Re: Docker

2015-02-02 Thread Brett Viren
Yasha Karant ykar...@csusb.edu writes:

 On 01/30/2015 10:32 AM, Brett Viren wrote:

 The application, say A, runs under environment (OS) X, not environment
 Y.  One wants A under Y.  The target is Y.  Can one build A under Y
 using the appropriate chunks
 from X with Docker, or does one re-build (dockerise) A under X for
 target Y?  In the first event, one only needs to be running Y; in the
 second event, one needs to be running X to build for Y.

I guess there are many approaches.  I can think of at least these:

1) Build fully static A under X and use Docker to set up target Y just
so that you can test that A works.  End user doesn't know about
Docker.

2) Build A under X, A' under Y, A'' under Z (maybe static, maybe shared)
and distribute A, A', A''.  Use Docker simply to provide convenient
build platforms X, Y, Z.  End user doesn't know about Docker.  (This is
my approach).

3) Build A in an X Docker image and distribute that entire image as a
binary executable Docker container.  End user is required to have
Docker on the target Y to run the image but doesn't otherwise care what
is in the image - that is, running the image appears to just be an
executable.  This is a heavy solution but if application A is huge, it
might be a practical way to go.

4) As (3) but, for whatever reason, the user treats the image as an open
box and exec's a shell instead of exec'ing the application.

 Presumably, any application that will run under CentOS, in particular,
 CentOS 7 that is the RHEL source release for other ports, such as SL
 7, should be able to run under SL.  

It depends.  As you first asked in this thread, any required shared
libraries need to be available and compatible.  If the application
exec's any external executables they obviously need to exist.  Likewise,
if the application loads Python or other interpreters then there may be
some modules required.

 My understanding is that SL 7 is
 not built from the actual RHEL 7 source that is used to build RHEL 7
 that is licensed for fee, but from the RHEL packaged CentOS source
 (CentOS now effectively being a unit of Red Hat, a for-profit
 corporation) that is used to build CentOS 7 (that, as with SL 7, is
 licensed for free as a binary installable executable system that
 requires no building from source per se).

I'm not a lawyer and quickly am underwater when it comes to licensing
details.  

All I (think I) know is that if someone gives me a binary distributed
under the GPL, they must provide me on request the source code with
which I may do as I please (consistent with the GPL).

-Brett.




Re: static linked ISA executables

2015-01-30 Thread Brett Viren
Hi Yasha,

Yasha Karant ykar...@csusb.edu writes:

 My intention is this. There exist applications on various other
 distributions (Fedora, Ubuntu, SuSE, etc.) that do not exist and will
 not build under SL 7. The intent would be to setup a development
 machine of the other distro, build the application from source as
 static as possible (with bloat by this mechanism), include whatever
 directories or files that need to be present, and then run the thing
 under SL 7 . 

I suggest just simply trying it.  Here's what I see on Ubuntu 14.04 for
a trivial test:

$ cat foo.c
int main() {return 0;}
$ gcc -o foo -static foo.c

$ ldd foo
not a dynamic executable
$ ./foo
$ echo $?
0

I don't have SL7 handy, but copying that to RHEL 6.4 I get the same
results for those last three commands.

 In a worst case, rather than using a physical machine,
 install the other distro in a virtual machine under VirtualBox (that
 runs very well under SL 7) -- with enough disk space assigned to the
 Virtual Box machine to allow for such a build. Some applications (such
 as a full window manager) I would not consider, but there are others
 of more limited generality that I would.

I want to have easy access to a broad set of Linux distributions for the
purpose of building and testing some software stacks for the various
projects I'm involved in.  I started out using VirtualBox to run Fedora
Core 20 on my Ubuntu 14.04 workstation.  It worked but was a real pain
for me to set up and use and was noticeably slower when comparing the
same processes running on the native host.  There's no way I could
efficiently scale this setup beyond even one virtual host.  The setup
was enough of a show stopper but the disk space for multiple VM images
would start to become annoying.

I then switched to using Docker containers and have been hugely
impressed.  Setup and use is very straight-forward.  No messing around
with GUIs to start but also it lends itself to both scripting/automation
as well as one-off hacking.  I can not notice any runtime performance
difference between processes running in a container and ones running on
the native host.  And what's fairly killer is the smart way that images
are overlaid to maximize reuse.  It's kind of like git but for OS
images.

-Brett.





Re: Docker

2015-01-30 Thread Brett Viren
Yasha Karant ykar...@csusb.edu writes:

 For example, will a
 legally licensed MS Win application that does not run under
 Wine/CrossOver work under Docker under SL 7 the same as it would under
 VirtualBox with a full install of say MS Win 8.1 (soon MS Win 10)?

Docker containers run on Linux (the kernel) so, no, if your application
requires honest-to-badness MicroSoft Windows don't plan on using Docker.

 Can one make a Docker application package on the target host (e.g., SL
 7) or does one need first a full install of the (virtual) base

I don't know what target (host? guest?) means here.

A Docker image is a full OS (minus the kernel).  To start you write one
line in a Dockerfile like:

  FROM fedora:20

and do a docker build

You can follow up this line with additional instructions (such as yum
install ...) to further populate.

If you have a second image that shares some portion of these
instructions, or as you add more instructions, any prior existing
layer is reused.


I don't find a lot of bases for SL but there are ways to add new base
OSes from first principles (CMS has some scripts in github) and there
are established ones for centos.


-Brett.




Re: bash bugs - alternative shell

2014-10-02 Thread Brett Viren
Konstantin Olchanski olcha...@triumf.ca writes:

 For interactive use, most people switched from /bin/sh to /bin/tcsh back
 in the mid-1990-ies. (Bash, ksh, zsh came out much later).

Just because I was curious, first releases as claimed on Wikipedia:

Sh:   1977
Csh:  1978
Tcsh: 1981 (file-completion feature merge with csh)
Ksh:  1983
Bash: 1989
Zsh:  1990
Fish: 2005

-Brett.




Re: Ye old Thorn Symbol

2014-09-29 Thread Brett Viren
ToddAndMargo toddandma...@zoho.com writes:

 I just discovered the discontinued thorn letter.  

In this day and age, thorn is a critical character as it allows one to
form a symmetric smiley-tongue-sticker-outer-face :þ

You can enter it using its code point (0xFE).

In a gnome-terminal (or similar): Ctrl-Shift-U f e ENTER

In emacs: C-x 8 ENTER f e ENTER

-Brett.






Re: Scientific Linux 7 -- no more IA-32 ?

2014-07-08 Thread Brett Viren
Yasha Karant ykar...@csusb.edu writes:

 how much additional RAM and hard drive space is required by this
 X86-64 implementation?

The memory usage going from 32 to 64bit x86 really depends on the code
you run.  My understanding is it boils down to how much of the job's
memory is made up of pointers as compared to other data types that are
invariant under this bit change.  This can vary a lot and of course it
matters what the absolute memory usage is to begin with.  If you are
concerned you should benchmark your actual code on both bit'isms.

But, I can relate a few data points.

The jobs we tend to run here are ~1-2GB to start with and I've seen ~50%
increase in memory usage for the same code compiled in 32 and 64 bits.
These jobs come from relatively large C++ code bases and the code tends
to be written for functionality first and size optimization later (if
ever).  I imagine they represent a, if maybe not the, worst case.

For the various laptops and workstations I have with 4GB of RAM, I keep
them in 32 bits even if they have amd64/x86_64 CPUs as these jobs
benefit more from the added ~50% memory than the ~20% extra processing
power available in 64bits.  These are all Debian or Ubuntu so still
retain the option to stick at 32.

For more prosaic workloads, the change in pointer size is not apparently
important, at least in my experience.  For example, I have a 64bit
Debian VPS doing light web serving that runs in 512MB of RAM.  This
particular VPS happens to be somewhat cheap and crappy, but I've never
had an out-of-memory condition.


I have not noticed any practical impact on HDD space usage from going to
64bit, if there even is any.

-Brett.




Re: Whitelisting websites

2012-05-11 Thread Brett Viren
Christopher Tooley ctoo...@uvic.ca writes:

 I've been requested to whitelist websites for a local user here,
 apparently the internet is extremely distracting for work, save for
 certain sites - has anyone done something like this before? I know I
 could put IPs and website addresses in /etc/hosts, but I don't want to
 have to fix the hosts file whenever IPs change.

It isn't clear if you are looking to provide your user with some
voluntary self-filtering or if your user wants to impose filtering on
others.  People gave you ideas about the latter.  For the former there
are various browser plugins that your user can install to self-manage
their own filtering.  For example Chrome's Personal Blocklist
extension.  Although the emphasis there looks to be default-allow rather
than default-deny.

Luck,
-Brett.




Re: Remote package management

2012-04-16 Thread Brett Viren
Hi,

Christopher Brown c...@asu.edu writes:

 /opt

You are already up to a dime or so but here are my 2c.

 I have my environment setup pretty well on one machine

NFS export /opt (and /home) from this machine and mount it on the lab
nodes. 

Manage /opt's non-standard user environment with either usepackage or
modules [1].  Which ever you like, keep its config file somewhere on
/opt so the Lab nodes see it.

Avoid putting anything special in /etc/skel as it only applies when a
new account is made.  Instead, put customization in /etc/profile and
/etc/login, but it is best to keep that to a minimum.  In particular you
would need to add the sourcing of usepackage's/module's setup script.

You don't need to mess with making RPM packages, imo.

Puppet is indeed a good suggestion for managing things that don't fit
into the above (or complementing them).  For example, Puppet can
distribute the changes to /etc/profile.

You will also need to distribute account information.  Puppet can
distribute /etc/passwd (and friends) or you can setup NIS (or similar).


-Brett.

[1] http://usepackage.sourceforge.net/ 
http://modules.sourceforge.net/




Re: Need monospace font for zenity

2012-01-03 Thread Brett Viren
Todd And Margo Chester toddandma...@gmail.com writes:

 On 01/01/2012 08:43 AM, Phong Nguyen wrote:
 Why not parse the output and put it into a formatted list dialogue?


 What do you mean?

zenity --list --column "Id Name" --column "State" "KVM-FC16-LiveCD" "shut off" \
  "KVM-ReactOS" "shut off"

(etc for all your rows)

-Brett.




Re: allow members of group to unlock screen

2012-01-03 Thread Brett Viren
Devin Bougie devin.bou...@cornell.edu writes:

 Any recommendations for achieving this (or suggestions of a different
 workflow) in SL6 would be greatly appreciated.

Caveat, I don't know if all the programs mentioned are in SL.  I know
about them from Debian.

You might look into xautolock.  Having it call xlock -username USER
with an explicit user name might be all you need.  Maybe you can couple
it with a zenity script to prompt for the username.

Leaving that box behind, what about installing the BlueProximity
gnome-panel applet and introduce it to the BlueTooth devices (ie, ever
ubiquitous cell phones) that are carried by the authorized users.  I use
this to lock my workstation and it winks to life when I approach and
locks down as soon as I walk away.  Almost never a password needed
although once in a while when I approach fast enough and wiggle the
mouse the normal screen saver lock will wake first and prompt me for my
password.

-Brett.





Re: allow members of group to unlock screen

2012-01-03 Thread Brett Viren
Brett Viren b...@bnl.gov writes:

 Leaving that box behind, what about installing the BlueProximity

Sorry, scratch that one.  It looks like it only watches for one BT MAC
address at a time.  Although, maybe you could put the same functionality
in to the locker that xautolock calls.

-B.




Re: Farewell from Troy

2011-08-26 Thread Brett Viren
owen.sy...@desy.de writes:

 Did you know you made the slashdot headlines?

 http://linux.slashdot.org/story/11/08/25/2058228/Scientific-Linuxs-Troy-Dawson-Leaves-FermiLabs-For-Red-Hat

Maybe Troy was some inspiration for CmdrTaco.

http://meta.slashdot.org/story/11/08/25/1245200/Rob-CmdrTaco-Malda-Resigns-From-Slashdot


Good luck in your future endeavors, Troy.

-Brett.




Re: Failed to include subprocess in Python script.

2011-05-23 Thread Brett Viren
Coert Metz c.m...@erasmusmc.nl writes:

 Hi all,

 I'm running a Python script which tries to import subprocess. This
 fails because it cannot import the select module.
 Does anybody know how to solve this?

 My PYTHONPATH is set to: /usr/lib64/python2.6/

Normally you should not need to set PYTHONPATH when using the system
Python.  Although, I can't see how setting it to that value could cause
harm.  

You can see what path Python is actually using via:

  python -c 'import sys; print sys.path'
  ['', '/usr/lib64/python24.zip', '/usr/lib64/python2.4',
   '/usr/lib64/python2.4/plat-linux2', '/usr/lib64/python2.4/lib-tk',
   '/usr/lib64/python2.4/lib-dynload',
   '/usr/lib64/python2.4/site-packages',
   '/usr/lib64/python2.4/site-packages/Numeric',
   '/usr/lib64/python2.4/site-packages/gtk-2.0',
   '/usr/lib/python2.4/site-packages']

And, here is my select module:

  python -c 'import select; print select'
  <module 'select' from '/usr/lib64/python2.4/lib-dynload/selectmodule.so'>

This is on SL5.3.  Maybe it helps you spot some inconsistency

-Brett.




Re: SL 5.6 beta 2 bug? All machines return the same HOSTID

2011-05-19 Thread Brett Viren
Toshiaki Shingu redlav...@gmail.com writes:

 I installed SL 5.6 beta 2 to three nodes using PXE boot.
 ip addresses were obtained by dhcp, so all nodes have different ips.
 After the successful installation hostid command returns the same
 value '007f0100' on all machines.

This happens when you have the host name in /etc/hosts bound to
127.0.0.1.  Edit that file so it has the FQDN attached to the IP number
for your NIC.  For eg, here is mine:

head -2 /etc/hosts
127.0.0.1   localhost
130.199.36.67   lycastus.phy.bnl.gov   lycastus

-Brett.
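
The value '007f0100' reported above is 127.0.0.1 with its two 16-bit halves swapped. The following added example (not part of the original post) predicts the hostid from an /etc/hosts-style file, assuming glibc's fallback behaviour on a little-endian machine with no /etc/hostid; the host name node1 and the address 192.0.2.17 are constructed sample values.

```shell
#!/bin/sh
# Added example: predict what `hostid` prints from /etc/hosts-style data.
# Assumption: glibc on a little-endian machine with no /etc/hostid file, where
# gethostid() resolves the host name and returns the IPv4 address with its two
# 16-bit halves swapped.

# hostid_for_ip A.B.C.D -> eight hex digits, e.g. 127.0.0.1 -> 007f0100
hostid_for_ip() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    printf '%02x%02x%02x%02x\n' "$2" "$1" "$4" "$3"
}

# hosts_addr_for NAME FILE -> first IPv4 address in FILE that lists NAME,
# which is the answer the "files" NSS source gives for that name.
hosts_addr_for() {
    awk -v name="$1" '
        { sub(/#.*/, "") }                       # drop comments
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if ($i == name) { print $1; exit }
        }
    ' "$2"
}

# expected_hostid NAME FILE -> predicted hostid, or status 1 if NAME is absent
expected_hostid() {
    addr=$(hosts_addr_for "$1" "$2")
    [ -n "$addr" ] || return 1
    hostid_for_ip "$addr"
}

# loopback_bound NAME FILE -> status 0 when NAME resolves to 127.x.x.x, the
# condition that makes every node report the same hostid.
loopback_bound() {
    case $(hosts_addr_for "$1" "$2") in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample files (node1 and 192.0.2.17 are made-up values).
bad_hosts=$(mktemp)
good_hosts=$(mktemp)
trap 'rm -f "$bad_hosts" "$good_hosts"' EXIT
printf '127.0.0.1\tlocalhost node1.example.org node1\n' > "$bad_hosts"
printf '127.0.0.1\tlocalhost\n192.0.2.17\tnode1.example.org node1\n' > "$good_hosts"

for f in "$bad_hosts" "$good_hosts"; do
    if loopback_bound node1 "$f"; then
        echo "node1 -> loopback, hostid $(expected_hostid node1 "$f") (same on every node)"
    else
        echo "node1 -> $(hosts_addr_for node1 "$f"), hostid $(expected_hostid node1 "$f")"
    fi
done
```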




Re: a quick poll: what are your favourite linux power tools?

2011-04-26 Thread Brett Viren
Robert P. J. Day rpj...@crashcourse.ca writes:

   thanks for any suggestions.

Version control (git, hg, svn, cvs).  With the short time you have, the
students can at least learn such things exist and their concepts, if not
maybe time for a lot of hands-on use.

A section on Driving Bash would be useful where you can teach the
tricks of how to effectively use the command line.  Although a lot of
that isn't appreciated until one slogs through without them.  Some
examples: pushd/popd and cd - to reuse previous jumps, setting the
prompt to know where you are.  Maybe some basic scripting.  It could
contain a Training your Fingers section: C-r searching and C-p/C-n
browsing of command history. M-/ completion, TAB completion,
C-a/C-k/C-y/C-e/M-f/M-b/M-d dorking about with the current command line.
M-. insertion of last word of last command.  That kind of stuff.

-Brett.




Re: forum for Scientific Linux users

2011-03-25 Thread Brett Viren
William Scott will...@magicwilly.info writes:

 How do you people filter mailing list messages?

Procmail.  For this and other FNAL lists I use this recipe:

:0
* ^Sender: .*@listserv.fnal.gov
* ^Sender: owner-\/[^@]+
$MAILDIR/.fnal.lists.$MATCH/

-Brett.




Messing with the kernel (Was: Hyper-V Synthetic drivers on SL6)

2011-03-03 Thread Brett Viren
Troy Dawson daw...@fnal.gov writes:

 It has been the tradition of Scientific Linux to never mess with the
 kernel.  It's not a matter of not knowing how to recompile the kernel,
 it's a matter of support.  We don't have the resources to support a
 second kernel.

With the recent change in Red Hat's business tactics, messing with the
kernel apparently just got more difficult:

http://www.h-online.com/open/news/item/Controversy-surrounds-Red-Hat-s-obfuscated-source-code-release-1200554.html

Or, maybe, now we should just consider Red Hat's kernels to come
pre-messed.


-Brett.

PS: my guess is that RH will not continue with this silly behavior.
They should really know better.




Re: ROOT on SL 4 and SL 5

2010-08-25 Thread Brett Viren
Hi Stephan,

Stephan Wiesand stephan.wies...@desy.de writes:

 I have my doubts regarding a generally useful ROOT build, though: This
 software has tons of build time options, often depending on external
 software. A one size fits all build would probably depend on a dozen
 or more additional packages most users won't care for. On the other
 hand, building ROOT for a certain use case is fairly trivial. This may
 explain why there are few prebuilt packages around.

The built-in Debian and Red Hat package builders that come with ROOT
build out to an array of binary packages (at least it is true for the
Debian target - I haven't actually tried the RH one).  So there is some
granularity in what one can install.

I agree with you that it seems most people need to pick and choose ROOT
versions beyond what may be provided in binary form.  Another aspect is
that many users of ROOT use it as part of a larger suite and they have
tools that install the suite, including ROOT.  Trying to use a
system-install of ROOT is a shoe-horning effort.  This was the reason
the Debian packages were never a good fit for me (despite supporting
Christian's good work on making them).

An individual not tied to an exact version could benefit from binary
packages.  But, I wonder what fraction of existing or potential ROOT
users fall into that category.

Regards,
-Brett.





SL 5x EOL?

2010-08-02 Thread Brett Viren
Hi,

On:

  http://www.scientificlinux.org/distributions/

I see that SL 5x will be supported Until at least 2012-02-02.  Is
there an estimate on how much past that date it might be supported?

Thanks,
-Brett.






Re: Memory footprint on 64bit SL vs. 32bit

2010-04-28 Thread Brett Viren
Thanks Stephan and Peter,

Peter Elmer peter.el...@cern.ch writes:

 We are actually preparing some proposals/recommendations about
 measuring memory use, as in addition to this VSIZE/64bit confusion the
 introduction of multicore applications which share memory also
 misleads people...

This is interesting.  I didn't know about the nuances you two bring up.
Peter, can you send a link whenever your document is available?

Stephan, we have been looking at /proc/PID/status's VmSize and VIRT from
top which I think are the same.  

For our Gaudi/Geant4/ROOT/Python based job on 64bits we see a size of
about 1GB after initial loading including Geant4 data sets and the
geometry.  This then plateaus to an eventual 1.5GB as we encounter rarer
and rarer upward fluctuations in event size (our Boost pools based
memory manager only grows as needed, never shrinks).  On 32 bits I'm
used to seeing about 50% of these numbers.

I'll look into the suggestions you both gave.

Thanks,
-Brett.





Memory footprint on 64bit SL vs. 32bit

2010-04-26 Thread Brett Viren
We recently started running our C++ analysis code on 64bit SL5.3 and
have been surprised to find the memory usage is about 2x what we are
used to when running it on 32 bits.  Comparing a few basic applications
like sleep(1) show similar memory usage.  Others, like sshd, show only a
30% size increase (maybe that is subject to configuration differences
between the two hosts).

I understand that pointers must double in size but the bulk of our
objects are made of ints and floats and these are 32/64 bit-invariant.
I found[1] that poorly defined structs containing pointers can bloat
even on non-pointer data members due to the padding needed to keep
everything properly aligned.  It would kind of surprise me if this is
what is behind what we see.

Does anyone have experience in understanding or maybe even combating
this increase in a program's memory footprint when going to 64 bits?

Thanks,
-Brett.

[1] http://www.codeproject.com/KB/winsdk/Optimization_64_bit.aspx#IDAJLKNC




Re: New Computer purchase, what parts?

2010-04-14 Thread Brett Viren
Chris Tooley ctoo...@uvic.ca writes:

 Of course I'm also searching around already but I was wondering if
 anyone had any suggestions from which I could start.

Since it will be a workstation, I would spend some effort to provide a
quiet system.  Spec quiet fans, lower wattage CPUs, etc.

I've had good luck with:  http://www.aslab.com/

They offer CentOS 5.4 (among others) so getting SL 5.x working is a
pretty sure bet.

-Brett.




No, yum, gcc43 not gcc44

2010-03-19 Thread Brett Viren
This is probably a FAQ but I couldn't find the answer.

I want to install gcc43 packages on SL 5.3 64bit so I do:

  yum install gcc43 gcc43-c++ gcc43-gfortran

But yum ignores my command and says that gcc43 is obsoleted by gcc44
and instead installs gcc44!  Complete insolence.

How can I tell yum to actually do what I tell it to do?

Thanks,
-Brett.


Re: No, yum, gcc43 not gcc44

2010-03-19 Thread Brett Viren
Hi Pete,

Peter Elmer peter.el...@cern.ch writes:

 There were also other oddities about the gcc43 preview build, e.g. 
 difficulties building boost, that caused the LHC experiments to reject it 
 in favor of our own build(s) of the stock gcc43x. (Subsequent to that 
 decision 
 the preview switched to gcc4.4...)

Funny you should say this!  I'm trying to get gcc43 installed just so I
can match what is on the nodes on our RACF farm which are heavily
influenced by ATLAS's needs.  However, I see that the stock
gcc43-4.3.2-7.el5 packages installed.  FWIW, we also rely on Boost and
I've built it (v1.38) with gcc43 and didn't see any problems.  

Thanks,
-Brett.


Re: Loadable shell modules

2010-02-12 Thread Brett Viren
Hi John,

Reddy, John jre...@bnl.gov writes:

 Does anyone have this tool, know what it's called, who's developing
 it, etc?  Yes, I know, horribly, terribly vague software description.
 Here's the context, which may help identify it.

FWIW, PDSF.nersc.gov uses it.  Maybe you could ask someone there for
their experience.

On my own little cluster I use something called usepackage

  http://sourceforge.net/projects/usepackage/

It's also in Debian, maybe others, but it is easy to build from source.

One nice thing I like about usepackage is that you can have a
decentralized set of package environment definitions.  I use this to
create definitions for each experiment or group that uses my cluster and
then individual users can include whichever ones matter for their own
account.  It also lets me manage different releases of an experiment's
code.

-Brett.


Re: script needed

2010-02-02 Thread Brett Viren
vivek chal vivekat...@gmail.com writes:

 I need a script such that when someone login to my machine using ssh he will
 get a message on his/her screen
 like  Welcome to Vivek's Cluster

 Can anybody help me in doing this?

Also see the Banner configuration item in /etc/ssh/sshd_config to set
a file that will be presented to the user before they offer their
authentication.

-Brett.


Re: changing login/default shell

2010-01-21 Thread Brett Viren
suvayu ali fatkasuv...@gmail.com writes:

 I have tried all those possibilities, everyone of them give me the
 same error! I get the same error even if I provide no arguments. As
 far as I understand this, if no arguments are provided chsh is
 supposed to prompt me for a shell.

Maybe you are picking up an unexpected chsh program.  Does 

  which chsh

return /usr/bin/chsh?

-Brett.


Re: one-sided ssh connection, restricted access to X.

2009-12-07 Thread Brett Viren
William Shu ws...@yahoo.com writes:

 [r...@csc101a wss]# emacs 
 [1] 4833
 [r...@csc101a wss]# Xlib: connection to :0.0 refused by server
 Xlib: No protocol specified

 emacs: Cannot connect to X server :0.0.
 Check the DISPLAY environment variable or use `-d'.
 Also use the `xhost' program to verify that it is set to permit
 connections from your machine.

Don't use xhost.  It leads to insecure behavior and in most cases buys
you nothing useful that you can't do better in other ways.  Here are
several:

First, maybe it is enough for you to simply run emacs in the terminal:

  emacs -nw

Otherwise, you can SSH to root and X11 should be forwarded correctly
(maybe you need -Y or a .ssh/config entry to make X11 forwarding the
default).

If you don't have SSH properly forwarding X11 and/or don't want to use
SSH in this case and your root session is on the same machine as that
running your X11 session you can do this (assuming bash):

  export DISPLAY=:0.0
  export XAUTHORITY=~USERNAME/.Xauthority
  emacs 

Or, if installed you can do:

  gksu emacs

or if installed and correctly configured:

  gksudo emacs


Luck,
-Brett.


Re: Logo Contest - Judging beginning

2009-10-21 Thread Brett Viren
Troy Dawson daw...@fnal.gov writes:

 I am going to officially say that we cannot accept any more logo's,

And I was just going to suggest: Tux with a wreath of DNA on his head,
an atomic tattoo on his belly and toasting the viewer with an Erlenmeyer
flask full of beer.

Oh well,
-Brett.


Re: Logo Contest for SL6 extended

2009-10-01 Thread Brett Viren
Dr Andrew C Aitchison a.c.aitchi...@dpmms.cam.ac.uk writes:

 Something about the linear icon + text is too late 80s
 early 90s corporate for me.
 Are people happy with the reminder of the early SGI icon
 http://insidehpc.com/wp-content/uploads/2009/03/silicon_graphics_logo_new.jpg
 ?

Heh, well, I guess the lab sponsoring SL is:

http://www.fnal.gov/fnalincludes/images/logo-fnal.jpg

-Brett.


Re: OpenLDAP for authentication with OpenSSH?

2009-01-14 Thread Brett Viren
Michael Hannon j...@physics.ucdavis.edu writes:

 Greetings.  We're exploring the use of OpenLDAP as an authentication
 service on an SL 5.2 system (i386).  (Yea, I know: welcome to the 20th
 century.)  We'd like to be able to use it to enable logins via ssh,
 among other things.

 If you have a recipe for doing such things, will you please send me a
 pointer to it?  Thanks.

Yes, I do this for my group's workstations and department's servers.  

I run a predominantly Debian environment, but besides the exact names
of the packages you need to install, my notes should be fairly general
and apply to an SL based install.  You can take a look here:

http://www.phy.bnl.gov/computing/index.php/Ldap_Authentication_Server

For me the trickiest part was getting the client PAM config correct in
order to support pam_check_host_attr so as to limit who can log into
what machine.  Almost all instructions I read, at that time, simply
got this wrong.


I have also developed some Python code to manage LDAP for this purpose
and have customized things to integrate am-util's automounter and
puppet configuration management.  If you (or others) are interested in
any of this let me know and I can elaborate.

-Brett.


Re: New logo for SL6?

2009-01-08 Thread Brett Viren
Troy Dawson daw...@fnal.gov writes:

 It's not that I don't like the current logo.  I think it's great, and
 we're all very grateful for William Somsky for creating it.  But it
 was designed for Scientific Linux 4.  It has 4 electron's, proton's
 and neutron's.  And it would be nice to get a new one for Scientific
 Linux 6, with 6 electrons, proton's and neutron's.

Consider incorporating the Standard Model 6 leptons and 6 quarks into
the design?

-Brett.


Re: Security Breach

2008-10-02 Thread Brett Viren
Faye Gibbins [EMAIL PROTECTED] writes:

 Dr Andrew C Aitchison wrote:

 ssh-agent means that although the ssh keys aren't stored on disk
 they *are* held in memory much of the time. Given that many laptops
 are suspended and rarely rebooted, do you have a way of ensuring
 that the machine regularly reconfirms the user's identity ?


 Kerberosized ssh.

Another, somewhat arcane, option is to use OpenPGP smart cards along
with GnuPG's gpg-agent.  The keys remain on the card and the card does
the PGP authentication.  Take the card out of the reader and no
subsequent authentication can be done.

I've evaluated this method and it does work but requires some amount
of effort to set up.  As far as I know there is only one supplier[1].
I also don't expect it to work on non-Linux platforms.  But, besides
all these negatives, it is a nice solution that also gives the user
the usual benefits of PGP.


-Brett.

[1] http://www.g10code.com/p-card.html


Re: Security Breach

2008-10-02 Thread Brett Viren
Rhys Morris [EMAIL PROTECTED] writes:

 The disadvantage of ssh keys was made clear to us recently when a
 machine in a different University was root compromised. The attackers
 stole all the ssh keys they could find, and briefly obtained access to
 my systems via the account of a former student.

 Should you allow ssh key access from machines you have no control
 over?

Are there any remote login mechanisms that would stay secure in light
of a root compromise?  

For example, you could make your server only allow one-time passwords
which would be very secure since the secret is not even stored on the
compromised machine.  However, the SSH client could be trojaned to
always force master mode to be on and to allow a legitimate
connection to be shared for subsequent illegitimate connections by the
intruder.

-Brett.


Re: obscure iptables rules [Re: Security Breach]

2008-10-01 Thread Brett Viren
Christopher Hunter [EMAIL PROTECTED] writes:

 A few months ago someone posted iptables rules using the hitcount
 module to limit the rate of new ssh connections (from an ip address).
 Does anyone use this ? Does it work ?

 Can someone repost the rules ?

Attached is the script I started using after the brute force attempts
started.  Using it drastically reduced the number of bogus password
attempts.  Typically, any particular attempt would give up and
not restart after the block expired.  Now we disallow passwords
entirely on any publicly visible SSH server (and so should you) so
it's less useful.

Regards,
-Brett.



iptables.sh.gz
Description: GNU Zip compressed data
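
The attached script is not reproduced in this archive. As an added example (not the original iptables.sh), here is one common way to rate-limit new SSH connections per source address with the iptables "recent" match and its hitcount option, together with a small model of which attempts the rules would drop. The port, list name, window and hit count are assumed values.

```shell
#!/bin/sh
# Added example (not the attached iptables.sh): per-source rate limit for new
# SSH connections using the iptables "recent" match.
# Assumed values: port 22, list name SSH, 60 s window, 4th attempt dropped.
SSH_PORT=22
LIST=SSH
WINDOW=60
HITCOUNT=4

# Print the rules for review; pipe the output to `sh` as root to load them.
# Only NEW connections are handled here; established traffic needs its own
# ACCEPT rule elsewhere in the chain.
ssh_ratelimit_rules() {
    match="-p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name $LIST"
    # 1. Record the source address of every new connection attempt.
    echo "iptables -A INPUT $match --set"
    # 2. Drop the attempt if this source now has HITCOUNT or more attempts
    #    inside WINDOW seconds; --update also refreshes its last-seen time.
    echo "iptables -A INPUT $match --update --seconds $WINDOW --hitcount $HITCOUNT -j DROP"
    # 3. Anything that got this far is under the limit.
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
}

# Simplified model of rules 1 and 2 for a single source address.
# simulate WINDOW HITCOUNT T1 T2 ...  (attempt times in seconds, ascending)
# prints ACCEPT or DROP for each attempt, space separated.
simulate() {
    window=$1
    hitcount=$2
    shift 2
    stamps=""
    out=""
    for now in "$@"; do
        stamps="$stamps $now"        # rule 1: every attempt is recorded
        hits=0
        for s in $stamps; do         # rule 2: count attempts inside the window
            if [ $((now - s)) -lt "$window" ]; then
                hits=$((hits + 1))
            fi
        done
        if [ "$hits" -ge "$hitcount" ]; then
            out="$out DROP"
        else
            out="$out ACCEPT"
        fi
    done
    echo "${out# }"
}

ssh_ratelimit_rules
# A burst is cut off at the 4th attempt; a later, isolated attempt is let in.
echo "burst then pause: $(simulate "$WINDOW" "$HITCOUNT" 0 5 10 15 20 100)"
# A source that keeps trying every 10 s stays blocked, because dropped
# attempts are still recorded.
echo "steady hammering: $(simulate "$WINDOW" "$HITCOUNT" 0 10 20 30 40 50 60 70)"
```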


Re: [5.1] Logged-in users aren't seen

2008-08-15 Thread Brett Viren
Andrea [EMAIL PROTECTED] writes:

 Il 15/08/2008 alle 10:57, Dr Andrew C Aitchison ha scritto:

 Login processes have to register with utmp, but not all login
 processes have permission to do this (essentially by writing to
 /var/log/wtmp).  xterm is the program which springs to mind as
 sometimes not having permission to do this.

 Interesting. I don't know much about this topic, so any pointers are
 welcome.

I don't have access to SL5.1 but on 4.4 xterm has no set-u/g id bit:

[EMAIL PROTECTED]:~ ls -l /usr/bin/xterm
-rwxr-xr-x  1 root root 258396 Nov 15  2007 /usr/bin/xterm*

On my Debian workstation:

[EMAIL PROTECTED]:~ ls -l /usr/bin/xterm
-rwxr-sr-x 1 root utmp 318832 Mar 19 10:09 /usr/bin/xterm*
[EMAIL PROTECTED]:~ ls -l /var/log/wtmp
-rw-rw-r-- 1 root utmp 109440 Aug 15 11:25 /var/log/wtmp

So the set-gid utmp lets xterm write to wtmp.  I can't conceive of why
TUV doesn't do this as well.

Cheers,
-Brett.


Re: problem with cd ~user

2007-11-01 Thread Brett Viren
Zhi-Wei Lu [EMAIL PROTECTED] writes:

 After a power outage last night,  one  of my SL 4.5 (x86_64) server
 failed to do
 cd ~user
 however,
 cd /home/user
 still works fine

Any filesystem damage?  Any files found in lost+found/ sub
directories?

 Does anyone see problem like this before?  I am using autofs via ldap to
 mount home directory.
 This prevents apache to mount user home directory
 (http://www.server.com/~user)

The ~user to /home/user conversion is done through NSS.  
Check that /etc/nsswitch.conf is still around and correct.

Are you using LDAP for user info?  If so, check libnss-ldap.conf (or
whatever the equivalent might be in SL).  If just using local
passwords check /etc/password.

-Brett.


Re: Does SELinux really worth it?

2007-07-24 Thread Brett Viren
Stephen John Smoogen [EMAIL PROTECTED] writes:

 I end up tearing my hair out at times.. but its
 usually figuring out why some software does something that no-one
 would believe software would need to do.

An ignorant question: can SELinux be configured to log any action that
it blocks?  I would think this would make finding what software has
gone beyond what expectations pretty obvious.

-Brett.


Minimal chroot install method?

2007-05-07 Thread Brett Viren
Hi,

I would like to lay down a minimal SL4 install to be used only via
chroot running from the hosting distribution (Debian).  I don't need
kernel, bootloader, init scripts nor any servers. I just need enough
to build and run some 3rd party software (Gaudi+LCGCMT).

In Debian there is debootstrap to accomplish this.  Is there
something equivalent in SL or does anyone have pointers on how to
build this chroot install?

Thanks,
-Brett.


Re: Minimal chroot install method?

2007-05-07 Thread Brett Viren
John Hearns [EMAIL PROTECTED] writes:

 Brett Viren wrote:
 In Debian there is debootstrap to accomplish this.  Is there
 something equivalent in SL or does anyone have pointers on how to
 build this chroot install?

 http://rpmstrap.pimpscript.net/

 Any use to you?

It's even packaged in Debian!

http://packages.debian.org/stable/admin/rpmstrap

Thanks,
-Brett.