Re: [9fans] Porting plan9
quans...@quanstro.net:
> u-boot has several drawbacks that have hindered my development ... i worked on an embedded pcie endpoint, and all these factors cost me 4-5 weeks of dev time, time enough that i could have brought the board up myself directly with plan 9 as a bootloader in that amount of time.

One of the functions u-boot performs is configuring the various subsystems in the SoC (individual clocks and power settings for subcomponents, gpio pin functions, ...) -- things a BIOS would do in a more old-timey computer. In my experience these are typically undocumented (or worse, incorrectly documented), so doing this initialisation in Plan 9 would require reverse engineering of u-boot to figure out what to do. It's easier just to be lazy and let u-boot do it.
Re: [9fans] Factotum vs SASL
> To mimic the usual Unix behaviour, I would need some getty/login-alike program, which asks for login credentials and then starts up things like shell or gui (some window-manager-/DE-alike program) as the corresponding, which then is _not_ the hostowner.

For this sort of functionality the computer needs to be running as a plan 9 cpu server, not a terminal in which by definition hostowner controls everything. Somewhere in /contrib there is a patch which makes a few changes to the cpu kernel to allow a login on the console by a user different from hostowner, who then becomes termowner with permissions over some but not all of the local hardware (eg keyboard and mouse but not disk). It's not hard to do.

But it's only pretend security if the user has physical access to the machine. The plan 9 way is to keep the cpu server in a locked box and get another computer to be a terminal. A raspberry pi doesn't cost much.
Re: [9fans] Porting plan9
On Tuesday 02 December 2014 09:32:22 Richard Miller wrote:
> It's easier just to be lazy and let u-boot do it.

Sorry for hijacking a bit. There was a mention on this list a couple of months ago about work on getting Plan9 working on UEFI/GPT machines... whoever that was - any progress?
Re: [9fans] Porting plan9
UEFI support was written for 9front by ci ap. It has been tested on the x230 and in OVMF. I have a working gpt editor but it needs cleanup.
Re: [9fans] Porting plan9
by 'ci ap' i meant cinap_lenrek.
Re: [9fans] Porting plan9
> One of the functions u-boot performs is configuring the various subsystems in the SoC (individual clocks and power settings for subcomponents, gpio pin functions, ...) -- things a BIOS would do in a more old-timey computer. In my experience these are typically undocumented (or worse, incorrectly documented), so doing this initialisation in Plan 9 would require reverse engineering of u-boot to figure out what to do. It's easier just to be lazy and let u-boot do it.

that's interesting. with the marvell chip and board i had, there was almost no setup code required. and what setup code there was, the hardware guy had got wrong.

- erik
Re: [9fans] Porting plan9
On Tue, Dec 2, 2014 at 8:10 AM, erik quanstrom quans...@quanstro.net wrote:
> > One of the functions u-boot performs is configuring the various subsystems in the SoC (individual clocks and power settings for subcomponents, gpio pin functions, ...) -- things a BIOS would do in a more old-timey computer. In my experience these are typically undocumented (or worse, incorrectly documented), so doing this initialisation in Plan 9 would require reverse engineering of u-boot to figure out what to do. It's easier just to be lazy and let u-boot do it.
>
> that's interesting. with the marvell chip and board i had, there was almost no setup code required. and what setup code there was, the hardware guy had got wrong.

That project was a little different. Off the shelf SoCs (particularly those targeted for mobile) usually have firmware blobs that have to be loaded at specific addresses, (undocumented) clock trees, signed stage 1 loaders, and other bits. Many times, using u-boot is your only choice. You can pick apart the source if you like, but honestly why do the work? I'm more interested in porting the kernel than writing a bootloader.

Frankly, purity in a software system only exists if you've also designed the hardware.

Steve
Re: [9fans] Factotum vs SASL
On Mon, Dec 01, 2014 at 08:08:04PM -0800, erik quanstrom wrote:
> On Sat, 29 Nov 2014 20:46:08 +0100, Enrico Weigelt, metux IT consult wrote:
> > So, how would a Plan9 solution for these usecases look like ? In fact, I intend to rewrite network-manager to some 9p-based solution, so I'd like to discuss this carefully before starting to lennert up something stupid.
>
> has it occurred to you to try the system out as is? nobody else has asked for it to be more unix like in the same way. perhaps there's good reason for it to be the way it is.

To be fair, he's not talking about using Plan 9, just leveraging something factotum-like under Linux. I think he should be commended for spreading the 9love in the face of rampant Lennartism, quixotic though it may be.
[9fans] Adding a new user.
Hi guys! I think the doc about adding a new user is outdated (or it's just me that can't make it work properly) so I would be very grateful if someone could describe the steps of adding a new user in terms so that even I can understand. Thanks a lot! Kind regards, Mats
Re: [9fans] Adding a new user.
what didn't work? Are you using the labs distribution, 9front or 9atom?
Re: [9fans] Factotum vs SASL
On 12/02/2014 10:40 AM, plann...@sigint.cs.purdue.edu wrote:
> On Mon, Dec 01, 2014 at 08:08:04PM -0800, erik quanstrom wrote:
> > On Sat, 29 Nov 2014 20:46:08 +0100, Enrico Weigelt, metux IT consult wrote:
> > > So, how would a Plan9 solution for these usecases look like ? In fact, I intend to rewrite network-manager to some 9p-based solution, so I'd like to discuss this carefully before starting to lennert up something stupid.
> >
> > has it occurred to you to try the system out as is? nobody else has asked for it to be more unix like in the same way. perhaps there's good reason for it to be the way it is.
>
> To be fair, he's not talking about using Plan 9, just leveraging something factotum-like under Linux. I think he should be commended for spreading the 9love in the face of rampant Lennartism, quixotic though it may be.

Lennartism is about breaking with orthodoxy. This is entirely in keeping with it.

--
Wes Kussmaul
The Authenticity Institute
“Try this fruit, and by the way if a bunch of people collectively calling themselves Arthur Andersen signs something it’s the same as if a person named Arthur Andersen signed it.” - The Serpent
Re: [9fans] Adding a new user.
> I think the doc about adding a new user is outdated (or it's just me that can't make it work properly) so I would be very grateful if someone could describe the steps of adding a new user in terms so that even I can understand. Thanks a lot!

Which doc? What steps did you take? What happened when you tried?

sl
Re: [9fans] Adding a new user.
what 'doc' do you refer to? what didn't work properly? nobody can help you if you don't explain what the problem is.
Re: [9fans] Factotum vs SASL
if i understand correctly, the basic issues you're trying to solve (beyond authentication), are delegation and authorization. because you're targeting non-plan9 environments, my comments will be focused on those environments.

any decent IT with heterogeneous OS environments will have a Kerberos+LDAP (most likely embodied in ActiveDirectory) setup to do this. all sharable resources (services) will be located on servers which can authenticate and authorize users.

the rest of my comments are inline:

On Sat, Nov 29, 2014 at 11:46 AM, Enrico Weigelt, metux IT consult enrico.weig...@gr13.net wrote:
> On 18.11.2014 09:22, Skip Tavakkolian wrote:
> snip
>
> thanks folks ... seems I need to think through all of this more deeply.
>
> If I'm not completely mistaken, factotum can also handle various authentication protocols, and may be the only one who really knows the actual secrets.
>
> One scenario I'm thinking about is replacing the password-stores in certain browsers by a factotum (maybe it could also be useful for cert handling ?)
>
> A really cool feature, IMHO, would be able to connect my local factotum to remote ones easily, so I'll get a similar feature like eg. lastpass is doing for the web.
>
> For example, somebody like to give me access to some remote application, but for some reason can't add my pubkey there (eg. it doesn't even support such things), but doesn't want to give me cleartext passwords, he could set things up in his (publicly accessible) factotum instance, which then handles all the auth stuff for that application.

delegation would require some sort of initial trust relationship. for example, Kerberos includes the ability to setup trust relationships between different realms. once trust is established, a user vouched for by a KDC in one realm can be authenticated and authorized to receive service in another realm. what you've described above would be like having two realms (yours and the other person's) each having a KDC (factotum) that handles a single identity.

btw, Plan 9's authentication is similar to Kerberos. auth server is the KDC, and factotum is the client side (but factotum can also talk other protocols and can keep secrets). because all things are files in Plan 9, delegation between parties in the same realm can be accomplished by importing factotum's file system. cross-realm delegation might be possible with some changes but in practice it is more convenient to give factotum the credentials for all authdom's and let it deal with them.

> By the way, that leads me to another topic, which is annoying me for quite some time: policykit. For those, who have been spared of it: It's an invention of the freedesktop folks (or should I call them Lennartists ? ;-o), some kind of proxy, which routes certain dbus calls (based on certain policies) between several users (and root). This way, eg. unprivileged users can still be given access to system level stuff, like network-manager. And that's exactly the point which regularly hit me (eg. some day my primary account suddenly wasn't able to choose wireless networks anymore, and even the old fashioned way via unix groups didn't help either).
>
> So, I'm thinking about a cleaner solution - obviously not dbus, but 9P.
>
> If i understand it correctly, in 9P, the server is in charge of handling all the access control. So, I can't just write some simple 9P server, mount it anywhere and magically expect it working just by file ownerships (by the way: do they have any practical meaning at all ?).
>
> Obviously, the server needs to know who the calling user is and whether he shall be allowed to access certain items - more precisely whether he is in the right role right now. And these things could be depending on other parameters (defined by other parties), eg. when reboot shall only be allowed when logged-in locally, and no other blocking parts (eg. important tasks) currently running.

as pointed out above, a shared trusted authority between the user and the service has to exist. once authenticated, authorization can then be handled by other means (e.g. unix or ldap group membership, etc). examples of this in plan9 are things like consolefs' /lib/ndb/consoledb (and because the root filesystem is served from the fileserver there's no need for ldap).

> Pretty clear, that these things shouldn't be implemented in each single service separately, and not every service that might have an influence here shall have to talk to everybody else.
>
> So, how would a Plan9 solution for these usecases look like ? In fact, I intend to rewrite network-manager to some 9p-based solution, so I'd like to discuss this carefully before starting to lennert up something stupid.
>
> cu
> --
> Enrico Weigelt, metux IT consulting
> +49-151-27565287
Re: [9fans] Factotum vs SASL
9love is tough love.

On Tue, Dec 2, 2014 at 7:40 AM, plann...@sigint.cs.purdue.edu wrote:
> On Mon, Dec 01, 2014 at 08:08:04PM -0800, erik quanstrom wrote:
> > On Sat, 29 Nov 2014 20:46:08 +0100, Enrico Weigelt, metux IT consult wrote:
> > > So, how would a Plan9 solution for these usecases look like ? In fact, I intend to rewrite network-manager to some 9p-based solution, so I'd like to discuss this carefully before starting to lennert up something stupid.
> >
> > has it occurred to you to try the system out as is? nobody else has asked for it to be more unix like in the same way. perhaps there's good reason for it to be the way it is.
>
> To be fair, he's not talking about using Plan 9, just leveraging something factotum-like under Linux. I think he should be commended for spreading the 9love in the face of rampant Lennartism, quixotic though it may be.
Re: [9fans] Adding a new user.
OK my bad. The question I asked was like thinking out loud without giving details. So I'm using Plan 9 on the Raspberry Pi (Plan 9 from Bell Labs that is). The problem is that after running uname user user (can't reproduce right now since my screen/TV is occupied) the rc shell is put on hold and in the documentation (just have a single side printout so I can't give any accurate source of it right now) says that you can give sys and adm rights to that user by continuing with: uname sys +user and uname +user which gives you error messages (can't be more specific now because of the aforementioned reasons).

Then we also have the problem with this specific platform that defaults to user glenda without prompt. The cmdline.txt looks like this; readparts=1 nobootprompt=local user=glenda ipconfig= so the system must be halted to change the user. The file cmdline.txt is kind of the init file in several OS's for the Raspberry Pi.

My first test would be to run uname user user and ctrl+alt+del to reboot and cut the power to change the user in the cmdline.txt file. Hopefully (I think it was possible to get into the system again) I get in to Plan 9 and can run: /sys/lib/newuser as said in the doc I have.

Now I should have asked (and do) if this is the right thing to do? or what could get me another user than the default? I hope you bear with me even if this whole thing went backwards. First the question and then the problem or more correct the situation. Thankful for any hints in the right direction or just what you guys think about the situation. I'll give it a try tomorrow anyhow. Thanks for showing interest!

Kind regards, Mats

2014-12-02 19:08 GMT+01:00, misch...@9.offblast.org misch...@9.offblast.org:
> what 'doc' do you refer to? what didn't work properly? nobody can help you if you don't explain what the problem is.
Re: [9fans] Adding a new user.
Hi again! Missed adm in adm +user in my brief explanation earlier. Think I'll first check for a command in /bin/rc that would be more appropriate than 'uname'. There just must be one more obvious that I've missed. Well, will see tomorrow.

Best wishes, Mats

2014-12-02 21:54 GMT+01:00, Mats Olsson plan9@gmail.com:
> OK my bad. The question I asked was like thinking out loud without giving details. So I'm using Plan 9 on the Raspberry Pi (Plan 9 from Bell Labs that is). The problem is that after running uname user user (can't reproduce right now since my screen/TV is occupied) the rc shell is put on hold and in the documentation (just have a single side printout so I can't give any accurate source of it right now) says that you can give sys and adm rights to that user by continuing with: uname sys +user and uname +user which gives you error messages (can't be more specific now because of the aforementioned reasons).
>
> Then we also have the problem with this specific platform that defaults to user glenda without prompt. The cmdline.txt looks like this; readparts=1 nobootprompt=local user=glenda ipconfig= so the system must be halted to change the user. The file cmdline.txt is kind of the init file in several OS's for the Raspberry Pi.
>
> My first test would be to run uname user user and ctrl+alt+del to reboot and cut the power to change the user in the cmdline.txt file. Hopefully (I think it was possible to get into the system again) I get in to Plan 9 and can run: /sys/lib/newuser as said in the doc I have.
>
> Now I should have asked (and do) if this is the right thing to do? or what could get me another user than the default? I hope you bear with me even if this whole thing went backwards. First the question and then the problem or more correct the situation. Thankful for any hints in the right direction or just what you guys think about the situation. I'll give it a try tomorrow anyhow. Thanks for showing interest!
>
> Kind regards, Mats
>
> 2014-12-02 19:08 GMT+01:00, misch...@9.offblast.org misch...@9.offblast.org:
> > what 'doc' do you refer to? what didn't work properly? nobody can help you if you don't explain what the problem is.
Re: [9fans] Adding a new user.
The following is 9front-specific but is still generally useful: http://code.google.com/p/plan9front/issues/detail?id=207 sl
Re: [9fans] Porting plan9
On 02.12.2014 16:21, Steven Stallion wrote:
snip

apropos kernel/bootloader: I just recently had a look at the code and somewhat got the impression that 9load seems to be a specially tailored plan9 kernel, which then loads the real kernel. is that correct or am I mistaken here ?

cu
--
Enrico Weigelt, metux IT consulting
+49-151-27565287
Re: [9fans] Porting plan9
On 02/12/2014 19:59, Enrico Weigelt, metux IT consult enrico.weig...@gr13.net wrote:
> On 02.12.2014 16:21, Steven Stallion wrote:
> snip
>
> apropos kernel/bootloader: I just recently had a look at the code and somewhat got the impression that 9load seems to be a specially tailored plan9 kernel, which then loads the real kernel. is that correct or am I mistaken here ?
>
> cu
> --
> Enrico Weigelt, metux IT consulting
> +49-151-27565287

Correct.
Re: [9fans] Factotum vs SASL
On 02.12.2014 10:50, Richard Miller wrote:
> For this sort of functionality the computer needs to be running as a plan 9 cpu server, not a terminal in which by definition hostowner controls everything. Somewhere in /contrib there is a patch which makes a few changes to the cpu kernel to allow a login on the console by a user different from hostowner, who then becomes termowner with permissions over some but not all of the local hardware (eg keyboard and mouse but not disk). It's not hard to do.

Okay, that seems to go in the direction, I'm looking for. To get the traditional unix behaviour, we'd also need some virtual terminal multiplexer (which allows switching between VTs with different sessions), supporting multiple framebuffers/GPUs, keyboards, etc (eg. multiseat environments) - just giving the logged-in users only these virtual devices. Shouldn't be that hard to implement.

Anyways, for now I'm not so much focused on doing that on real Plan9 system, instead using its concepts/tools (9P, factotum, ...) on a GNU/Linux system.

> But it's only pretend security if the user has physical access to the machine.

Of course, you could still replace the disks, etc .. but that's an entirely different area.

> The plan 9 way is to keep the cpu server in a locked box and get another computer to be a terminal. A raspberry pi doesn't cost much.

Well, not very suited for mobile purposes (notebook, etc) :P

cu
--
Enrico Weigelt, metux IT consulting
+49-151-27565287
Re: [9fans] Factotum vs SASL
On 02.12.2014 16:40, plann...@sigint.cs.purdue.edu wrote:
> To be fair, he's not talking about using Plan 9, just leveraging something factotum-like under Linux.

Exactly. I wanna get rid of dbus and polkit, replace it by something 9P-based. Before hacking up something on my own, I'm just looking how Plan9 handles such things. And once I'm starting to hack up something, I'd prefer (at least most of) it being usable in both worlds.

> I think he should be commended for spreading the 9love in the face of rampant Lennartism, quixotic though it may be.

Interesting to see that the term Lennartism is used more and more in these days. I'm using it for quite a while, but still unsure whether I may claim the copyright for it ;-) hmm, waiting for the day when it gets its own wikipedia article ;-o

cu
--
Enrico Weigelt, metux IT consulting
+49-151-27565287
Re: [9fans] Porting plan9
On 02.12.2014 23:02, Iruatã Souza wrote:
> > apropos kernel/bootloader: I just recently had a look at the code and somewhat got the impression that 9load seems to be a specially tailored plan9 kernel, which then loads the real kernel. is that correct or am I mistaken here ?
>
> Correct.

hmm, interesting. What's the exact reason behind that ? I'm really not an expert for bootloaders, but I always got the impression, that bootloaders need to be extremely minimal (eg. on PC you'll have only about 0.5k for the first stage) and serve an entirely different purpose than an OS kernel.

OTOH, having a complete OS/Kernel as preboot environment of course also has its charm - allows easily adding lots of setup things, even rescue stuff, etc.

Can 9front also boot other operating systems, eg. Linux ? Could it become a replacement for other bootloaders like grub ?

cu
--
Enrico Weigelt, metux IT consulting
+49-151-27565287
Re: [9fans] Porting plan9
as far as I can remember, Plan 9 (Bell Labs) and 9load expect each other. 9front, on the other hand, got rid of 9load for its own good.

On Tue, Dec 2, 2014 at 8:28 PM, Enrico Weigelt, metux IT consult enrico.weig...@gr13.net wrote:
> On 02.12.2014 23:02, Iruatã Souza wrote:
> > > apropos kernel/bootloader: I just recently had a look at the code and somewhat got the impression that 9load seems to be a specially tailored plan9 kernel, which then loads the real kernel. is that correct or am I mistaken here ?
> >
> > Correct.
>
> hmm, interesting. What's the exact reason behind that ? I'm really not an expert for bootloaders, but I always got the impression, that bootloaders need to be extremely minimal (eg. on PC you'll have only about 0.5k for the first stage) and serve an entirely different purpose than an OS kernel.
>
> OTOH, having a complete OS/Kernel as preboot environment of course also has its charm - allows easily adding lots of setup things, even rescue stuff, etc.
>
> Can 9front also boot other operating systems, eg. Linux ? Could it become a replacement for other bootloaders like grub ?
>
> cu
> --
> Enrico Weigelt, metux IT consulting
> +49-151-27565287
Re: [9fans] Porting plan9
I think one of the reasons 9load is quite complicated is because they wanted to boot a kernel from the network, so you need a network stack and the drivers for the ethernet card, so you really need lots of OS code in the end.

On Dec 2, 2014, at 2:28 PM, Enrico Weigelt, metux IT consult enrico.weig...@gr13.net wrote:
> On 02.12.2014 23:02, Iruatã Souza wrote:
> > > apropos kernel/bootloader: I just recently had a look at the code and somewhat got the impression that 9load seems to be a specially tailored plan9 kernel, which then loads the real kernel. is that correct or am I mistaken here ?
> >
> > Correct.
>
> hmm, interesting. What's the exact reason behind that ? I'm really not an expert for bootloaders, but I always got the impression, that bootloaders need to be extremely minimal (eg. on PC you'll have only about 0.5k for the first stage) and serve an entirely different purpose than an OS kernel.
>
> OTOH, having a complete OS/Kernel as preboot environment of course also has its charm - allows easily adding lots of setup things, even rescue stuff, etc.
>
> Can 9front also boot other operating systems, eg. Linux ? Could it become a replacement for other bootloaders like grub ?
>
> cu
> --
> Enrico Weigelt, metux IT consulting
> +49-151-27565287
Re: [9fans] Adding a new user.
On Tue Dec 2 13:48:46 PST 2014, s...@9front.org wrote:
> The following is 9front-specific but is still generally useful: http://code.google.com/p/plan9front/issues/detail?id=207

i believe the user is running kfs, so see kfscmd(8) for details.

- erik
Re: [9fans] Adding a new user.
On Tue Dec 2 16:40:27 PST 2014, quans...@quanstro.net wrote:
> On Tue Dec 2 13:48:46 PST 2014, s...@9front.org wrote:
> > The following is 9front-specific but is still generally useful: http://code.google.com/p/plan9front/issues/detail?id=207
>
> i believe the user is running kfs, so see kfscmd(8) for details.

sorry, it's a rpi. nevermind. i'm misfiring today.

- erik