@travisdh1 said in XO-Lite beta:

I also think having XO Lite available will make XCP-NG more approachable for less experienced techs. I'll still use XO to manage my XCP-NG servers, but XO Lite will make that initial server rollout and XO install more approachable.

For the home lab crowd it will probably be better for sure. But why mess with xcp-ng at all when they can get a full featured web interface with proxmox?

Which is kind of my point. Why even put the effort into a simplified web interface running in dom0 when XO is the real thing and can be deployed with a one-liner? And it comes in a free version.

For me at this point all this is more of an theoretical question though as we are moving to pure KVM instead. I feel that the world is moving towards automation and away from pretty web UI. And also away from self-hosting and towards services that someone else will be responsible for.

@Pete-S said in DISM /Remove-ProvisionedAppxpackage vs Remove-AppxPackage?:

@Obsolesce said in DISM /Remove-ProvisionedAppxpackage vs Remove-AppxPackage?:

@Pete-S said in DISM /Remove-ProvisionedAppxpackage vs Remove-AppxPackage?:

I'm trying to clean up some unneeded Windows 10 apps. But I'm not sure about what method to use.

Does anyone know the difference between using:

DISM /Online /Remove-ProvisionedAppxPackage /PackageName:Microsoft.WindowsCamera_2018.826.98.0...

versus using:

Get-AppxPackage *camera* | Remove-AppxPackage

Dism is an exe, the other is a PowerShell cmdlet.

I don't recall which one, but I think the verb-appxprovisionedpackage is more similar to dism?

I don't remember anymore, it's been like 6 years now since I dove I to it when I wrote the Win10 crApp Remover.

But here's the docs

https://learn.microsoft.com/en-us/powershell/module/appx/remove-appxpackage?view=windowsserver2022-ps

https://learn.microsoft.com/en-us/powershell/module/dism/remove-appxprovisionedpackage?view=windowsserver2022-ps

Awesome thanks!

Links are great, it looks like there is all the information I need.

I can see that you've put in an impressive amount of work making your Win10 crApp remover. I'll take a closer look at how you disable and uninstall things in your code.

To save you some time looking through that crAppy code, it basically comes down to two lines, 626 and 640.

@JaredBusch said in Eaton Rack Mount 5P: power on issue:

@Pete-S said in Eaton Rack Mount 5P: power on issue:

So this has nothing to do with Eaton. It's just how the battery chemistry works.

Not true, it is a new unit. It is Eaton's responsibility. That or the distributor, depending on how it was purchased.

Either way, it is RMA as failed/bad on delivery.

Yes, the "problem" could be the battery, but still a vendor issue.

Sure, the vendor have to replace it.

I'm just saying in case you buy an UPS of any brand and you have it as a spare sitting on the shelf in it's box for three years. Then there is a very high probablility the battery is damaged - even if you are covered under warranty. The higher the temperature, the lower the life span.

I brought this up just because it was mentioned that it's possible it has been sitting on the shelf for a while.

Examples in known open source worlds...

If you run ProxMox with DRBD on the Debian (host) layer, it's RLS assuming ProxMox has local disks.

If you then make that block storage available over the network, it becomes a SAN (a traditional / physical SAN.) A SAN with replication for resiliency.

If you run ProxMox and make a VM of Ubuntu and in that VM install DRBD it may or may not be RLS depending on where the host is getting its storage from for that VM. To the VM it will appear as if it is RLS, but we really don't know unless we check the stack. It's just the replication piece here.

If you then make that DRBD block layer in the VM available over the network, it becomes a vSAN.

@scottalanmiller said in ZeroTier rules to limit freelancer access:

@Pete-S said in ZeroTier rules to limit freelancer access:

Or you can just rely on authentication and authorization for every service and have no network segmentation. More risky but less work.

To me this is what makes more sense. I get the value is DOUBLE protection. But at a minimum this should be there first, ZT only as a completely additional layer of protection.

I agree. Network access control and segmentation is just to make it freakishly hard to traverse for malicious actors and software.

@Obsolesce said in User migration to azure:

The alternative to signing into the web browser to sync is so much worse, even in the off chance you chose to use 4 web browsers at the same time, and sign into them all with your work account to sync. Any other method is going to end up costing way more effort in the end anyways.

No real arguement from me there. But it's still 3 (IE is dead and as far as I know never had sync) accounts, one for each browser.

I use three browsers - I personally use FF, I have to use Chrome/Edge for our EMR - it refuses FF, and I use Chrome and Edge because I have need for multiple sessions in the EMR as different users... now I could do profiles in Chrome for that - but that's like making multiple accounts in Chrome.. so - meh.

@dagors said in Configure ZTE F670L for NAT on LAN Ethernet Ports:

This was it. What a dumb way to have that worded!!

Sorry, google translate.
But it's good that it was fixed.

I mean dumb way that ZTE worded it.

We find that if we rename the PC, then allow more than a day to go by before restarting, this can happen.

Also, if we rename a PC, then the user allows the PC to go into Lock mode (screen saver timeout with login required to return) they will encounter this upon wake up/re-logon.

In the above two cases a reboot usually resolves it, when it doesn't, we go in as local admin and disjoin then rejoin the domain to resolve it.

Also, in the above two cases, we did not lose the computer in active directory, so after the disjoin/rejoin you'd want to remove the orphan computer from AD.

There's an article online somewhere about why you should NOT disjoin and rejoin the domain in this case, but we have always done it this way and have never experienced ill effects.

@Pete-S said in WordPress Site Lost Its Mind - Ten Minutes of Maintenance Over and Over Again:

This is how you do that:
https://developer.wordpress.org/plugins/cron/hooking-wp-cron-into-the-system-task-scheduler/

Nice, good info. Thanks.

@scottalanmiller said in Bind Linux Process to Well Known Web Ports When Not Root:

If you have ever tried to run a user space program on Linux with a port below 1024 you know that this is a security problem and you are not allowed to do so. There is a simple fix for this, but it is not well known.

Once you know the binary that you will be using to open the low number (well known) port you can use this command to grant it permission to use these ports without otherwise compromising security.

setcap cap_net_bind_service+ep /my/binary/file

Now you can run your application. This is most commonly used for user space web applications that want to use port 80 or 443 without requiring that you run a reverse proxy in front of them.

Good to know!

I found this as an example of how to use it and also commands to remove the permission:
https://cwiki.apache.org/confluence/display/HTTPD/NonRootPortBinding

The setcap utility seems to be available in the libcap2-bin package on debian distros.

I haven't checked if it's installed by default.

@IRJ said in Helpdesk - PC replacement routines:

@scottalanmiller said in Helpdesk - PC replacement routines:

@IRJ said in Helpdesk - PC replacement routines:

The Helpdesk team exists to be a human shield for users. Your main job is keep users away from the rest of IT. Customer service and user support is the job. Since your Helpdesk should be made up of entry level with fair turnover, I'm not sure you're gonna ever be efficient nor is that really the goal.

I started in Helpdesk as did many others I've met in higher IT positions. The employees that you have that are really good are not meant to stay there too long. If your company doesn't have the foresite to promote top performers, they will just leave and go somewhere else.

The TLDR is Helpdesk is supposed to be a a human shield for IT. It should be a starting place for aspiring IT professionals, and if they are knowledgeable enough to improve these processes they won't be around long (one way or another).

That said, some people like the interaction and choose to stay there. But that's not the norm. But even then, it's a customer service role for sure and "performance" will always be difficult. In fact, you might dislike performance if it means less human interactions with end users.

Yep. I've seen it. There's one guy that I worked with that just loved everything about Helpdesk. Far more capable than the desk. He could be working with servers, cloud, etc. He just decided he loved what he was doing and stayed there for many years. I kept in touch for many years beyond us working together and he was always there. Big fish in little pond so to speak, and I think he likes that.

We've had staff like that. Pure gold if you find them. Someone actually happy with "what they are doing."

@Danp said in How to use different accounts on the same website/service with profiles:

With Firefox, you also have the option of using the Multi-Account Containers extension.

been using this for 3+ years - damn I just wish Chrome supported it.

@jt1001001

Thank you, about what I expected…. Just needed confirmation.

@JaredBusch said in Fedora 33 SSH Access Denied But Webmin Works Fine:

@scottalanmiller said in Fedora 33 SSH Access Denied But Webmin Works Fine:

Root is disabled by default in SSH configs most of the time.

Not until the last couple years. Sure we always disabled it, but it was not default that way until recently.

Ubuntu disabled it by default in 14.04 (2014) and Debian in version 8 (2015).

This probably coincide when openssh developers decided that disabled should be the default in the source code.

It's up to the distro to set defaults for installed packages so RedHat based distros like Fedora might have been much later.

@scottalanmiller said in Proxmox hates security:

@Pete-S said in Proxmox hates security:

@scottalanmiller said in Proxmox hates security:

@Pete-S said in Proxmox hates security:

I'm not saying Proxmox is insecure, I'm just saying it wasn't designed with security as it's primary focus.
KVM by default for instance is managed by libvirt and by default doesn't open any tcp ports at all. That gives the administrator the option to decide what level of security versus convenience they want.

Ignoring "by default" in that, ProxMox can be the same. You can close everything up and only manage however you like. You don't have to use the web interface on it, it can be totally shut down. Obviously defeating lots of the purpose, but plausible.

I spend far more time on ProxMox via command line via MeshCentral than via the web interface and the web interface, while we don't lock it down from the LAN in most cases (we run a LOT of ProxMox these days) we primarily access it from the PM host itself from a jump box running on top of it for the cases when the web interface is needed. So while we don't go to the degree of locking it off from the LAN, we could and we wouldn't notice the difference most of the time.

That's not a default, so obviously totally different. But it's a really simple setting.

That's good to know.

We don't use gui anymore either but we're moving away from pre-packaged hypervisors and to pure KVM with libvirt compatible management tools.

We have found that to be the best solution for our use case (high degree of automation and customization).

I'd like to see that for sure. There's a lot of benefit to that, potentially at least.

We're automating a lot.

But the real problem is not the automation itself. The real problem is that automation and standardization is time consuming.

New quotes this week...

Planning is only useful when it can be used for preparation.

and

When deploying software we should never be concerned with how long the vendor will continue to provide support, but rather by how soon we get to update.

@JasGot said in What to use for new Windows network domain:

No need for split DNS this way.

That is a huge reason.

Thanks guys, I'll check out AHK.