[smartos-discuss] are we vulnerable to CVE-2018-5390 ?

2018-08-07 Thread Rob Seastrom
Those of you who wrangle multiple operating systems are no doubt aware of CVE-2018-5390 which was un-embargoed in the last couple of days. Its main emphasis is on the vulnerability of certain Linux kernels in the 4.9 release to DoS attack via a computationally expensive TCP reassembly

Re: [smartos-discuss] Error in Smartos Build: Connection timed out

2018-06-29 Thread Rob Seastrom
Way out of date in the case of the IPv6 (I used to do it that way too!). "nics": [ { "nic_tag": "vlan", "ips": [ "192.148.252.18/26", "2610:178:1:1:0:252:18:1/64" ], "gateways": [ "192.148.252.1" ], "vlan_id": 100 } ], cheers, -r > On Jun

Re: [smartos-discuss] KVM built-in DHCP server

2018-06-12 Thread Rob Seastrom
l disk is specified as the > boot device. > > -- > Brian Bennett > Systems Engineer, Cloud Operations > Joyent, Inc. | www.joyent.com > >> On Jun 11, 2018, at 1:19 PM, Rob Seastrom wrote: >> >> >> In a recent thread, Brian mentioned the

[smartos-discuss] KVM built-in DHCP server

2018-06-11 Thread Rob Seastrom
In a recent thread, Brian mentioned the "mini DHCP server" in the KVM brand zone. I had a couple of questions about that that have been rattling around in the back of my head for a while... First off, is there a way to turn this off and allow the guest in the KVM zone to DHCP from another

Re: [smartos-discuss] Problems with IPF + IPv6

2018-04-22 Thread Rob Seastrom
> On Apr 21, 2018, at 3:52 PM, marco wrote: > > On Fri, Apr 20, 2018 at 08:50:37PM -0400, you (H. William Welliver III) sent > the following to [smartos-discuss] : >> Hi all, >> >> I’m having some trouble trying to set up some firewall rules on a IPv6 >> router

Re: [smartos-discuss] Reprovisioning Best Practices

2018-04-18 Thread Rob Seastrom
> On Apr 18, 2018, at 9:23 AM, Jussi Sallinen wrote: > > The actual email data resides in a delegated dataset mounted on /data. Delegated or loopback-mounted? I loopback-mount my (persistent) email stuff on /home. -r ---

Re: [smartos-discuss] Update CA Bundle

2018-04-18 Thread Rob Seastrom
+1. I’ve tripped over this as well (not with docker but my letsencrypt certs appear invalid from the global zone). -r > On Apr 18, 2018, at 07:01, Eugene Lee wrote: > > Hi, > > Is it possible to update the root CA certificate files installed in SmartOS? > I am

Re: [smartos-discuss] smartos-latest is over a month old?

2018-03-09 Thread Rob Seastrom
Good, so long as it was intentional. :) -r > On Mar 9, 2018, at 6:25 PM, Marsell K wrote: > > That's partly it -- the OS group is currently focussed on KPTI, bhyve, and > some surrounding technologies. > > The last releases were held off because of an odd shell script

[smartos-discuss] smartos-latest is over a month old?

2018-03-09 Thread Rob Seastrom
It appears that the latest SmartOS versions linked from https://download.joyent.com/pub/iso/ are 20180203T031130Z - have there been any normal biweekly code drops in the almost five weeks since? Wondering if this is something broken, intentional/spectre/meltdown-related, or what. Cheers, -r

Re: [smartos-discuss] Remove ZIL from zones pool?

2018-01-20 Thread Rob Seastrom
My bad, shoulda read the entire thread to see Jonathan’s comment about 2014. :) Sent from my iPad > On Jan 20, 2018, at 15:12, Rob Seastrom <r...@rs.hmail.seastrom.com> wrote: > > > Since this seems to be requests week, +1 on the request for S.M.A.R.T. tools. > ;) &

Re: [smartos-discuss] Remove ZIL from zones pool?

2018-01-19 Thread Rob Seastrom
There's no svn or git in the global zone either... Those would be nice, but I never thought to ask, just created an IPv6-only zone which holds the checked out repos... -r > On Jan 19, 2018, at 7:10 AM, Jonathan Perkin wrote: > >> Background to this: before it got

Re: [smartos-discuss] IPv6 support in the global zone

2018-01-09 Thread Rob Seastrom
> On Jan 8, 2018, at 3:43 PM, Brian Bennett wrote: > > While I am always a proponent of using IPv6 everywhere, you can use IPv6 in > non-global zones without having IPv6 enabled in the global zone. Each zone > has an exclusive IP stack. Right. Shamefully enough

Re: [smartos-discuss] Meaning of "compute_node_ntp_hosts" and spurious DHCP in Ethernet interface

2017-11-15 Thread Rob Seastrom
Just a shot in the dark here, but is it possible it's DHCPing to get its netmask (don't know default behavior if you don't supply one)? This is the admin_nic stanza from the SmartOS machine in the basement. admin_nic=f4:ce:46:b0:39:7a admin_ip=172.30.250.100 admin_netmask=255.255.254.0

[smartos-discuss] native ipfilter from inside an LX zone with systemd

2017-10-06 Thread Rob Seastrom
Hi folks, I suspect that most people who run host firewalls on LX zones are doing it from Triton, but for those of us running LX zones under non-SDC SmartOS, it can be appealing to get native ipfilter running from inside the zone, out of systemd, so it can be managed by one's automation

[smartos-discuss] Intel x520-da2 and DAC cables or third party optics?

2017-09-27 Thread Rob Seastrom
Hi folks, Quick look through the archives doesn't find anything so I figured I'd ask here before trying to read the code... The Intel 10ge NIC family has a rep for being picky about third party pluggable optics that don't have the right vendor ID burned into them. In the Linux ecosystem

Re: [smartos-discuss] regression in haproxy 1.6 vs 1.7 on smartos

2017-08-22 Thread Rob Seastrom
> On Aug 22, 2017, at 10:43 PM, Micky wrote: > > Would be worthwhile CCing it to ha-proxy mailing list. > Yeah, I'll do that in the morning. > I found this <1min: > https://www.mail-archive.com/haproxy@formilux.org/msg27079.html > > :-) Might or might not be the

Re: [smartos-discuss] vmadm create times out (but zone eventually starts) on DL360g6

2017-08-18 Thread Rob Seastrom
On Aug 18, 2017, at 11:29 AM, Robert Mustacchi <r...@joyent.com> wrote: On 8/17/17 18:31 , Rob Seastrom wrote: Hi folks, I'm scratching my head over SmartOS on a DL360g6 which I've been trying to piece together for deployment in a remote datacenter (DR and DNS service), so it's smaller / less c

Re: [smartos-discuss] vmadm create times out (but zone eventually starts) on DL360g6

2017-08-18 Thread Rob Seastrom
> On Aug 18, 2017, at 7:13 AM, Paul Sture <smar...@chingola.ch> wrote: > > On 18 Aug 2017, at 3:31, Rob Seastrom wrote: > >> OK, must be the disk subsystem right? Picked up some HP H220s (SAS2308 aka >> 9207s) and reflashed to IT mode. System boots but throws

[smartos-discuss] vmadm create times out (but zone eventually starts) on DL360g6

2017-08-17 Thread Rob Seastrom
Hi folks, I'm scratching my head over SmartOS on a DL360g6 which I've been trying to piece together for deployment in a remote datacenter (DR and DNS service), so it's smaller / less capable than the machines that I usually run. Some time ago I tried running SmartOS on these machines with an

[smartos-discuss] Asterisx on native zone?

2017-05-04 Thread Rob Seastrom
Haven't seen anyone here ask about Asterisk in a couple of years. Our situation is that we're running a very long in the tooth release of Astlinux on even more long in the tooth (PC Engines ALIX) hardware... oddly enough that platform is still supported. Needs are modest. Only a handful of

Re: [smartos-discuss] anyone else having issues with current Ansible?

2017-02-22 Thread Rob Seastrom
> On Feb 21, 2017, at 7:51 AM, Jonathan Perkin <jper...@joyent.com> wrote: > > * On 2017-02-21 at 12:29 GMT, Rob Seastrom wrote: > >> This morning I decided I'd try upgrading to whatever version of >> Ansible pip gave me, which in this case was ansible 2.2

Re: [smartos-discuss] anyone else having issues with current Ansible?

2017-02-21 Thread Rob Seastrom
> On Feb 21, 2017, at 7:51 AM, Jonathan Perkin <jper...@joyent.com> wrote: > > * On 2017-02-21 at 12:29 GMT, Rob Seastrom wrote: > >> This morning I decided I'd try upgrading to whatever version of >> Ansible pip gave me, which in this case was ansible 2.2

[smartos-discuss] anyone else having issues with current Ansible?

2017-02-21 Thread Rob Seastrom
I've been "stuck" on Ansible 1.9.6 for several months now, due to some issues I ran into with Ansible 2.0.0-alpha-something-or-other, which I figured would get sorted out eventually. This morning I decided I'd try upgrading to whatever version of Ansible pip gave me, which in this case was

Re: [smartos-discuss] About quota in KVM

2016-12-28 Thread Rob Seastrom
> On Dec 28, 2016, at 2:51 PM, Tiraen wrote: > > Demonstrating this to friends who are used to dealing with lesser hypervisors > will shock and amaze them. > > Thank you, I appreciated the humor, but he was not out of place. If you did > not work out, read the email

Re: [smartos-discuss] ipv6 firewall not working in smartos native zone

2016-11-18 Thread Rob Seastrom
. I'll take care of pulling that in. Once that's done, > your /etc/ipf/ipf6.conf file should get detected and loaded. > > - Cody > > > On Tue, Nov 15, 2016 at 2:21 PM, Rob Seastrom <rs-li...@seastrom.com> wrote: >> >> Hi all, >> >> Apologies in

[smartos-discuss] ipv6 firewall not working in smartos native zone

2016-11-15 Thread Rob Seastrom
Hi all, Apologies in advance for not actually getting my skills to a point where I can just fix this myself and send a pr after all the help rm gave me a couple of months ago. The autumn has been full of distractions. IPv6 firewall isn't working for me, and I hope I've got enough information

Re: [smartos-discuss] NFS "root" access not working when connecting via a vnic+etherstub

2016-11-08 Thread Rob Seastrom
On Nov 7, 2016, at 11:54 AM, Jesus Cea wrote: The problem is NFS4_DOMAIN. If not defined, it is generated from the DNS (reverse DNS mapping of the IP). The IP in the global zone is a public IP with reverse mapping. The IP of the internal zone (in the etherstub) is in the private range

Re: [smartos-discuss] Zpool command within zone

2016-10-19 Thread Rob Seastrom
+1 - I've found lofs to be just the ticket for stuff like persistent /home. Just works, no surprises. -r > On Oct 19, 2016, at 12:01 PM, Patrick O'Sullivan via smartos-discuss > wrote: > > It might be helpful if you explain why you are using delegated

Re: [smartos-discuss] Standardized Benchmarks and various overheads.

2016-10-01 Thread Rob Seastrom
> On Sep 30, 2016, at 7:43 PM, Matthew Parsons > wrote: > > FWIW, the main production workload that I will care about is a not-well > threaded java server app, so single-threaded performance, coupled with a > large-ish MySQL DB with frequent, random I/O both read

Re: [smartos-discuss] how to block init 6 on global zone

2016-09-29 Thread Rob Seastrom
> On Sep 29, 2016, at 8:41 AM, Jonathan Perkin <jper...@joyent.com> wrote: > > * On 2016-09-29 at 13:29 BST, Rob Seastrom wrote: > >> Of course, now you have a problem: since you put the alias in >> ~root/.bashrc, it will be gone after you reboot, becau

Re: [smartos-discuss] how to block init 6 on global zone

2016-09-29 Thread Rob Seastrom
> On Sep 29, 2016, at 7:02 AM, the outsider wrote: > > It would be nice to have shutdown and/or reboot functions on the global zone > protected with a yes/no option. > > It is just something to make the system fool proof, where sender considers > himself foolish >

[smartos-discuss] workflow question - contributing to smartos

2016-09-15 Thread Rob Seastrom
I'm looking to make some trivial tweaks to the installer and offer them back, but can't seem to figure out what the preferred mechanism is for this. Being a github novice probably isn't helping. Past experience with vcses going back as far as RCS and Projector and current use of svn and pf

Re: [smartos-discuss] dual-stacking some Joyent infrastructure?

2016-09-05 Thread Rob Seastrom
to add a dual stack proxy to > your infrastructure. > > -- > Brian Bennett > Systems Engineer, Cloud Operations > Joyent, Inc. | www.joyent.com > >> On Sep 3, 2016, at 5:40 PM, Rob Seastrom <rs-li...@seastrom.com> wrote: >> >> The LetsEncrypt folks recently

[smartos-discuss] ziostat not providing rolling stats?

2016-09-04 Thread Rob Seastrom
Has anyone else noticed that ziostat does not seem to be providing correct rolling updates in current-ish SmartOS? Behavior observed when running "ziostat -Z 5" on 20160804T173241Z was plausible rollup stats on first output, and then zeroes for all metrics, even when deliberately flogging the

Re: [smartos-discuss] Four-drive raidz2...

2016-08-10 Thread Rob Seastrom
> On Aug 10, 2016, at 8:53 PM, Robert Mustacchi <r...@joyent.com> wrote: > > On 8/10/16 6:54 , Rob Seastrom wrote: >> >> Apologies if a duplicate somehow makes it through; I accidentally sent >> previously from my non-lists account (which is not subscribed)

[smartos-discuss] Four-drive raidz2...

2016-08-10 Thread Rob Seastrom
Apologies if a duplicate somehow makes it through; I accidentally sent previously from my non-lists account (which is not subscribed). Back before you got much of an install-time layout choice on the zpool, I set up some 1u machines with raidz2 on a 4 x LFF disk array by going behind SmartOS'

Re: [smartos-discuss] lx zone oddity: unable to run cross-compiler.

2016-07-21 Thread Rob Seastrom
> On Jul 20, 2016, at 11:34 PM, Ian Collins wrote: > > I am trying to configure am ARM cross-compiler environment (from > yoctoproject.org) on an ubuntu 14.04 lx zone. Last September I tried to do exactly this while at an internal conference at work (RDK-B is

Re: [smartos-discuss] admin on vlan aggregation not working...

2016-05-10 Thread Rob Seastrom
Actually you don't need to get away from running untagged on the admin interface in order to get where I think you want to be. Assuming that SmartOS doesn't barf and refuse "vlan_id": on the admin nic, it's completely OK from a protocol perspective to simultaneously run native (untagged) and

Re: [smartos-discuss] images.joyent.com sick?

2016-03-19 Thread Rob Seastrom
4:57 PM, Jason Schmidt <jason.schm...@joyent.com> wrote: > > Hi Rob, > > Can you please try again? We should be good now, but wanted to verify with > you. > > Jay > > > Rob Seastrom wrote: >> Is images.joyent.com unhappy? I'm having trouble impor

[smartos-discuss] images.joyent.com sick?

2016-03-19 Thread Rob Seastrom
Is images.joyent.com unhappy? I'm having trouble importing images from multiple locations, on systems running both 20151015T063628Z and 20160218T022556Z. Traceroute works, ping works, telnet to port 443 works... but no imgadm import joy. -r [root@78-e3-b5-12-d6-e0 ~]# imgadm import

Re: [smartos-discuss] promiscuous-mode nic passthrough (think Snort and SPAN)

2016-02-29 Thread Rob Seastrom
> On Feb 29, 2016, at 5:27 PM, Robert Mustacchi wrote: >> I can see all traffic just fine when I run snoop in the global zone. >> >> A possible added difficulty is that the mirror port is spitting out 802.1q >> tagged traffic. I was only getting the LLDP traffic between the

[smartos-discuss] promiscuous-mode nic passthrough (think Snort and SPAN)

2016-02-26 Thread Rob Seastrom
Hi folks, Maybe my Google-fu is failing me (and searching my archives of this list has failed me too)... but has anyone got a recipe for passing through a physical NIC in a mode where it can go promiscuous mode to a SmartMachine? Is that even possible with Crossbow in the middle? Use case