Re: Strange permissions issue with virt-install + UEFI

2022-05-13 Thread Matt Ventura

On 5/13/2022 6:53 PM, David wrote:

On Sat, 14 May 2022 at 10:57, Matt Ventura  wrote:


On one box (Debian 11.3), my virt-install script works fine:
virt-install [...]
However, on another box, the same command (minus the final --network option) 
gives me this:

[...]

Could not open '/var/lib/libvirt/qemu/nvram/openwisp_VARS.fd': Permission denied

[...]

Any ideas?

You don't mention which user is running the 'virt-install' commands.
I suggest to think about that.

https://wiki.debian.org/KVM says:
   In order to manage virtual machines as a regular user, that user
needs to be added to the libvirt group:
   # adduser  libvirt

On both machines, check that the user (who is running the virt-install
command) is a member of group=libvirt.

Run: groups | grep libvirt

I'm not sure if this is the answer, but it is the first thing I would check.
Also, test if that user can read the file openwisp_VARS.fd via its
full path.

On the broken machine, it fails even if I run it as root. Root isn't a 
member of libvirt on either machine, but root is root, so it shouldn't 
be getting permission denied either way. Perhaps the file is being 
created as libvirt-qemu, but the plain old libvirt user needs to access 
it too? That's the only thing I can think of, since root ignores 
permissions anyway.


I did try to `su` into the libvirt-qemu user, and the path was reachable 
via the full absolute path. I could create, modify, read, and delete 
files in that dir.


Some searching pointed to it being an AppArmor problem, but AA is 
enabled on both.


Matt Ventura



Strange permissions issue with virt-install + UEFI

2022-05-13 Thread Matt Ventura

Hi,

On one box (Debian 11.3), my virt-install script works fine:

virt-install --virt-type kvm --name $NEWVM \
--location http://ftp.us.debian.org/debian/dists/bullseye/main/installer-amd64 \
--extra-args "netcfg/hostname=$NEWVM" -v \
--os-variant debian11 \
--disk size=30,pool=vmvol,bus=scsi,discard=unmap,cache=writeback,io=threads \
--disk size=4,pool=vmvol-nobackup,bus=scsi,discard=unmap,cache=unsafe,io=threads \
--memory 8196 --initrd-inject=preseed.cfg --noautoconsole --boot uefi \
--graphics spice --video virtio --controller=scsi,model=virtio-scsi \
--network=bridge=virbr1,model=virtio


However, on another box, the same command (minus the final --network 
option) gives me this:



ERROR    internal error: process exited while connecting to monitor: 
2022-05-14T00:11:48.169264Z qemu-system-x86_64: -blockdev \

{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/openwisp_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}:
 \
Could not open '/var/lib/libvirt/qemu/nvram/openwisp_VARS.fd': Permission denied
Domain installation does not appear to have been successful.

First idea was to check the perms of the /var/lib/libvirt-qemu/nvram 
directory. On both boxes, it is owned by user+group libvirt-qemu, mode 
0755. The files themselves seem to be owned by libvirt-qemu:libvirt-qemu 
as well.


On the failing box, the new file /is/ created:

-rw---  1 libvirt-qemu libvirt-qemu 540672 May 13 16:39 openwisp_VARS.fd

So, I'm really not sure why it thinks it's failing, but it aborts the 
installation regardless.


Any ideas?

Matt Ventura


Correct way to build in-tree module?

2021-10-28 Thread Matt Ventura

Hi,

I'd like to build a module that is in-tree, but not enabled by the 
Debian kernel by default (module 'pmbus', selected by CONFIG_PMBUS). I 
would rather not build an entire custom kernel just for one module.


Most of the resources out there are for building *out of tree* modules, 
but this is in-tree. Or, they tell you how to do a one-time build of the 
module, but not how to get it into DKMS or anything that would keep the 
module up to date as you install new kernel versions. The module is not 
listed in module-assistant either.


So, what is the right (or at least, best) way to do this, that won't 
break on a kernel update?


Thanks,

Matt



Re: Thin Mate window edges

2016-03-02 Thread Matt Ventura

On 3/2/2016 2:51 PM, Russell Gadd wrote:

I have just installed Jessie with the Mate desktop. My screen is 1920 x
1080. I find grabbing the edges or corner of a window with the mouse
pointer in order to extend it is very fiddly. Is this due to the border
being very thin? Are there any options to make this easier, such as
choosing a window style with thicker borders?

Not a solution to the border problem, but alt-rightclick drag allows you to
resize windows (in some window managers) without having to grab the border.

Matt Ventura



Re: sexist content in the package openclipart2-png

2016-01-06 Thread Matt Ventura

On 01/05/2016 04:24 AM, Brad Rogers wrote:


On Tue, 5 Jan 2016 10:21:02 +0900
Joel Rees  wrote:

Hello Joel,


of the clipart out into a separate package so that a child looking for
a general image of a woman won't bump into a male sexual fantasy

Not aimed at any person, just observation.

By putting "sensitive" images in a separate package, one *highlights*
them, thus enabling those children one's intention it is to protect,
to find them a good deal more easily.  Whether that's preferable to
lumping the images in with a more generalised package is up for debate.

It's a two edged sword;  Damned if you do, and damned if you don't.
Either way, somebody gets upset/annoyed.   :-(


Yes, you might end up highlighting it, but what I assumed from the OP is
not that the children were looking for clipart packages, but rather
looking through clipart that the parent had already installed. So
separating it would still help in that situation.

If I were searching for inappropriate imagery, 'apt-cache search' is one
of the last places I'd look.

Matt



Re: How to make "headless" system?

2015-11-09 Thread Matt Ventura

On 11/07/2015 12:36 PM, Dennis Wicks wrote:

Greetings;

I have a number of older PCs that I use for testing/local webservers, 
fileservers, backup machines and other stuff. A couple of these have 
"glass ttys", ie. no graphics at all, and others have old low-res 
monitors of 800x600 at best. Also, they are all in the basement, which 
is a trip I don't like to make very often!


I want to force these systems to support hi-res 1680x1050 or better so 
I can VNC to them from my main machine and be able to use graphic 
software to operate and maintain these machines.


Right now I mostly use ssh and it can be a real pain!

Can anybody tell me how to accomplish this or point me to a "How To" 
somewhere?


I am running Jessie and XFCE.

Many TIA!!
Dennis

If you absolutely must have a full X running on the machines, you can 
use xvfb to create a "fake" X that doesn't actually display anywhere, 
and use VNC to access it. There's also xvnc which is specifically for 
use over VNC.




Re: Regarding Hotspot configuration

2015-10-27 Thread Matt Ventura

On 10/24/2015 01:26 AM, Sven Arvidsson wrote:

On Fri, 2015-10-23 at 14:38 -0700, Matt Ventura wrote:

I'm not sure about that, I just told n-m to create a new network,
and it did ad-hoc even though my card supports AP mode.
Can you check in iwconfig to confirm it's actually an AP?

iwconfig does say master mode.


What card is it?
With my Intel 7260 (which works as an AP if I use hostapd directly),
n-m only wants to create an ad-hoc network.
Does it present you with the option to create an AP mode network?

Matt Ventura



Re: Regarding Hotspot configuration

2015-10-27 Thread Matt Ventura

On 10/23/2015 08:56 PM, Himanshu Shekhar wrote:

Got it!
My wireless driver is "wl", and "iw list" shows that it doesn't 
support "ap" mode. Also, I have browsed Linux_Drivers_page 
<http://linuxwireless.org/en/users/Drivers/> and Wikipedia_article 
<https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers> about 
the same, and found that there were no "wl" drivers, but something 
like "wl***".
My "iw list" and "lspci -v" outputs are attached. Please have a look 
at them.
Also, I didn't mention that my hardware has bluetooth and wireless 
combined, and bluetooth doesn't work.

It would be great if anyone could suggest the proper drivers.

Thanks for help!

Regards,
Himanshu Shekhar



Looking at that, it doesn't look like it supports AP mode.
If it does, it would say "AP" and/or "AP/VLAN" under "Supported 
interface modes".


Matt Ventura


Re: Regarding Hotspot configuration

2015-10-23 Thread Matt Ventura

On 10/23/2015 01:39 PM, Sven Arvidsson wrote:

On Fri, 2015-10-23 at 19:13 +0530, Himanshu Shekhar wrote:

I have spent couple of hours about using hotspot on my Debian laptop.
The
hotspotd method didn't work. So, I tried ap-hotspot after knowing
that the
hotspot which the GNOME network manager starts is an ad-hoc network
which
Android cannot identify.

I only made a very quick test, but on my laptop the "hotspot"
NetworkManager creates is visible on my Android phone.

I think NM only uses ad-hoc if your network driver doesn't support
anything else.


I'm not sure about that, I just told n-m to create a new network,
and it did ad-hoc even though my card supports AP mode.
Can you check in iwconfig to confirm it's actually an AP?



Re: Regarding Hotspot configuration

2015-10-23 Thread Matt Ventura

On 10/23/2015 06:43 AM, Himanshu Shekhar wrote:
I have spent couple of hours about using hotspot on my Debian laptop. 
The hotspotd method didn't work. So, I tried ap-hotspot after knowing 
that the hotspot which the GNOME network manager starts is an ad-hoc 
network which Android cannot identify. So, I began searching for 
solution for creating Infrastructure network, and eventually found 
that there was no simple way, like a click and hotspot started.


Also, some googling suggested "iw list" which would expose device's 
capability, and didn't mention ap in the list. However, I have used ap 
using Connectify in Windows on the same device.


Any help will be appreciated!

--
Regards
Himanshu Shekhar
IIIT-Allahabad
IRM2015006

Post the output of 'iw list'. It's entirely possible that the driver 
and/or firmware used in the Windows drivers support AP mode while the 
ones in Debian do not. It also might not have AP support on all bands.


Matt Ventura



Re: Adapter Names on Stretch

2015-08-29 Thread Matt Ventura

On 8/28/2015 11:32 PM, Tixy wrote:

On Sat, 2015-08-29 at 10:06 +1200, Chris Bannister wrote:

On Fri, Aug 28, 2015 at 10:22:58AM -0500, David Wright wrote:

Quoting Ric Moore (wayward4...@gmail.com):


 From my own experience, if you replace a network card, udev will
automagically name it /dev/eth +1 so eth0 becomes eth1. I'm using
eth1 right now. Bugs the hell out of me but the network works, :)

That's because you didn't clear the previous card's eth0 entry in
/etc/udev/rules.d/70-persistent-net.rules before you booted up
the new card.

I think you can delete the file and it will get regenerated on boot.
Well, it used to be that way, probably best to save a copy first in case
it doesn't work that way any more.

It does on Jessie. Just been bringing up several boards using the same
filesystem image and needed to do this myself. Which reminds me, I
should add a command to rc.local to delete all udev rules at boot. (Idea
is that I can swap out boards if they fail and keep the same disk image
- which is on SD card).


You can also just delete the udev rule that generates the persistent
interface names to begin with.

Matt Ventura



Re: VLAN config on Jessie

2015-08-01 Thread Matt Ventura



On 8/1/2015 1:30 AM, Andrew Wood wrote:



On 30/07/15 23:14, Arno Schuring wrote:
This configures an untagged connection, which is not the same as vlan 
1. Also, there's no need to set that broadcast address manually, it's 
inferred from the netmask.

auto eth1.2
iface eth1.2 inet static
address 192.168.100.254
netmask 255.255.255.0
vlan-raw-device eth1


I want vlan 1 to be the default hence I declared it as eth1 not eth1.1

That is most likely wrong. You set a "default interface" by configuring
the default gateway with the lowest metric. Other than that, there's no
"default" between network interfaces.


I'm not talking about the default route, I'm talking about how it should 
handle ethernet frames with no vlan tag arriving on eth1



Before going any further, you should know that having tagged and 
untagged frames on the same port is far from best practices. You either 
want to have a port be an untagged member of a single vlan, or a tagged 
member of one or more vlans. It's hard to tell at this point if that's 
what's actually causing the problem or if that's unrelated.


Matt Ventura


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: https://lists.debian.org/55bd657e.7060...@mattventura.net



Re: VLAN config on Jessie

2015-07-30 Thread Matt Ventura

On 07/30/2015 01:43 PM, Andrew Wood wrote:
Can I please clarify the correct way to configure VLANs on Jessie as 
I'm having problems with DHCPD giving out IP addresses for the wrong 
VLAN subnet but only for certain clients - Windows 7, & Apple iOS 
whereas Debian clients and Windows XP clients are working fine.


I've got a Jessie machine acting as a router with eth0 being the WAN 
connection to the internet and eth1 being the LAN connection with 2 
VLANs on it (VLAN1 has addresses 192.168.10.x and VLAN2 192.168.100.x)


If I assign addresses statically on the clients it's all fine but on 
Wifi via DHCP the Wifi AP is set to map two separate SSIDs to the two 
VLANs and in such cases the clients use DHCP.


As I say, if a Debian or Windows XP client connects via wifi it works 
fine but if a Windows 7 client connects to VLAN2's SSID DHCPD is giving 
it an IP on VLAN1 and then nothing works.


This is the /etc/network/interfaces file:

auto eth0
iface eth0 inet dhcp


#LAN (MZ)
auto eth1
iface eth1 inet static
address 192.168.10.254
broadcast 192.168.10.255
netmask 255.255.255.0
up /etc/network/if-up.d/iptables


auto eth1.2
iface eth1.2 inet static
address 192.168.100.254
netmask 255.255.255.0
vlan-raw-device eth1


I want vlan 1 to be the default hence I declared it as eth1 not eth1.1 
however I did try that and it reversed the problem - vlan1 gets vlan2 
ip addresses!


What's the correct way to do this please?

Thanks
Andrew



Could you post the DHCPD config?

Matt Ventura





Re: Free GNU/Linux intro class for teens advice? Purchase box? Squeak/Smalltalk programming

2015-07-07 Thread Matt Ventura

On 7/6/2015 5:12 PM, Marc D Ronell wrote:

I am  working toward  teaching a free  introductory class to  teens on
GNU/Linux  and the  philosophy of  free  software at  the Newton  Free
Library in MA this coming September.

For the class, the participants  will need access to GNU/Linux.  After
reviewing   some  options,   including   sdf.org,  virtual   machines,
Chromebooks,  etc.,  I  am  considering just  asking  participants  to
purchase a dedicated  laptop and installing the OS.  I  may be able to
direct students to install fests  in the area before the class starts.
I am  not sure that this is  the best idea, but  it offers significant
advantages including a potentially working  box as part of the results
of the course.

As a test, I purchased  a laptop (Toshiba Satellite C75-B7180) on sale
for $350  at our local Microcenter  in Cambridge and was  able to load
GNU/Linux  for my  son.  I  am  thinking of  working some  programming
assignments in Squeak (Smalltalk), but  maybe C is a better choice for
an OS class?

Has  anyone tried  running a  GNU/Linux  intro class  for teens?   Can
anyone  share their  experiences, thoughts  or  suggestions?  Feedback
based on actual experience would be most helpful, I think, but I would
appreciate any insights.

Thanks for your thoughts,

Marc


May I ask why you decided against virtualization? It might be something
that can be worked around.

Matt Ventura





Re: Colorized Prompts Problem

2015-05-04 Thread Matt Ventura

On 5/4/2015 7:57 AM, Thomas H. George wrote:

On Mon, May 04, 2015 at 06:54:40AM +, Bonno Bloksma wrote:

Hi,


I entered the following in .bashrc

PS1='\033[01;33m\h:\w\$ \033[00m'

to colorize the prompt (very handy to find the prompt when a command
fills the console screen with lines of text)

The only problem occurs when the next entry is more than one line.  In that
case the entry wraps around without moving to a new line.

I had the same problem using the prompt I found at first, I think it is the 
same you are using. It seems there is a problem in closing the ANSI code string.
Someone else gave me this:
   PS1='\[\e[0;31m\]${debian_chroot:+($debian_chroot)}\h:\w\$\[\e[m\] '
This does not have the problem, I have been using this now for over a year, no 
problems at all.

Bonno Bloksma


Thank you, this works while nothing else did.  The sequences to start
and end coloring are different and the colors are different too.  In the
prompt I was initially using 33 resulted in a bright yellow prompt.
With this prompt 33 results in a dull rust color prompt. No matter, it
works.

The bright yellow is the bold version of that color. The "1" causes it 
to be bold, so just change the 0;33m to 1;33m.






Re: Installing Jessie on a computer that current has Windows 7 on it

2015-03-10 Thread Matt Ventura

On 03/10/2015 02:00 PM, Paul E Condon wrote:
Comments? Suggestions of things to try?

Boot the installer up to the point where it reads the disks. Do a
'dd if=/dev/zero of=/dev/sda bs=512 count=1M' to try to forcibly erase the
boot sector and any EFI stuff that might be on the disk. If that fails,
then it might come down to some BIOS settings.


Matt Ventura





Re: Installing Jessie on a computer that current has Windows 7 on it

2015-03-10 Thread Matt Ventura

On 3/9/2015 9:07 PM, Paul E Condon wrote:

I have NO interest in dual boot. I simply want to wipe the disk and install
Jessie. I have last week's weekly build of debian-testing-i3k6-xfce-CD-1.iso.
It starts nicely like I have seen many times before, but when I get to
partitioning the HD there is trouble. It won't overwrite the NTFS partitions
that contain Windows 7. I think I have read about this and there is some
special trick, but I can't find it. Please, someone. Help. Point me to the
directions.

Does creating a new partition table work? In the text based installer,
try pressing enter on the disk itself (not the partition). You can also
hop over to a TTY and manually use fdisk to do it (fdisk /dev/, o, w,
then sort out partitioning in the installer).


Matt Ventura





Re: Strange entry in my routing table.

2015-03-04 Thread Matt Ventura

On 03/04/2015 03:18 PM, Juan R. de Silva wrote:

Here is my routing table:

0.0.0.0         192.168.25.68   0.0.0.0         UG    0      0        0 eth0
192.168.24.0    0.0.0.0         255.255.252.0   U     1      0        0 eth0

The first entry IS my default gateway as I expected.

The second line, however, is something I can neither recognize nor
explain. It obviously belongs to something on a different LAN segment,
which I do not have. I mean I do not have any subnets on my LAN.

I tried to ping 192.168.24.0 with no response.
Trying 'ping -b 192.168.24.255' gives me only my own LAN IP address with
"Destination Host Unreachable".

The wireless on my router is disabled from GUI interface. The router is
flashed with dd-wrt. Should I assume my router has been hacked and re-
flash it?

Can somebody help me to understand this, please?


Looks perfectly fine to me. 192.168.24.0 with a netmask of 255.255.252.0 
(a /22 subnet) means the address range is 192.168.24.0 - 192.168.27.255. 
Both your PC and router are on this network. Generally, an 
internet-connected interface will always have two entries, one for the 
network itself (the second line here) and one for the gateway (the first 
line).






Re: Anti-spam recommendations

2015-02-04 Thread Matt Ventura

On 2/4/2015 10:00 AM, Mark Carroll wrote:

I'm moving a Debian mail server installation over to a different machine
environment and I figure that I may as well take the opportunity for a
fresh install and rethink. I've been using greylistd to good effect, but
I'd be surprised if it keeps working so well long-term. I have long
lists of aliases in Exim and perhaps more automated use of throwaway
addresses could have value; I haven't really thought that through.

What are people expecting will work well in the future for rejecting
spam at the MTA? E.g., SpamAssassin's performance, use of IP blacklists,
etc. I can live with some spam, if I am fairly sure I'm not wrongly
rejecting anything. I'm happy to look at anything conveniently packaged
for jessie.

-- Mark



IMO, it depends on the level of spam you're getting.

The first step is reverse DNS checking [0]. This will filter out about 80% of
spam right off the bat. Next step would be a blacklist. I personally use SORBS
but it can get a little sensitive sometimes (it threw the server for this list
on the blacklist once) but overall it's pretty good. Spamassassin or some other
filtering mechanism that actually examines messages can be used as a last
resort if you're still having issues with spam.

Remember, most spammers aren't trying that hard to bypass anti-spam measures.
They'd rather just go for the low-hanging fruit and spam unprotected systems.


[0]: http://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS

Matt Ventura
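
The forward-confirmed reverse DNS check referenced at [0], sketched as an added example that is not part of the original post or of any MTA's own code. The function names and the sample records (documentation address ranges) are constructed for illustration; the resolver is injectable so the logic can be exercised offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) verdict for a connecting client IP.

Added illustration: names and sample data below are hypothetical/constructed.
"""
import ipaddress
import socket


def system_ptr_lookup(ip):
    """PTR names for ip via the system resolver; empty list if none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]


def system_addr_lookup(hostname):
    """A/AAAA addresses for hostname via the system resolver; empty list if none."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def fcrdns(ip, ptr_lookup=system_ptr_lookup, addr_lookup=system_addr_lookup):
    """Return (verdict, confirmed_name).

    verdict is "pass" when some PTR name of ip resolves forward to ip again,
    "no-ptr" when ip has no reverse record, and "mismatch" when PTR names
    exist but none of them points back at ip.
    """
    client = ipaddress.ip_address(ip)
    names = ptr_lookup(str(client))
    if not names:
        return ("no-ptr", None)
    for raw in names:
        name = raw.rstrip(".").lower()
        for addr in addr_lookup(name):
            try:
                # Compare parsed addresses, not strings: IPv6 has many spellings.
                if ipaddress.ip_address(addr) == client:
                    return ("pass", name)
            except ValueError:
                continue  # resolver returned something that is not a plain IP
    return ("mismatch", None)


# Constructed sample zone data (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.org."],
    "203.0.113.5": ["mail.example.com"],   # PTR claims a name it does not own
    "2001:db8::25": ["mx6.example.net"],
}
SAMPLE_ADDR = {
    "mail.example.org": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.99"],
    "mx6.example.net": ["2001:0db8:0:0:0:0:0:25"],
}


def sample_ptr_lookup(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_addr_lookup(hostname):
    return SAMPLE_ADDR.get(hostname, [])


def demo():
    """Run the check over the constructed clients and return the verdicts."""
    clients = ["192.0.2.10", "203.0.113.5", "198.51.100.7", "2001:db8::25"]
    return {ip: fcrdns(ip, sample_ptr_lookup, sample_addr_lookup) for ip in clients}


if __name__ == "__main__":
    for ip, (verdict, name) in demo().items():
        print(f"{ip:15} {verdict:9} {name or '-'}")
```
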





Problem with recent updates+sleep+screen locking

2015-02-04 Thread Matt Ventura
I just updated my unstable system. It was set to not lock my screen upon 
suspend/resume, and it still is. However, now it locks after resuming 
anyway. I'm using xfce but am running Gnome screensaver for certain 
reasons, which I suspect is related to the problem. I'm guessing 
gnome-screensaver simply no longer respects whatever setting the xfce 
settings system is changing. I assumed that there would be some kind of 
setting for this in gnome-control-panel, but there isn't anything 
related to screensaver, nor do any of the Power settings seem to have 
any bearing on locking.


Is there any way to get gnome screensaver to not lock on suspend/resume?

Thanks,
Matt Ventura





Re: network newbie seeks help combining routesets for VPN tunnel

2015-01-25 Thread Matt Ventura

On 1/25/2015 5:13 AM, Tom Roche wrote:

Tom Roche Sat, 24 Jan 2015 16:00:37 -0500 [1] (envvar names translated to 
`bash`ian)

[The "original routeset" on the client/laptop:]
1:  default via 192.168.1.1 dev eth0  proto static
2:  169.254.0.0/16 dev eth0  scope link  metric 1000
3:  192.168.1.0/24 dev eth0  proto kernel  scope link  src ${LOCAL_ETH0_IPN}
[OpenVPN routeset, overwrites the original routeset:]
1:  0.0.0.0/1 via ${OPEN_VPN_ENDPT_IPN} dev tun0
 # inherited from "original" route#=1?
2:  default via 192.168.1.1 dev eth0  proto static
3:  10.8.0.1 via ${OPEN_VPN_ENDPT_IPN} dev tun0
4:  ${OPEN_VPN_ENDPT_IPN} dev tun0  proto kernel  scope link  src 10.8.0.6
5:  128.0.0.0/1 via ${OPEN_VPN_ENDPT_IPN} dev tun0
 # inherited from "original" route#=2?
6:  169.254.0.0/16 dev eth0  scope link  metric 1000
7:  ${OPEN_VPN_PUBLIC_IPN} via 192.168.1.1 dev eth0
 # inherited from "original" route#=3?
8:  192.168.1.0/24 dev eth0  proto kernel  scope link  src ${LOCAL_ETH0_IPN}
[F5VPN routeset, overwrites the OpenVPN routeset:]
1:  0.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1
 # inherited from "original" route#=1?
2:  default via 192.168.1.1 dev eth0  proto static
3:  10.144.0.1 dev ppp0  proto kernel  scope link  src ${F5_VPN_ENDPT_IPN}
4:  128.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1
5:  ${F5_VPN_PUBLIC_IPN} via ${OPEN_VPN_ENDPT_IPN} dev tun0  proto none  metric 1

Matt Ventura Sat, 24 Jan 2015 19:26:48 -0800 [2] (slightly reformatted)

[The new routeset] should look like:

new routeset option 1:


[192.168.1.0/24 dev eth0  proto kernel  scope link  src ${LOCAL_ETH0_IPN}]
${OPEN_VPN_PUBLIC_IPN} via 192.168.1.1 dev eth0
${F5_VPN_PUBLIC_IPN} via ${OPEN_VPN_ENDPT_IPN} dev tun0 ...
0.0.0.0/0 via ${F5_VPN_ENDPT_IPN} dev ppp0 ...
Come to think of it, the set of routes that the F5 VPN puts in place should 
work, needing only the addition of
${OPEN_VPN_PUBLIC_IPN} via 192.168.1.1 dev eth0
What I wrote above is the cleanest possible set of routes that would
still work, but just adding that one route should fix the existing
one. I think you would want to add it just before starting the
OpenVPN, otherwise do it right after.

Well, the OpenVPN client sets that route itself: the problem is, the F5VPN 
client overwrites it (see above). So I'd need to add it after starting the 
F5VPN client, producing something like

new routeset option 2: F5VPN routes with 1 added route:

1:  0.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1
2:  default via 192.168.1.1 dev eth0  proto static
3:  10.144.0.1 dev ppp0  proto kernel  scope link  src ${F5_VPN_ENDPT_IPN}
4:  128.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1
5:  ${OPEN_VPN_PUBLIC_IPN} via 192.168.1.1 dev eth0
6:  ${F5_VPN_PUBLIC_IPN} via ${OPEN_VPN_ENDPT_IPN} dev tun0  proto none  metric 1

Is that the correct order?


After starting the F5 VPN, you might need to [also] re-add the
192.168.1.0/24 dev eth0 ... src ${LOCAL_ETH0_IPN}

so that would be option 3: F5VPN routes with 2 added routes:

1:  192.168.1.0/24 dev eth0  proto kernel  scope link  src ${LOCAL_ETH0_IPN}
2:  0.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1
3:  default via 192.168.1.1 dev eth0  proto static
4:  10.144.0.1 dev ppp0  proto kernel  scope link  src ${F5_VPN_ENDPT_IPN}
5:  128.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1
6:  ${OPEN_VPN_PUBLIC_IPN} via 192.168.1.1 dev eth0
7:  ${F5_VPN_PUBLIC_IPN} via ${OPEN_VPN_ENDPT_IPN} dev tun0  proto none  metric 1

Is that the correct order?

thanks again, Tom Roche

[1]: https://lists.debian.org/debian-user/2015/01/msg00882.html
[2]: https://lists.debian.org/debian-user/2015/01/msg00892.html

Yes. Although the OpenVPN client shouldn't be adding those unless it was 
configured to do so (or the server pushed instructions to do so), or 
you're using some frontend like network-manager in which case you'd want 
to configure that frontend to not do that.


Matt Ventura





Re: network newbie seeks help combining routesets for VPN tunnel

2015-01-24 Thread Matt Ventura

On 1/24/2015 6:59 PM, Tom Roche wrote:

Tom Roche Sat, 24 Jan 2015 16:00:37 -0500 [1] (envvar names translated to 
`bash`ian)

[The "original routeset" on the client/laptop:]

1:  default via 192.168.1.1 dev eth0  proto static
2:  169.254.0.0/16 dev eth0  scope link  metric 1000
3:  192.168.1.0/24 dev eth0  proto kernel  scope link  src LOCAL_ETH0_IPN

[OpenVPN routeset, overwrites the original routeset:]
1:  0.0.0.0/1 via OPEN_VPN_ENDPT_IPN dev tun0
 # inherited from "original" route#=1?
2:  default via 192.168.1.1 dev eth0  proto static
3:  10.8.0.1 via OPEN_VPN_ENDPT_IPN dev tun0
4:  OPEN_VPN_ENDPT_IPN dev tun0  proto kernel  scope link  src 10.8.0.6
5:  128.0.0.0/1 via OPEN_VPN_ENDPT_IPN dev tun0
 # inherited from "original" route#=2?
6:  169.254.0.0/16 dev eth0  scope link  metric 1000
7:  OPEN_VPN_PUBLIC_IPN via 192.168.1.1 dev eth0
 # inherited from "original" route#=3?
8:  192.168.1.0/24 dev eth0  proto kernel  scope link  src LOCAL_ETH0_IPN
[F5VPN routeset, overwrites the OpenVPN routeset:]
1:  0.0.0.0/1 via F5_VPN_ENDPT_IPN dev ppp0  proto none  metric 1
 # inherited from "original" route#=1?
2:  default via 192.168.1.1 dev eth0  proto static
3:  10.144.0.1 dev ppp0  proto kernel  scope link  src F5_VPN_ENDPT_IPN
4:  128.0.0.0/1 via F5_VPN_ENDPT_IPN dev ppp0  proto none  metric 1
5:  F5_VPN_PUBLIC_IPN via OPEN_VPN_ENDPT_IPN dev tun0  proto none  metric 1
[my proposed new routeset:]
  # 1st route in Hartge's Trinity == OpenVPN route#=1 (compare with F5VPN route#=1)
  1:  0.0.0.0/1 via OPEN_VPN_ENDPT_IPN dev tun0
  # inherited from "original" route#=1 == OpenVPN route#=2 == F5VPN route#=2
  2:  default via 192.168.1.1 dev eth0  proto static
  # OpenVPN route#=3
  3:  10.8.0.1 via OPEN_VPN_ENDPT_IPN dev tun0
  # OpenVPN route#=4 , but what is the difference between 'src' and 'via'?
  4:  OPEN_VPN_ENDPT_IPN dev tun0  proto kernel  scope link  src 10.8.0.6
  # F5VPN route#=3
  5:  10.144.0.1 dev ppp0  proto kernel  scope link  src F5_VPN_ENDPT_IPN
  # 2nd route in Hartge's Trinity == OpenVPN route#=5 (compare with F5VPN route#=4)
  6:  128.0.0.0/1 via OPEN_VPN_ENDPT_IPN dev tun0
  # inherited from "original" route#=2 == OpenVPN route#=6 (absent in F5VPN routeset)
  7:  169.254.0.0/16 dev eth0  scope link  metric 1000
  # OpenVPN route#=7
  8:  OPEN_VPN_PUBLIC_IPN via 192.168.1.1 dev eth0
  # almost F5VPN route#=5 ... but which dev should this take? eth0, ppp0, tun0?
  9:  F5_VPN_PUBLIC_IPN via OPEN_VPN_ENDPT_IPN dev   proto none  metric 1
  # inherited from "original" route#=3 == OpenVPN route#=8 (absent in F5VPN routeset)
10:  default via 192.168.1.1 dev eth0  proto static

Matt Ventura Sat, 24 Jan 2015 15:04:55 -0800 [2] (slightly rearranged)

Basically, your final routing table, in plain English,

always tricky, that plain English :-)


should look like this:

Please correct me where I get it wrong:


1. Traffic to 192.168.1.0/24 should go through eth0

192.168.1.0/24 dev eth0  proto kernel  scope link  src ${LOCAL_ETH0_IPN}

which is original route#=3 == OpenVPN route#=8


#1 shouldn't ever be touched by either VPN.

OpenVPN respects it, but F5VPN removes it!


2. Traffic to the OpenVPN server's external IP should go through eth0 to 
192.168.1.1

${OPEN_VPN_PUBLIC_IPN} via 192.168.1.1 dev eth0

which is OpenVPN route#=7


#2 is something you'll probably need to manually add before (or after, not 
sure) starting the F5 VPN.

I should be able to script that (more below).


3. Traffic to the F5 VPN server's external IP (I assume this is the 134.x.x.x 
one)

(correct, though F5_VPN_PUBLIC_IPN changes per-connection, hence the 
parameterization)


should go through the OpenVPN ptp endpoint (10.8.0.5)

on dev=tun0? I.e.

${F5_VPN_PUBLIC_IPN} via ${OPEN_VPN_ENDPT_IPN} dev tun0  proto none  metric 1

If so, that's F5VPN route#=5


4. All other traffic should go through the F5 VPN's ptp endpoint (10.144.x.x).

Does '128.0.0.0/1' == 'all other traffic'? If so,

128.0.0.0/1 via ${F5_VPN_ENDPT_IPN} dev ppp0  proto none  metric 1

is F5VPN route#=4


The F5 client seems to be adamant about having route #4 in place, so we don't 
need to worry about that.

OK.


As mentioned above, you should remove the default routing to the OpenVPN server

i.e., proposed route#={1, 3, 4}, which are also OpenVPN route#={1, 3, 4}


and just have [F5_VPN_PUBLIC_IPN] route through the 10.8.0.5, rather than 0/1 
and 128/1.

i.e., F5VPN route#=5.

But then (IIUC) we're routing 128.0.0.0/1 but not 0.0.0.0/1. If so, does 
0.0.0.0/1 not need routed? (And why did I not take the networking elective when 
I got my BSCS ?-(

Meanwhile, assuming I understand correctly, it sounds like, after I start the 
F5VPN client on my client/laptop, I need to produce the routes given above with 
something like the foll

Re: network newbie seeks help combining routesets for VPN tunnel

2015-01-24 Thread Matt Ventura
ually serviced by `dev ppp0`).

Question 3: What am I missing? Conversely, what do I have that is superfluous?

Your assistance is appreciated! Tom Roche

[1]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[2]: https://lists.debian.org/debian-user/2015/01/msg00830.html
[3]: https://lists.debian.org/debian-user/2015/01/msg00831.html
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap
[5]: https://en.wikipedia.org/wiki/Thesis,_antithesis,_synthesis
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-productive-past
[7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5vpn-only-connection

Well, you don't need the 169 route unless you're actually doing 
something with link-local addresses.


You may want to just reconfigure the OpenVPN to not be used as a default 
route, but rather to just route traffic for any IPs needed for the 
operation of the F5 VPN to go through the OpenVPN. There's no real need 
for the OpenVPN link to ever be a default route since the F5 VPN 
overrides that.


Basically, your final routing table, in plain English, should look like 
this:

1. Traffic to 192.168.1.0/24 should go through eth0
2. Traffic to the OpenVPN server's external IP should go through eth0 to 
192.168.1.1
3. Traffic to the F5 VPN server's external IP (I assume this is the 
134.x.x.x one) should go through the OpenVPN ptp endpoint (10.8.0.5)
4. All other traffic should go through the F5 VPN's ptp endpoint 
(10.144.x.x).


The F5 client seems to be adamant about having route #4 in place, so we 
don't need to worry about that. As mentioned above, you should remove 
the default routing to the OpenVPN server and just have 134.x.x.x route 
through the 10.8.0.5, rather than 0/1 and 128/1. #2 is something you'll 
probably need to manually add before (or after, not sure) starting the 
F5 VPN. #1 shouldn't ever be touched by either VPN.


Matt Ventura


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: https://lists.debian.org/54c42517.2060...@mattventura.net



Re: SIOCDELRT, or: proper syntax to delete default route for an interface?

2015-01-23 Thread Matt Ventura

On 01/23/2015 04:05 AM, Sven Hartge wrote:

Matt Ventura  wrote:

me@client:~$ date ; sudo route -n
Thu Jan 22 11:48:48 EST 2015
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.144.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
128.0.0.0       10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
134.67.15.30    10.8.0.5        255.255.255.255 UGH   1      0        0 tun0

Try it with 0.0.0.0 instead of default. I didn't notice that the netmask
was 128.0.0.0 rather than 0.0.0.0. Not sure why it would do that or if
that has some kind of special meaning.

VPN clients normally use two routes as "default" route:

0.0.0.0/128.0.0.0    (or 0.0.0.0/1)
128.0.0.0/128.0.0.0  (or 128.0.0.0/1)

This way, the VPN client does not need to replace the existing default
route. Because those two new routes are more specific than 0/0, all
packages are routed into the tunnel and not to the old default gateway.

If the VPN client crashes (or the tunnel interface is removed) those
two routes are automatically removed too and the old default route is
active again.

If the client replaced the old default route then you would be left with
a system without any default route, because the new one would have been
deleted together with the tunnel interface.

Grüße,
Sven.

Well, that confirms my original suspicion. The F5 VPN is throwing its 
default route over the original one, and that's causing traffic to the 
OpenVPN server to try to route over the F5 VPN. Obviously this doesn't 
work because the traffic to the F5 VPN needs to go through the OpenVPN 
link, so it becomes circular.


What you need to do is add a route, something like:
route add  gw 192.168.1.1 dev eth0
so that the traffic to the OpenVPN server can be routed properly.

Matt Ventura



Archive: https://lists.debian.org/54c2b359.7000...@mattventura.net
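
The routing behaviour discussed in the message above, as an added example that is not part of the original thread: a Python model of longest-prefix matching over the quoted `route -n` table, showing why the two /1 routes capture all traffic, why the tunnel-in-tunnel encapsulation becomes circular, and why deleting "default" on ppp0 fails with "No such process". The OpenVPN server address `203.0.113.10` is a constructed placeholder, and the function names and the simplified deletion matching are assumptions of this example.

```python
import errno
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dest gw dev metric")

# Constructed placeholder (TEST-NET-3): the thread never gives the OpenVPN server's address.
OPENVPN_SERVER = "203.0.113.10"
# From the thread, which assumes this is the F5 VPN server.
F5_SERVER = "134.67.15.30"
# Where each tunnel interface sends its encapsulated (outer) packets.
TUNNEL_PEER = {"tun0": OPENVPN_SERVER, "ppp0": F5_SERVER}

# The `route -n` table quoted in the thread, with OpenVPN and the F5 VPN both up.
F5_ACTIVE_TABLE = [
    Route("0.0.0.0/1", "10.144.15.100", "ppp0", 1),
    Route("0.0.0.0/0", "192.168.1.1", "eth0", 0),
    Route("10.144.0.1/32", None, "ppp0", 0),
    Route("128.0.0.0/1", "10.144.15.100", "ppp0", 1),
    Route("134.67.15.30/32", "10.8.0.5", "tun0", 1),
]


def lookup(table, dst):
    """Longest-prefix match; equal prefix lengths are decided by the lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r.dest)]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r.dest).prefixlen, -r.metric))


def trace(table, dst):
    """Follow a packet through nested tunnels until it leaves on a physical
    interface. Returns (interfaces visited, True if the encapsulation loops)."""
    path = []
    while True:
        route = lookup(table, dst)
        if route is None:
            return path + ["unreachable"], False
        if route.dev in path:
            return path + [route.dev], True
        path.append(route.dev)
        if route.dev not in TUNNEL_PEER:
            return path, False
        dst = TUNNEL_PEER[route.dev]  # now route the tunnel's outer packet


def delete_route(table, dest, dev, gw=None):
    """Simplified model of route deletion: destination, prefix length and
    device must match an entry exactly (and the gateway, if one is given);
    otherwise the request fails with ESRCH, which `route` prints as
    "SIOCDELRT: No such process"."""
    net = ipaddress.ip_network(dest)
    for r in table:
        if ipaddress.ip_network(r.dest) == net and r.dev == dev and gw in (None, r.gw):
            return [x for x in table if x is not r]
    raise ProcessLookupError(errno.ESRCH, "SIOCDELRT: No such process")


def interface_down(table, dev):
    """Routes bound to an interface disappear with it (e.g. the VPN client crashes)."""
    return [r for r in table if r.dev != dev]


def with_server_pin(table):
    """The host route suggested in the reply: OpenVPN server via the LAN gateway."""
    return table + [Route(OPENVPN_SERVER + "/32", "192.168.1.1", "eth0", 0)]


if __name__ == "__main__":
    dst = "198.51.100.7"  # constructed destination somewhere on the internet
    print("as captured:   ", trace(F5_ACTIVE_TABLE, dst))
    print("with host route:", trace(with_server_pin(F5_ACTIVE_TABLE), dst))
    print("ppp0 removed:  ", lookup(interface_down(F5_ACTIVE_TABLE, "ppp0"), dst).dev)
    try:
        delete_route(F5_ACTIVE_TABLE, "0.0.0.0/0", "ppp0")  # "default" means /0
    except ProcessLookupError as exc:
        print("del default dev ppp0 ->", exc.strerror)
    print("del 0.0.0.0/1 dev ppp0 ->", len(delete_route(F5_ACTIVE_TABLE, "0.0.0.0/1", "ppp0")), "routes left")
```
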



Re: SIOCDELRT, or: proper syntax to delete default route for an interface?

2015-01-22 Thread Matt Ventura

On 1/22/2015 3:55 PM, Tom Roche wrote:

summary:

me@client:~$ sudo route del default ppp0
SIOCDELRT: No such process
me@client:~$ sudo route del default dev ppp0
SIOCDELRT: No such process
me@client:~$ sudo route del -net default dev ppp0
SIOCDELRT: No such process
me@client:~$ sudo route del -net default gw 10.144.15.234 dev ppp0
SIOCDELRT: No such process
me@client:~$ sudo route del -net default netmask 128.0.0.0 gw 10.144.15.234 dev ppp0
SIOCDELRT: No such process
me@client:~$ sudo route del -net default gw 0.0.0.0 dev ppp0
SIOCDELRT: No such process
me@client:~$ sudo route del -net default netmask 255.255.255.255 gw 0.0.0.0 dev ppp0
SIOCDELRT: No such process

details:

I'm trying to debug a VPN-related misconfiguration on a laptop (call it "the 
client") which is running

me@client:~$ cat /etc/debian_version
jessie/sid
me@client:~$ uname -rv
3.11-2-amd64 #1 SMP Debian 3.11.8-1 (2013-11-13)
me@client:~$ gcc --version | head -n 1
gcc (Debian 4.8.2-1) 4.8.2
me@client:~$ sudo route --version
[sudo] password for tlroche:
net-tools 1.60
route 1.98 (2001-04-15)
+NEW_ADDRT +RTF_IRTT +RTF_REJECT +I18N
AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK +ECONET +ROSE
HW:  +ETHER +ARC +SLIP +PPP +TUNNEL -TR +AX25 +NETROM +X25 +FR +ROSE +ASH +SIT 
+FDDI +HIPPI +HDLC/LAPB +EUI64

On this client, I have started an OpenVPN client (after previously starting an 
OpenVPN server in the cloud), logged into a remote-access website, and used 
that site's web UI to connect to an F5 SSL VPN (which I want to tunnel through 
the OpenVPN). (More details on the design goal here[1] and the problem 
configuration here[2].) This produces

me@client:~$ date ; sudo ifconfig
Thu Jan 22 11:48:43 EST 2015
eth0  Link encap:Ethernet  HWaddr
   inet addr:192.168.1.142  Bcast:192.168.1.255  Mask:255.255.255.0
   inet6 addr:
   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
   RX packets:10224715 errors:0 dropped:0 overruns:0 frame:0
   TX packets:6011530 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:1000
   RX bytes:12886933501 (12.0 GiB)  TX bytes:677423768 (646.0 MiB)
   Interrupt:20 Memory:f260-f262

lo    Link encap:Local Loopback
   inet addr:127.0.0.1  Mask:255.0.0.0
   inet6 addr: ::1/128 Scope:Host
   UP LOOPBACK RUNNING  MTU:65536  Metric:1
   RX packets:497 errors:0 dropped:0 overruns:0 frame:0
   TX packets:497 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:0
   RX bytes:51273 (50.0 KiB)  TX bytes:51273 (50.0 KiB)

# Note I get slightly different IP#s for interface=ppp0 each time I run this 
scenario.

ppp0  Link encap:Point-to-Point Protocol
   inet addr:10.144.15.234  P-t-P:10.144.0.1  Mask:255.255.255.255
   UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
   RX packets:6 errors:0 dropped:0 overruns:0 frame:0
   TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:3
   RX bytes:56 (56.0 B)  TX bytes:2418 (2.3 KiB)

tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
   inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
   UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
   RX packets:4 errors:0 dropped:0 overruns:0 frame:0
   TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:100
   RX bytes:304 (304.0 B)  TX bytes:304 (304.0 B)

me@client:~$ date ; sudo route -n
Thu Jan 22 11:48:48 EST 2015
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.144.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
128.0.0.0       10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
134.67.15.30    10.8.0.5        255.255.255.255 UGH   1      0        0 tun0

Once at that point, I'm directed[3] (IIUC) to delete the default route being 
set by the F5VPN, for debugging. Furthermore, I need to do this quickly, 
because (and this is the problem with the current misconfiguration) the 
misconfiguration causes the OpenVPN tunnel to fail quickly, which breaks the 
situation I want to debug.

Hence it is quite infuriating that I cannot seem to find the correct `route` 
syntax to do this:

me@client:~$ sudo route del default ppp0
SIOCDELRT: No such process

me@client:~$ sudo route del default dev ppp0
SIOCDELRT: No such process

me@client:~$ sudo route del -net default dev ppp0
SIOCDELRT: No such process

me@client:~$ sudo route del -net default gw 10.144.15.234 dev ppp0
SIOCDELRT: No such process

me@client:~$ sudo route del -net default netmask 128.0.0.0 gw 10.144.15.234 dev ppp0
SIOCDELRT: No such process

me@client:~$ 

Re: network newbie seeks assistance debugging iptables for VPN tunnel

2015-01-22 Thread Matt Ventura

On 1/22/2015 9:43 AM, Tom Roche wrote:

summary: Smells like progress! If I'm guessing correctly, the `route` changes 
imposed by connecting to the F5VPN[3] are conflicting with my server/jumpbox's 
current `iptables` (through which my client seeks to tunnel[7]). Does that claim 
seem warranted? If so, how to fix the server firewall?

details:

Matt Ventura Wed, 21 Jan 2015 09:58:38 -0800 [1]

First thing to check would be the routing table while the VPN is active.

Tom Roche Wed, 21 Jan 2015 16:33:43 -0500 [2]

The `route -n` for while the OpenVPN connection is active is here[3],
which is part of a longer section[4] with "all the gory details" ...

Matt Ventura Wed, 21 Jan 2015 22:18:57 -0800 [5]

I meant the routing table when the F5 VPN is active, when the connectivity 
breaks.

The bad news is, I should have realized that :-) The good news is, that seems 
quite revealing, esp in the now-upgraded context of the revised 
connectivity-debugging scenario[3] (which I also reran to verify results): 
connecting to the F5VPN (after logging into the remote-access website) creates 
an interface=ppp0 and extensively rewrites the routing table!

https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt

### 4. After connecting to F5VPN (requires login to remote-access website)

...

me@client:~$ date ; sudo route -n
Thu Jan 22 11:48:48 EST 2015
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.144.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
128.0.0.0       10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
134.67.15.30    10.8.0.5        255.255.255.255 UGH   1      0        0 tun0

So now I'm guessing that:

1. (from `whois 134.67.15.30`) 134.67.15.30 is the agency's VPN server.

2. I need to reconcile the above `route`ing with my server's current firewall 
config[6]:

https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt

Chain INPUT (policy ACCEPT)
target        prot opt source           destination
fail2ban-ssh  tcp  --  anywhere         anywhere      multiport dports ssh
ACCEPT        all  --  anywhere         anywhere
ACCEPT        all  --  anywhere         anywhere

Chain FORWARD (policy ACCEPT)
target        prot opt source           destination
ACCEPT        all  --  anywhere         anywhere      state RELATED,ESTABLISHED
ACCEPT        all  --  10.8.0.0/24      anywhere
REJECT        all  --  anywhere         anywhere      reject-with icmp-port-unreachable
ACCEPT        all  --  anywhere         anywhere
ACCEPT        all  --  anywhere         anywhere

Chain OUTPUT (policy ACCEPT)
target        prot opt source           destination

Chain fail2ban-ssh (1 references)
target        prot opt source           destination
DROP          all  --  222.186.34.202   anywhere
RETURN        all  --  anywhere         anywhere

So my questions are:

1. Am I guessing correctly?
2. If so, how to reconcile the `route`ing change imposed by the F5VPN with my 
server's current firewall config[6]?

Thanks again for your prompt assistance, Tom Roche

[1]: https://lists.debian.org/debian-user/2015/01/msg00733.html
[2]: https://lists.debian.org/debian-user/2015/01/msg00744.html
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-dns-problem
[5]: https://lists.debian.org/debian-user/2015/01/msg00761.html
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
[7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution


I'm assuming ppp0 is the F5 VPN interface. Try deleting the first entry 
in the routing table after bringing up the F5 VPN
(something like 'route del default ppp0' if memory serves) and see if it 
fixes the problem.


This will probably break connectivity to the VPN until you restart it, 
but see if you can access the internet in general.


Also, another option would be to simply run the F5 VPN client on the 
linode.


Matt Ventura



Archive: https://lists.debian.org/54c1485e.2060...@mattventura.net



Re: network newbie seeks assistance debugging iptables for VPN tunnel

2015-01-21 Thread Matt Ventura

On 1/21/2015 1:33 PM, Tom Roche wrote:

Tom Roche Wed, 21 Jan 2015 12:50:04 -0500 [1]


I need to tunnel one SSL VPN (F5, running on one debian host) through
another (OpenVPN, running on another debian host), but lose networking
(e.g., `ping`) after the F5 VPN connects. I'm not sure whether this
is due to my firewall/iptables or VPN configuration, but suspect the
former. Unfortunately I am not knowledgeable regarding networking, so
I'd appreciate any assistance you could provide.

...

slightly revised ASCII art

                                            <-MY CONTROL  AGENCY CONTROL->
                                                     firewall
+----------+      +-----------+      +---------------+   |   +---------+
| laptop + |      | linode  + |      | remote-access |   |   | cluster |
| F5NAP  + |<-->  | OpenVPN   |<-->  | website +     |<-|->  | node(s) |
| OpenVPN  |      | server  + |      | F5VPN server  |   |   |         |
| client   |      | security  |      |               |   |   |         |
+----------+      +-----------+      +---------------+   |   +---------+

Matt Ventura Wed, 21 Jan 2015 09:58:38 -0800 [2]

First thing to check would be the routing table while the VPN is active.

The `route -n` for while the OpenVPN connection is active is here[3], which is part of a 
longer section[4] with "all the gory details" ...

and thanks! your prompt assistance is appreciated, Tom 
Roche

[1]: https://lists.debian.org/debian-user/2015/01/msg00732.html
[2]: https://lists.debian.org/debian-user/2015/01/msg00733.html
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-dns-problem


Sorry, I meant the routing table when the F5 VPN is active, when the 
connectivity breaks.


Matt Ventura



Archive: https://lists.debian.org/54c09651.3070...@mattventura.net



Re: network newbie seeks assistance debugging iptables for VPN tunnel

2015-01-21 Thread Matt Ventura

On 1/21/2015 9:50 AM, Tom Roche wrote:

[note: following contains ASCII art in the middle, and footnoted links at the 
end]

summary: I need to tunnel one SSL VPN (F5, running on one debian host) through 
another (OpenVPN, running on another debian host), but lose networking (e.g., 
`ping`) after the F5 VPN connects. I'm not sure whether this is due to my 
firewall/iptables or VPN configuration, but suspect the former. Unfortunately I 
am not knowledgeable regarding networking, so I'd appreciate any assistance you 
could provide.

details:

I need to remotely (off the physical LAN) SSH into some firewalled compute clusters to do 
environmental modeling (e.g., this[1]). Formerly I could do this from my debian laptop using the 
cluster-provider-mandated F5VPN[2]. However, access policy changed[3] (notably to require a single 
registered IP#), so I can no longer do this "directly" (i.e., just running the F5VPN from 
my laptop). I seek to adapt to the new policy (and resume work on my project) by implementing a VPN 
tunnel "through" a debian linode. Design details here[4], but my design can be roughly 
summarized with the following ASCII art (appropriately rendered here[4]):


First thing to check would be the routing table while the VPN is active. 
If the VPN client doesn't automatically add a route for the VPN server 
through your normal gateway, but does add a default route through the 
VPN, then it will break your connectivity because it's trying to send 
all traffic through the VPN, including the traffic to the actual VPN 
server. Post your 'route' table and I'll have a look.



Matt Ventura



Archive: https://lists.debian.org/54bfe8ce.9010...@mattventura.net



Re: wifi connection tool?

2014-12-30 Thread Matt Ventura

On 12/30/2014 07:26 AM, Mart van de Wege wrote:

Andrei POPESCU  writes:


On Lu, 29 dec 14, 15:58:06, Vincent Lefevre wrote:

This is for Network Manager (which I'm not using since it handles
the full network configuration, but I already have my own for
Ethernet, and I don't want it to be broken).

If I'm not mistaken it can be configured to not handle connections
already handled by ifupdown.


Network devices which are configured in /etc/network/interfaces will
   typically be managed by ifupdown. Such devices will by default be
   marked as "unmanaged" in NetworkManager.

From /usr/share/doc/network-manager/README.Debian

I used to run a configuration like that, so I can confirm that this
works indeed.

(For completeness' sake: I used to have the static network config of my
workstation configured on the box itself, until I decided that it would
be a lot simpler to just set up a static association on my DHCP server
and just let NM handle all the network issues on my clients)

Mart

In addition, if you'd like to manually tell n-m to not manage interfaces, you
can add a section like this to your /etc/NetworkManager/NetworkManager.conf:

[keyfile]
unmanaged-devices=mac:01:02:03:04:05:06;mac:00:11:22:33:44:55



Archive: https://lists.debian.org/54a2f7fe.4010...@mattventura.net



Re: Image cloning software

2014-12-16 Thread Matt Ventura

On 12/15/2014 03:26 PM, Miroslav Skoric wrote:

On 12/09/2014 11:11 PM, Andrei POPESCU wrote:



You should probably provide more details about the installation to be
cloned and hardware where the clone will be used.

Kind regards,
Andrei



Here it is:

'Source 1' hardware: Desktop CPU Celeron 400 MHz, RAM 224 MB, HDD 21 
GB (a half of a 41 GB ATA Maxtor)
'Source 1' OS: Debian 6.0.10 (Gnome, KDE, LXDE, Xfce), LILO dual-boot 
with Windows XP


'Source 2' hardware: Compaq Presario CQ56 CPU Pentium Dual-Core T4500 
2.30 GHz, RAM 1.37 GB, HDD 320 GB (encrypted LVM)

'Source 2' OS: only Debian 7.7 (Gnome, KDE, LXDE, Xfce), LILO

'Target' hardware: Desktop CPU AMD Athlon 1.1 GHz, RAM 512 MB, HDD 41 
GB (a half of a 82 GB ATA Maxtor)

'Target' OS: LILO for dual-boot with Windows XP

Regards,

M.


Going from an older CPU to a newer one shouldn't cause problems, and 
going from a newer one to an older one is fine as long as it's not 
extremely old. You might want to check and make sure that whatever 
kernel is being used on Source 2 will support the CPU on Target. Memory 
shouldn't ever cause problems, unless a machine simply doesn't have 
enough. Dual booting also shouldn't be that difficult. I'm not sure if 
LILO automatically picks up on your Windows install and adds it as a 
boot option, but I know GRUB does.
The only issue is the hard drive space. Going from a smaller hard drive 
to a larger one isn't a problem (dd the partition contents, then use the 
appropriate resize program such as resize2fs), but going from a larger 
partition to a smaller one is harder. Your best bet is to grab another 
hard drive (well, you'll need one to boot off of anyway so you can copy 
partitions around), copy the partition there, resize it down to the 
minimum, copy it to the final disk, then resize it up to the full 
partition size. Lastly, install the bootloader.




Archive: https://lists.debian.org/54902bd3.9050...@mattventura.net



Re: Headless server just got suspended by updating systemd

2014-11-23 Thread Matt Ventura

On 11/23/2014 8:31 PM, John Hasler wrote:

Joel Rees writes:

So, what should Patrick file the bug against?

I'd file against udev.  That may not be correct but if not the
maintainers will sort it out.  Just explain that you are not certain of
the exact package and why.

I think the bug here IMO is that a system simply shouldn't *do* things 
in general without me telling it to. If I close the lid of my laptop, 
unless I have told it to suspend when I do so, then it shouldn't 
suspend. I should be telling my machine to do the things I want it to 
do, not telling it to not do the things I don't want it to do.




Archive: https://lists.debian.org/5472bb06.6030...@mattventura.net



Re: Headless server just got suspended by updating systemd

2014-11-23 Thread Matt Ventura

On 11/23/2014 2:36 PM, Patrick Wiseman wrote:

I am NOT starting another flamewar about systemd, but I was just
upgrading a headless system (an old T61p laptop which has no
functioning screen any more but which otherwise runs well and which I
use as an internal webserver) by running aptitude in an ssh session.
All went well until udev got upgraded, when I lost contact with the
server and could not ping it.

Looking at the laptop, I noticed that the suspend indicator was on,
even though I have had power management ignore the lid switch. I
opened the lid and it resumed. I was able again to ping and ssh into
the server. However, 'w' told me that the machine had been up for 85
days, which meant it was time to reboot. I did that - it took a VERY
long time to come back up, compared with how quickly it used to reboot
- but when I closed the lid, it suspended again.

It turns out that logind, a piece of systemd, has taken over power
management by default. Editing /etc/systemd/logind.conf so that it
contains "HandleLidSwitch=ignore" and restarting logind (with 'sudo
systemctl restart systemd-logind')[1] has corrected the problem.

My situation is probably rather unusual and so others may not run into
the same problem, but just in case, this information may help.

Patrick
  [1] See http://unix.stackexchange.com/questions/52643/how-to-disable-auto-suspend-when-i-close-laptop-lid,
which I found by Googling.



What version of udev was it running before the upgrade?



Archive: https://lists.debian.org/547290ae.2090...@mattventura.net



Re: What provides /dev/disk/by-uuid?

2014-11-19 Thread Matt Ventura

On 11/19/2014 12:10 PM, Sven Joachim wrote:

On 2014-11-19 20:45 +0100, Matt Ventura wrote:


What module/script/thing actually provides /dev/disk/by-uuid and
by-label?

Those are created by udev, the rules are in the file
/lib/udev/rules.d/60-persistent-storage.rules.


I'm asking because I disabled some things in my kernel
config and now I no longer have those (neither before mounting root
nor when fully booted). If I go back to my old kernel config, it works
fine. What do I need to put in my kernel or initramfs to get these
working?

You did not specify which udev version you have, but the one in Jessie
needs CONFIG_DEVTMPFS=y.  See /usr/share/doc/systemd/README.gz (if
systemd is installed) for other requirements.

Cheers,
Sven


I'm using unstable. udevd --version says 215. I tried restarting udev 
manually but they didn't appear, and that script is in place (in the 
booted system, not sure about the initramfs).



--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: https://lists.debian.org/546cfa7f.4050...@mattventura.net



Re: What provides /dev/disk/by-uuid?

2014-11-19 Thread Matt Ventura

On 11/19/2014 12:02 PM, Andrei POPESCU wrote:

On Mi, 19 nov 14, 11:45:40, Matt Ventura wrote:

What module/script/thing actually provides /dev/disk/by-uuid and by-label?
I'm asking because I disabled some things in my kernel config and now I no
longer have those (neither before mounting root nor when fully booted). If I
go back to my old kernel config, it works fine. What do I need to put in my
kernel or initramfs to get these working?

You could post the diff between the configs, I'm sure some of the people
building their own kernels will spot it ;)

Kind regards,
Andrei

I think this is it, although I doubt anyone wants to look through this 
whole thing.


http://termbin.com/lw1y

In hindsight I probably should have done this more incrementally.



Archive: https://lists.debian.org/546cf9d3.3060...@mattventura.net



What provides /dev/disk/by-uuid?

2014-11-19 Thread Matt Ventura
What module/script/thing actually provides /dev/disk/by-uuid and 
by-label? I'm asking because I disabled some things in my kernel config 
and now I no longer have those (neither before mounting root nor when 
fully booted). If I go back to my old kernel config, it works fine. What 
do I need to put in my kernel or initramfs to get these working?




Archive: https://lists.debian.org/546cf364.1000...@mattventura.net



Re: running two CPU's in parallel with e.g. Beowulf in the same box.....

2014-11-18 Thread Matt Ventura

On 11/18/2014 10:29 AM, Michael Fothergill wrote:

Dear Folks,

Out of interest, if I installed two Kaveri motherboads side by side in 
the same box (if there would be enough room e.g. in a HAF-x box, could 
I use something like Beowulf to run them in tandem?


Could I not set it up so that I could run one board most of the time 
and only switch on the  power (and Beowulf) when I wanted to do so?


How well would the two APU's work together?

Regards

Michael Fothergill
Tempus fugit , sed Latini etiam sugit 


You'll run into issues with power. Unless you're going to stuff 2 power 
supplies in the case, you have to buy or create splitters for the main 
power connector and the CPU power connector.


You won't be able to have one on and the other off, at least not 
completely, because you're powering them with a single power supply. 
Then you've still got the issue of the case not really supporting two 
motherboards.


You're probably better off getting two small cases and just having two 
separate machines. Then, you can have one power off the other and turn 
it back on with wake-on-lan as necessary.


Re: "Lennart Poettering Linux" -- some real eye openers here ... don't be blindsided!

2014-11-10 Thread Matt Ventura

On 11/9/2014 11:01 PM, Matthias Urlichs wrote:

Hi,

Andrew McGlashan:

Forwarding a message "as is" from another mailing list ... very relevant
to Linux and the systemd dilemma.


No, it is not.

Sorry, but requiring an up-to-date kernel (or any other infrastructure you
rely on) instead of maintaining workarounds and compatibility code in
perpetuity makes perfect sense.

If you don't like that choice, you have a lot of legitimate options

* use another init
* use an older version of systemd
* upgrade your kernel
* back-port the features you want/need

Note that bitching about upstream choices on debian-vote is not included in
this list.

The problem is that option #1 is becoming less and less viable due to more and
more packages pulling in systemd dependencies, sometimes completely
unnecessarily from a functionality standpoint.

I use systemd on a laptop and a desktop (voluntarily, not because of
dependencies), but it's fairly clear that there are enough reasons for systemd
to not be forced on people.

I find it quite ironic that people are complaining about a GR being used to
force a decision on people when this whole thing started because systemd is
being forced on people.



Archive: https://lists.debian.org/5460797c.8000...@mattventura.net



Re: Best way to "pin" a kernel

2014-09-12 Thread Matt Ventura

I'm just doing 'make deb-pkg' on the kernel, and installing
the resulting package. From what I can tell, update-grub isn't
treating it special in any way, just picking the highest-numbered
kernel.

It looks like my best bet is to probably change the behavior
in the 10_linux script to only choose from kernel version numbers
that have my custom suffix to be the highest kernel.

On 09/12/2014 05:57 AM, Jonathan Dowland wrote:

On Thu, Sep 11, 2014 at 08:27:46AM -0700, Matt Ventura wrote:

Quick question: I want Debian to not switch Grub2 to a new kernel when I update
it, since I have a custom kernel on a particular machine. When I install a new
kernel from apt, I don't want to immediately use it. What's the cleanest way of
doing this?

How does your custom kernel get into the grub2 configuration - i.e. which bit
of /etc/grub.d defines the custom kernel boot instructions?

If it's a custom file (XX_custom) that you wrote yourself, make sure it is
numbered lower than the files which generate the lines for Debian/other
kernels, it will then be the 'first' OS that is defined. I think '06_' would be
suitably low (the first OS-defining configuration item in my directory is
10_linux, so you'd want earlier than that, but after some of the pre-OS boiler
plate, the latest of which for me is 05_debian_theme). Grub2 defaults to the
first item (this is configurable in /etc/default/grub).

Once you've made the necessary changes run update-grub to generate the grub2
config file.






Archive: https://lists.debian.org/54133846.20...@mattventura.net
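
The two suggestions in this message (an /etc/grub.d file numbered below 10_linux, and choosing only among kernels with the custom suffix) combined into one script, as an added example that is not part of the thread. The `-custom` suffix, the function names and the assumption that /boot sits on the root filesystem are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): save as /etc/grub.d/06_custom,
# make it executable, then run update-grub.
# Assumptions: custom kernels carry the hypothetical suffix "-custom",
# images are named vmlinuz-<version>, and /boot is on the root filesystem.
SUFFIX="-custom"

# Print the highest version in boot dir $1 whose name ends in suffix $2.
newest_custom() {
    for img in "$1"/vmlinuz-*"$2"; do
        [ -e "$img" ] || continue            # glob matched nothing
        basename "$img" | sed 's/^vmlinuz-//'
    done | sort -V | tail -n 1
}

# Print a menuentry for version $1 on filesystem UUID $2; $3 is the boot dir.
emit_entry() {
    ver=$1; uuid=$2; bootdir=$3
    echo "menuentry 'Pinned kernel $ver' {"
    echo "    search --no-floppy --fs-uuid --set=root $uuid"
    echo "    linux /boot/vmlinuz-$ver root=UUID=$uuid ro quiet"
    if [ -e "$bootdir/initrd.img-$ver" ]; then
        echo "    initrd /boot/initrd.img-$ver"
    fi
    echo "}"
}

# Only emit when run by grub-mkconfig under its installed name, so the
# entry generated here is the first one in grub.cfg and becomes the default.
case "$0" in
    */06_custom)
        ver=$(newest_custom /boot "$SUFFIX")
        if [ -n "$ver" ]; then
            emit_entry "$ver" "$(grub-probe --target=fs_uuid /)" /boot
        fi
        ;;
esac
```

With this entry first, kernels installed from apt still appear in the menu but are never booted by default, so fixes shipped in the packaged kernel only take effect once the custom kernel is rebuilt from updated source.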



Best way to "pin" a kernel

2014-09-11 Thread Matt Ventura
Quick question: I want Debian to not switch Grub2 to a new kernel when I
update it, since I have a custom kernel on a particular machine. When I
install a new kernel from apt, I don't want to immediately use it. What's
the cleanest way of doing this?

Matt Ventura



Archive: https://lists.debian.org/5411bf72.9050...@mattventura.net



Re: Make n-m not touch WWAN

2014-09-05 Thread Matt Ventura

On 9/5/2014 7:24 PM, B wrote:

On Fri, 05 Sep 2014 19:12:32 -0700
Matt Ventura  wrote:


I'll probably file a bug report somewhere about this, but in the
meantime, is there a way to just get it to ignore the card? Or does
enabling mobile broadband in the menu activate the card without really
doing anything? I don't want it using any unnecessary cpu/mem/power
compared to before the update that broke this.

Ace Ventura


You can file a bug if you want, but I don't think it is one.

The problem is the MODEM is apparently not dissociable
from the GPS.  If it is really so, you're stuck.




They're dissociable in that they share a control channel
(ttyUSB0 = control, ttyUSB1 = data, ttyUSB2 = GPS output) and they
share the rfkill.

However, before some update at some point (I don't know where
exactly because ironically I used to have my rc.local rfkill the
card to save some battery life since I didn't need GPS), n-m
would allow me to leave the card in that state where I don't
"Mobile Broadband" in the menu is disabled, but it didn't rfkill
the card. If having MB enabled but not connected to any network
does exactly the same thing, then that would be an acceptable
solution to my problem.

I can live with this regression since it's a bit of a corner case,
but there's definitely at least one bug in all of this: it shouldn't
be removing the option to (re)enable the card because it no longer
sees it.

Matt Ventura



Archive: https://lists.debian.org/540a750e.4000...@mattventura.net



Re: Make n-m not touch WWAN

2014-09-05 Thread Matt Ventura

On 9/5/2014 2:10 PM, Michael Biebl wrote:


Am 05.09.2014 21:14, schrieb Matt Ventura:

I don't recall this happening until recent updates, but on my laptop
with testing installed, any time network-manager starts/restarts, it
will rfkill my WWAN card. I use the card exclusively as a GPS, so I
want n-m to pretend it doesn't exist. Is there something like
unmanaged-devices but for WWAN cards?


You could try something like

[keyfile]
unmanaged-devices=mac:00:11:22:33:44:55

in /etc/NetworkManager/NetworkManager.conf

But the problem is that the card doesn't actually expose any network
interface until I tell n-m to actually connect to a cellular network with
the card (I don't have a plan for the card so it obviously fails). Even
then, it's just a ppp interface with no MAC address, so I don't know what
I would put in the config.

This bug seems to be deeper though. When I rfkill unblock the card, after
some time the option in n-m applet's context menu to enable mobile
broadband will appear. However, if I enable this option and disable it, it
will rfkill the card and I will lose that option to toggle it in the menu.
It looks like this is a bug with how n-m handles the card. The card
(Sierra Wireless MC5725) will drop off the USB entirely, so I guess n-m
thinks the card is gone and doesn't give me the option to re-enable it.

As for why it disables it to begin with, it appears that if you have the
"Mobile Broadband" option disabled in the menu, it will rfkill the card
for you. Except in this case, it becomes a chicken-and-egg problem because
it ends up hiding the card from itself and thinking it doesn't exist, thus
not giving me the option to enable it to begin with.

I'll probably file a bug report somewhere about this, but in the meantime,
is there a way to just get it to ignore the card? Or does enabling mobile
broadband in the menu activate the card without really doing anything? I
don't want it using any unnecessary cpu/mem/power compared to before the
update that broke this.

Matt Ventura



Archive: https://lists.debian.org/540a6d90.5060...@mattventura.net



Make n-m not touch WWAN

2014-09-05 Thread Matt Ventura

I don't recall this happening until recent updates, but on my laptop
with testing installed, any time network-manager starts/restarts, it
will rfkill my WWAN card. I use the card exclusively as a GPS, so I
want n-m to pretend it doesn't exist. Is there something like
unmanaged-devices but for WWAN cards?

Matt Ventura



Archive: https://lists.debian.org/540a0baf.8050...@mattventura.net



Re: IP Forwarding to Windows machine

2014-08-08 Thread Matt Ventura

On 8/8/2014 12:04 AM, Mike McClain wrote:

 I've been trying to get my hand rolled iptables firewall to
masquerade traffic on the LAN to/from a Win2K box. I've gotten it to
the point that I can ping from the boxes both ways, smbclient can move
files both ways and the Win2K box can ping Google's IP address but DNS
lookup fails even though I've used the same DNS server in the Win2K
box as on my Debian box which access the Inet via dialup. IE says
"Cannot find server or DNS error."
 I've read every HOWTO and the iptables man pages several times but
am at a loss.
 Suggestions?
Thanks,
Mike

Can you post the exact output of the nslookup attempt from the win2k box?

Thanks,
Matt Ventura



Archive: https://lists.debian.org/53e5a085.6010...@mattventura.net



xfwm troubles and systemd questions

2014-07-11 Thread Matt Ventura

1. My xfwm4 seems to remember what workspaces I have windows
on for the next time I open them. The problem is, I don't want
it to do this because it will do things like open a window
on another workspace minimized so I can't even see where it
is without flipping through every workspace. I want all new
windows to simply appear on the current workspace.

2. Is there a way to tell systemd (or whatever controls
backlight) which backlight to use with brightness up/down keys?
I have /sys/class/acpi_video0 and intel_backlight, and I'd rather
it use the intel_backlight since it lets the backlight go down to
0 and has better resolution.

3. Is there a way to tell systemd or whatever else is managing
my screen to do absolutely nothing when the laptop lid is closed,
not even turning off the backlight? The hardware already does
this so I have no need for any software to try to manage the backlight.



Archive: https://lists.debian.org/53c02f86.7000...@mattventura.net



Re: Clone GPT partition table - with Lenny ?

2014-07-06 Thread Matt Ventura

On 7/6/2014 1:56 PM, B wrote:

On Sun, 06 Jul 2014 13:41:15 -0700
Matt Ventura  wrote:


You don't need to know, you just use dd over the entire disk (i.e.
sda instead of sda1).

Yup.


Just to be clear, you're trying to copy the entire disk with all
its partitions, right?

I think you also read too fast, apparently he just wanna
have the same partition table.

Which RAID doesn't care, eg:
dsk0 partition = 100 (sectors, GB, whatever)
dsk1 " = 101 or 4242.42

RAID will only pick 100 on dsk1 partition to achieve
its work.
This was mandatory from the very beginning, as HDz,
even from the same brand, had not the same number
of heads, track , etc .

Well if he just needs the partition table but no data (it sounded like
that, but I don't understand the reason for doing that), then according
to wikipedia he should copy the first 34*512 bytes and the last 33*512
bytes onto the new disk.



Archive: https://lists.debian.org/53b9bd87.7040...@mattventura.net
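
The two regions named in the message above, copied with dd, as an added example that is not part of the thread. It assumes 512-byte sectors and the default 128-entry partition array (the source of the 34 and 33 sector counts), uses hypothetical function names, and refuses a target of a different size because the GPT header records absolute LBAs.

```shell
#!/bin/sh
# Added example (not from the thread): copy only the GPT metadata regions
# between two disks or images of identical size.
# Assumptions: 512-byte logical sectors and the default 128 x 128-byte
# partition entry array.
SECTOR=512
HEAD_SECTORS=34   # LBA 0 protective MBR + LBA 1 header + 32 sectors of entries
TAIL_SECTORS=33   # 32 sectors of backup entries + backup header in the last LBA

# Size in bytes of a block device or a regular image file.
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        n=$(wc -c < "$1") || return 1
        echo $((n))
    fi
}

# clone_gpt_regions SRC DST: copy the first 34 and last 33 sectors.
clone_gpt_regions() {
    src=$1; dst=$2
    src_bytes=$(size_of "$src") || return 1
    dst_bytes=$(size_of "$dst") || return 1
    # The header stores absolute LBAs (its own, the backup's, last usable),
    # so a byte copy is only valid onto a target of exactly the same size.
    if [ "$src_bytes" -ne "$dst_bytes" ]; then
        echo "size mismatch: $src_bytes vs $dst_bytes bytes" >&2
        return 1
    fi
    total=$((src_bytes / SECTOR))
    if [ "$total" -lt $((HEAD_SECTORS + TAIL_SECTORS)) ]; then
        echo "target too small to hold a GPT" >&2
        return 1
    fi
    tail_start=$((total - TAIL_SECTORS))
    # conv=notrunc keeps dd from truncating a regular-file target.
    dd if="$src" of="$dst" bs=$SECTOR count=$HEAD_SECTORS \
       conv=notrunc 2>/dev/null || return 1
    dd if="$src" of="$dst" bs=$SECTOR count=$TAIL_SECTORS \
       skip=$tail_start seek=$tail_start conv=notrunc 2>/dev/null || return 1
}
```

A byte-for-byte copy also duplicates the disk GUID and every partition GUID, so the two disks expose identical identifiers when attached to the same system.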



Re: Clone GPT partition table - with Lenny ?

2014-07-06 Thread Matt Ventura

On 7/6/2014 1:37 PM, Steve Litt wrote:

On Sun, 6 Jul 2014 22:20:55 +0200
B  wrote:


On Sun, 06 Jul 2014 20:54:10 +0100
Ron Leach  wrote:


Is there, in Lenny, a command or tool for cloning a GPT?

Use dd, it'll take a looong time but you'll have a bit copy.


But...

How do you know how much to copy? GPT partitions vary in length.

SteveT

Steve Litt*  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance


You don't need to know, you just use dd over the entire disk (i.e. sda 
instead of sda1).


Just to be clear, you're trying to copy the entire disk with all its 
partitions, right?




Archive: https://lists.debian.org/53b9b46b.8010...@mattventura.net



Re: wifi & bluetooth deactivation problem

2014-07-04 Thread Matt Ventura

On 7/4/2014 2:16 PM, B wrote:

On Fri, 4 Jul 2014 22:36:43 +0200
B  wrote:


Ze ozer problem iz: I'd like to independently turn on/off wifi&
bt.

I answer myself: rfkill block wifi||bluetooth
but LEDs stays on, which isn't very useful :((


Check if the LEDs in question are accessible through /sys/class/leds



Archive: https://lists.debian.org/53b761ac.4000...@mattventura.net



Re: flakey wifi access

2014-06-30 Thread Matt Ventura

On 6/30/2014 5:20 PM, Brian Flaherty wrote:

On 06/29/2014 07:50 PM, tom arnall wrote:

my wicd agent is unable to connect to wifi at mcDonald's, both in
mexico and the states. it's fine with my home wifi and the coffee shop
i go to. it also fails on the network at the campus where i teach in
mexico.




I had used wicd for months without problems, but last spring, I was 
unable to get on a WPA/WPA2 access point. The password was correct. 
Several other devices were connected. After a few days, I was able to 
get a cable connection and install networkmanager. I tried it and 
worked without problem. Didn't have time to work out what the issue 
was and I'm still just using networkmanager.




In my case, the issue was with the underlying driver with the card plus 
wicd's poor handling of failures. The connection would drop, but wicd 
would continue to try to do DHCP on the connection, so it would sit 
there for a while spinning its wheels. Networkmanager would actually see 
the failures and restart the connection process until it worked. Using 
NM instead of wicd can be a good way to cover up driver issues.




Archive: https://lists.debian.org/53b20422.5080...@mattventura.net



Re: GTK crashing X?

2014-06-30 Thread Matt Ventura

On 6/30/2014 4:29 PM, Brian wrote:

On Mon 30 Jun 2014 at 15:41:48 -0700, Matt Ventura wrote:


The card shows up as:
01:09.0 VGA compatible controller: Advanced Micro Devices, Inc.
[AMD/ATI] Rage XL PCI (rev 27)

I'm hesitant to apt-get --purge autoremove since it wants to remove systemd.

If I install xorg and fvwm, it works fine. I can run xclock, it
shows up, and I can move it around.
When I install xfce4, then startx crashes with the segfault at 0xc,
signal 11.

You weigh up

http://lists.opensuse.org/archive/opensuse-bugs/2014-02/msg02602.html

and the links in it and see if there is anything comparable in the BTS.
Then go from there.



Thanks, the "ExaNoComposite" option worked for me.



Archive: https://lists.debian.org/53b1f6bc.1080...@mattventura.net



Re: GTK crashing X?

2014-06-30 Thread Matt Ventura

On 6/30/2014 2:54 PM, Brian wrote:

On Mon 30 Jun 2014 at 13:12:01 -0700, Matt Ventura wrote:


On 6/30/2014 10:43 AM, Brian wrote:

6. Hopefully report success. :)



...

Could be hardware, I suppose. Switch to a tty with CTL-ALT-F1. Login as a
user and get the video card data from the command 'lspci'.

While you are out of X ALT-F2 gives you another console to log in as
root and remove lightdm with

apt-get purge lightdm

Because I like to be tidy I'd now return the machine to a more or less
basic configuration

apt-get purge fonts* x11-* dbus xfce4*

followed by

apt-get --purge autoremove

Now

apt-get install xorg fvwm

and, as a user

startx

How does this go? If ok 'apt-get install xfce4' and 'startx'.



The card shows up as:
01:09.0 VGA compatible controller: Advanced Micro Devices, Inc. 
[AMD/ATI] Rage XL PCI (rev 27)


I'm hesitant to apt-get --purge autoremove since it wants to remove systemd.

If I install xorg and fvwm, it works fine. I can run xclock, it shows 
up, and I can move it around.
When I install xfce4, then startx crashes with the segfault at 0xc, 
signal 11.






Archive: https://lists.debian.org/53b1e7ac.1060...@mattventura.net



Re: GTK crashing X?

2014-06-30 Thread Matt Ventura

On 6/30/2014 10:43 AM, Brian wrote:

On Mon 30 Jun 2014 at 10:23:38 -0700, Matt Ventura wrote:


Well, all I did was netinstall stable with xfce, log in once,
add testing repos, and dist-upgrade. I could just try directly
netinstalling testing, and if it's broken out of the box then
it's almost certainly a bug, right?

You could try:

1. Install without choosing Xfce. Untick the desktop item when asked to
select software.

2. You'll boot into a tty. Login and change sources.list to "jessie".

3. Update, upgrade and dist-upgrade.

4. Reboot. Login and

apt-get install task-xfce-desktop

or

apt-get install xfce4 lightdm

The first gives you what d-i gives you. The second has fewer packages
but is fine. I'd choose the latter.

5. Reboot.

6. Hopefully report success. :)



Nope, installed lightdm after doing a dist-upgrade and rebooting, still
has the same issue. Starts X, displays a cursor for a couple seconds,
then crashes and repeatedly tries to restart lightdm.

I'm still wondering if it has something to do with the video card, since
another issue is that when I dist-upgrade and it upgrades GRUB, it tries
to do a graphical boot, but it gets the monitor refresh rate wrong and
can't display the menu. I have to manually set it to a lower resolution
(native is 1280x1024) to get it to work.



Archive: https://lists.debian.org/53b1c491.1050...@mattventura.net



Re: GTK crashing X?

2014-06-30 Thread Matt Ventura

On 6/30/2014 11:53 AM, rob wrote:

On 29/06/14 19:16, Matt Ventura wrote:

I've got a pretty old machine (Celeron 2.8 GHz, ATI rage XL). It's been
running Debian fine for years, but I reinstalled recently. Installed
stable (chose XFCE as desktop environment), everything worked fine
(lightdm worked, xfce worked). Did a dist-upgrade to testing (also tried
unstable), and now neither lightdm nor xfce works (lightdm goes into an
endless crash loop, xfce sends me back to the login screen). I can
manually start an X server, and it can display basic programs like
xclock fine. But as soon as I start a GTK application (or at least I
think it's GTK causing the problem), X crashes with "Segmentation fault
at address 0xc" "Fatal server error: Caught signal 11 (Segmentation
fault). Server aborting". There's nothing in the log immediately before
the error other than the backtrace.

There doesn't appear to be a problem with any of those components
individually, since xfce and individual applications will both run
perfectly fine if I display them on another machine's X, so I'm not even
sure what to file a bug under.




Which gtk application(s)?
I have the issue with chromium, (as a start-up application), since an 
upgrade on 18/06.

Which video drivers are you using, xorg-xserver-video-* or AMD(ATI)?

rob


Well, lightdm itself crashes it. I also tried with various xfce 
applications like thunar and the xfce panel.

Gnome applications also seem to crash it.



Archive: https://lists.debian.org/53b1b5cc.7090...@mattventura.net



Re: GTK crashing X?

2014-06-30 Thread Matt Ventura

On 6/30/2014 10:13 AM, Brian wrote:

On Mon 30 Jun 2014 at 09:11:01 -0700, Matt Ventura wrote:


The system otherwise works completely fine. Packages operations work
fine, so I don't think that's where the problem lies. There was no
downgrading, just upgraded to testing and it didn't work, figured I
might as well check if it was fixed in unstable since it was a fresh
install so there was nothing to lose.

It looks like stable has 1:7.7+3~deb7u1 for xserver-xorg, 2.24.10-2
for gtk2, and 3.4.2-7 for gtk3. Testing has 1:7.7+7, 2.24.23-1, and
3.12.2-1+b1.  Unstable is the same except gtk2 is 2.24.23-1.

Considering we don't know exactly where you started from and your
upgrading is not repeatable (making thoughts of bugs premature), what
are your thoughts now?

1. Reinstall stable and stick with it? (After all, it worked).

2. Go for Jessie? (In a slightly different way than previously).



Well, all I did was netinstall stable with xfce, log in once,
add testing repos, and dist-upgrade. I could just try directly
netinstalling testing, and if it's broken out of the box then
it's almost certainly a bug, right?

There's some other issues that I'd like to report (and/or workaround)
as well so I'm holding off on reinstalling stable.



Archive: https://lists.debian.org/53b19d1a.5080...@mattventura.net



Re: GTK crashing X?

2014-06-30 Thread Matt Ventura

On 6/30/2014 4:12 AM, Chris Bannister wrote:

On Sun, Jun 29, 2014 at 11:16:58AM -0700, Matt Ventura wrote:

I've got a pretty old machine (Celeron 2.8 GHz, ATI rage XL). It's been
running Debian fine for years, but I reinstalled recently. Installed stable
(chose XFCE as desktop environment), everything worked fine (lightdm worked,
xfce worked). Did a dist-upgrade to testing (also tried unstable), and now

Did you downgrade to testing from unstable?


neither lightdm nor xfce works (lightdm goes into an endless crash loop,
xfce sends me back to the login screen). I can manually start an X server,
and it can display basic programs like xclock fine. But as soon as I start a
GTK application (or at least I think it's GTK causing the problem), X
crashes with "Segmentation fault at address 0xc" "Fatal server error: Caught
signal 11 (Segmentation fault). Server aborting". There's nothing in the log
immediately before the error other than the backtrace.

There doesn't appear to be a problem with any of those components
individually, since xfce and individual applications will both run perfectly
fine if I display them on another machine's X, so I'm not even sure what to
file a bug under.

I'd check the package versions from what you say above about trying stable
unstable and testing. Is the system in a sane state? i.e. does an
apt-get update/upgrade occur without issue?

Just as an aside, if stable was working fine why did you upgrade?

The system otherwise works completely fine. Packages operations work
fine, so I don't think that's where the problem lies. There was no
downgrading, just upgraded to testing and it didn't work, figured I might
as well check if it was fixed in unstable since it was a fresh install so
there was nothing to lose.

It looks like stable has 1:7.7+3~deb7u1 for xserver-xorg, 2.24.10-2 for
gtk2, and 3.4.2-7 for gtk3. Testing has 1:7.7+7, 2.24.23-1, and
3.12.2-1+b1. Unstable is the same except gtk2 is 2.24.23-1.




Archive: https://lists.debian.org/53b18c15.2080...@mattventura.net



Re: flakey wifi access

2014-06-29 Thread Matt Ventura
I've had something similar happen, but it turned out that the problem 
wasn't wicd but rather the driver for the card itself. Can you check if 
the problem occurs with something other than wicd? Also, what wifi card?


On 6/29/2014 7:50 PM, tom arnall wrote:

my wicd agent is unable to connect to wifi at mcDonald's, both in
mexico and the states. it's fine with my home wifi and the coffee shop
i go to. it also fails on the network at the campus where i teach in
mexico.






Archive: https://lists.debian.org/53b0d2cc.1010...@mattventura.net



GTK crashing X?

2014-06-29 Thread Matt Ventura
I've got a pretty old machine (Celeron 2.8 GHz, ATI rage XL). It's been 
running Debian fine for years, but I reinstalled recently. Installed 
stable (chose XFCE as desktop environment), everything worked fine 
(lightdm worked, xfce worked). Did a dist-upgrade to testing (also tried 
unstable), and now neither lightdm nor xfce works (lightdm goes into an 
endless crash loop, xfce sends me back to the login screen). I can 
manually start an X server, and it can display basic programs like 
xclock fine. But as soon as I start a GTK application (or at least I 
think it's GTK causing the problem), X crashes with "Segmentation fault 
at address 0xc" "Fatal server error: Caught signal 11 (Segmentation 
fault). Server aborting". There's nothing in the log immediately before 
the error other than the backtrace.


There doesn't appear to be a problem with any of those components 
individually, since xfce and individual applications will both run 
perfectly fine if I display them on another machine's X, so I'm not even 
sure what to file a bug under.




Archive: https://lists.debian.org/53b0581a.8050...@mattventura.net