On Thu, Jul 15, 2010 at 10:37, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote: > On Thu, 15.07.10 11:52, Simo Sorce (ssorce@xxxxxxxxxx) wrote: > > >> We have a bug open with CUPS trying to generate SSL certs on the first >> connections, being too slow and causing the client to timeout. >> So no, you can't make assumptions here. > > Well, Apple as CUPS upstream manages to pull this off, and so should we. > > Maybe another option is to create those certs and keys at install time > instead of first boot/use. Should we one day go for a read-only root dir > doing key generation on first boot/use won't fly anyway. > > I am aware that doing things during package installation instead of > first-boot is problematic for system images that are distributed and > booted from multiple machines. Maybe for those cases (where r/o root > isn't doable) we should provide some easy infrastructure to generate all > keys on boot, controlled by some central switch. I think this was looked at way in the past.. the issue was that there wasn't enough entropy to build all of them during install or first boot. This caused things to lock up as it was using /dev/random as /dev/urandom was not considered good enough for this. >> So you are just re-invented sysconfig ? >> sysconfig was added exactly so that admins could change configurations >> without touching init scripts so that rpm updates would be able to >> deploy new init scripts without blowing away customizations. >> >> Why re-inventing the wheel here ? > > It's not "reinventing". It's just simpler. > > I mean, my reading of this is that historically init scripts where > considered configuration, that's why they are in /etc. Then people > noticed that they are actually more code than configuration and hence > created sysconfig, to seperate both things. But since native systemd > unit files removed all the "code" part from the startup files it should > be fine to edit them directly and consider that configuration. Actually historically, /etc was only purely configuration in theory. Most early UNIX's actually had binaries and whatnot actually in /etc because they found it worked for small disk bootups. (no /sbin just stuff in /etc). IIRC Convex I worked on had an overlay system where /etc was actually mounted on top of a minimal /etc to get the system booted. Some early Linux's kept up this standard and you would find ping in /etc. After binaries were made verbotten, the scripts inside of /etc were very deep to deal with all the corner cases that showed up in real world situations. This was ok until packaging systems started coming into play. Then you end up with /etc/rc.d/init.d/frizzleblatch being changed to meet site requirements and then either getting moved out of the way when the new RPM/Deb is installed or some important fix not getting applied because the old frizzleblatch stayed there. And while sysconfig had been there before this really became an out-cry.. it was where every sysadmin of the last 10 years is going to look first off for important files. And sysadmins being old and cranky by nature and choice.. there will probably be in-ordinate blowback on not using it or saying its time has come. [This is meant as forewarning for Act II of this play.] > But anway, I have no strong opinions on this. As mentioned we have a bit > of support for sysconfig. All I am asking for is that people think twice > before making everything configurable, because often enough it is > smarter to make things non-configurable. For example, there is no > reason to configure the uid/gid of the ntpd daemon. Hence there doesn't > have to be and option in sysconfig for it. Hehehe I actually have had to do that. Many large sites have ancient UID/GID's that sit outside of the rules Linux set up 20 years ago. NTPD ended up being one of those that was used by an old cost account that would have required too much mainframe fixing to change. While it may sound like a one-off, it was about 2000 systems that needed to be changed. And from what I remember I wasn't the only one dealing with that problem (another one was that ntpd had a system ldap account set up and every box needed to match that.. all 40,000 hosts). > Lennart > > -- > Lennart Poettering - Red Hat, Inc. > -- > devel mailing list > devel@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/devel > -- Stephen J Smoogen. “The core skill of innovators is error recovery, not failure avoidance.” Randy Nelson, President of Pixar University. "We have a strategic plan. It's called doing things."" — Herb Kelleher, founder Southwest Airlines -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
