antiX-23.2-full-runit isos for testing


  • This topic has 254 replies, 26 voices, and was last updated Jul 21-2:37 pm by Robin.
Viewing 15 posts - 61 through 75 (of 255 total)
  • #146828
    Member
    Xunzi_23

      Testing live on an EEPC Seashell edition 1215B Amd E450 Radeon Graphics 825/1650 MHz
      Wireless AR928X.

      Just hovering over 200Mb memory usage after login.

      Up to now no new issues to mention.

      • This reply was modified 3 weeks, 6 days ago by Xunzi_23.
      #146844
      Member
      Robin

        – Please find out from which boot/startup file and runlevel this must be called to make sure it takes effect on all network interfaces of a PC.

        Possibly /etc/sv/connman/run is the proper place to call the antiX-IPv6-privacy script from? E.g. by adding the call as a last line after connman was started so all the separate connman folders for the network interfaces of a machine with all their separate connman settings files are present, ready to be edited by the antiX-IPv6-privacy script?

        #!/usr/bin/env /lib/runit/invoke-run
        set -e
        NAME="connman"
        DAEMON=/usr/sbin/connmand
        # Exit service if DAEMON is not installed
        if [ ! -x $DAEMON ]; then
        	exit 161
        fi
        # Start dbus first
        sv start dbus  &&  sv check dbus  ||  exit 170
        # Load defaults
        [ -f /etc/default/connman ] && . /etc/default/connman
        exec 2>&1
        exec $DAEMON -n ${OPTS}
        exec antiX-IPv6-privacy

        Somebody experienced in antiX startup procedure might confirm?

        Windows is like a submarine. Open a window and serious problems will start.

        #146854
        Member
        abc-nix

          Somebody experienced in antiX startup procedure might confirm?

          If a user decides to use ceni instead of connman, these changes will not work. Does ipv6 privacy work when running with ceni with the correct changes on /etc/sysctl.conf proposed in the Web security thread?

          For changing the connman behavior, if only the runit service is changed it will not work on sysvinit.

          The change proposed on runit cannot work (the changes should run before the connman daemon starts). Also, it would need a flag check first in case the user wants to opt-out of this behavior. We could add a variable to /etc/default/connman, something like:
          IPV6_PRIVACY="yes"
          or “true” or “1”.

          And then edit the run script in this way:
          # Load defaults

          [ -f /etc/default/connman ] && . /etc/default/connman
          if [ -x /usr/local/bin/antiX-IPv6-privacy ]; then
          	[ "$IPV6_PRIVACY" = "yes" ] && /usr/local/bin/antiX-IPv6-privacy
          fi
          exec 2>&1
          exec $DAEMON -n ${OPTS}

          Changing the value to “yes” and restarting the connman service would set IPv6.privacy=preferred for all interfaces.

          Changing the value to “no” or anything else would disable this automatic behavior and the user can reconfigure their connman connections however they want.

          #146858
          Member
          Robin

            Many thanks for looking into this, @abc-nix !

            the changes should run before the connman daemon starts

            The problem is: Before connman daemon starts, there will be no files matching the /var/lib/connman/*/settings pattern. If I’m not mistaken, these are only created once connman daemon was started. This is why the script itself makes sure to restart the connman service once the privacy setup for IPv6 was written to all the settings files connman creates. This is why it should work properly in the very position where I had placed it in the runit service file (If not timing issues cause trouble, e.g. settings files not ready when the script tries to access them already, or the connman service not completed its startup sequence when the script tries to restart it again)

            if only the runit service is changed it will not work on sysvinit.

            This is obviously true, but unfortunately I have no clue where to place the pendant properly in sysvinit. Hopefully you know or somebody else knows where to put this call in the sysvinit universe.

            An additional opt-out flag is a good idea, so this safe setup can easily be deactivated, while it should default to IPv6 privacy enabled, at least when running antiX in Live mode. It could even be present as a bootcode, so user can enter ipv6privacy=no (or select it from F4 menu) if he doesn’t want the feature enabled?

            Does ipv6 privacy work when running with ceni with the correct changes on /etc/sysctl.conf proposed in the Web security thread?

            We’ll have to wait for reports from people using ceni. From what I have read about it, this setting in sysctl.conf should be respected by ceni and NetworkManager both, but not by ConnMan. This is why we need this extra script here for ConnMan.

            Windows is like a submarine. Open a window and serious problems will start.

            #146860
            Member
            PPC

              @Robin, @abc-nix and @anticapitalista – on IPv6:
              1 – I think my initial suggestion to not try to automate this, but offer an option to disable/enable IPv6 (à la Pipewire toggler) may be the simplest way to go
              2 – But why not get in touch with PCLinuxOS devs and ask how they manage to pre-configure Connman?

              P.

              #146861
              Member
              abc-nix

                This is why it should work properly in the very position where I had placed it in the runit service file

                I don’t think so.
                exec $DAEMON
                will replace the current process with the $DAEMON process (in this case, connmand), and nothing “below it” (in the script) will run. Once the connmand process ends, it will not return to the main run script (so it will not execute anything under this exec entry).

                If you restart the connman service after connecting to an Access Point (or connman exits for some reason and runit restarts the service automatically), the run script for connman will run again (if using my proposal). This is the ideal way to make your script work, as you say that you need connman to first detect all available access points (or “services” as it likes to call them).

                There is no escaping this if you want this script to work. The alternative is studying the connman source-code and figure out what default value needs to be changed to achieve the same automatically. But then there would be no opt-out option.
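An added example of the pre-start step discussed in the posts above (not Robin's antiX-IPv6-privacy script, which the thread does not show, and not antiX code): it honours the IPV6_PRIVACY opt-out flag and rewrites every /var/lib/connman/*/settings file that already exists before the run script reaches `exec $DAEMON`. The function names and the sample service directories are hypothetical; it assumes each per-service settings file holds a single group and takes the value `preferred` from this thread.

```shell
#!/bin/sh
# Added example, not Robin's antiX-IPv6-privacy script and not antiX code.
# Assumptions: function names are hypothetical; each per-service settings
# file holds a single [group]; "preferred" is the value quoted in the thread.

# Rewrite one settings file so it carries exactly one IPv6.privacy line.
set_privacy_in_file() {
    file=$1 value=$2
    tmp=$(mktemp "$file.XXXXXX") || return 1   # 0600, same directory as target
    awk -v val="$value" '
        /^IPv6\.privacy=/ { if (!done) print "IPv6.privacy=" val; done = 1; next }
        { print }
        END { if (!done) print "IPv6.privacy=" val }
    ' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# Apply the setting to every known service and print how many files changed.
# Meant to run before "exec $DAEMON", so it only sees files left behind by
# earlier connman runs; on a first boot the glob matches nothing.
apply_ipv6_privacy() {
    state_dir=${1:-/var/lib/connman}
    changed=0
    if [ "${IPV6_PRIVACY:-}" = "yes" ]; then   # flag from /etc/default/connman
        for f in "$state_dir"/*/settings; do
            [ -f "$f" ] || continue            # an unmatched glob stays literal
            grep -qxF 'IPv6.privacy=preferred' "$f" && continue
            set_privacy_in_file "$f" preferred && changed=$((changed + 1))
        done
    fi
    echo "$changed"
}

# Constructed sample state directory (not real connman data).
make_sample_state() {
    d=$(mktemp -d) || return 1
    mkdir "$d/ethernet_aabbccddeeff_cable" "$d/wifi_aabbccddeeff_managed_psk"
    printf '[ethernet_aabbccddeeff_cable]\nIPv6.method=auto\nIPv6.privacy=disabled\n' \
        > "$d/ethernet_aabbccddeeff_cable/settings"
    printf '[wifi_aabbccddeeff_managed_psk]\nIPv6.method=auto\n' \
        > "$d/wifi_aabbccddeeff_managed_psk/settings"
    echo "$d"
}

# Demo on the constructed data: one line replaced, one line appended,
# and a second pass that finds nothing left to change.
demo_dir=$(make_sample_state)
echo "first pass changed:  $(IPV6_PRIVACY=yes; apply_ipv6_privacy "$demo_dir")"
echo "second pass changed: $(IPV6_PRIVACY=yes; apply_ipv6_privacy "$demo_dir")"
rm -rf "$demo_dir"
```

A service that connman sees for the first time after this step has run keeps whatever connman writes for it until the run script executes again, which is the restart case described in the post above.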

                #146862
                Member
                abc-nix

                  2 – But why not get in touch with PCLinuxOS devs and ask how they manage to pre-configure Connman?

                  I understood from anticapitalista that PCLinuxOS also doesn’t have the ipv6 privacy option enabled by default.

                  I just tested PCLinuxOS Debian edition live and noticed it also uses ConnMan with IPv6.Privacy set to disabled!

                  EDIT:

                  1 – I think my initial suggestion to not try to automate this, but offer an option to disable/enable IPv6 (à la Pipewire toggler) may be the simplest way to go

                  This would be great, but it would be an opt-in instead of an opt-out.

                  Maybe there is a way to get this to work if instead we used the /etc/rc.local (present and loaded for both runit and sysvinit) to call Robin’s script and make the corresponding change to connman and restart it there. /etc/rc.local should be the last process to run, though a delay could be added so that the specific change happens there with enough delay to ensure that connman already started. And PPC’s script could disable/remove those lines when turned off.

                  • This reply was modified 3 weeks, 6 days ago by abc-nix.
                  • This reply was modified 3 weeks, 6 days ago by abc-nix. Reason: Make it clearer
                  #146872
                  Member
                  Robin

                    not try to automate this, … offer an option to disable/enable IPv6

                    This is not about enabling/disabling IPv6 completely, which can be done from within ConnMan Tray Config popup if desired. For a broad spectrum of connectivity it is fine antiX comes with IPv6 enabled. The problem with connman is simply it disrespects privacy, and has no easy built in means to help that other than configuring each and every networking device manually. We can’t expect antiX first time users to know how to do this. There must be a safe default, which can be opted out by more experienced people, instead of propagating a unique machine ID across the internet unexpectedly. As said, even Microsoft knows better and defaults to IPv6 privacy enabled. Since Connman doesn’t respect a system wide privacy policy being applied to all the interfaces it manages, there is no way around automating the fix.

                    The alternative is studying the connman source-code and figure out what default value needs to be changed to achieve the same

                    I did so.
                    $ git clone https://git.kernel.org/pub/scm/network/connman/connman.git
                    But I was unable to locate the proper place in the sources. I simply don’t understand this complex level of C code scattered across literally hundreds of files in a dozen of folders. As said, I’m not a programmer…

                    will replace the current process with the $DAEMON process (in this case, connmand), and nothing “below it” (in the script) will run.

                    I see. Wasn’t aware that the service script wouldn’t proceed processing after connman is started.

                    If you restart the connman service after connecting to an Access Point (or connman exits for some reason and runit restarts the service automatically), the run script for connman will run again (if using my proposal). This is the ideal way to make your script work, as you say that you need connman to first detect all available access points (or “services” as it likes to call them).

                    I have to admit, I have no idea how this might work, nor do I understand how the script could run successfully before connman was started (which made me think it must be called only after the connman daemon was called by the runit service script.) I don’t get how or why connman service could be caused to be restarted once it was successfully executed by the service script while antiX is starting up?

                    I’m confident you know way better than me how to implement this properly into antiX startup sequence.

                    Windows is like a submarine. Open a window and serious problems will start.

                    #146877
                    Member
                    PPC

                      offer an option to disable/enable IPv6 (à la Pipewire toggler)

                      Sorry if I did not express myself correctly- I meant “disable/enable the IPv6 privacy setting”

                      If we can’t easily change the default, out of the box, it should be a nice and simple way to allow non geek users to change that setting.

                      P.

                      #146878
                      Member
                      Xunzi_23

                        Hi all, disabling IPV6 is a no go option, a lot of sites now depend on it.

                        My vote would be
                        studying the connman source-code and figure out what default
                        value needs to be changed to achieve the same automatically.
                        But then there would be no opt-out option.

                        Sadly I was lost in an alien language world when I tried
                        IPV6 Security should always be active, even US Govt agencies recommend that :-).

                        #146880
                        Member
                        Robin

                          Maybe there is a way to get this to work if instead we used the /etc/rc.local (present and loaded for both runit and sysvinit) to call Robin’s script and make the corresponding change to connman and restart it there. /etc/rc.local should be the last process to run, though a delay could be added so that the specific change happens there with enough delay to ensure that connman already started. And PPC’s script could disable/remove those lines when turned off.

                          Is this /etc/rc.local file run before or after /etc/sv/connman/run was executed? Since you state it will be observed by runit and sysvinit both, it looks like a fine solution.

                          And PPC’s script could disable/remove those lines when turned off.

                          No objections against an additional switch in antiX control centre network section. But as said, the default when booting antiX Live for the first time must be safe (which means privacy enabled), not unsafe like it is currently.

                          Windows is like a submarine. Open a window and serious problems will start.

                          #146881
                          Member
                          Robin

                            Sadly I was lost in an alien language world when I tried

                            :) that describes best ever what I also felt when looking into the ConnMan source code :)

                            …which caused me to write the workaround script for use in antiX startup sequence.

                            Windows is like a submarine. Open a window and serious problems will start.

                            #146883
                            Moderator
                            Brian Masinick

                              @abc-nix wrote: “/etc/rc.local should be the last process to run, …”

                              If unsure whether Connman has been started—
                              a check:

                              ps ax | grep conn
                                 5568 ?        Ss     0:00 runsv connman
                                 5569 ?        S      0:00 /usr/sbin/connmand -n --nodnsproxy
                                21058 pts/0    S+     0:00 grep conn

                              can be run. If all you see is grep conn, then Connman is NOT started, but if both the runsv connman and
                              /usr/sbin/connmand -n --nodnsproxy show as running processes, that is enough to know they are running.

                              Of course, runsv is for runit systems; the appropriate commands apply; the presence of /usr/sbin/connmand
                              indicates that the Connman daemon is running. While network connections may take a bit longer after
                              the daemon starts, the presence of the daemon is probably sufficient.

                              --
                              Brian Masinick

                              #146908
                              Member
                              abc-nix

                                (This is just an information notice)

                                I am moving back to the web security thread to continue discussing the ipv6 privacy issue instead of polluting this thread.

                                #147092
                                Member
                                Robin

                                  While working on the .desktop files update at transifex, I ran again accidentally into the trashbin issue, which is unfixed in antiX 23.2 testing still.

                                  See screenshot.

                                  I guess the file restore from trash would work properly if the underlying script zzzFM executes would just look in the right place for the trashinfo file, not hard coded to users home folder, but relatively to the actual trashed file position.

                                  Robin@birke:/media/sda4/.Trash-1001/files
                                  $ ls -l antix-wifi-switch.desktop_1
                                  -rw-r--r-- 1 Robin Robin 19939 27. Jun 19:57 antix-wifi-switch.desktop_1
                                  Robin@birke:/media/sda4/.Trash-1001/files
                                  $ ls -l ../info/antix-wifi-switch.desktop_1.trashinfo
                                  -rw------- 1 Robin Robin 200 27. Jun 19:57 ../info/antix-wifi-switch.desktop_1.trashinfo
                                  

                                  New users might think their file was lost actually, while it could be easily restored still. If somebody has time, please fix this. Shouldn’t be that difficult to fix.

                                  Btw, for all people claiming you don’t need a trashbin: This deletion happened completely unexpectedly; for some reason the wrong window was active (probably a mouse click wasn’t caught), and the del key meant for deleting a blank line in a file opened in text editor was caught by the zzzFM window allegedly being in the background… The file was gone the very moment. Glad there IS a trashbin, even when I actually need it very very rarely.

                                  Windows is like a submarine. Open a window and serious problems will start.
