Very slow clock in Debian vmm guest
I have a debian testing guest running in vmm(4) on my -current system, and the internal clock is very slow. For example running `sleep 3` takes about 10 seconds of real time to run. This is too much for ntpd to correct, unfortunately. Anyone know what the problem is and how I might go about fixing it?

Thanks!

--Aaron
Re: multiple simultaneous X sessions?
On Mon, 2020-08-24 at 12:38 -0300, Gleydson Soares wrote:
> Hi Luke,
>
> On Mon, Aug 24, 2020 at 09:24:35AM -0600, Luke A. Call wrote:
> > What would it take for me to run more than one simultaneous X
> > session, each as a different user? -- I tried once a few years ago,
> > searching, reading man pages, and chasing error messages, and failed
> > at the time. Is it known whether it is reasonably possible with the
> > current code?
> >
> > (This is so I can take advantage of the privilege separation
> > provided by the OS, while doing different activities and programs
> > with different informal trust levels, as separate users, but without
> > the cpu overhead of using "ssh -[X|Y] ...". This was my normal
> > practice in my Debian days, switching among them with Ctrl-Alt-FN.)
> >
> > Either way, thanks much for any info.
> >
> > Luke Call
>
> Maybe you are looking for a nested X11 via Xephyr.
>
> See this script as example [1]
>
> [1] https://github.com/gleydsonsoares/xdroprun

That link is broken for me. It shows 404. Maybe the project was taken down or made private?

--Aaron
Re: install of 6.7 failed on acer Swift
> Restart now ... Use EFI USB device. After about a minute of black
> screen I got a "Security boot fail: message with icon.

You may have to disable BIOS secure boot option, and in some instances to enable the option to make this change you have to set a master/supervisor password first, then disable secure boot and try again.
Re: Can I boot without GPU ("headless")?
This is old and things may have changed since then, but for the simple PC without a graphics card that I used for a wireless AP running off of compact flash this is all I did:

https://www.cyberciti.biz/faq/openbsd-connect-serial-console/

On Fri, Aug 28, 2020 at 12:29 PM Henry W. Peterson <henrywillpeter...@outlook.com> wrote:
> Hello,
>
> I have several Asus A320M-K motherboards with AMD Ryzen 3 1200 (which does
> not include a GPU) in very simple computers.
>
> I installed OpenBSD on them using a GigaByte GT710 graphics card. After
> reboot, everything works perfectly.
>
> My idea was to install and configure the systems with the graphics card
> and then remove it and control them by SSH (I only have one card).
>
> I disabled at the BIOS the "Wait for F1 if Error" option so it continues
> booting without the GPU. I am pretty sure it does:
>
> I encrypted the disk during installation with bioctl and softraid; if I do
> nothing, type intentionally a wrong password or simply press enter, the
> "num lock" led stays on and pressing the power button shuts the system down
> immediately. If I type the correct password, after 10 seconds the "num
> lock" led turns off and the power button only works if pressed for 5
> seconds.
>
> So I assume the kernel panics because the GPU is missing.
>
> Do I need a graphics card installed all the time?
>
> The motherboard has pins for a COM serial port, during installation I was
> asked if I wanted "com0" to become the default console. I said no.
>
> Could I be booting the system had I said yes (without actually using the
> port, again, I would use ssh)?
>
> If so, can I change this after installation?
>
> If not, is there anything I can do to be able to boot without the graphics
> card?
>
> Thank you.
install of 6.7 failed on acer Swift
Hello all:

I tried to install OpenBSD 6.7 on my acer Swift SF113 with amd64, 4GB RAM, 64GB HD. I downloaded the image from openbsd.org and used Rawrite under Win 10 to create a bootable USB key, then used Advanced startup options > Restart now ... Use EFI USB device. After about a minute of black screen I got a "Security boot fail: message with icon.

I tried to boot from an older version (6.3), but then I got a blue screen with an old-style ASCII double-bordered box saying "This machine has no UEFI boot options.."

Any ideas about what I am doing wrong?

--
rick dot darwin at gmail dot com
--Charles Darwin? He was my grandfather. Oh, *that* Charles. We share a common ancestor.
Re: pf, send(2) and EACCES
On Fri, 28 Aug 2020 22:33:30 +0200, Claudio Jeker wrote:
> Have a look at the pf(4) stats. Especially check if the congestion
> counter increases when you see the error. If pf(4) detects a network
> congestion then ruleset evaluation is skipped and only state matching
> happens. In that case you can get EACCES for connections that would
> normally be allowed by pf(4).

Thanks, I'll take a look at `systat pf` if it happens again.

Daniel
Re: pf, send(2) and EACCES
On Fri, Aug 28, 2020 at 11:40:17AM -0400, Daniel Jakots wrote:
> On Fri, 28 Aug 2020 16:06:48 +0200, Sebastien Marie wrote:
>
> > - generate lot of postgresql access. from postgresql thread, the
> >   statement seems to be a SELECT, so it would be fine to run in loop
> >   (hoping no cache and real traffic generated).
> >
> > - run pfctl -Treplace in a loop (with a set of different files as the
> >   kernel code takes care if host are added, changed, deleted)
>
> I ran the select on one machine and the pfctl -Treplace on db1 both in
> a `while :` for about two hours and it didn't happen.
>
> I'll try again if the problem happens genuinely again.

Have a look at the pf(4) stats. Especially check if the congestion counter increases when you see the error. If pf(4) detects a network congestion then ruleset evaluation is skipped and only state matching happens. In that case you can get EACCES for connections that would normally be allowed by pf(4).

--
:wq Claudio
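One way to carry out the check suggested in the message above, as an added example that is not part of the original thread: read the congestion counter from the Counters section of `pfctl -si` output and line up periodic samples with the times the application logged EACCES. The function names, the sample file layout and the two status excerpts are assumptions made for this example; the excerpts are constructed.

```shell
#!/bin/sh
# Added example. The two status excerpts below are constructed, not captured.

# Print one cumulative counter from the "Counters" section of `pfctl -si`
# output read on stdin; exit status 1 if the counter is not present.
pf_counter() {
	awk -v name="$1" '
		/^Counters/ { in_counters = 1; next }
		/^[^ \t]/   { in_counters = 0 }
		in_counters && $1 == name { print $2; found = 1; exit }
		END { exit !found }
	'
}

# How far the congestion counter moved between two saved snapshots.
congestion_delta() {   # $1 = earlier snapshot file, $2 = later one
	before=$(pf_counter congestion < "$1") || return 2
	after=$(pf_counter congestion < "$2") || return 2
	echo $((after - before))
}

# $1: file of "epoch counter" samples, oldest first, e.g. appended from cron by
#     printf '%s %s\n' "$(date +%s)" "$(pfctl -si | pf_counter congestion)"
# $2: file with one epoch per line, the times the application logged EACCES.
# Prints "error_epoch increase" for every error that falls inside a sampling
# interval in which the counter rose.
errors_during_congestion() {
	awk '
		NR == FNR { t[++n] = $1; c[n] = $2; next }
		{
			for (i = 2; i <= n; i++)
				if ($1 > t[i-1] && $1 <= t[i] && c[i] > c[i-1]) {
					print $1, c[i] - c[i-1]
					break
				}
		}
	' "$1" "$2"
}

# Constructed `pfctl -si` excerpts.
sample_before() {
cat <<'EOF'
Status: Enabled for 3 days 02:11:40              Debug: err

State Table                          Total             Rate
  current entries                      212
  searches                        48211973          180.4/s
Counters
  match                            1920331            7.2/s
  memory                                 0            0.0/s
  congestion                            14            0.0/s
  state-mismatch                       310            0.0/s
EOF
}

sample_after() {
cat <<'EOF'
Status: Enabled for 3 days 02:12:40              Debug: err

State Table                          Total             Rate
  current entries                      230
  searches                        48223001          180.4/s
Counters
  match                            1920790            7.2/s
  memory                                 0            0.0/s
  congestion                            97            0.0/s
  state-mismatch                       310            0.0/s
EOF
}
```

An error that never lines up with a rising counter points away from the congestion path and back toward the table reload or the ruleset.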
Re: Understanding of keydisk backup for FDE
On 2020-08-27, Andreas Menge wrote:
> I try to wrap my head around why the FAQ
> (https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk) says that one
> should create a backup of the keydisk with bs=8192 and skip=1.
>
> From the FAQ:
>
> # dd bs=8192 skip=1 if=/dev/rsd1a of=backup-keydisk.img
> # dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd1a

This copies the relevant softraid meta data.

> My personal inclination was to just dd the whole disk (like dd if=/dev/rsd1c)
> ...

That works, but it means the disks will now share the same disklabel with the same size (even if the USB sticks differ in size), the same label, the same "unique" disk ID. That won't matter for their use as keydisk, but if you ever re-use them for something else later, you'll need to remember to recreate the disklabel or weird things may happen.

--
Christian "naddy" Weisgerber na...@mips.inka.de
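The FAQ commands quoted above, wrapped with a read-back check, as an added example that is not part of the original thread or the FAQ. It shows on stand-in files that `skip=1` leaves the first 8192 bytes of the partition out of the image and that `seek=1` leaves the first 8192 bytes and the size of a larger target untouched. The function names and file names are assumptions for this example, and the file contents are constructed.

```shell
#!/bin/sh
# Added example. Regular files stand in for the keydisk partitions
# (/dev/rsd1a in the FAQ); their contents are constructed.

BS=8192     # block size from the FAQ commands
SECT=512    # sector size used for the read-back comparison

# Copy everything after the first 8192 bytes of the keydisk partition.
keydisk_backup() {    # $1 = keydisk partition, $2 = image file to create
	dd bs=$BS skip=1 if="$1" of="$2" 2>/dev/null
}

# Write the image back, starting 8192 bytes into the target partition.
# conv=notrunc keeps the tail of a regular file; it only matters for the
# stand-in files used here.
keydisk_restore() {   # $1 = image file, $2 = target keydisk partition
	dd bs=$BS seek=1 conv=notrunc if="$1" of="$2" 2>/dev/null
}

# Succeed only if the partition, read from byte 8192 for the length of the
# image, is identical to the image. Works when the target is larger.
keydisk_verify() {    # $1 = partition, $2 = image file
	size=$(($(wc -c < "$2")))
	[ "$size" -gt 0 ] && [ $((size % SECT)) -eq 0 ] || return 2
	dd bs=$SECT skip=$((BS / SECT)) count=$((size / SECT)) if="$1" 2>/dev/null |
	    cmp -s - "$2"
}

# Emit $1 blocks of $BS bytes, every byte set to the character $2.
fill() {
	dd if=/dev/zero bs=$BS count="$1" 2>/dev/null | tr '\0' "$2"
}

# Constructed stand-ins: a 64 KB source whose first block is "A" and the
# rest "M", and a 128 KB target filled with "B".
make_stand_ins() {    # $1 = scratch directory
	{ fill 1 A; fill 7 M; } > "$1/src.part"
	fill 16 B > "$1/dst.part"
}
```

Running `keydisk_verify` against the restored stick before the original is retired catches a short or damaged image while the source is still available.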
Can I boot without GPU ("headless")?
Hello,

I have several Asus A320M-K motherboards with AMD Ryzen 3 1200 (which does not include a GPU) in very simple computers.

I installed OpenBSD on them using a GigaByte GT710 graphics card. After reboot, everything works perfectly.

My idea was to install and configure the systems with the graphics card and then remove it and control them by SSH (I only have one card).

I disabled at the BIOS the "Wait for F1 if Error" option so it continues booting without the GPU. I am pretty sure it does:

I encrypted the disk during installation with bioctl and softraid; if I do nothing, type intentionally a wrong password or simply press enter, the "num lock" led stays on and pressing the power button shuts the system down immediately. If I type the correct password, after 10 seconds the "num lock" led turns off and the power button only works if pressed for 5 seconds.

So I assume the kernel panics because the GPU is missing.

Do I need a graphics card installed all the time?

The motherboard has pins for a COM serial port, during installation I was asked if I wanted "com0" to become the default console. I said no.

Could I be booting the system had I said yes (without actually using the port, again, I would use ssh)?

If so, can I change this after installation?

If not, is there anything I can do to be able to boot without the graphics card?

Thank you.
WAF using OpenBSD relayd
Hi,

The subject to the previous email below read 'solved'. This was by error. This has not been solved.

Any assistance is highly appreciated.

Kind regards,
Kihaguru.

-- Forwarded message --
From: Kihaguru Gathura
Date: Sunday, August 23, 2020
Subject: Re: No WAF detected - Solved
To: misc

Hi,

The following template has previously worked as far as WAF detection is concerned. However assessors keep updating their tools, this configuration is no longer effective.

Anyone using relayd as WAF? What sort of configuration options do you have?

Kind regards,
Kihaguru.

---
# $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
#
# Relay and protocol
#
http protocol httpp {
        pass request quick method "GET"
        block
}

relay httpr {
        # Listen on localhost, accept diverted connections from pf(4)
        listen on 127.0.0.1 port 8080
        protocol httpp

        # Forward to the original target host
        forward to destination
}

http protocol httpsp {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        match response header remove "Server"
        pass request quick url file "/etc/mydomain-url.txt"
        pass request quick path file "/etc/mydomain-path.txt"
        pass request quick method "GET"
        block
        tls keypair mydomain.com
}

relay httpsr {
        # Listen on localhost, accept diverted connections from pf(4)
        listen on 127.0.0.1 port 8443 tls
        protocol httpsp

        # Forward to the original target host
        forward with tls to destination
}

-- Forwarded message -
From: Kihaguru Gathura
Date: Fri, Dec 27, 2019 at 10:40 PM
Subject: Re: No WAF detected - Solved
To: Kihaguru Gathura , misc

Hi,

WAF is detected when certain methods are filtered in relayd.

Thanks,
Kihaguru.

On Monday, December 9, 2019, Kihaguru Gathura wrote:
>
> Hi,
> A message from assessors and further tests below.
>
> I have configured relayd to serve a single url that accepts no parameters. This url is blocked by relayd with error 403 Forbidden if anything is appended to its end.
> I would expect WAF detection in such a test case but this has not happened.
> what other means are malicious payloads being delivered in this case?
>
> Thanks and regards,
> Kihaguru
>
> # $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
> #
> # Relay and protocol
> #
> http protocol httpp {
>         return error
>         match response header remove "Server"
>
>         pass
>         block quick path "/cgi-bin/index.cgi" value "*command=*"
>         pass quick path "/net/index.html" value ""
>         block
> }
>
> relay httpr {
>         # Listen on localhost, accept diverted connections from pf(4)
>         listen on 127.0.0.1 port 8080
>         protocol httpp
>
>         # Forward to the original target host
>         forward to destination
> }
>
> http protocol httpsp {
>         return error
>         match response header remove "Server"
>
>         pass
>         block quick path "/cgi-bin/index.cgi" value "*command=*"
>         pass quick path "/net/index.html" value ""
>         block
>
>         tls keypair example.net
> }
>
> relay httpsr {
>         # Listen on localhost, accept diverted connections from pf(4)
>         listen on 127.0.0.1 port 8443 tls
>         protocol httpsp
>
>         # Forward to the original target host
>         forward with tls to destination
> }
> ---
>
> On Thu, Dec 5, 2019 at 2:11 PM Stuart Henderson wrote:
>>
>> On 2019/12/05 00:17, Kihaguru Gathura wrote:
>> > On Wed, Dec 4, 2019 at 11:58 PM Kihaguru Gathura wrote:
>> > >> Which is a better way to implement a WAF on OpenBSD using the base utilities?
>> > >
>> > > relayd configured in certain ways might be considered as a WAF.
>> >
>> > All methods and all other security headers and path filters are coded in the web
>> > application which had always been detected as a custom WAF until two weeks ago.
>> >
>> > I have now included relayd and a re-test passes all other requirements but does not detect
>> > a WAF
Re: pf, send(2) and EACCES
On Fri, 28 Aug 2020 16:06:48 +0200, Sebastien Marie wrote:
> - generate lot of postgresql access. from postgresql thread, the
>   statement seems to be a SELECT, so it would be fine to run in loop
>   (hoping no cache and real traffic generated).
>
> - run pfctl -Treplace in a loop (with a set of different files as the
>   kernel code takes care if host are added, changed, deleted)

I ran the select on one machine and the pfctl -Treplace on db1 both in a `while :` for about two hours and it didn't happen.

I'll try again if the problem happens genuinely again.

Thanks,
Daniel
Re: pf, send(2) and EACCES
On Fri, Aug 28, 2020 at 09:27:10AM -0400, Daniel Jakots wrote:
> On Fri, 28 Aug 2020 08:32:59 +0200, Sebastien Marie wrote:
>
> > On Thu, Aug 27, 2020 at 03:27:58PM -0400, Daniel Jakots wrote:
> > > Hi,
> > >
> > > I'm chasing a weird behavior with postgresql. Sometimes (it's very
> > > infrequent) a sql request fails with "could not send data to client:
> > > Permission denied". I reported the problem on pgsql-general@ [0]
> > > and if I understood correctly, this happens when pgsql uses send(2)
> > > and gets EACCES.
> > >
> > > According to send(2) this happens when "The connection was blocked
> > > by pf(4)". I have a cron that modifies a table with
> > > `pfctl -t TABLE_NAME -Tr -f TABLE_FILE_PATH`
> > >
> > > The file is large so it's not exactly immediate. Could pf
> > > temporarily block new connections while it loads the file? Or am I
> > > looking at the wrong thing?
> >
> > From your pf rules, does the postgresql connection could be blocked if
> > TABLE_NAME is empty/inconsistent ?
> >
> > Could you add (if you don't have already tested it), an explicit
> > allow rule for postgresql to ensure the connection will success ?
>
> They are distinct rules:
> # grep -e api_bans -e 5432 /etc/pf.conf
> table persist file "/etc/pf.api"
> block drop in quick from
> pass in on vio0 proto tcp from $docker3 to (self) port 5432
> pass in on vio0 proto tcp from $web1 to (self) port 5432
>
> The thing is that it happens very rarely, and I'm not sure how to
> reproduce it.

if the problem is related to `pfctl -Treplace', you could try:

- generate lot of postgresql access. from postgresql thread, the statement seems to be a SELECT, so it would be fine to run in loop (hoping no cache and real traffic generated).

- run pfctl -Treplace in a loop (with a set of different files as the kernel code takes care if host are added, changed, deleted)

- maybe doing it at a "safe" time when not used a lot, if the host is on production :)

assuming the problem is a race somewhere, it should raise the possible occurrences of it.

--
Sebastien Marie
Re: pf, send(2) and EACCES
On Fri, 28 Aug 2020 08:32:59 +0200, Sebastien Marie wrote:
> On Thu, Aug 27, 2020 at 03:27:58PM -0400, Daniel Jakots wrote:
> > Hi,
> >
> > I'm chasing a weird behavior with postgresql. Sometimes (it's very
> > infrequent) a sql request fails with "could not send data to client:
> > Permission denied". I reported the problem on pgsql-general@ [0]
> > and if I understood correctly, this happens when pgsql uses send(2)
> > and gets EACCES.
> >
> > According to send(2) this happens when "The connection was blocked
> > by pf(4)". I have a cron that modifies a table with
> > `pfctl -t TABLE_NAME -Tr -f TABLE_FILE_PATH`
> >
> > The file is large so it's not exactly immediate. Could pf
> > temporarily block new connections while it loads the file? Or am I
> > looking at the wrong thing?
>
> From your pf rules, does the postgresql connection could be blocked if
> TABLE_NAME is empty/inconsistent ?
>
> Could you add (if you don't have already tested it), an explicit
> allow rule for postgresql to ensure the connection will success ?

They are distinct rules:
# grep -e api_bans -e 5432 /etc/pf.conf
table persist file "/etc/pf.api"
block drop in quick from
pass in on vio0 proto tcp from $docker3 to (self) port 5432
pass in on vio0 proto tcp from $web1 to (self) port 5432

The thing is that it happens very rarely, and I'm not sure how to reproduce it.

> From my reading, pfctl -Treplace is using DIOCRSETADDRS ioctl. On
> userland side, it tries to do it in one step (see
> src/sbin/pfctl/pfctl_table.c line 228), but could iterate on
> pfr_set_addrs() (I am unsure if the change is atomic or if the
> iteration is to ensure the change will be atomic with large enough
> buffer for result).
>
> The DIOCRSETADDRS ioctl on kernel side is done under PF_LOCK(). But I
> didn't check if the match rule would be done under PF_LOCK() or not
> (I am not familiar enough with pf(4) code to find the code which do
> the check).

Merci,
Daniel
Re: routing ipv6 over wireguard
On 2020-08-26, Alarig Le Lay wrote:
> Hi,
>
> On Tue 25 Aug 2020 15:27:27 GMT, Aisha Tammy wrote:
>> (peer A)$ tcpdump -inet6 -i vio0 icmp6
>> 15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6: neighbor sol: who has 2001:19f0:5:5cd5::6942:6
>>
>> (a lot of such lines)
>
> It seems that you have been provided a *connected* /64, so the router
> tried to do NDP for your peer, which isn't possible because the peer
> isn't on the same L2.
>
> You have to ask your provider to *route* you a range. Then, it will be your
> VM that will manage it.

Or do proxy ndp(8) for the address (like you would do with proxy ARP for v4 in the same situation).
Re: Microsoft's war on plain text email in open source
Let's send patches through Teams or Discord. I think this is the way to go.

On 26/08/2020 10:28, Frank Beuth wrote:

"Linux kernel development which is driven by plain-text email discussion needs better or alternative collaborative tooling "to bring in new contributors and maintain and sustain Linux in the future," says Sarah Novotny, Microsoft's representative on the Linux Foundation board.

Said tooling could be "a text-based, email-based patch system that can then also be represented in a way that developers who have grown up in the last five or ten years are more familiar with," she added.

...

Should it migrate toward something more like, say, issues and pull requests on the Microsoft-owned GitHub?

“I’m not saying that there will be a move in any time that I can see my crystal ball’s broken but I do think there needs to be expansions in the way people can enter that workflow,” said Novotny. “It is a fairly specific workflow that is a challenge for some newer developers to engage with. As an example, my partner submitted a patch to OpenBSD a few weeks ago, and he had to set up an entirely new mail client which didn’t mangle his email message to HTML-ise or do other things to it, so he could even make that one patch. That’s a barrier to entry that’s pretty high for somebody who may want to be a first-time contributor.”"

https://www.theregister.com/2020/08/25/linux_kernel_email/
Re: pf, send(2) and EACCES
On Thu, Aug 27, 2020 at 03:27:58PM -0400, Daniel Jakots wrote:
> Hi,
>
> I'm chasing a weird behavior with postgresql. Sometimes (it's very
> infrequent) a sql request fails with "could not send data to client:
> Permission denied". I reported the problem on pgsql-general@ [0] and if
> I understood correctly, this happens when pgsql uses send(2) and gets
> EACCES.
>
> According to send(2) this happens when "The connection was blocked by
> pf(4)". I have a cron that modifies a table with
> `pfctl -t TABLE_NAME -Tr -f TABLE_FILE_PATH`
>
> The file is large so it's not exactly immediate. Could pf temporarily
> block new connections while it loads the file? Or am I looking at the
> wrong thing?

From your pf rules, does the postgresql connection could be blocked if TABLE_NAME is empty/inconsistent ?

Could you add (if you don't have already tested it), an explicit allow rule for postgresql to ensure the connection will success ?

From my reading, pfctl -Treplace is using DIOCRSETADDRS ioctl. On userland side, it tries to do it in one step (see src/sbin/pfctl/pfctl_table.c line 228), but could iterate on pfr_set_addrs() (I am unsure if the change is atomic or if the iteration is to ensure the change will be atomic with large enough buffer for result).

The DIOCRSETADDRS ioctl on kernel side is done under PF_LOCK(). But I didn't check if the match rule would be done under PF_LOCK() or not (I am not familiar enough with pf(4) code to find the code which do the check).

Thanks.
--
Sebastien Marie