Domain: serverfault.com
Stories and comments across the archive that link to serverfault.com.
Comments · 68
-
Re:How will it work for businesses?
"Our business is lagging behind on Windows 10 feature updates. They have to be initiated manually and take hours to install for each PC, which makes it very difficult to schedule with the users, especially since most of them have portables."
You need to buy system center to fix this problem. You need to install the updates with system center.
"Also the latest version of Windows 10 (1809) broke unattended installs where a batch file calls exe programs residing on a server location, which is typical for our large CAD software deployments."
This might be because of hardened paths, which have been there a while. Part of my install is to whitelist the ones that I don't want any security on, like so:
https://serverfault.com/a/7549...
Otherwise it's another setting and configurable. Win10 is garbage but there are ways to make it work in a way approaching usability.
-
Re:Address space collisions...
Short answer: you can either hide them behind different switches, or the network is going to keep alternately connecting one (which disconnects the other), then the other, since it can't tell them apart.
-
Re:Ubuntu seems to be faltering
Also, as a followup, the mysql bug also happens on fresh installs (it just isn't included in that particular bug report):
https://serverfault.com/questi...
There is no excuse for this.
-
Relevant Server Fault question:
-
Re:It violates fundamental Unix principles
Does it send email yet?
Not really. https://serverfault.com/a/8762...
-
Re:Fuck off with this security bullshit.
Do not use an invented TLD. If ICANN were to delegate it, you would be in big trouble. Same thing if you merge with another organization which happens to use the same dummy TLD. That's why globally unique domain names are preferred. The standard, RFC 2606 reserves names for examples, documentation, testing, but nothing for general use, and for good reasons: today, it is so easy and cheap to get a real and unique domain name that there is no good reason to use a dummy one. So, buy megacorp.com and use it to name your devices. https://serverfault.com/questi...
-
Re: CentOS/RHEL on the desktop?
When I install yum-cron and only select security updates, how is that not the same?
Doesn't work. The security updates are not tagged as such in those repos, that's a feature available only in paid versions of RH repos.
See this discussion for instance: https://serverfault.com/questi...
or
https://bugs.centos.org/view.p...
I don't know what exactly you see in your list but it's probably everything, not just security ones.
The only way to do it would be to piggyback on the updates in a valid RHEL subscription to pick & choose, but I'm pretty sure that would break the EULA.
-
Re: Speed is less important than no data caps
The cron tool can be used to run a command at a given time, provided that the computer is on and the command exists.
The computer is on
This answer by jeff on Server Fault states that cron runs only if the computer is on, not if it is shut down or asleep. This means that if the computer is on at midnight but off at 8 AM, the policy will get set to not metered at midnight but not set back to metered at 8 AM. A tool that runs missed jobs after restart or resume exists, called anacron, but it doesn't handle tasks that must execute on a schedule more precise than once per day.
The command exists
What is the command to change a particular network connection's policy between assuming upstream is unmetered and assuming upstream is metered? This answer by philsf on Ask Ubuntu claims that this feature didn't exist as of January 2016. Has it been implemented since then?
set a connection as metered. W
-
Re:Honest question: what is the best...
[...]Windows tablet that can run full Windows programs (not "apps")?
At the moment every Windows 10 tablet can run full Windows programs...
This is news to me! Previous AC explicitly excluded Universal Apps, which means you're saying that a $70 arm tablet will run x86 binaries?
UPDATE: so it seems that even the cheapest Win10 tablet at has an intel atom(x86_64) processor.
Furthermore, it seems Microsoft has included an x86 emulation layer allowing 32-bit x86 code to be run on ARM devices.
Sorta makes sense. Apple did the same thing when moving to Intel via Rosetta. On Linux, qemu has a way of directly running Linux binaries of one arch on hardware of any other supported arch (no VM!)
-
Re:Great!
-
Re:Competency
You might want to read this:
http://serverfault.com/questio...
-
Re:I don't need a registered luser acct
You are so delusional it is cute. Keep it up, maybe one day you will score a point, but for now, you are a failure.
I'll leave you with some reading, others recommending against using hosts files:
http://superuser.com/questions...
http://serverfault.com/questio...
Keep up the good fight APQuixote, one day that windmill will bow to your "superiority".
-
Re:Has IPv6's reputation just been destroyed?
-
ServerFault Meta Admins Have Confirmed It A Hoax
ServerFault Meta admins have confirmed that it was a deliberate "Guerilla Marketing" promotional hoax. Seems it was highly effective. The original thread has been deleted, though admins are still deciding what to do, if/how to punish user account, etc.
-
Re: Three words
In other words the story is bullshit -- which is perhaps why it is no longer on server fault.
http://serverfault.com/questions/769357/recovering-from-a-rm-rf
-
Re:Facebook -- ???
Certificate pinning doesn't help when each server in a load-balanced cluster generates its own private key and CSR and thus needs its own certificate. IIS is believed to do this by default.
-
Re:Sigh. She is NOT an engineer.
A nice theory. But this is how it works really.
-
Re:Khyber, if ANYONE's a moron, it's you... apk
http://www.computerworld.com/a...
http://simpleprogrammer.com/20...
https://lonesysadmin.net/2008/...
http://windowssecrets.com/lang...
http://serverfault.com/questio...
*YAWN* Try again when you're an actual competent system admin, APK. You're completely fucking useless, outdated, and even 5 year olds know better than you.
-
Re:Every customer of mine
Try this:
-
Re:I want to get paid
Poke it into a VM. I've got old hardware that doesn't have drivers supported on the host machine, but work fine through the VM. Should you not want to be tied to a particular machine this is an option you may want to look into.
I'm not so sure this will work with Windows XP, at least not as "easily" as described in your link. Windows XP likes to BSoD on boot if you restore an image from one set of hardware onto another set of hardware; something to do with XP blindly loading the installed motherboard drivers I think.
-
Re:I want to get paid
Poke it into a VM. I've got old hardware that doesn't have drivers supported on the host machine, but work fine through the VM. Should you not want to be tied to a particular machine this is an option you may want to look into.
-
Re:Man vs Machine?
Even Windows has implemented NTP (albeit a crappy implementation that's "only" good to within a second or two) by default for more than a decade now.
The default for Windows 7 (non-domain) is to update once a week, and I routinely found my PVR system off by a minute or more. There is a way to change the update interval but you either need to download a special program to make the changes or edit the registry by hand.
-
ID's NeXT hard drive images?
It is great to see more of ID's early work opened up.
A while back there was even some talk about releasing the hard drive images from some of their NeXT computers used to create DOOM. http://serverfault.com/questio...
I wonder if anything will come of that? It would be doubly awesome right about now because the NeXT emulator "Previous" has gotten far along enough where it can actually boot to a 68K NeXTSTEP desktop!
-
Re:It's not just the implementation
OpenVPN does its own transport protocol (on top of UDP or whatever was configured) to wrap the SSL control connection in. And for that reason OpenVPN implements its own heartbeat protocol. Let me repeat that: there is no use for TLS heartbeats with OpenVPN.
Side-note: as OpenVPN does not use vanilla SSL sockets, simple-minded Heartbleed exploits that work against HTTPS etc. won't be usable against it, but it is possible to hand-craft a Heartbleed attack against OpenVPN servers (or clients) running with unpatched libopenssl (although AFAIK such an attack has not been seen in the wild yet).
-
Re:reduce the amount
> RAIDZ can be dynamically expanded
--To the best of my knowledge, not so much. You can create a pool of mirrors and expand that, but expanding a RAIDZ (ideally) should be done with the same number (and capacity) of drives that was in the original RAIDZ - for balancing purposes. Otherwise you get weird errors and possible performance impact. Building asymmetrical pools is fine in a VM, but on bare-metal you kinda have to start to question what to do if there's data loss.
http://serverfault.com/questio...
--You can expand the underlying disks in a pool, but it's a PITA and requires repetitive resilvers.
http://jsosic.wordpress.com/20...
http://www.itsacon.net/compute...
--Honestly, adding a 4-port SATA card to an existing system and using all-new drives is probably the best bet for expanding existing storage. You can buy 2-4TB drives depending on budget, copy the data over, and repurpose the existing pool of old/smaller drives until the HW starts failing.
PROTIP: With newer drives (4k sectors) you're better off setting the ASHIFT to 12 on your ZFS pool right off the bat. Will save you trouble later -- I speak from experience.
https://www.icts.uiowa.edu/con...
/ Btrfs has some promising features, but practically I would give it another ~2 years to get to production-ready as of this writing. Just my $2.02
-
Re:Android already has this...
I don't know what you're talking about with Exchange.... Activesync doesn't allow your Exchange Administrator to wipe your phone. He can only wipe the emails on your mail server, and THAT'S IT!
Must be a troll, given the bait-y capitalizations.
I'll just leave this right here Control + F , type remote wipe.
If "they" let YOU administer it from your own webmail interface, why WOULDN'T the server administrator with a vested interest in their company-attached device be mightier than the BYOD peons?
I turned it off and killed the permissions when I realized that vengeance, incompetence, or a virus might trigger this stuff. They don't even implement this on laptops, which are more likely to have your work files than cellphones. So why so aggressive on the security hole of their preference anyway?
It's not access to data they're safeguarding, since they don't enforce even half of the wipe privs if you just browse your email on the smartphone.
-
Parts of Australia require two licences
I lack the time to search through current city codes worldwide, but this answer to a question on Server Fault and this forum post and these comments to a Lifehacker article claim that at least one Australian state requires that even licensed electricians need or needed a separate data cabling licence.
-
Re:Hidden performance when on the cheap
Let's say that you have 8 CPUs, you may need to wait for 8 CPUs to be unused on the physical host you are on before you get to do any work at all. If you have 1 or 2 CPUs then this is far less of an issue. The greater the core count the bigger the issue.
You seem to be describing a "feature" in versions of VMware that are very old these days.
See some of the answers e.g. at http://serverfault.com/questions/218823/can-a-vm-perform-better-when-only-two-cores-instead-of-four-cores-are-presented
Not only VMware. I've seen discussions about VirtualBox that suggests it has a similar constraint, at least in some versions. I have found references stating that KVM does not suffer from this problem, but have been unable to determine whether or not Xen does.
-
Re:Hidden performance when on the cheap
Let's say that you have 8 CPUs, you may need to wait for 8 CPUs to be unused on the physical host you are on before you get to do any work at all. If you have 1 or 2 CPUs then this is far less of an issue. The greater the core count the bigger the issue.
You seem to be describing a "feature" in versions of VMware that are very old these days.
See some of the answers e.g. at http://serverfault.com/questions/218823/can-a-vm-perform-better-when-only-two-cores-instead-of-four-cores-are-presented
-
Re:So... no separation between system and userspac
Hum, in most large deployments, the databases are not even in the same machine, let alone VM, as the web server. This is the only way to ensure you can scale (adding more web servers dynamically) and optimize the systems for their workloads.
For example, see the Stack Overflow architecture: http://blog.serverfault.com/2011/09/
Frankly, if you're running the RDBMS on the same server as the web service, you're - like me - running a toy database.
-
Re:stop trying, use git instead
-
Re:IT the bottleneck?
Here's why IT doesn't use those 100 buck 1TB hard drives: http://serverfault.com/questions/263694/why-is-enterprise-storage-so-expensive/263695#263695
-
PS is also..
An example of 'NIH'. After years of people pretty much wanting a damn bourne shell, they... made something totally different. People wanted nicely interoperable ssh access, they got the hellish monster of powershell remoting over WebServices.
Now if you are a *pure* MS shop, then *anything* but cmd was a great help and the extraordinarily complex nasty crap underlying all their remoting and WMI is tucked away so you can't see just how much it is terrible.
Now MS recognizes that most datacenters are heterogeneous. What is their answer? Linux should just start acting like Windows: http://blog.serverfault.com/2013/06/03/cross-platform-configuration-management-is-hard/
Seriously, in their efforts to be more 'friendly' in a mixed datacenter, they decide the answer is the world would be so much easier if they can continue to ignore decades of established behaviors of others and just get those competitors to simply change their mind.
-
Re:Package maintainers don't test this use case
As a simple google search will show you
From the first result: "A lot of Linux software will be expecting to find its resource files in standard locations specified at compile-time, such as /usr/share or /usr/lib, which will fail if the software is not installed in the usual location."
To which you can typically specify where to search for libraries on the command-line - by prepending LD_LIBRARY_PATH to the command, or adding it to a shell script. They don't typically hard-code the whole path, just the library name. Your new environment needs to ensure it can find libraries that are not installed in the host OS.
It's not typically done
The very fact that this is not typically done discourages package maintainers from testing this use case, leading to lack of this capability in the application files extracted from the package. Nor is there an easily discoverable tool to create a chroot in which to install a package in one's home directory.
It's not typically done because most people don't need to do it any more. It was a rather common thing prior to the general use of Linux and FLOSS with the *nix community; that's changed mostly because you can typically just build the source yourself and build it to install there, or not install it at all and just run it. (I know not a good answer for non-technies.)
But that doesn't mean the original solution won't continue to work; and debootstrap+schroot rocks. You just have to be careful, as a 'root' user in the schroot environment can effectively have root permissions in the host OS as well - especially on anything that is shared between the two environments.
-
Package maintainers don't test this use case
As a simple google search will show you
From the first result: "A lot of Linux software will be expecting to find its resource files in standard locations specified at compile-time, such as /usr/share or /usr/lib, which will fail if the software is not installed in the usual location."
It's not typically done
The very fact that this is not typically done discourages package maintainers from testing this use case, leading to lack of this capability in the application files extracted from the package. Nor is there an easily discoverable tool to create a chroot in which to install a package in one's home directory.
-
Re:Uh, I get this with lacp
According to both the article which silas linked below (which is the original source for what I said), as well as a whole boatload of other documentation, that's not correct; it's an 802.1ad issue.
I did find this on serverfault which indicates that ONLY balance-roundrobin can get you 2gbps on a single tcp connection; and it also notes that some protocols don't like it, which means that it's not really a transparent bonding technology. All of the other methods of distributing packets rely on a hash of various values, for instance source mac and destination mac IDs, and regardless of method the hash will ALWAYS be the same on a single TCP connection, which means that the same single link will be used.
Regardless, the Linux Bonding driver is NOT the same thing as LACP, and it's not something you implement on the switch.
-
Re:A copy of the article:
-
Seamless + opensource, only two options: NX, Xpra
* NX is now closed source (v4 onwards) and the old branch (v3) is no longer maintained.
* Xpra absolutely kills everything else in terms of performance and features.
If you need a GUI on top of that (not sure you really do):
* Xpra has a limited GUI session launcher (but only for connecting to existing sessions at the moment)
* NX has a number of management tools - beware, most of them are abandoned or buggy and insecure.
* winswitch handles both and more (VNC, RDP, ssh -X, ...)
Disclaimer: Xpra and winswitch maintainer.
You did do a google search first, right? Did you miss this answer?
AFAICT, most of the other posts talk about virtualizing and other irrelevant topics.
-
Re:non-Oracle ZFS FTW
For Mac, try the free Zevo ZFS from Greenbytes: http://www.getgreenbytes.com/ZEVO
For Windows, if you are willing to use NTFS on an iSCSI volume hosted on ZFS by a FreeBSD NAS, you could still benefit from the checksumming provided by ZFS. See the comments by 3dinfluence here: http://serverfault.com/a/122408/79266
Or you could run a ZFS NAS in a FreeBSD VM on Windows, of course, and use it via SMB from Windows.
-
Re:Heh
Spinrite hasn't been useful for years. There's a good analysis why at Does SpinRite do what it claims to do?. Everything the program does can be done more efficiently with a simpler program run from a Linux boot CD. And the fact that it takes so long is a problem--you want to get data off a dying drive as quickly as possible. Here's what I wrote on that question years ago, and the rise of SSDs make this even more true now:
SpinRite was a great program in the era it was written, a long time ago. Back then, it would do black magic to recover drives that were seemingly toast, by being more persistent than the drive firmware itself was.
But here in 2009, it's worthless. Modern drives do complicated sector mapping and testing on their own, and SpinRite is way too old to know how to trigger those correctly on all the drives out there. What you should do instead is learn how to use smartmontools, probably via a Linux boot CD (since the main time you need them is when the drive is already toast).
My usual routine when a drive starts to go bad is to back its data up using dd, run smartmontools to see what errors it's reporting, trigger a self-test and check the errors again, and then launch into the manufacturer's recovery software to see if the problem can be corrected by it. The idea that SpinRite knows more about the drive than the interface provided by SMART and the manufacturer tools is at least ten years obsolete. Also, getting the information into the SMART logs helps if you need to RMA the drive as defective, something SpinRite doesn't help you with.
Note that the occasional reports you see that SpinRite "fixes" problems are coincidence. If you access a sector on a modern drive that is bad, the drive will often remap it for you from the spares kept around for that purpose. All SpinRite did was access the bad sector, it didn't actually repair anything. This is why you still get these anecdotal "it worked for me" reports related to it--the same thing would have been much better accomplished with a SMART scan.
-
Re:Don't squabble with Bob
He could just keep the system as it is, but slap a search interface onto it and have it index its files and their content -- to make them easier to find.
http://serverfault.com/questions/40356/open-source-alternative-to-google-appliance-for-intranet-search
http://university-web-developers.1112205.n2.nabble.com/Moving-away-from-a-Google-Search-Appliance-GSA-advice-td6509523.html
https://developers.google.com/search-appliance/documentation/68/secure_search/secure_search_crwlsrv
http://docfetcher.sourceforge.net/en/index.html
I assume that Google Drive will get that capability soon, but right now, it doesn't have it.
-
Re:SSD wear cliff
Can't help beyond
http://serverfault.com/questions/385446/how-do-you-monitor-ssd-wear-in-windows-when-the-drives-are-presented-as-generic
Note that real enterprise RAID stuff provides really good information about wear.
See the IBM tools linked above (and likely the HP ones mentioned).
-
Re:BTRFS experiences?
LVM has some issues of its own, and requires careful setup to avoid data loss. Also its snapshots are quite buggy and slow. See http://serverfault.com/questions/279571/lvm-dangers-and-caveats/279577#279577 for details.
-
I have a dream
A dream that all web sites use https for everything. Why do so many web sites still not use https? Do they *like* third-parties being able to snoop on their visitors?
https://www.eff.org/https-everywhere/faq
https://httpsnow.org/
http://arstechnica.com/business/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it/
http://arstechnica.com/business/2011/03/https-is-great-here-is-why-everyone-needs-to-use-it-so-ars-can-too/
http://serverfault.com/questions/161854/how-to-set-up-https-without-paying-anything-anywhere-but-with-no-warnings-from
-
A good description and postmortem here...
This was covered well on ServerFault yesterday as someone noticed sudden system instability across their servers.
-
Does this affect desktop distros?
Will this affect desktop distros such as Ubuntu? Seems like a few Debian based servers have crashed. http://serverfault.com/questions/403732/anyone-else-experiencing-high-rates-of-linux-server-crashes-today
-
Re:How is this an issue?
Watch the excitement unfold as recent kernel patches unravel http://serverfault.com/questions/403732/anyone-else-experiencing-high-rates-of-linux-server-crashes-today
-
The trouble with IPMI is the defaults
IPMI is useful but a huge security hole with some bad default settings. Some servers come with ADMIN/ADMIN as the factory default. Some Dell servers use "admin/calvin". The problem of securely getting a server from in the box to in service wasn't well worked out.
IPMI systems themselves can be vulnerable. Some are small ARM systems running Linux. Badly configured Linux. "Older versions of the X8SIL-F IPMI code accepted ssh connections no matter what password was given. The software would then check the password and reject or accept the connection, but there was a brief window to create ssh port forwards. People were getting spam/abuse complaints for their IPMI IPs because of this."
... "A second problem is an anonymous user with a default password. The anonymous user seems to be fixed in firmware version 2.22."
There's also the question of whether there might be a built-in factory password/key that you can't detect. If someone wanted to build a backdoor into servers, the IPMI interface firmware would be a very good place to do it. Especially since the article linked above found one.
-
Re:Where's the incentive?
You appear to be confused about the issue. This is not about capacity and oversubscription. This is about a pathology of queueing.
To be fair, it's about both.
Large queues are a problem, but they can be mitigated by adding more capacity (bandwidth). It doesn't matter how deep the queue can be if it's never used -- it doesn't matter how many packets can be queued if there's enough bandwidth to push every packet out as soon as it's put in the queue.
That said, your point about AQM being a valid solution to congestion is, of course, right on:
To avoid large (tens of milliseconds or more) queue backlogs on congested links, you use Active Queue Management. The idea with AQM is, if you have to queue packets (because you don't have enough bandwidth to push everything out in under 10 or 20 milliseconds), then start dropping packets (or ECN-marking them), so TCP's congestion control algorithms kick in.
Dropping packets before they get put in the queue is known as tail-drop AQM. Tail-drop AQM is actually one of the worst ways to do AQM. RED (marking or dropping packets *before* the queue becomes full) and head-drop AQM are better for latency and throughput. However, even a simple tail-drop AQM can *drastically* reduce latency on an oversubscribed (congested) link. AQM really works, and it works quite well.
TCP attempts to divide traffic for different streams evenly among all the flows passing through it.
Well, no, it doesn't. Each stream tries to fight for its own bandwidth, backing off when it notices congestion (dropped or ECN-marked packets). That means that the first stream that is going over the congested link will use the bulk of the bandwidth, because it will already be transmitting at full speed before other streams try to ramp up. The other streams won't be able to ramp up to match the first stream, as they will constantly encounter congestion, and the first stream won't back off enough to let other streams ramp up to match it. To truly enforce fairness between streams, you need AQM technologies, such as SFQ.
ISPs have a VERY LARGE incentive to do this.
ISPs certainly use AQM on their core routers, but they have an incentive NOT to use AQM where it really matters: on the congested link between your computer and the gateway. In other words, they don't set up proper AQM on the cable modem or DSL modem.
They don't set up AQM there because they have another incentive: maximizing speed-test results. AQM by definition slows traffic down, and slower speed-test results are what customers seem to care about above all else. People don't call support to say they're seeing over 100ms of latency, they call support saying they're paying for 10mbits and they want to see 10mbits on the speed-test site.
I don't have any faith that ISPs are going to fix this any time soon. However, AQM really does make a huge difference in the quality of one's internet connection. So much so that the first thing I do when setting up any new shared network (e.g. home or office network) is put a Linux box in between the cable/DSL modem and the rest of the network. There are many AQM scripts out there, but this one is mine: http://serverfault.com/questions/258684/automatically-throttle-network-bandwidth-for-users-causing-bulk-traffic/277868#277868
My script sets up HFSC and SFQ, as well as an ingress filter, to drop packets before they start filling up the large cable/DSL modem buffers. It does a bang-up job of reducing latency; I can hardly internet without AQM in place any more.
You can do the same thing (or at least a similar thing) with some of the SoHo Linux routers running DD-WRT and the like. Most of the scripts for those focus on QoS first and AQM second (if at all), which is a huge mistake. Maybe someday we'll have off-the-shelf SoHo routers that can do *proper* AQM. Now there's a start-up idea if I ever had one.
-
Re:Let's hope
It had nothing to do with idiots like these: http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants
Good read... From the story:
PCI SSC have responded and are investigating him and the company. Our software has now moved on[...]
Phew!
[...]to PayPal so we know it's safe,
ah FUCK