Re: Temporary failure in name resolution error when I try to ping Debian 12 / DomU running on top of the Devuan 5 host os / Dom0

2023-11-20 Thread Andrew M.A. Cater
t_error'
> ;;
> esac
> 
> case "${type_if}" in
> tap)
> metric=1
> ;;
> vif)
> metric=2
> ;;
> *)
> fatal "Unrecognised interface type ${type_if}"
> ;;
> esac
> 
> # If we've been given a list of IP addresses, then add routes from dom0 to
> # the guest using those addresses.
> for addr in ${ip} ; do
> ${cmdprefix} ip route ${ipcmd} ${addr} dev ${dev} src ${main_ip} metric
> ${metric}
> done
> 
> handle_iptable
> 
> call_hooks vif post
> 
> log debug "Successful vif-route ${command} for ${dev}."
> if [ "${command}" = "online" ]
> then
> success
> fi
> 
> 
> B) on the guest os (Debian 12)
> 
> 
> /etc/network/interfaces :
> 
> source /etc/network/interfaces.d/*
> iface enX0 inet static
> address 192.168.1.10/24
> gateway 192.168.1.7
> 
> /etc/resolv.conf :
> 
> options edns0 trust-ad
> search homenet.telecomitalia.it
> nameserver 8.8.8.8
> 
> 
> this is what happens within the guest os (Debian 12) :
> 
> 
> root@bookworm:~# ifup enX0
> 
> root@bookworm:~# ip a
> 
> 1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>    inet 127.0.0.1/8 scope host lo
>       valid_lft forever preferred_lft forever
>    inet6 ::1/128 scope host noprefixroute
>       valid_lft forever preferred_lft forever
>
> 2: sit0@NONE:  mtu 1480 qdisc noop state DOWN group default qlen 1000
>    link/sit 0.0.0.0 brd 0.0.0.0
>
> 3: enX0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>    link/ether 00:16:3e:12:34:56 brd ff:ff:ff:ff:ff:ff
>    inet 192.168.1.10/24 brd 192.168.1.255 scope global enX0
>       valid_lft forever preferred_lft forever
>    inet6 fe80::216:3eff:fe12:3456/64 scope link
>       valid_lft forever preferred_lft forever
> 
> root@bookworm:~# ping google.it
> ping: google.it: Temporary failure in name resolution
> 
> 
> Where can be the error ? thanks.
> 
> -- 
> Mario.



Re: Temporary failure in name resolution error when I try to ping Debian 12 / DomU running on top of the Devuan 5 host os / Dom0

2023-11-19 Thread Mario Marietto
 ${main_ip} netmask 255.255.255.255 up
>> echo 1 >/proc/sys/net/ipv4/conf/${dev}/proxy_arp
>> echo 1 >/proc/sys/net/ipv4/conf/${dev}/forwarding
>> echo 1 >/proc/sys/net/ipv4/conf/mlan0/forwarding
>> echo 1 >/proc/sys/net/ipv4/conf/mlan0/proxy_arp
>> /usr/sbin/arp -i mlan0 -Ds $main_ip mlan0 pub
>> ipcmd='add'
>> cmdprefix=''
>> ;;
>> remove|offline)
>> do_without_error ifdown ${dev}
>> ipcmd='del'
>> cmdprefix='do_without_error'
>> ;;
>> esac
>>
>> case "${type_if}" in
>> tap)
>> metric=1
>> ;;
>> vif)
>> metric=2
>> ;;
>> *)
>> fatal "Unrecognised interface type ${type_if}"
>> ;;
>> esac
>>
>> # If we've been given a list of IP addresses, then add routes from dom0 to
>> # the guest using those addresses.
>> for addr in ${ip} ; do
>> ${cmdprefix} ip route ${ipcmd} ${addr} dev ${dev} src ${main_ip}
>> metric ${metric}
>> done
>>
>> handle_iptable
>>
>> call_hooks vif post
>>
>> log debug "Successful vif-route ${command} for ${dev}."
>> if [ "${command}" = "online" ]
>> then
>> success
>> fi
>>
>>
>> B) on the guest os (Debian 12)
>>
>>
>> /etc/network/interfaces :
>>
>> source /etc/network/interfaces.d/*
>> iface enX0 inet static
>> address 192.168.1.10/24
>> gateway 192.168.1.7
>>
>> /etc/resolv.conf :
>>
>> options edns0 trust-ad
>> search homenet.telecomitalia.it
>> nameserver 8.8.8.8
>>
>>
>> this is what happens within the guest os (Debian 12) :
>>
>>
>> root@bookworm:~# ifup enX0
>>
>> root@bookworm:~# ip a
>>
>> 1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>    inet 127.0.0.1/8 scope host lo
>>       valid_lft forever preferred_lft forever
>>    inet6 ::1/128 scope host noprefixroute
>>       valid_lft forever preferred_lft forever
>>
>> 2: sit0@NONE:  mtu 1480 qdisc noop state DOWN group default qlen 1000
>>    link/sit 0.0.0.0 brd 0.0.0.0
>>
>> 3: enX0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>    link/ether 00:16:3e:12:34:56 brd ff:ff:ff:ff:ff:ff
>>    inet 192.168.1.10/24 brd 192.168.1.255 scope global enX0
>>       valid_lft forever preferred_lft forever
>>    inet6 fe80::216:3eff:fe12:3456/64 scope link
>>       valid_lft forever preferred_lft forever
>>
>> root@bookworm:~# ping google.it
>> ping: google.it: Temporary failure in name resolution
>>
>>
>> Where can be the error ? thanks.
>>
>> --
>> Mario.
>>
>
>
> --
> Mario.
>


-- 
Mario.


Re: Temporary failure in name resolution error when I try to ping Debian 12 / DomU running on top of the Devuan 5 host os / Dom0

2023-11-19 Thread jeremy ardley



On 20/11/23 05:54, Mario Marietto wrote:

root@bookworm:~# ifup enX0

root@bookworm:~# ip a

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host noprefixroute
      valid_lft forever preferred_lft forever

2: sit0@NONE:  mtu 1480 qdisc noop state DOWN group default qlen 1000
   link/sit 0.0.0.0 brd 0.0.0.0

3: enX0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
   link/ether 00:16:3e:12:34:56 brd ff:ff:ff:ff:ff:ff
   inet 192.168.1.10/24 brd 192.168.1.255 scope global enX0
      valid_lft forever preferred_lft forever
   inet6 fe80::216:3eff:fe12:3456/64 scope link
      valid_lft forever preferred_lft forever

root@bookworm:~# ping google.it
ping: google.it: Temporary failure in name resolution



In the client try the command

dig @8.8.8.8 lists.debian.org mx

This will tell if your network config allows your client to access the 
8.8.8.8 DNS server.


What is the contents of your host /etc/resolv.conf ?




Re: Temporary failure in name resolution error when I try to ping Debian 12 / DomU running on top of the Devuan 5 host os / Dom0

2023-11-19 Thread Mario Marietto
" = "online" ]
> then
> success
> fi
>
>
> B) on the guest os (Debian 12)
>
>
> /etc/network/interfaces :
>
> source /etc/network/interfaces.d/*
> iface enX0 inet static
> address 192.168.1.10/24
> gateway 192.168.1.7
>
> /etc/resolv.conf :
>
> options edns0 trust-ad
> search homenet.telecomitalia.it
> nameserver 8.8.8.8
>
>
> this is what happens within the guest os (Debian 12) :
>
>
> root@bookworm:~# ifup enX0
>
> root@bookworm:~# ip a
>
> 1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>    inet 127.0.0.1/8 scope host lo
>       valid_lft forever preferred_lft forever
>    inet6 ::1/128 scope host noprefixroute
>       valid_lft forever preferred_lft forever
>
> 2: sit0@NONE:  mtu 1480 qdisc noop state DOWN group default qlen 1000
>    link/sit 0.0.0.0 brd 0.0.0.0
>
> 3: enX0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>    link/ether 00:16:3e:12:34:56 brd ff:ff:ff:ff:ff:ff
>    inet 192.168.1.10/24 brd 192.168.1.255 scope global enX0
>       valid_lft forever preferred_lft forever
>    inet6 fe80::216:3eff:fe12:3456/64 scope link
>       valid_lft forever preferred_lft forever
>
> root@bookworm:~# ping google.it
> ping: google.it: Temporary failure in name resolution
>
>
> Where can be the error ? thanks.
>
> --
> Mario.
>


-- 
Mario.


Temporary failure in name resolution error when I try to ping Debian 12 / DomU running on top of the Devuan 5 host os / Dom0

2023-11-19 Thread Mario Marietto
Hello.

I'm trying to configure Debian 12 / DomU on my (Arm32) Chromebook because I
want to use the Internet and I want its IP address to be seen from
"outside" of my LAN.

This is the tutorial that I'm following :


https://github.com/mobile-virt/u-boot-chromebook-xe303c12/tree/chromebook/xen#starting-a-domu-guest

Given these config files :


A) on the host os (Devuan 5)

Linux devuan-bunsen 6.1.61-stb-xen-cbe+ #1 SMP PREEMPT Sat Nov  4 13:46:17 EDT 2023 armv7l

root@devuan-bunsen:~# ifconfig

lo: flags=73  mtu 65536
   inet 127.0.0.1  netmask 255.0.0.0
   inet6 ::1  prefixlen 128  scopeid 0x10
   loop  txqueuelen 1000  (Local Loopback)
   RX packets 2729  bytes 8279984 (7.8 MiB)
   RX errors 0  dropped 0  overruns 0  frame 0
   TX packets 2729  bytes 8279984 (7.8 MiB)
   TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

mlan0: flags=4163  mtu 1500
   inet 192.168.1.7  netmask 255.255.255.0  broadcast 192.168.1.255
   inet6 fe80::8839:239b:9b37:cf84  prefixlen 64  scopeid 0x20
   RX packets 19694  bytes 2193230 (2.0 MiB)
   RX errors 0  dropped 0  overruns 0  frame 0
   TX packets 18757  bytes 10464406 (9.9 MiB)
   TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vif4.0: flags=4163  mtu 1500
   inet 192.168.1.7  netmask 255.255.255.255  broadcast 192.168.1.255
   ether fe:ff:ff:ff:ff:ff  txqueuelen 1000  (Ethernet)
   RX packets 359  bytes 94924 (92.6 KiB)
   RX errors 0  dropped 0  overruns 0  frame 0
   TX packets 42  bytes 1764 (1.7 KiB)
   TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

nano debian.cfg :

kernel = '/Dati/xen/kernels/zImage-6.1.61-stb-xen-cbe+'
memory = '768'
name = 'Debian-bookworm'
vcpus = '1'
disk = [ '/Dati/xen/debian.img,,xvda,w' ]
vif = [ 'type=vif,mac=00:16:3e:12:34:56,script=vif-route' ]
extra = 'console=hvc0 root=/dev/xvda rw init=/sbin/init xen-fbfront.video=24,1024,768'


nano /etc/xen/scripts/vif-route-local :

#!/bin/bash
#
# ${XEN_SCRIPT_DIR}/vif-route
#
# Script for configuring a vif in routed mode.
#
# Usage:
# vif-route (add|remove|online|offline)
#
# Environment vars:
# dev vif interface name (required).
# XENBUS_PATH path to this device's details in the XenStore (required).
#
# Read from the store:
# ip  list of IP networks for the vif, space-separated (default given in
# this script).
#

dir=$(dirname "$0")
. "${dir}/vif-common.sh"
#netdev=$(mlan0)
main_ip=$(dom0_ip)
case "${command}" in
    add|online)
        echo $dev
        echo $ip
        echo $main_ip
        ifconfig ${dev} ${main_ip} netmask 255.255.255.255 up
        echo 1 >/proc/sys/net/ipv4/conf/${dev}/proxy_arp
        echo 1 >/proc/sys/net/ipv4/conf/${dev}/forwarding
        echo 1 >/proc/sys/net/ipv4/conf/mlan0/forwarding
        echo 1 >/proc/sys/net/ipv4/conf/mlan0/proxy_arp
        /usr/sbin/arp -i mlan0 -Ds $main_ip mlan0 pub
        ipcmd='add'
        cmdprefix=''
        ;;
    remove|offline)
        do_without_error ifdown ${dev}
        ipcmd='del'
        cmdprefix='do_without_error'
        ;;
esac

case "${type_if}" in
    tap)
        metric=1
        ;;
    vif)
        metric=2
        ;;
    *)
        fatal "Unrecognised interface type ${type_if}"
        ;;
esac

# If we've been given a list of IP addresses, then add routes from dom0 to
# the guest using those addresses.
for addr in ${ip} ; do
    ${cmdprefix} ip route ${ipcmd} ${addr} dev ${dev} src ${main_ip} metric ${metric}
done

handle_iptable

call_hooks vif post

log debug "Successful vif-route ${command} for ${dev}."
if [ "${command}" = "online" ]
then
    success
fi


B) on the guest os (Debian 12)


/etc/network/interfaces :

source /etc/network/interfaces.d/*
iface enX0 inet static
address 192.168.1.10/24
gateway 192.168.1.7

/etc/resolv.conf :

options edns0 trust-ad
search homenet.telecomitalia.it
nameserver 8.8.8.8


this is what happens within the guest os (Debian 12) :


root@bookworm:~# ifup enX0

root@bookworm:~# ip a

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host noprefixroute
      valid_lft forever preferred_lft forever

2: sit0@NONE:  mtu 1480 qdisc noop state DOWN group default qlen 1000
   link/sit 0.0.0.0 brd 0.0.0.0

3: enX0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
   link/ether 00:16:3e:12:34:56 brd ff:ff:ff:ff:ff:ff
   inet 192.168.1.10/24 brd 192.168.1.255 scope global enX0
      valid_lft forever preferred_lft forever
   inet6 fe80::216:3eff:fe12:3456/64 scope link
      valid_lft forever preferred_lft forever

root@bookworm:~# ping google.it
ping: google.it: Temporary failure in name resolution


Where can be the error ? thanks.

-- 
Mario.


Re: why would ping and traceroute give you different IP addresses?

2023-08-14 Thread Geert Stappers
On Tue, Aug 15, 2023 at 05:02:49AM +, Albretch Mueller wrote:
> site="download.gluonhq.com"
> date
> time ping "${site}" -c 4
> time traceroute "${site}"
> 
> $ site="download.gluonhq.com"
> date
> time ping "${site}" -c 4
> time traceroute "${site}"
> Mon 14 Aug 2023 11:54:19 PM UTC
> PING s3-website.us-east-1.amazonaws.com (54.231.134.85) 56(84) bytes of data.
> 64 bytes from s3-website-us-east-1.amazonaws.com (54.231.134.85): icmp_seq=1 
> ttl=242 time=47.8 ms
> 64 bytes from s3-website-us-east-1.amazonaws.com (54.231.134.85): icmp_seq=2 
> ttl=242 time=54.9 ms
> 64 bytes from s3-website-us-east-1.amazonaws.com (54.231.134.85): icmp_seq=3 
> ttl=242 time=46.2 ms
> 64 bytes from s3-website-us-east-1.amazonaws.com (54.231.134.85): icmp_seq=4 
> ttl=242 time=48.1 ms
> 
> --- s3-website.us-east-1.amazonaws.com ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 3004ms
> rtt min/avg/max/mdev = 46.246/49.253/54.875/3.320 ms
> 
> real  0m3.186s
> user  0m0.005s
> sys   0m0.000s
> 
> traceroute to download.gluonhq.com (52.216.228.138), 30 hops max, 60
> byte packets
>  1  _gateway (192.168.68.1)  9.267 ms  9.223 ms  8.035 ms
>  2  dsldevice.attlocal.net (192.168.1.254)  10.349 ms  10.333 ms  10.319 ms
>  3  99-178-252-1.lightspeed.stlsmo.sbcglobal.net (99.178.252.1) 33.434 ms  
> 33.420 ms  33.406 ms
>  4  71.154.70.113 (71.154.70.113)  34.515 ms  33.379 ms  38.092 ms
>  5  * * *
>  6  32.130.88.131 (32.130.88.131)  50.165 ms  42.200 ms  35.492 ms
>  7  * * *
   
> 22  * * *
> 23  s3-website-us-east-1.amazonaws.com (52.216.228.138)  50.960 ms
> 50.902 ms  53.215 ms
> 
> real  0m15.213s
> user  0m0.009s
> sys   0m0.000s
> $
> 

$ host download.gluonhq.com
download.gluonhq.com is an alias for 
download.gluonhq.com.s3-website-us-east-1.amazonaws.com.
download.gluonhq.com.s3-website-us-east-1.amazonaws.com is an alias for 
s3-website.us-east-1.amazonaws.com.
s3-website.us-east-1.amazonaws.com has address 52.217.163.181
s3-website.us-east-1.amazonaws.com has address 52.217.83.203
s3-website.us-east-1.amazonaws.com has address 52.217.206.181
s3-website.us-east-1.amazonaws.com has address 52.217.98.51
s3-website.us-east-1.amazonaws.com has address 16.182.72.93
s3-website.us-east-1.amazonaws.com has address 52.216.227.162
s3-website.us-east-1.amazonaws.com has address 52.216.212.237
s3-website.us-east-1.amazonaws.com has address 52.217.83.179
$ host download.gluonhq.com
download.gluonhq.com is an alias for 
download.gluonhq.com.s3-website-us-east-1.amazonaws.com.
download.gluonhq.com.s3-website-us-east-1.amazonaws.com is an alias for 
s3-website.us-east-1.amazonaws.com.
s3-website.us-east-1.amazonaws.com has address 52.217.163.181
s3-website.us-east-1.amazonaws.com has address 52.217.83.203
s3-website.us-east-1.amazonaws.com has address 52.217.206.181
s3-website.us-east-1.amazonaws.com has address 52.217.98.51
s3-website.us-east-1.amazonaws.com has address 16.182.72.93
s3-website.us-east-1.amazonaws.com has address 52.216.227.162
s3-website.us-east-1.amazonaws.com has address 52.216.212.237
s3-website.us-east-1.amazonaws.com has address 52.217.83.179
$
 

Groeten
Geert Stappers
-- 
Silence is hard to parse



why would ping and traceroute give you different IP addresses?

2023-08-14 Thread Albretch Mueller
site="download.gluonhq.com"
date
time ping "${site}" -c 4
time traceroute "${site}"

$ site="download.gluonhq.com"
date
time ping "${site}" -c 4
time traceroute "${site}"
Mon 14 Aug 2023 11:54:19 PM UTC
PING s3-website.us-east-1.amazonaws.com (54.231.134.85) 56(84) bytes of data.
64 bytes from s3-website-us-east-1.amazonaws.com (54.231.134.85): icmp_seq=1 ttl=242 time=47.8 ms
64 bytes from s3-website-us-east-1.amazonaws.com (54.231.134.85): icmp_seq=2 ttl=242 time=54.9 ms
64 bytes from s3-website-us-east-1.amazonaws.com (54.231.134.85): icmp_seq=3 ttl=242 time=46.2 ms
64 bytes from s3-website-us-east-1.amazonaws.com (54.231.134.85): icmp_seq=4 ttl=242 time=48.1 ms

--- s3-website.us-east-1.amazonaws.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 46.246/49.253/54.875/3.320 ms

real	0m3.186s
user	0m0.005s
sys	0m0.000s

traceroute to download.gluonhq.com (52.216.228.138), 30 hops max, 60 byte packets
 1  _gateway (192.168.68.1)  9.267 ms  9.223 ms  8.035 ms
 2  dsldevice.attlocal.net (192.168.1.254)  10.349 ms  10.333 ms  10.319 ms
 3  99-178-252-1.lightspeed.stlsmo.sbcglobal.net (99.178.252.1)  33.434 ms  33.420 ms  33.406 ms
 4  71.154.70.113 (71.154.70.113)  34.515 ms  33.379 ms  38.092 ms
 5  * * *
 6  32.130.88.131 (32.130.88.131)  50.165 ms  42.200 ms  35.492 ms
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  s3-website-us-east-1.amazonaws.com (52.216.228.138)  50.960 ms  50.902 ms  53.215 ms

real	0m15.213s
user	0m0.009s
sys	0m0.000s
$



Re: besides ping/nslookup, any other tools to resolve a hostname?

2023-03-04 Thread Ken Young
Hi,

I just launched an ubuntu container in that namespace and installed
dnsutils/iputils-ping to resolve the hostname issue.

Thank you.


On Sat, Mar 4, 2023 at 1:11 PM Rodrigo Cunha 
wrote:

> I have bitnami/mysql container (debian OS) running on kubernetes.
>> This container seems too restricted for system software, these following
>> commands are removed:
>>
>> sudo (so I can't su to root for apt)
>> ping
>> dig
>> nslookup
>> net-tools
>>
> It is a good practice to build small images for pods without commands for
> the network. To solve this problem, you can do that:
> Create a pod in the same network with net tools.
> Or
> 1. rebuild a new docker image with another version, with net-tools.
> 2. then change the current pod with edit in deployment.
>
>
>
> On Fri, Mar 3, 2023 at 9:59 PM Ken Young  wrote:
>
>> Hello,
>>
>> I have bitnami/mysql container (debian OS) running on kubernetes.
>> This container seems too restricted for system software, these following
>> commands are removed:
>>
>> sudo (so I can't su to root for apt)
>> ping
>> dig
>> nslookup
>> net-tools
>>
>> Do you know any other way to resolve a hostname by manual  on this
>> container?
>>
>> Thanks
>> Ken
>>
>
>
> --
> Atenciosamente,
> Rodrigo da Silva Cunha
> São Gonçalo, RJ - Brasil
>
>


Re: besides ping/nslookup, any other tools to resolve a hostname?

2023-03-04 Thread Nicolas George
Greg Wooledge (12023-03-03):
> Dedicated lookup tools:
> 
> getent hosts
> host
> dnsqr

It is important to know that host and dnsqr do actual DNS requests, and
therefore ignore local configuration about other means of resolving
hosts, including /etc/hosts.

getent hosts is the dedicated command, the one that matches directly the
libc API that is used by most applications.

Regards,

-- 
  Nicolas George
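
Added example, not part of the original message: a lookup that goes through the C library resolver, as the message above recommends, using whichever tool a stripped-down image still ships. `resolve_name` is a hypothetical helper name; the perl branch returns IPv4 addresses only.

```shell
#!/bin/sh
# Added example, not from the thread. resolve_name is a hypothetical helper.
# It resolves a name through the C library resolver (so /etc/hosts and
# nsswitch.conf are honoured) using whichever tool the image still ships.

# Usage: resolve_name HOST
# Prints "<tool> <address>" and returns 0; returns 1 if the name does not
# resolve and 2 if no usable tool is installed.
resolve_name() (
    name=$1
    if command -v getent >/dev/null 2>&1; then
        tool=getent
        out=$(getent hosts "$name") || out=
        # getent prints "address  name [aliases]"; keep the first field.
        set -- $out
        addr=${1:-}
    elif command -v python3 >/dev/null 2>&1; then
        tool=python3
        addr=$(python3 -c 'import socket, sys
print(socket.getaddrinfo(sys.argv[1], None)[0][4][0])' "$name" 2>/dev/null) || addr=
    elif command -v perl >/dev/null 2>&1; then
        tool=perl
        # gethostbyname in scalar context returns one packed IPv4 address.
        addr=$(perl -MSocket -e '$packed = gethostbyname($ARGV[0]) or exit 1;
print inet_ntoa($packed), "\n"' "$name" 2>/dev/null) || addr=
    else
        echo "resolve_name: no getent, python3 or perl in PATH" >&2
        return 2
    fi
    if [ -z "$addr" ]; then
        echo "resolve_name: $tool could not resolve $name" >&2
        return 1
    fi
    printf '%s %s\n' "$tool" "$addr"
)

# Demo: localhost normally comes from /etc/hosts, which a DNS-only tool
# such as host would not consult.
resolve_name localhost || true
```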




Re: besides ping/nslookup, any other tools to resolve a hostname?

2023-03-03 Thread Rodrigo Cunha
>
> I have bitnami/mysql container (debian OS) running on kubernetes.
> This container seems too restricted for system software, these following
> commands are removed:
>
> sudo (so I can't su to root for apt)
> ping
> dig
> nslookup
> net-tools
>
It is a good practice to build small images for pods without commands for
the network. To solve this problem, you can do that:
Create a pod in the same network with net tools.
Or
1. rebuild a new docker image with another version, with net-tools.
2. then change the current pod with edit in deployment.



On Fri, Mar 3, 2023 at 9:59 PM Ken Young  wrote:

> Hello,
>
> I have bitnami/mysql container (debian OS) running on kubernetes.
> This container seems too restricted for system software, these following
> commands are removed:
>
> sudo (so I can't su to root for apt)
> ping
> dig
> nslookup
> net-tools
>
> Do you know any other way to resolve a hostname by manual  on this
> container?
>
> Thanks
> Ken
>


-- 
Atenciosamente,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil


Re: besides ping/nslookup, any other tools to resolve a hostname?

2023-03-03 Thread Max Nikulin

On 04/03/2023 07:53, Ken Young wrote:
Do you know any other way to resolve a hostname by manual  on this 
container?


systemd-resolve

However I am unsure concerning k8s containers. Some interpreters:

python3 -c 'import socket as s, sys; print(s.gethostbyname(sys.argv[1]))' debian.net





Re: besides ping/nslookup, any other tools to resolve a hostname?

2023-03-03 Thread Greg Wooledge
On Sat, Mar 04, 2023 at 08:53:39AM +0800, Ken Young wrote:
> ping
> dig
> nslookup
> net-tools
> 
> Do you know any other way to resolve a hostname by manual  on this
> container?

Dedicated lookup tools:

getent hosts
host
dnsqr

Utilities that resolve hostnames as a side effect of what they are:

ssh
scp
sftp
telnet
ftp
wget
curl
lynx (et al.)



besides ping/nslookup, any other tools to resolve a hostname?

2023-03-03 Thread Ken Young
Hello,

I have bitnami/mysql container (debian OS) running on kubernetes.
This container seems too restricted for system software, these following
commands are removed:

sudo (so I can't su to root for apt)
ping
dig
nslookup
net-tools

Do you know any other way to resolve a hostname by manual  on this
container?

Thanks
Ken


Re: ping

2022-11-14 Thread Anders Andersson
On Mon, Nov 14, 2022 at 4:21 AM Greg Wooledge  wrote:

> On Sun, Nov 13, 2022 at 09:05:03PM -0600, David Wright wrote:
> > On Sun 13 Nov 2022 at 14:50:58 (+), Andrew M.A. Cater wrote:
> > > On Sun, Nov 13, 2022 at 06:04:51AM -0800, pe...@easthope.ca wrote:
> > > > root@joule:/home/root# /bin/ping -c 3  192.168.0.12
> > > > PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
> > > > 64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.079 ms
> > > > 64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.114 ms
> > > > 64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.113 ms
> > > >
> > > > --- 192.168.0.12 ping statistics ---
> > > > 3 packets transmitted, 3 received, 0% packet loss, time 2041ms
> > > > rtt min/avg/max/mdev = 0.079/0.102/0.114/0.016 ms
> > > > root@joule:/home/root# echo $PATH
> > > > /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
> >
> > Nobody has commented on that final period yet …  …  …  …  …  …   ↑
>
> I didn't see it.  Yeah, that's *nasty*.  I don't think it's directly
> related to whatever the OP's current problem is, but it's a trap waiting
> to strike.
>
> The OP is clearly not running a standard Debian system.  With root's
> home directory having been moved, and now with some evidence that the
> PATH given to root has a massive security hole in it, I'm convinced
> this is some derivative OS.
>
> Perhaps whoever put the ":." on root's PATH is also responsible for
> the alias or function that's overriding "ping".  I'm starting to get
> rather curious about this whole situation.
>
>
Yes, this user runs as root all the time, from previous threads:
https://lists.debian.org/debian-user/2022/02/msg00041.html


Re: ping

2022-11-14 Thread Tim Woodall

On Sun, 13 Nov 2022, Greg Wooledge wrote:


unicorn:~$ command -v ls
ls

But sure, the OP could provide the output of "command -v ping" in addition
to "type ping".  It couldn't hurt.



command -V ping




Re: ping

2022-11-13 Thread Greg Wooledge
On Sun, Nov 13, 2022 at 10:24:13PM -0500, Jeffrey Walton wrote:
> On Sun, Nov 13, 2022 at 3:54 PM Klaus Singvogel
>  wrote:
> >
> > pe...@easthope.ca wrote:
> > > root@joule:/home/root# /bin/ping -c 3  192.168.0.12
> > > PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
> > > 64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.079 ms
> > > 64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.114 ms
> > > 64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.113 ms
> > > ...
> > But my hottest solution in your report is an alias.
> > Having an alias of ping will never be reported by "which" either. So I can 
> > imagine you've defined ping as an alias.
> > And as Greg said, try "type ping" to find this out (and not "which ping").
> 
> As far as I know, `command -v ping` is the Posix way. It is portable,
> and it shows shell aliases and other user environment changes.

It doesn't appear to give useful output for functions.

unicorn:~$ type ls
ls is a function
ls () 
{ 
    if [ -t 1 ]; then
        command ls --color -F "$@";
    else
        command ls "$@";
    fi
}
unicorn:~$ command -v ls
ls

But sure, the OP could provide the output of "command -v ping" in addition
to "type ping".  It couldn't hurt.



Re: ping

2022-11-13 Thread Jeffrey Walton
On Sun, Nov 13, 2022 at 3:54 PM Klaus Singvogel
 wrote:
>
> pe...@easthope.ca wrote:
> > root@joule:/home/root# /bin/ping -c 3  192.168.0.12
> > PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
> > 64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.079 ms
> > 64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.114 ms
> > 64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.113 ms
> > ...
> But my hottest solution in your report is an alias.
> Having an alias of ping will never be reported by "which" either. So I can 
> imagine you've defined ping as an alias.
> And as Greg said, try "type ping" to find this out (and not "which ping").

As far as I know, `command -v ping` is the Posix way. It is portable,
and it shows shell aliases and other user environment changes.

Jeff



Re: ping

2022-11-13 Thread Greg Wooledge
On Sun, Nov 13, 2022 at 09:05:03PM -0600, David Wright wrote:
> On Sun 13 Nov 2022 at 14:50:58 (+), Andrew M.A. Cater wrote:
> > On Sun, Nov 13, 2022 at 06:04:51AM -0800, pe...@easthope.ca wrote:
> > > root@joule:/home/root# /bin/ping -c 3  192.168.0.12
> > > PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
> > > 64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.079 ms
> > > 64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.114 ms
> > > 64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.113 ms
> > > 
> > > --- 192.168.0.12 ping statistics ---
> > > 3 packets transmitted, 3 received, 0% packet loss, time 2041ms
> > > rtt min/avg/max/mdev = 0.079/0.102/0.114/0.016 ms
> > > root@joule:/home/root# echo $PATH
> > > /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
> 
> Nobody has commented on that final period yet …  …  …  …  …  …   ↑

I didn't see it.  Yeah, that's *nasty*.  I don't think it's directly
related to whatever the OP's current problem is, but it's a trap waiting
to strike.

The OP is clearly not running a standard Debian system.  With root's
home directory having been moved, and now with some evidence that the
PATH given to root has a massive security hole in it, I'm convinced
this is some derivative OS.

Perhaps whoever put the ":." on root's PATH is also responsible for
the alias or function that's overriding "ping".  I'm starting to get
rather curious about this whole situation.
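
Added example, not part of the original message: a check for the kind of PATH entry discussed above, where a trailing "." (or an empty field) makes the shell search the current directory for commands. `audit_path` is a hypothetical helper name; the world-writable test looks only at the directory itself, not at its parents.

```shell
#!/bin/sh
# Added example, not from the thread. audit_path is a hypothetical helper.
# It walks a PATH string field by field and reports entries that let a file
# in the current directory or a world-writable directory shadow a command.

# The PATH value quoted in the thread (root's PATH on the poster's machine).
THREAD_PATH='/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.'

# Usage: audit_path "$PATH"
# Prints one line per finding; exit status 0 means no finding.
audit_path() (
    rest="$1:"          # sentinel ":" so a trailing empty field is kept
    index=0
    findings=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        index=$((index + 1))
        reason=
        case $entry in
            '')
                reason='empty field, which the shell reads as the current directory'
                ;;
            /*)
                # Absolute entry: flag it if any user may create files in it.
                # ls -L follows symlinks such as /bin -> usr/bin.
                mode=$(ls -ldL -- "$entry" 2>/dev/null) || mode=
                case $mode in
                    d???????w*) reason='directory is world-writable' ;;
                esac
                ;;
            *)
                reason='relative path, resolved against the current directory'
                ;;
        esac
        if [ -n "$reason" ]; then
            printf 'entry %d: "%s": %s\n' "$index" "$entry" "$reason"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
)

# Demo on the PATH from the thread.
audit_path "$THREAD_PATH" || echo "PATH from the thread needs fixing"
```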



Re: ping

2022-11-13 Thread David Wright
On Sun 13 Nov 2022 at 14:50:58 (+), Andrew M.A. Cater wrote:
> On Sun, Nov 13, 2022 at 06:04:51AM -0800, pe...@easthope.ca wrote:
> > root@joule:/home/root# /bin/ping -c 3  192.168.0.12
> > PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
> > 64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.079 ms
> > 64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.114 ms
> > 64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.113 ms
> > 
> > --- 192.168.0.12 ping statistics ---
> > 3 packets transmitted, 3 received, 0% packet loss, time 2041ms
> > rtt min/avg/max/mdev = 0.079/0.102/0.114/0.016 ms
> > root@joule:/home/root# echo $PATH
> > /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.

Nobody has commented on that final period yet …  …  …  …  …  …   ↑

> > root@joule:/home/root# which ping
> > /bin/ping
> > root@joule:/home/root# ping -c 3  192.168.0.12
> > 
> > No response.
> > 
> > Ideas?
> 
> How did you become root? If with su, remember to now use su -
> 
> If with sudo, use sudo -s, maybe.

Perhaps https://lists.debian.org/debian-user/2022/02/msg00120.html
gives you a hint of explanation.

Cheers,
David.


Re: ping

2022-11-13 Thread Klaus Singvogel
pe...@easthope.ca wrote:
> root@joule:/home/root# /bin/ping -c 3  192.168.0.12
> PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
> 64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.079 ms
> 64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.114 ms
> 64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.113 ms
> 
> --- 192.168.0.12 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2041ms
> rtt min/avg/max/mdev = 0.079/0.102/0.114/0.016 ms
> root@joule:/home/root# echo $PATH
> /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
> root@joule:/home/root# which ping
> /bin/ping
> root@joule:/home/root# ping -c 3  192.168.0.12
> 
> No response.
> 
> Ideas?

Strange that "which ping" is reporting /bin/ping and not /usr/bin/ping as first 
executable. The strange thing is that /usr/bin/ping is located before /bin/ping 
in your $PATH and both are the same files in a standard installation (the 
inodes are identical).

So I assume, there is something utterly broken with your system (or your 
report), because of this.

But my hottest solution in your report is an alias.
Having an alias of ping will never be reported by "which" either. So I can 
imagine you've defined ping as an alias.
And as Greg said, try "type ping" to find this out (and not "which ping").

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: ping

2022-11-13 Thread Greg Wooledge
On Sun, Nov 13, 2022 at 06:04:51AM -0800, pe...@easthope.ca wrote:
> root@joule:/home/root# /bin/ping -c 3  192.168.0.12
> PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
> 64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.079 ms
> 64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.114 ms
> 64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.113 ms
> 
> --- 192.168.0.12 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2041ms
> rtt min/avg/max/mdev = 0.079/0.102/0.114/0.016 ms

> root@joule:/home/root# which ping
> /bin/ping

"which" is useless.

> root@joule:/home/root# ping -c 3  192.168.0.12
> 
> No response.

What does "type ping" say in that shell?



Re: ping

2022-11-13 Thread Charles Curley
On Sun, 13 Nov 2022 06:13:38 -0800
pe...@easthope.ca wrote:

> root@joule:/home/root# /bin/ping -c 3  192.168.0.12
> PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
> 64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.079 ms
> 64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.114 ms
> 64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.113 ms
> 
> --- 192.168.0.12 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2041ms
> rtt min/avg/max/mdev = 0.079/0.102/0.114/0.016 ms
> root@joule:/home/root# echo $PATH
> /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
> root@joule:/home/root# which ping
> /bin/ping
> root@joule:/home/root# ping -c 3  192.168.0.12
> 
> No response.

What system are you running? I am running pretty much standard Debian
11, and I notice these differences:

You appear to have root's home at /home/root. Mine is at /root, and I
have no /home/root.

root@jhegaala:~# cd
root@jhegaala:~# pwd
/root
root@jhegaala:~# ll /home/
total 28
drwxr-xr-x  4 root    root     4096 Oct 10  2021 ./
drwxr-xr-x 19 root    root     4096 Oct 19 06:27 ../
drwxr-xr-x 50 charles charles  4096 Nov 10 08:00 charles/
drwx------  2 root    root    16384 Oct 10  2021 lost+found/
root@jhegaala:~# 


which finds ping at /usr/bin/ping.

root@jhegaala:~# which ping
/usr/bin/ping
root@jhegaala:~#

although the two are the same:

root@jhegaala:~# ls -i /bin/ping /usr/bin/ping
7607442 /bin/ping  7607442 /usr/bin/ping
root@jhegaala:~# 


I get a different response when I try to execute a program that the
shell cannot find.

root@jhegaala:~# foo
-bash: foo: command not found
root@jhegaala:~# 

And, of course, I have no problem running ping without specifying a
full path to the executable.

root@jhegaala:~# ping -c 3 chaffee
PING chaffee.localdomain (192.168.100.30) 56(84) bytes of data.
64 bytes from chaffee.localdomain (192.168.100.30): icmp_seq=1 ttl=64 time=1.33 ms
64 bytes from chaffee.localdomain (192.168.100.30): icmp_seq=2 ttl=64 time=1.99 ms
64 bytes from chaffee.localdomain (192.168.100.30): icmp_seq=3 ttl=64 time=3.15 ms

--- chaffee.localdomain ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.334/2.157/3.153/0.752 ms
root@jhegaala:~# 




-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: ping

2022-11-13 Thread David Christensen

On 11/13/22 06:13, pe...@easthope.ca wrote:

root@joule:/home/root# /bin/ping -c 3  192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.114 ms
64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.113 ms

--- 192.168.0.12 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2041ms
rtt min/avg/max/mdev = 0.079/0.102/0.114/0.016 ms
root@joule:/home/root# echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
root@joule:/home/root# which ping
/bin/ping
root@joule:/home/root# ping -c 3  192.168.0.12

No response.

Ideas?

Thanks, ... Peter E.




mobile: +1 778 951 5147
   VoIP: +1 604 670 0140
https://en.wikibooks.org/wiki/User:PeterEasthope



If you run Bash, RTFM bash(1), "SHELL BUILTIN COMMANDS",
"command [-pVv] command [arg ...]":

2022-11-13 08:12:17 dpchrist@laalaa ~
$ command -V test ll ping
test is a shell builtin
ll is aliased to `ls -al --time-style="+%Y-%m-%d %H:%M:%S"'
ping is /usr/bin/ping


David
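
[Added example, not part of the original thread.] `which` only walks PATH, while the shell consults aliases, functions and builtins first, and the PATH posted above ends in `.`, so for root an unqualified `ping` can depend on the current directory. The sketch below audits both; the function names `path_audit`, `path_candidates` and `resolve_kind` are made up for this example.

```shell
#!/bin/sh
# Added example: what does an unqualified command name resolve to, and which
# PATH entries make the answer depend on the current directory?

# PATH exactly as posted by the original poster in this thread.
POSTED_PATH='/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.'

# path_audit [PATHSTRING]
# Print every PATH entry that is empty, "." or otherwise relative. The shell
# resolves such entries against the current directory.
path_audit() {
    _rest="${1-$PATH}:"        # trailing ":" keeps a final empty entry visible
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case $_entry in
            '') printf '%s\n' '(empty)' ;;
            /*) ;;                          # absolute entry: nothing to report
            *)  printf '%s\n' "$_entry" ;;
        esac
    done
}

# path_candidates NAME [PATHSTRING]
# Print, in lookup order, every executable regular file called NAME.
# The first line is what a PATH search runs; later lines are shadowed copies.
path_candidates() {
    _name=$1
    _rest="${2-$PATH}:"
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        [ -n "$_entry" ] || _entry=.       # an empty entry means "."
        if [ -f "$_entry/$_name" ] && [ -x "$_entry/$_name" ]; then
            printf '%s\n' "$_entry/$_name"
        fi
    done
}

# resolve_kind NAME
# Classify what the running shell would execute for NAME. Prints one of:
# alias, function, builtin, keyword, file:<path>, notfound.
# It parses the first line of `command -V`, whose wording differs between
# shells, so the patterns cover the bash and dash phrasings.
resolve_kind() {
    command -v "$1" >/dev/null 2>&1 || { echo notfound; return 0; }
    _desc=$(command -V "$1" 2>/dev/null | head -n 1)
    case $_desc in
        "$1 is aliased to "*|"$1 is an alias for "*)   echo alias ;;
        "$1 is a function"*|"$1 is a shell function"*) echo function ;;
        "$1 is a "*builtin*)                           echo builtin ;;
        "$1 is a "*keyword*)                           echo keyword ;;
        *) echo "file:$(command -v "$1")" ;;
    esac
}

# Demo: audit the posted PATH, then ask this shell about ping.
printf 'relative PATH entries: %s\n' "$(path_audit "$POSTED_PATH" | tr '\n' ' ')"
printf 'ping resolves to:      %s\n' "$(resolve_kind ping)"
```

Source the file into the interactive shell that misbehaves rather than running it as a script: aliases and functions exist only in that shell.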



Re: ping

2022-11-13 Thread Peter Ehlert



On 11/13/22 06:50, Andrew M.A. Cater wrote:

On Sun, Nov 13, 2022 at 06:04:51AM -0800, pe...@easthope.ca wrote:

root@joule:/home/root# /bin/ping -c 3  192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.114 ms
64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.113 ms

--- 192.168.0.12 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2041ms
rtt min/avg/max/mdev = 0.079/0.102/0.114/0.016 ms
root@joule:/home/root# echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
root@joule:/home/root# which ping
/bin/ping
root@joule:/home/root# ping -c 3  192.168.0.12

No response.

Ideas?

Thanks, ... Peter E.




How did you become root? If with su, remember to now use su -

If with sudo, use sudo -s, maybe.

is this the expected response?

peter@z840:~$ su -
Password:
root@z840:~#  /bin/ping -c 3  192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.

--- 192.168.0.12 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2060ms

root@z840:~#



All the very best, as ever,

Andy Cater

mobile: +1 778 951 5147
   VoIP: +1 604 670 0140
https://en.wikibooks.org/wiki/User:PeterEasthope







ping

2022-11-13 Thread peter
root@joule:/home/root# /bin/ping -c 3  192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.114 ms
64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.113 ms

--- 192.168.0.12 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2041ms
rtt min/avg/max/mdev = 0.079/0.102/0.114/0.016 ms
root@joule:/home/root# echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
root@joule:/home/root# which ping
/bin/ping
root@joule:/home/root# ping -c 3  192.168.0.12

No response.

Ideas?

Thanks, ... Peter E.




mobile: +1 778 951 5147
  VoIP: +1 604 670 0140
https://en.wikibooks.org/wiki/User:PeterEasthope



Re: ping

2022-11-13 Thread Andrew M.A. Cater
On Sun, Nov 13, 2022 at 06:04:51AM -0800, pe...@easthope.ca wrote:
> root@joule:/home/root# /bin/ping -c 3  192.168.0.12
> PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
> 64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.079 ms
> 64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.114 ms
> 64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.113 ms
> 
> --- 192.168.0.12 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2041ms
> rtt min/avg/max/mdev = 0.079/0.102/0.114/0.016 ms
> root@joule:/home/root# echo $PATH
> /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
> root@joule:/home/root# which ping
> /bin/ping
> root@joule:/home/root# ping -c 3  192.168.0.12
> 
> No response.
> 
> Ideas?
> 
> Thanks, ... Peter E.
> 
> 
>

How did you become root? If with su, remember to now use su -

If with sudo, use sudo -s, maybe.

All the very best, as ever,

Andy Cater 
> 
> mobile: +1 778 951 5147
>   VoIP: +1 604 670 0140
> https://en.wikibooks.org/wiki/User:PeterEasthope
> 



Re: QEMU guests can ping but can't access host

2021-09-04 Thread Charles Curley
On Sat, 04 Sep 2021 18:08:18 -0500
"David Palacio"  wrote:

> I have compared my previous install nft ruleset and installed
> packages list with the current install and found that firewalld
> wasn't installed in the working system but ufw was. The nft ruleset
> was nearly identical save for the missing firewalld rules.
> 
> And so after purging firewalld, plasma-firewall and installing ufw
> the VM guest can communicate with the host.

Excellent. Good detective work.

> 
> This was odd, though. I had already uninstalled firewalld and
> restarted the system before in an attempt to fix the issue only to
> find the VM couldn't access *anything* then. Maybe the installation
> of ufw helps somehow or plasma-firewall breaks something.

Ah. That is because routing between the two networks is usually shut
off by default. The firewall software usually silently takes care of
that for you.

> 
> Thank you for trying to help me.

You are welcome.

And I've learned something also, that comparing packages installed
might be useful. Thank you.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: QEMU guests can ping but can't access host

2021-09-04 Thread David Palacio
I have compared my previous install nft ruleset and installed packages list 
with the current install and found that firewalld wasn't installed in the 
working system but ufw was. The nft ruleset was nearly identical save for the 
missing firewalld rules.

And so after purging firewalld, plasma-firewall and installing ufw the VM guest 
can communicate with the host.

This was odd, though. I had already uninstalled firewalld and restarted the 
system before in an attempt to fix the issue only to find the VM couldn't 
access *anything* then. Maybe the installation of ufw helps somehow or 
plasma-firewall breaks something.

Thank you for trying to help me.

On Thu, Sep 2, 2021, at 5:13 PM, Charles Curley wrote:
> On Thu, 02 Sep 2021 16:09:23 -0500
> "David Palacio"  wrote:
> 
> > Hi,
> > 
> > > If you copied a disk image (.qcow2 extension) over, but not the
> > > setup files that Virtual Machine Manager (VMM) uses
> > > (in /etc/libvirt), then Windows is on a new machine, and can have
> > > conniptions over it. Go into Windows' device manager (or whatever
> > > they're calling it this week) and see if it is finding all its
> > > hardware correctly.  
> > 
> > The VM virtual network hardware is working. It can access the
> > internet. It can't access only the host, either on the virtual
> > network ip or the physical network ip. I have since removed the old
> > guest image and replaced it with a new installation on a new VM
> > configuration. The same behavior is also seen on a new Linux VM
> > running the Debian Bullseye Live KDE CD.
> 
> OK, then that's not the issue.
> 
> > > What program are you using to try to contact the host?  
> > 
> > I noticed the problem first with Windows Explorer to access the samba
> > share. It simply times out after a minute or two. Then I have tried
> > ping and a browser. Pinging the host works and the host responds.
> > Then I used nc to test connections like this: nc -lp 8080 On the host
> > and point a guest browser to http://hostip:8080/ but nc never
> > receives anything.
> 
> That sounds suspiciously like firewall ports aren't open.
> 
> > 
> > > You may also have a firewall issue, as you say. On the host, please
> > > run whatever you use as a firewall control program and check to see
> > > if the relevant port(s) is open.  
> > 
> > I have to point out I haven't touched anything regarding firewall
> > since installation, however I have attached the output of iptables
> > and nft in this message.
> > 
> > > You may find it useful to open a terminal and, as root, run
> > > 
> > > tail -f /var/log/syslog
> > > 
> > > and, while that is sitting there, try contacting the host again. If
> > > the firewall is blocking you, you'll see it in syslog.  
> > 
> > Neither syslog nor journalctl display anything related at the time
> > this problem happens.
> > 
> > > If nothing obvious jumps out at you, let us know which program(s)
> > > you are using to control your firewall (shorewall, ufw, gufw,
> > > etc.), and we will see if someone familiar with that program can
> > > help.  
> > 
> > I don't `control` my firewall. It's all Debian's default and the
> > installed Debian packages defaults, like libvirt, which adds some
> > firewall rules automatically. Attached are the outputs of `iptables
> > -L`, `nft list tables` and `nft list table tablename`.
> 
> I looked at the nft listings you provided. I am completely new to nft
> and nftables, so I may have missed something. I don't see any ports
> open on the guest network (192.168.122.0/24). So I suspect that's the
> problem.
> 
> Now we need an nftables guru to chime in.
> 
> I did find examples on the Web, but none of them looked like it was
> exactly what you needed. Sorry I can't help further.
> 
> 
> -- 
> Does anybody read signatures any more?
> 
> https://charlescurley.com
> https://charlescurley.com/blog/
> 
> 



Re: QEMU guests can ping but can't access host

2021-09-02 Thread Charles Curley
On Thu, 02 Sep 2021 16:09:23 -0500
"David Palacio"  wrote:

> Hi,
> 
> > If you copied a disk image (.qcow2 extension) over, but not the
> > setup files that Virtual Machine Manager (VMM) uses
> > (in /etc/libvirt), then Windows is on a new machine, and can have
> > conniptions over it. Go into Windows' device manager (or whatever
> > they're calling it this week) and see if it is finding all its
> > hardware correctly.  
> 
> The VM virtual network hardware is working. It can access the
> internet. It can't access only the host, either on the virtual
> network ip or the physical network ip. I have since removed the old
> guest image and replaced it with a new installation on a new VM
> configuration. The same behavior is also seen on a new Linux VM
> running the Debian Bullseye Live KDE CD.

OK, then that's not the issue.

> > What program are you using to try to contact the host?  
> 
> I noticed the problem first with Windows Explorer to access the samba
> share. It simply times out after a minute or two. Then I have tried
> ping and a browser. Pinging the host works and the host responds.
> Then I used nc to test connections like this: nc -lp 8080 On the host
> and point a guest browser to http://hostip:8080/ but nc never
> receives anything.

That sounds suspiciously like firewall ports aren't open.

> 
> > You may also have a firewall issue, as you say. On the host, please
> > run whatever you use as a firewall control program and check to see
> > if the relevant port(s) is open.  
> 
> I have to point out I haven't touched anything regarding firewall
> since installation, however I have attached the output of iptables
> and nft in this message.
> 
> > You may find it useful to open a terminal and, as root, run
> > 
> > tail -f /var/log/syslog
> > 
> > and, while that is sitting there, try contacting the host again. If
> > the firewall is blocking you, you'll see it in syslog.  
> 
> Neither syslog nor journalctl display anything related at the time
> this problem happens.
> 
> > If nothing obvious jumps out at you, let us know which program(s)
> > you are using to control your firewall (shorewall, ufw, gufw,
> > etc.), and we will see if someone familiar with that program can
> > help.  
> 
> I don't `control` my firewall. It's all Debian's default and the
> installed Debian packages defaults, like libvirt, which adds some
> firewall rules automatically. Attached are the outputs of `iptables
> -L`, `nft list tables` and `nft list table tablename`.

I looked at the nft listings you provided. I am completely new to nft
and nftables, so I may have missed something. I don't see any ports
open on the guest network (192.168.122.0/24). So I suspect that's the
problem.

Now we need an nftables guru to chime in.

I did find examples on the Web, but none of them looked like it was
exactly what you needed. Sorry I can't help further.


-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: QEMU guests can ping but can't access host

2021-09-02 Thread David Palacio
On Thu, Sep 2, 2021, at 2:09 PM, Charles Curley wrote:
> On Thu, 02 Sep 2021 12:43:41 -0500
> "David Palacio"  wrote:
> 
> > Good day,
> > 
> > I have recently installed Debian testing around its alpha release
> > state. Previously I had a working Windows 10 QEMU guest with access
> > to the host Samba shares in a previous Debian testing install. I
> > copied the Windows 10 disk image over to the new Debian install and
> > set it up to run again but it no longer could connect to the host. It
> > can ping it and the host responds to the ping but any access attempt
> > to the host on a TCP port is dropped. This too happens to any new
> > virtual machine I create from scratch, including Linux VMs. I have no
> > idea what has changed on the host. I suspect it may be the firewall
> > but I'm no network admin and I know very little outside of
> > network-manager and /etc/network/interfaces.
> > 
> > I use virtual machine manager to create and run my virtual machines.

Hi,

> If you copied a disk image (.qcow2 extension) over, but not the setup
> files that Virtual Machine Manager (VMM) uses (in /etc/libvirt), then
> Windows is on a new machine, and can have conniptions over it. Go into
> Windows' device manager (or whatever they're calling it this week) and
> see if it is finding all its hardware correctly.

The VM virtual network hardware is working. It can access the internet. It 
can't access only the host, either on the virtual network ip or the physical 
network ip. I have since removed the old guest image and replaced it with a new 
installation on a new VM configuration. The same behavior is also seen on a new 
Linux VM running the Debian Bullseye Live KDE CD.
 
> What program are you using to try to contact the host?

I noticed the problem first with Windows Explorer to access the samba share. It 
simply times out after a minute or two. Then I have tried ping and a browser. 
Pinging the host works and the host responds. Then I used nc to test 
connections like this:
  nc -lp 8080
On the host and point a guest browser to http://hostip:8080/ but nc never 
receives anything.

> You may also have a firewall issue, as you say. On the host, please run
> whatever you use as a firewall control program and check to see if the
> relevant port(s) is open.

I have to point out I haven't touched anything regarding firewall since 
installation, however I have attached the output of iptables and nft in this 
message.

> You may find it useful to open a terminal and, as root, run
> 
> tail -f /var/log/syslog
> 
> and, while that is sitting there, try contacting the host again. If the
> firewall is blocking you, you'll see it in syslog.

Neither syslog nor journalctl display anything related at the time this problem 
happens.

> If nothing obvious jumps out at you, let us know which program(s) you
> are using to control your firewall (shorewall, ufw, gufw, etc.), and we
> will see if someone familiar with that program can help.

I don't `control` my firewall. It's all Debian's default and the installed 
Debian packages defaults, like libvirt, which adds some firewall rules 
automatically. Attached are the outputs of `iptables -L`, `nft list tables` and 
`nft list table tablename`.

> -- 
> Does anybody read signatures any more?
> 
> https://charlescurley.com
> https://charlescurley.com/blog/
> 
> 


nft.table.mangle
Description: Binary data


nft.table.nat
Description: Binary data


nft.table.filter
Description: Binary data


nft.table.firewalld
Description: Binary data


nft.tables
Description: Binary data


iptables
Description: Binary data


virsh.net-dumpxml.default
Description: Binary data


Re: QEMU guests can ping but can't access host

2021-09-02 Thread Charles Curley
On Thu, 02 Sep 2021 12:43:41 -0500
"David Palacio"  wrote:

> Good day,
> 
> I have recently installed Debian testing around its alpha release
> state. Previously I had a working Windows 10 QEMU guest with access
> to the host Samba shares in a previous Debian testing install. I
> copied the Windows 10 disk image over to the new Debian install and
> set it up to run again but it no longer could connect to the host. It
> can ping it and the host responds to the ping but any access attempt
> to the host on a TCP port is dropped. This too happens to any new
> virtual machine I create from scratch, including Linux VMs. I have no
> idea what has changed on the host. I suspect it may be the firewall
> but I'm no network admin and I know very little outside of
> network-manager and /etc/network/interfaces.
> 
> I use virtual machine manager to create and run my virtual machines.

If you copied a disk image (.qcow2 extension) over, but not the setup
files that Virtual Machine Manager (VMM) uses (in /etc/libvirt), then
Windows is on a new machine, and can have conniptions over it. Go into
Windows' device manager (or whatever they're calling it this week) and
see if it is finding all its hardware correctly.

What program are you using to try to contact the host?

You may also have a firewall issue, as you say. On the host, please run
whatever you use as a firewall control program and check to see if the
relevant port(s) is open.

You may find it useful to open a terminal and, as root, run

tail -f /var/log/syslog

and, while that is sitting there, try contacting the host again. If the
firewall is blocking you, you'll see it in syslog.

If nothing obvious jumps out at you, let us know which program(s) you
are using to control your firewall (shorewall, ufw, gufw, etc.), and we
will see if someone familiar with that program can help.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



QEMU guests can ping but can't access host

2021-09-02 Thread David Palacio
Good day,

I have recently installed Debian testing around its alpha release state. 
Previously I had a working Windows 10 QEMU guest with access to the host Samba 
shares in a previous Debian testing install. I copied the Windows 10 disk image 
over to the new Debian install and set it up to run again but it no longer 
could connect to the host. It can ping it and the host responds to the ping but 
any access attempt to the host on a TCP port is dropped. This too happens to 
any new virtual machine I create from scratch, including Linux VMs. I have no 
idea what has changed on the host. I suspect it may be the firewall but I'm no 
network admin and I know very little outside of network-manager and 
/etc/network/interfaces.

I use virtual machine manager to create and run my virtual machines.

Please help and thank you for reading.

Re: ping gateway ok, ping any other local network address fails

2021-04-10 Thread Mart van de Wege
rudu  writes:
>
> To configure the printer, I first have to be able to ping it on the
> local network, which every other computer can do.

So all other peers on the LAN can get to the printer.

> And they can print all right, so this desktop must have some network
> misconfiguration of some sort, I guess ...
> It seems like trapped into a tunnel toward the gateway/router to get
> out, but can't shake hands with a pal next door.

If your netmask on both sides of the connection is OK, then the problem
is at the Ethernet level. Your previous output showed a /24 on the
desktop. Can you verify that all the other peers are also in
192.168.1.0/24?

If so, next step should be trying to plug the misbehaving desktop into a
different switch port, assuming 1. you have one free, 2. you can get
someone to do that for you, as you have no physical access yourself (did
I understand that correctly?), and 3. this is a dumb switch that just
forwards between all ports, so any port is fine.

Mart

-- 
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.



Re: ping gateway ok, ping any other local network address fails

2021-04-09 Thread Lee
On 4/9/21, rudu  wrote:
>
> To configure the printer, I first have to be able to ping it on the
> local network, which every other computer can do.
> And they can print all right, so this desktop must have some network
> misconfiguration of some sort, I guess ...
> It seems like trapped into a tunnel toward the gateway/router to get
> out, but can't shake hands with a pal next door.
> I first suspected a firewall rule of some sort, but there's none.
>
> I had to investigate remotely as I can't physically access the machine,
> so until I can have another chance (the lock-down situation here doesn't
> help) I'm gathering hints and ideas.

netstat -nr
  because your earlier
$ netstat -r
Table de routage IP du noyau
Destination Passerelle  Genmask Indic   MSS Fenêtre irtt Iface
default msbr.home   0.0.0.0 UG0 0  0 enp2s0

looks a bit strange (msbr.home for the default gateway??)  And

arp -n
after pinging the printer to see if you got an answer to your arp or no

Lee
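
[Added example, not part of the original thread.] The two checks suggested in this thread, the netmask comparison and `arp -n` after a ping, combined into one triage step. The addresses are the ones posted in the thread; the ARP table, its MAC addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: is the target on-link for this host, and if so, did ARP
# resolve it? Reads `arp -n` style output (net-tools layout) on stdin.

# Constructed sample of `arp -n` output, not taken from the thread.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   02:00:00:00:00:01   C                     enp2s0
192.168.1.20                     (incomplete)                              enp2s0'

# ip_to_int A.B.C.D: print the dotted quad as one integer.
ip_to_int() {
    _a=${1%%.*}; _r=${1#*.}
    _b=${_r%%.*}; _r=${_r#*.}
    _c=${_r%%.*}; _d=${_r#*.}
    echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# same_subnet SRC PREFIXLEN DST: succeed when DST lies inside SRC/PREFIXLEN,
# i.e. the kernel will ARP for DST directly instead of using the gateway.
same_subnet() {
    _mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    _src_net=$(( $(ip_to_int "$1") & _mask ))
    _dst_net=$(( $(ip_to_int "$3") & _mask ))
    [ "$_src_net" -eq "$_dst_net" ]
}

# arp_status IP: print "resolved <mac>", "incomplete" or "absent".
# "(incomplete)" means an ARP request was sent and nobody answered.
arp_status() {
    awk -v ip="$1" '
        $1 == ip { s = ($0 ~ /\(incomplete\)/) ? "incomplete" : "resolved " $3 }
        END      { print (s == "" ? "absent" : s) }'
}

# triage SRC PREFIXLEN DST: print one of
#   off-link        DST is outside the local prefix; packets go to the gateway
#   arp-answered    layer 2 works; look at the peer itself or at a filter
#   arp-unanswered  nobody owns DST on this segment: peer off, wrong address,
#                   or a cabling / switch-port problem
#   no-arp-entry    nothing cached; ping DST first, then check again
triage() {
    if ! same_subnet "$1" "$2" "$3"; then
        echo off-link
        return 0
    fi
    case $(arp_status "$3") in
        resolved*)  echo arp-answered ;;
        incomplete) echo arp-unanswered ;;
        *)          echo no-arp-entry ;;
    esac
}

# Demo with the thread's addresses against the constructed ARP table.
for target in 192.168.1.1 192.168.1.20; do
    printf '%s/24 -> %s: ' 192.168.1.50 "$target"
    printf '%s\n' "$SAMPLE_ARP" | triage 192.168.1.50 24 "$target"
done
# The same printer address with a /30 mask would not even be ARPed for.
printf '%s/30 -> %s: ' 192.168.1.50 192.168.1.20
triage 192.168.1.50 30 192.168.1.20 </dev/null
```

On the real machine, replace the sample with `arp -n | triage 192.168.1.50 24 192.168.1.20`, run right after the failed ping.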



Re: ping gateway ok, ping any other local network address fails

2021-04-09 Thread Alexander V. Makartsev

On 09.04.2021 21:37, deloptes wrote:

Alexander V. Makartsev wrote:


I don't see any reason why your computer could not ping the printer,
since you can ping gateway IP and access the Internet from it.
I suspect printer's IP address has changed somehow, or it is in powered
off state (some printers can power off themselves, if they were not used
for a set period of time).

if netmask is /32 or /30 ?


https://lists.debian.org/debian-user/2021/04/msg00260.html

--
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄



Re: ping gateway ok, ping any other local network address fails

2021-04-09 Thread Andrei POPESCU
On Vi, 09 apr 21, 11:41:56, rudu wrote:
> 
> I paste here a few commands I passed when remotely connected to the
> problematic machine (sorry for the french locale).

You can always prepend 'LANG=C.UTF-8' to get the output in English.


Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: ping gateway ok, ping any other local network address fails

2021-04-09 Thread mick crane

On 2021-04-09 10:41, rudu wrote:

Hi,

First, I tried to understand why a single machine among others
couldn't print on the local printer.
So I tried to ping the printer and it failed.
The machine could nevertheless surf the web with no problem ...

I paste here a few commands I passed when remotely connected to the
problematic machine (sorry for the french locale).
What should I check next ? Ideas ?


Can nmap query hosts on the network, see what's there ?

mick

--
Key ID4BFEBB31



Re: ping gateway ok, ping any other local network address fails

2021-04-09 Thread deloptes
Alexander V. Makartsev wrote:

> I don't see any reason why your computer could not ping the printer,
> since you can ping gateway IP and access the Internet from it.
> I suspect printer's IP address has changed somehow, or it is in powered
> off state (some printers can power off themselves, if they were not used
> for a set period of time).

if netmask is /32 or /30 ?



Re: ping gateway ok, ping any other local network address fails

2021-04-09 Thread Alexander V. Makartsev

On 09.04.2021 19:09, rudu wrote:

On 09/04/2021 at 12:08, Alexander V. Makartsev wrote:

On 09.04.2021 14:41, rudu wrote:

Hi,

First, I tried to understand why a single machine among others 
couldn't print on the local printer.

So I tried to ping the printer and it failed.
The machine could nevertheless surf the web with no problem ...

I paste here a few commands I passed when remotely connected to the 
problematic machine (sorry for the french locale).

What should I check next ? Ideas ?


It looks like your printer could be mis-configured.

What is make\model of your printer?
How printer was connected to your local area network (using Switch or 
Router)?

What method have you used to configure IP address of the printer?
Usually, network settings could be verified by printing a special 
settings report page.


Thanks for your help Alexander,

To configure the printer, I first have to be able to ping it on the 
local network, which every other computer can do.

Do you have remote access to another computer on the same local network 
to confirm that printer's IP address is "192.168.1.20", as you expect, 
and it responds to ping command from another computer?


Please answer other questions I asked:
1. What is make\model of your printer?
2. Is your printer connected to another PC using USB cable, or is it 
connected directly to the local network using a network cable (RJ-45 
patch cord), or is it connected using wireless connection?
3. How was IP address "192.168.1.20" assigned initially to it? (Ex. 
Using physical screen and buttons on the printer itself, or it was 
configured automatically)


And they can print all right, so this desktop must have some network 
misconfiguration of some sort, I guess ...
It seems like trapped into a tunnel toward the gateway/router to get 
out, but can't shake hands with a pal next door.

I first suspected a firewall rule of some sort, but there's none.

I had to investigate remotely as I can't physically access the 
machine, so until I can have another chance (the lock-down situation 
here doesn't help) I'm gathering hints and ideas.

I don't see any reason why your computer could not ping the printer, 
since you can ping gateway IP and access the Internet from it.
I suspect printer's IP address has changed somehow, or it is in powered 
off state (some printers can power off themselves, if they were not used 
for a set period of time).


--
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄



Re: ping gateway ok, ping any other local network address fails

2021-04-09 Thread rudu

On 09/04/2021 at 12:08, Alexander V. Makartsev wrote:

On 09.04.2021 14:41, rudu wrote:

Hi,

First, I tried to understand why a single machine among others 
couldn't print on the local printer.

So I tried to ping the printer and it failed.
The machine could nevertheless surf the web with no problem ...

I paste here a few commands I passed when remotely connected to the 
problematic machine (sorry for the french locale).

What should I check next ? Ideas ?


It looks like your printer could be mis-configured.

What is make\model of your printer?
How printer was connected to your local area network (using Switch or 
Router)?

What method have you used to configure IP address of the printer?
Usually, network settings could be verified by printing a special 
settings report page.


Thanks for your help Alexander,

To configure the printer, I first have to be able to ping it on the 
local network, which every other computer can do.
And they can print all right, so this desktop must have some network 
misconfiguration of some sort, I guess ...
It seems like trapped into a tunnel toward the gateway/router to get 
out, but can't shake hands with a pal next door.

I first suspected a firewall rule of some sort, but there's none.

I had to investigate remotely as I can't physically access the machine, 
so until I can have another chance (the lock-down situation here doesn't 
help) I'm gathering hints and ideas.


Rudu



Re: ping gateway ok, ping any other local network address fails

2021-04-09 Thread Henning Follmann
On Fri, Apr 09, 2021 at 11:41:56AM +0200, rudu wrote:
> Hi,
> 
> First, I tried to understand why a single machine among others couldn't
> print on the local printer.
> So I tried to ping the printer and it failed.
> The machine could nevertheless surf the web with no problem ...
> 
> I paste here a few commands I passed when remotely connected to the
> problematic machine (sorry for the french locale).
> What should I check next ? Ideas ?
>

[..]

What does your network topology look like?


-H


-- 
Henning Follmann   | hfollm...@itcfollmann.com



Re: ping gateway ok, ping any other local network address fails

2021-04-09 Thread Alexander V. Makartsev

On 09.04.2021 14:41, rudu wrote:

Hi,

First, I tried to understand why a single machine among others 
couldn't print on the local printer.

So I tried to ping the printer and it failed.
The machine could nevertheless surf the web with no problem ...

I paste here a few commands I passed when remotely connected to the 
problematic machine (sorry for the french locale).

What should I check next ? Ideas ?


It looks like your printer could be mis-configured.

What is make\model of your printer?
How printer was connected to your local area network (using Switch or 
Router)?

What method have you used to configure IP address of the printer?
Usually, network settings could be verified by printing a special 
settings report page.


--
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄



ping gateway ok, ping any other local network address fails

2021-04-09 Thread rudu

Hi,

First, I tried to understand why a single machine among others couldn't 
print on the local printer.

So I tried to ping the printer and it failed.
The machine could nevertheless surf the web with no problem ...

I paste here a few commands I passed when remotely connected to the 
problematic machine (sorry for the french locale).

What should I check next ? Ideas ?

Thanks


$ /sbin/ifconfig
enp2s0: flags=4163  mtu 1500
    inet 192.168.1.50  netmask 255.255.255.0  broadcast 192.168.1.255
    inet6 fe80::f67f:8a2c:e338:3db4  prefixlen 64  scopeid 0x20
    ether d0:50:99:7a:ae:6f  txqueuelen 1000  (Ethernet)
    RX packets 26166  bytes 6940725 (6.9 MB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 33708  bytes 29316822 (29.3 MB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
    inet 127.0.0.1  netmask 255.0.0.0
    inet6 ::1  prefixlen 128  scopeid 0x10
    loop  txqueuelen 1000  (Boucle locale)
    RX packets 513  bytes 48788 (48.7 KB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 513  bytes 48788 (48.7 KB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

$ ping -c 4 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 octets de 192.168.1.1 : icmp_seq=1 ttl=64 temps=0.468 ms
64 octets de 192.168.1.1 : icmp_seq=2 ttl=64 temps=0.435 ms
64 octets de 192.168.1.1 : icmp_seq=3 ttl=64 temps=0.445 ms
64 octets de 192.168.1.1 : icmp_seq=4 ttl=64 temps=0.427 ms

--- statistiques ping 192.168.1.1 ---
4 paquets transmis, 4 reçus, 0 % paquets perdus, temps 3068 ms
rtt min/avg/max/mdev = 0.427/0.443/0.468/0.015 ms


$ ping -c 4 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
De 192.168.1.50 icmp_seq=1 Hôte de destination injoignable
De 192.168.1.50 icmp_seq=2 Hôte de destination injoignable
De 192.168.1.50 icmp_seq=3 Hôte de destination injoignable
De 192.168.1.50 icmp_seq=4 Hôte de destination injoignable

--- statistiques ping 192.168.1.20 ---
4 paquets transmis, 0 reçus, +4 erreurs, 100 % paquets perdus, temps 3048 ms
 tuyau 3



$ netstat -r
Table de routage IP du noyau
Destination Passerelle  Genmask Indic   MSS Fenêtre irtt Iface
default msbr.home   0.0.0.0 UG    0 0  0 enp2s0
link-local  0.0.0.0 255.255.0.0 U 0 0  0 enp2s0
192.168.1.0 0.0.0.0 255.255.255.0   U 0 0  0 enp2s0



$ ping -c 4 msbr.home
PING msbr.home (192.168.1.1) 56(84) bytes of data.
64 octets de msbr.home (192.168.1.1) : icmp_seq=1 ttl=64 temps=0.412 ms
64 octets de msbr.home (192.168.1.1) : icmp_seq=2 ttl=64 temps=0.447 ms
64 octets de msbr.home (192.168.1.1) : icmp_seq=3 ttl=64 temps=0.415 ms
64 octets de msbr.home (192.168.1.1) : icmp_seq=4 ttl=64 temps=0.436 ms

--- statistiques ping msbr.home ---
4 paquets transmis, 4 reçus, 0 % paquets perdus, temps 3059 ms
rtt min/avg/max/mdev = 0.412/0.427/0.447/0.014 ms


$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination


$ groups
administration adm cdrom sudo dip plugdev lpadmin sambashare






Router Can't ping instance

2019-08-23 Thread Umesh Regmi
Hi,

Recently I created a Debian 9.9 image in the Ubuntu OpenStack and I was able
to create an instance from the image. I assigned a floating IP to the interface. I
tried to ping the floating IP from the router. It is unreachable. I can ping the
external/internal gateway from the router. It works perfectly on the Ubuntu
xenial image. Am I missing something here?

Thanks,
Umesh.


Re: systemd-networkd, bridge and containers: unable to ping host from guest

2019-07-11 Thread Reco
Hi.

On Thu, Jul 11, 2019 at 05:37:43PM +0200, lanquil wrote:
> On Thu 11 Jul 2019 at 16:51:50 +0200, john doe wrote:
> > 
> > If you can, I would turn off iptables to see if iptables is the culprit.
> 
> Ok, I have nftables.service active and stopping it I'm able to ping the host
> from the guest. So this was the problem. Thank you very much =)
> 
> If I remember well, I configured nftables.conf using one of the Debian
> defaults. Since it's a topic I still have not found the time to study, I'm a
> little blind on what I can do to fix the configuration...

An nft equivalent of:

iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

Which should be:

icmp type destination-unreachable counter accept
icmp type echo-request counter accept

Reco
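
Reco's two rules placed in the ruleset lanquil posted elsewhere in this thread, as an added example that is not part of either message: rules in a chain are evaluated in order, so the accept rules have to sit above the final `counter drop`. The function names and the ordering check are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lanquil's /etc/nftables.conf with the
# two ICMP rules from Reco's reply inserted before the final drop.

# Write the corrected ruleset to the path given as $1.
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # activate the following line to accept common local services
        tcp dport { 22 } ct state new accept

        # accept neighbour discovery otherwise IPv6 connectivity breaks.
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        # rules from Reco's reply: IPv4 error reports and ping requests
        icmp type destination-unreachable counter accept
        icmp type echo-request counter accept

        # count and drop any other traffic
        counter drop
    }
}
EOF
}

# Return 0 only if a rule accepting ICMP echo-request appears before the
# first bare "counter drop" line of the ruleset file $1. A rule placed after
# the drop is never reached, so it counts as missing. Comment lines are skipped.
echo_request_before_drop() {
    awk '
        /^[ \t]*#/ { next }
        /icmp type/ && /echo-request/ && /accept/ { if (!dropped) ok = 1 }
        /^[ \t]*counter drop[ \t]*$/ { dropped = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Stand-alone use: sh script.sh --write /tmp/nftables.conf
# As root, "nft -c -f /tmp/nftables.conf" then checks the file without loading it.
if [ "${1:-}" = "--write" ]; then
    write_ruleset "${2:-./nftables.conf.new}"
    echo_request_before_drop "${2:-./nftables.conf.new}" && echo "echo-request accepted before drop"
fi
```
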



Re: systemd-networkd, bridge and containers: unable to ping host from guest

2019-07-11 Thread lanquil
On Thu 11 Jul 2019 at 16:51:50 +0200, john doe wrote:
> 
> If you can, I would turn off iptables to see if iptables is the culprit.

Ok, I have nftables.service active and stopping it I'm able to ping the host
from the guest. So this was the problem. Thank you very much =)

If I remember well, I configured nftables.conf using one of the Debian
defaults. Since it's a topic I still have not found the time to study, I'm a
little blind on what I can do to fix the configuration...

/etc/nftables.conf::

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # activate the following line to accept common local services
        tcp dport { 22 } ct state new accept
        #tcp dport { 22, 80, 443 } ct state new accept

        # accept neighbour discovery otherwise IPv6 connectivity breaks.
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        # count and drop any other traffic
        counter drop
    }
}


-- 
~ Sandro ~




Re: systemd-networkd, bridge and containers: unable to ping host from guest

2019-07-11 Thread Reco
Hi.

On Thu, Jul 11, 2019 at 03:29:57PM +0200, lanquil wrote:
> The problem I'm encountering is that in all guests (Debian and
> Windows, DHCP or static IP configurations) I'm never able to ping the
> host system.

And the "tcpdump -pni br0 icmp" shows us what exactly here?
Assuming that the guest uses ICMP for pings. They have some curious
views at this at M$ .

> From the host I'm instead able to ping the guest.

Likewise. Please provide the output of tcpdump.


> Can someone kindly give me some hint on how to solve this issue?

On a first glance I see nothing unusual here, but libvirt likes to wreak
havoc with host's netfilter/nft rules. With the best intentions, of
course.

So, an output of both iptables-save and iptables-legacy-save would be
helpful here too.

Reco



Re: systemd-networkd, bridge and containers: unable to ping host from guest

2019-07-11 Thread john doe
On 7/11/2019 3:29 PM, lanquil wrote:
> Hello,
>
> In my machine (4.19.0-5-amd64 #1 SMP Debian 4.19.37-5 (2019-06-19) x86_64 
> GNU/Linux) I've setup a bridge with systemd-networkd.
>
> I've then setup a systemd-nspawn container and some virtual machines with 
> qemu/virt-manager (Debian and Windows10 guest).
>
> The problem I'm encountering is that in all guests (Debian and Windows, DHCP 
> or static IP configurations) I'm never able to ping the host system. From 
> the host I'm instead able to ping the guest.
> In the guests everything else seems to work and I'm able to reach the 
> internet as expected.
>
> Can someone kindly give me some hint on how to solve this issue?
>
> I really don't know if it's related to systemd-networkd, Debian, iptables...
> I'm therefore posting here this question, but I'm open to suggestions for a 
> more appropriate place to ask for assistance...
>

If you can, I would turn off iptables to see if iptables is the culprit.

--
John Doe



systemd-networkd, bridge and containers: unable to ping host from guest

2019-07-11 Thread lanquil
Hello,

In my machine (4.19.0-5-amd64 #1 SMP Debian 4.19.37-5 (2019-06-19) x86_64 
GNU/Linux) I've setup a bridge with systemd-networkd.

I've then setup a systemd-nspawn container and some virtual machines with 
qemu/virt-manager (Debian and Windows10 guest).

The problem I'm encountering is that in all guests (Debian and Windows, DHCP or 
static IP configurations) I'm never able to ping the host system. From the host 
I'm instead able to ping the guest.
In the guests everything else seems to work and I'm able to reach the internet 
as expected.

Can someone kindly give me some hint on how to solve this issue?

I really don't know if it's related to systemd-networkd, Debian, iptables...
I'm therefore posting here this question, but I'm open to suggestions for a 
more appropriate place to ask for assistance...

The configuration files are:

`/etc/systemd/network/br0.netdev`:
[NetDev]
Name=br0
Kind=bridge
MACAddress=08:60:6e:d6:4d:7b


`/etc/systemd/network/br0.network`:
[Match]
Name=en*

[Network]
Bridge=br0


`/etc/systemd/network/20-wired.network`:
[Match]
Name=br0

[Network]
DNS=172.17.0.10
DNS=172.17.0.20

[Address]
Address=172.17.1.48/16

[Route]
Gateway=172.17.0.1


`ip a` on the host:
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0:  mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 08:60:6e:d6:4d:7b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a60:6eff:fed6:4d7b/64 scope link
       valid_lft forever preferred_lft forever
3: br0:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 08:60:6e:d6:4d:7b brd ff:ff:ff:ff:ff:ff
    inet 172.17.1.48/16 brd 172.17.255.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::a60:6eff:fed6:4d7b/64 scope link
       valid_lft forever preferred_lft forever
6: vnet0:  mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:9c:89:fa brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe9c:89fa/64 scope link
       valid_lft forever preferred_lft forever
7: vb-sidcontaine@if2:  mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether da:a4:31:ec:1e:57 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::d8a4:31ff:feec:1e57/64 scope link
       valid_lft forever preferred_lft forever


`brctl show` on the host:
bridge name     bridge id               STP enabled     interfaces
br0             8000.08606ed64d7b       no              enp3s0
                                                        vb-sidcontaine
                                                        vnet0

with vb-sidcontainer = systemd-nspawn container
vnet0 = qemu VM

Peace,

-- 
~ Sandro ~




Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-31 Thread Andrei POPESCU
On Vi, 31 mai 19, 08:51:20, Greg Wooledge wrote:
> On Fri, May 31, 2019 at 11:47:26AM +0200, Pascal Hambourg wrote:
> > > https://wiki.debian.org/MergedUsr
> > 
> > The wiki says this page does not exist yet.
> 
> It's actually .
 
Right, thanks (again) Greg for correcting my mistakes.

My current setup doesn't allow for easy copy-pasting so I wrote that by 
hand and misremembered it :(

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Gmail problems (was Re: Ping as normal user)

2019-05-31 Thread Brian
On Fri 31 May 2019 at 14:33:42 +0100, mick crane wrote:

> On 2019-05-31 14:01, rhkra...@gmail.com wrote:
> > I guess I have to learn more about google
> > mail, maybe either disabling their spam filter, or deciding to switch to
> > an
> > email provider (ideally free or cheap) who doesn't filter email for me.
> > (I
> > guess when others mark something as spam, at least sometimes it affects
> > me or
> > everybody -- very annoying.)
> > 
> posteo.de has been mentioned if you don't mind using 100% green electricity

The mind boggles!

-- 
Brian.



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-31 Thread Andy Smith
Hello,

On Fri, May 31, 2019 at 08:48:36AM -0500, Jason wrote:
> On Wed, May 29, 2019 at 11:46:50PM +, Andy Smith wrote:
> > How did you install this system?

[…]

> > One other person in this thread said they used (a script which
> > ultimately uses) debootstrap.
> 
> This system was installed on an SBC (similar to RPi) from a zipped 
> filesystem image, dd'd to the onboard eMMC chip.

It sounds likely that something in that process failed to copy
across file capabilities. As previously mentioned, some care has to
be used with tar for example, if you want to (re)store these. So
that's something to be aware of I guess…

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-31 Thread Jason
On Wed, May 29, 2019 at 11:46:50PM +, Andy Smith wrote:
> Hi Jason,
> 
> On Wed, May 29, 2019 at 04:18:51PM -0500, Jason wrote:
> > On Mon, May 27, 2019 at 08:12:32AM +0300, Andrei POPESCU wrote:
> > > While I didn't mention it in this thread, ping had indeed somehow lost 
> > > its capabilities on my system. 'dpkg-reconfigure iputils-ping' fixed it.
> > 
> > That worked for me (I'm not the OP) with Stretch on an ARM board. Before 
> > running the above command, I could only ping as root or using sudo, now 
> > I can ping as a normal user. Thanks!
> 
> How did you install this system? Because /bin/ping is supposed to
> come with file capabilities such that the user can allow it to do
> what it needs to do (this is part of what 'dpkg-reconfigure
> iputils-ping' restores). So it would be interesting to know how the
> system was installed in case there is a general theme for those who
> never got those capabilities.
> 
> One other person in this thread said they used (a script which
> ultimately uses) debootstrap.

This system was installed on an SBC (similar to RPi) from a zipped 
filesystem image, dd'd to the onboard eMMC chip.

Thanks,
-- 
Jason



Re: Gmail problems (was Re: Ping as normal user)

2019-05-31 Thread mick crane

On 2019-05-31 14:01, rhkra...@gmail.com wrote:

I guess I have to learn more about google mail, maybe either disabling their
spam filter, or deciding to switch to an email provider (ideally free or
cheap) who doesn't filter email for me. (I guess when others mark something
as spam, at least sometimes it affects me or everybody -- very annoying.)

posteo.de has been mentioned if you don't mind using 100% green electricity


mick
--
Key ID4BFEBB31



Gmail problems (was Re: Ping as normal user)

2019-05-31 Thread rhkramer
On Friday, May 31, 2019 07:26:54 AM Pascal Hambourg wrote:
> Le 31/05/2019 à 13:16, rhkra...@gmail.com a écrit :
> > I wanted to learn at least a little more about that, starting by looking
> > back at the original post that mentioned that.  I looked back about 10
> > posts but couldn't find it  -- can you point me to the original post
> 
> 3 posts back.

Thanks -- looks like google mail decided that was spam and didn't send it to 
me (via their version of pop3).  I guess I have to learn more about google 
mail, maybe either disabling their spam filter, or deciding to switch to an 
email provider (ideally free or cheap) who doesn't filter email for me.  (I 
guess when others mark something as spam, at least sometimes it affects me or 
everybody -- very annoying.)

 
> From: Andy Smith
> Date: Thu, 30 May 2019 02:44:58 +
> Message-ID: <20190530024458.ga4...@bitfolk.com>



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-31 Thread Greg Wooledge
On Fri, May 31, 2019 at 11:47:26AM +0200, Pascal Hambourg wrote:
> > https://wiki.debian.org/MergedUsr
> 
> The wiki says this page does not exist yet.

It's actually .



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-31 Thread Thomas Schmitt
Hi,

i wrote:
> > Currently the Default User depends on assumptions about local package
> > management which are not obviously related to security.
> > That's a future pitfall which just needs its unintentional cover removed.

Reco wrote:
> The way I see it, the "problematic" package got that Important priority
> already. A potential pitfall is closed.

The priority in debian/control (and thus .dsc) is scheduled on salsa to be
lowered to "optional" by the next package release.

Whatever, the priority is not the problem with security. The lack of
dependency of iputils-ping on libcap2-bin is the problem.
This lack was justified by policy as of 2016. Soon later the priority of
libcap2-bin was raised to "important", but iputils-ping never made use of
this move.


> Replacing a working fallback mechanism with one-size-fits-all "everyone
> are using ext4 on amd64 and Linux" is hardly an improvement.

The proposal in the bug report would not disable the fallback mechanism
for situations where it is needed. It would only make sure that capable
kernels and filesystems would be able to use upstream improvements of iptools.

The installation code in
  https://sources.debian.org/src/iputils/3:20180629-2/debian/iputils-ping.postinst
adapts itself to effective success of an attempt to set capabilities:

    if command -v setcap > /dev/null; then
        if setcap cap_net_raw+ep /bin/ping; then
            chmod u-s /bin/ping
        else
            echo "Setcap failed on /bin/ping, falling back to setuid" >&2
            chmod u+s /bin/ping
        fi
    else
        echo "Setcap is not installed, falling back to setuid" >&2
        chmod u+s /bin/ping
    fi

Safe for Default Users.

My best theory for the problem reported in bug 780721 that a normal user
cannot ping, is that setuid was disabled by mount -o nosuid or -o owner
and that setcap did not work because of his sparse installation.


Have a nice day :)

Thomas
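
The outcome of that postinst logic, turned into a check that can be run afterwards on an installed system; this is an added example, not code from iputils or from the message above. The function names are illustrative, and the `-ignored-nosuid` states assume the mount(8) behaviour that `nosuid` disables both set-user-ID bits and file capabilities.

```shell
#!/bin/sh
# Added example: report how a ping binary gets its raw-socket privilege.
# Function names are illustrative, not part of iputils or libcap.

# Return 0 if a line of getcap output grants cap_net_raw with both the
# effective (e) and permitted (p) flags. Handles the "path = caps+ep" style
# shown in this thread and the "path caps=ep" style of newer libcap.
has_net_raw_ep() {
    for tok in $1; do
        case "$tok" in
            *cap_net_raw*[+=]*)
                flags=${tok##*[+=]}
                case "$flags" in
                    *e*p*|*p*e*) return 0 ;;
                esac
                ;;
        esac
    done
    return 1
}

# classify_ping GETCAP_LINE OCTAL_MODE MOUNT_OPTIONS
# Prints one of: capability, setuid, none,
#                capability-ignored-nosuid, setuid-ignored-nosuid
classify_ping() {
    caps=$1 mode=$2 opts=$3
    case "$mode" in ''|*[!0-7]*) mode=0 ;; esac
    state=none
    if has_net_raw_ep "$caps"; then
        state=capability              # what setcap cap_net_raw+ep leaves behind
    elif [ $(( 0$mode & 04000 )) -ne 0 ]; then
        state=setuid                  # the chmod u+s fallback
    fi
    case ",$opts," in
        *,nosuid,*)
            if [ "$state" != none ]; then state="$state-ignored-nosuid"; fi ;;
    esac
    printf '%s\n' "$state"
}

# Gather the three inputs from the live system and explain the result.
audit_ping() {
    bin=${1:-/bin/ping}
    line=$(getcap "$bin" 2>/dev/null || true)
    perm=$(stat -L -c '%a' "$bin" 2>/dev/null || true)
    mnt=$(findmnt -n -o OPTIONS -T "$bin" 2>/dev/null || true)
    result=$(classify_ping "$line" "$perm" "$mnt")
    case "$result" in
        capability) echo "$bin: cap_net_raw file capability set, no setuid bit needed" ;;
        setuid)     echo "$bin: setuid fallback in use" ;;
        none)       echo "$bin: no capability and no setuid bit; try dpkg-reconfigure iputils-ping" ;;
        *)          echo "$bin: $result (filesystem mounted nosuid, privilege is not honoured)" ;;
    esac
}

# Stand-alone use: sh script.sh --run [/path/to/ping]
if [ "${1:-}" = "--run" ]; then
    audit_ping "${2:-/bin/ping}"
fi
```
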



Re: Ping as normal user

2019-05-31 Thread Pascal Hambourg

Le 31/05/2019 à 13:16, rhkra...@gmail.com a écrit :

On Thursday, May 30, 2019 10:55:57 PM Stefan Monnier wrote:

$ getcap /bin/ping
/bin/ping = cap_net_raw+ep


I wanted to learn at least a little more about that, starting by looking back
at the original post that mentioned that.  I looked back about 10 posts but
couldn't find it  -- can you point me to the original post


3 posts back.

From: Andy Smith
Date: Thu, 30 May 2019 02:44:58 +
Message-ID: <20190530024458.ga4...@bitfolk.com>



Re: Ping as normal user

2019-05-31 Thread rhkramer
On Thursday, May 30, 2019 10:55:57 PM Stefan Monnier wrote:
> > $ getcap /bin/ping
> > /bin/ping = cap_net_raw+ep

I wanted to learn at least a little more about that, starting by looking back 
at the original post that mentioned that.  I looked back about 10 posts but 
couldn't find it  -- can you point me to the original post (and, in the future, 
could you include the line that mentions when and who posted it (as the first 
line in this post).

Aside: I saw some other posts in this thread that either didn't quote anything 
or didn't properly attribute the quote -- I truly appreciate appropriate 
snipping of quotes, and encourage that, but, on the other hand, I also 
encourage quoting for context and proper attribution.

> BTW, if these caps are missing you can recover them with:
> 
> dpkg-reconfigure iputils-ping
> 
> 
> -- Stefan



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-31 Thread Reco
On Fri, May 31, 2019 at 12:09:19PM +0200, Thomas Schmitt wrote:
> > Not every filesystem supported by Debian
> > implements extended attributes needed for capabilities.
> > Off the top of my head it's NFS and JFFS2.
> 
> It is about the filesystem which holds the /bin directory. I would deem it
> extra-expert to use a partly incapable filesystem for that.

Please. NFS-for-root is decades old. JFFS2 is wildly popular for DIY solutions.
Calling everyone who bought $20 ARM board on AliExpress an 'expert'
seems overstretched.


> Whatever, the maintainer's reasoning was a then valid quote from the
> policy manual
...
> It became not a decisive argument against dependency.

It's really sad to see a maintainer who resorts to lawyering instead of
considering real technical limitations of the "solution" proposed.


> > Upgrading this particular dependency leads
> > only to a dependency bloat, and Default Users™ (i.e. ones that are
> > installing Recommends by default) aren't affected anyway.
> 
> Currently the Default User depends on assumptions about local package
> management which are not obviously related to security.

So? The end result justifies a current situation.


> That's a future pitfall which just needs its unintentional cover removed.

The way I see it, the "problematic" package got that Important priority
already. A potential pitfall is closed.


> To skip a security improvement in order to save 111 kB of installed size
> seems daring. (Size for amd64 taken from end of
>   https://packages.debian.org/unstable/libcap2-bin
> )

Replacing a working fallback mechanism with one-size-fits-all "everyone
are using ext4 on amd64 and Linux" is hardly an improvement.

Reco



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-31 Thread Thomas Schmitt
Hi,

i wrote:
> > "d/control: Drop Priority of libcap2"
> > https://salsa.debian.org/debian/libcap2/commit/5386335db24bfff5cc85bda69dbcda6ab2d7d20d

Reco wrote:
> Ah, that's what it was. That change made into the stable, I've just checked.

Not according to the package tracker:

oldstable has 1:2.24-8 of march 2015, i.e. before bug 780721.
  https://tracker.debian.org/media/packages/libc/libcap2/control-1%3A2.24-8
No particular Priority set on libcap2-bin

stable has 1:2.25-1 of october 2017, i.e. after bug 780721 went to sleep.
  https://tracker.debian.org/media/packages/libc/libcap2/control-1%3A2.25-1
libcap2-bin gets "Priority: important".

testing has 1:2.25-2 of february 2019.
  https://tracker.debian.org/media/packages/libc/libcap2/control-12.25-2
libcap2-bin still gets "Priority: important".
It was accepted in unstable at the very same day as the commit was made
which removed the particular Priority in the salsa git repo.
The package tracker's source browser says it is still in:
  https://sources.debian.org/src/libcap2/1:2.25-2/debian/control/#L17

But not to forget, the packages on the Debian mirrors get their priority
from the uploading procedure, not necessarily from the debian/control file
or the derived .dsc file.
All this forth and back might be independent of the maintainer of libcap2.


> Not every filesystem supported by Debian
> implements extended attributes needed for capabilities.
> Off the top of my head it's NFS and JFFS2.

It is about the filesystem which holds the /bin directory. I would deem it
extra-expert to use a partly incapable filesystem for that.

Whatever, the maintainer's reasoning was a then valid quote from the
policy manual

  "Packages must not depend on packages with lower priority values
   (excluding build-time dependencies). In order to ensure this, the
   priorities of one or more packages may need to be adjusted."

which is now replaced by a contrary statement

  "The priority of a package should
   not be increased merely because another higher-priority package depends
   on it; instead, the tools used to construct Debian installations will
   correctly handle package dependencies. In particular, this means that
   C-like libraries will almost never have a priority above optional [...]"

The issue of incapable systems was addressed in bug 780721 by maintainer:

  "The iputils-ping postinst script takes care to handle the case where
   setcap is either not available or not functional (due e.g. to running on
   a filesystem that doesn't support capabilities."

and bug reporter:

  "I'm aware we can't use capabilities on the non-Linux kernels yet, but
   since dpkg allows us to set dependencies per arch or per kernel, I don't
   see any particular problem adding libcap2-bin as to Depends for Linux."

It became not a decisive argument against dependency.


> Upgrading this particular dependency leads
> only to a dependency bloat, and Default Users™ (i.e. ones that are
> installing Recommends by default) aren't affected anyway.

Currently the Default User depends on assumptions about local package
management which are not obviously related to security. That's a future
pitfall which just needs its unintentional cover removed.

To skip a security improvement in order to save 111 kB of installed size
seems daring. (Size for amd64 taken from end of
  https://packages.debian.org/unstable/libcap2-bin
)
We can expect that the bug reporter, who is working on a colorful bunch
of elderly CPU arches, has a different idea of a Default User than us.
But shortage of memory and disk capacity surely belong to his considerations.


Have a nice day :)

Thomas



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-31 Thread Pascal Hambourg

Le 31/05/2019 à 08:38, Andrei POPESCU a écrit :

On Mi, 29 mai 19, 23:29:21, Gene Heskett wrote:


the default $PATH the installer sets up for $users, apparently does not
include any of the sbin's, only /usr/bin and /bin. I've been fixing that
for several generations of debian installs.


It won't be necessary if you switch to merged /usr.


AFAIK, the /usr merge does not merge sbin and bin together.


https://wiki.debian.org/MergedUsr


The wiki says this page does not exist yet.



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-31 Thread Reco
Hi.

On Fri, May 31, 2019 at 09:08:55AM +0200, Thomas Schmitt wrote:
> Andrei POPESCU wrote:
> > The other way would be if the archive priority was changed between
> > different installs.
> 
> This has happened in april 2016 (maybe related to bug 780721 ?)
> 
>   "d/control: Increase Priority of libcap2{,-bin} to important"
>   
> https://salsa.debian.org/debian/libcap2/commit/a3f0fbccfa946b6895da1b3521849d04ccf8da0f
> 
> and again four months ago
> 
>   "d/control: Drop Priority of libcap2"
>   
> https://salsa.debian.org/debian/libcap2/commit/5386335db24bfff5cc85bda69dbcda6ab2d7d20d
> 
> (The latter is not yet in the released package's control file.)
> 
> So one maintainer already adapted to the new policy rules.

Ah, that's what it was. That change made into the stable, I've just checked.


> But
>   https://salsa.debian.org/debian/iputils/raw/master/debian/control
> still has the hunchbacked gesture of recommending an actually necessary
> dependency:

No, maintainer is correct. Not every filesystem supported by Debian
implements extended attributes needed for capabilities. Off the top of
my head it's NFS and JFFS2. Upgrading this particular dependency leads
only to a dependency bloat, and Default Users™ (i.e. ones that are
installing Recommends by default) aren't affected anyway.

Reco



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-31 Thread Thomas Schmitt
Hi,

Andrei POPESCU wrote:
> The other way would be if the archive priority was changed between
> different installs.

This has happened in april 2016 (maybe related to bug 780721 ?)

  "d/control: Increase Priority of libcap2{,-bin} to important"
  
https://salsa.debian.org/debian/libcap2/commit/a3f0fbccfa946b6895da1b3521849d04ccf8da0f

and again four months ago

  "d/control: Drop Priority of libcap2"
  
https://salsa.debian.org/debian/libcap2/commit/5386335db24bfff5cc85bda69dbcda6ab2d7d20d

(The latter is not yet in the released package's control file.)

So one maintainer already adapted to the new policy rules.

But
  https://salsa.debian.org/debian/iputils/raw/master/debian/control
still has the hunchbacked gesture of recommending an actually necessary
dependency:

  Package: iputils-ping
  ...
  Recommends: libcap2-bin
  ...
  Package: iputils-arping
  ...
  Recommends: libcap2-bin

(I understand that this suffices if your local package management is set
 to automatically install recommendations.
 I also understand that there is a coarse workaround if libcap2 is missing.)

So bug 780721 is still valid and could now be fixed.


Have a nice day :)

Thomas



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Andrei POPESCU
On Jo, 30 mai 19, 18:43:05, Reco wrote:
>   Hi.
> 
> On Thu, May 30, 2019 at 11:08:22AM -0400, Greg Wooledge wrote:
> > I asked on IRC, and got this answer:
> > 
> >   The archive (Packages) and individual .debs can disagree on Priority. It's
> >   mostly a field that has no meaning these days.
> > 
> > I'm not 100% sure how to interpret that.  Are different mirrors giving
> > out different Packages files with different Priority settings?
> 
> Now that you mention it - [1].
> A mirror can override a package priority, that's true.

This would suggest you can get different results depending on mirror 
used, which is not the case. The priority is set in the central archive, 
which is then mirrored.

> I don't know if http://ftp.debian.org/debian/indices/ is mirrored too,
> along with the usual Release files and *debs. It can explain this
> discrepancy if it's true.
>
> The question is - which Priority goes into the package database on
> package install? That one from the package itself, or the one from the
> mirror?

APT and debootstrap will definitely use the archive view on priorities 
when deciding which packages to download and install.

dpkg on the other hand is probably using the information inside the 
package (debian/control) for its database, but probably not much else.
 
This is the most obvious way one could end up with different results. 

The other way would be if the archive priority was changed between 
different installs.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Andrei POPESCU
On Mi, 29 mai 19, 23:29:21, Gene Heskett wrote:
> 
> the default $PATH the installer sets up for $users, apparently does not 
> include any of the sbin's, only /usr/bin and /bin. I've been fixing that 
> for several generations of debian installs. Probably shouldn't as there  
> may be some good reason for it, but it is MY machine.

It won't be necessary if you switch to merged /usr.
https://wiki.debian.org/MergedUsr

This will be the default for new buster installs. Older installs can be 
switched with the package usrmerge.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Ping as normal user

2019-05-30 Thread Stefan Monnier
> $ getcap /bin/ping
> /bin/ping = cap_net_raw+ep

BTW, if these caps are missing you can recover them with:

dpkg-reconfigure iputils-ping


-- Stefan



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Andy Smith
Hello,

On Thu, May 30, 2019 at 09:08:38AM +0300, Reco wrote:
> Easy. You run debootstrap, set some --include options (which pull
> libcap2-bin by dependency), and then you tar the whole resulting
> filesystem.
> tar never understood file capabilities, so they are lost in the process.

Sure, tar is one of the example ways I mentioned before of how I've
seen this go wrong.

> debootstrap (no --variant) does install iputils-ping, but does not
> install libcap2-bin. Hence iputils-ping postinst script simply sets
> suid bit on /bin/ping as postinst cannot locate setcap.

Oh, that's interesting. I didn't think of the case where there is no
libcap2-bin. Still, these reporters aren't getting a suid bit
either, so I guess there must be something else going wrong. Not
debootstrap.

Cheers,
Andy



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Thomas Schmitt
Hi,

i pointed to:
> > https://www.debian.org/doc/debian-policy/upgrading-checklist.html#version-4-0-1
> > [...] Packages may now depend on packages with a lower priority. [...]

Curt wrote:
> So it seems the reason invoked above is no longer valid due to a change in
> policy.

It can be legally called a bug meanwhile, because
  https://tracker.debian.org/media/packages/i/iputils/control-320180629-2
has

  Standards-Version: 4.1.4

whereas the policy change was already in 4.0.1.


If somebody here feels able to test the policy compliant change of
"Depends:", then it would be worth to mail to
   780...@bugs.debian.org
and to point out that the change is overdue. Binary package iputils-arping
has the same Recommends as iputils-ping. So one should check whether
the reason is the same.

The policy also demands to change libcap2-bin priority to "optional".
Currently it is "important", which probably gets overridden by the repo
deciders.
  https://tracker.debian.org/media/packages/libc/libcap2/control-12.25-2
has
  Standards-Version: 4.3.0


So that would be two maintainers to convince ... YMMV.


Have a nice day :)

Thomas



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Curt
On 2019-05-30, Thomas Schmitt  wrote:
>
> So the explanation in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780721#10
>
>   iputils-ping, as priority "important", cannot declare a dependency on
>   libcap2-bin, which is priority "optional".
>
> is wrong and in direct contradiction to The Policy.

I think it would be more accurate to call the explanation *caduc* (or
*caduque*) perhaps. 

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780721#20
> quotes exactly the above policy paragraph as
>
>   Packages must not depend on packages with lower priority values
>   (excluding build-time dependencies). In order to ensure this, the
>   priorities of one or more packages may need to be adjusted.
>
> which i cannot see there any more.
> The change probably happened in august 2017:
>
>   
> https://www.debian.org/doc/debian-policy/upgrading-checklist.html#version-4-0-1
>   2.5
>   [...] Packages may now depend on packages with a lower priority. [...]

So it seems the reason invoked above is no longer valid due to a change in 
policy.

> Last message in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780721
> is of february 2016.
>
>
> So this bug could need an update and iputils-ping could now depend on
> libcap2-bin.
>
> As we see in
>   https://tracker.debian.org/media/packages/i/iputils/control-320180629-2
> it is not done yet:
>
>   Package: iputils-ping
>   ...
>   Recommends: libcap2-bin
>
>
> Have a nice day :)

Ditto.

> Thomas
>
>


-- 
“Decisions are never really made – at best they manage to emerge, from a chaos
of peeves, whims, hallucinations and all around assholery.” – Thomas Pynchon



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Reco
Hi.

On Thu, May 30, 2019 at 11:08:22AM -0400, Greg Wooledge wrote:
> I asked on IRC, and got this answer:
> 
>   The archive (Packages) and individual .debs can disagree on Priority. It's
>   mostly a field that has no meaning these days.
> 
> I'm not 100% sure how to interpret that.  Are different mirrors giving
> out different Packages files with different Priority settings?

Now that you mention it - [1].
A mirror can override a package priority, that's true.
I don't know if http://ftp.debian.org/debian/indices/ is mirrored too,
along with the usual Release files and *debs. It can explain this
discrepancy if it's true.

The question is - which Priority goes into the package database on
package install? That one from the package itself, or the one from the
mirror?


> Someone who's affected by the missing capabilities on ping might want
> to investigate more closely, or add some info to bug #780721.  Adrian
> talked about libcap2-bin being changed to "Priority: important" at some
> point in the future (relative to 2016), so maybe that has already happened.

It sure did not happen here.


> I'm not sure how to *find out* whether that has happened, since we can't
> even figure out how to view the actual Priority.  Or, if the Priority
> "mostly ... has no meaning", then whatever was stopping Adrian from acting
> in 2016 might no longer be a roadblock.

In the context of the original debootstrap behaviour - it's simple.
debootstrap installs barebones to produce a working apt, and uses it to
install the rest of the packages.

apt trusts the mirror (it would be counterproductive to download and
analyze every package just to extract their Priority and Depends), hence
mirror's priority wins here.

Reco

[1] https://wiki.debian.org/FtpMaster/Override



Re: Ping as normal user

2019-05-30 Thread Sven Hartge
Greg Wooledge  wrote:

> I asked on IRC, and got this answer:

>   The archive (Packages) and individual .debs can disagree on Priority. It's
>   mostly a field that has no meaning these days.

> I'm not 100% sure how to interpret that.  Are different mirrors giving
> out different Packages files with different Priority settings?

No, it means the Priority in the package itself is quite often overridden
by the archive software and thus the Priority in the Packages-file is
different. 

But all mirrors will have the same content, of course.

Grüße,
S!

-- 
Sigmentation fault. Core dumped.



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Thomas Schmitt
Hi,

Curt wrote:
> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780721
> >> (libcap2-bin is recommended but is not a dependency of iputils-ping,
> >> because "iputils-ping, as priority 'important', cannot declare a
> >> dependency on libcap2-bin, which is priority 'optional'").

> Why is my Stretch apt-cache command telling me it's priority optional?
> Or am I once again missing some essential thing?

The statement in bug 780721 seems to be outdated. The priority
rules have been changed since then. The package maintainer does not
have the last say on this, anyways.



https://www.debian.org/doc/manuals/maint-guide/dreq.en.html#control

  Section and priority are used by front-ends like aptitude when they
  sort packages and select defaults. Once you upload the package to Debian,
  the value of these two fields can be overridden by the archive
  maintainers, in which case you will be notified by email.

https://www.debian.org/doc/debian-policy/ch-archive.html#s-priorities

  The priority of a package is determined solely by the functionality
  it provides directly to the user. The priority of a package should
  not be increased merely because another higher-priority package depends
  on it; instead, the tools used to construct Debian installations will
  correctly handle package dependencies. In particular, this means that
  C-like libraries will almost never have a priority above optional,
  since they do not provide functionality directly to users. However,
  as an exception, the maintainers of Debian installers may request an
  increase of the priority of a package to resolve installation issues
  and ensure that the correct set of packages is included in a standard
  or minimal install.



So the explanation in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780721#10

  iputils-ping, as priority "important", cannot declare a dependency on
  libcap2-bin, which is priority "optional".

is wrong and in direct contradiction to The Policy.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780721#20
quotes exactly the above policy paragraph as

  Packages must not depend on packages with lower priority values
  (excluding build-time dependencies). In order to ensure this, the
  priorities of one or more packages may need to be adjusted.

which i cannot see there any more.
The change probably happened in august 2017:

  
https://www.debian.org/doc/debian-policy/upgrading-checklist.html#version-4-0-1
  2.5
  [...] Packages may now depend on packages with a lower priority. [...]

Last message in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780721
is of february 2016.


So this bug could need an update and iputils-ping could now depend on
libcap2-bin.

As we see in
  https://tracker.debian.org/media/packages/i/iputils/control-320180629-2
it is not done yet:

  Package: iputils-ping
  ...
  Recommends: libcap2-bin


Have a nice day :)

Thomas



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Greg Wooledge
I asked on IRC, and got this answer:

  The archive (Packages) and individual .debs can disagree on Priority. It's
  mostly a field that has no meaning these days.

I'm not 100% sure how to interpret that.  Are different mirrors giving
out different Packages files with different Priority settings?

Someone who's affected by the missing capabilities on ping might want
to investigate more closely, or add some info to bug #780721.  Adrian
talked about libcap2-bin being changed to "Priority: important" at some
point in the future (relative to 2016), so maybe that has already happened.
I'm not sure how to *find out* whether that has happened, since we can't
even figure out how to view the actual Priority.  Or, if the Priority
"mostly ... has no meaning", then whatever was stopping Adrian from acting
in 2016 might no longer be a roadblock.



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Reco
Hi.

On Thu, May 30, 2019 at 10:26:29AM -0400, Greg Wooledge wrote:
> On Thu, May 30, 2019 at 05:19:49PM +0300, Reco wrote:
> > "dpkg -s" gets package state from /var/lib/dpkg/status.
> > "apt-cache" also uses /var/lib/apt/lists/*.
> > 
> > Basically your result tells that libcap2-bin is "optional" from the
> > repository POV, but your local package database thinks it's "important".
> > 
> > And in this case I trust the repository and have to assume that your
> > local package database is somehow corrupt.
> 
> arc3:~$ grep -A2 'Package: libcap2-bin' /var/lib/dpkg/status
> Package: libcap2-bin
> Status: install ok installed
> Priority: important
> 
> wooledg:~$ grep -A2 'Package: libcap2-bin' /var/lib/dpkg/status
> Package: libcap2-bin
> Status: install ok installed
> Priority: important
> 
> wooledg:~$ ssh root@megview5 "grep -A2 'Package: libcap2-bin' /var/lib/dpkg/status"
> root@megview5's password: 
> Package: libcap2-bin
> Status: install ok installed
> Priority: important
> 
> wooledg:~$ ssh svr4 "grep -A2 'Package: libcap2-bin' /var/lib/dpkg/status"
> wooledg@svr4's password: 
> Package: libcap2-bin
> Status: install ok installed
> Priority: important
> 
> oledg:~$ ssh meglin2 "grep -A2 'Package: libcap2-bin' /var/lib/dpkg/status"
> wooledg@meglin2's password: 
> Package: libcap2-bin
> Status: install ok installed
> Priority: optional
> 
> meglin2 is jessie.  wooledg is buster.  The others are stretch.

Yep. But for me it's (stretch):

$ grep -A2 'Package: libcap2-bin' /var/lib/dpkg/status
Package: libcap2-bin
Status: install ok installed
Priority: optional

Reco



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Greg Wooledge
On Thu, May 30, 2019 at 05:19:49PM +0300, Reco wrote:
> "dpkg -s" gets package state from /var/lib/dpkg/status.
> "apt-cache" also uses /var/lib/apt/lists/*.
> 
> Basically your result tells that libcap2-bin is "optional" from the
> repository POV, but your local package database thinks it's "important".
> 
> And in this case I trust the repository and have to assume that your
> local package database is somehow corrupt.

arc3:~$ grep -A2 'Package: libcap2-bin' /var/lib/dpkg/status
Package: libcap2-bin
Status: install ok installed
Priority: important

wooledg:~$ grep -A2 'Package: libcap2-bin' /var/lib/dpkg/status
Package: libcap2-bin
Status: install ok installed
Priority: important

wooledg:~$ ssh root@megview5 "grep -A2 'Package: libcap2-bin' /var/lib/dpkg/status"
root@megview5's password: 
Package: libcap2-bin
Status: install ok installed
Priority: important

wooledg:~$ ssh svr4 "grep -A2 'Package: libcap2-bin' /var/lib/dpkg/status"
wooledg@svr4's password: 
Package: libcap2-bin
Status: install ok installed
Priority: important

oledg:~$ ssh meglin2 "grep -A2 'Package: libcap2-bin' /var/lib/dpkg/status"
wooledg@meglin2's password: 
Package: libcap2-bin
Status: install ok installed
Priority: optional

meglin2 is jessie.  wooledg is buster.  The others are stretch.



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Reco
Hi.

On Thu, May 30, 2019 at 09:10:55AM -0400, Greg Wooledge wrote:
> On Thu, May 30, 2019 at 01:00:19PM -, Curt wrote:
> > On 2019-05-30, Greg Wooledge  wrote:
> > > But libcap2-bin is priority important in both stretch and buster.
> > 
> > Why is my Stretch apt-cache command telling me it's priority optional?
> > Or am I once again missing some essential thing?
> 
> Uh...
> 
> arc3:~$ dpkg -s libcap2-bin | grep -i priority
> Priority: important
> arc3:~$ apt-cache show libcap2-bin | grep -i priority
> Priority: optional

Both show "optional" to me BTW.


> OK, I have no freaking idea what this means.

strace(1) to the rescue.
"dpkg -s" gets package state from /var/lib/dpkg/status.
"apt-cache" also uses /var/lib/apt/lists/*.

Basically your result tells that libcap2-bin is "optional" from the
repository POV, but your local package database thinks it's "important".

And in this case I trust the repository and have to assume that your
local package database is somehow corrupt.

Reco
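
Added example, not part of any message in this thread: Reco's point that "dpkg -s" reads /var/lib/dpkg/status while "apt-cache" also reads /var/lib/apt/lists/* can be checked by pulling the same field out of both files. The function names are hypothetical, and the two sample files in demo() are constructed to mirror the outputs quoted above.

```shell
#!/bin/sh
# Added example: compare a control field between dpkg's local database and
# the archive index that apt downloaded. All function names are hypothetical.

# stanza_field FILE PACKAGE FIELD
# Print FIELD from the first stanza whose "Package:" equals PACKAGE.
# Both files use the same layout: "Name: value" lines, blank line between
# stanzas.
stanza_field() {
    awk -v pkg="$2" -v field="$3" '
        BEGIN { RS = ""; FS = "\n" }      # one record per stanza, one field per line
        {
            name = ""; value = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /) name = substr($i, 10)
                if (index($i, field ": ") == 1)
                    value = substr($i, length(field) + 3)
            }
            if (name == pkg && value != "") { print value; exit }
        }
    ' "$1"
}

# compare_priority PACKAGE STATUS_FILE PACKAGES_FILE...
# Report the Priority recorded at install time next to the archive's value.
compare_priority() {
    pkg=$1
    status=$2
    shift 2
    local_prio=$(stanza_field "$status" "$pkg" Priority)
    repo_prio=
    for list in "$@"; do
        if [ -r "$list" ]; then
            repo_prio=$(stanza_field "$list" "$pkg" Priority)
            if [ -n "$repo_prio" ]; then
                break
            fi
        fi
    done
    if [ "$local_prio" = "$repo_prio" ]; then
        verdict=match
    else
        verdict=differ
    fi
    echo "$pkg: dpkg status=${local_prio:-absent} archive index=${repo_prio:-absent} ($verdict)"
}

# demo: constructed sample files reproducing the discrepancy in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/status" <<'EOF'
Package: example-pkg
Status: install ok installed
Priority: required

Package: libcap2-bin
Status: install ok installed
Priority: important
Section: utils
EOF
    cat > "$dir/Packages" <<'EOF'
Package: libcap2-bin
Source: libcap2
Version: 1:2.25-1
Section: utils
Priority: optional
EOF
    compare_priority libcap2-bin "$dir/status" "$dir/Packages"
    rm -rf "$dir"
}

# Real use: sh thisfile PACKAGE (reads uncompressed *_Packages lists only).
if [ $# -ge 1 ]; then
    compare_priority "$1" /var/lib/dpkg/status /var/lib/apt/lists/*_Packages
fi
```

A "differ" result means the installed .deb and the archive index disagree on the field, which is the situation the thread goes on to explain with archive overrides.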



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Curt
On 2019-05-30, Greg Wooledge  wrote:
> On Thu, May 30, 2019 at 01:00:19PM -, Curt wrote:
>> On 2019-05-30, Greg Wooledge  wrote:
>> > But libcap2-bin is priority important in both stretch and buster.
>> 
>> Why is my Stretch apt-cache command telling me it's priority optional?
>> Or am I once again missing some essential thing?
>
> Uh...
>
> arc3:~$ dpkg -s libcap2-bin | grep -i priority
> Priority: important
> arc3:~$ apt-cache show libcap2-bin | grep -i priority
> Priority: optional
>
> OK, I have no freaking idea what this means.
>
>

curty@einstein:~$ dpkg -s libcap2-bin | grep -i priority
Priority: optional

At least I'm optionally consistent.

;-)

-- 
“Decisions are never really made – at best they manage to emerge, from a chaos
of peeves, whims, hallucinations and all around assholery.” – Thomas Pynchon



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Greg Wooledge
On Thu, May 30, 2019 at 01:00:19PM -, Curt wrote:
> On 2019-05-30, Greg Wooledge  wrote:
> > But libcap2-bin is priority important in both stretch and buster.
> 
> Why is my Stretch apt-cache command telling me it's priority optional?
> Or am I once again missing some essential thing?

Uh...

arc3:~$ dpkg -s libcap2-bin | grep -i priority
Priority: important
arc3:~$ apt-cache show libcap2-bin | grep -i priority
Priority: optional

OK, I have no freaking idea what this means.



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Curt
On 2019-05-30, Greg Wooledge  wrote:
> On Thu, May 30, 2019 at 09:11:44AM -, Curt wrote:
>> There is a bug related to this imbroglio:
>> 
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780721
>> (libcap2-bin is recommended but is not a dependency of iputils-ping,
>> because "iputils-ping, as priority 'important', cannot declare a
>> dependency on libcap2-bin, which is priority 'optional'").
>
> But libcap2-bin is priority important in both stretch and buster.
>
>

Why is my Stretch apt-cache command telling me it's priority optional?
Or am I once again missing some essential thing?

curty@einstein:~$ apt-cache show libcap2-bin 
Package: libcap2-bin
Source: libcap2
Version: 1:2.25-1
Installed-Size: 85
Maintainer: Christian Kastner 
Architecture: amd64
Replaces: libcap-bin
Depends: libc6 (>= 2.14), libcap2 (>= 1:2.10)
Recommends: libpam-cap
Breaks: libcap-bin
Description-en: POSIX 1003.1e capabilities (utilities)
 Libcap implements the user-space interfaces to the POSIX 1003.1e capabilities
 available in Linux kernels. These capabilities are a partitioning of the all
 powerful root privilege into a set of distinct privileges.
 .
 This package contains additional utilities.
Description-md5: f223f06c6e812dc45d4b21cbd8163d36
Multi-Arch: foreign
Homepage: http://sites.google.com/site/fullycapable/
Tag: admin::configuring, implemented-in::c, interface::commandline,
 role::program, scope::utility
Section: utils
Priority: optional
Filename: pool/main/libc/libcap2/libcap2-bin_2.25-1_amd64.deb
Size: 26490
MD5sum: cf46bb9dd77bd949226b90f735d52f33
SHA256: 8b6a70886d13a53e35bfacebab1bc869a09f405783f734835f313460e80be94e


-- 
“Decisions are never really made – at best they manage to emerge, from a chaos
of peeves, whims, hallucinations and all around assholery.” – Thomas Pynchon



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Greg Wooledge
On Thu, May 30, 2019 at 09:11:44AM -, Curt wrote:
> There is a bug related to this imbroglio:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780721
> (libcap2-bin is recommended but is not a dependency of iputils-ping,
> because "iputils-ping, as priority 'important', cannot declare a
> dependency on libcap2-bin, which is priority 'optional'").

But libcap2-bin is priority important in both stretch and buster.



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-30 Thread Curt
On 2019-05-29, Andy Smith  wrote:
>
> How did you install this system? Because /bin/ping is supposed to
> come with file capabilities such that the user can allow it to do
> what it needs to do (this is part of what 'dpkg-reconfigure
> iputils-ping' restores). So it would be interesting to know how the
> system was installed in case there is a general theme for those who
> never got those capabilities.

There is a bug related to this imbroglio:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780721
(libcap2-bin is recommended but is not a dependency of iputils-ping,
because "iputils-ping, as priority 'important', cannot declare a
dependency on libcap2-bin, which is priority 'optional'").

> One other person in this thread said they used (a script which
> ultimately uses) debootstrap.
>
> Cheers,
> Andy
>
>


-- 
“Decisions are never really made – at best they manage to emerge, from a chaos
of peeves, whims, hallucinations and all around assholery.” – Thomas Pynchon



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-29 Thread Reco
Hi.

On Thu, May 30, 2019 at 02:44:58AM +, Andy Smith wrote:
> So my question is, are installs done by debootstrap somehow losing
> the file capabilities? I ask because in this thread, one of the
> other people reporting a /bin/ping without the correct capabilities
> did their install through debootstrap.

Easy. You run debootstrap, set some --include options (which pull
libcap2-bin by dependency), and then you tar the whole resulting
filesystem.
tar never understood file capabilities, so they are lost in the process.


> If you've just done a debootstrap, what does getcap return for the
> /bin/ping that got installed?

I'm not Cindy (obviously), but I'm not lazy, so I just run debootstrap a
couple of times.

debootstrap --variant=minbase does not install iputils-ping at all.

debootstrap (no --variant) does install iputils-ping, but does not
install libcap2-bin. Hence iputils-ping postinst script simply sets
suid bit on /bin/ping as postinst cannot locate setcap.

Reco



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-29 Thread Gene Heskett
On Wednesday 29 May 2019 07:46:50 pm Andy Smith wrote:

> Hi Jason,
>
> On Wed, May 29, 2019 at 04:18:51PM -0500, Jason wrote:
> > On Mon, May 27, 2019 at 08:12:32AM +0300, Andrei POPESCU wrote:
> > > While I didn't mention it in this thread, ping had indeed somehow
> > > lost its capabilities on my system. 'dpkg-reconfigure
> > > iputils-ping' fixed it.
> >
> > That worked for me (I'm not the OP) with Stretch on an ARM board.
> > Before running the above command, I could only ping as root or using
> > sudo, now I can ping as a normal user. Thanks!
>
> How did you install this system? Because /bin/ping is supposed to
> come with file capabilities such that the user can allow it to do
> what it needs to do (this is part of what 'dpkg-reconfigure
> iputils-ping' restores). So it would be interesting to know how the
> system was installed in case there is a general theme for those who
> never got those capabilities.
>
> One other person in this thread said they used (a script which
> ultimately uses) debootstrap.
>
> Cheers,
> Andy

the default $PATH the installer sets up for $users, apparently does not 
include any of the sbin's, only /usr/bin and /bin. I've been fixing that 
for several generations of debian installs. Probably shouldn't as there  
may be some good reason for it, but it is MY machine.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-29 Thread Andy Smith
Hi Cindy,

On Wed, May 29, 2019 at 09:48:44PM -0400, Cindy Sue Causey wrote:
> So, yeah, at least for Debootstrap. "iputils-ping" is in there at the
> absolute very first start where the Developers have picked the very
> first packages that get the party started before the User then picks
> everything else...

That's not the issue at hand. The issue is whether the file
/bin/ping retains the file capabilities. People who have a /bin/ping
that only works as root are missing these:

$ getcap /bin/ping
/bin/ping = cap_net_raw+ep

If they didn't have the package installed at all then it would be a
very different and more obvious error that was presented.

So my question is, are installs done by debootstrap somehow losing
the file capabilities? I ask because in this thread, one of the
other people reporting a /bin/ping without the correct capabilities
did their install through debootstrap.

If you've just done a debootstrap, what does getcap return for the
/bin/ping that got installed?

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
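
Added example, not part of any message in this thread: a shell check that reports which mechanism gives a ping binary its raw-socket privilege, the cap_net_raw+ep file capability Andy shows or the setuid-root fallback Reco's message above describes for installs where setcap is missing. The function names are hypothetical, "stat -c" assumes GNU coreutils, and only a single capability clause in the getcap line is handled.

```shell
#!/bin/sh
# Added example: report how a ping binary obtains its raw-socket privilege.
# classify_priv and inspect are hypothetical helper names.

# classify_priv MODE OWNER_UID CAPS
#   MODE       octal permission bits as printed by `stat -c %a` (755, 4755)
#   OWNER_UID  numeric owner as printed by `stat -c %u`
#   CAPS       the line printed by `getcap FILE`, empty if none is set
# Prints one of: capability, setuid, both, none
classify_priv() {
    mode=$1
    uid=$2
    caps=$3
    has_cap=no
    has_suid=no

    # The flags follow the last '+' or '=' in the getcap line, for example
    # "/bin/ping = cap_net_raw+ep" or "/bin/ping cap_net_raw=ep".
    # Require both effective (e) and permitted (p), as in the expected
    # output quoted in the thread.
    flags=${caps##*[+=]}
    case $caps in
        *cap_net_raw*)
            case $flags in
                *e*p*|*p*e*) has_cap=yes ;;
            esac
            ;;
    esac

    # The setuid bit (octal 4000) only grants root when root owns the file.
    if [ $(( 0$mode & 04000 )) -ne 0 ] && [ "$uid" = 0 ]; then
        has_suid=yes
    fi

    if [ "$has_cap" = yes ] && [ "$has_suid" = yes ]; then
        echo both
    elif [ "$has_cap" = yes ]; then
        echo capability
    elif [ "$has_suid" = yes ]; then
        echo setuid
    else
        echo none
    fi
}

# inspect FILE: gather the real values from the filesystem and classify them.
inspect() {
    file=$1
    mode=$(stat -c %a "$file") || return 1
    owner=$(stat -c %u "$file") || return 1
    # getcap lives in /sbin, which is often missing from a normal user's PATH.
    if caps=$(PATH=$PATH:/sbin:/usr/sbin getcap "$file" 2>/dev/null); then
        :
    else
        caps=
        echo "$file: getcap unavailable (libcap2-bin not installed?)" >&2
    fi
    echo "$file: $(classify_priv "$mode" "$owner" "$caps")"
}

# Classify every file named on the command line, e.g. /bin/ping inside a
# freshly unpacked root filesystem.
for f in "$@"; do
    inspect "$f"
done
```

A result of "none" corresponds to the ping that only works as root; "setuid" is the state Reco found after a plain debootstrap run.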



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-29 Thread Cindy Sue Causey
On 5/29/19, Andy Smith  wrote:
> Hi Jason,
>
> On Wed, May 29, 2019 at 04:18:51PM -0500, Jason wrote:
>> On Mon, May 27, 2019 at 08:12:32AM +0300, Andrei POPESCU wrote:
>> > While I didn't mention it in this thread, ping had indeed somehow lost
>> > its capabilities on my system. 'dpkg-reconfigure iputils-ping' fixed
>> > it.
>>
>> That worked for me (I'm not the OP) with Stretch on an ARM board. Before
>> running the above command, I could only ping as root or using sudo, now
>> I can ping as a normal user. Thanks!
>
> How did you install this system? Because /bin/ping is supposed to
> come with file capabilities such that the user can allow it to do
> what it needs to do (this is part of what 'dpkg-reconfigure
> iputils-ping' restores). So it would be interesting to know how the
> system was installed in case there is a general theme for those who
> never got those capabilities.
>
> One other person in this thread said they used (a script which
> ultimately uses) debootstrap.


Was sitting here reading through before responding. Debootstrap. I
JUST seconds ago finished running the first step, the initial download
and install, for that again. *having to rebuild my dotDeb cache, don't
wanna talk about it, smacking my head!*

Just searched and "iputils-ping" is already installed at the absolute
bare minimum debootstrap base level. I really didn't think that
package was installed because I don't ever remember encountering that
package name. That "ping" part would stand out to me, but it never
has... until just now.

So, yeah, at least for Debootstrap. "iputils-ping" is in there at the
absolute very first start where the Developers have picked the very
first packages that get the party started before the User then picks
everything else...

Cindy :)
-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* Base system installed successfully. Works every time... as long
as... APT archives are not... cough.. symlinked instead of "mount -B".
*



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-29 Thread Andy Smith
Hi Jason,

On Wed, May 29, 2019 at 04:18:51PM -0500, Jason wrote:
> On Mon, May 27, 2019 at 08:12:32AM +0300, Andrei POPESCU wrote:
> > While I didn't mention it in this thread, ping had indeed somehow lost 
> > its capabilities on my system. 'dpkg-reconfigure iputils-ping' fixed it.
> 
> That worked for me (I'm not the OP) with Stretch on an ARM board. Before 
> running the above command, I could only ping as root or using sudo, now 
> I can ping as a normal user. Thanks!

How did you install this system? Because /bin/ping is supposed to
come with file capabilities such that the user can allow it to do
what it needs to do (this is part of what 'dpkg-reconfigure
iputils-ping' restores). So it would be interesting to know how the
system was installed in case there is a general theme for those who
never got those capabilities.

One other person in this thread said they used (a script which
ultimately uses) debootstrap.

Cheers,
Andy



Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

2019-05-29 Thread Jason
On Mon, May 27, 2019 at 08:12:32AM +0300, Andrei POPESCU wrote:
> 
> While I didn't mention it in this thread, ping had indeed somehow lost 
> its capabilities on my system. 'dpkg-reconfigure iputils-ping' fixed it.

That worked for me (I'm not the OP) with Stretch on an ARM board. Before 
running the above command, I could only ping as root or using sudo, now 
I can ping as a normal user. Thanks!

> 
> Kind regards,
> Andrei
> -- 
> http://wiki.debian.org/FAQsFromDebianUser


-- 
Jason



iputils-ping bug, please verify

2017-06-26 Thread Stefan Helmert
Hi,

I got this bug:

https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/1700413

on Ubuntu. Please check, if it can be also triggered on debian.



xscreensaver sonar : sonar must be setuid to ping

2017-03-11 Thread Avinash Sonawane
Hello!

I am using XScreenSaver 5.36 on Debian Jessie.
I have setuid to sonar as mentioned in `man sonar` i.e.

chown root:root sonar
chmod u+s sonar

$ ls -ld /usr/lib/xscreensaver/sonar
-rwsr-xr-x 1 root root 104016 Apr 15  2016 /usr/lib/xscreensaver/sonar

Now, whenever I invoke sonar through xscreensaver by locking the
screen it still says "sonar must be setuid to ping" but interestingly
when I execute it directly as $ /usr/lib/xscreensaver/sonar it works
as expected showing the machines in LAN.

How can I make the sonar work when I lock the screen through xscreensaver?

-- 
Avinash Sonawane (rootKea)
PICT, Pune
https://rootkea.wordpress.com



Re: url redirected in chrome/chromium, but working fine, according to ping/traceroute, lynx, w3m, iceweasel.

2016-10-26 Thread Lisi Reisz
On Friday 07 October 2016 19:00:12 Tony Baldwin wrote:
> I have a little business card website up for my big brother's media
> consulting side-business at http://playomatic.myownsite.me.
> Now, at the moment, if I try to load it in Google-Chrome-Stable, I'm
> getting redirected to a yahoo! search for "create web",

It works fine here.  Chrome 54 on Jessie.  Both fully updated.

Lisi



Re: url redirected in chrome/chromium, but working fine, according to ping/traceroute, lynx, w3m, iceweasel.

2016-10-26 Thread Lisi Reisz
On Sunday 09 October 2016 12:28:03 Tony Baldwin wrote:
> I kind of think Montenegro should be .Mn, really (or that for the US
> state of Minnesota).

Except that it is Mongolia.  Country TLDs have to be unique.

Lisi



Re: Linux source address selection (Was Re: url redirected in chrome/chromium, but working fine, according to ping/traceroute, lynx, w3m, iceweasel.)

2016-10-12 Thread rhkramer
Hi Andy,

Thanks very much!  It looks like quite a comprehensive answer (including 
links) that I'll surely have to read more than once to absorb.  (At that 
point, I'll ask more questions if I feel the need.)

regards,
Randy Kramer


On Tuesday, October 11, 2016 10:18:38 PM Andy Smith wrote:
> On Sun, Oct 09, 2016 at 04:23:45PM -0400, rhkra...@gmail.com wrote:
> > I'm not the OP, and I'm sort of piggybacking and going somewhat (or a
> > lot?) OT,
> 
> In that case it would be good to change the subject of the email.
> I've done so here.
> 
> > but I am curious about how old inet4 (right term?) and the new
> > inet6 addresses interact.

Other good stuff elided.



Linux source address selection (Was Re: url redirected in chrome/chromium, but working fine, according to ping/traceroute, lynx, w3m, iceweasel.)

2016-10-11 Thread Andy Smith
Hi rhkramer,

On Sun, Oct 09, 2016 at 04:23:45PM -0400, rhkra...@gmail.com wrote:
> I'm not the OP, and I'm sort of piggybacking and going somewhat (or a lot?) OT,

In that case it would be good to change the subject of the email.
I've done so here.

> but I am curious about how old inet4 (right term?) and the new
> inet6 addresses interact.

As the address family for IPv4 is "inet" (vs "inet6"), you could say
"inet", but then it may not be so obvious that you were intending to
make a distinction between IPv4 and IPv6. So, perhaps "inet4" is not
so bad, or IPv4. Some go as far as to say "legacy". :)

> When I do ifconfig, I see that eth0 has both a 32 bit (e.g., 192.168.1.19)
> and an inet6 address assigned.

On Linux, it would be best to get used to using the "ip" command
rather than "ifconfig". Issuing an "ip address" command will get you
all the configured addresses of the various families.

> Can anybody point me to a fairly short document that explains things like 
> which gets used under what circumstances

If we restrict the domain of this question to source address
selection then reading around from this point may help:

http://linux-ip.net/html/routing-saddr-selection.html

> does one have precedence over the other,

Clearly if there is just one inet address and one inet6 address,
then which will be chosen depends on which family the destination
address comes from. i.e., if the destination is an inet6 address
then the source address will have to be an inet6 address as well,
otherwise no communication will be possible¹.

If the destination address has been directly specified then that's
simple enough to predict.

Usually though, we are just dealing with host names that we wish to
communicate with. A host name is going to be presented to the
system's hostname resolution system, which may return a result from
/etc/hosts or some other database. More usually though it's going to
go out to DNS.

The DNS may contain both A (IPv4) and AAAA (IPv6) addresses with no
regard as to whether the client actually has a source address of the
matching family. That is, if you had a host with only inet6
addresses and you did a DNS query, you would still receive A records
as answers. If amongst the answers there were no AAAA records then
you'd have no way to communicate with the destination when the
application tried to do that.

It's the getaddrinfo() function of GNU libc that decides which
destination address to select for use. You can find more details
about that with "man getaddrinfo".

By default, if there are both inet and inet6 family addresses to
choose from, getaddrinfo will choose the inet6 one. So, if your host
has at least one configured global inet6 address then your
applications will tend to try to connect to inet6 destination
addresses, where available.

You can configure getaddrinfo's address selection in /etc/gai.conf.
A very common desire is to prefer inet addresses over inet6 ones,
and so on Debian the configuration required to do that is shown in
/etc/gai.conf commented out.

An application can be told to use a specific source address, but it
is more common for applications to be allowed to use any address. In
that case for inet it will generally be a reasonably simple case of
using the routing table to determine which source address is
"closest" to the destination.

For example, suppose you have an interface that has the addresses
192.168.1.1/24 and 192.168.1.175/25 on it. When attempting to
communicate with 192.168.1.180 the routing table will show that this
is in the same network as 192.168.1.175/25 and that that is the most
specific address.

When it comes to inet6 it can get a bit more complicated, especially
as it is much more common to have several inet6 addresses, and
you've got whole new concepts like privacy addresses and deprecated
addresses. But, it's all covered by RFC 6724, and this may help as a
summary:

http://biplane.com.au/blog/?p=22

> do they both use DNS,

As hopefully made clear by the above, it is not the addresses on
your system which "use DNS". It's more like your system uses DNS,
and the DNS may contain both inet and inet6 addresses, thus your
system decides which to communicate with based on which families of
address you have.

> and similar things which might let me make sense of the situation?

Hopefully that helped. It's quite a large topic, so some reading
will be required in many places to fully understand it.

Cheers,
Andy

¹ This ignores the various translation mechanisms that may be in place
  to allow IPv4 networks and IPv6 networks to inter-operate. These
  can involve various kinds of NAT and DNS rewriting. Look into
  things like "NAT64" and "DNS64" for more information about these.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
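
The two selection steps described in the message above, as an added example that is not part of the original post: a precedence-only model of how getaddrinfo() orders destinations using the policy table from /etc/gai.conf, and the most-specific-network choice of source address. It assumes the host has usable source addresses in both families and skips the earlier RFC 6724 rules (reachability, scope, labels); the function names, the table names and the 192.0.2.10 / 2001:db8::10 answers are constructed for illustration.

```python
import ipaddress

# glibc's built-in precedence table, as listed (commented out) in /etc/gai.conf.
DEFAULT_TABLE = {"::1/128": 50, "::/0": 40, "2002::/16": 30,
                 "::/96": 20, "::ffff:0:0/96": 10}
# Same table with the line that makes inet destinations sort first.
PREFER_INET_TABLE = {**DEFAULT_TABLE, "::ffff:0:0/96": 100}


def precedence(addr, table):
    """Precedence of the longest policy-table prefix that matches addr."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:  # inet addresses are looked up as ::ffff:a.b.c.d
        ip = ipaddress.IPv6Address("::ffff:" + str(ip))
    rows = [(ipaddress.ip_network(p), v) for p, v in table.items()]
    return max((r for r in rows if ip in r[0]), key=lambda r: r[0].prefixlen)[1]


def order_destinations(addrs, table):
    """Order candidate destinations by precedence only (RFC 6724 rule 6)."""
    return sorted(addrs, key=lambda a: -precedence(a, table))


def pick_source(dest, local_addrs):
    """Pick the local address whose connected network most specifically covers dest."""
    d = ipaddress.ip_address(dest)
    ifaces = [ipaddress.ip_interface(a) for a in local_addrs]
    on_link = [i for i in ifaces if i.version == d.version and d in i.network]
    if not on_link:
        return None  # reached via a gateway route, which this sketch does not model
    return str(max(on_link, key=lambda i: i.network.prefixlen).ip)


if __name__ == "__main__":
    answers = ["192.0.2.10", "2001:db8::10"]  # constructed A and AAAA answers
    print(order_destinations(answers, DEFAULT_TABLE))
    print(order_destinations(answers, PREFER_INET_TABLE))
    local = ["192.168.1.1/24", "192.168.1.175/25"]  # addresses from the post
    print(pick_source("192.168.1.180", local))
```
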



Re: url redirected in chrome/chromium, but working fine, according to ping/traceroute, lynx, w3m, iceweasel.

2016-10-09 Thread rhkramer
I'm not the OP, and I'm sort of piggybacking and going somewhat (or a lot?) 
OT, but I am curious about how old inet4 (right term?) and the new inet6 
addresses interact.

When I do ifconfig, I see that eth0 has both a 32 bit (e.g., 192.168.1.19) and 
an inet6 address assigned.

Can anybody point me to a fairly short document that explains things like 
which gets used under what circumstances, does one have precedence over the 
other, do they both use DNS, and similar things which might let me make sense 
of the situation?

On Sunday, October 09, 2016 03:02:25 PM Tony Baldwin wrote:
> On 10/09/2016 11:54 AM, claude juif wrote:
> > Are you logged in with a google account on that chrome/chromium ? By
> > the way, how did you install them ?
>



Re: url redirected in chrome/chromium, but working fine, according to ping/traceroute, lynx, w3m, iceweasel.

2016-10-09 Thread Tony Baldwin

On 10/09/2016 11:54 AM, claude juif wrote:
> Are you logged in with a google account on that chrome/chromium ? By
> the way, how did you install them ?

I WAS logged into my google account when I had the problem, in fact,
but eventually determined that when I logged out, I could load the
proper page for the url, oddly.
I installed chromium with aptitude, google-chrome-stable by downloading
google's .deb pkg and doing sudo dpkg -i $said-google-pkg.deb

> To summarize:
> On your debian computer, only for this website, you get redirected to
> ads only with chrome/chromium ?

That is correct, Iceweasel, w3m, lynx and e-links all load the proper
page/site.
Chrome and dolphin on my android phone do fine, as well, but apparently
chrome on iOS (what my brother was using when he found the problem),
does not.

> I would try these :
>
> purge chromium and chrome.
> Install chromium and go to your website. (do not log in before).
>
> The only thing I can think of is a broken extension. I've never seen
> this happening, it's really strange. If that happened on Windows I
> would have said: search for malware and delete it.




> 2016-10-09 15:00 GMT+02:00 Tony Baldwin:
>
>> On 10/09/2016 07:36 AM, Richard Hector wrote:
>>
>>> On 10/10/16 00:28, Tony Baldwin wrote:
>>>
>>> But we're getting a bit off-topic :-)
>>>
>>> Richard
>>
>> Indeed we are, but I thank you for humoring my curiosity.
>> Thanks,
>>
>> Tony
>> --
>> http://tonybaldwin.me
>>
>> all tony, all the time

--
http://tonybaldwin.me
all tony, all the time



Re: url redirected in chrome/chromium, but working fine, according to ping/traceroute, lynx, w3m, iceweasel.

2016-10-09 Thread Joe Pfeiffer
Richard Hector writes:
>
> It appears that Montenegro only came into existence (most recently) in
> 2006 - it was part of Yugoslavia, then 'Serbia and Montenegro'. So all
> the 'good' codes were presumably taken.

I'd imagine .me would, like .tv (Tuvalu), be one that a small country
could use to bolster their income quite a bit...

> I'm looking here:
> http://www.domainsherpa.com/country-code-top-level-domains/
>
> But we're getting a bit off-topic :-)
>
> Richard



Re: url redirected in chrome/chromium, but working fine, according to ping/traceroute, lynx, w3m, iceweasel.

2016-10-09 Thread claude juif
Are you logged in with a google account on that chrome/chromium ? By the
way, how did you install them ?

To summarize:
On your debian computer, only for this website, you get redirected to ads
only with chrome/chromium ?

I would try these :

purge chromium and chrome.
Install chromium and go to your website. (do not log in before).

The only thing I can think of is a broken extension. I've never seen this
happening, it's really strange. If that happened on Windows I would have
said: search for malware and delete it.



2016-10-09 15:00 GMT+02:00 Tony Baldwin:

>
>
> On 10/09/2016 07:36 AM, Richard Hector wrote:
>
>> On 10/10/16 00:28, Tony Baldwin wrote:
>>
>
>
>> But we're getting a bit off-topic :-)
>>
>> Richard
>>
>>
> Indeed we are, but I thank you for humoring my curiosity.
> Thanks,
>
> Tony
> --
> http://tonybaldwin.me
> all tony, all the time
>
>


Re: url redirected in chrome/chromium, but working fine, according to ping/traceroute, lynx, w3m, iceweasel.

2016-10-09 Thread Tony Baldwin



On 10/09/2016 07:36 AM, Richard Hector wrote:
> On 10/10/16 00:28, Tony Baldwin wrote:
>
> But we're getting a bit off-topic :-)
>
> Richard



Indeed we are, but I thank you for humoring my curiosity.
Thanks,
Tony
--
http://tonybaldwin.me
all tony, all the time


