IRC log of #maemo-ssu for Thursday, 2013-04-11

*** NIN101 has quit IRC00:07
*** Martix_ has quit IRC00:08
merlin1991kerio: I tried to but apt-mirror wants to dl 30GB each run00:19
merlin1991and I didn't find the time to debug that00:20
kerio:(00:20
freemangordonmerlin1991: http://talk.maemo.org/showpost.php?p=1335313&postcount=1484 , could you put those packages in cssu-thumb?00:20
freemangordonmerlin1991: from CSSU-T 7.2 ofc00:21
merlin1991freemangordon: done00:26
freemangordonmerlin1991: thanks00:27
merlin1991about the cssu repo, I did what I could, but the rights system is seriously foobar and I need a higher authority than me to do something00:27
freemangordonmerlin1991: hmm, who, doc?00:28
Pali[20:36:20] <DocScrutinizer05> merlin1991 has sufficient right to do what needs to be done on repos, if he's missing rights he will pester me and we'll fix stuff in 5min00:28
freemangordon:nod:00:29
merlin1991Pali: the problem isn't a simple fix anymore00:29
merlin1991it's a policy thing about users and groups on serveral machines00:29
freemangordonmerlin1991: it was about the rights00:29
merlin1991the setup is friggin silly00:29
DocScrutinizer05indeed00:30
kerio5 years of cruft?00:30
keriobureaucratic cruft00:30
DocScrutinizer05we got no write permissions on a NFS mount despite the group is +w00:30
DocScrutinizer05the group/user ids between both machines aren't in sync00:30
keriooh god D:00:31
Paliah NFS :-)00:31
PaliNFS (ver 1?) was maybe only one FS where mkdir was not atomic :D00:32
DocScrutinizer05my take is "it never will work flawlessly until we get those etc/passwd and etc/group files "synced", so num IDs for identical users/groups are identical on both machines00:32
merlin1991yeah but it makes no sense to sync all users and groups from drop to repo just for the cssu upload00:32
merlin1991we should simply ditch the old idea and set up something new00:32
DocScrutinizer05but it as well might be something completely different that what I suspect00:33
DocScrutinizer05I suggested to ditch the old cssu-testing group and add it anew on both machines, with identical numID00:33
DocScrutinizer05same for all related/involved users00:34
DocScrutinizer05can olnly be 2 or 300:34
*** Martix_ has joined #maemo-ssu00:35
DocScrutinizer05you need to chown all files owned by any of those users/groups as well, wehn you do that00:35
* DocScrutinizer05 wonders if there really isn't a script already to do that friggin task00:35
DocScrutinizer05not the first time somebody needs to change a user's numID on unix00:36
merlin1991DocScrutinizer05: the grage -> drop script would ruin that group on each run00:36
DocScrutinizer05err why?00:36
merlin1991hm actually not since it atm does not check group ids00:37
DocScrutinizer05look, aiui you log in on drop.m.o via ssh key, and you are member of group cssu-testing (or whatever) which is supposed to have write access to /mnt/incoming/foo/bar/dunnowhat00:39
DocScrutinizer05now that group has write access to the NFS seeding dir (I.E. on repo(?) side where the dir gets exported), and you have write access to it on the mounting side drop, if you are root, or you are others and the dir is others+w. You do NOT have write access on drop when you're member of cssu-testing group, despite the group has +w and numID is identical with the numID of your group on drop00:43
DocScrutinizer05and that's the bug00:43
DocScrutinizer05I think it can only be related to owner/group numID not in sync between the both machines00:44
DocScrutinizer05  1003 30550 4096 Apr  8 17:42 /var/repository/incoming/community-testing/fremantle/00:45
DocScrutinizer05  repository cssu-testing 4096 Apr  8 17:42 /var/repository/incoming/community-testing/fremantle/00:45
DocScrutinizer051003 cssu-stable 4096 Mar 30  2012 /mnt/incoming/community/fremantle/00:47
DocScrutinizer05root@vcs:/mnt/incoming/community-testing/fremantle# ll00:48
DocScrutinizer051003 cssu-testing 4096 May 30  2012 ./00:49
DocScrutinizer051005 falk         4096 Oct 26  2010 ../00:49
DocScrutinizer051003 and 1005 seem orphaned users on *both* machnes00:50
merlin19911003 is "respository" on repo00:50
DocScrutinizer05ooh, ok00:51
DocScrutinizer05I created cssu-testing on vcs anyway00:51
DocScrutinizer05drop==vcs, for lurkers info00:52
* merlin1991 currently fixes his win7 newest system update resulted in bluescreen on boot00:55
DocScrutinizer05joerg@vcs:~$ id00:57
DocScrutinizer05uid=30401(joerg) gid=30580(joerg) groups=30580(joerg),27(sudo),30550(cssu-testing)00:57
DocScrutinizer05joerg@vcs:~$ date >/mnt/incoming/community-testing/fremantle/xxx00:57
DocScrutinizer05-bash: /mnt/incoming/community-testing/fremantle/xxx: Permission denied00:57
DocScrutinizer05joerg@vcs:~$ ll -dn /mnt/incoming/community-testing/fremantle/00:58
DocScrutinizer05drwxrwxr-x 2 1005 1005 4096 Apr  9 05:18 /mnt/incoming/community-testing/fremantle//00:58
DocScrutinizer05do NFS mounts need permissions on parent dirs? like the mount is vcs:/mnt/incoming/community-testing owned by 999:999 770, but the dir/file I wanna write to is vcs:/mnt/incoming/community-testing/fremantle/xxxx and that dir is owned by me but still I mustn't write since I'm not owner of parent dir?01:07
*** Martix_ has quit IRC01:11
DocScrutinizer05sg when not fixed so at least solved the miracle01:13
ShadowJKI do not believe parent dir needs write permissions01:14
DocScrutinizer05yeah, evidently not01:14
DocScrutinizer05but afaik there are differing concepts about applying auxiliary groups of a user automatically01:15
ShadowJKconsidering users dont have write to / or /home either, but do have to /home/user/01:15
DocScrutinizer05while this might work on a local machine, since the local machine has access to /etc/groups01:15
DocScrutinizer05...it is prone to fail on a NFS mount01:15
*** Martix has joined #maemo-ssu01:16
DocScrutinizer05joerg@vcs:~$ id01:16
DocScrutinizer05uid=30401(joerg) gid=30580(joerg) groups=30580(joerg),27(sudo),30550(cssu-testing)01:16
DocScrutinizer05joerg@vcs:~$ date >/mnt/incoming/community-testing/fremantle/xxx01:16
DocScrutinizer05bash: /mnt/incoming/community-testing/fremantle/xxx: Permission denied01:16
DocScrutinizer05joerg@vcs:~$ sg cssu-testing01:16
DocScrutinizer05joerg@vcs:~$ id01:16
DocScrutinizer05uid=30401(joerg) gid=30550(cssu-testing) groups=30580(joerg),27(sudo),30550(cssu-testing)01:16
DocScrutinizer05joerg@vcs:~$ date >/mnt/incoming/community-testing/fremantle/xxxx01:16
DocScrutinizer05joerg@vcs:~$ ls -l /mnt/incoming/community-testing/fremantle/xxx01:17
DocScrutinizer05-rw-rw-r-- 1 dkothari hayrinenk 29 Apr  9 05:18 /mnt/incoming/community-testing/fremantle/xxx01:17
*** Pali has quit IRC01:18
DocScrutinizer05meh01:18
DocScrutinizer05-rw-r--r-- 1 joerg    cssu-testing 29 Apr 10 22:11 xxxx01:18
DocScrutinizer05the NFS server can't know about user's auxiliary groups on client01:19
*** MohammadAG has joined #maemo-ssu01:32
ShadowJKnfs usually doesn't care about user or group names, it's all numerical.. So, user 'jk' with uid 500 on machine 1, would not have access over nfs to machine 2 to a user 'jk' uid 501.. but would have access to user 'kj' uid 50002:02
ShadowJKthough there's modern stuff these days that might "fix" that, but I'm not up to date on it :/02:03
*** kolp has quit IRC02:10
DocScrutinizer05ShadowJK: the problem is more like: a user jk with primary group 999, aux-groups:12,13,20,21  will not have access to a dir with owner:group 4711:20, despite group:20 is in his aux-groups02:39
DocScrutinizer05he needs to do `sg 20` which is allowed any time to users who have that group in their auxgroups, and then access to that 4711:20 dir will work02:40
DocScrutinizer05see above! while I had no access as >>uid=30401(joerg) gid=30580(joerg)<<, I was allowed as >> uid=30401(joerg) gid=30550(cssu-testing)<< to write to /mnt/incoming/community-testing/fremantle root:cssu-testing02:43
DocScrutinizer05it's kinda like s(et)u(ser) but for group: s(et)g(roup) cssu-testing02:44
DocScrutinizer05just it's not needed (anymore?) on recent unix systems since on local dirs the fs checks your auxiliary groups if you *could* have done sg and thus would have been allowed to access that dir. This however doesn't work for NFS mounts, for relatively obvious reasons02:45
*** Martix has quit IRC02:47
DocScrutinizer05maybe NFS even has a mount parameter that allows feedback from server to client about "group doesn't match" and then client's nfs fs driver would check locally and do an implicit sg and repeat the request02:48
DocScrutinizer05if there's such a nfs mount parameter, then I don't know about it02:48
ShadowJKActually I thought access controls were done on nfs client03:09
*** M4rtinK has quit IRC03:36
DocScrutinizer05well, obviously not to the extent that it checks server's dir permissions and owner:group prior to sending a RPC03:45
DocScrutinizer05I duuno the details since I never looked at the gory internal details of NFS, but the diagnostics are unambiguous03:46
DocScrutinizer05see above03:46
DocScrutinizer05s/duuno/dunno/03:47
*** sunny_s has quit IRC04:20
*** arcean has quit IRC04:23
*** sunny_s has joined #maemo-ssu04:23
*** amiconn_ has joined #maemo-ssu05:01
*** amiconn has quit IRC05:02
*** amiconn_ is now known as amiconn05:02
*** tg has quit IRC05:03
*** tg has joined #maemo-ssu05:07
*** LauRoman has quit IRC05:14
*** tg has quit IRC05:44
*** tg has joined #maemo-ssu05:47
*** amiconn has quit IRC05:59
*** amiconn_ has joined #maemo-ssu05:59
*** amiconn_ is now known as amiconn05:59
*** tg has quit IRC06:02
*** DocScrutinizer05 has quit IRC06:04
*** DocScrutinizer05 has joined #maemo-ssu06:04
*** tg has joined #maemo-ssu06:05
*** Raimu-Z has quit IRC06:20
*** Raimu-Z has joined #maemo-ssu06:21
*** tg has quit IRC06:21
*** tg has joined #maemo-ssu06:25
*** int_ua has joined #maemo-ssu07:39
*** nox- has quit IRC07:50
*** FReaper has quit IRC09:17
*** FReaper has joined #maemo-ssu09:19
*** M13 has joined #maemo-ssu09:25
*** freemangordon has quit IRC09:44
*** entitled has quit IRC09:48
* amiconn didn't see the described nfs behaviour so far, but then didn't specifically test it either09:48
amiconnMaybe it depends on the nfs version in use?09:48
*** freemangordon has joined #maemo-ssu09:49
*** kolp has joined #maemo-ssu10:18
*** Raimu has quit IRC10:30
*** dhbiker has joined #maemo-ssu10:30
*** Raimu has joined #maemo-ssu10:31
*** M4rtinK has joined #maemo-ssu10:34
*** FlameReaper has joined #maemo-ssu10:40
*** FReaper has quit IRC10:40
*** M4rtinK has quit IRC11:24
*** Pali has joined #maemo-ssu11:35
*** futpib has joined #maemo-ssu12:19
*** futpib has quit IRC12:36
*** M13 has quit IRC12:37
*** futpib has joined #maemo-ssu12:39
*** futpib has quit IRC13:04
*** Martix has joined #maemo-ssu13:15
*** Martix has quit IRC13:22
*** sunny_s has quit IRC13:22
*** futpib has joined #maemo-ssu13:31
DocScrutinizer05any additional input appreciated13:49
DocScrutinizer05you just need a NFS mount with a dir that's 770 n:42(thegroup), and a user that has id UID=<x>(username ) group=<y>(somegroup) groups=...42(thegroup)...13:53
DocScrutinizer05or: cd <nfs-mount>; mkdir xy; chown :4711 xy; chmod 770 xy; adduser -G 4711 testuser; su - testuser; cd <nfs-mount>; date >xy/xyz; echo "this will have failed"; sg 4711; date >xy/xyz; echo "this will have succeded"13:57
*** unclouded has quit IRC13:58
DocScrutinizer05^^^ no warranties, those commands are typed 2blindly"13:59
*** futpib has quit IRC14:00
*** futpib has joined #maemo-ssu14:01
amiconnIf group ids and user ids of server and client are in sync, permissions defined by secondary groups should work as long as the user is in no more than 16 groups14:02
amiconnIf the user has more than 16 groups, the server should be started using the --manage-gids option, and then group membership on server and client must also match14:03
amiconnThis option will make the server look up the user's group membership locally14:04
DocScrutinizer05HEY! :-))14:05
DocScrutinizer05where from you got that?14:05
amiconnTeh incredible Google...14:06
DocScrutinizer05it perfectly explains our situation, since our user/group id's are _not_ in sync14:06
amiconnE.g. here: https://xkyle.com/solving-the-nfs-16-group-limit-problem/14:06
DocScrutinizer05thanks a ton!14:08
DocScrutinizer05https://xkyle.com/solving-the-nfs-16-group-limit-problem/comment-page-1/#comment-5294 is to the poibt14:52
DocScrutinizer05point even14:52
*** lizardo has joined #maemo-ssu14:56
*** futpib_ has joined #maemo-ssu15:29
*** futpib has quit IRC15:29
*** LauRoman has joined #maemo-ssu15:36
*** FlameReaper has quit IRC16:11
*** Martix has joined #maemo-ssu16:36
*** Martix_ has joined #maemo-ssu16:37
*** Martix has quit IRC16:37
*** DocScrutinizer51 has quit IRC17:00
*** DocScrutinizer51 has joined #maemo-ssu17:00
*** Martix_ has quit IRC17:01
*** DocScrutinizer51 has quit IRC17:18
*** DocScrutinizer51 has joined #maemo-ssu17:18
*** Martix has joined #maemo-ssu17:37
*** M13 has joined #maemo-ssu17:50
*** Martix has quit IRC18:10
*** NIN101 has joined #maemo-ssu19:01
*** tg has quit IRC19:37
*** tg has joined #maemo-ssu19:41
*** M13 has quit IRC19:56
*** M13 has joined #maemo-ssu19:56
*** amiconn has quit IRC19:57
*** amiconn has joined #maemo-ssu19:57
*** Vlad_on_the_road has joined #maemo-ssu19:59
*** FlameReaper has joined #maemo-ssu20:06
*** discopig has quit IRC20:37
*** discopig has joined #maemo-ssu20:45
*** discopig has joined #maemo-ssu20:47
*** discopig has joined #maemo-ssu20:47
*** freemangordon has left #maemo-ssu21:01
*** ruskie has quit IRC21:12
*** nox- has joined #maemo-ssu21:22
*** nox- has joined #maemo-ssu21:23
*** ruskie has joined #maemo-ssu21:25
*** luf has joined #maemo-ssu21:31
*** ruskie has quit IRC21:31
*** ruskie has joined #maemo-ssu21:33
lufDocScrutinizer05: Maybe I miss something but nfs v4 with rpc.idmapd doesn't need to have same uids gids on client and server.21:38
DocScrutinizer05luf: sorry, this is too fuzzy to help me out21:41
DocScrutinizer05https://xkyle.com/solving-the-nfs-16-group-limit-problem/comment-page-1/#comment-5294 is describing exactly what we see on maemo infra. And removing the --manage-gids option should fix stuff for that system21:44
lufhttp://mg.pov.lt/maemo-ssu-irclog/latest.log.html#t2013-04-11T00:32:2121:46
lufOk maybe I understood it wrong way.21:47
*** BCMM has joined #maemo-ssu21:48
DocScrutinizer05our IDs are not in sync on the NFS-linked mahines. Particularly on server side the groups are not defined as needed, so --manage-gids will make things fail for that configuration21:49
DocScrutinizer05NB that we're NOT sufering from >16 groups problem, we're suffering exactly from contrary: our system worked _without_ --manage-gids, and the supposed "fix" introduced by recent --manage-gids as default makes things start to fall apart, since our UID/GID and etc/group config never been in sync on both machines21:51
*** discopig has quit IRC21:54
*** luf has quit IRC21:58
*** discopig has joined #maemo-ssu22:02
*** discopig has joined #maemo-ssu22:02
*** M13 has quit IRC22:19
*** M4rtinK has joined #maemo-ssu22:21
*** FlameReaper has quit IRC22:30
*** MohammadAG has quit IRC22:32
*** futpib_ has quit IRC22:36
*** MohammadAG has joined #maemo-ssu22:39
*** Martix has joined #maemo-ssu23:07
*** LauRoman has quit IRC23:24
Pali~rescueos23:29
infobotextra, extra, read all about it, rescue-os is http://206.253.166.96/N900/rescueOS/23:29
*** dhbiker has quit IRC23:42
*** freemangordon has joined #maemo-ssu23:51
*** lizardo has quit IRC23:57

Generated by irclog2html.py 2.15.1 by Marius Gedminas - find it at mg.pov.lt!