
#151 2021-05-11 12:07:40

JustSomeGeek
Member
From: Scotland
Registered: 2018-08-13
Posts: 41

Re: Reflector reborn

thiagowfx wrote:

@JustSomeGeek Could you post:

stat /etc/resolv.conf
cat /etc/resolv.conf

I happen to have experienced the same issue and in my case the culprit was an empty (sans comments) /etc/resolv.conf file.

Assuming you're using systemd-resolved, you'll need to symlink /etc/resolv.conf to /run/systemd/resolve/stub-resolv.conf.

This is covered in the wiki: https://wiki.archlinux.org/title/Systemd-resolved#DNS.

I can't troubleshoot the root cause, but for some reason, when running under systemd (as of the current package), proper config of /etc/resolv.conf is needed for reflector. When running it stand-alone, /etc/resolv.conf is not needed.

stat /etc/resolv.conf
File: /etc/resolv.conf
  Size: 65              Blocks: 8          IO Block: 4096   regular file
Device: 1ah/26d Inode: 479         Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-05-10 20:04:39.527080221 +0100
Modify: 2021-01-19 01:32:10.000000000 +0000
Change: 2021-05-09 13:44:07.680347807 +0100
Birth: 2021-05-09 13:44:07.680347807 +0100


cat /etc/resolv.conf
# Resolver configuration file.
# See resolv.conf(5) for details.

I use DHCPD as client, and have not had any apparent DNS issues, so I never thought to look at this, as the direct command line invocation works fine. I'll have a read, and give your solution a try. I'm guessing it's the same cause, as my resolv.conf is empty. Thanks!

EDIT: That seems to have done it. Thanks muchly! :-D

Last edited by JustSomeGeek (2021-05-11 12:20:12)

Offline

#152 2021-05-31 02:51:11

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 6,668
Website

Re: Reflector reborn

thiagowfx wrote:

Feature Request: What do you think of adding a "Worldwide" option to the list of countries supported by reflector? Rationale:

pacman-mirrorlist comes with a Worldwide section. Currently, it looks like this:

## Worldwide
#Server = http://mirrors.evowise.com/archlinux/$repo/os/$arch
#Server = http://mirror.rackspace.com/archlinux/$repo/os/$arch
#Server = https://mirror.rackspace.com/archlinux/$repo/os/$arch

Sorry, I missed your post (the one after it started a new page). The Mirror Status server's JSON response sets an empty string as the country and country code for the "worldwide" servers. You can therefore include them by passing an empty country code to reflector. To use your example, replace "Worldwide" with the empty string (but keep the comma):

reflector --protocol https --country 'Canada,'

I could modify reflector to replace "Worldwide" with the empty string but I prefer to avoid hard-coded keywords that may change in the future.


My Arch Linux Stuff | Forum Etiquette | Community Ethos - Arch is not for everyone

Offline

#153 2021-06-06 02:10:16

thiagowfx
Member
Registered: 2013-07-09
Posts: 586

Re: Reflector reborn

Thanks Xyne, that makes sense. There's no need to modify reflector for that, it's just a matter of documentation. I've gone ahead and added it as a Tip to the wiki (https://wiki.archlinux.org/title/Reflector#Examples). Dunno if it's worth adding that to the man page as well, I'll leave that to your judgment.

Last edited by thiagowfx (2021-06-06 02:27:23)

Offline

#154 2021-07-08 10:36:38

pyfisch
Member
Registered: 2021-07-08
Posts: 2

Re: Reflector reborn

Hi Xyne,

I'm learning about the systemd unit hardening settings right now. Reflector has a comprehensive list of settings but I wonder if it can be made somewhat simpler:

CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_SYS_TIME CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYS_RESOURCE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_SYS_BOOT CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM

Instead of enumerating all capabilities that reflector doesn't need, one can write just CapabilityBoundingSet=, as reflector doesn't need any capabilities. In addition this is future-proof against capabilities that are added in new kernel releases.

RestrictAddressFamilies=~AF_AX25 AF_IPX AF_APPLETALK AF_X25 AF_DECnet AF_KEY AF_NETLINK AF_PACKET AF_RDS AF_PPPOX AF_LLC AF_IB AF_MPLS AF_CAN AF_TIPC AF_BLUETOOTH AF_ALG AF_VSOCK AF_KCM AF_UNIX AF_XDP

Here the line RestrictAddressFamilies=AF_INET AF_INET6 is sufficient and again future-proofs against new address families.

(Right now reflector runs as root, one can also use DynamicUser= and grant AmbientCapabilities=CAP_DAC_OVERRIDE to allow editing the mirrorlist file. Not sure if this is more secure/better.)

Thanks for providing reflector to the community!

Offline
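To make the denylist-versus-allowlist point above concrete, here is an added example (Python, written for this thread; it is not reflector's code or its unit file). It parses the [Service] section of a unit, flags directives written with the `~` denylist prefix, checks that the denylist does not already block something the service needs, and emits an allowlist drop-in that grants only what the service is stated to need. The unit text is a constructed subset of the lines quoted in the post, the "needs" follow the post's reasoning (no capabilities, only AF_INET and AF_INET6), and the drop-in path mentioned in the comments is an assumption.

```python
"""Rewrite systemd denylist-style sandboxing directives as allowlists.

Added example for the discussion above; not reflector's own unit or code.
A denylist ("~A B C") still permits anything not named, including items a
future kernel introduces; an allowlist permits only what is named, and an
empty assignment (CapabilityBoundingSet=) permits nothing.
"""
import configparser
from typing import Dict, List, Tuple

# Directives where a leading "~" means "everything except the listed items".
DENYLIST_DIRECTIVES = ("CapabilityBoundingSet", "RestrictAddressFamilies")

# Constructed fragment: a shortened version of the denylist settings quoted above.
DENYLIST_UNIT = """\
[Service]
Type=oneshot
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SYS_ADMIN CAP_NET_ADMIN CAP_SYS_TIME
RestrictAddressFamilies=~AF_AX25 AF_NETLINK AF_PACKET AF_UNIX AF_XDP
"""

# What the service is stated to need (assumption taken from the post's reasoning).
REFLECTOR_NEEDS: Dict[str, List[str]] = {
    "CapabilityBoundingSet": [],                 # no capabilities at all
    "RestrictAddressFamilies": ["AF_INET", "AF_INET6"],
}


def parse_service_section(unit_text: str) -> Dict[str, str]:
    """Return the [Service] key/value pairs; systemd directive names are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep CapabilityBoundingSet etc. exactly as written
    cp.read_string(unit_text)
    return dict(cp["Service"]) if cp.has_section("Service") else {}


def classify(value: str) -> Tuple[str, List[str]]:
    """Split a directive value into ('deny' | 'allow', [items])."""
    value = value.strip()
    if value.startswith("~"):
        return "deny", value[1:].split()
    return "allow", value.split()


def to_allowlist(unit_text: str, needed: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """For each denylist directive, return the allowlist items that grant only `needed`."""
    service = parse_service_section(unit_text)
    allowlists: Dict[str, List[str]] = {}
    for directive in DENYLIST_DIRECTIVES:
        if directive not in service:
            continue
        mode, items = classify(service[directive])
        if mode == "allow":
            continue  # already an allowlist, nothing to do
        wanted = needed.get(directive, [])
        # A denylist that blocks something the service needs is a bug worth surfacing.
        blocked = sorted(set(wanted) & set(items))
        if blocked:
            raise ValueError(f"{directive} denylist blocks required {blocked}")
        allowlists[directive] = list(wanted)
    return allowlists


def render_dropin(allowlists: Dict[str, List[str]]) -> str:
    """Render a drop-in (e.g. /etc/systemd/system/<unit>.d/override.conf; path is an assumption).

    Each directive is first assigned the empty string so the drop-in replaces the
    main unit's denylist instead of merging with it; a non-empty allowlist follows.
    """
    lines = ["[Service]"]
    for directive, items in allowlists.items():
        lines.append(f"{directive}=")
        if items:
            lines.append(f"{directive}=" + " ".join(items))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dropin(to_allowlist(DENYLIST_UNIT, REFLECTOR_NEEDS)))
```

The `blocked` check is the part worth keeping around: it catches the case where someone has been adding to a denylist over time and a later "needed" item (AF_UNIX, say, if the service turns out to talk to a local socket) is already on it, which a plain rewrite would silently drop.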

#155 2021-07-08 20:04:23

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 6,668
Website

Re: Reflector reborn

I've updated CapabilityBoundingSet to a whitelist. RestrictAddressFamilies had already been updated to a whitelist (with the addition of AF_UNIX, but maybe that's superfluous), but I forgot to push it after letting it sit in my repo.

I don't really have an opinion about switching to the dynamic user with CAP_DAC_OVERRIDE. My understanding is that the read and write paths are already locked down so it shouldn't make a difference but I understand that conceptually it's better to avoid running as root. I'm open to changing that too.

If you have any good sources beyond the systemd man pages for learning about hardening settings, please share. I need to dive into it seriously at some point instead of just dabbling and re-using submitted settings.



Offline

#156 2021-07-09 08:55:18

pyfisch
Member
Registered: 2021-07-08
Posts: 2

Re: Reflector reborn

> I don't really have an opinion about switching to the dynamic user with CAP_DAC_OVERRIDE. My understanding is that the read and write paths are already locked down so it shouldn't make a difference but I understand that conceptually it's better to avoid running as root. I'm open to changing that too.

I agree, I don't think there is a difference because the paths are locked down. So I would keep it with root for now.

> If you have any good sources beyond that systemd man pages for learning about hardening settings, please share. I need to dive into it seriously at some point instead of just dabbling and re-using submitted settings.

No, I mainly used the man pages and systemd-analyze security. I found the analyze command useful as it shows me which settings are already good and where it is important to improve. However, I am unsure if the suggested options aren't redundant: for example, most services shouldn't change the system clock. If I have DynamicUser=true or specified a regular account, the service already can't modify the clock. Then systemd-analyze suggests to add CapabilityBoundingSet=~CAP_SYS_TIME, SystemCallFilter=~@clock and then it still wants me to add ProtectClock=true. I know that these options restrict access to the clock in different ways but as a user of systemd I don't really want to care.

I found a few tutorials but I think most are for an older version of systemd (with fewer options) or contain errors. I looked at a few ArchLinux service files but unfortunately most don't make use of the new settings yet.

Offline

#158 2021-07-10 00:32:22

Xyne
Moderator/TU
Registered: 2008-08-03
Posts: 6,668
Website

Offline

#159 2021-08-25 01:03:07

alex.forencich
Member
Registered: 2011-05-29
Posts: 96

Re: Reflector reborn

On the subject of mirror speed testing; I think a reasonable compromise is to ping all of the servers in parallel, throw out all servers that timed out, then speed test the remainder sequentially.  It seems that it is common for a number of servers to time out, and waiting 5 seconds for each of them is rather annoying.  Sending (some of) the pings out in parallel should have little effect on the accuracy of the latency figures.

Offline
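The two-phase scheme proposed above, as an added example in Python (not reflector's code): reachability probes for all mirrors run concurrently under a single deadline, mirrors that do not answer in time are dropped, and only the survivors get a download-rate test, one at a time so the measurements do not share bandwidth. Network I/O sits behind two callables so the logic runs offline; `probe(url)` and `rate(url)`, the mirror names and the latency and rate numbers are constructed stand-ins, not measurements.

```python
"""Parallel reachability probe, then sequential rate test, for mirror ranking.

Added example illustrating the approach in the post above; not reflector's code.
`probe(url)` returns a latency in seconds or raises on failure; `rate(url)` returns
a download rate in bytes per second or raises. Both are injected so the selection
logic is testable offline with the constructed fakes at the bottom.
"""
import concurrent.futures as cf
import time
from typing import Callable, Dict, List, Optional, Tuple

Probe = Callable[[str], float]
Rate = Callable[[str], float]


def probe_all(urls: List[str], probe: Probe, timeout: float, workers: int = 16) -> Dict[str, Optional[float]]:
    """Probe every URL concurrently; a URL maps to None if it fails or misses `timeout`.

    Wall time is bounded by one `timeout` rather than len(urls) * timeout. The pool is
    shut down without waiting, so a probe stuck on a black-holed host finishes on its
    own later; a real probe should also carry its own socket timeout.
    """
    results: Dict[str, Optional[float]] = {}
    pool = cf.ThreadPoolExecutor(max_workers=workers)
    futures = {pool.submit(probe, url): url for url in urls}
    done, not_done = cf.wait(futures, timeout=timeout)
    for fut in done:
        try:
            results[futures[fut]] = fut.result()
        except Exception:  # connection refused, DNS failure, etc.
            results[futures[fut]] = None
    for fut in not_done:
        results[futures[fut]] = None
        fut.cancel()  # only takes effect if the task has not started yet
    pool.shutdown(wait=False)
    return results


def rate_sequentially(urls: List[str], rate: Rate) -> List[Tuple[str, float]]:
    """Measure one mirror at a time so downloads do not compete; failures are dropped."""
    measured: List[Tuple[str, float]] = []
    for url in urls:
        try:
            measured.append((url, rate(url)))
        except Exception:
            continue
    return sorted(measured, key=lambda item: item[1], reverse=True)


def select_mirrors(urls: List[str], probe: Probe, rate: Rate,
                   timeout: float = 5.0, workers: int = 16) -> List[Tuple[str, float]]:
    """Rank mirrors by measured rate, after discarding those that did not answer the probe."""
    latencies = probe_all(urls, probe, timeout, workers)
    reachable = sorted((u for u, lat in latencies.items() if lat is not None),
                       key=lambda u: latencies[u])
    return rate_sequentially(reachable, rate)


# Constructed stand-ins for offline demonstration: (latency in s, rate in B/s); None = no answer.
FAKE_MIRRORS: Dict[str, Tuple[Optional[float], Optional[float]]] = {
    "https://mirror-a.example/": (0.02, 40e6),
    "https://mirror-b.example/": (0.08, 90e6),
    "https://mirror-c.example/": (None, None),   # black hole: never answers
    "https://mirror-d.example/": (0.05, 10e6),
}


def fake_probe(url: str) -> float:
    latency, _ = FAKE_MIRRORS[url]
    if latency is None:
        time.sleep(1.0)  # longer than the timeout used in demo(); simulates a dropped SYN
        raise TimeoutError(url)
    time.sleep(latency)
    return latency


def fake_rate(url: str) -> float:
    _, rate = FAKE_MIRRORS[url]
    if rate is None:
        raise ConnectionError(url)
    return rate


def demo(timeout: float = 0.3) -> Tuple[List[Tuple[str, float]], float]:
    """Run the selection against the fakes; returns (ranking, elapsed seconds)."""
    start = time.monotonic()
    ranked = select_mirrors(list(FAKE_MIRRORS), fake_probe, fake_rate, timeout=timeout)
    return ranked, time.monotonic() - start


if __name__ == "__main__":
    ranking, elapsed = demo()
    for url, bps in ranking:
        print(f"{bps / 1e6:6.1f} MB/s  {url}")
    print(f"selection took {elapsed:.2f}s with one unresponsive mirror")
```

With one unresponsive mirror the whole selection finishes in roughly one probe timeout instead of timeout plus the per-mirror waits, which is the saving the post is after; the rate tests stay sequential because concurrent downloads would measure each other rather than the mirrors.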

#160 Yesterday 08:28:35

digitalone
Member
Registered: 2011-08-19
Posts: 300

Re: Reflector reborn

Can't use it as a service on my system.

sudo reflector --save /etc/pacman.d/mirrorlist --protocol https --country AU,BA,HR,FR,DE,IT,MC,RS,SI,CH --sort score --number 5

from command line works, but as service it fails:

systemd[1]: Starting Refresh Pacman mirrorlist with Reflector....
reflector[3466]: error: Permission denied
systemd[1]: reflector.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: reflector.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Refresh Pacman mirrorlist with Reflector..

Offline
