07:59:42 https://wiki.smartos.org/persistent-configuration-for-the-global-zone/ -- here it says: "/usbkey/ssh/sshd_config is in here so if you want to do things like require MFA or refuse Password login, you change it here and reboot" ... in FreeBSD i use "pam_google_authenticator-1.09,1 PAM module for two-step authentication from Google" to achieve that ... but the module does not seem to be available for smartos (at least the gz) on pkgsrc.
08:00:40 so how does one go about setting up 2FA via TOTP for SSH logins on the GZ?
08:01:34 also, what was the command to reread /usbkey/config ? so that i could re-apply the configuration without a long reboot
08:02:47 also also (lol coffee) what is a modern tool to generate service manifests? back in the day manifold was the thing
08:06:14 also also also, i'm sharing the administration of this gz with 2 other people, it would be nice not to have to share tmux sessions and what not. how much pain am I getting into if I try to create admin accounts and make them persist across reboots?
08:11:42 for 2FA, we ship a duo package, but as yet don't provide a 32-bit version of it for the GZ to work with PAM - you might be able to bodge the regular version though in the meantime
08:12:17 restarting smartdc-config _might_ reread /usbkey/config, but I can't guarantee it, and you get to keep both pieces if it fails (I'd just reboot tbh)
08:12:52 for SMF I just copy/edit one of the many existing ones in pkgsrc, they're generally 99% identical
08:13:15 there are docs on creating users in the gz, but again not recommended, you keep both pieces when it breaks, etc
08:13:39 generally once you have multiple people administrating things you're better off with triton
08:15:35 looks like the google-authenticator package in pkgsrc could do with an update, would also be interesting to know if it actually works!
09:22:39 gonzosysadm[m]: serious question, but why use TOTP and not FIDO keys with split key?
10:24:30 Did anyone notice that from, say, the beginning of this year or so, console output in, say, man and while searching man is very slow, much slower than before.. (on SmartOS global zone, over SSH, but it is the same on VGS console)..
15:01:51 I don't know if mailing-list participant "thomas" is on here, but I apologize for mismerging vioscsi(4D) into SmartOS, and am constructing a deliverable (PI tgz, ISO, or USB) with a fix for it. https://smartos.org/bugview/OS-8418 fix is https://github.com/TritonDataCenter/illumos-joyent/pull/425
19:38:46 So I did some googling, maybe not enough, but is there a packing list of opensource projects/dependencies with licensing for SmartOS/Triton/etc? Like a packing slip for PI's and API's/agent....blah blah
19:39:10 Sort of...
19:39:59 illumos-joyent and smartos-live are CDDL. Things in illumos-extra have licensing included
19:40:11 when I was at CA we had to distribute a list of opensource software that was in our dom0 hosts in order to repackage our proprietary stuff
19:40:35 illumos-kvm is GPL, and IIRC illumos-kvm-cmd is also gpl? But I'm not 100% sure on that one.
19:41:00 At California?
19:41:05 Yeah, I figured, but most of the binaries in /usr/bin,etc are illumos right?
19:41:17 Like to get gnu binaries you go through pkgsrc?
19:41:28 Computer Associates
19:41:30 Stuff from illumos-extra are also in /usr/bin
19:42:02 I guess the general question should have been phrased like, besides KVM, are there GPL licensed binaries in the GZ?
19:42:09 For Triton it's all MPL-2.0, or some of the node modules we produce are MIT. Each repo has its own license.
19:42:37 Cool so no separately licensed binary dependencies in the node projects?
19:42:56 3rd party node modules are used under the 3rd party license, and the licence declaration should be included in the package.json for every node module.
19:43:15 Ah, you see my limited node knowledge now :)
19:44:16 There's also a few other 3rd party things that are part of Triton.
E.g., postgres for manatee, zookeeper (and by proxy Java) for binder
19:44:37 openjdk or sun/oracle?
19:45:12 OpenJDK 8 currently
19:45:33 Good to know, I wouldn't have figured Joyent would repackage oracle java lol
19:46:47 Okay so I should be able in a sense just clone the github repos and generate a list of what's included in the 'pi' under CDDL.
19:46:56 from illumos that is
19:47:28 Outside of bug fixes, drivers, enhancements,etc, the GZ doesn't get new binaries added regularly in my experience, or is that an incorrect assumption?
19:47:46 No, it doesn't get new binaries added very often
19:48:00 Thanks man always a pleasure chatting
19:48:03 New versions of existing things are much more frequent.
19:48:10 not that you asked, but if anyone happened to want something similar for packages that are installed then "pkg_info -Q LICENSE '*' | sort | uniq"
19:48:30 Thank you jperkin, that is an excellent shortcut
19:49:13 I wonder if I can generate a decent list if it could be committed to illumos-joyent as a packing slip in the PI for others to use if needed
19:49:33 It's something that would need to be generated on every build.
19:49:48 hmmm, so a build tool perhaps might be the better route
19:49:52 or a make target even
19:50:29 Yeah.
19:50:51 Surprised this doesn't exist already, I'll go see if something already exists on github
19:50:53 Compiling a static list is nice, but I wouldn't accept that as a pull request, because then it's perpetually on me to always update it every time.
19:51:49 What would you require to get it in? Like entirely automatic? I'm thinking packing slip with licenses and maybe even a hash column
19:51:59 We do already ship a manifest which enumerates every file included on the platform image.
19:52:10 Aha
19:52:15 entirely automatic
19:52:16 That might be all that I need
19:52:22 Where is it located?
19:52:27 usbkey?
19:52:30 It's /usr/share/smartos/manifest
19:52:45 Wow I had no idea
19:53:05 Hopefully IRC is still archived somewhere on the web in case someone is looking for this in the future.
19:53:30 I think the manifest file itself is the only file not included in the manifest.
19:53:43 hard to manifest yourself
19:53:57 Because calculating its hash so that we can include the hash in the manifest is a tricky problem.
19:54:06 chicken+egg lol
19:54:54 jperkin: I may be sending you a pkgsrc commit in the next couple of days. May need to DM with you though it's for a pkg in the joyent repo
19:55:13 you can just send a PR to pkgsrc-joyent
19:55:22 K
19:55:37 I'll get around to renaming it at some point, need to sort out SUPERSEDES support in pkgin first
19:55:38 Now, if you're going to cross reference that manifest with every file present on a running system, you need to know that some files are auto generated at boot, so wouldn't be in the manifest.
19:56:01 And some things get modified during the normal course of operation, so the hash will differ
19:56:09 (e.g., /etc/zones/index)
19:56:14 I'm not worried about dynamic changes
19:56:18 Mainly just binaries
19:56:40 Like binaries present on the system.
19:57:04 I know that we're using openssh as well which I believe is BSD licensed
19:57:16 So there must be some projects that are not CDDL included in the PI
19:57:47 Well like I said, things that are in illumos-extra have their own license
19:58:08 Also, not *everything* in illumos-joyent is CDDL. Bhyve, for example is BSD.
19:58:44 Also, following up on that CMON issue that I was having yesterday, I ran `cns-hook update_remotevm ` but the certs are still not updating on remote zones.
I just copied them manually for the time being
19:58:52 https://github.com/TritonDataCenter/illumos-joyent/blob/master/usr/src/README.license-files
19:59:02 Excellent
19:59:18 Sorry for all the questions I haven't dug into the source and done a build in ages
19:59:33 Well, it uses sdc-oneachnode to copy the files over, so maybe look at that?
20:00:15 Yeah, I `set -x` before I ran it and saw the oneachnode commands run, but didn't pay enough attention to see if there was a failure. I'll give it another shot
20:00:51 I'll dig through the script some more too. Just thought you might know of an issue before I spent too much time on it.
20:01:37 anyways, thanks again, maybe I can return all the help you guys have given me in the future.
20:07:16 I will say that triton-dehydrated expects there to be a working Triton :-)
20:07:35 If that's not the case, there's no guarantee it will work :-)
20:07:39 is libumem the right place to look for querying vmm through syscalls btw? Just wondering for telegraf ram metrics
20:07:53 Oh there is a full triton/manta deployment in the environment
20:08:11 Now where I am hacking/cheating a bit is I want to get cmon working on a vanilla smartOS node
20:08:24 But I mean if your sdc-oneachnode is broken, then there's nothing that triton-dehydrated can do about it.
20:08:39 sdc-oneachnode is working perfectly currently
20:08:58 I don't think cmon on standalone smartos will work.
20:09:08 It has heavy dependencies on sapi.
20:09:21 Damn even with manually written configs?
20:09:31 Or does it look for config-agent/registrar stuff?
20:09:34 And if you're standing up sapi, you'll need moray, manatee, and binder
20:09:44 It uses config-agent
20:09:46 Right so may as well just run triton haha
20:10:07 You might be able to fudge enough to get cmon-agent running on standalone smartos
20:10:14 but that's not the same as cmon itself.
20:10:42 cmon also requires vmapi, cnapi, and ufds
20:10:56 Ah shit I didn't think about that
20:11:09 So you're not far away from full triton at that point.
20:11:22 Is there another metric interface written for smartOS like CMON that could run standalone and be scraped by prometheus?
20:11:37 Triton isn't really a bunch of reusable components.
20:11:44 The reusable parts we publish as node modules
20:12:08 but like any one Triton service, generally has strong dependencies on other Triton services.
20:12:10 So I guess glue the node modules together haha
20:12:34 Sounds like we're getting deep into node at that point.
20:13:04 I have SmartOS nodes sprinkled about the globe that I want to monitor but really don't want to keep relying on Zabbix
20:13:23 Plus I haven't built zabbix on current platform in ages
20:13:56 Guess my telegraf plugins will have to do if there isn't another native interface like cmon
20:15:07 I mean, cmon-agent fundamentally is just a prometheus exporter that happens to be zone-aware.
20:15:35 So hack away at cmon-agent and configure it to connect to a prom?
20:15:48 bypassing cmon proxy altogether?
20:16:36 Does it rely in any way on promtail libraries maybe ported to node?
20:17:22 cmon handles account based authentication, once the request is authenticated, it's just a pure proxy to cmon-agent
20:18:27 Forgot about the UFDS aspect
20:18:50 but cmon-agent is just an open ended api right?
20:19:23 It's an unauthenticated exposition endpoint.
20:19:45 I feel a bit more clear on this
20:19:50 I hesitate to even call it an API, because all you can do is GET
20:20:35 true, but would one need a prometheus zone locally to query cmon-agent directly? I guess cmon doesn't do metric shipping since prom pulls the metrics
20:20:56 This is getting hackier by the moment :)
20:21:41 Oh well, guess I'll go back to ansible hell for the time being hehe. Maybe I'll get time to mess with this another day
20:24:09 Did you see my previous question about libumem?
Curious if that is the correct system library name for querying ram
20:25:24 I missed your question about libumem, but it's not for querying ram.
20:25:32 It's a debugger for memory allocation.
20:26:00 I know that you can use kstat for that but like which system header would you call on illumos for ram?
20:26:12 You LD_PRELOAD it into your app, and it tracks memory allocation, then when you get a core of the process you can use mdb to better account for memory usage in the dore dump
20:26:26 s/dore/core/
20:26:31 libumem is a bit more than that
20:26:31 ah that makes much more sense
20:27:04 I was doing some reading on it last night, saw that it has been ported to windows and linux, but didn't get super deep
20:27:18 it's a malloc/free replacement that implements similar memory management as the kernel does (slab allocation, magazines) for higher performance allocation
20:27:35 the debugging aspects are additional features
20:28:05 But you wouldn't be able to import a libumem header to query memory usage or statistics from a monitoring plugin perspective right?
20:28:48 maybe a dtrace script would be better for that
20:29:04 yeah, if you're wanting to know about system memory usage, kstats is basically your main option
20:31:08 I was trying to build something with rust not long ago and I remember it lacked malloc calls or something I do not remember the exact detail but while I was trying to hack something together to make it build and get memory but couldn't determine the correct system libraries for that
20:31:17 On illumos that is
20:31:26 Was made for linux like everything else
20:33:26 i thought rust on illumos is already using libumem for its allocations.. but maybe i'm misremembering
20:33:35 it's been a while since I worked on the illumos target
20:34:08 It probably is now, I know that perkin did a lot for the rust bootstrap on pkgsrc
20:35:25 I was only wondering for future issues that I may hit on project or another.
Whether it's go or rust or whatever, just wanted to try to figure out how to translate memory syscalls from linux to illumos if needed. Figured if I could just find the right library it wouldn't be much effort. But hell finding the correct library is an effort in and of itself lol
21:41:54 yeh I've always built everything in pkgsrc with libumem, though I believe rust ensures it's always linked against it by default for the illumos target too