Old 10-09-2012, 01:59 PM
Simo Sorce
 
Default systemd requires HTTP server and serves QR codes

On Tue, 2012-10-09 at 15:29 +0200, Lennart Poettering wrote:
> On Mon, 08.10.12 21:00, Ray Strode (halfline@gmail.com) wrote:
>
> > Hi,
> >
> > On Mon, Oct 8, 2012 at 1:07 PM, Lennart Poettering <mzerqung@0pointer.de> wrote:
> >
> > > Correct. Note that this is not accessible at all, by default, and mostly
> > > a preview for now. Later on we will add http digest auth and proper TLS
> > > support (including client certs) if people want to control
> > > access. (thankfully, libmicrohttpd already implements auth+tls, so this
> > > is easy for us to provide).
> > I think negotiate-auth would be a really good feature here, since many
> > enterprise deployments use kerberos based SSO in their intranets.
>
> well, this is really computers authenticating against computers, not
> users against computers. Hence I think kerberos/SSO is not really the
> most appropriate logic, since it's very user-bound, no?

Not *at all*, each computer has its own principal and keytab and can
use it to do mutual authentication to one another.
Although if possible I would support also using a syslog specific keytab
instead of using the host/fqdn one so that people can decide to give the
journal daemon access to a less sensitive key and not the main
credentials.
We can easily provision that service key to clients via FreeIPA if the
feature is used there.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 10-09-2012, 02:05 PM
Lennart Poettering
 
Default systemd requires HTTP server and serves QR codes

On Tue, 09.10.12 09:49, Matthew Miller (mattdm@fedoraproject.org) wrote:

> On Tue, Oct 09, 2012 at 03:29:05PM +0200, Lennart Poettering wrote:
> > > I think negotiate-auth would be a really good feature here, since many
> > > enterprise deployments use kerberos based SSO in their intranets.
> > well, this is really computers authenticating against computers, not
> > users against computers. Hence I think kerberos/SSO is not really the
> > most appropriate logic, since it's very user-bound, no?
>
> I think the envisioned use would be admins peeking at the logs, but not
> allowing regular users to do so. (Commonly currently accomplished by making
> /var/log/messages owned and readable by the wheel group.)

The HTTP thingy is not really how admins should access the logs. They
should just use journalctl.

Lennart

--
Lennart Poettering - Red Hat, Inc.
 
Old 10-09-2012, 02:06 PM
Seth Vidal
 
Default systemd requires HTTP server and serves QR codes

On Tue, 9 Oct 2012, Matthew Miller wrote:

> On Tue, Oct 09, 2012 at 03:18:25PM +0200, Lennart Poettering wrote:
> > To build such an image I'd really would have preferred not installing
> > the docs. It appears rpm once had a feature for that where you could add
> > excludedocs in rpmrc. This feature seems to have been removed. Why? Can
> > we get that back? Or can I enable this for yum in some other way? Anyone
> > has an idea?
>
> +1 to this, although note that we currently ship licenses as doc files, and
> so that might need to go by packaging/legal.
>
> There's a yum plugin which sets RPM transaction flags (yum-plugin-tsflags),
> and with that we could put "tsflags=nodocs" in the yum.conf. Not sure how to
> get that up to spin-creation tools, and if we're going to count on it it
> could probably use some polish and integration.
>
> > info
>
> Yeah that goes along with nodocs.

--nodocs and tsflags=nodocs ends up with ugly ugly things when you want to
do rpm -Va later.

nodocs 'works' but not in a pretty way

-sv

 
Old 10-09-2012, 02:08 PM
Chris Adams
 
Default systemd requires HTTP server and serves QR codes

Once upon a time, Lennart Poettering <mzerqung@0pointer.de> said:
> The HTTP thingy is not really how admins should access the logs. They
> should just use journalctl.

So why is it part of the core package instead of a subpackage?
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
 
Old 10-09-2012, 02:12 PM
Lennart Poettering
 
Default systemd requires HTTP server and serves QR codes

On Tue, 09.10.12 09:56, Simo Sorce (simo@redhat.com) wrote:

> On Tue, 2012-10-09 at 15:23 +0200, Lennart Poettering wrote:
> > On Tue, 09.10.12 07:10, "Jóhann B. Guðmundsson" (johannbg@gmail.com) wrote:
> >
> > > On 10/09/2012 04:34 AM, Bill Nottingham wrote:
> > > >rsyslog.service
> > >
> > > Remind me again of the reason why we are still shipping rsyslog by
> > > default now that we have the journal?
> >
> > For F19 I plan to submit a feature asking for not installing syslog by
> > default anymore. I wonder how far I'll get with this before this is
> > shut down by the conservatives... ;-)
>
> Does systemd journal populate /var/log/messages ?

No. It doesn't.

> I already found myself stranded in F18 a couple of times.
> Stuff changed and there is no way to discover how to fix things.

Well, making changes means, well, making changes. Sure it is a bit of a
learning involved if we make changes, but it should always be our goal
to make the learning easy rather than just sticking to the old ways,
because we are afraid of making these changes. More specifically a good
approach here could be to include an almost empty /var/log/messages that
just tells you to invoke "journalctl" instead. Alternatively we could
just add a /var/log/README with the same info.

(Actually, it has been on my TODO list for a while to add
/etc/rc.d/init.d/README with similar info, I just never came around to
actually do it.)

Lennart

--
Lennart Poettering - Red Hat, Inc.
 
Old 10-09-2012, 02:14 PM
Lennart Poettering
 
Default systemd requires HTTP server and serves QR codes

On Tue, 09.10.12 09:58, Matthew Miller (mattdm@fedoraproject.org) wrote:

> On Tue, Oct 09, 2012 at 03:18:25PM +0200, Lennart Poettering wrote:
> > To build such an image I'd really would have preferred not installing
> > the docs. It appears rpm once had a feature for that where you could add
> > excludedocs in rpmrc. This feature seems to have been removed. Why? Can
> > we get that back? Or can I enable this for yum in some other way? Anyone
> > has an idea?
>
> +1 to this, although note that we currently ship licenses as doc files, and
> so that might need to go by packaging/legal.
>
> There's a yum plugin which sets RPM transaction flags (yum-plugin-tsflags),
> and with that we could put "tsflags=nodocs" in the yum.conf. Not sure how to
> get that up to spin-creation tools, and if we're going to count on it it
> could probably use some polish and integration.

Can I somehow pass this nicely on a "yum --installroot=... install"
command line?

Lennart

--
Lennart Poettering - Red Hat, Inc.
 
Old 10-09-2012, 02:14 PM
Panu Matilainen
 
Default systemd requires HTTP server and serves QR codes

On 10/09/2012 04:58 PM, Matthew Miller wrote:
> On Tue, Oct 09, 2012 at 03:18:25PM +0200, Lennart Poettering wrote:
> > To build such an image I'd really would have preferred not installing
> > the docs. It appears rpm once had a feature for that where you could add
> > excludedocs in rpmrc. This feature seems to have been removed. Why? Can
> > we get that back? Or can I enable this for yum in some other way? Anyone
> > has an idea?

Practically all such configuration was moved from rpmrc to macros eons
ago. So for the last 10+ years, set "%_excludedocs 1" macro (e.g.
somewhere in /etc/rpm/macros.*) to make it permanent, for a single run
with rpm cli it's --excludedocs (which just flips the relevant API flag)

> +1 to this, although note that we currently ship licenses as doc files, and
> so that might need to go by packaging/legal.

Yup, we can't simply skip licenses. rpm >= 4.11 will have a %doc-like
%license directive in the %files section, so these can be cleanly
separated, and licenses won't be affected by excludedocs. E.g.

%files
%doc README NEWS ChangeLog
%license COPYING
...

- Panu -
 
Old 10-09-2012, 02:15 PM
Lennart Poettering
 
Default systemd requires HTTP server and serves QR codes

On Tue, 09.10.12 10:06, Seth Vidal (skvidal@fedoraproject.org) wrote:

> On Tue, 9 Oct 2012, Matthew Miller wrote:
>
> >On Tue, Oct 09, 2012 at 03:18:25PM +0200, Lennart Poettering wrote:
> >>To build such an image I'd really would have preferred not installing
> >>the docs. It appears rpm once had a feature for that where you could add
> >>excludedocs in rpmrc. This feature seems to have been removed. Why? Can
> >>we get that back? Or can I enable this for yum in some other way? Anyone
> >>has an idea?
> >
> >+1 to this, although note that we currently ship licenses as doc files, and
> >so that might need to go by packaging/legal.
> >
> >There's a yum plugin which sets RPM transaction flags (yum-plugin-tsflags),
> >and with that we could put "tsflags=nodocs" in the yum.conf. Not sure how to
> >get that up to spin-creation tools, and if we're going to count on it it
> >could probably use some polish and integration.
> >
> >>info
> >
> >Yeah that goes along with nodocs.
> >
> >
>
> --nodocs and tsflags=nodocs ends up with ugly ugly things when you
> want to do rpm -Va later.
>
> nodocs 'works' but not in a pretty way

But shouldn't we make it possible to make it work in a pretty way?

Lennart

--
Lennart Poettering - Red Hat, Inc.
 
Old 10-09-2012, 02:17 PM
Lennart Poettering
 
Default systemd requires HTTP server and serves QR codes

On Tue, 09.10.12 09:08, Chris Adams (cmadams@hiwaay.net) wrote:

> Once upon a time, Lennart Poettering <mzerqung@0pointer.de> said:
> > The HTTP thingy is not really how admins should access the logs. They
> > should just use journalctl.
>
> So why is it part of the core package instead of a subpackage?

Because it is tiny, and not enabled by default, and we didn't see the
immediate need for it to be split off, given its size and
default-to-off-logic.

But as mentioned multiple times, if this really really is a problem we
can totally split it off.

Lennart

--
Lennart Poettering - Red Hat, Inc.
 
Old 10-09-2012, 02:18 PM
Seth Vidal
 
Default systemd requires HTTP server and serves QR codes

On Tue, 9 Oct 2012, Lennart Poettering wrote:

> > --nodocs and tsflags=nodocs ends up with ugly ugly things when you
> > want to do rpm -Va later.
> >
> > nodocs 'works' but not in a pretty way
>
> But shouldn't we make it possible to make it work in a pretty way?

You'll need to get the packaging team on board with it. I have to say it
is pretty much non-existent as a priority to anyone I've spoken with.


-sv

 
