Activity
  • Oct 18 12:14
    YanChii on master: [FIX] Security - use Safeloader…
  • Oct 18 12:14
    YanChii closed #560
  • Oct 18 12:14
    YanChii commented #560
  • Oct 17 06:30
    b1nslashsh commented #560
  • Oct 12 08:16
    marcheschi opened #564
  • Oct 11 08:44
    marcheschi commented #533
  • Oct 11 07:51
    marcheschi commented #561
  • Oct 09 15:47
    YanChii synchronize #563
  • Oct 09 15:47
    YanChii on issue-561: print to stderr
  • Oct 09 14:44
    YanChii milestoned #563
  • Oct 09 14:44
    YanChii assigned #563
  • Oct 09 14:44
    YanChii opened #563
  • Oct 09 14:43
    YanChii on issue-561: check real disk space before cr…
  • Oct 09 12:37
    YanChii commented #561
  • Oct 09 12:37
    YanChii commented #561
  • Oct 09 11:18
    YanChii commented #561
  • Oct 07 13:07
    marcheschi commented #561
  • Oct 07 11:43
    marcheschi commented #561
  • Oct 07 10:46
    marcheschi commented #561
  • Oct 07 09:21
    marcheschi commented #561
FilipFrancis
@FilipFrancis
Tried that, and I can see the key in the sandbox,
but it always complains about a secret key,
so no way to sign for the moment.
yanchii
@yanchii:matrix.org
[m]
did you import also the secret key?
FilipFrancis
@FilipFrancis
Yes, I think so.
Outside the sandbox I can see the secret key,
but inside the sandbox it gives me the following error:
gpg2 --list-secret-keys
gpg: NOTE: trustdb not writable
yanchii
@yanchii:matrix.org
[m]
try adding
--no-default-keyring --keyring /opt/local/etc/gnupg/pkgsrc.gpg
FilipFrancis
@FilipFrancis
in the sandbox?
yanchii
@yanchii:matrix.org
[m]
yes
and also with the private key import command
FilipFrancis
@FilipFrancis
Hmm, not much is happening.
gpg2 --no-default-keyring --keyring /opt/local/etc/gnupg/pkgsrc.gpg
gpg: Go ahead and type your message ...
still waiting
yanchii
@yanchii:matrix.org
[m]
I don't remember exactly… it was always a pain to set it up… so I try to avoid doing it by keeping the same env running as long as possible.
FilipFrancis
@FilipFrancis
Yeah, I guess. Man, this is a pain in the ....
yanchii
@yanchii:matrix.org
[m]
You're missing the subcommand there:
gpg --list-secret-keys --no-default-keyring --keyring /opt/local/etc/gnupg/pkgsrc.gpg
FilipFrancis
@FilipFrancis
Getting the same error with trustdb:
gpg --list-secret-keys --no-default-keyring --keyring /opt/local/etc/gnupg/pkgsrc.gpg
yanchii
@yanchii:matrix.org
[m]
gpg --no-default-keyring --keyring /opt/local/etc/gnupg/pkgsrc.gpg --import secretkey.asc
Not sure what's going on.
FilipFrancis
@FilipFrancis
gpg2 --list-secret-keys --no-default-keyring --keyring /opt/local/etc/gnupg/pkgsrc.gpg
gpg: NOTE: trustdb not writable
yanchii
@yanchii:matrix.org
[m]
And is the pkgsrc.gpg or the /root dir really writable?
FilipFrancis
@FilipFrancis
No, I checked and that is not writable.
And I tried to run the sandbox with that /root/.gpg as RW, but then the sandbox does not boot.
But running outside the sandbox I see the keys and secrets.
yanchii
@yanchii:matrix.org
[m]
For some reason you have a gpg2 command and I have only gpg.
Either something has changed since I did it last time or there's something wrong.
FilipFrancis
@FilipFrancis
The Joyent doc was using gpg2,
so I did everything in gpg2,
but even with gpg it still gives me the same error.
Tried both.
yanchii
@yanchii:matrix.org
[m]
ok, now I'm officially out of ideas. Maybe try to start over with older zone. Last zone I've set up from scratch was 2018Q4 (official smartos compile image).
FilipFrancis
@FilipFrancis
OK, will try tomorrow, need to do some other stuff now.
Thanks.
yanchii
@yanchii:matrix.org
[m]
After that I've just updated git and the pkgsrc bootstrap.
klebed
@klebed:matrix.org
[m]

After moving to dns02 when dns01 died with the server, I realized that my dns01 had some custom settings, which I have to reproduce. I have 2 public bind9 servers which serve all my zones to the public. I've just made pdns forcefully notify them both of all changes and allow them to query AXFR after that. It's a simple and versatile way to spread all zones to your own nameservers. Maybe it's worth making configurable options in DC for allow-axfr-ips and also-notify. And also I had to change the db connection to the vIP, because by default it was pointed to mgmt01.

So bringing up a dns02 machine isn't just setting metadata and running from the image, though. =)

BTW, yanchii, what do I have to change if I swap the motherboard? Only change the MAC addresses in /usbkey/config?
yanchii
@yanchii:matrix.org
[m]
yes, that should be all
yanchii
@yanchii:matrix.org
[m]
you're probably lucky… I've implemented zone transfers in latest DC version :)
I won't say Danube Cloud / SmartOS is more secure, but the above news surely gives us back some credits for not using the mainstream VM providers 🤭
Jan Poctavek
@YanChii
nice zero day :)
Solaris had very good security… AFAIK no break out of the zone was ever discovered
Jan Poctavek
@YanChii
but there certainly are some possible attack vectors (e.g. metadata daemon running in GZ connectable from every VM, vxlans open kernel port, no ipsec2… and DC GUI on top of it)
infinity202
@infinity202

grrrr ;-( It's me again. I rebooted the headnode and the compute node, which both boot from iPXE.
The headnode should be booting from https://pxe.danubecloud.org/pxe/esdc-hn-latest.ipxe but it doesn't do that (or at least the SmartOS OS version is still 2020xxxx).
The compute node has rebooted and is running the latest version.

Headnode esdc_20200715T230801Z
Compute node esdc_20210711T112647Z

Both servers are at ESD version 4.5