Consolidated Business & Enterprise Computing Rant Thread

Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.

  1. samus

    samus Member

    Joined:
    Jun 3, 2002
    Messages:
    1,138
    Location:
    Baulkham Hills, Sydney.
    Why not both!?

     
  2. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,400
    Location:
    qld.au
    Neckbeards are looking for any excuse to blast systemd, but very few even comprehend the issue.

    This is an ASLR brute force attack, which means that for the 70 minute exploit to work you need to be continually crashing journald for 70 minutes. Here's a bit of a primer on ASLR brute force: https://hacked0x90.wordpress.com/2016/10/30/bypassing-aslr-protection-using-brute-force/

    And if you're interested in some of the more modern attacks: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

    The issue isn't unique to journald either, as per the link above:

    Of course, if compiled with a modern GCC with the right flags, there's complete mitigation against the stack clashes, which is why all browsers are safe and packages handled by Fedora / OpenSUSE weren't affected.

    But again, it's a really shit reason to hate systemd, especially if you don't comprehend how complex the trigger is.

    And you'll be thankful for that with the increase in complexity of networks these days. Again, neckbeards get all upset how Linux "used to be", but they never dealt with bonding, vlans and vxlans. Once you've implemented both the old way and trivially via nm-cli etc, you'll love how much easier the new tools are.
     
    PabloEscobar likes this.
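
    The post above notes that the brute force only works while journald is being crashed continually for the whole run. As an added example (not part of the original post or of any project's code), this sketch flags that kind of crash loop from systemd's "Main process exited" messages; the timestamp layout, host name, window and threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# systemd's report that a unit's main process died on a signal.
CRASH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ systemd\[1\]: (?P<unit>\S+\.service): "
    r"Main process exited, code=(?:killed|dumped), status=\d+/[A-Z]+"
)

def find_crash_loops(lines, unit="systemd-journald.service",
                     window=timedelta(minutes=10), threshold=5):
    """Return [start, end, count] for each run of crashes that reaches
    `threshold` crashes of `unit` inside a sliding `window` (assumed values)."""
    recent, bursts = deque(), []
    for line in lines:
        m = CRASH_RE.match(line)
        if not m or m.group("unit") != unit:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        recent.append(ts)
        while ts - recent[0] > window:      # drop crashes older than the window
            recent.popleft()
        if len(recent) < threshold:
            continue
        if bursts and bursts[-1][1] >= recent[0]:
            bursts[-1][1] = ts              # same burst is still going
            bursts[-1][2] += 1
        else:
            bursts.append([recent[0], ts, len(recent)])
    return bursts

def sample_log():
    """Constructed input: one stray crash, one unrelated unit, then a crash loop."""
    fmt = "{} host1 systemd[1]: {}: Main process exited, code=killed, status=11/SEGV"
    t0 = datetime(2019, 1, 10, 9, 0, 0)
    lines = [fmt.format("2019-01-10T03:00:00", "systemd-journald.service"),
             fmt.format("2019-01-10T08:59:00", "cups.service")]
    lines += [fmt.format((t0 + timedelta(seconds=30 * i)).isoformat(),
                         "systemd-journald.service") for i in range(140)]
    return lines

if __name__ == "__main__":
    for start, end, count in find_crash_loops(sample_log()):
        print(f"{count} journald crashes between {start} and {end}")
```

    A single stray crash stays below the threshold, so only the sustained loop is reported as one burst.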
  3. dave_dave_dave

    dave_dave_dave Member

    Joined:
    Mar 17, 2004
    Messages:
    2,824
    Location:
    Gold Coast
    "I can't log into my google"

    I can't help you with your personal gmail account.
     
  4. OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    34,636
    Location:
    Brisbane
    I did both old and new methods. Neither interest me as I configure everything with Puppet anyway. It is a little annoying that sometimes I have to build a dummy box, nmcli things and copy a config file template because the man pages are so shit they don't give you the exact things needed to make stuff work. But doing it once in the life of a distro release isn't the worst thing in the world.

    Less so than systemd annoying me, what really shits me is RHEL7 allows both old and new network config methods to live side by side and in conflict. I have no problems with either (in terms of just pick one and get on with life), but it does shit me that you can trivially end up with a system in a non-reboot-safe state because some tool wants to install some other tool as a dependency and you don't realise it.

    If systemd/network-manager is the new world, great, install that in the base and make it default. Don't start installing old world tools silently that break my shit.

    At least none of that is as bad as Netplan, which can't do multiple domain search fed by dhclient (and/or network manager) by default. *That's* proper fucked.
     
  5. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,400
    Location:
    qld.au
    Have you confirmed how Puppet creates the configs? I haven't had any networking conflicts at all with RHEL7 and haven't had issues after a reboot. Just thinking you may have a corner case introduced by external tools.

    My config looks like this:
    Code:
    # Let NetworkManager manage all devices on this system
    network:
      version: 2
      renderer: NetworkManager
    
    Works for me ;)
     
  6. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    1,528
    Oh yeah, I turn to get my lab box into a router with the actual IP on a BVI and doing NAT for the virtual networks only via iptables, was 200% harder than doing it on a 'real' router, despite many 'real' routers just putting a wrapper around a 'nix backend.
    Not sure why network configs in particular are so shit in linux (as in the readability / 'making sense' / ease-to-template factors). I'm guessing that the horror was part of going systemd over sys-v init as well.
    Even Cumulus ran up the white flag and introduced a CLI syntax to convert it to the debian backend transparently.
    Depending upon what exactly it is even using Puppet/Ansible/Chef may be affected by configuration complexity esp. if the configuration method is say jinja2 templating the config file (I am very Ansible-fied so maybe puppet is totally different).
     
  7. OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    34,636
    Location:
    Brisbane
    Do you have multiple search domains fed by DHCP? We do, and it didn't work for us.

    The only fix we could get working was (copy/paste from our Wiki test/rnd notes)


    Code:
    apt-get install -y resolvconf
    systemctl stop systemd-resolved
    systemctl disable systemd-resolved
    systemctl enable resolvconf
    rm /etc/resolv.conf

    Then edit /etc/NetworkManager/NetworkManager.conf and add in the line under section [main]
    Code:
    dns=default
     
  8. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,400
    Location:
    qld.au
    No, we have one local device so there's no requirement for search domains (and our staff can type full names in). All other systems use full DNS names or systems like etcd for DNS discovery.

    What you've described is disabling the resolver within systemd, not netplan anyway. Also shows the myth that systemd is monolithic, ie you can disable parts and replace trivially.
     
  9. OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    34,636
    Location:
    Brisbane
    We use DNS search domains for a lot of discovery stuff, and a lot of puppet stuff. Plus, it's normal, and should work. So there's no excuse for it not working.

    Sure, but it only seems to be an issue in 18.04 with netplan. Although maybe 16.04 doesn't have systemd-resolved?

    Either way, one of systemd-resolved or netplan is fuckey, and it makes me shitty. So by all means criticise folk for hating new things, but fuck me this used to work just fine before all this new and "improved" shit.

    I can't remember the last time a UNIX variant couldn't handle multiple domain search. And I've been using this shit a long time. Why is it broken suddenly?
     
    Last edited: Jan 11, 2019
  10. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,400
    Location:
    qld.au
    The fact that you didn't look and blamed the wrong thing isn't saying much about your current skills elvis, if you're going to rant about something then it's probably a good idea to be correct (hint: you're not).

    It's OK to be too busy to investigate the underlying cause, but trying to go on a tangent about change when you don't even comprehend it is just lazy. Sorry to be so blunt, but for the same reason that you rant about people not learning IT, I have the same feelings about those in the industry who don't change.

    It's broken because you've used Ubuntu, who love to push change. Some good, some bad and some which certainly breaks the "because it's always been done this way" mantra. RHEL doesn't use systemd-resolved by default and everything works the old way without issue.

    Because Linux gives you the choice, you had a 10 second workaround to revert back to the older system and ensure compatibility, something you won't get in a closed environment. The fact that it doesn't support it and the fact that the sky hasn't fallen probably suggests your use case is so small nobody has bothered to patch it.

    I'm not defending the systemd-resolved as a 100% perfect solution, but the fact that it can trivially be replaced either with an alternative or with the existing system suggests there's a healthy ecosystem out there. If you choose to use distros who push bleeding edge changes then rant about the changes.... what have you really achieved?
     
  11. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    1,528
    Do you mean multiple domain suffixes? If so that's not that edge... plenty of orgs dish out multiple domain suffixes via DHCP
     
  12. BAK

    BAK Member

    Joined:
    Jan 7, 2005
    Messages:
    832
    Location:
    MornPen, VIC
    BlameD, new SystemD module coming soon.
     
    elvis, Daemon, cvidler and 1 other person like this.
  13. Perko

    Perko Member

    Joined:
    Aug 12, 2011
    Messages:
    2,964
    Location:
    NW Tasmania
    Poettering's been beta testing that one in the mailing lists for years.
     
  14. waltermitty

    waltermitty Member

    Joined:
    Feb 19, 2016
    Messages:
    780
    Location:
    BRISBANE
    I do bonding with ifupdown and rc scripts, no systemd, fight me.
     
  15. waltermitty

    waltermitty Member

    Joined:
    Feb 19, 2016
    Messages:
    780
    Location:
    BRISBANE
    OpenBSD still has the *best* interface configuration going

    Code:
    router$ cat /etc/hostname.trunk0
    description "LACP trunk for uplink to switch"
    trunkproto lacp trunkport em0 trunkport em1
    inet 192.168.0.1 255.255.255.0
    inet6 alias 2001:xxxxxx::1 64
    up
    
     
    j3ll0 likes this.
  16. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    1,528
    Used to see them everywhere back in the 'glory' days of flogging Evolve branding and borging UECOMM. Now they're not even in the conversation most of the time, TPG/Vocus have eaten their lunch hard.
     
  17. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    6,627
    Location:
    Brisbane
    We had few options due to regional sales people and the business requirements for overseas travel. Telstra products were, albeit priced at a premium, perfect however the administration side let them down. Our AE is in for a shock in 2 weeks when I cancel all our mobile voice and data services.
     
  18. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    1,528
    It's OK, he's probably still recovering from the shock of whatever the restructuring has put on his plate. Most of them are still walking around like stunned mullets.
     
  19. OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    34,636
    Location:
    Brisbane
    Oof. All this talk about the Linux community infighting, it's all wrong, you know. We really do love each other.

    Thank fuck I'm on holidays as of today. No Internet access for a big chunk of it. Looking forward to not being pulled from pillar to post for a minute. Who knows, I might even get some sleep, with a little luck.

    See you dudes in a couple of weeks for a fresh round of systemd and Exchange bashing. 2019 new year new us.
     
    Last edited: Jan 12, 2019
    j3ll0, Perko and Gunna like this.
  20. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    24,326
    Me too.
    Only for 5 days though. :(
    You going somewhere for your break?

    I'm off to Malaysia again.
     
