Gentoo Forums
SSH config-changes
Forum: Networking & Security
dmpogo (Advocate; joined 02 Sep 2004; posts: 3267; location: Canada)
Posted: Thu May 18, 2023 8:13 pm

Hu wrote:
As sam_ said immediately above, the new scheme avoids the need to interact with etc-update / dispatch-conf, because the tools can recognize that the live file is exactly what the previous version of the package installed, and so replacing it with the new version's file cannot lose any user changes. In contrast, with a single file that contains both Gentoo-maintainer directives and local-administrator directives, you will likely need to review the file and selectively keep pieces from each side.



So basically, it is to bypass the established Gentoo mechanism and rely on another way of preserving user changes, which I am not sure is the right management strategy. Mishmash is the word.
Also I am not sure that the idea to split sshd_config into a system and a user file, and basically exclude user configs from config management, is that great an idea.
It eliminates the incentive to carefully review the changes to the system config, which could become incompatible with your custom file, and also lets user configs slowly rot, since they do not need to be reviewed.


Last edited by dmpogo on Thu May 25, 2023 8:57 pm; edited 1 time in total
pjp (Administrator; joined 16 Apr 2002; posts: 20067)
Posted: Thu May 18, 2023 11:41 pm

szatox wrote:
Sure.
Starting with this point:
Quote:
The idea is for users (or sysadmins of larger deployments) to be able to configure their sshd easier, not for other packages to interfere

These are 2 completely opposite approaches, none of which really has the problem to solve. A "user" won't mind modifying a single, almost empty file directly.
A larger deployment is a more enterprise-y scenario, which calls for actual tools for centralized management. E.g. I've been working with ansible; puppet, salt and others exist too, and although syntax varies, I'm pretty sure they will all provide similar features, and this is where the fun begins:
Oh, that kind of template. I thought you meant something related to ssh specifically.

Having used ansible, I think it might be easier to manage the new use of directories. Again, the original files remain untouched. Distro changes can be easily monitored, and local changes are more easily controlled. The segregation is a big improvement for individuals and enterprise situations in my opinion. As an individual user, I have enough changes that in fact, I DO mind having to modify a single file. Thank you for clarifying, but on this, we disagree for both the individual and enterprise use case.

So far at least, the change isn't mandatory. You can ignore the new gentoo files and directories and completely manage settings on your own. Honestly, I think that could be an improvement too. Although I probably "appreciate" gentoo's additions without realizing it :)
_________________
Quis separabit? Quo animo?
pjp (Administrator; joined 16 Apr 2002; posts: 20067)
Posted: Thu May 18, 2023 11:44 pm

AJM wrote:
Isn't that what etc-update solves though? I've virtually always found it to be a great tool for (1) seeing what maintainers would like to add / change in config files and (2) ensuring that my custom alterations are carried over. Certainly easier than say using vimdiff with Debian configs which I also use frequently. All these extra 2 or 3 line config files are just more debris to wade through for me...
I use it for trivial changes. For anything more complicated than that, I don't find the display of changes useful. I use tools manually to evaluate non-trivial changes.
_________________
Quis separabit? Quo animo?
szatox (Advocate; joined 27 Aug 2013; posts: 3133)
Posted: Fri May 19, 2023 12:11 am

Quote:
As an individual user, I have enough changes that in fact, I DO mind having to modify a single file.

Do you mean volume of changes in ssh config specifically, or total number of changed files under config-protect?
In the first case: you're weird :lol:
In the second case: I tend to just reject changes from the package maintainer. I don't bother reading it all; it's just a quick glance and "Z". In fact, is there an easy way to make this behavior the default? Even better if it could automatically reject changes and save the maintainer's version in an inactive location for future reference.

Quote:
Thank you for clarifying, but on this, we disagree for both the individual and enterprise use case.
You do you. I don't like ( sharing | fighting over) a single responsibility with strangers.
Delegating is great when I can just let things happen without me being involved, but once I take over, everybody get off my lawn and _stay_ there.
pjp (Administrator; joined 16 Apr 2002; posts: 20067)
Posted: Fri May 19, 2023 6:12 am

szatox wrote:
Quote:
As an individual user, I have enough changes that in fact, I DO mind having to modify a single file.

Do you mean volume of changes in ssh config specifically, or total number of changed files under config-protect?
In the first case: you're weird :lol:
Changes to the ssh config. It isn't that many, but I add comments and extra spacing for readability. It adds up.

szatox wrote:
In the second case: I tend to just reject changes from package maintainer. I don't bother reading it all, it's just a quick glance and "Z".
I vaguely recall there having been breaking changes at some point, and since I don't like calls at weird hours, I tend toward behaviors that help me avoid said calls. Even more so if my lack of preparation results in having to wake someone else up because I'm not physically located at the system's location. As a result, I take a relatively similar approach in managing my own systems.

szatox wrote:
In fact, is there an easy way to make this behavior default? Even better if it could automatically reject changes and save maintainer's version in an inactive location for future reference.
Not that I know of.


szatox wrote:
You do you. I don't like ( sharing | fighting over) a single responsibility with strangers.
Absolutely. No fighting intended. As I mentioned, I thought you meant an 'ssh template' solution, so I was hoping to learn something.

And as I also mentioned, it appears that you can do you and completely ignore the new directories / files.

szatox wrote:
Delegating is great when I can just let things happen without me being involved, but once I take over, everybody get off my lawn and _stay_ there.
We agree there too! It seems as though we can both not be involved with the option of the new solution, or at least less involved. Win-win as they say.
_________________
Quis separabit? Quo animo?
szatox (Advocate; joined 27 Aug 2013; posts: 3133)
Posted: Sat May 20, 2023 1:50 pm

Quote:
No fighting intended
Oh, I didn't mean you. It was about package maintainers or whoever provides the default configs - though obviously, it's not their fault either.
Quote:
And as I also mentioned, it appears that you can do you and completely ignore the new directories / files.
Yes, I went ahead and did just that.
Things are good.
tld (Veteran; joined 09 Dec 2003; posts: 1816)
Posted: Thu Jun 01, 2023 6:45 pm

figueroa wrote:
I'm pretty sure what the news item is suggesting is for users to create their own /etc/ssh/sshd_config.d/90gentoo.conf, in other words a file with a LOWER number than the existing default files.
I'm just now getting to the update with this change. First of all...I HATE this change with every fiber of my being, and honestly don't see how it would ever be useful in the case of ssh. That aside, I DO NOT get the explanation of this change at all.

First of all, I'm unclear as to exactly what it might be in my existing config that would differ from the defaults offhand, and I'm not sure how to tell. What's more confusing to me is this: If the config files in the new directory are processed in order, wouldn't MY changes to defaults need to happen AFTER the default to work?

Not getting it at all. I'm actually updating now and haven't seen the new configs as yet, but wow am I confused.

EDIT: OK...I see why I was confused. I was under the impression that everything was now under the new /etc/ssh/sshd_config.d and that the sshd_config file ONLY included that. I see that handling the differences in the existing default sshd_config file and mine is just as with any other ssh update. Sorry for the confusion.

Tom
Hu (Moderator; joined 06 Mar 2007; posts: 21619)
Posted: Thu Jun 01, 2023 7:06 pm

Your installed configuration would differ from defaults if at some point you customized it. For example, I always ensure that PasswordAuthentication no is set on both server and client, because I never want clients asking for a password, nor servers accepting it if a misconfigured client tried to offer one. Historically, I made it a point to leave a comment in my writing style adjacent to each such override, so that when reviewing it years later, whether in etc-update or just general administration, I would know a change was mine and why I did it, so that my future self could evaluate whether the reasons still made sense.

OpenSSH uses a first-match-wins model for its configuration processing. Since files will be lexically sorted, then concatenated, the file with the lexically first name will be the topmost set of lines in the resulting virtual file. Any directives found there will cause the program not to react to that same directive appearing later. Thus, since Gentoo numbered its files with 9999999, any lower number will make your changes appear earlier in the file and prevail. Any directives you do not set will pull the Gentoo default, if there is one.
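To make the first-match-wins behaviour Hu describes concrete, here is an added shell example (written for this page; it is not code from the thread or from Gentoo's openssh package). It emulates what sshd does with an Include of a sshd_config.d directory: expand the glob in lexical order, concatenate, and honour only the first occurrence of each directive. The snippet files, their names and their contents are constructed under a temporary directory and are assumptions for illustration; the only Gentoo-specific fact it leans on is the 9999999 prefix on Gentoo's own file.

```shell
#!/bin/sh
# Added example: emulate sshd's first-match-wins resolution over an
# Include'd directory. Everything here works on constructed files in a
# temp dir, never on a real /etc/ssh.

# Print the effective value of one directive as sshd would resolve it
# after "Include <dir>/*.conf": the shell expands the glob in lexical
# order (the same order sshd uses), cat concatenates the files, and awk
# stops at the FIRST non-comment line whose keyword matches
# (keywords are case-insensitive in sshd_config).
# Simplification: Match blocks and the "Key=Value" spelling are ignored.
effective_value() {
    dir=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    cat "$dir"/*.conf 2>/dev/null | awk -v key="$key" '
        /^[ \t]*#/ || NF < 2 { next }          # skip comments and blank lines
        tolower($1) == key { print $2; exit }  # first match wins, stop reading
    '
}

# Build a constructed sshd_config.d layout: a local override with a low
# number and a "distro" file carrying the 9999999 prefix Gentoo uses.
# Prints the directory path; the caller is responsible for removing it.
make_demo_dir() {
    dir=$(mktemp -d)
    printf '# local override (constructed)\nPasswordAuthentication no\n' \
        > "$dir/50local.conf"
    printf '# distro defaults (constructed)\nPasswordAuthentication yes\nPermitRootLogin prohibit-password\n' \
        > "$dir/9999999gentoo.conf"
    printf '%s\n' "$dir"
}

# Walkthrough: "50local.conf" sorts before "9999999gentoo.conf" (the
# second character '0' is lower than '9'), so the local "no" is seen first
# and wins; PermitRootLogin is only set by the distro file, so that value
# falls through as the default.
demo() {
    dir=$(make_demo_dir)
    printf 'files in include order: '; ls "$dir"
    printf 'PasswordAuthentication -> %s\n' "$(effective_value "$dir" PasswordAuthentication)"
    printf 'PermitRootLogin        -> %s\n' "$(effective_value "$dir" PermitRootLogin)"
    rm -rf "$dir"
}

demo
```

On a real host the authoritative check is `sshd -T` (with `-f` to point at a specific main config), which prints the configuration sshd actually resolved, including the Match-block effects this emulator skips; diffing that output before and after an update is the quickest way to confirm that an override such as PasswordAuthentication no still prevails over the distro snippet.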
jesnow (l33t; joined 26 Apr 2006; posts: 856)
Posted: Sun Jun 04, 2023 9:27 pm

This caused me a massive pain in the ass.

sam_ wrote:
People are free to use the old method if they want.


I really hate turning every config file into a directory. Please post instructions on how to revert it in such a way that my config files don't get nuked again.

Cheers,
Jon.
szatox (Advocate; joined 27 Aug 2013; posts: 3133)
Posted: Sun Jun 04, 2023 9:34 pm

Just zap the changes when you run etc-update.
You will still have the directory, but bits inside won't be included from the main config file.
jesnow (l33t; joined 26 Apr 2006; posts: 856)
Posted: Sun Jun 04, 2023 10:16 pm

So I get minimum four more config files per openssh update to manually zap from now on. PLUS it craps directories I don't want into my most important config directory.

Not cool.

Cheers,
Jon
Hu (Moderator; joined 06 Mar 2007; posts: 21619)
Posted: Sun Jun 04, 2023 10:31 pm

If you don't touch the files in the subdirectory, then etc-update should be able to automatically merge them in subsequent updates. If this really bothers you, you can INSTALL_MASK them out of existence.
mv (Watchman; joined 20 Apr 2005; posts: 6747)
Posted: Mon Jun 05, 2023 6:25 am

Just to not let the wrong impression stand that many users dislike the change:

I find the change great! It simplifies so many things and makes so much clearer.
  • Previously, it was a PITA to distinguish original comments, original defaults, commented-out defaults, and my own settings. Putting a separate comment in each line for distinction did not help to increase clarity, either.
  • Previously, at every change of the default config some manual merging was necessary. Now it suffices to skim over the comment/default changes to check whether there is something to be done (experience shows in 99% of cases: no).
  • Moreover, now the same custom config can be copied/backed up on all of my machines. Previously, for some machines an adaptation of the sftp path (sometimes "lib", sometimes "lib64") was necessary. Now this is of course no longer part of my custom config.
  • If I really want some custom config on some machines only, I can have exactly these parts in a separate file.
AJM (Apprentice; joined 25 Sep 2002; posts: 189; location: Aberdeen, Scotland)
Posted: Mon Jun 05, 2023 9:01 am

mv wrote:
Just to not let the wrong impression stand that many users dislike the change: I find the change great!


It's not a "wrong impression" that many users dislike the change, it's fact. Other users like the change and I'm happy for you that you're one of them... that doesn't somehow invalidate the opinions of the rest of us who don't like it though...

(I still haven't seen any great reason for it myself other than to make life easier for an anonymous large consumer of Gentoo)
sam_ (Developer; joined 14 Aug 2020; posts: 1678)
Posted: Mon Jun 05, 2023 11:10 am

AJM wrote:
mv wrote:
Just to not let the wrong impression stand that many users dislike the change: I find the change great!


It's not a "wrong impression" that many users dislike the change, it's fact. Other users like the change and I'm happy for you that you're one of them... that doesn't somehow invalidate the opinions of the rest of us who don't like it though...

(I still haven't seen any great reason for it myself other than to make life easier for an anonymous large consumer of Gentoo)


I made a point of saying that while it was convenient for them, I only found that out after I'd written up the changes. I think it's a bit unfair to claim that given I explicitly gave my reasoning. You don't have to agree with it, but I made clear that was not why we did it. It was just useful to know that it was helpful for larger deployments. But feel free to INSTALL_MASK it and go about your business as you were before?
AJM (Apprentice; joined 25 Sep 2002; posts: 189; location: Aberdeen, Scotland)
Posted: Mon Jun 05, 2023 11:47 am

I didn't claim, or intend to claim, that you'd made this change for the large consumer of Gentoo (pity these types of users are so quiet about it though) - I just genuinely still don't understand how it benefits anyone other than them. /etc/ssh/sshd_config exists - one simple file, can be customised at will; if maintainers come across a pressing need to change a default setting there, the rest of us will see that when we next update and either accept or refuse the change as required. Those maintaining large fleets of systems surely have systems to automatically maintain config files in a more sophisticated way? Possibly just me being stupid, it doesn't really matter at this point.

Anyway, I appreciate the work you and the other Gentoo devs do, I certainly don't intend to waste anyone's time with something as trivial (in the overall scheme of life) as this - I just strongly dislike it and what I believe to be the trend it represents in the wider ecosystem. My personal feeling, I'm fine with other people having theirs!
sam_ (Developer; joined 14 Aug 2020; posts: 1678)
Posted: Mon Jun 05, 2023 11:49 am

AJM wrote:
I didn't claim, or intend to claim, that you'd made this change for the large consumer of Gentoo (pity these types of users are so quiet about it though) - I just genuinely still don't understand how it benefits anyone other than them. /etc/ssh/sshd_config exists - one simple file, can be customised at will; if maintainers come across a pressing need to change a default setting there, the rest of us will see that when we next update and either accept or refuse the change as required. Those maintaining large fleets of systems surely have systems to automatically maintain config files in a more sophisticated way? Possibly just me being stupid, it doesn't really matter at this point.

Anyway, I appreciate the work you and the other Gentoo devs do, I certainly don't intend to waste anyone's time with something as trivial (in the overall scheme of life) as this - I just strongly dislike it and what I believe to be the trend it represents in the wider ecosystem. My personal feeling, I'm fine with other people having theirs!


No worries, I understand - thanks for explaining. Sometimes we get people making nonsense conspiratorial claims and it gets a bit tiring.

The whole motivation for this was really: github RSA key incident -> want to deploy a revocation for users -> realise the ebuild is super fragile for deploying Gentoo defaults, relying on seds (this can often mean that unintended changes can happen without developers realising on new version bumps) -> have an idea for making it look a fair bit cleaner from our end.

I think I should've made it clearer in the news item how to opt out of this via INSTALL_MASK, but I think there's still scope for me to do that on the wiki page or similar.
mv (Watchman; joined 20 Apr 2005; posts: 6747)
Posted: Mon Jun 05, 2023 7:12 pm

AJM wrote:
mv wrote:
Just to not let the wrong impression stand that many users dislike the change: I find the change great!


It's not a "wrong impression" that many users dislike the change, it's fact.

Life experience shows that very likely it is a wrong impression, since users happy with a decision in the vast majority of cases do not post.
Your claim "it's fact" is simply outrageous, because you cannot know. The only fact we can be sure about is about the opinion of a few posters.

Fortunately, the change can actually make both sides happy: One side can keep a single config file if they want (with a one-line config change in INSTALL_MASK) and will have to continue doing the work of manual merging at every update as it was before. The other side can profit from less work and all the other advantages I mentioned. Without the change only one side would be happy.

Another advantage from which both sides and the gentoo developers profit is that the installed config files are less likely to suffer from mistakes in the sed-hackery sam_ mentioned. Actually, gentoo as a whole profits from this, because having fewer such hacks is always good.
dmpogo (Advocate; joined 02 Sep 2004; posts: 3267; location: Canada)
Posted: Tue Jun 06, 2023 1:03 pm

mv wrote:
AJM wrote:
mv wrote:
Just to not let the wrong impression stand that many users dislike the change: I find the change great!


It's not a "wrong impression" that many users dislike the change, it's fact.

Life experience shows that very likely it is a wrong impression, since users happy with a decision in the vast majority of cases do not post.
Your claim "it's fact" is simply outrageous, because you cannot know. The only fact we can be sure about is about the opinion of a few posters.

Fortunately, the change can actually make both sides happy: One side can keep a single config file if they want (with a one-line config change in INSTALL_MASK) and will have to continue doing the work of manual merging at every update as it was before. The other side can profit from less work and all the other advantages I mentioned. Without the change only one side would be happy.

Another advantage from which both sides and the gentoo developers profit is that the installed config files are less likely to suffer from mistakes in the sed-hackery sam_ mentioned. Actually, gentoo as a whole profits from this, because having fewer such hacks is always good.


I suspect the majority simply does not care, rather than being 'happy'. Yes, the phrase 'I am happy with' nowadays often means 'I don't care, do what you want'.
Also, the "make all sides happy" idea cannot be pushed too far. In the end, a distribution is a particular way of doing things; it needs to project a specific discipline to still be a coherent thing. For instance, the simplest way to edit what is in the world is to go and edit /var/lib/portage/world by hand. But this is not the Gentoo way; Gentoo suggests using emerge tools to do it. Or permissions - we could be adding system groups/users the old Unix way by hand; Gentoo suggests using specific ebuilds for that.
figueroa (Advocate; joined 14 Aug 2005; posts: 2964; location: Edge of marsh USA)
Posted: Tue Jun 06, 2023 8:25 pm

dmpogo wrote:
... Or permissions - we could be adding system groups/users the old Unix way by hand, Gentoo suggests using specific ebuilds for that.

There is a specific Gentoo ebuild for this?
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
pjp (Administrator; joined 16 Apr 2002; posts: 20067)
Posted: Tue Jun 06, 2023 8:30 pm

Not one. Almost 1k.

$ find acct-* -type f -name "*.ebuild" |wc -l
904
_________________
Quis separabit? Quo animo?
figueroa (Advocate; joined 14 Aug 2005; posts: 2964; location: Edge of marsh USA)
Posted: Wed Jun 07, 2023 4:01 am

Thanks. I have 77 of those as *.conf files in /usr/lib/sysusers.d since October 2020, but I don't know how they work or how it was done before. I don't believe there was a news item about the innovation. I noted that for some new programs users and/or groups were created. It works and I did not explore further.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
dmpogo (Advocate; joined 02 Sep 2004; posts: 3267; location: Canada)
Posted: Wed Jun 07, 2023 4:53 am

figueroa wrote:
Thanks. I have 77 of those as *.conf files in /usr/lib/sysusers.d since October 2020, but I don't know how they work or how it was done before. I don't believe there was a news item about the innovation. I noted that for some new programs users and/or groups were created. It works and I did not explore further.


Oh my, I did not even know about that directory. I hope one is not expected to drop custom-made configurations there? (I think I am joking here)
mv (Watchman; joined 20 Apr 2005; posts: 6747)
Posted: Wed Jun 07, 2023 5:17 am

dmpogo wrote:
figueroa wrote:
Thanks. I have 77 of those as *.conf files in /usr/lib/sysusers.d since October 2020, but I don't know how they work or how it was done before. I don't believe there was a news item about the innovation. I noted that for some new programs users and/or groups were created. It works and I did not explore further.


Oh my, I did not even know about that directory. I hope one is not expected to drop custom-made configurations there? (I think I am joking here)

Unfortunately, I am afraid that it is much worse than that: If you modify your /etc/{passwd,group,shadow,gshadow} directly or indirectly, you are probably obliged to modify these files analogously, or you can otherwise expect trouble after the next emerges. This is a completely unnecessary duplication of information which should have only one source of truth. Instead of aiming for a good solution for a rare problem, gentoo has chosen here the probably worst possible solution. Even using a suid wrapper, if absolutely nothing else helps, would have been better than that.
pjp (Administrator; joined 16 Apr 2002; posts: 20067)
Posted: Wed Jun 07, 2023 4:38 pm

figueroa wrote:
Thanks. I have 77 of those as *.conf files in /usr/lib/sysusers.d since October 2020, but I don't know how they work or how it was done before. I don't believe there was a news item about the innovation. I noted that for some new programs users and/or groups were created. It works and I did not explore further.
Superficially at least, it looks pretty simple. The ebuilds contain information about each user/group (uid/gid, shell, etc.). If Portage is the hammer, the ebuild solution is at least a functioning nail. Personally, I don't think it is a good solution to a "problem" that exists across all Unix-like systems. A generic solution would have been nice.


mv wrote:
Unfortunately, I am afraid that it is much worse than that: If you modify your /etc/{passwd,group,shadow,gshadow} directly or indirectly you are probably obliged to modify these files analogously or can otherwise expect troubles after the next emerges. This is a completely unnecessary duplication of an information which should have only one source-of-truth. Instead of aiming for a good solution for a rare problem, gentoo has chosen here the probably worst possible solution. Even using a suid-wrapper if absolutely nothing helps would have been better than that.
Oh my. I hadn't noticed those files. *sigh*
_________________
Quis separabit? Quo animo?
Page 2 of 3