Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!
I want to write a small script that will send a simple email to me when run. For the email account I use FastMail and was just going to create an app password for it.

Is there a safe way that I could save the password to an encrypted file or something, and unlock it the same way I use ssh-agent to unlock my ssh keys?

minato
Jun 7, 2004

cutty cain't hang, say 7-up.
Taco Defender
You might want to look into something like Hashicorp's Vault, which is tailor made for storing secrets required by apps.

Alternatively, gpg-agent can also manage access to private keys (and in fact can be used as a replacement for ssh-agent), but I don't believe it's got a great API.

G-Prime
Apr 30, 2003

Baby, when it's love,
if it's not rough it isn't fun.
GNOME Keyring's got a CLI interface called secret-tool, that might work for you.

Edit: Now that I'm looking at this again, I'm assuming you're meaning something you're going to run as a non-interactive service. I was previously assuming a script you run while logged in as your local user. At the end of the day, any secret storage mechanism is going to require you to authenticate in some manner to retrieve the key, which means you have to have either implicit trust in the form of the credential living on the box, or some sort of behavioral mechanism that grants you access to the secret (EC2 instance profile granting access to a KMS key, for example). If you're wanting to store the secret on the box itself, and have it run automatically, you're best off running the script as your user, with the cred stored in a read-only file that only your user has access to. Somebody with a stronger security background feel free to correct this info, security is one of my minor roles in my day job and I'm definitely not an expert.

G-Prime fucked around with this message at 00:51 on Mar 14, 2018
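As an added example (not code from the thread or from any of the posters), here is the "read-only file that only your user can access" approach from the post above, written as a cron-safe notification script. It assumes a FastMail app password kept in a netrc file (path, hostname and address are placeholders) and hands the credential to curl with --netrc-file rather than on the command line, because command-line arguments are visible to every local user in ps. Before reading the file it verifies ownership and that group/other have no permission bits, so a stray chmod on a shared box does not silently turn the secret into a world-readable file.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps the app password in a file only
# the running user can read and lets curl pick it up from a netrc file.
# Hostname, address and paths are assumptions; adjust for your account.

NETRC="${NETRC:-$HOME/.config/notify-mail/netrc}"      # assumption; one line:
#   machine smtp.fastmail.com login you@fastmail.com password <app password>
SMTP_URL="${SMTP_URL:-smtps://smtp.fastmail.com:465}"   # assumption: implicit TLS
MAIL_TO="${MAIL_TO:-you@fastmail.com}"                  # assumption

# The credential file must exist, belong to the invoking user and grant
# nothing to group or other (ls column 5-10 is the group+other permission set).
secret_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(ls -ld "$f" | awk '{print $3}')" = "$(id -un)" ] || return 1
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]
}

# Emit a minimal RFC 5322 message (CRLF line endings) on stdout.
# $1 = subject, $2 = body
build_message() {
    printf 'From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s\r\n' "$MAIL_TO" "$MAIL_TO" "$1" "$2"
}

# Refuse to run at all if the secret file is exposed; otherwise submit the
# message. curl reads the password for the matching host from the netrc file,
# so it never appears in the process list.
send_notification() {
    subject=$1
    body=$2
    secret_file_ok "$NETRC" || {
        echo "refusing: $NETRC must be owned by $(id -un) with mode 0600" >&2
        return 2
    }
    build_message "$subject" "$body" | curl --silent --show-error \
        --url "$SMTP_URL" --netrc-file "$NETRC" \
        --mail-from "$MAIL_TO" --mail-rcpt "$MAIL_TO" --upload-file -
}

# Only send when invoked as: ./notify.sh send "subject" "body"
# Sourcing the file just defines the functions.
[ "${1:-}" = "send" ] && send_notification "${2:-script finished}" "${3:-}"
```

Create the netrc file with `umask 077` before writing it so it starts out as 0600, and run the script from your own crontab so it executes as the same user that owns the file. On an interactive desktop session the same `send_notification` function could instead obtain the password from `secret-tool lookup`, but that needs an unlocked keyring, which an unattended job will not have.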

SurgicalOntologist
Jun 17, 2004

My former university implemented a stricter firewall policy with regards to SSH. I have a server there and I can no longer access it directly, but rather have to SSH to a gateway server, then SSH again from there (or, you can use VPN through Pulse Secure Client which is a PITA). This is annoying for several reasons, mainly two. I was using the server to host web services (e.g. to share interactive data visualizations with colleagues) and that's no longer possible. Second, the gateway makes it harder to use several SSH features. For example I was using private-key authentication and the gateway has no permanent storage. It's easy enough to switch to password auth, which should be fine since the server is no longer exposed. But what about stuff like SSH tunneling, which I do use every now and then?

What I am wondering is if there's a way to configure a SSH host to use two-jumps, as in first connect to host1, then to host2, and have the SSH client deal with the complications this brings to auth and tunneling?

Truga
May 4, 2014
Lipstick Apathy
You can chain any amount of ssh tunnels, and they'll work just fine.

i.e. ssh -L 12345:localhost:12345 gateway 'ssh -L 12345:anything:12345 server' will work just fine when you then connect to localhost:12345

Also, you can use ssh -A to forward your ssh agent to the gateway, though that does mean the person who has root on the gateway can use your agent while you're connected which can be problematic unless you have it set so it asks you to confirm every login attempt or trust said root person completely.

G-Prime
Apr 30, 2003

Baby, when it's love,
if it's not rough it isn't fun.
You can also use the -J arg (on newer versions, I think 7.3+) or the ProxyJump directive in your config file to just do it transparently. It'll forward your private key automatically down the chain.
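As an added example (not from the thread or any poster), here is a ~/.ssh/config for the two-hop setup asked about above, using the ProxyJump directive mentioned in this reply. Host names, user name and the tunnel port are placeholders. ProxyJump does not copy or forward the private key: the client opens a session on the gateway and tunnels the second connection through the gateway's stdio, so key authentication to the final server runs end to end from the client and the gateway never needs access to the agent. That makes it a better fit for a gateway with no permanent storage than -A, whose exposure of the agent to the gateway's root user the previous reply describes.

```sshconfig
# Added example, not from the thread. Names and ports are placeholders.
Host gateway
    HostName gateway.example.edu
    User alice
    IdentityFile ~/.ssh/id_ed25519

# "ssh server" now goes through gateway transparently (OpenSSH 7.3+).
# The key stays on the client; nothing needs to be stored on the gateway
# and the agent does not have to be forwarded there.
Host server
    HostName server.internal.example.edu
    User alice
    ProxyJump gateway
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent no
    # Same effect as the chained "ssh -L ... gateway 'ssh -L ...'" example
    # above, configured once: local port 12345 -> anything:12345 as seen
    # from server.
    LocalForward 12345 anything:12345
```

On the command line the equivalent is `ssh -J gateway server`, and any extra `-L`/`-R`/`-D` options given to that command apply to the final hop just as they would for a direct connection.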

post hole digger
Mar 21, 2011

Is Spacewalk still relevant as a package management system? We run a pretty... dated... software management and distribution system for cent7 and I'm seeing how to best replace it. Our main goal is to have all of our systems running the same versions of software. We don't do any fancy containerization yet and use cobbler for provisioning. Is building an internal repo still something people do? I've also seen Foreman but it seems... sprawling and we'd really only need the package/repo management part of it for now. Is there a newer open source project based on Satellite? Pulp also looks interesting. I guess I'm just looking for ideas or suggestions as to what other people are doing for this.

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.

my bitter bi rival posted:

Is Spacewalk still relevant as a package management system? We run a pretty... dated... software management and distribution system for cent7 and I'm seeing how to best replace it. Our main goal is to have all of our systems running the same versions of software. We don't do any fancy containerization yet and use cobbler for provisioning. Is building an internal repo still something people do? I've also seen Foreman but it seems... sprawling and we'd really only need the package/repo management part of it for now. Is there a newer open source project based on Satellite? Pulp also looks interesting. I guess I'm just looking for ideas or suggestions as to what other people are doing for this.
Not really. RHEL threw out the whole product and Satellite 6 has been based on Pulp, Katello, and a bunch of other stuff.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


Vulture Culture posted:

Not really. RHEL threw out the whole product and Satellite 6 has been based on Pulp, Katello, and a bunch of other stuff.

Really? I thought spacewalk was still upstream.


E: sure enough. https://spacewalkproject.github.io/faq.html. Didn’t 6 just come out too?

xzzy
Mar 5, 2009

We've reviewed Spacewalk every couple years for about 6 years now and keep not migrating to it because it's such a monolithic monster. It's also a constant support headache, another department has been using it and while it does the job they need it to do, they've pretty much always got a support ticket open with redhat for some reason or another.

Our homebrew kickstart + puppet + mirrored yum repos do everything we need for lifecycle management and each piece functions independently so if one breaks, the component that needs repair is obvious.

To be fair, we only have 3000 systems and maybe 25 different configurations. If we were a "real" enterprise environment with zillions of snowflakes or departments to support I think Spacewalk would be a lot more attractive, even with the headaches.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


xzzy posted:

We've reviewed Spacewalk every couple years for about 6 years now and keep not migrating to it because it's such a monolithic monster. It's also a constant support headache, another department has been using it and while it does the job they need it to do, they've pretty much always got a support ticket open with redhat for some reason or another.

Our homebrew kickstart + puppet + mirrored yum repos do everything we need for lifecycle management and each piece functions independently so if one breaks, the component that needs repair is obvious.

To be fair, we only have 3000 systems and maybe 25 different configurations. If we were a "real" enterprise environment with zillions of snowflakes or departments to support I think Spacewalk would be a lot more attractive, even with the headaches.

I ran Rackspace kickstart built off mrepo and kickstart and it worked for 6 years. Horrible Perl postinstall but no one wanted to change it. I at least rewrote the unsupported os into python. Use whatever you want.

xzzy
Mar 5, 2009

My dhcp server is perl. Tftpd came later and is python. :v:

I wrote it around 2005, it keeps on being useful and nothing we've evaluated has been kickass enough to convince us to move on.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


xzzy posted:

My dhcp server is perl. Tftpd came later and is python. :v:

I wrote it around 2005, it keeps on being useful and nothing we've evaluated has been kickass enough to convince us to move on.

I wrote mine in python too. It’s probably still running in rack for the cloud installer. Citrix is god awful.

SurgicalOntologist
Jun 17, 2004

Many thanks, I was not aware of the -J and -A options. Those should make my life much easier. Hopefully they didn't gimp the gateway too much...I'll be testing it out on Monday.

evol262
Nov 30, 2010
#!/usr/bin/perl

jaegerx posted:

Really? I thought spacewalk was still upstream.


E: sure enough. https://spacewalkproject.github.io/faq.html. Didn’t 6 just come out too?

Satellite 6 is Candlepin (entitlements), Pulp (repo management), and Foreman+Katello (provisioning) wedged together.

I'm not gonna lie -- I never liked Satellite. For a very small set of environments where you want QE to be able to bless a package and have it automatically make it into a deployment set, and you need to be able to make entire systems/system groups match a complete set of package NVRs exactly, but you can't use config management because reasons, Satellite is great.

Also, if you want to attach a bunch of servers behind an incredibly restrictive firewall to RHN and ensure they have access to channels (with feed-forward reporting of entitlement usage) without mirroring them into mrepo, it's probably great.

Most of the value in Satellite comes in the fact that Satellite already knows how to perform the 35 different procedures necessary to do a full green field deployment of Red Hat's product suite, and you can just point it at an environment. Then you can say: "Gimme 2 Cloudforms servers, 30 RHEV, 100 Openshift, 200 RHEL OSP, then spin up 1000 RHEL VMs on top of those" instead of munging your own deployment scripts/manifests/images/whatever. And a lot of RH customers want that.

For a "I already manage my environment, I just want to do it better", Foreman is actually pretty great standalone, though.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe
whatever happened to CloudForms 1.0 or Satellite 6.0 it was called like Areola Project or something

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.

Suspicious Dish posted:

it was called like Areola Project or something
If only

Viktor
Nov 12, 2005

Satellite is a mess. I’ve had it in production since 6.0 and would say stay away from it.

For deployment if it works for you you're lucky; there's zero flow control or room to add custom orchestration. So sure you can stamp out a host but good luck trying the next 10 inside the framework. Also things such as network and DNS providers have a serious lack of integration. You will want CloudForms to do that but it's another SKU.

The in-box CM Puppet is so neglected it is comically out of date. I'm kind of unsettled what to do next as we have a nice workflow now for Puppet but the product seems to be phasing it out. If you go with Ansible technically it requires Tower, yet another SKU for integration.

We've had a lot of issues with content/pulp failing and wiping out repos. Btw content view releases are simply symlinks to the real rpm. So if something happens to the base rpm (say interrupted download) you can end up affecting all your views, published or not. We automatically provision a bunch of hosts daily then destroy them to smoke out Satellite issues.

A lot of issues we’ve had were related to activation keys. 6.1 went hardcore on licensing and caused a ton of issues, say virt-who couldn’t update before kickstart would finish so the box wouldn’t get Rhel entitlements. Grace licenses have been getting better and only recently on 6.2 has it been upped to 7days. But it was really rough to deal with.

Upgrades of the product have been nightmarish and it seems from /r/redhat 6.3 is another gong show.

We’ve moved from using satellite/kickstart for deployments to rhel templates/os customization and using VMware vrealize.

xzzy
Mar 5, 2009

Are there any known problems we'd be opening ourselves up to by disabling NetworkManager on rhel7 systems?

I'm inclined to just let it sit and learn to use it but people around me are concerned that it messes with configs and would rather kill it off. But it was supposed to be a big important dependency in rhel7 and am unsure how true that actually is.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

xzzy posted:

Are there any known problems we'd be opening ourselves up to by disabling NetworkManager on rhel7 systems?

I'm inclined to just let it sit and learn to use it but people around me are concerned that it messes with configs and would rather kill it off. But it was supposed to be a big important dependency in rhel7 and am unsure how true that actually is.
You'll have to configure DHCP separately, and there are some services that wait for NetworkManager to declare that the network is ready. The good thing is that once you've gotten rid of NetworkManager you can remove all the wifi driver/firmware packages.

Wicaeed
Feb 8, 2005
How do people normally deal with renewing kerberos tickets for systems that don't have a user to enter a username/password?

I'm mounting a Windows domain SMB share using krb5 authentication, and I can see that the ticket expires 10 hours after I created it, and can be renewed for up to 7 days.

After the 10 hours is up the share no longer works and I have to remount it (which renews the ticket), but after the 7 days is up the tkt is completely expired and I have to reprompt a username/password to get a new one.

xzzy
Mar 5, 2009

anthonypants posted:

You'll have to configure DHCP separately, and there are some services that wait for NetworkManager to declare that the network is ready. The good thing is that once you've gotten rid of NetworkManager you can remove all the wifi driver/firmware packages.

I looked into that and it looks like network-online.target is smart enough to keep on trucking even if the NetworkManager rpm has been removed.

I made a brief attempt to track down exactly what process that target uses to determine network status but quickly lost interest when I ended up floundering through the systemd documentation.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
I can't remember the specific circumstances but all I can remember is that NetworkManager-wait-online.service did a better job of ensuring that the network was actually up and usable than network-online.target, and I didn't want to spend any time on it so I just reinstalled NM. Like iirc network-online.target would say that the network was up, but the server either didn't have an IP address, or some interfaces weren't fully up, or they were waiting to receive a DHCP lease, and services that required networking would fail because of that.

anthonypants fucked around with this message at 19:20 on Mar 21, 2018

Mr Shiny Pants
Nov 12, 2012
Hibernation seems to be broken in 4.13, which throws a monkeywrench in my plans to use Linux some more.

So I am thinking of compiling a newer kernel, I already compiled a newer kernel with ThreadRipper patches which is based on 4.13. How can I use apt source to get it to download a higher Linux version than the one installed?

I got the patches working after some trial and error using apt source, so I'd like to continue using that.

ultrabay2000
Jan 1, 2010


I have one of those new-fangled 4k laptops that I run linux on.

This is great except when I plug it into monitors that are a more sane resolution (i.e., 2x 1080p, 2x 1440p) and the DPI settings need to be completely different and this seems to involve changing a billion settings and restarting the laptop.

I'm fine with having one DPI set at a time - i.e., I don't need three monitors (laptop + 2 desktop monitors) but I do need it to reliably switch DPIs. Best case is without restarting my session. Based on people's experiences what have been the best distributions for this use case?

xzzy
Mar 5, 2009

Even on Windows you still end up with issues when changing from 4k to HD. Needing a full reboot isn't common but it's not unheard of. App restarts are a reality you gotta get used to. Logging out and back in is more of a fringe situation.

Point being, linux also not being great at it is not a surprise to me. It's just one of those things where the software hasn't caught up quite yet and it's gonna be pain for a while longer.

Volguus
Mar 3, 2009

ultrabay2000 posted:

I have one of those new-fangled 4k laptops that I run linux on.

This is great except when I plug it into monitors that are a more sane resolution (i.e., 2x 1080p, 2x 1440p) and the DPI settings need to be completely different and this seems to involve changing a billion settings and restarting the laptop.

I'm fine with having one DPI set at a time - i.e., I don't need three monitors (laptop + 2 desktop monitors) but I do need it to reliably switch DPIs. Best case is without restarting my session. Based on people's experiences what have been the best distributions for this use case?

Since all distributions are pretty much the same thing barring a few configuration changes and program versions, all I can say is the program that you should be using to get the desired DPI settings: xrandr.
For more information on how to use it and what it can do, see here: https://wiki.archlinux.org/index.php/HiDPI#Multiple_displays .

ultrabay2000
Jan 1, 2010


app restarts are fine but right now I'm using Kubuntu 16.04 HWE and it doesn't play real friendly with DPI changes without rebooting. It's probably something hacked about my setup.

e: I might need to rethink how I change the config. Right now I change the DPI in a few different files but I don't call xrandr, maybe I should do that.

Horse Clocks
Dec 14, 2004


ultrabay2000 posted:

I have one of those new-fangled 4k laptops that I run linux on.

This is great except when I plug it into monitors that are a more sane resolution (i.e., 2x 1080p, 2x 1440p) and the DPI settings need to be completely different and this seems to involve changing a billion settings and restarting the laptop.

I'm fine with having one DPI set at a time - i.e., I don't need three monitors (laptop + 2 desktop monitors) but I do need it to reliably switch DPIs. Best case is without restarting my session. Based on people's experiences what have been the best distributions for this use case?

I read a thing that gnome/mutter is getting support for dpi-per-display.

I wouldn’t be surprised if it takes 4 years for it to actually work tho.

evol262
Nov 30, 2010
#!/usr/bin/perl

Wicaeed posted:

How do people normally deal with renewing kerberos tickets for systems that don't have a user to enter a username/password?

I'm mounting a Windows domain SMB share using krb5 authentication, and I can see that the ticket expires 10 hours after I created it, and can be renewed for up to 7 days.

After the 10 hours is up the share no longer works and I have to remount it (which renews the ticket), but after the 7 days is up the tkt is completely expired and I have to reprompt a username/password to get a new one.

Service principals

xzzy posted:

I looked into that and it looks like network-online.target is smart enough to keep on trucking even if the NetworkManager rpm has been removed.

I made a brief attempt to track down exactly what process that target uses to determine network status but quickly lost interest when I ended up floundering through the systemd documentation.

network-online.target is just NetworkManager-wait-online.service, systemd-networkd, and systemd-resolved (if those are enabled)
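The one-line answer above ("service principals") in working form, as an added example that is not from the thread or any poster: an unattended host gets its own principal and keytab, and a cron job or systemd timer runs this script as the user whose credential cache the cifs mount uses. Each run first tries to renew the existing TGT (extending it within the 7-day renewable window the question describes) and, when renewal is no longer possible, obtains a fresh ticket from the keytab instead of prompting anyone for a password. Keytab path and principal name are placeholders, and the kinit option syntax is MIT Kerberos. Because a keytab is equivalent to the principal's password, the script refuses to use one that other users can read.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps a Kerberos TGT alive for an
# unattended host using a service principal's keytab (MIT kinit syntax).
# Paths and principal are assumptions; run hourly from cron or a timer as the
# same user whose cache the cifs mount reads (see cruid= in mount.cifs).

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"                          # assumption
PRINCIPAL="${PRINCIPAL:-host/box.example.com@EXAMPLE.COM}"    # assumption
KINIT="${KINIT:-kinit}"   # overridable so the decision logic can be tested without a KDC

# A keytab readable by group/other is a leaked credential: refuse to use it.
# (ls columns 5-10 are the group+other permission bits.)
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Keep the cache populated. Prints which path was taken so a timer log shows
# whether plain renewals suffice or the 7-day window keeps being exceeded:
#   "renewed" - existing TGT renewed in place (kinit -R)
#   "reinit"  - renewal impossible (no ticket, or past renew-until);
#               a new TGT was obtained from the keytab
refresh_tgt() {
    keytab_is_private "$KEYTAB" || {
        echo "refusing: $KEYTAB must be mode 0600" >&2
        return 2
    }
    if "$KINIT" -R 2>/dev/null; then
        echo renewed
        return 0
    fi
    if "$KINIT" -kt "$KEYTAB" "$PRINCIPAL"; then
        echo reinit
        return 0
    fi
    echo "could not obtain a ticket for $PRINCIPAL" >&2
    return 1
}

# Only act when invoked as: ./krb-refresh.sh run
# Sourcing the file just defines the functions.
[ "${1:-}" = "run" ] && refresh_tgt
```

Renewing every hour rather than only after expiry matters here: the question's failure mode is the share breaking once the 10-hour lifetime ends, and a renewal issued while the ticket is still valid pushes that deadline out before it is reached. Scheduling the job at an interval well under the ticket lifetime keeps the mount working without any remount.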

freeasinbeer
Mar 26, 2015

by Fluffdaddy
FWIW I like the packer to build new base images and then using terraform to replace things model.


That's hard on prem, but if you can replicate it I think it's better than the satellite/foreman world.

xgalaxy
Jan 27, 2004
i write code

Volguus posted:

KDE's quite good. After gnome 3 reared its ugly head into the world (10 years ago it was? time flies), KDE became my main DE and although there were a couple of bumps in the road, overall it is a much better experience. The KDE that Fedora packages has a couple of very minor improvements that I personally really like (for example "Konsole" item in the desktop right-click popup menu), that for some reason never got upstream.

I really want to like KDE but they have some weird annoying issues / bugs:
- windows not saving size/position and appearing in random spots on the monitor (often times in the upper right corner of the screen)
- mouse cursor theming 'breaking' (I don't run any gnome apps so its not that)
- glitchy compositor effects
- overall the spread of settings and options everywhere is a bit annoying and sometimes unintuitive with some options only being active when other options are active but that linkage isn't spelled out anywhere

I really want to like KDE too because I think Qt is the better framework between (Qt and Gtk). I think Gtk is full of spaghetti code, hacks, and amateur hour bullshit.

xgalaxy fucked around with this message at 21:45 on Mar 26, 2018

evol262
Nov 30, 2010
#!/usr/bin/perl

freeasinbeer posted:

FWIW I like the packer to build new base images and then using terraform to replace things model.


That's hard on prem, but if you can replicate it I think it's better than the satellite/foreman world.

It's honestly not hard on-prem, but there's pretty much no reason to do it given that Foreman already ties into puppet/chef/ansible and preseed/jumpstart/kickstart.

If you have a hybrid infrastructure, then sure, why not? But Foreman is intended for both deployment and lifecycle management, not "nuke from orbit and deploy new image from terraform".

Foreman isn't Cobbler. It can do what Cobbler does, sure, but Foreman is intended as:

quote:

Hey, I have these Puppet/Chef/Ansible manifests/recipes/playbooks, and I have some existing infrastructure or I don't wanna fiddle with poo poo. Let me log in and add existing servers so I can check them from here (instead of Tower or Puppet Enterprise or whatever). Plus, let me deploy new servers, over PXE, Openstack, RHV, Vmware, whatever. When I deploy a server, I want it to handle DHCP reservations, DNS, and RDNS for me. Then build it, add it to a server group (which uses the appropriate config management), and let me monitor it, so I can change the config or completely redeploy it with the click of a button.

This is also not what Terraform does. If you don't need it to do all of these things, or you're really particular about tooling and you want to do this stuff yourself, run with it. But "I use Packer+Terraform instead of Foreman" is like "I use containers instead of AWS". They're in the same ballpark, but they're not the same thing.

E: to be clear, I'm not a huge proponent of this. Never once have I seen a business redeploy on existing hardware, and I'd never want to rely on an all-in-one tool to monitor config management, but this is the use case

evol262 fucked around with this message at 22:03 on Mar 26, 2018

Wicaeed
Feb 8, 2005
What would you guys suggest between GitLab EE and GitHub Enterprise?

Right now our decision is hinging on how many people would use it initially, and GitHub Enterprise's 10-user minimum entry point is the largest hurdle we're facing right now, but I feel it's probably easier to manage GitHub Enterprise since it's an all-in-one OVA.

G-Prime
Apr 30, 2003

Baby, when it's love,
if it's not rough it isn't fun.
Having managed Gitlab EE for the last 18 months, and watched another team struggle with Github Enterprise, I would hands down pick Gitlab every time. Have had very few issues with it, upgrades are fast and very smooth, and management of it is relatively hands-off.

porkface
Dec 29, 2000

Wicaeed posted:

What would you guys suggest between GitLab EE and GitHub Enterprise?

Right now our decision is hinging on how many people would use it initially, and GitHub Enterprise's 10-user minimum entry point is the largest hurdle we're facing right now, but I feel it's probably easier to manage GitHub Enterprise since it's an all-in-one OVA.

What are your requirements?

Do you want fully integrated CI runners, with results piped back into your merge requests/issues for discussion?

Will you be building containers and need a registry?

Do you want an integrated Issue tracker, or near native integration with Jira?

GitLab Omnibus is not an OVA, but it's pretty easy to maintain and upgrade.

Viktor
Nov 12, 2005

GitLab's cloud native charts and 10.6 auto deploy of CI runners to kube is pretty fantastic.

Have had zero problems running a 300 user instance out of the official container.

https://docs.gitlab.com/omnibus/docker/

CaptainSarcastic
Jul 6, 2013



xgalaxy posted:

I really want to like KDE but they have some weird annoying issues / bugs:
- windows not saving size/position and appearing in random spots on the monitor (often times in the upper right corner of the screen)
- mouse cursor theming 'breaking' (I don't run any gnome apps so its not that)
- glitchy compositor effects
- overall the spread of settings and options everywhere is a bit annoying and sometimes unintuitive with some options only being active when other options are active but that linkage isn't spelled out anywhere

I really want to like KDE too because I think Qt is the better framework between (Qt and Gtk). I think Gtk is full of spaghetti code, hacks, and amateur hour bullshit.

A lot of that sounds like something weird with your video drivers or something. I run KDE daily and the display and compositing is pretty much flawless. I'm running the Nvidia proprietary drivers installed through openSUSE repos, and my KDE install is likewise standard from the repos.

Wicaeed
Feb 8, 2005

porkface posted:

What are your requirements?

Do you want fully integrated CI runners, with results piped back into your merge requests/issues for discussion?

Will you be building containers and need a registry?

Do you want an integrated Issue tracker, or near native integration with Jira?

GitLab Omnibus is not an OVA, but it's pretty easy to maintain and upgrade.

Honestly we don't need much, really just basic version control, merging, etc. I may have a use case in the future for CI runners, but I don't need them now.

We use JIRA for issue tracking, but from what I've seen GitLab can interface with that fairly easily.

We do use containers, but we use Docker Trusted Registry for image hosting.

Alpha Mayo
Jan 15, 2007
hi how are you?
there was this racist piece of shit in your av so I fixed it
you're welcome
pay it forward~

CaptainSarcastic posted:

A lot of that sounds like something weird with your video drivers or something. I run KDE daily and the display and compositing is pretty much flawless. I'm running the Nvidia proprietary drivers installed through openSUSE repos, and my KDE install is likewise standard from the repos.

I have glitchy KDE problems too (nvidia proprietary drivers). The clock will sometimes stop updating, or the icons in the Taskbar stop working. I switched to cinnamon because of the problems.

It's probably my X.org, I generated the conf with nvidia-config and enabled coolbits so that I can use fan control and power limits for Folding@Home.

Also something really strange is if I hook up my monitor to my Intel iGPU and run FAH on the nvidia card (no cpu folding), my 2D performance still takes a nosedive (Firefox becomes unusable, random input delays when typing).

I think something is just hosed with my X.org
