Examine individual changes
From Gentoo Wiki
This page allows you to examine the variables generated by the Abuse Filter for an individual change, and test it against filters.
Variables generated for this change
| Variable | Value |
|---|---|
Edit count of the user (user_editcount) | 1927 |
Name of the user account (user_name) | 'Needle' |
Age of the user account (user_age) | 384708765 |
Page ID (page_id) | 736 |
Page namespace (page_namespace) | 2 |
Page title (without namespace) (page_title) | 'Needle' |
Full page title (page_prefixedtitle) | 'User:Needle' |
Action (action) | 'edit' |
Edit summary/reason (summary) | 'add list' |
Old content model (old_content_model) | 'wikitext' |
New content model (new_content_model) | 'wikitext' |
Old page wikitext, before the edit (old_wikitext) | '{{lowercase title}}
{{InfoBox stack
|{{InfoBox user
| irc = needle
| github = needless
}}
|{{InfoBox user since|2006|header=true}}
|{{InfoBox user de}}
|{{InfoBox user pl}}
|{{InfoBox user en-3}}
|{{InfoBox user ru}}
}}
needle uses '''gentoo linux''' for ''working'' and does <code>IP</code> for living. Since years.
Building and breaking IP networks using the most flexible, most configurable and the most ''stable'' tool available out there: '''gentoo linux'''.
My main area of interest is:
* networking
* IP networks
* IP network related software
* IP routing
And all kinds of ''cross'' - '''$vendor'''/'''$platform'''/'''$implementation'''/'''$protocol''' related issues.
Yes, [https://rfc.fyi I read RFC's]. Operating IP networks, troubleshooting IP related or protocol related issues, in different networking environements, using different implementations, needs one ''common'' basis - That is what '''RFC's''' are good for.
You will spot all kind issues among the ''above'' mentioned '''$variables''', you really would not belive it is real. Specifically, RFC's that are:
# Partially implemented
# Wrong implemented
# Not implemented at all
# Implemented, but in that '''one specific implementation detail''' it differs from the RFC, root of $EVENT_CASCADE
In the worst imabinable network or protocol troubleshooting situation, do not trust that all involved parties:
* '''$vendor'''
* '''$hardware-platform'''
* '''$operating-system'''
* '''$software'''
comply to listed RFC's own websites. Read it, look it up, troubleshoot or debug this '''$issue''' using the listed RFC.
Most sighted '''$issues''' are really just stupid bugs, or the ''typo in the code'' manner.
If they are professionals, and on a rare ocassion you might get feedback like this:
'''$feature''' on '''$implementation''' was not planned at THIS '''$scale''', you hit specific '''$edge''' case. You are the first to notice this, thanks for reporting. It is already fixed in the latest code. We will get back to you, for testing.
I am lurking in the [irc://irc.libera.chat/gentoo #gentoo] Gentoo Linux Support and the [irc://irc.libera.chat/gentoo-wiki #gentoo-wiki] Gentoo Wiki channels on the [https://libera.chat/ Libera.Chat] IRC network.
* [[Gentoo_for_Network_Admins]]
== OATH Toolkit - PAM authentication error==
'''Error:'''
{{Warning|If the system files involved in authentication are '''corrupt''', this might generate following PAM authentication syslog error:
* <code>error: PAM: User not known to the underlying authentication module for znurt from 192.0.2.10</code>}}
Authentication issue related to corrupt files on the test system:
* {{Path|/etc/shadow}}
* {{Path|/etc/passwd}}
'''Fix:'''
Sanitize using the tool {{C|pwck}}:
{{RootInvocation|pwck|output=<pre>
user 'adm': directory '/var/adm' does not exist
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/usr/lib/news' does not exist
user 'games': directory '/usr/games' does not exist
user 'polkituser': no group 1011
pwck: no change</pre>}}
== ''less is more'' ==
USE flag ebuild suggestions for ''more'' out of the box gentoo 'fun' by simply ''using'' 'less' of all that USE flags where not necessarily needed.
Resulting in:
* less maintanance
* less corner cases
* less snakeflow configurations
* less annoying preset default behaviours
* less pulled package dependencies
* less code
* less bugs
* less attack vector
* less ressources usage CPU/RAM
* less CPU cycles wasted on unused code
* less complexity
* less time spent on troubleshooting complex systems
* less build packages
* less electrical energy used
That is resulting in:
* more easy configuration
* more easy setup
* more unification
* more chance for automating stuff
* more automation
* more time for important stuff
=== MPD minimal USE flag combo ===
only 6 USE flags is good enough for the gentoo system to be playing most audio files. Shown used libraries, could be swapped out as drop-in replacement, if minimal configuration should be kept. No extencive libraries testing done here, more pragmatical approach. work for me(tm). If something is missing just add this on top of that USE flag combo, recompile, and you are done. A good starting point for minimal configuration of for troubleshooting, sorting out libraries etc.
{{Invocation|equery uses mpd {{!}} grep +|output=<pre>
+alsa
+curl
+flac
+mad
+vorbis
+wavpack
</pre>}}
== SMW ==
This wiki has SMW support, create easy examples for demonstration using: [[Special:Version#mw-version-ext]]
Perfect example collections for SMW:
* [[Logging]]
* [[Network_Time_Protocol]]
Here are few [https://www.semantic-mediawiki.org/wiki/Help:Getting_started simple SMW examples] for the beginning.
== SHA-512 to Blowfish migration testing==
=== (glibc)bcrypt implementation status ===
List of events why '''bcrypt''' still not is availble in the mainstream linux distribution sector: https://access.redhat.com/articles/1519843.
* [https://sourceware.org/bugzilla/show_bug.cgi?id=2100 TL;DR version - (glibc)bcrypt #2100 official implementation tracking bug.]
A bug reported, in the year 2006. Now nearly 2 decades ago.
----
{{Important|Before reading furhter. Read about bcrypt <code>rounds</code> or <code>cost</code>, take a close look at the generated <code>salt</code>. Use a '''professional''' password when using bcrypt.}}
This is a test, done before migration. If the test succeeds, the target system is considered safe for migration. The steps described here, should work for every other user that is to be migrated. This short description is meant for nodes only with few users.
Take sure your target system supports Blowfish, apparently it is not available everywhere on every linux:
{{Cmd|man 3 crypt}}
Over here it looks like in depicted table, this man 3 crypto
ID Method
────────────────────────────────────────────────────────────────────────────
1 MD5
2a Blowfish (not in mainline glibc; added in some Linux distributions)
5 SHA-256 (since glibc 2.7)
6 SHA-512 (since glibc 2.7)
Create a test user here larry the target system:
{{RootCmd|useradd -m -G users,wheel,audio -s /bin/bash larry}}
=== Emerge ===
Review and set USE flags before emerging the package, enable the <var>bcrypt</var> USE flag
{{Emerge|sys-apps/shadow}}
{{Note|Verify the package {{Package|sys-apps/shadow}} has the <code>bcrypt</code> USE flag enabled. And the package has been rebuild using that flag.}}
=== Generate ===
Now, configure bcrypt to create really safe password hashes. If you are an expert in fastfood security done is 5 seconds, here a quick cli to generate a hash:
{{Cmd|<nowiki>htpasswd -bnBC 15 "" G3n70o_L1nuX-r0ck5?! | tr -d ':\n'</nowiki>|output=<pre>
$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK%
</pre>}}
Generated prefix, here {{c|$2y$}} is NOT interesting. There is NO difference between {{c|$2a$}} or {{c|$2y$}} in any sense. If implemented correctly, all created hashes are working the same. No matter which prefix, is generated using Blowfish.
Generated crypto prefix, is only important in the context of the specific application, operating system, and used libraries to distinguish kaputt crypto {{c|$2a$}} from fixed crypto {{c|$2y$}}.
=== Replace ===
Now using a text editor edit the {{Path|/etc/shadow}} file
{{RootCmd|vim /etc/shadow}}
And replace following test user created SHA-512 hash
...
larry:'''$6$W2LZ5IsI$KVrGRLf7YbTPKA.t/4gvwOr4wtHBdvF6DYpSV93ZvkdkNy0qZFu0VMt7Igy7EzW8GIEED8tVdD5vq2/HpMn7b0''':16134:0:99999:7:::
...
With this generated bcrypt hash, notice the cost of bcrypt, it is not the real time of rounds depicted below, it is fake here for the example:
...
larry:'''$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK''':16134:0:99999:7:::
...
=== Sanitize ===
Run {{C|pwck}} to assure file consistency and to sanitize system files involved.
{{RootCmd|pwck}}
{{Tip|'''Best practice''': Always sanitize files if there is a {{C|$tool}} for it. This ''saves'' a lot of '''time''' spent on needless troubleshooting.}}
=== Verify ===
Open a SSH connection to localhost, using that changed test username, here larry:
{{Cmd|ssh larry@localhost}}
If authentication succeeds, then you are ready to plan the migration, on working users.
=== Clean up ===
After the testing is finished, remove larry from the system
{{RootCmd|userdel larry}}
== etckeeper whitelist configuration ==
{{Note|Create a {{Path|.gitignore}} file '''before''' running the etckeeper initialization.}}
This example below shows how to save ''explicit'' files to the [[etckeeper]] repository. This is the '''reverse''' approach, compared to the default etckeeper configuration, which
The first entry <code>*</code> ignores ALL files in the /etc directory, following <code>!</code> negated entries mark the ''interesting'' files that will be saved to the repository.
Configuration example for saving these 3 files:
* {{Path|/etc/crontab}}
* {{Path|/etc/inittab}}
* {{Path|/etc/resolv.conf}}
{{FileBox|filename=/etc/.gitignore|lang=ini|1=
# ignore everything
*
# now add interesting files
!crontab
!inittab
!resolv.conf}}
Configuration example for {{Path|/etc/apache2/}} directory:
{{FileBox|filename=/etc/.gitignore|lang=ini|1=
# ignore everything
*
# now add interesting files and dirs
!apache2/
!apache2/*}}
Configuration example for directories containing subdirectcories with interesting files:
* {{Path|/etc/apache2/httpd.conf}}
* {{Path|/etc/apache2/vhosts.d/}}
* {{Path|/etc/apache2/modules.d/}}
{{FileBox|filename=/etc/.gitignore|lang=ini|1=
# ignore everything
*
# now add interesting files and dirs
!apache2/
!apache2/httpd.conf
!apache2/modules.d/
!apache2/modules.d/*
!apache2/vhosts.d/
!apache2/vhosts.d/*}}
== Automated rebuild of portage packages ==
This solution relies on the {{Package|sys-process/cronie}} and the usage of anacron USE flag.
What does that anacron USE flag do, verify using the euse tool:
{{Cmd|euse -i anacron|output=<pre>
[- ] anacron (sys-process/cronie):
Install the periodic anacron command scheduler.
</pre>}}
it is a added feature or function to cronie. The anacron USE flag re-schedules missed cron jobs for machines that are not 24/7 online, like f.e. laptops, workstations. Apart from that it is working like an usual cron scheduler. This feature does not rely on the separate anacron package.
Install cronie:
{{Emerge|sys-process/cronie}}
Schedule daily rebuild by adding following file in the {{Path|/etc/cron.daily/}} directory:
{{Note|[[user:Sam]] suggested sanity checks are missing the ''pre-upgrade'' and ''post-emerge'' routines are not handled by this script. Read [[Portage_log]] and [[elogv]] for final solution.}}
{{FileBox|filename=/etc/cron.daily/portage|lang=bash|1=
#!/bin/sh
#
# Sync portage using eix-sync
# -U Do not touch the database, do not show differences
# -T Do not measure time
/usr/bin/eix-sync -U -T
if [ $? -eq 0 ]; then
logger "eix-sync has finished."
else
logger "eix-sync has exited with error code: $?"
fi
# Now update the database
/usr/bin/eix-update
if [ $? -eq 0 ]; then
logger "eix-update has finished."
else
logger "eix-update has exited with error code: $?"
fi
# Emerge world packages. For skipping bugged ebuild,
# add "EMERGE_DEFAULT_OPTS= --keep-going"* to make.conf file
emerge -uDN @world
if [ $? -eq 0 ]; then
logger "emerge --world has finished."
else
logger "emerge --world has exited with error code: $?"
fi
# And keep everything working
emerge @preserved-rebuild
if [ $? -eq 0 ]; then
logger "emerge @preserved-rebuild has finished."
else
logger "emerge @preserved-rebuild has exited with error code: $?"
fi
# Write a message to syslog portage rebuild has finished now.
logger "daily cron portage update has finished with exit status: $?"
}}
Make the {{Path|/etc/cron.daily/portage}} file executable by adding the +x flag:
{{RootCmd|chmod +x /etc/cron.daily/portage}}
This will schedule run the eix-sync and ebuild jobs, at ~03:00 AM. And if the job has been missed because host was turned off, the job gets scheduled after a the host has been turned on again.
Now it would be nice to see, what has been rebuild and how it worked out without using any complex commands. Add a bash script to the ~/bin directory of the root user. The script runs 2 qlop commands showing the results from beginning of the day. qlop is part of {{Package|app-portage/portage-utils}} ebuild.
{{FileBox|filename=/root/bin/emergelog.sh|lang=bash|1=
#!/bin/sh
qlop -H -s -d today
qlop -H -m -u -d today
}}
Make the {{Path|/root/bin/emergelog.sh}} file executable by adding the +x flag:
{{RootCmd|chmod +x ~/bin/emergelog.sh}}
Because I am even to tazy to run that command manually, I add following lines to the {{Path|/root/.profile}} file, this calls the upper {{Path|/root/bin/emergelog.sh}}, each time the root user authenticates to this host. Additionally this lists the last 8 lines of the {{Path|/var/log/emerge.log}} file:
{{FileBox|filename=/root/.profile|lang=bash|1=
echo "Last emerged packages:"
sh ~/bin/emergelog.sh
echo ""
echo "Last emerge.log entries:"
tail -n 8 /var/log/emerge.log
echo ""
}}
And this is the prompt how it looks like after successful authentication:
{{RootCmd|<pre>
Last emerged packages:
2020-04-21T02:30:13 *** gentoo
2020-04-21T03:22:44 >>> dev-util/re2c
2020-04-21T03:32:45 >>> net-misc/whois
2020-04-21T08:20:39 >>> dev-libs/libpcre2
Last emerge.log entries:
1587455666: *** Finished. Cleaning up...
1587455669: *** exiting successfully.
1587455669: *** terminating.
1587455675: Started emerge on: Apr 21, 2020 09:54:34
1587455675: *** emerge --keep-going @preserved-rebuild
1587455687: *** Finished. Cleaning up...
1587455690: *** exiting successfully.
1587455691: *** terminating.
</pre>}}
This is a optional step and could be useful on always on systems, for the update routine to be sane. If the update routine has changed the daemons libriaries, that particular service would need a unattended restart. To accomplish ths use following tool:
{{Emerge|app-admin/needrestart}}
Default configuration needs to be adjusted to the own system. Do not rely on defaults. {{Package|app-admin/needstart}} needs further configuration. The list of all configuration files:
{{Cmd|tree /etc/needrestart}}
This solution works 99% of the time. If packages fail to build, this needs to be resolved manually by doing a world rebuild, and inspecting what has gone wrong.
== laptop_mode laptop roaming howto==
=== Additional software ===
These packages are all needed to get it to run:
* {{See also|openrc}} - with enabled '''USE''' flag ''netifrc''
* {{See also|wpa_supplicant}}
* {{Package|sys-apps/ifplugd}} - Brings up/down ethernet ports automatically with cable detection
* {{See also|dhcpcd}}
* {{Package|app-laptop/laptop-mode-tools}} - Linux kernel laptop_mode user-space utilities
=== Configuration ===
==== OpenRC ====
Managing daemon status and interfaces reflecting the current powerlevel AC or running on battery. This can be accomplished by using {{Package|sys-apps/openrc}}. OpenRC configuration and management is more complex compared to the {{package|app-laptop/laptop-mode-tools}} configuration approach, but also much more flexible.
A simplified openrc configuration is needed. Dynamic services are handled by laptop-mode-tools. Overview of running daemons handled by openrc runlevel default, note laptop_mode daemon is started here:
{{Cmd|rc-status default|output=<pre>
Runlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
acpid [ started ]
cupsd [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
sshd [ started ]
</pre>}}
Following daemons need to be managed by laptop-tools:
{{Cmd|rc-status default|output=<pre>
net.eth0 [ started ]
net.wlan0 [ started ]
sshd [ started ]
cupsd [ started ]
</pre>}}
Remove the daemons from the openrc default startup level
{{RootCmd|rc-update del net.eth0 default}}
{{RootCmd|rc-update del net.wlan0 default}}
{{RootCmd|rc-update del net.sshd default}}
{{RootCmd|rc-update del net.cupsd default}}
Verify the default startup of openrc:
{{Cmd|rc-status default|output=<pre>
Runlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
acpid [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
</pre>}}
=== Laptop-mode-tools ===
The laptop_mode tools dynamic configuration relies on default 2 ACPI levels:
* laptop is running on AC power
* laptop is running on battery
laptop-mode tools has 2 according ACPI states named '''batt''' and '''lm-ac''':
* batt
* lm-ac
* nolm-ac
The 3-rd state '''nolm-ac''' (laptop-mode tools daemon NOT running) is not used.
Get an overview of the laptop-mode directory:
{{Cmd|tree -L 1 /etc/laptop-mode|output=<pre>
/etc/laptop-mode
├── batt-start
├── batt-stop
├── conf.d
├── laptop-mode.conf
├── lm-ac-start
├── lm-ac-stop
├── lm-profiler.conf
├── modules
├── nolm-ac-start
└── nolm-ac-stop
</pre>}}
Each of the 3 predefined states '''batt''' '''lm-ac''' and '''nolm-ac''' have a ''-start'' and ''-stop'' suffix in the directory structure. There is also a conf.d directory for services configuration that would be handled by laptop-mode and a modules directory for modules to be used explicitelly.
The goal is reached when the laptop automatically determines which daemons need to be started and which need to be stopped depending on the ACPI battery level.
There are 2 states in which the laptop is working:
* laptop is docked, ac connected, wired access, printing available, ssh daemon running
* laptop is not docked, battery, wireless access, no priting available, no ssh daemon runni
Adjust the previosly removed daemons to laptop-mode. Change to the battery level. wlan is the only one service needed while running on battery.
Change to the directory:
{{RootCmd|cd /etc/laptop-mode/batt-start/}}
Create a symlink to daemons to be run while on battery:
{{RootCmd|ln -s /etc/init.d/net.wlan0 . }}
Change to the directory /etc/laptop-mode/batt-stop/:
{{RootCmd|cd /etc/laptop-mode/batt-stop/}}
Create a symlink to deamons to be stopped while on battery:
{{RootCmd|ln -s /etc/init.d/cupsd . }}
{{RootCmd|ln -s /etc/init.d/net.eth0 . }}
{{RootCmd|ln -s /etc/init.d/sshd . }}
Start and Stop daemons handled by the battery status after configuration:
{{Cmd|tree -L 1 /etc/laptop-mode/batt-st*|output=<pre>
tree -L 1 /etc/laptop-mode/batt-st*
/etc/laptop-mode/batt-start
└── net.wlan0 -> /etc/init.d/net.wlan0
/etc/laptop-mode/batt-stop
├── cupsd -> /etc/init.d/cupsd
├── net.eth0 -> /etc/init.d/net.eth0
└── sshd -> /etc/init.d/sshd
</pre>}}
Start and Stop daemons handled by the battery status:
{{Cmd|tree -L 1 /etc/laptop-mode/lm-ac-st*|output=<pre>
/etc/laptop-mode/lm-ac-start
├── cupsd -> /etc/init.d/cupsd
├── net.eth0 -> /etc/init.d/net.eth0
└── sshd -> /etc/init.d/sshd
/etc/laptop-mode/lm-ac-stop
└── net.wlan0 -> /etc/init.d/net.wlan0
</pre>}}
=== Verification ===
Docked laptop and service status:
{{Cmd|rc-status default|output=<pre>
Runlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
mpd [ started ]
acpid [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
net.eth0 [ started ]
cupsd [ started ]
Dynamic Runlevel: manual
sshd [ started ]
</pre>}}
Undocked status:
{{Cmd|rc-status default|output=<pre>
Runlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
mpd [ started ]
acpid [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
net.wlan0 [ started ]
</pre>}}
This is a ready, easy to use, running configuration.
== Enable IPv6 privacy extensions (RFC4941) ==
IPv6 privacy extensions are disabled by default on GNU/linux, they lead to problems if users are not aware of this.
To enable privacy extensions on gentoo permanently add following lines and reboot the system:
{{FileBox|filename=/etc/sysctl.conf|lang=ini|title=Enabling IPv6 privacy extensions|1=
...
# Enabling IPv6 privacy extensions for specified interfaces.
# here eth0 and wlan0
# net.ipv6.conf.eth0.use_tempaddr = 2
# net.ipv6.conf.wlan0.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
# Setting q shorter timeout for a temporary IPv6 prefix
# default setting is one day
net.ipv6.conf.eth0.temp_prefered_lft = 14400
net.ipv6.conf.wlan0.temp_prefered_lft = 14400
}}
The setting ''net.ipv6.conf.all.use_tempaddr'' is used to propagate its value to all interfaces currently attached to the system. This setting might not work reliably for all interfaces. At least not on my own tested gentoo installations up to kernel 4.14.
There are two old bugs in the Linux kernel bugtracker for this issue:
* https://bugzilla.kernel.org/show_bug.cgi?id=11655
* https://bugzilla.kernel.org/show_bug.cgi?id=9224
== Wiki templates for templates ==
* [[:Category:Templates_for_templates]]
== Command sequence for old gentoo boxes to update after a long time ==
This is a basic sequence of commands for updating older gentoo boxes.
Divide and conquer:
Update the toolchain first, then resolve the blocks manually afterwards.
Sync portage tree:
{{RootCmd|eix-sync}}
Update the portage application:
{{RootCmd|emerge --oneshot portage}}
Emerge latest linux kernel first:
{{RootCmd|emerge gentoo-sources}}
Show available kernel sources:
{{RootCmd|eselect kernel list}}
Set the latest linux kernel version:
{{RootCmd|eselect kernel set <input>}}
Emerge GCC first:
{{RootCmd|emerge --oneshot gcc}}
Show availabe GCC compilers:
{{RootCmd|eselect gcc list}}
Set the latest available GCC compiler in the list:
{{RootCmd|eselect gcc set <input>}}
Check if the desired GCC has been set, apply portage postinstall hint:
{{RootCmd|eselect gcc list}}
Emerge latest glibc
{{RootCmd|emerge --oneshot glibc}}
Check the latest gentoo related toolchain changes on the wiki, bugs, etc: [[Project:Toolchain]]
Emerge latest binutils:
{{RootCmd|emerge binutils}}
Show current available binutils:
{{RootCmd|eselect binutils list}}
Set the latest binutils version:
{{RootCmd|eselect binutils set <input>}}
Verify binutils setting:
{{RootCmd|eselect binutils list}}
Emerge latest python
{{RootCmd|emerge --oneshot python}}
Emerge latest perl:
{{RootCmd|emerge --oneshot perl}}
Emerge latest iproute2
{{RootCmd|emerge --oneshot iproute2}}
Update the system with following command, resolve dependency errors:
{{RootCmd|emerge -vauDN system}}
Update the system with following command, resolve dependency errors:
{{RootCmd|emerge -vauDN world}}
Now it is done.' |
New page wikitext, after the edit (new_wikitext) | '{{lowercase title}}
{{InfoBox stack
|{{InfoBox user
| irc = needle
| github = needless
}}
|{{InfoBox user since|2006|header=true}}
|{{InfoBox user de}}
|{{InfoBox user pl}}
|{{InfoBox user en-3}}
|{{InfoBox user ru}}
}}
needle uses '''gentoo linux''' for ''working'' and does <code>IP</code> for living. Since years.
Building and breaking IP networks using the most flexible, most configurable and the most ''stable'' tool available out there: '''gentoo linux'''.
My main area of interest is:
* networking
* IP networks
* IP network related software
* IP routing
And all kinds of ''cross'' - '''$vendor'''/'''$platform'''/'''$implementation'''/'''$protocol''' related issues.
Yes, [https://rfc.fyi I read RFC's]. Operating IP networks, troubleshooting IP related or protocol related issues, in different networking environements, using different implementations, needs one ''common'' basis - That is what '''RFC's''' are good for.
You will spot all kind issues among the ''above'' mentioned '''$variables''', you really would not belive it is real. Specifically, RFC's that are:
# Partially implemented
# Wrong implemented
# Not implemented at all
# Implemented, but in that '''one specific implementation detail''' it differs from the RFC, root of $EVENT_CASCADE
In the worst imabinable network or protocol troubleshooting situation, do not trust that all involved parties:
* '''$vendor'''
* '''$hardware-platform'''
* '''$operating-system'''
* '''$software'''
comply to listed RFC's own websites. Read it, look it up, troubleshoot or debug this '''$issue''' using the listed RFC.
Most sighted '''$issues''' are really just stupid bugs, or the ''typo in the code'' manner.
If they are professionals, and on a rare ocassion you might get feedback like this:
'''$feature''' on '''$implementation''' was not planned at THIS '''$scale''', you hit specific '''$edge''' case. You are the first to notice this, thanks for reporting. It is already fixed in the latest code. We will get back to you, for testing.
I am lurking in the [irc://irc.libera.chat/gentoo #gentoo] Gentoo Linux Support and the [irc://irc.libera.chat/gentoo-wiki #gentoo-wiki] Gentoo Wiki channels on the [https://libera.chat/ Libera.Chat] IRC network.
* [[Gentoo_for_Network_Admins]]
= iproute2 =
serious ''net-tools'' 2 ''iproute'' syntax converstion wiki entries:
* https://wiki.gentoo.org/wiki/Vpnc
* https://wiki.gentoo.org/wiki/Handbook:Parts/Networking/Modular
== OATH Toolkit - PAM authentication error==
'''Error:'''
{{Warning|If the system files involved in authentication are '''corrupt''', this might generate following PAM authentication syslog error:
* <code>error: PAM: User not known to the underlying authentication module for znurt from 192.0.2.10</code>}}
Authentication issue related to corrupt files on the test system:
* {{Path|/etc/shadow}}
* {{Path|/etc/passwd}}
'''Fix:'''
Sanitize using the tool {{C|pwck}}:
{{RootInvocation|pwck|output=<pre>
user 'adm': directory '/var/adm' does not exist
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/usr/lib/news' does not exist
user 'games': directory '/usr/games' does not exist
user 'polkituser': no group 1011
pwck: no change</pre>}}
== ''less is more'' ==
USE flag ebuild suggestions for ''more'' out of the box gentoo 'fun' by simply ''using'' 'less' of all that USE flags where not necessarily needed.
Resulting in:
* less maintanance
* less corner cases
* less snakeflow configurations
* less annoying preset default behaviours
* less pulled package dependencies
* less code
* less bugs
* less attack vector
* less ressources usage CPU/RAM
* less CPU cycles wasted on unused code
* less complexity
* less time spent on troubleshooting complex systems
* less build packages
* less electrical energy used
That is resulting in:
* more easy configuration
* more easy setup
* more unification
* more chance for automating stuff
* more automation
* more time for important stuff
=== MPD minimal USE flag combo ===
only 6 USE flags is good enough for the gentoo system to be playing most audio files. Shown used libraries, could be swapped out as drop-in replacement, if minimal configuration should be kept. No extencive libraries testing done here, more pragmatical approach. work for me(tm). If something is missing just add this on top of that USE flag combo, recompile, and you are done. A good starting point for minimal configuration of for troubleshooting, sorting out libraries etc.
{{Invocation|equery uses mpd {{!}} grep +|output=<pre>
+alsa
+curl
+flac
+mad
+vorbis
+wavpack
</pre>}}
== SMW ==
This wiki has SMW support, create easy examples for demonstration using: [[Special:Version#mw-version-ext]]
Perfect example collections for SMW:
* [[Logging]]
* [[Network_Time_Protocol]]
Here are few [https://www.semantic-mediawiki.org/wiki/Help:Getting_started simple SMW examples] for the beginning.
== SHA-512 to Blowfish migration testing==
=== (glibc)bcrypt implementation status ===
List of events why '''bcrypt''' still not is availble in the mainstream linux distribution sector: https://access.redhat.com/articles/1519843.
* [https://sourceware.org/bugzilla/show_bug.cgi?id=2100 TL;DR version - (glibc)bcrypt #2100 official implementation tracking bug.]
A bug reported, in the year 2006. Now nearly 2 decades ago.
----
{{Important|Before reading furhter. Read about bcrypt <code>rounds</code> or <code>cost</code>, take a close look at the generated <code>salt</code>. Use a '''professional''' password when using bcrypt.}}
This is a test, done before migration. If the test succeeds, the target system is considered safe for migration. The steps described here, should work for every other user that is to be migrated. This short description is meant for nodes only with few users.
Take sure your target system supports Blowfish, apparently it is not available everywhere on every linux:
{{Cmd|man 3 crypt}}
Over here it looks like in depicted table, this man 3 crypto
ID Method
────────────────────────────────────────────────────────────────────────────
1 MD5
2a Blowfish (not in mainline glibc; added in some Linux distributions)
5 SHA-256 (since glibc 2.7)
6 SHA-512 (since glibc 2.7)
Create a test user here larry the target system:
{{RootCmd|useradd -m -G users,wheel,audio -s /bin/bash larry}}
=== Emerge ===
Review and set USE flags before emerging the package, enable the <var>bcrypt</var> USE flag
{{Emerge|sys-apps/shadow}}
{{Note|Verify the package {{Package|sys-apps/shadow}} has the <code>bcrypt</code> USE flag enabled. And the package has been rebuild using that flag.}}
=== Generate ===
Now, configure bcrypt to create really safe password hashes. If you are an expert in fastfood security done is 5 seconds, here a quick cli to generate a hash:
{{Cmd|<nowiki>htpasswd -bnBC 15 "" G3n70o_L1nuX-r0ck5?! | tr -d ':\n'</nowiki>|output=<pre>
$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK%
</pre>}}
Generated prefix, here {{c|$2y$}} is NOT interesting. There is NO difference between {{c|$2a$}} or {{c|$2y$}} in any sense. If implemented correctly, all created hashes are working the same. No matter which prefix, is generated using Blowfish.
Generated crypto prefix, is only important in the context of the specific application, operating system, and used libraries to distinguish kaputt crypto {{c|$2a$}} from fixed crypto {{c|$2y$}}.
=== Replace ===
Now using a text editor edit the {{Path|/etc/shadow}} file
{{RootCmd|vim /etc/shadow}}
And replace following test user created SHA-512 hash
...
larry:'''$6$W2LZ5IsI$KVrGRLf7YbTPKA.t/4gvwOr4wtHBdvF6DYpSV93ZvkdkNy0qZFu0VMt7Igy7EzW8GIEED8tVdD5vq2/HpMn7b0''':16134:0:99999:7:::
...
With this generated bcrypt hash, notice the cost of bcrypt, it is not the real time of rounds depicted below, it is fake here for the example:
...
larry:'''$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK''':16134:0:99999:7:::
...
=== Sanitize ===
Run {{C|pwck}} to assure file consistency and to sanitize system files involved.
{{RootCmd|pwck}}
{{Tip|'''Best practice''': Always sanitize files if there is a {{C|$tool}} for it. This ''saves'' a lot of '''time''' spent on needless troubleshooting.}}
=== Verify ===
Open a SSH connection to localhost, using that changed test username, here larry:
{{Cmd|ssh larry@localhost}}
If authentication succeeds, then you are ready to plan the migration, on working users.
=== Clean up ===
After the testing is finished, remove larry from the system
{{RootCmd|userdel larry}}
== etckeeper whitelist configuration ==
{{Note|Create a {{Path|.gitignore}} file '''before''' running the etckeeper initialization.}}
This example below shows how to save ''explicit'' files to the [[etckeeper]] repository. This is the '''reverse''' approach, compared to the default etckeeper configuration, which
The first entry <code>*</code> ignores ALL files in the /etc directory, following <code>!</code> negated entries mark the ''interesting'' files that will be saved to the repository.
Configuration example for saving these 3 files:
* {{Path|/etc/crontab}}
* {{Path|/etc/inittab}}
* {{Path|/etc/resolv.conf}}
{{FileBox|filename=/etc/.gitignore|lang=ini|1=
# ignore everything
*
# now add interesting files
!crontab
!inittab
!resolv.conf}}
Configuration example for {{Path|/etc/apache2/}} directory:
{{FileBox|filename=/etc/.gitignore|lang=ini|1=
# ignore everything
*
# now add interesting files and dirs
!apache2/
!apache2/*}}
Configuration example for directories containing subdirectcories with interesting files:
* {{Path|/etc/apache2/httpd.conf}}
* {{Path|/etc/apache2/vhosts.d/}}
* {{Path|/etc/apache2/modules.d/}}
{{FileBox|filename=/etc/.gitignore|lang=ini|1=
# ignore everything
*
# now add interesting files and dirs
!apache2/
!apache2/httpd.conf
!apache2/modules.d/
!apache2/modules.d/*
!apache2/vhosts.d/
!apache2/vhosts.d/*}}
== Automated rebuild of portage packages ==
This solution relies on the {{Package|sys-process/cronie}} and the usage of anacron USE flag.
What does that anacron USE flag do, verify using the euse tool:
{{Cmd|euse -i anacron|output=<pre>
[- ] anacron (sys-process/cronie):
Install the periodic anacron command scheduler.
</pre>}}
it is a added feature or function to cronie. The anacron USE flag re-schedules missed cron jobs for machines that are not 24/7 online, like f.e. laptops, workstations. Apart from that it is working like an usual cron scheduler. This feature does not rely on the separate anacron package.
Install cronie:
{{Emerge|sys-process/cronie}}
Schedule daily rebuild by adding following file in the {{Path|/etc/cron.daily/}} directory:
{{Note|[[user:Sam]] suggested sanity checks are missing the ''pre-upgrade'' and ''post-emerge'' routines are not handled by this script. Read [[Portage_log]] and [[elogv]] for final solution.}}
{{FileBox|filename=/etc/cron.daily/portage|lang=bash|1=
#!/bin/sh
#
# Sync portage using eix-sync
# -U Do not touch the database, do not show differences
# -T Do not measure time
/usr/bin/eix-sync -U -T
if [ $? -eq 0 ]; then
logger "eix-sync has finished."
else
logger "eix-sync has exited with error code: $?"
fi
# Now update the database
/usr/bin/eix-update
if [ $? -eq 0 ]; then
logger "eix-update has finished."
else
logger "eix-update has exited with error code: $?"
fi
# Emerge world packages. For skipping bugged ebuild,
# add "EMERGE_DEFAULT_OPTS= --keep-going"* to make.conf file
emerge -uDN @world
if [ $? -eq 0 ]; then
logger "emerge --world has finished."
else
logger "emerge --world has exited with error code: $?"
fi
# And keep everything working
emerge @preserved-rebuild
if [ $? -eq 0 ]; then
logger "emerge @preserved-rebuild has finished."
else
logger "emerge @preserved-rebuild has exited with error code: $?"
fi
# Write a message to syslog portage rebuild has finished now.
logger "daily cron portage update has finished with exit status: $?"
}}
Make the {{Path|/etc/cron.daily/portage}} file executable by adding the +x flag:
{{RootCmd|chmod +x /etc/cron.daily/portage}}
This will schedule run the eix-sync and ebuild jobs, at ~03:00 AM. And if the job has been missed because host was turned off, the job gets scheduled after a the host has been turned on again.
Now it would be nice to see, what has been rebuild and how it worked out without using any complex commands. Add a bash script to the ~/bin directory of the root user. The script runs 2 qlop commands showing the results from beginning of the day. qlop is part of {{Package|app-portage/portage-utils}} ebuild.
{{FileBox|filename=/root/bin/emergelog.sh|lang=bash|1=
#!/bin/sh
qlop -H -s -d today
qlop -H -m -u -d today
}}
Make the {{Path|/root/bin/emergelog.sh}} file executable by adding the +x flag:
{{RootCmd|chmod +x ~/bin/emergelog.sh}}
Because I am even to tazy to run that command manually, I add following lines to the {{Path|/root/.profile}} file, this calls the upper {{Path|/root/bin/emergelog.sh}}, each time the root user authenticates to this host. Additionally this lists the last 8 lines of the {{Path|/var/log/emerge.log}} file:
{{FileBox|filename=/root/.profile|lang=bash|1=
echo "Last emerged packages:"
sh ~/bin/emergelog.sh
echo ""
echo "Last emerge.log entries:"
tail -n 8 /var/log/emerge.log
echo ""
}}
And this is the prompt how it looks like after successful authentication:
{{RootCmd|<pre>
Last emerged packages:
2020-04-21T02:30:13 *** gentoo
2020-04-21T03:22:44 >>> dev-util/re2c
2020-04-21T03:32:45 >>> net-misc/whois
2020-04-21T08:20:39 >>> dev-libs/libpcre2
Last emerge.log entries:
1587455666: *** Finished. Cleaning up...
1587455669: *** exiting successfully.
1587455669: *** terminating.
1587455675: Started emerge on: Apr 21, 2020 09:54:34
1587455675: *** emerge --keep-going @preserved-rebuild
1587455687: *** Finished. Cleaning up...
1587455690: *** exiting successfully.
1587455691: *** terminating.
</pre>}}
This is a optional step and could be useful on always on systems, for the update routine to be sane. If the update routine has changed the daemons libriaries, that particular service would need a unattended restart. To accomplish ths use following tool:
{{Emerge|app-admin/needrestart}}
Default configuration needs to be adjusted to the own system. Do not rely on defaults. {{Package|app-admin/needstart}} needs further configuration. The list of all configuration files:
{{Cmd|tree /etc/needrestart}}
This solution works 99% of the time. If packages fail to build, this needs to be resolved manually by doing a world rebuild, and inspecting what has gone wrong.
== laptop_mode laptop roaming howto==
=== Additional software ===
These packages are all needed to get it to run:
* {{See also|openrc}} - with enabled '''USE''' flag ''netifrc''
* {{See also|wpa_supplicant}}
* {{Package|sys-apps/ifplugd}} - Brings up/down ethernet ports automatically with cable detection
* {{See also|dhcpcd}}
* {{Package|app-laptop/laptop-mode-tools}} - Linux kernel laptop_mode user-space utilities
=== Configuration ===
==== OpenRC ====
Managing daemon status and interfaces reflecting the current powerlevel AC or running on battery. This can be accomplished by using {{Package|sys-apps/openrc}}. OpenRC configuration and management is more complex compared to the {{package|app-laptop/laptop-mode-tools}} configuration approach, but also much more flexible.
A simplified openrc configuration is needed. Dynamic services are handled by laptop-mode-tools. Overview of running daemons handled by openrc runlevel default, note laptop_mode daemon is started here:
{{Cmd|rc-status default|output=<pre>
Runlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
acpid [ started ]
cupsd [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
sshd [ started ]
</pre>}}
Following daemons need to be managed by laptop-tools:
{{Cmd|rc-status default|output=<pre>
net.eth0 [ started ]
net.wlan0 [ started ]
sshd [ started ]
cupsd [ started ]
</pre>}}
Remove the daemons from the openrc default startup level
{{RootCmd|rc-update del net.eth0 default}}
{{RootCmd|rc-update del net.wlan0 default}}
{{RootCmd|rc-update del net.sshd default}}
{{RootCmd|rc-update del net.cupsd default}}
Verify the default startup of openrc:
{{Cmd|rc-status default|output=<pre>
Runlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
acpid [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
</pre>}}
=== Laptop-mode-tools ===
The laptop_mode tools dynamic configuration relies on default 2 ACPI levels:
* laptop is running on AC power
* laptop is running on battery
laptop-mode tools has 2 according ACPI states named '''batt''' and '''lm-ac''':
* batt
* lm-ac
* nolm-ac
The 3-rd state '''nolm-ac''' (laptop-mode tools daemon NOT running) is not used.
Get an overview of the laptop-mode directory:
{{Cmd|tree -L 1 /etc/laptop-mode|output=<pre>
/etc/laptop-mode
├── batt-start
├── batt-stop
├── conf.d
├── laptop-mode.conf
├── lm-ac-start
├── lm-ac-stop
├── lm-profiler.conf
├── modules
├── nolm-ac-start
└── nolm-ac-stop
</pre>}}
Each of the 3 predefined states '''batt''' '''lm-ac''' and '''nolm-ac''' have a ''-start'' and ''-stop'' suffix in the directory structure. There is also a conf.d directory for services configuration that would be handled by laptop-mode and a modules directory for modules to be used explicitelly.
The goal is reached when the laptop automatically determines which daemons need to be started and which need to be stopped depending on the ACPI battery level.
There are 2 states in which the laptop is working:
* laptop is docked, ac connected, wired access, printing available, ssh daemon running
* laptop is not docked, battery, wireless access, no priting available, no ssh daemon runni
Adjust the previosly removed daemons to laptop-mode. Change to the battery level. wlan is the only one service needed while running on battery.
Change to the directory:
{{RootCmd|cd /etc/laptop-mode/batt-start/}}
Create a symlink to daemons to be run while on battery:
{{RootCmd|ln -s /etc/init.d/net.wlan0 . }}
Change to the directory /etc/laptop-mode/batt-stop/:
{{RootCmd|cd /etc/laptop-mode/batt-stop/}}
Create a symlink to deamons to be stopped while on battery:
{{RootCmd|ln -s /etc/init.d/cupsd . }}
{{RootCmd|ln -s /etc/init.d/net.eth0 . }}
{{RootCmd|ln -s /etc/init.d/sshd . }}
Start and Stop daemons handled by the battery status after configuration:
{{Cmd|tree -L 1 /etc/laptop-mode/batt-st*|output=<pre>
tree -L 1 /etc/laptop-mode/batt-st*
/etc/laptop-mode/batt-start
└── net.wlan0 -> /etc/init.d/net.wlan0
/etc/laptop-mode/batt-stop
├── cupsd -> /etc/init.d/cupsd
├── net.eth0 -> /etc/init.d/net.eth0
└── sshd -> /etc/init.d/sshd
</pre>}}
Start and Stop daemons handled by the battery status:
{{Cmd|tree -L 1 /etc/laptop-mode/lm-ac-st*|output=<pre>
/etc/laptop-mode/lm-ac-start
├── cupsd -> /etc/init.d/cupsd
├── net.eth0 -> /etc/init.d/net.eth0
└── sshd -> /etc/init.d/sshd
/etc/laptop-mode/lm-ac-stop
└── net.wlan0 -> /etc/init.d/net.wlan0
</pre>}}
=== Verification ===
Docked laptop and service status:
{{Cmd|rc-status default|output=<pre>
Runlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
mpd [ started ]
acpid [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
net.eth0 [ started ]
cupsd [ started ]
Dynamic Runlevel: manual
sshd [ started ]
</pre>}}
Undocked status:
{{Cmd|rc-status default|output=<pre>
Runlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
mpd [ started ]
acpid [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
net.wlan0 [ started ]
</pre>}}
This is a ready, easy to use, running configuration.
== Enable IPv6 privacy extensions (RFC4941) ==
IPv6 privacy extensions are disabled by default on GNU/linux, they lead to problems if users are not aware of this.
To enable privacy extensions on gentoo permanently add following lines and reboot the system:
{{FileBox|filename=/etc/sysctl.conf|lang=ini|title=Enabling IPv6 privacy extensions|1=
...
# Enabling IPv6 privacy extensions for specified interfaces.
# here eth0 and wlan0
# net.ipv6.conf.eth0.use_tempaddr = 2
# net.ipv6.conf.wlan0.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
# Setting q shorter timeout for a temporary IPv6 prefix
# default setting is one day
net.ipv6.conf.eth0.temp_prefered_lft = 14400
net.ipv6.conf.wlan0.temp_prefered_lft = 14400
}}
The setting ''net.ipv6.conf.all.use_tempaddr'' is used to propagate its value to all interfaces currently attached to the system. This setting might not work reliably for all interfaces. At least not on my own tested gentoo installations up to kernel 4.14.
There are two old bugs in the Linux kernel bugtracker for this issue:
* https://bugzilla.kernel.org/show_bug.cgi?id=11655
* https://bugzilla.kernel.org/show_bug.cgi?id=9224
== Wiki templates for templates ==
* [[:Category:Templates_for_templates]]
== Command sequence for old gentoo boxes to update after a long time ==
This is a basic sequence of commands for updating older gentoo boxes.
Divide and conquer:
Update the toolchain first, then resolve the blocks manually afterwards.
Sync portage tree:
{{RootCmd|eix-sync}}
Update the portage application:
{{RootCmd|emerge --oneshot portage}}
Emerge latest linux kernel first:
{{RootCmd|emerge gentoo-sources}}
Show available kernel sources:
{{RootCmd|eselect kernel list}}
Set the latest linux kernel version:
{{RootCmd|eselect kernel set <input>}}
Emerge GCC first:
{{RootCmd|emerge --oneshot gcc}}
Show availabe GCC compilers:
{{RootCmd|eselect gcc list}}
Set the latest available GCC compiler in the list:
{{RootCmd|eselect gcc set <input>}}
Check if the desired GCC has been set, apply portage postinstall hint:
{{RootCmd|eselect gcc list}}
Emerge latest glibc
{{RootCmd|emerge --oneshot glibc}}
Check the latest gentoo related toolchain changes on the wiki, bugs, etc: [[Project:Toolchain]]
Emerge latest binutils:
{{RootCmd|emerge binutils}}
Show current available binutils:
{{RootCmd|eselect binutils list}}
Set the latest binutils version:
{{RootCmd|eselect binutils set <input>}}
Verify binutils setting:
{{RootCmd|eselect binutils list}}
Emerge latest python
{{RootCmd|emerge --oneshot python}}
Emerge latest perl:
{{RootCmd|emerge --oneshot perl}}
Emerge latest iproute2
{{RootCmd|emerge --oneshot iproute2}}
Update the system with following command, resolve dependency errors:
{{RootCmd|emerge -vauDN system}}
Update the system with following command, resolve dependency errors:
{{RootCmd|emerge -vauDN world}}
Now it is done.' |
Unified diff of changes made by edit (edit_diff) | '@@ -51,4 +51,11 @@
* [[Gentoo_for_Network_Admins]]
+
+= iproute2 =
+
+serious ''net-tools'' 2 ''iproute'' syntax converstion wiki entries:
+
+* https://wiki.gentoo.org/wiki/Vpnc
+* https://wiki.gentoo.org/wiki/Handbook:Parts/Networking/Modular
== OATH Toolkit - PAM authentication error==
' |
Old page size (old_size) | 26142 |
Lines added in edit (added_lines) | [
0 => '',
1 => '= iproute2 =',
2 => '',
3 => 'serious ''net-tools'' 2 ''iproute'' syntax converstion wiki entries:',
4 => '',
5 => '* https://wiki.gentoo.org/wiki/Vpnc',
6 => '* https://wiki.gentoo.org/wiki/Handbook:Parts/Networking/Modular'
] |
Lines removed in edit (removed_lines) | [] |
New page text, stripped of any markup (new_text) | '
Needle
Contact info
Webformneedle (IRC)needless
User info
Gentoo user since 2006
deThis user is a native speaker of German.
plThis user is a native speaker of Polish.
en-3This user is able to contribute with an advanced level of English.
ruThis user is a native speaker of Russian.
needle uses gentoo linux for working and does IP for living. Since years.
Building and breaking IP networks using the most flexible, most configurable and the most stable tool available out there: gentoo linux.
My main area of interest is:
networking
IP networks
IP network related software
IP routing
And all kinds of cross - $vendor/$platform/$implementation/$protocol related issues.
Yes, I read RFC's. Operating IP networks, troubleshooting IP related or protocol related issues, in different networking environements, using different implementations, needs one common basis - That is what RFC's are good for.
You will spot all kind issues among the above mentioned $variables, you really would not belive it is real. Specifically, RFC's that are:
Partially implemented
Wrong implemented
Not implemented at all
Implemented, but in that one specific implementation detail it differs from the RFC, root of $EVENT_CASCADE
In the worst imabinable network or protocol troubleshooting situation, do not trust that all involved parties:
$vendor
$hardware-platform
$operating-system
$software
comply to listed RFC's own websites. Read it, look it up, troubleshoot or debug this $issue using the listed RFC.
Most sighted $issues are really just stupid bugs, or the typo in the code manner.
If they are professionals, and on a rare ocassion you might get feedback like this:
$feature on $implementation was not planned at THIS $scale, you hit specific $edge case. You are the first to notice this, thanks for reporting. It is already fixed in the latest code. We will get back to you, for testing.
I am lurking in the #gentoo Gentoo Linux Support and the #gentoo-wiki Gentoo Wiki channels on the Libera.Chat IRC network.
Gentoo_for_Network_Admins
Contents
1 iproute2
1.1 OATH Toolkit - PAM authentication error
1.2 less is more
1.2.1 MPD minimal USE flag combo
1.3 SMW
1.4 SHA-512 to Blowfish migration testing
1.4.1 (glibc)bcrypt implementation status
1.4.2 Emerge
1.4.3 Generate
1.4.4 Replace
1.4.5 Sanitize
1.4.6 Verify
1.4.7 Clean up
1.5 etckeeper whitelist configuration
1.6 Automated rebuild of portage packages
1.7 laptop_mode laptop roaming howto
1.7.1 Additional software
1.7.2 Configuration
1.7.2.1 OpenRC
1.7.3 Laptop-mode-tools
1.7.4 Verification
1.8 Enable IPv6 privacy extensions (RFC4941)
1.9 Wiki templates for templates
1.10 Command sequence for old gentoo boxes to update after a long time
iproute2[edit]
serious net-tools 2 iproute syntax converstion wiki entries:
https://wiki.gentoo.org/wiki/Vpnc
https://wiki.gentoo.org/wiki/Handbook:Parts/Networking/Modular
OATH Toolkit - PAM authentication error[edit]
Error:
WarningIf the system files involved in authentication are corrupt, this might generate following PAM authentication syslog error:
error: PAM: User not known to the underlying authentication module for znurt from 192.0.2.10
Authentication issue related to corrupt files on the test system:
/etc/shadow
/etc/passwd
Fix:
Sanitize using the tool pwck:
root #pwckuser 'adm': directory '/var/adm' does not exist
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/usr/lib/news' does not exist
user 'games': directory '/usr/games' does not exist
user 'polkituser': no group 1011
pwck: no change
less is more[edit]
USE flag ebuild suggestions for more out of the box gentoo 'fun' by simply using 'less' of all that USE flags where not necessarily needed.
Resulting in:
less maintanance
less corner cases
less snakeflow configurations
less annoying preset default behaviours
less pulled package dependencies
less code
less bugs
less attack vector
less ressources usage CPU/RAM
less CPU cycles wasted on unused code
less complexity
less time spent on troubleshooting complex systems
less build packages
less electrical energy used
That is resulting in:
more easy configuration
more easy setup
more unification
more chance for automating stuff
more automation
more time for important stuff
MPD minimal USE flag combo[edit]
only 6 USE flags is good enough for the gentoo system to be playing most audio files. Shown used libraries, could be swapped out as drop-in replacement, if minimal configuration should be kept. No extencive libraries testing done here, more pragmatical approach. work for me(tm). If something is missing just add this on top of that USE flag combo, recompile, and you are done. A good starting point for minimal configuration of for troubleshooting, sorting out libraries etc.
user $equery uses mpd | grep ++alsa
+curl
+flac
+mad
+vorbis
+wavpack
SMW[edit]
This wiki has SMW support, create easy examples for demonstration using: Special:Version#mw-version-ext
Perfect example collections for SMW:
Logging
Network_Time_Protocol
Here are few simple SMW examples for the beginning.
SHA-512 to Blowfish migration testing[edit]
(glibc)bcrypt implementation status[edit]
List of events why bcrypt still not is availble in the mainstream linux distribution sector: https://access.redhat.com/articles/1519843.
TL;DR version - (glibc)bcrypt #2100 official implementation tracking bug.
A bug reported, in the year 2006. Now nearly 2 decades ago.
ImportantBefore reading furhter. Read about bcrypt rounds or cost, take a close look at the generated salt. Use a professional password when using bcrypt.
This is a test, done before migration. If the test succeeds, the target system is considered safe for migration. The steps described here, should work for every other user that is to be migrated. This short description is meant for nodes only with few users.
Take sure your target system supports Blowfish, apparently it is not available everywhere on every linux:
user $man 3 crypt
Over here it looks like in depicted table, this man 3 crypto
ID Method
────────────────────────────────────────────────────────────────────────────
1 MD5
2a Blowfish (not in mainline glibc; added in some Linux distributions)
5 SHA-256 (since glibc 2.7)
6 SHA-512 (since glibc 2.7)
Create a test user here larry the target system:
root #useradd -m -G users,wheel,audio -s /bin/bash larry
Emerge[edit]
Review and set USE flags before emerging the package, enable the bcrypt USE flag
root #emerge --ask sys-apps/shadow
NoteVerify the package sys-apps/shadow has the bcrypt USE flag enabled. And the package has been rebuild using that flag.
Generate[edit]
Now, configure bcrypt to create really safe password hashes. If you are an expert in fastfood security done is 5 seconds, here a quick cli to generate a hash:
user $htpasswd -bnBC 15 "" G3n70o_L1nuX-r0ck5?! | tr -d ':\n'$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK%
Generated prefix, here $2y$ is NOT interesting. There is NO difference between $2a$ or $2y$ in any sense. If implemented correctly, all created hashes are working the same. No matter which prefix, is generated using Blowfish.
Generated crypto prefix, is only important in the context of the specific application, operating system, and used libraries to distinguish kaputt crypto $2a$ from fixed crypto $2y$.
Replace[edit]
Now using a text editor edit the /etc/shadow file
root #vim /etc/shadow
And replace following test user created SHA-512 hash
...
larry:$6$W2LZ5IsI$KVrGRLf7YbTPKA.t/4gvwOr4wtHBdvF6DYpSV93ZvkdkNy0qZFu0VMt7Igy7EzW8GIEED8tVdD5vq2/HpMn7b0:16134:0:99999:7:::
...
With this generated bcrypt hash, notice the cost of bcrypt, it is not the real time of rounds depicted below, it is fake here for the example:
...
larry:$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK:16134:0:99999:7:::
...
Sanitize[edit]
Run pwck to assure file consistency and to sanitize system files involved.
root #pwck
TipBest practice: Always sanitize files if there is a $tool for it. This saves a lot of time spent on needless troubleshooting.
Verify[edit]
Open a SSH connection to localhost, using that changed test username, here larry:
user $ssh larry@localhost
If authentication succeeds, then you are ready to plan the migration, on working users.
Clean up[edit]
After the testing is finished, remove larry from the system
root #userdel larry
etckeeper whitelist configuration[edit]
NoteCreate a .gitignore file before running the etckeeper initialization.
This example below shows how to save explicit files to the etckeeper repository. This is the reverse approach, compared to the default etckeeper configuration, which
The first entry * ignores ALL files in the /etc directory, following ! negated entries mark the interesting files that will be saved to the repository.
Configuration example for saving these 3 files:
/etc/crontab
/etc/inittab
/etc/resolv.conf
FILE /etc/.gitignore # ignore everything
*
# now add interesting files
!crontab
!inittab
!resolv.conf
Configuration example for /etc/apache2/ directory:
FILE /etc/.gitignore # ignore everything
*
# now add interesting files and dirs
!apache2/
!apache2/*
Configuration example for directories containing subdirectcories with interesting files:
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/
/etc/apache2/modules.d/
FILE /etc/.gitignore # ignore everything
*
# now add interesting files and dirs
!apache2/
!apache2/httpd.conf
!apache2/modules.d/
!apache2/modules.d/*
!apache2/vhosts.d/
!apache2/vhosts.d/*
Automated rebuild of portage packages[edit]
This solution relies on the sys-process/cronie and the usage of anacron USE flag.
What does that anacron USE flag do, verify using the euse tool:
user $euse -i anacron[- ] anacron (sys-process/cronie):
Install the periodic anacron command scheduler.
it is a added feature or function to cronie. The anacron USE flag re-schedules missed cron jobs for machines that are not 24/7 online, like f.e. laptops, workstations. Apart from that it is working like an usual cron scheduler. This feature does not rely on the separate anacron package.
Install cronie:
root #emerge --ask sys-process/cronie
Schedule daily rebuild by adding following file in the /etc/cron.daily/ directory:
Noteuser:Sam suggested sanity checks are missing the pre-upgrade and post-emerge routines are not handled by this script. Read Portage_log and elogv for final solution.
FILE /etc/cron.daily/portage #!/bin/sh
#
# Sync portage using eix-sync
# -U Do not touch the database, do not show differences
# -T Do not measure time
/usr/bin/eix-sync -U -T
if [ $? -eq 0 ]; then
logger "eix-sync has finished."
else
logger "eix-sync has exited with error code: $?"
fi
# Now update the database
/usr/bin/eix-update
if [ $? -eq 0 ]; then
logger "eix-update has finished."
else
logger "eix-update has exited with error code: $?"
fi
# Emerge world packages. For skipping bugged ebuild,
# add "EMERGE_DEFAULT_OPTS= --keep-going"* to make.conf file
emerge -uDN @world
if [ $? -eq 0 ]; then
logger "emerge --world has finished."
else
logger "emerge --world has exited with error code: $?"
fi
# And keep everything working
emerge @preserved-rebuild
if [ $? -eq 0 ]; then
logger "emerge @preserved-rebuild has finished."
else
logger "emerge @preserved-rebuild has exited with error code: $?"
fi
# Write a message to syslog portage rebuild has finished now.
logger "daily cron portage update has finished with exit status: $?"
Make the /etc/cron.daily/portage file executable by adding the +x flag:
root #chmod +x /etc/cron.daily/portage
This will schedule run the eix-sync and ebuild jobs, at ~03:00 AM. And if the job has been missed because host was turned off, the job gets scheduled after a the host has been turned on again.
Now it would be nice to see, what has been rebuild and how it worked out without using any complex commands. Add a bash script to the ~/bin directory of the root user. The script runs 2 qlop commands showing the results from beginning of the day. qlop is part of app-portage/portage-utils ebuild.
FILE /root/bin/emergelog.sh #!/bin/sh
qlop -H -s -d today
qlop -H -m -u -d today
Make the /root/bin/emergelog.sh file executable by adding the +x flag:
root #chmod +x ~/bin/emergelog.sh
Because I am even to tazy to run that command manually, I add following lines to the /root/.profile file, this calls the upper /root/bin/emergelog.sh, each time the root user authenticates to this host. Additionally this lists the last 8 lines of the /var/log/emerge.log file:
FILE /root/.profile echo "Last emerged packages:"
sh ~/bin/emergelog.sh
echo ""
echo "Last emerge.log entries:"
tail -n 8 /var/log/emerge.log
echo ""
And this is the prompt how it looks like after successful authentication:
root #Last emerged packages:
2020-04-21T02:30:13 *** gentoo
2020-04-21T03:22:44 >>> dev-util/re2c
2020-04-21T03:32:45 >>> net-misc/whois
2020-04-21T08:20:39 >>> dev-libs/libpcre2
Last emerge.log entries:
1587455666: *** Finished. Cleaning up...
1587455669: *** exiting successfully.
1587455669: *** terminating.
1587455675: Started emerge on: Apr 21, 2020 09:54:34
1587455675: *** emerge --keep-going @preserved-rebuild
1587455687: *** Finished. Cleaning up...
1587455690: *** exiting successfully.
1587455691: *** terminating.
This is a optional step and could be useful on always on systems, for the update routine to be sane. If the update routine has changed the daemons libriaries, that particular service would need a unattended restart. To accomplish ths use following tool:
root #emerge --ask app-admin/needrestart
Default configuration needs to be adjusted to the own system. Do not rely on defaults. app-admin/needstart needs further configuration. The list of all configuration files:
user $tree /etc/needrestart
This solution works 99% of the time. If packages fail to build, this needs to be resolved manually by doing a world rebuild, and inspecting what has gone wrong.
laptop_mode laptop roaming howto[edit]
Additional software[edit]
These packages are all needed to get it to run:
openrc — a dependency-based init system for Unix-like systems that maintains compatibility with the system-provided init system - with enabled USE flag netifrc
wpa_supplicant — a Wi-Fi supplicant
sys-apps/ifplugd - Brings up/down ethernet ports automatically with cable detection
dhcpcd — a popular DHCP client capable of handling both IPv4 and IPv6 configuration.
app-laptop/laptop-mode-tools - Linux kernel laptop_mode user-space utilities
Configuration[edit]
OpenRC[edit]
Managing daemon status and interfaces reflecting the current powerlevel AC or running on battery. This can be accomplished by using sys-apps/openrc. OpenRC configuration and management is more complex compared to the app-laptop/laptop-mode-tools configuration approach, but also much more flexible.
A simplified openrc configuration is needed. Dynamic services are handled by laptop-mode-tools. Overview of running daemons handled by openrc runlevel default, note laptop_mode daemon is started here:
user $rc-status defaultRunlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
acpid [ started ]
cupsd [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
sshd [ started ]
Following daemons need to be managed by laptop-tools:
user $rc-status default net.eth0 [ started ]
net.wlan0 [ started ]
sshd [ started ]
cupsd [ started ]
Remove the daemons from the openrc default startup level
root #rc-update del net.eth0 default
root #rc-update del net.wlan0 default
root #rc-update del net.sshd default
root #rc-update del net.cupsd default
Verify the default startup of openrc:
user $rc-status defaultRunlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
acpid [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
Laptop-mode-tools[edit]
The laptop_mode tools dynamic configuration relies on default 2 ACPI levels:
laptop is running on AC power
laptop is running on battery
laptop-mode tools has 2 according ACPI states named batt and lm-ac:
batt
lm-ac
nolm-ac
The 3-rd state nolm-ac (laptop-mode tools daemon NOT running) is not used.
Get an overview of the laptop-mode directory:
user $tree -L 1 /etc/laptop-mode /etc/laptop-mode
├── batt-start
├── batt-stop
├── conf.d
├── laptop-mode.conf
├── lm-ac-start
├── lm-ac-stop
├── lm-profiler.conf
├── modules
├── nolm-ac-start
└── nolm-ac-stop
Each of the 3 predefined states batt lm-ac and nolm-ac have a -start and -stop suffix in the directory structure. There is also a conf.d directory for services configuration that would be handled by laptop-mode and a modules directory for modules to be used explicitelly.
The goal is reached when the laptop automatically determines which daemons need to be started and which need to be stopped depending on the ACPI battery level.
There are 2 states in which the laptop is working:
laptop is docked, ac connected, wired access, printing available, ssh daemon running
laptop is not docked, battery, wireless access, no priting available, no ssh daemon runni
Adjust the previosly removed daemons to laptop-mode. Change to the battery level. wlan is the only one service needed while running on battery.
Change to the directory:
root #cd /etc/laptop-mode/batt-start/
Create a symlink to daemons to be run while on battery:
root #ln -s /etc/init.d/net.wlan0 .
Change to the directory /etc/laptop-mode/batt-stop/:
root #cd /etc/laptop-mode/batt-stop/
Create a symlink to deamons to be stopped while on battery:
root #ln -s /etc/init.d/cupsd .
root #ln -s /etc/init.d/net.eth0 .
root #ln -s /etc/init.d/sshd .
Start and Stop daemons handled by the battery status after configuration:
user $tree -L 1 /etc/laptop-mode/batt-st*tree -L 1 /etc/laptop-mode/batt-st*
/etc/laptop-mode/batt-start
└── net.wlan0 -> /etc/init.d/net.wlan0
/etc/laptop-mode/batt-stop
├── cupsd -> /etc/init.d/cupsd
├── net.eth0 -> /etc/init.d/net.eth0
└── sshd -> /etc/init.d/sshd
Start and Stop daemons handled by the battery status:
user $tree -L 1 /etc/laptop-mode/lm-ac-st*/etc/laptop-mode/lm-ac-start
├── cupsd -> /etc/init.d/cupsd
├── net.eth0 -> /etc/init.d/net.eth0
└── sshd -> /etc/init.d/sshd
/etc/laptop-mode/lm-ac-stop
└── net.wlan0 -> /etc/init.d/net.wlan0
Verification[edit]
Docked laptop and service status:
user $rc-status defaultRunlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
mpd [ started ]
acpid [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
net.eth0 [ started ]
cupsd [ started ]
Dynamic Runlevel: manual
sshd [ started ]
Undocked status:
user $rc-status defaultRunlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
mpd [ started ]
acpid [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
net.wlan0 [ started ]
This is a ready, easy to use, running configuration.
Enable IPv6 privacy extensions (RFC4941)[edit]
IPv6 privacy extensions are disabled by default on GNU/linux, they lead to problems if users are not aware of this.
To enable privacy extensions on gentoo permanently add following lines and reboot the system:
FILE /etc/sysctl.confEnabling IPv6 privacy extensions ...
# Enabling IPv6 privacy extensions for specified interfaces.
# here eth0 and wlan0
# net.ipv6.conf.eth0.use_tempaddr = 2
# net.ipv6.conf.wlan0.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
# Setting q shorter timeout for a temporary IPv6 prefix
# default setting is one day
net.ipv6.conf.eth0.temp_prefered_lft = 14400
net.ipv6.conf.wlan0.temp_prefered_lft = 14400
The setting net.ipv6.conf.all.use_tempaddr is used to propagate its value to all interfaces currently attached to the system. This setting might not work reliably for all interfaces. At least not on my own tested gentoo installations up to kernel 4.14.
There are two old bugs in the Linux kernel bugtracker for this issue:
https://bugzilla.kernel.org/show_bug.cgi?id=11655
https://bugzilla.kernel.org/show_bug.cgi?id=9224
Wiki templates for templates[edit]
Category:Templates_for_templates
Command sequence for old gentoo boxes to update after a long time[edit]
This is a basic sequence of commands for updating older gentoo boxes.
Divide and conquer:
Update the toolchain first, then resolve the blocks manually afterwards.
Sync portage tree:
root #eix-sync
Update the portage application:
root #emerge --oneshot portage
Emerge latest linux kernel first:
root #emerge gentoo-sources
Show available kernel sources:
root #eselect kernel list
Set the latest linux kernel version:
root #eselect kernel set <input>
Emerge GCC first:
root #emerge --oneshot gcc
Show availabe GCC compilers:
root #eselect gcc list
Set the latest available GCC compiler in the list:
root #eselect gcc set <input>
Check if the desired GCC has been set, apply portage postinstall hint:
root #eselect gcc list
Emerge latest glibc
root #emerge --oneshot glibc
Check the latest gentoo related toolchain changes on the wiki, bugs, etc: Project:Toolchain
Emerge latest binutils:
root #emerge binutils
Show current available binutils:
root #eselect binutils list
Set the latest binutils version:
root #eselect binutils set <input>
Verify binutils setting:
root #eselect binutils list
Emerge latest python
root #emerge --oneshot python
Emerge latest perl:
root #emerge --oneshot perl
Emerge latest iproute2
root #emerge --oneshot iproute2
Update the system with following command, resolve dependency errors:
root #emerge -vauDN system
Update the system with following command, resolve dependency errors:
root #emerge -vauDN world
Now it is done.' |
Parsed HTML source of the new revision (new_html) | '<div class="mw-parser-output"><p><span></span>
</p>
<div id="infobox-stack" class="list-group" style="width: 25em; float: right; clear: right; font-size: 90%; margin-left: 1em;">
<div class="list-group-item text-center" style="padding-top: 3px; padding-bottom: 3px; background-color: #463C65; color: white;"><b>Needle </b></div>
<div class="list-group-item text-center" style="padding-top: 3px; padding-bottom: 3px; background-color: #463C65; color: white;"><b>Contact info</b></div>
<div id="infobox" class="list-group-item" style="display: flex; align-items: center; padding: 5px; min-height: 3em;"><span style="display: inline-block; width: 3em; overflow: hidden; text-align: center;"><span class="fa fa-envelope-o fa-fw fa-2x"></span></span><span><a href="/wiki/Special:EmailUser/Needle" title="Special:EmailUser/Needle">Webform</a></span></div><div id="infobox" class="list-group-item" style="display: flex; align-items: center; padding: 5px; min-height: 3em;"><span style="display: inline-block; width: 3em; overflow: hidden; text-align: center;"><span class="fa fa-comments-o fa-fw fa-2x"></span></span><span>needle (IRC)</span></div><div id="infobox" class="list-group-item" style="display: flex; align-items: center; padding: 5px; min-height: 3em;"><span style="display: inline-block; width: 3em; overflow: hidden; text-align: center;"><span class="fa fa-github fa-fw fa-2x"></span></span><span><a rel="nofollow" class="external text" href="https://github.com/needless">needless</a></span></div>
<p><br />
</p>
<div class="list-group-item text-center" style="padding-top: 3px; padding-bottom: 3px; background-color: #463C65; color: white;"><b>User info</b></div>
<div id="infobox" class="list-group-item" style="display: flex; align-items: center; padding: 5px; min-height: 3em;"><span style="display: inline-block; width: 3em; overflow: hidden; text-align: center;"><span class="fa fa-calendar fa-fw fa-2x"></span></span><span>Gentoo user since 2006</span></div>
<div id="infobox" class="list-group-item" style="display: flex; align-items: center; padding: 5px; min-height: 3em;"><span style="display: inline-block; width: 3em; overflow: hidden; text-align: center;"><span style="white-space:nowrap;"><a href="https://en.wikipedia.org/wiki/German_language" class="extiw" title="wikipedia:German language">de</a></span></span><span>This user is a <b>native</b> speaker of <b><a href="/wiki/Category:User_de" title="Category:User de">German</a></b>.</span></div>
<div id="infobox" class="list-group-item" style="display: flex; align-items: center; padding: 5px; min-height: 3em;"><span style="display: inline-block; width: 3em; overflow: hidden; text-align: center;"><span style="white-space:nowrap;"><a href="https://en.wikipedia.org/wiki/Polish_language" class="extiw" title="wikipedia:Polish language">pl</a></span></span><span>This user is a <b>native</b> speaker of <b><a href="/wiki/Category:User_pl" title="Category:User pl">Polish</a></b>.</span></div>
<div id="infobox" class="list-group-item" style="display: flex; align-items: center; padding: 5px; min-height: 3em;"><span style="display: inline-block; width: 3em; overflow: hidden; text-align: center;"><span style="white-space:nowrap;"><a href="https://en.wikipedia.org/wiki/English_language" class="extiw" title="wikipedia:English language">en</a>-3</span></span><span>This user is able to contribute with an <b><a href="/wiki/Category:User_en-3" title="Category:User en-3">advanced</a></b> level of <b><a href="/wiki/Category:User_en" title="Category:User en">English</a></b>.</span></div>
<div id="infobox" class="list-group-item" style="display: flex; align-items: center; padding: 5px; min-height: 3em;"><span style="display: inline-block; width: 3em; overflow: hidden; text-align: center;"><span style="white-space:nowrap;"><a href="https://en.wikipedia.org/wiki/Russian_language" class="extiw" title="wikipedia:Russian language">ru</a></span></span><span>This user is a <b>native</b> speaker of <b><a href="/wiki/Category:User_ru" title="Category:User ru">Russian</a></b>.</span></div>
</div>
<p>needle uses <b>gentoo linux</b> for <i>working</i> and does <code>IP</code> for living. Since years.
</p><p>Building and breaking IP networks using the most flexible, most configurable and the most <i>stable</i> tool available out there: <b>gentoo linux</b>.
</p><p>My main area of interest is:
</p>
<ul><li>networking</li>
<li>IP networks</li>
<li>IP network related software</li>
<li>IP routing</li></ul>
<p>And all kinds of <i>cross</i> - <b>$vendor</b>/<b>$platform</b>/<b>$implementation</b>/<b>$protocol</b> related issues.
</p><p>Yes, <a rel="nofollow" class="external text" href="https://rfc.fyi">I read RFC's</a>. Operating IP networks, troubleshooting IP related or protocol related issues, in different networking environements, using different implementations, needs one <i>common</i> basis - That is what <b>RFC's</b> are good for.
You will spot all kind issues among the <i>above</i> mentioned <b>$variables</b>, you really would not belive it is real. Specifically, RFC's that are:
</p>
<ol><li>Partially implemented</li>
<li>Wrong implemented</li>
<li>Not implemented at all</li>
<li>Implemented, but in that <b>one specific implementation detail</b> it differs from the RFC, root of $EVENT_CASCADE</li></ol>
<p>In the worst imabinable network or protocol troubleshooting situation, do not trust that all involved parties:
</p>
<ul><li><b>$vendor</b></li>
<li><b>$hardware-platform</b></li>
<li><b>$operating-system</b></li>
<li><b>$software</b></li></ul>
<p>comply to listed RFC's own websites. Read it, look it up, troubleshoot or debug this <b>$issue</b> using the listed RFC.
</p><p>Most sighted <b>$issues</b> are really just stupid bugs, or the <i>typo in the code</i> manner.
</p><p>If they are professionals, and on a rare ocassion you might get feedback like this:
</p>
<pre><b>$feature</b> on <b>$implementation</b> was not planned at THIS <b>$scale</b>, you hit specific <b>$edge</b> case. You are the first to notice this, thanks for reporting. It is already fixed in the latest code. We will get back to you, for testing.
</pre>
<p>I am lurking in the <a rel="nofollow" class="external text" href="irc://irc.libera.chat/gentoo">#gentoo</a> Gentoo Linux Support and the <a rel="nofollow" class="external text" href="irc://irc.libera.chat/gentoo-wiki">#gentoo-wiki</a> Gentoo Wiki channels on the <a rel="nofollow" class="external text" href="https://libera.chat/">Libera.Chat</a> IRC network.
</p>
<ul><li><a href="/wiki/Gentoo_for_Network_Admins" title="Gentoo for Network Admins">Gentoo_for_Network_Admins</a></li></ul>
<div id="toc" class="toc" role="navigation" aria-labelledby="mw-toc-heading"><input type="checkbox" role="button" id="toctogglecheckbox" class="toctogglecheckbox" style="display:none" /><div class="toctitle" lang="en" dir="ltr"><h2 id="mw-toc-heading">Contents</h2><span class="toctogglespan"><label class="toctogglelabel" for="toctogglecheckbox"></label></span></div>
<ul>
<li class="toclevel-1 tocsection-1"><a href="#iproute2"><span class="tocnumber">1</span> <span class="toctext">iproute2</span></a>
<ul>
<li class="toclevel-2 tocsection-2"><a href="#OATH_Toolkit_-_PAM_authentication_error"><span class="tocnumber">1.1</span> <span class="toctext">OATH Toolkit - PAM authentication error</span></a></li>
<li class="toclevel-2 tocsection-3"><a href="#less_is_more"><span class="tocnumber">1.2</span> <span class="toctext"><i>less is more</i></span></a>
<ul>
<li class="toclevel-3 tocsection-4"><a href="#MPD_minimal_USE_flag_combo"><span class="tocnumber">1.2.1</span> <span class="toctext">MPD minimal USE flag combo</span></a></li>
</ul>
</li>
<li class="toclevel-2 tocsection-5"><a href="#SMW"><span class="tocnumber">1.3</span> <span class="toctext">SMW</span></a></li>
<li class="toclevel-2 tocsection-6"><a href="#SHA-512_to_Blowfish_migration_testing"><span class="tocnumber">1.4</span> <span class="toctext">SHA-512 to Blowfish migration testing</span></a>
<ul>
<li class="toclevel-3 tocsection-7"><a href="#.28glibc.29bcrypt_implementation_status"><span class="tocnumber">1.4.1</span> <span class="toctext">(glibc)bcrypt implementation status</span></a></li>
<li class="toclevel-3 tocsection-8"><a href="#Emerge"><span class="tocnumber">1.4.2</span> <span class="toctext">Emerge</span></a></li>
<li class="toclevel-3 tocsection-9"><a href="#Generate"><span class="tocnumber">1.4.3</span> <span class="toctext">Generate</span></a></li>
<li class="toclevel-3 tocsection-10"><a href="#Replace"><span class="tocnumber">1.4.4</span> <span class="toctext">Replace</span></a></li>
<li class="toclevel-3 tocsection-11"><a href="#Sanitize"><span class="tocnumber">1.4.5</span> <span class="toctext">Sanitize</span></a></li>
<li class="toclevel-3 tocsection-12"><a href="#Verify"><span class="tocnumber">1.4.6</span> <span class="toctext">Verify</span></a></li>
<li class="toclevel-3 tocsection-13"><a href="#Clean_up"><span class="tocnumber">1.4.7</span> <span class="toctext">Clean up</span></a></li>
</ul>
</li>
<li class="toclevel-2 tocsection-14"><a href="#etckeeper_whitelist_configuration"><span class="tocnumber">1.5</span> <span class="toctext">etckeeper whitelist configuration</span></a></li>
<li class="toclevel-2 tocsection-15"><a href="#Automated_rebuild_of_portage_packages"><span class="tocnumber">1.6</span> <span class="toctext">Automated rebuild of portage packages</span></a></li>
<li class="toclevel-2 tocsection-16"><a href="#laptop_mode_laptop_roaming_howto"><span class="tocnumber">1.7</span> <span class="toctext">laptop_mode laptop roaming howto</span></a>
<ul>
<li class="toclevel-3 tocsection-17"><a href="#Additional_software"><span class="tocnumber">1.7.1</span> <span class="toctext">Additional software</span></a></li>
<li class="toclevel-3 tocsection-18"><a href="#Configuration"><span class="tocnumber">1.7.2</span> <span class="toctext">Configuration</span></a>
<ul>
<li class="toclevel-4 tocsection-19"><a href="#OpenRC"><span class="tocnumber">1.7.2.1</span> <span class="toctext">OpenRC</span></a></li>
</ul>
</li>
<li class="toclevel-3 tocsection-20"><a href="#Laptop-mode-tools"><span class="tocnumber">1.7.3</span> <span class="toctext">Laptop-mode-tools</span></a></li>
<li class="toclevel-3 tocsection-21"><a href="#Verification"><span class="tocnumber">1.7.4</span> <span class="toctext">Verification</span></a></li>
</ul>
</li>
<li class="toclevel-2 tocsection-22"><a href="#Enable_IPv6_privacy_extensions_.28RFC4941.29"><span class="tocnumber">1.8</span> <span class="toctext">Enable IPv6 privacy extensions (RFC4941)</span></a></li>
<li class="toclevel-2 tocsection-23"><a href="#Wiki_templates_for_templates"><span class="tocnumber">1.9</span> <span class="toctext">Wiki templates for templates</span></a></li>
<li class="toclevel-2 tocsection-24"><a href="#Command_sequence_for_old_gentoo_boxes_to_update_after_a_long_time"><span class="tocnumber">1.10</span> <span class="toctext">Command sequence for old gentoo boxes to update after a long time</span></a></li>
</ul>
</li>
</ul>
</div>
<h1><span class="mw-headline" id="iproute2">iproute2</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=1" title="Edit section: iproute2">edit</a><span class="mw-editsection-bracket">]</span></span></h1>
<p>serious <i>net-tools</i> 2 <i>iproute</i> syntax converstion wiki entries:
</p>
<ul><li><a rel="nofollow" class="external free" href="https://wiki.gentoo.org/wiki/Vpnc">https://wiki.gentoo.org/wiki/Vpnc</a></li>
<li><a rel="nofollow" class="external free" href="https://wiki.gentoo.org/wiki/Handbook:Parts/Networking/Modular">https://wiki.gentoo.org/wiki/Handbook:Parts/Networking/Modular</a></li></ul>
<h2><span class="mw-headline" id="OATH_Toolkit_-_PAM_authentication_error">OATH Toolkit - PAM authentication error</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=2" title="Edit section: OATH Toolkit - PAM authentication error">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<p><b>Error:</b>
</p>
<div class="alert alert-danger gw-box" style="padding-top: 8px; padding-bottom: 8px;"><strong><i class="fa fa-exclamation-triangle"></i> Warning</strong><br />If the system files involved in authentication are <b>corrupt</b>, this might generate following PAM authentication syslog error:
<ul><li><code>error: PAM: User not known to the underlying authentication module for znurt from 192.0.2.10</code></li></ul></div>
<p>Authentication issue related to corrupt files on the test system:
</p>
<ul><li><span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/shadow</span></li>
<li><span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/passwd</span></li></ul>
<p><b>Fix:</b>
</p><p>Sanitize using the tool <span style="font-family: monospace; font-size: 95%; font-weight: bold;" class="tripleclick-separator">pwck</span>:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>pwck</code></div><span class="mw-collapsible mw-collapsed"><pre>user 'adm': directory '/var/adm' does not exist
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/usr/lib/news' does not exist
user 'games': directory '/usr/games' does not exist
user 'polkituser': no group 1011
pwck: no change</pre></span></div>
<h2><span class="mw-headline" id="less_is_more"><i>less is more</i></span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=3" title="Edit section: less is more">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<p>USE flag ebuild suggestions for <i>more</i> out of the box gentoo 'fun' by simply <i>using</i> 'less' of all that USE flags where not necessarily needed.
</p><p>Resulting in:
</p>
<ul><li>less maintanance</li>
<li>less corner cases</li>
<li>less snakeflow configurations</li>
<li>less annoying preset default behaviours</li>
<li>less pulled package dependencies</li>
<li>less code</li>
<li>less bugs</li>
<li>less attack vector</li>
<li>less ressources usage CPU/RAM</li>
<li>less CPU cycles wasted on unused code</li>
<li>less complexity</li>
<li>less time spent on troubleshooting complex systems</li>
<li>less build packages</li>
<li>less electrical energy used</li></ul>
<p>That is resulting in:
</p>
<ul><li>more easy configuration</li>
<li>more easy setup</li>
<li>more unification</li>
<li>more chance for automating stuff</li>
<li>more automation</li>
<li>more time for important stuff</li></ul>
<h3><span class="mw-headline" id="MPD_minimal_USE_flag_combo">MPD minimal USE flag combo</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=4" title="Edit section: MPD minimal USE flag combo">edit</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>only 6 USE flags is good enough for the gentoo system to be playing most audio files. Shown used libraries, could be swapped out as drop-in replacement, if minimal configuration should be kept. No extencive libraries testing done here, more pragmatical approach. work for me(tm). If something is missing just add this on top of that USE flag combo, recompile, and you are done. A good starting point for minimal configuration of for troubleshooting, sorting out libraries etc.
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>equery uses mpd | grep +</code></div><span class="mw-collapsible mw-collapsed"><pre>+alsa
+curl
+flac
+mad
+vorbis
+wavpack
</pre></span></div>
<h2><span class="mw-headline" id="SMW">SMW</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=5" title="Edit section: SMW">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<p>This wiki has SMW support, create easy examples for demonstration using: <a href="/wiki/Special:Version#mw-version-ext" title="Special:Version">Special:Version#mw-version-ext</a>
</p><p>Perfect example collections for SMW:
</p>
<ul><li><a href="/wiki/Logging" title="Logging">Logging</a></li>
<li><a href="/wiki/Network_Time_Protocol" title="Network Time Protocol">Network_Time_Protocol</a></li></ul>
<p>Here are few <a rel="nofollow" class="external text" href="https://www.semantic-mediawiki.org/wiki/Help:Getting_started">simple SMW examples</a> for the beginning.
</p>
<h2><span class="mw-headline" id="SHA-512_to_Blowfish_migration_testing">SHA-512 to Blowfish migration testing</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=6" title="Edit section: SHA-512 to Blowfish migration testing">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<h3><span id="(glibc)bcrypt_implementation_status"></span><span class="mw-headline" id=".28glibc.29bcrypt_implementation_status">(glibc)bcrypt implementation status</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=7" title="Edit section: (glibc)bcrypt implementation status">edit</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>List of events why <b>bcrypt</b> still not is availble in the mainstream linux distribution sector: <a rel="nofollow" class="external free" href="https://access.redhat.com/articles/1519843">https://access.redhat.com/articles/1519843</a>.
</p>
<ul><li><a rel="nofollow" class="external text" href="https://sourceware.org/bugzilla/show_bug.cgi?id=2100">TL;DR version - (glibc)bcrypt #2100 official implementation tracking bug.</a></li></ul>
<p>A bug reported, in the year 2006. Now nearly 2 decades ago.
</p>
<hr />
<div class="alert alert-warning gw-box" style="padding-top: 8px; padding-bottom: 8px;"><strong><i class="fa fa-exclamation-circle"></i> Important</strong><br />Before reading furhter. Read about bcrypt <code>rounds</code> or <code>cost</code>, take a close look at the generated <code>salt</code>. Use a <b>professional</b> password when using bcrypt.</div>
<p>This is a test, done before migration. If the test succeeds, the target system is considered safe for migration. The steps described here, should work for every other user that is to be migrated. This short description is meant for nodes only with few users.
</p><p>Take sure your target system supports Blowfish, apparently it is not available everywhere on every linux:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>man 3 crypt</code></div></div>
<p>Over here it looks like in depicted table, this man 3 crypto
</p>
<pre> ID Method
────────────────────────────────────────────────────────────────────────────
1 MD5
2a Blowfish (not in mainline glibc; added in some Linux distributions)
5 SHA-256 (since glibc 2.7)
6 SHA-512 (since glibc 2.7)
</pre>
<p>Create a test user here larry the target system:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>useradd -m -G users,wheel,audio -s /bin/bash larry</code></div></div>
<h3><span class="mw-headline" id="Emerge">Emerge</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=8" title="Edit section: Emerge">edit</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>Review and set USE flags before emerging the package, enable the <var>bcrypt</var> USE flag
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge --ask sys-apps/shadow</code></div></div>
<div class="alert alert-info gw-box" style="padding-top: 8px; padding-bottom: 8px;"><strong><i class="fa fa-sticky-note-o fa-rotate-180"></i> Note</strong><br />Verify the package <span style="white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the sys-apps/shadow package."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/sys-apps/shadow"><span style="font-family: monospace; font-size: 95%; color: MidnightBlue;">sys-apps/shadow</span></a><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-hdd-o fa-fw"></span></span> has the <code>bcrypt</code> USE flag enabled. And the package has been rebuild using that flag.</div>
<h3><span class="mw-headline" id="Generate">Generate</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=9" title="Edit section: Generate">edit</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>Now, configure bcrypt to create really safe password hashes. If you are an expert in fastfood security done is 5 seconds, here a quick cli to generate a hash:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>htpasswd -bnBC 15 "" G3n70o_L1nuX-r0ck5?! | tr -d ':\n'</code></div><pre>$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK%
</pre></div>
<p>Generated prefix, here <span style="font-family: monospace; font-size: 95%; font-weight: bold;" class="tripleclick-separator">$2y$</span> is NOT interesting. There is NO difference between <span style="font-family: monospace; font-size: 95%; font-weight: bold;" class="tripleclick-separator">$2a$</span> or <span style="font-family: monospace; font-size: 95%; font-weight: bold;" class="tripleclick-separator">$2y$</span> in any sense. If implemented correctly, all created hashes are working the same. No matter which prefix, is generated using Blowfish.
</p><p>Generated crypto prefix, is only important in the context of the specific application, operating system, and used libraries to distinguish kaputt crypto <span style="font-family: monospace; font-size: 95%; font-weight: bold;" class="tripleclick-separator">$2a$</span> from fixed crypto <span style="font-family: monospace; font-size: 95%; font-weight: bold;" class="tripleclick-separator">$2y$</span>.
</p>
<h3><span class="mw-headline" id="Replace">Replace</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=10" title="Edit section: Replace">edit</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>Now using a text editor edit the <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/shadow</span> file
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>vim /etc/shadow</code></div></div>
<p>And replace following test user created SHA-512 hash
</p>
<pre> ...
larry:<b>$6$W2LZ5IsI$KVrGRLf7YbTPKA.t/4gvwOr4wtHBdvF6DYpSV93ZvkdkNy0qZFu0VMt7Igy7EzW8GIEED8tVdD5vq2/HpMn7b0</b>:16134:0:99999:7:::
...
</pre>
<p>With this generated bcrypt hash, notice the cost of bcrypt, it is not the real time of rounds depicted below, it is fake here for the example:
</p>
<pre> ...
larry:<b>$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK</b>:16134:0:99999:7:::
...
</pre>
<h3><span class="mw-headline" id="Sanitize">Sanitize</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=11" title="Edit section: Sanitize">edit</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>Run <span style="font-family: monospace; font-size: 95%; font-weight: bold;" class="tripleclick-separator">pwck</span> to assure file consistency and to sanitize system files involved.
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>pwck</code></div></div>
<div class="alert alert-success gw-box" style="padding-top: 8px; padding-bottom: 8px;"><strong><i class="fa fa-check-circle"></i> Tip</strong><br /><b>Best practice</b>: Always sanitize files if there is a <span style="font-family: monospace; font-size: 95%; font-weight: bold;" class="tripleclick-separator">$tool</span> for it. This <i>saves</i> a lot of <b>time</b> spent on needless troubleshooting.</div>
<h3><span class="mw-headline" id="Verify">Verify</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=12" title="Edit section: Verify">edit</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>Open a SSH connection to localhost, using that changed test username, here larry:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>ssh larry@localhost</code></div></div>
<p>If authentication succeeds, then you are ready to plan the migration, on working users.
</p>
<h3><span class="mw-headline" id="Clean_up">Clean up</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=13" title="Edit section: Clean up">edit</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>After the testing is finished, remove larry from the system
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>userdel larry</code></div></div>
<h2><span class="mw-headline" id="etckeeper_whitelist_configuration">etckeeper whitelist configuration</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=14" title="Edit section: etckeeper whitelist configuration">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<div class="alert alert-info gw-box" style="padding-top: 8px; padding-bottom: 8px;"><strong><i class="fa fa-sticky-note-o fa-rotate-180"></i> Note</strong><br />Create a <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">.gitignore</span> file <b>before</b> running the etckeeper initialization.</div>
<p>This example below shows how to save <i>explicit</i> files to the <a href="/wiki/Etckeeper" title="Etckeeper">etckeeper</a> repository. This is the <b>reverse</b> approach, compared to the default etckeeper configuration, which
</p><p>The first entry <code>*</code> ignores ALL files in the /etc directory, following <code>!</code> negated entries mark the <i>interesting</i> files that will be saved to the repository.
</p><p>Configuration example for saving these 3 files:
</p>
<ul><li><span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/crontab</span></li>
<li><span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/inittab</span></li>
<li><span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/resolv.conf</span></li></ul>
<div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/.gitignore</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-ini mw-content-ltr" dir="ltr"><pre><span></span><span class="c1"># ignore everything</span>
<span class="na">*</span>
<span class="c1"># now add interesting files</span>
<span class="na">!crontab</span>
<span class="na">!inittab</span>
<span class="na">!resolv.conf</span>
</pre></div>
<p>Configuration example for <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/apache2/</span> directory:
</p>
<div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/.gitignore</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-ini mw-content-ltr" dir="ltr"><pre><span></span><span class="c1"># ignore everything</span>
<span class="na">* </span>
<span class="c1"># now add interesting files and dirs</span>
<span class="na">!apache2/</span>
<span class="na">!apache2/*</span>
</pre></div>
<p>Configuration example for directories containing subdirectcories with interesting files:
</p>
<ul><li><span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/apache2/httpd.conf</span></li>
<li><span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/apache2/vhosts.d/</span></li>
<li><span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/apache2/modules.d/</span></li></ul>
<div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/.gitignore</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-ini mw-content-ltr" dir="ltr"><pre><span></span><span class="c1"># ignore everything </span>
<span class="na">* </span>
<span class="c1"># now add interesting files and dirs </span>
<span class="na">!apache2/</span>
<span class="na">!apache2/httpd.conf</span>
<span class="na">!apache2/modules.d/</span>
<span class="na">!apache2/modules.d/*</span>
<span class="na">!apache2/vhosts.d/</span>
<span class="na">!apache2/vhosts.d/*</span>
</pre></div>
<h2><span class="mw-headline" id="Automated_rebuild_of_portage_packages">Automated rebuild of portage packages</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=15" title="Edit section: Automated rebuild of portage packages">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<p>This solution relies on the <span style="white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the sys-process/cronie package."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/sys-process/cronie"><span style="font-family: monospace; font-size: 95%; color: MidnightBlue;">sys-process/cronie</span></a><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-hdd-o fa-fw"></span></span> and the usage of anacron USE flag.
</p><p>What does that anacron USE flag do, verify using the euse tool:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>euse -i anacron</code></div><pre>[- ] anacron (sys-process/cronie):
Install the periodic anacron command scheduler.
</pre></div>
<p>it is a added feature or function to cronie. The anacron USE flag re-schedules missed cron jobs for machines that are not 24/7 online, like f.e. laptops, workstations. Apart from that it is working like an usual cron scheduler. This feature does not rely on the separate anacron package.
</p><p>Install cronie:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge --ask sys-process/cronie</code></div></div>
<p>Schedule daily rebuild by adding following file in the <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/cron.daily/</span> directory:
</p>
<div class="alert alert-info gw-box" style="padding-top: 8px; padding-bottom: 8px;"><strong><i class="fa fa-sticky-note-o fa-rotate-180"></i> Note</strong><br /><a href="/wiki/User:Sam" title="User:Sam">user:Sam</a> suggested sanity checks are missing the <i>pre-upgrade</i> and <i>post-emerge</i> routines are not handled by this script. Read <a href="/wiki/Portage_log" title="Portage log">Portage_log</a> and <a href="/wiki/Elogv" title="Elogv">elogv</a> for final solution.</div>
<div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/cron.daily/portage</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-bash mw-content-ltr" dir="ltr"><pre><span></span><span class="ch">#!/bin/sh</span>
<span class="c1">#</span>
<span class="c1"># Sync portage using eix-sync</span>
<span class="c1"># -U Do not touch the database, do not show differences</span>
<span class="c1"># -T Do not measure time</span>
/usr/bin/eix-sync<span class="w"> </span>-U<span class="w"> </span>-T
<span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$?</span><span class="w"> </span>-eq<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span>logger<span class="w"> </span><span class="s2">"eix-sync has finished."</span>
<span class="k">else</span>
<span class="w"> </span>logger<span class="w"> </span><span class="s2">"eix-sync has exited with error code: </span><span class="nv">$?</span><span class="s2">"</span>
<span class="k">fi</span>
<span class="c1"># Now update the database</span>
/usr/bin/eix-update
<span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$?</span><span class="w"> </span>-eq<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span>logger<span class="w"> </span><span class="s2">"eix-update has finished."</span>
<span class="k">else</span>
<span class="w"> </span>logger<span class="w"> </span><span class="s2">"eix-update has exited with error code: </span><span class="nv">$?</span><span class="s2">"</span>
<span class="k">fi</span>
<span class="c1"># Emerge world packages. For skipping bugged ebuild, </span>
<span class="c1"># add "EMERGE_DEFAULT_OPTS= --keep-going"* to make.conf file</span>
emerge<span class="w"> </span>-uDN<span class="w"> </span>@world
<span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$?</span><span class="w"> </span>-eq<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span>logger<span class="w"> </span><span class="s2">"emerge --world has finished."</span>
<span class="k">else</span>
<span class="w"> </span>logger<span class="w"> </span><span class="s2">"emerge --world has exited with error code: </span><span class="nv">$?</span><span class="s2">"</span>
<span class="k">fi</span>
<span class="c1"># And keep everything working</span>
emerge<span class="w"> </span>@preserved-rebuild
<span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$?</span><span class="w"> </span>-eq<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span>logger<span class="w"> </span><span class="s2">"emerge @preserved-rebuild has finished."</span>
<span class="k">else</span>
<span class="w"> </span>logger<span class="w"> </span><span class="s2">"emerge @preserved-rebuild has exited with error code: </span><span class="nv">$?</span><span class="s2">"</span>
<span class="k">fi</span>
<span class="c1"># Write a message to syslog portage rebuild has finished now.</span>
logger<span class="w"> </span><span class="s2">"daily cron portage update has finished with exit status: </span><span class="nv">$?</span><span class="s2">"</span>
</pre></div>
<p>Make the <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/cron.daily/portage</span> file executable by adding the +x flag:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>chmod +x /etc/cron.daily/portage</code></div></div>
<p>This will schedule run the eix-sync and ebuild jobs, at ~03:00 AM. And if the job has been missed because host was turned off, the job gets scheduled after a the host has been turned on again.
</p><p>Now it would be nice to see, what has been rebuild and how it worked out without using any complex commands. Add a bash script to the ~/bin directory of the root user. The script runs 2 qlop commands showing the results from beginning of the day. qlop is part of <span style="white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the app-portage/portage-utils package."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/app-portage/portage-utils"><span style="font-family: monospace; font-size: 95%; color: MidnightBlue;">app-portage/portage-utils</span></a><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-hdd-o fa-fw"></span></span> ebuild.
</p>
<div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/root/bin/emergelog.sh</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-bash mw-content-ltr" dir="ltr"><pre><span></span><span class="ch">#!/bin/sh</span>
qlop<span class="w"> </span>-H<span class="w"> </span>-s<span class="w"> </span>-d<span class="w"> </span>today
qlop<span class="w"> </span>-H<span class="w"> </span>-m<span class="w"> </span>-u<span class="w"> </span>-d<span class="w"> </span>today
</pre></div>
<p>Make the <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/root/bin/emergelog.sh</span> file executable by adding the +x flag:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>chmod +x ~/bin/emergelog.sh</code></div></div>
<p>Because I am even to tazy to run that command manually, I add following lines to the <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/root/.profile</span> file, this calls the upper <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/root/bin/emergelog.sh</span>, each time the root user authenticates to this host. Additionally this lists the last 8 lines of the <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/var/log/emerge.log</span> file:
</p>
<div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/root/.profile</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-bash mw-content-ltr" dir="ltr"><pre><span></span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Last emerged packages:"</span>
sh<span class="w"> </span>~/bin/emergelog.sh
<span class="nb">echo</span><span class="w"> </span><span class="s2">""</span>
<span class="nb">echo</span><span class="w"> </span><span class="s2">"Last emerge.log entries:"</span>
tail<span class="w"> </span>-n<span class="w"> </span><span class="m">8</span><span class="w"> </span>/var/log/emerge.log
<span class="nb">echo</span><span class="w"> </span><span class="s2">""</span>
</pre></div>
<p>And this is the prompt how it looks like after successful authentication:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code><pre>Last emerged packages:
2020-04-21T02:30:13 *** gentoo
2020-04-21T03:22:44 >>> dev-util/re2c
2020-04-21T03:32:45 >>> net-misc/whois
2020-04-21T08:20:39 >>> dev-libs/libpcre2
Last emerge.log entries:
1587455666: *** Finished. Cleaning up...
1587455669: *** exiting successfully.
1587455669: *** terminating.
1587455675: Started emerge on: Apr 21, 2020 09:54:34
1587455675: *** emerge --keep-going @preserved-rebuild
1587455687: *** Finished. Cleaning up...
1587455690: *** exiting successfully.
1587455691: *** terminating.
</pre></code></div></div>
<p>This is a optional step and could be useful on always on systems, for the update routine to be sane. If the update routine has changed the daemons libriaries, that particular service would need a unattended restart. To accomplish ths use following tool:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge --ask app-admin/needrestart</code></div></div>
<p>Default configuration needs to be adjusted to the own system. Do not rely on defaults. <span style="white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the app-admin/needstart package."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/app-admin/needstart"><span style="font-family: monospace; font-size: 95%; color: MidnightBlue;">app-admin/needstart</span></a><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-hdd-o fa-fw"></span></span> needs further configuration. The list of all configuration files:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>tree /etc/needrestart</code></div></div>
<p>This solution works 99% of the time. If packages fail to build, this needs to be resolved manually by doing a world rebuild, and inspecting what has gone wrong.
</p>
<h2><span class="mw-headline" id="laptop_mode_laptop_roaming_howto">laptop_mode laptop roaming howto</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=16" title="Edit section: laptop mode laptop roaming howto">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<h3><span class="mw-headline" id="Additional_software">Additional software</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=17" title="Edit section: Additional software">edit</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>These packages are all needed to get it to run:
</p>
<ul><li><a href="/wiki/Openrc" class="mw-redirect" title="Openrc">openrc</a> — a dependency-based <a href="https://en.wikipedia.org/wiki/Init" class="extiw" title="wikipedia:Init">init system</a> for Unix-like systems that maintains compatibility with the system-provided <a href="/wiki/Init_system" title="Init system">init system</a> - with enabled <b>USE</b> flag <i>netifrc</i></li>
<li><a href="/wiki/Wpa_supplicant" title="Wpa supplicant">wpa_supplicant</a> — a <a href="/wiki/Wi-Fi" title="Wi-Fi">Wi-Fi</a> supplicant</li>
<li><span style="white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the sys-apps/ifplugd package."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/sys-apps/ifplugd"><span style="font-family: monospace; font-size: 95%; color: MidnightBlue;">sys-apps/ifplugd</span></a><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-hdd-o fa-fw"></span></span> - Brings up/down ethernet ports automatically with cable detection</li>
<li><a href="/wiki/Dhcpcd" title="Dhcpcd">dhcpcd</a> — a popular DHCP client capable of handling both IPv4 and IPv6 configuration.</li>
<li><span style="white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the app-laptop/laptop-mode-tools package."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/app-laptop/laptop-mode-tools"><span style="font-family: monospace; font-size: 95%; color: MidnightBlue;">app-laptop/laptop-mode-tools</span></a><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-hdd-o fa-fw"></span></span> - Linux kernel laptop_mode user-space utilities</li></ul>
<h3><span class="mw-headline" id="Configuration">Configuration</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=18" title="Edit section: Configuration">edit</a><span class="mw-editsection-bracket">]</span></span></h3>
<h4><span class="mw-headline" id="OpenRC">OpenRC</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=19" title="Edit section: OpenRC">edit</a><span class="mw-editsection-bracket">]</span></span></h4>
<p>Managing daemon status and interfaces reflecting the current powerlevel AC or running on battery. This can be accomplished by using <span style="white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the sys-apps/openrc package."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/sys-apps/openrc"><span style="font-family: monospace; font-size: 95%; color: MidnightBlue;">sys-apps/openrc</span></a><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-hdd-o fa-fw"></span></span>. OpenRC configuration and management is more complex compared to the <span style="white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the app-laptop/laptop-mode-tools package."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/app-laptop/laptop-mode-tools"><span style="font-family: monospace; font-size: 95%; color: MidnightBlue;">app-laptop/laptop-mode-tools</span></a><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-hdd-o fa-fw"></span></span> configuration approach, but also much more flexible.
A simplified openrc configuration is needed. Dynamic services are handled by laptop-mode-tools. Overview of running daemons handled by openrc runlevel default, note laptop_mode daemon is started here:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>rc-status default</code></div><pre>Runlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
acpid [ started ]
cupsd [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
sshd [ started ]
</pre></div>
<p>Following daemons need to be managed by laptop-tools:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>rc-status default</code></div><pre> net.eth0 [ started ]
net.wlan0 [ started ]
sshd [ started ]
cupsd [ started ]
</pre></div>
<p>Remove the daemons from the openrc default startup level
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>rc-update del net.eth0 default</code></div></div>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>rc-update del net.wlan0 default</code></div></div>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>rc-update del net.sshd default</code></div></div>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>rc-update del net.cupsd default</code></div></div>
<p>Verify the default startup of openrc:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>rc-status default</code></div><pre>Runlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
acpid [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
</pre></div>
<h3><span class="mw-headline" id="Laptop-mode-tools">Laptop-mode-tools</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=20" title="Edit section: Laptop-mode-tools">edit</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>The laptop_mode tools dynamic configuration relies on default 2 ACPI levels:
</p>
<ul><li>laptop is running on AC power</li>
<li>laptop is running on battery</li></ul>
<p>laptop-mode tools has 2 according ACPI states named <b>batt</b> and <b>lm-ac</b>:
</p>
<ul><li>batt</li>
<li>lm-ac</li>
<li>nolm-ac</li></ul>
<p>The 3-rd state <b>nolm-ac</b> (laptop-mode tools daemon NOT running) is not used.
</p><p>Get an overview of the laptop-mode directory:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>tree -L 1 /etc/laptop-mode</code></div><pre> /etc/laptop-mode
├── batt-start
├── batt-stop
├── conf.d
├── laptop-mode.conf
├── lm-ac-start
├── lm-ac-stop
├── lm-profiler.conf
├── modules
├── nolm-ac-start
└── nolm-ac-stop
</pre></div>
<p>Each of the 3 predefined states <b>batt</b> <b>lm-ac</b> and <b>nolm-ac</b> have a <i>-start</i> and <i>-stop</i> suffix in the directory structure. There is also a conf.d directory for services configuration that would be handled by laptop-mode and a modules directory for modules to be used explicitelly.
</p><p>The goal is reached when the laptop automatically determines which daemons need to be started and which need to be stopped depending on the ACPI battery level.
</p><p>There are 2 states in which the laptop is working:
</p>
<ul><li>laptop is docked, ac connected, wired access, printing available, ssh daemon running</li>
<li>laptop is not docked, battery, wireless access, no priting available, no ssh daemon runni</li></ul>
<p>Adjust the previosly removed daemons to laptop-mode. Change to the battery level. wlan is the only one service needed while running on battery.
</p><p>Change to the directory:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>cd /etc/laptop-mode/batt-start/</code></div></div>
<p>Create a symlink to daemons to be run while on battery:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>ln -s /etc/init.d/net.wlan0 . </code></div></div>
<p>Change to the directory /etc/laptop-mode/batt-stop/:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>cd /etc/laptop-mode/batt-stop/</code></div></div>
<p>Create a symlink to deamons to be stopped while on battery:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>ln -s /etc/init.d/cupsd . </code></div></div>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>ln -s /etc/init.d/net.eth0 . </code></div></div>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>ln -s /etc/init.d/sshd . </code></div></div>
<p>Start and Stop daemons handled by the battery status after configuration:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>tree -L 1 /etc/laptop-mode/batt-st*</code></div><pre>tree -L 1 /etc/laptop-mode/batt-st*
/etc/laptop-mode/batt-start
└── net.wlan0 -> /etc/init.d/net.wlan0
/etc/laptop-mode/batt-stop
├── cupsd -> /etc/init.d/cupsd
├── net.eth0 -> /etc/init.d/net.eth0
└── sshd -> /etc/init.d/sshd
</pre></div>
<p>Start and Stop daemons handled by the battery status:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>tree -L 1 /etc/laptop-mode/lm-ac-st*</code></div><pre>/etc/laptop-mode/lm-ac-start
├── cupsd -> /etc/init.d/cupsd
├── net.eth0 -> /etc/init.d/net.eth0
└── sshd -> /etc/init.d/sshd
/etc/laptop-mode/lm-ac-stop
└── net.wlan0 -> /etc/init.d/net.wlan0
</pre></div>
<h3><span class="mw-headline" id="Verification">Verification</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=21" title="Edit section: Verification">edit</a><span class="mw-editsection-bracket">]</span></span></h3>
<p>Docked laptop and service status:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>rc-status default</code></div><pre>Runlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
mpd [ started ]
acpid [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
net.eth0 [ started ]
cupsd [ started ]
Dynamic Runlevel: manual
sshd [ started ]
</pre></div>
<p>Undocked status:
</p>
<div class="cmd-box"><div><code style="color: #4E9A06; font-weight: bold;">user <span style="color:royalblue;">$</span></code><span class="tripleclick-separator"></span><code>rc-status default</code></div><pre>Runlevel: default
lm_sensors [ started ]
sysklogd [ started ]
sensord [ started ]
alsasound [ started ]
mpd [ started ]
acpid [ started ]
cronie [ started ]
chronyd [ started ]
laptop_mode [ started ]
local [ started ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
net.wlan0 [ started ]
</pre></div>
<p>This is a ready, easy to use, running configuration.
</p>
<h2><span id="Enable_IPv6_privacy_extensions_(RFC4941)"></span><span class="mw-headline" id="Enable_IPv6_privacy_extensions_.28RFC4941.29">Enable IPv6 privacy extensions (RFC4941)</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=22" title="Edit section: Enable IPv6 privacy extensions (RFC4941)">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<p>IPv6 privacy extensions are disabled by default on GNU/linux, they lead to problems if users are not aware of this.
To enable privacy extensions on gentoo permanently add following lines and reboot the system:
</p>
<div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/sysctl.conf</code></strong><strong>Enabling IPv6 privacy extensions</strong></div> <div class="mw-highlight mw-highlight-lang-ini mw-content-ltr" dir="ltr"><pre><span></span><span class="na">...</span>
<span class="c1"># Enabling IPv6 privacy extensions for specified interfaces. </span>
<span class="c1"># here eth0 and wlan0</span>
<span class="c1"># net.ipv6.conf.eth0.use_tempaddr = 2</span>
<span class="c1"># net.ipv6.conf.wlan0.use_tempaddr = 2</span>
<span class="na">net.ipv6.conf.all.use_tempaddr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">2</span>
<span class="na">net.ipv6.conf.default.use_tempaddr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">2</span>
<span class="c1"># Setting q shorter timeout for a temporary IPv6 prefix</span>
<span class="c1"># default setting is one day</span>
<span class="na">net.ipv6.conf.eth0.temp_prefered_lft</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">14400</span>
<span class="na">net.ipv6.conf.wlan0.temp_prefered_lft</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">14400</span>
</pre></div>
<p>The setting <i>net.ipv6.conf.all.use_tempaddr</i> is used to propagate its value to all interfaces currently attached to the system. This setting might not work reliably for all interfaces. At least not on my own tested gentoo installations up to kernel 4.14.
</p><p>There are two old bugs in the Linux kernel bugtracker for this issue:
</p>
<ul><li><a rel="nofollow" class="external free" href="https://bugzilla.kernel.org/show_bug.cgi?id=11655">https://bugzilla.kernel.org/show_bug.cgi?id=11655</a></li>
<li><a rel="nofollow" class="external free" href="https://bugzilla.kernel.org/show_bug.cgi?id=9224">https://bugzilla.kernel.org/show_bug.cgi?id=9224</a></li></ul>
<h2><span class="mw-headline" id="Wiki_templates_for_templates">Wiki templates for templates</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=23" title="Edit section: Wiki templates for templates">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<ul><li><a href="/wiki/Category:Templates_for_templates" title="Category:Templates for templates">Category:Templates_for_templates</a></li></ul>
<h2><span class="mw-headline" id="Command_sequence_for_old_gentoo_boxes_to_update_after_a_long_time">Command sequence for old gentoo boxes to update after a long time</span><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/index.php?title=User:Needle&action=edit&section=24" title="Edit section: Command sequence for old gentoo boxes to update after a long time">edit</a><span class="mw-editsection-bracket">]</span></span></h2>
<p>This is a basic sequence of commands for updating older gentoo boxes.
</p><p>Divide and conquer:
Update the toolchain first, then resolve the blocks manually afterwards.
</p><p>Sync portage tree:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>eix-sync</code></div></div>
<p>Update the portage application:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge --oneshot portage</code></div></div>
<p>Emerge latest linux kernel first:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge gentoo-sources</code></div></div>
<p>Show available kernel sources:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>eselect kernel list</code></div></div>
<p>Set the latest linux kernel version:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>eselect kernel set <input></code></div></div>
<p>Emerge GCC first:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge --oneshot gcc</code></div></div>
<p>Show availabe GCC compilers:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>eselect gcc list</code></div></div>
<p>Set the latest available GCC compiler in the list:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>eselect gcc set <input></code></div></div>
<p>Check if the desired GCC has been set, apply portage postinstall hint:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>eselect gcc list</code></div></div>
<p>Emerge latest glibc
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge --oneshot glibc</code></div></div>
<p>Check the latest gentoo related toolchain changes on the wiki, bugs, etc: <a href="/wiki/Project:Toolchain" title="Project:Toolchain">Project:Toolchain</a>
</p><p>Emerge latest binutils:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge binutils</code></div></div>
<p>Show current available binutils:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>eselect binutils list</code></div></div>
<p>Set the latest binutils version:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>eselect binutils set <input></code></div></div>
<p>Verify binutils setting:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>eselect binutils list</code></div></div>
<p>Emerge latest python
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge --oneshot python</code></div></div>
<p>Emerge latest perl:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge --oneshot perl</code></div></div>
<p>Emerge latest iproute2
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge --oneshot iproute2</code></div></div>
<p>Update the system with following command, resolve dependency errors:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge -vauDN system</code></div></div>
<p>Update the system with following command, resolve dependency errors:
</p>
<div class="cmd-box"><div><code style="color: #ef2929; font-weight: bold;">root <span style="color:royalblue;">#</span></code><span class="tripleclick-separator"></span><code>emerge -vauDN world</code></div></div>
<p>Now it is done.
</p>
' |
Unix timestamp of change (timestamp) | 1705685521 |