*** NIN101 has quit IRC | 00:07 | |
*** Martix_ has quit IRC | 00:08 | |
merlin1991 | kerio: I tried to but apt-mirror wants to dl 30GB each run | 00:19 |
merlin1991 | and I didn't find the time to debug that | 00:20 |
kerio | :( | 00:20 |
freemangordon | merlin1991: http://talk.maemo.org/showpost.php?p=1335313&postcount=1484 , could you put those packages in cssu-thumb? | 00:20 |
freemangordon | merlin1991: from CSSU-T 7.2 ofc | 00:21 |
merlin1991 | freemangordon: done | 00:26 |
freemangordon | merlin1991: thanks | 00:27 |
merlin1991 | about the cssu repo, I did what I could, but the rights system is seriously foobar and I need a higher authority than me to do something | 00:27 |
freemangordon | merlin1991: hmm, who, doc? | 00:28 |
Pali | [20:36:20] <DocScrutinizer05> merlin1991 has sufficient right to do what needs to be done on repos, if he's missing rights he will pester me and we'll fix stuff in 5min | 00:28 |
freemangordon | :nod: | 00:29 |
merlin1991 | Pali: the problem isn't a simple fix anymore | 00:29 |
merlin1991 | it's a policy thing about users and groups on several machines | 00:29 |
freemangordon | merlin1991: it was about the rights | 00:29 |
merlin1991 | the setup is friggin silly | 00:29 |
DocScrutinizer05 | indeed | 00:30 |
kerio | 5 years of cruft? | 00:30 |
kerio | bureaucratic cruft | 00:30 |
DocScrutinizer05 | we got no write permissions on a NFS mount despite the group is +w | 00:30 |
DocScrutinizer05 | the group/user ids between both machines aren't in sync | 00:30 |
kerio | oh god D: | 00:31 |
Pali | ah NFS :-) | 00:31 |
Pali | NFS (ver 1?) was maybe only one FS where mkdir was not atomic :D | 00:32 |
DocScrutinizer05 | my take is "it never will work flawlessly until we get those etc/passwd and etc/group files "synced", so num IDs for identical users/groups are identical on both machines | 00:32 |
merlin1991 | yeah but it makes no sense to sync all users and groups from drop to repo just for the cssu upload | 00:32 |
merlin1991 | we should simply ditch the old idea and set up something new | 00:32 |
DocScrutinizer05 | but it as well might be something completely different than what I suspect | 00:33 |
DocScrutinizer05 | I suggested to ditch the old cssu-testing group and add it anew on both machines, with identical numID | 00:33 |
DocScrutinizer05 | same for all related/involved users | 00:34 |
DocScrutinizer05 | can only be 2 or 3 | 00:34 |
*** Martix_ has joined #maemo-ssu | 00:35 | |
DocScrutinizer05 | you need to chown all files owned by any of those users/groups as well, when you do that | 00:35 |
* DocScrutinizer05 wonders if there really isn't a script already to do that friggin task | 00:35 | |
DocScrutinizer05 | not the first time somebody needs to change a user's numID on unix | 00:36 |
merlin1991 | DocScrutinizer05: the garage -> drop script would ruin that group on each run | 00:36 |
DocScrutinizer05 | err why? | 00:36 |
merlin1991 | hm actually not since it atm does not check group ids | 00:37 |
DocScrutinizer05 | look, aiui you log in on drop.m.o via ssh key, and you are member of group cssu-testing (or whatever) which is supposed to have write access to /mnt/incoming/foo/bar/dunnowhat | 00:39 |
DocScrutinizer05 | now that group has write access to the NFS seeding dir (I.E. on repo(?) side where the dir gets exported), and you have write access to it on the mounting side drop, if you are root, or you are others and the dir is others+w. You do NOT have write access on drop when you're member of cssu-testing group, despite the group has +w and numID is identical with the numID of your group on drop | 00:43 |
DocScrutinizer05 | and that's the bug | 00:43 |
DocScrutinizer05 | I think it can only be related to owner/group numID not in sync between the both machines | 00:44 |
DocScrutinizer05 | 1003 30550 4096 Apr 8 17:42 /var/repository/incoming/community-testing/fremantle/ | 00:45 |
DocScrutinizer05 | repository cssu-testing 4096 Apr 8 17:42 /var/repository/incoming/community-testing/fremantle/ | 00:45 |
DocScrutinizer05 | 1003 cssu-stable 4096 Mar 30 2012 /mnt/incoming/community/fremantle/ | 00:47 |
DocScrutinizer05 | root@vcs:/mnt/incoming/community-testing/fremantle# ll | 00:48 |
DocScrutinizer05 | 1003 cssu-testing 4096 May 30 2012 ./ | 00:49 |
DocScrutinizer05 | 1005 falk 4096 Oct 26 2010 ../ | 00:49 |
DocScrutinizer05 | 1003 and 1005 seem orphaned users on *both* machines | 00:50 |
merlin1991 | 1003 is "repository" on repo | 00:50 |
DocScrutinizer05 | ooh, ok | 00:51 |
DocScrutinizer05 | I created cssu-testing on vcs anyway | 00:51 |
DocScrutinizer05 | drop==vcs, for lurkers info | 00:52 |
* merlin1991 currently fixes his win7 newest system update resulted in bluescreen on boot | 00:55 | |
DocScrutinizer05 | joerg@vcs:~$ id | 00:57 |
DocScrutinizer05 | uid=30401(joerg) gid=30580(joerg) groups=30580(joerg),27(sudo),30550(cssu-testing) | 00:57 |
DocScrutinizer05 | joerg@vcs:~$ date >/mnt/incoming/community-testing/fremantle/xxx | 00:57 |
DocScrutinizer05 | -bash: /mnt/incoming/community-testing/fremantle/xxx: Permission denied | 00:57 |
DocScrutinizer05 | joerg@vcs:~$ ll -dn /mnt/incoming/community-testing/fremantle/ | 00:58 |
DocScrutinizer05 | drwxrwxr-x 2 1005 1005 4096 Apr 9 05:18 /mnt/incoming/community-testing/fremantle// | 00:58 |
DocScrutinizer05 | do NFS mounts need permissions on parent dirs? like the mount is vcs:/mnt/incoming/community-testing owned by 999:999 770, but the dir/file I wanna write to is vcs:/mnt/incoming/community-testing/fremantle/xxxx and that dir is owned by me but still I mustn't write since I'm not owner of parent dir? | 01:07 |
*** Martix_ has quit IRC | 01:11 | |
DocScrutinizer05 | sg when not fixed so at least solved the miracle | 01:13 |
ShadowJK | I do not believe parent dir needs write permissions | 01:14 |
DocScrutinizer05 | yeah, evidently not | 01:14 |
DocScrutinizer05 | but afaik there are differing concepts about applying auxiliary groups of a user automatically | 01:15 |
ShadowJK | considering users dont have write to / or /home either, but do have to /home/user/ | 01:15 |
DocScrutinizer05 | while this might work on a local machine, since the local machine has access to /etc/groups | 01:15 |
DocScrutinizer05 | ...it is prone to fail on a NFS mount | 01:15 |
*** Martix has joined #maemo-ssu | 01:16 | |
DocScrutinizer05 | joerg@vcs:~$ id | 01:16 |
DocScrutinizer05 | uid=30401(joerg) gid=30580(joerg) groups=30580(joerg),27(sudo),30550(cssu-testing) | 01:16 |
DocScrutinizer05 | joerg@vcs:~$ date >/mnt/incoming/community-testing/fremantle/xxx | 01:16 |
DocScrutinizer05 | bash: /mnt/incoming/community-testing/fremantle/xxx: Permission denied | 01:16 |
DocScrutinizer05 | joerg@vcs:~$ sg cssu-testing | 01:16 |
DocScrutinizer05 | joerg@vcs:~$ id | 01:16 |
DocScrutinizer05 | uid=30401(joerg) gid=30550(cssu-testing) groups=30580(joerg),27(sudo),30550(cssu-testing) | 01:16 |
DocScrutinizer05 | joerg@vcs:~$ date >/mnt/incoming/community-testing/fremantle/xxxx | 01:16 |
DocScrutinizer05 | joerg@vcs:~$ ls -l /mnt/incoming/community-testing/fremantle/xxx | 01:17 |
DocScrutinizer05 | -rw-rw-r-- 1 dkothari hayrinenk 29 Apr 9 05:18 /mnt/incoming/community-testing/fremantle/xxx | 01:17 |
*** Pali has quit IRC | 01:18 | |
DocScrutinizer05 | meh | 01:18 |
DocScrutinizer05 | -rw-r--r-- 1 joerg cssu-testing 29 Apr 10 22:11 xxxx | 01:18 |
DocScrutinizer05 | the NFS server can't know about user's auxiliary groups on client | 01:19 |
*** MohammadAG has joined #maemo-ssu | 01:32 | |
ShadowJK | nfs usually doesn't care about user or group names, it's all numerical.. So, user 'jk' with uid 500 on machine 1, would not have access over nfs to machine 2 to a user 'jk' uid 501.. but would have access to user 'kj' uid 500 | 02:02 |
ShadowJK | though there's modern stuff these days that might "fix" that, but I'm not up to date on it :/ | 02:03 |
*** kolp has quit IRC | 02:10 | |
DocScrutinizer05 | ShadowJK: the problem is more like: a user jk with primary group 999, aux-groups:12,13,20,21 will not have access to a dir with owner:group 4711:20, despite group:20 is in his aux-groups | 02:39 |
DocScrutinizer05 | he needs to do `sg 20` which is allowed any time to users who have that group in their auxgroups, and then access to that 4711:20 dir will work | 02:40 |
DocScrutinizer05 | see above! while I had no access as >>uid=30401(joerg) gid=30580(joerg)<<, I was allowed as >> uid=30401(joerg) gid=30550(cssu-testing)<< to write to /mnt/incoming/community-testing/fremantle root:cssu-testing | 02:43 |
DocScrutinizer05 | it's kinda like s(et)u(ser) but for group: s(et)g(roup) cssu-testing | 02:44 |
DocScrutinizer05 | just it's not needed (anymore?) on recent unix systems since on local dirs the fs checks your auxiliary groups if you *could* have done sg and thus would have been allowed to access that dir. This however doesn't work for NFS mounts, for relatively obvious reasons | 02:45 |
*** Martix has quit IRC | 02:47 | |
DocScrutinizer05 | maybe NFS even has a mount parameter that allows feedback from server to client about "group doesn't match" and then client's nfs fs driver would check locally and do an implicit sg and repeat the request | 02:48 |
DocScrutinizer05 | if there's such a nfs mount parameter, then I don't know about it | 02:48 |
ShadowJK | Actually I thought access controls were done on nfs client | 03:09 |
*** M4rtinK has quit IRC | 03:36 | |
DocScrutinizer05 | well, obviously not to the extent that it checks server's dir permissions and owner:group prior to sending a RPC | 03:45 |
DocScrutinizer05 | I duuno the details since I never looked at the gory internal details of NFS, but the diagnostics are unambiguous | 03:46 |
DocScrutinizer05 | see above | 03:46 |
DocScrutinizer05 | s/duuno/dunno/ | 03:47 |
*** sunny_s has quit IRC | 04:20 | |
*** arcean has quit IRC | 04:23 | |
*** sunny_s has joined #maemo-ssu | 04:23 | |
*** amiconn_ has joined #maemo-ssu | 05:01 | |
*** amiconn has quit IRC | 05:02 | |
*** amiconn_ is now known as amiconn | 05:02 | |
*** tg has quit IRC | 05:03 | |
*** tg has joined #maemo-ssu | 05:07 | |
*** LauRoman has quit IRC | 05:14 | |
*** tg has quit IRC | 05:44 | |
*** tg has joined #maemo-ssu | 05:47 | |
*** amiconn has quit IRC | 05:59 | |
*** amiconn_ has joined #maemo-ssu | 05:59 | |
*** amiconn_ is now known as amiconn | 05:59 | |
*** tg has quit IRC | 06:02 | |
*** DocScrutinizer05 has quit IRC | 06:04 | |
*** DocScrutinizer05 has joined #maemo-ssu | 06:04 | |
*** tg has joined #maemo-ssu | 06:05 | |
*** Raimu-Z has quit IRC | 06:20 | |
*** Raimu-Z has joined #maemo-ssu | 06:21 | |
*** tg has quit IRC | 06:21 | |
*** tg has joined #maemo-ssu | 06:25 | |
*** int_ua has joined #maemo-ssu | 07:39 | |
*** nox- has quit IRC | 07:50 | |
*** FReaper has quit IRC | 09:17 | |
*** FReaper has joined #maemo-ssu | 09:19 | |
*** M13 has joined #maemo-ssu | 09:25 | |
*** freemangordon has quit IRC | 09:44 | |
*** entitled has quit IRC | 09:48 | |
* amiconn didn't see the described nfs behaviour so far, but then didn't specifically test it either | 09:48 | |
amiconn | Maybe it depends on the nfs version in use? | 09:48 |
*** freemangordon has joined #maemo-ssu | 09:49 | |
*** kolp has joined #maemo-ssu | 10:18 | |
*** Raimu has quit IRC | 10:30 | |
*** dhbiker has joined #maemo-ssu | 10:30 | |
*** Raimu has joined #maemo-ssu | 10:31 | |
*** M4rtinK has joined #maemo-ssu | 10:34 | |
*** FlameReaper has joined #maemo-ssu | 10:40 | |
*** FReaper has quit IRC | 10:40 | |
*** M4rtinK has quit IRC | 11:24 | |
*** Pali has joined #maemo-ssu | 11:35 | |
*** futpib has joined #maemo-ssu | 12:19 | |
*** futpib has quit IRC | 12:36 | |
*** M13 has quit IRC | 12:37 | |
*** futpib has joined #maemo-ssu | 12:39 | |
*** futpib has quit IRC | 13:04 | |
*** Martix has joined #maemo-ssu | 13:15 | |
*** Martix has quit IRC | 13:22 | |
*** sunny_s has quit IRC | 13:22 | |
*** futpib has joined #maemo-ssu | 13:31 | |
DocScrutinizer05 | any additional input appreciated | 13:49 |
DocScrutinizer05 | you just need a NFS mount with a dir that's 770 n:42(thegroup), and a user that has id UID=<x>(username ) group=<y>(somegroup) groups=...42(thegroup)... | 13:53 |
DocScrutinizer05 | or: cd <nfs-mount>; mkdir xy; chown :4711 xy; chmod 770 xy; adduser -G 4711 testuser; su - testuser; cd <nfs-mount>; date >xy/xyz; echo "this will have failed"; sg 4711; date >xy/xyz; echo "this will have succeeded" | 13:57 |
*** unclouded has quit IRC | 13:58 | |
DocScrutinizer05 | ^^^ no warranties, those commands are typed "blindly" | 13:59 |
*** futpib has quit IRC | 14:00 | |
*** futpib has joined #maemo-ssu | 14:01 | |
amiconn | If group ids and user ids of server and client are in sync, permissions defined by secondary groups should work as long as the user is in no more than 16 groups | 14:02 |
amiconn | If the user has more than 16 groups, the server should be started using the --manage-gids option, and then group membership on server and client must also match | 14:03 |
amiconn | This option will make the server look up the user's group membership locally | 14:04 |
DocScrutinizer05 | HEY! :-)) | 14:05 |
DocScrutinizer05 | where from you got that? | 14:05 |
amiconn | Teh incredible Google... | 14:06 |
DocScrutinizer05 | it perfectly explains our situation, since our user/group id's are _not_ in sync | 14:06 |
amiconn | E.g. here: https://xkyle.com/solving-the-nfs-16-group-limit-problem/ | 14:06 |
DocScrutinizer05 | thanks a ton! | 14:08 |
DocScrutinizer05 | https://xkyle.com/solving-the-nfs-16-group-limit-problem/comment-page-1/#comment-5294 is to the poibt | 14:52 |
DocScrutinizer05 | point even | 14:52 |
*** lizardo has joined #maemo-ssu | 14:56 | |
*** futpib_ has joined #maemo-ssu | 15:29 | |
*** futpib has quit IRC | 15:29 | |
*** LauRoman has joined #maemo-ssu | 15:36 | |
*** FlameReaper has quit IRC | 16:11 | |
*** Martix has joined #maemo-ssu | 16:36 | |
*** Martix_ has joined #maemo-ssu | 16:37 | |
*** Martix has quit IRC | 16:37 | |
*** DocScrutinizer51 has quit IRC | 17:00 | |
*** DocScrutinizer51 has joined #maemo-ssu | 17:00 | |
*** Martix_ has quit IRC | 17:01 | |
*** DocScrutinizer51 has quit IRC | 17:18 | |
*** DocScrutinizer51 has joined #maemo-ssu | 17:18 | |
*** Martix has joined #maemo-ssu | 17:37 | |
*** M13 has joined #maemo-ssu | 17:50 | |
*** Martix has quit IRC | 18:10 | |
*** NIN101 has joined #maemo-ssu | 19:01 | |
*** tg has quit IRC | 19:37 | |
*** tg has joined #maemo-ssu | 19:41 | |
*** M13 has quit IRC | 19:56 | |
*** M13 has joined #maemo-ssu | 19:56 | |
*** amiconn has quit IRC | 19:57 | |
*** amiconn has joined #maemo-ssu | 19:57 | |
*** Vlad_on_the_road has joined #maemo-ssu | 19:59 | |
*** FlameReaper has joined #maemo-ssu | 20:06 | |
*** discopig has quit IRC | 20:37 | |
*** discopig has joined #maemo-ssu | 20:45 | |
*** discopig has joined #maemo-ssu | 20:47 | |
*** discopig has joined #maemo-ssu | 20:47 | |
*** freemangordon has left #maemo-ssu | 21:01 | |
*** ruskie has quit IRC | 21:12 | |
*** nox- has joined #maemo-ssu | 21:22 | |
*** nox- has joined #maemo-ssu | 21:23 | |
*** ruskie has joined #maemo-ssu | 21:25 | |
*** luf has joined #maemo-ssu | 21:31 | |
*** ruskie has quit IRC | 21:31 | |
*** ruskie has joined #maemo-ssu | 21:33 | |
luf | DocScrutinizer05: Maybe I miss something but nfs v4 with rpc.idmapd doesn't need to have same uids gids on client and server. | 21:38 |
DocScrutinizer05 | luf: sorry, this is too fuzzy to help me out | 21:41 |
DocScrutinizer05 | https://xkyle.com/solving-the-nfs-16-group-limit-problem/comment-page-1/#comment-5294 is describing exactly what we see on maemo infra. And removing the --manage-gids option should fix stuff for that system | 21:44 |
luf | http://mg.pov.lt/maemo-ssu-irclog/latest.log.html#t2013-04-11T00:32:21 | 21:46 |
luf | Ok maybe I understood it wrong way. | 21:47 |
*** BCMM has joined #maemo-ssu | 21:48 | |
DocScrutinizer05 | our IDs are not in sync on the NFS-linked machines. Particularly on server side the groups are not defined as needed, so --manage-gids will make things fail for that configuration | 21:49 |
DocScrutinizer05 | NB that we're NOT suffering from >16 groups problem, we're suffering exactly from contrary: our system worked _without_ --manage-gids, and the supposed "fix" introduced by recent --manage-gids as default makes things start to fall apart, since our UID/GID and etc/group config never been in sync on both machines | 21:51 |
*** discopig has quit IRC | 21:54 | |
*** luf has quit IRC | 21:58 | |
*** discopig has joined #maemo-ssu | 22:02 | |
*** discopig has joined #maemo-ssu | 22:02 | |
*** M13 has quit IRC | 22:19 | |
*** M4rtinK has joined #maemo-ssu | 22:21 | |
*** FlameReaper has quit IRC | 22:30 | |
*** MohammadAG has quit IRC | 22:32 | |
*** futpib_ has quit IRC | 22:36 | |
*** MohammadAG has joined #maemo-ssu | 22:39 | |
*** Martix has joined #maemo-ssu | 23:07 | |
*** LauRoman has quit IRC | 23:24 | |
Pali | ~rescueos | 23:29 |
infobot | extra, extra, read all about it, rescue-os is http://206.253.166.96/N900/rescueOS/ | 23:29 |
*** dhbiker has quit IRC | 23:42 | |
*** freemangordon has joined #maemo-ssu | 23:51 | |
*** lizardo has quit IRC | 23:57 |