Cyberpunkey Monkey
Jun 23, 2003

by Nyc_Tattoo

spankmeister posted:

You done hosed up now son.

*shrug*


spankmeister
Jun 15, 2008

To get this discussion on track again, I'm interested in y'alls opinion on KVM v. Xen. Who's had practical experience with either and which do you prefer and why etc...

There's enough blogs and sites out there detailing the differences but I'd like to hear from some goons in the field about it. :)

evol262
Nov 30, 2010
#!/usr/bin/perl

Honestly, I wouldn't choose Samba for a production fileserver unless I had to. If you have Windows clients, use a Windows fileserver (or multiple with DFS). Virtualize it on a Linux server if you want to.

Do you have filesystem ACL support enabled? It's off by default in RHEL.

That said, the documentation is extremely clear on what happens in different scenarios. I'm sure you've read this, but read it again.

The other admins there are pursuing an idiotic strategy. Back up every client? Files saved locally? Great idea.

What exactly are you trying to do? You want local access, POSIX access, and access from Windows clients simultaneously? What is the use case? Are you sure Samba is even the right tool for what you want? Should every point of ingress be conjoined?

angrytech
Jun 26, 2009
Slightly less intelligent question than spankmeister's:
I'm doing a web design class (html/css/js/php) and I'm getting tired of "gksu gedit" every time I want to modify a file in /var/www. Is there an accepted way to make my user account able to edit everything under /var/www? Add myself to the apache group or something?

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

angrytech posted:

Slightly less intelligent question than spankmeister's:
I'm doing a web design class (html/css/js/php) and I'm getting tired of "gksu gedit" every time I want to modify a file in /var/www. Is there an accepted way to make my user account able to edit everything under /var/www? Add myself to the apache group or something?

Don't edit files directly in /var/www. Instead make a symlink, or use some kind of version control.

And you really should not be running any GUI program as root.

evol262
Nov 30, 2010
#!/usr/bin/perl

spankmeister posted:

To get this discussion on track again, I'm interested in y'alls opinion on KVM v. Xen. Who's had practical experience with either and which do you prefer and why etc...

There's enough blogs and sites out there detailing the differences but I'd like to hear from some goons in the field about it. :)

Use what works. They have different use cases.

Are you talking about a NetBSD dom0? Xen Cloud Platform? XenServer? XenDesktop?

oVirt? RHEV? OpenStack? KVM/QEMU?

They're essentially both abstracted through libvirt 99% of the time. KVM does nested virt a little easier. Xen does paravirt (even if many of the use cases for paravirt have been eliminated by LXC, OpenVZ, and the ubiquity of virtualization extensions).

KVM needs less configuration for testing. Xen is somewhat better about guaranteeing resources for the host. KVM has more active development on things like samepage merging.

We use both for different cases. Is there something specific you're curious about?

evol262
Nov 30, 2010
#!/usr/bin/perl

angrytech posted:

Slightly less intelligent question than spankmeister's:
I'm doing a web design class (html/css/js/php) and I'm getting tired of "gksu gedit" every time I want to modify a file in /var/www. Is there an accepted way to make my user account able to edit everything under /var/www? Add myself to the apache group or something?

Add yourself to the www group, or change perms on /var/www.

Learn vi.

sudo su -

angrytech
Jun 26, 2009
^^Awesome, thanks^^

Suspicious Dish posted:

Don't edit files directly in /var/www. Instead make a symlink, or use some kind of version control.

And you really should not be running any GUI program as root.

I'm wary of giving read/write access to any files in my home directory, which is why I haven't done it before. I use Ubuntu1 for cloud sync, so I'd actually love if there was a secure way to set up a link from /var/www/ to ~/Documents/whatever so that any modifications I make would be simultaneously synced to ~the cloud~ as well as be served up by apache.

spankmeister
Jun 15, 2008

evol262 posted:

Use what works. They have different use cases.

Are you talking about a NetBSD dom0? Xen Cloud Platform? XenServer? XenDesktop?

oVirt? RHEV? OpenStack? KVM/QEMU?

They're essentially both abstracted through libvirt 99% of the time. KVM does nested virt a little easier. Xen does paravirt (even if many of the use cases for paravirt have been eliminated by LXC, OpenVZ, and the ubiquity of virtualization extensions).

KVM needs less configuration for testing. Xen is somewhat better about guaranteeing resources for the host. KVM has more active development on things like samepage merging.

We use both for different cases. Is there something specific you're curious about?

Dom0/host is CentOS 6, use case would be for HA hosting of LAMP stuff mainly. Shared storage will be maybe Nexenta or NetApp or something, don't really know yet, but most likely NFS-based.

Seems to me that, conceptually speaking, the way Xen has the hypervisor on top of everything, with the Dom0 running like a VM under the HV next to the DomUs, would be preferable to the way KVM does things, but KVM seems to have become the preferred solution for Red Hat. libvirt is hella nice though, shame Xen needs to be compiled in on CentOS 6.

evol262
Nov 30, 2010
#!/usr/bin/perl

ln -s /var/www ~/Documents/whatever

I don't know how Ubuntu1 does any of its ~cloud~ stuff, but I'd be surprised if a symlink didn't work.

~the cloud~ is not a substitute for git/mercurial. Learn to use one (or both) of those.

spankmeister
Jun 15, 2008

I have a colleague at my current job (YOTJ-ing soon) that still uses RCS for that.

I tend to use git (hell how easy is it to do a "git init" somewhere right?)

angrytech
Jun 26, 2009

evol262 posted:

ln -s /var/www ~/Documents/whatever

I don't know how Ubuntu1 does any of its ~cloud~ stuff, but I'd be surprised if a symlink didn't work.

~the cloud~ is not a substitute for git/mercurial. Learn to use one (or both) of those.

These are tiny 1-off pages, so I've pushed VC off until after I graduate.
I did try the symlink, but it gives me a 403. I'm gonna gently caress with permissions a bit.

evol262
Nov 30, 2010
#!/usr/bin/perl

spankmeister posted:

Dom0/host is CentOS 6, use case would be for HA hosting of LAMP stuff mainly. Shared storage will be maybe Nexenta or NetApp or something, don't really know yet, but most likely NFS-based.

Seems to me that, conceptually speaking, the way Xen has the hypervisor on top of everything, with the Dom0 running like a VM under the HV next to the DomUs, would be preferable to the way KVM does things, but KVM seems to have become the preferred solution for Red Hat. libvirt is hella nice though, shame Xen needs to be compiled in on CentOS 6.

For HA hosting of anything, please use one of the following:

oVirt
Xen Cloud Platform
Hyper-V

You can get it going with Pacemaker or whatever, but it's a pain, and there are solutions out there for you.

Redhat landed on the KVM side, yeah. The description of Xen is pretty much like ESXi and Hyper-V, and it's applicable enough to Xen as well. I'm not sure why you think it's preferable, though. Different, yeah.

If you're already a CentOS shop, just go with KVM/oVirt.

spankmeister
Jun 15, 2008

Why I think it's preferable? Not entirely sure, but the concept of a HV with the management running as a sort of privileged guest next to the other guests seems a good way to do it. That being said, I have zero issue with using KVM if it works for my use case.

oVirt looks really cool, thanks!

BTW you mention oVirt, XCP and Hyper-V, no love for VMWare? Just curious.

Xenomorph
Jun 13, 2001

evol262 posted:

What exactly are you trying to do? You want local access, POSIX access, and access from Windows clients simultaneously? What is the use case? Are you sure Samba is even the right tool for what you want? Should every point of ingress be conjoined?

File storage for a lot of labs.
A user will be gathering data on one Linux system & saving it to our server via NFS.
They then jump on a Windows or Mac system and access the data on the server via SMB to process the data.
Other lab users have their specific tools, but many are Linux only. They jump on a Linux system and work with the processed data via NFS. Lots of back and forth where different people will want access to centralized data from specialized systems.

We've had Apple servers doing the hosting. SMB & NFS access to the same data. Samba is even more terrible on Mac OS X, and permissions got messed up a lot. Our solution here was to simply block Windows from even seeing the permissions ("nt acl support = no"). Mac OS X (up to 10.6) had a decent permissions management tool (we've been unable to get it to work in 10.7/10.8). It lets us *separately* adjust the POSIX permissions and Windows-compatible ACLs for all the directories.

I'm replacing all the ancient Apple servers (no upgrade path), and Windows is terrible at working with NFS (a whole new level of permissions issues and even performance problems), so Linux seemed like the best choice. FreeBSD honestly has worked better for me as a file server (so far), but it doesn't work with our management or backup software (and I'm not going to load a ton of data on it with no backup solution). Solaris may be an option.

I haven't found a tool that works as well as the Mac OS X one for managing ACLs ("Eiciel" for Linux is terrible), so we're left managing permissions from Linux command line and Windows Security dialog.
I set a permission in Linux, and the Windows permission gets changed to something I don't want.
I change the Windows permission back to what I want, and the Linux permission gets changed to something I don't want.

I can't seem to separate the ACLs and POSIX permissions like I can on Mac OS X and FreeBSD. However, Samba+NFS still seems like a workable solution, even with the goofy permissions. I'll just have to check permissions a bit more often on the shares.

evol262
Nov 30, 2010
#!/usr/bin/perl

spankmeister posted:

Why I think it's preferable? Not entirely sure but the concept of a HV with the management running as a sort of privileged guest next to the other guests seems a good way to do it. That being said I have zero issue with using KVM if it works for my usecase.

oVirt looks really cool, thanks!

BTW you mention oVirt, XCP and Hyper-V, no love for VMWare? Just curious.

Doesn't do clustering for free. That's pretty much why. Didn't mention XenServer either.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

Suspicious Dish posted:

And you really should not be running any GUI program as root.

Hey, you. Why is this?

(I don't think I ever do, but not because I wisely chose not to...I just haven't had a reason to)


edit: Also, to report in on my attempt to use Ubuntu 12.10 as my main desktop OS...

It's going great-ish so far. The problems I have right now are:

  1. I wanted to run Borderlands 2 under Wine, which some Googlin' led me to believe was workable, but I can't get it to work. Sometimes it will start, but I'll get like 1 FPS, other times it spits out a bunch of OpenGL errors into the terminal until I close it.
  2. Catalyst Control Center will not freaking remember that I want to extend my desktop instead of mirroring it onto my second monitor between reboots.

I kind of just gave up on fixing either of those, but the problems just sit there in the back of mind, irritating me.

Thermopyle fucked around with this message at 00:35 on Oct 23, 2012

Ninja Rope
Oct 22, 2005

Wee.

evol262 posted:

sudo su -

Why would you do this? :smith:

mystes
May 31, 2006

evol262 posted:

sudo su -

Is there some reason to do this instead of sudo -i or something?

Longinus00
Dec 29, 2005
Ur-Quan

Thermopyle posted:

Catalyst Control Center will not freaking remember that I want to extend my desktop instead of mirroring it onto my second monitor between reboots.

This is something better left to xrandr or the monitor setup page in your desktop environment (e.g. gnome/unity's monitor setup thing).

Doctor w-rw-rw-
Jun 24, 2008

evol262 posted:

Doesn't do clustering for free. That's pretty much why. Didn't mention XenServer either.

I went from Xen to KVM to ESXi. ESXi is by far the winner for home use. I felt that Xen was somewhat more mature than KVM, as KVM has a show-stopping bug with RHEL/CentOS 6 that prevents it from virtualizing FreeBSD. This is all pretty subjective, though. ESXi has the disadvantage of requiring Windows for administration and not doing software RAID, but has the overwhelming advantage of being basically impossible to gently caress up, and it being easy to configure the network however you like, something that I found pretty awful on both Xen and KVM tools.

Cyberpunkey Monkey
Jun 23, 2003

by Nyc_Tattoo

Thermopyle posted:

Hey, you. Why is this?

(I don't think I ever do, but not because I wisely chose not to...I just haven't had a reason to)


edit: Also, to report in on my attempt to use Ubuntu 12.10 as my main desktop OS...

It's going great-ish so far. The problems I have right now are:

  1. I wanted to run Borderlands 2 under Wine, which some Googlin' led me to believe was workable, but I can't get it to work. Sometimes it will start, but I'll get like 1 FPS, other times it spits out a bunch of OpenGL errors into the terminal until I close it.
  2. Catalyst Control Center will not freaking remember that I want to extend my desktop instead of mirroring it onto my second monitor between reboots.

I kind of just gave up on fixing either of those, but the problems just sit there in the back of mind, irritating me.

Wine sucks. Linux games run great these days if they're native, but otherwise... translating Windows to POSIX system calls isn't necessarily a 1 to 1 or even an easily done process. That's why porting is such a big deal. It often requires rewriting a lot of the basic stuff because of how the respective operating systems deal with simple stuff like, where in memory is your framebuffer, or what arbitrary value do I pop into register X to tell the main OS loop that we need to trap an IO call or :barf:

This problem is compounded with GPU stuff. There is so much bullshit licensing mumbo jumbo surrounding doing math with triangles and silicon chips that it's goddamn ridiculous, but that's the way the world works.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

osirisisdead posted:

Wine sucks. Linux games run great these days if they're native, but otherwise... translating Windows to POSIX system calls isn't necessarily a 1 to 1 or even an easily done process. That's why porting is such a big deal. It often requires rewriting a lot of the basic stuff because of how the respective operating systems deal with simple stuff like, where in memory is your framebuffer, or what arbitrary value do I pop into register X to tell the main OS loop that we need to trap an IO call or :barf:

This problem is compounded with GPU stuff. There is so much bullshit licensing mumbo jumbo surrounding doing math with triangles and silicon chips that it's goddamn ridiculous, but that's the way the world works.

Yeah, I'm giving up on the idea of running games. I'll just keep a Windows partition around for that. The upside being that if I have to go through the "effort" to reboot into a different OS to play a game, I'll get more work done!

Bob Morales
Aug 18, 2006

Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Thermopyle posted:

Hey, you. Why is this?

(I don't think I ever do, but not because I wisely chose not to...I just haven't had a reason to)

Because it defeats one of the main reasons UNIX (and UNIX-alikes or *nix or whatever you want to call it) has users - security.

Let's say you are running Firefox as 'thermopyle', an ordinary user. You go on some website and get a malformed GIF file or some other unpatched vulnerability. Worst case, your user account is goofed up, since your user doesn't have the rights to install a backdoored version of an ssh daemon or delete the /bin folder.

But if you're running Firefox as root...

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

Bob Morales posted:

Because it defeats one of the main reasons UNIX (and UNIX-alikes or *nix or whatever you want to call it) has users - security.

Let's say you are running Firefox as 'thermopyle', an ordinary user. You go on some website and get a malformed GIF file or some other unpatched vulnerability. Worst case, your user account is goofed up, since your user doesn't have the rights to install a backdoored version of an ssh daemon or delete the /bin folder.

But if you're running Firefox as root....

But why is that specific to GUI programs? I mean, the GIF example is of course, but console programs can have vulnerabilities as well.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

Thermopyle posted:

Hey, you. Why is this?

(I don't think I ever do, but not because I wisely chose not to...I just haven't had a reason to)

Most GUI toolkits load code at runtime, which is terrible for any sort of root operation. If you had a rogue module (not necessarily malicious), it could wreck your system. Some of these modules are for a virtual filesystem layer (gvfs with its many backends), so you could even be loading code over the network.

If you inherit the user's environment (if you don't, the window will be unthemed), you also inherit their DBus bus and other envvars, which can cause all sorts of wreckage, too.

What you need is some form of privilege escalation. Usually this is done with pkexec or another setuid daemon managed with PolicyKit.

Bob Morales
Aug 18, 2006

Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Thermopyle posted:

But why is that specific to GUI programs?

It's not.

evol262
Nov 30, 2010
#!/usr/bin/perl

Doctor w-rw-rw- posted:

I went from Xen to KVM to ESXi. ESXi is by far the winner for home use. I felt that Xen was somewhat more mature than KVM, as KVM has a show-stopping bug with RHEL/CentOS 6 that prevents it from virtualizing FreeBSD. This is all pretty subjective, though. ESXi has the disadvantage of requiring Windows for administration and not doing software RAID, but has the overwhelming advantage of being basically impossible to gently caress up, and it being easy to configure the network however you like, something that I found pretty awful on both Xen and KVM tools.

ESXi doesn't require Windows for administration if you script it, use the CLI, or use the (experimental) web UI for it. This isn't really a "for home use" scenario, though.

What show-stopping bug? Reported it? Have a bugzilla number? I've had problems with some sets of hardware not virtualizing some operating systems (specifically RHEL5.3 on Opterons and Solaris 10), but file a bug.

Additionally, networking is pretty bulletproof if you're comfortable configuring Linux networking. It's somewhat more intuitive when it comes to VLANs as well.

Ninja Rope posted:

Why would you do this? :smith:

mystes posted:

Is there some reason to do this instead of sudo -i or something?

Muscle memory. I could "sudo -s", but eh. On RHEL I can "su -" without needing sudo, but I prefer to run as root.

osirisisdead posted:

Wine sucks. Linux games run great these days if they're native, but otherwise... translating Windows to POSIX system calls isn't necessarily a 1 to 1 or even an easily done process. That's why porting is such a big deal. It often requires rewriting a lot of the basic stuff because of how the respective operating systems deal with simple stuff like, where in memory is your framebuffer, or what arbitrary value do I pop into register X to tell the main OS loop that we need to trap an IO call or :barf:

This problem is compounded with GPU stuff. There is so much bullshit licensing mumbo jumbo surrounding doing math with triangles and silicon chips that it's goddamn ridiculous, but that's the way the world works.

Spoken like it's 2000 and Loki is still porting games. WINE is extremely good these days. They have almost perfect DX9 support. It's never been better for gaming on Linux.

Cyberpunkey Monkey
Jun 23, 2003

by Nyc_Tattoo

Whatever. Wine sucks. It's a fun toy, but it's not reliable for an arbitrary game to run well enough to play.

edit: Linux gaming, has never been better though. There is better and quicker driver support, and poo poo like the Humble Bundle allows us to get good games that run native.

I would rather have native games than a hacky tool like Wine. It's cool, really. But, Linux is past that now. We can stand on our own.

Thermopyle posted:

Yeah, I'm giving up on the idea of running games. I'll just keep a Windows partition around for that. The upside being that if I have to go through the "effort" to reboot into a different OS to play a game, I'll get more work done!

It's not a bad idea to run Windows on your bare metal and whenever you *need* a *nix for something just spin up a VM or get yourself a sweet shell account and ssh in with putty, like the cool kids.

There is little reason to worry about which OS you're running except that Linux is fun as poo poo and you can do some really good learnin' on it. If you're as insane as I am. I recommend Tanenbaum's Modern Operating Systems as a great textbook that helped make a lot of things make a lot of sense in the general, abstract case.

Cyberpunkey Monkey fucked around with this message at 01:14 on Oct 23, 2012

pseudorandom name
May 6, 2007

Xenomorph posted:

I can't seem to separate the ACLs and POSIX permissions like I can on Mac OS X and FreeBSD. However, Samba+NFS still seems like a workable solution, even with the goofy permissions. I'll just have to check permissions a bit more often on the shares.

The "security mask" option doesn't do what you want?

Doctor w-rw-rw-
Jun 24, 2008

evol262 posted:

ESXi doesn't require Windows for administration if you script it, use the CLI, or use the (experimental) web UI for it. This isn't really a "for home use" scenario, though.

I could be wrong, but the useful scripting features require a $$$ license. But yeah, not a home-use scenario. Using the Windows utility is the way to go for home use.

evol262 posted:

What show-stopping bug? Reported it? Have a bugzilla number? I've had problems with some sets of hardware not virtualizing some operating systems (specifically RHEL5.3 on Opterons and Solaris 10), but file a bug.

I tried Fedora and it was fixed. Had something to do with ACPI or APIC; I don't remember. I didn't look too far into it, once I found that out, in any case. EDIT: the problem was that beastie, the menu, would halt, so it would never even get past the initial boot phase after the bootloader.

evol262 posted:

Additionally, networking is pretty bulletproof if you're comfortable configuring Linux networking. It's somewhat more intuitive when it comes to VLANs as well.

I wanted to run a VM with two ethernet interfaces and one WLAN, residing on an internal network, public network, offering up Wi-fi, as well as a netboot host. Suffice it to say that while I could certainly configure stuff by hand, it was too tedious and didn't integrate well enough with selecting networks in the GUI tools for setting up VMs. Not impossible, but not simple.

evol262 posted:

Spoken like it's 2000 and Loki is still porting games. WINE is extremely good these days. They have almost perfect DX9 support. It's never been better for gaming on Linux.

osirisisdead posted:

Whatever. Wine sucks. It's a fun toy, but it's not reliable for an arbitrary game to run well enough to play.

I sort of agree and disagree with both. Wine is pretty awesome, but not for games IMO. A layer of API emulation isn't going to have the same implementation details, and game programmers use every trick they can, so I wouldn't be inclined to run any games without an official Linux port on Linux, because that means they have been properly tested and supported on Linux, regardless of whether they're using OpenGL or some emulation of DirectX.

Doctor w-rw-rw- fucked around with this message at 01:54 on Oct 23, 2012

Xenomorph
Jun 13, 2001

pseudorandom name posted:

The "security mask" option doesn't do what you want?

If the ACL and POSIX permissions match (just the one owner, group, and "everyone"), then security masks work when files and sub-directories are created.
As soon as the ACLs no longer match the POSIX permissions (a second user is added, for example), then the masks are ignored for all further files & directories created.

Giving a user permission to Read a folder via ACL suddenly changes the POSIX permission files in that folder to "read/write/execute". You can change the POSIX permission back (g-wx), and the ACL stays correct. So it's obvious that the POSIX and ACLs can remain separate. I'd like Samba to just leave the POSIX permissions alone. I want it to only touch extended attributes/ACLs. I swear it didn't work like that on FreeBSD.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Xenomorph posted:

File storage for a lot of labs.
A user will be gathering data on one Linux system & saving it to our server via NFS.
They then jump on a Windows or Mac system and access the data on the server via SMB to process the data.
Other lab users have their specific tools, but many are Linux only. They jump on a Linux system and work with the processed data via NFS. Lots of back and forth where different people will want access to centralized data from specialized systems.

We've had Apple servers doing the hosting. SMB & NFS access to the same data. Samba is even more terrible on Mac OS X, and permissions got messed up a lot. Our solution here was to simply block Windows from even seeing the permissions ("nt acl support = no"). Mac OS X (up to 10.6) had a decent permissions management tool (we've been unable to get it to work in 10.7/10.8). It lets us *separately* adjust the POSIX permissions and Windows-compatible ACLs for all the directories.

I'm replacing all the ancient Apple servers (no upgrade path), and Windows is terrible at working with NFS (a whole new level of permissions issues and even performance problems), so Linux seemed like the best choice. FreeBSD honestly has worked better for me as a file server (so far), but it doesn't work with our management or backup software (and I'm not going to load a ton of data on it with no backup solution). Solaris may be an option.

I haven't found a tool that works as well as the Mac OS X one for managing ACLs ("Eiciel" for Linux is terrible), so we're left managing permissions from Linux command line and Windows Security dialog.
I set a permission in Linux, and the Windows permission gets changed to something I don't want.
I change the Windows permission back to what I want, and the Linux permission gets changed to something I don't want.

I can't seem to separate the ACLs and POSIX permissions like I can on Mac OS X and FreeBSD. However, Samba+NFS still seems like a workable solution, even with the goofy permissions. I'll just have to check permissions a bit more often on the shares.

We do exactly this at work. This is what we configure per share, copy pasted from our config and sanitized:
code:
[group40]
   comment = Project space for GROUP group
   valid users = @groupname
   path = /project/group40
   read only = no
   browseable = yes
   create mode = 0775
   force group = groupname
The Samba server is joined to the domain, and users have the same username in both Windows and Unix, so the Windows user FISHMANPET maps to the Unix user FISHMANPET. If FISHMANPET is in the Unix group @groupname, then I have permissions to the share. Files I write are owned by me, but the group is forced to groupname (normally it would default to my default group). Not sure why create mode is 0775 (maybe the group requested it for their files). Overall it's been humming along for years without any permissions problems.

Xenomorph
Jun 13, 2001

FISHMANPET posted:

Overall it's been humming along for years without any permissions problems.

How do the permissions look from Windows?

ExcessBLarg!
Sep 1, 2001

Thermopyle posted:

But why is that specific to GUI programs?

Honestly, the main problem I've had running GUI programs as root is that they have a tendency to spew lots of dotfiles everywhere and I'll run into permission issues with them later on. Also, I can't think of one GUI program that I'd actually need to run as root.

telcoM
Mar 21, 2009
Fallen Rib

Xenomorph posted:

Giving a user permission to Read a folder via ACL suddenly changes the POSIX permission files in that folder to "read/write/execute". You can change the POSIX permission back (g-wx), and the ACL stays correct. So it's obvious that the POSIX and ACLs can remain separate. I'd like Samba to just leave the POSIX permissions alone. I want it to only touch extended attributes/ACLs. I swear it didn't work like that on FreeBSD.

It's not Samba, it's the POSIX ACL implementation.

acl(5) posted:

CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS

The permissions defined by ACLs are a superset of the permissions specified by the file permission bits.

There is a correspondence between the file owner, group, and other permissions and specific ACL entries: the owner permissions correspond to the permissions of the ACL_USER_OBJ entry. If the ACL has an ACL_MASK entry, the group permissions correspond to the permissions of the ACL_MASK entry. Otherwise, if the ACL has no ACL_MASK entry, the group permissions correspond to the permissions of the ACL_GROUP_OBJ entry. The other permissions correspond to the permissions of the ACL_OTHER_OBJ entry.

The file owner, group, and other permissions always match the permissions of the corresponding ACL entry. Modification of the file permission bits results in the modification of the associated ACL entries, and modification of these ACL entries results in the modification of the file permission bits.

[...]

RATIONALE

IEEE 1003.1e draft 17 defines Access Control Lists that include entries of tag type ACL_MASK, and defines a mapping between file permission bits that is not constant. The standard working group defined this relatively complex interface in order to ensure that applications that are compliant with IEEE 1003.1 ("POSIX.1") will still function as expected on systems with ACLs. The IEEE 1003.1e draft 17 contains the rationale for choosing this interface in section B.23.

That seems to say that the permission bits explicitly are not separate from ACLs.

So, the result is something of a mess because of an effort to maintain backward compatibility.

Way back when I sat on a course on some other Unix, I was told that when ACLs are placed on a file, the behavior of the "ls -l" command changes: instead of displaying the actual state of the permission bits, they reflect the overall presence of read/write/execute permissions/ACLs for user(s) and group(s). So, if you had a file that is displayed as "-rwx------+" in a "ls -l" listing, that would mean the file has read, write and execute permissions for some named users, but they would not necessarily all apply for the same user. For example, user joe might have read and execute permissions, but not write, and user mike might have read and write permissions, but not permission to execute.

Likewise, the group bits would describe what kind of privileges have been granted to specific groups, but not all displayed permissions would necessarily apply to the same group.

The instructor suggested that the proper course of action was to ignore the permission bits completely whenever you see the '+' sign that indicates an ACL is present; instead you should use the appropriate command to view the actual ACL to get the real deal.

This advice has served me well over the years on Linux, Solaris, HP-UX and occasionally some other Unixes.

I could not quickly find specific documentation on the behavior of the GNU ls command in the presence of ACLs. I guess I might have to RTFS if I want to get to the bottom of it.

But on Linux, the command to view the complete POSIX ACL is "getfacl".
For Xenomorph, I think replicating the situation and running a "getfacl" before and after the chmod is probably the only way to really understand what is going on.
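
As an added illustration (not part of any post in this thread), here is a small Python model of the acl(5) correspondence quoted above: once an ACL carries a mask entry, the group column of "ls -l" shows the mask, a chmod on the group triad rewrites the mask, and the mask caps the effective rights of every named-user entry. The "joe" entry, the 0700 starting mode and the getfacl-style output are constructed for the example; the model omits named-group entries.

```python
# Constructed model of POSIX.1e ACL semantics per acl(5); it simulates
# setfacl/chmod/getfacl behaviour and does not touch a real filesystem.
R, W, X = 4, 2, 1


def perm_str(bits):
    """Render a 3-bit permission value as rwx text, e.g. 5 -> 'r-x'."""
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))


class PosixAcl:
    def __init__(self, mode):
        # A plain file: owner/group/other bits only, no named entries, no mask.
        self.user_obj = (mode >> 6) & 7
        self.group_obj = (mode >> 3) & 7
        self.other = mode & 7
        self.users = {}   # named-user entries (ACL_USER), e.g. {"joe": 7}
        self.mask = None  # ACL_MASK; created by the first named entry

    def set_user(self, name, bits):
        """Like 'setfacl -m u:name:bits' with the default mask recalculation:
        the mask becomes the union of all group-class entries."""
        self.users[name] = bits
        self.mask = self.group_obj
        for b in self.users.values():
            self.mask |= b

    def chmod_group(self, bits):
        """A chmod on the group triad edits ACL_MASK when present (acl(5)),
        otherwise ACL_GROUP_OBJ; named entries keep their stored bits."""
        if self.mask is None:
            self.group_obj = bits
        else:
            self.mask = bits

    def effective(self, bits):
        """Effective rights of a group-class entry: ANDed with the mask."""
        return bits if self.mask is None else bits & self.mask

    def ls_bits(self):
        """What 'ls -l' displays; '+' marks an extended ACL."""
        grp = self.group_obj if self.mask is None else self.mask
        plus = "+" if self.mask is not None else ""
        return perm_str(self.user_obj) + perm_str(grp) + perm_str(self.other) + plus

    def getfacl(self):
        """getfacl-style lines, including '#effective:' where the mask caps an entry."""
        lines = ["user::" + perm_str(self.user_obj)]
        for name, b in self.users.items():
            eff = self.effective(b)
            tail = "" if eff == b else "\t#effective:" + perm_str(eff)
            lines.append("user:%s:%s%s" % (name, perm_str(b), tail))
        lines.append("group::" + perm_str(self.group_obj))
        if self.mask is not None:
            lines.append("mask::" + perm_str(self.mask))
        lines.append("other::" + perm_str(self.other))
        return lines
```

Walking through Xenomorph's scenario with this model (mode 0700, give joe rwx, then chmod g-wx) shows the group column jumping to rwx and back, while joe's entry stays rwx on paper but is reported as "#effective:r--".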

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.

telcoM posted:

It's not Samba, it's the POSIX ACL implementation.


That seems to say that the permission bits explicitly are not separate from ACLs.

So, the result is something of a mess because of an effort to maintain backward compatibility.

Way back when I sat on a course on some other Unix, I was told that when ACLs are placed on a file, the behavior of the "ls -l" command changes: instead of displaying the actual state of the permission bits, they reflect the overall presence of read/write/execute permissions/ACLs for user(s) and group(s). So, if you had a file that is displayed as "-rwx------+" in a "ls -l" listing, that would mean the file has read, write and execute permissions for some named users, but they would not necessarily all apply for the same user. For example, user joe might have read and execute permissions, but not write, and user mike might have read and write permissions, but not permission to execute.

Likewise, the group bits would describe what kind of privileges have been granted to specific groups, but not all displayed permissions would necessarily apply to the same group.

The instructor suggested that the proper course of action was to ignore the permission bits completely whenever you see the '+' sign that indicates an ACL is present; instead you should use the appropriate command to view the actual ACL to get the real deal.

This advice has served me well over the years on Linux, Solaris, HP-UX and occasionally some other Unixes.

I could not quickly find specific documentation on the behavior of the GNU ls command in the presence of ACLs. I guess I might have to RTFS if I want to get to the bottom of it.

But on Linux, the command to view the complete POSIX ACL is "getfacl".
For Xenomorph, I think replicating the situation and running a "getfacl" before and after the chmod is probably the only way to really understand what is going on.
It's important to note that POSIX ACLs aren't the only ACL implementation, either. Some filesystems (e.g. ZFS, GPFS) support NFSv4 ACLs, which integrate much better with CIFS and behave a lot more predictably to CIFS clients.

Xenomorph
Jun 13, 2001

Misogynist posted:

It's important to note that POSIX ACLs aren't the only ACL implementation, either. Some filesystems (e.g. ZFS, GPFS) support NFSv4 ACLs, which integrate much better with CIFS and behave a lot more predictably to CIFS clients.

I understand why ZFS isn't on Linux - but why aren't NFSv4 ACLs? Samba seems to ignore them completely on Linux (but takes *full* advantage of them on Solaris and BSD).

Mierdaan
Sep 14, 2004

Pillbug
Hey Linux nerds - we have a structural biologist starting at my work soon who needs to do GPU-intensive modeling on a CentOS workstation. What brand of GPU is least likely to make me want to kill myself trying to support it?


spankmeister
Jun 15, 2008

Nvidia
