jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Fri Jan 24, 2014 10:03 pm
Anon-E-moose wrote:
    I don't know that you'll gain much by removing those particular flags.
    ...
    The major flags that affect package bloat are the ones I mentioned earlier from my make.conf file, IMO.
OK, thanks ... I want to avoid the bloat and minimise the potential exposure to security threats, but still have a usable desktop system. The more I strip out without compromising security or losing the functionality I use and care about, the better.
mv wrote:
    -acl is fine for single-user systems. Actually you can even remove support for POSIX Access Control Lists in your kernel from the filesystems. Again, you will need to be careful with recompiling.
    I would recommend keeping xattr and keeping/setting security labels for your filesystems in the kernel: this is the new way hardened-sources marks exceptional binaries, and it is also needed if you should ever want to run overlayfs.
    sendmail is not important and up to you, but you probably want to install an MTA anyway, e.g. to get errors from cron.
    cxx is heavily needed unless you build an extremely tiny embedded system; many basic projects use C++.
Thanks ... I think I'll go with -acl. I'm sure at some point I'll figure out something I actually want to use cron for ... tripwire, chkrootkit and rkhunter pull it in. If I wanted to schedule these then it would be the tool of choice, but I don't. There is no USE flag to remove it from tripwire or rkhunter.
Thanks everyone for your patience and replies
Roman_Gruber Advocate
Joined: 03 Oct 2006 Posts: 3846 Location: Austro Bavaria
Posted: Sat Jan 25, 2014 8:03 am
Anon-E-moose wrote:
    Edit to add: this is from my /etc/make.conf
    Code:
        -introspection -hal -bluetooth -kde -gnome -libnotify -pam -consolekit -policykit -systemd -udisks -upower -pulseaudio
    Edit to add 2: It wouldn't hurt to leave pam installed, either. Just don't use it. It's your system and your choice.
Thanks, I'll just try that out now.
I just saw that hal does not exist anymore on my box. I could not find it in my make.conf, and ufed does not show hal anymore either. Maybe the hal USE flag is already gone ...
Chiitoo Administrator
Joined: 28 Feb 2010 Posts: 2574 Location: Here and Away Again
Posted: Sat Jan 25, 2014 9:22 am
tw04l124 wrote:
    I just saw that hal does not exist anymore on my box. I could not find it in my make.conf, and ufed does not show hal anymore either. Maybe the hal USE flag is already gone ...
If I'm not horribly wrong, hal has been gone about two years now. ^^
(Also another user here with KDE/Enlightenment without pam, *kit, and the like. For the time being, using udev, but soon going static, at least as a test at first.)
_________________
Kindest of regardses.
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6100 Location: Dallas area
Posted: Sat Jan 25, 2014 10:46 am
Yes, hal has long been gone, I just didn't clean up make.conf when it disappeared completely.
It doesn't hurt anything (on my system) so I just left it.
As always, modify those flags I use for your individual case,
i.e. I don't use bluetooth, so I have the flag there; if you do, then of course remove it.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat Jan 25, 2014 11:06 am
Hang on a minute!
If /bin/login isn't built with PAM, then how would /etc/security/limits.d/* get applied? That is needed for sensible process prioritization (which 99% of users ignore, it seems).
Edit: Here's CK's blog, as an interesting read.
_________________
Improve your font rendering and ALSA sound
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6100 Location: Dallas area
Posted: Sat Jan 25, 2014 11:17 am
PaulBredbury wrote:
    Hang on a minute!
    If /bin/login isn't built with PAM, then how would /etc/security/limits.d/* get applied? That is needed for sensible process prioritization (which 99% of users ignore, it seems).
I don't have /etc/security/limits.d/, I have /etc/security/limits.conf, which dates back to Jan 2013.
Not sure what installed it or why.
I've never had any problem with video playback, and I watch a fair amount of movies, anime, etc.,
and don't use pam, process prioritization, etc.
If a process really needed a better priority, I would use the old standby, nice.
Thus in my case there is no need for pam to have anything to do with /bin/login.
Edit to add: I do use zen patches and BFS for my scheduler. Don't know if that makes a difference re. prioritization.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat Jan 25, 2014 11:37 am
Anon-E-moose wrote:
    I would use the old standby, nice
Well, of course. The point is that it is very convenient for a user to be able to set a negative niceness, for the convenient setting of relative priorities, since the default is of course a niceness of zero.
These settings show their usefulness when the system is under load.
Last edited by PaulBredbury on Sat Jan 25, 2014 11:39 am; edited 1 time in total
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sat Jan 25, 2014 11:38 am
PaulBredbury wrote:
    If /bin/login isn't built with PAM, then how would /etc/security/limits.d/* get applied?
Without PAM the file is called /etc/limits and is interpreted directly by sys-apps/shadow.
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sat Jan 25, 2014 11:48 am
PaulBredbury wrote:
    These settings show their usefulness when the system is under load.
The limits have nothing to do with whether you have pam or not; it is just a question of how you specify them.
However, in any case I would not allow a default priority lower than 0, since this is even lower than system tasks which should react to IRQs etc. It is really dangerous to do this. If you want to view movies (on a single-user system) when the system is under load, it is better to give your other tasks a lower priority. But usually nothing helps anyway, because the hangs are not caused by priority questions but by I/O things which you cannot control reasonably (e.g. I have a laptop where nothing runs when it flushes to disk; the disk just blocks the processor completely). In an emergency you can still use sudo to set negative nice values, but as said: in my experience it does not help and can do harm. On a multiuser system I would not give any user permission to set a negative priority, anyway.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat Jan 25, 2014 11:56 am
Thanks. According to shadow's README.limits file, there's no way to let the user set a negative niceness.
E.g. in /etc/security/limits.d/91-limits.conf:
Code:
    myusername - nice -8
So it looks like I need /bin/login linked to PAM.
mv wrote:
    even lower than system tasks which should react to IRQs
Are you sure? This shows a lot of kernel processes running at a niceness of -20:
Code:
    ps -eo pid,rtprio,nice,policy,ruser,rgroup,comm,args
You say it's "dangerous", yet I've been doing this for years without seeing adverse effects.
Edit: Just to make things a bit clearer: -20 takes priority over -8.
Last edited by PaulBredbury on Sat Jan 25, 2014 12:17 pm; edited 1 time in total
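The nice item in pam_limits configuration is the crux of the disagreement above, so here is an added audit script (not from this thread, and not pam_limits' own code) that parses limits.conf-style lines, resolves the lowest niceness a given user may request, and lists every domain granted a negative floor. The sample file is constructed, and the precedence rule (explicit user entry beats @group, which beats the `*` default; the last line at the same level wins) is an assumption about pam_limits behaviour.

```python
# Constructed sample in /etc/security/limits.conf format; not taken from
# any real system. Fields: <domain> <type> <item> <value>.
SAMPLE = """
# 91-limits.conf (constructed example)
*           -     nice      0
@audio      -     nice      -5
myusername  -     nice      -8
root        hard  nice      -20
"""


def parse_nice_entries(text):
    """Return a list of (domain, type, value) for every 'nice' item."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[2] != "nice":
            continue
        domain, ltype, _, value = parts
        entries.append((domain, ltype, int(value)))
    return entries


def effective_nice_floor(entries, user, groups=()):
    """Resolve the lowest niceness `user` may request, or None if no
    entry applies. Assumed precedence: user > @group > '*', and within
    one level the last matching line wins."""
    ranking = {"user": 3, "group": 2, "default": 1}
    best = None
    for domain, _, value in entries:
        if domain == user:
            level = "user"
        elif domain.startswith("@") and domain[1:] in groups:
            level = "group"
        elif domain == "*":
            level = "default"
        else:
            continue
        if best is None or ranking[level] >= ranking[best[0]]:
            best = (level, value)
    return None if best is None else best[1]


def negative_nice_grants(entries):
    """Audit helper: domains allowed below the 0 floor that mv argues
    should stay the limit, since kernel threads sit at -20."""
    return sorted({d for d, _, v in entries if v < 0})
```

Run it against the real files under /etc/security/ on a PAM-enabled box to see which users may schedule ahead of niceness-0 work; on a shadow-only box the format of /etc/limits differs and this parser does not apply.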
|
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6100 Location: Dallas area
Posted: Sat Jan 25, 2014 12:13 pm
Bottom line:
Can one have a nice responsive system with pam? Yes.
Can one have a nice responsive system without pam? Yes.
Use what you like, what fits your needs, and the way you like your system.
I know that not only is my hardware different from many others',
including things like turning off CPU frequency changing, etc.,
but I do things a completely different way.
I boot up into console mode, then use startx. I usually run my emerges from the console, etc.
So everyone's system is different even if they were using the same hardware.
Use what works for you, though I do like hearing of the way different people run their system and why.
If it looks good enough, for me, I might change the way that I run my own system.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sat Jan 25, 2014 12:25 pm
PaulBredbury wrote:
    Thanks. According to shadow's README.limits file, there's no way to let the user set a negative niceness.
Maybe; I have never tried. As I said, a negative value is usually not a good idea, since normally you do not want to interfere with kernel processes. Concerning other processes, only the relative value is important. If you really want to allow it for a particular program, it is probably safer to set a sudo exception.
Quote:
    Are you sure? This shows a lot of kernel processes running at a niceness of -20:
So you probably do not want to decrease the ratio to them and slow these down relatively.
Quote:
    You say it's "dangerous", yet I've been doing this for years without seeing adverse effects.
I guess this can all depend on your hardware. It is probably hard to predict what happens if your system reacts too slowly to certain hardware IRQs. When you are burning a DVD, it is clear what is happening. I would guess that you can similarly e.g. wear your hard disk more than necessary, but I am not a hardware expert.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat Jan 25, 2014 12:59 pm
mv wrote:
    So you probably do not want to decrease the ratio to them and slow these down relatively.
What? Where's the sense in what you're saying?
These niceness levels exist so that they can be used, and altered. And I do. The kernel doesn't panic, files don't get corrupted, wi-fi stays up and reliable. Why are you scaremongering?
I'm using this e.g. to state, quite deliberately, that the CPU should give priority to e.g. a music player and especially a video player, over the "normal" CPU processes (i.e. the processes which are niceness zero). It's that simple.
Burning a DVD is a special case (haven't done it for a while, not sure if it's still realtime-critical with e.g. "burnfree"), and I would give that a negative niceness too (and use ionice), as appropriate.
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sat Jan 25, 2014 2:43 pm
PaulBredbury wrote:
    These niceness levels exist so that they can be used
And there is a reason that the default lowest niceness for a normal user is 0 and not -20.
Quote:
    The kernel doesn't panic, files don't get corrupted, wi-fi stays up and reliable.
Maybe it does, but maybe there is considerably more delay (e.g. a need to retransfer packets or even re-establish some connection) than usual. Does saving a few milliseconds by slowing down basic kernel tasks really improve your experience when watching videos? I mean:
Quote:
    give priority to e.g. a music player and especially a video player, over the "normal" CPU processes (i.e. the processes which are niceness zero).
Why do you start your "normal" processes at the lowest possible niceness in the first place? Starting your shell (and thus everything else) with a higher niceness by default won't hurt you with a low load, and giving niceness 0 to a process is then practically the same as giving a negative niceness, except that you are safer from interfering with really basic tasks: instead of decreasing the niceness of video, it is probably better to increase the niceness of the rest. (Of course, you can also do this only at the moment when you decide that you want to watch a video and observe that it is too slow.)
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat Jan 25, 2014 3:00 pm
mv wrote:
    there is a reason that the default lowest niceness for a normal user is 0 and not -20
I am not interfering with the kernel's high-priority threads (although we can if we want). I use -8 as my highest user priority, that's all. It gives me plenty of scale.
Quote:
    a few milliseconds
There are only 16 milliseconds per frame, at 60fps. So yeah, the kernel should wait. There is no disadvantage in such prioritization!
Quote:
    Why do you start your "normal" processes at the lowest possible niceness in the first place?
I don't. Whatever gives you that idea?
Here are some more examples, for those interested.
jonathan183 Guru
Joined: 13 Dec 2011 Posts: 318
Posted: Sat Jan 25, 2014 6:15 pm
My understanding is that pam is for user authentication ... so if I want to authenticate users using a fingerprint reader or some other method, then pam might help me out.
If I have a problem with system responsiveness then I don't think pam is the answer ... and if removing pam makes my system unresponsive then I will look at how to resolve this; re-installing pam would not be my first approach.
If it's not installed then it can't leak, break or be incorrectly configured ...
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sat Jan 25, 2014 6:42 pm
jonathan183 wrote:
    My understanding is that pam is for user authentication ...
Yes, it is. However, pam's /etc/security/... is a little more fine-grained than /etc/limits.conf; the case of a negative maximal niceness just discussed is only one of several minor differences; a default niceness is another one; the possibility to avoid things like suxs or sudox to pass X authorization is yet another extension which you get only with pam; also, some screenlockers have decided to rely only on pam and not on any "manual" authentication method. So in some cases, pam really has advantages.
On the other hand, all these conveniences come at the price of introducing an already rather complex layer.
If you play this game to the extreme, you end up with polkit: convenience everywhere, but due to the complexity you can almost expect that your system is vulnerable. Only running everything directly as root is even more convenient and only slightly less secure.
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sat Jan 25, 2014 6:52 pm
Wasn't there a daemon which would automatically set the niceness based on the process name and a configurable list? (Maybe it was app-admin/verynice?) This could be something for you.
I never cared too much about it, since in my experience changes in niceness did not have a remarkable influence on performance: on my slower machines, RAM is the bottleneck, so e.g. compiling gcc in the background makes the machine almost unusable even with the highest nice and ionice, and my faster machines are so fast that I do not observe any disturbing slowdown when viewing video, except on a few occasions when the hard disk becomes the bottleneck.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat Jan 25, 2014 7:11 pm
I noted verynice, but didn't bother trying it, because I don't need/want a daemon. Sensible defaults for nice & ionice work fine.