The Debian technical committee vote concludes
The Debian technical committee vote concludes
Posted Feb 17, 2014 17:51 UTC (Mon) by andresfreund (subscriber, #69562)In reply to: The Debian technical committee vote concludes by jspaleta
Parent article: The Debian technical committee vote concludes
Restart a crashed server?
2 - enable control of console logging level
4 - enable control of keyboard (SAK, unraw)
8 - enable debugging dumps of processes etc.
16 - enable sync command
32 - enable remount read-only
64 - enable signaling of processes (term, kill, oom-kill)
128 - allow reboot/poweroff
256 - allow nicing of all real-time tasks
I see pretty little reason to not allow 16, 32, 128 for local keyboards. And it's not like you easily hit those by accident like it was the case with the X key combo.
Posted Feb 17, 2014 18:02 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (2 responses)
Posted Feb 17, 2014 18:07 UTC (Mon)
by andresfreund (subscriber, #69562)
[Link] (1 responses)
Posted Feb 17, 2014 18:12 UTC (Mon)
by jspaleta (subscriber, #50639)
[Link]
Posted Feb 17, 2014 18:09 UTC (Mon)
by jspaleta (subscriber, #50639)
[Link] (10 responses)
The best value for a particular workload is arguable. I'm not arguing it isn't. All I'm saying is that 16 appears to be sufficient for my workloadand my usage pattern.
And I am saying is that whatever the _default_ is upstream, distribution vendors are going to have to evaluate that and then provide an override configuration and provide the _default_ that makes sense for their distro policy. And then individual admins will then override that distro default with a value that best meets their own local policy or need.
We are talking about a default config value. It needs to be something, and arguing over a reconfigurable default can quickly become bikeshedding.
Posted Feb 17, 2014 18:16 UTC (Mon)
by andresfreund (subscriber, #69562)
[Link] (9 responses)
Well, then make it "restart a crashed workstation". Trying to loose as little data as possible. In which case you want to do a sync, remount readonly, sync, boot. Which isn't possible anymore.
I think the cases where you do want it disabled primarily is internet cafes and such, but you need to change so much for that that one more sysctl to change isn't a problem.
> We are talking about a default config value. It needs to be something, and arguing over a reconfigurable default can quickly become bikeshedding.
Posted Feb 17, 2014 18:28 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (5 responses)
Posted Feb 17, 2014 18:30 UTC (Mon)
by andresfreund (subscriber, #69562)
[Link] (4 responses)
Posted Feb 17, 2014 18:38 UTC (Mon)
by mjg59 (subscriber, #23239)
[Link] (3 responses)
Posted Feb 18, 2014 10:21 UTC (Tue)
by nye (subscriber, #51576)
[Link] (2 responses)
Matthew, I know you're a smart guy: can you hear yourself right now? Do you realise how absurdly unreasonable your position has become in just a couple of posts?
Imagine you're trying to talk to somebody being as willfully obstructive as you currently are; would you feel that they are having a discussion in good faith, or just taking a position out of contrariness because they like to argue?
Posted Feb 18, 2014 15:17 UTC (Tue)
by mjg59 (subscriber, #23239)
[Link] (1 responses)
Posted Feb 20, 2014 13:05 UTC (Thu)
by nye (subscriber, #51576)
[Link]
No, the post you were responding to was not about servers; the topic was about workstations by that point. This is a crucial difference, because workstations often don't even have any kind of remote network access configured at all, and even when it is, it isn't the normal way to access them.
As it happens, I was actually bitten very mildly[0] by this problem last weekend while trying out OpenSUSE, though at the time I just assumed it was the distro that had made the weird choice of default. The situation there is that shutdown had apparently hung, and I wanted to reboot the machine without just hitting the reset button.
Doing that remotely would have required that I'd enabled the ssh server (not sure if I'd got that far), go downstairs, turn on my partner's computer, see if I could guess her password, download an SSH client, get my SSH key from a backup, and finally log in to the machine in question and start the laborious process of sending signal 15 to every process (I'm sure there's an easy way to do that, but I don't know it because the magic sysrq key has always been the easiest way to do it). Except that I'm pretty sure this happened after the network had been brought down, so all that would have been for naught.
Contrived? Maybe, but certainly less uncommon than somebody trying some kind of shared kiosk system using only out of the box default configurations.
>For no real change in your ability to recover servers
>you gain physical access to the keyboard no longer providing the ability to trivially DoS the running system.
One: You don't actually gain that, because that requires so many other changes that setting this one option is trivial in comparison. It is obviously the case that the default set up for any system requires that a person with access to the keyboard be able to reboot the machine, and changing that for some specific use case is going to mean massive changes to the running environment. So why bother setting just this one option, probably the easiest part of the job, when the actual task you appear to be doing it *for* is so much larger?
Two: You are giving some highly contrived example of an extremely specific, wildly unusual custom requirement, and using it as an explanation for changing the default for everyone. This is exactly the kind of thing people are talking about when they complain about insane defaults; defaults should be selected for the common case, not the most weird case you can think of, *especially* when that case will require enormous additional work anyway.
Both of these two points apply to servers just as well as workstations BTW, however for servers the effect is mitigated somewhat because remote login is a more realistic scenario.
[0] I say 'very mildly' because in this case it was a test system where I didn't care much about the outcome, and waiting a few minutes for some timeout to happen allowed it to continue anyway. The problem is correlated with having cifs shares in fstab, and I think the issue is that systemd doesn't know that bringing down the network needs to be done *after* unmounting those shares, but I've not yet investigated what the recommended modern way is of configuring network mount. Probably not 'just stick it in fstab like it's 1999', anyway.
Posted Feb 17, 2014 18:45 UTC (Mon)
by jspaleta (subscriber, #50639)
[Link] (2 responses)
But lets talk historic usage.
Now what is really interesting is that sysctl.conf file is owned by the initscripts package on centos 5. The initscripts package on centos requires sysvinit.
Now in fedora using systemd, this configuration has been expanded and abstracted so that you can use multiple files in sysctl.d directory similar to how udev rules layer.
Now if debian never had a configuration file similar to sysctl.conf for sysvinit scripts to use, then this configuration would be a new feature. Debian could choose to nuke all the sysctl.d files entirely, or replace the values in upstream shipped files, or drop in a vendor specific file to override the upstream supplied defaults. It's completely understandable if systemd provides new, configurable, functionality that Debian policy isn't ready to integrate yet. But again this is a debian policy issue on how to configure this. I'm not going to make any suggestions as to what default setting Debian should use.. its one of the integration issues Debian is going to have to figure out as part of the transition.
Posted Feb 17, 2014 18:53 UTC (Mon)
by andresfreund (subscriber, #69562)
[Link] (1 responses)
Well, there are goddamn good reasons to switch away from sysvinit. And I am happy debian does so. But I don't see good reasons for this particular change. And I have yet to see somebody argue why the new value is better.
This doesn't make systemd bad overall. There's no single nontrivial piece of software where I agree with everything. Not even if it's solely written by myself.
Posted Feb 17, 2014 19:34 UTC (Mon)
by smurf (subscriber, #17840)
[Link]
Actually, being more restrictive makes sense in RH's context. If you have physical access to a locked-down server, all you can do to wreak havoc is to pull the plug or press the power button, which is (a) immediately obvious to monitoring and (b) shouldn't hurt too badly.
On the other hand, if you plug in a keyboard (trivial) and press SysRq+Readonly, the machine will still respond positively to most attempts at monitoring … so that your tampering may not be discovered for hours.
Anyway, something minor like that won't affect my (positive) opinion about the switch.
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
We are talking about *changing* a longstanding default value.
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
The Debian technical committee vote concludes
Somebody obviously thought this feature was a real change, for it to have been implemented in the first place
The Debian technical committee vote concludes
On my centos 5 server, using sysvinit for init
the value for the defaults to a value of 0 and is configured in /etc/sysctl.conf
So the idea that this is outside of systemd's remit is arguable false in the context of Fedora and Red Hat. systemd as part of replacing sysvinit on these systems needs to also provide the equivalent of sysrq.conf for boot time configuration. systemd goes further and makes this configuration more flexible than what was previously provided.
The Debian technical committee vote concludes
The Debian technical committee vote concludes