The Debian technical committee vote concludes
The Debian technical committee vote concludes
Posted Feb 12, 2014 0:17 UTC (Wed) by jspaleta (subscriber, #50639)In reply to: The Debian technical committee vote concludes by proski
Parent article: The Debian technical committee vote concludes
Let me sum up for you...
systemd upstream ships what they consider as safe default for the general case. It is possible for local admins and distribution vendors to override this default with an additional config file on the system.
Debian systemd maintainers so far don't see a reason to diverge from the default value as local admins who are choosing to switch over the systemd as an alternative init can drop in local systemd config to get whatever mask is appropriate for local policy. There is an expectation that when flipping over to an alternative init, you are going to need to reconfig to some extent.
Now that systemd is going to be the new default, this is one of the integration issues that is going to end up being a Debian policy discussion as to what is the best default mask to use for new installs and the debian systemd maintainers may need to diverge from upstream to accommodate Debian policy on that.
And the harder problem is how to adequately deal with upgrades for systems that have a different mask value set locally via legacy mechanisms. Answering this question may require developing a technical solution to migrate local configs as part of that upgrade. This is exactly the sort of work that was blocking on systemd being chosen as a default. Now the systemd is a default choice, the upgrade case becomes much more important.
Posted Feb 12, 2014 7:51 UTC (Wed)
by ovitters (guest, #27950)
[Link] (1 responses)
Posted Feb 12, 2014 8:19 UTC (Wed)
by jspaleta (subscriber, #50639)
[Link]
Posted Feb 17, 2014 14:19 UTC (Mon)
by nye (subscriber, #51576)
[Link] (16 responses)
> Let me sum up for you...
> systemd upstream ships what they consider as safe default for the general case.
Woah, that's pretty eye-opening. Suddenly I'm finding myself less pro-systemd, and far more sympathetic to those complaining about overreach.
First, that's a setting that systemd has no business touching; it's entirely outside its remit.
This is the sort of policy change that you'd never notice until it bit you, and it makes me wonder how many other unrelated policy changes systemd might be making behind my back when I start using it, and how I would know about them before it's too late. I'm especially worried about this because that particular choice is a strong signal that the people in question have dangerously poor judgement when it comes to picking defaults.
Posted Feb 17, 2014 17:44 UTC (Mon)
by jspaleta (subscriber, #50639)
[Link] (15 responses)
What in particular am I unable to do on my Fedora workstation right now with the mask set to 16 that I have so far not noticed?
The default is arguable. Fine. Most defaults are. Your distribution vendor can ship the config that makes sense to meet their distribution policy.
Posted Feb 17, 2014 17:51 UTC (Mon)
by andresfreund (subscriber, #69562)
[Link] (14 responses)
Restart a crashed server?
2 - enable control of console logging level
I see pretty little reason to not allow 16, 32, 128 for local keyboards. And it's not like you easily hit those by accident like it was the case with the X key combo.
Posted Feb 17, 2014 18:02 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (2 responses)
Posted Feb 17, 2014 18:07 UTC (Mon)
by andresfreund (subscriber, #69562)
[Link] (1 responses)
Posted Feb 17, 2014 18:12 UTC (Mon)
by jspaleta (subscriber, #50639)
[Link]
Posted Feb 17, 2014 18:09 UTC (Mon)
by jspaleta (subscriber, #50639)
[Link] (10 responses)
The best value for a particular workload is arguable. I'm not arguing it isn't. All I'm saying is that 16 appears to be sufficient for my workloadand my usage pattern.
And I am saying is that whatever the _default_ is upstream, distribution vendors are going to have to evaluate that and then provide an override configuration and provide the _default_ that makes sense for their distro policy. And then individual admins will then override that distro default with a value that best meets their own local policy or need.
We are talking about a default config value. It needs to be something, and arguing over a reconfigurable default can quickly become bikeshedding.
Posted Feb 17, 2014 18:16 UTC (Mon)
by andresfreund (subscriber, #69562)
[Link] (9 responses)
Well, then make it "restart a crashed workstation". Trying to loose as little data as possible. In which case you want to do a sync, remount readonly, sync, boot. Which isn't possible anymore.
I think the cases where you do want it disabled primarily is internet cafes and such, but you need to change so much for that that one more sysctl to change isn't a problem.
> We are talking about a default config value. It needs to be something, and arguing over a reconfigurable default can quickly become bikeshedding.
Posted Feb 17, 2014 18:28 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (5 responses)
Posted Feb 17, 2014 18:30 UTC (Mon)
by andresfreund (subscriber, #69562)
[Link] (4 responses)
Posted Feb 17, 2014 18:38 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (3 responses)
Posted Feb 18, 2014 10:21 UTC (Tue)
by nye (subscriber, #51576)
[Link] (2 responses)
Matthew, I know you're a smart guy: can you hear yourself right now? Do you realise how absurdly unreasonable your position has become in just a couple of posts?
Imagine you're trying to talk to somebody being as willfully obstructive as you currently are; would you feel that they are having a discussion in good faith, or just taking a position out of contrariness because they like to argue?
Posted Feb 18, 2014 15:17 UTC (Tue)
by mjg59 (subscriber, #23239)
[Link] (1 responses)
Posted Feb 20, 2014 13:05 UTC (Thu)
by nye (subscriber, #51576)
[Link]
No, the post you were responding to was not about servers; the topic was about workstations by that point. This is a crucial difference, because workstations often don't even have any kind of remote network access configured at all, and even when it is, it isn't the normal way to access them.
As it happens, I was actually bitten very mildly[0] by this problem last weekend while trying out OpenSUSE, though at the time I just assumed it was the distro that had made the weird choice of default. The situation there is that shutdown had apparently hung, and I wanted to reboot the machine without just hitting the reset button.
Doing that remotely would have required that I'd enabled the ssh server (not sure if I'd got that far), go downstairs, turn on my partner's computer, see if I could guess her password, download an SSH client, get my SSH key from a backup, and finally log in to the machine in question and start the laborious process of sending signal 15 to every process (I'm sure there's an easy way to do that, but I don't know it because the magic sysrq key has always been the easiest way to do it). Except that I'm pretty sure this happened after the network had been brought down, so all that would have been for naught.
Contrived? Maybe, but certainly less uncommon than somebody trying some kind of shared kiosk system using only out of the box default configurations.
>For no real change in your ability to recover servers
>you gain physical access to the keyboard no longer providing the ability to trivially DoS the running system.
One: You don't actually gain that, because that requires so many other changes that setting this one option is trivial in comparison. It is obviously the case that the default set up for any system requires that a person with access to the keyboard be able to reboot the machine, and changing that for some specific use case is going to mean massive changes to the running environment. So why bother setting just this one option, probably the easiest part of the job, when the actual task you appear to be doing it *for* is so much larger?
Two: You are giving some highly contrived example of an extremely specific, wildly unusual custom requirement, and using it as an explanation for changing the default for everyone. This is exactly the kind of thing people are talking about when they complain about insane defaults; defaults should be selected for the common case, not the most weird case you can think of, *especially* when that case will require enormous additional work anyway.
Both of these two points apply to servers just as well as workstations BTW, however for servers the effect is mitigated somewhat because remote login is a more realistic scenario.
[0] I say 'very mildly' because in this case it was a test system where I didn't care much about the outcome, and waiting a few minutes for some timeout to happen allowed it to continue anyway. The problem is correlated with having cifs shares in fstab, and I think the issue is that systemd doesn't know that bringing down the network needs to be done *after* unmounting those shares, but I've not yet investigated what the recommended modern way is of configuring network mount. Probably not 'just stick it in fstab like it's 1999', anyway.
Posted Feb 17, 2014 18:45 UTC (Mon)
by jspaleta (subscriber, #50639)
[Link] (2 responses)
But lets talk historic usage.
Now what is really interesting is that sysctl.conf file is owned by the initscripts package on centos 5. The initscripts package on centos requires sysvinit.
Now in fedora using systemd, this configuration has been expanded and abstracted so that you can use multiple files in sysctl.d directory similar to how udev rules layer.
Now if debian never had a configuration file similar to sysctl.conf for sysvinit scripts to use, then this configuration would be a new feature. Debian could choose to nuke all the sysctl.d files entirely, or replace the values in upstream shipped files, or drop in a vendor specific file to override the upstream supplied defaults. It's completely understandable if systemd provides new, configurable, functionality that Debian policy isn't ready to integrate yet. But again this is a debian policy issue on how to configure this. I'm not going to make any suggestions as to what default setting Debian should use.. its one of the integration issues Debian is going to have to figure out as part of the transition.
Posted Feb 17, 2014 18:53 UTC (Mon)
by andresfreund (subscriber, #69562)
[Link] (1 responses)
Well, there are goddamn good reasons to switch away from sysvinit. And I am happy debian does so. But I don't see good reasons for this particular change. And I have yet to see somebody argue why the new value is better.
This doesn't make systemd bad overall. There's no single nontrivial piece of software where I agree with everything. Not even if it's solely written by myself.
Posted Feb 17, 2014 19:34 UTC (Mon)
by smurf (subscriber, #17840)
[Link]
Actually, being more restrictive makes sense in RH's context. If you have physical access to a locked-down server, all you can do to wreak havoc is to pull the plug or press the power button, which is (a) immediately obvious to monitoring and (b) shouldn't hurt too badly.
On the other hand, if you plug in a keyboard (trivial) and press SysRq+Readonly, the machine will still respond positively to most attempts at monitoring … so that your tampering may not be discovered for hours.
Anyway, something minor like that won't affect my (positive) opinion about the switch.
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
Second, assuming I've understood the meaning of the mask correctly, that default is mad; it's clearly not in any way sane for the general case. An argument could be made for setting it to 48 or 80 (I'd disagree vehemently, but I can see that the argument could be made), but just 16 is almost completely useless because there's no point in being able to sync buffers if you can't also stop them being dirtied.
The Debian technical committee vote concludes
The Debian technical committee vote concludes
4 - enable control of keyboard (SAK, unraw)
8 - enable debugging dumps of processes etc.
16 - enable sync command
32 - enable remount read-only
64 - enable signaling of processes (term, kill, oom-kill)
128 - allow reboot/poweroff
256 - allow nicing of all real-time tasks
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
We are talking about *changing* a longstanding default value.
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
Somebody obviously thought this feature was a real change, for it to have been implemented in the first place
The Debian technical committee vote concludes
On my centos 5 server, using sysvinit for init
the value for the defaults to a value of 0 and is configured in /etc/sysctl.conf
So the idea that this is outside of systemd's remit is arguable false in the context of Fedora and Red Hat. systemd as part of replacing sysvinit on these systems needs to also provide the equivalent of sysrq.conf for boot time configuration. systemd goes further and makes this configuration more flexible than what was previously provided.
The Debian technical committee vote concludes
The Debian technical committee vote concludes