Re: [HEADS-UP] The systemd unit files I'll post

On Thu, Jul 15, 2010 at 10:37, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
> On Thu, 15.07.10 11:52, Simo Sorce (ssorce@xxxxxxxxxx) wrote:
>

>
>> We have a bug open with CUPS trying to generate SSL certs on the first
>> connections, being too slow and causing the client to timeout.
>> So no, you can't make assumptions here.
>
> Well, Apple as CUPS upstream manages to pull this off, and so should we.
>
> Maybe another option is to create those certs and keys at install time
> instead of first boot/use. Should we one day go for a read-only root dir,
> doing key generation on first boot/use won't fly anyway.
>
> I am aware that doing things during package installation instead of
> first-boot is problematic for system images that are distributed and
> booted from multiple machines. Maybe for those cases (where r/o root
> isn't doable) we should provide some easy infrastructure to generate all
> keys on boot, controlled by some central switch.

I think this was looked at way in the past. The issue was that there
wasn't enough entropy to build all of them during install or first
boot. This caused things to lock up as it was using /dev/random, as
/dev/urandom was not considered good enough for this.


>> So you are just re-invented sysconfig ?
>> sysconfig was added exactly so that admins could change configurations
>> without touching init scripts so that rpm updates would be able to
>> deploy new init scripts without blowing away customizations.
>>
>> Why re-inventing the wheel here ?
>
> It's not "reinventing". It's just simpler.
>
> I mean, my reading of this is that historically init scripts were
> considered configuration, that's why they are in /etc. Then people
> noticed that they are actually more code than configuration and hence
> created sysconfig, to separate both things. But since native systemd
> unit files removed all the "code" part from the startup files it should
> be fine to edit them directly and consider that configuration.

Actually, historically /etc was only purely configuration in theory.
Most early UNIXes actually had binaries and whatnot in /etc
because they found it worked for small-disk bootups (no /sbin, just
stuff in /etc). IIRC the Convex I worked on had an overlay system where
/etc was actually mounted on top of a minimal /etc to get the system
booted. Some early Linuxes kept up this standard and you would find
ping in /etc. After binaries were made verboten, the scripts inside
of /etc were very deep to deal with all the corner cases that showed
up in real world situations. This was OK until packaging systems
started coming into play. Then you end up with
/etc/rc.d/init.d/frizzleblatch being changed to meet site requirements
and then either getting moved out of the way when the new RPM/Deb is
installed or some important fix not getting applied because the old
frizzleblatch stayed there.

And while sysconfig had been there before this really became an
outcry, it is where every sysadmin of the last 10 years is going to
look first for important files. And sysadmins being old and cranky
by nature and choice, there will probably be inordinate blowback on
not using it or saying its time has come. [This is meant as
forewarning for Act II of this play.]

> But anyway, I have no strong opinions on this. As mentioned we have a bit
> of support for sysconfig. All I am asking for is that people think twice
> before making everything configurable, because often enough it is
> smarter to make things non-configurable. For example, there is no
> reason to configure the uid/gid of the ntpd daemon. Hence there doesn't
> have to be an option in sysconfig for it.

Hehehe, I actually have had to do that. Many large sites have ancient
UIDs/GIDs that sit outside of the rules Linux set up 20 years ago.
NTPD ended up being one of those that was used by an old cost account
that would have required too much mainframe fixing to change. While it
may sound like a one-off, it was about 2000 systems that needed to be
changed. And from what I remember I wasn't the only one dealing with
that problem (another one was that ntpd had a system LDAP account set
up and every box needed to match that, all 40,000 hosts).

> Lennart
>
> --
> Lennart Poettering - Red Hat, Inc.
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
>



-- 
Stephen J Smoogen.
“The core skill of innovators is error recovery, not failure avoidance.”
Randy Nelson, President of Pixar University.
"We have a strategic plan. It's called doing things."
— Herb Kelleher, founder Southwest Airlines
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
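The entropy problem raised in the message above (key generation at install or first boot locking up because the generator read /dev/random), as an added example that is not part of the original thread, of systemd, CUPS or any other project discussed: a small Python probe that checks whether the kernel CSPRNG is seeded without blocking, turns the old blocking /dev/random read into an observable EAGAIN instead of a hang, and only then produces key material. The "key" is plain CSPRNG bytes standing in for the RSA key/certificate step a service like CUPS would run; that step is assumed to be out of scope. It assumes Linux and Python 3.6 or newer (os.getrandom); every function name below is mine.

```python
"""Added example (not from the thread): decide at first boot whether key
generation can proceed without blocking on the kernel entropy pool.

Assumptions: Linux, Python 3.6+ (os.getrandom). The "key" produced here is
raw CSPRNG bytes standing in for the RSA key/certificate a service would
generate; the real generation step is out of scope.
"""
import os
import time

# Kernel's entropy estimate, in bits (Linux-specific path).
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def entropy_avail(path=ENTROPY_AVAIL):
    """Return the kernel's entropy estimate in bits, or None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def rng_ready(nbytes=32):
    """Non-blocking readiness probe for the kernel CSPRNG.

    getrandom(2) with GRND_NONBLOCK fails with EAGAIN (BlockingIOError in
    Python) while the pool is still uninitialized, which is exactly the
    state an early-boot key generator runs into. Returns True, False, or
    None when getrandom() is unavailable (non-Linux or a kernel < 3.17).
    """
    if not hasattr(os, "getrandom"):
        return None
    try:
        os.getrandom(nbytes, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:
        return False


def read_dev_random_nonblocking(nbytes=32, dev="/dev/random"):
    """The 2010-era failure mode, made observable instead of hanging.

    Before Linux 5.6, /dev/random blocked whenever the entropy estimate fell
    below the request; opening it O_NONBLOCK turns that block into EAGAIN so
    the caller can back off. Returns the bytes that were available (possibly
    fewer than nbytes on old kernels), or None if the read would have blocked
    or the device is missing.
    """
    try:
        fd = os.open(dev, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        return os.read(fd, nbytes)
    except BlockingIOError:
        return None
    finally:
        os.close(fd)


def generate_key_material(nbytes=32, timeout=5.0, poll=0.25):
    """Generate key material only once the CSPRNG is seeded, otherwise defer.

    Polls rng_ready() for up to `timeout` seconds so a boot-time unit can fail
    fast (and be retried by the service manager) instead of hanging the
    client that triggered it. Returns nbytes of key material, or None to
    signal "defer to a later attempt".
    """
    deadline = time.monotonic() + timeout
    while True:
        ready = rng_ready(nbytes)
        if ready is None:
            # No getrandom(): os.urandom never blocks, so use it directly.
            return os.urandom(nbytes)
        if ready:
            return os.getrandom(nbytes)
        if time.monotonic() >= deadline:
            return None
        time.sleep(poll)


def first_boot_keygen(nbytes=32, timeout=5.0):
    """Report what a first-boot key generator would observe and decide."""
    key = generate_key_material(nbytes, timeout)
    return {
        "entropy_bits": entropy_avail(),
        "rng_ready": rng_ready(),
        "key_len": len(key) if key is not None else 0,
        "deferred": key is None,
    }


if __name__ == "__main__":
    print(first_boot_keygen())
```

Two caveats when reading the result. Since Linux 5.6, /dev/random only blocks until the pool has been seeded once, so the historic lockup now shows up mainly in early boot on VMs or freshly cloned images that have no saved seed; on an older kernel the nonblocking /dev/random read above is where you would see the EAGAIN. And deferring generation to first boot (rather than install time) is the only one of the two options in the message that avoids every machine booted from a shared image ending up with the same private key.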


