From mspitzer at gmail.com Mon Oct 3 18:28:45 2011 From: mspitzer at gmail.com (Marc Spitzer) Date: Mon, 3 Oct 2011 18:28:45 -0400 Subject: [nycbug-talk] a righteous ssh hack, or how to do fine grained auth with only one login Message-ID: http://sitaramc.github.com/gitolite/doc/gitolite-and-ssh.html how does gitolite use all this ssh magic? These are two different questions you ought to be having by now: how does it distinguish between me and someone else, since we're all logging in as the same remote user "git" how does it restrict what I can do within a repository its a cool hack go read -- Freedom is nothing but a chance to be better. --Albert Camus ?The problem with socialism is that eventually you run out of other people's money. --Margaret Thatcher From bonsaime at gmail.com Mon Oct 3 21:20:19 2011 From: bonsaime at gmail.com (Jesse Callaway) Date: Mon, 3 Oct 2011 21:20:19 -0400 Subject: [nycbug-talk] a righteous ssh hack, or how to do fine grained auth with only one login In-Reply-To: References: Message-ID: On Mon, Oct 3, 2011 at 6:28 PM, Marc Spitzer wrote: > http://sitaramc.github.com/gitolite/doc/gitolite-and-ssh.html > > how does gitolite use all this ssh magic? > > These are two different questions you ought to be having by now: > > how does it distinguish between me and someone else, since we're > all logging in as the same remote user "git" > how does it restrict what I can do within a repository > > its a cool hack go read > > -- > Freedom is nothing but a chance to be better. > --Albert Camus > > The problem with socialism is that eventually you run out > of other people's money. > --Margaret Thatcher > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > A really fugly hack that I've done in the past does the reverse, where this might be desirable. You can have individual users/passwords in the system and then vipw and set the user id to be the same. Totally fuggles, but works where you need to do this. Some would argue you don't need to do this, but those people were not my boss at the time. -- -jesse -------------- next part -------------- An HTML attachment was scrubbed... URL: From mspitzer at gmail.com Mon Oct 3 22:35:56 2011 From: mspitzer at gmail.com (Marc Spitzer) Date: Mon, 3 Oct 2011 22:35:56 -0400 Subject: [nycbug-talk] a righteous ssh hack, or how to do fine grained auth with only one login In-Reply-To: References:

Message-ID: On Mon, Oct 3, 2011 at 9:20 PM, Jesse Callaway wrote: > > On Mon, Oct 3, 2011 at 6:28 PM, Marc Spitzer wrote: >> >> http://sitaramc.github.com/gitolite/doc/gitolite-and-ssh.html >> >> how does gitolite use all this ssh magic? >> >> These are two different questions you ought to be having by now: >> >> ? ?how does it distinguish between me and someone else, since we're >> all logging in as the same remote user "git" >> ? ?how does it restrict what I can do within a repository >> >> its a cool hack go read >> >> -- >> Freedom is nothing but a chance to be better. >> --Albert Camus >> >> ?The problem with socialism is that eventually you run out >> of other people's money. >> --Margaret Thatcher >> _______________________________________________ >> talk mailing list >> talk at lists.nycbug.org >> http://lists.nycbug.org/mailman/listinfo/talk > > A really fugly hack that I've done in the past does the reverse, where this > might be desirable. You can have individual users/passwords in the system > and then vipw and set the user id to be the same. Totally fuggles, but works > where you need to do this. Some would argue you don't need to do this, but > those people were not my boss at the time. > > -- > -jesse > I do know the feeling of speaking logic to management marc -- Freedom is nothing but a chance to be better. --Albert Camus ?The problem with socialism is that eventually you run out of other people's money. --Margaret Thatcher From edlinuxguru at gmail.com Mon Oct 3 23:12:19 2011 From: edlinuxguru at gmail.com (Edward Capriolo) Date: Mon, 3 Oct 2011 23:12:19 -0400 Subject: [nycbug-talk] a righteous ssh hack, or how to do fine grained auth with only one login In-Reply-To: References:

Message-ID: On Mon, Oct 3, 2011 at 9:20 PM, Jesse Callaway wrote: > > On Mon, Oct 3, 2011 at 6:28 PM, Marc Spitzer wrote: > >> http://sitaramc.github.com/gitolite/doc/gitolite-and-ssh.html >> >> how does gitolite use all this ssh magic? >> >> These are two different questions you ought to be having by now: >> >> how does it distinguish between me and someone else, since we're >> all logging in as the same remote user "git" >> how does it restrict what I can do within a repository >> >> its a cool hack go read >> >> -- >> Freedom is nothing but a chance to be better. >> --Albert Camus >> >> The problem with socialism is that eventually you run out >> of other people's money. >> --Margaret Thatcher >> _______________________________________________ >> talk mailing list >> talk at lists.nycbug.org >> http://lists.nycbug.org/mailman/listinfo/talk >> > > A really fugly hack that I've done in the past does the reverse, where this > might be desirable. You can have individual users/passwords in the system > and then vipw and set the user id to be the same. Totally fuggles, but works > where you need to do this. Some would argue you don't need to do this, but > those people were not my boss at the time. > > -- > -jesse > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > > UIDs do not have to be unique however if you are using Name Server Caching Daemon or any other process like windbind that tries to reverse id's to users name if can confuse the heck out processes that assume the mapping is one to one. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ike at blackskyresearch.net Tue Oct 4 09:46:42 2011 From: ike at blackskyresearch.net (Isaac Levy) Date: Tue, 4 Oct 2011 09:46:42 -0400 Subject: [nycbug-talk] a righteous ssh hack, or how to do fine grained auth with only one login In-Reply-To: References: Message-ID: <201110041347.p94Dl3UU005053@rs134.luxsci.com> On Oct 3, 2011, at 6:28 PM, Marc Spitzer wrote: > http://sitaramc.github.com/gitolite/doc/gitolite-and-ssh.html > > how does gitolite use all this ssh magic? > > These are two different questions you ought to be having by now: > > how does it distinguish between me and someone else, since we're > all logging in as the same remote user "git" > how does it restrict what I can do within a repository > > its a cool hack go read Ah, the old a clown car as model for user privilege separation. Rocket- .ike From brian.gupta at gmail.com Tue Oct 4 23:50:47 2011 From: brian.gupta at gmail.com (Brian Gupta) Date: Tue, 4 Oct 2011 23:50:47 -0400 Subject: [nycbug-talk] a righteous ssh hack, or how to do fine grained auth with only one login In-Reply-To: References: Message-ID: >From the section for authorized_keys from the man page for sshd: command="command" Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean chan? nel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it with a backslash. This option might be useful to restrict cer? tain public keys to perform just a specific operation. An exam? ple might be a key that permits remote backups but nothing else. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environ? ment variable. Note that this option applies to shell, command or subsystem execution. I don't know if they are using this exactly, but it is the closest native behavior I know of where different keys under the same account have different behavior. - Brian Gupta New York City user groups calendar: http://nyc.brandorr.com/ On Mon, Oct 3, 2011 at 6:28 PM, Marc Spitzer wrote: > http://sitaramc.github.com/gitolite/doc/gitolite-and-ssh.html > > how does gitolite use all this ssh magic? > > These are two different questions you ought to be having by now: > > ? ?how does it distinguish between me and someone else, since we're > all logging in as the same remote user "git" > ? ?how does it restrict what I can do within a repository > > its a cool hack go read > > -- > Freedom is nothing but a chance to be better. > --Albert Camus > > ?The problem with socialism is that eventually you run out > of other people's money. > --Margaret Thatcher > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > From pete at nomadlogic.org Wed Oct 5 12:18:18 2011 From: pete at nomadlogic.org (Pete Wright) Date: Wed, 05 Oct 2011 09:18:18 -0700 Subject: [nycbug-talk] a righteous ssh hack, or how to do fine grained auth with only one login In-Reply-To: References: Message-ID: <4E8C834A.201@nomadlogic.org> On 10/4/11 8:50 PM, Brian Gupta wrote: > From the section for authorized_keys from the man page for sshd: > > command="command" > Specifies that the command is executed whenever this key is used > for authentication. The command supplied by the user (if any) is > ignored. The command is run on a pty if the client requests a > pty; otherwise it is run without a tty. If an 8-bit clean chan? > nel is required, one must not request a pty or should specify > no-pty. A quote may be included in the command by quoting it > with a backslash. This option might be useful to restrict cer? > tain public keys to perform just a specific operation. An exam? > ple might be a key that permits remote backups but nothing else. > Note that the client may specify TCP and/or X11 forwarding unless > they are explicitly prohibited. The command originally supplied > by the client is available in the SSH_ORIGINAL_COMMAND environ? > ment variable. Note that this option applies to shell, command > or subsystem execution. > > I don't know if they are using this exactly, but it is the closest > native behavior I know of where different keys under the same account > have different behavior. > yea I like that functionality too. we use this currently for puppet configs stored in svn. we have a special RSA key installed on our svn repository for our the UID we run puppet as. so when we have our puppetmaster svn up itself it executes only our predetermined svn co code as defined by "command=svn up command here, $RSA_PUB_KEY" -pete -- Pete Wright pete at nomadlogic.org www.nomadlogic.org From ike at blackskyresearch.net Thu Oct 6 14:20:13 2011 From: ike at blackskyresearch.net (Isaac Levy) Date: Thu, 6 Oct 2011 14:20:13 -0400 Subject: [nycbug-talk] CLANG Presentation Slides? Message-ID: <201110061821.p96IL3sL029311@rs134.luxsci.com> Hi All, If ADAM is on the list, would it be possible for folks to snag your slides from last night's presentation? Excellent presentation- and a good meeting all! Best, .ike From nikolai at fetissov.org Mon Oct 10 14:50:29 2011 From: nikolai at fetissov.org (Nikolai Fetissov) Date: Mon, 10 Oct 2011 14:50:29 -0400 Subject: [nycbug-talk] October 2011 meeting audio Message-ID: Folks, Audio recording of ADAM's clang presentation is online at http://www.fetissov.org/public/nycbug/nycbug-10-05-11.mp3 Apologies for the delay. Cheers, -- Nikolai From nikolai at fetissov.org Mon Oct 10 14:52:16 2011 From: nikolai at fetissov.org (Nikolai Fetissov) Date: Mon, 10 Oct 2011 14:52:16 -0400 Subject: [nycbug-talk] October 2011 meeting audio Message-ID: Folks, Audio recording of ADAM's clang presentation is online at http://www.fetissov.org/public/nycbug/nycbug-10-05-11.mp3 Apologies for the delay. Cheers, -- Nikolai From mspitzer at gmail.com Wed Oct 12 21:58:33 2011 From: mspitzer at gmail.com (Marc Spitzer) Date: Wed, 12 Oct 2011 21:58:33 -0400 Subject: [nycbug-talk] Free Beer, while tickets last Message-ID: http://blog.bitbucket.org/2011/10/10/us-drink-up-tour-come-meet-the-bitbucket-team/ -- Freedom is nothing but a chance to be better. --Albert Camus ?The problem with socialism is that eventually you run out of other people's money. --Margaret Thatcher From skreuzer at exit2shell.com Wed Oct 12 23:23:07 2011 From: skreuzer at exit2shell.com (Steven Kreuzer) Date: Wed, 12 Oct 2011 23:23:07 -0400 Subject: [nycbug-talk] Dennis Ritchie has passed Message-ID: <305539D4-A870-4EA9-88C9-727BF17B4A2C@exit2shell.com> From Rob Pike: https://plus.google.com/u/0/101960720994009339267/posts/ENuEDDYfvKP?hl=en "C is quirky, flawed, and an enormous success." - Dennis Ritchie, on The Development of the C Language From siraaj at khandkar.net Wed Oct 12 23:32:04 2011 From: siraaj at khandkar.net (Siraaj Khandkar) Date: Wed, 12 Oct 2011 23:32:04 -0400 Subject: [nycbug-talk] Dennis Ritchie has passed In-Reply-To: <305539D4-A870-4EA9-88C9-727BF17B4A2C@exit2shell.com> References: <305539D4-A870-4EA9-88C9-727BF17B4A2C@exit2shell.com> Message-ID: <2AD02E01-06DA-461D-8E17-C4F1FE58B56A@khandkar.net> On Oct 12, 2011, at 11:23 PM, Steven Kreuzer wrote: >> From Rob Pike: https://plus.google.com/u/0/101960720994009339267/posts/ENuEDDYfvKP?hl=en > > "C is quirky, flawed, and an enormous success." > - Dennis Ritchie, on The Development of the C Language :( From george at ceetonetechnology.com Wed Oct 12 23:44:27 2011 From: george at ceetonetechnology.com (George Rosamond) Date: Wed, 12 Oct 2011 23:44:27 -0400 Subject: [nycbug-talk] Dennis Ritchie has passed In-Reply-To: <2AD02E01-06DA-461D-8E17-C4F1FE58B56A@khandkar.net> References: <305539D4-A870-4EA9-88C9-727BF17B4A2C@exit2shell.com> <2AD02E01-06DA-461D-8E17-C4F1FE58B56A@khandkar.net> Message-ID: <4E965E9B.5000609@ceetonetechnology.com> On 10/12/11 23:32, Siraaj Khandkar wrote: > On Oct 12, 2011, at 11:23 PM, Steven Kreuzer wrote: > >>> From Rob Pike: https://plus.google.com/u/0/101960720994009339267/posts/ENuEDDYfvKP?hl=en >> >> "C is quirky, flawed, and an enormous success." >> - Dennis Ritchie, on The Development of the C Language > > :( And still not on Slashdot. . . My guess is they'll file under some odd category and say he founded Linux. g From bcully at gmail.com Thu Oct 13 01:15:41 2011 From: bcully at gmail.com (Brian Cully) Date: Thu, 13 Oct 2011 01:15:41 -0400 Subject: [nycbug-talk] Dennis Ritchie has passed In-Reply-To: <4E965E9B.5000609@ceetonetechnology.com> References: <305539D4-A870-4EA9-88C9-727BF17B4A2C@exit2shell.com> <2AD02E01-06DA-461D-8E17-C4F1FE58B56A@khandkar.net> <4E965E9B.5000609@ceetonetechnology.com> Message-ID: <9019CE88-E288-4183-8F4A-DA775AAEA873@gmail.com> On Oct 12, 2011, at 11:44 PM, George Rosamond wrote: > On 10/12/11 23:32, Siraaj Khandkar wrote: >> On Oct 12, 2011, at 11:23 PM, Steven Kreuzer wrote: >> >>>> From Rob Pike: https://plus.google.com/u/0/101960720994009339267/posts/ENuEDDYfvKP?hl=en >>> >>> "C is quirky, flawed, and an enormous success." >>> - Dennis Ritchie, on The Development of the C Language >> >> :( > > And still not on Slashdot. . . > > My guess is they'll file under some odd category and say he founded Linux. I'm really broken up by this. He was a huge figure, even though no one knew who he was. We all owe our livelihoods to him. This is terrible news. -bjc From ike at blackskyresearch.net Thu Oct 13 01:39:07 2011 From: ike at blackskyresearch.net (Isaac Levy) Date: Thu, 13 Oct 2011 01:39:07 -0400 Subject: [nycbug-talk] Dennis Ritchie has passed In-Reply-To: <305539D4-A870-4EA9-88C9-727BF17B4A2C@exit2shell.com> References: <305539D4-A870-4EA9-88C9-727BF17B4A2C@exit2shell.com> Message-ID: <201110130540.p9D5e39b029976@rs134.luxsci.com> On Oct 12, 2011, at 11:23 PM, Steven Kreuzer wrote: >> From Rob Pike: https://plus.google.com/u/0/101960720994009339267/posts/ENuEDDYfvKP?hl=en > > "C is quirky, flawed, and an enormous success." > - Dennis Ritchie, on The Development of the C Language http://cm.bell-labs.com/who/dmr/ My sincerest condolences to all who were friends and colleagues of DMR. -- However, with Dennis Ritchie's life of sharing, time sharing, C, etc..., (/etc even?), I really can't help but feel grief over a fundamental loss- even though I never personally knew him. You get to know someone's brain, their sensibilities at the very least- by working within their code or systems. I feel silly feeling torn up over somebody I never knew personally, but after hacking on UNIX systems for some time now, it almost feels like a colleague has passed- I've engaged more of his ideas even than people I've collaborated with closely- a somewhat frightening thought. Obviously Dennis Ritchie left such a legacy behind- perhaps by accident- but in the end obviously in the spirit of sharing the fun he seemed to be having. I believe, after hacking on many UNIX systems for years, perhaps even after reading Dennis Ritchie's playfully self-incriminating foreword to the UNIX Haters Handbook, and interacting with various Plan9 outcomes which have worked their way into mainstream UNIX systems: I think it's all pretty clear Dennis Ritchie was not only a great engineer- but perhaps even a great social thinker of our time. Processes, sharing time- users sharing systems. It's a fundamental legacy I know we'll all be interacting with long after the current systems we're touching are gone. He openly stood on the shoulders of giants, and we understatedly all stand on his- even if most people don't know who he is. Not sure he seemed to care for that, he seemed to prefer hacking... Rocket- .ike From akosela at andykosela.com Thu Oct 13 03:59:29 2011 From: akosela at andykosela.com (Andy Kosela) Date: Thu, 13 Oct 2011 09:59:29 +0200 Subject: [nycbug-talk] Dennis Ritchie has passed In-Reply-To: <305539D4-A870-4EA9-88C9-727BF17B4A2C@exit2shell.com> References: <305539D4-A870-4EA9-88C9-727BF17B4A2C@exit2shell.com> Message-ID: On Thu, Oct 13, 2011 at 5:23 AM, Steven Kreuzer wrote: > >From Rob Pike: https://plus.google.com/u/0/101960720994009339267/posts/ENuEDDYfvKP?hl=en > > "C is quirky, flawed, and an enormous success." > - Dennis Ritchie, on The Development of the C Language http://www.youtube.com/watch?v=7FjX7r5icV8 I consider him as one of the greatest minds of our time and still love to read his "C Programming Language" book. His legacy will live for long -- I hope it will surpass our lives too. The beauty and simplicity of the original UNIX was a great phenomenon. --Andy From edlinuxguru at gmail.com Thu Oct 13 10:13:15 2011 From: edlinuxguru at gmail.com (Edward Capriolo) Date: Thu, 13 Oct 2011 10:13:15 -0400 Subject: [nycbug-talk] Dennis Ritchie has passed In-Reply-To: References: <305539D4-A870-4EA9-88C9-727BF17B4A2C@exit2shell.com> Message-ID: I was traveling to San Fran for a conference a few months back. At the time I was on a language kick and had purchased books on objective-c, clojure, lisp as well as the 2nd Edition Ritchie book because my c is getting rusty. Because I had 5 ounces too much shampoo I had a bag screening. The TSA guy opened my bag saw the Ritchie book and said "That is a classic." We talked for a while, his story was he had gotten out of the field during the dot.combust. In today's world writing an "evergreen" book about technology is a difficult task. I really loved the section on malloc, "C Programming Language" book is something everyone should own. Sad to hear the news. On Thu, Oct 13, 2011 at 3:59 AM, Andy Kosela wrote: > On Thu, Oct 13, 2011 at 5:23 AM, Steven Kreuzer > wrote: > > >From Rob Pike: > https://plus.google.com/u/0/101960720994009339267/posts/ENuEDDYfvKP?hl=en > > > > "C is quirky, flawed, and an enormous success." > > - Dennis Ritchie, on The Development of the C Language > > http://www.youtube.com/watch?v=7FjX7r5icV8 > > I consider him as one of the greatest minds of our time and still love > to read his "C Programming Language" book. His legacy will live for > long -- I hope it will surpass our lives too. The beauty and > simplicity of the original UNIX was a great phenomenon. > > --Andy > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mark.saad at ymail.com Thu Oct 13 11:32:55 2011 From: mark.saad at ymail.com (Mark Saad) Date: Thu, 13 Oct 2011 11:32:55 -0400 Subject: [nycbug-talk] rc.conf / rc'ng hacking Message-ID: All I am working on a system to reinstall some of my remote freebsd servers . I can not PXE boot them so here is the idea. 1. Ship a newer kernel to the remote box , which is running 6.x-RELEASE . In my case I have tarballs of 7.x-RELEASE, and 8.x-RELEASE made from the install media's kernel/generic.?? files 2. Ship a custom mfsroot to the remote box, based in part on the one I use for local jumpstarts 3. Ship a loader.conf and loader.rc that instructs the remote box to boot kernel=GENERIC and load the mfsroot and use it as its rootfs So in this state if I reboot the remote server it will boot up and follow the install.cfg I have in the mfsroot and I will have wiped out the remote server, changed the disk layout, which is important to me here, and upgraded it to 7.x-RELEASE or 8.x-RELEASE depending on what I ship to that box. So here is my question, I want to preserve the original rc.conf from the old install. Here is an example. hostname="eir-web30" defaultrouter="10.9.8.30" ifconfig_bge0="inet 10.9.8.230 netmask 255.255.254.0 media 100baseTX mediaopt full-duplex" So my idea here was to have the script that creates and ships the custom mfsroot fetch the rc.conf from the server I am going to reinstall and then grab some info from the rc.conf . So following how I use install.cfg I need to grab the NIC type and and well I could search for the first line that do not start with # and look at the line with ifconfig then take the text after _ to the = and set that as my NIC type. So I was tired,lazy yesterday and I was wondering how does rc'ng handle this , surely there has to be a rc'ng function to suck in from rc.subr that I can call to get my nic type etc . I cant find anything, can someone shed some light on how this handled ? Is there an easier way to this ? --- Mark Saad | mark.saad at ymail.com From matt at tablethotels.com Thu Oct 13 12:02:41 2011 From: matt at tablethotels.com (Matthew Story) Date: Thu, 13 Oct 2011 12:02:41 -0400 Subject: [nycbug-talk] rc.conf / rc'ng hacking In-Reply-To: References: Message-ID: <6FB6CC19-8EEC-48B2-B87F-1F86B7E8849D@tablethotels.com> On Oct 13, 2011, at 11:32 AM, Mark Saad wrote: > So I was tired,lazy yesterday and I was wondering how does rc'ng > handle this , surely there has to be a rc'ng function to suck in from > rc.subr that I can call to get my nic type etc . I cant find anything, > can someone shed some light on how this handled ? Is there an easier > way to this ? you could use /etc/rc.conf.local, from man 5 rc.conf The /etc/rc.conf file is included from the file /etc/defaults/rc.conf, which specifies the default settings for all the available options. Options need only be specified in /etc/rc.conf when the system adminis- trator wishes to override these defaults. The file /etc/rc.conf.local is used to override settings in /etc/rc.conf for historical reasons. See the rc_conf_files variable below. if you need more facility than that, you can alter the rc_conf_files variable in /etc/defaults/rc.conf: rc_conf_files="/etc/rc.conf /etc/rc.conf.local" for your inst script, you could start with the old rc_conf_files setting, and then ... awk -F '=' 'BEGIN { OFS=FS; } $1 == "rc_conf_files" { sub(/\"$/, " my.rc.conf.local\"", $2); } { print; }' /etc/defaults/rc.conf > /etc/defaults/rc.conf.new && mv /etc/defaults/rc.conf.new /etc/defaults/rc.conf will add 'my.rc.conf.local" to the rc_conf_files string. As rc conf files are just shell, you could cp the rc_conf_files functionallity from defaults to your /etc/rc.conf file and preserve the defaults file (as suggested in the defaults documentation), relevant code from rc.conf below: ############################################################## ### Define source_rc_confs, the mechanism used by /etc/rc.* ## ### scripts to source rc_conf_files overrides safely. ## ############################################################## if [ -z "${source_rc_confs_defined}" ]; then source_rc_confs_defined=yes source_rc_confs () { local i sourced_files for i in ${rc_conf_files}; do case ${sourced_files} in *:$i:*) ;; *) sourced_files="${sourced_files}:$i:" if [ -r $i ]; then . $i fi ;; esac done } fi if you care less for safety, you can just: [ -r "rc.special.conf" ] && . "rc.special.conf" or in your /etc/rc.conf, breakout your service daemon specific configs and then do the same pattern: # for apache [ -r "/etc/rc.conf.apache" ] && . "/etc/rc.conf.apache" # for sendmail [ -r "/etc/rc.conf.sendmail" ] && . "/etc/rc.conf.sendmail" # etc ... > > --- > Mark Saad | mark.saad at ymail.com > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > best of luck. -matt From matt at tablethotels.com Thu Oct 13 13:53:03 2011 From: matt at tablethotels.com (Matthew Story) Date: Thu, 13 Oct 2011 13:53:03 -0400 Subject: [nycbug-talk] rc.conf / rc'ng hacking In-Reply-To: <6FB6CC19-8EEC-48B2-B87F-1F86B7E8849D@tablethotels.com> References: <6FB6CC19-8EEC-48B2-B87F-1F86B7E8849D@tablethotels.com> Message-ID: Should have been a little more explicit about how I was thinking of using the rc.conf and ability to `.' to solve your particular problem: was thinking you could basically ship config files with directives per NIC architecture along with your other files, for example: rc.conf.local.0x10c9 and then by do a lookup of your system architecture to determine which config is correct (this one uses the device setting of the first ign pnpinfo directive, but you could key it on whatever you are looking for) sysctl -a | awk -F ':' ' /^dev\.igb.*pnpinfo/ { split($2, a, /[ =]/); for (i in a) { if (grab) { print "/etc/rc.conf.local."a[i]; break; } if (a[i] == "device") grab=1; } exit 0; }' | xargs -n 1 -I% sudo ln % /etc/rc.conf.local this same pattern works for the per rc service approach as well sysctl -a | awk -F ':' ' /^dev\.igb.*pnpinfo/ { split($2, a, /[ =]/); for (i in a) { if (grab) { print a[i]; break; } if (a[i] == "device") grab=1; } exit 0; }' | xargs -n 1 sudo sh -c ' for service in apache sendmail; do ln "/etc/rc.conf.$service.$1" "/etc/rc.conf.$service" done' 'config-linker' Then just use the pattern in /etc/rc.conf: [ -r "/etc/rc.conf.apache" ] && . "/etc/rc.conf.apache" [ -r "/etc/rc.conf.sendmail" ] && . "/etc/rc.conf.apache" Then you only have to re-run either of the above commands whenever you swap out your NIC, and don't have to put the lookup and resulting control-flow logic in the config itself. On Oct 13, 2011, at 12:02 PM, Matthew Story wrote: > > On Oct 13, 2011, at 11:32 AM, Mark Saad wrote: >> So I was tired,lazy yesterday and I was wondering how does rc'ng >> handle this , surely there has to be a rc'ng function to suck in from >> rc.subr that I can call to get my nic type etc . I cant find anything, >> can someone shed some light on how this handled ? Is there an easier >> way to this ? > > you could use /etc/rc.conf.local, from man 5 rc.conf > > The /etc/rc.conf file is included from the file /etc/defaults/rc.conf, > which specifies the default settings for all the available options. > Options need only be specified in /etc/rc.conf when the system adminis- > trator wishes to override these defaults. The file /etc/rc.conf.local is > used to override settings in /etc/rc.conf for historical reasons. See > the rc_conf_files variable below. > > if you need more facility than that, you can alter the rc_conf_files variable in /etc/defaults/rc.conf: > > rc_conf_files="/etc/rc.conf /etc/rc.conf.local" > > for your inst script, you could start with the old rc_conf_files setting, and then ... > > awk -F '=' 'BEGIN { OFS=FS; } $1 == "rc_conf_files" { sub(/\"$/, " my.rc.conf.local\"", $2); } { print; }' /etc/defaults/rc.conf > /etc/defaults/rc.conf.new && mv /etc/defaults/rc.conf.new /etc/defaults/rc.conf > > will add 'my.rc.conf.local" to the rc_conf_files string. As rc conf files are just shell, you could cp the rc_conf_files functionallity from defaults to your /etc/rc.conf file and preserve the defaults file (as suggested in the defaults documentation), relevant code from rc.conf below: > > ############################################################## > ### Define source_rc_confs, the mechanism used by /etc/rc.* ## > ### scripts to source rc_conf_files overrides safely. ## > ############################################################## > > if [ -z "${source_rc_confs_defined}" ]; then > source_rc_confs_defined=yes > source_rc_confs () { > local i sourced_files > for i in ${rc_conf_files}; do > case ${sourced_files} in > *:$i:*) ;; > *) > sourced_files="${sourced_files}:$i:" > if [ -r $i ]; then > . $i > fi > ;; esac > done > } > fi > > if you care less for safety, you can just: > > [ -r "rc.special.conf" ] && . "rc.special.conf" > > or in your /etc/rc.conf, breakout your service daemon specific configs and then do the same pattern: > > # for apache > [ -r "/etc/rc.conf.apache" ] && . "/etc/rc.conf.apache" > # for sendmail > [ -r "/etc/rc.conf.sendmail" ] && . "/etc/rc.conf.sendmail" > # etc ... > > >> >> --- >> Mark Saad | mark.saad at ymail.com >> _______________________________________________ >> talk mailing list >> talk at lists.nycbug.org >> http://lists.nycbug.org/mailman/listinfo/talk >> > > best of luck. > > -matt > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > From ike at blackskyresearch.net Thu Oct 13 14:45:42 2011 From: ike at blackskyresearch.net (Isaac Levy) Date: Thu, 13 Oct 2011 14:45:42 -0400 Subject: [nycbug-talk] rc.conf / rc'ng hacking In-Reply-To: References: Message-ID: <201110131846.p9DIk5De005062@rs134.luxsci.com> Hi Mark, A couple of comments (some of them obvious): - How many boxes, and how physically close are they? Performing the buildworld/buildkernel dance, tar-piping /usr/src to N machines, and install/mergemaster seems pretty simple and scriptable, except for, - The mfsroot bit: You want to change disk layout without PXE booting, or local disk access- on what sounds like unknown/aging hardware. I'd think this would fail all over the place, the smallest inconsistency would leave the boxes unusable, requiring physical intervention. Tell us how this goes... -- The rc.conf bit: I'd personally copy the files outright to a separate server, possibly toss some comment bits in at the top with other machine info- (ethernet mac addr for id, phyical locaiton, etc...) All that auto-parsing to generate the rc.conf bits just sounds trange. -- One last sanity-check question: how many boxes are we talking about, and are you sure the procedure you outline below is cheaper than a fistfull of bootable USB keys, and some install.cfg defaults? Best, .ike On Oct 13, 2011, at 11:32 AM, Mark Saad wrote: > All > I am working on a system to reinstall some of my remote freebsd > servers . I can not PXE boot them so here is the idea. > > 1. Ship a newer kernel to the remote box , which is running > 6.x-RELEASE . In my case I have tarballs of 7.x-RELEASE, and > 8.x-RELEASE made from > the install media's kernel/generic.?? files > 2. Ship a custom mfsroot to the remote box, based in part on the one I > use for local jumpstarts > 3. Ship a loader.conf and loader.rc that instructs the remote box to > boot kernel=GENERIC and load the mfsroot and use it as its rootfs > > So in this state if I reboot the remote server it will boot up and > follow the install.cfg I have in the mfsroot and I will have wiped out > the remote server, > changed the disk layout, which is important to me here, and upgraded > it to 7.x-RELEASE or 8.x-RELEASE depending on what I ship to that box. > > So here is my question, I want to preserve the original rc.conf from > the old install. Here is an example. > > hostname="eir-web30" > defaultrouter="10.9.8.30" > ifconfig_bge0="inet 10.9.8.230 netmask 255.255.254.0 media 100baseTX > mediaopt full-duplex" > > > So my idea here was to have the script that creates and ships the > custom mfsroot fetch the rc.conf from the server I am going to > reinstall > and then grab some info from the rc.conf . > > So following how I use install.cfg I need to grab the NIC type and and > well I could search for the first line that do not start with # and > look at the line with ifconfig then take the text after _ to the = and > set that as my NIC type. > > So I was tired,lazy yesterday and I was wondering how does rc'ng > handle this , surely there has to be a rc'ng function to suck in from > rc.subr that I can call to get my nic type etc . I cant find anything, > can someone shed some light on how this handled ? Is there an easier > way to this ? > > --- > Mark Saad | mark.saad at ymail.com > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > From spork at bway.net Thu Oct 13 14:53:15 2011 From: spork at bway.net (Charles Sprickman) Date: Thu, 13 Oct 2011 14:53:15 -0400 Subject: [nycbug-talk] rc.conf / rc'ng hacking In-Reply-To: <201110131846.p9DIk5De005062@rs134.luxsci.com> References: <201110131846.p9DIk5De005062@rs134.luxsci.com> Message-ID: On Oct 13, 2011, at 2:45 PM, Isaac Levy wrote: > Hi Mark, > > A couple of comments (some of them obvious): > > - How many boxes, and how physically close are they? > Performing the buildworld/buildkernel dance, tar-piping /usr/src to N machines, and install/mergemaster seems pretty simple and scriptable, except for, > > - The mfsroot bit: Just a quick pointer in case you're not aware of it - mfsbsd might be helpful as it's already got many of the basics in doing a remote install/upgrade handled. http://mfsbsd.vx.sk/ It's based on "depenguinator". I use it in combination with PXE booting, but that's not the only option. Charles > You want to change disk layout without PXE booting, or local disk access- on what sounds like unknown/aging hardware. > I'd think this would fail all over the place, the smallest inconsistency would leave the boxes unusable, requiring physical intervention. > Tell us how this goes... > > -- > The rc.conf bit: > I'd personally copy the files outright to a separate server, possibly toss some comment bits in at the top with other machine info- (ethernet mac addr for id, phyical locaiton, etc...) > > All that auto-parsing to generate the rc.conf bits just sounds trange. > > -- > One last sanity-check question: how many boxes are we talking about, and are you sure the procedure you outline below is cheaper than a fistfull of bootable USB keys, and some install.cfg defaults? > > Best, > .ike > > > > On Oct 13, 2011, at 11:32 AM, Mark Saad wrote: > >> All >> I am working on a system to reinstall some of my remote freebsd >> servers . I can not PXE boot them so here is the idea. >> >> 1. Ship a newer kernel to the remote box , which is running >> 6.x-RELEASE . In my case I have tarballs of 7.x-RELEASE, and >> 8.x-RELEASE made from >> the install media's kernel/generic.?? files >> 2. Ship a custom mfsroot to the remote box, based in part on the one I >> use for local jumpstarts >> 3. Ship a loader.conf and loader.rc that instructs the remote box to >> boot kernel=GENERIC and load the mfsroot and use it as its rootfs >> >> So in this state if I reboot the remote server it will boot up and >> follow the install.cfg I have in the mfsroot and I will have wiped out >> the remote server, >> changed the disk layout, which is important to me here, and upgraded >> it to 7.x-RELEASE or 8.x-RELEASE depending on what I ship to that box. >> >> So here is my question, I want to preserve the original rc.conf from >> the old install. Here is an example. >> >> hostname="eir-web30" >> defaultrouter="10.9.8.30" >> ifconfig_bge0="inet 10.9.8.230 netmask 255.255.254.0 media 100baseTX >> mediaopt full-duplex" >> >> >> So my idea here was to have the script that creates and ships the >> custom mfsroot fetch the rc.conf from the server I am going to >> reinstall >> and then grab some info from the rc.conf . >> >> So following how I use install.cfg I need to grab the NIC type and and >> well I could search for the first line that do not start with # and >> look at the line with ifconfig then take the text after _ to the = and >> set that as my NIC type. >> >> So I was tired,lazy yesterday and I was wondering how does rc'ng >> handle this , surely there has to be a rc'ng function to suck in from >> rc.subr that I can call to get my nic type etc . I cant find anything, >> can someone shed some light on how this handled ? Is there an easier >> way to this ? >> >> --- >> Mark Saad | mark.saad at ymail.com >> _______________________________________________ >> talk mailing list >> talk at lists.nycbug.org >> http://lists.nycbug.org/mailman/listinfo/talk >> > > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk From ike at blackskyresearch.net Thu Oct 13 14:59:11 2011 From: ike at blackskyresearch.net (Isaac Levy) Date: Thu, 13 Oct 2011 14:59:11 -0400 Subject: [nycbug-talk] rc.conf / rc'ng hacking In-Reply-To: References: <201110131846.p9DIk5De005062@rs134.luxsci.com> Message-ID: <201110131900.p9DJ08kn002062@rs134.luxsci.com> On Oct 13, 2011, at 2:53 PM, Charles Sprickman wrote: >> - The mfsroot bit: > > Just a quick pointer in case you're not aware of it - mfsbsd might be helpful as it's already got many of the basics in doing a remote install/upgrade handled. http://mfsbsd.vx.sk/ It's based on "depenguinator". I use it in combination with PXE booting, but that's not the only option. > > Charles Quick question to clarify: this is still a fairly risky procedure, no? Some partition on the machine has to be stable enough to persist the mfsroot for reboot/install, right? I've never put mfsroot and bare-metal upgrades/installs in the same thought before... so this is both intriguing and scary :) Rocket- .ike From spork at bway.net Thu Oct 13 15:39:24 2011 From: spork at bway.net (Charles Sprickman) Date: Thu, 13 Oct 2011 15:39:24 -0400 Subject: [nycbug-talk] rc.conf / rc'ng hacking In-Reply-To: <201110131900.p9DJ08kn002062@rs134.luxsci.com> References: <201110131846.p9DIk5De005062@rs134.luxsci.com> <201110131900.p9DJ08kn002062@rs134.luxsci.com> Message-ID: <9FFA0E00-85D6-4864-B0A6-2CD8F7D0948B@bway.net> On Oct 13, 2011, at 2:59 PM, Isaac Levy wrote: > On Oct 13, 2011, at 2:53 PM, Charles Sprickman wrote: > >>> - The mfsroot bit: >> >> Just a quick pointer in case you're not aware of it - mfsbsd might be helpful as it's already got many of the basics in doing a remote install/upgrade handled. http://mfsbsd.vx.sk/ It's based on "depenguinator". I use it in combination with PXE booting, but that's not the only option. >> >> Charles > > Quick question to clarify: this is still a fairly risky procedure, no? Some partition on the machine has to be stable enough to persist the mfsroot for reboot/install, right? My use case is totally different, but IIRC you can use this similar to the original depenguinator tool on a running system. It is risky - there's no turning back once you dd the image to the drive. I just noticed that it now has a section in the handbook: http://www.freebsd.org/doc/en/articles/remote-install/preparation.html > I've never put mfsroot and bare-metal upgrades/installs in the same thought before... so this is both intriguing and scary :) I'm really happy with mfsbsd here - it's used for two things. It's available as sort of a "livefs" rescue tool that supports ZFS on root and has all the tools needed if you need to boot a box and roll back to a known good snapshot, and it's also our default installer for new or recycled hardware. We use PXE to boot it and then use a slightly modified version of mm's zfsinstall script (included in mfsbsd) to do the install. It's very easy to add additional packages to the mfsbsd image as well if you need any custom tools. We do have remote console (but not kvm) access and that's needed to toggle between network or hdd booting in the bios. We keep multiple mfsbsd images around too - both for different FBSD versions and for i386 and amd64. Toggling between them simply requires an edit in dhcpd.conf on the dhcp server. Oh, it's also handy for pre-upgrade testing - it's a nice non-destructive way to verify that whatever new version of FreeBSD we're toying with at the very least boots and can go multi-user without wiping anything. It's currently one of my favorite hammers. Charles > Rocket- > .ike > > From mark.saad at ymail.com Thu Oct 13 17:13:24 2011 From: mark.saad at ymail.com (Mark Saad) Date: Thu, 13 Oct 2011 17:13:24 -0400 Subject: [nycbug-talk] rc.conf / rc'ng hacking In-Reply-To: <201110131846.p9DIk5De005062@rs134.luxsci.com> References: <201110131846.p9DIk5De005062@rs134.luxsci.com> Message-ID: On Thu, Oct 13, 2011 at 2:45 PM, Isaac Levy wrote: > Hi Mark, > > A couple of comments (some of them obvious): > > - How many boxes, and how physically close are they? There are 90 + servers. They are 2000 miles away in Texas and California > Performing the buildworld/buildkernel dance, tar-piping /usr/src to N machines, and install/mergemaster seems pretty simple and scriptable, except for, > Need to wipe the hd and re-partition , the previous guy set the servers up with weird disk layouts . I have done this locally in ny and it works. > - The mfsroot bit: > You want to change disk layout without PXE booting, or local disk access- on what sounds like unknown/aging hardware. The servers are HP DL145g2 and g3 along with some DL380/360 g5 and g6 > I'd think this would fail all over the place, the smallest inconsistency would leave the boxes unusable, requiring physical intervention. > Tell us how this goes... I will and they boxes are not that old. > -- > The rc.conf bit: > I'd personally copy the files outright to a separate server, possibly toss some comment bits in at the top with other machine info- (ethernet mac addr for id, phyical locaiton, etc...) > > All that auto-parsing to generate the rc.conf bits just sounds strange. agreed after some discussion on this we are going to just use a staging ip and a mfsroot/install.cfg per device type to make this simpler. > -- > One last sanity-check question: how many boxes are we talking about, and are you sure the procedure you outline below is cheaper than a fistfull of bootable USB keys, and some install.cfg defaults? Its going to cost to much to pay the co-lo hotels noc staff , to do the work and, in one case I cant not ensure the noc staff will not royally screw this up. IE try to reinstall a windows box with freebsd and or disconnect a cisco switch and ask where the vga cable goes. > > > > On Oct 13, 2011, at 11:32 AM, Mark Saad wrote: > >> All >> I am working on a system to reinstall some of my remote freebsd >> servers . I can not PXE boot them so here is the idea. >> >> 1. Ship a newer kernel to the remote box , which is running >> 6.x-RELEASE . In my case I have tarballs of 7.x-RELEASE, and >> 8.x-RELEASE made from >> the install media's kernel/generic.?? files >> 2. Ship a custom mfsroot to the remote box, based in part on the one I >> use for local jumpstarts >> 3. Ship a loader.conf and loader.rc that instructs the remote box to >> boot kernel=GENERIC and load the mfsroot and use it as its rootfs >> >> So in this state if I reboot the remote server it will boot up and >> follow the install.cfg I have in the mfsroot and I will have wiped out >> the remote server, >> changed the disk layout, which is important to me here, and upgraded >> it to 7.x-RELEASE or 8.x-RELEASE depending on what I ship to that box. >> >> So here is my question, I want to preserve the original rc.conf from >> the old install. Here is an example. >> >> hostname="eir-web30" >> defaultrouter="10.9.8.30" >> ifconfig_bge0="inet 10.9.8.230 netmask 255.255.254.0 media 100baseTX >> mediaopt full-duplex" >> >> >> So my idea here was to have the script that creates and ships the >> custom mfsroot fetch the rc.conf from the server I am going to >> reinstall >> and then grab some info from the rc.conf . >> >> So following how I use install.cfg I need to grab the NIC type and and >> well I could search for the first line that do not start with # and >> look at the line with ifconfig then take the text after _ to the = and >> set that as my NIC type. >> >> So I was tired,lazy yesterday and I was wondering how does rc'ng >> handle this , surely there has to be a rc'ng function to suck in from >> rc.subr that I can call to get my nic type etc . I cant find anything, >> can someone shed some light on how this handled ? Is there an easier >> way to this ? >> >> --- >> Mark Saad | mark.saad at ymail.com >> _______________________________________________ >> talk mailing list >> talk at lists.nycbug.org >> http://lists.nycbug.org/mailman/listinfo/talk >> > > From mark.saad at ymail.com Mon Oct 24 12:04:41 2011 From: mark.saad at ymail.com (Mark Saad) Date: Mon, 24 Oct 2011 12:04:41 -0400 Subject: [nycbug-talk] Strange Apache Coredump behavior Message-ID: Hello Talk@ I have a strange apache issue , and I wonder if anyone has seen this before. I am running Apache 1.3.34 on freeBSD 7.3-RELEASE amd64 . At some point in the day apache's children segfault and die. No core files are generated. I am not running mod_php either. 1. I have setup the following sysctls #Debug options kern.sugid_coredump=1 kern.corefile="/var/coredumps/%U-%N-%P.core" 2. The httpd.conf is set with CoreDumpDirectory /var/coredumps/ 3. The dir /var/coredumps/ is set 1777 4. A ktrace of the parrent apache process shows the core file tries to create 84954 libhttpd.ep RET kill 0 84954 libhttpd.ep CALL sigreturn(0x7ffffffeb030) 84954 libhttpd.ep RET sigreturn JUSTRETURN 84954 libhttpd.ep PSIG SIGSEGV SIG_DFL 84954 libhttpd.ep NAMI ""/var/coredumps/65534-libhttpd.ep-84954.core"" 34924 libhttpd.ep RET select 0 34924 libhttpd.ep CALL gettimeofday(0x7fffffffe890,0) 34924 libhttpd.ep RET gettimeofday 0 34924 libhttpd.ep CALL fork 5. I have proc mounted and I can't gcore -s $PID either I have no cores and I am stumped. -- Mark Saad mark.saad at ymail.com From billtotman at billtotman.com Mon Oct 24 14:06:19 2011 From: billtotman at billtotman.com (Bill Totman) Date: Mon, 24 Oct 2011 14:06:19 -0400 Subject: [nycbug-talk] Strange Apache Coredump behavior In-Reply-To: References: Message-ID: <1AE02B1B-5212-47B1-A54B-13C0BD6919B4@billtotman.com> On Oct 24, 2011, at 12:04, Mark Saad wrote: > Hello Talk@ > I have a strange apache issue , and I wonder if anyone has seen this before > 4. A ktrace of the parrent apache process shows the core file tries to create > > > 84954 libhttpd.ep RET kill 0 > 84954 libhttpd.ep CALL sigreturn(0x7ffffffeb030) > 84954 libhttpd.ep RET sigreturn JUSTRETURN > 84954 libhttpd.ep PSIG SIGSEGV SIG_DFL > 84954 libhttpd.ep NAMI ""/var/coredumps/65534-libhttpd.ep-84954.core"" > 34924 libhttpd.ep RET select 0 > 34924 libhttpd.ep CALL gettimeofday(0x7fffffffe890,0) > 34924 libhttpd.ep RET gettimeofday 0 > 34924 libhttpd.ep CALL fork