[gentoo-user] nvidia-drivers-396.24-r1

2018-06-09 Thread Philip Webb
I updated to the latest stable Nvidia-drivers-396.24-r1 ,
rebooted & 'startx' :
the result was an X error "No devices detected ... no screens found".
Downgrading to 390.48 got X working again.
Nothing to see on the Forum or among Gentoo 'nvidia' bugs.
My kernel is 4.9.16-gentoo.

Has anyone else run into this ?  Any other advice or comments ?

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




Re: [gentoo-user] Enable "regular" network traffic when using VPN

2018-06-09 Thread Hilco Wijbenga
Okay, with all that advice, I gave it another try. I'm also setting up
a VirtualBox for my WFH stuff and VB wants to use 10.0.0.0 for its
networking. I've changed this to 172.16.0.0 so now I can easily tell
that network from work network (which seems to use 10.25.0.0)

I wanted to add a route to NetworkManager's VPN connection. It wants
Address, Network, Gateway, and Metric so I gave it "10.0.0.0",
"255.0.0.0" (this one shows up automatically), "207.x.y.z", "1". But
then VPN fails to start with the complaint that the configuration is
invalid.

So I tried what I think is the same on the CL:

$> route add -net 10.0.0.0/8 gw "207.x.y.z" metric 1
SIOCADDRT: Network is unreachable

So apparently, it's not quite as straightforward as I thought it might be. :-)



Re: [gentoo-user] NFS and user IDs

2018-06-09 Thread Rich Freeman
On Sat, Jun 9, 2018 at 4:31 PM Wol's lists wrote:
>
> On 09/06/18 18:09, Rich Freeman wrote:
> > I feel like this is something that Windows natively gets "better" than
> > POSIX.  They have a concept of UIDs being specific to a machine or
> > authentication server (or domain as they call it), and this concept is
> > enforced at the host level.  That said, I'm sure this approach has its
> > downsides as well, in particular it is certainly more complex and at
> > work we practically forbid any kind of windows ACLs at anything other
> > than the top mount level because it is so hard to control.
>
> Windows is better than POSIX?! That doesn't say much for POSIX then,
> seeing as I feel Windows ACLs are overly complex and difficult!

I wasn't talking about the ACLs (in fact I pointed out the issues with
those).  I was talking about the UIDs, which in windows are made of
two components so that users on one domain can have access to
resources on another domain, without having to replicate the UID
databases.

-- 
Rich



Re: [gentoo-user] NFS and user IDs

2018-06-09 Thread J. Roeleveld
On June 9, 2018 1:20:14 PM UTC, Tom H wrote:
>On Sat, Jun 9, 2018 at 6:43 AM Ian Zimmerman wrote:
>>
>> Is there _any_ way around the need to keep the user IDs matched on NFS
>> clients and servers?
>
>You have to use NIS, NIS+Kerberos, or LDAP+Kerberos.
>
>I've never tried it but "/etc/idmapd.conf" has a "[Static]" section in
>which you can set up a map but it'd be unpractical for more than a few
>users.

No need to add Kerberos to the mix.
I use LDAP along with nss_ldap. (Various howtos available online)

It works fine.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [gentoo-user] NFS and user IDs

2018-06-09 Thread Wol's lists

On 09/06/18 18:09, Rich Freeman wrote:
> I feel like this is something that Windows natively gets "better" than
> POSIX.  They have a concept of UIDs being specific to a machine or
> authentication server (or domain as they call it), and this concept is
> enforced at the host level.  That said, I'm sure this approach has its
> downsides as well, in particular it is certainly more complex and at
> work we practically forbid any kind of windows ACLs at anything other
> than the top mount level because it is so hard to control.


Windows is better than POSIX?! That doesn't say much for POSIX then, 
seeing as I feel Windows ACLs are overly complex and difficult!


Okay, ACLs assume a directory structure, which have serious problems 
with Unix hard links, so I can understand the two features not mapping 
on to each other very well. In particular, if an object does not have a 
specific acl, it's supposed to inherit from its parent, but if you have 
hard links which parent does it inherit from?


The system I used which had ACLs, I *think* when you logged in to any 
machine, you could tell it to authenticate against a different machine 
so it must have had some machine/identity pair.


Then ACLs were simplicity itself as well, because they were 
user,group,other. If a user was named, that was what they got. If they 
weren't named, they got the sum of all the groups they belonged to. And 
if none of their groups were named, they just got the other permissions.


So if you wanted someone to get LESS than the sum of their groups, you 
just gave them personally what you wanted, and that was that.


Cheers,
Wol



Re: [gentoo-user] spec_store_bypass mitigation

2018-06-09 Thread Mick
On Thursday, 7 June 2018 08:37:41 BST zless wrote:
> Hello,
> 
> I just finished installing kernel 4.14.48 on two
> Intel laptops and I have different results for
> 
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
> 
> On one of them it looks nice:
> "Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
> but on the other it still says "Vulnerable".
> 
> Any idea on what might influence this? The kernel configs are fairly
> similar, the only thing that's different is the microcode, which is from
> 2017 for the "vulnerable" one.
> 
> Thanks

I would think it is caused by the microcode.

I have two really old Intel laptops and despite announcements to the contrary 
I noticed the latest (stable) sys-firmware/intel-microcode-20180527-r1 changed 
the Intel microcode version being loaded on both PCs, after I rebuilt the 
kernel (4.9.95) to incorporate it (no initrd on either of them).

I see this for Spectre V2 which now includes IBPB and IBRS_FW:

$ dmesg | grep Spectre
[0.011385] Spectre V2 : Mitigation: Full generic retpoline
[0.011507] Spectre V2 : Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier
[0.011645] Spectre V2 : Enabling Restricted Speculation for firmware calls


After you updated sys-firmware/intel-microcode did you rebuild and reboot the 
*rebuilt* kernel on both PCs?

PS.  For good measure I ran make clean first, but I'm not sure if this affects 
the firmware.

-- 
Regards,
Mick
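
One way to compare the two machines discussed in this thread, added here as an example and not part of any poster's message: snapshot /sys/devices/system/cpu/vulnerabilities and the microcode revision from /proc/cpuinfo on each host, then list the entries that differ. The function names, the tab-separated snapshot format and the microcode revisions in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: snapshot the kernel's CPU vulnerability report and the loaded
# microcode revision on each host, then list what differs between two hosts.

# classify TEXT -> vulnerable | mitigated | not-affected | unknown
classify() {
    case $1 in
        Vulnerable*)     echo vulnerable ;;
        Mitigation:*)    echo mitigated ;;
        "Not affected"*) echo not-affected ;;
        *)               echo unknown ;;
    esac
}

# microcode_rev CPUINFO -> "microcode" field of the first CPU in a cpuinfo file
microcode_rev() {
    awk -F': *' '/^microcode/ { print $2; exit }' "$1"
}

# snapshot VULN_DIR CPUINFO -> tab-separated "name state detail" lines.
# Live use: snapshot /sys/devices/system/cpu/vulnerabilities /proc/cpuinfo
snapshot() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        text=$(cat "$f")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$(classify "$text")" "$text"
    done
    printf 'microcode\t-\t%s\n' "$(microcode_rev "$2")"
}

# diff_snapshots SNAP_A SNAP_B -> one line per entry that differs
diff_snapshots() {
    awk -F'\t' '
        NR == FNR { st[$1] = $2; de[$1] = $3; next }
        ($1 in st) && (st[$1] != $2 || de[$1] != $3) {
            printf "%s: A=%s (%s) B=%s (%s)\n", $1, st[$1], de[$1], $2, $3
        }' "$1" "$2"
}

# Constructed fixture: the two spec_store_bypass strings quoted in the thread,
# with made-up microcode revisions standing in for the two laptops.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/a" "$t/b"
    echo 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp' \
        > "$t/a/spec_store_bypass"
    echo 'Vulnerable' > "$t/b/spec_store_bypass"
    printf 'microcode\t: 0x2e\n' > "$t/a.cpuinfo"
    printf 'microcode\t: 0x1c\n' > "$t/b.cpuinfo"
    snapshot "$t/a" "$t/a.cpuinfo" > "$t/a.snap"
    snapshot "$t/b" "$t/b.cpuinfo" > "$t/b.snap"
    diff_snapshots "$t/a.snap" "$t/b.snap"
    rm -rf "$t"
}
demo
```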



Re: [gentoo-user] NFS and user IDs

2018-06-09 Thread Rich Freeman
On Sat, Jun 9, 2018 at 12:34 PM Grant Taylor wrote:
>
> NFS will quite happily work with dissimilar IDs if you're using "other"
> permission to access everything.  }:-)
>

There are a few network filesystems with this property.  As long as
you just mount the whole filesystem with one user/group and umode and
don't care that the remote server(s) will just discard any permissions
changes you try to apply, they work fine without mapping UIDs.  If
you're using something like FUSE in a private mount namespace this can
be done in a way that is reasonably secure as well (only the user
logged into the remote server(s) can see the mountpoint).

I feel like this is something that Windows natively gets "better" than
POSIX.  They have a concept of UIDs being specific to a machine or
authentication server (or domain as they call it), and this concept is
enforced at the host level.  That said, I'm sure this approach has its
downsides as well, in particular it is certainly more complex and at
work we practically forbid any kind of windows ACLs at anything other
than the top mount level because it is so hard to control.

-- 
Rich



Re: [gentoo-user] NFS and user IDs

2018-06-09 Thread Grant Taylor

On 06/08/2018 10:42 PM, Ian Zimmerman wrote:
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?


I can argue that the IDs don't have to be synchronized to use NFS.  You 
just end up with unexpected complications from different IDs on 
different systems.


NFS will quite happily work with dissimilar IDs if you're using "other" 
permission to access everything.  }:-)


I had a friend & colleague that used a feature of (I think) Webmin to 
synchronize IDs between machines.  Purportedly it had an ability to edit 
the proper files to change IDs for accounts -and- walk the system 
chowning and chgrping things to reflect the change.




--
Grant. . . .
unix || die



Re: [gentoo-user] Re: Latest 4.9 kernels broken?

2018-06-09 Thread Alexander Kapshuk
On Sat, Jun 9, 2018 at 5:26 PM Ian Zimmerman  wrote:
>
> On 2018-06-09 14:15, Alexander Kapshuk wrote:
>
> > I had a look at the source code for kmod-25. If I read it right, dmesg
> > should have records along the lines of:
> > kmod-25/libkmod/libkmod-module.c:886:   INFO(mod->ctx, "Failed
> > to insert module '%s': %m\n", path);
> >
> > modprobe returns Exec format error.
>
> > Now, if my understanding of the source code above is right, you either
> > have CONFIG_X86_32 set in your kernel, i.e. your Elf_Ehdr is set to
> > Elf32_Ehdr, or the module's header is for the architecture that is
> > different from what is expected by the kernel.
>
> The former is definitely false.  If the latter holds, it is not due to
> any action on my part, but due to how the module is built by the kernel
> build system (at the same time as the kernel proper).  Again, I strongly
> suspect this is due to all the "objtool" churn in 4.9.106 and later.
>
> I'm afraid I'm at the limit of my patience diving into this for now.
> You see, I have to remove the broken kernel from grub manually every
> time (and then re-add it for another test), otherwise it breaks
> unattended boots.
>
> Sorry about that.  Maybe in a few days I'll have time to sit down and
> track it properly.
>
> --
> Please don't Cc: me privately on mailing lists and Usenet,
> if you also post the followup to the list or newsgroup.
> To reply privately _only_ on Usenet and on broken lists
> which rewrite From, fetch the TXT record for no-use.mooo.com.
>

I appreciate that this has been a frustrating experience for you, but
when you get a chance, could you please run 'readelf -h' on the module
concerned and show the output below:
readelf -h /path/to/module.ko
ELF Header:
Magic:
Class:
Machine:
Size of this header:

This will either confirm or refute my assumption about the ELF header
being the wrong size and causing the 'Exec format error' message to be
printed.

Thanks.
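
The fields requested above (Class, Machine, and file size against header size) can also be read straight from the file. This is an added example, not part of the original message: the function names, the small architecture table (ELF specification constants for x86_64, i?86 and aarch64 only) and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report the ELF header fields of a module file (Class, Machine,
# file size vs. header size) and compare them with a given architecture.

# elf_fields FILE -> "class data machine filesize"; fails if FILE is not ELF.
elf_fields() {
    f=$1
    [ -r "$f" ] || return 1
    size=$(( $(wc -c < "$f") ))
    # First 20 bytes: e_ident[16], e_type (2), e_machine (2), as decimals.
    set -- $(od -An -v -tu1 -N20 "$f")
    [ $# -eq 20 ] || return 1
    [ "$1 $2 $3 $4" = "127 69 76 70" ] || return 1      # \177 E L F
    case $5 in 1) class=32 ;; 2) class=64 ;; *) return 1 ;; esac
    case $6 in
        1) data=LSB; machine=$(( ${19} + 256 * ${20} )) ;;
        2) data=MSB; machine=$(( ${20} + 256 * ${19} )) ;;
        *) return 1 ;;
    esac
    echo "$class $data $machine $size"
}

# expected_for ARCH -> "class e_machine sizeof(Elf_Ehdr)" for a `uname -m` value.
expected_for() {
    case $1 in
        x86_64)  echo "64 62 64" ;;     # EM_X86_64, Elf64_Ehdr
        i?86)    echo "32 3 52" ;;      # EM_386, Elf32_Ehdr
        aarch64) echo "64 183 64" ;;    # EM_AARCH64, Elf64_Ehdr
        *)       return 1 ;;
    esac
}

# check_module FILE [ARCH] -> verdict on stdout; 0 only if everything matches.
check_module() {
    arch=${2:-$(uname -m)}
    exp=$(expected_for "$arch") || { echo "no table entry for $arch"; return 2; }
    got=$(elf_fields "$1") || { echo "not an ELF image"; return 1; }
    set -- $exp $got    # want: class machine ehdr; got: class data machine size
    [ "$7" -ge "$3" ] || { echo "file is $7 bytes, ELF$1 header needs $3"; return 1; }
    [ "$4" = "$1" ] || { echo "Class is ELF$4, $arch kernel expects ELF$1"; return 1; }
    [ "$6" = "$2" ] || { echo "Machine is $6, $arch kernel expects $2"; return 1; }
    echo "ELF$4 $5 machine $6: header matches $arch"
}

# Constructed sample: a bare little-endian ELF header, zero-padded to LEN bytes.
# make_sample OUT CLASS_BYTE MACHINE_OCTAL LEN
make_sample() {
    {
        printf "\\177ELF\\00$2\\001\\001"                 # magic, class, data, version
        printf '\000\000\000\000\000\000\000\000\000'     # OS ABI and padding
        printf "\\001\\000\\$3\\000"                      # e_type ET_REL, e_machine
        dd if=/dev/zero bs=1 count=$(( $4 - 20 )) 2>/dev/null
    } > "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d/ok.ko"    2 076 200   # ELF64, EM_X86_64
    make_sample "$d/i386.ko"  1 003 200   # ELF32, EM_386
    make_sample "$d/short.ko" 2 076 40    # cut off inside the header
    for m in ok i386 short; do
        printf '%-6s ' "$m"; check_module "$d/$m.ko" x86_64 || true
    done
    rm -rf "$d"
}
demo
```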



[gentoo-user] Re: Latest 4.9 kernels broken?

2018-06-09 Thread Ian Zimmerman
On 2018-06-09 14:15, Alexander Kapshuk wrote:

> I had a look at the source code for kmod-25. If I read it right, dmesg
> should have records along the lines of:
> kmod-25/libkmod/libkmod-module.c:886:   INFO(mod->ctx, "Failed
> to insert module '%s': %m\n", path);
> 
> modprobe returns Exec format error.

> Now, if my understanding of the source code above is right, you either
> have CONFIG_X86_32 set in your kernel, i.e. your Elf_Ehdr is set to
> Elf32_Ehdr, or the module's header is for the architecture that is
> different from what is expected by the kernel.

The former is definitely false.  If the latter holds, it is not due to
any action on my part, but due to how the module is built by the kernel
build system (at the same time as the kernel proper).  Again, I strongly
suspect this is due to all the "objtool" churn in 4.9.106 and later.

I'm afraid I'm at the limit of my patience diving into this for now.
You see, I have to remove the broken kernel from grub manually every
time (and then re-add it for another test), otherwise it breaks
unattended boots.

Sorry about that.  Maybe in a few days I'll have time to sit down and
track it properly.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.



Re: [gentoo-user] NFS and user IDs

2018-06-09 Thread Tom H
On Sat, Jun 9, 2018 at 6:43 AM Ian Zimmerman  wrote:
>
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?

You have to use NIS, NIS+Kerberos, or LDAP+Kerberos.

I've never tried it but "/etc/idmapd.conf" has a "[Static]" section in
which you can set up a map but it'd be unpractical for more than a few
users.



Re: [gentoo-user] Enable "regular" network traffic when using VPN

2018-06-09 Thread Mick
On Saturday, 9 June 2018 01:20:18 BST Hilco Wijbenga wrote:
> On Fri, Jun 8, 2018 at 4:34 PM Mick  wrote:
> > On Friday, 8 June 2018 23:21:52 BST Grant Taylor wrote:
> > > On 06/08/2018 03:31 PM, Hilco Wijbenga wrote:
> > > > Sigh, I take it back. That causes the internal sites to no longer
> > > > work.
> > > 
> > > Okay.
> > > 
> > > So you're on the proper track.
> > > 
> > > I'm guessing the work network isn't a simple single prefix.  Or at least
> > > the VPN client doesn't route enough through the VPN.
> > > 
> > > Check your routing table with the VPN connected.  Is enough being routed
> > > through?  Do you need to add additional prefixes?
> > > 
> > > If DNS is working properly for internal resources, make sure that what
> > > they resolve to is routed through the VPN.
> > 
> > I don't know what networkmanager offers in terms of VPN settings, but as
> > Grant says you need to set split routing.  As it currently is, everything
> > is sent out through the tunnel and your work's router is not set up to
> > route out to the Internet your VPN connection.
> > 
> > If networkmanager does not get you what you want, you can do this with 'ip
> > route'.  Delete the default route, then set again the default route via the
> > your local gateway:
> > 
> > # ip route del default via 192.168.1.254 dev wlan0
> > # ip route add default via 192.168.1.254 dev wlan0
> > 
> > then create an additional route for the remote subnet if it's not there:
> > 
> > # ip route add 10.10.20.0/24 via 172.16.1.1 dev wlan0
> > 
> > Where 10.10.20.0/24 is your work's subnet and 172.16.1.1 is the local VPN
> > IP address for your PC.  Something along these lines ought to work.
> 
> I fooled around with "ip" but while removing ("del default") was easy,
> "add default" did not seem to do anything.
> 
> Let me give some more information, perhaps that will help.
> 
> Setup without VPN
> $ ip route
> default via 192.168.151.1 dev eth0 proto static metric 100
> 127.0.0.0/8 via 127.0.0.1 dev lo
> 192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric 100
> 
> (192.168.151.1 is my own gateway, an old computer functioning as router)
> 
> 
> Setup with VPN (Gateway: vpn.company.com; Other DNS Servers:
> dns1,dns2; Search Domains:
> r1.i.company.com,r2.i.company.com,r3.i.company.com,r4.i.company.com,r5.i.company.com,r6.i.company.com,r7.i.company.com,r8.i.company.com,i.company.com,config)
> $ ip route
> default via 192.168.151.1 dev eth0 proto static metric 100
> $SOME_COMPANY_IP_1 dev tun0 proto kernel scope link src $SOME_COMPANY_IP_1 metric 50

You can try adding a route against this link so the first IP is a subnet for 
your connection to the remote LAN.  If for example $SOME_COMPANY_IP_1 is 
192.168.10.5 you can try:

# ip route add 192.168.10.0/24 via 192.168.10.5 dev tun0


> 127.0.0.0/8 via 127.0.0.1 dev lo
> 192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric 100
> 192.168.151.1 dev eth0 proto static scope link metric 100
> $VPN_GATEWAY via 192.168.151.1 dev eth0 proto static metric 100
> 
> (where $SOME_COMPANY_IP is the IP of some internal server, and

I think you'll find $SOME_COMPANY_IP_1 is the remote LAN IP address offered by 
the company's VPN gateway to your PC, so that you can connect to the company's 
LAN subnet.


> $VPN_GATEWAY is the IP of vpn.company.com).
> ==> This does _not_ allow me to access (e.g.) *.i.company.com but
> everything else works fine.
> 
> 
> Same setup but without "Use only for resources on this connection":
> $ ip route
> default dev tun0 proto static scope link metric 50
> default via 192.168.151.1 dev eth0 proto static metric 100
> $SOME_COMPANY_IP_2 dev tun0 proto kernel scope link src $SOME_COMPANY_IP_2 metric 50
> 127.0.0.0/8 via 127.0.0.1 dev lo
> 192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric 100
> 192.168.151.1 dev eth0 proto static scope link metric 100
> $VPN_GATEWAY via 192.168.151.1 dev eth0 proto static metric 100
> 
> (note that $SOME_COMPANY_IP_1 and $SOME_COMPANY_IP_2 differ only in
> the last digit; this seems to go up by one every time I connect to
> VPN, so probably irrelevant)

The company's VPN gateway will increment new VPN connections giving them the 
next IP address allocated to the VPN pool.  When you disconnect your client, 
the VPN gateway ought to tear down the connection and release the IP address, 
but this does not happen instantaneously in most implementations in case the 
disconnection is temporary.  So this is to be expected.


> ==> This allows me to access *.i.company.com but breaks everything else.

It would do so, because everything is sent out the default device tun0 and 
your company's firewall will not route connections from your VPN allocated LAN 
address to the Internet.  Just curious, does it allow you to connect to the 
Internet AND your company's LAN, if while under this set up you run:

# ip route del default via 192.168.151.1 dev eth0
# ip route add default via 

Re: [gentoo-user] Re: Latest 4.9 kernels broken?

2018-06-09 Thread Alexander Kapshuk
On Sat, Jun 9, 2018 at 8:56 AM Alexander Kapshuk wrote:
>
>
>
> On Sat, Jun 9, 2018, 07:34 Ian Zimmerman  wrote:
>>
>> On 2018-06-08 22:38, Alexander Kapshuk wrote:
>>
>> > On Fri, Jun 8, 2018, 22:30 Ian Zimmerman  wrote:
>> >
>> > > On 2018-06-08 22:00, Alexander Kapshuk wrote:
>> > >
>> > > > What's the output of:
>> > > > uname -r
>> > > > strings /path/to/your/module.ko | grep vermagic=
>> > >
>> > > Here are the results for 4.9.105 (working):
>> > >
>> > >  matica!6 ~$ uname -r
>> > > 4.9.105
>> > >  matica!7 ~$ strings /lib64/modules/4.9.105/kernel/drivers/video/console/fbcon.ko | fgrep -e 'vermagic='
>> > > vermagic=4.9.105 SMP
>> > >
>> > > Let me know if you need to see the ones for the broken kernel ...
>> > >
>> >
>> > Yes, we want to make sure the vermagic of the modules you're trying to load
>> > matches the output of uname -r of the running kernel.
>>
>> Ok, here:
>>
>> Script started on 2018-06-08 21:11:04-0700
>>  matica!501 ~# ls -l /lib64/modules/4.9.107/kernel/drivers/video/console/fbcon.ko
>> -rw-r--r-- 1 root root 54280 Jun  8 20:57 /lib64/modules/4.9.107/kernel/drivers/video/console/fbcon.ko
>>  matica!502 ~# uname -r
>> 4.9.107
>>  matica!503 ~# strings /lib64/modules/4.9.107/kernel/drivers/video/console/fbcon.ko | fgrep -e 'vermagic='
>> vermagic=4.9.107 SMP
>>  matica!504 ~# modprobe fbcon
>> modprobe: ERROR: could not insert 'fbcon': Exec format error
>>  matica!505 ~# exit
>>
>> Script done on 2018-06-08 21:14:46-0700
>>
>> Sorry to ruin the low-hanging hypothesis :-P
>>
>
> Did dmesg have anything useful to say other than exec format error?
> Have you tried insmod'ing the modules instead of modprobe'ing them?
>>
>>
>> --

I had a look at the source code for kmod-25. If I read it right, dmesg
should have records along the lines of:
kmod-25/libkmod/libkmod-module.c:886:   INFO(mod->ctx, "Failed
to insert module '%s': %m\n", path);

modprobe returns Exec format error.

errno -l | grep 'Exec format error'
ENOEXEC 8 Exec format error

/usr/include/asm-generic/errno-base.h:
#define   ENOEXEC  8  /* Exec format error */

Here's the execution path I've been able to follow:
insmod()->kmod_module_probe_insert_module()->kmod_module_insert_module()->init_module()->copy_module_from_user();

init_module(2):
http://man7.org/linux/man-pages/man2/init_module.2.html
ENOEXEC
  The binary image supplied in module_image is not an ELF image,
  or is an ELF image that is invalid or for a different
  architecture.

(1). kmod-25/tools/modprobe.c
ENOEXEC returned by kmod_module_probe_insert_module().
static int insmod(struct kmod_ctx *ctx, const char *alias,
                  const char *extra_options)
{
    ...
    kmod_list_foreach(l, list) {
        ...
        if (lookup_only)
            printf("%s\n", kmod_module_get_name(mod));
        else {
            err = kmod_module_probe_insert_module(mod, flags,
                    extra_options, NULL, NULL, show);
        }

        if (err >= 0)
            /* ignore flag return values such as a mod being blacklisted */
            err = 0;
        else {
            switch (err) {
            ...
            default:
                ERR("could not insert '%s': %s\n",  <- the error message reported by modprobe
                    kmod_module_get_name(mod),
                    strerror(-err));
                break;
            }
        }

(2). kmod-25/libkmod/libkmod-module.c
KMOD_EXPORT int kmod_module_probe_insert_module(struct kmod_module *mod,
            unsigned int flags, const char *extra_options,
            int (*run_install)(struct kmod_module *m,
                               const char *cmd, void *data),
            const void *data,
            void (*print_action)(struct kmod_module *m,
                                 bool install,
                                 const char *options))
{
    ...
        if (!(flags & KMOD_PROBE_DRY_RUN))
            err = kmod_module_insert_module(m, flags,
                                            options);
    }
    ...
}

(3).
KMOD_EXPORT int kmod_module_insert_module(struct kmod_module *mod,
                                          unsigned int flags,
                                          const char *options)
{
    ...
    size = kmod_file_get_size(mod->file);  <- the size of your module's elf file
    ...
    err = init_module(mem, size, args);
    ...
}

(4). [init_module syscall]
kernel/module.c
SYSCALL_DEFINE3(init_module, void __user *, umod,
                unsigned long, len, const char __user *, uargs)
{
    int err;
    struct load_info info = { };

    err = may_init_module();
    if (err)
        return err;

    pr_debug("init_module: umod=%p, len=%lu, uargs=%p\n",
             umod, len, uargs);

    err = copy_module_from_user(umod, len, &info);
    if (err)
        return err;

    return load_module(&info, uargs, 0);
}

(5). kernel/module.c
/* Sets info->hdr and info->len. */
static int copy_module_from_user(const void __user *umod, unsigned long len,
                                 struct load_info *info)
{
    int err;

    info->len = len;
    if (info->len < sizeof(*(info->hdr)))
            <- here, size of your module's elf file is being compared
               against the size of the ELF header as defined for your
               architecture. See below.
        return -ENOEXEC;
    ...
}

kernel/module.c:310,313
struct load_info {
    const char *name;
    Elf_Ehdr *hdr;  <- ELF header used in comparison above.
    unsigned long len;

Elf_Ehdr is effected by 

Re: [gentoo-user] Conkyrc and the troubles I have with it...

2018-06-09 Thread Arve Barsnes
On 9 June 2018 at 06:28,   wrote:
> Where can I find a sufficient explanation and a description of the new
> syntax ... I don't know lua enough to have a successful guesswork
> here...

Most of it is converting the variables to the new format, which is
explained on the github page.

man conky also gives you the complete info

A better way to learn is probably to look at the default config
included, to see the new syntax in action, on my machine this is at
/usr/share/doc/conky-1.10.8-r1/conky.conf.bz2

If you have something advanced that you're struggling with, we'll be
happy to help with that.

Cheers,
Arve



Re: [gentoo-user] NFS and user IDs

2018-06-09 Thread J. Roeleveld
On Saturday, June 9, 2018 6:42:56 AM CEST Ian Zimmerman wrote:
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?

Not to my knowledge.
I use OpenLDAP for my users and groups and this has worked perfectly ever 
since I implemented it.

> Or, is there any other remote filesystem (other than the one originally
> made by Microsoft) that avoids that chore?

I am only familiar with CIFS/SMB and NFS. Not sure if any other shared 
filesystems handle this. A minimum requirement would be that you need to login 
to the fileserver using a username and password.

> This is the main reason I have mostly stayed away from NFS all these
> years.  Recently sshfs has been a good enough substitute, but now it's
> proving not reliable enough for long term connections.

I found NFS to be stable for long term (months) connections. When working from 
mobile machines (Laptops), I use SMB/CIFS to access the same files.

--
Joost





Re: [gentoo-user] NFS and user IDs

2018-06-09 Thread dsonck

On 2018-06-09 09:41, Andrew Udvare wrote:
>> On 2018-06-09, at 00:42, Ian Zimmerman wrote:
>>
>> Is there _any_ way around the need to keep the user IDs matched on NFS
>> clients and servers?
>
> I checked and there is no way. It is recommended UID/GID be synced
> regularly on all client machines.
>
> NFSv4 requires user names and group names be synced. IDs do not have
> to match, which makes syncing easier.
>
> You should be controlling IDs/names from a central location and
> syncing as part of a deployment system, and not allowing client
> machine users to make modifications to those files.
>
> Andrew


In fact, you can use the nfsidmap service to supply a mapping. I do not 
know the specifics of this but here's the manpage for it


http://man7.org/linux/man-pages/man5/nfsidmap.5.html

Greetings,

Daniel



Re: [gentoo-user] NFS and user IDs

2018-06-09 Thread Andrew Udvare


> On 2018-06-09, at 00:42, Ian Zimmerman  wrote:
> 
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?

I checked and there is no way. It is recommended UID/GID be synced regularly on 
all client machines.

NFSv4 requires user names and group names be synced. IDs do not have to match, 
which makes syncing easier.

You should be controlling IDs/names from a central location and syncing as part 
of a deployment system, and not allowing client machine users to make 
modifications to those files.

Andrew


Re: [gentoo-user] NFS and user IDs

2018-06-09 Thread Wols Lists
On 09/06/18 05:42, Ian Zimmerman wrote:
> Is there _any_ way around the need to keep the user IDs matched on NFS
> clients and servers?
> 
> Or, is there any other remote filesystem (other than the one originally
> made by Microsoft) that avoids that chore?

Which filesystem do you mean? Do you mean SMB/CIFS? Because that is NOT
originally an MS product, and unlike many things they stole, they never
bought it.

Read up on the history. Allison and whoever wrote Samba because they
wanted to talk to DEC. Only later did they realise that MS had copied
the same protocol.

Cheers,
Wol