libera/#devuan/ Saturday, 2021-01-09

00:18 <nemo> "latest debian" is awfully vague
00:19 <numzob> that would be "sid"?
00:19 * numzob may have misunderstood the question
17:00 <e3d3> maybe another stupid question, but: I don't have ssh-agent activated on startup, but I see that something else did. What programs are using ss-agent?
17:01 <e3d3> ss-agent = ssh-agent
17:01 <e3d3> :)
17:01 <gnarface> nothing I have installed
17:01 <gnarface> some gnome-keyring thing maybe
17:04 <e3d3> can I de-install all ssh-related stuff because I never use ssh, and don't feel safe with it installed?
17:04 <gnarface> yes
17:05 <fsmithred> in my case, lxdm-session starts ssh-agent (pstree told me)
17:05 <e3d3> so I won't get problems with sudo, connecting to the internet, etc.?
17:05 <gnarface> you probably want to remove rpcbind too
17:06 <gnarface> if you're not using ssh I assume you're not using nfs either
17:06 <e3d3> I even don't no what nfs means
17:06 <e3d3> no = know
17:06 <djph> Network File System
17:06 <djph> now you do :)
17:07 <e3d3> thanks, no I guess I don't use that, or ssh must activate it behind my back.
17:07 <djph> e3d3: as long as you don't have openssh-server installed (sshd), there's not exactly anything to be "afraid of"
17:07 <djph> you just have a client, so you can ssh to a remote host.
17:08 <e3d3> djph: not to insult you, but I'm very bad at trusting 'safe/honest' software.
17:08 <e3d3> better safe than sorry
17:09 <djph> e3d3: I mean it's "safe" in that _you_ have to invoke it. Might as well delete all the CA certificates too, since they're "safe/honest"
17:09 <e3d3> I prefer to deinstall it. Normally I boot once every 1-3 months, then immediately check running processes (htop) and kill 2 ssh-related progs
17:10 <djph> your choice
17:10 <gnarface> e3d3: you don't need to justify removing unused software on a production system... his point is just that the ssh client has to be invoked (it's not a daemon) and the ssh-agent doesn't do anything at all unless you make keys for it
17:10 <e3d3> djph: I never need ssh, but I guess I need the certificates. I prefer minimal risk with things that are too big, complex etc. for me to control
17:11 <djph> e3d3: TLS certs certainly fall within "too big/complex for you to control" though
17:11 <e3d3> gnarface: I understand, but seeing it active on almost every distro, or starting although there should be no remote control, doesn't comfort me.
17:12 <djph> e3d3: "ssh-agent" is a KEYRING MANAGER; that's all
17:12 <djph> it's also a stupid name
17:12 <gnarface> e3d3: well, when I do installs (and I would recommend you do this too), when I get to the tasksel stage, I just uncheck everything
17:12 <gnarface> then you only
17:13 <e3d3> ... bad connection ... ?
17:13 <gnarface> *then you only need to add what you want
17:14 <e3d3> gnarface: I don't think I understand you. You mean that I could have deselected the ssh-agent install?
17:16 <e3d3> anyway, I'd better first find out what started ssh-agent before removing it.
17:17 <gnarface> e3d3: yes, you don't have to install anything in the first place
17:17 <gnarface> well, almost nothing, anyway
17:18 <gnarface> if you take defaults or if you get a bunch of free stuff
17:18 <gnarface> s/or//
17:18 <gnarface> sorry
17:18 <e3d3> :)
17:18 <gnarface> distracted
17:18 <gnarface> you get my point
17:19 <gnarface> the live installer is different though
17:20 <gnarface> hmm, I also only do expert mode installs
17:20 <gnarface> that might also be why you don't see that question
17:21 <gnarface> I forget, really
17:24 <djph> expert mode is (IIRC) the only way to get tasksel
17:28 <e3d3> I did minimal installs etc. but can't bring up the concentration/effort etc. for all OS facets. E.g. I can set myself to read about fonts, colors, new internet conventions. Now I prefer a basic out-of-the-box system and ignore or remove unwanted content, so I can spend my energy on my own work.
17:29 <e3d3> E.g. I can = E.g. I can NOT
17:32 <e3d3> it breaks me if I have to spend one day discovering that a supposedly hidden taskbar obscures part of my text with the background color.
17:33 <e3d3> I'm going to try whether reconnecting to the internet invokes the ssh-agent
17:37 <e3d3> It didn't, nor did using a sudo command, so now I'm going to reboot to check out what invoked the ssh-agent (that I killed too quickly).
17:38 <e3d3> Thanks again for helping, and don't take my paranoia personally. I'm just an old fool
17:38 <e3d3> sorry if I bothered you with it
22:11 <rwp> djph, We might be using different installers, but tasksel is called at the end of normal (non-expert) installs too.
22:11 <rwp> djph, I usually select nothing there, not even essential, because that pulls in exim, which I immediately replace with postfix.
22:13 <Xenguy> rwp: Hi, I tend to prefer postfix over exim myself, but up to now I've just been accepting the default...
22:13 <rwp> It's not the end of the world to have had exim installed, then purged and postfix installed.
22:14 <Xenguy> When you use postfix instead of exim, how much post-install configuration is typically required?
22:14 <rwp> The only real difference that I know of is that the /etc/aliases file is then pre-existing with exim defaults.
22:14 <Xenguy> huh
22:14 <rwp> Postfix configuration depends very much upon what it is being used for, and so there is no simple answer.
22:15 <rwp> I have always run my own standalone mail server on my main mail relay and therefore that one is quite extensive.
22:15 <rwp> But for all of the random other systems the configurations there are really very simple.
22:15 <Xenguy> I no longer use the MTU(?) extensively, so it would just be for local delivery, I think
22:16 <rwp> For local delivery only, then any of the package installation selections from the dialog would be okay.
22:16 <Xenguy> Sounds pretty simple then, thanks
22:17 <rwp> Regarding /etc/aliases, exim seeds the file with a dozen typical aliases for news, usenet, www, ftp, and so forth that are not really apropos these days. Postfix does not.
22:17 <rwp> Xenguy, https://paste.debian.net/1180382/
22:18 <rwp> It's a pretty small difference in the grand scheme of things.
22:19 <rwp> If the system is on a LAN then it is not anything to be concerned about. If the system is an incoming mail relay then those are all spam targets that can be avoided by not having them.
22:19 <rwp> The only two that really need to be there are abuse and postmaster, in order to play nice with the community and standards.
22:19 <rwp> Then of course one should route root's mail to a mailbox that will be read.
22:20 <rwp> But for ftp, news, usenet, those are definitely not desired when those services are not being used.
22:20 <rwp> s/MTU/MTA/ Maximum Transmission Unit != Mail Transfer Agent :-) :-)
22:22 <Xenguy> hah, that's my memory playing games again: I only recall that there are 2 TLAs, one for mail servers, and one for mail clients
22:22 <rwp> Just for extra security I recommend setting "inet_interfaces = loopback-only" so that there is no incoming SMTP possible.
22:23 <rwp> MUA Mail User Agent, (mutt FTW!) and I think that is the complete set of TLAs for mail.
22:23 <rwp> With inet_interfaces = loopback-only then it binds to 127.0.0.1 only and then no spam or abuse can enter. Good when that is just not needed.
22:23 <Xenguy> That's it :-) MUA and MTA then.
22:24 <rwp> However note that inet_interfaces = loopback-only affects only *incoming* connections. Of course *outgoing* connections may still proceed.
22:24 <rwp> So a send-only leaf node can still send mail to another system okay.
22:25 <Xenguy> Cool, thanks for the pointers
22:25 <rwp> Which still means that if someone sets up Wordpress or whatever and has a security penetration and it sends spam out, then out it goes through that access.
22:27 <Xenguy> It's mostly just receiving mail from daemons that I need, and yes, I do remember my days of using Mutt as my daily driver quite fondly :-)
22:27 <rwp> Agreed. It's mail notifications from the system that I think are important, to always have some way to read root's email at least.
22:27 <rwp> Anyway... It is only because exim is marked as essential and is pulled in by tasksel for essential that I decide not to install it by default.
22:28 <Xenguy> Stands to reason
22:28 <rwp> But then I script everything, and I run the configuration scripts afterward and they install everything and configure it as per my setup.
22:29 <rwp> Since I am doing this quite a bit, the advantage is that when things are scripted then they are applied consistently.
22:29 <Xenguy> That sounds convenient; are you leveraging dpkg --get-selections at all?
22:29 <rwp> However if I set up a truly one-off system then I do often just hack and slash on it manually and accept that it isn't reliably set up the same as others.
22:30 <rwp> No. I am not using the dpkg --get/set-selections method. I simply install a list of packages. And then configure those packages.
22:31 <rwp> The problem I run into (which others may have solved differently) is that I only want to tag the main package as manually installed. I want the rest to be marked as auto installed.
22:31 <rwp> So that later 'apt-get autoremove' will keep them available as candidates for removal. Especially libraries.
22:31 <rwp> That means that upgrades work nicely and autoremove keeps things clean by removing now-replaced library packages.
22:32 <rwp> bind9 for example is always top of tree now and rolls libraries with *every* upgrade. So those dependent libraries I want to autoremove after they are no longer needed. Or there would be dozens and dozens of obsolete copies of them left behind.
22:33 <rwp> And old kernels. And other mostly library-related packages. But also "php" pulls in php5, php7.0, php7.2, and so forth as the versions roll forward over time.
22:34 <Xenguy> Looks like your configuration process is deep :-)
22:35 <rwp> Well... Yes! :-)
22:35 <rwp> I don't happen to use puppet, chef, salt, ansible, or what have you because about 20 years ago I wrote my own.
22:36 <rwp> And have been using it pretty much continuously ever since. And since I wrote it, therefore I know it. And so I use it instead of one of the well known ones.
22:36 <rwp> But having a system like those is very important if you are rolling out new systems as a routine occurrence.
22:37 <rwp> If you are interested in the philosophy side of it then http://www.infrastructures.org/ is where it all started.
22:38 <rwp> I am not associated with that site in any way other than citing it for reference. "Bootstrapping the Infrastructure" was an early paper published on the topic. Stale now but the concepts...
22:44 <Xenguy> Cool, will have a look. I don't roll new systems on a regular basis, but it would be handy to have something in place for when I do do a fresh install.
23:02 <rwp> Only because Python is so popular, but I will hazard a guess that Ansible is the most popular system configurator framework these days.
23:11 <rwp> Until systemd decides to implement it itself. (Did I actually say that? Or just think it?)
23:16 <Xenguy> haha
23:18 <tarzeau> rwp: I'm glad it's only popular. Which is in no way related to quality
23:18 <tarzeau> rwp: we had also written our own, it is called dphys-config (the config format was great, the transport not so efficient)
23:19 <tarzeau> rwp: I've yet to see others use ansible for linux workstation deployment (I do that)
23:20 <tarzeau> rwp: I've found myself sorting out using parallel over ansible, as it's horribly slow at some point
23:22 <rwp> I haven't actually used Ansible myself so don't know enough to comment upon it.
23:22 <tarzeau> I've found it utterly cumbersome for workstation configuration (being used to dphys-config, unix-style single-line configuration for a thing)
23:23 <tarzeau> and the run time didn't get me either
23:23 <rwp> I haven't used dphys-config either. But I am using dphys-swapfile! :-)
23:23 <tarzeau> haha, we stopped using dphys-swapfile long ago. We use zram now by default, and btrfs compressed file systems, nohang, and xz for kernel compression
23:24 <tarzeau> and I'm all for rotating platter + more ram, rather than ssd (for machines being up 24/7)
23:25 <tarzeau> we've got like 100 gb binary software for /opt, and like 20 gb of deb packaged software (4000 packages) per workstation
23:25 <tarzeau> and I'm a big fan of eatmydata apt-get install all-the-stuff (huge speed boost)
23:25 <rwp> Huge speed boost.
23:25 <rwp> But rather the actual problem is *huge speed loss* by the additional cache-busting fsync() calls that were added.
23:26 <rwp> Those folks would prefer not to have any caching at all. Because!
23:28 <rwp> As a reaction I have seen a lot of movement to doing stuff in /tmp as a tmpfs, for which fsync() is a noop, and then copying the result back, so avoiding the fsync() cache busting.
23:28 <tarzeau> I use a nice trick to install tar.gz to /opt: download the thing and unpack it right to the filesystem (wget pipe tar xf), instead of download, write to disk, unpack, remove download file (also saves the problem with disk space for huge software packages)
23:28 <tarzeau> I wish that was possible for debs
23:29 <rwp> With enough RAM and dynamic file system buffer cache (where cache is actually used) the result _should_ be similar.
23:32 <tarzeau> but the compressed content downloaded deb/tar.xz/tar.gz is different from its unpacked content
23:32 <tarzeau> so everything goes twice through disk, cache
23:32 <rwp> Before rsync became such a good kitchen swiss army sink for file copies that we use it everywhere without thinking, it was common to ssh remotehost tar czf - path | ssh remotehost tar xzf -
23:33 <rwp> Yes on deb format, but with enough file system buffer cache that might all happen in memory.
23:34 <rwp> And if it weren't for the cache busting then "apt-get upgrade -y ; apt-get clean" (and similar) might happen before the updated sync daemon decides those dirty pages need to be written to disk.
23:35 <tarzeau> is that disk firmware cache (16mb or 64mb depending on disks) or linux memory caching?
23:35 <rwp> At one time in the Linux kernel one could tar xzf, cd, make, make check, cd .., rm -rf, and it would all happen before the disk sync wrote anything to disk.
23:35 <rwp> Linux kernel dynamic file system buffer cache.
23:36 <tarzeau> I see... until someone runs "sync"
23:36 <rwp> Right. Or codes fsync() into the code everywhere. That's what eatmydata overrides with an LD_PRELOAD library.
23:36 <tarzeau> let me guess, you don't use btrfs, because at some point swapfiles would not work with btrfs (I think recently they fixed it)
23:36 <tarzeau> ack
23:37 <rwp> I have not ever used btrfs myself. And frankly I was surprised to hear it was in such heavy use by some of the big players.
23:37 <tarzeau> my todo list also has: benchmark runtimes of binaries built with clang vs gcc, and using mimalloc (with stuff that's doing lots of malloc calls) (need to profile the stuff first)
23:37 <tarzeau> I used xfs for 10 years, but in the recent 5 years switched to btrfs for the live compression
23:38 <rwp> tarzeau, You should join #devuan-offtopic and we should continue there. It's drifted pretty far from Devuan Stable support here...

Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!