Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe
File a bug on https://bugs.freedesktop.org?product=xorg please, under the "Driver/nouveau" component. Link it in here once you do so I can CC to it as well.

ArcticZombie
Sep 15, 2010
Bug report here:

https://bugs.freedesktop.org/show_bug.cgi?id=72180

It's a bit all over the place as I wasn't sure which information was relevant.

cowboy beepboop
Feb 24, 2001

What's a good ssh/rdp connection manager thing? I'd like something with tabs. I use Gnome 3.

I've tried Remmina which had a few quirks (can't copy from SSH sessions, menu floats in a different window) and Vinagre (can't copy from SSH, can't work out how to change size of terminal buffer, RDP sessions close instantly)

Seriously, what is with these programs? Copy/paste is really important. Anything better? I think I literally just want a list of bookmarked servers and sessions in tabs.

Captain Pike
Jul 29, 2003

I think pianobar is pretty neat. It is a command-line Pandora app. I have an old, slow laptop connected to my stereo, with Linux installed on it. I SSH into it from my personal laptop, and control Pandora with keyboard shortcuts.

It's very convenient, and needless to say, it REALLY impresses chicks.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

my stepdads beer posted:

What's a good ssh/rdp connection manager thing? I'd like something with tabs. I use Gnome 3.

I've tried Remmina which had a few quirks (can't copy from SSH sessions, menu floats in a different window) and Vinagre (can't copy from SSH, can't work out how to change size of terminal buffer, RDP sessions close instantly)

Seriously, what is with these programs? Copy/paste is really important. Anything better? I think I literally just want a list of bookmarked servers and sessions in tabs.

A coworker is working on hotssh in his spare time. You'll have to compile from source, but it has copy/paste support in the form of Shift+Insert / Ctrl+Insert, and PRIMARY support. I'm trying to make Ctrl+Shift+C / Ctrl+Shift+V work.

It's a bit rough now, also.

The Third Man
Nov 5, 2005

I know how much you like ponies so I got you a ponies avatar bro
This popped up on hacker news and I thought it was really useful: http://explainshell.com/

hifi
Jul 25, 2012

my stepdads beer posted:

What's a good ssh/rdp connection manager thing? I'd like something with tabs. I use Gnome 3.

I've tried Remmina which had a few quirks (can't copy from SSH sessions, menu floats in a different window) and Vinagre (can't copy from SSH, can't work out how to change size of terminal buffer, RDP sessions close instantly)

Seriously, what is with these programs? Copy/paste is really important. Anything better? I think I literally just want a list of bookmarked servers and sessions in tabs.

This is ssh-only but you can use gnome-terminal for tabs, add hosts in ~/.ssh/config and then set up your shell to tab-complete with data from the config and known_hosts files.
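
The completion step in that setup, as an added example for this thread (it is not hifi's configuration or any project's code): a small Python script that pulls the concrete aliases out of ~/.ssh/config and the plain names out of ~/.ssh/known_hosts, which bash can call through `complete -C`. The sample config and known_hosts text inside it are constructed for the demo, and the key blobs are placeholders, not real keys.

```python
"""ssh tab-completion candidates from ~/.ssh/config and ~/.ssh/known_hosts.

Added example for this thread, not part of any project. Hook it into bash with
    complete -C 'python3 ssh_complete.py' ssh
bash then runs it with argv = [name, word_being_completed, previous_word]
and reads one candidate per line from stdout.
"""
import os
import sys

PATTERN_CHARS = "*?!"   # ssh_config / known_hosts pattern syntax: not typeable names

# Constructed sample input for the demo, not a real config.
SAMPLE_CONFIG = """
Host bastion
    HostName 203.0.113.10
    User ops
Host web-* !web-old
    ProxyJump bastion
Host db1 db2
    Port 2222
"""

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """
203.0.113.10,bastion ssh-ed25519 AAAAC3PLACEHOLDER
[git.example.net]:2222 ssh-rsa AAAAB3PLACEHOLDER
|1|ZmFrZXNhbHQ=|ZmFrZWhhc2g= ssh-ed25519 AAAAC3PLACEHOLDER
@cert-authority *.example.net ssh-ed25519 AAAAC3PLACEHOLDER
"""


def config_hosts(text):
    """Concrete Host aliases from ssh_config text (patterns and negations skipped)."""
    hosts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if not parts or parts[0].lower() != "host":
            continue
        hosts.extend(a for a in parts[1:] if not any(c in a for c in PATTERN_CHARS))
    return hosts


def known_hosts_names(text):
    """Host names from known_hosts text.

    Comma lists and the [host]:port form are unpacked. Hashed entries
    (|1|salt|hash, written with HashKnownHosts yes) are skipped because the
    name cannot be recovered from them, which is the point of hashing; so are
    @cert-authority / @revoked marker lines.
    """
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@|":
            continue
        for name in line.split()[0].split(","):
            if name.startswith("["):
                name = name[1:].split("]", 1)[0]
            if name and not any(c in name for c in PATTERN_CHARS):
                names.append(name)
    return names


def candidates(config_text, known_hosts_text, prefix=""):
    """Union of both sources, de-duplicated, filtered by the typed prefix."""
    pool = set(config_hosts(config_text)) | set(known_hosts_names(known_hosts_text))
    return sorted(h for h in pool if h.startswith(prefix))


def _read(path):
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except OSError:          # file missing: that source contributes nothing
        return ""


if __name__ == "__main__":
    word = sys.argv[2] if len(sys.argv) > 2 else ""     # the word bash is completing
    ssh_dir = os.path.expanduser("~/.ssh")
    config = _read(os.path.join(ssh_dir, "config"))
    known = _read(os.path.join(ssh_dir, "known_hosts"))
    for host in candidates(config, known, word):
        print(host)
```

With `HashKnownHosts yes` the known_hosts side yields nothing, by design: the hashing exists so that a copied known_hosts file does not list every machine you talk to, so on such a box the config file is the only source worth completing from.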

cowboy beepboop
Feb 24, 2001

Suspicious Dish posted:

A coworker is working on hotssh in his spare time. You'll have to compile from source, but it has copy/paste support in the form of Shift+Insert / Ctrl+Insert, and PRIMARY support. I'm trying to make Ctrl+Shift+C / Ctrl+Shift+V work.

It's a bit rough now, also.

I will check this out at work today, thanks

edit this is weird - one of the issues of running a beta I guess? Worth a bug report?
code:
sudo yum install glib2-devel
Loaded plugins: langpacks, refresh-packagekit
Resolving Dependencies
--> Running transaction check
---> Package glib2-devel.x86_64 0:2.38.2-1.fc20 will be installed
--> Processing Dependency: glib2(x86-64) = 2.38.2-1.fc20 for package: glib2-devel-2.38.2-1.fc20.x86_64
--> Finished Dependency Resolution
Error: Package: glib2-devel-2.38.2-1.fc20.x86_64 (fedora)
           Requires: glib2(x86-64) = 2.38.2-1.fc20
           Installed: glib2-2.38.2-2.fc20.x86_64 (@updates-testing)
               glib2(x86-64) = 2.38.2-2.fc20
           Available: glib2-2.38.2-1.fc20.x86_64 (fedora)
               glib2(x86-64) = 2.38.2-1.fc20

cowboy beepboop fucked around with this message at 23:35 on Dec 2, 2013

Experto Crede
Aug 19, 2008

Keep on Truckin'
Does anyone know how to get more info out of wpa_supplicant about why it's not connecting?

When I try to run it, I get the error "ioctl[SIOCSIWENCODEEXT]: Invalid argument", and then it just hangs for ages never connecting. The wifi chip is on and the firmware's loaded as dmesg says as such.

Just to clarify the wifi chip is a Marvell SD8797.

telcoM
Mar 21, 2009
Fallen Rib

Experto Crede posted:

Does anyone know how to get more info out of wpa_supplicant about why it's not connecting?

When I try to run it, I get the error "ioctl[SIOCSIWENCODEEXT]: Invalid argument", and then it just hangs for ages never connecting.

Knowing the name and version of your Linux distribution would be helpful.

Google tells me that your wpa_supplicant.conf file might be incorrectly formatted:
http://askubuntu.com/questions/106633/wpa-supplicant-ioctlsiocsiwencodeext-invalid-argument

Another possible cause is that the driver might only support the newer nl80211 configuration API instead of the old Wireless Extensions. In that case, start your wpa_supplicant with "-D nl80211" instead of "-D wext", or make the equivalent change to the configuration file.

Experto Crede
Aug 19, 2008

Keep on Truckin'

telcoM posted:

Knowing the name and version of your Linux distribution would be helpful.

Google tells me that your wpa_supplicant.conf file might be incorrectly formatted:
http://askubuntu.com/questions/106633/wpa-supplicant-ioctlsiocsiwencodeext-invalid-argument

Another possible cause is that the driver might only support the newer nl80211 configuration API instead of the old Wireless Extensions. In that case, start your wpa_supplicant with "-D nl80211" instead of "-D wext", or make the equivalent change to the configuration file.

Sorry, thought I'd included that!

This is ubuntu 12.04 (sans a UI) running on an ARM chromebook. I just ran it with a -d and it seems it was that the chip didn't like wext, but when using nl80211 I just get it stuck on Daemonize and then not doing anything.

EDIT: Actually, ignore all that. It seems wpa_supplicant was running fine, but dhclient running after it is hanging. When I do dhclient -d mlan0, I see the license info then nothing.

Experto Crede fucked around with this message at 14:19 on Dec 3, 2013

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

On Ubuntu what's a good way to work with commands that have tab-completion, but the system needs elevated privileges to get the info for the tab completion?

Specifically, zfs' zpool commands can tab-complete device names, but if you try doing something like:

pre:
sudo zpool clear tank1 name_of_de
and then hit tab to complete the name of the device, you end up with a command line that looks like:

pre:
sudo zpool clear tank1 name_of_deUnable to open /dev/zfs: Permission denied.

Experto Crede
Aug 19, 2008

Keep on Truckin'

Thermopyle posted:

On Ubuntu what's a good way to work with commands that have tab-completion, but the system needs elevated privileges to get the info for the tab completion?

Specifically, zfs' zpool commands can tab-complete device names, but if you try doing something like:

pre:
sudo zpool clear tank1 name_of_de
and then hit tab to complete the name of the device, you end up with a command line that looks like:

pre:
sudo zpool clear tank1 name_of_deUnable to open /dev/zfs: Permission denied.

Can you do sudo -i first to put yourself in a temporarily elevated shell?

Delta-Wye
Sep 29, 2005

Thermopyle posted:

On Ubuntu what's a good way to work with commands that have tab-completion, but the system needs elevated privileges to get the info for the tab completion?

Specifically, zfs' zpool commands can tab-complete device names, but if you try doing something like:

pre:
sudo zpool clear tank1 name_of_de
and then hit tab to complete the name of the device, you end up with a command line that looks like:

pre:
sudo zpool clear tank1 name_of_deUnable to open /dev/zfs: Permission denied.

This is one thing I hate about sudo vs. simply su'ing to root. I usually just type out the command sans sudo, then hit home and add in the sudo last. Does zpool tab complete even with an unprivileged user?

hifi
Jul 25, 2012

Thermopyle posted:

On Ubuntu what's a good way to work with commands that have tab-completion, but the system needs elevated privileges to get the info for the tab completion?

Specifically, zfs' zpool commands can tab-complete device names, but if you try doing something like:

pre:
sudo zpool clear tank1 name_of_de
and then hit tab to complete the name of the device, you end up with a command line that looks like:

pre:
sudo zpool clear tank1 name_of_deUnable to open /dev/zfs: Permission denied.

Copy whatever completer gets used to your local config file and then prepend a sudo to it.

Drunk Badger
Aug 27, 2012

Trained Drinking Badger
A Faithful Companion

Grimey Drawer
What's a good way I can write a script on my side to send commands to a remote host via SSH? This isn't something I can send a script to and run remotely, so every command I need to send needs to be written locally.

Drunk Badger fucked around with this message at 19:51 on Dec 3, 2013

evol262
Nov 30, 2010
#!/usr/bin/perl

Drunk Badger posted:

What's a good way I can write a script on my side to send commands to a remote host via SSH? This isn't something I can send a script to and run remotely, so every command I need to send needs to be written locally.

Net::SSH
Paramiko
Pexpect
Expect if you hate yourself.

matato
Apr 5, 2009

Drunk Badger posted:

What's a good way I can write a script on my side to send commands to a remote host via SSH? This isn't something I can send a script to and run remotely, so every command I need to send needs to be written locally.

I've attached a work in progress python script that I use daily to do this, seems to do the trick for most things. Please note that there are issues with the script which I've noted below. I'll put it up on github or sourceforge... eventually. Comments welcome.

Requirements: python-argparse, python-paramiko, python 2.6+ (2.7+ more better for a number of reasons, including native argparse)

I TAKE NO RESPONSIBILITY FOR THIS SCRIPT RUNNING ON LIVE PRODUCTION SYSTEMS AND BURNING THINGS TO THE GROUND OR OTHERWISE BREAKING poo poo so use common sense pls

http://howdoilinux.com/files/premote

sample command:
code:
./premote -f hosts.txt -t10 -o outfile.txt "uname -r"

# chaining commands
./premote -f hosts.txt -t30 -o outfile-01.txt "uptime" "grep 534 /etc/passwd"
./premote -f hosts.txt -t5 "sudo whoami; uptime"

# one-offs when i can't be arsed to make a separate file and just want STDOUT
./premote -s host1,host2,host3 -t3 "foo bar"

# when using key-based auth, for batch execution
./premote -f hosts.txt -q -k -o outfile.txt "hostname"
TO-DO:
- move sudo prompt into OutputThread
- clean up argument parsing (-q -k unexpected behavior)

KNOWN ISSUES:
- child threads default to 30 second connect timeout (OpenSSH default). This is an issue when attempting to connect to a host in DNS with no network. Workaround with -T <n> (ssh connect timeout). Root cause: child threads do not catch the ^C against the parent thread.

matato fucked around with this message at 20:52 on Dec 3, 2013
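
The premote usage above boils down to: read hosts from a file, run one command on each of them in parallel with a per-host timeout, and collect the output. Here is that loop as an added example for this thread (it is not premote's or polysh's code) built on the system ssh binary instead of paramiko, so there is nothing to install. BatchMode=yes makes ssh fail rather than prompt, so an unknown host key or a password request becomes a reported error instead of a hung thread; for the same reason it keeps StrictHostKeyChecking on rather than auto-adding keys. The `--local` flag, the hosts-file format and the option names are this example's own, not premote's.

```python
"""Fan one command out to many hosts in parallel over the system ssh binary.

Added example for this thread; not premote's or polysh's code. Each host gets
its own thread and its own hard timeout. BatchMode=yes makes ssh fail instead
of prompting, so an unknown host key or a password request is a reported
error, not a hung thread, and host keys are never auto-added.
"""
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor


def _run(argv, timeout):
    """Run argv; return (returncode, stdout, stderr). returncode None = did not finish."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None, "", "timeout after %ds" % timeout
    except OSError as exc:            # e.g. ssh binary not installed
        return None, "", str(exc)
    return proc.returncode, proc.stdout, proc.stderr


def ssh_runner(host, command, timeout):
    """ConnectTimeout bounds the TCP connect; the subprocess timeout bounds the
    whole run, which is the fix for the 30-second-default problem in the thread."""
    argv = ["ssh", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=yes",
            "-o", "ConnectTimeout=%d" % timeout, host, command]
    return _run(argv, timeout)


def local_runner(host, command, timeout):
    """Same contract, command run locally: a dry run of the fan-out logic."""
    return _run(["sh", "-c", command], timeout)


def run_on_hosts(hosts, command, timeout=10, workers=20, runner=ssh_runner):
    """{host: (returncode, stdout, stderr)} for every host, failures included."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {h: pool.submit(runner, h, command, timeout) for h in hosts}
        return {h: f.result() for h, f in futures.items()}


def read_hosts(text):
    """One host per line; blank lines and # comments ignored."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def format_report(results):
    """Host-prefixed lines so the output is greppable per host."""
    out_lines = []
    for host in sorted(results):
        rc, out, err = results[host]
        out_lines.append("== %s %s" % (host, "rc=%d" % rc if rc is not None else "FAILED"))
        out_lines.extend("%s: %s" % (host, l) for l in (out or err).splitlines())
    return "\n".join(out_lines)


if __name__ == "__main__":
    # usage: python3 fanout.py [--local] [-t SECONDS] hosts.txt "command"
    args = sys.argv[1:]
    use_local = "--local" in args
    timeout = int(args[args.index("-t") + 1]) if "-t" in args else 10
    hosts_file, command = args[-2], args[-1]
    with open(hosts_file, encoding="utf-8") as fh:
        hosts = read_hosts(fh.read())
    results = run_on_hosts(hosts, command, timeout,
                           runner=local_runner if use_local else ssh_runner)
    print(format_report(results))
    sys.exit(0 if all(r[0] == 0 for r in results.values()) else 1)
```

Commands that need a sudo password fail under BatchMode; that interactive case is what premote's sudo prompt handles and this example deliberately does not, so it suits NOPASSWD sudoers entries or commands that need no escalation.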

Cidrick
Jun 10, 2001

Praise the siamese

pliantkitchen posted:

I've attached a work in progress python script that I use daily to do this, seems to do the trick for most things. Paramiko can be wily and it hangs or kills the child thread on extremely long-running remote commands - I'm still debugging that issue. I'll put it up on github or sourceforge... eventually. Comments welcome.

I use pliant's script daily as well (we work together - sup bro) for all manner of tasks that are too ad-hoc for Puppet and for things I'd prefer to run via sudo rather than root. Here's an example of me bouncing all five of my Splunk indexers at once

code:
premote -f indexers.txt -t 5 "sudo /sbin/service splunk restart"

evol262
Nov 30, 2010
#!/usr/bin/perl

pliantkitchen posted:

I've attached a work in progress python script that I use daily to do this, seems to do the trick for most things. Paramiko can be wily and it hangs or kills the child thread on extremely long-running remote commands - I'm still debugging that issue. I'll put it up on github or sourceforge... eventually. Comments welcome.

Requirements: python-argparse (default in 2.7.5+), python-paramiko, python 2.6+ (2.7+ more better for a number of reasons)

I TAKE NO RESPONSIBILITY FOR THIS SCRIPT RUNNING ON LIVE PRODUCTION SYSTEMS AND BURNING THINGS TO THE GROUND OR OTHERWISE BREAKING poo poo so use common sense pls

http://howdoilinux.com/files/premote

sample command:
code:
./premote -f hosts.txt -t10 -o outfile.txt "uname -r"

# chaining commands
./premote -f hosts.txt -t30 -o outfile-01.txt "uptime" "grep 534 /etc/passwd"
./premote -f hosts.txt -t5 "sudo whoami; uptime"

# one-offs when i can't be arsed to make a separate file and just want STDOUT
./premote -s host1,host2,host3 -t3 "foo bar"

# when using key-based auth, for batch execution
./premote -f hosts.txt -q -k -o outfile.txt "hostname"
TO-DO:
- move sudo prompt into OutputThread
- clean up argument parsing (-q -k unexpected behavior)

KNOWN ISSUES:
- child threads default to 30 second connect timeout (OpenSSH default). This is an issue when attempting to connect to a host in DNS with no network. Workaround with -T <n> (ssh connect timeout). Root cause: child threads do not catch the ^C against the parent thread.

Honest question:

What's the advantage of this over polysh?

matato
Apr 5, 2009

evol262 posted:

Honest question:

What's the advantage of this over polysh?

That's a good question! I've never used polysh. I'm curious how it handles multi-line output or interactive responses (sudo, yes/no, ls -l on a large directory)... all of the examples I see on that page show commands that produce one line of output.

Edit: Gave a quick spin...

a few pros:
- synchronous commands on multiple hosts (acts like DSH on AIX)
- multi-line output and interactive responses handled well

a few knocks (maybe there are flags to disable some of these so ignore if so):
- requires a known_hosts entry for the remote host, does not auto-add from what I found
- assumes SSH keys
- much more complex for simple tasks
- output generated is not easily parsed using simple commands

In general, if something were to require me to use an interactive shell for configuration like polysh I'd rather throw it into puppet to avoid fat fingering something. We typically use premote for fire-and-forget operational tasks (sudo service restart, etc) or auditing flat files; in general stuff that doesn't require tight synchronization or the use of distributed shells.

matato fucked around with this message at 21:36 on Dec 3, 2013

Drunk Badger
Aug 27, 2012

Trained Drinking Badger
A Faithful Companion

Grimey Drawer
I ended up using pexpect, which worked pretty well. Thanks for the advice!

evol262
Nov 30, 2010
#!/usr/bin/perl

pliantkitchen posted:

That's a good question! I've never used polysh. I'm curious how it handles multi-line output or interactive responses (sudo, yes/no, ls -l on a large directory)... all of the examples I see on that page show commands that produce one line of output.

Edit: Gave a quick spin...

a few pros:
- synchronous commands on multiple hosts (acts like DSH on AIX)
- multi-line output and interactive responses handled well

a few knocks (maybe there are flags to disable some of these so ignore if so):
- requires a known_hosts entry for the remote host, does not auto-add from what I found
- assumes SSH keys
- much more complex for simple tasks
- output generated is not easily parsed using simple commands

In general, if something were to require me to use an interactive shell for configuration like polysh I'd rather throw it into puppet to avoid fat fingering something. We typically use premote for fire-and-forget operational tasks (sudo service restart, etc) or auditing flat files; in general stuff that doesn't require tight synchronization or the use of distributed shells.

I guess I've always used polysh for exactly the same things your example command lines looked like. I take keybased auth as a given, but using polysh to run commands across servers which don't require enough complexity for mcollective, one-off puppet runs, or whatever is natural enough. I'd definitely rather use puppet, chef, ansible, or something else for configuration management, but my implication was that you don't necessarily need to roll your own utility for fire-and-forget operational tasks.

That said, I've never seen a utility quite like premote before, and there's definitely room for more than one tool in this space. You should try to get it packaged in Debian, and/or Fedora/EPEL.

Cidrick
Jun 10, 2001

Praise the siamese

evol262 posted:

I take keybased auth as a given

Maybe I'm being naïve, but - is this the case everywhere? I've never been in a shop that has encouraged blasting SSH keys to thousands of boxes just for convenience's sake.

evol262
Nov 30, 2010
#!/usr/bin/perl

Cidrick posted:

Maybe I'm being naïve, but - is this the case everywhere? I've never been in a shop that has encouraged blasting SSH keys to thousands of boxes just for convenience's sake.

I guess I should have said passwordless auth, but it's common to have keys, kerberos auth+forwardable tickets, or some other method of single-sign-on for SSH. If you're in a regulated environment which needs auditing, you may still be connecting with your account and escalating with powerbroker, sudo (with pam_audit logging), or some other mechanism, but there's no reason to be typing in your password (or worse, a root or service password) all day.

SSH keys are an expected part of AWS-like environments as well.

matato
Apr 5, 2009

evol262 posted:

I guess I should have said passwordless auth, but it's common to have keys, kerberos auth+forwardable tickets, or some other method of single-sign-on for SSH. If you're in a regulated environment which needs auditing, you may still be connecting with your account and escalating with powerbroker, sudo (with pam_audit logging), or some other mechanism, but there's no reason to be typing in your password (or worse, a root or service password) all day.

SSH keys are an expected part of AWS-like environments as well.

That's a good point, I didn't take Kerberos into account. I could see polysh being very useful in an environment like that...

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.

Cidrick posted:

Maybe I'm being naïve, but - is this the case everywhere? I've never been in a shop that has encouraged blasting SSH keys to thousands of boxes just for convenience's sake.
It's not a question of "convenience's sake," they're much more secure than passwords as long as you don't do dumb poo poo like adding everyone in the department to root's authorized_keys.

Goon Matchmaker
Oct 23, 2003

I play too much EVE-Online
So, somewhat related to the Linux topic, but I'm leaving my current job next Friday. They're finally starting to realize that it's impossible for the guy they've chosen to replace me to actually do anything near what I do. They want to keep me available as a contractor. I'm not sure of the full details yet, like if I get to set the rate, etc. I'm looking for some tips on how to approach this as I've never done consulting/contract type stuff before. What should I charge? Is there anything I need to be aware of?

evol262
Nov 30, 2010
#!/usr/bin/perl

Goon Matchmaker posted:

So, somewhat related to the Linux topic, but I'm leaving my current job next Friday. They're finally starting to realize that it's impossible for the guy they've chosen to replace me to actually do anything near what I do. They want to keep me available as a contractor. I'm not sure of the full details yet, like if I get to set the rate, etc. I'm looking for some tips on how to approach this as I've never done consulting/contract type stuff before. What should I charge? Is there anything I need to be aware of?

The best thing you can do is to leave good documentation for the new guy. I'm sure you couldn't do anything near what you can do when you started in your position either.

If you're going to contract for them, you should basically set the following conditions:

  • You set the rate
  • There are no conflicts with your new job
  • You'll only do it for 3 months tops
  • You want your new hourly rate + 50% (25% overhead for HR stuff on regular employees is common, and the other 25% is for your hassle). Calculate salary into hourly as $5/hr = $2k/yr.
  • W2 only. If they want to make you I9, raise your rate by another 30% to account for the tax hassle you'll have to do.
  • If you get called outside normal business hours or for a production problem, you want 150%
  • Disable your user accounts -- if they want them reenabled so you can directly log in (and assume responsibility), it's 24 hours at a time only and you want a fee, even if it's only $100.
All of this sounds dickish, but it's to make sure they learn to rely on the new guy, can't blame problems on you, and to deter them from harassing you unless they really need to.

wolrah
May 8, 2006
what?
Not entirely a Linux question but since there isn't an OpenSSH thread I figure it makes the most sense here, is there any way to get OpenSSH to behave more like PuTTY when it encounters a key mismatch? As in scream and yell a warning, but still let me acknowledge and continue on? Or at least tell it to never, ever, ever remember keys for common internal IPs like 192.168.1.1?

It's annoying as hell to have a 50/50 shot of needing to open up known_hosts and delete a line every time I connect to a device at a customer site.

evol262
Nov 30, 2010
#!/usr/bin/perl

wolrah posted:

Not entirely a Linux question but since there isn't an OpenSSH thread I figure it makes the most sense here, is there any way to get OpenSSH to behave more like PuTTY when it encounters a key mismatch? As in scream and yell a warning, but still let me acknowledge and continue on?
StrictHostKeyChecking no

wolrah posted:

Or at least tell it to never, ever, ever remember keys for common internal IPs like 192.168.1.1?
~/.ssh/config

Host whatever
Hostname 192.168.1.1
UserKnownHostsFile /dev/null
StrictHostKeyChecking no

wolrah
May 8, 2006
what?

evol262 posted:

StrictHostKeyChecking no
This disables the alert altogether, which is not desirable for obvious reasons.

quote:

~/.ssh/config

Host whatever
Hostname 192.168.1.1
UserKnownHostsFile /dev/null
StrictHostKeyChecking no

This got me on the right track, and I found that this apparently works:

code:
Host 192.168.0.*
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null
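
What the StrictHostKeyChecking no / UserKnownHostsFile /dev/null pair above switches off is the comparison of the presented key against known_hosts; the warning wolrah wants to keep is the "mismatch" outcome of that lookup. The following added example (written for this page, not OpenSSH code) reproduces the lookup in Python, including the hashed |1|salt|hash entries that HashKnownHosts writes, on a constructed known_hosts text whose key blobs are placeholders. For the original problem, two OpenSSH features do the job without a blanket override: `ssh-keygen -R 192.168.1.1` deletes just the stale line, and `StrictHostKeyChecking accept-new` (OpenSSH 7.6 and later, so not available when this thread was written) accepts hosts you have never seen while still refusing a changed key.

```python
"""Host-key lookup against known_hosts, including hashed (|1|salt|hash) entries.

Added example for this thread; not OpenSSH code. It reproduces the check that
`UserKnownHostsFile /dev/null` + `StrictHostKeyChecking no` switches off.
"""
import base64
import hashlib
import hmac
import os


def host_field(host, port=22):
    """known_hosts spells a non-default port as [host]:port."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def hashed_entry(host, port=22, salt=None):
    """The |1|salt|hash name field OpenSSH writes under HashKnownHosts yes:
    HMAC-SHA1 keyed by a 20-byte salt over the host field, both base64."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, host_field(host, port).encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def name_matches(field, host, port=22):
    """True if a known_hosts name field (plain, comma list, or hashed) names host:port."""
    wanted = host_field(host, port)
    if field.startswith("|1|"):
        _, _, b64salt, b64mac = field.split("|")
        mac = hmac.new(base64.b64decode(b64salt), wanted.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(b64mac))
    return wanted in field.split(",")


def check_host_key(known_hosts_text, host, key_type, key_b64, port=22):
    """'match', 'mismatch' or 'unknown' for the key a server just presented.

    'mismatch' is the state behind the REMOTE HOST IDENTIFICATION HAS CHANGED
    warning: a key of the same type is on file and it is different. An entry
    of another key type does not count as a mismatch; OpenSSH treats that as
    a new key of that type. Marker lines (@cert-authority, @revoked) are left
    out of this demo.
    """
    seen = False
    for raw in known_hosts_text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0][0] in "#@":
            continue
        if not name_matches(parts[0], host, port) or parts[1] != key_type:
            continue
        seen = True
        if hmac.compare_digest(parts[2], key_b64):
            return "match"
    return "mismatch" if seen else "unknown"


# Constructed known_hosts text; key blobs are placeholders, not real keys.
KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "203.0.113.10,router ssh-ed25519 AAAAKEY1",
    hashed_entry("git.example.net", 2222, salt=b"\x01" * 20) + " ssh-rsa AAAAKEY2",
])

if __name__ == "__main__":
    for args in [("router", "ssh-ed25519", "AAAAKEY1"),
                 ("router", "ssh-ed25519", "AAAAOTHER"),
                 ("192.168.1.1", "ssh-ed25519", "AAAAKEY1")]:
        print(args[0], check_host_key(KNOWN_HOSTS, *args))
```

The "unknown" outcome is the one `accept-new` auto-accepts and `ask` prompts on; "mismatch" is the one every setting except `no` refuses, and with `no` OpenSSH still disables password authentication for that connection because a changed key is exactly what a man-in-the-middle looks like.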

eightysixed
Sep 23, 2004

I always tell the truth. Even when I lie.

evol262 posted:

W2 only. If they want to make you I9

If they're moving him from a waged employee to a contractor, he'll likely not be compensated via regular W-2 in the company any longer - that's synonymous with a waged employee, something a contractor is not. If what he said is actually what's happening, he'll definitely be filing for a 1099, or Independent Contractor. Why you brought up an I-9 (aka whether or not he's legal to work in the United States), I'll never know :psyduck: - as that doesn't cause any tax hassle at all.

eightysixed fucked around with this message at 17:48 on Dec 5, 2013

Goon Matchmaker
Oct 23, 2003

I play too much EVE-Online

evol262 posted:

The best thing you can do is to leave good documentation for the new guy. I'm sure you couldn't do anything near what you can do when you started in your position either.

I've written about 100 pages of documentation covering day to day stuff and some of the more common things that explode, so there's that. The guy is a Windows admin they're trying to shoehorn into Linux administration. His knowledge extends as far as "cd" and "ls".

quote:

If you're going to contract for them, you should basically set the following conditions:

  • You set the rate
  • There are no conflicts with your new job
  • You'll only do it for 3 months tops
  • You want your new hourly rate + 50% (25% overhead for HR stuff on regular employees is common, and the other 25% is for your hassle). Calculate salary into hourly as $5/hr = $2k/yr.
  • W2 only. If they want to make you I9, raise your rate by another 30% to account for the tax hassle you'll have to do.
  • If you get called outside normal business hours or for a production problem, you want 150%
  • Disable your user accounts -- if they want them reenabled so you can directly log in (and assume responsibility), it's 24 hours at a time only and you want a fee, even if it's only $100.
All of this sounds dickish, but it's to make sure they learn to rely on the new guy, can't blame problems on you, and to deter them from harassing you unless they really need to.

I don't think any of this is unreasonable. I've given them 3 full weeks of notice and made myself available over the Thanksgiving week I took off in case they had issues. The contract labor stuff is going to go straight to savings if I do any of it which is the only reason I'm considering it.

Thanks!

Ninja Rope
Oct 22, 2005

Wee.
Don't look at it like you're doing a favor for them, it's an opportunity for you to make more money and expand your business knowledge and resume. Do you have the time and interest in doing so? You have no obligation to do anything for them.

If you do want the extra work and extra money then charge them a rate that makes it worth your time. If "worth your time" is double or whatever then be honest and tell them that, but know that if you ask for something ridiculous they'll think poorly of you.

I'd suggest you work for them on "projects" only. Scope the work, send them an estimate, and have them approve, all before you do any actual work. Don't let them call you whenever they want and ask you to do something if you have a new full time job, they need to schedule your time in advance. This helps you not gently caress up your real job and makes sure they understand you work for them on specific, agreed-upon tasks only. After the work is done make sure they sign off on it and send them an invoice. Save all the emails.

nitrogen
May 21, 2004

Oh, what's a 217°C difference between friends?
Got a new lenovo T430 laptop.

I put Fedora 19 on it.

It seems that every windowmanager except for Cinnamon has really poor graphics performance, like an old OLD OLD windows 3.1 box with no 2d or 3d acceleration. Any window I move gets "jagged" and so does any video.

UNLESS i use Cinnamon.

I'm not sure what kind of thing i'm missing, because i'm a dummy when it comes to X.

more like dICK
Feb 15, 2010

This is inevitable.
Is there a best practices guide for securing linux (CentOS in this case) servers? Right now I've got a VPS with some basics set up. fail2ban, iptables drops null/xmas packets and lock down the ports I'm not using, ssh password authentication disabled etc. It would be nice to know if I'm missing some really obvious things.

evol262
Nov 30, 2010
#!/usr/bin/perl

more like dICK posted:

Is there a best practices guide for securing linux (CentOS in this case) servers? Right now I've got a VPS with some basics set up. fail2ban, iptables drops null/xmas packets and lock down the ports I'm not using, ssh password authentication disabled etc. It would be nice to know if I'm missing some really obvious things.
If you really care, you should read this.

We don't enable every service under the sun anymore, so most of your IPtables "lock down the ports I'm not using" rules are doing essentially nothing. Linux is basically "secure" out of box on a default installation of Debian, CentOS, or whatever. It's a waste of time to go "harden" it by setting up port knocking, fail2ban, and other "make sure people can't brute force my SSH password!" services as long as you're using keybased auth or have a strong password. It's extremely likely that you'll get compromised through whatever services you are running (whatever those happen to be -- Wordpress exploit, etc), so worry about hardening those.

nitrogen posted:

Got a new lenovo T430 laptop.

I put Fedora 19 on it.

It seems that every windowmanager except for Cinnamon has really poor graphics performance, like an old OLD OLD windows 3.1 box with no 2d or 3d acceleration. Any window I move gets "jagged" and so does any video.

UNLESS i use Cinnamon.

I'm not sure what kind of thing i'm missing, because i'm a dummy when it comes to X.

Do you actually have accelerated graphics on it? Because it doesn't sound like it. glxinfo |grep Direct

more like dICK
Feb 15, 2010

This is inevitable.

evol262 posted:

If you really care, you should read this.

We don't enable every service under the sun anymore, so most of your IPtables "lock down the ports I'm not using" rules are doing essentially nothing. Linux is basically "secure" out of box on a default installation of Debian, CentOS, or whatever. It's a waste of time to go "harden" it by setting up port knocking, fail2ban, and other "make sure people can't brute force my SSH password!" services as long as you're using keybased auth or have a strong password. It's extremely likely that you'll get compromised through whatever services you are running (whatever those happen to be -- Wordpress exploit, etc), so worry about hardening those.

Thanks, that makes sense. I'm more comfortable and experienced with the application side of things, not the OS :shobon:

nem
Jan 4, 2003

panel.dev
apnscp: cPanel evolved

evol262 posted:

If you really care, you should read this.

We don't enable every service under the sun anymore, so most of your IPtables "lock down the ports I'm not using" rules are doing essentially nothing. Linux is basically "secure" out of box on a default installation of Debian, CentOS, or whatever. It's a waste of time to go "harden" it by setting up port knocking, fail2ban, and other "make sure people can't brute force my SSH password!" services as long as you're using keybased auth or have a strong password. It's extremely likely that you'll get compromised through whatever services you are running (whatever those happen to be -- Wordpress exploit, etc), so worry about hardening those.

This is very much true. Although, fail2ban does do DoS mitigation that can arise from brute-forcing. We have a rule in production to block an IP for x minutes if y failures occur during a given interval. Before this, it wasn't uncommon for Dovecot login processes to swell and max out while some attacker enumerated over every username A-Z. Same idea for SASL authentication via SMTP with Postfix.

A similar practice is used for MySQL and iptables, since it's been the target of a brute-force in production. Use rate limiting to restrict the number of remote MySQL connections. This only works though, because the majority of MySQL traffic originates on the same server as the MySQL server itself. Remote access is provided as a convenience.

Important thing is to follow guidelines with some discretion. Know why you're doing it in addition to what you're doing.
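
nem's rule, y failures within an interval bans the source for x minutes, as an added example for this thread (not fail2ban's code and not nem's production rule): a sliding-window counter over Dovecot imap-login failure lines that emits the ban decisions and the matching iptables commands. The log lines are constructed for the demo with documentation addresses, the thresholds are arguments, and a year is supplied because syslog timestamps carry none.

```python
"""Sliding-window ban decisions from Dovecot auth-failure log lines.

Added example for this thread, not fail2ban's code or nem's production rule:
max_failures from one IP inside window_seconds bans it for ban_seconds.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Dovecot imap/pop3-login failure line; rip= is the remote IP.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: \S+-login: "
    r"Disconnected \(auth failed.*?rip=(?P<ip>[0-9a-fA-F.:]+)")

# Constructed sample log (documentation addresses), not a real capture.
SAMPLE_LOG = """\
Dec  5 10:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.2
Dec  5 10:00:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.2
Dec  5 10:00:15 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.5, lip=203.0.113.2
Dec  5 10:00:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.2
Dec  5 10:00:25 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.2
Dec  5 10:05:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<eve>, method=PLAIN, rip=203.0.113.5, lip=203.0.113.2
Dec  5 10:30:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<frank>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.2
Dec  5 10:30:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<grace>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.2
Dec  5 10:30:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<heidi>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.2
"""


def parse_failure(line, year=2013):
    """(timestamp, ip) for an auth-failure line, else None.
    Syslog stamps carry no year, so the caller supplies the log's year."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def ban_decisions(lines, max_failures=5, window_seconds=600, ban_seconds=900, year=2013):
    """Replay lines in order; return [(ip, ban_start), ...].

    A ban fires on the max_failures-th failure inside the window. Failures
    during an active ban are ignored (the firewall is dropping that IP), and
    the window starts fresh when the ban expires.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned_until = {}             # ip -> expiry
    bans = []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned_until:
            if ts < banned_until[ip]:
                continue
            del banned_until[ip]
            recent[ip].clear()
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=ban_seconds)
            window.clear()
    return bans


def iptables_commands(bans):
    """One DROP rule per ban; pair it with a job that removes the rule on expiry."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip, _ in bans]


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    bans = ban_decisions(lines, max_failures=3, window_seconds=120, ban_seconds=900)
    for (ip, ts), cmd in zip(bans, iptables_commands(bans)):
        print("%s ban %s: %s" % (ts.isoformat(), ip, cmd))
```

On the sample, three failures in two minutes bans 198.51.100.7 at 10:00:20, the fourth failure at 10:00:25 is ignored because the ban is active, the single failure from 203.0.113.5 never reaches the threshold, and the burst at 10:30 earns a second ban once the first has expired. The regex is the part to adapt for Postfix SASL or MySQL; the window logic stays the same.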
