eCryptfs slow on CIFS share

2017-02-12 Thread Michael Luecke

Hello,

I tried to set up an eCryptfs onto a CIFS share which resulted in an 
incredibly slow transfer rate. The CIFS share is located on a QNAP NAS 
with Gbit-Ethernet connection.


The CIFS share was normally mounted with:
$ mount -o username=guest,password=guest -t cifs //nas/Public /tmp/test/

Test of the bare CIFS transfer rate, looks good:
$ dd if=/dev/zero of=test.bin bs=1M count=1000
1048576000 bytes (1.0 GB) copied, 10.2111 s, 103 MB/s

Then I mounted an eCryptfs into the CIFS share with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=d395309aaad4de06
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=d395309aaad4de06
$ mount -t ecryptfs .ecryptfs_test/ ecryptfs_test/
Mounted eCryptfs

And then tried again the transfer rate into the eCryptfs:
$ dd if=/dev/zero of=test.bin bs=1M count=100
104857600 bytes (105 MB) copied, 22.5929 s, 4.6 MB/s

Let's try the same again on a NFS share:
$ mount -t nfs nas:/Public test/
$ dd if=/dev/zero of=test.bin bs=1M count=1000
1048576000 bytes (1.0 GB) copied, 10.5861 s, 99.1 MB/s

$ mount -t ecryptfs .ecryptfs_test/ ecryptfs_test/
(with same options)

$ dd if=/dev/zero of=test.bin bs=1M count=1000
1048576000 bytes (1.0 GB) copied, 13.8161 s, 75.9 MB/s

This is a speedup of 16.5 from CIFS -> NFS. But there is no big speed 
difference between the bare CIFS and NFS.


Is there any way to speed up the eCryptfs on CIFS or is this a known issue?

--
Michael



Re: [Offtopic]: Compress Downloads on the fly

2017-01-28 Thread Michael Luecke

On 01/28/2017 08:10 PM, Rainer Dorsch wrote:

I would like to download a large csv file from a JavaScript intensive web page. 
My client system has not enough storage for the file, but if I could compress 
the file on the fly, things would work, since the file has a huge compression 
ratio.


If you could fetch the URL, then use wget or curl to do this:

wget -O- http://www.example.com | bzip2 >your.file.bz2
curl http://www.example.com | bzip2 >your.file.bz2

-- Michael



Re: NTP insecure defaults

2017-01-07 Thread Michael Luecke

On 01/07/2017 09:33 AM, Mart van de Wege wrote:

Turns out the Debian default is indeed to provide time service if you
install NTP. Shouldn't that be limited to localhost only, so that an
admin must deliberately open up the service if they want to provide NTP
service to the outside world?


Did you install any package that suggested or depended on the ntp 
package? Because on my system, the ntp package is not installed. ntp is 
handled by systemd-timesyncd. So the current Debian installer does not 
install the ntp by default in my opinion.


I downloaded the ntp_4.2.6.p5+dfsg-7+deb8u2_amd64 package and looked 
into the /etc/ntp.conf and it is restricted to 127.0.0.1 and ::1 by default.



I thought of opening a bug, but I'd like a second opinion
first. Thoughts anyone?


I think you should give us a few more details before filing a bug 
report (what did you install, which files did you change, ...).


-- Michael



Re: jessie: ALSA fails on first use after reboot

2017-01-01 Thread Michael Luecke

D. R. Evans wrote:

D. R. Evans wrote:

Is there some way to find out what process is using ALSA when
snd_pcm_open() returns that error? (If indeed there is such a process.)


Still, if anyone has any suggestions as to how to discover what is going on,
I'd appreciate it. I'm not a great fan of mysterious happenings on my computers.


Maybe you could try this to find out if there is some process blocking 
the sound device:


$ fuser -v /dev/snd/* /dev/dsp*

--Michael



Re: sudo + gpg - howto?

2016-11-27 Thread Michael Luecke

On 11/27/2016 10:10 AM, Kamil Jońca wrote:

2. cannot run pinentry (my guess is that tty is owned by user kjonca and
pinentry should be as user backup)


That's the problem. The owner of ttyX must match with the user for which 
pinentry is running.


You could change the permissions of tty to the backup user with
# chown backup /dev/ttyX


So my questions are:
1. is it possible to use passphrase-fd/passphrase-file options?
2. if not, how can I configure gpg/gpgagen/sudo/whatever in order to
enter passphrase as sudo target  user?



You could also try putting the option "allow-loopback-pinentry" to 
~/.gnupg/gpg-agent.conf and restarting the agent.


Then you could start gpg with '--pinentry-mode loopback' or put 
"pinentry-mode loopback" to ~/.gnupg/gpg.conf.


That worked for me with GnuPG 2 some time ago when I had a similar 
problem with duplicity.


Best Regards,
Michael



Re: Zero filling my HDD before installation

2016-05-02 Thread Michael Luecke
On Mon, May 2, 2016 at 7:39 PM, Ralph Sanchez  wrote:
> I can't find a reply to list, I tried reply all, does that work?

It seems so, make sure you're replying to the list's address (here:
"debian-user@lists.debian.org"). It's usually not necessary to reply
to all [1].  In this list's code of conduct [2] there's the rule that
one should not send a CC to the original poster unless he requested
it.

> I currently use PGP for disk encryption, I haven't delved much into
> learning about LUKS, etc but I will now. I also don't use passphrases,
> I use a minisd card so keylogging software can't catch me entering my
> phrase.  Thanks for all the advice, I'm pretty sure I know what
> direction I'm heading at this point, and I'll continue researching
> these other encryption methods.

You could use a usb drive or a SD card with a keyfile on it with
dm-crypt/LUKS. Maybe you want to read [3] which is a quite good howto
for dm-crypt.

Michael

[1] http://david.woodhou.se/reply-to-list.html
[2] https://www.debian.org/MailingLists/index.en.html#codeofconduct
[3] https://wiki.archlinux.org/index.php/Dm-crypt

On Mon, May 2, 2016 at 7:39 PM, Ralph Sanchez  wrote:
> I can't find a reply to list, I tried reply all, does that work? I
> currently use PGP for disk encryption, I haven't delved much into
> learning about LUKS, etc but I will now. I also don't use passphrases,
> I use a minisd card so keylogging software can't catch me entering my
> phrase.  Thanks for all the advice, I'm pretty sure I know what
> direction I'm heading at this point, and I'll continue researching
> these other encryption methods.
>
> On Mon, May 2, 2016 at 1:16 PM, heqami...@runbox.com
>  wrote:
>> Ralph, Again, use the button reply to list.
>>
>> Disk encryption doesn't use gpg. You just have to remember a passphrase
>> that you use to unlock your hard disk.
>>
>> Installer will overwrite all your disk, but if you want you can skip
>> this step by pressing "cancel" button
>>
>>
>> please learn what gpg is and what is luks and use the reply to list button.
>>
>> https://wiki.archlinux.org/index.php/disk_encryption
>>
>



Re: Installation of openssh-client stops with error in groupadd

2016-04-27 Thread Michael Luecke

Hi,

On 04/26/2016 09:03 PM, Michael Luecke wrote:

My gut feeling tells me that one should blame filesystem (btrfs)
implementation in cases such as this.


It's nothing to blame btrfs for, the same thing happens at this system 
with ext4.


Sent a bug-report. Bug#822808

Best regards
Michael



Re: Installation of openssh-client stops with error in groupadd

2016-04-26 Thread Michael Luecke

Hello,

On 04/26/2016 08:54 PM, Reco wrote:

For the sake of the purity of the experiment, it would be nice to reboot
the system with "init=/bin/sh" added to kernel commandline (to exclude
systemd interference), but I foresee that the result would be the same.

I'll try this if I have a little bit time and come back to this topic then.


So, to sum it up. Your current kernel + root filesystem combo prevents
you to overwrite /etc/group (and I suspect any existing file) with
another file by means of conventional rename(2) syscall, which returns
anomalous return code.
My gut feeling tells me that one should blame filesystem (btrfs)
implementation in cases such as this.
This behavior justifies a bug report with severity 'serious' against
'linux-image' package as I don't see any easy way to fix this short of
kernel patch or replacing the filesystem with something more
conventional (ext4 comes to mind).

I'll prepare a bug-report also. As this is a freshly set-up computer, 
I'll also try to reinstall it with ext4.


So thank you for your help until here.

Best regards
Michael



Re: Installation of openssh-client stops with error in groupadd

2016-04-26 Thread Michael Luecke

Hi,

I've done your commands:

On 04/26/2016 08:04 PM, Reco wrote:
> unshare -m /bin/bash
> mount -o bind / /mnt
> mount -o bind /proc /mnt/proc
> mount -o bind /dev /mnt/dev
> chroot /mnt
Without failure until here.

> strace groupadd -g 1234 test
The known failure again:
rename("/etc/group+", "/etc/group") = -1 EBUSY (Device or resource busy)

> exit
> exit

Thank you for your patient help. I attached the complete strace output.

//Michael


strace.out.gz
Description: application/gzip


Re: Installation of openssh-client stops with error in groupadd

2016-04-26 Thread Michael Luecke

Hi,

As I restarted my computer today, I wanted to install lsof via apt-get, 
and at least it configured openssh-client without failure. So I thought 
that the problem fixed itself, but it didn't.


I tried to add another group manually so I typed as root:

# groupadd -g 1234 test
groupadd: failure while writing changes to /etc/group

and

# strace groupadd -g 1234 test
showed the known error:
...
rename("/etc/group+", "/etc/group") = -1 EBUSY (Device or resource busy)

On 04/25/2016 10:57 PM, Reco wrote:
> /bin/fuser /etc/group
# fuser /etc/group
[ no output ]

> /usr/bin/lsof /etc/group
# lsof /etc/group
[ no output ]

//Michael
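
An added illustration, not part of the original thread or of the shadow tools: rename(2) documents EBUSY for a path that is in use by the system, for example as a mount point, and fuser and lsof list processes holding a file open, not mounts. The sketch below checks a path against mountinfo text and reproduces the write-to-`group+`-then-rename step; the function names and the sample mountinfo lines are constructed for the example, and it does not claim this was the cause in the thread.

```python
import errno
import os
import re

# Constructed sample in /proc/self/mountinfo format; not taken from the thread.
SAMPLE_MOUNTINFO = (
    "22 1 0:20 /@ / rw,relatime shared:1 - btrfs /dev/sda1 rw\n"
    "23 22 0:4 / /proc rw,nosuid shared:2 - proc proc rw\n"
    "41 22 0:20 /@/etc/group /etc/group rw,relatime shared:1 - btrfs /dev/sda1 rw\n"
    "42 22 0:30 / /mnt/usb\\040stick rw - tmpfs tmpfs rw\n"
)

def mount_points(mountinfo_text):
    """Return the set of mount point paths (field 5 of each mountinfo line)."""
    points = set()
    for line in mountinfo_text.splitlines():
        fields = line.split(" ")
        if len(fields) >= 5:
            # The kernel escapes space, tab, newline and backslash as \ooo.
            points.add(re.sub(r"\\([0-7]{3})",
                              lambda m: chr(int(m.group(1), 8)), fields[4]))
    return points

def replace_via_rename(path, data):
    """Write data to path + '+' and rename it over path, like groupadd's
    group+ -> group step. Returns None on success or the errno name."""
    tmp = path + "+"
    with open(tmp, "w") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())
    try:
        os.rename(tmp, path)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    return None

def explain(path, err, mountinfo_text):
    """Turn a rename() errno name into a hint for the admin."""
    if err == "EBUSY" and os.path.abspath(path) in mount_points(mountinfo_text):
        return f"{path} is itself a mount point; fuser/lsof will not show that"
    if err == "EBUSY":
        return f"{path} is not a mount point; rename(2) lists other EBUSY causes"
    return "rename succeeded" if err is None else f"rename failed with {err}"

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:
        live = fh.read()
    print(explain("/etc/group", "EBUSY", live))
```

As in the thread, a failed rename leaves the `+` file behind next to the original, which is why `group` and `group+` can both be present afterwards.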



Re: Installation of openssh-client stops with error in groupadd

2016-04-25 Thread Michael Luecke

> Please post the output of:
...

++
# strace /usr/sbin/groupadd -g 117 ssh

Installation of openssh-client stops with error in groupadd

2016-04-25 Thread Michael Luecke

Hello,

I have a fresh installation of Debian jessie. As I wanted to install 
'openssh-client', it stopped with an error in groupadd. It seems that I 
cannot add any groups, because I also get the error when I try to add 
the group manually. In /etc there are two files, group and group+. Their 
difference is the ssh group that apt and I tried to add before.


++
michael@michael-wst:~$ sudo apt-get install openssh-client
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  ssh-askpass libpam-ssh keychain monkeysphere
The following NEW packages will be installed:
  openssh-client
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 691 kB of archives.
After this operation, 3,765 kB of additional disk space will be used.
Get:1 http://security.debian.org/ jessie/updates/main openssh-client 
amd64 1:6.7p1-5+deb8u2 [691 kB]

Fetched 691 kB in 0s (2,823 kB/s)
Selecting previously unselected package openssh-client.
(Reading database ... 57582 files and directories currently installed.)
Preparing to unpack .../openssh-client_1%3a6.7p1-5+deb8u2_amd64.deb ...
Unpacking openssh-client (1:6.7p1-5+deb8u2) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up openssh-client (1:6.7p1-5+deb8u2) ...
groupadd: failure while writing changes to /etc/group
addgroup: `/usr/sbin/groupadd -g 117 ssh' returned error code 10. Exiting.
dpkg: error processing package openssh-client (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 openssh-client
E: Sub-process /usr/bin/dpkg returned an error code (1)
++
root@michael-wst:/etc# /usr/sbin/groupadd -g 117 ssh
groupadd: failure while writing changes to /etc/group
++
root@michael-wst:/etc# ls -lh group*
-rw-r--r-- 1 root root 813 Apr 25 20:45 group
-rw--- 1 root root 813 Apr 25 20:45 group-
-rw-r--r-- 1 root root 824 Apr 25 21:27 group+
++
root@michael-wst:/etc# diff group group+
56a57
> ssh:x:117:
++

//Michael