From nobody Sun Jun 18 21:00:54 2023
From: bugzilla-noreply@FreeBSD.org
To: fs@FreeBSD.org
Subject: Problem reports for fs@FreeBSD.org that need special attention
Date: Sun, 18 Jun 2023 21:00:54 +0000
List-Archive: https://lists.freebsd.org/archives/freebsd-fs

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237067 | ZFS: Crash in vdev_dtl_reassess when using GELI w
Open        |    244692 | gjournal: Does not support TRIM
Open        |    269503 | docs.freebsd.org: default vfs.zfs.arc.meta_limit
Open        |    271384 | zfs_load is not suitably documented

4 problems total for which you should take action.

From nobody Mon Jun 19 15:38:00 2023
From: bugzilla-noreply@freebsd.org
To: fs@FreeBSD.org
Subject: [Bug 244899] zfs: xattr on a symlink target > 136 causes "bad file descriptor" (on 12.1) and panic on (13 CURRENT) in sa_build_index()
Date: Mon, 19 Jun 2023 15:38:00 +0000
X-Bugzilla-Who: olgeni@FreeBSD.org
X-Bugzilla-Status: In Progress

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244899

--- Comment #10 from Jimmy Olgeni ---
Just a quick note that I'm seeing this regularly on some VMs, and physical
hosts to a lesser degree.

For some reason running "pkg upgrade" on py39-ansible seems to be a sure way
to trigger this on the affected boxes.

===
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
        py39-ansible: 7.1.0 -> 7.6.0

Number of packages to be upgraded: 1

The process will require 10 MiB more space.
[1/1] Upgrading py39-ansible from 7.1.0 to 7.6.0...
[1/1] Extracting py39-ansible-7.6.0: 38%
pkg: Fail to chmod /usr/local/lib/python3.9/site-packages/ansible_collections/community/general/plugins/modules/__pycache__/.pkgtemp.django_manage.cpython-39.pyc.ub2f8mxmwp9S:Bad file descriptor
[1/1] Extracting py39-ansible-7.6.0: 100%
===

The affected path is never the same.

I ran "script LOG truss -f pkg upgrade -y py39-ansible" in the hope of getting
useful data - it was very slow but it worked on the first try, so there may be
some timing issue involved? :|

From nobody Wed Jun 21 19:22:06 2023
From: bugzilla-noreply@freebsd.org
To: fs@FreeBSD.org
Subject: [Bug 264141] nvme(4): Heavy load to SSD wedges 13.1 system: Controller in fatal status, resetting ... Resetting controller due to a timeout and possible hot unplug.
Date: Wed, 21 Jun 2023 19:22:06 +0000
X-Bugzilla-Who: emaste@freebsd.org
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264141

Ed Maste changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|https://bugs.freebsd.org/bu |
                   |gzilla/show_bug.cgi?id=2629 |
                   |69                          |

From nobody Fri Jun 23 01:03:14 2023
From: bugzilla-noreply@freebsd.org
To: fs@FreeBSD.org
Subject: [Bug 271925] chflags(1) fails to remove uarch flag with hardlinked files (ZFS)
Date: Fri, 23 Jun 2023 01:03:14 +0000
X-Bugzilla-Who: jamie@catflap.org
X-Bugzilla-Status: In Progress

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271925

--- Comment #5 from Jamie Landeg-Jones ---
(In reply to Stefan Eßer from comment #1)

Thanks for the quick response!

Apologies for the late reply, I haven't been at home for the last 2 weeks, so
online time is more sporadic.

The problem with /bin/chflags is more generic - it's just that this ZFS quirk
highlighted the difference. The more general case is that whilst /bin/chflags
will not modify a file if the modification isn't needed, the logic fails when
files are hardlinked... Though fixing this may be not worth the effort, it's
just pedantry at the end of the day, and might even be considered "correct"
behaviour - i.e. "if a file is hardlinked then expect it to be accessed for
each link found."

Anyway, if it was fixed, I think filtering out duplicate inodes would be the
cleanest and most efficient solution.

For example, (and I forgot to mention in my post, sorry) I did a quick
chflags(2) syscall wrapper code to set the flags on a file to 0:

    /*
     * Header names were stripped by the archive; these are the ones that
     * lchflags(2), warnx(3), errno and strerror(3) need.
     */
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <err.h>
    #include <errno.h>
    #include <string.h>
    #include <unistd.h>

    int main (int argc, char **argv)
     {
      /* Clear all file flags on every path given, without following symlinks. */
      while (*++argv != NULL)
       if (lchflags (*argv, 0) == -1) warnx("%s: %s", *argv, strerror (errno));
     }

On tmpfs, UFS, and ZFS, touching a test file, and setting some flags, then
running the above program resets the flags, and updates ctime, as expected.

On all three filesystems, running it again always updates the ctime on all 3
filesystems, but on ZFS it switches on uarch. Running it again switches off
uarch.

Using /bin/chflags, on all three filesystems, running it again doesn't update
the ctime, or on ZFS, toggle the uarch.

So the consensus seems to be "chflags(2)" updates regardless, whilst
/bin/chflags will stat the file and only make the chflags(2) call if necessary
(of course, this gets tripped up in the hardlinked case mentioned in this bug
report)

> This seems to be caused by ZFS collecting multiple flag updates and by
> effectively mapping the setting of flags to toggling of flags.

I don't think it's that - try the above test program - whilst filesystems have
the logic "any change updates the ctime", ZFS has the additional "any change
other than one that unsets uarch will also set uarch" - this seems to break
down because when you attempt to remove uarch on a file that doesn't have uarch
set, this fails the "we are removing uarch" logic. This, I suspect, should be
fixed in ZFS.

> but I guess that the second call sees that the new attributes are identical
> to the (already altered) current attributes of the file and then marks it to
> not need a vnode update on stable storage.

I think it's the other way around. The chflags system call (and therefore ZFS)
run the code even if the attributes are identical. /bin/chflags doesn't run the
call if the new attributes are identical, but this logic fails if a file is
hardlinked, because the initial stat shows "both" need to be updated.

There are also consistencies in chmod(1) - chmod on ZFS causes an update even
if no actual chmod takes place - I haven't looked more closely at this, but
this opens up a whole can of worms.

I guess the first question should be "If any metadata change is attempted on a
file that doesn't actually result in the data being changed (because it's
"changing" it to the value it already has) then whose responsibility is it to
not attempt the change, and consequently update ctime? Is it userland, or is it
the syscall, or is it the filesystem code itself?

Cheers, Jamie

From nobody Sat Jun 24 08:52:15 2023
Date: Sat, 24 Jun 2023 18:52:15 +1000
From: Peter Jeremy <peterj@freebsd.org>
To: freebsd-fs@freebsd.org
Subject: Verifying NFS over TLS

I've recently been configuring NFS over TLS[*] and one issue that came
up was how to verify that it's actually using TLS.

* "mount -v" doesn't provide any indication of mount options.
* Various kern.ipc.tls sysctls can confirm that *something* is using
  ktls but not that a specific NFS mount is using TLS.
* tcpdump's inability to decode traffic on port 2049 is a fairly good
  indication but isn't as direct as I'd like.

What is the recommended way to distinguish TLS from non-TLS mounts?

[*] Thanks very much rmacklem@ for your work.

--
Peter Jeremy
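
One way to make the tcpdump observation in the message above more direct, as an added example that is not part of the original post or of FreeBSD: classify the client-to-server bytes of a port 2049 connection by their record framing. It assumes the RFC 9289 exchange (a cleartext NULL call with the AUTH_TLS flavor, then TLS records) and a reassembled stream from the start of the connection; the function names and sample streams are constructed for illustration.

```python
import struct

NFS_PROGRAM = 100003                    # ONC RPC program number of NFS
AUTH_SYS, AUTH_TLS = 1, 7               # RPC auth flavors (AUTH_TLS: RFC 9289)
TLS_CONTENT_TYPES = {20, 21, 22, 23}    # ccs, alert, handshake, app data
TLS_HANDSHAKE = 22
TLS_MAX_RECORD = 16384 + 2048           # largest legal TLS record body


def rpc_call(xid, proc, flavor, cred_body=b""):
    """Build one record-marked NFSv4 RPC call (constructed sample input)."""
    pad = b"\0" * (-len(cred_body) % 4)
    msg = struct.pack(">6I", xid, 0, 2, NFS_PROGRAM, 4, proc)
    msg += struct.pack(">2I", flavor, len(cred_body)) + cred_body + pad
    msg += struct.pack(">2I", 0, 0)     # empty AUTH_NONE verifier
    return struct.pack(">I", 0x80000000 | len(msg)) + msg


def tls_record(content_type, length):
    """Build a TLS record header with filler body (constructed, not real TLS)."""
    return struct.pack(">BHH", content_type, 0x0303, length) + b"\0" * length


def walk_stream(data):
    """List the records at the start of a client-to-server byte stream."""
    events, off = [], 0
    while off + 4 <= len(data):
        looks_tls = (data[off] in TLS_CONTENT_TYPES and off + 5 <= len(data)
                     and data[off + 1] == 3 and data[off + 2] <= 4)
        if looks_tls:
            ctype, _version, length = struct.unpack_from(">BHH", data, off)
            if length > TLS_MAX_RECORD:
                return events + [("unknown", None)]
            events.append(("tls", ctype))
            off += 5 + length
            continue
        # RPC record marking: 4-byte mark, top bit set on the last fragment.
        record = b""
        while off + 4 <= len(data):
            (mark,) = struct.unpack_from(">I", data, off)
            length = mark & 0x7FFFFFFF
            record += data[off + 4:off + 4 + length]
            off += 4 + length
            if mark & 0x80000000:
                break
        if len(record) < 32:
            return events + [("unknown", None)]
        _xid, mtype, rpcvers, prog, _vers, proc, flavor, _clen = \
            struct.unpack_from(">8I", record)
        if mtype != 0 or rpcvers != 2 or prog != NFS_PROGRAM:
            return events + [("unknown", None)]
        events.append(("rpc", (proc, flavor)))
    return events


def classify(data):
    """Return 'tls', 'plaintext', 'probe-then-plaintext' or 'unknown'."""
    events = walk_stream(data)
    if not events or events[0][0] != "rpc" or ("unknown", None) in events:
        return "unknown"
    probe = events[0][1] == (0, AUTH_TLS)   # NULL call carrying AUTH_TLS
    rest = events[1:]
    if all(kind == "rpc" for kind, _ in rest):
        if not probe:
            return "plaintext"
        return "probe-then-plaintext" if rest else "unknown"
    if probe and rest[0] == ("tls", TLS_HANDSHAKE) and \
            all(kind == "tls" for kind, _ in rest):
        return "tls"
    return "unknown"


# Constructed streams: bytes a client would send from the start of a connection.
TLS_MOUNT = (rpc_call(1, 0, AUTH_TLS) + tls_record(22, 200)
             + tls_record(20, 1) + tls_record(23, 64))
PLAIN_MOUNT = rpc_call(1, 0, 0) + rpc_call(2, 1, AUTH_SYS, b"constructed-cred")
FALLBACK = rpc_call(1, 0, AUTH_TLS) + rpc_call(2, 1, AUTH_SYS, b"constructed-cred")

if __name__ == "__main__":
    for name, stream in [("tls", TLS_MOUNT), ("plain", PLAIN_MOUNT),
                         ("fallback", FALLBACK)]:
        print(name, classify(stream))
```

A "probe-then-plaintext" result is the case worth alerting on: the client offered TLS but NFS calls still followed in the clear.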
h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=HqdlSLATwK0NH6Vfbvahio+jx3WZ4CrhvRIs12QehoE=; b=I7FTVLp9nAEQNiPOggVp+7nvYEX3GZ0PgcSnaVDLiyzAOvm3IXrr4H3rxG0W/46kiEPGMN zf/FF4aNeU9EZqUcDIJqGbjWLlV7ktDXl2EfhrA2Cf9vpNPxKMpH0Jz1p7zDjIBu1v26U/ UzW9O7o3MIt3gqep2d9rp/dpVoBi1/+Fo5Jq5X0iLOyi27mC3qzfQ82o4LkL4NpWw2a9V8 rBaD4VLl1tHD3aZioKhL7Vcm4OIoG3J4mp/EXEXHjOZ364+S8puKc7PVqP3Y0b/0AfpS7L Ki3po0akdgvjseo8Cm2LhRP7RR0GJbUKmslZiuoyKsNIMjzZ2Gc7yHRiHmzY7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1687598634; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=HqdlSLATwK0NH6Vfbvahio+jx3WZ4CrhvRIs12QehoE=; b=Kyinsw44077IJg/v4IzBbnwDuku/YRweWio8cHRIMXKnH82kqDutYNmS422M4gvzwVcFmU Eu3yLJFi1U1wrgNJVxaE4v5HHr4FELrEWeHhKlwATGPhqJhXA1TdmevfGUsQWb6kelnFAg pdduv9o9LZpr/Zi7xm1rMlV9haoMiPQZ053GQ1c5D0YIj1Zhc9bizgLhASkWceiRJjy23s 57Qi1KcovZzP7bpTO7TXbvXgq8h65CR1annALaxm3iQ+oFRKDSpaJSFhOGMYoJO4cueOOd La2C6C+HVGHLTHrXQmVlDUfYHcl0QZxL3rdESC7qhB12NY2KVYhHfc7yYytjAw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1687598634; a=rsa-sha256; cv=none; b=VxVGxUgeWiNftoWFBM6c8VBRqevJR8/6HvrVPJJ/qqNOdm6PvRH3WHIiP8MLmeVeOgpJXq Nc25km71nj96AovwLFP3KBfS/xI28z4Mjho0f5YZ2drBoReIdlWJdT4ZtdRQepT5EYQd1u XcT35sbNtf1k1sLQTNZapgmu1N2vY9034UTy9guq/7wbHHLaWen5MayjhTV3p4M13REfQJ GA2zySuoevfUuHGL80XcuBMX9vP5JjJ9Y8aWrSY5neOBl1WVnKt6GvLRg0Ie+MS5E+URaY q3OvXBzVkHkn2VjomLQWlzxaoFJDq7M2Mnq1GHRaPTXnHgkXL3nDbvISsEw1TQ== Received: from server.rulingia.com (ppp239-208.static.internode.on.net [59.167.239.208]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA512) (Client did not present a certificate) (Authenticated sender: peterj) by smtp.freebsd.org (Postfix) with ESMTPSA id 
4Qp7vs1qPgzt13 for ; Sat, 24 Jun 2023 09:23:53 +0000 (UTC) (envelope-from peterj@freebsd.org) Date: Sat, 24 Jun 2023 19:23:47 +1000 From: Peter Jeremy To: freebsd-fs@freebsd.org Subject: Diskless NFS over TLS Message-ID: List-Id: Filesystems List-Archive: https://lists.freebsd.org/archives/freebsd-fs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-fs@freebsd.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="pMMMsGAub9mTKzPv" Content-Disposition: inline X-PGP-Key: http://www.rulingia.com/keys/peter.pgp X-ThisMailContainsUnwantedMimeParts: N --pMMMsGAub9mTKzPv Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable I have a number of aarch64 SBCs that run "diskless": U-Boot loads boot.scr.uimg, loader.efi and the DTB via TFTP, EFI loads the loader config and kernel via NFS and passes the NFS root details to the kernel. I am contemplating whether it's possible to use secure NFS for at least the root mount[*]. The problem is that NFS-over-TLS relies on rpc.tlsclntd to perform the STARTTLS and that needs a functional userland to run it. Does anyone have any idea how to proceed? Maybe something like mfsroot with the real root then overlaid over it (though I haven't thought this through). (And I realise that protecting the keys is problematic). [*] It would be nice to secure TFTP and the kernel load but that's less feasible. 
-- 
Peter Jeremy

From: Rick Macklem
Date: Sat, 24 Jun 2023 06:09:07 -0700
Subject: Re: Verifying NFS over TLS
To: Peter Jeremy
Cc: freebsd-fs@freebsd.org

On Sat, Jun 24, 2023 at 1:52 AM Peter Jeremy wrote:
>
> I've recently been configuring NFS over TLS[*] and one issue that came
> up was how to verify that it's actually using TLS.
> * "mount -v" doesn't provide any indication of mount options.
> * Various kern.ipc.tls sysctls can confirm that *something* is using
>   ktls but not that a specific NFS mount is using TLS.
> * tcpdump's inability to decode traffic on port 2049 is a fairly good
>   indication but isn't as direct as I'd like.
>
> What is the recommended way to distinguish TLS from non-TLS mounts?
"nfsstat -m" on the client shows what mount options are actually being used.
(If "tls" is in the list, it should be happening.)

You can capture packets via tcpdump and then look at them in wireshark
and you should be able to see that TLS application data records are
what is going on the wire.

If you attempt an NFS mount with the "tls" option against a server not
configured to do NFS-over-TLS (the original authors use RPC-with-TLS,
which is more accurate but, to me, less informative), the mount should fail.

rick

>
> [*] Thanks very much rmacklem@ for your work.
> --
> Peter Jeremy
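
The wire-level check suggested in the reply above (TLS application data records versus readable RPC), as an added example that is not part of the thread or of FreeBSD's code. It assumes the client-to-server TCP payload of one port-2049 connection has already been reassembled from a tcpdump capture, RPC record marking as in RFC 5531 and the AUTH_TLS probe as in RFC 9289; the function names and the sample bytes are constructed for illustration.

```python
import struct

AUTH_TLS = 7            # RPC auth flavor of the STARTTLS probe (RFC 9289)
NFS_PROGRAM = 100003
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def tls_record(buf, off):
    """Return (type name, next offset) if a TLS record header starts at off, else None."""
    if len(buf) - off < 5:
        return None
    ctype, major, _minor, length = struct.unpack_from("!BBBH", buf, off)
    if ctype not in TLS_TYPES or major != 3 or not 0 < length <= 16384 + 256:
        return None
    return TLS_TYPES[ctype], off + 5 + length

def rpc_call(buf, off):
    """Return (cred flavor, procedure, next offset) for a record-marked NFS call, else None."""
    if len(buf) - off < 32:
        return None
    mark, _xid, mtype, rpcvers, prog, _vers, proc, flavor = struct.unpack_from("!8I", buf, off)
    if mtype != 0 or rpcvers != 2 or prog != NFS_PROGRAM:
        return None
    return flavor, proc, off + 4 + (mark & 0x7FFFFFFF)

def classify(stream):
    """Classify the reassembled client-to-server bytes of one connection to port 2049."""
    off, probe, clear_calls, app_records = 0, False, 0, 0
    while off < len(stream):
        if (rec := tls_record(stream, off)):
            app_records += rec[0] == "application_data"
            off = rec[1]
        elif (call := rpc_call(stream, off)):
            flavor, proc, off = call
            probe = probe or (flavor, proc) == (AUTH_TLS, 0)   # NULL call asking for TLS
            clear_calls += (flavor, proc) != (AUTH_TLS, 0)     # NFS request readable on the wire
        else:
            break                                              # neither format: do not guess
    if clear_calls:
        return "cleartext"
    return "tls" if probe and app_records else "unknown"

def build_call(proc, flavor):  # constructed sample: minimal call, empty cred and verifier
    body = struct.pack("!10I", 0x1234, 0, 2, NFS_PROGRAM, 4, proc, flavor, 0, 0, 0)
    return struct.pack("!I", 0x80000000 | len(body)) + body

def build_tls(ctype, payload):  # constructed sample: TLS record header plus opaque filler
    return struct.pack("!BBBH", ctype, 3, 3, len(payload)) + payload

TLS_MOUNT = build_call(0, AUTH_TLS) + build_tls(22, b"\x01" * 64) + build_tls(23, b"\xaa" * 120)
PLAIN_MOUNT = build_call(0, 0) + build_call(1, 1)
```

A connection that sends the AUTH_TLS probe and then any readable NFS call is reported as "cleartext", so the initial cleartext probe on a TLS mount is not mistaken for unprotected traffic and a mount that carries on without TLS is not mistaken for a protected one.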

From: Rick Macklem
Date: Sat, 24 Jun 2023 06:15:24 -0700
Subject: Re: Diskless NFS over TLS
To: Peter Jeremy
Cc: freebsd-fs@freebsd.org

On Sat, Jun 24, 2023 at 2:24 AM Peter Jeremy wrote:
>
> I have a number of aarch64 SBCs that run "diskless": U-Boot loads
> boot.scr.uimg, loader.efi and the DTB via TFTP, EFI loads the loader
> config and kernel via NFS and passes the NFS root details to the kernel.
>
> I am contemplating whether it's possible to use secure NFS for at least
> the root mount[*]. The problem is that NFS-over-TLS relies on
> rpc.tlsclntd to perform the STARTTLS and that needs a functional
> userland to run it.
At this point, I do not think the "tls" option can be added via "mount -u".
I had assumed that users would want "on the wire encryption, etc" to be done
right away, before any non-encrypted data travels across the wire.

I suppose allowing "tls" to be added via "mount -u" could be added to the code.
What do others think about this?
(It means that the file system mount would be running insecure for a while.)

Can you put all the data that needs to be secured on a separate volume and
mount that from /etc/fstab? (I'm sure you have thought of this, but...)

Note that there is overhead in using NFS-over-TLS (mostly CPU overhead,
assuming you do not have hardware offload), so you only want to use it
when there is data that needs to be secured.

rick

>
> Does anyone have any idea how to proceed? Maybe something like mfsroot
> with the real root then overlaid over it (though I haven't thought this
> through). (And I realise that protecting the keys is problematic).
>
> [*] It would be nice to secure TFTP and the kernel load but that's less
> feasible.
> --
> Peter Jeremy