From nobody Sun Nov 5 18:13:57 2023
Date: Sun, 05 Nov 2023 19:13:57 +0100
From: Baptiste Daroussin
To: freebsd-arch@freebsd.org, Christos Margiolis, Warner Losh
CC: Gary Jennejohn, bojan.novkovic@fer.hr, imp@freebsd.org
Subject: Re: HEADS UP: IUTF8 to be enabled by default
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch

On 3 November 2023 14:54:23 GMT+01:00, Christos Margiolis wrote:
>Warner Losh wrote:
>> This string is set too late for the default. Also, drivers don't have
>> access to process data.
>
>Do you think we should just enable it in TTYDEF_IFLAG in
>sys/sys/ttydefaults.h?
>
>Christos
>

Yes please!

Bapt

From nobody Mon Nov 6 14:55:33 2023
Date: Mon, 6 Nov 2023 16:55:33 +0200
From: Christos Margiolis
To: Baptiste Daroussin
Cc: Gary Jennejohn, bojan.novkovic@fer.hr,
 imp@freebsd.org, freebsd-arch@freebsd.org
Subject: Re: HEADS UP: IUTF8 to be enabled by default

Baptiste Daroussin wrote:
> On 3 November 2023 14:54:23 GMT+01:00, Christos Margiolis wrote:
> >Do you think we should just enable it in TTYDEF_IFLAG in
> >sys/sys/ttydefaults.h?
> >
> >Christos
> >
>
> Yes please!
>
> Bapt

Committed in
https://cgit.freebsd.org/src/commit/?id=bb830e346bd50545e9868a1802d631afb6b50bb0

Christos

From nobody Mon Nov 6 15:00:11 2023
Date: Mon, 6 Nov 2023 16:00:11 +0100
From: Baptiste Daroussin
To: Christos Margiolis
Cc: arch@freebsd.org
Subject: Re: HEADS UP: IUTF8 to be enabled by default

On Mon, Nov 06, 2023 at 04:55:33PM +0200, Christos Margiolis wrote:
> Baptiste Daroussin wrote:
> > On 3 November 2023 14:54:23 GMT+01:00, Christos Margiolis wrote:
> > >Do you think we should just enable it in TTYDEF_IFLAG in
> > >sys/sys/ttydefaults.h?
> > >
> > >Christos
> > >
> >
> > Yes please!
> >
> > Bapt
>
> Committed in
> https://cgit.freebsd.org/src/commit/?id=bb830e346bd50545e9868a1802d631afb6b50bb0
>
> Christos

Thank you!

Please add a RELNOTE entry it really deserves to be in freebsd 15.0 release
notes!

Best regards,
Bapt

From nobody Thu Nov 9 07:54:22 2023
Date: Thu, 09 Nov 2023 08:54:22 +0100
From: Alexander Leidinger
To: freebsd-arch@freebsd.org
Subject: Any particular reason we don't have sshd oomprotected by default?

Hi,

We have syslogd oomprotected by default (/etc/defaults/rc.conf). Is there a
particular reason we don't have sshd protected the same way?

Any objections if I would commit such a change (sshd_oomprotect=YES in
defaults/rc.conf)?

I was also thinking about which other daemon we should protect by default,
but apart from the need to make sure important logs are written to find
issues which may have caused the oom trigger, and the need to be able to
login to such a troubled system, I didn't see any other service as such
critical (we could argue about ntpd, but I tend to be on the "may be
protected" (not for my use cases) and not to be on the "has to be protected"
side) to include it in this proposal.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF

From nobody Thu Nov 9 08:09:00 2023
Date: Thu, 9 Nov 2023 09:09:00 +0100
From: Robert Clausecker
To: Alexander Leidinger
Cc: freebsd-arch@freebsd.org
Subject: Re: Any particular reason we don't have sshd oomprotected by default?

Hi Alexander,

I encountered the same issue a while ago, leaving my system in a
vegetative state. I would propose to add syslogd and cron to the
list. Syslogd because when it dies and you don't notice, you may go for
a long time without syslogs, cron because a dead cron means no
housekeeping tasks happen, including some which the administrator may
have intended to fix an issue causing an OOM condition (e.g.
periodically restarting services with known memory leaks or cleaning
tmpfs-based file systems).

Yours,
Robert Clausecker

On Thu, Nov 09, 2023 at 08:54:22AM +0100, Alexander Leidinger wrote:
> Hi,
>
> We have syslogd oomprotected by default (/etc/defaults/rc.conf). Is there a
> particular reason we don't have sshd protected the same way?
>
> Any objections if I would commit such a change (sshd_oomprotect=YES in
> defaults/rc.conf)?
>
> I was also thinking about which other daemon we should protect by default,
> but apart from the need to make sure important logs are written to find
> issues which may have caused the oom trigger, and the need to be able to
> login to such a troubled system, I didn't see any other service as such
> critical (we could argue about ntpd, but I tend to be on the "may be
> protected" (not for my use cases) and not to be on the "has to be protected"
> side) to include it in this proposal.
>
> Bye,
> Alexander.
>
> --
> http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF

-- 
()  ascii ribbon campaign - for an 8-bit clean world
/\  - against html email  - against proprietary attachments

From nobody Thu Nov 9 08:17:03 2023
Date: Thu, 09 Nov 2023 09:17:03 +0100
From: Alexander Leidinger
To: Robert Clausecker
Cc: freebsd-arch@freebsd.org
Subject: Re: Any particular reason we don't have sshd oomprotected by default?

On 2023-11-09 09:09, Robert Clausecker wrote:
> Hi Alexander,
>
> I encountered the same issue a while ago, leaving my system in a
> vegetative state. I would propose to add syslogd and cron to the

syslogd is already protected (at least in 14 and -current).

> list. Syslogd because when it dies and you don't notice, you may go for
> a long time without syslogs, cron because a dead cron means no
> housekeeping tasks happen, including some which the administrator may
> have intended to fix an issue causing an OOM condition (e.g.
> periodically restarting services with known memory leaks or cleaning
> tmpfs-based file systems).

I thought about crond. I agree with your reasoning (I have some cronjobs
which are supposed to fix/workaround some issues which for whatever reason
can not be handled in a better way). On the other hand I disagree as it can
also be the cause of such an oom situation (that's the reason why I didn't
include it in my proposal).

If the general consensus is to add sshd and cron, I offer to do the work to
add it.

Bye,
Alexander.

> Yours,
> Robert Clausecker
>
> On Thu, Nov 09, 2023 at 08:54:22AM +0100, Alexander Leidinger wrote:
>> Hi,
>>
>> We have syslogd oomprotected by default (/etc/defaults/rc.conf). Is there a
>> particular reason we don't have sshd protected the same way?
>>
>> Any objections if I would commit such a change (sshd_oomprotect=YES in
>> defaults/rc.conf)?
>>
>> I was also thinking about which other daemon we should protect by default,
>> but apart from the need to make sure important logs are written to find
>> issues which may have caused the oom trigger, and the need to be able to
>> login to such a troubled system, I didn't see any other service as such
>> critical (we could argue about ntpd, but I tend to be on the "may be
>> protected" (not for my use cases) and not to be on the "has to be protected"
>> side) to include it in this proposal.
>>
>> Bye,
>> Alexander.
>>
>> --
>> http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
>> http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF

From nobody Thu Nov 9 11:18:53 2023
h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=WuktPmH0PMN+5D+wEDMwzEDKrCNP2t4I0V+M/xW9vkE=; b=EQ6WZL5MCtd240fKyn+TVym2XCnGg9a+EXTrht86TlUysAD2ob7DxpP17TnGOO3UgVRnSj evXN0BCl5qFiyxyCARUZvEvu+Y2WnIlVWkxSRT5C+6hIu5xvnC748e/+5IRTtAN6Ok33Cu /Dg/ub3/MLtw088iFidlRr+7UFGmbiHi9JDgidvYaKfGCWXrfIGayK9l8sS4pitDLmOlII 1DgXuZ+mWhf6ONLzyHmht52XC4czwWyvFKSFuUFvk/8seK1jVrI9OwIPRGpo9AfbV690u/ SNmV6B4O3nURO358VAF4mSYEzlzS0tLIeVTKXktYJUqy9geXVunmd4XlyDQFKA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1699528738; a=rsa-sha256; cv=none; b=b+MrG8sEjudNGthLKvk0YMuqi697HqNEO8DgegtKoS/MbGqayWbw2zq00gsxwt56+VosM9 g4EhEUNMASeYQLrAU2f1/C0fZk/CLuoS5DNh93V93HlemQXKHMD4lcDfuUW5cMVZdgQ2qB rWjfgSLaS+gKB0ddbRZQfTZ7x5uDWI0NEa+LK47wf8jaGFfEQma7bK0s9VDp+zeBnWVyeb mMj9WkuHem+xyz8gtywJNR9FL4jUfOqYXNJTmTkJKy4gvfQGgXTRQWVvG9DGst2Q05iYOx uAQCUQtNizkcYWhmcJmFv2TSrbQdLs+oUVV9r5HXzEtak82t/LyNkGtaJi5KDw== Received: from auth1-smtp.messagingengine.com (auth1-smtp.messagingengine.com [66.111.4.227]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: philip/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4SQzwy0npzz7kM; Thu, 9 Nov 2023 11:18:58 +0000 (UTC) (envelope-from philip@freebsd.org) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailauth.nyi.internal (Postfix) with ESMTP id 5FACC27C0054; Thu, 9 Nov 2023 06:18:57 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Thu, 09 Nov 2023 06:18:57 -0500 X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedruddvuddgvdeiucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen 
uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvvefufffokfgjfhggtgesthdtmhdtredttdenucfhrhhomheprfhhihhl ihhpucfrrggvphhsuceophhhihhlihhpsehfrhgvvggsshgurdhorhhgqeenucggtffrrg htthgvrhhnpedvueeivdelledvvdefhfeutdevtdeludeihfelhfevkeejudegfeektedu udejjeenucffohhmrghinheptghonhhfrdhishdpfhhrvggvsghsugdrohhrghenucevlh hushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehphhhilhhiphdo mhgvshhmthhprghuthhhphgvrhhsohhnrghlihhthidqudduieeivdeivdegkedqvdefhe dukedttdekqdhphhhilhhipheppehfrhgvvggsshgurdhorhhgsehtrhhouhgslhgvrdhi sh X-ME-Proxy: Feedback-ID: ia691475d:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 9 Nov 2023 06:18:55 -0500 (EST) From: Philip Paeps To: Alexander Leidinger Cc: freebsd-arch@freebsd.org Subject: Re: Any particular reason we don't have sshd oomprotected by default? Date: Thu, 09 Nov 2023 19:18:53 +0800 X-Mailer: MailMate (1.14r5998) Message-ID: <5F066A40-CD1D-4D32-850E-0A85D86AE499@freebsd.org> In-Reply-To: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net> References: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net> List-Id: Discussion related to FreeBSD architecture List-Archive: https://lists.freebsd.org/archives/freebsd-arch List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-arch@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; format=flowed On 2023-11-09 15:54:22 (+0800), Alexander Leidinger wrote: > We have syslogd oomprotected by default (/etc/defaults/rc.conf). Is > there a particular reason we don't have sshd protected the same way? > > Any objections if I would commit such a change (sshd_oomprotect=YES in > defaults/rc.conf)? I don't have feelings about it either way. It probably makes sense to optimise for installations that don't have out of band access. 
> I was also thinking about which other daemon we should protect by > default, but apart from the need to make sure important logs are > written to find issues which may have caused the oom trigger, and the > need to be able to login to such a troubled system, I didn't see any > other service as such critical (we could argue about ntpd, but I send > to be on the "may be protected" (not for my use cases) and not to be > on the "has to be protected" side) to include it in this proposal. In the FreeBSD.org cluster, we set local_unbound_oomprotect="YES" too. Without DNS, everything grinds to a halt. Including SSH. Philip -- Philip Paeps Senior Reality Engineer Alternative Enterprises From nobody Thu Nov 9 11:20:30 2023 X-Original-To: freebsd-arch@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SQzyp22Kzz50NrN for ; Thu, 9 Nov 2023 11:20:34 +0000 (UTC) (envelope-from philip@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4SQzyp1cwCz4PlZ; Thu, 9 Nov 2023 11:20:34 +0000 (UTC) (envelope-from philip@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1699528834; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=zVq6ypEF7A1ui9SmHdd/dO9I/ocEVS5Zek5QZYcaflM=; b=aTS4S+sNnhT3FTWVoxVYQ/Mr7PODxzL+ntxi/lLY/X/Jcl20Qm2b37xeWQojRnvIfMps9N K6UnwPXgXRVRDBM6WqSUYFMHq4Rp5OWNjia5uMq+uklcIkYfGf2130Oa3tsxW/tZ65Q4/k 
From: Philip Paeps
To: Robert Clausecker
Cc: Alexander Leidinger, freebsd-arch@freebsd.org
Subject: Re: Any particular reason we don't have sshd oomprotected by default?
Date: Thu, 09 Nov 2023 19:20:30 +0800
References: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net>

On 2023-11-09 16:09:00 (+0800), Robert Clausecker wrote:
> I encountered the same issue a while ago, leaving my system in a
> vegetative state. I would propose to add syslogd and cron to the
> list.
> Syslogd because when it dies and you don't notice, you may go for
> a long time without syslogs, cron because a dead cron means no
> housekeeping tasks happen, including some which the administrator may
> have intended to fix an issue causing an OOM condition (e.g.
> periodically restarting services with known memory leaks or cleaning
> tmpfs-based file systems).

In my experience, cron is more often the cause of an OOM condition than
a help to making it stop. :-)

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises

From nobody Thu Nov 9 19:59:59 2023
From: Cy Schubert
To: Philip Paeps
Cc: Robert Clausecker, Alexander Leidinger, freebsd-arch@freebsd.org
Subject: Re: Any particular reason we don't have sshd oomprotected by default?
Date: Thu, 09 Nov 2023 11:59:59 -0800
Message-Id: <20231109195959.7B33B348@slippy.cwsent.com>
References: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net>

In message , Philip Paeps writes:
> On 2023-11-09 16:09:00 (+0800), Robert Clausecker wrote:
> > I encountered the same issue a while ago, leaving my system in a
> > vegetative state. I would propose to add syslogd and cron to the
> > list.
> > Syslogd because when it dies and you don't notice, you may go for
> > a long time without syslogs, cron because a dead cron means no
> > housekeeping tasks happen, including some which the administrator may
> > have intended to fix an issue causing an OOM condition (e.g.
> > periodically restarting services with known memory leaks or cleaning
> > tmpfs-based file systems).
>
> In my experience, cron is more often the cause of an OOM condition than
> a help to making it stop. :-)

Would that be cron or something that cron has started?

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e^(i*pi)+1=0

From nobody Fri Nov 10 02:31:53 2023
From: Philip Paeps
To: Cy Schubert
Cc: Robert Clausecker, Alexander Leidinger, freebsd-arch@freebsd.org
Subject: Re: Any particular reason we don't have sshd oomprotected by default?
Date: Fri, 10 Nov 2023 10:31:53 +0800
Message-ID: <281A373B-E3E2-480E-AE00-C8C691463106@freebsd.org>
In-Reply-To: <20231109195959.7B33B348@slippy.cwsent.com>
References: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net> <20231109195959.7B33B348@slippy.cwsent.com>

On 2023-11-10 03:59:59 (+0800), Cy Schubert wrote:
> Philip Paeps writes:
>> On 2023-11-09 16:09:00 (+0800), Robert Clausecker wrote:
>>> I encountered the same issue a while ago, leaving my system in a
>>> vegetative state. I would propose to add syslogd and cron to the
>>> list.
>>> Syslogd because when it dies and you don't notice, you may go for
>>> a long time without syslogs, cron because a dead cron means no
>>> housekeeping tasks happen, including some which the administrator may
>>> have intended to fix an issue causing an OOM condition (e.g.
>>> periodically restarting services with known memory leaks or cleaning
>>> tmpfs-based file systems).
>>
>> In my experience, cron is more often the cause of an OOM condition than
>> a help to making it stop. :-)
>
> Would that be cron or something that cron has started?

A common pathology is something that is started every few minutes in the
expectation that it will take less than a few minutes to run. Instead, it
runs away with all memory. I'd rather let cron die of starvation than have
it make the situation worse.

So yes: something that has started. cron itself is not eating all memory.

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises

From nobody Fri Nov 10 09:07:30 2023
From: Alexander Leidinger
To: Philip Paeps
Cc: freebsd-arch@freebsd.org
Subject: Re: Any particular reason we don't have sshd oomprotected by default?
Date: Fri, 10 Nov 2023 10:07:30 +0100
In-Reply-To: <5F066A40-CD1D-4D32-850E-0A85D86AE499@freebsd.org>
References: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net> <5F066A40-CD1D-4D32-850E-0A85D86AE499@freebsd.org>

On 2023-11-09 12:18, Philip Paeps wrote:
> On 2023-11-09 15:54:22 (+0800), Alexander Leidinger wrote:
>> We have syslogd oomprotected by default (/etc/defaults/rc.conf).
>> Is there a particular reason we don't have sshd protected the same way?
>>
>> Any objections if I would commit such a change (sshd_oomprotect=YES in
>> defaults/rc.conf)?
>
> I don't have feelings about it either way. It probably makes sense to
> optimise for installations that don't have out of band access.
>
>> I was also thinking about which other daemon we should protect by
>> default, but apart from the need to make sure important logs are
>> written to find issues which may have caused the oom trigger, and the
>> need to be able to login to such a troubled system, I didn't see any
>> other service as such critical (we could argue about ntpd, but I tend
>> to be on the "may be protected" (not for my use cases) and not to be
>> on the "has to be protected" side) to include it in this proposal.
>
> In the FreeBSD.org cluster, we set local_unbound_oomprotect="YES" too.
> Without DNS, everything grinds to a halt. Including SSH.

https://reviews.freebsd.org/D42544

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
From nobody Fri Nov 10 10:20:39 2023
Date: Fri, 10 Nov 2023 10:20:39 +0000
From: Gary Jennejohn
To: Alexander
 Leidinger
Cc: Philip Paeps, freebsd-arch@freebsd.org
Subject: Re: Any particular reason we don't have sshd oomprotected by default?
Message-ID: <20231110112039.214c6343@ernst.home>
References: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net> <5F066A40-CD1D-4D32-850E-0A85D86AE499@freebsd.org>
Reply-To: garyj@gmx.de

On Fri, 10 Nov 2023 10:07:30 +0100
Alexander Leidinger wrote:

> On 2023-11-09 12:18, Philip Paeps wrote:
> > On 2023-11-09 15:54:22 (+0800), Alexander Leidinger wrote:
> >> We have syslogd oomprotected by default (/etc/defaults/rc.conf). Is
> >> there a particular reason we don't have sshd protected the same way?
> >>
> >> Any objections if I would commit such a change (sshd_oomprotect=YES in
> >> defaults/rc.conf)?
> >
> > I don't have feelings about it either way. It probably makes sense to
> > optimise for installations that don't have out of band access.
> >
> >> I was also thinking about which other daemon we should protect by
> >> default, but apart from the need to make sure important logs are
> >> written to find issues which may have caused the oom trigger, and the
> >> need to be able to login to such a troubled system, I didn't see any
> >> other service as such critical (we could argue about ntpd, but I tend
> >> to be on the "may be protected" (not for my use cases) and not to be
> >> on the "has to be protected" side) to include it in this proposal.
> >
> > In the FreeBSD.org cluster, we set local_unbound_oomprotect="YES" too.
> > Without DNS, everything grinds to a halt. Including SSH.
>
> https://reviews.freebsd.org/D42544
>

Fix the typos which bcr mentions and it will be ready to commit.

-- 
Gary Jennejohn

From nobody Fri Nov 10 10:55:50 2023
From: Daniel Ebdrup Jensen
To: freebsd-arch@freebsd.org
Subject: Re: Any particular reason we don't have sshd oomprotected by default?
Date: Fri, 10 Nov 2023 11:55:50 +0100
In-Reply-To: <281A373B-E3E2-480E-AE00-C8C691463106@freebsd.org>
References: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net> <20231109195959.7B33B348@slippy.cwsent.com> <281A373B-E3E2-480E-AE00-C8C691463106@freebsd.org>

On Fri, Nov 10, 2023 at 10:31:53AM +0800, Philip Paeps wrote:
>On 2023-11-10 03:59:59 (+0800), Cy Schubert wrote:
>>Philip Paeps writes:
>>>On 2023-11-09 16:09:00 (+0800), Robert Clausecker wrote:
>>>>I encountered the same issue a while ago, leaving my system in a
>>>>vegetative state. I would propose to add syslogd and cron to the
>>>>list. Syslogd because when it dies and you don't notice, you may go for
>>>>a long time without syslogs, cron because a dead cron means no
>>>>housekeeping tasks happen, including some which the administrator may
>>>>have intended to fix an issue causing an OOM condition (e.g.
>>>>periodically restarting services with known memory leaks or cleaning
>>>>tmpfs-based file systems).
>>>
>>>In my experience, cron is more often the cause of an OOM condition than
>>>a help to making it stop. :-)
>>
>>Would that be cron or something that cron has started?
>
>A common pathology is something that is started every few minutes in
>the expectation that it will take less than a few minutes to run.
>Instead, it runs away with all memory. I'd rather let cron die of
>starvation than have it make the situation worse.
>
>So yes: something that has started. cron itself is not eating all
>memory.
>
>Philip
>
>-- 
>Philip Paeps
>Senior Reality Engineer
>Alternative Enterprises
>

Hi folks,

This is a relatively common scenario, yes - but interestingly enough,
FreeBSD's version has not only the @ invocation with a bunch of different
values, it can do arbitrary time-lengths as specified with seconds.

The best part about the @ invocation, though, is that it attempts to wait
that many seconds after the previous run has exited successfully - so it's
much harder to get into a situation as described above.

My only reason for mentioning this is that I think it's a pretty neat
little feature that not enough people know about, given its usefulness.

Yours,
Daniel Ebdrup Jensen

From nobody Fri Nov 10 11:16:46 2023
Date: Fri, 10 Nov 2023 12:16:46 +0100
From: Alexander Leidinger
To: garyj@gmx.de
Cc: Philip Paeps, freebsd-arch@freebsd.org
Subject: Re: Any particular reason we don't have sshd oomprotected by default?
In-Reply-To: <20231110112039.214c6343@ernst.home>
References: <8b9484ba83e373ece0e322e14c924da6@Leidinger.net> <5F066A40-CD1D-4D32-850E-0A85D86AE499@freebsd.org> <20231110112039.214c6343@ernst.home>
Message-ID: <20d9d67fd88d120f9aa54e791c195a80@Leidinger.net>
Organization: No organization, this is a private message.

On 2023-11-10 11:20, Gary Jennejohn wrote:

> On Fri, 10 Nov 2023 10:07:30 +0100
> Alexander Leidinger wrote:
>> https://reviews.freebsd.org/D42544
>>
>
> Fix the typos which bcr mentions and it will be ready to commit.

Fixed. I'm giving the rest of the world a chance to wake up and have a look... no need to hurry this in within some hours.
Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF