There were a couple of years where the network bridge would lock up and take the main computer off the net unless you used the dedicated management connection. Other than that, around the same era, some BMCs would crash so that no management functions worked, but the main computer would keep going.
And of course, now that ME is cracked, no media company will trust it, no user ever had reason to trust it, and the gigantic security holes are baked in. The question now is will Intel admit they screwed up or will they double down.
Yeah, some are better than others. No design is so good that a crappy implementation can't mess everything up, but at least the various issues with the BMC didn't create security holes that couldn't be fixed.
BMC = baseboard management computer. A small embedded system built in to the main system. The difference is that it does not share memory access or the PCI bus. Instead, it is connected to one of the serial ports, the power and reset lines, and often the USB controller. The latter allows it to emulate a DVD drive to support virtual boot media. The serial connection allows for console over LAN (if the OS has a serial console configured). Newer ones also can snoop the video chip to support a built in KVM (for OSes that can't be used over a serial console).
The BMC often has its own private LAN connection so management can be over a physically separate network. They may also have a mini-bridge so they share a physical connection w/ the main system, but can be configured to use a private VLAN.
Since the BMC is not required to bring up the chipset, it can be truly disabled if desired. It is just a remote management system.
In general, the BMC supports IPMI. It may also allow ssh access (with a very limited shell) and/or http(s).
There are still significant security implications if someone does manage to exploit the BMC, but nowhere near as bad as if they exploit the ME.
NO, it can never be a good idea. It can only go from a terrible idea to a terrible idea with some upside. Having a BMC with limited access to the main system was a good idea, but we've had those for over a decade now.
For years now, servers have had a Baseboard Management Computer (BMC) that was always on and could control power, press reset, and provide serial console over LAN. Newer ones provide virtual media and built-in KVM capabilities. At first it was an add-on card that cost an extra $50-$100, then it got so cheap it was simply built in. They spoke IPMI and in some cases also provided http and ssh interfaces. Often they have the option of a physically separate LAN interface so you can put them on a private LAN. Those are really great for remote management.
Since they had no access to the flash, main memory, or PCI bus, they had little of the nefarious capability of the ME. They couldn't read data off the drive or snoop the keyboard, for example.
The ME, on the other hand, is loaded with nefarious potential, so much so that exploiting the ME means game over for the main computer. It already has all of the capabilities TFA suggests, it's just that the chintzy bastards are holding out for more money to turn it on. You can have all the bad parts for free though.
That's the absolute essential. Ideally though, they could also keep enough systems running to continue moving people through. That would be computer terminals, adequate emergency lighting, baggage handling, etc. While highly arguable, I suppose TSA would claim their scanners are essential as well.
I'll grant the similarity, but at least the Debian scripts don't create hard dependencies. The boot won't stop as a result. That system might refuse to implement a new configuration if it detects that the advisory dependency cannot be met, but at the end of the day, the links in /etc/rcN.d will control the boot and if one fails, it will move on.
The X- prefix provides some indication of knowledge that it's a dirty hack, but it is somewhat less problematic given the small number of init.d scripts all kept in one place rather than the huge number of such scripts swept under the rug in systemd. And, of course, you can override the whole thing using ln -s.
Meanwhile, that makes it even more confusing why there would be a claim that systemd somehow made things easier for Debian package maintainers.
Still, a better system would be X-Wants with the understanding that "you can't always get what you want".
Keep in mind that BGP is an automated process. After the fact, rules may be added to limit trust, but that doesn't prevent the initial problem.
Also keep in mind that in many cases, BGP is the only way you know anything about the routes. All you have is that router A says it has a 5 hop route to range X and router B says it has a 4 hop route to the same range. Neither A nor B is directly connected to the range in question and both are also depending on BGP.
The stability of BGP currently depends on the lower level routers having rules to enforce some level of plausibility, but at the level of an exchange, there are a lot of seemingly plausible routes that would be incorrect. It will take a good bit of analysis to come up with mostly good plausibility rules there.
Given what has just happened, it may be necessary to limit routes to Russia to a few choke points that are configured to only accept routes to IPs associated with Russia from Russian routers, but it would take a world-wide effort to really lock that down.
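An added example, not part of the original comment: a small model of the situation described above, where router B's shorter path wins on hop count alone, and a prefix-origin plausibility table (loosely modeled on route origin validation) drops it. The table, router names, documentation prefixes and AS numbers are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# peer: neighbour that sent the route; as_path: AS numbers, origin AS last
Route = namedtuple("Route", "peer prefix as_path")

# Constructed plausibility table (documentation prefixes and ASNs):
# (covering range, origin AS expected for it, longest prefix length accepted)
EXPECTED = [
    ("198.51.100.0/24", 64500, 24),
    ("203.0.113.0/24", 64501, 24),
]

def classify(route):
    """Return 'valid', 'invalid' or 'unknown' for one announcement."""
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[-1]
    covered = False
    for rng, asn, max_len in EXPECTED:
        if net.subnet_of(ipaddress.ip_network(rng)):
            covered = True
            if origin == asn and net.prefixlen <= max_len:
                return "valid"
    # Covered by the table but wrong origin or too specific: implausible.
    return "invalid" if covered else "unknown"

def select(routes, filtered=True):
    """Shortest AS path per prefix; with filtered=True, drop 'invalid' first."""
    best, dropped = {}, []
    for r in routes:
        if filtered and classify(r) == "invalid":
            dropped.append(r)
            continue
        cur = best.get(r.prefix)
        if cur is None or len(r.as_path) < len(cur.as_path):
            best[r.prefix] = r
    return best, dropped

# Constructed announcements: A offers 5 hops with the expected origin,
# B offers 4 hops but ends in an AS the table does not expect for that range.
SAMPLE = [
    Route("router-A", "198.51.100.0/24", (64510, 64511, 64508, 64509, 64500)),
    Route("router-B", "198.51.100.0/24", (64505, 64506, 64507, 64499)),
    Route("router-B", "198.51.100.128/25", (64505, 64500)),   # too specific
    Route("router-A", "192.0.2.0/24", (64510, 64502)),        # not in table
]

if __name__ == "__main__":
    for flag in (False, True):
        best, dropped = select(SAMPLE, filtered=flag)
        print("filtered" if flag else "unfiltered")
        for prefix, r in sorted(best.items()):
            print(f"  {prefix} via {r.peer} ({len(r.as_path)} hops, origin AS{r.as_path[-1]})")
        for r in dropped:
            print(f"  dropped {r.prefix} from {r.peer}")
```

Routes to ranges the table does not cover come back as 'unknown' and are still accepted, which is the gap the comment points at: the filter is only as good as the table behind it.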
OTOH, it would be a Pence that knows the president can and will be hauled off in disgrace if necessary and a GOP that knows they're facing a really tough election soon. How anxious will they be to support the tattered remains of the Trump administration?
If they're smart, they may want to ask themselves that now.
Don't believe the political hype. The supposed deaths from rationing in socialized medicine are not what you think. They are just cases where fantastically expensive yet futile measures are withheld at end of life in favor of palliative care that allows for a decent last few weeks rather than a truly miserable month. Naturally, for-profit medicine offers the treatment leaving the family feeling obligated to approve it (unless they simply can't, then they get to feel guilty about not being rich and/or heavily insured). In socialized medicine, the doctors make the hard decision that is ultimately better for the patient and family so the family doesn't have to agonize over it.
For example, a couple years ago, there was a much touted "wonder drug" for liver cancer. It cost $60,000/month and a course of treatment was 6 months. The side effects were quite unpleasant. Once the dust settled, it was found to extend life by about 1 month. There were no remissions. So what'll it be, 7 really bad months or 5 good ones and 1 not so good?
If you watch the homeless people, a fair percentage of the older ones will be showing obvious signs of tardive dyskinesia (AKA the thorazine shuffle). They were in the mental institutions before they closed and were tossed out on the streets without regard for their ability to take care of themselves.
People coming home from WWII got ticker tape parades and a booming economy. In an era where a high school diploma could net you a decent job, they had advanced training on top of that. As a society, it was understood that the women pressed into the work force by necessity would be vacating those jobs en masse as soon as the troops came home. Even manual laborers made enough for a single income to modestly support a married couple.
Does any of that ring true for Vietnam?
Gulf veterans get respect, but no booming economy, no jobs being vacated, and everyone thinks you need a degree to pump gas (I'm only slightly exaggerating on the last one).
How fortunate for them. Some people come through better than others, and some wars are worse than others.
I know a guy who got struck by lightning and suffered no ill effects. According to your reasoning, the only natural conclusion is that lightning is harmless and anyone who seems to have died from it is just malingering.
Actually, many of the homeless have varying degrees of mental illness. People on welfare often get stuck on it because they lose the benefits faster than earned income fills the gap.
I read just fine. The workaround is in initramfs, but that's just because systemd is incapable of handling it. Prior to that, the old sysV init handled it just fine.
Note that when I first tested systemd, it was on a working test dummy with a btrfs. It worked just fine before, including when I degraded btrfs. Then I 'upgraded' to systemd and it wouldn't boot. It wouldn't just fail to mount the btrfs (non-root), it just dropped to an emergency shell with no remote services running.
Note that at one time, systemd was supposed to be the init in initramfs as well, but that went away when systemd started depending on everything including the kitchen sink and it proved that design flaws meant it could never bring the system up without help from an old school init being involved first.
As for production, I never had a machine get stuck on the way to halt until systemd got involved. It was nice back when I could just run halt and expect the machine to power itself off within 5 minutes.
But thank you for exemplifying one of the other problems with systemd. In the face of genuine bug reports, the answer is generally NOTABUG, WONTFIX, CLOSED, no matter what the bug is. That includes such embarrassments as mistakenly thinking rm -r should traverse UP.
There are some ideas in systemd that might actually be useful if it lost its my way or the highway attitude and was made to work cooperatively with other systems.
Funny thing is, you were so desperate to deny the systemd bug that you pulled up the wrong issue entirely.
The initramfs HAS to handle the RAID for the root filesystem, naturally. Non-root RAID is supposed to be handled after transferring control to the actual init.
Same for non-root btrfs.
If there's an idiot or liar in this thread, it isn't me.
What were your experiences?
That's just the international traffic. Try this link instead.
If the luggage doesn't move, people don't move either.
ATL is busier than all of those every day (Yes, including JFK). MIA is much smaller.
I just have to wonder, did it say in a raspy metallic voice "vision impaired, I can not see!"?
Arbeit macht frei?
I would be interested in knowing what one or more of those are.
WOW, that was a whole bunch of backflips you did there to avoid saying The Donald just created new regulations.
ISIS also uses guns. Lots and lots of guns. Do you see where things get interesting yet?