IRC chat logs for #ltsp on irc.libera.chat (webchat)


Channel log from 12 July 2015   (all times are UTC)

00:37gbaman has joined IRC (gbaman!~gbaman@host81-139-247-109.in-addr.btopenworld.com)
00:41gbaman has left IRC (gbaman!~gbaman@host81-139-247-109.in-addr.btopenworld.com, Ping timeout: 252 seconds)
01:39gbaman has joined IRC (gbaman!~gbaman@host81-139-247-109.in-addr.btopenworld.com)
01:53gbaman has left IRC (gbaman!~gbaman@host81-139-247-109.in-addr.btopenworld.com, Ping timeout: 256 seconds)
03:04Phantomas has left IRC (Phantomas!~Phantomas@ubuntu/member/phantomas, Ping timeout: 256 seconds)
04:04AlexPortable has left IRC (AlexPortable!uid7568@gateway/web/irccloud.com/x-xkawlbscnkdctaiw, Quit: Connection closed for inactivity)
05:36cyberorg has left IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg, Remote host closed the connection)
05:36cyberorg has joined IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg)
05:56ricotz has joined IRC (ricotz!~rico@ubuntu/member/ricotz)
05:57Freejack has left IRC (Freejack!~Freejack@unaffiliated/freejack, Ping timeout: 256 seconds)
06:00Freejack has joined IRC (Freejack!~Freejack@unaffiliated/freejack)
06:40work_alkisg is now known as alkisg
06:42
<alkisg>
maldridge: I don't think ansible can help in this case though, as it's probably missing all the functionality we'll need... check the directives at the lts.conf manpage, does ansible contain the code to implement any of them?
06:42vmlintu has joined IRC (vmlintu!~vmlintu@a91-152-200-70.elisa-laajakaista.fi)
06:42
<alkisg>
Hi vmlintu
06:42
<maldridge>
alkisg: I don't think ansible can handle any of it
06:42
<vmlintu>
hi
06:43
<maldridge>
as per my statement from yesterday, I'm pretty sure that you'll be writing most of this from scratch; above I was stating that ldap is a real pain to work with, and that my team had to use huge amounts of automation to make it palletable
06:43
<alkisg>
Yes I'm a bit worried about that... although, we still haven't got any good solution for authentication in ltsp
06:44
While vmlintu's team is successfully using ldap, kerberos etc...
06:44
<maldridge>
the alternative to full on ldap could be nis and kerberos
06:44
the problem with ldap is that it is part of the larger X.509 spec that is massively over-engineered, and as a result its upkeep requires lots of obscure and specialized knowledge
06:45
<alkisg>
I was looking at samba 4 some time ago, it seems less complicated and it would also support windows clients
06:45
<vmlintu>
maldridge: which ldap implementation did you use?
06:45
<maldridge>
vmlintu: openLDAP
06:46
vmlintu: I'm actually still waiting to hear back from ICANN on an OID ARC allocation request
06:47
alkisg: samba 4 looks awesome, the problem I ran into is that on several distros the default build flags are dumb
06:47
<vmlintu>
we got the oid allocation done without problems
06:47
<maldridge>
noteably freebsd, which is a shame since a samba file server on freebsd would be unstoppable
06:48
vmlintu: I don't expect to have any problems, but the point remains I shouldn't have to write ASN1 to specify additions to, for all intents and purposes, is a database
06:49
that, and its 2015, how is there not a field for storing pubkeys!?
06:49
<alkisg>
vmlintu: your code is using ruby while most of ltsp is using shell. Seeing that it's mostly about running sed, appending files etc, maybe shell is enough, and it would make contributions easier. Did you ever regret selecting ruby for this project?
06:50
<maldridge>
for clarity, which project do you work on vmlintu
06:50
<vmlintu>
alkisg: I'm pushing more and more code from shell to ruby, actually. Instead of sed'ing and appending, we are using templates. Also doing DNS and REST queries is a pain with shell..
06:51
maldridge: Puavo.. e.g. https://github.com/opinsys/puavo-users and everything else under https://github.com/opinsys
06:52
<alkisg>
And about python vs ruby, was it just about what you guys already knew better?
06:53
<vmlintu>
alkisg: we didn't really know either one back then.. python's ldap support was just worse, so we went with ruby on rails for the server side with activeldap
06:55
There are pieces that would be horrible with shell, like this printer discovery tool for laptops: https://github.com/opinsys/puavo-ltsp/blob/master/client/puavo-dnssd-printer-client
06:55
<alkisg>
vmlintu: about user management, are you using one of the existing ldap GUIs, or do you have something custom?
06:55
I wasn't proposing shell for everything, e.g. one can develop a python script to process templates, and then call it from the shell,
06:56
I was mainly referring to the language that the sysadmins would need to know in order to adapt the solution to their local needs
06:56
<maldridge>
alkisg: if you find a tool that can handle ldap and kerberos simultaneously, and that doesn't suck, please share
06:57
<alkisg>
I'd like to keep everything open, even the authentication system... so that it would be possible for contributors to create scripts for anything pam-based
06:57
<vmlintu>
alkisg: we built our own as none of the existing tools supported school structures - so that many schools share a single ldap directory and they can have local admins for their part
06:57
<alkisg>
Meh those are the parts that suck... we also had to develop our own tool here because none fit our needs
06:58
There's too much code duplication in the open source world :)
06:58
<vmlintu>
We had to create parts like smbkrb5pwd that syncs ldap, kerberos and samba passwords for openldap+mit krb5: https://github.com/opinsys/smbkrb5pwd
06:59
alkisg: also we didn't want to have uid numbers or ip addresses or anything else that wasn't actually required in the tool that configures users and client devices
06:59
<alkisg>
Ouch, so no clean solutions available there
06:59
<maldridge>
same, we wrote all our own tools to manage stuff
07:00
<vmlintu>
alkisg: smbkrb5pwd does have quite a few users nowadays, it seems, and it's been rock solid for the past year
07:00
<alkisg>
I think that this ^ means exactly that there's great need for such a tool in the distro repositories
07:00
<maldridge>
it'd be great, but it would have to support soo much stuff
07:01
<vmlintu>
maldridge: what kind of things do you mean?
07:01
<alkisg>
I think it would just need to be properly designed so that people could adapt it to their needs without forking it
07:02
<maldridge>
vmlintu: my site runs: a solaris ldap domain, 4 windows domains, an opendirectory, 2 full kerberos+ldap realms, and a legacy NIS domain; and all of those can talk to each other and auth from each other
07:03
if there was a tool that I could just plug in additional modules to to manage, that would be great
07:03
<vmlintu>
If you want something easy to use, you have to take opinions. It's not possible to make a tool that supports everything for everyone
07:03
<alkisg>
Isn't NIS considered a bit deprecated and insecure? Would it be wise to depend on it in some newly developed tool?
07:04
<maldridge>
alkisg: our NIS systems are solely on this one backplane that has to be kept up for... reasons
07:04
<alkisg>
Understood
07:04
<maldridge>
what would be awesome is if there was one tool where I could have a generic "user" and then it would go fetch through modules to all the backends a site might be running
07:05
I think that is the type of tool that would really take off for managing this stuff
07:06
<alkisg>
ltsp already supports customization and it's great in that regard... it's just not about "terminal services" anymore
07:06
<maldridge>
yeah, Active Directory Users and Computers really has been the gold standard for a long time with its generic objects
07:07
<alkisg>
We've tried using it for many years and failed, because it was very hard for I.T. teachers
07:08
<vmlintu>
If I've understood correctly, samba4's ldap doesn't allow customisation
07:09
<maldridge>
vmlintu: my understanding was that you could compile it to do passthrough ldap, which was the preferred way of customisation
07:09gbaman has joined IRC (gbaman!~gbaman@host81-139-247-109.in-addr.btopenworld.com)
07:09
<maldridge>
alkisg: agreed, its a very tough setup to grasp, but its something like that, where the user could be stored on any backend, that makes it work
07:10
<alkisg>
maldridge: can I specify that "computer X needs a resolution of 1024x768" in active directory?
07:10* alkisg would like to find better names for some directives like XRANDR_MODE_0, which sounds a bit silly...
07:11
<vmlintu>
Here's the schema Puavo uses: https://github.com/opinsys/puavo-ds/blob/master/master/schema/puavo.ldif
07:12
<maldridge>
alkisg: yes, but it is non-trivial
07:12
<alkisg>
vmlintu: which one is XRANDR_MODE_0 there?
07:12
maldridge: can I find the name of that configuration somewhere? How it would be called in active directory terms?
07:13
<maldridge>
alkisg: so AD has a concept of nodes, so that one is under machine policy, then under system, then graphics I think?
07:13
vmlintu: so are you not loading cosine or inetOrgPerson?
07:13
<alkisg>
http://www.kouti.com/tables/userattributes.htm does this one list the possible user attributes?
07:13
<vmlintu>
puavoDeviceResolution is the resolution for non-xrandr devices and puavoDeviceXrandr for xrandr
07:14gbaman has left IRC (gbaman!~gbaman@host81-139-247-109.in-addr.btopenworld.com, Ping timeout: 246 seconds)
07:14
<alkisg>
It would require the sysadmin to check if the device supports xrandr though...
07:14
<vmlintu>
maldridge: https://github.com/opinsys/puavo-ds/blob/master/master/lib/puavo-ds/templates/init_ldap.ldif.erb#L43
07:14
<maldridge>
alkisg: that's many of them, but there are more depending on what modules are loaded at runtime
07:15
vmlintu: do you have ldif for an example user anywhere?
07:15
it just looks like there's a lot of duplicated fields under your puavo.ldif
07:16
<alkisg>
maldridge, do you know why some variables are Separated-With-Dashes, others are camelCase, and others TitleCase? https://msdn.microsoft.com/en-us/library/ms675090%28v=vs.85%29.aspx
07:16
<vmlintu>
alkisg: actually, the resolution is set also for xrandr clients.. the puavoDeviceXrandr is for the actual xrandr commands if something special is needed
07:17
<alkisg>
vmlintu: cool, did you search for existing naming schemes or did you just select your own?
07:17* alkisg is trying to reuse existing knowledge and documentation as much as possible...
07:18
<vmlintu>
maldridge: not everything is actually in use anymore from the schema.. and we haven't tried really hard to reuse everything existing in the world..
07:18
<maldridge>
alkisg: it depends on what schema defines it as to how its names
07:18
<vmlintu>
So yes, there are probably attributes that might be defined in some other schema in the world
07:19
alkisg: naming scheme?
07:19
<maldridge>
vmlintu: ah, I've tried very hard to not define any new fields, I've only got 3 custom fields in play across the entire system
07:20
<alkisg>
vmlintu: I mean that e.g. MS has already defined a long list of attributes, https://msdn.microsoft.com/en-us/library/ms675090%28v=vs.85%29.aspx, and maybe for people that are already using those, it would make it easier to learn the puavo* or new lts.conf directives
07:20
As an example, Xorg already has a PreferredMode variable, why do we have to call it XRANDR_MODE_0?>
07:21
<maldridge>
careful, as vmlintu hinted at, chasing existing fields is a neverending challange
07:21
<vmlintu>
alkisg: normal users never see the attributes as they only use the web gui, so I don't think there's much sense to use some ms defined names that they don't know either
07:21
<alkisg>
vmlintu: the web gui doesn't list names? Just big combo boxes with a description like "The device resolution"?
07:22
<vmlintu>
maldridge: we use existing fields in all the places where there are other tools that use the information
07:22
alkisg: the web gui has human readable names that are different from the ldap attribute names
07:23
<alkisg>
I think that all scripts that implement directives should 1) define the directive name, 2) its short description, i.e. tooltip, and 3) its long description, i.e. manpage text
07:23
And the type and the possible values etc
07:23
So that the manpages and the GUIs would easily and correctly list all variables
07:24
<vmlintu>
alkisg: The resolution attributes are one of the oldest attributes and nowadays we don't add anything that describes only a value for some exotic script
07:24
<alkisg>
The ltsp-docs project proved that documenting it outside of the source tree doesn't work :)
07:24
<maldridge>
lol, the problem with doing that with ldap is that you have to define a lot of other things beyond short/long names
07:24
<alkisg>
gconf-editor can be used as the editor, I don't think there's need to develop a new one
07:25
...unless one wants something similar over the web, ok
07:25* maldridge has never figured out how to actually *use* gconf
07:26
<vmlintu>
Nowadays we are much better at taking opinions so that configuration values are not needed
07:26
<alkisg>
Waht are "opinions"?
07:26
<vmlintu>
E.g. we don't actually have a configuration variable to enable usb sticks on thin clients - they are always enabled
07:27
<alkisg>
Ah, you mean autodetection of things?
07:27
<vmlintu>
We support only lightdm, no ldm/gdm/kdm/xdm..
07:28
Only kerberos for authentication, no ldm or ldap or some other pam modules for it
07:28
<alkisg>
And if someone wanted something else, would he be able to do it without forking your code?
07:28
By just adding a few local scripts of his own?
07:29
So that he would still be able to get updates from you, without having to re-apply patches etc?
07:29
<vmlintu>
Without good reason I'm a bit against using something else..
07:29telex has left IRC (telex!teletype@freeshell.de, Remote host closed the connection)
07:30
<vmlintu>
But the lightdm part is encapsulated behind upstart, so disabling lightdm from upstart and running something else should work
07:30telex has joined IRC (telex!teletype@freeshell.de)
07:30
<vmlintu>
Since the configuration is done dynamically when lightdm starts, there are no scripts messing up settings if you did use something else
07:31
<alkisg>
Well suppose that someone is using stock fedora, he doesn't have lightdm and upstart... it would make it difficult for your package to get accepted in the fedora repositories if you weren't willing to accept contributions from the fedora packager to allow other DMs
07:32
<vmlintu>
Right now the Puavo client code is so dependant on upstart that it would require also other changes
07:32
<alkisg>
So at that point, you could say "ok, I expect a hook "dm-started", if the distro maintainers provide it, then my code will still work"
07:33
Gotcha... ltsp is also too dependant on netboot... I think a new, more generic tool is needed...
07:33
<vmlintu>
After systemd conversion everything should be more portable
07:33
<maldridge>
but only within systemd based distros
07:33
alkisg: nbd is awesome, that should be in more places
07:34
<vmlintu>
alkisg: removing the netboot requirement led us to abandon most of ltsp code
07:34
<alkisg>
We support NBD, AoE, NFS, and squashfs over NFS...
07:35
And opensuse supports clickfs or something... but they don't want to push their code to upstream ltsp because they're using their kiwi framework if I understand well
07:35
<maldridge>
I was more stating that I don't know of other places where NBD is in use, and I wish there were
07:35
<vmlintu>
Currently our code supports only NBD or image mounting from local partition
07:36
<alkisg>
iscsi is more widespread than nbd
07:37
Even aoe is...
07:37
<vmlintu>
alkisg: about opinions - after we decided that we go fully kerberos based and use puavo-rest for load balancing etc, ldm was replaced with this script: https://github.com/opinsys/puavo-ltsp/blob/master/client/puavo-desktop-session
07:37
<alkisg>
NBD can also be a bit unstable :-/
07:37
<maldridge>
yeah, but iscsi requires significant overhead to be stable at scale
07:38
<vmlintu>
alkisg: try nbd from our repos to see if it's more stable..
07:39
<alkisg>
vmlintu: you hardcode sessions there... I think that code shouldn't use hardcoded values, they should be in configuration files instead
07:40
<vmlintu>
alkisg: you mean the gnome-session?
07:40
<alkisg>
Yes
07:41
<vmlintu>
yes, that could be made configurable if we had a need for it
07:41
<alkisg>
Yup, I understand
07:41
Your solution is fine and it serves your needs very well
07:42
I'm afraid it's not very customizable though, I don't know if it could be ported to other distributions etc
07:42
And to other site's needs
07:43
Thanks for all the chat guys, /me goes on to do some work...
07:44
<maldridge>
gl;hf
07:44
<vmlintu>
Even if there was a configuration option there, the desktop settings are completely different if you run something else that gnome-session
07:47
alkisg: just to add - the server side of Puavo does not depend on some specific desktop environment, only the client code is coded with strong opinions on how the desktop should work
08:57Phantomas has joined IRC (Phantomas!~phantomas@ubuntu/member/phantomas)
09:11gbaman has joined IRC (gbaman!~gbaman@host81-139-247-109.in-addr.btopenworld.com)
09:16gbaman has left IRC (gbaman!~gbaman@host81-139-247-109.in-addr.btopenworld.com, Ping timeout: 240 seconds)
09:35gbaman has joined IRC (gbaman!~gbaman@host81-139-247-109.in-addr.btopenworld.com)
12:57uXus has left IRC (uXus!~uXus@217.77.222.72, Ping timeout: 256 seconds)
13:08uXus has joined IRC (uXus!~uXus@217.77.222.72)
14:54jammcq has joined IRC (jammcq!~jam@c-107-4-115-38.hsd1.mi.comcast.net)
14:56
<jammcq>
good morning friends
15:08
<alkisg>
Hi jammcq :)
15:08
<jammcq>
hey alkisg. hows it going? Things seem to still be pretty unstable there in your part of the world
15:09
<alkisg>
Very true :-/
15:09
Hopefully we won't lose our savings
15:09
<jammcq>
I try to read whatever I can to understand what's going on, but even after that, I don't really know what to think
15:17
<alkisg>
Things are indeed complicated, there are many sides that are neither white nor black
15:18
What I do know is that Greeks were working exactly the same 20 years ago and didn't have those issues
15:18
(and politicians weren't any better then, either...)
15:21
<jammcq>
it seems like the EU is acting like a bank. giving greece loans, but greece doesn't have the resources to make the loan payments
15:22
and the greek people are feeling the pressure of it
15:22
<alkisg>
I think the main problem there is that we didn't need the loans in the first place...
15:22
Or, that we shouldn't have gotten them
15:23
It was between politicians and the EU... the politicians were using them either for themselves or for the people in order to get votes, without real investments,
15:23
<jammcq>
corruption?
15:23
<alkisg>
and the EU was working as a bank, here's a loan, in a few years you'll pay it back double
15:23
Politicians that want votes... is normal, can't say it's sign of corruption
15:23
At that point the EU shouldn't have given any loans, but it's how they want to control countries
15:24vmlintu has left IRC (vmlintu!~vmlintu@a91-152-200-70.elisa-laajakaista.fi, Ping timeout: 246 seconds)
15:24
<jammcq>
yeah, I can see that
15:25vmlintu has joined IRC (vmlintu!~vmlintu@a91-152-200-70.elisa-laajakaista.fi)
15:26
<alkisg>
Now of course people in all countries have the right to yell, and the politicians and the eu officials that arranged all that have gone away, so it just sucks now, you can't easily pinpoint the blame
15:30F-GTSC has joined IRC (F-GTSC!~phantom@ppp121-44-32-254.lns20.syd4.internode.on.net)
15:33FGXR6 has left IRC (FGXR6!~phantom@ppp121-44-15-142.lns20.syd4.internode.on.net, Ping timeout: 244 seconds)
16:15vmlintu has left IRC (vmlintu!~vmlintu@a91-152-200-70.elisa-laajakaista.fi, Ping timeout: 255 seconds)
16:41alkisg is now known as work_alkisg
17:07vmlintu has joined IRC (vmlintu!~vmlintu@a91-152-200-70.elisa-laajakaista.fi)
17:36AlexPortable has joined IRC (AlexPortable!uid7568@gateway/web/irccloud.com/x-rtlwrfpqeaydgpdg)
17:49telex has left IRC (telex!teletype@freeshell.de, Remote host closed the connection)
17:50telex has joined IRC (telex!teletype@freeshell.de)
19:09vagrantc has joined IRC (vagrantc!~vagrant@unaffiliated/vagrantc)
19:21Phantomas1 has joined IRC (Phantomas1!~Phantomas@ubuntu/member/phantomas)
20:07ricotz has left IRC (ricotz!~rico@ubuntu/member/ricotz, Quit: Ex-Chat)
20:14vagrantc has left IRC (vagrantc!~vagrant@unaffiliated/vagrantc, Ping timeout: 256 seconds)
20:24AlexPortable has left IRC (AlexPortable!uid7568@gateway/web/irccloud.com/x-rtlwrfpqeaydgpdg, Quit: Connection closed for inactivity)
20:31QwerT has joined IRC (QwerT!5337d451@gateway/web/freenode/ip.83.55.212.81)
20:31
<QwerT>
sdfgh
20:33
hiii, when i am inside the initramfs, who can i enter in the desktop?
21:02
<maldridge>
QwerT: can you be more specific? the initramfs has no desktop in it, you'd need some external volume mounted
21:03QwerT has left IRC (QwerT!5337d451@gateway/web/freenode/ip.83.55.212.81, Ping timeout: 246 seconds)
21:15jammcq has left IRC (jammcq!~jam@c-107-4-115-38.hsd1.mi.comcast.net, Quit: WeeChat 0.4.2)
22:00AlexPortable has joined IRC (AlexPortable!uid7568@gateway/web/irccloud.com/x-xyjppcfsssdvewqa)
22:31cyberorg has left IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg, Ping timeout: 252 seconds)
22:32cyberorg has joined IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg)
23:53staffencasa_ has joined IRC (staffencasa_!~staffenca@8-220.ptpg.oregonstate.edu)
23:56staffencasa has left IRC (staffencasa!~staffenca@8-220.ptpg.oregonstate.edu, Ping timeout: 250 seconds)