to say on the actual technical
> facts they claim to care about. 

"Do what I say, discussion is not allowed because I don't want to make
a sensible arguments!" 

"Damn those people using reason and questioning what I want, just do
what I say!"

Yes, completely unsurprising as those kinds of demands always come from
those kinds of unreasonable people.

Fork a kernel, do your changes and see how many are interested.


-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Journald's qualities (was: Selective rotation of journald logs)

2024-02-23 Thread Mariusz Gronczewski
t stuff.
PITA to get chronological order though, every approach really has
some drawbacks and benefits.

But honestly ? Send it to central logger and worry there if you have a
chance, especially if you do some parsing there can be some amazing
productivity gains to be had.

We took a bunch of work to have every firewall log parsed into the right
columns but now answering questions like "at which firewall is this
traffic blocked?" is a breeze.

Of course, not really an option for smaller stuff

-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Selective rotation of journald logs

2024-02-23 Thread Mariusz Gronczewski
On 2024-02-23, at 14:23:07
Nicolas George wrote:

> Mariusz Gronczewski (12024-02-23):
> > Like, really what kind of person gets angry when they get too much
> > details in instruction?  
> 
> What kind of person writes pages of angry mail when the details are
> not liked?
> 

That would be you; things like "conversation" and "having the common
courtesy to answer questions instead of ignoring ones you don't like"
seem like a foreign concept to you too. Now please just be quiet as this
is just spam at this point and the question has already been answered.

-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Selective rotation of journald logs

2024-02-23 Thread Mariusz Gronczewski
On 2024-02-23, at 14:09:45
Nicolas George wrote:

> Greg Wooledge (12024-02-23):
> > Have you even *read* this mailing list?  Most of the people who ask
> > for help here lack experience that you might consider "baby
> > sysadmin" level, and would greatly appreciate the explanations.  
> 
> It is usually quite easy to tell the difference by the phrasing and
> accuracy of the question.
> 

It does. It looked like a person that can't comprehend the manual they
have been given nor use Google.



-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Selective rotation of journald logs

2024-02-23 Thread Mariusz Gronczewski
On 2024-02-23, at 14:03:50
Nicolas George wrote:

> Greg Wooledge (12024-02-23):
> > What was "blind" about his anaylsis?  It looked pretty well thought
> > out to me.  He showed actual examples of how space-inefficient it
> > is, and provided a theoretical example of how one misbehaved
> > service could flush out the important logs of well-behaved
> > services.  
> 
> The selective blindness here is to look only at the bad things. The
> drawbacks mentioned exist, but they are in part there for reasons, in
> order to fix the issues of the previous solutions.

I wrote about the stuff you explicitly asked, saving the logs on disk,
because you apparently can't stand a conversation about alternatives.

First you bitch that I wrote about "the old stuff you know", now you bitch
about not going through the entire manpage of journalctl features. Decide.

> 
> An analysis that mentions only the bad things and conclude to
> recommend using the previous solutions without even discussing their
> own drawbacks is not worth our time.
> 

The selective blindness is your problem, not "ours". You decided "old
stuff" didn't work for you and got into a shouting match when I described
to you in excessive detail why what you want to do is impossible under
systemd.

And you got angry that someone described to you why you can't do that.

> > If anything, the person who's blindly following a path is *you*.
> > You're looking to do something that multiple people have said is
> > not possible,  
> 
> Multiple?
> 
> > and when they offer you an alternative, your claws come out.  
> 
> When somebody spends one line answering the question and then pages
> “offering an alternative” by explaining things a baby sysadmin would
> already know, I deduce they are not much above the level of baby
> sysadmin themselves, and it cancels any trust I could have put in the
> one-line answer.
> 

I assumed that you are a beginner because if you had read the manpage of
journald/ctl you would know what you are asking is not possible. And
the fact you haven't mentioned any other "traditional" way of doing it
made it look like that too, a newbie Linux user that didn't know it
existed.

So I wrote it with the detail needed for a beginner to do the job.

I would say I am sorry for mistaking your "skill" level but you have already
proven that the ability to read the documentation with understanding is above
you, so I am not.

Like, really what kind of person gets angry when they get too much
detail in instructions?


-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Selective rotation of journald logs

2024-02-23 Thread Mariusz Gronczewski
On 2024-02-23, at 13:48:35
Nicolas George wrote:

> Mariusz Gronczewski (12024-02-23):
> > So to say it short: It is horrid.  
> 
> Generic bashing of systemd in favor of a blind cult of the good old
> ways are not what I am looking for either, and the unbalanced tone of
> your reply makes it look like precisely that.
> 

What was "blind" about it? I had now years of experience on few
hundreds systems dealing with it from basically since it was included
in Debian.

I assume you're one of those ignorants that assume any critique of 
product means that I somehow "hate" it  and everything around it without 
reason and that is frankly disgusting.

Systemd saved us thousands of lines of code thanks to its many useful
features and cut down whole swathes of bugs commonly made in "simple"
SysV systems and I'd recommend it on any alternative in a flash.

But journalctl is just not one of them and the way it
stores the data looks like an amateur really wanted towanted to write a
file format/database/querying system and failed at all of that, instead
of slapping SQLite (or any other existing established embedded
database) on it and calling it a day. Hell "a bunch of texfiles
prefixed with program name would've been an improvement. That's even
before we got into whole log duration management that I already
mentioned.

I *want* it to be good, system like that that is also efficient and
easy to query would be a dream for embedded system but it. is. just.
not. that. At the moment.

-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Selective rotation of journald logs

2024-02-23 Thread Mariusz Gronczewski
On 2024-02-23, at 13:02:00
Nicolas George wrote:

> Mariusz Gronczewski (12024-02-23):
> > That is not a feature systemd's logging have.  
> 
> That is what it seems, but I would like second opinions.
> 
> > You'd have to make a
> > rsyslogd rule to put it in one directory  
> 
> Thanks, but my question was about systemd's infrastructure. Answers
> about the old systlog/logrotate infrastructure are a waste of time
> since I already know how they work and they are amply documented
> elsewhere.
> 

So to say it short: it is horrid. There is no sensible indexing or
split between services or anything. A single spamming service can easily
make it rotate out more important but much rarer log entries and
there is nothing you can do about it.

It is also woefully inefficient, with each "line" of log taking a few
times more than it does in text or even if thrown into an SQLite database.

For example:

[13:37:01]cthulhu:/var/log/journal☠ ls -s -h /tmp/log.sqlite
79M /tmp/log.sqlite
[13:37:12]cthulhu:/var/log/journal☠ sqlite /tmp/log.sqlite 'select count(*) from log'
386351
journalctl |wc -l
381770
[13:37:48]cthulhu:/var/log/journal☠ journalctl |dd of=/dev/zero bs=1M
0+15442 records in
0+15442 records out
63643115 bytes (64 MB, 61 MiB) copied, 5,47791 s, 11,6 MB/s
du -h /var/log/journal/
337M	/var/log/journal/44cf6f547971fc33309d1e9e02e7
337M	/var/log/journal/

(I raised a bug 8 years ago about it:
https://github.com/systemd/systemd/issues/2460 )

To summarize: the ~61MB of resulting log text takes around 337MB
on disk when saved by journald, ~80MB in SQLite (~103MB when I added an
index for time and process). Use the old ways you know; it's a waste
of time to try to wrangle journald into doing what you want.


-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Mariusz Gronczewski
On 2024-02-23, at 12:40:19
Arno Lehmann  wrote:

> On 23.02.24 at 10:33, Mariusz Gronczewski wrote:
> > On 22.02.2024 11:19, Ralph Aichinger wrote:  
> >> Hello!
> >>
> >> I know this is a loaded topic...  
> ...
> > There is no good reason *why*. It's entirely US political feel-good 
> > activism  
> 
> Statement one above proven.
> 
> ...
> > All it does is wastes tens of thousands of people's time once the
> > have to fix  
> 
> If there's a single person in the world who feels existing
> terminology to hurt them, I consider my usage of such terms.

So you do nothing all day, or? Because there is always someone who
will find something to be a problem.

> If it makes one person feel better, I think I did something good.

That's a HORRID argument. You can do a massive variety of inexcusably bad
things with that excuse: "But that person was happy with it."

> If it makes others feel worse, I have to balance arguments. Arguments 
> such as "it was always thus" or "it's too much effort" are not strong
> ones.
> 

And that 0.001% that isn't even affected by the term wanting it changed is
an argument to you why?

> As it happens, I prefer being called "woke" above being rude.
> 

How about "unable to discuss the actual topic but throwing useless
generalizations into every sentence"? Is that woke or rude?



-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Selective rotation of journald logs

2024-02-23 Thread Mariusz Gronczewski
On 2024-02-23, at 11:15:29
Nicolas George  wrote:

> Hi.
> 
> It might be an obvious question, but I do not manage to find the
> obvious answer:
> 
> How do I tell systemd's logging system to keep authentication logs for
> one year and mail logs for one month?
> 
> Regards,
> 

That is not a feature systemd's logging has. You'd have to make an
rsyslogd rule to put one log in one directory and another rule for the other,
then tweak the logrotate rules to rotate and keep each of them for a
different length of time.

Most packages already log to separate files and have separate logrotate
rules, so often it is just a matter of changing a single line. For example, auth.log
is rotated together with the rest of the default logs:

/var/log/syslog
/var/log/mail.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/cron.log
{
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

so if you wanted to change only auth.log you'd copy the section and remove
auth.log from the current one, like this:


/var/log/auth.log
{
    # a year in weeks
    rotate 53
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}


-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu
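A check for the step above, as an added example that is not code from the post: it parses logrotate stanzas, reports each file's retention, and flags a log that is still listed in two stanzas (logrotate refuses duplicate entries). The two stanzas it runs on are constructed from the post's, trimmed to the directives that matter.

```python
"""Added example, not code from the post: parse logrotate stanzas and check that
each log is listed in exactly one of them, with its retention.  logrotate flags a
log that appears in two stanzas as a duplicate and skips it, so removing auth.log
from the shared block is the step to get right.  Configs are constructed below."""
import re

SCRIPT_KEYS = ("prerotate", "postrotate", "firstaction", "lastaction")

def parse_logrotate(text):
    """One (paths, directives) tuple per { } block; full-line comments are
    dropped and script bodies (postrotate ... endscript) are skipped."""
    text = re.sub(r"(?m)^[ \t]*#.*$", "", text)
    stanzas = []
    for m in re.finditer(r"([^{}]*)\{([^}]*)\}", text):
        paths, directives, in_script = m.group(1).split(), {}, False
        for parts in (line.split() for line in m.group(2).splitlines()):
            if not parts:
                continue
            if in_script:
                in_script = parts[0] != "endscript"
            elif parts[0] in SCRIPT_KEYS:
                in_script = True
            else:
                directives[parts[0]] = parts[1:]
        stanzas.append((paths, directives))
    return stanzas

def check_rotation(text):
    """Map each log path to (rotate count, interval) and list the paths that
    appear in more than one stanza."""
    retention, duplicates = {}, []
    for paths, d in parse_logrotate(text):
        interval = next((k for k in ("daily", "weekly", "monthly") if k in d), None)
        count = int(d["rotate"][0]) if d.get("rotate") else None
        for p in paths:
            if p in retention:
                duplicates.append(p)
            retention[p] = (count, interval)
    return retention, duplicates

# Constructed from the post's two stanzas (trimmed to the directives that matter here).
SHARED = ("/var/log/syslog\n/var/log/mail.log\n{\n    rotate 4\n    weekly\n"
          "    postrotate\n        /usr/lib/rsyslog/rsyslog-rotate\n    endscript\n}\n")
AUTH = ("/var/log/auth.log\n{\n    # a year in weeks\n    rotate 53\n    weekly\n"
        "    postrotate\n        /usr/lib/rsyslog/rsyslog-rotate\n    endscript\n}\n")
SPLIT_OK = SHARED + AUTH      # auth.log only in its own stanza, as the post does it
STILL_SHARED = SHARED.replace("/var/log/mail.log\n", "/var/log/mail.log\n/var/log/auth.log\n") + AUTH
```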



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Mariusz Gronczewski
On 2024-02-23, at 10:54:09
 wrote:

> On Fri, Feb 23, 2024 at 10:33:08AM +0100, Mariusz Gronczewski wrote:
> > On 22.02.2024 11:19, Ralph Aichinger wrote:  
> > > Hello!
> > > 
> > > I know this is a loaded topic. I really don't want to discuss the
> > > political aspects of the "why", but just want to know the facts,
> > > i.e. how far this has been progressed in Debian.  
> > 
> > There is no good reason *why*. It's entirely US political feel-good
> > activism  
> [...]
> 
> Oh, goody. A culture warrior.
> 
> *plonk*
> 

Me? Exactly the opposite: I'm against bringing culture into tech; it's the
OP that decided to.

It's a pair of words that worked well for decades for the purpose. Now
someone decided to do some feel-good activism and just add work for no
gain. I'm against that.

-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Mariusz Gronczewski
On 2024-02-23, at 11:25:25
Roger Price  wrote:

> On Fri, 23 Feb 2024, Marco Moock wrote:
> 
> > The only package I am aware of that changed some terms is sendmail.
> >  
> 
> With the publication of RFC 9271 "UPS Management Protocol", the nut
> packages (Network UPS Tools) did a vocabulary cleanup at release
> 2.8.0 which included changing Master/Slave to Primary/Secondary.
> There have been no reports in the mailing list of this causing any
> problems.
> 
> Roger
> 

Because nut has backward-compatible name support. You can't do that if you
change the literal text returned by the kernel about device config. That is why
it "works" (for us too; we use it). Bringing an unrelated project into the
discussion is, well, unrelated, as the problems are of an entirely different
kind: making config backward-compatible is far easier than doing so for what it
returns (and nothing realistically would check for the word anyway in the
case of a UPS).

Did you look up what actually changed and think about the implications
vs. changing kernel interfaces, or did you just google for a random tidbit
of which project wasted time on that?

-- 
Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



Re: Inclusive terminology (instead of master/slave) for network bonding/LACP

2024-02-23 Thread Mariusz Gronczewski

On 22.02.2024 11:19, Ralph Aichinger wrote:

> Hello!
>
> I know this is a loaded topic. I really don't want to discuss the
> political aspects of the "why", but just want to know the facts, i.e.
> how far this has been progressed in Debian.


There is no good reason *why*. It's entirely US political feel-good activism
that doesn't change anything but wastes people's time. Do you actually think
pressing on a brake pedal oppresses anybody? Because it also has a master and a slave
cylinder.

All it does is waste tens of thousands of people's time once they have to fix
every script, tool and doc piece related to it, for absolutely no benefit
aside from making some Twitter activist happy that "they did something".
It would *literally* break every single script that checks the status
of the bonding config in the system, as it is all just plain text.


--

Mariusz Gronczewski (XANi) 
GnuPG: 0xEA8ACE64
https://devrandom.eu



"passwd username" asks for current password of user even tho I'm root

2018-10-10 Thread Mariusz Gronczewski
Hi,

On previous releases, and on our CentOS systems, I could change a user's password
by just sudo-ing to root and typing "passwd testuser".

In the current Debian release, doing that asks me to specify that user's password,
which is pointless because:

* I can access /etc/shadow anyway
* I'm changing it because the user forgot it

Is there any way to set passwd (or PAM) to not ask root for the current password when
passwd-ing non-root accounts?

Cheers

Mariusz

--
Mariusz Gronczewski, Administrator

Efigence S. A.
ul. Wołoska 9a, 02-583 Warszawa
T: [+48] 22 380 13 13
F: [+48] 22 380 13 14
E: mariusz.gronczew...@efigence.com



Re: Make CapsLock an additional Escape key - Problem: https://wiki.debian.org/Keyboard advice does not work

2017-09-15 Thread Mariusz Gronczewski
On Fri, 15 Sep 2017 08:48:21 +0200, Peter Smith <peter.smith3...@gmail.com> 
wrote:

> Hi,
> 
> I have tried to change the behavior of the CapsLock key to make it an
> additional Escape key. In order to do this I read the advice on
> https://wiki.debian.org/Keyboard
> 
> Specifically I did:
> I changed the file /etc/default/keyboard to:
> 
> XKBLAYOUT="us,at"
> XKBVARIANT=","
> BACKSPACE="guess"
> XKBMODEL="pc105"
> XKBOPTIONS="caps:escape"
> 
>

I did it with xmodmap, just to a different key than Escape:


keycode 66 = Hyper_L

then just load it via: xmodmap filename


--
Mariusz Gronczewski, Administrator

Efigence S. A.
ul. Wołoska 9a, 02-583 Warszawa
T: [+48] 22 380 13 13
F: [+48] 22 380 13 14
E: mariusz.gronczew...@efigence.com



Re: Advanced RAID configuration in preseed

2016-07-27 Thread Mariusz Gronczewski
This is how we do 2x RAID1, although on the same disks (one for boot, the other for
LVM):

# Parameters are:
# <raidtype> <devcount> <sparecount> <fstype> <mountpoint> \
#          <devices> <sparedevices>
d-i partman-auto-raid/recipe string \
    1 2 0 ext2 /boot                \
          /dev/sda1#/dev/sdb1       \
    .                               \
    1 2 0 lvm -                     \
          /dev/sda2#/dev/sdb2       \
    .

so it is definitely possible to *create* a RAID, but I have no idea how to
partition multiple drives differently.

Back in the bad old CentOS days we just had a script that was called during
install and partitioned it manually, but I don't know how to tell
partman to use that specific device.



On Wed, 27 Jul 2016 13:53:40 +0200 (CEST), Robert Haist
<rha...@mailbox.org> wrote:

> Hi everyone,
> 
> I am currently trying to write a debian8 preseed config that creates two 
> different software RAIDs (Mirror). I am trying to achieve the following 
> layout:
> 
> 2 x 128GB SSD -> /dev/sda & /dev/sdb -> /
> 2 x 1TB HGST  -> /dev/sdc & /dev/sdd -> /var
> 
> As far as I read in all examples and blog posts it is only possible to create 
> one software raid with disks of the same size and preferably the same 
> physical attributes.
> 
> I successfully created the first RAID1 on the SSDs with preseed and the 
> following "code":
> 
> 
> d-i partman-auto/choose_recipe select atomic
> d-i partman-basicfilesystem/no_swap boolean true
> d-i partman-md/device_remove_md boolean true
> d-i partman-auto/method string raid
> d-i partman-auto/disk string /dev/sda /dev/sdb
> d-i partman-auto/expert_recipe string \
>   multiraid ::   \
>   1 5000 10 raid \
>   $primary{ } method{ raid } \
>   .
> 
> d-i partman-auto-raid/recipe string \
> 1 2 0 ext4 /\
>   /dev/sda1#/dev/sdb1   \
> .
> 
> 
> Does partman have any option or possibility to create an additional RAID in 
> the same automated way in the same config? Any help is really appreciated.
> 
> Kind regards,
> 
> Robert Haist
> -
> # Please consider secure communication with PGP #
> # PGP-Public-Key: https://db.tt/IfBskuvO
> # PGP-Fingerprint:
> 2BC8 3F55 A400 7468 864C 680E 1B7C C8D4 D4E9 14AA
> -
> 



-- 
Mariusz Gronczewski, Administrator

Efigence S. A.
ul. Wołoska 9a, 02-583 Warszawa
T: [+48] 22 380 13 13
F: [+48] 22 380 13 14
E: mariusz.gronczew...@efigence.com
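A validator for the partman-auto-raid/recipe format shown in the reply above, as an added example that is not code from the post or from partman: it splits the recipe into its entries using the field order given in the recipe comment and checks that the declared device and spare counts match what is listed, and that no device is assigned to two arrays. The sample recipes are constructed from the post's.

```python
"""Added example, not from the post: parse a partman-auto-raid/recipe string
into its fields and check the declared device counts against the devices that
are actually listed, so a broken recipe is caught before the installer runs.
Field order follows the post's comment: raidtype devcount sparecount fstype
mountpoint devices [sparedevices], each entry terminated by '.'."""

def parse_raid_recipe(recipe):
    """Return one dict per '.'-terminated entry.  Devices are '#'-separated;
    the spare-devices field may be omitted when sparecount is 0."""
    entries, cur = [], []
    # Preseed line-continuation backslashes may survive in a pasted recipe; drop them.
    for tok in recipe.replace("\\", " ").split():
        if tok != ".":
            cur.append(tok)
            continue
        if len(cur) < 6:
            raise ValueError(f"entry too short: {cur}")
        entries.append({
            "raidtype": cur[0], "devcount": int(cur[1]), "sparecount": int(cur[2]),
            "fstype": cur[3], "mountpoint": cur[4], "devices": cur[5].split("#"),
            "spares": cur[6].split("#") if len(cur) > 6 else [],
        })
        cur = []
    if cur:
        raise ValueError("last entry not terminated by '.'")
    return entries

def recipe_problems(recipe):
    """List count mismatches and any device assigned to two arrays."""
    problems, used = [], {}
    for e in parse_raid_recipe(recipe):
        mp = e["mountpoint"]
        if len(e["devices"]) != e["devcount"]:
            problems.append(f"{mp}: devcount {e['devcount']} but {len(e['devices'])} devices")
        if len(e["spares"]) != e["sparecount"]:
            problems.append(f"{mp}: sparecount {e['sparecount']} but {len(e['spares'])} spares")
        for dev in e["devices"] + e["spares"]:
            if dev in used:
                problems.append(f"{dev} used for both {used[dev]} and {mp}")
            used[dev] = mp
    return problems

# Constructed from the post's recipe: two RAID1 arrays across sda/sdb.
POST_RECIPE = "1 2 0 ext2 /boot /dev/sda1#/dev/sdb1 . 1 2 0 lvm - /dev/sda2#/dev/sdb2 ."
# Constructed mistake: devcount says 2 but only one device is listed.
BAD_RECIPE = "1 2 0 ext4 / /dev/sda1 ."
```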



Re: [Jessie] Is there a way to delay bonding interface initalization to happen after network driver is up

2016-05-04 Thread Mariusz Gronczewski
On Fri, 29 Apr 2016 17:52:36 +0200, Sven Hartge <s...@svenhartge.de>
wrote:

> Mariusz Gronczewski <x...@efigence.com> wrote:
> 
> > I have 2 machines(IBM servers). Both use bnx2 NIC driver but one is VERY
> > slow to boot thru kernel (2.3s vs 27s)  
> 
> > Config is:  
> 
> > auto bond508
> > allow-hotplug bond508  
> 
> > iface bond508 inet  static
> > address 1.2.3.4/24
> > slaves eth0.508 eth1.508
> > bond-mode active-backup  
> 
> Question, separate from your problem: Why do you bond the VLANed
> interfaces instead of the raw eth0/1 and then VLAN the bond? Is there a
> special reason you do it that way?
> 

Bugs in CentOS/NIC drivers, mostly; we're migrating away from it and I
want to try to make the same config first before playing around with
different ways to do it. We have the config you've described on several
C5/6 machines, but for some reason it didn't want to work in C6 when
there were both tagged and untagged VLANs on the wire. After spending some
time trying to figure out why the same config from C5 doesn't want to work in
C6, I did it that way.

We also have a few odd servers that need a different bond config for
different VLANs (mostly by having different "active" cards in each so as
not to force all traffic via one switch).

-- 
Mariusz Gronczewski, Administrator

Efigence S. A.
ul. Wołoska 9a, 02-583 Warszawa
T: [+48] 22 380 13 13
F: [+48] 22 380 13 14
E: mariusz.gronczew...@efigence.com



[Jessie] Is there a way to delay bonding interface initalization to happen after network driver is up

2016-04-29 Thread Mariusz Gronczewski
I have 2 machines (IBM servers). Both use the bnx2 NIC driver, but one is VERY
slow to boot through the kernel (2.3s vs 27s).

Config is:

auto bond508
allow-hotplug bond508

iface bond508 inet static
    address 1.2.3.4/24
    slaves eth0.508 eth1.508
    bond-mode active-backup



On the "fast" one it "just" works: the NIC is initialized first, the VLAN
interfaces are created, the bond adds them and everything works.

On the "slow" one the bond starts with no interfaces because ifup happens
before the NIC driver has settled (eth0/1 are not in the system).

It looks like this:

Apr 28 17:49:31 blade710 kernel: [   44.346366] bonding: Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
Apr 28 17:49:31 blade710 kernel: [   44.421839] bonding: bond508 is being created...
Apr 28 17:49:31 blade710 kernel: [   44.424930] bonding: bond508: Setting xmit hash policy to layer3+4 (1)
Apr 28 17:49:31 blade710 kernel: [   44.429511] bonding: bond508: option lacp_rate: mode dependency failed, not supported in mode active-backup(1)
Apr 28 17:49:31 blade710 kernel: [   44.435247] bonding: bond508: interface eth0.508 does not exist!
Apr 28 17:49:31 blade710 kernel: [   44.440974] bonding: bond508: interface eth1.508 does not exist!
Apr 28 17:49:31 blade710 kernel: [   44.444804] IPv6: ADDRCONF(NETDEV_UP): bond508: link is not ready

Then the NIC boots:

Apr 28 17:49:31 blade710 kernel: [   44.492469] bnx2 :10:00.0: firmware: direct-loading firmware bnx2/bnx2-mips-09-6.2.1b.fw
Apr 28 17:49:31 blade710 kernel: [   44.494198] bnx2 :10:00.0: firmware: direct-loading firmware bnx2/bnx2-rv2p-09-6.0.17.fw
Apr 28 17:49:31 blade710 kernel: [   44.494243] bnx2 :10:00.0: irq 74 for MSI/MSI-X
Apr 28 17:49:31 blade710 kernel: [   44.494251] bnx2 :10:00.0: irq 75 for MSI/MSI-X
Apr 28 17:49:31 blade710 kernel: [   44.494257] bnx2 :10:00.0: irq 76 for MSI/MSI-X
Apr 28 17:49:31 blade710 kernel: [   44.494263] bnx2 :10:00.0: irq 77 for MSI/MSI-X
Apr 28 17:49:31 blade710 kernel: [   44.494269] bnx2 :10:00.0: irq 78 for MSI/MSI-X
Apr 28 17:49:31 blade710 kernel: [   44.494275] bnx2 :10:00.0: irq 79 for MSI/MSI-X
Apr 28 17:49:31 blade710 kernel: [   44.494281] bnx2 :10:00.0: irq 80 for MSI/MSI-X
Apr 28 17:49:31 blade710 kernel: [   44.494286] bnx2 :10:00.0: irq 81 for MSI/MSI-X
Apr 28 17:49:31 blade710 kernel: [   44.494292] bnx2 :10:00.0: irq 82 for MSI/MSI-X
Apr 28 17:49:31 blade710 kernel: [   44.553877] bnx2 :10:00.0 eth0: using MSIX
Apr 28 17:49:31 blade710 kernel: [   44.553917] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Apr 28 17:49:31 blade710 kernel: [   44.610343] bnx2 :10:00.0 eth0: NIC SerDes Link is Up, 1000 Mbps full duplex

I *can* make it work on boot if I define the eth interfaces separately:


iface eth0.508 inet manual
    bond-master bond508
    bond-mode active-backup

but that is not exactly a pretty solution... Is there a way to force
bonding interfaces to come up only after the required devices are up?


-- 
Mariusz Gronczewski, Administrator

Efigence S. A.
ul. Wołoska 9a, 02-583 Warszawa
T: [+48] 22 380 13 13
F: [+48] 22 380 13 14
E: mariusz.gronczew...@efigence.com
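A way to spot the ordering problem described in the question from kernel logs, as an added example that is not code from the post: it looks for a bond reporting missing members, maps each VLAN member to its parent NIC, and measures how long after the bond came up that NIC's link was logged as up. The sample lines are constructed from the dmesg excerpt above; the `NIC SerDes Link is Up` pattern is the bnx2 wording on this page and other drivers phrase it differently.

```python
"""Added example, not from the post: scan kernel log lines for a bond that was
brought up before its member interfaces existed and report how long after that
the underlying NIC's link came up.  The lines below are constructed from the
post's dmesg excerpt (bnx2 NIC, bond508 with eth0.508 and eth1.508 members)."""
import re

TS = r"\[\s*(\d+\.\d+)\]"
MISSING = re.compile(TS + r" bonding: (\S+): interface (\S+) does not exist!")
NIC_UP = re.compile(TS + r" \S+ \S+ (eth\d+): NIC SerDes Link is Up")  # bnx2 wording

def bond_race(lines):
    """Return {bond: {"missing": [(member, t)], "nic_up": {eth: t}}} for bonds
    whose members were absent when the bond came up; nic_up holds the link-up
    time of the physical NIC under each missing VLAN member (eth0.508 -> eth0)."""
    missing, nic_up = {}, {}
    for line in lines:
        if m := MISSING.search(line):
            missing.setdefault(m.group(2), []).append((m.group(3), float(m.group(1))))
        elif m := NIC_UP.search(line):
            nic_up[m.group(2)] = float(m.group(1))
    report = {}
    for bond, members in missing.items():
        parents = {member.split(".")[0] for member, _ in members}
        report[bond] = {"missing": members,
                        "nic_up": {p: nic_up[p] for p in parents if p in nic_up}}
    return report

def link_delay(report, bond):
    """Seconds between the first 'does not exist' for the bond and the latest
    parent-NIC link-up that was logged; None if no link-up was seen."""
    r = report[bond]
    if not r["nic_up"]:
        return None
    return round(max(r["nic_up"].values()) - min(t for _, t in r["missing"]), 6)

SAMPLE = [  # constructed from the post's log lines, timestamps as printed there
    "Apr 28 17:49:31 blade710 kernel: [   44.421839] bonding: bond508 is being created...",
    "Apr 28 17:49:31 blade710 kernel: [   44.435247] bonding: bond508: interface eth0.508 does not exist!",
    "Apr 28 17:49:31 blade710 kernel: [   44.440974] bonding: bond508: interface eth1.508 does not exist!",
    "Apr 28 17:49:31 blade710 kernel: [   44.553877] bnx2 :10:00.0 eth0: using MSIX",
    "Apr 28 17:49:31 blade710 kernel: [   44.610343] bnx2 :10:00.0 eth0: NIC SerDes Link is Up, 1000 Mbps full duplex",
]
```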