ChanServ changed the topic of #picolisp to: PicoLisp language | Channel Log: https://irclog.whitequark.org/picolisp/ | Check also http://www.picolisp.com for more information
orivej has quit [Read error: Connection reset by peer]
orivej has joined #picolisp
orivej has quit [Ping timeout: 268 seconds]
orivej has joined #picolisp
shpx has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
shpx has joined #picolisp
shpx has quit [Client Quit]
shpx has joined #picolisp
ubLIX has joined #picolisp
andyjpb has quit [Ping timeout: 244 seconds]
ubLIX has quit [Quit: ubLIX]
orivej has quit [Ping timeout: 245 seconds]
xkapastel has quit [Quit: Connection closed for inactivity]
_whitelogger has joined #picolisp
shpx has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<Regenaxer> Hi all! I'm having trouble with iptables, I want to block all incoming UDP
<Regenaxer> iptables -A INPUT -i eth0 -p udp -j DROP
<Regenaxer> but this does not seem to work. What's wrong?
rob_w has joined #picolisp
<tankf33der> that list loaded, right?
<tankf33der> you can see it in list ?
<tankf33der> iptables -L
<beneroth> perfect, tankf33der
<Regenaxer> yes
<Regenaxer> 0 0 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
<Regenaxer> But still UDP is received
<Regenaxer> : (task (port T 4444) (msg (udp @)))
<Regenaxer> and on another machine
<Regenaxer> : (udp "10.10.12.12" 4444 (usec))
<Regenaxer> ie in LAN
<Regenaxer> Via the external domain no UDP goes through, because of the router
<Regenaxer> eth0 is the only connection that machine has
<beneroth> I have
<beneroth> # iptables -L
<beneroth> Chain INPUT (policy DROP)
<beneroth> target prot opt source destination
<beneroth> DROP all -- anywhere anywhere state INVALID
<beneroth> and then positive rules
<Regenaxer> I have iptables -F on top
<Regenaxer> for tcp all works fine
<Regenaxer> Haven't touched it for years ;)
<Regenaxer> This is how it looks now: http://ix.io/1y1T
<tankf33der> show
<tankf33der> iptables -L INPUT -n -v
<Regenaxer> yes, the above was generated by iptables -L -vn |vip
<Regenaxer> http://ix.io/1y1T
<Regenaxer> then used the :ix.io command :)
<Regenaxer> I want to use 'udp' to do remote 'wipe' calls in a distributed DB
<Regenaxer> all DBs on the same machine
<Regenaxer> So I must be sure no external UDP comes in
Regenaxer has left #picolisp [#picolisp]
Regenaxer has joined #picolisp
<Regenaxer> oops
<Regenaxer> ^D hit :)
<Regenaxer> So does the line "iptables -A INPUT -i eth0 -p udp -j DROP" look correct?
<tankf33der> looks correct.
<Regenaxer> Strange
<tankf33der> show "ifconfig -a"
<Regenaxer> I have no more ifconfig
<Regenaxer> ip adr or so?
<tankf33der> show
<tankf33der> ip a
<tankf33der> and
<tankf33der> ip r
<Regenaxer> http://ix.io/1y20
<Regenaxer> for 'a'
<Regenaxer> and
<Regenaxer> http://ix.io/1y21 for 'r'
<tankf33der> ok
<tankf33der> your interface not eth0
<tankf33der> but enp1s0
<Regenaxer> oh
<tankf33der> but you told:
<Regenaxer> enp1s0 ?
<tankf33der> 10:28 <Regenaxer> for tcp all works fine
<tankf33der> how is it possible that tcp is blocked on the eth0 interface?
<tankf33der> yes, try replace to enp1s0
<Regenaxer> hmm, I don't remember
<beneroth> you don't need to specify an interface.. you could also apply to all interfaces, and then add exception rules for loopback ?
<Regenaxer> I think I locked myself out in the past
<beneroth> yeah that can happen
<Regenaxer> so I thought it is correct ;)
<beneroth> maybe your tcp appeared to work because you had no ports open besides the one you allow anyway?
<Regenaxer> yeah, embarrassing
<Regenaxer> in fact, this machine is not reachable from outside anyway
<Regenaxer> I opened only a few ports in the router
<Regenaxer> I did this to test the setup for 7fach.de
<Regenaxer> on 7fach.de also UDP gets through
<beneroth> use ferm https://wiki.debian.org/ferm or https://configserver.com/cp/csf.html for easier configuration :P
<Regenaxer> I think for now it is fine
<beneroth> csf also has other stuff in it, like blocking wrong logins after some attempts etc.
<Regenaxer> I add the line to iptables for 7fach.de and test there
<beneroth> kk :)
<beneroth> just keep your ssh connection alive :)
<Regenaxer> yeah!
<beneroth> or have a secondary remote reboot option somehow
<Regenaxer> I test first locally again, with the *right* interface
<Regenaxer> I think no big risk
<Regenaxer> I add only the line for udp
<Regenaxer> Thanks to both of you!!
<beneroth> tankf33der did all the work :)
<tankf33der> cool.
<Regenaxer> thanks tankf33der!
<beneroth> I was just eating my breakfast raclette :)
<Regenaxer> oh! raclette for breakfast?
<Regenaxer> Party yesterday?
<beneroth> no. but leftover cheese from the weekend (raclette with gf) and though, hey, big breakfast is meant to be healthy...
<beneroth> normal people don't eat raclette for breakfast :)
<Regenaxer> indeed :)
<Regenaxer> Cool, now udp is blocked!
<beneroth> gz
<Regenaxer> uh, now tcp is blocked too ;(
<Regenaxer> ah
<Regenaxer> no, works
<Regenaxer> but strange, *very* slow
<Regenaxer> Does not look right
<beneroth> some needless additional rules which cause extra checking/processing ?
<Regenaxer> hmm, it is very simple: http://ix.io/1y25
<beneroth> you probably should not bother to look at established connections
<Regenaxer> I opened a new one with browser
<Regenaxer> each click in the app now takes 10 sec or so
<Regenaxer> ha!
<Regenaxer> Now fast again
<Regenaxer> mysterious!!
<Regenaxer> hmm, again hanging
<tankf33der> maybe it tried do dns request ?
<tankf33der> check debug log of blocked traffic.
<Regenaxer> where?
<tankf33der> I don't use iptables and never have before.
<tankf33der> maybe dmesg? or try google.
<Regenaxer> ok
<beneroth> probably in syslog
<tankf33der> like this.
<tankf33der> input is slow or output ?
<Regenaxer> Perhaps something else is wrong. Manual connect goes through immediately
<Regenaxer> only app in the browser
<Regenaxer> let me investigate
<tankf33der> try flush iptables and try again.
<Regenaxer> ok
<tankf33der> try open network inspector in browser and check network activities
<Regenaxer> it is firefox on Android
<Regenaxer> no debug
<tankf33der> ok
<Regenaxer> After iptables -F it is fast
<Regenaxer> so it is indeed in the new config
<Regenaxer> http://ix.io/1y25
shpx has joined #picolisp
shpx has quit [Client Quit]
<tankf33der> also try comment udp block, reload and get fast again
<Regenaxer> ok
<tankf33der> also try replace drop to reject
<tankf33der> if that helped then add logging only on the udp block
<Regenaxer> OK, commenting the udp line makes it fast again
<Regenaxer> So I try REJECT
<Regenaxer> How is the syntax?
<Regenaxer> just replace DROP with REJECT
<Regenaxer> ?
<tankf33der> yea
<Regenaxer> Hangs too
<tankf33der> then add logging
<Regenaxer> So DROP seems better
<Regenaxer> Let me check my own code first
<Regenaxer> The demo app/ works
<Regenaxer> Perhaps I depend on UDP already?
<Regenaxer> I did too many changes at once ;)
shpx has joined #picolisp
<Regenaxer> strange, it is not the application
<Regenaxer> *Something* seems to depend on udp
<beneroth> maybe you do somewhere reverse dns lookups to log the tcp connections ?
<beneroth> no reverse dns lookup in httpGate or so?
<Regenaxer> not in httpGate, but perhaps in logging
<beneroth> the udp block might cause them to wait for timeout
<Regenaxer> But here on the test server I don't log
<Regenaxer> good point
<beneroth> syslog maybe?
<Regenaxer> Probably blocking All UDP is not a good idea
<Regenaxer> time server etc
<Regenaxer> ntp
<Regenaxer> How can I block a range?
<Regenaxer> or, more correct, open a range
<Regenaxer> I should allow all ports below 1024
<beneroth> maybe allow outgoing
<Regenaxer> yes, block only incoming above 1024
<beneroth> in principle I find it good to also block outgoing traffic, well, limit it to the known good stuff, because otherwise an infection can do things so easily.
<Regenaxer> I see, with :
<Regenaxer> right
<Regenaxer> but it may be needed sometimes
<beneroth> if every one (every ISP) would block outgoing shit, defense would also be much easier (and lower cost for all). but people are lazy.
<Regenaxer> T
<beneroth> well as Regenaxer once wrote "you should be totally aware of everything going on your server, so you should be able to config it correctly" :P
<Regenaxer> exactly! :)
<beneroth> which I completely agree too! but in reality it is not so easy :(
<Regenaxer> it needs --match multiport ?
<Regenaxer> for colon?
<beneroth> only if it's a non-continuous range, see second answer
<beneroth> I have only colon notation in my rules, no multiport
<Regenaxer> What is a non-continuous range?
<Regenaxer> So how about this? iptables -A INPUT -p udp 0:1023 -j ACCEPT
<Regenaxer> ah --dport is needed
<Regenaxer> and -i is probably also needed
<Regenaxer> grr
<Regenaxer> still hangs
<Regenaxer> Makes me crazy
<Regenaxer> Now I'm hanging here on this simple issue for hours
<beneroth> its not simple
<Regenaxer> seems so :)
<beneroth> only the syntax is rather dense and simple, but not the logic and concepts :)
<Regenaxer> yes, the concepts
<Regenaxer> *who* needs this UDP
<Regenaxer> iptables is probably correct
<Regenaxer> But something else breaks
<Regenaxer> So you don't block UDP on your servers?
<beneroth> I block everything incoming except exception. I currently allow everything going out (when initiated on the server)
<Regenaxer> All udp blocked? How does ntp work then?
<Regenaxer> or does it use tcp?
<Regenaxer> What might break here then as soon as I drop all udp?
<beneroth> ntp is requested, established incoming connections are allowed.
<beneroth> so ntp works because this server allows all outgoing connections.
<beneroth> thats my current understanding :D
<Regenaxer> So it must be TCP
<beneroth> ah right
<beneroth> of course
<Regenaxer> Probably you are right and it is some reverse DNS
* beneroth is not thinking properly yet
<beneroth> I have no other idea what it could be
<Regenaxer> DNS is via UDP?
<beneroth> normally
<beneroth> can also be via tcp, especially for larger requests. but normal udp
<beneroth> (e.g. TXT requests could be large)
<beneroth> up to the client afaik
<Regenaxer> I don't dare to try it on my production server yet
<Regenaxer> only locally here
<beneroth> my more complex hosting server has a lot more rules. I think there outgoing connections are also blocked except whitelisted ones. and some 5k IPs are banned.
<Regenaxer> Actually, I need this for BTG, and there UDP does not go through
<beneroth> well you only have to get it right once, basically :)
<Regenaxer> But still I want to get it right
<Regenaxer> yeah :)
<beneroth> see, not so easy to be in control of your own server :P
shpx has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
shpx has joined #picolisp
<Regenaxer> DNS seems to be port 5353, but opening it too does not help
<beneroth> DNS is 53
<Regenaxer> ok
<Regenaxer> should be open with --dport 0:1023
<Regenaxer> In strace I see it connects to my router, then does
<Regenaxer> sendto(20, "\23*\1\0\0\1\0\0\0\0\0\0\003122\
<Regenaxer> and hangs in poll()
<Regenaxer> Just *before* that it looked up "/lib/x86_64-linux-gnu/libnss_dns.so.2"
<Regenaxer> So indeed some dns stuff
<Regenaxer> The connect is connect(20, {sa_family=AF_INET, sin_port=htons(53),
<Regenaxer> as you say, 53
<Regenaxer> on socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
<Regenaxer> the connect returns zero, so it succeeded
<Regenaxer> Probably the router tries to send a response which does not arrive
<Regenaxer> so my UDP range rule must be wrong
<beneroth> yay so I was right.
<beneroth> nice find with strace :)
<beneroth> well
<Regenaxer> T
<beneroth> the new outgoing connection is probably choosing a high port at random on your end. its only 53 on the target host!
<beneroth> so you should allow established connections on the input queue
<Regenaxer> Yes, this could be
<Regenaxer> UDP has no connections
<beneroth> hm. true. but I don't know how it behaves with firewalls. could well be that iptables sees the outgoing UDP and can get the sender port (the one on your side) from it.
<beneroth> state ESTABLISHED RELATED stuff
<Regenaxer> I could check the router config, but that won't help on the rented server
<Regenaxer> I don't dare to test on the production server yet
<Regenaxer> perhaps sunday
<beneroth> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
<beneroth> "RELATED" allows useful packets like "Since I sent a request to start a connection, allow the ICMP packet back which tells me this host is not reachable"
<beneroth> ICMP is also not a real connection, unlike TCP, but this rule covers it too
<beneroth> (getting the answer from a ping or traceroute you initiated)
<Regenaxer> I see
<Regenaxer> sounds good
<beneroth> try it
<Regenaxer> -m plus --state
<Regenaxer> works for udp too?
orivej has joined #picolisp
<Regenaxer> or is that global, for all protocols?
<Regenaxer> I try the above line 1:1
<Regenaxer> Looks good!!
<beneroth> for all protocols unless you specify one, afaik
<Regenaxer> Udp is blocked, but server starts fast
<Regenaxer> Nice!
<Regenaxer> This is it it seems!! :)
<Regenaxer> wow
<beneroth> well if you are not interested in the results of the reverse dns lookup, then you should disable it, to not waste energy and bandwidth for nothing.
<Regenaxer> The pil server wants to set the *Adr global
<Regenaxer> It is used for logging, but also in 'retire' as a side-effect
<beneroth> *Adr is always IP I thought...
<beneroth> reverse dns lookup is for getting a hostname
<Regenaxer> yes, but in this test setup I do no logging
<beneroth> I mean: why is some component (probably below pil/httpGate) doing dns lookup (the one you see in strace)
<Regenaxer> Not httpGate, yes
<beneroth> might be a flag with the socket or some configuration in syslog or wherever
<Regenaxer> It must be the (host) function
<beneroth> ah you call it?
<Regenaxer> No, it is only lib/app.l which is not loaded here
<Regenaxer> only on production
<Regenaxer> (prinl *Pid " ! " (stamp) " [" *Adr " " (host *Adr) "] " *Agent)
<beneroth> ah, so you saw the performance problem only on production, and the strace is from there?
<beneroth> ok
<Regenaxer> no, I did not try on production server yet
<Regenaxer> So it is not (host) I think
<Regenaxer> The above prinl is from lib/app.l
<Regenaxer> which is loaded only on production
<beneroth> therefore my point: maybe you should find out why a reverse dns lookup is issued on every incoming request
<beneroth> its probably on OS level, not pil level
<Regenaxer> Oh
<Regenaxer> no, I'm wrong
<Regenaxer> Here I *do* load it!
<Regenaxer> It is a test setup via httpGate
<Regenaxer> so I use the standard call
<Regenaxer> :)
<beneroth> then its likely the (host) call. remove it, and test again with strace
<Regenaxer> No, this explains all
<beneroth> just for knowledge/control. the established/related rule in iptables is a good (and standard) idea anyways
<beneroth> ok
<beneroth> :)
<Regenaxer> I don't want to change the whole config now
<Regenaxer> iptables and httpGate
<beneroth> make a write up for next time :P
<Regenaxer> yes!
<Regenaxer> I keep this iptables config
<Regenaxer> with the state ESTABLISHED RELATED stuff
<Regenaxer> Can't be wrong, right?
<beneroth> likely not. but it would allow incoming stuff for every connection initiated on your machine. so if your machine is infected, it can use the internet. which you could restrict by putting strict rules on outgoing queue (what stuff is allowed to be initiated)
<beneroth> so far the theory, I think
<Regenaxer> uh
<Regenaxer> problem
<Regenaxer> I can't reach my production server any more
<Regenaxer> Not only my server, but whole domainfactory
<Regenaxer> I did not change on the server yet I think
<beneroth> you made exceptions for SSH etc no?
<Regenaxer> no
<Regenaxer> can you try https://admin.jiffybox.de ?
<Regenaxer> It has nothing to do with *my* server specifically
<Regenaxer> Perhaps my outgoing?
<Regenaxer> But other servers I can reach
<beneroth> well... I can't reach it. also not ping it. nothing.
<Regenaxer> Oh
<Regenaxer> So DomainFactory is down?
<beneroth> I tried telnet too, but not even the tcp connection can be established
<beneroth> maybe
<Regenaxer> Seems *I* killed it :)
<Regenaxer> grr
<Regenaxer> Now got 502 Bad Gateway
<beneroth> it's domainfactory, you know, the one where all support/customer data got stolen by a hacker who probably might otherwise also have control over their infrastructure :P
<Regenaxer> right
<Regenaxer> I should change
<beneroth> "Our network infrastructure is currently only partially reachable" ("Derzeit ist unsere Netzwerkstruktur nur eingeschränkt erreichbar") since 12:21
<Regenaxer> Customer calls already
<beneroth> so probably a network issue on their end
<beneroth> sounds like you want to move from domainfactory like right now? :P
<beneroth> you got a replica somewhere else ?
<Regenaxer> yes, all data are here
<Regenaxer> But customers complain already :(
<beneroth> nothing to do with your iptables. domainfactory is down :)
<Regenaxer> yeah, I first thought that I made something wrong
<Regenaxer> copied to the wrong machine or so
<Regenaxer> I hope they can quickly fix it
<beneroth> well maybe you can install the pil app on another host or your homeserver until it's fixed. that's something you maybe can/want to offer your customers
<beneroth> but yeah, DNS changes are probably also needed, and they need time.
<beneroth> you would need to tell your client other domain name or so
<Regenaxer> right
<Regenaxer> I hope they fix it quickly
<beneroth> I can setup you a new dns entry/domain if you need it, server hosting would be a bit more difficult
<beneroth> just tell me
<Regenaxer> Thanks, but I have it all here
<beneroth> good
<Regenaxer> Could start it, but dns needs time
<Regenaxer> and switching back later is tedious
<Regenaxer> needs rsyncs
<beneroth> well give it another additional domain, so you can just tell your clients to go to the other url
<beneroth> T
<Regenaxer> cause the other direction does not replicate
<beneroth> maybe wait 20min or whatever timeout you and your clients are ok with, and then switch over if domainfactory is not reacting
<Regenaxer> There are many applications, also public stuff like the Sushi page
<beneroth> well yeah if they come back online and you moved, you have to shut down the instance immediately to prevent a data mess..
<Regenaxer> Anyway too bad
<beneroth> the old instance, I mean
<Regenaxer> yes
<Regenaxer> Good thing is that it is noon
<beneroth> and friday
<Regenaxer> Some have lunch break
<Regenaxer> yes
<Regenaxer> 2 of them are retail, they open even Saturday
<Regenaxer> I think I killed them by testing UDP :D
<beneroth> highly unlikely
<Regenaxer> :)
<beneroth> but yeah, the hacker trouble they had were a symptom for some troubling carelessness and lack of security processes and knowledge
<Regenaxer> In the future we planned to discard domainfactory
<Regenaxer> Josef moves to a new building
<Regenaxer> then we wanted to put the second server in his office
<beneroth> usually such signs are not isolated things, but show a general lack of skill/care in a company. often it was earlier better but good people left.
<Regenaxer> yes
<beneroth> then everything degenerates slowly over time
<Regenaxer> Interesting
<Regenaxer> Another customer says it still works for him
<beneroth> network problems
<Regenaxer> ah
<beneroth> not server
<Regenaxer> I can connect again!
<Regenaxer> My tmux session is gone
<beneroth> maybe some of their peerings to other ISPs failed. maybe their ISP still has a connection to them. stuff like that.
<beneroth> their = other customer
<Regenaxer> uptime:
<Regenaxer> 12:45:05 up 18 min, 1 user, load average: 0,02, 0,06, 0,01
<Regenaxer> So it restarted immediately
<beneroth> lol, so it was NOT network problems
<Regenaxer> Lets hope nothing is broken
<Regenaxer> Perhaps a power outage?
<beneroth> so https://status.df.eu/ is kinda lying
<beneroth> then they can write "Stromausfall" (power outage).
<beneroth> Regenaxer, now is the right time to add your iptables rules!
<beneroth> if something is broken because of them, you can blame it on df.eu :P
<Regenaxer> yeah
<Regenaxer> The apps started on boot
<beneroth> I use crontab @reboot for that
<Regenaxer> I use /etc/rc.local
<Regenaxer> The admin page is still down
<Regenaxer> New iptables installed. Works
<Regenaxer> :)
andyjpb has joined #picolisp
<beneroth> Regenaxer, btw I get 502 bad gateway at https://admin.jiffybox.de/
<beneroth> so their stuff is still not completely up and running
<beneroth> nice :)
<Regenaxer> yes, not all working yet
rob_w has quit [Remote host closed the connection]
orivej has quit [Ping timeout: 272 seconds]
orivej_ has joined #picolisp
shpx has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
shpx has joined #picolisp
shpx has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<tankf33der> next task
andyjpb has quit [Ping timeout: 258 seconds]
shpx has joined #picolisp
<tankf33der> Regenaxer: what is your current status of firewall issue
xkapastel has joined #picolisp
razzy has quit [Ping timeout: 258 seconds]
orivej_ has quit [Ping timeout: 258 seconds]
<Regenaxer> tankf33der, fine now
<Regenaxer> beneroth, Host Europe has trouble too! https://t.co/nrQffPpMWX
<Regenaxer> Strange!
<Regenaxer> Whats the matter today?
<beneroth> Regenaxer, it's the same crowd: "DomainFactory (part of Host Europe) is also struggling with problems." ("DomainFactory (zu Host Europe gehörend) hat ebenfalls mit Problemen zu kämpfen.")
<Regenaxer> T
<beneroth> as they are owned by GoDaddy (which has also a rather bad reputation with FOSS/hacker community afaik), which is an US company, I would also move
<beneroth> US gov could make them give your/your customers data without ever informing you
<beneroth> well ok, we would notice, as new people would be interested in how to read pil DB ;-)
<beneroth> so.. their infrastructure (domainfactory) IS old, insecure and outdated (if this comment is true), as I suspected earlier today ;-)
<Regenaxer> Seems so :(
shpx has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
shpx has joined #picolisp
shpx has quit [Client Quit]
<Regenaxer> beneroth: I thought about the UDP ports again. I don't need to block all
<Regenaxer> Instead of -m state --state ESTABLISHED,RELATED I do now
<Regenaxer> iptables -A INPUT -i enp1s0 -p udp --dport 1024:32767 -j DROP
<Regenaxer> I.e. block only those ports I do really use
<Regenaxer> the non-ephemeral ports
orivej has joined #picolisp
freemint has joined #picolisp
<freemint> Hi Regenaxer I caught up with the logs
<freemint> wise idea to switch hoster after that.
<Regenaxer> Hi freemint
<Regenaxer> yes, I don't trust them any more
<freemint> but reliability gets really expensive, when you want to use your own infrastructure and have a stateful web app (as in not a CDN)
<Regenaxer> At the moment I'm checking the databases
<Regenaxer> It was a hard crash, power loss or so
<freemint> How does it behave in power loss? Does it have a Journaling mechanism?
<Regenaxer> Yes, but I did not switch it on here
<Regenaxer> They promised they have an uninterruptible power supply
<Regenaxer> Not true it seems
<freemint> why did you leave it off?
<Regenaxer> It has some overhead. In PilBox it is switched on of course
<Regenaxer> as Android kills processes the hard way sometimes
<freemint> i know
<Regenaxer> The server is mirrored, so not a big risk
<freemint> mirrored where?
<Regenaxer> Even with journalling data may be lost eg when the HD is damaged
<Regenaxer> mirrored to my server here in the basement
<freemint> ah but you can not run it from there ...
<Regenaxer> All production applications on several server mirror to here
<Regenaxer> I can
<freemint> but not for the public
<Regenaxer> it is all there, but takes time to switch DNS
<Regenaxer> no, works fine
<freemint> ok
<Regenaxer> I switched once
<freemint> did you get a call from your server first or from the users?
<Regenaxer> When DomainFactory moved from Strassburg to Köln
<Regenaxer> I noticed myself, and 2 mins later one customer called
<freemint> How big is your pipe at home?
<Regenaxer> What pipe?
<freemint> Internet speed
<Regenaxer> ah, only 50 M down and 10 up
<Regenaxer> But no problem, these apps need almost no speed on the line
<Regenaxer> I tried when I had only 1 M
<Regenaxer> was fine
<freemint> how many current users?
<Regenaxer> In total about 10 I think
<Regenaxer> in the business apps
<freemint> The way people seem to do reliability today is to have a machine with big pipes which tries to relay everything as fast as possible
<Regenaxer> 10 was wrong, rather 20
<Regenaxer> The BTG application has 40 users, but it is hosted on another machine
<Regenaxer> Speed doesn't give reliability (?)
<freemint> all dns points to that expensive machine and the machine relays everything to the servers which are online
<freemint> instant roll over when something happens, maybe a few dropped connections
<Regenaxer> Still a single point of failure
<Regenaxer> Doesnt need to be fast at all
<freemint> depends on what you do
<Regenaxer> but if this single machine fails, you have the same problem
<Regenaxer> For my apps DNS is no issue
<Regenaxer> after the first connect the session lives
<Regenaxer> (you know)
<freemint> but they got a replacement machine wired up incase.
<Regenaxer> What if the network to that machine fails?
<freemint> also making a TCP relay reliable is easier than making servers reliable
<Regenaxer> The famous Bagger (excavator)
<Regenaxer> Perhaps 2 lines
<freemint> it is not perfect
<Regenaxer> one cable and one mobile
<Regenaxer> yeah
<freemint> but you can make a TCP thing reliable more easy than a server. and you can scale and load balance with that thing too
<Regenaxer> I don't think so
<Regenaxer> server is server
<Regenaxer> The hardware may fail, or the power
<Regenaxer> or the network
<freemint> this thing is not a server, it is network infrastructure.
<Regenaxer> doesnt matter
<freemint> and a router has less that can fail. No hard disk f.e.
<Regenaxer> Why should a server fail more easily?
<Regenaxer> ok
<freemint> server runs more flexible software
<Regenaxer> I see what you mean
<Regenaxer> true
<freemint> these routers do things on fpga/asic level, sometimes routes baked into battery-backed caches
<Regenaxer> But my concern is different
<freemint> anyway it gets expensive quickly on that route
<Regenaxer> If my server at home fails, I can plug in a second machine
<Regenaxer> Problem is if the network (provider) or power fails
<Regenaxer> it is not under my control
<freemint> power is slightly under your control
<freemint> but i get your point
<Regenaxer> yes, for a certain time we can hold power
<freemint> at least in the winter
<Regenaxer> Why in winter?
<Regenaxer> In summer we could use solar panel to fill the batteries
<freemint> exactly
<Regenaxer> With "at least" you mean "less in winter" then
<freemint> at least in the winter we are limited to just holding for a certain time
<Regenaxer> ah, yes
<freemint> you could always have an oil generator in your basement
<freemint> or something like that
<freemint> diesel is easily resupplied if the tankers can drive on the road
<Regenaxer> But if power fails a long time, other infrastructure will fail too
<Regenaxer> Internet, mobile networks etc
<Regenaxer> DB checks passed
<Regenaxer> (dbCheck)
<Regenaxer> But because temp files were left over, I know it was a hard crash
<Regenaxer> no clean shutdown :(
<freemint> I see
<Regenaxer> Not nice
<freemint> if power fails for a long time you need sneaker net+client side app
<Regenaxer> difficult with multi-user DB
<Regenaxer> I do that now
<Regenaxer> with PilBox'es
<Regenaxer> Very complicated
<Regenaxer> The most complicated application setup I ever made
<Regenaxer> I regretted that I promised to do it
<freemint> maybe you need a new abstraction layer on the db to implement such a thing
<Regenaxer> of course
<Regenaxer> It works all
<Regenaxer> But it is like a can of worms
<Regenaxer> I need 4 versions of each piece of the GUI
<freemint> why that?
<Regenaxer> But I want to go with only one
<Regenaxer> So I have lots of read macros
<Regenaxer> The accesses to the databases are different depending on where you are
<Regenaxer> in fact it is 6 versions
<Regenaxer> because there is also a separate "core" DB
<Regenaxer> Not needed for the PilBoxes, but for common central data
<Regenaxer> In total the system consists of 1 + 3 + 40 separate databases
<Regenaxer> each DB is a separate application
<Regenaxer> well, no
<Regenaxer> separate parent process
<Regenaxer> then as ever one process per user
<Regenaxer> The user may be on the hub or on the pilbox
<Regenaxer> these are the 40 DBs
<Regenaxer> each mirrored between a hub DB and its pilbox
<Regenaxer> So '1' is the core
<Regenaxer> '3' are the three instances Augsburg, Suisse and Argentina
<Regenaxer> the 40 (roughly, perhaps more) are the "pib"s
<Regenaxer> a pib is a pilbox and its mirror in the hub
<Regenaxer> every change on every one of these 50 or so DBs is mirrored to *all* others!
<freemint> i see your problem
<Regenaxer> Every pilbox has a full mirror of the whole system
<Regenaxer> A headache :)
<Regenaxer> Also the garbage collector
<freemint> that is the only way to do it when you want offline support
<Regenaxer> Yes, unfortunately
<Regenaxer> Most of the time it is not needed
<Regenaxer> for these users
<Regenaxer> They travel only sometimes
<Regenaxer> 90 percent they work on the hub
<freemint> if it is worth their money?
<Regenaxer> I hope so
<Regenaxer> They asked for it many times
<freemint> or they think it is ... as long as you get paid.
<Regenaxer> I always said impossible
<Regenaxer> Yes, no problem
<Regenaxer> But technically it is not worth it
<Regenaxer> It is like you are a car manufacturer
<Regenaxer> and they want a car which can *also* fly
<freemint> could you port your solution over to a new project with the same problem?
<Regenaxer> 90 percent they drive normally
<freemint> nah it is not that bad.
<Regenaxer> And they want a normal car
<Regenaxer> Yes, I have always re-use in mind
<Regenaxer> I will need that in future more often
<freemint> ugghh
<freemint> if it is as ugly as it sounds something must be rotten somewhere deep down
<Regenaxer> Not rotten I think, it is just hard for the programmer not to lose overview
<Regenaxer> Needs mental models
<freemint> ok what prevents it from being simple?
<freemint> i mean distributed locking with overwrite
<freemint> is not complicated
<freemint> sync is not complicated
<Regenaxer> good question
<Regenaxer> All those DBs must be presented in a common GUI
<Regenaxer> ie several processes in a single GUI
<Regenaxer> clicking on objects switches processes, transparent to the user
<freemint> mhhh why does that make the database layer complicated?
<Regenaxer> Is it simple? Try it
<Regenaxer> Do you know of anybody who did that?
<Regenaxer> A multiuser DB working offline?
<freemint> yeah it is called git
<Regenaxer> That's not so complicated
<Regenaxer> you can merge sources
<Regenaxer> In that application you have big graphs of objects
<Regenaxer> and indexes
<freemint> why is distributed version control simpler than distributed state control?
<Regenaxer> Some objects are even split into 2 DBs
<Regenaxer> version, state?
<freemint> dvc = git
<Regenaxer> It is much easier
<freemint> d-(application)state-c your app
<freemint> why?
<Regenaxer> Everybody can work on his local copy
<Regenaxer> later it gets *merged*
<Regenaxer> I cannot merge objects
<Regenaxer> things must be closely synchronized
<Regenaxer> Simple example: Invoice numbers must increase monotonically
<freemint> ahh
<Regenaxer> Everything is very tightly coupled
<freemint> then you can not "finalize" invoices when you are not connected to the root db
<Regenaxer> Documents, shipments, invoices, orders etc
<Regenaxer> yes
<freemint> but this should happen anyhow
<Regenaxer> So I had to split some objects
<Regenaxer> one part is in the hub, one in the pib
<Regenaxer> Can be modified separately
<Regenaxer> But all such flows must be exactly defined
<freemint> ok. If I were tasked to build such a thing, I would introduce a few new classes. Database objects can be shared or private.
<Regenaxer> I also needed to invent a new kind of +Joint
<Regenaxer> it connects 3 instead of 2 objects
<freemint> The user can only change objects which are private, or shared ones he got locked.
<Regenaxer> and may be temporarily dangling
<Regenaxer> when offline or only short online
<Regenaxer> It is not so simple
<Regenaxer> You don't change just single objects
<freemint> each change he makes is added to a list of his changes. which are synced with the server when he is online the next time.
<Regenaxer> changing a single attribute often triggers the change in severa oter objects
<Regenaxer> several other :)
<Regenaxer> You get inconsistent states immediately if you do it the naive way
<freemint> changes are formulated in a DSL. Like (trade Tepich (money User1 amount))
<freemint> if he syncs again all his actions are performed against the server. and he is notified if something no longer matches (a thing already being sold)
<Regenaxer> Haha, very easy
<freemint> Regenaxer it layers nicely.
<Regenaxer> It does not work that way
<Regenaxer> No layers
<freemint> where would my approach break?
<Regenaxer> And no delayed "actions"
<Regenaxer> Won't work
<Regenaxer> If you do local changes, the user wants to "see" it
<Regenaxer> search and navigate
<Regenaxer> print it
<freemint> he can do that in my model
<Regenaxer> You can't just record some actions
<Regenaxer> No, wont work
<freemint> why can't I?
<Regenaxer> too static
<Regenaxer> The DBs must be modified immediately
<Regenaxer> It is all interactive
<Regenaxer> You create new objects, and they interact with existing objects
<Regenaxer> it is all the *real* thing
<Regenaxer> just separated into a lot of DBs
<Regenaxer> which are locked or modifiable depending on the situation
<Regenaxer> The sync is not the problem
<Regenaxer> it runs automatically whenever connected
<Regenaxer> in both directions
<Regenaxer> The real work is to structure the application
<Regenaxer> Which objects reside in which DB
<freemint> why can't i leave the database static (last version from server) append all new changes which are parsed in first?
<Regenaxer> The user must understand it
<Regenaxer> Parts of the server keep changing too
<Regenaxer> (or most of it)
<freemint> Which objects reside in which DB is that a hard thing to communicate?
<Regenaxer> most is on the hub as I said
<Regenaxer> It must be intuitive
<Regenaxer> eg Customers, contacts, exhibitions are on the hub
<Regenaxer> can't be modified in the pib
<Regenaxer> The user must know that
<Regenaxer> When mobile in the pib, he can create new orders, documents, shipments, tax papers or so
<freemint> can you think of a minimal viable data model which contains all things that make it hard?
<Regenaxer> yes, I have it of course
<Regenaxer> Most of it runs
<Regenaxer> But only 20 % of all the nasty details
<Regenaxer> So the "hard" problems are solved
<Regenaxer> (I hope)
<Regenaxer> Some are not implemented yet
<Regenaxer> for example the distributed GC
<freemint> I would be interested in a minimal data model which has all the inherent complexity of the "non application specific"-part
<freemint> i think your problem is that you have everybody working on the same DB instead of the same data
<Regenaxer> I understand, but I cannot give away the sources
<Regenaxer> How on the same DB?
<Regenaxer> instead of same data?
<freemint> When you need an distributed GC, it looks like you attempt to garbage collect over all databases
<Regenaxer> right
<Regenaxer> thats the point of a "distributed" DB
<Regenaxer> Until now this same application run in a *single* DB
<Regenaxer> I need to split it
<Regenaxer> thats the hard point
<freemint> mhh ...
<Regenaxer> splitting the DB was the initial central decision
<freemint> do you clone the database over and clone the index too or do you generate the indexes on device?
<Regenaxer> everything else followed from that
<Regenaxer> no, each DB has its own part
<Regenaxer> each is a full stand-alone application
<Regenaxer> e/r, main, pool, go etc
<freemint> unrelated technical question: can i have multiple databases open at the same time when i use a coroutine to access each?
<Regenaxer> A single process can have only one DB open at a time
<Regenaxer> but you can *read* many DBs
<Regenaxer> Thats how I do it to navigate all of them
<freemint> i do not understand that distinction
<Regenaxer> A database is just a pool of symbols
<freemint> what is a pool?
<freemint> is memory a pool of cells?
<Regenaxer> A set of symbols
<Regenaxer> a bunch
<Regenaxer> The symbols are read from and written to the files of the current DB
<Regenaxer> Accessing symbols in non-open DBs is possible read-only with 'blk'
<freemint> A pool is a bunch of addressable cells (addressable like {1})?
<Regenaxer> or via RPC to objects in remote processes
<Regenaxer> yes, but not cells. symbols
<Regenaxer> External symbols
<freemint> how can something be a pool of symbols?
<Regenaxer> {A7} is the name of the symbol
<freemint> i thought in picolisp all symbols are implemented as cells?
<Regenaxer> a "pool" means a bunch
<Regenaxer> In the heap a symbol is implemented as a cell, yes
<Regenaxer> Also an external symbol {A7}
<Regenaxer> But in the DB file only the value and the properties are stored
<freemint> ok
<Regenaxer> {A7} is the file and the block in the file
<Regenaxer> The name does not exist as UTF8
<Regenaxer> It encodes the file A and block 7 in that file
<Regenaxer> So when you do (val '{A7}) or (get '{A7} 'a)
<freemint> and how is a symbol loaded from the db file if it is stored in a cell on the hard disk?
<Regenaxer> the value and properties are fetched
<Regenaxer> not a cell in the file
<Regenaxer> a block
<Regenaxer> a stream of PLIO
<freemint> ok so the blocks numbers are the indexes?
<freemint> ahhh
<Regenaxer> not the B-tree indexes
<Regenaxer> The 7 is the block number, so also a kind of index
<freemint> ofc not B-tree indexes. But the way you access a certain symbol
<freemint> i recall that blocks can have different size
<Regenaxer> yes
<Regenaxer> all the same in one file
<freemint> so all 512 bit blocks are in one file
<Regenaxer> T
<freemint> and things stored in different block size end up in different files?
<Regenaxer> yes, you specify a size for each file
<Regenaxer> in fact a shift count
<freemint> let's assume i got some property list in a 512 bit block but the list gets too long in pilIO to fit in one block, what happens
<Regenaxer> min is 64 bytes
<Regenaxer> Then more blocks are allocated
<Regenaxer> The old db had only 64 byte blocks
<freemint> how does list know where to continue when all blocks are (potential) beginnings of symbols
<Regenaxer> So many objects spanned many blocks
<freemint> *the pilio serialization of the list
<Regenaxer> yes, works
<Regenaxer> Blocks are tagged
<freemint> Regenaxer i know that it works but do not see how i would do it
<Regenaxer> It is documented in doc64/structures
<freemint> so each block has a "cdr" where it can point forward?
<Regenaxer> See line 292 ff
<freemint> doc64 is unparsable without context
<Regenaxer> parse?
<Regenaxer> it is ASCII
<freemint> i was unable to understand it every time i read it beyond being able to see what i already knew
<Regenaxer> ok
<Regenaxer>           +-------------+-+-------------+-+----+
<Regenaxer> Block 0:  |     Free     0|     Next     0| << |
<Regenaxer>           +-------------+-+-------------+-+----+
<Regenaxer>           0             BLK             2*Blk+1
<Regenaxer> Looks bad probably with non monospace
<freemint> i got monospace
<Regenaxer> This is the first block of a symbol
<Regenaxer> good! :)
<Regenaxer> no, mistake
<Regenaxer> it is the root block of the file
<Regenaxer>            +-------------+-+----
<Regenaxer> ID-Block:  |     Link     1| Data
<Regenaxer>            +-------------+-+----
<Regenaxer>            0             BLK
<Regenaxer> This is a symbol
<Regenaxer> Link points to the next block if needed
<Regenaxer> '1' is used for sequential traversal
<Regenaxer> or for consistency checks
<Regenaxer> BLK is a constant 6
<freemint> what is traverse sequentially
<Regenaxer> this means the first 6 bytes in the block are used
<Regenaxer> The 'seq' function
<Regenaxer> goes from one sym to the next on the lowest level
<Regenaxer> Not used in application code
<Regenaxer> But helpful during debugging
<Regenaxer> or for a brute force traversal of a file
<Regenaxer> "Data" is PLIO, first the value, then the properties
<Regenaxer> (the name is implied by file and block number)
<freemint> 1 PilIO can contain more than one sexpr?
<Regenaxer> BlockNumber * BlockSize gives the file offset (seek)
<Regenaxer> no, only one expr
<Regenaxer> So first value, then plist iirc
<freemint> how can it contain two things?
<freemint> or does it contain a symbol which has value first and then plist?
<Regenaxer> Perhaps it is even val, key, val, key, val
<Regenaxer> terminated by null or NIL
<Regenaxer> I don't remember atm
<Regenaxer> Checking
<freemint> ok but if i would point a pilIO reader to it, would i get one object per rd at a time?
<Regenaxer> it is a stream as above
<Regenaxer> terminated by NIL
<Regenaxer> as NIL cannot be a property key in the DB
<Regenaxer> (volatile property)
<freemint> ahh good to know
<Regenaxer> So you could 'rd' that if you seek into the file
<Regenaxer> eg with 'dd'
<freemint> a stream is pilIO or a collection of pilIOs terminated by NIL?
<Regenaxer> a collection of pilIO items terminated by NIL
<freemint> so a pilIO can contain multiple items but not multiple sexpr?
<Regenaxer> an item *is* a sexpr
<Regenaxer> I would not say that a pilIO contains something
<Regenaxer> it is a marshalling format
<freemint> if that is true i think you contradicted yourself, unless my understanding is completely off
<Regenaxer> equivalent to print/read
<Regenaxer> You just 'rd', right?
<Regenaxer> No magic
<Regenaxer> One (rd) gives the next item from the stream
<Regenaxer> Where is the problem?
<Regenaxer> To get val and props of a symbol, it does a seek and then several reads
<Regenaxer> one read for the value
<freemint> No problem anymore. that explanation helped
<Regenaxer> then while (rd) is not NIL, it is a key and another (rd) is needed for the val
<Regenaxer> The reverse when writing
<Regenaxer> always the whole symbol is written
<Regenaxer> if it does not fit into the block, another block is used and linked
<freemint> makes sense since storage is designed blockwise today
<Regenaxer> If a symbol got shorter, a block is returned to free space
<Regenaxer> yes
<Regenaxer> and it is the easiest
<freemint> storage media is blockwise accessed
<Regenaxer> true, but here it is a logical thing
<Regenaxer> A disk block is usually 8 KiB
<freemint> i get that i was most worried about performance for a second
<Regenaxer> here we have smaller blocks
<freemint> (often ;))
<Regenaxer> yes, in fact performance is not critical
<Regenaxer> symbols are not so often read
<Regenaxer> as they are cached in the heap (as cells)
<Regenaxer> I tried imports on mag disks and ssd, and found no difference
<Regenaxer> Surely there may be use cases where a ssd is faster
<freemint> so the database access works by first choosing a file and then an offset which is generated by multiplying block size with the offset of the symbol in the file
<freemint> how does pil know which offset to choose?
<freemint> (for a given file)
<Regenaxer> It is encoded in the name
<Regenaxer> {A7} means block 7
<Regenaxer> in the second file (first is "@")
<freemint> *which block size
<freemint> to encode a file
<Regenaxer> It is stored in the root block
<freemint> ok makes sense
<Regenaxer>           +-------------+-+-------------+-+----+
<Regenaxer> Block 0:  |     Free     0|     Next     0| << |
<Regenaxer>           +-------------+-+-------------+-+----+
<Regenaxer>           0             BLK             2*Blk+1
<Regenaxer> it is the "<<"
<freemint> How does the B-tree know at which symbol it starts?
<Regenaxer> There are root and base objects stored in *DB (= {1})
<Regenaxer> Try (edit *DB) in a running app
<freemint> ok i get that
<Regenaxer> Then click with K on the symbols
<Regenaxer> So the raw DB is just a pool of external symbols
<Regenaxer> B-Trees and entities are a layer above that
<freemint> i know
<freemint> that B-tree are implemented on top
<Regenaxer> yes, just for the records
<freemint> i tried to run 'edit on @app but it did not give me a shell
<freemint> would family give me a shell to run stuff?
<Regenaxer> You started app/main.l ?
<Regenaxer> same as family
<Regenaxer> pil app/main.l -main +
<Regenaxer> or
<Regenaxer> pil app/main.l -main -go +
<Regenaxer> and connect browser
<freemint> did the second thing
<Regenaxer> in both cases you get a :
<Regenaxer> no prompt?
<freemint> now a prompt
<Regenaxer> ok
<Regenaxer> : (edit *DB)
<freemint> getting vim
<Regenaxer> ok
<Regenaxer> Here I have eg +Role {3}
<Regenaxer> clicking with K on {3}
<freemint> yes
<Regenaxer> gives the base object
<Regenaxer> it has a single index for 'nm'
<freemint> on the { bracket of {3}
<Regenaxer> here {D1}
<Regenaxer> anywhere in {3}
<freemint> me too
<Regenaxer> {D1} is the first node of the tree
<Regenaxer> a small tree
<freemint> nm ( 3 . {D1})
<Regenaxer> Q pops back
<Regenaxer> yes
<freemint> nothing more
<freemint> q does only ring a bell
<Regenaxer> +Role has only a nm index
<Regenaxer> Q
<Regenaxer> case sensitive
<freemint> works
<Regenaxer> I did {40} {I3} {I1}
<Regenaxer> gives a bigger tree node
<Regenaxer> Sorry, must stop now
<freemint> some that looks like a list of tags
<freemint> it is fine but it was very enlightening
<Regenaxer> yes, the substrings
<Regenaxer> :)
<freemint> does pilIO know itself if it is over?
<Regenaxer> (rd) returns NIL on EOF
<freemint> or do you need to ship it with a length?
<Regenaxer> but does not happen in the DB
<Regenaxer> there is a length encoded in atoms
<Regenaxer> numbers and names
<Regenaxer> The first byte of such atoms
<freemint> but the format itself has an NULL in ASCII analog?
<Regenaxer> 6 bits for the (initial) length
<freemint> format = pilIO?
<Regenaxer> So terminating NULL
<freemint> is pilIO null terminating?
<Regenaxer> A cell has BEG, DOT, END
<Regenaxer> right, no terminators anywhere
<freemint> oh ... hmm i won't get rid of all of my questions
<Regenaxer> well, END for lists
<Regenaxer> :)
<Regenaxer> END is the same as ')'
<freemint> take care of family
<Regenaxer> and BEG is '('
<Regenaxer> yeah
<freemint> DOT is?
<Regenaxer> have a nice evening!
<freemint> nice evening
<Regenaxer> hehe, it is '.'
<Regenaxer> :)
<freemint> so each cell in the db has a dot symbol in it?
<Regenaxer> So BEG 1a DOT 1b
<Regenaxer> is (a . b)
<freemint> END
<Regenaxer> '1' being tag and length
<Regenaxer> no END needed
<Regenaxer> (a . b
<Regenaxer> is enough :)
<freemint> mhh this is why picolisp has a bus factor of 1
<Regenaxer> ok, nuff for today
<Regenaxer> Next time :)
<freemint> yes enough
<Regenaxer> bye
<Regenaxer> afp
<freemint> every time i said wr i should have said pr
shpx has joined #picolisp
ubLIX has joined #picolisp
mtsd has joined #picolisp
mtsd has quit [Quit: WeeChat 1.6]
<freemint> oh i would have never imagined that pilIO looks like it does. If anybody is interested in discovering it yourself: 'hd and 'pr are your friends
orivej has quit [Ping timeout: 258 seconds]
<freemint> oh and i utterly broke pilIO. I mean really broke and i constructed circular stuff that circ? did not recognize
<freemint> (setq C (1 (2 3) 4)) (nil (set (cdadr C) C) )
<freemint> This C is not detected by circ?
<freemint> and it kills every serialization function i tested it with. when used with pr it produces a file which kills on 'rd
<freemint> Before today my understanding was that pilIO would handle such "lists" (i use the term loosely here)
powerbit has joined #picolisp
shpx has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
razzy has joined #picolisp
ubLIX has quit [Quit: ubLIX]