| cakebandit | I have a question about sysvinit. So I am working on a headless server with cryptsetup-initramfs, dropbear stuff. Well anyways I have a problem at boot but that's not the problem, I was shocked when I hooked up my hdmi cable and the screen says press enter for maintenance or ctrl-d to continue. If I press enter I am in root without needing a password. How do I remove maintenance mode? I think it might be in /etc/inittab? Let's just say I want to | 02:39 |
|---|---|---|
| cakebandit | colocate my server, I'm not real sure the best way to turn off tty and leave shh on. | 02:39 |
| cakebandit | *ssh, I know the line I need to put in rc.local to turn off the hdmi itself, but I would like to disable the physical serial ports and the maintenance mode. | 02:41 |
| cakebandit | If I press control + D it will ask for user name and password. | 02:42 |
| rrq | that maintenance mode is in the initrd init; not actually a sysvinit thing | 04:00 |
| rrq | check the init scripting of initramfs-tools, and also how cryptsetup-initramfs injects itself into there | 04:02 |
| rrq | maintenance mode is before root filesystem is mounted | 04:04 |
| rrq | cakebandit: ^^^ | 04:04 |
| fluffywolf | what is this, and why is it crashed? | 04:10 |
| fluffywolf | 27547 ? S 0:00 /bin/sh /usr/lib/apt/apt.systemd.daily lock_is_held | 04:10 |
| fluffywolf | 27577 ? S 3:05 apt-get -qq -y update | 04:10 |
| fluffywolf | also, why does that look like automatic updates somehow got enabled when upgrading to daedalus, and I absolutely do not want automatic updates? | 04:13 |
| rrq | agree totally. such are the things coming with the bath water as devuan tries to remain just "debian without systemd" and not asserting any QA control of any other aspect of debian packages | 04:20 |
| rrq | I do believe automatic upgrades remain disabled by default, but those dev's involved in it have chosen to rearrange the plumbing | 04:22 |
| rrq | I think in this case it's towards adding a control attachment from systemd to apt's "unattended upgrades" "feature" (which some people find useful, I believe) | 04:26 |
| fluffywolf | something seems to be starting "apt.systemd.daily", and when it does it, apt-get is hanging (note long cpu usage time) and holding the lock file and breaking apt until I kill it. | 04:26 |
| fluffywolf | looks like a cronjob | 04:27 |
| fluffywolf | * fluffywolf kills | 04:27 |
| rrq | I think it's some /etc/cron*/* script | 04:27 |
| fluffywolf | I absolutely do not want apt doing ANYTHING daily, or any other time other than when I tell it to do something. | 04:28 |
| fluffywolf | and am most pissed that this got enabled without being asked | 04:28 |
| onefang | * onefang wonders which cron script? | 04:30 |
| onefang | apt-compat, now what is that for? | 04:31 |
| fluffywolf | /etc/cron.daily/apt-compat | 04:31 |
| onefang | SNAP! | 04:31 |
| onefang | I mean the card game, not the package type. | 04:31 |
| fluffywolf | fortunately? it doesn't actually WORK, so it hasn't been upgrading anything, just hanging. | 04:32 |
| onefang | * onefang slaps an exit at the top of that script, and worries about it later. | 04:39 |
| fluffywolf | LOL, that's exactly what I did too. :P | 04:40 |
| onefang | SNAP! | 04:40 |
| rrq | or compile "int main(){return 0;}" into an /nocanodo binary, and insert that after the ! of the first line | 04:41 |
| rrq | nocando | 04:42 |
| onefang | I have my own cron scripts for regularly checking for updates, and doing things like debsums. Actual upgrades and updates are manual though. | 04:42 |
| fluffywolf | #!/bin/false | 04:42 |
| rrq | yeah | 04:42 |
| onefang | Beat me to it. lol | 04:42 |
| fluffywolf | or maybe true to make cron not complain, don't remember | 04:43 |
| rrq | should be /bin/true, since the return code is of meaning | 04:43 |
| onefang | But the debsums checks will remind me I exit'ed that script. | 04:43 |
| fluffywolf | brb | 04:43 |
| onefang | Line 355 of /usr/lib/apt/apt.systemd.daily says that auto update is enabled by default, so you have to disable it, instructions for that are at the top. | 05:11 |
| fluffywolf | I don't like things being installed that do unwanted behaviors automatically by default. | 05:12 |
| onefang | That script is part of the apt package. | 05:12 |
| onefang | Those instructions work at least. | 05:13 |
| onefang | Put 'APT::Periodic::Enable "0";' into /etc/apt/apt.conf.d/10periodic | 05:14 |
| onefang | Or just leave exit at the top of the cron script. B-) | 05:15 |
| fluffywolf | /etc/apt/apt.conf.d/20auto-upgrades:APT::Periodic::Update-Package-Lists "1"; | 05:16 |
| fluffywolf | /etc/apt/apt.conf.d/20auto-upgrades:APT::Periodic::Unattended-Upgrade "1"; | 05:16 |
| fluffywolf | looks like the default is definitely on | 05:16 |
| onefang | I don't have those files. | 05:17 |
| fluffywolf | ... according to the debian wiki, the tool to turn them on and off is part of the gnome desktop. | 05:19 |
| onefang | But now I have their contents, only with "0". | 05:19 |
| onefang | Won't help on my server. lol | 05:19 |
| fluffywolf | I could swear the installer asked me if I wanted it, and I said no. | 05:20 |
| fluffywolf | specifically, what you get when you run dpkg-reconfigure unattended-upgrades | 05:20 |
| onefang | I install with a script I wrote, which now has these changes. | 05:20 |
| onefang | What I'm wondering is if this has been running all this time, how come I'm not seeing anything actually upgraded? All the stuff I decided to leave not upgraded yesterday is still not upgraded. It's enabled, but buggy? | 05:23 |
| fluffywolf | yeah. it's buggy. lol | 05:24 |
| fluffywolf | I've never seen anything automatically upgrade... but now I know why sometimes there's a hung apt-get holding the locks. | 05:24 |
| onefang | Should be disabled now, on both desktop and server. | 05:24 |
| onefang | I didn't even have unattended-upgrades installed. lol | 05:32 |
| fluffywolf | odd, I got its configure when installing... but you said you were doing custom installs. | 05:33 |
| fluffywolf | I don't know how it got changed to on, when I selected no. | 05:34 |
| onefang | Yep, it's not installed coz I don't want it, and nothing dragged it in as a dependency. | 05:34 |
| fluffywolf | this one was rare because it was voice coil, and was super, super fast. | 05:35 |
| fluffywolf | grr, wrong window | 05:35 |
| fluffywolf | hitachi still makes a very great gadget; they just refuse to put their name on it. :P | 05:37 |
| fluffywolf | grr, also wrong window | 05:37 |
| fluffywolf | * fluffywolf is talking in #hardware at same time | 05:38 |
| onefang | Damn hitachi wrong windows, no wonder they won't put their name to it. | 05:38 |
| cakebandit | okay thanks rrq | 08:34 |
| freaxeh | hi | 09:28 |
| freaxeh | i'm getting a lot of events on mdadm --detail | 09:28 |
| freaxeh | https://paste.debian.net/hidden/485395d1/ | 09:29 |
| freaxeh | i just upgraded the motherboard which was kernel panicking the OS all of the time | 09:30 |
| freaxeh | the old motherboard was | 09:30 |
| freaxeh | I'm now using a sas controller instead of the onboard sata ports... | 09:30 |
| freaxeh | the drives are seagate ironwolf 8tb so i'm not expecting any problems with them... could it have been the old motherboard causing these events? | 09:36 |
| freaxeh | brand new drives | 09:36 |
| adhoc | freaxeh: what are the time stamps ? | 09:56 |
| freaxeh | adhoc: timestamps? where do I find that? | 09:57 |
| adhoc | in your paste above the "update time" is 2010 | 09:57 |
| adhoc | but the create time is 2024 ... ? | 09:58 |
| adhoc | unlikely to have had 8TB drives in 2010 | 09:58 |
| adhoc | * adhoc is a little confused | 09:58 |
| freaxeh | hmm the bios might be set incorrectly | 09:58 |
| freaxeh | in fact it probably is | 09:58 |
| freaxeh | i'll reboot the system and set the time correctly | 09:58 |
| adhoc | might pay to look at your NTP config? | 09:59 |
| adhoc | make sure it is using at least three pool servers | 09:59 |
| adhoc | or a local stratum 1, etc | 10:00 |
| adhoc | get your time close, use ntpdate to set it from a known good external gps server and then use ntp to maintain good time | 10:00 |
| adhoc | if the time is out that much, could explain it whinging about it in its log, the events ? | 10:01 |
| freaxeh | i checked the bios time and its correct | 10:01 |
| adhoc | saying things are in the future... | 10:01 |
| adhoc | oh | 10:01 |
| freaxeh | but that doesn't mean that it wasn't set correctly before i booted devuan | 10:01 |
| adhoc | you have ntp running ? | 10:01 |
| freaxeh | yes | 10:02 |
| adhoc | excellent =) | 10:02 |
| freaxeh | chrony actually | 10:02 |
| adhoc | oh | 10:02 |
| adhoc | i need to read up more on that | 10:02 |
| adhoc | * adhoc uses ntpd to grab the 1PPS from GPS | 10:02 |
| freaxeh | nods | 10:03 |
| adhoc | hmm .. is GPL2 | 10:03 |
| freaxeh | the time was slightly off, saying it was 8am instead of the local time which is 6:03pm | 10:03 |
| freaxeh | i corrected it in the bios | 10:03 |
| freaxeh | it's showing the correct update time now | 10:04 |
| freaxeh | well... tomorrow it's showing, friday the 30th, today is thursday the 29th | 10:04 |
| adhoc | had a look at the output of chronyc ? | 10:04 |
| adhoc | https://chrony-project.org/examples.html | 10:04 |
| adhoc | might give you some clues | 10:05 |
| freaxeh | the output seems correct | 10:05 |
| adhoc | nice =) | 10:05 |
| freaxeh | System time : 0.000043512 seconds fast of NTP time | 10:06 |
| adhoc | that seems acceptable =) | 10:06 |
| adhoc | you have more than one server upstream in your config ? | 10:06 |
| adhoc | ah excellent; "4. Server using reference clock on serial port" | 10:06 |
| gnarface | freaxeh: usually what you actually want to do is set the bios to UTC time, then tell NTP that, so it can maintain the time correctly even if you change timezones | 10:06 |
| freaxeh | thanks for that gnarface | 10:07 |
| gnarface | no problem | 10:07 |
| adhoc | yes | 10:07 |
| freaxeh | i only have one server, 0.au.pool.ntp.org iburst | 10:08 |
| freaxeh | but its a pool | 10:08 |
| adhoc | * adhoc nods | 10:08 |
| cakebandit | I think I need to change this line in /etc/inittab ---> ~~:S:wait:/sbin/sulogin --force <--- to disable automatic root login, I want the system to require authentication upon booting into single-user and maintenance modes. | 10:58 |
| CueXXIII | does your root account have a password? otherwise sulogin would not allow you to log in | 11:03 |
| cakebandit | yes it does, that's why I am shocked | 11:08 |
| CueXXIII | hm, so you were still in the initrd when it asked you? | 11:09 |
| CueXXIII | fluffywolf: it was running "apt-get update", not upgrade. that command only updates the list of available packages in the repository, it leaves the actual packages alone | 11:11 |
| cakebandit | So I am working on setting up an encrypted system that gets unlocked remotely. It uses cryptsetup, dropbear, initramfs, but anyways if there is an error in the /etc/fstab, when I plug in a hdmi cable, it says press enter for maintenance or ctrl+d to continue. Enter takes me right to root with no password. | 11:12 |
| CueXXIII | ah, both /etc/init.d/checkroot.sh and checkfs.sh start sulogin --force in case there's an error… | 11:16 |
| CueXXIII | seems to be non-conditional, so you need to edit those files | 11:17 |
| cakebandit | If I press control+d I am asked to login. So in maintenance mode, if I type "runlevel" it comes back as unknown and most services do not start. Full root. I bet this gets overlooked a lot because google searches do not pull much info up. | 11:17 |
| cakebandit | Thx Cue | 11:18 |
| CueXXIII | what happens when you run "sulogin --force" yourself? | 11:18 |
| cakebandit | as a user ---> bash: sulogin: command not found | 11:19 |
| CueXXIII | no, must be run as root | 11:19 |
| CueXXIII | or just sulogin without --force | 11:19 |
| cakebandit | Press Enter for maintenance | 11:20 |
| cakebandit | (or press Control-D to continue): | 11:20 |
| CueXXIII | ok, so your root account does not allow login with password, it seems | 11:20 |
| cakebandit | Enter - I change to root from user with sudo | 11:20 |
| gnarface | freaxeh: sorry, correction, i think you actually tell the tzdata package about the bios being in UTC time, with "dpkg-reconfigure tzdata" or maybe "dpkg-reconfigure -plow tzdata" | 11:23 |
| freaxeh | gnarface, ok thanks | 11:24 |
| freaxeh | it sounds correct | 11:25 |
| cakebandit | I guess it is explained in "man sulogin", so should I just remove --force from /etc/inittab ---> ~~:S:wait:/sbin/sulogin --force | 11:31 |
| cakebandit | it also states: Only use the -e (--force) option if you are sure the console is physically protected against unauthorized access. | 11:33 |
| onefang | So --force means you need an armed guard at your console. Seems appropriate. | 11:57 |
| rrq | cakebandit: the "S" runlevel is a sysvinit thing, and that's after the initrd init has pivoted. I understood you were talking about the initrd init's maintenance mode which it enters when the root filesystem needs fsck | 12:16 |
| rrq | that stage is before sysvinit init has started, and inittab is not in play. You might want to change it as well, though. | 12:18 |
| rrq | otoh it all is only protected by the disk encryption key; having that and physical access is enough to bypass any "root can't login" barrier. | 12:22 |
| cakebandit | yes, this week I want to lock it down the best I can, high on the list is to disable the serial and uart stuff, maybe disable the usb as well. | 12:38 |
| cakebandit | I am making a tutorial that is pieced together from others, so when I finish I can share the url where I posted it. | 12:39 |
| rrq | mmm don't forget about netconsole, iscsi, pxe, nbd and the such... | 12:51 |
| rrq | still, only the disk encryption password is of significance; the rest are "Mickey Mouse" security (IMO of course) | 12:53 |
| cakebandit | Thanks very much for your advice, I just did "cat checkfs.sh \| grep force" and I see it too | 12:53 |