Re: Help upgrade to JDK-21

2024-09-06 Thread Dan Ritter
Arbol One wrote: 
> I'd like to upgrade from JDK-17 to JDK-21.
> Since I am new to, well, Linux in general, I'd like to know from anyone
> who'd done this upgrade if this would be OK under Debian 12 (No
> free-firmware packages please).
> Any advice would be much appreciated.


Debian stable (12) does not have openjdk 21; you will need to
get it from another source.

https://openjdk.org/install/

If you install it in /opt, and reference it specifically
whenever you want a program to use it, that should not cause
problems.

-dsr-



Re: Help installing gdb package using apt

2024-07-15 Thread Demetrius Stanton
Hello everyone,

Thank you so much for your assistance on this matter. The solution was
found.

Updating the sources list to include:
deb http://deb.debian.org/debian/ bookworm main non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware

# bookworm-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware

seems to have fixed my issue.

I believe this is entirely a problem of my own causing. My initial plan for
this system was to keep it offline. I later decided to take it online. I
updated the sources list with a single source, thinking that one would be
necessary to get connected, and it worked... for a while.

Thanks again for all the help!

Demetrius Stanton


On Mon, Jul 15, 2024 at 5:59 PM Tom Dial wrote:

> Hi Demetrius.
>
> See the embedded observations below.
>
> On 7/15/24 05:42, Demetrius Stanton wrote:
> > Hi!
> >
> > My name is Demetrius Stanton. It was suggested that I reach out for a
> > problem I'm experiencing trying to install gdb on my system. I'm willing to
> > submit whatever information is necessary to try and get this issue resolved.
> >
> > I recently encountered a weird error, and I can't seem to find a fix
> > online. When I run the command `sudo apt update && sudo apt install gdb -y`,
> > I receive a 404 error stating failed to fetch
> > https://deb.debian.org/debian/pool/main/g/glibc/libc6-dbg_2.36-9%2bdeb12u*4*_amd64.deb.
> > When I navigate to the https://deb.debian.org/debian/pool/main/g/glibc/
> > site, I'm able to find libc6-dbg_2.36-9+deb12u*7*_amd64.deb. Though I'm
> > reasonably confident I could use wget to download and then dpkg to install
> > this file, I am concerned I could adversely affect the stability of my
> > system. I'm sure it would be safer for me to use apt to manage my packages.
> >
> > How do I proceed forward from here?
> >
> > I posed this question to debian-rele...@lists.debian.org and received the
> > following in response:
> >
> > "
> > Welcome to Debian.
> >
> > You might be able to resolve this issue you have by running
> >
> >     sudo apt update
> >
> > followed by
> >
> >     sudo apt full-upgrade
> >
> > and resolve resulting errors, if any occur, and then try reinstalling
> > gdb. The particular error - attempting to fetch and install what looks like
> > an out of date version of libc6-dbg_2.36-9 - suggests your system might not
> > be fully up to date. If that helps, good; otherwise:
> >
> > You would do better to ask this question on the debian-user list
> > (debian-user@lists.debian.org). It is a fairly active list that includes
> > people with a wide range of knowledge and who generally are willing to help.
> >
> > You should provide additional information (and will be asked to do so if
> > you do not), since what you give above is a bit sketchy. In particular, I
> > suggest you include in the question a copy of your /etc/apt/sources.list
> > and any files that are in the directory /etc/apt/sources.list.d. It might
> > also be useful to include a copy of your /etc/debian_version and
> > /etc/os-release files, which will establish the exact update level of your
> > system.
> >
> > In general, it is probably a bad idea to poke around in /debian/pool/ in
> > the distribution repository for things to install. Those directories
> > contain software for several releases and mixing versions from different
> > releases may, as you suspect, result in an unstable system. Using apt is
> > much safer, but depends on correct setup of the files in the /etc/apt/
> > directory that describe the range of software installed.
> >
> > Regards,
> >
> > "
> > Attempting the prescribed fix yielded the following:
> >
> > $ sudo apt update && sudo apt full-upgrade
> > [sudo] password for demetrius:
> > Hit:1 https://dl.google.com/linux/chrome/deb stable InRelease
> > Hit:2 https://deb.debian.org/debian bookworm InRelease
> > Hit:3 https://packages.microsoft.com/repos/code stable InRelease
> > Hit:4 https://brave-browser-apt-release.s3.brave.com stable InRelease
> > Reading package lists... Done
> > Building dependency tree... Done
> > Reading state information... Done
> > All packages are up to date.
> > N: Repository 'Debian bookworm' changed its 'firmware component' value from 'non-free' to 'non-free-firmware'

Re: Help installing gdb package using apt

2024-07-15 Thread Tom Dial

Hi Demetrius.

See the embedded observations below.



On 7/15/24 05:42, Demetrius Stanton wrote:

> Hi!
>
> My name is Demetrius Stanton. It was suggested that I reach out for a problem
> I'm experiencing trying to install gdb on my system. I'm willing to submit
> whatever information is necessary to try and get this issue resolved.
>
> I recently encountered a weird error, and I can't seem to find a fix online.
> When I run the command `sudo apt update && sudo apt install gdb -y`, I receive
> a 404 error stating failed to fetch
> https://deb.debian.org/debian/pool/main/g/glibc/libc6-dbg_2.36-9%2bdeb12u*4*_amd64.deb.
> When I navigate to the https://deb.debian.org/debian/pool/main/g/glibc/ site,
> I'm able to find libc6-dbg_2.36-9+deb12u*7*_amd64.deb. Though I'm reasonably
> confident I could use wget to download and then dpkg to install this file, I
> am concerned I could adversely affect the stability of my system. I'm sure it
> would be safer for me to use apt to manage my packages.
>
> How do I proceed forward from here?
>
> I posed this question to debian-rele...@lists.debian.org and received the
> following in response:
>
> "
> Welcome to Debian.
>
> You might be able to resolve this issue you have by running
>
>     sudo apt update
>
> followed by
>
>     sudo apt full-upgrade
>
> and resolve resulting errors, if any occur, and then try reinstalling gdb. The
> particular error - attempting to fetch and install what looks like an out of
> date version of libc6-dbg_2.36-9 - suggests your system might not be fully up
> to date. If that helps, good; otherwise:
>
> You would do better to ask this question on the debian-user list
> (debian-user@lists.debian.org). It is a fairly active list that includes
> people with a wide range of knowledge and who generally are willing to help.
>
> You should provide additional information (and will be asked to do so if you do
> not), since what you give above is a bit sketchy. In particular, I suggest you
> include in the question a copy of your /etc/apt/sources.list and any files that
> are in the directory /etc/apt/sources.list.d. It might also be useful to
> include a copy of your /etc/debian_version and /etc/os-release files, which
> will establish the exact update level of your system.
>
> In general, it is probably a bad idea to poke around in /debian/pool/ in the
> distribution repository for things to install. Those directories contain
> software for several releases and mixing versions from different releases may,
> as you suspect, result in an unstable system. Using apt is much safer, but
> depends on correct setup of the files in the /etc/apt/ directory that describe
> the range of software installed.
>
> Regards,
>
> "
> Attempting the prescribed fix yielded the following:
>
> $ sudo apt update && sudo apt full-upgrade
> [sudo] password for demetrius:
> Hit:1 https://dl.google.com/linux/chrome/deb stable InRelease
> Hit:2 https://deb.debian.org/debian bookworm InRelease
> Hit:3 https://packages.microsoft.com/repos/code stable InRelease
> Hit:4 https://brave-browser-apt-release.s3.brave.com stable InRelease
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> All packages are up to date.
> N: Repository 'Debian bookworm' changed its 'firmware component' value from 'non-free' to 'non-free-firmware'
> N: More information about this can be found online in the Release notes at: https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.html#non-free-split
>
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> Calculating upgrade... Done
> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> $ sudo apt install gdb -y
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> The following additional packages will be installed:
>   libbabeltrace1 libboost-regex1.74.0 libc6-dbg libdebuginfod-common libdebuginfod1 libipt2 libsource-highlight-common
>   libsource-highlight4v5
> Suggested packages:
>   gdb-doc gdbserver
> The following NEW packages will be installed:
>   gdb libbabeltrace1 libboost-regex1.74.0 libc6-dbg libdebuginfod-common libdebuginfod1 libipt2 libsource-highlight-common
>   libsource-highlight4v5
> 0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
> Need to get 7,458 kB/12.5 MB of archives.
> After this operation, 28.4 MB of additional disk space will be used.
> Err:1 https://deb.debian.org/debian bookworm/main amd64 libc6-dbg amd64 2.36-9+deb12u4


This version of libc6-dbg, 2.36-9+deb12u4, is not the current one, and 

Re: Help installing gdb package using apt

2024-07-15 Thread Lee
On Mon, Jul 15, 2024 at 11:07 AM Demetrius Stanton wrote:
>
> Hi!
>
> My name is Demetrius Stanton. It was suggested that I reach out for a problem 
> I'm experiencing trying to install gdb on my system. I'm willing to submit 
> whatever information is necessary to try and get this issue resolved.
>
> I recently encountered a weird error, and I can't seem to find a fix online.
> When I run the command `sudo apt update && sudo apt install gdb -y`, I
> receive a 404 error stating failed to fetch
> https://deb.debian.org/debian/pool/main/g/glibc/libc6-dbg_2.36-9%2bdeb12u4_amd64.deb.
> When I navigate to the https://deb.debian.org/debian/pool/main/g/glibc/
> site, I'm able to find libc6-dbg_2.36-9+deb12u7_amd64.deb. Though I'm
> reasonably confident I could use wget to download and then dpkg to install
> this file, I am concerned I could adversely affect the stability of my
> system. I'm sure it would be safer for me to use apt to manage my packages.
>
> How do I proceed forward from here?
>
> I posed this question to  and received the 
> following in response:
>
> "
> Welcome to Debian.
>
> You might be able to resolve this issue you have by running
>
>     sudo apt update
>
> followed by
>
>     sudo apt full-upgrade
>
> and resolve resulting errors, if any occur, and then try reinstalling gdb. 
> The particular error - attempting to fetch and install what looks like an out 
> of date version of libc6-dbg_2.36-9 - suggests your system might not be fully 
> up to date. If that helps, good; otherwise:

  <.. snip ..>
> Attempting the prescribed fix yielded the following:
>
> $ sudo apt update && sudo apt full-upgrade
> [sudo] password for demetrius:
> Hit:1 https://dl.google.com/linux/chrome/deb stable InRelease
> Hit:2 https://deb.debian.org/debian bookworm InRelease
> Hit:3 https://packages.microsoft.com/repos/code stable InRelease
> Hit:4 https://brave-browser-apt-release.s3.brave.com stable InRelease

You're missing bookworm-security and bookworm-updates from your
sources list.  Try it again with them in your /etc/apt/sources.list

lee@laptop:~$ cat /etc/apt/sources.list
#deb cdrom:[Debian GNU/Linux 12.5.0 _Bookworm_ - Official amd64 NETINST with firmware 20240210-11:27]/ bookworm contrib main non-free-firmware

deb http://deb.debian.org/debian/ bookworm main non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware

deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware

# bookworm-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware

Regards,
Lee
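
The gap diagnosed above (a sources list with no bookworm-security or bookworm-updates entry, so the machine never sees security or point-release updates) can be checked mechanically. The script below is an added example, not code from anyone in this thread; the function names are hypothetical and the two sample inputs are constructed from the sources.list contents quoted in the thread.

```shell
#!/bin/sh
# Added example: find standard Debian suites that have no active "deb" line.
# Covers one-line-style entries only; deb822 *.sources files are not parsed.

# list_suites [FILE...]: print the suite of every active "deb" entry
# (reads stdin when no file is given). "deb-src" and commented lines are skipped.
list_suites() {
    awk '
        $1 == "deb" {
            i = 2
            # An optional [opt=val ...] block may span several fields.
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            # Field i is the URI, field i+1 the suite.
            if (i + 1 <= NF) print $(i + 1)
        }
    ' "$@"
}

# missing_suites CODENAME [FILE...]: print each expected suite that is absent.
missing_suites() {
    codename=$1
    shift
    found=$(list_suites "$@")
    for suite in "$codename" "$codename-security" "$codename-updates"; do
        printf '%s\n' "$found" | grep -qxF -- "$suite" || printf '%s\n' "$suite"
    done
}

# Constructed sample: the single-source list that led to the 404.
sample_before() {
    cat <<'EOF'
# deb cdrom:[Debian GNU/Linux 12.2.0 _Bookworm_ - Official amd64 DVD Binary-1 with firmware 20231007-10:29]/ bookworm main non-free-firmware
deb https://deb.debian.org/debian/ bookworm main contrib
deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main
EOF
}

# Constructed sample: the list after the fix.
sample_after() {
    cat <<'EOF'
deb http://deb.debian.org/debian/ bookworm main non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware
EOF
}

echo "before fix, missing: $(sample_before | missing_suites bookworm | tr '\n' ' ')"
echo "after fix, missing:  $(sample_after | missing_suites bookworm | tr '\n' ' ')"
```

On a real system the same check is `missing_suites bookworm /etc/apt/sources.list /etc/apt/sources.list.d/*.list`.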



Re: Help installing gdb package using apt

2024-07-15 Thread Pranjal Singh

Hi Demetrius,

On 15/07/24 17:12, Demetrius Stanton wrote:

> [...]
> I recently encountered a weird error, and I can't seem to find a fix
> online. When I run the command `sudo apt update && sudo apt install
> gdb -y`, I receive a 404 error stating failed to fetch
> https://deb.debian.org/debian/pool/main/g/glibc/libc6-dbg_2.36-9%2bdeb12u*4*_amd64.deb.
> When I navigate to the
> https://deb.debian.org/debian/pool/main/g/glibc/ site, I'm able to
> find libc6-dbg_2.36-9+deb12u*7*_amd64.deb. Though I'm reasonably
> confident I could use wget to download and then dpkg to install this
> file, I am concerned I could adversely affect the stability of my
> system. I'm sure it would be safer for me to use apt to manage my
> packages.



A quick fix might be to use a different Debian mirror:

https://www.debian.org/mirror/list

This is a bad solution, however, even if it works.
I am curious what it is and am looking forward to the big people
to diagnose and solve it.

Regards,
Pranjal



Re: Help installing gdb package using apt

2024-07-15 Thread The Wanderer
On 2024-07-15 at 07:42, Demetrius Stanton wrote:

> Hi!
> 
> My name is Demetrius Stanton. It was suggested that I reach out for a
> problem I'm experiencing trying to install gdb on my system. I'm willing to
> submit whatever information is necessary to try and get this issue
> resolved.
> 
> I recently encountered a weird error, and I can't seem to find a fix
> online. When I run the command `sudo apt update && sudo apt install gdb -y`,
> I receive a 404 error stating failed to fetch
> https://deb.debian.org/debian/pool/main/g/glibc/libc6-dbg_2.36-9%2bdeb12u*4*_amd64.deb.

> How do I proceed forward from here?
> 
> I posed this question to  and received the
> following in response:



> The particular error - attempting to fetch and install what looks like an
> out of date version of libc6-dbg_2.36-9 - suggests your system might not be
> fully up to date.



> You should provide additional information (and will be asked to do so if
> you do not), since what you give above is a bit sketchy. In particular, I
> suggest you include in the question a copy of your /etc/apt/sources.list
> and any files that are in the directory /etc/apt/sources.list.d.



> Attempting the prescribed fix yielded the following:
> 
> $ sudo apt update && sudo apt full-upgrade
> [sudo] password for demetrius:
> Hit:1 https://dl.google.com/linux/chrome/deb stable InRelease
> Hit:2 https://deb.debian.org/debian bookworm InRelease
> Hit:3 https://packages.microsoft.com/repos/code stable InRelease
> Hit:4 https://brave-browser-apt-release.s3.brave.com stable InRelease



> Err:1 https://deb.debian.org/debian bookworm/main amd64 libc6-dbg amd64 2.36-9+deb12u4
>   404  Not Found [IP: 2a04:4e42:d::644 443]
> E: Failed to fetch https://deb.debian.org/debian/pool/main/g/glibc/libc6-dbg_2.36-9%2bdeb12u4_amd64.deb  404  Not Found [IP: 2a04:4e42:d::644 443]
> E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
>
> So now I'm reaching out.
> Here's the info that was recommended I add:
>
> $ cat /etc/apt/sources.list
> # deb cdrom:[Debian GNU/Linux 12.2.0 _Bookworm_ - Official amd64 DVD Binary-1 with firmware 20231007-10:29]/ bookworm main non-free-firmware
> deb https://deb.debian.org/debian/ bookworm main contrib
> $ ls /etc/apt/sources.list.d/
> brave-browser-release.list  google-chrome.list  vscode.list
> $ cat /etc/apt/sources.list.d/brave-browser-release.list
> deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main
> $ cat /etc/apt/sources.list.d/google-chrome.list
> ### THIS FILE IS AUTOMATICALLY CONFIGURED ###
> # You may comment out this entry, but any other modifications may be lost.
> deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main
> $ cat /etc/apt/sources.list.d/vscode.list
> ### THIS FILE IS AUTOMATICALLY CONFIGURED ###
> # You may comment out this entry, but any other modifications may be lost.
> deb [arch=amd64,arm64,armhf] https://packages.microsoft.com/repos/code stable main

This sources.list file is missing entries for the portions of the
archive that contain the debug-symbols packages.

For comparison, here is a trio of successive lines from my own
sources.list:

>> deb http://ftp.us.debian.org/debian/ testing main non-free non-free-firmware contrib
>> deb-src http://ftp.us.debian.org/debian/ testing main non-free non-free-firmware contrib
>> deb http://debug.mirrors.debian.org/debian-debug/ testing-debug main non-free non-free-firmware contrib

These specify where APT should look for A: the binary packages, B: the
source packages, and D: the debug-symbols packages, for Debian testing.

(I configure sources list with the names 'stable', 'testing', and 'sid',
rather than using the release codenames; I do this on purpose, but it is
typically recommended to use the release codenames, and you are probably
correct for your situation that you use them.)


Try adding

deb https://debug.mirrors.debian.org/debian-debug/ bookworm-debug main contrib

(and/or similar for any other official Debian repositories you want to
get debug packages from), and repeating the suggested 'apt update'
command, then installing the desired package(s) again.

I don't think a full-upgrade will be necessary in your circumstances,
although it would *probably* not hurt. If the install attempt still
fails, you can try 'apt full-upgrade' and see whether it produces
something reasonable.

> If there's anything you can suggest to help, it would be greatly
> appreciated!

I hope that is enough to lead you somewhere useful!

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw





Re: Help! secure boot is preventing boot of debian

2024-06-02 Thread Richmond
"Thomas Schmitt"  writes:

> Hi,
>
> Richmond wrote:
>> OK I got it booted and re-installed grub from debian. But I don't
>> know why it happened, I haven't changed any keys or done anything
>> except an opensuse update. I will ask the opensuse list
>
> I remember to have seen discussions about newly installed shim adding
> names of older shims or bootloaders to something called SBAT.  I find
> in my mailbox a mail with a link to
> https://bugzilla.opensuse.org/show_bug.cgi?id=1209985
>
> About SBAT i found in the web:
>   https://www.gnu.org/software/grub/manual/grub/html_node/Secure-Boot-Advanced-Targeting.html
>   https://github.com/rhboot/shim/blob/main/SBAT.md
>
>
> Have a nice day :)
>
> Thomas

Thanks. They have a wiki on how to fix this:

https://en.opensuse.org/openSUSE:UEFI#Reset_SBAT_string_for_booting_to_old_shim_in_old_Leap_image

I found re-installing debian's grub easier, until next time perhaps...



Re: Help! secure boot is preventing boot of debian

2024-06-02 Thread Thomas Schmitt
Hi,

Richmond wrote:
> OK I got it booted and re-installed grub from debian. But I don't know
> why it happened, I haven't changed any keys or done anything except an
> opensuse update. I will ask the opensuse list

I remember to have seen discussions about newly installed shim adding
names of older shims or bootloaders to something called SBAT.
I find in my mailbox a mail with a link to
  https://bugzilla.opensuse.org/show_bug.cgi?id=1209985

About SBAT i found in the web:
  https://www.gnu.org/software/grub/manual/grub/html_node/Secure-Boot-Advanced-Targeting.html
  https://github.com/rhboot/shim/blob/main/SBAT.md


Have a nice day :)

Thomas



Re: Help! secure boot is preventing boot of debian

2024-06-01 Thread Richmond
Marco Moock writes:

> On 01.06.2024 at 20:01:43, Richmond wrote:
>
>> Should I disable secure boot temporarily? will that allow booting?
>
> That should allow booting it.
>
> Have you changed anything at the keys in the EFI (maybe UEFI
> firmware update)?

OK I got it booted and re-installed grub from debian. But I don't know
why it happened, I haven't changed any keys or done anything except an
opensuse update. I will ask the opensuse list



Re: Help! secure boot is preventing boot of debian

2024-06-01 Thread Marco Moock
On 01.06.2024 at 20:01:43, Richmond wrote:

> Should I disable secure boot temporarily? will that allow booting?

That should allow booting it.

Have you changed anything at the keys in the EFI (maybe UEFI
firmware update)?

-- 
Regards
Marco

Send unsolicited bulk mail to 1717264903mu...@cartoonies.org



Re: Help to report a bug related to a usb3 lan adapter driver

2024-04-15 Thread Charles Curley
On Mon, 15 Apr 2024 20:57:00 +0200
user7415 same wrote:

> I had a discussion in stack exchange related to the problem that is
> well explained here:
> https://unix.stackexchange.com/questions/774594/debian-12-all-of-sudden-my-usb3-lan-adapter-get-assigned-random-mac-address-ea
> 
> For what I understood the problem was fixed in 6.8, but I'm using
> debian 12 that will never use that so much new kernel I guess, could
> you help me to report officially the bug so that the upstream channel
> will correct it by the 6.1.0-22 version ?

Bookworm backports has linux-image-6.6.13+bpo-amd64. You might try that.
https://backports.debian.org/

It just so happens I have one of the same beasties. I just plugged it
in to a machine running kernel 6.6.13+bpo-amd64, unplugged it, waited
20 seconds, and plugged it in to another machine running kernel
6.5.0-0.deb12.4-amd64. I then plugged it into a machine with
6.6.13+bpo-amd64. All three times I got a MAC address of
8c:ae:4c:d6:22:17. So either of those kernels might well work for you.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: help needed to get a bookworm install to succeed

2024-04-05 Thread Curt
On 2024-04-01, Michel Verdier wrote:
> On 2024-04-01, DdB wrote:
>
>>> A computer with a 6-core processor, 64 GB memory, and 9 drive bays/
>>> ports that cannot boot USB?  That does not make sense.
>>
>> Why not?
>
> Perhaps because usb boot is available since a very long time
>

The OP informed us that the board was over ten years old, and does not
offer USB booting.

I would assume he would know, and you would not.




SOLVED (was: Re: help needed to get a bookworm install to succeed)

2024-04-01 Thread DdB
On 01.04.2024 at 18:52, David Christensen wrote:
> A bad USB flash drive would explain why you cannot boot the Debian
> installer.  Please buy a good quality USB 3.0+ flash drive and try again.

A friend of mine just let me use an external CD-Drive with the netboot
image. This is already the third time, i am restarting the installation
process, due to my false assumptions about the intelligence within the
installer.

The last time, i was quite happy until i came to notice, that partitions
were not aligned with physical sector boundaries, which i assumed would
be elementary best practice.

But apart from losing some of my illusions the hard way, all is well.
A big thank you to all the crowd offering suggestions and encouragement.

so long, DdB



Re: help needed to get a bookworm install to succeed

2024-04-01 Thread David Christensen

On 4/1/24 03:10, DdB wrote:
> On 01.04.2024 at 07:44, David Christensen wrote:
> > Please post a console session that identifies the ISO you are using,
> > verifies the checksum, burns the ISO to a USB flash drive, and compares
> > the ISO against the flash drive.
>
> Ok, in the meantime, i came to similar conclusions and found that the
> USB-stick i was using, had consistent read errors at the first 2
> gigabytes after having been used for years as memory extension in my
> router. Fixed that and will replace the stick.

A bad USB flash drive would explain why you cannot boot the Debian
installer.  Please buy a good quality USB 3.0+ flash drive and try again.



David



Re: help needed to get a bookworm install to succeed

2024-04-01 Thread Michel Verdier
On 2024-04-01, DdB wrote:

>> A computer with a 6-core processor, 64 GB memory, and 9 drive bays/
>> ports that cannot boot USB?  That does not make sense.
>
> Why not?

Perhaps because usb boot is available since a very long time

> *should* is the correct word. The board being over 10 years old, it does
> not offer USB booting, no way.

I have one 20+ old which can usb boot but need to switch it in the
bios. The usb choice appears in the bios only after having plugged the
usb device. And of course detecting a valid usb device. You should check
that.



Re: help needed to get a bookworm install to succeed

2024-04-01 Thread DdB
On 01.04.2024 at 07:44, David Christensen wrote:
> 
> 
> A computer with a 6-core processor, 64 GB memory, and 9 drive bays/
> ports that cannot boot USB?  That does not make sense.

Why not?

> 
> 
> Please post a console session that identifies the ISO you are using,
> verifies the checksum, burns the ISO to a USB flash drive, and compares
> the ISO against the flash drive.

Ok, in the meantime, i came to similar conclusions and found that the
USB-stick i was using, had consistent read errors at the first 2
gigabytes after having been used for years as memory extension in my
router. Fixed that and will replace the stick.

> 
> 
> Then insert the USB flash drive into a USB port on the target
> computer, power up and enter Setup, reset the settings to factory
> defaults, enable USB booting, set the USB flash drive as the first boot
> device, save, and exit.  The Debian installer should then boot.

*should* is the correct word. The board being over 10 years old, it does
not offer USB booting, no way. It is an early server board that supports
that much ECC, which is great for zfs.
> 
> 
> David

But i received many hints and ideas and just have to wait for a friend
of mine to overcome my physical handicap to see some progress. :-)

Tx 2 everyone
DdB



Re: help needed to get a bookworm install to succeed

2024-03-31 Thread David Christensen

On 3/31/24 02:18, DdB wrote:

> Hello list,
>
> i intend to create a huge backup server from some oldish hardware.
> Hardware has been partly refurbished and offers 1 SSD + 8 HDD on a 6core
> Intel with 64 GB RAM.
> Already before assembling the hardware, grub was working from the SSD,
> which got lvm partitioning and is basically empty. As i have no working
> CD drive nor can this old machine boot from USB, i put an ISO for
> bookworm onto an lvm-LV. Using grub, i can manually boot from that ISO
> and see the first installer screens. But after asking some questions,
> the installer wants to mount the external media (ISO), and does not find
> it on sd[a-z], then aborts.
> By switching to Desktop 4, i can see the attempt to search for the
> "CD"-drive, which is bound to fail.
> I am not familiar with the very restricted shell, that is available from
> the installer (busybox) and have not yet found an approach to circumvent
> my problems. i would like to use the installer, as debootstrapping would
> necessitate a lot more knowledge than mine.
>
> Suggestions are welcome :-)
> DdB

A computer with a 6-core processor, 64 GB memory, and 9 drive bays/
ports that cannot boot USB?  That does not make sense.

Please post a console session that identifies the ISO you are using,
verifies the checksum, burns the ISO to a USB flash drive, and compares
the ISO against the flash drive.

Then insert the USB flash drive into a USB port on the target
computer, power up and enter Setup, reset the settings to factory
defaults, enable USB booting, set the USB flash drive as the first boot
device, save, and exit.  The Debian installer should then boot.



David
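
The checks requested above (verify the checksum, then compare the ISO against the flash drive after writing) can be scripted. The following is an added example, not from anyone in this thread: the function and file names are hypothetical, and small constructed files stand in for the ISO and the flash drive so it runs without hardware.

```shell
#!/bin/sh
# Added example: checks to run on an installer image before and after writing it.
# File names are hypothetical; regular files stand in for the USB device here.

# verify_checksum ISO SUMS: compare the SHA-256 of ISO with its SHA256SUMS entry.
# Returns 0 on match, 1 on mismatch, 2 if SUMS has no entry for the file name.
verify_checksum() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# verify_written ISO DEVICE: compare only the first size-of-ISO bytes of DEVICE.
# A plain "cmp ISO DEVICE" reports a difference whenever the drive is larger
# than the image, so the read is capped at the image length. A drive that
# returns fewer bytes than the image (read errors, truncation) also fails.
verify_written() {
    iso=$1
    dev=$2
    size=$(( $(wc -c < "$iso") ))
    head -c "$size" "$dev" | cmp -s - "$iso"
}

# make_fixture DIR: build constructed test data: a tiny fake image, its
# SHA256SUMS, a larger "drive" holding a good copy, and one with a bad byte.
make_fixture() {
    dir=$1
    printf 'constructed stand-in for an installer image\n' > "$dir/debian-test.iso"
    (cd "$dir" && sha256sum debian-test.iso > SHA256SUMS)
    { cat "$dir/debian-test.iso"; printf 'stale data past the image'; } > "$dir/stick-good.img"
    { printf 'X'; tail -c +2 "$dir/stick-good.img"; } > "$dir/stick-bad.img"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
verify_checksum "$tmp/debian-test.iso" "$tmp/SHA256SUMS" && echo "checksum: ok"
verify_written "$tmp/debian-test.iso" "$tmp/stick-good.img" && echo "good drive: matches image"
verify_written "$tmp/debian-test.iso" "$tmp/stick-bad.img" || echo "bad drive: differs from image"
rm -rf "$tmp"
```

On real hardware the second argument to verify_written is the whole-disk device node, and reading it needs root. A matching SHA256SUMS entry only shows the download is intact; checking SHA256SUMS.sign with gpg is what ties the sums file to Debian's signing key.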



Re: help needed to get a bookworm install to succeed

2024-03-31 Thread David Wright
On Sun 31 Mar 2024 at 11:18:30 (+0200), DdB wrote:

> Already before assembling the hardware, grub was working from the SSD,
> which got lvm partitioning and is basically empty. As i have no working
> CD drive nor can this old machine boot from USB, i put an ISO for
> bookworm onto an lvm-LV. Using grub, i can manually boot from that ISO
> and see the first installer screens. But after asking some questions,
> the installer wants to mount the external media (ISO), and does not find
> it on sd[a-z], then aborts.
> By switching to Desktop 4, i can see the attempt to search for the
> "CD"-drive, which is bound to fail.
> I am not familiar with the very restricted shell, that is available from
> the installer (busybox) and have not yet found an approach to circumvent
> my problems. i would like to use the installer, as debootstrapping would
> necessitate a lot more knowledge than mine.

My memory of doing this is rusty, as it's a while since my
Seattle2 machine finally expired. I would try downloading the
kernel¹ and initrd from:

  http://http.us.debian.org/debian/dists/bookworm/main/installer-amd64/current/images/netboot/debian-installer/amd64/

as these can search for the ISO in a greater range of locations.
I'd copy the two files onto the hard disk, and use an entry like:

  menuentry "Install Debian via HTTP" {
    search --no-floppy --label --set=root noah03
    linux   /boot/linux priority=low
    initrd  /boot/initrd.gz
  }

in Grub to boot it. (Add a custom entry, or just edit a preexisting
entry to suit. BTW I use LABELs on my disks.) Make sure the kernel
versions are the same for those two files and the ISO.

https://www.debian.org/releases/bookworm/amd64/apas02.en.html#howto-getting-images-hard-disk
https://www.debian.org/releases/bookworm/amd64/ch05s01.en.html#boot-initrd
https://www.debian.org/releases/bookworm/amd64/ch04s04.en.html

¹ I see linux, rather than vmlinuz, at that location now.

Cheers,
David.



Re: help needed to get a bookworm install to succeed

2024-03-31 Thread Michael Kjörling
On 31 Mar 2024 11:18 +0200, from debianl...@potentially-spam.de-bruyn.de (DdB):
> As i have no working
> CD drive nor can this old machine boot from USB, i put an ISO for
> bookworm onto an lvm-LV. Using grub, i can manually boot from that ISO
> and see the first installer screens. But after asking some questions,
> the installer wants to mount the external media (ISO), and does not find
> it on sd[a-z], then aborts.

I would suggest to write the _same_ ISO file to a USB stick of
sufficient size, and leave the USB stick connected while running the
installer. The installer should detect the USB stick and use that as
the source for installation, regardless of how you booted into the
installer.

As long as both media contain the same data, this should be completely
unproblematic.

Think of it as a variation of, in the old days, booting the installer
from a floppy (on a system that couldn't boot from CD) but actually
installing from a CD.

-- 
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”



Re: help needed to get a bookworm install to succeed

2024-03-31 Thread Felix Miata
DdB composed on 2024-03-31 11:18 (UTC+0200):

> Suggestions are welcome :-)

https://www.debian.org/CD/netinst/

All my installations use this NET method. What I usually do though is extract
linux and initrd.gz from it or directly from the mirrors and load them with Grub
rather than booting the NET .iso.
-- 
Evolution as taught in public schools is, like religion,
based on faith, not based on science.

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata



Re: help needed to get a bookworm install to succeed

2024-03-31 Thread Geert Stappers
On Sun, Mar 31, 2024 at 11:18:30AM +0200, DdB wrote:
> Hello list,
> 
> i intend to create a huge backup server from some oldish hardware.
> Hardware has been partly refurbished and offers 1 SSD + 8 HDD on a 6core
> Intel with 64 GB RAM.
> Already before assembling the hardware, grub was working from the SSD,
> which got lvm partitioning and is basically empty. As i have no working
> CD drive nor can this old machine boot from USB, i put an ISO for
> bookworm onto an lvm-LV.

Not knowing how that was done, I guess disk was taken to another
computer where the lvm-LV was written.

If so:  put the (ISO)image just on the disk, not in LVM.



> Using grub, i can manually boot from that ISO
> and see the first installer screens. But after asking some questions,
> the installer wants to mount the external media (ISO), and does not find
> it on sd[a-z], then aborts.
> By switching to Desktop 4, i can see the attempt to search for the
> "CD"-drive, which is bound to fail.
> I am not familiar with the very restricted shell, that is available from
> the installer (busybox) and have not yet found an approach to circumvent
> my problems. i would like to use the installer, as debootstrapping would
> necessitate a lot more knowledge than mine.
> 
> Suggestions are welcome :-)

Original post based:
  Take bootdisk out the back server,
  take the disk to other server.
  Install there, move the disk to the back server.

What I would do:
  Network boot


> DdB
 

Groeten
Geert Stappers
-- 
Silence is hard to parse



Re: Help: network abuse

2023-12-24 Thread David Christensen

On 12/23/23 22:16, Timothy M Butterworth wrote:
> On Sat, Dec 23, 2023 at 8:58 PM David Christensen wrote:
>> I believe Debian includes packages for various intrusion detection
>> systems.  Does anyone have any comments or recommendations?
>
> Debian has SNORT and Suricata. I use Suricata. It works well and does not
> require paying the subscription for the SNORT oink account.
>
> sudo apt install suricata suricata-update
>
> You can configure Suricata via /etc/suricata/suricata.yaml. All that really
> needs configured for a basic IDS/IPS is to change the interfaces from Eth0
> to the actual interface. After that you can enable and start Suricata via
> SystemD.



Thank you.  :-)


David



Re: Help: network abuse

2023-12-23 Thread Timothy M Butterworth
On Sat, Dec 23, 2023 at 8:58 PM David Christensen 
wrote:

> On 12/23/23 01:29, Tim Woodall wrote:
> > The fact that the OP is not sending a SYN+ACK (according to the
> > tcpdumps that I saw) means that this is already blackholed.[2]
> >
> > There are three options at this point:
> > 1. Ignore it - my "EVILSYN[1]" blacklist is right at the top of my iptables
> > rules and drops without logging before anything else.
> >
> > 2. Talk to their ISP and get it blocked there - that's the only surefire
> > way to stop it eating their quota if that's the problem.
> >
> > 3. Try and make them give up - that's why I suggested sending a RST.
> >
> >
> > [1] I have a set of rules that blacklist IPs that send too many SYN
> > packets that are not responded to with SYN+ACK.
> >
> > [2] This did look weird. I'm not sure how only some connections get a
> > SYN+ACK back - I wonder if their webserver is rate-limited and these are
> > "genuine" connection attempts that are failing - although the SPT=80
> > DPT=80 looks suspiciously like something crafted to get through naive
> > stateless firewall rules that rely on outgoing (allowed) connections to
> > have DPT=80 to the internet and SPT=80 from the internet.
>
>
> Thank you for your comments and explanations.
>
>
> Your [1] and [2] make me think of fail2ban(1).  Any similarities?
>
>
> STFW I found some informative articles:
>
> https://www.cisco.com/c/en/us/support/docs/ip/ip-multicast/14760-4.html
>
> https://heimdalsecurity.com/blog/syn-flood/
>
>
> Sending a RST to a falsified IP address would make the sending host into
> an attacker by proxy.  Why do you suggest it?
>
>
> Does Debian and/or Linux support SYN cookies?
>
>
> I believe Debian includes packages for various intrusion detection
> systems.  Does anyone have any comments or recommendations?
>

Debian has SNORT and Suricata. I use Suricata. It works well and does not
require paying the subscription for the SNORT oink account.

sudo apt install suricata suricata-update

You can configure Suricata via /etc/suricata/suricata.yaml. All that really
needs configured for a basic IDS/IPS is to change the interfaces from Eth0
to the actual interface. After that you can enable and start Suricata via
SystemD.



> Analyzing and correlating iptables and httpd logs should provide a
> better understanding of legitimate traffic versus attacker traffic.  We
> would need matching excerpts from the OP to try it.
>
>
> David
>
>

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀


Re: Help: network abuse

2023-12-23 Thread David Christensen

On 12/23/23 16:15, Dan Ritter wrote:
> David Christensen wrote:
>> Does Debian and/or Linux support SYN cookies?
>
> Yes.
>
> Put
>
> net.ipv4.tcp_syncookies=1
>
> in an appropriate sysctl.d/ file.
>
> To check on current settings:
>
> sysctl -n net.ipv4.tcp_syncookies



It looks like SYN cookies are enabled by default since 
debian-11.6.0-amd64-netinst (what I installed and have since tried to 
keep up to date):


2023-12-23 18:51:24 root@taz ~
# cat /etc/debian_version ; uname -a
11.8
Linux taz 5.10.0-26-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29) x86_64 GNU/Linux


2023-12-23 18:51:57 root@taz ~
# sysctl -n net.ipv4.tcp_syncookies
1


Thank you for the incantations.  :-)


David



Re: Help: network abuse

2023-12-23 Thread Dan Ritter
David Christensen wrote: 
> Does Debian and/or Linux support SYN cookies?

Yes.

Put

net.ipv4.tcp_syncookies=1

in an appropriate sysctl.d/ file.

To check on current settings:

sysctl -n net.ipv4.tcp_syncookies



Re: Help: network abuse

2023-12-23 Thread Pocket



Sent from my iPhone

> On Dec 23, 2023, at 4:53 PM, Tim Woodall  wrote:
> 
> On Sat, 23 Dec 2023, David Christensen wrote:
>> Sending a RST to a falsified IP address would make the sending host into an 
>> attacker by proxy.  Why do you suggest it?
>> 
> Because the OP wants it to stop. And the OP is running a server on this
> port that is clearly not responding properly or we'd at least see the
> syn+ack. Perhaps it cannot keep up with the connections.
> 
> So the op needs to tell the problem clients to stop retrying.
> 
> If it's malicious traffic then there's nothing the op can do to stop it
> except get a new ip or get their ISP to drop it before it gets to them.
> 
> The op can try icmp port unreachable too. But that tells the client
> there's no server, rather than there's a tcp problem.
> 
> If it's not a bandwidth problem then the op should just ignore it.
> 
> Nobody, but nobody is going to send traffic to some random host with a
> fake source ip in the hopes someone will notice and start sending RST
> some time later to that address instead of continuing to drop it.
> 

I have a web server on my network.
I have a firewall on it that only accepts traffic from my internal network.
Therefore no one knows it exists from the outside.  That may not work for the op,
but his complaint was port 80 traffic to his personal pc.  Which should not
have a web server running on it.
You cannot do much about scans etc. but you can restrict traffic to servers
only to your internal traffic.   That was one of my points in stating his
firewall wasn't set up properly, the other is the firewall blocking icmp and
company.  I used to do that many years ago and it resulted in 1/2 connections.


Re: Help: network abuse

2023-12-23 Thread Tim Woodall

On Sat, 23 Dec 2023, David Christensen wrote:
> Sending a RST to a falsified IP address would make the sending host into an
> attacker by proxy.  Why do you suggest it?



Because the OP wants it to stop. And the OP is running a server on this
port that is clearly not responding properly or we'd at least see the
syn+ack. Perhaps it cannot keep up with the connections.

So the op needs to tell the problem clients to stop retrying.

If it's malicious traffic then there's nothing the op can do to stop it
except get a new ip or get their ISP to drop it before it gets to them.

The op can try icmp port unreachable too. But that tells the client
there's no server, rather than there's a tcp problem.

If it's not a bandwidth problem then the op should just ignore it.

Nobody, but nobody is going to send traffic to some random host with a
fake source ip in the hopes someone will notice and start sending RST
some time later to that address instead of continuing to drop it.



Re: Help: network abuse

2023-12-23 Thread David Christensen

On 12/23/23 01:29, Tim Woodall wrote:

> The fact that the OP is not sending a SYN+ACK (according to the
> tcpdumps that I saw) means that this is already blackholed.[2]
>
> There are three options at this point:
> 1. Ignore it - my "EVILSYN[1]" blacklist is right at the top of my iptables
> rules and drops without logging before anything else.
>
> 2. Talk to their ISP and get it blocked there - that's the only surefire
> way to stop it eating their quota if that's the problem.
>
> 3. Try and make them give up - that's why I suggested sending a RST.
>
>
> [1] I have a set of rules that blacklist IPs that send too many SYN
> packets that are not responded to with SYN+ACK.
>
> [2] This did look weird. I'm not sure how only some connections get a
> SYN+ACK back - I wonder if their webserver is rate-limited and these are
> "genuine" connection attempts that are failing - although the SPT=80
> DPT=80 looks suspiciously like something crafted to get through naive
> stateless firewall rules that rely on outgoing (allowed) connections to
> have DPT=80 to the internet and SPT=80 from the internet.



Thank you for your comments and explanations.


Your [1] and [2] make me think of fail2ban(1).  Any similarities?


STFW I found some informative articles:

https://www.cisco.com/c/en/us/support/docs/ip/ip-multicast/14760-4.html

https://heimdalsecurity.com/blog/syn-flood/


Sending a RST to a falsified IP address would make the sending host into 
an attacker by proxy.  Why do you suggest it?



Does Debian and/or Linux support SYN cookies?


I believe Debian includes packages for various intrusion detection 
systems.  Does anyone have any comments or recommendations?



Analyzing and correlating iptables and httpd logs should provide a 
better understanding of legitimate traffic versus attacker traffic.  We 
would need matching excerpts from the OP to try it.



David



Re: Help: network abuse

2023-12-23 Thread Tim Woodall

On Thu, 21 Dec 2023, David Christensen wrote:



> Perhaps you could set up a DMZ, move services into the DMZ,  and provide a
> VPN connection to the DMZ for your Internet users.  Then you could close all
> of the incoming WAN ports except VPN.
>
> It might be possible to put the VPN endpoint into a VPS, create an SSH tunnel
> out from the httpd server to the VPS, and close all of the WAN incoming
> ports.




If the OP is worried about the bandwidth usage then none of that will
help. The fact that the OP is not sending a SYN+ACK (according to the
tcpdumps that I saw) means that this is already blackholed.[2]

There are three options at this point:
1. Ignore it - my "EVILSYN[1]" blacklist is right at the top of my iptables
rules and drops without logging before anything else.

2. Talk to their ISP and get it blocked there - that's the only surefire
way to stop it eating their quota if that's the problem.

3. Try and make them give up - that's why I suggested sending a RST.


[1] I have a set of rules that blacklist IPs that send too many SYN
packets that are not responded to with SYN+ACK.

[2] This did look weird. I'm not sure how only some connections get a
SYN+ACK back - I wonder if their webserver is rate-limited and these are
"genuine" connection attempts that are failing - although the SPT=80
DPT=80 looks suspiciously like something crafted to get through naive
stateless firewall rules that rely on outgoing (allowed) connections to
have DPT=80 to the internet and SPT=80 from the internet.
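
The check described in footnote [1] above (sources whose SYNs are never answered with SYN+ACK) and the source-port observation in [2] can be run over `tcpdump -n` text like the captures quoted in this thread. This is an added example, not code from any poster: the function names, the threshold, and the capture (documentation address ranges) are constructed assumptions, and a SYN counts as answered when a SYN+ACK carries ack = seq + 1.

```python
import re
from collections import defaultdict

# Start of a "tcpdump -n" packet record, as in the captures quoted in the thread.
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?"
)
# Source ports a real client would not normally use (the SPT=80/443 pattern).
SERVICE_PORTS = {80, 443}

# Constructed sample: one record is mail-wrapped, one carries a "> " quote marker.
SAMPLE = """\
12:00:00.000100 IP 198.51.100.7.80 > 192.0.2.10.80: Flags [S], seq
1000, win 51894, options [mss 1401,sackOK,TS val 1 ecr 0,nop,wscale
7], length 0
12:00:00.000200 IP 198.51.100.7.80 > 192.0.2.10.80: Flags [S], seq 2000, win 51894, length 0
12:00:00.000300 IP 198.51.100.7.80 > 192.0.2.10.80: Flags [S], seq 3000, win 51894, length 0
> 12:00:00.000400 IP 198.51.100.7.443 > 192.0.2.10.80: Flags [S], seq 4000, win 51894, length 0
12:00:00.000500 IP 192.0.2.10.80 > 198.51.100.7.80: Flags [S.], seq 9000, ack 2001, win 65160, length 0
12:00:01.000000 IP 203.0.113.9.51514 > 192.0.2.10.80: Flags [S], seq 5000, win 64240, length 0
12:00:01.000100 IP 192.0.2.10.80 > 203.0.113.9.51514: Flags [S.], seq 9100, ack 5001, win 65160, length 0
"""


def unwrap(text):
    """Rejoin records a mail client wrapped, dropping any '>' quote markers."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)          # a new packet record starts here
        else:
            records[-1] += " " + line     # continuation of the previous record
    return records


def parse(text):
    """Return one dict per TCP record; unparseable records are skipped."""
    packets = []
    for record in unwrap(text):
        m = PKT_RE.match(record)
        if not m:
            continue
        pkt = m.groupdict()
        for key in ("sport", "dport", "seq", "ack"):
            pkt[key] = int(pkt[key]) if pkt[key] is not None else None
        packets.append(pkt)
    return packets


def unanswered_syns(text, local_ip, threshold=3):
    """Report remote IPs with at least `threshold` SYNs we never SYN+ACKed."""
    packets = parse(text)
    # Every SYN+ACK we sent acknowledges (remote ip, remote port, seq = ack - 1).
    answered = {
        (p["dst"], p["dport"], (p["ack"] - 1) % 2**32)
        for p in packets
        if p["src"] == local_ip and p["flags"] == "S." and p["ack"] is not None
    }
    stats = defaultdict(lambda: {"syn": 0, "unanswered": 0, "sports": set()})
    for p in packets:
        if p["dst"] != local_ip or p["flags"] != "S":
            continue                      # only bare inbound SYNs are counted
        entry = stats[p["src"]]
        entry["syn"] += 1
        entry["sports"].add(p["sport"])
        if (p["src"], p["sport"], p["seq"]) not in answered:
            entry["unanswered"] += 1
    return {
        ip: {
            "syn": e["syn"],
            "unanswered": e["unanswered"],
            # True when every SYN came from port 80/443 rather than an ephemeral port
            "service_sport_only": e["sports"] <= SERVICE_PORTS,
        }
        for ip, e in stats.items()
        if e["unanswered"] >= threshold
    }


if __name__ == "__main__":
    for ip, info in unanswered_syns(SAMPLE, "192.0.2.10").items():
        print(ip, info)
```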



Re: Help: network abuse

2023-12-21 Thread David Christensen

On 12/21/23 04:00, Alain D D Williams wrote:

> My home PC is receiving, for hours at a time, 12-30 kB/s input traffic. This is
> unsolicited. I do not know what it is trying to achieve but suspect no good. It
> is also eating my broadband allowance.
>
> This does not show up in the Apache log files - the TCP connection does not
> succeed.
>
> Sometimes my machine does send a packet in reply, there are 2 examples at the
> foot of this email.
>
> Questions:
>
> • What is going on ?
>
> • What can I do about it ?
>    I do manually add some of the IPs to the f2b chain which will stop replies
>    but that is about it.
>
> My ISP refuses to do anything about it - I admit that I cannot see what they
> could do, maybe filter packets with a source port of 80 or 443.
>
> I also get attempts to break into ssh (port 22) - I am not worried about that.
>
> I append a few lines of output of "tcpdump -n -i enp3s0" done today.
> 192.168.108.2 is the address of my desktop PC.
>
> The connecting IPs below all belong to Amazon but this changes with time, China
> is another common source of similar packets.
>
> 11:08:56.354303 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 19070976, win 51894, options [mss 1401,sackOK,TS val 1182532729 ecr 0,nop,wscale 7], length 0
> 11:08:56.354700 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 3665362944, win 51894, options [mss 1402,sackOK,TS val 4179952761 ecr 0,nop,wscale 7], length 0
> 11:08:56.360527 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 479395840, win 51894, options [mss 1412,sackOK,TS val 3391683448 ecr 0,nop,wscale 7], length 0
> 11:08:56.360696 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 1622147072, win 51894, options [mss 1410,sackOK,TS val 2887711608 ecr 0,nop,wscale 7], length 0
> 11:08:56.360950 IP 54.184.78.87.80 > 192.168.108.2.80: Flags [S], seq 3168796672, win 51894, options [mss 1404,sackOK,TS val 535364985 ecr 0,nop,wscale 7], length 0
> 11:08:56.364565 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 132317184, win 51894, options [mss 1407,sackOK,TS val 2350122105 ecr 0,nop,wscale 7], length 0
> 11:08:56.364708 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 1098776576, win 51894, options [mss 1405,sackOK,TS val 3426157689 ecr 0,nop,wscale 7], length 0
> 11:08:56.367975 IP 13.231.232.88.80 > 192.168.108.2.80: Flags [S], seq 3272540160, win 51894, options [mss 1413,sackOK,TS val 979961209 ecr 0,nop,wscale 7], length 0
>
> 2 days ago a similar capture. Note that the source port is 443 not 80:
>
> 09:47:31.416452 IP 5.45.73.147.443 > 192.168.108.2.80: Flags [S], seq 2724200448, win 51894, options [mss 1401,sackOK,TS val 862439534 ecr 0,nop,wscale 7], length 0
> 09:47:31.417861 IP 27.124.10.200.443 > 192.168.108.2.80: Flags [S], seq 925237248, win 51894, options [mss 1407,sackOK,TS val 756418658 ecr 0,nop,wscale 7], length 0
> 09:47:31.440892 IP 27.124.10.197.443 > 192.168.108.2.80: Flags [S], seq 3474063360, win 51894, options [mss 1404,sackOK,TS val 3970828642 ecr 0,nop,wscale 7], length 0
> 09:47:31.449393 IP 27.124.10.200.443 > 192.168.108.2.80: Flags [S], seq 2844721152, win 51894, options [mss 1407,sackOK,TS val 1831471202 ecr 0,nop,wscale 7], length 0
> 09:47:31.451430 IP 154.39.104.67.443 > 192.168.108.2.80: Flags [S], seq 2336358400, win 51894, options [mss 1415,sackOK,TS val 395513698 ecr 0,nop,wscale 7], length 0
> 09:47:31.451610 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 808976384, win 51894, options [mss 1414,sackOK,TS val 1960250978 ecr 0,nop,wscale 7], length 0
> 09:47:31.453372 IP 143.92.60.30.443 > 192.168.108.2.80: Flags [S], seq 3177512960, win 51894, options [mss 1408,sackOK,TS val 4033677410 ecr 0,nop,wscale 7], length 0
> 09:47:31.456937 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 1042087936, win 51894, options [mss 1415,sackOK,TS val 2011106914 ecr 0,nop,wscale 7], length 0
> 09:47:31.461961 IP 27.124.10.226.443 > 192.168.108.2.80: Flags [S], seq 3200516096, win 51894, options [mss 1403,sackOK,TS val 2314013026 ecr 0,nop,wscale 7], length 0
>
> Examples where my machine sends a reply:
>
> 09:47:31.658790 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 612564992, win 51894, options [mss 1415,sackOK,TS val 2011106914 ecr 0,nop,wscale 7], length 0
> 09:47:31.659442 IP 192.168.108.2.80 > 154.39.104.67.443: Flags [S.], seq 3770299450, ack 1858732033, win 65160, options [mss 1460,sackOK,TS val 164888251 ecr 395513698,nop,wscale 7], length 0
>
> 09:47:31.756220 IP 5.45.73.147.443 > 192.168.108.2.80: Flags [S], seq 2992898048, win 51894, options [mss 1401,sackOK,TS val 862439534 ecr 0,nop,wscale 7], length 0
> 09:47:31.756272 IP 192.168.108.2.80 > 5.45.73.147.443: Flags [.], ack 1226309633, win 509, options [nop,nop,TS val 2085784149 ecr 994101358], length 0



On 12/21/23 05:10, Alain D D Williams wrote:
> ... I do run a web server at home, but there is only a little/personal
> stuff, it does not receive much real traffic, I do not want it to.
> Most of my web presence is hosted elsewhere.


On 12/21/23 06:58, Alain D D

Re: Help: network abuse

2023-12-21 Thread gene heskett

On 12/21/23 07:45, Tim Woodall wrote:

> On Thu, 21 Dec 2023, Alain D D Williams wrote:
>> My home PC is receiving, for hours at a time, 12-30 kB/s input traffic. This is
>> unsolicited. I do not know what it is trying to achieve but suspect no good. It
>> is also eating my broadband allowance.
>>
>> This does not show up in the Apache log files - the TCP connection does not
>> succeed.
>>
>> Sometimes my machine does send a packet in reply, there are 2 examples at the
>> foot of this email.
>>
>> Questions:
>>
>> • What is going on ?
>>
>> • What can I do about it ?
>>    I do manually add some of the IPs to the f2b chain which will stop replies
>>    but that is about it.
>>
>> My ISP refuses to do anything about it - I admit that I cannot see what they
>> could do, maybe filter packets with a source port of 80 or 443.
>>
>> I also get attempts to break into ssh (port 22) - I am not worried about that.
>>
>> I append a few lines of output of "tcpdump -n -i enp3s0" done today.
>> 192.168.108.2 is the address of my desktop PC.
>>
>> The connecting IPs below all belong to Amazon but this changes with time, China
>> is another common source of similar packets.



>> 2 days ago a similar capture. Note that the source port is 443 not 80:



>> Examples where my machine sends a reply:




> You can try sending RST. That might make them give up.
>
> There is not much else you can do.
>
> I sometimes do a whois on a persistent offender and blacklist the entire
> network. But I don't know if they stop as th

Re: Help: network abuse

2023-12-21 Thread debian-user
Alain D D Williams  wrote:
> On Thu, Dec 21, 2023 at 10:11:08AM -0500, Pocket wrote:
> 
> > Use a firewall and set it up correctly.  
> 
> That I have done.
> 
> The issue is broadband usage - ie before it hits the firewall.

IIUC you have a residential system with an ISP connection with a
download limit, and on that you are running a web server that you want
to expose so some of your contacts can access it.

You are concerned by scans run by potentially hostile actors against
your server. Particularly by the volume of data they send.

Is that correct?

As long as you have a web server exposed, you cannot stop anybody and
everybody sending packets to it, for good purposes or foul. You can
cause your outermost firewall to drop packets, either from a blacklist
of disallowed addresses or from all hosts except those on an allowed
whitelist of hosts. That should reduce the traffic you see
significantly.

You should in any case instruct your firewall to drop all incoming
packets on all ports except those you specifically need.

Alternatively, you can change your ISP to one that offers unlimited
service. I am happy with Zen, and would be happy to switch to Andrews &
Arnold if I needed to.



Re: Help: network abuse

2023-12-21 Thread Peter Hillier-Brook

On 21/12/2023 15:11, Pocket wrote:

> On 12/21/23 09:58, Alain D D Williams wrote:

[cut]

> Use a firewall and set it up correctly.
>
> Assuming a residential environment.
>
> Firewall the router and server(s) as well as all the client machines.
>
> I have nginx, dovecot and exim4 and other daemons running on my network
> servers.
>
> Most, (includes many of the ones here) don't have a firewall properly
> configured. Nor do they understand how to properly configure a firewall.
>
> You will still get scanned but there is little you can do about that.

Are you still here? I thought that you had exited in a sulk because some 
of us on this list were fed up with your trolling.


You're black listed on my systems so don't bother responding.

Peter HB



Re: Help: network abuse

2023-12-21 Thread Pocket



On 12/21/23 13:04, Alain D D Williams wrote:

> On Thu, Dec 21, 2023 at 11:39:40AM -0500, Pocket wrote:
>> On 12/21/23 10:50, Alain D D Williams wrote:
>>> It is NOT a firewall issue.
>>
>> If I am correct you don't want any thing from the outside to hit your web
>> server?
>
> The words "web server" is ambiguous. It can mean my machine, ie can mean the
> Apache process. The packets are hitting the machine (evidence tcpdump) but not
> the process (as the TCP startup does not complete).
>
>> If so your firewall is not configured correctly.
>
> You have failed to understand what is happening.

Well yes, I guess so, that is why I don't have the issue you do and I
don't have any unwanted traffic on my network to any system.

> I shall stop after this.


--
Hindi madali ang maging ako



Re: Help: network abuse

2023-12-21 Thread Alain D D Williams
On Thu, Dec 21, 2023 at 11:39:40AM -0500, Pocket wrote:
> 
> On 12/21/23 10:50, Alain D D Williams wrote:
> > It is NOT a firewall issue.
> 
> 
> If I am correct you don't want any thing from the outside to hit your web
> server?

The words "web server" is ambiguous. It can mean my machine, ie can mean the
Apache process. The packets are hitting the machine (evidence tcpdump) but not
the process (as the TCP startup does not complete).

> If so your firewall is not configured correctly.

You have failed to understand what is happening.

I shall stop after this.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers. Registration Information: 
https://www.phcomp.co.uk/Contact.html



Re: Help: network abuse

2023-12-21 Thread Pocket



On 12/21/23 10:50, Alain D D Williams wrote:

> On Thu, Dec 21, 2023 at 10:31:06AM -0500, Pocket wrote:
>
>> All you should be seeing is scans which you can not prevent.
>
> I am looking at incoming packets with tcpdump. This sees packets *before* they
> are filtered by iptables.
>
>> What are you using for a firewall?
>
> Something hand rolled. Reasonably complicated (over 300 rules) as it deals
> with: internet, VPN, DMZ, internal network for virtual machines.
>
> It is NOT a firewall issue.

If I am correct you don't want any thing from the outside to hit your
web server?

If so your firewall is not configured correctly.

>> It is my belief that your firewall is NOT setup correctly and that is why
>> you are seeing the traffic.
>
> My firewall *cannot* deal with packets before they hit my machine. They only
> hit my machine after they have arrived over broadband.
>
> The only thing that I might be able to do is to somehow prevent discovery that my
> machine is listening on port 80 -- that would mean somehow distinguishing
> between a genuine visitor and one that is mapping the Internet to later pass
> that map somewhere else which generates the unwanted traffic that I see.

Which points to your firewall not being correct.

>> Amazon AWS system. should not be able to hit your http server, unless you
>> want it to.
>
> How do I distinguish between wanted & unwanted connections. The only thing that
> I can think of is to DROP incoming packets if the source port is 80 or 443 -
> which would disrupt the mapping process.
>
> However: if the mapping process uses normal TCP (ie high/random port number)
> this would do little.

What mapping process?


--
Hindi madali ang maging ako



Re: Help: network abuse

2023-12-21 Thread Jeffrey Walton
On Thu, Dec 21, 2023 at 10:51 AM Alain D D Williams  wrote:
>
> On Thu, Dec 21, 2023 at 10:31:06AM -0500, Pocket wrote:
> [...]
> > Amazon AWS system. should not be able to hit your http server, unless you
> > want it to.
>
> How do I distinguish between wanted & unwanted connections. The only thing that
> I can think of is to DROP incoming packets if the source port is 80 or 443 -
> which would disrupt the mapping process.
>
> However: if the mapping process uses normal TCP (ie high/random port number)
> this would do little.

You may be able to use

to generate a blacklist.

On machines under my purview, I find Amazon is fairly well behaved.
Microsoft/Sharepoint/Teams, Digital Ocean, China, and other European
country netblocks are much more misbehaving.

Jeff



Re: Help: network abuse

2023-12-21 Thread Alain D D Williams
On Thu, Dec 21, 2023 at 10:31:06AM -0500, Pocket wrote:

> All you should be seeing is scans which you can not prevent.

I am looking at incoming packets with tcpdump. This sees packets *before* they
are filtered by iptables.

> What are you using for a firewall?

Something hand rolled. Reasonably complicated (over 300 rules) as it deals
with: internet, VPN, DMZ, internal network for virtual machines.

It is NOT a firewall issue.

> It is my belief that your firewall is NOT setup correctly and that is why
> you are seeing the traffic.

My firewall *cannot* deal with packets before they hit my machine. They only
hit my machine after they have arrived over broadband.

The only thing that I might be able to do is to somehow prevent discovery that my
machine is listening on port 80 -- that would mean somehow distinguishing
between a genuine visitor and one that is mapping the Internet to later pass
that map somewhere else which generates the unwanted traffic that I see.

> Amazon AWS system. should not be able to hit your http server, unless you
> want it to.

How do I distinguish between wanted & unwanted connections. The only thing that
I can think of is to DROP incoming packets if the source port is 80 or 443 -
which would disrupt the mapping process.

However: if the mapping process uses normal TCP (ie high/random port number)
this would do little.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT 
Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers. Registration Information: 
https://www.phcomp.co.uk/Contact.html



Re: Help: network abuse

2023-12-21 Thread Pocket


On 12/21/23 10:24, Alain D D Williams wrote:

> On Thu, Dec 21, 2023 at 10:11:08AM -0500, Pocket wrote:
>
>> Use a firewall and set it up correctly.
>
> That I have done.
>
> The issue is broadband usage - ie before it hits the firewall.

All you should be seeing is scans which you can not prevent.

What are you using for a firewall?

Show your firewall setup

It is my belief that your firewall is NOT setup correctly and that is
why you are seeing the traffic.

Amazon AWS system. should not be able to hit your http server, unless
you want it to.

>> Assuming a residential environment.
>>
>> Firewall the router and server(s) as well as all the client machines.
>>
>> I have nginx, dovecot and exim4 and other daemons running on my network
>> servers.
>>
>> Most, (includes many of the ones here) don't have a firewall properly
>> configured. Nor do they understand how to properly configure a firewall.
>>
>> You will still get scanned but there is little you can do about that.
>>
>> --
>>
>> Hindi madali ang maging ako


--
Hindi madali ang maging ako


Re: Help: network abuse

2023-12-21 Thread Alain D D Williams
On Thu, Dec 21, 2023 at 10:11:08AM -0500, Pocket wrote:

> Use a firewall and set it up correctly.

That I have done.

The issue is broadband usage - ie before it hits the firewall.

> Assuming a residential environment.
> 
> Firewall the router and server(s) as well as all the client machines.
> 
> I have nginx, dovecot and exim4 and other daemons running on my network
> servers.
> 
> Most, (includes many of the ones here) don't have a firewall properly
> configured. Nor do they understand how to properly configure a firewall.
> 
> You will still get scanned but there is little you can do about that.
> 
> -- 
> 
> Hindi madali ang maging ako
> 

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers. Registration Information: https://www.phcomp.co.uk/Contact.html



Re: Help: network abuse

2023-12-21 Thread Pocket

On 12/21/23 09:58, Alain D D Williams wrote:
> On Thu, Dec 21, 2023 at 01:39:53PM +, Andy Smith wrote:
>
>> Okay well 30KiB/s is only about 78GiB/month which isn't really a
>> lot. I think we're both in UK and it's been hard to find a domestic
>> Internet connection that you'd run a web server on that can't cope
>> with 78G/mo. So ignoring it seems okay.
>
> I have been with my ISP for 14 years (moved to get IPv6), for various reasons I
> cannot change to a tariff that will give me anything like that (their support
> has also fallen through the floor) - I need to change (& the landline) and then
> I prolly would not care. Andrews & Arnold and Zen seem recommended.
>
>> You say these never complete a TCP handshake even though you do run
>> Apache on port 80? If so, it does make me wonder what they are
>> trying to do.
>
> They might be trying to hijack an existing TCP connection or, even simpler,
> cause my machine problems by having many, many 1/2 set up TCP connections
> (which uses memory until they expire).

Use a firewall and set it up correctly.

Assuming a residential environment.

Firewall the router and server(s) as well as all the client machines.

I have nginx, dovecot and exim4 and other daemons running on my network
servers.

Most, (includes many of the ones here) don't have a firewall properly
configured. Nor do they understand how to properly configure a firewall.

You will still get scanned but there is little you can do about that.

--

Hindi madali ang maging ako



Re: Help: network abuse

2023-12-21 Thread Alain D D Williams
On Thu, Dec 21, 2023 at 01:39:53PM +, Andy Smith wrote:

> Okay well 30KiB/s is only about 78GiB/month which isn't really a
> lot. I think we're both in UK and it's been hard to find a domestic
> Internet connection that you'd run a web server on that can't cope
> with 78G/mo. So ignoring it seems okay.

I have been with my ISP for 14 years (moved to get IPv6), for various reasons I
cannot change to a tariff that will give me anything like that (their support
has also fallen through the floor) - I need to change (& the landline) and then
I prolly would not care. Andrews & Arnold and Zen seem recommended.

> You say these never complete a TCP handshake even though you do run
> Apache on port 80? If so, it does make me wonder what they are
> trying to do.

They might be trying to hijack an existing TCP connection or, even simpler,
cause my machine problems by having many, many 1/2 set up TCP connections
(which uses memory until they expire).

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers. Registration Information: https://www.phcomp.co.uk/Contact.html



Re: Help: network abuse

2023-12-21 Thread tomas
On Thu, Dec 21, 2023 at 12:44:33PM +, Tim Woodall wrote:
> On Thu, 21 Dec 2023, Alain D D Williams wrote:

[...]

> You can try sending RST. That might make them give up.

And then, there's tarpit [1]. But then I'd make double-sure you aren't
hurting legitimate traffic.

Cheers

[1] https://manpages.debian.org/bullseye/firehol-doc/firehol-tarpit.5.en.html
-- 
t




Re: Help: network abuse

2023-12-21 Thread Michel Verdier
On 2023-12-21, Alain D D Williams wrote:

> Yes: I do run a web server at home, but there is only a little/personal stuff,
> it does not receive much real traffic, I do not want it to. Most of my web
> presence is hosted elsewhere.

If you open a port (80 or something else), not on your server but on your
ISP, you will receive traffic from spammers/hackers and enterprises
scanning the internet to tell you about your security breaches. Even if you
block the traffic on your server, your ISP will transmit and count
it. You can do nothing about that except change your ISP for one that does not
limit your upload.



Re: Help: network abuse

2023-12-21 Thread Andy Smith
Hello,

On Thu, Dec 21, 2023 at 01:10:59PM +, Alain D D Williams wrote:
> Yes: I do run a web server at home, but there is only a little/personal stuff,
> it does not receive much real traffic, I do not want it to. Most of my web
> presence is hosted elsewhere.

Okay well 30KiB/s is only about 78GiB/month which isn't really a
lot. I think we're both in UK and it's been hard to find a domestic
Internet connection that you'd run a web server on that can't cope
with 78G/mo. So ignoring it seems okay.

You say these never complete a TCP handshake even though you do run
Apache on port 80? If so, it does make me wonder what they are
trying to do. I mean, I don't find surprising a constant stream of
connections to port 80 looking for typical exploitable scripts, but
if they don't even complete the TCP connection then that's a bit
strange.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Help: network abuse

2023-12-21 Thread Alain D D Williams
On Thu, Dec 21, 2023 at 07:50:42AM -0500, Greg Wooledge wrote:

> If your home Internet service has an "allowance", you probably shouldn't
> run a web server on it.

Yes: I do run a web server at home, but there is only a little/personal stuff,
it does not receive much real traffic, I do not want it to. Most of my web
presence is hosted elsewhere.

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers. Registration Information: https://www.phcomp.co.uk/Contact.html



Re: Help: network abuse

2023-12-21 Thread Greg Wooledge
On Thu, Dec 21, 2023 at 12:00:55PM +, Alain D D Williams wrote:
> My home PC is receiving, for hours at a time, 12-30 kB/s input traffic. This is
> unsolicited. I do not know what it is trying to achieve but suspect no good. It
> is also eating my broadband allowance.

> 11:08:56.354303 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 19070976, win 51894, options [mss 1401,sackOK,TS val 1182532729 ecr 0,nop,wscale 7], length 0

34.217.144.104 appears to be an Amazon AWS system.

> 11:08:56.360527 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 479395840, win 51894, options [mss 1412,sackOK,TS val 3391683448 ecr 0,nop,wscale 7], length 0

As does 52.195.179.12.

> 11:08:56.367975 IP 13.231.232.88.80 > 192.168.108.2.80: Flags [S], seq 3272540160, win 51894, options [mss 1413,sackOK,TS val 979961209 ecr 0,nop,wscale 7], length 0

Same for 13.231.232.88.

I'm not 100% sure how to read these logs, but it looks like you're
running a web server on your local system...?  I see .80 after your
internal IP address, which I'm assuming means you have a service running
on port 80, which is normally HTTP.

If your home Internet service has an "allowance", you probably shouldn't
run a web server on it.  If your web site becomes popular all of a sudden
(these things happen -- one link posted in the right place can drive a ton
of traffic to you with no warning), your "allowance" could be completely
exhausted in a day.

You really should consider moving this web service to a provider with no
bandwidth limits.  There are many available, and they're cheap.
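
One way to read captures like the ones quoted in this thread, as an added example that is not part of any poster's message: it parses `tcpdump -n` lines, separates bare SYNs arriving from a well-known source port (ordinary clients connect from an ephemeral high port) from normal client SYNs, and estimates the burst rate. The first nine sample lines are copied from the thread; the tenth line, the `< 1024` cut-off and the 60-byte packet size are assumptions of this example.

```python
import re
from collections import Counter

LOCAL_IP = "192.168.108.2"
# Assumption: 20-byte IP header + 20-byte TCP header + 20 bytes of options
# (mss 4, sackOK 2, TS 10, nop 1, wscale 3), link-layer framing not counted.
SYN_BYTES = 60

# Lines 1-9 are copied from the thread (re-joined onto one line each).
# Line 10 is constructed: an ordinary client SYN from an ephemeral port.
SAMPLE = """\
11:08:56.354303 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 19070976, win 51894, options [mss 1401,sackOK,TS val 1182532729 ecr 0,nop,wscale 7], length 0
11:08:56.354700 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 3665362944, win 51894, options [mss 1402,sackOK,TS val 4179952761 ecr 0,nop,wscale 7], length 0
11:08:56.360527 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 479395840, win 51894, options [mss 1412,sackOK,TS val 3391683448 ecr 0,nop,wscale 7], length 0
11:08:56.360696 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 1622147072, win 51894, options [mss 1410,sackOK,TS val 2887711608 ecr 0,nop,wscale 7], length 0
11:08:56.360950 IP 54.184.78.87.80 > 192.168.108.2.80: Flags [S], seq 3168796672, win 51894, options [mss 1404,sackOK,TS val 535364985 ecr 0,nop,wscale 7], length 0
11:08:56.364565 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 132317184, win 51894, options [mss 1407,sackOK,TS val 2350122105 ecr 0,nop,wscale 7], length 0
11:08:56.364708 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 1098776576, win 51894, options [mss 1405,sackOK,TS val 3426157689 ecr 0,nop,wscale 7], length 0
11:08:56.367975 IP 13.231.232.88.80 > 192.168.108.2.80: Flags [S], seq 3272540160, win 51894, options [mss 1413,sackOK,TS val 979961209 ecr 0,nop,wscale 7], length 0
09:47:31.659442 IP 192.168.108.2.80 > 154.39.104.67.443: Flags [S.], seq 3770299450, ack 1858732033, win 65160, options [mss 1460,sackOK,TS val 164888251 ecr 395513698,nop,wscale 7], length 0
10:00:00.000001 IP 198.51.100.7.51514 > 192.168.108.2.80: Flags [S], seq 1, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse(text):
    """Yield one dict per IPv4 TCP line of `tcpdump -n` output; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
            yield pkt


def classify(pkt, local_ip):
    """Label a packet by direction, flags and the kind of source port."""
    if pkt["dst"] == local_ip and pkt["flags"] == "S":
        if pkt["sport"] < 1024:
            return "syn-from-service-port"   # not what a client stack picks
        return "syn-from-client-port"
    if pkt["src"] == local_ip and pkt["flags"] == "S.":
        return "synack-sent"                 # our side answered a SYN
    return "other"


def summarize(text, local_ip):
    """Count packets per class and flagged SYNs per (source IP, source port)."""
    kinds, flagged = Counter(), Counter()
    for pkt in parse(text):
        kind = classify(pkt, local_ip)
        kinds[kind] += 1
        if kind == "syn-from-service-port":
            flagged[(pkt["src"], pkt["sport"])] += 1
    return kinds, flagged


def to_seconds(ts):
    hours, minutes, seconds = ts.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def burst_rate(text, local_ip):
    """Return (packets/s, approx. bytes/s) of flagged SYNs over their time span."""
    times = [to_seconds(p["ts"]) for p in parse(text)
             if classify(p, local_ip) == "syn-from-service-port"]
    span = max(times) - min(times) if len(times) > 1 else 0.0
    if span <= 0:
        return 0.0, 0.0
    pps = len(times) / span
    return pps, pps * SYN_BYTES


if __name__ == "__main__":
    kinds, flagged = summarize(SAMPLE, LOCAL_IP)
    print(dict(kinds))
    for (src, sport), count in flagged.most_common():
        print(f"{src} source port {sport}: {count} SYN(s)")
    print("burst: %.0f pkt/s, about %.0f bytes/s" % burst_rate(SAMPLE, LOCAL_IP))
```

The rate is a burst figure over the few milliseconds the sample covers, so it only shows the order of magnitude of the inbound load.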



Re: Help: network abuse

2023-12-21 Thread Dan Purgert
On Dec 21, 2023, Alain D D Williams wrote:
> My home PC is receiving, for hours at a time, 12-30 kB/s input
> traffic. This is unsolicited. I do not know what it is trying to
> achieve but suspect no good. It is also eating my broadband
> allowance.
> 
> Questions:
> 
> • What is going on ?

Looks like bots.

> 
> • What can I do about it ?
 

Dropping the entirety of Asia/Africa has helped my logs (though, my ISP
doesn't track usage; and I imagine if they did, it wouldn't actually
HELP anything there, since the traffic already made it to me).  If it's
a reputable hosting company, contacting their abuse department may
possibly help them kill the account(s) running the bots.

-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860




Re: Help: network abuse

2023-12-21 Thread Tim Woodall

On Thu, 21 Dec 2023, Alain D D Williams wrote:

> My home PC is receiving, for hours at a time, 12-30 kB/s input traffic. This is
> unsolicited. I do not know what it is trying to achieve but suspect no good. It
> is also eating my broadband allowance.
>
> This does not show up in the Apache log files - the TCP connection does not succeed.
>
> Sometimes my machine does send a packet in reply, there are 2 examples at the
> foot of this email.
>
> Questions:
>
> • What is going on ?
>
> • What can I do about it ?
>  I do manually add some of the IPs to the f2b chain which will stop replies
>  but that is about it.
>
> My ISP refuses to do anything about it - I admit that I cannot see what they
> could do, maybe filter packets with a source port of 80 or 443.
>
> I also get attempts to break into ssh (port 22) - I am not worried about that.
>
> I append a few lines of output of "tcpdump -n -i enp3s0" done today.
> 192.168.108.2 is the address of my desktop PC.
>
> The connecting IPs below all belong to Amazon but this changes with time, China
> is another common source of similar packets.
>
> 11:08:56.354303 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 19070976, win 51894, options [mss 1401,sackOK,TS val 1182532729 ecr 0,nop,wscale 7], length 0
> 11:08:56.354700 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 3665362944, win 51894, options [mss 1402,sackOK,TS val 4179952761 ecr 0,nop,wscale 7], length 0
> 11:08:56.360527 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 479395840, win 51894, options [mss 1412,sackOK,TS val 3391683448 ecr 0,nop,wscale 7], length 0
> 11:08:56.360696 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 1622147072, win 51894, options [mss 1410,sackOK,TS val 2887711608 ecr 0,nop,wscale 7], length 0
> 11:08:56.360950 IP 54.184.78.87.80 > 192.168.108.2.80: Flags [S], seq 3168796672, win 51894, options [mss 1404,sackOK,TS val 535364985 ecr 0,nop,wscale 7], length 0
> 11:08:56.364565 IP 52.195.179.12.80 > 192.168.108.2.80: Flags [S], seq 132317184, win 51894, options [mss 1407,sackOK,TS val 2350122105 ecr 0,nop,wscale 7], length 0
> 11:08:56.364708 IP 34.217.144.104.80 > 192.168.108.2.80: Flags [S], seq 1098776576, win 51894, options [mss 1405,sackOK,TS val 3426157689 ecr 0,nop,wscale 7], length 0
> 11:08:56.367975 IP 13.231.232.88.80 > 192.168.108.2.80: Flags [S], seq 3272540160, win 51894, options [mss 1413,sackOK,TS val 979961209 ecr 0,nop,wscale 7], length 0
>
> 2 days ago a similar capture. Note that the source port is 443 not 80:
>
> 09:47:31.416452 IP 5.45.73.147.443 > 192.168.108.2.80: Flags [S], seq 2724200448, win 51894, options [mss 1401,sackOK,TS val 862439534 ecr 0,nop,wscale 7], length 0
> 09:47:31.417861 IP 27.124.10.200.443 > 192.168.108.2.80: Flags [S], seq 925237248, win 51894, options [mss 1407,sackOK,TS val 756418658 ecr 0,nop,wscale 7], length 0
> 09:47:31.440892 IP 27.124.10.197.443 > 192.168.108.2.80: Flags [S], seq 3474063360, win 51894, options [mss 1404,sackOK,TS val 3970828642 ecr 0,nop,wscale 7], length 0
> 09:47:31.449393 IP 27.124.10.200.443 > 192.168.108.2.80: Flags [S], seq 2844721152, win 51894, options [mss 1407,sackOK,TS val 1831471202 ecr 0,nop,wscale 7], length 0
> 09:47:31.451430 IP 154.39.104.67.443 > 192.168.108.2.80: Flags [S], seq 2336358400, win 51894, options [mss 1415,sackOK,TS val 395513698 ecr 0,nop,wscale 7], length 0
> 09:47:31.451610 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 808976384, win 51894, options [mss 1414,sackOK,TS val 1960250978 ecr 0,nop,wscale 7], length 0
> 09:47:31.453372 IP 143.92.60.30.443 > 192.168.108.2.80: Flags [S], seq 3177512960, win 51894, options [mss 1408,sackOK,TS val 4033677410 ecr 0,nop,wscale 7], length 0
> 09:47:31.456937 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 1042087936, win 51894, options [mss 1415,sackOK,TS val 2011106914 ecr 0,nop,wscale 7], length 0
> 09:47:31.461961 IP 27.124.10.226.443 > 192.168.108.2.80: Flags [S], seq 3200516096, win 51894, options [mss 1403,sackOK,TS val 2314013026 ecr 0,nop,wscale 7], length 0
>
> Examples where my machine sends a reply:
>
> 09:47:31.658790 IP 27.124.10.225.443 > 192.168.108.2.80: Flags [S], seq 612564992, win 51894, options [mss 1415,sackOK,TS val 2011106914 ecr 0,nop,wscale 7], length 0
> 09:47:31.659442 IP 192.168.108.2.80 > 154.39.104.67.443: Flags [S.], seq 3770299450, ack 1858732033, win 65160, options [mss 1460,sackOK,TS val 164888251 ecr 395513698,nop,wscale 7], length 0
>
> 09:47:31.756220 IP 5.45.73.147.443 > 192.168.108.2.80: Flags [S], seq 2992898048, win 51894, options [mss 1401,sackOK,TS val 862439534 ecr 0,nop,wscale 7], length 0
> 09:47:31.756272 IP 192.168.108.2.80 > 5.45.73.147.443: Flags [.], ack 1226309633, win 509, options [nop,nop,TS val 2085784149 ecr 994101358], length 0


You can try sending RST. That might make them give up.

There is not much else you can do.

I sometimes do a whois on a persistent offender and blacklist the entire
network. But I don't know if they stop as this happens before any
logging.

I'd suggest sending RST f

Re: Help ! No syslog anymore

2023-11-16 Thread Bhasker C V
Michael,
You are a star.
I don't know what I did before but I re-installed rsyslog and changed the
PrivateTmp to no
It works now.
I can see /tmp/server.log is now pushing syslog contents
Thank you very much.

On Mon, Nov 13, 2023 at 10:24 AM Michael Biebl  wrote:

> On 13.11.23 at 10:13, Bhasker C V wrote:
> > I forgot to answer the question on why I am doing this
> > I am experimenting on a no-log system where there is no writes
> > what-so-ever to /var/log (except for mails) or systemd journal
> > (currently kept volatile)
> > /tmp/ is tmpfs mounted
> > Attached is the rsyslog config as-it-is being used now.
> >
>
> With the attached rsyslog.conf, disabling PrivateTmp makes rsyslog log
> to /run/server.log correctly (verified locally).
>
> I can only assume you didn't follow my instructions properly.
>
> Please make sure after following my instruction that you have afterwards
> # systemctl show -P PrivateTmp rsyslog.service
> no
>
> Btw, for your use case, a subdirectory in /run would be more suitable,
> like say /run/syslog/.
>
> Also, you currently have
> *.* -/tmp/server.log
> *and*
> *.=info;*.=notice;*.=warn;\
> auth,authpriv.none;\
> cron,daemon.none;\
> mail,audit,news.none-/tmp/server.log
>
> This doesn't make any sense.
> This will basically duplicate the log messages in /tmp/server.log and
> interleave them.
>
> Either you split up the logs facilities and log them to separate files
> or you only keep a single log rule like
>
> *.* -/tmp/server.log
>
> which simply logs everything to /tmp/server.log
>
>


Re: Help ! No syslog anymore

2023-11-13 Thread Michael Biebl

On 13.11.23 at 10:13, Bhasker C V wrote:
> I forgot to answer the question on why I am doing this
> I am experimenting on a no-log system where there is no writes
> what-so-ever to /var/log (except for mails) or systemd journal
> (currently kept volatile)
> /tmp/ is tmpfs mounted
> Attached is the rsyslog config as-it-is being used now.



With the attached rsyslog.conf, disabling PrivateTmp makes rsyslog log 
to /run/server.log correctly (verified locally).


I can only assume you didn't follow my instructions properly.

Please make sure after following my instruction that you have afterwards
# systemctl show -P PrivateTmp rsyslog.service
no

Btw, for your use case, a subdirectory in /run would be more suitable, 
like say /run/syslog/.


Also, you currently have
*.* -/tmp/server.log
*and*
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,audit,news.none-/tmp/server.log

This doesn't make any sense.
This will basically duplicate the log messages in /tmp/server.log and 
interleave them.


Either you split up the logs facilities and log them to separate files 
or you only keep a single log rule like


*.* -/tmp/server.log

which simply logs everything to /tmp/server.log





Re: Help ! No syslog anymore

2023-11-13 Thread Bhasker C V
I forgot to answer the question on why I am doing this
I am experimenting on a no-log system where there is no writes what-so-ever
to /var/log (except for mails) or systemd journal (currently kept volatile)
/tmp/ is tmpfs mounted
Attached is the rsyslog config as-it-is being used now.



On Sun, Nov 12, 2023 at 1:46 PM Michael Biebl  wrote:

> On 12.11.23 at 08:18, Bhasker C V wrote:
> > Hi,
> > I have tried removing PrivateTmp=no in the rsyslog service file and it
> > still doesn't work
>
> I assume you mean PrivateTmp=yes?
>
> > I  have removed the service file which I had created too.
> > I found that when I run the daemon manually, it works well. Hence I have
> > disabled rsyslog and I have put the daemon startup in my rc-local
> >
> > But yes, removing PrivateTmp doesn't help.
> > I am happy to troubleshoot this if anyone wants me to be a QA for this.
>
> As a first step, please share your complete rsyslog config *verbatim*
>
>
> Michael
>
> [Not subscribed to debian-user, so please CC on replies]
>




Re: Help ! No syslog anymore

2023-11-12 Thread Michael Biebl

On 12.11.23 at 08:18, Bhasker C V wrote:
> Hi,
> I have tried removing PrivateTmp=no in the rsyslog service file and it
> still doesn't work

I assume you mean PrivateTmp=yes?

> I have removed the service file which I had created too.
> I found that when I run the daemon manually, it works well. Hence I have
> disabled rsyslog and I have put the daemon startup in my rc-local
>
> But yes, removing PrivateTmp doesn't help.
> I am happy to troubleshoot this if anyone wants me to be a QA for this.

As a first step, please share your complete rsyslog config *verbatim*


Michael

[Not subscribed to debian-user, so please CC on replies]




Re: Help ! No syslog anymore

2023-11-11 Thread Bhasker C V
Hi,
I have tried removing PrivateTmp=no in the rsyslog service file and it
still doesn't work
I have removed the service file which I had created too.
I found that when I run the daemon manually, it works well. Hence I have
disabled rsyslog and I have put the daemon startup in my rc-local

But yes, removing PrivateTmp doesn't help.
I am happy to troubleshoot this if anyone wants me to be a QA for this.


On Fri, Nov 10, 2023 at 3:55 PM Michael Biebl  wrote:

> The service file you posted is not a good idea. Please remove it again.
>
>
> If moving the log file out of /tmp is not an option, please run
> systemctl edit rsyslog.service
> and disable PrivateTmp via
>
> [Service]
> PrivateTmp=no
>


Re: Help ! No syslog anymore

2023-11-10 Thread Michael Biebl

The service file you posted is not a good idea. Please remove it again.


If moving the log file out of /tmp is not an option, please run
systemctl edit rsyslog.service
and disable PrivateTmp via

[Service]
PrivateTmp=no




Re: Help ! No syslog anymore

2023-11-10 Thread Bhasker C V
Thanks very much.
Adding bind path did not help. I found that if I run rsyslog from
command-line as unconfined_t, it works well. It is just the extra systemd
locks which fail
I have since written a simple systemd unit file to make rsyslog work and it
has started working

# /etc/systemd/system/user-rsyslog.service
[Unit]
Description=Simple Rsyslog service
After=network.target auditd.service

[Service]
Type=simple
ExecStart=pkill -9 -f rsyslogd;/usr/sbin/rsyslogd -n -iNONE

[Install]
WantedBy=multi-user.target

On Wed, Nov 8, 2023 at 4:47 PM Sven Joachim  wrote:

> On 2023-11-08 08:26 +, Bhasker C V wrote:
>
> >  I moved my syslog to a different location  '/tmp/server.log'
>
> A rather strange decision, since /tmp is usually pruned on reboot.
>
> > This was working all fine until I moved to selinux in enforcing mode.
> >
> > I have tried putting selinux in permissive state and that too did not help
>
> Most likely your problem has nothing to do with selinux, but is rather
> due to the hardening features implemented in rsyslog 8.2310.0-1.  Among
> other things, rsyslogd now gets its own /tmp directory (PrivateTmp=yes
> in rsyslog.service) which is not shared with other processes.
>
> > Please could someone help ? Or if there is a procedure to move syslog file
> > /var/log/syslog to a different location, I am happy to follow ...
>
> If you insist on moving it to /tmp, one possibility is to use a bind
> mount for /tmp/server.log.  Run "systemctl edit rsyslog.service" and put
> the following two lines in the file:
>
> [Service]
> BindPaths=-/tmp/server.log
>
> You may also need a tmpfiles.d(5) snippet to create /tmp/server.log on
> reboot if it does not exist.
>
> Good luck,
> Sven
>
>


Re: Help to find the Debians repository

2023-11-09 Thread Marco M.
On 08.11.2023 at 18:34:12, ARY SAYD SAULT wrote:

> I am reaching out to you because the team and I need to analyze the
> evolution of Debian software over the years and correlate it with
> Lehman's laws.

The tracker gives you version information: https://tracker.debian.org/

On the archive mirrors you can find older software versions:
That server includes stuff from the late 90s.
http://mirror.mephi.ru/debian-archive/debian/dists/



Re: Help to find the Debians repository

2023-11-08 Thread David Christensen

On 11/8/23 13:34, ARY SAYD SAULT wrote:
> Dear Debian's Team,
>
> I hope this email finds you well. My name is Ary I am a software
> engineering student at Catholic University of Salvador. I am reaching
> out to you because the team and I need to analyze the evolution of
> Debian software over the years and correlate it with Lehman's laws.
> Obviously, for this type of work, we would not need to analyze all
> the software since its release, just the most recent versions.
>
> I would greatly appreciate it if you could help me and my colleagues
> to find a repository where we could do this kind of analysis. If you
> need any additional information from me, please let me know.
>
> Thank you for your time and consideration. I look forward to hearing
> back from you soon.
>
> Best regards, Ary

On 11/8/23 14:05, Greg Wooledge wrote:
>  has most of it.


If you want source code:

https://sources.debian.org/


David



Re: Help to find the Debians repository

2023-11-08 Thread Greg Wooledge
On Wed, Nov 08, 2023 at 06:34:12PM -0300, ARY SAYD SAULT wrote:
> software over the years and correlate it with Lehman's laws. Obviously, for
> this type of work, we would not need to analyze all the software since its
> release, just the most recent versions.

 has most of it.



Re: Help ! No syslog anymore

2023-11-08 Thread Sven Joachim
On 2023-11-08 08:26 +, Bhasker C V wrote:

>  I moved my syslog to a different location  '/tmp/server.log'

A rather strange decision, since /tmp is usually pruned on reboot.

> This was working all fine until I moved to selinux in enforcing mode.
>
> I have tried putting selinux in permissive state and that too did not help

Most likely your problem has nothing to do with selinux, but is rather
due to the hardening features implemented in rsyslog 8.2310.0-1.  Among
other things, rsyslogd now gets its own /tmp directory (PrivateTmp=yes
in rsyslog.service) which is not shared with other processes.

> Please could someone help ? Or if there is a procedure to move syslog file
> /var/log/syslog to a different location, I am happy to follow ...

If you insist on moving it to /tmp, one possibility is to use a bind
mount for /tmp/server.log.  Run "systemctl edit rsyslog.service" and put
the following two lines in the file:

[Service]
BindPaths=-/tmp/server.log

You may also need a tmpfiles.d(5) snippet to create /tmp/server.log on
reboot if it does not exist.

Good luck,
Sven
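
A small checker for the two configuration problems raised in this thread (a log target inside /tmp while rsyslog.service runs with PrivateTmp=yes, and two rules writing to the same file), given as an added example that is not part of any poster's message or of rsyslog itself. The sample configuration is constructed from the rules quoted in the thread, the function names are hypothetical, and the parser only understands legacy `selector action` rules with backslash continuations.

```python
import posixpath
import re
from collections import Counter

# Constructed sample modelled on the rules quoted in the thread.
SAMPLE_CONF = """\
# constructed sample, not the poster's actual file
*.*\t-/tmp/server.log
*.=info;*.=notice;*.=warn;\\
\tauth,authpriv.none;\\
\tcron,daemon.none;\\
\tmail,audit,news.none\t-/tmp/server.log
mail.*\t-/var/log/mail.log
"""

# Legacy rule: "<facility.priority list> <whitespace> [-]/path/to/file"
RULE_RE = re.compile(r"^(?P<selector>\S*\.\S+)\s+-?(?P<path>/\S+)$")

# Directories that systemd replaces with per-service private copies
# when the unit has PrivateTmp=yes.
PRIVATE_DIRS = ("/tmp", "/var/tmp")


def logical_lines(text):
    """Join lines ending in a backslash with the line(s) that follow."""
    pending = []
    for raw in text.splitlines():
        part = raw.strip()
        if part.endswith("\\"):
            pending.append(part[:-1].rstrip())
            continue
        yield "".join(pending) + part
        pending = []
    if pending:
        yield "".join(pending)


def file_rules(text):
    """Return (selector, normalised path) for every rule that logs to a file."""
    rules = []
    for line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m["selector"], posixpath.normpath(m["path"])))
    return rules


def under(path, directory):
    return path == directory or path.startswith(directory + "/")


def audit(text, private_tmp):
    """private_tmp is the output of:
    systemctl show -P PrivateTmp rsyslog.service   ("yes" or "no")
    """
    counts = Counter(path for _, path in file_rules(text))
    hidden = sorted(
        path for path in counts
        if private_tmp == "yes" and any(under(path, d) for d in PRIVATE_DIRS)
    )
    duplicates = {path: n for path, n in counts.items() if n > 1}
    return {"hidden_by_private_tmp": hidden, "duplicate_targets": duplicates}


if __name__ == "__main__":
    report = audit(SAMPLE_CONF, "yes")
    for path in report["hidden_by_private_tmp"]:
        print(f"{path}: written inside the service's private tmp directory, "
              "not visible at this path to other processes")
    for path, n in report["duplicate_targets"].items():
        print(f"{path}: targeted by {n} rules, messages will be duplicated")
```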



Re: Help fixing package dependencies

2023-10-11 Thread Timothy M Butterworth
On Wed, Oct 11, 2023 at 9:39 AM Rishikesh Kakade <1rishikaka...@gmail.com>
wrote:

> Hi!
>
> I am trying to upgrade my system from Debian 11 to Debian 12. When I run
> sudo apt full-upgrade,
>
> λ ~/ main* sudo apt full-upgrade
>
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> Calculating upgrade... Error!
> Some packages could not be installed. This may mean that you have
> requested an impossible situation or if you are using the unstable
> distribution that some required packages have not yet been created
> or been moved out of Incoming.
> The following information may help to resolve the situation:
>
> The following packages have unmet dependencies:
> libboost-thread1.74.0 : Breaks: libboost-regex1.74.0-icu67
> libc6-dev : Breaks: libnetcdf-dev (<= 1:4.9.0-3) but 1:4.7.4-1 is to be installed
> libgirepository-1.0-1 : Breaks: libgjs0g (< 1.68.4-1+b1) but 1.66.2-1 is to be installed
> E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.
>
>
>
> I am afraid that I will break my system if I attempt to solve it alone.
> Can anyone help me figure out how to fix the dependency issue?
>
> Rishi
>

First run:
sudo apt update
sudo apt upgrade
sudo apt full-upgrade

Second, if that does not work then check your repos. You should have
something similar to:

less /etc/apt/sources.list
deb http://deb.debian.org/debian/ bookworm main non-free contrib non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀


Re: Help fixing package dependencies during Debian 11 -> 12 upgrade

2023-10-11 Thread Michael Kjörling
On 11 Oct 2023 11:08 +0530, from 1rishikaka...@gmail.com (Rishikesh Kakade):
> I am trying to upgrade my system from Debian 11 to Debian 12.

Okay.

First things first: did you read through and follow the upgrade
preparation portions of the Bookworm release notes? Going straight for
`apt full-upgrade` _might_ work but is not the recommended upgrade
method for going from one major release to the next.

> When I run sudo apt full-upgrade,
> [...]
> libc6-dev : Breaks: libnetcdf-dev (<= 1:4.9.0-3) but 1:4.7.4-1 is to be installed

I didn't check the other ones, but this doesn't seem right. For that
package, Bullseye is at package version 1:4.7.4-1, but Bookworm is at
1:4.9.0-3+b1, so apt _shouldn't_ try to install 1:4.7.4-1 as part of
an upgrade to Bookworm.

My guess would be that you have some stale Bullseye repository in your
apt sources list, either from Debian or some third-party repository.
See 
https://www.debian.org/releases/bookworm/amd64/release-notes/ch-upgrading.en.html#system-status

Please share the output of: grep -r -v '^#' /etc/apt/sources.list*

Please take care to not introduce any line breaks in that output which
are not in the original.

-- 
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
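
A scripted form of the check suggested above (look through the uncommented apt source entries for a repository that still points at the old release), given as an added example that is not part of the poster's message. The file contents are constructed, `repo.example.org` and the function names are hypothetical, and only the one-line `deb ...` format is parsed, not deb822 `.sources` files.

```python
import re

TARGET = "bookworm"

# Constructed sample: file name -> content, as produced by reading
# /etc/apt/sources.list and /etc/apt/sources.list.d/*.list.
SAMPLE_FILES = {
    "/etc/apt/sources.list": """\
deb http://deb.debian.org/debian/ bookworm main non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
# deb http://deb.debian.org/debian/ bullseye main
deb http://deb.debian.org/debian/ bullseye-updates main
""",
    "/etc/apt/sources.list.d/thirdparty.list": """\
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://repo.example.org/debian bullseye main
""",
}

# type, optional [options], URI, suite; components are not needed here.
ENTRY_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)


def entries(files):
    """Yield (file, line number, uri, suite) for every active source entry."""
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = ENTRY_RE.match(line.strip())   # commented lines do not match
            if m:
                yield name, lineno, m["uri"], m["suite"]


def codename(suite):
    """bookworm-security -> bookworm, bullseye/updates -> bullseye."""
    return re.split(r"[-/]", suite, maxsplit=1)[0]


def other_releases(files, target):
    """List entries whose suite does not belong to the target release.

    Third-party suites with their own naming are reported too, so each hit
    is something to review by hand, not automatically an error.
    """
    return [
        (name, lineno, suite)
        for name, lineno, _uri, suite in entries(files)
        if codename(suite) != target
    ]


if __name__ == "__main__":
    for name, lineno, suite in other_releases(SAMPLE_FILES, TARGET):
        print(f"{name}:{lineno}: suite '{suite}' is not {TARGET}")
```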



Re: Help fixing package dependencies

2023-10-10 Thread David
On Wed, 2023-10-11 at 11:08 +0530, Rishikesh Kakade wrote:
> Hi!
> 
> I am trying to upgrade my system from Debian 11 to Debian 12. When I run
> sudo apt full-upgrade,

Well, to start with what appears to be the obvious, did you begin with
`apt-get update' first?
Then, `apt-get full-upgrade'.

It's important to establish the current state of your system first.
Cheers!

> λ ~/ main* sudo apt full-upgrade
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> Calculating upgrade... Error!
> Some packages could not be installed. This may mean that you have
> requested an impossible situation or if you are using the unstable
> distribution that some required packages have not yet been created
> or been moved out of Incoming.
> The following information may help to resolve the situation:
> 
> The following packages have unmet dependencies:
> libboost-thread1.74.0 : Breaks: libboost-regex1.74.0-icu67
> libc6-dev : Breaks: libnetcdf-dev (<= 1:4.9.0-3) but 1:4.7.4-1 is to be installed
> libgirepository-1.0-1 : Breaks: libgjs0g (< 1.68.4-1+b1) but 1.66.2-1 is to be installed
> E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.
> 
> 
> 
> I am afraid that I will break my system if I attempt to solve it alone.
> Can anyone help me figure out how to fix the dependency issue?
> 
> Rishi

-- 
`I intend to live forever,
or die trying'.

--Groucho Marx



Re: Help ! libvirt

2023-09-22 Thread Michal Prívozník
On 9/22/23 10:34, Andrea Bolognani wrote:
> On Fri, Sep 22, 2023 at 06:33:06AM +0100, Bhasker C V wrote:
>> I finally fixed it.
>> The issue seems to be with the tpm-tis/cpu backend  (wonder why it shows up
>> with a different error)
>> For the sake of community, I am attaching the new xml file so that you can
>> do forensics on what changed
>> (I pretty much did a virt-install --import --print-xml to redo the config
>> keeping everything intact)
> 
> Glad to hear you managed to make it work!
> 
>> I found another issue
>> If I switch the suspend-to-disk enabled="yes"
>> I strangely get an error
>> error: operation failed: Unable to find any firmware to satisfy 'efi'
> 
> I can explain that one.
> 
> suspend-to-disk.enabled=yes requires a firmware image that advertises
> the acpi-s4 feature, and you probably don't have one on your system.
> 
> For example, on my Fedora 38 machine:
> 
>   $ grep acpi-s4 /usr/share/qemu/firmware/*.json
>   $
> 
> Yeah, the error message is not very helpful. Unfortunately, due to
> the way firmware autoselection works, emitting a better one would be
> pretty much impossible :(
> 

You can enable debug logs and then observe why each one FW was rejected
(see those VIR_DEBUG() printings in qemuFirmwareMatchDomain() [1]).

1: https://gitlab.com/libvirt/libvirt/-/blob/master/src/qemu/qemu_firmware.c?ref_type=heads#L1174

Michal



Re: Help ! libvirt

2023-09-22 Thread Andrea Bolognani
On Fri, Sep 22, 2023 at 06:33:06AM +0100, Bhasker C V wrote:
> I finally fixed it.
> The issue seems to be with the tpm-tis/cpu backend  (wonder why it shows up
> with a different error)
> For the sake of community, I am attaching the new xml file so that you can
> do forensics on what changed
> (I pretty much did a virt-install --import --print-xml to redo the config
> keeping everything intact)

Glad to hear you managed to make it work!

> I found another issue
> If I switch the suspend-to-disk enabled="yes"
> I strangely get an error
> error: operation failed: Unable to find any firmware to satisfy 'efi'

I can explain that one.

suspend-to-disk.enabled=yes requires a firmware image that advertises
the acpi-s4 feature, and you probably don't have one on your system.

For example, on my Fedora 38 machine:

  $ grep acpi-s4 /usr/share/qemu/firmware/*.json
  $

Yeah, the error message is not very helpful. Unfortunately, due to
the way firmware autoselection works, emitting a better one would be
pretty much impossible :(

-- 
Andrea Bolognani / Red Hat / Virtualization
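
The feature check described in the message above can be reproduced offline. The following is an added example, not libvirt's code and not part of the original thread: a simplified Python stand-in for the matching that qemuFirmwareMatchDomain() performs, run over constructed descriptors in the layout of the files under /usr/share/qemu/firmware/. The file names, paths, feature lists and function names are assumptions made for illustration.

```python
import json

# Constructed sample descriptors in the layout of the JSON files under
# /usr/share/qemu/firmware/. File names, paths and feature lists are
# invented for this example; they are not taken from any distribution.
SAMPLE_DESCRIPTORS = {
    "30-example-uefi-secboot.json": """{
        "description": "UEFI with Secure Boot, keys enrolled (constructed)",
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
                    "executable": {"filename": "/example/fw/code.secboot.fd", "format": "raw"},
                    "nvram-template": {"filename": "/example/fw/vars.secboot.fd", "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-q35-*"]}],
        "features": ["acpi-s3", "enrolled-keys", "requires-smm", "secure-boot"],
        "tags": []
    }""",
    "50-example-uefi-plain.json": """{
        "description": "UEFI without Secure Boot (constructed)",
        "interface-types": ["uefi"],
        "mapping": {"device": "flash",
                    "executable": {"filename": "/example/fw/code.fd", "format": "raw"},
                    "nvram-template": {"filename": "/example/fw/vars.fd", "format": "raw"}},
        "targets": [{"architecture": "x86_64", "machines": ["pc-i440fx-*", "pc-q35-*"]}],
        "features": ["acpi-s3", "verbose-dynamic"],
        "tags": []
    }""",
    "60-example-bios.json": """{
        "description": "Legacy BIOS (constructed)",
        "interface-types": ["bios"],
        "mapping": {"device": "memory", "filename": "/example/fw/bios.bin"},
        "targets": [{"architecture": "x86_64", "machines": ["pc-i440fx-*", "pc-q35-*"]}],
        "features": ["acpi-s3", "acpi-s4"],
        "tags": []
    }""",
}


def load_descriptors(raw_files):
    """Parse descriptor texts; return (name, dict) pairs in file name order."""
    return [(name, json.loads(text)) for name, text in sorted(raw_files.items())]


def reject_reasons(desc, interface, arch, required_features):
    """Return every reason this descriptor cannot satisfy the request."""
    reasons = []
    if interface not in desc.get("interface-types", []):
        reasons.append(f"interface '{interface}' not offered")
    targeted = {t.get("architecture") for t in desc.get("targets", [])}
    if arch not in targeted:
        reasons.append(f"architecture '{arch}' not targeted")
    missing = sorted(set(required_features) - set(desc.get("features", [])))
    reasons.extend(f"feature '{feat}' not advertised" for feat in missing)
    return reasons


def select_firmware(raw_files, interface, arch, required_features=()):
    """Pick the first descriptor (by file name) with no reject reason.

    Returns (chosen_name_or_None, {rejected_name: [reasons]}).
    """
    chosen, rejected = None, {}
    for name, desc in load_descriptors(raw_files):
        reasons = reject_reasons(desc, interface, arch, required_features)
        if reasons:
            rejected[name] = reasons
        elif chosen is None:
            chosen = name
    return chosen, rejected


def explain(raw_files, interface, arch, required_features=()):
    """Print the per-descriptor outcome a single generic error would hide."""
    chosen, rejected = select_firmware(raw_files, interface, arch, required_features)
    print(f"request: interface={interface} arch={arch} "
          f"features={sorted(required_features)} -> {chosen}")
    for name, reasons in rejected.items():
        print(f"  rejected {name}: {'; '.join(reasons)}")


if __name__ == "__main__":
    # UEFI guest with suspend-to-disk enabled: nothing matches, because the
    # only descriptor advertising acpi-s4 is the BIOS one.
    explain(SAMPLE_DESCRIPTORS, "uefi", "x86_64", ["acpi-s4"])
    # The same guest without the S4 requirement matches the first UEFI entry.
    explain(SAMPLE_DESCRIPTORS, "uefi", "x86_64")
```

To inspect a real host, build the input dictionary from the descriptor files themselves (file name mapped to file contents) instead of SAMPLE_DESCRIPTORS.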



Re: Help ! libvirt

2023-09-21 Thread Bhasker C V
I finally fixed it.
The issue seems to be with the tpm-tis/cpu backend  (wonder why it shows up
with a different error)
For the sake of community, I am attaching the new xml file so that you can
do forensics on what changed
(I pretty much did a virt-install --import --print-xml to redo the config
keeping everything intact)

I found another issue
If I switch the suspend-to-disk enabled="yes"
I strangely get an error
error: operation failed: Unable to find any firmware to satisfy 'efi'

I presume the errors being spit out are not an accurate description of
failures anymore with libvirt and for the life of me I could not find why
the other xml file doesn't work and why this does.
Happy libvirt-ing


On Thu, Sep 21, 2023 at 2:58 PM Bhasker C V  wrote:

> Hi,
>  I have tried that too and that did not help either (i.e. adding the format
> type=gpt)
> The output you requested
>
> ```
> $ sudo  qemu-img info --backing-chain /var/virt/WINDOWS/WIN11
> image: /var/virt/WINDOWS/WIN11
> file format: qcow2
> virtual size: 60 GiB (64424509440 bytes)
> disk size: 55.1 GiB
> cluster_size: 65536
> backing file: WIN11-BASE (actual path: /var/virt/WINDOWS/WIN11-BASE)
> backing file format: raw
> Format specific information:
> compat: 1.1
> compression type: zlib
> lazy refcounts: false
> refcount bits: 16
> corrupt: false
> extended l2: false
> Child node '/file':
> filename: /var/virt/WINDOWS/WIN11
> protocol type: file
> file length: 55.1 GiB (59202338816 bytes)
> disk size: 55.1 GiB
>
> image: /var/virt/WINDOWS/WIN11-BASE
> file format: raw
> virtual size: 60 GiB (64424509440 bytes)
> disk size: 26.5 GiB
> Child node '/file':
> filename: /var/virt/WINDOWS/WIN11-BASE
> protocol type: file
> file length: 60 GiB (64424509440 bytes)
> disk size: 26.5 GiB
> ```
>
> On Thu, Sep 21, 2023 at 2:52 PM Peter Krempa  wrote:
>
>> On Thu, Sep 21, 2023 at 10:50:07 +0100, Bhasker C V wrote:
>> > Attaching win11.xml
>> > Please note that this used to work fine. It is failing now on libvirt-
>> > 9.7.0-1
>> >
>> > On Thu, Sep 21, 2023 at 9:13 AM Peter Krempa 
>> wrote:
>> >
>> > > On Thu, Sep 21, 2023 at 09:05:43 +0100, Bhasker C V wrote:
>> > > > Adding libvirt mailing list
>> > > > apologies for cross-posting
>> > > > libvirt version: 9.7.0-1
>> > > >
>> > > > On Thu, Sep 21, 2023 at 8:39 AM john doe 
>> wrote:
>> > > >
>> > > > > On 9/21/23 09:32, Bhasker C V wrote:
>> > > > > > I am getting an error with libvirt when I create a VM
>> > > > > >
>> > > > > > ```
>> > > > > >   $ sudo virsh create ./win11.xml
>> > >
>> > > Please attach the XML used here. It comes from a code path which
>> > > shouldn't be possible to reach.
>> > >
>> > > > > > error: Failed to create domain from ./win11.xml
>> > > > > > error: internal error: mishandled storage format 'none'
>> > > > > >
>> > > > > > ```
>> > > > > >
>> > > > > > This is after I have done a dist-upgrade (was working fine
>> before)
>> > > > > > debian trixie.
>> > >
>> > > Which version did you have before?
>> > >
>> > > > > >
>> > > > > > error message says
>> > > > > > qemuBlockStorageSourceGetBlockdevFormatProps:1227 : internal
>> error:
>> > > > > > mishandled storage format 'none'
>> > >
>> > >
>>
>> >   destroy
>> >   restart
>> >   destroy
>> >   
>> > 
>> > 
>> >   
>> >   
>> > /usr/bin/qemu-system-x86_64
>> > 
>> >   
>> >   
>> >   
>> > 
>>
>> Could you please also attach the output of:
>>
>>   qemu-img info --backing-chain '/var/virt/WINDOWS/WIN11'
>>
>>
>> > 
>> >   
>> >   
>> > 
>> >   
>> >   
>> > 
>>
>> In the definition I don't see anything that would hint that anything
>> with the disk config is broken, for qcow2 volumes we do auto-detection
>> of backing images, thus the request for the output of the command above.
>>
>>

  windows
  2476be4a-85b6-4be2-bf57-71cfde64d9de
http://libosinfo.org/xmlns/libvirt/domain/1.0";>
  http://microsoft.com/win/11"/>
  2
  2
  2
hvm
/var/virt/WINDOWS/win11_vars_nvram.fd
/usr/bin/qemu-system-x86_64



Re: Help ! libvirt

2023-09-21 Thread Peter Krempa
On Thu, Sep 21, 2023 at 10:50:07 +0100, Bhasker C V wrote:
> Attaching win11.xml
> Please note that this used to work fine. It is failing now on libvirt-
> 9.7.0-1
> 
> On Thu, Sep 21, 2023 at 9:13 AM Peter Krempa  wrote:
> 
> > On Thu, Sep 21, 2023 at 09:05:43 +0100, Bhasker C V wrote:
> > > Adding libvirt mailing list
> > > apologies for cross-posting
> > > libvirt version: 9.7.0-1
> > >
> > > On Thu, Sep 21, 2023 at 8:39 AM john doe  wrote:
> > >
> > > > On 9/21/23 09:32, Bhasker C V wrote:
> > > > > > I am getting an error with libvirt when I create a VM
> > > > >
> > > > > ```
> > > > >   $ sudo virsh create ./win11.xml
> >
> > Please attach the XML used here. It comes from a code path which
> > shouldn't be possible to reach.
> >
> > > > > error: Failed to create domain from ./win11.xml
> > > > > error: internal error: mishandled storage format 'none'
> > > > >
> > > > > ```
> > > > >
> > > > > This is after I have done a dist-upgrade (was working fine before)
> > > > > debian trixie.
> >
> > Which version did you have before?
> >
> > > > >
> > > > > error message says
> > > > > qemuBlockStorageSourceGetBlockdevFormatProps:1227 : internal error:
> > > > > mishandled storage format 'none'
> >
> >

>   destroy
>   restart
>   destroy
>   
> 
> 
>   
>   
> /usr/bin/qemu-system-x86_64
> 
>   
>   
>   
> 

Could you please also attach the output of:

  qemu-img info --backing-chain '/var/virt/WINDOWS/WIN11'


> 
>   
>   
> 
>   
>   
> 

In the definition I don't see anything that would hint that anything
with the disk config is broken, for qcow2 volumes we do auto-detection
of backing images, thus the request for the output of the command above.



Re: Help ! libvirt

2023-09-21 Thread Bhasker C V
Hi,
 I have tried that too and that did not help either (i.e. adding the format
type=gpt)
The output you requested

```
$ sudo  qemu-img info --backing-chain /var/virt/WINDOWS/WIN11
image: /var/virt/WINDOWS/WIN11
file format: qcow2
virtual size: 60 GiB (64424509440 bytes)
disk size: 55.1 GiB
cluster_size: 65536
backing file: WIN11-BASE (actual path: /var/virt/WINDOWS/WIN11-BASE)
backing file format: raw
Format specific information:
compat: 1.1
compression type: zlib
lazy refcounts: false
refcount bits: 16
corrupt: false
extended l2: false
Child node '/file':
filename: /var/virt/WINDOWS/WIN11
protocol type: file
file length: 55.1 GiB (59202338816 bytes)
disk size: 55.1 GiB

image: /var/virt/WINDOWS/WIN11-BASE
file format: raw
virtual size: 60 GiB (64424509440 bytes)
disk size: 26.5 GiB
Child node '/file':
filename: /var/virt/WINDOWS/WIN11-BASE
protocol type: file
file length: 60 GiB (64424509440 bytes)
disk size: 26.5 GiB
```

On Thu, Sep 21, 2023 at 2:52 PM Peter Krempa  wrote:

> On Thu, Sep 21, 2023 at 10:50:07 +0100, Bhasker C V wrote:
> > Attaching win11.xml
> > Please note that this used to work fine. It is failing now on libvirt-
> > 9.7.0-1
> >
> > On Thu, Sep 21, 2023 at 9:13 AM Peter Krempa  wrote:
> >
> > > On Thu, Sep 21, 2023 at 09:05:43 +0100, Bhasker C V wrote:
> > > > Adding libvirt mailing list
> > > > apologies for cross-posting
> > > > libvirt version: 9.7.0-1
> > > >
> > > > On Thu, Sep 21, 2023 at 8:39 AM john doe 
> wrote:
> > > >
> > > > > On 9/21/23 09:32, Bhasker C V wrote:
> > > > > > > I am getting an error with libvirt when I create a VM
> > > > > >
> > > > > > ```
> > > > > >   $ sudo virsh create ./win11.xml
> > >
> > > Please attach the XML used here. It comes from a code path which
> > > shouldn't be possible to reach.
> > >
> > > > > > error: Failed to create domain from ./win11.xml
> > > > > > error: internal error: mishandled storage format 'none'
> > > > > >
> > > > > > ```
> > > > > >
> > > > > > This is after I have done a dist-upgrade (was working fine
> before)
> > > > > > debian trixie.
> > >
> > > Which version did you have before?
> > >
> > > > > >
> > > > > > error message says
> > > > > > qemuBlockStorageSourceGetBlockdevFormatProps:1227 : internal
> error:
> > > > > > mishandled storage format 'none'
> > >
> > >
>
> >   destroy
> >   restart
> >   destroy
> >   
> > 
> > 
> >   
> >   
> > /usr/bin/qemu-system-x86_64
> > 
> >   
> >   
> >   
> > 
>
> Could you please also attach the output of:
>
>   qemu-img info --backing-chain '/var/virt/WINDOWS/WIN11'
>
>
> > 
> >   
> >   
> > 
> >   
> >   
> > 
>
> In the definition I don't see anything that would hint that anything
> with the disk config is broken, for qcow2 volumes we do auto-detection
> of backing images, thus the request for the output of the command above.
>
>


Re: Help ! libvirt

2023-09-21 Thread Bhasker C V
Attaching win11.xml
Please note that this used to work fine. It is failing now on
libvirt-9.7.0-1

On Thu, Sep 21, 2023 at 9:13 AM Peter Krempa  wrote:

> On Thu, Sep 21, 2023 at 09:05:43 +0100, Bhasker C V wrote:
> > Adding libvirt mailing list
> > apologies for cross-posting
> > libvirt version: 9.7.0-1
> >
> > On Thu, Sep 21, 2023 at 8:39 AM john doe  wrote:
> >
> > > On 9/21/23 09:32, Bhasker C V wrote:
> > > > > I am getting an error with libvirt when I create a VM
> > > >
> > > > ```
> > > >   $ sudo virsh create ./win11.xml
>
> Please attach the XML used here. It comes from a code path which
> shouldn't be possible to reach.
>
> > > > error: Failed to create domain from ./win11.xml
> > > > error: internal error: mishandled storage format 'none'
> > > >
> > > > ```
> > > >
> > > > This is after I have done a dist-upgrade (was working fine before)
> > > > debian trixie.
>
> Which version did you have before?
>
> > > >
> > > > error message says
> > > > qemuBlockStorageSourceGetBlockdevFormatProps:1227 : internal error:
> > > > mishandled storage format 'none'
>
>

  windows
  8c8df02f-e7ca-41b4-8002-d2e4c8b2bd5a
http://libosinfo.org/xmlns/libvirt/domain/1.0";>
  http://microsoft.com/win/10"/>
  2
  4194304
  2
/machine
hvm
/var/virt/WINDOWS/ovmf_code.fd
/var/virt/WINDOWS/win11_vars_nvram.fd
  destroy
  restart
  destroy
/usr/bin/qemu-system-x86_64
+64055:+64055
+64055:+64055



Re: Help ! libvirt

2023-09-21 Thread Peter Krempa
On Thu, Sep 21, 2023 at 09:05:43 +0100, Bhasker C V wrote:
> Adding libvirt mailing list
> apologies for cross-posting
> libvirt version: 9.7.0-1
> 
> On Thu, Sep 21, 2023 at 8:39 AM john doe  wrote:
> 
> > On 9/21/23 09:32, Bhasker C V wrote:
> > > > I am getting an error with libvirt when I create a VM
> > >
> > > ```
> > >   $ sudo virsh create ./win11.xml

Please attach the XML used here. It comes from a code path which
shouldn't be possible to reach.

> > > error: Failed to create domain from ./win11.xml
> > > error: internal error: mishandled storage format 'none'
> > >
> > > ```
> > >
> > > This is after I have done a dist-upgrade (was working fine before)
> > > debian trixie.

Which version did you have before?

> > >
> > > error message says
> > > qemuBlockStorageSourceGetBlockdevFormatProps:1227 : internal error:
> > > mishandled storage format 'none'



Re: Help ! libvirt

2023-09-21 Thread Daniel P . Berrangé
On Thu, Sep 21, 2023 at 09:05:43AM +0100, Bhasker C V wrote:
> Adding libvirt mailing list
> apologies for cross-posting
> libvirt version: 9.7.0-1
> 
> On Thu, Sep 21, 2023 at 8:39 AM john doe  wrote:
> 
> > On 9/21/23 09:32, Bhasker C V wrote:
> > > > I am getting an error with libvirt when I create a VM
> > >
> > > ```
> > >   $ sudo virsh create ./win11.xml

Please post the win11.xml file contents too

> > > error: Failed to create domain from ./win11.xml
> > > error: internal error: mishandled storage format 'none'
> > >
> > > ```
> > >
> > > This is after I have done a dist-upgrade (was working fine before)
> > > debian trixie.
> > >
> > > error message says
> > > qemuBlockStorageSourceGetBlockdevFormatProps:1227 : internal error:
> > > mishandled storage format 'none'
> > >

With regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|



Re: Help ! libvirt

2023-09-21 Thread Bhasker C V
Adding libvirt mailing list
apologies for cross-posting
libvirt version: 9.7.0-1

On Thu, Sep 21, 2023 at 8:39 AM john doe  wrote:

> On 9/21/23 09:32, Bhasker C V wrote:
> > I am getting an error with libvirt when I create a VM
> >
> > ```
> >   $ sudo virsh create ./win11.xml
> > error: Failed to create domain from ./win11.xml
> > error: internal error: mishandled storage format 'none'
> >
> > ```
> >
> > This is after I have done a dist-upgrade (was working fine before)
> > debian trixie.
> >
> > error message says
> > qemuBlockStorageSourceGetBlockdevFormatProps:1227 : internal error:
> > mishandled storage format 'none'
> >
>
> You might want to post this as well to the Libvirt mailing list.
>
> --
> John Doe
>
>


Re: Help ! libvirt

2023-09-21 Thread john doe

On 9/21/23 09:32, Bhasker C V wrote:

> I am getting an error with libvirt when I create a VM
>
> ```
>   $ sudo virsh create ./win11.xml
> error: Failed to create domain from ./win11.xml
> error: internal error: mishandled storage format 'none'
>
> ```
>
> This is after I have done a dist-upgrade (was working fine before)
> debian trixie.
>
> error message says
> qemuBlockStorageSourceGetBlockdevFormatProps:1227 : internal error:
> mishandled storage format 'none'



You might want to post this as well to the Libvirt mailing list.

--
John Doe



Re: Help with Optimus and external monitor use

2023-05-23 Thread Bob McGowan
Additional info:
$ nvidia-detect
Detected NVIDIA GPUs:
01:00.0 VGA compatible controller [0300]: NVIDIA Corporation TU117M
[GeForce GTX 1650 Mobile / Max-Q] [10de:1f91] (rev a1)

Checking card:  NVIDIA Corporation TU117M [GeForce GTX 1650 Mobile / Max-Q]
(rev a1)
Your card is supported by the default drivers.
Your card is also supported by the Tesla 470 drivers series.
Your card is also supported by the Tesla 450 drivers series.
Your card is also supported by the Tesla 418 drivers series.
It is recommended to install the
nvidia-driver
package.

$ apt search nvidia-driver
Sorting... Done
Full Text Search... Done
glx-alternative-nvidia/stable,now 1.2.1~deb11u1 amd64 [installed,automatic]
 allows the selection of NVIDIA as GLX provider

libegl-nvidia0/stable,now 470.182.03-1 amd64 [installed,automatic]
 NVIDIA binary EGL library

libgl1-nvidia-glvnd-glx/stable,now 470.182.03-1 amd64 [installed,automatic]
 NVIDIA binary OpenGL/GLX library (GLVND variant)

libgles-nvidia1/stable,now 470.182.03-1 amd64 [installed,automatic]
 NVIDIA binary OpenGL|ES 1.x library

libgles-nvidia2/stable,now 470.182.03-1 amd64 [installed,automatic]
 NVIDIA binary OpenGL|ES 2.x library

libglx-nvidia0/stable,now 470.182.03-1 amd64 [installed,automatic]
 NVIDIA binary GLX library

nvidia-alternative/stable,now 470.182.03-1 amd64 [installed,automatic]
 allows the selection of NVIDIA as GLX provider

nvidia-detect/stable,now 470.182.03-1 amd64 [installed]
 NVIDIA GPU detection utility

nvidia-driver/stable,now 470.182.03-1 amd64 [installed]
 NVIDIA metapackage

nvidia-driver-bin/stable,now 470.182.03-1 amd64 [installed,automatic]
 NVIDIA driver support binaries

nvidia-driver-libs/stable,now 470.182.03-1 amd64 [installed,automatic]
 NVIDIA metapackage (OpenGL/GLX/EGL/GLES libraries)

nvidia-kernel-dkms/stable,now 470.182.03-1 amd64 [installed,automatic]
 NVIDIA binary kernel module DKMS source

nvidia-kernel-source/stable 470.182.03-1 amd64
 NVIDIA binary kernel module source

nvidia-legacy-390xx-driver/stable 390.157-1~deb11u1 amd64
 NVIDIA metapackage (390xx legacy version)

nvidia-legacy-390xx-kernel-dkms/stable 390.157-1~deb11u1 amd64
 NVIDIA binary kernel module DKMS source (390xx legacy version)

nvidia-legacy-390xx-kernel-source/stable 390.157-1~deb11u1 amd64
 NVIDIA binary kernel module source (390xx legacy version)

xserver-xorg-video-nvidia/stable,now 470.182.03-1 amd64
[installed,automatic]
 NVIDIA binary Xorg driver

xserver-xorg-video-nvidia-legacy-390xx/stable 390.157-1~deb11u1 amd64
 NVIDIA binary Xorg driver (390xx legacy version)

$
Bob


Re: Help with Debian for ARM

2023-05-13 Thread Dan Ritter
Mario Marietto wrote: 
> I still have the old "Samsung / Google Nexus 10" tablet. I don't like
> Android. Any help to install Ubuntu instead of Android on this device is
> appreciated. Thanks.


First, this is a Debian list, not an Ubuntu list.

Second, as far as I know, there are proprietary components to
that tablet which make it impossible for Debian to be installed.

As an alternative, nearly all Android devices can run a Debian
environment in a chroot:

https://wiki.debian.org/ChrootOnAndroid


-dsr-



Re: Help with Debian for ARM

2023-05-13 Thread Mario Marietto
Errata corrige :

I still have the old "Samsung / Google Nexus 10" tablet. I don't like
Android. Any help to install Debian instead of Android on this device is
appreciated. Thanks.

On Sat, May 13, 2023 at 2:27 PM Mario Marietto 
wrote:

> Hello.
>
> I still have the old "Samsung / Google Nexus 10" tablet. I don't like
> Android. Any help to install Ubuntu instead of Android on this device is
> appreciated. Thanks.
>
> --
> Mario.
>


-- 
Mario.


Re: Help: disk swap

2022-08-02 Thread Chuck Zmudzinski
On 7/27/2022 1:51 PM, Erik Mathis wrote:
> I would look at the UEFI vs BIOS boot options in the "backup" server and 
> compare it to the "broken" server and make sure they are the same. Also check 
> for BIOS updates and such.
>
>
> -Erik-
>
>
> On Wed, Jul 27, 2022 at 7:59 AM tony  wrote:
>
> Hi,
>
> I turned on my main home server after a few weeks absence,  and got
> smoke from its power supply. Fortunately, I have a backup system, which
> does work; both are running Debian 10, so I swapped use to that machine.
> and am able to work with that, but some of the files and settings are a
> bit out of date.
>
> I decided to move the disk from the broken machine to the backup, but on
> booting I'm dropped into a grub screen saying disk id  not
> found. Not entirely surprising perhaps.
>
> So, how do I get it to recognize, and boot from the old disk.
>
> Cheers, Tony
>

I have used the following procedure to fix booting from a disk that
causes the system to drop to the grub shell instead of booting normally:

When in the grub shell, type ls, and you will see a list of the available
disks and partitions. You will see items like (hd0,gpt1) which would be
the first gpt partition on the first disk. Then you can list the files in that
partition using 'ls (hd0,gpt1)/'. You should then look for the partition with
the boot/grub/grub.cfg file, and then use the configfile command from
the grub shell to load the grub configuration on the disk from the broken
machine which should allow you to boot the Debian system that is on that
disk. For example, if the grub.cfg file is on (hd0,gpt1), then you do:

grub> configfile (hd0,gpt1)/boot/grub/grub.cfg

Hopefully you will see the normal grub menu giving you the option to
select an OS to boot, and hopefully you will be able to boot the Debian
that is on the disk from the broken machine.

If you can get the Debian system on the disk from the broken machine running,
then you will need to reinstall grub to update your grub so it can boot using
the disk from the broken machine without dropping to the grub shell. For
example, if you use efi, you will need to reinstall grub-efi-amd64-bin or maybe
grub-efi-amd64-bin-signed for secure boot, and after that it should boot the
disk from the broken machine without dropping to the grub shell.

Chuck



Re: Help: disk swap

2022-08-02 Thread mick.crane

On 2022-08-02 05:17, David wrote:


And then use something like this:
  https://www.newegg.com/sabrent-ec-dflt-dock/p/N82E16817366069
to connect disk "A" to machine "B".


StarTech external caddies/connectors seem OK.

mick



Re: Help: disk swap

2022-08-02 Thread Jude DaShiell
The second disk would need to be connected to the running linux in some
way either by a disk dock or a disk caddy such that the running linux
could find the second disk using lsblk and blkid.  Once located, parted -a
optimal /dev/xxx and then print to show the partition table then quit on
/dev/xxx could reveal boot partition information.  I have a disk caddy
here for sata disks which has its own power supply and that caddy also
boots external ssd drives once inserted correctly since the connectors for
sata and ssd are identical.



On Tue, 2 Aug 2022, David wrote:

> On Tue, 2 Aug 2022 at 13:25, David Wright  wrote:
> > On Thu 28 Jul 2022 at 14:29:32 (+0100), tony van der Hoff wrote:
> > > On 27/07/2022 16:07, Jude DaShiell wrote:
>
> > > Thanks for your help. Sadly, I'm not getting very far with this. I
> > > guess I'm not understanding your instructions too well:
> > >
> > > > Have the running linux system on the machine.  Run lsblk to locate the
> > > > name of the boot partition.
> > >
> > > I'll call the disk from the backup machine "B", and the disk I want to
> > > use "A".
>
> > The methodology below is unsuitable for you because you don't have
> > both disks in the machine at the same time.
>
> It would certainly be easier to help if that was the situation.
>
> We have been told that both machines were running Debian 10. But a
> problem is as yet we don't know if they have similar or different boot
> systems. That lack of information makes it very difficult to give advice.
>
> So trying to modify disk "A" to boot machine "B" could be tricky. But
> perhaps trying to get disk "A" to boot machine "B" is an XY problem that
> can be avoided, if maybe Tony only needs to recover some data off
> disk "A" onto disk "B".
>
> Given that Tony is not finding this easy, another approach that might
> be easier would be to keep the backup machine "B" intact and working
> and booting with its disk "B" connected as previously.
> And then use something like this:
>   https://www.newegg.com/sabrent-ec-dflt-dock/p/N82E16817366069
> to connect disk "A" to machine "B".
>
> And then the desired data can just be copied off it, and that might
> meet all Tony's needs.
>
> This method can also reveal evidence of what boot system is used by
> both machines, and would permit modifying disk "A" if that turns out
> to be necessary.
>
> I find this kind of drive dock very useful for admin flexibility and
> rescue tasks. I think they are a versatile and useful general purpose
> tool for tinkering. So, a worthwhile investment, in my opinion.
>
>



Re: Help: disk swap

2022-08-01 Thread David
On Tue, 2 Aug 2022 at 13:25, David Wright  wrote:
> On Thu 28 Jul 2022 at 14:29:32 (+0100), tony van der Hoff wrote:
> > On 27/07/2022 16:07, Jude DaShiell wrote:

> > Thanks for your help. Sadly, I'm not getting very far with this. I
> > guess I'm not understanding your instructions too well:
> >
> > > Have the running linux system on the machine.  Run lsblk to locate the
> > > name of the boot partition.
> >
> > I'll call the disk from the backup machine "B", and the disk I want to
> > use "A".

> The methodology below is unsuitable for you because you don't have
> both disks in the machine at the same time.

It would certainly be easier to help if that was the situation.

We have been told that both machines were running Debian 10. But a
problem is as yet we don't know if they have similar or different boot
systems. That lack of information makes it very difficult to give advice.

So trying to modify disk "A" to boot machine "B" could be tricky. But
perhaps trying to get disk "A" to boot machine "B" is an XY problem that
can be avoided, if maybe Tony only needs to recover some data off
disk "A" onto disk "B".

Given that Tony is not finding this easy, another approach that might
be easier would be to keep the backup machine "B" intact and working
and booting with its disk "B" connected as previously.
And then use something like this:
  https://www.newegg.com/sabrent-ec-dflt-dock/p/N82E16817366069
to connect disk "A" to machine "B".

And then the desired data can just be copied off it, and that might
meet all Tony's needs.

This method can also reveal evidence of what boot system is used by
both machines, and would permit modifying disk "A" if that turns out
to be necessary.

I find this kind of drive dock very useful for admin flexibility and
rescue tasks. I think they are a versatile and useful general purpose
tool for tinkering. So, a worthwhile investment, in my opinion.



Re: Help: disk swap

2022-08-01 Thread David Wright
On Thu 28 Jul 2022 at 14:29:32 (+0100), tony van der Hoff wrote:
> Thanks for your help. Sadly, I'm not getting very far with this. I
> guess I'm not understanding your instructions too well:
> 
> On 27/07/2022 16:07, Jude DaShiell wrote:
> > Have the running linux system on the machine.  Run lsblk to locate the
> > name of the boot partition.
> 
> I'll call the disk from the backup machine "B", and the disk I want to
> use "A".
> 
> 
> OK, on disk B:  lsblk sda9 /boot
> >  Once you have the name run blkid and copy the
> 
> sudo blkid
> /dev/sda9: LABEL="boot" UUID="3fe30767-f7d7-4e6d-b48e-f80eef2d4b71"
> 
> Now I'm lost.
> 
> Remove disk B, install disk A
> Boots into grub rescue.

The methodology below is unsuitable for you because you don't have
both disks in the machine at the same time.

> > uuid for use in the end of /etc/fstab and put in the path to the boot
> > device, the disk format ext4, defaults,nofail 1 2 on an fstab entry.
> > Next, run update-grub and you should get a new boot entry in grub.  If you
> > boot the machine on the boot screen hit down-arrow followed by enter and
> > your other disk should boot up.
> > I got a new computer with no sata tray in it and have a sata caddy and
> > some older sata disks and that's how I got those to boot.  hth.

You'd need to provide more information about both your computers and
how they boot in order to get better help. That would include whether
each one boots with EFI or the BIOS, and whether the disks are MBR
or GPT. It would help to know whether A's disk has a separate /boot
partition like B's does.

In the meantime, you could try the following commands from the Grub
Rescue prompt. It's not straightforward as only a subset of commands
will work. It's very likely to fail if the two computers boot in
different ways. All the disk and partition numbers below are just
examples: substitute according to what Grub finds present.

grub rescue> set pager=1

  in case you type a command that produces more than a page of output.

grub rescue> set

  will list the environment. The interesting ones are prefix and root,
  as these are the ones you might need to change.

grub rescue> ls

  should tell you what Grub calls your disk. It might look like:

  (hd0) (hd0,msdos4) (hd0,msdos3) (hd0,msdos2) (hd0,msdos1)

  or ditto with msdos→gpt. If you only see:

  (hd0)

  then you should see the partitions by typing:

grub rescue> ls (hd0)

  If you know the partition layout of the disk, and where
  /boot is, then you can type:

grub rescue> set prefix=(hd0,msdos3)/grub
grub rescue> set prefix=(hd0,msdos2)/boot/grub

  The first is where /boot is separate and on the 3rd partition,
  whereas the second is where boot is in the root filesystem on
  the 2nd.

  Similarly, you need to set the root partition by typing:

grub rescue> set root=(hd0,msdos2)

  You'll notice that that would be appropriate for the second example
  above, where /boot was in the root filesystem.

  Say you don't know the layout of your disk. Then you have to poke
  around with ls, using commands like:

grub rescue> ls (hd0,msdos1)

  which, for a root filesystem, should show bin dev etc lib and so on.

  Once the prefix is set, you should be able to get more of Grub
  loaded by typing these two lines:

grub rescue> insmod normal
grub rescue> normal

  I can't remember if the prompt changes, but you should have more
  commands available now.

  At a minimum you need, for a system where /boot is not separate,
  but in the root (and first) partition:

grub> insmod linux
grub> linux /boot/vmlinuz-… root=/dev/sda1 ro single
grub> initrd /boot/initrd.img-…
grub> boot

  Filename completion should work at …, and note that the kernel
  root parameter uses kernel notation, not Grub's. (Fortunately,
  both count partitions from 1 nowadays.)

  It's possible that you need to insmod more modules, so report
  at which step it fails.

Cheers,
David.



Re: Help: disk swap

2022-07-28 Thread David
On Fri, 29 Jul 2022 at 02:32, Jude DaShiell  wrote:
>
> Then your new /etc/fstab record should
> look like:
> The email program split that line all
> of that should be on one line
> space-separated.  hth.
> 3fe30767-f7d7-4e6d-b48e-f80eef2d4b71
> /dev/sda9 ext4 defaults,nofail 1 2

Although it does no harm, "defaults," is unnecessary and can be
omitted there.

Because it specifies defaults.

And defaults are values that are used when nothing is specified.

It can be omitted because "nofail" by itself is sufficient to establish
column 4, so that later values occur in columns 5 and 6.

"defaults" in /etc/fstab should only ever be used by itself, in column
number 4, when a non-default (ie not 0) value is required for one of
the following columns. Its function is to occupy an otherwise empty
column number 4, so that what follows it on the same line occurs
in column 5.



Re: Help: disk swap

2022-07-28 Thread Jude DaShiell
Then your new /etc/fstab record should
look like:
The email program split that line all
of that should be on one line
space-separated.  hth.
3fe30767-f7d7-4e6d-b48e-f80eef2d4b71
/dev/sda9 ext4 defaults,nofail 1 2

On Thu, 28 Jul 2022, tony van der Hoff wrote:

> Thanks for your help. Sadly, I'm not getting very far with this. I guess I'm
> not understanding your instructions too well:
>
> On 27/07/2022 16:07, Jude DaShiell wrote:
> > Have the running linux system on the machine.  Run lsblk to locate the
> > name of the boot partition.
>
> I'll call the disk from the backup machine "B", and the disk I want to use
> "A".
>
>
> OK, on disk B:  lsblk sda9 /boot
> >  Once you have the name run blkid and copy the
>
> sudo blkid
> /dev/sda9: LABEL="boot" UUID="3fe30767-f7d7-4e6d-b48e-f80eef2d4b71"
>
> Now I'm lost.
>
> Remove disk B, install disk A
> Boots into grub rescue.
>
> > uuid for use in the end of /etc/fstab and put in the path to the boot
> > device, the disk format ext4, defaults,nofail 1 2 on an fstab entry.
> > Next, run update-grub and you should get a new boot entry in grub.  If you
> > boot the machine on the boot screen hit down-arrow followed by enter and
> > your other disk should boot up.
> > I got a new computer with no sata tray in it and have a sata caddy and
> > some older sata disks and that's how I got those to boot.  hth.
> >
> >
>
>
>



Re: Help: disk swap

2022-07-27 Thread Charlie Gibbs

On Wed Jul 27 10:30:05 2022 tony  wrote:

> I turned on my main home server after a few weeks absence,  and got
> smoke from its power supply. Fortunately, I have a backup system,
> which does work; both are running Debian 10, so I swapped use to that
> machine. and am able to work with that, but some of the files and
> settings are a bit out of date.
>
> I decided to move the disk from the broken machine to the backup, but
> on booting I'm dropped into a grub screen saying disk id 
> not found. Not entirely surprising perhaps.
>
> So, how do I get it to recognize, and boot from the old disk.

You might not be able to.  I once had a power supply fail
in such a way as to destroy the motherboard and the two
hard drives in the machine.  I lost about 180GB of stuff,
only some of which I was able to replace.  My backups are
_much_ better now.

Let's hope you're luckier than that.

--
/~\  Charlie Gibbs  |  Life is perverse.
\ /|  It can be beautiful -
 X   I'm really at ac.dekanfrus |  but it won't.
/ \  if you read it the right way.  |-- Lily Tomlin



Re: Help: disk swap

2022-07-27 Thread Erik Mathis
I would look at the UEFI vs BIOS boot options in the "backup" server and
compare it to the "broken" server and make sure they are the same. Also
check for BIOS updates and such.


-Erik-


On Wed, Jul 27, 2022 at 7:59 AM tony  wrote:

> Hi,
>
> I turned on my main home server after a few weeks absence,  and got
> smoke from its power supply. Fortunately, I have a backup system, which
> does work; both are running Debian 10, so I swapped use to that machine.
> and am able to work with that, but some of the files and settings are a
> bit out of date.
>
> I decided to move the disk from the broken machine to the backup, but on
> booting I'm dropped into a grub screen saying disk id  not
> found. Not entirely surprising perhaps.
>
> So, how do I get it to recognize, and boot from the old disk.
>
> Cheers, Tony
>
>


Re: Help: disk swap

2022-07-27 Thread Felix Miata
tony composed on 2022-07-27 12:37 (UTC+0100):

> I turned on my main home server after a few weeks absence,  and got
> smoke from its power supply. Fortunately, I have a backup system, which
> does work; both are running Debian 10, so I swapped use to that machine.
> and am able to work with that, but some of the files and settings are a
> bit out of date.

> I decided to move the disk from the broken machine to the backup, but on
> booting I'm dropped into a grub screen saying disk id  not
> found. Not entirely surprising perhaps.

> So, how do I get it to recognize, and boot from the old disk.

It could be as simple as striking the right key at POST. If you have two UEFI PCs
and the disks were installed in UEFI mode, you might be able to select the foreign
disk with a BBS key:

BBS Boot Keys

[*]ASRock     F11
[*]Asus       F8
[*]Biostar    F9?
[*]Dell       F12
[*]eCS        F10
[*]eMachines  F10
[*]EVGA       F7
[*]Gigabyte   F12
[*]HP         F9 or ESC or ESC,F9
[*]Lenovo     F12 or F8 or F10
[*]MSI        F11
[*]Toshiba    F12

If one PC was configured to use legacy mode while the other UEFI, you might need
to go into BIOS to enable the other mode.

There are all sorts of reasons possible for your predicament. David's reply covers
many ways to minimize or eliminate the inconvenience of a PC or disk failure, and
includes your providing information for helping us to help you.

One possible way to encounter your non-recognition situation is to add the other
disk rather than substituting. Swapping SATA cables between the two drives with
both installed at once might work around that issue.

The "name" Gene's reply refers to is called a volume label, easier for mere humans
to deal with than the UUIDs Grub uses by default, and referred to by Jude. Use
e2label or tune2fs to assign labels where they don't already exist on EXTn
filesystems. Volume labels are how I do all native Linux filesystem mounting and
booting, never UUIDs.
-- 
Evolution as taught in public schools is, like religion,
based on faith, not based on science.

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata



Re: Help: disk swap

2022-07-27 Thread David Christensen

On 7/27/22 04:37, tony wrote:

Hi,

I turned on my main home server after a few weeks absence,  and got
smoke from its power supply. Fortunately, I have a backup system, which
does work; both are running Debian 10, so I swapped use to that machine.
and am able to work with that, but some of the files and settings are a
bit out of date.

I decided to move the disk from the broken machine to the backup, but on
booting I'm dropped into a grub screen saying disk id  not
found. Not entirely surprising perhaps.

So, how do I get it to recognize, and boot from the old disk.

Cheers, Tony



Please provide a hardware inventory for each computer.


For each disk drive, please describe the purpose of the drive.


Please tell us how each computer is booted, what services are provided, 
and what data is stored.



Prior to the disaster, please tell us about your disaster preparedness 
measures.  Were backups, archives, images, etc., up-to-date?



Since the disaster, where is your live data?  Have your disaster 
preparedness measures changed?  Are your backups, archives, images, 
etc., up-to-date?



Have you repaired the main home server?  When the power supply failed, 
did anything else fail?



Suggestions:

1.  Install Debian onto a high quality USB 3.0 flash drive, to use for 
maintenance and troubleshooting.


2.  Buy a hardware power supply tester.

3.  Buy external drive adapters corresponding to whatever internal 
drives you use -- so that you can remove internal drives, connect them 
to the adapters, and access them using another computer.


4.  Do not be afraid to "throw money at the problem" -- e.g. maintain an 
inventory of spare parts and computers.  The last time I lost data was 
when I decided not to buy big, new, backup HDD's for a data migration.



David



Re: Help: disk swap

2022-07-27 Thread gene heskett

On 7/27/22 08:02, tony wrote:

Hi,

I turned on my main home server after a few weeks absence,  and got
smoke from its power supply. Fortunately, I have a backup system, which
does work; both are running Debian 10, so I swapped use to that machine.
and am able to work with that, but some of the files and settings are a
bit out of date.

I decided to move the disk from the broken machine to the backup, but on
booting I'm dropped into a grub screen saying disk id  not
found. Not entirely surprising perhaps.

So, how do I get it to recognize, and boot from the old disk.

Cheers, Tony

.

name the disk partition, and use that "name" in the /etc/fstab to mount it.
You may have to rerun grub install too.

Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: Help: disk swap

2022-07-27 Thread Jude DaShiell
Have the running linux system on the machine.  Run lsblk to locate the
name of the boot partition.  Once you have the name run blkid and copy the
uuid for use in the end of /etc/fstab and put in the path to the boot
device, the disk format ext4, defaults,nofail 1 2 on an fstab entry.
Next, run update-grub and you should get a new boot entry in grub.  If you
boot the machine on the boot screen hit down-arrow followed by enter and
your other disk should boot up.
I got a new computer with no sata tray in it and have a sata caddy and
some older sata disks and that's how I got those to boot.  hth.




Re: Unlocking (remote/local), was Re: Help with suid (bash)

2022-05-11 Thread David Wright
On Wed 11 May 2022 at 20:26:20 (+0200), to...@tuxteam.de wrote:
> On Wed, May 11, 2022 at 11:07:09AM -0500, David Wright wrote:
> 
> [...]
> 
> > But after two posts about background information on setuid shell
> > scripts, you now write "the worst antipattern is to misuse tech
> > to force people to follow some nonsensical rituals". Strong words.
> 
> Sorry if I was unclear. The point I was trying to make is that
> OpenSSH allows you to change the behaviour we are discussing
> if you wish so. So it /doesn't/ follow that antipattern.

I don't know what the antipattern is, that openssh doesn't follow.

> As to the other points? Well:
> 
>  0. if you want to be able to login directly as root, /and/
>with a password, change the server's /etc/sshd_config

Perhaps I need to make it clear that:

. I have set a password for root.
. I can login as root at the console, using that password.
. I do not want to login as root by password from any other
  system, be it mine or anyone else's.
. I do not want to force, persuade, or hint that anyone else
  should follow my preferences.

>  1. if you can be bothered to set up a key for root, use
>that (generally preferable to 0.)

I have. On all my systems, root can login as root, by key,
on any other of my systems. And the same for me as me. Other
users (which includes me) aren't set up to login by key or
password to the root account: they use su.
(Or avoid login with sudo.)

The recipe I posted for the OP doesn't mention or use keys,
or use the root account. The secondary script (unlock-…)
that I use to run the main one does use ssh, but is silent on
the authentication method.

Charles suggested that the OP just run things as root. As
I was posting a script that's really designed for remote
unlocking, I thought it helpful to point out that in an
unaltered Debian system, you wouldn't be able to login as
root. (I see no reason against basing answers on a vanilla
Debian stable system.)

>  1a. you can even limit what a private key owner is able to
>do: e.g. "only backup". So even if someone manages to
>steal your remote backup's private key, (s)he'll only
>be able to trigger a backup

I didn't read the OP's question as necessitating that sort of
configuration. Anyone who thinks to the contrary is free to
add their own reply.

>  2. if you don't like 0..1a, there's still sudo. You can
>fine-tune what commands (and what parameters go with
>those) each (local or remote) user is allowed to invoke,
>and even whether they're supposed to issue a password
>for that or they get it "password-less".

Isn't that what I did: I spelled out the exact limitations
that I impose, with the actual lines from the sudoers file,
complete with their parameters and partial values, including
the fact that after quoting (or not) the password to log in,
they're not expected to quote it again just for sudo.

> What's not to like?

I don't know. I posted a script that does more than what the OP
wanted to achieve (which was to avoid using the root account),
and because it's a real script, I tried to add any information
that explained specifics that might not be immediately understood,
like:

. why it's in .profile,
. what /home/0 is,
. why it prints a line between unlocking and mounting,
. who unlock is,
. why unlocking a system remotely might be attractive,
. why lines were added to the sudoers file.

> What's missing?

Evidently, a discussion on becoming root.

And if you're following along closely, and ignore the likely
circumstances of my script being run, you might point out that
there's no obvious way for user unlock to unmount or lock /home.

Cheers,
David.



Re: Unlocking (remote/local), was Re: Help with suid (bash)

2022-05-11 Thread tomas
On Wed, May 11, 2022 at 11:07:09AM -0500, David Wright wrote:

[...]

> But after two posts about background information on setuid shell
> scripts, you now write "the worst antipattern is to misuse tech
> to force people to follow some nonsensical rituals". Strong words.

Sorry if I was unclear. The point I was trying to make is that
OpenSSH allows you to change the behaviour we are discussing
if you wish so. So it /doesn't/ follow that antipattern.

As to the other points? Well:

 0. if you want to be able to login directly as root, /and/
   with a password, change the server's /etc/sshd_config
 1. if you can be bothered to set up a key for root, use
   that (generally preferable to 0.)
 1a. you can even limit what a private key owner is able to
   do: e.g. "only backup". So even if someone manages to
   steal your remote backup's private key, (s)he'll only
   be able to trigger a backup
 2. if you don't like 0..1a, there's still sudo. You can
   fine-tune what commands (and what parameters go with
   those) each (local or remote) user is allowed to invoke,
   and even whether they're supposed to issue a password
   for that or they get it "password-less".

What's not to like? What's missing?

Cheers
-- 
t




Re: Unlocking (remote/local), was Re: Help with suid (bash)

2022-05-11 Thread David Wright
On Wed 11 May 2022 at 07:05:47 (+0200), to...@tuxteam.de wrote:
> On Tue, May 10, 2022 at 10:08:20PM -0500, David Wright wrote:
> > On Tue 10 May 2022 at 17:12:25 (-0600), Charles Curley wrote:
> 
> [...]
> 
> > IOW, though logging in to root by password is ok at the console,
> > it's not ok when remote. ➀
> 
> I assume you know all that you can set "PermitRootLogin yes" in
> your /etc/ssh/sshd_config (the default is "prohibit-password",
> which fits the behaviour you are describing).
> 
> It's not recommended, (for good reasons!), but hey, it's your box,
> and you decide what you deem to be "secure enough". After all,
> security is context-dependent, and the worst antipattern is to
> misuse tech to force people to follow some nonsensical rituals
> (it happens far too often, alas, but OpenSSH isn't that sort of
> software).
> 
> So you can change that, if you wish so. What's your point?

Well, Charles seemed to have difficulty with understanding my first
paragraph, which I wrote merely to explain that I assume a root
password has been set. It seems odd to get three follow-ups, all of
which centre on the consequences of the ssh configuration chosen
by the Debian developers for a bullseye installation.

When you write a script to unlock and mount a partition, you can
do it in two lines:

# udisksctl unlock --block-device /dev/foo
# mount /dev/bar /baz

but that's useless as it stands, and needs to be embedded into
your ecosystem to be useful, which is why I posted my script,
a real example.

But after two posts about background information on setuid shell
scripts, you now write "the worst antipattern is to misuse tech
to force people to follow some nonsensical rituals". Strong words.

Perhaps you could elaborate on which specific rituals you find
offensive. I can't work out whether you're criticising my script,
or the Debian developers for the way they're now choosing to
configure ssh, or the linux kernel developers for the ban on
setuid shell scripts.

Cheers,
David.



Re: Unlocking (remote/local), was Re: Help with suid (bash)

2022-05-11 Thread Dan Ritter
Charles Curley wrote: 
> On Tue, 10 May 2022 11:08:23 -0500
> David Wright  wrote:
> 
> > That complicates unlocking partitions remotely because, even if you
> > can log in as root, you normally can't log in remotely as root.
> 
> ??? I log in as root over SSH all the time.

Most sshd configs either prevent root from logging in directly
or prevent root from logging in with a password (ssh key
required).

-dsr-



Re: Unlocking (remote/local), was Re: Help with suid (bash)

2022-05-10 Thread tomas
On Tue, May 10, 2022 at 10:08:20PM -0500, David Wright wrote:
> On Tue 10 May 2022 at 17:12:25 (-0600), Charles Curley wrote:

[...]

> IOW, though logging in to root by password is ok at the console,
> it's not ok when remote. ➀

I assume you know all that you can set "PermitRootLogin yes" in
your /etc/ssh/sshd_config (the default is "prohibit-password",
which fits the behaviour you are describing).

It's not recommended, (for good reasons!), but hey, it's your box,
and you decide what you deem to be "secure enough". After all,
security is context-dependent, and the worst antipattern is to
misuse tech to force people to follow some nonsensical rituals
(it happens far too often, alas, but OpenSSH isn't that sort of
software).

So you can change that, if you wish so. What's your point?

Cheers

[1] cf. man 5 sshd_config
-- 
t




Re: Unlocking (remote/local), was Re: Help with suid (bash)

2022-05-10 Thread David Wright
On Tue 10 May 2022 at 17:12:25 (-0600), Charles Curley wrote:
> On Tue, 10 May 2022 11:08:23 -0500
> David Wright  wrote:
> 
> > That complicates unlocking partitions remotely because, even if you
> > can log in as root, you normally can't log in remotely as root.
> 
> ??? I log in as root over SSH all the time.

This sequence will be familiar to a lot of people:

$ ssh acer -l root   ➀
root@acer's password: 
Permission denied, please try again.
root@acer's password:   ^C

130 $  /bin/su - ➁
Password: 
bullseye on /dev/sda5 toto05
# ssh acer
Linux acer 5. … …➂
 …  …
Last login: Tue May 10 …
acer # mv -i .ssh/authorized_keys .ssh/hide-authorized_keys  ➃
acer # 
logout
Connection to acer closed.
# ssh acer   ➄
root@acer's password: 
Permission denied, please try again.
root@acer's password:   ^C

130 # 

IOW, though logging in to root by password is ok at the console,
it's not ok when remote. ➀

However, when I'm already root ➁, logging in by key is ok because acer's
root has my public key and I can prove I have the private key. ➂

If acer's root doesn't have my public key ➃, then I still can't login
to acer with ssh because password is all that's left. ➄

I don't give root's public key to other users, where "other" includes me.

I presume that in some respect, your systems differ.

> > I use a special user called unlock, whose home directory is on
> > /var/local/, to unlock my /home partitions:
> 
> Unlock? What does "unlock" mean in this context? It looks like a
> synonym for "mount". If so, it's an unnecessary opportunity for
> confusion. And it sounds like it's more complicated than it need be.

/etc/fstab could mount /home, except for the context:

> > > On Tue 10 May 2022 at 07:50:18 (-0400), rhkra...@gmail.com wrote:

> > > > Background: 8 years ago I wrote a set of scripts to help me mount and
> > > > unmount LUKS encrypted partitions as needed and as myself () rather
> > > > than as root.

So any complexity, outside the script itself, arises from:

unlock has a home directory that's not on /home (which is still locked),
unlock can run just one program, and with strictly limited arguments,
unlock doesn't have to authenticate to use that sudo command,
I'm lazy and would rather type unloac than ssh acer -l unlock,
and I'm lazy and would rather type wake-ac than walk 30 yards
and a flight of stairs, plus return, just to press a button.

Cheers,
David.



Re: Unlocking (remote/local), was Re: Help with suid (bash)

2022-05-10 Thread Greg Wooledge
On Tue, May 10, 2022 at 05:12:25PM -0600, Charles Curley wrote:
> David Wright  wrote:
> > I use a special user called unlock, whose home directory is on
> > /var/local/, to unlock my /home partitions:
> 
> Unlock? What does "unlock" mean in this context? It looks like a
> synonym for "mount". If so, it's an unnecessary opportunity for
> confusion. And it sounds like it's more complicated than it need be.

I think it implies some kind of encryption, requiring a key to mount.



Re: Unlocking (remote/local), was Re: Help with suid (bash)

2022-05-10 Thread Charles Curley
On Tue, 10 May 2022 11:08:23 -0500
David Wright  wrote:

> That complicates unlocking partitions remotely because, even if you
> can log in as root, you normally can't log in remotely as root.

??? I log in as root over SSH all the time.

> 
> I use a special user called unlock, whose home directory is on
> /var/local/, to unlock my /home partitions:

Unlock? What does "unlock" mean in this context? It looks like a
synonym for "mount". If so, it's an unnecessary opportunity for
confusion. And it sounds like it's more complicated than it need be.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: Unlocking (remote/local), was Re: Help with suid (bash)

2022-05-10 Thread David Wright
On Tue 10 May 2022 at 13:02:41 (-0400), Greg Wooledge wrote:
> On Tue, May 10, 2022 at 11:08:23AM -0500, David Wright wrote:

[> > On Tue 10 May 2022 at 08:21:00 (-0600), Charles Curley wrote:]

> > > Why the aversion to doing things as root? Why not just run your scripts
> > > as root? This is exactly the sort of thing that is reserved to root for
> > > reasons of security.
> > 
> > That complicates unlocking partitions remotely because, even if you
> > can log in as root, you normally can't log in remotely as root.
> 
> But you *can* typically sudo on the remote system, which is what is
> actually being suggested here.  I think.

It's certainly what's being suggested by /me/, as can be seen in my:

  sudo udisksctl unlock --block-device "$j"

but that's not how rhkramer (judging by the 12:40:25 response¹) and
I would take Charles' post as meaning, but rather:

  $ su -
  # cryptsetup luksOpen /dev/sd  && /bin/mount \
/dev/mapper/ 

presumably with the command wrapped, as now, in a script.

> (Also, you'd be surprised how many systems *do* allow remote root logins,
> either from a quasi-trusted set of source IPs, or using key auth only,
> or both.)

I do myself, using keys, but only local-root to remote-root. Having an
ordinary user use sudo means that one script suffices to unlock /home
both from a remote machine or at the console. Of course, it's a separate
ordinary user because of their non-/home home directory.

Simplification and generalisation are quite important to me, so as you
can see, the script will work unchanged on any of my hosts, and though
I mentioned unlock-acer, that function is one of several that are
created on the fly, in this case from:

  function unlock- { # unlock /home before logging in or transfers
  ping -c 1 -W 1  | grep 'bytes from' # wake it up first
  date && ssh -X  -l unlock
  }

(The ping seems to help those powerline devices that some hosts use.)

¹ "a general aversion to being in root"

Cheers,
David.



Re: Unlocking (remote/local), was Re: Help with suid (bash)

2022-05-10 Thread Greg Wooledge
On Tue, May 10, 2022 at 11:08:23AM -0500, David Wright wrote:
> > On Tue, 10 May 2022 07:50:18 -0400 rhkra...@gmail.com wrote:
> > Why the aversion to doing things as root? Why not just run your scripts
> > as root? This is exactly the sort of thing that is reserved to root for
> > reasons of security.
> 
> That complicates unlocking partitions remotely because, even if you
> can log in as root, you normally can't log in remotely as root.

But you *can* typically sudo on the remote system, which is what is
actually being suggested here.  I think.

(Also, you'd be surprised how many systems *do* allow remote root logins,
either from a quasi-trusted set of source IPs, or using key auth only,
or both.)



Re: Help with suid (bash)

2022-05-10 Thread rhkramer
On Tuesday, May 10, 2022 10:21:00 AM Charles Curley wrote:
> Why the aversion to doing things as root? Why not just run your scripts
> as root? This is exactly the sort of thing that is reserved to root for
> reasons of security.

I may think about that some more, but it is a general aversion to being in 
root, or switching to root while I'm doing "ordinary" things (like accessing 
information on some mounted-on-demand LUKS partitions).


