Announcement

Collapse
No announcement yet.

Systemd In Ten Years Has Redefined The Linux Landscape

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #81
    Originally posted by Paul Frederick View Post
    How does it say anything about me? I don't work on either project. I am just an end user.
    Lets get roll out I am just a user excuse. So you are person who uses a hammer to put in a screw then wonders why a screw does not hold its rated weight right. First thing todo is find out if the tools are in fact broken or is it simply that they are being used wrong/configured wrong.

    There is every possibility that the DE you had trouble running is now fixed and works perfectly with systemd.

    Originally posted by Paul Frederick View Post
    The tools are simply supposed to work. When they don't there's nothing I can do to fix them either.
    Bug reporting systems exist to end users who cannot fix problems can report faults in location that developers of projects and distributions hear about and then can fix them as well. So don't bring this garbage that you could have done nothing to fix them. You could have opened a bug and had a bug number to point to to say I reported X problem here and it was not fixed. So can I take this that you never attempted to get the problem fixed yet you want to complain about it and also don't know if the problem was fixed because some else could have reported it and you are dare to make noise. If that the case shut up you are wasting everyone time.

    Comment


    • #82
      Originally posted by oiaohm View Post

      https://aboutthebsds.wordpress.com/2...curity-danger/
      I stay well clear of talking about freebsd jails the above post covers why. This covers this history freebsd jails core design does not come from a trustworthy coder as well as performing badly. Performance problem cause lot of excess isolation.
      You should have steered clear of the site too. It's FUD with pretty low standards to written English. Known Linux troll has been authoring it. Next time actually do check the background and data presented for "facts" before trying to use it as an argument. Tho, grammar errors and over-the-top remarks should have been dead giveaway that author is anything but objective and factual.

      Comment


      • #83
        Originally posted by arokh View Post
        So basically what we're dealing with here is an army of newbies that are complaining because their equivalent of autoexec.bat is gone and they are incapable of reading the manual. It seems to me you are better off with a point and click type of OS, but I'll give you a helping hand:

        Code:
        [Unit]
        Description=Noobexec
        
        [Service]
        Type=oneshot
        ExecStart=/home/newbie/autoexec.bat
        
        [Install]
        WantedBy=multi-user.target
        There, now you can put your script in there shut up and get off the internet talking about stuff you have no clue about.
        Remember to tell them where to put the script.

        Also: you should probably tell them how to name it too or they might name the script something like noob.ini instead of noob.service

        Also remember to tell them the command to make systemd incorporate the script.

        Lots of stuff needs networking too, so you might want to give additional instructions on how to ensure networking is up. For that matter, there may be a whole bunch of services which the "noob" might want to have already started before their script runs, but with your service file may start in parallel with.

        You know what. Scratch all of the above. You might want to instead instruct the user on how to setup a custom target to ensure their script truly runs after all the services the script might need have already started. This guide may help that user: https://www.mauras.ch/systemd-run-it-last.html


        Totally noob friendly

        Comment


        • #84
          Originally posted by oiaohm View Post

          Lets get roll out I am just a user excuse. So you are person who uses a hammer to put in a screw then wonders why a screw does not hold its rated weight right. First thing todo is find out if the tools are in fact broken or is it simply that they are being used wrong/configured wrong.

          There is every possibility that the DE you had trouble running is now fixed and works perfectly with systemd.



          Bug reporting systems exist to end users who cannot fix problems can report faults in location that developers of projects and distributions hear about and then can fix them as well. So don't bring this garbage that you could have done nothing to fix them. You could have opened a bug and had a bug number to point to to say I reported X problem here and it was not fixed. So can I take this that you never attempted to get the problem fixed yet you want to complain about it and also don't know if the problem was fixed because some else could have reported it and you are dare to make noise. If that the case shut up you are wasting everyone time.
          I submitted 3 bug reports. Try again!

          Comment


          • #85
            Originally posted by cybertraveler View Post
            Remember to tell them where to put the script.
            Place it in ~/.config/system.d.

            Also: you should probably tell them how to name it too or they might name the script something like noob.ini instead of noob.service
            Name it .service.

            Also remember to tell them the command to make systemd incorporate the script.
            systemctl enable autoexec.service

            Lots of stuff needs networking too, so you might want to give additional instructions on how to ensure networking is up. For that matter, there may be a whole bunch of services which the "noob" might want to have already started before their script runs, but with your service file may start in parallel with.
            Add network-online.target and any other dependencies to Requires= and After=.

            You know what. Scratch all of the above. You might want to instead instruct the user on how to setup a custom target to ensure their script truly runs after all the services the script might need have already started. This guide may help that user: https://www.mauras.ch/systemd-run-it-last.html


            Totally noob friendly
            You must be f*cking joking. The argument for an rc.local to begin with is that they have all their custom stuff in there that should handle all they need. I don't see that they would require any other systemd function at all once they can run their script? In any case, what the hell is the problem? Dependencies and start order would need extra care in the script anyways. You haven't pointed out any fault in systemd at all, rather highlighted it's usefulness.

            I really don't get it, you're asking for a "noob friendly" way to do lots of "complicated" stuff, noobs need to click an icon and open the browser that's all.
            Last edited by arokh; 21 December 2019, 01:28 PM.

            Comment


            • #86
              Originally posted by arokh View Post

              I really don't get it
              Indeed.

              Comment


              • #87
                Originally posted by timofonic View Post
                As a desktop user...

                Other than that, I just see stuff mostly targeted at servers.
                I don't agree with this one. I'm using desktop system with systemd and utilizing heavily the user services for multiple things (including timers, services etc.) I actually start with "can this be a user service" before adding something as a system service. It works great and I've got nice statuses/logs & dependencies system to tie it all.

                Comment


                • #88
                  Originally posted by oiaohm View Post

                  https://aboutthebsds.wordpress.com/2...curity-danger/
                  I stay well clear of talking about freebsd jails the above post covers why. This covers this history freebsd jails core design does not come from a trustworthy coder as well as performing badly. Performance problem cause lot of excess isolation.

                  Solaris Zones and Linux cgroups/namespaces suffer from basically the same set of problems.

                  1) The first problem type I can point to a recent example of it in Linux.
                  https://lkml.org/lkml/2019/9/5/1132
                  This is example were full isolation can turn rapidly into a hindrance this was one of the cgroup goof ups this is a particular class of goof up resulting in extra memory usage. But Solaris Zones have in their implementation many goof ups like this.

                  This type goof ups fairly much look the same you isolate process and effectively duplicate the memory incorrectly for some reason. This duplicate memory means you memory management has to work harder to defragment memory. Not being able to get large continuous allocations of memory starts effecting IO performance. At this point your performance disappears into hell.

                  k1e0x this is really the board game I talked about. Perfect security you are going to duplicate up the memory so that some missing memory protection flag is not going to allow a cross breach but doing this undermines stability and performance. So that deduplication fix in the Linux kernel for slabs is incorrect for perfect security. Maybe we want configuration here why this may not be the answer is 3.

                  2) Then you have like the Linux PID/network... namespace or the Solaris Non-Global Zones problem. This is like the first problem with a extra side of hell. The applications in these namespace/zones have to presented with information that looks like the a full system even that they are only seeing part information this is mandatory memory duplication that may come back and bite. This is duplication also has to be kept synced in many cases. This syncing takes extra cpu time.

                  The second one if your workload is hitting it can be faster to run you workload in kvm instead. Again maybe we want configuration here so we can avoid using these things when they make no security sense.

                  So it really hard working out how to do cgroups and zones exactly right. Get it wrong you can have massive performance hits that appear absolutely random.

                  Linux kernel did start over with cgroups once already why we have cgroupsv1 and cgroupsv2. Cgroups v2 is way better designed than the first one. Cgroupv1 broke apart zone design way to far allowing multi trees. But allowing users to use of the namespaces when they are not required that cgroups allow gives it performance advantage over zones.

                  Container on Linux is a theory construct built on top of cgroups and namespaces.

                  .Basically k1e0x there is no single absolutely right answer for every usage case. So for this stuff we need a stack of setting right.

                  3) Welcome to the third nightmare. As you add options for configuring the system you add cpu overhead possible to the complete system as you need to check what options apply. Something Solaris managed todo. leading to it being nicknamed Slowaris.

                  Basically this is one very hard game to win. Every path you can think is a solution to the zones or cgroups/namespace problem can in fact end up killing performance or security or both with a extra side of sometimes completely screwed up stability.

                  Problem is a perfect implementation cgroups/namespaces and zones for security will be slow. Redox OS cannot avoid this. So you need to make a imperfect solution to have performance the problem is how to achieve imperfection for performance without reducing security too much. Basically we do not want to do a intel with speculative execution.
                  I don't believe this at all. Where as I can see some of this is true in the right light, I think this is a retroactive spin for cgroups shortcomings. It's mostly due to it not having a clear design goal as with Jails and Zones.

                  You can be critical of Jails.. but remember Jails invented the idea and inspired Zones 20 years ago. The purpose of Jails and Zones are different than Linux cgroups. The intention for jails wasn't virtualization as much as it was security. Hence the name, Jail.. and yes.. it started out with a lot of incomplete parts. I believe FreeBSD 10 finally isolated System V IPC, and FreeBSD 11 finally isolated the network stack making it mostly a feature complete implementation now. You can say this development was slow.. but containers weren't really very popular till recent times too so.. they were far ahead of the curve in a world where most people were doing hardware based virtualization to solve this problem.

                  Before Jails was chroot, (if this counts) it's main goal was probably ease of development. (So it shares that with Docker and Linux. and thus shares the security shortcomings)

                  Sun, Inspired by Jails created Zones and engineered it from the ground up to be full isolation for security. They did this to sell big iron and do multi tenant. Memory isolation is intentional due to the goal being security. Although I don't even know if that is true in the case of shared libraries may in fact not be duplicated, a jail doesn't appear to take any memory.. and if it does it's very small (like kb small). personally I put 6 jails on a host with 1024 megs of ram, each running services and it still had 50% to spare. There was no difference in memory usage from running those same processes on the host. Jails are a lot of things.. slow and bloated they are not. They are extremely thin compared to hardware based virtualization.

                  KVM is never faster, two OS's are never faster than one. The idea it can be is absurd. OS level virtualization is always going to be faster.

                  All of this really highlights the major single biting problem with Linux is that it evolves with small chunks of stuff cobbled together to make larger constructs. It isn't designed by in large like FreeBSD, Solaris or Redox because nobody is in control leading engineering projects. They just throw stuff at the wall and that is why you get cgroups/namespace being called a "container" or btrfs as opposed to ZFS or systemd as opposed to launchd. That model works clearly if you want to get something easy done fast.. but when you get to hard topics like containers or filesystems or process accounting it falls apart and NEEDS engineering.
                  Last edited by k1e0x; 21 December 2019, 07:51 PM.

                  Comment


                  • #89
                    Originally posted by k1e0x View Post
                    There was no difference in memory usage from running those same processes on the host. Jails are a lot of things.. slow and bloated they are not. They are extremely thin compared to hardware based virtualization.
                    Yes not that can measure simple. The extra memory usage of Jails or cgroup is kernel based stuff normally not directly linked to process accountancy. This is where you logic is wrong as at times it can be way heavier than hardware base virtualization.

                    Originally posted by k1e0x View Post
                    KVM is never faster, two OS's are never faster than one. The idea it can be is absurd. OS level virtualization is always going to be faster.
                    This is one of those horible thinks that people think is true but in reality is only sometime true. Yes the majority of cases it true but there are examples where it false..
                    https://indico.cern.ch/event/384358/...aru_takase.pdf
                    Page 11 here done with docker vs kvm there are old ones with solaris zones vs hypervisor I cannot find that were done by vmware that show the same kind of strangeness.

                    Notice the ping with docker is way faster than kvm but the sshd is way faster with kvm than docker. So one of those very warped things where a VM can be faster running 2 Linux instances or two freebsd instances than using cgroups/namespaces or jails

                    Its really horrible that KVM have such a wide performance profile with hardware acceleration is somewhere between the 0% to 80% performance loss . The advantage of docker, jails and zones you don't have this horrible wide profile normally 1 percent to 50% performance loss . So like it or not there are cases that docker, jails and zones lose vs kvm or other virtual machines.

                    Originally posted by k1e0x View Post
                    It isn't designed by in large like FreeBSD, Solaris or Redox because nobody is in control leading engineering projects.
                    But when it comes to process isolation due to the performance problems we see we know that FreeBSD and Solaris did not have the design right.

                    Originally posted by k1e0x View Post
                    All of this really highlights the major single biting problem with Linux is that it evolves with small chunks of stuff cobbled together to make larger constructs.
                    Kind of true.

                    Originally posted by k1e0x View Post
                    They just throw stuff at the wall and that is why you get cgroups/namespace being called a "container"
                    This is kind of what you call R&D. Thinking at this stage we don't have a design that is perfect for this the R&D process still has it place.

                    Btrfs was in fact designed by oracle funded developer so both Btrfs and ZFS were fully designed implementation of both have run into major problems like ZFS absolutely horrible memory usage. https://lwn.net/Articles/747633/ XFS lead developer is taking a different route that may render both Btrfs and ZFS design ideas totally invalid. XFS one asks a really good question if the Unix old saying that everything is a file as true why have we not been able to just straight up use file system drivers on files. Why is snapshotting not designed around files as well.

                    Originally posted by k1e0x View Post
                    That model works clearly if you want to get something easy done fast.. but when you get to hard topics like containers or filesystems or process accounting it falls apart and NEEDS engineering.
                    The horrible problem is the solution may not be exactly engineering. It may be the total inverse.

                    Think about this you give 2 art classes just a block of clay no tools. One class turns in all bricks because the clay was baked solid before you gave it to them and only 1 student is in fact happy because they did not have to do anything because it was exactly what they wanted this is kind of the engineered solution you made sure you got the result you wanted. The other class get unbaked clay and you have huge lot of variation and most of the students are happy bar the 1 that did not want to do anything.

                    What would be the equal of clay. This kind of would be bpf in the Linux kernel so you can upload highly optimised configuration for what you are doing.

                    These problems are serous-ally not simple.

                    Comment


                    • #90
                      Originally posted by Paul Frederick View Post
                      I submitted 3 bug reports. Try again!
                      To the correct projects and you had made your you where not having hammer hit in screw problem. Since there are 3 bug reports include them in your next post. I suspect the problems are most likely solved or you reported them in completely the wrong place because you were blaming the wrong thing.
                      Last edited by oiaohm; 21 December 2019, 09:35 PM.

                      Comment

                      Working...
                      X