Recent comments on posts in the blog:

lxc-net configuration


about network configuration on LXC in debian stretch, it is possible to easy the setup through the lxc-net script (it's shipped with-in the lxc package itself). This way you only need:

  • to fill parameters in /etc/default/lxc-net
  • add bridge configuration for lxcbr0 in /etc/network/interfaces

All of other steps pointed out in your "Network setup" are done by lxc-net itself.

The only downside of the script is that it would be nice to use, instead of a script, an horde of systemd units (if using systemd). I tried to fill a request for it [1] but it's still a work in progress.


Comment by risca
NTP synchro


I'm interested cause my NTP synchronized is always :no I done exactly the same commands on the blog and no change appears.

Thank you for advice.

Comment by Patrick
How long after enabling NTP should it show sync?

systemd-timesyncd seems to have some nice features - it touches /var/lib/systemd/clock (or perhaps /var/lib/systemd/timesync/clock on Debian) after each successful sync, so it will at least move forward after reboot even before the network is up.

On the other hand there are situations where I would like a whole set of services to have a hard dependency on a successful time synchronisation before they will even try and start up, and this does not seem to be well-supported by systemd (see for more detail).

You say you had to timedatectl set-ntp true after you got timesyncd running, but that's not working for me and I'm curious about how long I should spend watching it before I see a "Yes" in the NTP sync status, and I wonder what I might be missing if I'm not seeing this even though timesyncd appears to be running without errors.

Comment by Andrew McMillan
tumesyncd logging

In Jessie, systemd-timesyncd put out some logging information to syslog, everytime that it pinged the time server that gave you a time stamp, time correction and frequency correction information. With Stretch, these log reports have been suppressed. Does anyone know how to get them back? I can't find anything in the documentation. Thanks, --- Graham


Comment by Graham
LUKS key

Good post and good comments. I was wondering about the passphrase LUKS requires to decrypt.

Where should I setup it up to decrypt files upon user login?


Comment by julio

You can edit /var/cache/debconf/config.dat manually instead, but be aware that you can really break things by editing this.

The file it uses for configuration is defined in /etc/debconf.conf, should it not be where you expect on your system

# World-readable, and accepts everything but passwords.
Name: config
Driver: File
Mode: 644
Reject-Type: password
Filename: /var/cache/debconf/config.dat
Comment by draeath
what about auto-discovery?

i also wonder if we could get this simplified somehow. i don't mind configuring the server so much, but it's kind of painful to have to edit config files by hand on each client that needs to be configured...

can't Avahi take care of this for us, just like it does for CUPS and printing? i looked around for this feature but so far all I've found are bug reports saying that it doesn't work (ubuntu LP#508866, debian #743420). and indeed, with SANE_DEBUG_NET=128 scanimage -L says:

[net] sane_get_devices: local_only = 0
[net] sane_get_devices: finished (0 devices)
[net] net_avahi_browse_callback: CACHE_EXHAUSTED
[net] net_avahi_browse_callback: ALL_FOR_NOW

No scanners were identified.

So I'm not sure what's going on, but clearly this is not working...

Comment by anarcat
why network and central docs

i setup a network scanner here because it is also a printer and already connected, by USB, to a print server so that many people can print on it without having to worry about cabling.

yes, they need to move their feet to get actual paper in and out of there. crazy physics. but it beats fiddling with wires. :)

also i figured i would mention there is a similar guide in the Debian wiki - which seems to have slightly better SEO, so it comes up first. Therefore, I have reworked it to include the excellent suggestions here that were missing there. See if you can improve it further! :)

Comment by anarcat
Taking a sledgehammer to an egg?

That pwned list of a password is a fantastic resource. Thanks for posting a pointer to it.

But Egad! - using postgres to index and search it?? You must have the patience of a saint.

Given a false positive isn't a death sentence, a bloom filter is a better choice. Setting the parameters to give a false positive range of 1e-9 (roughly 50/50 chance of getting 1 false positive if I checked a password with it every second for my entire life), the resulting filter occupies 2.6G - about 1/2 the size of the compressed original. Creating the filter takes about 3 hours on my laptop (please forgive the butt ugly inline python):

sudo apt-get install python, python-pybloomfilter
wget http://.../pwned-*.txt.7z; for f in *.7z; do 7z x $f; done
python -c "import pybloomfilter, sys; b = pybloomfilter.BloomFilter(500000000, 0.000000001, ''); [b.update(open(f)) for f in sys.argv[1:]]" pwned-passwords-*.txt

Querying it:

python -c 'import hashlib,sys,pybloomfilter; b =""); sys.stdout.write("".join("%s is pwned: %r\n" % (p, hashlib.sha1(p).hexdigest().upper() + "\r\n" in b) for p in sys.argv[1:]))' password1 password2 ...
Comment by Russell Stuart