Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course

2018-08-20 Thread Simon Hobson
wirelessd...@gmail.com wrote:

> I want to switch from macOS Server to unbound for a local LAN DNS as its DNS 
> features will be deprecated soon, but my reading tells me that unbound only 
> acts as a recursive nameserver, not authoritative. 
> 
> What’s the general consensus on a good authoritative server to pair with 
> unbound?
> 
> I can see both knot and nsd are packaged in devuan, but have no experience 
> with any outside BIND9 and macOS.

Well as you already have experience with BIND9 (and presumably, a working 
config) then it would be logical to stick with that. I would suggest just using 
the one package for both authoritative and recursive queries rather than 
running two packages which would mean binding them to different IPs so they 
don't fight over port 53 on the same IP.

I haven't been following OSX Server, so they are dropping DNS now ? It's always 
seemed like the unwanted stepchild, not really promoted or developed, and with 
no proper server hardware to run it on (I used to manage two of the original 
XServes with 10.3 in the past).
Is BIND in OSX Ports or Fink ?

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


[DNG] DSA Ascii Aug20

2018-08-20 Thread leloft
Mon, 20 Aug 2018 11:44:32 +
[SECURITY] [DSA 4279-1] linux security update
version 4.9.110-3+deb9u3
Confirmed: ascii-security

Tue, 14 Aug 2018 21:52:19 +
[SECURITY] [DSA 4272-1] linux security update
version 4.9.110-3+deb9u2
Confirmed: ascii-proposed-updates
Note: this update has been superseded by version 4.9.110-3+deb9u3
confirmed present  in ascii-security.
Note: jessie-security contains version 4.9.110-3+deb9u2~deb8u1

To fully resolve these vulnerabilities it is also necessary to install
updated CPU microcode (only available in Debian non-free). Common server
class CPUs are covered in the update released as DSA 4273-1 (see below).

Thu, 16 Aug 2018 20:43:21 +
[SECURITY] [DSA 4273-1] intel-microcode security update
version 3.20180703.2~deb9u1 (non-free)
Confirmed: ascii-security, ascii-proposed-updates
Note: ascii-backports contains version 3.20180703.2~bpo9+1
Note: jessie-security contains version 3.20180703.2~deb8u1
Note: beowulf and ceres contain version 3.20180703.2

Sun, 19 Aug 2018 21:21:38 +
[SECURITY] [DSA 4278-1] jetty9 security update
version 9.2.21-1+deb9u1
Confirmed: ascii-security

Fri, 17 Aug 2018 18:15:34 +
[SECURITY] [DSA 4277-1] mutt security update
version 1.7.2-1+deb9u1
Confirmed: ascii-security, ascii-proposed-updates

Fri, 17 Aug 2018 07:28:50 +
[SECURITY] [DSA 4276-1] php-horde-image security update
version 2.3.6-1+deb9u1
Confirmed: ascii-security, ascii-proposed-updates

Thu, 16 Aug 2018 20:49:26 +
[SECURITY] [DSA 4275-1] keystone security update
version 2:10.0.0-9+deb9u1
Confirmed: ascii-security, ascii-proposed-updates

Thu, 16 Aug 2018 20:47:43 +
[SECURITY] [DSA 4274-1] xen security update
version 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10
Confirmed: ascii-security, ascii-proposed-updates

Tue, 14 Aug 2018 10:16:04 +
[SECURITY] [DSA 4271-1] samba security update
version 2:4.5.12+dfsg-2+deb9u3
Confirmed: ascii-security, ascii-proposed-updates


[DNG] Devuan and the raspberry pi 3+

2018-08-20 Thread Jim Jackson


There are images of Devuan ASCII for the Raspberry Pi 3. Anyone know if 
these are ok for the 3+? Or would I need to run the image on a model 3 and 
update the firmware and kernel before moving to the 3+?

cheers
Jim Jackson




Re: [DNG] Devuan and the raspberry pi 3+

2018-08-20 Thread Lars Noodén
On 8/20/18, Jim Jackson  wrote:
> There are images of Devuan ASCII for the Raspberry Pi 3. Anyone know if
> these are ok for the 3+? Or would I need to run the image on a model 3 and
> update the firmware and kernel before moving to the 3+?

I used devuan_ascii_2.0.0_arm64_raspi3 from the embedded sets running
on the 3B+.
You do have to resize the root partition manually if you do not use
the space for another partition. I haven't checked the graphics or
anything but OpenSSH works fine.

/Lars


Re: [DNG] DSA Ascii Aug20

2018-08-20 Thread Hendrik Boom
On Mon, Aug 20, 2018 at 02:31:05PM +0100, leloft wrote:
> 
> Tue, 14 Aug 2018 21:52:19 +
> [SECURITY] [DSA 4272-1] linux security update
> version 4.9.110-3+deb9u2
> Confirmed: ascii-proposed-updates
> Note: this update has been superseded by version 4.9.110-3+deb9u3
> confirmed present  in ascii-security.
> Note: jessie-security contains version 4.9.110-3+deb9u2~deb8u1
> 
> To fully resolve these vulnerabilities it is also necessary to install
> updated CPU microcode (only available in Debian non-free). Common server
> class CPUs are covered in the update released as DSA 4273-1 (see below).

Any idea how the microcode updates work on a machine with a disabled 
management engine? 

-- hendrik
> 
> Thu, 16 Aug 2018 20:43:21 +
> [SECURITY] [DSA 4273-1] intel-microcode security update
> version 3.20180703.2~deb9u1 (non-free)
> Confirmed: ascii-security, ascii-proposed-updates
> Note: ascii-backports contains version 3.20180703.2~bpo9+1
> Note: jessie-security contains version 3.20180703.2~deb8u1
> Note: beowulf and ceres contain version 3.20180703.2


[DNG] Problem with fsck during boot with kernel 4.9.0-8-amd64

2018-08-20 Thread Héctor González

Hello,

The latest kernel update has this weirdness while booting:

Begin: Loading essential drivers ... done.
Begin: Running /scripts/init-premount ... done.
Begin: Mounting root file system ... Begin: Running /scripts/local-top ... done.
Begin: Running /scripts/local-premount ... [2.858611] PM: Starting manual resume from disk
done.
Begin: Will now check root file system ... fsck from util-linux 2.29.2
[/sbin/fsck.ext4 (1) -- /dev/xvda2] fsck.ext4 -a -C0 /dev/xvda2
fsck.ext4: symbol lookup error: /lib/x86_64-linux-gnu/libext2fs.so.2: undefined symbol: com_err
fsck exited with status code 127
done.
Failure: File system check of the root filesystem failed
The root filesystem on /dev/xvda2 requires a manual fsck
(initramfs) [  266.336115] random: crng init done


Returning to the previous kernel boots normally.  I tried
"update-initramfs -k all -u", but it doesn't make any difference. Does
anyone know where this "com_err" symbol should be defined, or how to
work around this issue?


Thanks.
Cacho.


Re: [DNG] Problem with fsck during boot with kernel 4.9.0-8-amd64

2018-08-20 Thread info at smallinnovations dot nl
On 20-08-18 21:24, Héctor González wrote:
> Hello,
>
> The latest kernel update has this weirdness while booting:
>
> Begin: Loading essential drivers ... done.
> Begin: Running /scripts/init-premount ... done.
> Begin: Mounting root file system ... Begin: Running /scripts/local-top
> ... done.
> Begin: Running /scripts/local-premount ... [    2.858611] PM: Starting
> manual resume from disk
> done.
> Begin: Will now check root file system ... fsck from util-linux 2.29.2
> [/sbin/fsck.ext4 (1) -- /dev/xvda2] fsck.ext4 -a -C0 /dev/xvda2
> fsck.ext4: symbol lookup error: /lib/x86_64-linux-gnu/libext2fs.so.2:
> undefined symbol: com_err
> fsck exited with status code 127
> done.
> Failure: File system check of the root filesystem failed
> The root filesystem on /dev/xvda2 requires a manual fsck
> (initramfs) [  266.336115] random: crng init done
>
>
> Returning to the previous kernel boots normally.  I tried
> "update-initramfs -k all -u", but it doesn't make any difference. Does
> anyone know where this "com_err" symbol should be defined, or how to
> work around this issue?
>
> Thanks.
> Cacho.

A search with Google shows a Deb**n package com_err a library for common
error messages. Which depends on
https://packages.debian.org/wheezy/libcomerr2 so maybe installing this
lib solves your problem.

Grtz.

Nick



Re: [DNG] Problem with fsck during boot with kernel 4.9.0-8-amd64

2018-08-20 Thread Héctor González

On 2018-08-20 16:31, info at smallinnovations dot nl wrote:
> On 20-08-18 21:24, Héctor González wrote:
>> Hello,
>>
>> The latest kernel update has this weirdness while booting:
>> ...
>> Begin: Will now check root file system ... fsck from util-linux 2.29.2
>> [/sbin/fsck.ext4 (1) -- /dev/xvda2] fsck.ext4 -a -C0 /dev/xvda2
>> fsck.ext4: symbol lookup error: /lib/x86_64-linux-gnu/libext2fs.so.2:
>> undefined symbol: com_err
>> fsck exited with status code 127
>> ...
>> Returning to the previous kernel boots normally.  I tried
>> "update-initramfs -k all -u", but it doesn't make any difference. Does
>> anyone know where this "com_err" symbol should be defined, or how to
>> work around this issue?
>>
>> Thanks.
>> Cacho.
>
> A search with Google shows a Deb**n package com_err a library for common
> error messages. Which depends on
> https://packages.debian.org/wheezy/libcomerr2 so maybe installing this
> lib solves your problem.

Thank you Nick, I have that package installed, previous kernels used it,
but this initramfs does not seem to include it.  The other kernels,
after "update-initramfs -k all -u" behave the same way now, so this is
maybe a problem with the initramfs building process.  I had to restore
the previous kernel's initramfs from backup after that.

dpkg -l | grep comerr
ii  libcomerr2:amd64  1.43.4-2  amd64  common error description library

> Grtz.
>
> Nick






Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course

2018-08-20 Thread Steve Litt
On Mon, 20 Aug 2018 11:15:49 +0100
Simon Hobson  wrote:

> wirelessd...@gmail.com wrote:
> 

> > What’s the general consensus on a good authoritative server to pair
> > with unbound?
> > 
> > I can see both knot and nsd are packaged in devuan, but have no
> > experience with any outside BIND9 and macOS.  
> 
> Well as you already have experience with BIND9 (and presumably, a
> working config) then it would be logical to stick with that. I would
> suggest just using the one package for both authoritative and
> recursive queries rather than running two packages which would mean
> binding them to different IPs so they don't fight over port 53 on the
> same IP.

There are disadvantages to having the same software do both auth and
cache, and BIND is a big honkin complexity. See the djbdns
documentation for details. I think that's why the OP wanted unbound in
the first place.

The unbound man page mentions nsd as an auth server companion to
unbound.

I couldn't exactly understand the docs, but it sounds to me like you
set up nsd on the machine's IP address and unbound either on 127.0.0.1
or on an alias of your machine's IP address. Then, to unbound.conf, you
add a stub zone that points to your nsd server's address.

SteveT

Steve Litt 
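
The split Steve describes above, written out as an added configuration sketch (not part of the original thread, and not taken from the nsd or unbound documentation). The two addresses, the zone name internal.example and the zone file name are constructed placeholders; the option names are standard nsd.conf and unbound.conf settings.

```conf
# ---- /etc/nsd/nsd.conf : authoritative only, bound to the machine's own IP ----
server:
    ip-address: 192.168.1.10            # constructed: primary address of the host
    port: 53
    hide-version: yes                   # do not answer version.bind queries

zone:
    name: "internal.example"            # constructed local zone
    zonefile: "internal.example.zone"   # constructed file name, relative to zonesdir

# ---- /etc/unbound/unbound.conf : recursive resolver on loopback + alias IP ----
server:
    # Binding explicit addresses keeps unbound off 192.168.1.10:53,
    # so the two daemons never compete for the same socket.
    interface: 127.0.0.1
    interface: 192.168.1.11             # constructed: alias address LAN clients query

    # Recursion only for the local host and the LAN; refuse everyone else.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # The local zone is unsigned and has no delegation in the public tree,
    # so a validating unbound would treat its answers as bogus without this.
    domain-insecure: "internal.example"

stub-zone:
    name: "internal.example"
    stub-addr: 192.168.1.10             # the nsd instance above
```

If nsd were moved to 127.0.0.1 on another port instead, unbound would also need `do-not-query-localhost: no` and `stub-addr: 127.0.0.1@<port>`.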


Re: [DNG] DSA Ascii Aug20

2018-08-20 Thread wirelessduck


> On 21 Aug 2018, at 02:14, Hendrik Boom  wrote:
> 
>> On Mon, Aug 20, 2018 at 02:31:05PM +0100, leloft wrote:
>> 
>> Tue, 14 Aug 2018 21:52:19 +
>> [SECURITY] [DSA 4272-1] linux security update
>> version 4.9.110-3+deb9u2
>> Confirmed: ascii-proposed-updates
>> Note: this update has been superseded by version 4.9.110-3+deb9u3
>> confirmed present  in ascii-security.
>> Note: jessie-security contains version 4.9.110-3+deb9u2~deb8u1
>> 
>> To fully resolve these vulnerabilities it is also necessary to install
>> updated CPU microcode (only available in Debian non-free). Common server
>> class CPUs are covered in the update released as DSA 4273-1 (see below).
> 
> Any idea how the microcode updates work on a machine with a disabled 
> management engine? 
> 
> -- hendrik

Microcode runs on the CPU

https://superuser.com/questions/1283788/what-exactly-is-microcode-and-how-does-it-differ-from-firmware

—Tom


Re: [DNG] DSA Ascii Aug20

2018-08-20 Thread Hendrik Boom
On Tue, Aug 21, 2018 at 09:17:04AM +1000, wirelessd...@gmail.com wrote:
> 
> 
> > On 21 Aug 2018, at 02:14, Hendrik Boom  wrote:
> > 
> >> On Mon, Aug 20, 2018 at 02:31:05PM +0100, leloft wrote:
> >> 
> >> Tue, 14 Aug 2018 21:52:19 +
> >> [SECURITY] [DSA 4272-1] linux security update
> >> version 4.9.110-3+deb9u2
> >> Confirmed: ascii-proposed-updates
> >> Note: this update has been superseded by version 4.9.110-3+deb9u3
> >> confirmed present  in ascii-security.
> >> Note: jessie-security contains version 4.9.110-3+deb9u2~deb8u1
> >> 
> >> To fully resolve these vulnerabilities it is also necessary to install
> >> updated CPU microcode (only available in Debian non-free). Common server
> >> class CPUs are covered in the update released as DSA 4273-1 (see below).
> > 
> > Any idea how the microcode updates work on a machine with a disabled 
> > management engine? 
> > 
> > -- hendrik
> 
> Microcode runs on the CPU
> 
> https://superuser.com/questions/1283788/what-exactly-is-microcode-and-how-does-it-differ-from-firmware

True; but does it use the management engine to replace the microcode?
I've seen too many systems where you had to do something bizarre like
running MSDOS to replace the microcode to be anything but worried.
It just seems like the management engine is tailor-made for this kind
of action.

-- hendrik



Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course

2018-08-20 Thread wirelessduck
Forgetting to hit reply-all :D

On Tue, 21 Aug 2018 at 13:24,  wrote:
>
> On Tue, 21 Aug 2018 at 08:15, Steve Litt  wrote:
>
> > There are disadvantages to having the same software do both auth and
> > cache, and BIND is a big honkin complexity. See the djbdns
> > documentation for details. I think that's why the OP wanted unbound in
> > the first place.
> >
> > The unbound man page mentions nsd as an auth server companion to
> > unbound.
> >
> > I couldn't exactly understand the docs, but it sounds to me like you
> > set up nsd on the machine's IP address and unbound either on 127.0.0.1
> > or on an alias of your machine's IP address. Then, to unbound.conf, you
> > add a stub zone that points to your nsd server's address.
> >
> > SteveT
>
> Thanks Steve,
>
> I'm not much of a BIND9 expert, so I'll happily try out something else
> if it's considered to be more secure.
>
> I've found some potentially useful docs on the Arch linux wiki which I
> will go through to try and configure a nsd/unbound setup.
>
> https://wiki.archlinux.org/index.php/Nsd
> https://wiki.archlinux.org/index.php/Unbound
>
> --Tom


Re: [DNG] Unbound details: was Mozilla and cloudflare to hijack all your DNS requests - for your own good of course

2018-08-20 Thread wirelessduck
Forgetting to hit reply-all :D

On Tue, 21 Aug 2018 at 13:20,  wrote:
>
> > I haven't been following OSX Server, so they are dropping DNS now ? It's 
> > always seemed like the unwanted stepchild, not really promoted or 
> > developed, and with no proper server hardware to run it on (I used to 
> > manage two of the original XServes with 10.3 in the past).
> > Is BIND in OSX Ports or Fink ?
>
> Most of the services are disappearing from the macOS Server app,
> making it almost useless for a home server environment.
> https://support.apple.com/en-au/HT208312
>
> Since it's running on an ancient Mac Mini, I'm considering ditching
> that server and switching to something more power-conservative (RPi?)
> running Devuan.
>
> --Tom


Re: [DNG] Home server replacement hardware suggestions?

2018-08-20 Thread wirelessduck
On Wed, 11 Jul 2018 at 04:52, Clarke Sideroad  wrote:
>
> On 2018-07-10 11:41 AM, John Franklin wrote:
> >> On Jun 25, 2018, at 6:14 PM, taii...@gmx.com wrote:
> >>
> >> I have to say your current computer is more than powerful enough for
> >> your current uses and I would advise saving your money instead, perhaps
> >> instead just buy a SSD for the primary drive and some storage disks for
> >> storage.
> >> Your current system is also pre-PSP so it lacks AMD's version of the
> >> evil ME thus I very much suggest keeping it.
> >>
> >> If you insist on upgrading I would consider:
> > [snip]
> >
> > Reinforcing Taiidan’s suggestions, something built around a low TDP CPU 
> > would be good.  The power draw from the CPU is going to dominate the power 
> > consumption of the whole system, so going with something that has a low TDP 
> > will ensure you stay well inside your power budget.  Desktop systems tend 
> > to be in the 65W to 95W zone, there are some 35W parts that are common in 
> > all-in-one systems, or look for something intended for laptops and embedded 
> > systems that are 15W TDP.
> >
> > Unfortunately, you can’t just buy a Core i3 7100U (15W TDP) and install it 
> > in your choice of motherboard and install all that in your favorite case.  
> > You’re looking at either barebones system (like an Intel NUC or a barebones 
> > Shuttle) or a mini-ITX+CPU kit.  If you’re lucky, you can find a compact PC 
> > (think: one of the Dell small desktops) with a low TDP chip in it, probably 
> > a Celeron or Pentium Silver or the like.
> >
> > The FreeNAS forums will have some good hardware recommendations, although 
> > they may be biased towards systems with ECC memory support, a rare feature 
> > in the low TDP world.
> >
> > The good news is the last several years of CPU development have been all 
> > about performance per watt, not raw performance, so there are a lot of low 
> > TDP options out there with reasonable performance.  Since your A8-3850 has 
> > a 100W TDP,  just about anything will be an improvement.
> >
> > Good luck!
> >
> >
> The existing hardware is few years old and made up of desktop CPUs
> sharing a package with reasonably decent graphics processing, but not
> quite as bad as the picture you paint.
> It is quite a smart piece as long as you are not running something like
> Seti@home with your spare cycles.
> https://www.guru3d.com/articles-pages/amd-a8-3850-apu-review,10.html
>
> Clarke

Fortunately (or perhaps unfortunately), this machine has decided to
pick itself up again and continue running without a single issue.

Thanks for all the advice.  I'll keep those hardware suggestions in
mind and I'll be taking regular backups with clonezilla just-in-case
something untoward happens.

--Tom