00:32.01 | plarsen | stickster: Have I told you how SELinux is always getting on my nerves? :) |
00:32.12 | stickster | Umm, no, never |
00:32.14 | stickster | :-D |
00:32.18 | stickster | bwahahahahaha |
00:32.33 | plarsen | lol |
00:32.41 | stickster | The SELinux docs really do make it easier to figure out |
00:32.45 | plarsen | just figure out why my named update-allow didn't work |
00:32.48 | plarsen | SELinux!!! |
00:32.50 | plarsen | GRRRRR! |
00:33.48 | stickster | If you're running the setroubleshootd system service and the sealert client, you'll get an alert for SELinux denials, so it's easy to see when it happens and why |
00:34.10 | plarsen | It's CentOS ;) |
00:34.17 | plarsen | doesn't have all the SELinux bells and whistles on it |
00:35.27 | stickster | Ah, well you could just go the route of putting a watch on /var/log/audit/audit.log grepping for "AVC" |
00:36.42 | plarsen | Uhmmm - I know |
00:36.47 | plarsen | My problem is the error messages |
00:37.10 | plarsen | I get "permission denied", nothing about SELinux ... so when I diagnose I don't get to the point of checking the SELinux logs because they aren't mentioned |
00:37.24 | plarsen | I wish the error would say "SELinux denied" or something |
00:37.28 | plarsen | Instead of just "denied" |
00:38.21 | stickster | plarsen: http://danwalsh.livejournal.com/4780.html |
00:38.47 | stickster | For a lot of daemons there's a man page.... |
00:38.47 | plarsen | I'm just a bit puzzled -- the memory footprint of my old server is really getting pushed. It just runs dhcp, named and mail. A pretty inactive web server I used internally |
00:38.55 | stickster | i.e. 'man httpd_selinux' or 'man named_selinux' |
00:39.02 | stickster | I don't know if that helps in this situation |
00:39.08 | plarsen | It has almost 400MB physical and it still ends up swapping :( |
00:39.18 | stickster | Hmm |
00:39.25 | stickster | Wow, that's heavy |
00:39.36 | plarsen | :) cute link |
00:39.49 | plarsen | yeah - it's an old box. Well, old and old - 3 years |
00:40.12 | plarsen | Been my backbone server for ages. I just find it slow now when I try to do anything and yesterday when I burned the DVDs it hung on me .. the desktop |
00:40.14 | plarsen | I don't get it. |
00:40.22 | stickster | I was running an 8-year-old server (Pentium II/266 MHz) that did Web, named, dhcpd, mail, and a couple other things, didn't swap much |
00:40.33 | stickster | Well, except for that one bad web app I tried, but that was a lark and I threw it away :-D |
00:40.47 | plarsen | :) Its predecessor was from 98 :) It was replaced 2 years ago |
00:40.53 | plarsen | Went on retirement |
00:41.17 | plarsen | well, I noticed the last CentOS updates installed some kind of kernel debugging stuff |
00:41.48 | plarsen | "crashkernel=128M@16M" |
00:41.58 | plarsen | Methinks that's what's going on. |
00:42.20 | stickster | I need to update my server downstairs to CentOS 5. |
00:42.35 | stickster | It's currently on FC5 and I want to put something longer term on it |
00:42.38 | stickster | So I can set and forget ;-) |
00:42.47 | plarsen | That's what I was trying to do |
00:43.03 | plarsen | Actually dogbert is running CentOS5 now |
00:43.12 | plarsen | It crashed (fc4) last fall |
00:43.17 | plarsen | or something like that |
00:43.26 | plarsen | I think I was writing on here with my frustrations when everything went berserk |
00:43.37 | plarsen | So I put centOS 5 on it to "set and forget" |
00:44.18 | plarsen | kernel and selinux updates coming down again |
00:44.22 | plarsen | Another kernel update!! |
00:44.24 | plarsen | 3rd one! |
00:45.41 | stickster | Yeah the issues that caused the Fedora kernel updates are probably in there too. CVEs are generally handled quickly |
00:45.51 | stickster | Unless you'd prefer the holes... ;-) |
00:46.33 | plarsen | well; that's a philosophical discussion. |
00:46.37 | plarsen | Why patch areas you don't use? |
00:46.50 | plarsen | The kernel updates are usually in areas I don't use anyway ;) |
00:47.23 | plarsen | if I secure my box right and stop services I don't need, there's no need to patch constantly for every dog darn bug in the kernel that won't affect me anyway |
00:48.25 | stickster | It all pretty much depends on where in the kernel stack the patches land |
00:48.35 | plarsen | right :) |
00:48.43 | plarsen | Point is that every kernel bug doesn't affect everyone using that kernel |
00:49.38 | stickster | Right, but in a situation where you're running an environment with virtualization, it would be important because you can't predict (or necessarily track) your clients' system usage |
00:49.48 | stickster | And you don't want *them* to have downtime, regardless of what your hosts are doing |
00:50.16 | plarsen | it's because the kernel is monolithic ... we need to manage it piece-by-piece like we do software packages, libraries etc. |
00:50.40 | stickster | As long as you want to pay the performance price, that's fine |
00:50.52 | stickster | Sounds like you should be working with RMS on HURD :-D |
00:50.58 | plarsen | ?? you just build the module that got patched, and presto! |
00:51.05 | stickster | As a sysadmin, if virt doesn't apply to you, and you've reviewed the kernel vulnerabilities/patches and they don't apply to you, you can just ignore the updates |
00:51.30 | plarsen | I'm not saying to do it blindly ;) |
00:51.45 | plarsen | I'm saying the current system treats every issue in the kernel with the same severity |
00:51.52 | plarsen | ok, I give up - can't spell anymore! |
00:52.23 | stickster | I don't know about that... the new repodata now includes update metadata so you can tell security updates from bug fixes/errata |
00:52.51 | stickster | And the changelog shows you what the diffs are from the last package, so you can weigh your options |
00:54.07 | plarsen | I remember in my Red Hat 6.x I liked building static kernels; I only got the stuff that was needed for the job, no more. All that "fluff" in windows was gone |
00:54.13 | plarsen | which meant a small footprint |
00:54.18 | stickster | Yup, you can still do that now |
00:54.37 | plarsen | We've unfortunately gone the same way on the standard distros. While you can control it, you really don't have that option in mega distros like Fedora |
00:54.46 | plarsen | You need the specialized distros or do it yourself |
00:55.07 | stickster | Don't have what option? |
00:55.18 | plarsen | and still use yum etc?? |
00:55.19 | plarsen | Nope? |
00:55.41 | plarsen | It's linux right - but if you want to take advantage of the distro itself, I don't see manual kernel building as an option? |
00:55.46 | stickster | Why not? |
00:56.08 | plarsen | because of the lack of dependency control? |
00:56.11 | stickster | You can exclude the kernel from yum updates if you don't want to run 'yum --exclude=kernel' every time |
00:56.27 | stickster | There's very few packages that depend on kernel versioning, so you're pretty safe there. |
00:56.35 | plarsen | Let's say I take away all the USB stuff; yum will still add the frigging executables for USB if it thinks a piece of software might need it. |
00:56.53 | plarsen | I know ... and I should do that on my laptop actually |
00:57.03 | plarsen | vmware and vpnclients are depending on the kernel as is |
00:57.19 | stickster | What the packages require and what you run on the system are two different things though. |
00:58.04 | stickster | I would assume if you're building a custom kernel that you're not going to be using that system for general desktop use |
00:58.23 | plarsen | the idea is a minimized system. so if I take the time to select modules and functionality in the kernel, I would definitely want to do the same on the app layer |
00:58.33 | plarsen | I agree :) |
00:58.57 | plarsen | Kernel building is not for "mr. ordinary" ... he shouldn't care. It's cheaper to add a bit more memory than being memory conservative. |
00:59.17 | plarsen | But that's one of my attractions to Linux - the control |
00:59.35 | stickster | I still don't see why you're complaining you can't do that with modern distros. |
00:59.40 | stickster | You absolutely can. |
00:59.49 | plarsen | I just felt it went out of the window with first RH8 and now Fedora, SUSE etc. Way too much is being pushed in there to "compete with windows". |
01:00.02 | stickster | Bullshit. |
01:00.05 | plarsen | yeah? |
01:00.28 | stickster | Yeah. You can still get a very minimal system by installing the Base package group only, making a minimal kernel, and installing only the packages you need. |
01:00.45 | plarsen | BASE? I did a "base" today - 1100 packages! |
01:00.50 | stickster | Nope, that's not base. |
01:01.02 | stickster | Oops, I'm sorry, I used the wrong term. |
01:01.07 | stickster | It's @Core |
01:01.13 | stickster | You can't get that out of the GUI. |
01:01.15 | plarsen | ohh, that's different ... |
01:01.28 | plarsen | I'm not saying you can't make your own kernel. |
01:01.42 | plarsen | But I am Saying that the way yum/rpm works, they don't care what I have in my kernel |
01:01.59 | stickster | Why would they? |
01:02.01 | plarsen | So if I don't have support for something, they'll still install the dependencies for that, like USB, on the app side. |
01:02.19 | plarsen | My point is, that makes it pretty hard to manage then if what I wanted was a minimalistic system |
01:02.25 | stickster | Only if you install the package groups and stuff that require those things. |
01:02.39 | stickster | I think you have a misunderstanding about what's actually required in the app stack. |
01:02.44 | stickster | It's very little. |
01:03.05 | stickster | Most of what you wouldn't want with a minimal kernel would be things you would have left out anyway, by not installing the full-blown GUI desktop stuff |
01:03.32 | stickster | Like I said, try installing a system using Kickstart, and only the @Core package group. |
01:03.38 | stickster | You will be very surprised at how small it is. |
01:03.43 | plarsen | Definitely not ... the idea is exactly NOT to have a huge gui etc. etc. etc. but specific functions like firewalls, web servers etc. |
01:04.04 | stickster | But you keep saying you're going to get all these software updates you don't want with that, and that's not so. |
01:04.10 | plarsen | Last time I "kickstarted" was 3 years ago. I'll give it a try again |
01:04.36 | stickster | You get updates based on your current package complement, so if you cut it down by running a truly minimal install, you're going to get minimal updates as well. |
01:04.38 | plarsen | I am ... let's say I want to install pam sync and I excluded USB |
01:04.41 | plarsen | in the kernel |
01:04.58 | plarsen | It's still going to include lsusb etc. utils because the utility can use usb |
01:05.08 | plarsen | even though I might only want to use serial communication |
01:05.31 | stickster | What is "pam sync"? I can't find that in the package lists |
01:05.32 | plarsen | That's my point. It's "include everything" that the package manager does. |
01:06.20 | plarsen | Just an example - the "true" name is "GNOME PilotSync" |
01:06.32 | plarsen | It has abilities for usb, network, serial etc. to talk to the palm |
01:06.33 | stickster | Why the heck would you install that on a minimal system? |
01:06.47 | plarsen | and it'll install all of the abilities even if my system doesn't have the ability to do USB for instance. |
01:06.53 | plarsen | It's the principle ;) |
01:07.05 | plarsen | the idea is the app dependency is done independent of the kernel setup |
01:07.16 | stickster | plarsen: Then you would want to build a custom package that disables the usb stack in that application, and fix the SRPM accordingly |
01:07.27 | plarsen | bingo!! |
01:07.59 | plarsen | And there goes the point of the distro ;) I know I can do it - and I can definitely take Fedora or SUSE or similar, and tweak it to my likings. But once done, I lose the distro "advantage" ... |
01:08.14 | stickster | Yes, but you're trying to meet two diametrically opposed objectives at the same time -- a "minimal" system and a desktop GUI environment. |
01:08.14 | stickster | The two do not mix. |
01:08.14 | plarsen | So I might as well just do my own distro and do all the hard work |
01:09.08 | stickster | So you want a distro that AVOIDS meeting any helpful goals for any one group so that everyone can suffer through having to custom build everything all the time? |
01:09.10 | plarsen | look besides that the app I use is a gui - the dependency system is the same for text and gui apps. |
01:09.16 | stickster | Wow, *that* is a distro no one would use. |
01:09.19 | plarsen | While GUIs usually have more dependencies of course. |
01:09.29 | stickster | Either that, or it's Gentoo. |
01:09.43 | plarsen | it's two different goals. |
01:09.50 | stickster | Right, which one do you want? |
01:09.56 | plarsen | If your goal is to make an easy system to use, you can't take a minimalistic approach = microsoft solution |
01:10.15 | stickster | But it's not that you can't take a minimalistic approach. |
01:10.26 | plarsen | All I said was that when I started, linux was trying to be minimalistic ... that's no longer the case. |
01:10.41 | stickster | Linux is now able to meet a lot of different needs based on the goals of a distro. |
01:11.01 | stickster | After 11 years of using it, I would never trade what we have now for what we had back then. |
01:11.10 | stickster | We actually have a system that's worth using for non-niche cases now. |
01:11.24 | stickster | And we've done it without sacrificing security and stability. |
01:11.46 | plarsen | :) I agree that Fedora and other distros are making it possible for "normal" users to get exposure and we can generalize the use of the system |
01:11.51 | stickster | But you *can* do minimal with modern distros. You can't do minimal and full-blown at the same time. |
01:12.26 | stickster | And I think anyone who thinks meeting both goals at the same time is worthwhile or somehow pushes the boundaries of FOSS is mistaken |
01:12.26 | plarsen | But it's done on the foundation of getting away from the roots; if I want to make a simple router I more or less have to make my own distro now. The small specialized distros for that are sorta way behind the wheel now. |
01:12.48 | stickster | Nope, DSL or Smoothwall are going plenty strong |
01:13.17 | plarsen | I'm talking as a system architect - not a user ;) I don't want Fedora to change for users. What I do miss is distros made with "specialities" in mind. Like a simple webserver, dns, mail or whatever. |
01:13.23 | stickster | And again, you can get that in something like Fedora too, because again, you're leaving out all that app crap you don't want on a router. |
01:13.33 | plarsen | I haven't seen anything new out of DSL for quite a while? |
01:13.41 | plarsen | I don't know smoothwall |
01:14.08 | stickster | plarsen: Wha??? DSL release candidate just came out two weeks ago!!! |
01:14.14 | plarsen | huh?? |
01:14.30 | stickster | http://damnsmalllinux.org/cgi-bin/forums/ikonboard.cgi?act=ST;f=36;t=19097 |
01:14.32 | plarsen | Maybe my links needs to be updated. I haven't seen anything for months |
01:14.58 | plarsen | Hmmm -wonder why my rss isn't picking anything up |
01:15.07 | stickster | Smoothwall is another minimal Deb-based distro, probably one of the best small business router distros available. |
01:15.53 | stickster | Installs and configures in about five minutes. |
01:16.28 | plarsen | Ahh, but the mirrors say 2006 for latest release :( |
01:16.36 | plarsen | wasn't all that wrong. |
01:17.04 | stickster | Yeah, but stable releases aren't a sign of how much work is being done |
01:17.15 | stickster | Otherwise Debian would be a big dead body |
01:17.18 | plarsen | June 2006 is still more than a year ago |
01:17.25 | plarsen | That's sorta dead to me ;) |
01:18.15 | stickster | Well, one misses out on a lot of what's cool in FOSS if one only looks for stable releases |
01:19.17 | stickster | I'm working up a tiny-sys kickstart right now to see exactly how big it ends up |
01:19.21 | plarsen | well, I've made a conscious choice of not being a beta-runner. When it comes to what I do, I want stable/tested releases. I use "foss" or the betas to see directions etc. but not to use for real. |
01:19.30 | stickster | No, I don't run betas either. |
01:19.41 | stickster | But I don't judge the progress of projects on just their stable releases either |
01:19.41 | plarsen | prerelease/rc are beta |
01:19.47 | plarsen | Ohhh I don't either |
01:19.50 | plarsen | I just don't use them for prod :) |
01:20.11 | stickster | right, but you said you hadn't "seen anything new" out of DSL, but they've been putting out RCs for a while now |
01:20.23 | stickster | I'm just saying they're in the game and going strong |
01:20.45 | plarsen | new to me would be releases I can take and use |
01:20.55 | plarsen | not beta/trial that's not production ready |
01:21.03 | plarsen | that's what rcs are |
01:21.24 | stickster | Well, now you're talking about lots of incremental point releases, and not half an hour ago you were lamenting how many updates you were getting! :-D |
01:21.48 | stickster | That means you get to spend your work life testing for production rollouts |
01:21.49 | plarsen | I said the "small" install in Fedora gave me 1100 packages :) That ain't small ;) |
01:22.08 | stickster | But that wasn't small, it was what you *thought* was small, which is not necessarily the same thing |
01:22.34 | plarsen | hehe - true |
01:23.54 | stickster | OK... working up that ks file |
01:24.02 | plarsen | kk |
01:26.40 | stickster | Man, you have to love dd and friends |
01:27.22 | plarsen | ohhh yeah |
01:27.39 | plarsen | not sure if winblows ever got anything similar to dd |
01:29.34 | stickster | Actually they have one now |
01:29.42 | stickster | I think some fellow named.... errr.... |
01:29.44 | stickster | George Garner maybe? |
01:29.47 | stickster | He wrote it. |
01:29.58 | stickster | So you can do physical images of drives, etc. for forensic and other purposes |
01:30.03 | plarsen | yeah?? so Vista finally did something smart? |
01:30.04 | plarsen | right! |
01:30.22 | plarsen | well, the resource kits have had stuff like that, not exactly dd but stuff that could manipulate streams |
01:30.50 | plarsen | i just wish it was part of standard install |
01:32.10 | stickster | It works on NT/2000/XP, maybe Vista too |
01:32.26 | plarsen | you're talking about a 3rd party tool?? |
01:32.54 | plarsen | Ahhh - yeah, that's what cygwin and ksh was for. |
01:33.06 | plarsen | I think it was ksh - it made all standard linux commands available on windows |
01:33.13 | plarsen | Needed for Oracle installs :) |
01:33.14 | plarsen | hehe |
01:35.58 | stickster | I'm trying to remember what the Cygwin thing I saw the other night was |
01:36.08 | stickster | Some sort of GUI glue that was pretty neat |
01:36.22 | stickster | Although I thought to myself, at that point I'd probably just rather be using Linux! :-D |
01:47.22 | stickster | 343 packages for @Core. |
01:47.28 | stickster | And apparently, that's *not* as low as you can go |
01:48.35 | stickster | If you write the kickstart to only include the few packages bash, kernel, syslinux, passwd, policycoreutils, chkconfig, authconfig, and rootfiles, that's the minimum. |
01:48.41 | stickster | I'll try that next to see what happens. |
01:49.15 | stickster | Yeah, this one includes X libs. |
01:49.30 | stickster | Not the GUI, just libs |
01:54.53 | stickster | About 769 MB in real space on the disk, probably ~650-700 in actual data |
02:02.23 | stickster | Yeah, I see a bunch of things that could be removed. |
02:05.02 | stickster | cups, avahi, specspo... |
02:06.00 | stickster | NetworkManager :-D |
02:10.57 | plarsen | back |
02:11.39 | plarsen | lots of stuff not needed ;) |
02:11.56 | plarsen | I think you're getting my drift a bit. But yeah, 343 is much less than 1100 |
02:12.17 | plarsen | I know I can control it; but it means losing "fedora" per se? |
02:19.38 | stickster | I haven't reached the minimal set yet |
02:19.43 | stickster | Still working on it |
02:20.55 | stickster | Aha, 141 packages with @Core only and %packages --nobase |
02:21.50 | stickster | Yeah, but what is "Fedora" per se? I would say that it's the integration of awesome desktop functionality and applications with a best-of-breed kernel. |
02:22.24 | stickster | You already want to take that apart -- which is fine -- so what does it mean to argue about whether it's Fedora any more? |
02:22.49 | stickster | I would say once you lose the desktop experience, it doesn't really matter much which Linux you use. |
02:22.57 | stickster | Well, not quite. |
02:23.09 | stickster | But maybe if you lose both the desktop and the integrated server experience... |
02:24.54 | stickster | Well, 141 packages and it still feels like Fedora here. |
02:25.39 | stickster | du -sm / ==> 451 MB |
02:25.50 | stickster | So that's probably about 400 MB or so of actual data. |
02:27.15 | stickster | Still has Python, perl, and much of the expected core command line functionality. |
02:40.27 | *** join/#fredlug IrishW0lf (n=william@70-41-188-87.cust.wildblue.net) |
02:42.00 | stickster | Hi IrishW0lf! |
02:42.07 | IrishW0lf | hi |
02:42.23 | IrishW0lf | great meeting this morning, i learned a lot |
02:42.30 | plarsen | stickster: I don't agree that GUI = Fedora. To me the idea of a distribution is how it integrates tools and management. |
02:43.02 | stickster | Well, you can see the quality and depth of the work by the fact that at only 141 packages and ~400 MB, it still feels like Fedora, CLI only of course, but still there. |
02:43.16 | plarsen | :) of course |
02:43.24 | stickster | As you'll see I corrected myself to include the integration experience, which you still have at this level |
02:43.26 | plarsen | But as things go, for servers who needs GUI? |
02:43.33 | stickster | i.e. chkconfig/service, and so forth. |
02:43.47 | stickster | I noticed yum was not included, but that only adds 5 packages. |
02:44.00 | plarsen | right |
02:44.02 | stickster | So it's pretty slim for a full-featured distro. |
02:44.20 | stickster | I'm frankly amazed that people could build an entire working live distro into 699 MB. |
02:44.46 | plarsen | I was amazed when the whole kernel would rest on a single 1.44 floppy :) |
02:56.23 | stickster | Yup, I used to make a floppy boot system for work back in those days |
03:30.19 | stickster | heh |
05:07.37 | *** join/#fredlug quigleymd (n=quigleym@c-71-62-130-185.hsd1.va.comcast.net) |
14:23.46 | *** join/#fredlug plarsen (n=plarsen@c-24-125-211-129.hsd1.va.comcast.net) |
15:13.43 | stickster | Oops, been awake since 7:30; maybe I shouldn't look like I'm still asleep :-D |
20:38.11 | stickster | Aha, looks like we have liftoff this time :-) |