 
12-06-2010, 06:22 PM
Michał Piotrowski

Fedora default services (was: F15 Feature - convert as many service init files as possible to the native SystemD services)

2010/12/6 Bill Nottingham <notting@redhat.com>:
> Michał Piotrowski (mkkp4x4@gmail.com) said:
>> >> If systemd will allow us to do that, sure.
>> >
>> > What's the point here? For example, this doesn't cut down on the number
>> > of listening ports, obviously, nor on the requirements for root passwords
>> > and potential root login. And if it's started in parallel, I doubt it's a
>> > huge drain on resources.
>>
>> "For a fast and efficient boot-up two things are crucial:
>>
>> * To start less.
>> * And to start more in parallel."
>>
>> http://0pointer.de/blog/projects/systemd.html
>>
>> IMO "start less" philosophy is a good thing.
>
> Yes. However, I'm leery of adding too many drastic changes that don't have
> upstream buy-in yet.

I understand your POV.

> What's upstream openssh's opinion on socket activation?

Does openssh stand out as something special among other daemons?

>
> Bill
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel



--
Best regards,
Michal

Sent from my iToaster
 
12-06-2010, 06:52 PM
Michał Piotrowski

I wonder why my server rejected my previous email?


---------- Forwarded message ----------
From: Michał Piotrowski <mkkp4x4@gmail.com>
Date: 6 December 2010 20:46
Subject: Re: Fedora default services (was: Re: F15 Feature - convert as
many service init files as possible to the native SystemD services)
To: Development discussions related to Fedora <devel@lists.fedoraproject.org>


2010/12/6 Miloslav Trmač <mitr@volny.cz>:
> Michał Piotrowski wrote on Mon 06. 12. 2010 at 20:22 +0100:
>> 2010/12/6 Bill Nottingham <notting@redhat.com>:
>> Does openssh stand out as something special among other daemons?
> Actually, it does - for remote installations (sometimes the only option)
> ssh needs to be running after installation so that the system
> administrator can connect to it and start configuring it. Other
> services are not necessary like this.
>
> (Yes, the system administrator can write a kickstart script that enables
> the service after installation. I'm not sure that's something we can ask
> a novice sysadmin to do, however.)

We are talking here about the case when the ssh server is started when a
user connects to port 22 (or other configured). From my POV everything
should work as expected.

> Mirek



--
Best regards,
Michal

Sent from my iToaster
 
12-06-2010, 06:56 PM
Bill Nottingham

Michał Piotrowski (mkkp4x4@gmail.com) said:
> We are talking here about the case when the ssh server is started when a
> user connects to port 22 (or other configured). From my POV everything
> should work as expected.

Right. To do this in systemd implies that you're patching openssh to
do socket-based activation... hence why I asked about upstream's opinion
on it.

Bill
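
What "doing socket-based activation" asks of a daemon, as an added example that is not part of the original thread and not code from openssh or systemd: systemd hands over already-bound listeners starting at descriptor 3 and announces them in the `LISTEN_PID` and `LISTEN_FDS` environment variables, and the daemon should validate them before accepting connections on them. The function names are assumptions of this example.

```python
import os
import socket
import stat

SD_LISTEN_FDS_START = 3  # first descriptor systemd passes to an activated service


def activated_fds(environ, pid, first_fd=SD_LISTEN_FDS_START):
    """Return the descriptors announced via LISTEN_PID/LISTEN_FDS, or []."""
    try:
        target_pid = int(environ.get("LISTEN_PID", ""))
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []  # not socket-activated: the daemon binds and listens itself
    # The variables can leak into child processes; only the addressed PID may use them.
    if target_pid != pid or count <= 0:
        return []
    return list(range(first_fd, first_fd + count))


def is_listening_stream(fd):
    """Accept only a descriptor that is an already-listening stream socket."""
    if not stat.S_ISSOCK(os.fstat(fd).st_mode):
        return False
    sock = socket.socket(fileno=fd)  # family and type are detected from the descriptor
    try:
        return (sock.type == socket.SOCK_STREAM and
                sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN) == 1)
    finally:
        sock.detach()  # release the wrapper without closing the inherited descriptor


def adopt_listeners(environ=os.environ, pid=None, first_fd=SD_LISTEN_FDS_START):
    """Validate inherited sockets and keep them from leaking into child sessions."""
    pid = os.getpid() if pid is None else pid
    adopted = []
    for fd in activated_fds(environ, pid, first_fd):
        if not is_listening_stream(fd):
            raise RuntimeError("fd %d is not a listening stream socket" % fd)
        os.set_inheritable(fd, False)  # close-on-exec for anything the daemon spawns
        adopted.append(fd)
    return adopted
```
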
 
12-06-2010, 07:04 PM
Michał Piotrowski

2010/12/6 Bill Nottingham <notting@redhat.com>:
> Michał Piotrowski (mkkp4x4@gmail.com) said:
>> We are talking here about the case when the ssh server is started when a
>> user connects to port 22 (or other configured). From my POV everything
>> should work as expected.
>
> Right. To do this in systemd implies that you're patching openssh to
> do socket-based activation... hence why I asked about upstream's opinion
> on it.

I wasn't aware that they don't support it. I saw Lennart's
http://0pointer.de/public/systemd-units/sshd.socket
and I thought that it just works (I haven't tested it yet)

>
> Bill



--
Best regards,
Michal

Sent from my iToaster
 
12-06-2010, 10:07 PM
Toshio Kuratomi

On Mon, Dec 06, 2010 at 06:55:20PM +0100, Michał Piotrowski wrote:
> On 6 December 2010 18:43, Kevin Fenzi <kevin@scrye.com> wrote:
> > On Mon, 6 Dec 2010 18:17:51 +0100
> > Michał Piotrowski <mkkp4x4@gmail.com> wrote:
> >
> >> On 6 December 2010 18:01, Kevin Fenzi <kevin@scrye.com>
> >> wrote:
> >
> > ...snip...
> >
> >> > What are you trying to do?
> >>
> >> I'm trying to convert sysvinit scripts to systemd services (as many
> >> as possible)
> >
> > If you're trying to determine what units should be enabled by default,
> > please talk to the Fedora Packaging Committee.
> >
> > See also:
> > https://fedorahosted.org/fesco/ticket/504
> >
> > Where fesco decided:
> >
> > "Default is off, exceptions exist to allow proper functioning of the
> > os. FPC to document exceptions and process exception requests."
> >
> > FPC was going to work on an exceptions list I think...
>
> This list will be useful.
>
> Dear FPC people, could you provide this list in the near future?
>
Feedback appreciated -- what do you think should be on? What do you think
should be off? Right now I think we'd make an exception for ssh (a really
big exception since it's a network facing service, even). Dbus and
default syslog variant also spring to mind which might be. Those might be
able to start defining a category of "things needed to run a desktop
session" or something.

iptables, auditd, restorecond sound like keepers -- maybe a category here
would be things that add to system security in a default install. For this
category we'd want to be careful, do we also want to allow fail2ban or
denyhosts to run by default if they're installed?

Other categories or specific examples would be good.

-Toshio
 
12-06-2010, 10:38 PM
Michał Piotrowski

2010/12/7 Toshio Kuratomi <a.badger@gmail.com>:
> On Mon, Dec 06, 2010 at 06:55:20PM +0100, Michał Piotrowski wrote:
>> On 6 December 2010 18:43, Kevin Fenzi <kevin@scrye.com> wrote:
>> > On Mon, 6 Dec 2010 18:17:51 +0100
>> > Michał Piotrowski <mkkp4x4@gmail.com> wrote:
>> >
>> >> On 6 December 2010 18:01, Kevin Fenzi <kevin@scrye.com>
>> >> wrote:
>> >
>> > ...snip...
>> >
>> >> > What are you trying to do?
>> >>
>> >> I'm trying to convert sysvinit scripts to systemd services (as many
>> >> as possible)
>> >
>> > If you're trying to determine what units should be enabled by default,
>> > please talk to the Fedora Packaging Committee.
>> >
>> > See also:
>> > https://fedorahosted.org/fesco/ticket/504
>> >
>> > Where fesco decided:
>> >
>> > "Default is off, exceptions exist to allow proper functioning of the
>> > os. FPC to document exceptions and process exception requests."
>> >
>> > FPC was going to work on an exceptions list I think...
>>
>> This list will be useful.
>>
>> Dear FPC people, could you provide this list in the near future?
>>
> Feedback appreciated -- what do you think should be on? What do you think
> should be off? Right now I think we'd make an exception for ssh (a really
> big exception since it's a network facing service, even).

Ok

> Dbus and
> default syslog variant also spring to mind which might be.

Ok

> Those might be
> able to start defining a category of "things needed to run a desktop
> session" or something.
>
> iptables,

no chance to disable this

I guess ip6tables too?

> auditd, restorecond sound like keepers -- maybe a category here
> would be things that add to system security in a default install.

These are things related to core system security, so should be enabled.

> For this
> category we'd want to be careful, do we also want to allow fail2ban or
> denyhosts to run by default if they're installed?

No, other things not related with SELinux (or something that we could
call "core security subsystem") should be IMHO off by default.

>
> Other categories or specific examples would be good.

Cron - but should be activated only when cron files exist

It seems to me that the list:
- ssh
- Dbus
- syslog
- iptables
- ip6tables
- auditd
- restorecond
is an absolute minimum to get "working system".

- udev-post ? - is it needed for F15?
- mdmonitor and lvm2-monitor? - are they needed for proper working MD's/LVM's?
- network/Networkmanager ?

Everything else that is not essential for Fedora security, basic
desktop functionality should be IMO off by default.

>
> -Toshio



--
Best regards,
Michal

Sent from my iToaster
 
12-06-2010, 11:07 PM
Michał Piotrowski

2010/12/7 Matt McCutchen <matt@mattmccutchen.net>:
> On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
>> Cron - but should be activated only when cron files exist
>>
>> It seems to me that the list:
>> - ssh
>> - Dbus
>> - syslog
>> - iptables
>> - ip6tables
>> - auditd
>> - restorecond
>> is an absolute minimum to get "working system".
>
> I don't agree that ssh is required for a "working system".

It's required for all systems without display device

> A desktop
> user may never ssh to his/her own machine.

That's why it should be socket activated as soon as possible

> (Whether to enable ssh by
> default is a different question.)
>
> --
> Matt



--
Best regards,
Michal

Sent from my iToaster
 
12-06-2010, 11:10 PM
Toshio Kuratomi

On Tue, Dec 07, 2010 at 12:38:07AM +0100, Michał Piotrowski wrote:
> 2010/12/7 Toshio Kuratomi <a.badger@gmail.com>:
> > Those might be
> > able to start defining a category of "things needed to run a desktop
> > session" or something.
> >
> > iptables,
>
> no chance to disable this
>
I'd be more inclined to ask what benefit we have to turning the firewall off
vs having a more permissive set of firewall rules by default. AFAIK,
turning the firewall on doesn't currently turn on any additional daemon --
it just sets up the defined rules.

> I guess ip6tables too?
>
Yep.

Would you be willing to write up a Packaging Draft and add it to the FPC
tracker? If not, I'll bring it up in the Packaging Meeting on Wednesday
morning.

-Toshio

 
12-07-2010, 12:57 AM
Adam Williamson

On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:

> There are no stupid questions
>
> On most desktop systems firewall is not needed. Many users do not even
> know how to configure it. In fact I disable it in most of my systems,
> because there is no real use for it. So I asked a simple question
> whether there is a need to install iptables by default?

On most laptops, however, which are the most common types of system sold
today, a firewall is very definitely needed when you're connecting to
hotel networks, public wifi access points...
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

 
12-07-2010, 01:04 AM
Jesse Keating

On 12/06/2010 05:57 PM, Adam Williamson wrote:
> On most laptops, however, which are the most common types of system sold
> today, a firewall is very definitely needed when you're connecting to
> hotel networks, public wifi access points...


Please explain why. What actual service is the firewall rendering in
this case?

--
Jesse Keating
Fedora -- Freedom is a feature!
identi.ca: http://identi.ca/jkeating