@Nubuki said:
In case it wasn't really clear, I just wasn't clear if open source here meant running only Linux KVMs, running open source code, and what not.
Can you maybe elaborate what counts as open source and what doesn't?
Maybe something more or less like:
If the executable is present on the server, we all should be able to see the source code. We also ought to be able to see, modify and share any compiler or intermediate tool that was used to create the executable, as well as any low-level executable (assembly or machine language) that's present on the server. If we can't see, modify, and share the source, the code isn't "Open Source."
Um, approximately.
@somik said:
@Not_Oles, forgot to mention, but please ensure that Apache is not running as "root". It should be running as user "www-data" and group "www-data"; otherwise certain scripts can be used to get shell access to the server as the root user.
Do not enable cgi-bin or Perl scripts for Apache for the same reason.
What's running now is the default which came out of apt-get install apache2. Root didn't start apache2, apt seems to start stuff. Does the following look right?
@RtedPro said:
Hello @Not_Oles
Could you add my ssh key again? ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdxnYG6YQ7yl/JpMl1v2+NS9fnaf+NiWWyWLsC7PUcg
Want to provide identity information?
Can I also ask you about the VMs (if they are allowed or not?), simply what's not allowed, real quick if you can.
I don't want to have a bunch of rules about what is and isn't allowed. Right now I'm thinking about asking guys to run only open source software and not automatically adding new Neighbors to the kvm group.
Have a good day! Thanks for your continuing interest!
@Not_Oles said:
Neighbors from certain countries may have to overcome increased challenges to providing identity verification. These neighbors need additional support. But, how?
I like the post card idea! Think of it as writing to a pen pal.
I am sure you'll be delighted to receive post cards from different places as well.
Unless you will get into trouble for writing to a pen pal outside of the country... Which I don't think is the case for most people wishing to use MetalVPS.
The all seeing eye sees everything...
@Not_Oles said:
Hmm. The following might not seem right. Any user can run the apache2 command?
Yes, any user can run any service on any port >=1024. To bind to a low-numbered port, such as 80 (HTTP) or 443 (HTTPS), requires root privileges. A non-root user will override the default configuration file path; otherwise it'll default to the one in /etc, which will fail because they can't bind to the port.
nice is old enough that I know about it. I think I might know what you mean by cpulimit too. I might understand a little about child process inheritance.
I see, great then.
Would it be too crazy to imagine that you might want to share a bit about what exactly it is you have been doing on the server and about how you have been doing it? Thanks!
Best wishes!
Tom
Well, I have been encoding videos 😑
Basically it's more of archiving though.
A Telegram bot is deployed; I forward a video to the bot on TG, the bot compresses it and uploads the compressed file to my drive or returns the file on Telegram.
Can one do this with Open Source software exclusively?
@Not_Oles said:
Hmm. The following might not seem right. Any user can run the apache2 command?
Yes, any user can run any service on any port >=1024. To bind to a low-numbered port, such as 80 (HTTP) or 443 (HTTPS) requires root privileges. A non-root user will override the default configuration file path, otherwise it'll default to the one in /etc which will fail because they can't bind to the port.
How does a "non-root user . . . override the default configuration file path?" Is it by making an alternate configuration and pointing Apache to the alternate configuration, or perhaps by specifying the configuration through command line options? Hmm. I probably should Google this before posting. Bad boy!
No issue that process 6892 is running as root? Why?
@RtedPro said:
Hello @Not_Oles
What identity information?
Hi @RtedPro! The proposed identity information types are specified explicitly in the public draft of the upcoming new MetalVPS ad. If you have time, could you please take a look and tell me how the draft could be improved? Best! Tom
@Not_Oles said:
How does a "non-root user . . . override the default configuration file path?" Is it by making an alternate configuration and pointing Apache to the alternate configuration,
Yes, -f config_file defaults to /etc/apache2/apache2.conf
or perhaps by specifying the configuration through command line options?
There are far too many for that! The config file includes a whole load of other files too.
No issue that process 6892 is running as root? Why?
I'm guessing that's for when it needs to re-read the config files and possibly needs to bind to a new port.
I believe the startup is somewhat complicated - worker processes are created that setuid(www-data) to protect against vulnerabilities. Then the config file is read and the worker processes communicate with the original root process to say what ports need to be listened on. The root process creates these as it has permission, and these are then shared with the worker processes to accept() and process the incoming requests.
Yup, everything is run using Python and the repository is public; the dependencies like ffmpeg (which is actually used in encoding) are open source too.
Excellent! If you have time, can you post an example or a link? Thanks!
Okay, here!
Thanks! I took a quick look at the README.md. Sometime, when you have a chance, could you please link to an example video? Sorry, I've never used Telegram, and so I have no idea what kinds of videos would be forwarded to Telegram. And you say that the Telegram bot compresses the video file. Does "forwarded" plus "bot compression" mean something akin to posting the video? Thanks!
@Not_Oles said:
New Terms of Service for MetalVPS Neighbors might include:
Run open source software only?
I'm OK with this actually.
No transfer of account or sub-accounts?
Surely this is a must.
kvm group membership deferred?
I don't think this is actually a good idea; this may make people lose interest in MetalVPS. Maybe just limit them to not more than 8GB RAM and 4 CPU cores. Or maybe limit it to people who have verified their identity by using any method.
sudo group membership deferred?
I'm OK with no sudo access, at least I still need to use KVM
New Benefits for MetalVPS Neighbors might include:
Shared hosting, maybe /home/neighbor/www/ is served?
This looks like a great idea!
Thanks for your helpful comment!
The config file /etc/apache2/apache2.conf should contain the default user and group:
User www-data
Group www-data
If it is something different, change and restart apache2
Thanks so much @somik! Your help is greatly appreciated! However,
root@fsn ~ # cat /etc/apache2/apache2.conf
[ . . . ]
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
[ . . . ]
root@fsn ~ # cat /etc/apache2/envvars
[ . . . ]
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
[ . . . ]
root@fsn ~ #
Nevertheless, it's interesting to read the comments in /etc/apache2/apache2.conf ("Apache 2 web server configuration in Debian is quite different to upstream's. . . .") and /etc/apache2/envvars (". . . there is no sane way to get the parsed apache2 config in scripts. . . .")
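Added example (not code from the thread or from any of the posters): a small POSIX shell audit for the two points raised above. It encodes yqua's model of one root master that owns the privileged listening sockets with www-data workers underneath it, and it reads the User and Group that Debian resolves through /etc/apache2/envvars by parsing the output of apache2ctl -t -D DUMP_RUN_CFG, which sources envvars before printing the resolved User: and Group: lines, so it is the scriptable answer to the "no sane way to get the parsed apache2 config in scripts" comment. The 1024 boundary is the default of the Linux sysctl net.ipv4.ip_unprivileged_port_start, and a process holding CAP_NET_BIND_SERVICE can bind below it without being root, so the port helper takes the threshold as a parameter instead of hard-coding it. The process list and config dump inside the script are constructed samples; pid 6892 is borrowed from the thread only as a placeholder.

```sh
#!/bin/sh
# apache_audit.sh -- added example, not code from the thread.
# Two checks for a Debian apache2 install:
#   1. exactly one apache2 process runs as root (the master that owns the
#      privileged listening sockets); every other apache2 process must run
#      as www-data;
#   2. the User/Group that Debian resolves through /etc/apache2/envvars,
#      taken from `apache2ctl -t -D DUMP_RUN_CFG`, which sources envvars and
#      prints the resolved values.

# Is port $1 privileged? The threshold defaults to 1024, but on Linux it is
# really net.ipv4.ip_unprivileged_port_start, so it is taken as $2 so the
# caller can pass the live sysctl value.
privileged_port() {
    port=$1
    start=${2:-1024}
    [ "$port" -lt "$start" ]
}

# stdin: "PID PPID USER COMM" lines (the shape of `ps -e -o pid=,ppid=,user=,comm=`).
# stdout: "ok" or "FAIL <n>"; details of each problem go to stderr.
# A root apache2 process whose parent is also apache2 is a worker that never
# dropped privileges; a root process whose parent is not apache2 is the master.
audit_apache_procs() {
    awk '
    $4 == "apache2" { seen[$1] = 1; user[$1] = $3; ppid[$1] = $2 }
    END {
        masters = 0; bad = 0
        for (p in seen) {
            if (user[p] == "root") {
                if (ppid[p] in seen) {
                    bad++
                    printf "root worker pid %s (parent %s)\n", p, ppid[p] > "/dev/stderr"
                } else {
                    masters++
                }
            } else if (user[p] != "www-data") {
                bad++
                printf "pid %s runs as %s, expected www-data\n", p, user[p] > "/dev/stderr"
            }
        }
        if (masters != 1) {
            bad++
            printf "expected exactly 1 root master, found %d\n", masters > "/dev/stderr"
        }
        if (bad == 0) print "ok"; else printf "FAIL %d\n", bad
        exit (bad > 0)
    }'
}

# stdin: output of `apache2ctl -t -D DUMP_RUN_CFG`; stdout: "<user> <group>".
# The lines look like:  User: name="www-data" id=33
apache_run_identity() {
    awk -F'"' '/^User:/ { u = $2 } /^Group:/ { g = $2 }
               END { if (u != "" && g != "") print u, g }'
}

# Constructed sample data (not taken from the server): one root master using
# the thread's pid 6892 as a placeholder, plus three www-data workers.
SAMPLE_PS='6892 1 root apache2
6893 6892 www-data apache2
6894 6892 www-data apache2
6895 6892 www-data apache2'
SAMPLE_CFG='ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
User: name="www-data" id=33
Group: name="www-data" id=33'

# Live run on the host: ./apache_audit.sh --live
audit_live() {
    start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)
    echo "privileged ports: below $start"
    ps -e -o pid=,ppid=,user=,comm= | audit_apache_procs
    apache2ctl -t -D DUMP_RUN_CFG 2>/dev/null | apache_run_identity
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    printf '%s\n' "$SAMPLE_PS" | audit_apache_procs      # ok
    printf '%s\n' "$SAMPLE_CFG" | apache_run_identity    # www-data www-data
fi
```

Run it with --live on the host to audit the real process table; a root apache2 whose parent is another apache2 process is a worker that never dropped privileges, which is exactly the situation somik warned about, while a single root process with a non-apache2 parent is the expected master.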
Ya, I was worried about that... Maybe someone here with more knowledge about apache2 on Debian can help...
Hi, I want to create a NAT kvm with IPv6; then I want to establish an ip6tnl between two different IPv6 KVMs. Can I join this party?
Here is my pub key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXNzoL4Y7b+LDxR9tdR5jGzc7Vce0a15U3mdM/dnP77
@Not_Oles said:
What is the program you want to run inside Qemu-KVM?
How could you run your program directly on the metal so that Qemu-KVM would not be needed?
For now I'm not sure yet. Probably something that runs inside Linux and is interesting for me.
To run the program directly sometimes I may need sudo because of dependency issues.
Seems reasonable. . . .
The i9-13900 isn't really ready yet, but I will make an account for you. kvm group and sudo group 🔜
The i9-9900K is turned off, which seems a shame. Could you please let me know which one of the following distros you would like?
AlmaLinux 8.7 base
Arch Linux latest minimal
CentOS 7.9 minimal
CentOS Stream 8 base
Debian 10 base
Debian 10 LAMP
Debian 11 base
Rocky Linux 8.7 base
Ubuntu 18.04.5 LTS minimal
Ubuntu 18.04.5 LTS Nextcloud
Ubuntu 20.04.3 (HWE) LTS minimal
Ubuntu 20.04.3 LTS base
Ubuntu 22.04.1 LTS base
Thanks! Best wishes and welcome, again, to MetalVPS.
FYI, you can still run the program in LXC containers inside MetalVPS without KVM or sudo access. That brings me to the question: is KVM group membership required for LXC, or should there be a separate LXC group membership?
Hi @dwight!
Thanks for your message. kvm is "not right away." If that's okay, how do you want to verify your identity? Send
Name
Address
Email
Phone number
Scan of government ID
to the email address on my LES profile? Send by LES PM? Another way?
Best wishes!
Tom
Create me an account using the previous SSH key btw
I think usually, but not always. For example, an unprivileged LXC user can't mount file systems.
kvm group membership is not required for LXC. The user needs to be in /etc/subuid, /etc/subgid, and /etc/lxc/lxc-usernet. Please see https://linuxcontainers.org/lxc/getting-started/ .
Maybe what @itsmepaddi and what @dwight want to do could be done with LXC containers. @itsmepaddi @dwight Have you guys tried LXC yet?
Best wishes!
BTW = by the way
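Added example (not code from the thread or from any of the posters): a POSIX shell check for the three files an unprivileged LXC user needs, which is the list in the LXC getting-started guide (https://linuxcontainers.org/lxc/getting-started/) that somik's LXC question above turns on. /etc/subuid and /etc/subgid give the user a range of subordinate ids for the container's user namespace, and /etc/lxc/lxc-usernet grants a quota of veth devices on a bridge; kvm group membership is not among the prerequisites. The user names, id ranges and bridge name in the samples are constructed, and each parser reads the file contents on stdin so it can be exercised without touching the real files.

```sh
#!/bin/sh
# lxc_user_check.sh -- added example, not code from the thread.
# An unprivileged LXC user needs entries in three files: /etc/subuid and
# /etc/subgid (a subordinate id range for the container's user namespace)
# and /etc/lxc/lxc-usernet (how many veth devices may be attached to which
# bridge). Every parser reads file contents on stdin so the functions can be
# run against the constructed samples below as well as the real files.

# $1 = user; stdin = /etc/subuid or /etc/subgid ("name:start:count" lines).
# Prints "start count" for each matching line; exits 1 if there is none.
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1 }
                       END { exit (found ? 0 : 1) }'
}

# $1 = user; stdin = /etc/lxc/lxc-usernet ("user type bridge count" lines,
# comments start with #). Prints the veth quota; exits 1 if no veth line.
usernet_quota() {
    awk -v u="$1" '$1 !~ /^#/ && $1 == u && $2 == "veth" { print $4; found = 1 }
                   END { exit (found ? 0 : 1) }'
}

# The guide hands out a full 65536-id range; a smaller one leaves ids above
# the range unmappable inside the container. $1 = "start count" as printed
# by subid_range. Prints "full" or "short".
range_size_ok() {
    count=${1#* }
    if [ "$count" -ge 65536 ]; then echo full; else echo short; fi
}

# $1 = user, $2 = subuid text, $3 = subgid text, $4 = lxc-usernet text.
# Prints "ready" or "missing: <files>".
lxc_user_ready() {
    missing=""
    printf '%s\n' "$2" | subid_range "$1" >/dev/null   || missing="$missing subuid"
    printf '%s\n' "$3" | subid_range "$1" >/dev/null   || missing="$missing subgid"
    printf '%s\n' "$4" | usernet_quota "$1" >/dev/null || missing="$missing lxc-usernet"
    if [ -z "$missing" ]; then echo ready; else echo "missing:$missing"; fi
}

# Constructed samples (not the server's real files). "neighbor" has all
# three entries; "guest" has id ranges but no lxc-usernet line.
SAMPLE_SUBUID='root:100000:65536
neighbor:165536:65536
guest:231072:65536'
SAMPLE_SUBGID="$SAMPLE_SUBUID"
SAMPLE_USERNET='# USERNAME TYPE BRIDGE COUNT
neighbor veth lxcbr0 10'

# Live check on the host: ./lxc_user_check.sh --live <user>
if [ "${1:-}" = "--live" ]; then
    u=${2:?user name required}
    lxc_user_ready "$u" "$(cat /etc/subuid)" "$(cat /etc/subgid)" "$(cat /etc/lxc/lxc-usernet)"
else
    lxc_user_ready neighbor "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" "$SAMPLE_USERNET"  # ready
    lxc_user_ready guest    "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" "$SAMPLE_USERNET"  # missing: lxc-usernet
fi
```

With --live and a user name it reads the real files; the "missing:" list is what still has to be added before lxc-start will work for that user, and none of it involves the kvm group.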
Hi @iamvinh123! As a result of the port scan that Hetzner caught, MetalVPS has an identity requirement now. How do you want to verify your identity? You could send
Name
Address
Email
Phone number
Scan of government ID
to the email address on my LES profile? Or send by LES PM? Or maybe you prefer another way?
Thanks! Best!
Tom
Hmmmm, I would prefer another way as I'm 13 yo
yo = years
Since I'm from Vietnam, I don't have any gov ID