From owner-freebsd-hackers@freebsd.org Sun Nov 29 05:27:02 2015
Date: Sun, 29 Nov 2015 05:20:33 +0000 (UTC)
From: Nomad Esst
To: Freebsd Hackers List, FreeBSD Hackers
Subject: kernel panic in igb driver
List-Id: Technical Discussions relating to FreeBSD

During some performance tests and while a voice call was going through an igb interface, we attempt to disconnect and connect the cable. After the interface comes up this kernel panic occurs:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xc
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80e189b9
stack pointer           = 0x28:0xffffff80ba3fe640
frame pointer           = 0x28:0xffffff80ba3feb20
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (irq268: +)
[ thread pid 12 tid 100114 ]
Stopped at      igb_start_locked+0x639: movzbl  0xc(%rbx),%esi

Thanks in advance.
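
An added example, not part of the original message: in the trap above the fault virtual address (0xc) equals the displacement of the memory operand in the faulting instruction (`movzbl 0xc(%rbx),%esi`), so `%rbx` held 0 and the driver read a field at offset 0xc through a NULL pointer. The sketch below automates that check for DDB trap output; `triage()`, its result keys and the `INDEXED` sample are hypothetical names and constructed data.

```python
import re

# Trap output as posted in the message above (quoted-printable decoded).
PANIC = """\
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xc
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80e189b9
stack pointer           = 0x28:0xffffff80ba3fe640
frame pointer           = 0x28:0xffffff80ba3feb20
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (irq268: +)
[ thread pid 12 tid 100114 ]
Stopped at      igb_start_locked+0x639: movzbl  0xc(%rbx),%esi
"""

# Constructed sample (not from the thread): an indexed operand, where the
# base register cannot be recovered from the fault address alone.
INDEXED = """\
fault virtual address   = 0x1238
fault code              = supervisor write data, page not present
Stopped at      example_fn+0x42: movl    %eax,0x8(%rdi,%rcx,4)
"""

PAGE_SIZE = 4096
MASK64 = (1 << 64) - 1

FIELD_RE = re.compile(r"^([a-z ]+?)\s*=\s*(.+)$")
STOPPED_RE = re.compile(r"^Stopped at\s+([\w.]+)\+(0x[0-9a-f]+):\s+(.+)$")
# AT&T memory operand: disp(%base) or disp(%base,%index,scale)
MEMOP_RE = re.compile(
    r"(-?0x[0-9a-f]+|-?\d+)?\(%(\w+)(?:,%(\w+)(?:,([1248]))?)?\)")


def triage(text):
    """Classify a FreeBSD page-fault trap from DDB output."""
    fields, stopped = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = STOPPED_RE.match(line)
        if m:
            stopped = m.groups()
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())
    if stopped is None or "fault virtual address" not in fields:
        raise ValueError("not a page-fault trap with a 'Stopped at' line")

    symbol, offset, insn = stopped
    fault = int(fields["fault virtual address"], 16)
    code = fields.get("fault code", "")
    result = {
        "symbol": symbol,
        "insn_offset": int(offset, 16),
        "fault_addr": fault,
        "kernel_mode": code.startswith("supervisor"),
        "access": "write" if "write" in code else "read",
        "base_reg": None,
        "base_value": None,
        "verdict": "unknown",
    }
    op = MEMOP_RE.search(insn)
    if op is None:
        return result
    disp_s, base, index, _scale = op.groups()
    disp = int(disp_s, 0) if disp_s else 0
    result["base_reg"] = base
    if index is not None or base == "rip":
        # base + index*scale + disp: one equation, two unknowns.
        result["verdict"] = "indeterminate"
        return result
    # Effective address = base + disp, so base = fault - disp. This is
    # exact for a one-byte access such as movzbl; a wider access that
    # straddles a page boundary can fault a few bytes higher.
    base_value = (fault - disp) & MASK64
    result["base_value"] = base_value
    if base_value == 0:
        result["verdict"] = "null-deref"      # NULL struct pointer + field offset
    elif fault < PAGE_SIZE:
        result["verdict"] = "near-null"
    else:
        result["verdict"] = "bad-pointer"     # stale, freed or corrupted pointer
    return result


if __name__ == "__main__":
    for name, sample in (("thread", PANIC), ("indexed", INDEXED)):
        r = triage(sample)
        print(name, r["symbol"], hex(r["fault_addr"]), r["base_reg"], r["verdict"])
```
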

From owner-freebsd-hackers@freebsd.org Sun Nov 29 06:09:02 2015
Date: Sun, 29 Nov 2015 06:05:46 +0000 (UTC)
From: Nomad Esst
To: Freebsd Hackers List
Subject: kernel panic in igb driver - more info

Any help would be appreciated

db> trace
Tracing pid 12 tid 100125 td 0xfffffe0004ecf000
igb_start_locked() at igb_start_locked+0x639/frame 0xffffff80e3464b20
igb_msix_que() at igb_msix_que+0xb7/frame 0xffffff80e3464b60
intr_event_execute_handlers() at intr_event_execute_handlers+0xfd/frame 0xffffff80e3464b90
ithread_loop() at ithread_loop+0x9d/frame 0xffffff80e3464be0
fork_exit() at fork_exit+0x11f/frame 0xffffff80e3464c30
fork_trampoline() at fork_trampoline+0xe/frame 0xffffff80e3464c30
--- trap 0, rip = 0, rsp = 0xffffff80e3464cf0, rbp = 0 ---
db>

Thanks in advance

From owner-freebsd-hackers@freebsd.org Mon Nov 30 11:39:47 2015
Date: Mon, 30 Nov 2015 17:37:12 +0600
From: Alexnader Kuleshov
To: freebsd-hackers@freebsd.org
Subject: Build only changes

Hello All,

I'm new in FreeBSD, so my question can be stupid, but I have just executed
`make buildworld` and it was successful. Now I want to do some little changes
for example in one of `usr.sbin` application. How can I recompile only changed
application? If I'm executing `make buildworld` again, I see that there is
new long-long-time compilation of the full base.

I've started to look into the base's Makefiles and tried to execute:

make buildworld -j4 -DMK_CDDL=no -DMK_KERBEROS=no -DMK_RESCUE=no -DMK_CRYPT=no
-DMK_TEST=no -DNO_CLEAN=yes -DMK_CLANG_BOOTSTRAP=no -DMK_CLANG=no

but anyway I see that contrib/llvm/tools/clang/* is compiling.

Is there ability to compile only one separate dir in the FreeBSD base?

Thank you.

From owner-freebsd-hackers@freebsd.org Mon Nov 30 12:09:59 2015
Date: Mon, 30 Nov 2015 15:09:49 +0300
From: Slawa Olhovchenkov
To: Alexnader Kuleshov
Cc: freebsd-hackers@freebsd.org
Subject: Re: Build only changes

On Mon, Nov 30, 2015 at 05:37:12PM +0600, Alexnader Kuleshov wrote:

> Hello All,
>
> I'm new in FreeBSD, so my question can be stupid, but I have just executed
> `make buildworld` and it was successful. Now I want to do some little changes
> for example in one of `usr.sbin` application. How can I recompile only changed
> application? If I'm executing `make buildworld` again, I see that there is
> new long-long-time compilation of the full base.
>
> I've started to look into the base's Makefiles and tried to execute:
>
> make buildworld -j4 -DMK_CDDL=no -DMK_KERBEROS=no -DMK_RESCUE=no -DMK_CRYPT=no
> -DMK_TEST=no -DNO_CLEAN=yes -DMK_CLANG_BOOTSTRAP=no -DMK_CLANG=no
>
> but anyway I see that contrib/llvm/tools/clang/* is compiling.
>
> Is there ability to compile only one separate dir in the FreeBSD base?

May be `make buildworld -DNO_CLEAN` is enough?

For some dirs I am do direct build. For other this is not work.

From owner-freebsd-hackers@freebsd.org Mon Nov 30 12:56:22 2015
Date: Mon, 30 Nov 2015 18:56:01 +0600
From: Alexander Kuleshov
To: Slawa Olhovchenkov
Cc: freebsd-hackers@freebsd.org
Subject: Re: Build only changes

Hello Slawa,

On Mon, Nov 30, 2015 at 6:09 PM, Slawa Olhovchenkov wrote:
>
> May be `make buildworld -DNO_CLEAN` is enough?
>
> For some dirs I am do direct build. For other this is not work.

Thank you for reply, but anyway it's too long to wait. Would great to have
options for skipping contrib/, usr.bin/ and other non-related to
changes directories,
but unfortunately didn't see it in Makefiles.

Thank you again.

From owner-freebsd-hackers@freebsd.org Mon Nov 30 13:29:48 2015
Date: Mon, 30 Nov 2015 16:29:43 +0300
From: Slawa Olhovchenkov
To: Alexander Kuleshov
Cc: freebsd-hackers@freebsd.org
Subject: Re: Build only changes

On Mon, Nov 30, 2015 at 06:56:01PM +0600, Alexander Kuleshov wrote:

> Hello Slawa,
>
> On Mon, Nov 30, 2015 at 6:09 PM, Slawa Olhovchenkov wrote:
> >
> > May be `make buildworld -DNO_CLEAN` is enough?
> >
> > For some dirs I am do direct build. For other this is not work.
>
> Thank you for reply, but anyway it's too long to wait. Would great to have
> options for skipping contrib/, usr.bin/ and other non-related to
> changes directories,
> but unfortunately didn't see it in Makefiles.

make _includes _libraries everything build32 ?

From owner-freebsd-hackers@freebsd.org Mon Nov 30 13:42:52 2015
Date: Mon, 30 Nov 2015 15:42:46 +0200
From: Konstantin Belousov
To: Alexander Kuleshov
Cc: freebsd-hackers@freebsd.org
Subject: Re: Build only changes

On Mon, Nov 30, 2015 at 06:56:01PM +0600, Alexander Kuleshov wrote:
> Hello Slawa,
>
> On Mon, Nov 30, 2015 at 6:09 PM, Slawa Olhovchenkov wrote:
> >
> > May be `make buildworld -DNO_CLEAN` is enough?
> >
> > For some dirs I am do direct build. For other this is not work.
>
> Thank you for reply, but anyway it's too long to wait. Would great to have
> options for skipping contrib/, usr.bin/ and other non-related to
> changes directories,
> but unfortunately didn't see it in Makefiles.

If you already finished buildworld, it is usually easiest and fastest
to execute make buildenv with the same options as buildworld (I mean
things like TARGET/TARGET_ARCH and similar), then, in the shell prompt,
do
# cd usr.bin/program
# make

I use this when working e.g. on rtld and libc/libthr. A useful variation
is
# make DEBUG_FLAGS=-g WITHOUT_TESTS=yes

From owner-freebsd-hackers@freebsd.org Mon Nov 30 14:07:46 2015
Date: Mon, 30 Nov 2015 20:07:25 +0600
From: Alexander Kuleshov
To: Konstantin Belousov
Cc: freebsd-hackers@freebsd.org
Subject: Re: Build only changes

Hello Konstantin.

On Mon, Nov 30, 2015 at 7:42 PM, Konstantin Belousov wrote:
>> Thank you for reply, but anyway it's too long to wait. Would great to have
>> options for skipping contrib/, usr.bin/ and other non-related to
>> changes directories,
>> but unfortunately didn't see it in Makefiles.
>
> If you already finished buildworld, it is usually easiest and fastest
> to execute make buildenv with the same options as buildworld (I mean
> things like TARGET/TARGET_ARCH and similar), then, in the shell prompt,
> do
> # cd usr.bin/program
> # make
>
> I use this when working e.g. on rtld and libc/libthr. A useful variation
> is
> # make DEBUG_FLAGS=-g WITHOUT_TESTS=yes

Thank you for advice. Besides this just knew about src.conf and add some
WITHOUT_.* options there and now is much better.
From owner-freebsd-hackers@freebsd.org Mon Nov 30 16:22:21 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7BCD4A3DD69 for ; Mon, 30 Nov 2015 16:22:21 +0000 (UTC) (envelope-from yaneurabeya@gmail.com) Received: from mail-pa0-x232.google.com (mail-pa0-x232.google.com [IPv6:2607:f8b0:400e:c03::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4E6971C43 for ; Mon, 30 Nov 2015 16:22:21 +0000 (UTC) (envelope-from yaneurabeya@gmail.com) Received: by padhx2 with SMTP id hx2so189250928pad.1 for ; Mon, 30 Nov 2015 08:22:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=efXLlduqItDxCUwC0J2fpaVqzXmC6E2T/bznyfYesgs=; b=dHhWDwwUd9Rh9Ap+CT71Ru2dppfR1ynUr6hoRl1xBh0nUJ/zv5EX7PKcP0T/CQlMrR gnIrBf2q//OphJYmDQIn3haKPzB/rAZMZNFQi8T59eiXjz5A3cT+dfoYWVMAbOBWYOtX YyZ5ZzP2B1NvUPMqNCTBj97/uEh+A5HCN5mDd4jhzEMRFJgq+DSAHXp4X1d80e2zsUtn FvoJ8HR8nKyNmr3YVGzUrh6CEI/68St4FFHBg+6brd9OELGFQSaBPZCB2p79pfTqq2B5 q6pE5mwtKJu9MWVYLc80KCd62eIG7iOQej4eWjnVtjaP6NG/dsIubjO96ki88b3ufFRw glwA== X-Received: by 10.66.254.39 with SMTP id af7mr92433069pad.43.1448900540889; Mon, 30 Nov 2015 08:22:20 -0800 (PST) Received: from [192.168.20.11] (c-24-16-212-205.hsd1.wa.comcast.net. 
[24.16.212.205]) by smtp.gmail.com with ESMTPSA id u64sm52220193pfa.89.2015.11.30.08.22.19 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 30 Nov 2015 08:22:19 -0800 (PST) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (1.0) Subject: Re: Build only changes From: Garrett Cooper X-Mailer: iPhone Mail (13B143) In-Reply-To: <20151130113712.GA10550@localhost> Date: Mon, 30 Nov 2015 08:22:18 -0800 Cc: freebsd-hackers@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: References: <20151130113712.GA10550@localhost> To: Alexnader Kuleshov X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Nov 2015 16:22:21 -0000 > On Nov 30, 2015, at 03:37, Alexnader Kuleshov wro= te: >=20 > Hello All, >=20 > I'm new in FreeBSD, so my question can be stupid, but I have just executed= > `make buildworld` and it was successful. Now I want to do some little chan= ges > for example in one of `usr.sbin` application. How can I recompile only cha= nged > application? If I'm executing `make buildworld` again, I see that there is= > new long-long-time compilation of the full base. >=20 > I've started to look into the base's Makefiles and tried to execute: >=20 > make buildworld -j4 -DMK_CDDL=3Dno -DMK_KERBEROS=3Dno -DMK_RESCUE=3Dno -DM= K_CRYPT=3Dno > -DMK_TEST=3Dno -DNO_CLEAN=3Dyes -DMK_CLANG_BOOTSTRAP=3Dno -DMK_CLANG=3Dno >=20 > but anyway I see that contrib/llvm/tools/clang/* is compiling. >=20 > Is there ability to compile only one separate dir in the FreeBSD base? 
Alexnader, If you want to compile just one directory using buildworld and your tree= has already been built, use SUBDIR_OVERRIDE=3Dusr.bin/directory -DNO_CLEAN.= Cheers, -NGie= From owner-freebsd-hackers@freebsd.org Mon Nov 30 16:59:44 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DA78DA3C634 for ; Mon, 30 Nov 2015 16:59:44 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id BEF011370 for ; Mon, 30 Nov 2015 16:59:44 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: by mailman.ysv.freebsd.org (Postfix) id BCBDFA3C62D; Mon, 30 Nov 2015 16:59:44 +0000 (UTC) Delivered-To: hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BC67FA3C62B for ; Mon, 30 Nov 2015 16:59:44 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 73C6A136F for ; Mon, 30 Nov 2015 16:59:44 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from slw by zxy.spb.ru with local (Exim 4.86 (FreeBSD)) (envelope-from ) id 1a3Rng-0004ey-8s; Mon, 30 Nov 2015 19:59:40 +0300 Date: Mon, 30 Nov 2015 19:59:40 +0300 From: Slawa Olhovchenkov To: Rick Macklem Cc: hackers@freebsd.org Subject: Re: NFSv4 details and documentations Message-ID: <20151130165940.GB31314@zxy.spb.ru> References: <9BC3EFA2-945F-4C86-89F6-778873B58469@cs.huji.ac.il> <20151115152635.GB5854@kib.kiev.ua> <3AEC67FD-2E67-4EF9-9D46-818ABF3D8118@cs.huji.ac.il> <661673285.88370232.1447682409478.JavaMail.zimbra@uoguelph.ca> 
<20151116141433.GA31314@zxy.spb.ru> <1489367909.88538127.1447688459383.JavaMail.zimbra@uoguelph.ca> <20151116155710.GB31314@zxy.spb.ru> <1312967974.89238067.1447714816355.JavaMail.zimbra@uoguelph.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1312967974.89238067.1447714816355.JavaMail.zimbra@uoguelph.ca> User-Agent: Mutt/1.5.24 (2015-08-30) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Nov 2015 16:59:45 -0000 On Mon, Nov 16, 2015 at 06:00:16PM -0500, Rick Macklem wrote: > > But this is wrong: not only exported, access control too. > > May be for NFS guru this is trivia, but for ordinary users this is confused. > > > > > > What current status Kerberos support in NFS client/server? I found > > > > many posts and wiki pages about lack some functionality, but also see > > > > many works from you. > > > > > > > The main limitation (which comes from the fact that the RPCSEC_GSS > > > implementation > > > is version 1) is that it expects to use DES, which requires "weak > > > authentication" > > > to be enabled. Although parts about adding patches for initiator > > > credentials no longer > > > applies, this is still fairly useful. > > > > Hmm, I am have setup Kerberized NFS w/o "weak authentication" to be > > enabled, with mounted as > > 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What is requred > > DES in RPCSEC_GSS? (for me as user, how I can see what broken? some > > commands don't working or something else?) > > > Well, if the mount is working, you aren't broken. 
I do recommend against > using "soft" or "intr" on NFSv4 mounts, because the locking stuff > (which includes file opens) breaks if an RPC gets interrupted. > That is on one of the man pages, maybe "man nfsv4". > > Usually you can't create the keytab entries unless you enable weak authentication, > but if you've gotten it working, be happy;-) > (DES is used for krb5p and none of the Kerberized NFS stuff works for > excryption types with larger keys than 8 bytes, from what I know. I > always used des-cbc-crc, because that is what all clients/servers are > supposed to support. Once you move away from that, you are experimenting > and it works or not.) mount is working, but all access (from any accounts) go from mounting credentials (if I mount allgssname,gssname=host -- as root and mapped to nobody, if I mount as user -- all access as user, root also as user). What I am missing or missunderstund? From owner-freebsd-hackers@freebsd.org Mon Nov 30 19:12:40 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BA0B1A3C044 for ; Mon, 30 Nov 2015 19:12:40 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 9AE4A1C2F; Mon, 30 Nov 2015 19:12:40 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from mail.xzibition.com (localhost [IPv6:::1]) by freefall.freebsd.org (Postfix) with ESMTP id 9549D110E; Mon, 30 Nov 2015 19:12:40 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from mail.xzibition.com (localhost [172.31.3.2]) by mail.xzibition.com (Postfix) with ESMTP id 3F2F0187ED; Mon, 30 Nov 2015 19:12:40 +0000 (UTC) X-Virus-Scanned: amavisd-new at mail.xzibition.com Received: from mail.xzibition.com ([172.31.3.2]) by mail.xzibition.com (mail.xzibition.com [172.31.3.2]) 

Date: Mon, 30 Nov 2015 11:12:36 -0800
From: Bryan Drewery
To: Alexander Kuleshov, Slawa Olhovchenkov
Cc: freebsd-hackers@freebsd.org
Subject: Re: Build only changes

On 11/30/2015 4:56 AM, Alexander Kuleshov wrote:
> Hello Slawa,
>
> On Mon, Nov 30, 2015 at 6:09 PM, Slawa Olhovchenkov wrote:
>>
>> May be `make buildworld -DNO_CLEAN` is enough?
>>
>> For some dirs I am do direct build. For other this is not work.
>
> Thank you for reply, but anyway it's too long to wait. Would great to have
> options for skipping contrib/, usr.bin/ and other non-related to
> changes directories,
> but unfortunately didn't see it in Makefiles.
>
> Thank you again.

make buildworld -DNO_CLEAN SUBDIR_OVERRIDE=usr.sbin/whatever

It will still check bootstrap and library needs, but if they are already
built then those steps should be fast.

-- 
Regards,
Bryan Drewery

Date: Mon, 30 Nov 2015 14:19:55 -0700
From: Warner Losh
To: John Baldwin
Cc: freebsd-hackers@freebsd.org, Rui Paulo, Ganael Laplanche, Emmanuel Vadot
Subject: Re: EFI Variables

On Tue, Nov 24, 2015 at 7:15 PM, John Baldwin wrote:

> On Wednesday, October 28, 2015 01:38:28 PM Rui Paulo wrote:
> > On Wed, 2015-10-28 at 07:27 +0100, Ganael Laplanche wrote:
> > > On Tuesday, October 27, 2015 07:24:23 PM Emmanuel Vadot wrote:
> > >
> > > Hi Emmanuel,
> > >
> > > > I'm currently hacking around the loader.efi
> > >
> > > Great :)
> > >
> > > > I've also added the list and get command to the not working
> > > > "nvram" command.
> > >
> > > I had myself posted a PR to fix that command as well as add a verbose
> > > switch and the ability to specify a variable name, see :
> > >
> > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202614
> > >
> > > > For the "set" subcommand I think that the best way to handle it is :
> > > > "nvram set myvar data" -> This will set the variable myvar to data
> > > > with the freebsd guid (if there is any)
> > > >
> > > > and
> > > >
> > > > "nvram set myvar guid data" -> This will force the guid to
> > >
> > > It can be useful to set variables containing *strings*, but will
> > > hardly handle binary stuff :/
> > >
> > > I am not sure whether it should be the loader's job to set
> > > variables... I can think of changing the boot order, but it may be
> > > difficult to get it right by hand and would probably require an
> > > upper-level tool, such as efibootmgr on Linux.
> > >
> > > > I'll look tomorrow how to access efivars once the kernel is
> > > > booted so we can set some from some userland tool (especially the
> > > > boot related one).
> > >
> > > Yes, this is interesting as the current kernel (amd64) does not
> > > provide access to EFI variables at all.
> > >
> > > 10.x/ia64 provided access to EFI variables through libefi(3) and
> > > io(4). It should be possible to import that code to other archs too,
> > > but you'll have to save the entry point to the Runtime Services
> > > Tables and maybe set a Virtual Address Map too (not sure about that
> > > point).
> > >
> >
> > It would be nice to set some EFI variables in the loader, but you can't
> > expect to handle binary data from the loader. Like you said, we need a
> > special tool to change EFI variables on a system already running
> > FreeBSD.
>
> I believe Warner has been working on adding more support for EFI runtime
> services to FreeBSD multiuser which might permit this.
>

I'll see if I can get them in....

Warner

Date: Mon, 30 Nov 2015 18:08:16 -0500 (EST)
From: Rick Macklem
To: Slawa Olhovchenkov
Cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations

Slawa Olhovchenkov wrote:
> On Mon, Nov 16, 2015 at 06:00:16PM -0500, Rick Macklem wrote:
>
> > > But this is wrong: not only exported, access control too.
> > > May be for NFS guru this is trivia, but for ordinary users this is
> > > confused.
> > >
> > > > > What current status Kerberos support in NFS client/server? I found
> > > > > many posts and wiki pages about lack some functionality, but also see
> > > > > many works from you.
> > > > >
> > > > The main limitation (which comes from the fact that the RPCSEC_GSS
> > > > implementation is version 1) is that it expects to use DES, which
> > > > requires "weak authentication" to be enabled. Although parts about
> > > > adding patches for initiator credentials no longer applies, this is
> > > > still fairly useful.
> > >
> > > Hmm, I am have setup Kerberized NFS w/o "weak authentication" to be
> > > enabled, with mounted as
> > > 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What is required
> > > DES in RPCSEC_GSS? (for me as user, how I can see what broken? some
> > > commands don't working or something else?)
> > >
> > Well, if the mount is working, you aren't broken. I do recommend against
> > using "soft" or "intr" on NFSv4 mounts, because the locking stuff
> > (which includes file opens) breaks if an RPC gets interrupted.
> > That is on one of the man pages, maybe "man nfsv4".
> >
> > Usually you can't create the keytab entries unless you enable weak
> > authentication,
> > but if you've gotten it working, be happy;-)
> > (DES is used for krb5p and none of the Kerberized NFS stuff works for
> > encryption types with larger keys than 8 bytes, from what I know. I
> > always used des-cbc-crc, because that is what all clients/servers are
> > supposed to support. Once you move away from that, you are experimenting
> > and it works or not.)
>
> mount is working, but all access (from any accounts) go from mounting
> credentials (if I mount allgssname,gssname=host -- as root and mapped
> to nobody, if I mount as user -- all access as user, root also as
> user). What am I missing or misunderstanding?
>
Yes, that sounds correct. The mapping of "root" is somewhat more unusual.
It depends on what you called the host-based principal in your /etc/krb5.keytab.
If you use "root@.", then system operations are done as
"root", assuming you have "root" in your KDC (most don't). Otherwise, "root"
ends up as "nobody".

The most common variant of the mount (which requires a host-based credential in
/etc/krb5.keytab on the client) is done with gssname=host (but not "allgssname").
(Note that "host" here implies that the principal for the host-based credential is
"host@.". --> What is after the "=" above is what is before the
"@" in the host based principal name.)
Then system operations are done as nobody, but users are done as that user (they need
to "kinit"). The "allgssname" is an odd case for some server no one logs into, which
says "do everything as the host based credential".
--> If you need "root" access, you must put a "root" principal name in your KDC and
    then create the host-based credential for /etc/krb5.keytab using the principal
    name "root@.".

Yes, it is confusing, but that's Kerberos for you;-) rick
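
The mapping described in the reply above, as an added example that is not part of the thread: a small sh lint that takes a mount option string, the client's DNS name and the realm, and reports the keytab principal the mount needs (in the Kerberos name/host@REALM form given in the follow-up correction) together with the behaviour the reply attributes to soft, intr and allgssname. The function names are hypothetical; the sample host and realm are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. All function names are hypothetical.

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# opt_value OPTS KEY: print the value of the first KEY=value option, if any.
opt_value() {
    _rest=$1
    while [ -n "$_rest" ]; do
        _item=${_rest%%,*}
        case "$_item" in
            "$2"=*) printf '%s\n' "${_item#*=}"; return 0 ;;
        esac
        case "$_rest" in
            *,*) _rest=${_rest#*,} ;;
            *)   _rest= ;;
        esac
    done
    return 0
}

# keytab_principal OPTS FQDN REALM: Kerberos principal that has to be in
# /etc/krb5.keytab on the client for a gssname= mount. Prints nothing when
# the mount does not ask for a host-based credential.
keytab_principal() {
    _name=$(opt_value "$1" gssname)
    if [ -n "$_name" ]; then
        printf '%s/%s@%s\n' "$_name" "$2" "$3"
    fi
}

# access_identity OPTS: which credential file access is done with, as the
# thread describes it.
access_identity() {
    if [ -z "$(opt_value "$1" gssname)" ]; then
        echo "mounting-user"            # all access uses the mounter's ticket
    elif has_opt "$1" allgssname; then
        echo "host-credential-for-all"  # everything done as the host-based principal
    else
        echo "per-user-kinit"           # users kinit; system operations use the keytab
    fi
}

# root_maps_to OPTS: identity of system operations on the server. "root"
# assumes a root principal really exists in the KDC.
root_maps_to() {
    if [ "$(opt_value "$1" gssname)" = root ]; then
        echo root
    else
        echo nobody
    fi
}

# lint_mount OPTS FQDN REALM: print one finding per line.
lint_mount() {
    if has_opt "$1" nfsv4; then
        for _o in soft intr; do
            if has_opt "$1" "$_o"; then
                echo "WARN $_o: NFSv4 locking and file opens break if an RPC is interrupted"
            fi
        done
    fi
    case "$(opt_value "$1" sec)" in
        krb5|krb5i|krb5p) ;;
        *) echo "INFO no krb5 security flavour set, Kerberos checks skipped"
           return 0 ;;
    esac
    _p=$(keytab_principal "$1" "$2" "$3")
    if [ -n "$_p" ]; then
        echo "NEED /etc/krb5.keytab entry for $_p"
    fi
    echo "MODE $(access_identity "$1"), system operations as $(root_maps_to "$1")"
}

# The option string quoted in the thread, with the host and realm from the
# correction's example.
lint_mount 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root' nfs-client.my.home MYREALM
```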

Date: Mon, 30 Nov 2015 18:15:48 -0500 (EST)
From: Rick Macklem
To: Slawa Olhovchenkov
Cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations

Oops, I wrote the principal names in GSS form and not the Kerberos ones.
See a correction below.

----- Original Message -----
> Slawa Olhovchenkov wrote:
> > On Mon, Nov 16, 2015 at 06:00:16PM -0500, Rick Macklem wrote:
> >
> > > > But this is wrong: not only exported, access control too.
> > > > May be for NFS guru this is trivia, but for ordinary users this is
> > > > confused.
> > > >
> > > > > > What current status Kerberos support in NFS client/server? I found
> > > > > > many posts and wiki pages about lack some functionality, but also see
> > > > > > many works from you.
> > > > > >
> > > > > The main limitation (which comes from the fact that the RPCSEC_GSS
> > > > > implementation is version 1) is that it expects to use DES, which
> > > > > requires "weak authentication" to be enabled. Although parts about
> > > > > adding patches for initiator credentials no longer applies, this is
> > > > > still fairly useful.
> > > >
> > > > Hmm, I am have setup Kerberized NFS w/o "weak authentication" to be
> > > > enabled, with mounted as
> > > > 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What is required
> > > > DES in RPCSEC_GSS? (for me as user, how I can see what broken? some
> > > > commands don't working or something else?)
> > > >
> > > Well, if the mount is working, you aren't broken. I do recommend against
> > > using "soft" or "intr" on NFSv4 mounts, because the locking stuff
> > > (which includes file opens) breaks if an RPC gets interrupted.
> > > That is on one of the man pages, maybe "man nfsv4".
> > >
> > > Usually you can't create the keytab entries unless you enable weak
> > > authentication,
> > > but if you've gotten it working, be happy;-)
> > > (DES is used for krb5p and none of the Kerberized NFS stuff works for
> > > encryption types with larger keys than 8 bytes, from what I know. I
> > > always used des-cbc-crc, because that is what all clients/servers are
> > > supposed to support. Once you move away from that, you are experimenting
> > > and it works or not.)
> >
> > mount is working, but all access (from any accounts) go from mounting
> > credentials (if I mount allgssname,gssname=host -- as root and mapped
> > to nobody, if I mount as user -- all access as user, root also as
> > user). What am I missing or misunderstanding?
> >
> Yes, that sounds correct. The mapping of "root" is somewhat more unusual.
> It depends on what you called the host-based principal in your
> /etc/krb5.keytab.
> If you use "root@.", then system operations are done as
> "root", assuming you have "root" in your KDC (most don't). Otherwise, "root"
> ends up as "nobody".
>
> The most common variant of the mount (which requires a host-based credential
> in /etc/krb5.keytab on the client) is done with gssname=host (but not
> "allgssname").
> (Note that "host" here implies that the principal for the host-based
> credential is "host@.". --> What is after the "=" above is what is
> before the "@" in the host based principal name.)
> Then system operations are done as nobody, but users are done as that user
> (they need to "kinit"). The "allgssname" is an odd case for some server no
> one logs into, which says "do everything as the host based credential".
> --> If you need "root" access, you must put a "root" principal name in your
>     KDC and then create the host-based credential for /etc/krb5.keytab using
>     the principal name "root@.".
>
In GSS, the host based principal is @.. This
translates to: /.@ in the KDC.
For example:
nfs-client.my.home - DNS name of the client machine
MYREALM - Realm for Kerberos KDC
- I want to have root work as "root".
--> I go to the KDC and create a principal name:
    root/nfs-client.my.home@MYREALM
--> Then I create a keytab entry for this principal and transfer it to
    /etc/krb5.keytab on the client machine (nfs-client.my.home).
--> Then I mount with: -o nfsv4,gssname=root
and non-root users will have to kinit to access the server as themselves.
rick

> Yes, it is confusing, but that's Kerberos for you;-) rick

Date: Mon, 30 Nov 2015 15:22:35 -0800
From: Arlie Stephens
To: Dan Partelly
Cc: Mark Heily, freebsd-hackers@freebsd.org, Allan Jude
Subject: Re: libUCL / UCL as FreeBSD config question

On Nov 24 2015, Dan Partelly wrote:

> A proper solution might need kernel support, and quit using text
> files for OS config. Hence IMO a proper solution has very few
> chances to be implemented. Most people seem to have some fetish
> with text files, and like to be stuck in past. It is like somehow
> magically .txt files are immune to corruption, but any other format
> is not.

Ugh! Text files tend to make things human comprehensible, in ways that
configuration tools do not. I continue to administer my Macintosh systems
via "sudo" from a shell window, because the result makes sense.

Show me a system that's
1) convenient
2) comprehensible
3) backwards compatible (upgrading from before isn't a PITA)
4) forwards compatible (I don't have to reprogram my brain every other
   release)
5) accessible when the system is somewhat crippled (single user mode
   after a failure)

And I might get over my "fetish" for text files.

And for the record, I've used various "registry" solutions to kernel
config., notably the one added to HPUX around about their 11.0, and
even developed code that used this system.

It's doubtless possible to design a non-text system that provides the
benefits that text based systems get for free. Unfortunately, I've
never seen such a system where that remained a consistent priority.

-- 
Arlie

(Arlie Stephens arlie@worldash.org)

Date: Tue, 1 Dec 2015 10:44:25 +0300
From: Slawa Olhovchenkov
To: Rick Macklem
Cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations

On Mon, Nov 30, 2015 at 06:08:16PM -0500, Rick Macklem wrote:

> Slawa Olhovchenkov wrote:
> > On Mon, Nov 16, 2015 at 06:00:16PM -0500, Rick Macklem wrote:
> >
> > > > But this is wrong: not only exported, access control too.
> > > > May be for NFS guru this is trivia, but for ordinary users this is
> > > > confused.
> > > >
> > > > > > What current status Kerberos support in NFS client/server? I found
> > > > > > many posts and wiki pages about lack some functionality, but also see
> > > > > > many works from you.
> > > > > >
> > > > > The main limitation (which comes from the fact that the RPCSEC_GSS
> > > > > implementation is version 1) is that it expects to use DES, which
> > > > > requires "weak authentication" to be enabled. Although parts about
> > > > > adding patches for initiator credentials no longer applies, this is
> > > > > still fairly useful.
> > > >
> > > > Hmm, I am have setup Kerberized NFS w/o "weak authentication" to be
> > > > enabled, with mounted as
> > > > 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What is required
> > > > DES in RPCSEC_GSS? (for me as user, how I can see what broken? some
> > > > commands don't working or something else?)
> > > >
> > > Well, if the mount is working, you aren't broken. I do recommend against
> > > using "soft" or "intr" on NFSv4 mounts, because the locking stuff
> > > (which includes file opens) breaks if an RPC gets interrupted.
> > > That is on one of the man pages, maybe "man nfsv4".
> > >
> > > Usually you can't create the keytab entries unless you enable weak
> > > authentication,
> > > but if you've gotten it working, be happy;-)
> > > (DES is used for krb5p and none of the Kerberized NFS stuff works for
> > > encryption types with larger keys than 8 bytes, from what I know. I
> > > always used des-cbc-crc, because that is what all clients/servers are
> > > supposed to support. Once you move away from that, you are experimenting
> > > and it works or not.)
> >
> > mount is working, but all access (from any accounts) go from mounting
> > credentials (if I mount allgssname,gssname=host -- as root and mapped
> > to nobody, if I mount as user -- all access as user, root also as
> > user). What am I missing or misunderstanding?
> >
> Yes, that sounds correct. The mapping of "root" is somewhat more unusual.
> It depends on what you called the host-based principal in your /etc/krb5.keytab.
> If you use "root@.", then system operations are done as
> "root", assuming you have "root" in your KDC (most don't). Otherwise, "root"
> ends up as "nobody".
>
> The most common variant of the mount (which requires a host-based credential in
> /etc/krb5.keytab on the client) is done with gssname=host (but not "allgssname").

Yes, my mount use "allgssname", I am think "gssname=host" require
"allgssname" too.

> (Note that "host" here implies that the principal for the host-based credential is
> "host@.". --> What is after the "=" above is what is before the
> "@" in the host based principal name.)
> Then system operations are done as nobody, but users are done as that user (they need

This is strange. I am mount (by automount) as:

/NFS -nfsv4,intr,soft,sec=krb5i,gssname=host storage01:/

in rc.conf:

gssd_enable="YES"
gssd_flags="-h"

In this case, I am can't login to user with $HOME on this NFS -- root
(sshd run as root and PAM accounting run as root -- check .k5login and
etc) totally don't have access (10016).

I am avoid this by "kinit -k host/`hostname`" in crontab and startup
script, but may be gssd is best for this functionality?

> to "kinit"). The "allgssname" is an odd case for some server no one logs into, which
> says "do everything as the host based credential".

I am confused by "allgssname", I am don't think that is like -mapall=
in exports, I am think this is only for mount and for case absent user
principal.

> --> If you need "root" access, you must put a "root" principal name in your KDC and
>     then create the host-based credential for /etc/krb5.keytab using the principal
>     name "root@.".
>
> Yes, it is confusing, but that's Kerberos for you;-) rick
Date: Tue, 1 Dec 2015 10:51:17 +0300
From: Slawa Olhovchenkov
To: Rick Macklem
Cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
Message-ID: <20151201075117.GE31314@zxy.spb.ru>
In-Reply-To: <1530363546.112649399.1448925348701.JavaMail.zimbra@uoguelph.ca>

On Mon, Nov 30, 2015 at 06:15:48PM -0500, Rick Macklem wrote:
> In GSS, the host based principal is @.. This
> translates to: /.@ in the KDC.
> For example:
> nfs-client.my.home - DNS name of the client machine
> MYREALM - Realm for Kerberos KDC
> - I want to have root work as "root".
>
> --> I go to the KDC and create a principal name:
> root/nfs-client.my.home@MYREALM
> --> Then I create a keytab entry for this principal and transfer it to
> /etc/krb5.keytab on the client machine (nfs-client.my.home).
> --> Then I mount with: -o nfsv4,gssname=root
> and non-root users will have to kinit to access the server as themselves.

Is there a difference between gssname=host
(host/nfs-client.my.home@MYREALM and already exist) and gssname=root
(and create and export additional root/nfs-client.my.home@MYREALM)?

Date: Tue, 1 Dec 2015 14:47:19 +0600
From: Alexander Kuleshov
To: Bryan Drewery
Cc: freebsd-hackers@freebsd.org
Subject: Re: Build only changes
In-Reply-To: <565C9FA4.60006@FreeBSD.org>

Thank you Bryan

On Tue, Dec 1, 2015 at 1:12 AM, Bryan Drewery wrote:
> On 11/30/2015 4:56 AM, Alexander Kuleshov wrote:
>> Hello Slawa,
>>
>> On Mon, Nov 30, 2015 at 6:09 PM, Slawa Olhovchenkov wrote:
>>>
>>> May be `make buildworld -DNO_CLEAN` is enough?
>>>
>>> For some dirs I am do direct build. For other this is not work.
>>
>> Thank you for reply, but anyway it's too long to wait. Would great to have
>> options for skipping contrib/, usr.bin/ and other non-related to
>> changes directories,
>> but unfortunately didn't see it in Makefiles.
>>
>> Thank you again.
>
> make buildworld -DNO_CLEAN SUBDIR_OVERRIDE=usr.sbin/whatever
>
> It will still check bootstrap and library needs, but if they are already
> built then those steps should be fast.
>
>
> --
> Regards,
> Bryan Drewery
>

Date: Tue, 1 Dec 2015 12:11:44 +0200
From: Dan Partelly
To: Arlie Stephens
Cc: freebsd-hackers@freebsd.org, Allan Jude, Mark Heily
Subject: Re: libUCL / UCL as FreeBSD config question
Message-Id: <1912F461-882E-462A-A3C6-6BC1A15D4353@rdsor.ro>
In-Reply-To: <20151130232235.GA11581@worldash.org>

> I continue to administer my Macintosh
> systems via "sudo" from a shell window, because the result makes
> sense.

And Windows is often administered with powershell. I think the result also make
“sense”.

> 1) convenient

Convenience is the only advantage of text files.
It is often easier/more ingrained to
just vi /etc/rc.conf than using a tool sysrc(8) to administer it. But sysrc(8) exists
for a reason. It is safer to use. And, I personally would trade some convenience
for atomicity and transactions any time of the day.

> 2) comprehensible

I think all systems are equal comprehensible. Practically, there is 0 difference
between the human readable format you see in a text file, and the output of
system tools. They do output text for most of the information.

> 3) backwards compatible (upgrading from before isn't a PITA)

When talking about OS databases, backwards compatibility means -- keep the
same language. Using a different language than the one in which
the ad-hoc databases are specified today (a language with no formal specification)
will automatically break backwards compatibility. Various levels of PITA will
always exist.

> 4) forwards compatible (I don't have to reprogram my brain every other release)

All solutions are forward compatible if minimal good engineering principles are
applied. You can break a text based databases in countless way and ditch compatibility
as easily as you can do it for binary databases.

> 5) accessible when the system is somewhat crippled (single user mode
> after a failure)

implementation detail. Are sane solutions are implemented this way.

> It's doubtless possible to design a non-text system that provides the
> benefits that text based systems get for free.

It is indeed possible. But as far as text files goes, the only advantage IMO is on the
lines of convenience. All others are just biases. The future is IMO a web of
interconnected machines at different scales, a world where issues of
concurrency - the ability to guarantee atomic and transactional accesses to OS
databases - is increasingly important.

Traditional OS databases in Unix do not have a special language, but they are easy
to understand and humanly read.
UCL is both easy to humanly and machine read.
If introduced in FreeBSD, the only thing it would accomplish is uniformity of language,
and easier programmatic access. (and this is desirable and by all means no small feat). But
that's where any advantage stops. Nobody in this UCL for FreeBSD working group seems
to have thought at the future, and did not posed any questions regarding concurrency and
transactions.

It’s the same as with the init system. There is a working solution, which is a glorified
autoexec.bat. It doesn't offer any real facilities to monitor services, configure actions
to be taken on faults, log faults, manage cron jobs and their lifecycles and the list can
go on and on.

In my opinion 3 areas in BSDs are problematic and coherent, future proof, solutions to those
problems must be found:

1. OS services system (service management, fault management, reporting, cron management)
2. OS configuration. Powerful OS databases and system management demons.
3. Binary code reuse. IMO key utilities in base should be lib-ified, and frameworks of libs
should be built over key system demons (config demons, fault management demons, log demons,
systemwide notification demon (funnelling from multiple sources, as devd, file system events,
service fault events, service normal lifetime events.

> On 01 Dec 2015, at 01:22, Arlie Stephens wrote:
>
> On Nov 24 2015, Dan Partelly wrote:
>> A proper solution might need kernel support, and quit using text
>> files for OS config. Hence IMO a proper solution has very few
>> chances to be implemented. Most people seem to have some fetish
>> with text files, and like to be stuck in past. It is like somehow
>> magically .txt files are immune to corruption, but any other format
>> is not.
>
> Ugh! Text files tend to make things human comprehensible, in ways
> that configuration tools do not. I continue to administer my Macintosh
> systems via "sudo" from a shell window, because the result makes
> sense.
>
> Show me a system that's
> 1) convenient
> 2) comprehensible
> 3) backwards compatible (upgrading from before isn't a PITA)
> 4) forwards compatible (I don't have to reprogram my brain every other release)
> 5) accessible when the system is somewhat crippled (single user mode
> after a failure)
>
> And I might get over my "fetish" for text files.
>
> And for the record, I've used various "registry" solutions to kernel
> config., notably the one added to HPUX around about their 11.0, and
> even developed code that used this system.
>
> It's doubtless possible to design a non-text system that provides the
> benefits that text based systems get for free. Unfortunately, I've
> never seen such a system where that remained a consistent priority.
>
> --
> Arlie
>
> (Arlie Stephens arlie@worldash.org)
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

Date: Tue, 1 Dec 2015 08:19:27 -0500 (EST)
From: Rick Macklem
To: Slawa Olhovchenkov
Cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
Message-ID: <1739189176.113176689.1448975967722.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <20151201075117.GE31314@zxy.spb.ru>

Slawa Olhovchenkov wrote:
> On Mon, Nov 30, 2015 at 06:15:48PM -0500, Rick Macklem wrote:
>
> > In GSS, the host based principal is @.. This
> > translates to: /.@ in the KDC.
> >
>
> > For example:
> > nfs-client.my.home - DNS name of the client machine
> > MYREALM - Realm for Kerberos KDC
> > - I want to have root work as "root".
> > --> I go to the KDC and create a principal name:
> > root/nfs-client.my.home@MYREALM
> > --> Then I create a keytab entry for this principal and transfer it to
> > /etc/krb5.keytab on the client machine (nfs-client.my.home).
> > --> Then I mount with: -o nfsv4,gssname=root
> > and non-root users will have to kinit to access the server as
> > themselves.
>
> Is there a difference between gssname=host
> (host/nfs-client.my.home@MYREALM and already exist) and gssname=root
> (and create and export additional root/nfs-client.my.home@MYREALM)?

Oops, I was wrong. It shouldn't matter what the name before "@" is in the
client's keytab entry.
On old code I did for this (OpenBSD way back when), I had an option on the
gssd that would look up the name in the passwd database and create credentials
for that user.

From "man gssd" and a look at the code, that was never done for FreeBSD.

Sorry for misleading you, rick
ps: If I had done it and you used the option, then "root@..." would have become
"root" on the server, etc.

Date: Tue, 1 Dec 2015 16:40:09 +0300
From: Slawa Olhovchenkov
To: Rick Macklem
Cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
Message-ID: <20151201134009.GG31314@zxy.spb.ru>
In-Reply-To: <1739189176.113176689.1448975967722.JavaMail.zimbra@uoguelph.ca>

On Tue, Dec 01, 2015 at 08:19:27AM -0500, Rick Macklem wrote:
> Slawa Olhovchenkov wrote:
> > On Mon, Nov 30, 2015 at 06:15:48PM -0500, Rick Macklem wrote:
> >
> > > In GSS, the host based principal is @.. This
> > > translates to: /.@ in the KDC.
> > >
> > >
> > > For example:
> > > nfs-client.my.home - DNS name of the client machine
> > > MYREALM - Realm for Kerberos KDC
> > > - I want to have root work as "root".
> > > --> I go to the KDC and create a principal name:
> > > root/nfs-client.my.home@MYREALM
> > > --> Then I create a keytab entry for this principal and transfer it to
> > > /etc/krb5.keytab on the client machine (nfs-client.my.home).
> > > --> Then I mount with: -o nfsv4,gssname=root
> > > and non-root users will have to kinit to access the server as
> > > themselves.
> >
> > Is there a difference between gssname=host
> > (host/nfs-client.my.home@MYREALM and already exist) and gssname=root
> > (and create and export additional root/nfs-client.my.home@MYREALM)?
> Oops, I was wrong. It shouldn't matter what the name before "@" is in the
> client's keytab entry.
> On old code I did for this (OpenBSD way back when), I had an option on the
> gssd that would look up the name in the passwd database and create credentials
> for that user.
>
> From "man gssd" and a look at the code, that was never done for FreeBSD.
>
> Sorry for misleading you, rick
> ps: If I had done it and you used the option, then "root@..." would have become
> "root" on the server, etc.
>

You plan to use (in this case) in gssd principal
root@`hostname`@MYREALM? Or
`gssname_from_mount`@`hostname`@MYREALM for root access?

Last case is preferred for me, I am create host/`hostname` in any case
(for ssh access), and unnecessary to create additional
root/`hostname`.

Date: Tue, 1 Dec 2015 08:41:46 -0500 (EST)
From: Rick Macklem
To: Slawa Olhovchenkov
Cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
Message-ID: <1745794347.113212991.1448977306722.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <20151201074425.GD31314@zxy.spb.ru>

Slawa Olhovchenkov wrote:
> On Mon, Nov 30, 2015 at 06:08:16PM -0500, Rick Macklem wrote:
>
> > Slawa Olhovchenkov wrote:
> > > On Mon, Nov 16, 2015 at 06:00:16PM -0500, Rick Macklem wrote:
> > >
> > > > > But this is wrong: not only exported, access control too.
> > > > > May be for NFS guru this is trivia, but for ordinary users this is
> > > > > confused.
> > > > >
> > > > > > > What current status Kerberos support in NFS client/server? I
> > > > > > > found
> > > > > > > many posts and wiki pages about lack some functionality, but also
> > > > > > > see
> > > > > > > many works from you.
> > > > > > >
> > > > > > The main limitation (which comes from the fact that the RPCSEC_GSS
> > > > > > implementation
> > > > > > is version 1) is that it expects to use DES, which requires "weak
> > > > > > authentication"
> > > > > > to be enabled. Although parts about adding patches for initiator
> > > > > > credentials no longer
> > > > > > applies, this is still fairly useful.
> > > > >
> > > > > Hmm, I am have setup Kerberized NFS w/o "weak authentication" to be
> > > > > enabled, with mounted as
> > > > > 'nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root'. What is required
> > > > > DES in RPCSEC_GSS? (for me as user, how I can see what broken? some
> > > > > commands don't working or something else?)
> > > > >
> > > > Well, if the mount is working, you aren't broken. I do recommend
> > > > against
> > > > using "soft" or "intr" on NFSv4 mounts, because the locking stuff
> > > > (which includes file opens) breaks if an RPC gets interrupted.
> > > > That is on one of the man pages, maybe "man nfsv4".
> > > >
> > > > Usually you can't create the keytab entries unless you enable weak
> > > > authentication,
> > > > but if you've gotten it working, be happy;-)
> > > > (DES is used for krb5p and none of the Kerberized NFS stuff works for
> > > > encryption types with larger keys than 8 bytes, from what I know. I
> > > > always used des-cbc-crc, because that is what all clients/servers are
> > > > supposed to support. Once you move away from that, you are
> > > > experimenting
> > > > and it works or not.)
> > >
> > > mount is working, but all access (from any accounts) go from mounting
> > > credentials (if I mount allgssname,gssname=host -- as root and mapped
> > > to nobody, if I mount as user -- all access as user, root also as
> > > user). What I am missing or misunderstand?
> > >
> > Yes, that sounds correct. The mapping of "root" is somewhat more unusual.
> > It depends on what you called the host-based principal in your
> > /etc/krb5.keytab.
> > If you use "root@.", then system operations are done
> > as
> > "root", assuming you have "root" in your KDC (most don't). Otherwise,
> > "root"
> > ends up as "nobody".
> >
> > The most common variant of the mount (which requires a host-based
> > credential in
> > /etc/krb5.keytab on the client) is done with gssname=host (but not
> > "allgssname").
>
> Yes, my mount use "allgssname", I am think "gssname=host" require
> "allgssname" too.
>
> > (Note that "host" here implies that the principal for the host-based
> > credential is
> > "host@.". --> What is after the "=" above is what is
> > before the
> > "@" in the host based principal name.)
> > Then system operations are done as nobody, but users are done as that user
> > (they need
>
> This is strange. I am mount (by automount) as:
>
> /NFS -nfsv4,intr,soft,sec=krb5i,gssname=host storage01:/
>
I'd recommend that you never use "intr" or "soft" on NFSv4 mounts.
(It's somewhere in a man page and basically if you use these and an RPC
that does locking times out, you break the locking horribly.)
Also, I never use automount. I'd suggest you try the mount command typed
manually and then once you have it working, then try the automount and
see if it works.

> in rc.conf:
> gssd_enable="YES"
> gssd_flags="-h"
>
On the client, this looks correct.

> In this case, I am can't login to user with $HOME on this NFS --
> root (sshd run as root and PAM accounting run as root -- check
> .k5login and etc) totally don't have access (10016).
>
This means that the client fell back to AUTH_SYS and the server doesn't accept that.
Getting a home directory to work is harder than it should be and I don't even
know how to make it work, because I haven't done it.
The login must do a "kinit" so the user has access to the volume and I don't
know how to set FreeBSD up to do the kinit as a part of the login. It also must
be done early enough in the login, so that it happens before any access to the
home dir is attempted.
(To be honest, unless there is a way to do this in FreeBSD, you can forget about
Kerberized NFS mounts for home dirs.)
I would start by testing a mount that isn't a home directory, so you
can log into the machine (home dir not Kerberized NFS mounted) and
then the user can "kinit" and then "cd /kerberized/mount" and see
if it works.
--> Once that works, I don't know how to do the rest.
(I'm an NFS guy, not a Kerberos one.;-)

Also, I don't know what effect having sshd etc running as root will
be, since they will then be seen as running by "nobody" on the server.

> I avoid this by "kinit -k host/`hostname`" in crontab and startup
> script, but maybe gssd is best for this functionality?
>
Shouldn't matter. "gssd -h" does exactly the same stuff as "kinit -k".
(I wrote the code essentially cloning what "kinit -k" did.)

> > to "kinit"). The "allgssname" is an odd case for some server no one logs
> > into, which says "do everything as the host based credential.
>
> I am confused by "allgssname". I don't think it is like -mapall=
> in exports; I think it is only for the mount and for the case of an
> absent user principal.
>
It simply says "do all RPCs with the host based credential" which means
the uid etc is completely ignored. This works for cases where users can't
"kinit", but everything is run as "nobody" and not the user, so it isn't
very useful. (Other Kerberized NFS setups like Linux don't even have this
as far as I remember.)

> > --> If you need "root" access, you must put a "root" principal name in your
> > KDC and then create the host-based credential for /etc/krb5.keytab using
> > the principal name "root@.".
I don't think this is true for FreeBSD. It was what I did in the code I
wrote long ago for OpenBSD and this wasn't ported to FreeBSD.
Sorry for the confusion. I don't use Kerberos and avoid it like the plague.
Good luck with it, rick

> >
> > Yes, it is confusing, but that's Kerberos for you;-) rick
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>

From owner-freebsd-hackers@freebsd.org Tue Dec 1 13:48:09 2015
Date: Tue, 1 Dec 2015 08:48:06 -0500 (EST)
From: Rick Macklem
To: Slawa Olhovchenkov
Cc: hackers@freebsd.org
Message-ID: <182789855.113222942.1448977686720.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <20151201134009.GG31314@zxy.spb.ru>
Subject: Re: NFSv4 details and documentations

Slawa Olhovchenkov wrote:
> On Tue, Dec 01, 2015 at 08:19:27AM -0500, Rick Macklem wrote:
>
> > Slawa Olhovchenkov wrote:
> > > On Mon, Nov 30, 2015 at 06:15:48PM -0500, Rick Macklem wrote:
> > >
> > > > In GSS, the host based principal is @.. This
> > > > translates to: /.@ in the KDC.
> > > >
> > > >
> > > > For example:
> > > > nfs-client.my.home - DNS name of the client machine
> > > > MYREALM - Realm for Kerberos KDC
> > > > - I want to have root work as "root".
> > > > --> I go to the KDC and create a principal name:
> > > > root/nfs-client.my.home@MYREALM
> > > > --> Then I create a keytab entry for this principal and transfer it
> > > > to /etc/krb5.keytab on the client machine (nfs-client.my.home).
> > > > --> Then I mount with: -o nfsv4,gssname=root
> > > > and non-root users will have to kinit to access the server as
> > > > themselves.
> > >
> > > Is there a difference between gssname=host
> > > (host/nfs-client.my.home@MYREALM and already exists) and gssname=root
> > > (and create and export additional root/nfs-client.my.home@MYREALM)?
> > Oops, I was wrong. It shouldn't matter what the name before "@" is in the
> > client's keytab entry.
> > On old code I did for this (OpenBSD way back when), I had an option on the
> > gssd that would look up the name in the passwd database and create
> > credentials for that user.
> >
> > From "man gssd" and a look at the code, that was never done for FreeBSD.
> >
> > Sorry for misleading you, rick
> > ps: If I had done it and you used the option, then "root@..." would have
> > become "root" on the server, etc.
> >
>
> You plan to use (in this case) in gssd principal
> root@`hostname`@MYREALM? Or `gssname_from_mount`@`hostname`@MYREALM
> for root access? The last case is preferred for me; I create
> host/`hostname` in any case (for ssh access), and it is unnecessary to
> create an additional root/`hostname`.
>
Actually I avoid Kerberos like the plague, so I don't plan on doing
anything with it. I can't even remember if the host based credential
becomes nobody or root on the server, although I thought it was nobody.
The traditional "security" game is "don't let any RPC be run as root".

If someone thinks having a way for the host-based credential to work as
root is a needed feature, they'll either need to come up with a patch or
talk to me really nicely and try and convince me to do it.
(Remember I don't get paid $$$ to do this and since I hate working
with Kerberos...;-)

Personally, I wish there was a public key system supported by the GSS,
since using something like that would make more sense to me than messing
with Kerberos, but that isn't what the protocol gods have done.
rick

From owner-freebsd-hackers@freebsd.org Tue Dec 1 13:53:18 2015
Date: Tue, 1 Dec 2015 16:53:15 +0300
From: Slawa Olhovchenkov
To: Rick Macklem
Cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
Message-ID: <20151201135315.GH31314@zxy.spb.ru>
In-Reply-To: <1745794347.113212991.1448977306722.JavaMail.zimbra@uoguelph.ca>

On Tue, Dec 01, 2015 at 08:41:46AM -0500, Rick Macklem wrote:

> > > (Note that "host" here implies that the principal for the host-based
> > > credential is "host@.". --> What is after the "=" above is what is
> > > before the "@" in the host based principal name.)
> > > Then system operations are done as nobody, but users are done as that user
> > > (they need
> >
> > This is strange. I mount (by automount) as:
> >
> > /NFS -nfsv4,intr,soft,sec=krb5i,gssname=host storage01:/
> >
> I'd recommend that you never use "intr" or "soft" on NFSv4 mounts.
> (It's somewhere in a man page and basically if you use these and an
> RPC that does locking times out, you break the locking horribly.)

W/o "intr" and "soft" I can get a stale mount and process (till
reboot). These are production servers and this is unacceptable. Correct
locking is least important for me; as a last resort I do `umount -f`.

> Also, I never use automount. I'd suggest you try the mount command
> typed manually and then once you have it working, then try the automount
> and see if it works.
I am debugging this manually, yes.

> > in rc.conf:
> > gssd_enable="YES"
> > gssd_flags="-h"
> >
> On the client, this looks correct.
>
> > In this case, I can't log in as a user with $HOME on this NFS --
> > root (sshd runs as root and PAM accounting runs as root -- checks
> > .k5login etc.) totally doesn't have access (10016).
> >
> This means that the client fell back to AUTH_SYS and the server
> doesn't accept that.
>
> Getting a home directory to work is harder than it should be and I
> don't even know how to make it work, because I haven't done it.
> The login must do a "kinit" so the user has access to the volume
> and I don't know how to set FreeBSD up to do the kinit as a part of
> the login. It also must be done early enough in the login, so that
> it happens before any access to the home dir is attempted.
> (To be honest, unless there is a way to do this in FreeBSD, you
> can forget about Kerberized NFS mounts for home dirs.)

The first access to the home directory is done as root, not as the user.
After the root access, the ticket is created in /tmp/krb5cc_UID and home
is successfully accessed.

> I would start by testing a mount that isn't a home directory, so you
> can log into the machine (home dir not Kerberized NFS mounted) and
> then the user can "kinit" and then "cd /kerberized/mount" and see
> if it works.
> --> Once that works, I don't know how to do the rest.
> (I'm an NFS guy, not a Kerberos one.;-)
>
> Also, I don't know what effect having sshd etc running as root will
> be, since they will then be seen as running by "nobody" on the server.

As a last resort I can export with -maproot=root.

> > I avoid this by "kinit -k host/`hostname`" in crontab and startup
> > script, but maybe gssd is best for this functionality?
> >
> Shouldn't matter. "gssd -h" does exactly the same stuff as "kinit -k".
> (I wrote the code essentially cloning what "kinit -k" did.)

For mount only, not for root access from sshd, as I see.
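The mount options argued over in the messages above can be checked mechanically. The following is an added example, not code from the posters or from FreeBSD; the function names, finding codes and the sample keytab listing are assumptions, and the principal form follows the thread's own root/nfs-client.my.home@MYREALM example.

```python
"""Audit an NFSv4/Kerberos mount option string against points made in the thread.

Added illustration: names, finding codes and sample data are assumptions.
"""

KRB5_FLAVORS = {"krb5", "krb5i", "krb5p"}


def parse_mount_opts(optstr):
    """'-nfsv4,intr,sec=krb5i' -> {'nfsv4': True, 'intr': True, 'sec': 'krb5i'}"""
    opts = {}
    for item in optstr.lstrip("-").split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        opts[key] = value if sep else True
    return opts


def expected_principal(gssname, fqdn, realm):
    """Keytab principal for a host-based name, as in the thread's example:
    gssname=root on nfs-client.my.home -> root/nfs-client.my.home@MYREALM."""
    return f"{gssname}/{fqdn}@{realm}"


def audit(optstr, fqdn, realm, keytab_principals):
    """Return a list of (code, message) findings for one mount."""
    opts = parse_mount_opts(optstr)
    findings = []
    kerberized = opts.get("sec") in KRB5_FLAVORS

    # Rick's recommendation: soft/intr break NFSv4 lock and open state.
    if "nfsv4" in opts:
        for flag in ("soft", "intr"):
            if flag in opts:
                findings.append((
                    f"V4_{flag.upper()}",
                    f"'{flag}' on an NFSv4 mount: an interrupted or timed-out "
                    "RPC breaks locking (which includes file opens)"))

    if not kerberized:
        findings.append((
            "AUTH_SYS",
            "no sec=krb5/krb5i/krb5p: RPCs use AUTH_SYS, where the server "
            "trusts the uid sent by the client"))
        return findings

    # gssname=<name> needs <name>/<fqdn>@<REALM> in the client's keytab.
    gssname = opts.get("gssname")
    if isinstance(gssname, str) and gssname:
        want = expected_principal(gssname, fqdn, realm)
        if want not in keytab_principals:
            findings.append((
                "KEYTAB_MISSING",
                f"gssname={gssname} needs {want} in /etc/krb5.keytab "
                "on the client"))

    # allgssname: every RPC is done with the host-based credential.
    if "allgssname" in opts:
        findings.append((
            "ALLGSSNAME",
            "all RPCs use the host-based credential and the caller's uid is "
            "ignored, so the server cannot tell users apart"))
    return findings


if __name__ == "__main__":
    # Constructed sample: what a keytab listing on the client might contain.
    keytab = ["host/nfs-client.my.home@MYREALM"]
    mounts = [
        "-nfsv4,intr,soft,sec=krb5i,gssname=host",            # automount line
        "nfsv4,intr,soft,sec=krb5i,allgssname,gssname=root",  # first mount tried
        "nfsv4,sec=krb5i,gssname=host",                       # variant Rick calls common
    ]
    for m in mounts:
        print(m)
        for code, msg in audit(m, "nfs-client.my.home", "MYREALM", keytab):
            print(f"  [{code}] {msg}")
```
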
From owner-freebsd-hackers@freebsd.org Tue Dec 1 19:44:11 2015
Date: Tue, 1 Dec 2015 14:38:57 -0500 (EST)
From: Benjamin Kaduk
To: Rick Macklem
cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
In-Reply-To: <183609075.112643195.1448924896262.JavaMail.zimbra@uoguelph.ca>

On Mon, 30 Nov 2015, Rick Macklem wrote:

> Yes, it is confusing, but that's Kerberos for you;-) rick

Well, just Kerberos by itself is hardly this bad. The way it has been
integrated with NFS is all kinds of special and diverges from Kerberos
best practices in several ways, as if it was designed by someone without
prior Kerberos experience.

-Ben

From owner-freebsd-hackers@freebsd.org Tue Dec 1 21:56:28 2015
Date: Tue, 1 Dec 2015 16:56:24 -0500 (EST)
From: Rick Macklem
To: Slawa Olhovchenkov
Cc: hackers@freebsd.org
Message-ID:
 <1491578361.114386779.1449006984539.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <20151201135315.GH31314@zxy.spb.ru>
Subject: Re: NFSv4 details and documentations

Slawa Olhovchenkov wrote:
> On Tue, Dec 01, 2015 at 08:41:46AM -0500, Rick Macklem wrote:
>
> > > > (Note that "host" here implies that the principal for the host-based
> > > > credential is "host@.". --> What is after the "=" above is what
> > > > is before the "@" in the host based principal name.)
> > > > Then system operations are done as nobody, but users are done as that
> > > > user (they need
> > >
> > > This is strange. I mount (by automount) as:
> > >
> > > /NFS -nfsv4,intr,soft,sec=krb5i,gssname=host storage01:/
> > >
> > I'd recommend that you never use "intr" or "soft" on NFSv4 mounts.
> > (It's somewhere in a man page and basically if you use these and an
> > RPC that does locking times out, you break the locking horribly.)
>
> W/o "intr" and "soft" I can get a stale mount and process (till
> reboot).
> These are production servers and this is unacceptable. Correct
> locking is least important for me; as a last resort I do `umount -f`.
>
When I was a sysadmin, I just made sure my NFS server stayed up and the
network fabric was stable. I never recall having a problem using "hard"
mounts. But I agree it is a tradeoff.

If you don't need file locking visible across multiple clients, use
nfsv3,nolockd and intr if it works for you.
If you need file locking to work and be visible across multiple clients,
then the tradeoff is a hung system if your NFS server fails or your
network fabric is flakey. (Do you want file locking to work, but only
when things are running smoothly?)

You can use "umount -f" but I will admit you can get stuck. If you do a
"umount" without "-f" the mount point gets locked and "umount -f" doesn't
work.

I, for one, do not believe that NFSv4 is a replacement for NFSv3. It is a
very different protocol (some say "NFS in name only") and fills a
different somewhat overlapping solution space.

> > Also, I never use automount. I'd suggest you try the mount command
> > typed manually and then once you have it working, then try the automount
> > and see if it works.
>
> I am debugging this manually, yes.
>
> > > in rc.conf:
> > > gssd_enable="YES"
> > > gssd_flags="-h"
> > >
> > On the client, this looks correct.
> >
> > > In this case, I can't log in as a user with $HOME on this NFS --
> > > root (sshd runs as root and PAM accounting runs as root -- checks
> > > .k5login etc.) totally doesn't have access (10016).
> > >
> > This means that the client fell back to AUTH_SYS and the server
> > doesn't accept that.
> >
> > Getting a home directory to work is harder than it should be and I
> > don't even know how to make it work, because I haven't done it.
> > The login must do a "kinit" so the user has access to the volume
> > and I don't know how to set FreeBSD up to do the kinit as a part of
> > the login.
> > It also must be done early enough in the login, so that
> > it happens before any access to the home dir is attempted.
> > (To be honest, unless there is a way to do this in FreeBSD, you
> > can forget about Kerberized NFS mounts for home dirs.)
>
> The first access to the home directory is done as root, not as the user.

That's going to be a problem. I'm not sure how that will work unless the
access as root can be done by "nobody". Normally it is assumed that a
user accesses files on the NFS mount as that user.
(i.e. This just might not be doable unless you get rid of the access as
root during the login.)

> After the root access, the ticket is created in /tmp/krb5cc_UID and home
> is successfully accessed.
>
> > I would start by testing a mount that isn't a home directory, so you
> > can log into the machine (home dir not Kerberized NFS mounted) and
> > then the user can "kinit" and then "cd /kerberized/mount" and see
> > if it works.
> > --> Once that works, I don't know how to do the rest.
> > (I'm an NFS guy, not a Kerberos one.;-)
> >
> > Also, I don't know what effect having sshd etc running as root will
> > be, since they will then be seen as running by "nobody" on the server.
>
> As a last resort I can export with -maproot=root.
>
I don't think this works as you'd expect. The server doesn't see "root"
as the principal for the host-based credential in the keytab file.

To be seen as "root" on the server:
- I think you need a root@YOUR.REALM user principal in your KDC.
- The client must "kinit" this to get a TGT in /tmp/krb5cc_0.
- You can create a keytab entry for root@YOUR.REALM and "kinit -k" it,
  I think?
  --> Most would consider putting a keytab entry in /etc/krb5.keytab for
      "root" too large a security risk, but maybe it's ok for your
      environment. (Someone could move the keytab entry to another
      machine and it would still work.)
  (You mentioned doing something like this in your crontab.)

Btw, you can use Kerberos with NFSv3.
It works about the same and doesn't require a host-based credential in
/etc/krb5.keytab. It does require that the login do "kinit" before
attempting to access the home dir.

> > > I avoid this by "kinit -k host/`hostname`" in crontab and startup
> > > script, but maybe gssd is best for this functionality?
> > >
> > Shouldn't matter. "gssd -h" does exactly the same stuff as "kinit -k".
> > (I wrote the code essentially cloning what "kinit -k" did.)
>
> For mount only, not for root access from sshd, as I see.
>
Yes, for Kerberos root access, I think you will need "root@YOUR.REALM"
in your KDC and need to kinit for that.

rick

From owner-freebsd-hackers@freebsd.org Tue Dec 1 22:13:01 2015
Date: Tue, 1 Dec 2015 17:12:58 -0500 (EST)
From: Rick Macklem
To: Benjamin Kaduk
Cc: hackers@freebsd.org
Message-ID: <1162872124.114408327.1449007978859.JavaMail.zimbra@uoguelph.ca>
Subject: Re: NFSv4 details and documentations MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Originating-IP: [172.17.95.11] X-Mailer: Zimbra 8.0.9_GA_6191 (ZimbraWebClient - FF34 (Win)/8.0.9_GA_6191) Thread-Topic: NFSv4 details and documentations Thread-Index: /njrSbXaibGSrXDDCpj+w4SssJooOQ== X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2015 22:13:01 -0000 Benjamin Kaduk wrote: > On Mon, 30 Nov 2015, Rick Macklem wrote: > > > Yes, it is confusing, but that's Kerberos for you;-) rick > > Well, just Kerberos by itself is hardly this bad. The way it has been > integrated with NFS is all kinds of special and diverges from Kerberos > best practices in several ways, as if it was designed by someone without > prior Kerberos experience. > > -Ben I wasn't involved in the Kerberized NFS design (it was done at Sun before IETF took over NFS stuff). They chose a "user authentication" model and not a "host authentication" (or per mount if you'd prefer) and I'm not sure that was the correct choice. Are you able to explain how sshd is configured to do a kinit for the user as they ssh into a machine? 
rick

From owner-freebsd-hackers@freebsd.org Tue Dec 1 23:24:56 2015
Date: Wed, 2 Dec 2015 02:24:50 +0300
From: Slawa Olhovchenkov
To: Rick Macklem
Cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
Message-ID: <20151201232450.GI31314@zxy.spb.ru>
In-Reply-To: <1491578361.114386779.1449006984539.JavaMail.zimbra@uoguelph.ca>

On Tue, Dec 01, 2015 at 04:56:24PM -0500, Rick Macklem wrote:

> Slawa Olhovchenkov wrote:
> > On Tue, Dec 01, 2015 at 08:41:46AM -0500, Rick Macklem wrote:
> >
> > > > > (Note that "host" here implies that the principal for the
> > > > > host-based credential is "host@.". --> What is after the "="
> > > > > above is what is before the "@" in the host based principal name.)
> > > > > Then system operations are done as nobody, but users are done as
> > > > > that user (they need
> > > >
> > > > This is strange. I mount (by automount) as:
> > > >
> > > > /NFS -nfsv4,intr,soft,sec=krb5i,gssname=host storage01:/
> > > >
> > > I'd recommend that you never use "intr" or "soft" on NFSv4 mounts.
> > > (It's somewhere in a man page and basically if you use these and an
> > > RPC that does locking times out, you break the locking horribly.)
> >
> > W/o "intr" and "soft" I can get a stale mount and process (till
> > reboot). These are production servers and this is unacceptable. Correct
> > locking is least important for me; as a last resort I do `umount -f`
> >
> When I was a sysadmin, I just made sure my NFS server stayed up and the
> network fabric was stable. I never recall having a problem using "hard"
> mounts.
>
> But I agree it is a tradeoff. If you don't need file locking visible across
> multiple clients, use nfsv3,nolockd and intr if it works for you.

Yes, my experience (with soft, intr) is from nfsv3.
But (for me) nfsv4 benefits from not requiring identical numeric UIDs
across all systems and from supporting file attributes.
And, perhaps, limitless (by file size), better mapping of nobody (nfsv3
on zfs maps nobody to 4294967294)

> If you need file locking to work and be visible across multiple clients,
> then the tradeoff is a hung system if your NFS server fails or your network
> fabric is flakey. (Do you want file locking to work, but only when things
> are running smoothly?)

I don't need locking specifically, only indirectly (for example: svn
etc.). I plan to use it as my (and other people's) roaming $HOME.

> You can use "umount -f" but I will admit you can get stuck. If you do a
> "umount" without "-f" the mount point gets locked and "umount -f" doesn't
> work.

Currently (w/o using file locks) "umount -f" works on a busy (but not
stuck) file system.

> I, for one, do not believe that NFSv4 is a replacement for NFSv3. It is a
> very different protocol (some say "NFS in name only") and fills a different
> somewhat overlapping solution space.

What do you mean by "replacement"? "drop-in but better"?
Or better compliance with my requirements?

> > > Getting a home directory to work is harder than it should be and I
> > > don't even know how to make it work, because I haven't done it.
> > > The login must do a "kinit" so the user has access to the volume
> > > and I don't know how to set FreeBSD up to do the kinit as a part of
> > > the login. It also must be done early enough in the login, so that
> > > it happens before any access to the home dir is attempted.
> > > (To be honest, unless there is a way to do this in FreeBSD, you
> > > can forget about Kerberized NFS mounts for home dirs.)
> >
> > First access to the home directory is done as root, not as the user.
> That's going to be a problem. I'm not sure how that will work unless
> the access as root can be done by "nobody". Normally it is assumed
> that a user accesses files on the NFS mount as that user.
> (ie. This just might not be doable unless you get rid of the
> access as root during the login.)
>
> > After root access, the ticket is created in /tmp/krb5cc_UID and home
> > is successfully accessed.
> >
> > > I would start by testing a mount that isn't a home directory, so you
> > > can log into the machine (home dir not Kerberized NFS mounted) and
> > > then the user can "kinit" and then "cd /kerberized/mount" and see
> > > if it works.
> > > --> Once that works, I don't know how to do the rest.
> > > (I'm an NFS guy, not a Kerberos one.;-)
> > >
> > > Also, I don't know what effect having sshd etc running as root will
> > > be, since they will then be seen as running by "nobody" on the server.
> >
> > As a last resort I can export with -maproot=root.
> >
> I don't think this works as you'd expect. The server doesn't see "root"
> as the principal for the host-based credential in the keytab file.
> To be seen as "root" on the server:
> - I think you need a root@YOUR.REALM user principal in your KDC.

No.

> - The client must "kinit" this to get a TGT in /tmp/krb5cc_0.

I can do it by using the host principal. Kerberos only accepts a ticket by
checking that it decrypts correctly, i.e. I can get a TGT for
host/`hostname` and, because I do it from the root account, it is placed in
/tmp/krb5cc_0.

> - You can create a keytab entry for root@YOUR.REALM and "kinit -k"
> it, I think?

No, host/`hostname` is enough.

> --> Most would consider putting a keytab entry in /etc/krb5.keytab for
> "root" too large a security risk, but maybe it's ok for your environment.
> (Someone could move the keytab entry to another machine and it would still
> work.)
> (You mentioned doing something like this in your crontab.)

"kinit -k host/`hostname`" as root creates a TGT in /tmp/krb5cc_0 obtained
for the host/`hostname` principal. Now /tmp/krb5cc_0 may be used by gssd
where root (system daemons) tries to access some files.
I see this mapped to nobody on the server side, but this is acceptable for
my current use -- checking sshd .k5login and other files in $HOME.

> Btw, you can use Kerberos with NFSv3. It works about the same and doesn't
> require a host-based credential in /etc/krb5.keytab. It does require that
> the login do "kinit" before attempting to access the home dir.

I don't see why NFSv3 must be distinct from NFSv4.
I also need some ticket for root for accessing files from sshd as
root, right?

> > > > I avoid this by "kinit -k host/`hostname`" in crontab and a startup
> > > > script, but maybe gssd is best for this functionality?
> > > >
> > > Shouldn't matter. "gssd -h" does exactly the same stuff as "kinit -k".
> > > (I wrote the code essentially cloning what "kinit -k" did.)
> >
> > For mount only, not for root access from sshd, as I see.
> >
> Yes, for Kerberos root access, I think you will need "root@YOUR.REALM" in
> your KDC and need to kinit for that.

For root access as root on server side.
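The mapping reported in this message (a host credential arriving at the server as "nobody") can be modelled as below. This is an example added to the archive, not FreeBSD's gssd code; it assumes the server looks the principal name up in its password database and falls back to nobody when that fails, and every account, realm, path and mode in it is constructed sample data.

```python
"""Added illustration: how a Kerberized NFS server could turn the principal
on a request into a uid, and what that uid is then allowed to read."""
import stat
from collections import namedtuple

Account = namedtuple("Account", "uid gid")
RemoteFile = namedtuple("RemoteFile", "path owner_uid owner_gid mode")

# Constructed stand-in for the server's password database.
PASSWD = {
    "root": Account(0, 0),
    "slw": Account(1001, 1001),
    "nobody": Account(65534, 65534),
}


def principal_to_account(principal, passwd=PASSWD):
    """Drop the realm, look the rest up by name, else fall back to nobody."""
    name = principal.rsplit("@", 1)[0]
    # "host/client1.example.org" is a service name, not a login name, so
    # the lookup fails and the request runs with nobody's uid.
    return passwd.get(name, passwd["nobody"])


def may_read(account, f):
    """Owner/group/other read check (assumes uid 0 is not remapped)."""
    if account.uid == 0:
        return True
    if account.uid == f.owner_uid:
        return bool(f.mode & stat.S_IRUSR)
    if account.gid == f.owner_gid:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def server_read(principal, f, passwd=PASSWD):
    return may_read(principal_to_account(principal, passwd), f)


# Constructed home-directory files owned by user slw.
K5LOGIN_WORLD = RemoteFile("/home/slw/.k5login", 1001, 1001, 0o644)
K5LOGIN_PRIVATE = RemoteFile("/home/slw/.k5login", 1001, 1001, 0o600)

# What root on the client holds after "kinit -k host/`hostname`".
HOST = "host/client1.example.org@EXAMPLE.ORG"
USER = "slw@EXAMPLE.ORG"
ROOT = "root@EXAMPLE.ORG"


def report():
    """(principal, server uid, reads 0644 file, reads 0600 file) per caller."""
    rows = []
    for who in (HOST, USER, ROOT):
        acct = principal_to_account(who)
        rows.append((who, acct.uid,
                     may_read(acct, K5LOGIN_WORLD),
                     may_read(acct, K5LOGIN_PRIVATE)))
    return rows


if __name__ == "__main__":
    for row in report():
        print("%-40s uid=%-5d mode0644=%-5s mode0600=%s" % row)
```

With the host credential, sshd on the client can read only what the server grants to "other", so a mode 0600 file in the home directory is out of reach until the user's own ticket exists.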
From owner-freebsd-hackers@freebsd.org Wed Dec 2 00:02:51 2015
Date: Tue, 1 Dec 2015 19:02:42 -0500 (EST)
From: Rick Macklem
To: Slawa Olhovchenkov
Cc: hackers@freebsd.org
Message-ID: <2030822608.114589048.1449014562660.JavaMail.zimbra@uoguelph.ca>
In-Reply-To: <20151201232450.GI31314@zxy.spb.ru>
Subject: Re: NFSv4 details and documentations

Slawa Olhovchenkov wrote:
> On Tue, Dec 01, 2015 at 04:56:24PM -0500, Rick Macklem wrote:
>
> > Slawa Olhovchenkov wrote:
> > > On Tue, Dec 01, 2015 at 08:41:46AM -0500, Rick Macklem wrote:
> > >
> > > > > > (Note that "host" here implies that the principal for the
> > > > > > host-based credential is "host@.". --> What is after the "="
> > > > > > above is what is before the "@" in the host based principal
> > > > > > name.)
> > > > > > Then system operations are done as nobody, but users are done as
> > > > > > that user (they need
> > > > >
> > > > > This is strange. I mount (by automount) as:
> > > > >
> > > > > /NFS -nfsv4,intr,soft,sec=krb5i,gssname=host storage01:/
> > > > >
> > > > I'd recommend that you never use "intr" or "soft" on NFSv4 mounts.
> > > > (It's somewhere in a man page and basically if you use these and an
> > > > RPC that does locking times out, you break the locking horribly.)
> > >
> > > W/o "intr" and "soft" I can get a stale mount and process (till
> > > reboot). These are production servers and this is unacceptable. Correct
> > > locking is least important for me; as a last resort I do `umount -f`
> > >
> > When I was a sysadmin, I just made sure my NFS server stayed up and the
> > network fabric was stable. I never recall having a problem using "hard"
> > mounts.
> >
> > But I agree it is a tradeoff. If you don't need file locking visible
> > across multiple clients, use nfsv3,nolockd and intr if it works for you.
>
> Yes, my experience (with soft, intr) is from nfsv3.
> But (for me) nfsv4 benefits from not requiring identical numeric UIDs
> across all systems and from supporting file attributes.
> And, perhaps, limitless (by file size), better mapping of nobody (nfsv3
> on zfs maps nobody to 4294967294)
>
NFSv3 is stateless, which means each RPC is independent and the server
doesn't need to "remember anything" about previous RPCs. (A repeat of the
same RPC can result in undesired outcomes, so the DRC was invented to try
and avoid the same RPC being done multiple times on a server, but that was
an implementation issue and not a protocol requirement.)

NFSv4 is stateful. It keeps track of Opens (a form of Windows lock done when
a file is opened) and byte range locks. It requires strict sequencing of
these operations. If you have an RPC fail due to timeout, this sequencing is
broken and the results will be nasty errors from the server like
NFS4ERR_BAD_SEQID. Since the client has no way to fix a bad seqid, it needs
to be avoided.

Since every file open is a form of "lock", the problem still exists even if
the client never does byte range locks.
--> Using "intr" or "soft" will break the mount sooner or later and all that
can be done is a umount/mount to fix it. (That's why I recommend "umount -f"
if you have to.)

> > If you need file locking to work and be visible across multiple clients,
> > then the tradeoff is a hung system if your NFS server fails or your
> > network fabric is flakey. (Do you want file locking to work, but only
> > when things are running smoothly?)
>
> I don't need locking specifically, only indirectly (for example: svn
> etc.). I plan to use it as my (and other people's) roaming $HOME.
>
> > You can use "umount -f" but I will admit you can get stuck. If you do a
> > "umount" without "-f" the mount point gets locked and "umount -f" doesn't
> > work.
>
> Currently (w/o using file locks) "umount -f" works on a busy (but not
> stuck) file system.
>
> > I, for one, do not believe that NFSv4 is a replacement for NFSv3. It is a
> > very different protocol (some say "NFS in name only") and fills a
> > different somewhat overlapping solution space.
>
> What do you mean by "replacement"? "drop-in but better"?
> Or better compliance with my requirements?
>
Some would see NFSv4 as the next version of NFS, just like FreeBSD-10 is the
next version of FreeBSD after FreeBSD-9. I see NFSv3 vs NFSv4 as more a "UFS
vs ZFS" situation. Both UFS and ZFS have their advantages and disadvantages
and choosing one vs the other is a tradeoff, although either can be used for
local FreeBSD file storage.
So, I guess I'd say "Or better compliance with my requirements".

> > > > Getting a home directory to work is harder than it should be and I
> > > > don't even know how to make it work, because I haven't done it.
> > > > The login must do a "kinit" so the user has access to the volume
> > > > and I don't know how to set FreeBSD up to do the kinit as a part of
> > > > the login. It also must be done early enough in the login, so that
> > > > it happens before any access to the home dir is attempted.
> > > > (To be honest, unless there is a way to do this in FreeBSD, you
> > > > can forget about Kerberized NFS mounts for home dirs.)
> > >
> > > First access to the home directory is done as root, not as the user.
> > That's going to be a problem. I'm not sure how that will work unless
> > the access as root can be done by "nobody". Normally it is assumed
> > that a user accesses files on the NFS mount as that user.
> > (ie. This just might not be doable unless you get rid of the
> > access as root during the login.)
> >
> > > After root access, the ticket is created in /tmp/krb5cc_UID and home
> > > is successfully accessed.
> > >
> > > > I would start by testing a mount that isn't a home directory, so you
> > > > can log into the machine (home dir not Kerberized NFS mounted) and
> > > > then the user can "kinit" and then "cd /kerberized/mount" and see
> > > > if it works.
> > > > --> Once that works, I don't know how to do the rest.
> > > > (I'm an NFS guy, not a Kerberos one.;-)
> > > >
> > > > Also, I don't know what effect having sshd etc running as root will
> > > > be, since they will then be seen as running by "nobody" on the server.
> > >
> > > As a last resort I can export with -maproot=root.
> > >
> > I don't think this works as you'd expect. The server doesn't see "root"
> > as the principal for the host-based credential in the keytab file.
>
> > To be seen as "root" on the server:
> > - I think you need a root@YOUR.REALM user principal in your KDC.
>
> No.
>
> > - The client must "kinit" this to get a TGT in /tmp/krb5cc_0.
>
> I can do it by using the host principal. Kerberos only accepts a ticket by
> checking that it decrypts correctly, i.e. I can get a TGT for
> host/`hostname` and, because I do it from the root account, it is placed in
> /tmp/krb5cc_0.
>
Yes, but the server will see the "principal name" and not a uid of 0. It
will then choose to map that "principal name" to the uid for "nobody".
(Essentially the gssd on the NFS server will get the principal name
"host/'hostname'". Then it will getpwnam() for that, which will fail and it
will assign the uid for "nobody".)

> > - You can create a keytab entry for root@YOUR.REALM and "kinit -k"
> > it, I think?
>
> No, host/`hostname` is enough.
>
This will get you a credential, but that credential won't be "root" on the
server as far as I know. The main use in NFSv4 is for the protocol's
"administrative operations" for things like renewing lock leases. The NFSv4
server simply requires that the principal name is the same one used when the
first lock state was acquired.
(ie. The NFSv4 server uses the principal name like "host" and doesn't turn
it into "root". It does turn it into the uid for "nobody" for a credential
when used to access files, etc. It really isn't intended to be used to
access files etc, but the code does fall back to "nobody" so it works for
"world access".)

If "nobody" is sufficient, then it will work.

> > --> Most would consider putting a keytab entry in /etc/krb5.keytab for
> > "root" too large a security risk, but maybe it's ok for your environment.
> > (Someone could move the keytab entry to another machine and it would
> > still work.)
> > (You mentioned doing something like this in your crontab.)
>
> "kinit -k host/`hostname`" as root creates a TGT in /tmp/krb5cc_0 obtained
> for the host/`hostname` principal. Now /tmp/krb5cc_0 may be used by gssd
> where root (system daemons) tries to access some files.
> I see this mapped to nobody on the server side, but this is acceptable for
> my current use -- checking sshd .k5login and other files in $HOME.
>
> > Btw, you can use Kerberos with NFSv3. It works about the same and doesn't
> > require a host-based credential in /etc/krb5.keytab. It does require that
> > the login do "kinit" before attempting to access the home dir.
>
> I don't see why NFSv3 must be distinct from NFSv4.
> I also need some ticket for root for accessing files from sshd as
> root, right?
>
> > > > > I avoid this by "kinit -k host/`hostname`" in crontab and a
> > > > > startup script, but maybe gssd is best for this functionality?
> > > > >
> > > > Shouldn't matter. "gssd -h" does exactly the same stuff as "kinit -k".
> > > > (I wrote the code essentially cloning what "kinit -k" did.)
> > >
> > > For mount only, not for root access from sshd, as I see.
> > >
> > Yes, for Kerberos root access, I think you will need "root@YOUR.REALM" in
> > your KDC and need to kinit for that.
>
> For root access as root on server side.
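The sequencing problem described in this message, as a simplified model added to this archive (not FreeBSD's NFS code): one open-owner whose requests the server executes only at the next seqid, replaying its cached reply for a duplicate and rejecting anything else, as NFSv4.0 (RFC 7530) specifies. The class and function names are hypothetical, and a "soft"/"intr" mount is modelled as a client that abandons an RPC after one timeout.

```python
"""Added illustration: NFSv4.0 seqid sequencing and an abandoned RPC."""

NFS4_OK = "NFS4_OK"
NFS4ERR_BAD_SEQID = "NFS4ERR_BAD_SEQID"
TIMEOUT = "TIMEOUT"      # client-side outcome, never sent by the server


class Server:
    def __init__(self):
        self.last_seqid = 0   # seqid of the last request that was executed
        self.cached = None    # reply to that request, kept for retransmits
        self.applied = []     # operations that actually changed server state

    def handle(self, seqid, op):
        if seqid == self.last_seqid + 1:             # next in sequence
            self.applied.append(op)
            self.last_seqid = seqid
            self.cached = (NFS4_OK, op)
            return self.cached
        if seqid == self.last_seqid and self.cached:  # duplicate: replay
            return self.cached
        return (NFS4ERR_BAD_SEQID, op)                # anything else


def transmit(server, seqid, op, lose=None):
    """One RPC attempt; returns None when the client sees a timeout.
    lose="request": never reaches the server.
    lose="reply":   executed by the server, but the answer is dropped."""
    if lose == "request":
        return None
    reply = server.handle(seqid, op)
    return None if lose == "reply" else reply


class Client:
    def __init__(self, server, hard, advance_on_timeout):
        self.server, self.hard = server, hard
        self.advance_on_timeout = advance_on_timeout
        self.seqid = 1
        self.believes_open = []

    def open(self, name, lose=None):
        op = "OPEN " + name
        reply = transmit(self.server, self.seqid, op, lose)
        if reply is None and self.hard:
            # Hard mount: retransmit the identical request until answered.
            reply = transmit(self.server, self.seqid, op)
        if reply is None:
            # soft/intr: the RPC is abandoned and the client has to guess
            # whether the server consumed this seqid.
            if self.advance_on_timeout:
                self.seqid += 1
            return TIMEOUT
        if reply[0] == NFS4_OK:
            self.seqid += 1
            self.believes_open.append(name)
        return reply[0]


def run(hard, lose, advance_on_timeout=False):
    """OPEN a (with a loss), then OPEN b; report both results and whether
    client and server still agree on which files are open."""
    server = Server()
    client = Client(server, hard, advance_on_timeout)
    first = client.open("a", lose=lose)
    second = client.open("b")
    in_sync = ["OPEN " + n for n in client.believes_open] == server.applied
    return first, second, in_sync


if __name__ == "__main__":
    for hard, lose, adv in [(True, "request", False), (True, "reply", False),
                            (False, "request", True), (False, "request", False),
                            (False, "reply", True), (False, "reply", False)]:
        print("hard" if hard else "soft", lose, "advance" if adv else "reuse",
              run(hard, lose, adv))
```

Of the four soft-mount outcomes only one leaves the mount healthy, and the client cannot tell a lost request from a lost reply, so neither guess about the seqid is safe.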
From owner-freebsd-hackers@freebsd.org Wed Dec 2 07:10:08 2015
Date: Wed, 2 Dec 2015 02:04:53 -0500 (EST)
From: Benjamin Kaduk
To: Rick Macklem
cc: hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
In-Reply-To: <1162872124.114408327.1449007978859.JavaMail.zimbra@uoguelph.ca>

On Tue, 1 Dec 2015, Rick Macklem wrote:

> Are you able to explain how sshd is configured to do a kinit for the
> user as they ssh into a machine?

I had been planning to say something when I caught up on the thread, yes.

Slawa and I have a pre-existing disagreement about the nature of "single
sign-on" and how kerberos should "most properly" be used, but in the case
where one is planning to type one's kerberos password into sshd and
authenticate to the system, pam_krb5 should suffice. We use AFS at MIT,
not NFS, but still have network homedirs that require kerberos tickets for
authentication, so we combine pam_krb5 and pam_afs_session to do the
necessary authentication. Unfortunately, I never got the time to properly
port that setup from Linux to FreeBSD, so I don't have direct experience
with FreeBSD pam configuration for such a setup.

There is still the limitation that things like .k5login must be
world-readable in order for the login to work, which as I understand it is
acceptable for Slawa.

I'm not sure what the ordering is between pam and whatever part of the
login stack would be actually mounting the home directories, though.
Perhaps Slawa has some insight.
-Ben

Date: Wed, 2 Dec 2015 13:07:08 +0300
From: Slawa Olhovchenkov
To: Benjamin Kaduk
Cc: Rick Macklem, hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
Message-ID: <20151202100708.GJ31314@zxy.spb.ru>

On Wed, Dec 02, 2015 at 02:04:53AM -0500, Benjamin Kaduk wrote:
> On Tue, 1 Dec 2015, Rick Macklem wrote:
>
> > Are you able to explain how sshd is configured to do a kinit for the
> > user as they ssh into a machine?
>
> I had been planning to say something when I caught up on the thread, yes.
>
> Slawa and I have a pre-existing disagreement about the nature of "single
> sign-on" and how kerberos should "most properly" be used, but in the case
> where one is planning to type one's kerberos password into sshd and
> authenticate to the system, pam_krb5 should suffice. We use AFS at MIT,
> not NFS, but still have network homedirs that require kerberos tickets for
> authentication, so we combine pam_krb5 and pam_afs_session to do the
> necessary authentication. Unfortunately, I never got the time to properly
> port that setup from Linux to FreeBSD, so I don't have direct experience
> with FreeBSD pam configuration for such a setup.

FreeBSD's sshd uses thread emulation by fork; as a result, the Kerberos token
got at pam_krb5:auth can't be accessed at pam_krb5:session (for
writing in /tmp/krb5cc_UID). Recompiling with
-DUNSUPPORTED_POSIX_THREADS_HACK resolves this issue (and I can log in
with a Kerberos password to a host with kerberized NFSv4 and, w/o
additional kinit or password, sshd to another host).

DES is against UNSUPPORTED_POSIX_THREADS_HACK, but I am unable to follow
his (PAM can change the locale setting? OK, this is legal by my
understanding of PAM -- PAM is designed for this. A vulnerability in PAM?
In any case, PAM runs as root and is not chrooted).

> There is still the limitation that things like .k5login must be
> world-readable in order for the login to work, which as I understand it is
> acceptable for Slawa.
>
> I'm not sure what the ordering is between pam and whatever part of the
> login stack would be actually mounting the home directories, though.
> Perhaps Slawa has some insight.

I use autofs (automount) for this.

Date: Wed, 2 Dec 2015 12:02:43 +0100
From: Joerg Sonnenberger
To: freebsd-hackers@freebsd.org, hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
Message-ID: <20151202110243.GA17480@britannica.bec.de>

On Wed, Dec 02, 2015 at 01:07:08PM +0300, Slawa Olhovchenkov wrote:
> FreeBSD's sshd uses thread emulation by fork; as a result, the Kerberos token
> got at pam_krb5:auth can't be accessed at pam_krb5:session (for
> writing in /tmp/krb5cc_UID). Recompiling with
> -DUNSUPPORTED_POSIX_THREADS_HACK resolves this issue (and I can log in
> with a Kerberos password to a host with kerberized NFSv4 and, w/o
> additional kinit or password, sshd to another host).

Please try UsePrivilegeSeparation=no instead. The pthread hack should
just die completely.

Joerg

Date: Wed, 2 Dec 2015 14:23:15 +0300
From: Slawa Olhovchenkov
To: freebsd-hackers@freebsd.org, hackers@freebsd.org
Subject: Re: NFSv4 details and documentations
Message-ID: <20151202112315.GK31314@zxy.spb.ru>

On Wed, Dec 02, 2015 at 12:02:43PM +0100, Joerg Sonnenberger wrote:
> On Wed, Dec 02, 2015 at 01:07:08PM +0300, Slawa Olhovchenkov wrote:
> > FreeBSD's sshd uses thread emulation by fork; as a result, the Kerberos token
> > got at pam_krb5:auth can't be accessed at pam_krb5:session (for
> > writing in /tmp/krb5cc_UID). Recompiling with
> > -DUNSUPPORTED_POSIX_THREADS_HACK resolves this issue (and I can log in
> > with a Kerberos password to a host with kerberized NFSv4 and, w/o
> > additional kinit or password, sshd to another host).
>
> Please try UsePrivilegeSeparation=no instead. The pthread hack should
> just die completely.

Doesn't work and can't work. pthread/thread fork emulation is
foreign to privilege separation.
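
The effect discussed in this exchange, as an added example that is not part of any message in the thread and not code from OpenSSH or pam_krb5: state a module keeps in memory during its auth phase is invisible to the session phase when the "thread" is really a forked process, and visible when it is a real thread. The struct, the function names and the sample cache string are hypothetical.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the data a PAM module keeps between its
 * auth and session phases (what pam_set_data() would hold). */
struct module_data {
    int  have_creds;
    char ccache[64];            /* constructed sample value, not a ticket */
};

static struct module_data handle_data;

/* "auth" phase: obtains credentials and keeps them only in memory. */
static void *auth_phase(void *unused)
{
    (void)unused;
    handle_data.have_creds = 1;
    snprintf(handle_data.ccache, sizeof handle_data.ccache,
             "MEMORY:sample-tgt-uid-%d", 1001);
    return NULL;
}

/* "session" phase: would write the cache to /tmp/krb5cc_UID.
 * Returns 1 if the credentials from the auth phase are visible. */
static int session_phase(void)
{
    return handle_data.have_creds && handle_data.ccache[0] != '\0';
}

/* Thread emulation by fork: auth runs in a child process, which works on
 * a copy of the address space. Returns what the session phase sees in the
 * parent (0 or 1), or -1 on error. */
int run_auth_in_forked_child(void)
{
    pid_t pid;
    int status;

    memset(&handle_data, 0, sizeof handle_data);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        auth_phase(NULL);
        /* Report only success or failure, as an exit status would. */
        _exit(handle_data.have_creds ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;              /* auth itself failed */
    /* Auth succeeded in the child, but its memory is gone with it. */
    return session_phase();
}

/* Real thread: auth runs in the same address space as the session phase.
 * Returns what the session phase sees (0 or 1), or -1 on error. */
int run_auth_in_thread(void)
{
    pthread_t tid;

    memset(&handle_data, 0, sizeof handle_data);
    if (pthread_create(&tid, NULL, auth_phase, NULL) != 0)
        return -1;
    if (pthread_join(tid, NULL) != 0)
        return -1;
    return session_phase();
}

int main(void)
{
    printf("auth in forked child: session sees credentials = %d\n",
           run_auth_in_forked_child());
    printf("auth in real thread:  session sees credentials = %d\n",
           run_auth_in_thread());
    return 0;
}
```

Build with `cc -pthread`. In the fork case the child reports a successful auth through its exit status, yet the parent's copy of the data is still empty.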

Date: Wed, 2 Dec 2015 12:39:00 -0500
From: Joe Nosay
To: FreeBSD PowerPC ML, Eric Oyen, FreeBSD Hackers, freebsd-advocacy@freebsd.org, "www@openbsd.org", Bill Buros, vinux-support@googlegroups.com, "SELCommunityAffairs@am.sony.com", SCA_CSR@sonyusa.com, "qemu-ppc@nongnu.org", Torfinn Ingolfsen, Debian powerpc Mailinglist, Juergen Lock, outro.pessoa@gmail.com, Paul Davis, team@powerpc-notebook.org
Subject: A proposal and a challenge

I know that everyone is familiar with the one laptop per child program;
and, that is good. Let's take it one step further. The debian team wants to
build a powerpc laptop. FreeBSD is working on the POWER8 with the PPC team.
The problem is convincing IBM to publicly open the CPU for a good purpose.
What's the sales pitch? Let it be for education.
Four operating systems on a single machine - the apm layout is capable of
doing it with a boot, main, and swap. That's only twelve spaces used.
Yes, it can be concentrated down to 64 GB.
What can be done with it?
It's a POWER machine, load-store, learn.
64 bit. How many free registers usually? About five? Yes?
Enough for one application. Two would do for the application and system.
Let's make it real. Two chips. Four processors each.
Running about 2.0 to 2.25 GHz.
Let the kernel match that. Debian at 1Khz - unless someone can do a patch
to make the kernel go the necessary mile.
Open and Net BSD have their own thing; so, this is for FreeBSD for the
kernel rate. Latency should match frequency.
GRUB should be able to handle four options on a screen.

Oh, Open graphics and sound.
Accessibility. Development. Creativity.
Show it.

Let them know what it can do.

Sound. Music.

Art. Design.

Programming.

Let them see it from the start to finish.

Make it affordable.

For students, children, people to learn.

All of you can do this.

Why not me?

I am not able to afford it.

Yet, the rest of you are able to do such.

It will pay for itself and you know it.

Don't reply, just think on it.

You know my requirements: Don't pay me, just do it.

And respect.

Ladies and gentlemen, thank you for taking the time to read this.
Enjoy life.

Date: Wed, 2 Dec 2015 14:05:53 -0500
From: "Lennart Sorensen"
To: Joe Nosay
Subject: Re: A proposal and a challenge
Message-ID: <20151202190553.GC25177@csclub.uwaterloo.ca>

On Wed, Dec 02, 2015 at 12:39:00PM -0500, Joe Nosay wrote:
> I know that everyone is familiar with the one laptop per child program;
> and, that is good. Let's take it one step further. The debian team wants to
> build a powerpc laptop. FreeBSD is working on the POWER8 with the PPC team.
> The problem is convincing IBM to publicly open the CPU for a good purpose.
> What's the sales pitch? Let it be for education.

Do you know what the power consumption of a POWER8 chip is?

> Four operating systems on a single machine - the apm layout is capable of
> doing it with a boot, main, and swap. That's only twelve spaces used.
> Yes, it can be concentrated down to 64 GB.
> What can be done with it?
> It's a POWER machine, load-store, learn.

ARM and MIPS are load-store machines too, and usually much cheaper and
more power friendly. Sure powerpc has 32 registers and arm only has 16,
but so what? That's what each core has and many things have multiple
cores these days. Mips has 32 as well.

> 64 bit. How many free registers usually? About five? Yes?
> Enough for one application. Two would do for the application and system.
> Let's make it real. Two chips. Four processors each.
> Running about 2.0 to 2.25 GHz.

ARM chips certainly exist that are 64bit and run that kind of speeds.
Not sure what speeds mips are at these days but it has had 64bit
versions for a long time.

> Let the kernel match that. Debian at 1Khz - unless someone can do a patch
> to make the kernel go the necessary mile.
> Open and Net BSD have their own thing; so, this is for FreeBSD for the
> kernel rate. Latency should match frequency.

I have no idea what BSD has to do with this, but then again I am not
sure what you are even trying to describe. Besides have you heard of kvm?
Virtual machines are a commodity these days and simple to do.

> GRUB should be able to handle four options on a screen.
>
> Oh, Open graphics and sound.
> Accessibility. Development. Creativity.
> Show it.
>
> Let them know what it can do.
>
> Sound. Music.
>
> Art. Design.
>
> Programming.
>
> Let them see it from the start to finish.
>
>
> Make it affordable.
>
> For students, children, people to learn.
>
> All of you can do this.
>
> Why not me?
>
> I am not able to afford it.
>
> Yet, the rest of you are able to do such.
>
> It will pay for itself and you know it.

Well OLPC certainly seems to have been a flop done by someone without
a clue what actual problems needed to be solved.

> Don't reply, just think on it.
>
> You know my requirements: Don't pay me, just do it.
>
>
> And respect.
>
>
>
> Ladies and gentlemen, thank you for taking the time to read this.
> Enjoy life.

I wish it had made sense what I read, but it did not.

--
Len Sorensen

Date: Thu, 3 Dec 2015 12:25:15 +0100 (CET)
From: Wojciech Puchar
To: Joe Nosay
Subject: Re: A proposal and a challenge

> I know that everyone is familiar with the one laptop per child program;
> and, that is good.

Really? Poor children, make them poorer.

Date: Thu, 3 Dec 2015 09:44:17 -0500
From: Nemo
To: Joe Nosay
Subject: Re: A proposal and a challenge

On 2 December 2015 at 12:39, Joe Nosay wrote (in part):
> The problem is convincing IBM to publicly open the CPU for a good purpose.

OpenPower, perhaps?

N.

Date: Fri, 4 Dec 2015 18:31:13 +0200
From: Daniel Braniss
To: freebsd-arm, freebsd-hackers@FreeBSD.org
Subject: cross compiling
Message-Id: <4E33BE7E-5443-438A-A45C-04B4B90528F9@cs.huji.ac.il>

Hi,
I can cross compile for armv6 (raspberry Pi B), and I do get a working version, and till about July, I was
able to cross compile a module doing something like this:
	$ cd $SRC
	$ make kernel-toolchain TARGET_ARCH=armv6
	$ make buildenv TARGET_ARCH=armv6 BUILDENV_SHELL=/usr/local/bin/shell
	$ cd
	$ make

but today, after a fresh svn update of current, I get:

Warning: Object directory not changed from original /a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc
cc -O -pipe -mfloat-abi=softfp -DMFRC_DEBUG=8 -Werror -D_KERNEL -DKLD_MODULE -nostdinc -I/a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc/../.. -I. -I@ -I@/contrib/altq -fno-common -ffreestanding -c /a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc/../../dev/mfrc/mfrc.c -o mfrc.o
cc: error: argument unused during compilation: '-mfloat-abi=softfp'
*** Error code 1

so, what magic am I missing?

Date: Fri, 4 Dec 2015 09:33:05 -0700
From: Warner Losh
To: Daniel Braniss
Cc: freebsd-arm, freebsd-hackers@FreeBSD.org
Subject: Re: cross compiling
In-Reply-To: <4E33BE7E-5443-438A-A45C-04B4B90528F9@cs.huji.ac.il>

> On Dec 4, 2015, at 9:31 AM, Daniel Braniss wrote:
>
> Hi,
> I can cross compile for armv6 (raspberry Pi B), and I do get a working version, and till about July, I was
> able to cross compile a module doing something like this:
> 	$ cd $SRC
> 	$ make kernel-toolchain TARGET_ARCH=armv6
> 	$ make buildenv TARGET_ARCH=armv6 BUILDENV_SHELL=/usr/local/bin/shell
> 	$ cd
> 	$ make
>
> but today, after a fresh svn update of current, I get:
>
> Warning: Object directory not changed from original /a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc
> cc -O -pipe -mfloat-abi=softfp -DMFRC_DEBUG=8 -Werror -D_KERNEL -DKLD_MODULE -nostdinc -I/a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc/../.. -I. -I@ -I@/contrib/altq -fno-common -ffreestanding -c /a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc/../../dev/mfrc/mfrc.c -o mfrc.o
> cc: error: argument unused during compilation: '-mfloat-abi=softfp'
> *** Error code 1
>
> so, what magic am I missing?

What does which cc say?

Warner

Date: Fri, 4 Dec 2015 19:39:16 +0200
From: Daniel Braniss
To: Warner Losh
Cc: freebsd-arm, freebsd-hackers@FreeBSD.org
Subject: Re: cross compiling

> On 4 Dec 2015, at 6:33 PM, Warner Losh wrote:
>
>>
>> On Dec 4, 2015, at 9:31 AM, Daniel Braniss wrote:
>>
>> Hi,
>> I can cross compile for armv6 (raspberry Pi B), and I do get a working version, and till about July, I was
>> able to cross compile a module doing something like this:
>> 	$ cd $SRC
>> 	$ make kernel-toolchain TARGET_ARCH=armv6
>> 	$ make buildenv TARGET_ARCH=armv6 BUILDENV_SHELL=/usr/local/bin/shell
>> 	$ cd
>> 	$ make
>>
>> but today, after a fresh svn update of current, I get:
>>
>> Warning: Object directory not changed from original /a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc
>> cc -O -pipe -mfloat-abi=softfp -DMFRC_DEBUG=8 -Werror -D_KERNEL -DKLD_MODULE -nostdinc -I/a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc/../.. -I. -I@ -I@/contrib/altq -fno-common -ffreestanding -c /a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc/../../dev/mfrc/mfrc.c -o mfrc.o
>> cc: error: argument unused during compilation: '-mfloat-abi=softfp'
>> *** Error code 1
>>
>> so, what magic am I missing?
>
> What does which cc say?
>
the host I use to cross compile is running 10.1, /usr/bin/cc
but I also tried CC=clang

there is another error, which appeared before, and I solve it by setting MK_FORMAT_EXTENSIONS=no
(without it, it complains … malformed conditional (${MK_FORMAT_EXTENSIONS) == “no”)

> Warner
References: <4E33BE7E-5443-438A-A45C-04B4B90528F9@cs.huji.ac.il>
Date: Fri, 4 Dec 2015 22:32:17 -0700
Subject: Re: cross compiling
From: Warner Losh
To: Daniel Braniss
Cc: freebsd-arm, "freebsd-hackers@freebsd.org"

On Fri, Dec 4, 2015 at 10:39 AM, Daniel Braniss wrote:

> On 4 Dec 2015, at 6:33 PM, Warner Losh wrote:
>
> On Dec 4, 2015, at 9:31 AM, Daniel Braniss wrote:
>
> Hi,
> I can cross compile for armv6 (raspberry Pi B), and I do get a working
> version, and till about July, I was
> able to cross compile a module doing something like this:
> $ cd $SRC
> $ make kernel-toolchain TARGET_ARCH=armv6
> $ make buildenv TARGET_ARCH=armv6 BUILDENV_SHELL=/usr/local/bin/shell
> $ cd
> $ make
>
> but today, after a fresh svn update of current, I get:
>
> Warning: Object directory not changed from original
> /a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc
> cc -O -pipe -mfloat-abi=softfp -DMFRC_DEBUG=8 -Werror -D_KERNEL
> -DKLD_MODULE -nostdinc
> -I/a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc/../..
> -I. -I@ -I@/contrib/altq -fno-common -ffreestanding -c
> /a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc/../../dev/mfrc/mfrc.c
> -o mfrc.o
> cc: error: argument unused during compilation: '-mfloat-abi=softfp'
> *** Error code 1
>
> so, what magic am I missing?
>
>
> What does which cc say?
>
> the host I use to cross compile is running 10.1,
>
> /usr/bin/cc
>
> but I also tried CC=clang
> there is another error, which appeared before, and I solve it by setting
> MK_FORMAT_EXTENSIONS=no
> (without which it complains … malformed conditional (${MK_FORMAT_EXTENSIONS)
> == “no”)
>
>

If which cc returns /usr/bin/cc, then you haven't built the toolchain.

Warner

From owner-freebsd-hackers@freebsd.org Sat Dec 5 09:06:43 2015
Subject: Re: cross compiling
From: Daniel Braniss
Date: Sat, 5 Dec 2015 11:06:33 +0200
Cc: freebsd-arm, "freebsd-hackers@freebsd.org"
Message-Id: <9BF2F5EC-E6B6-4E35-B637-389A571A8687@cs.huji.ac.il>
References: <4E33BE7E-5443-438A-A45C-04B4B90528F9@cs.huji.ac.il>
To: Warner Losh

> On 5 Dec 2015, at 7:32 AM, Warner Losh wrote:
>
>
> On Fri, Dec 4, 2015 at 10:39 AM, Daniel Braniss wrote:
>
>> On 4 Dec 2015, at 6:33 PM, Warner Losh wrote:
>>
>>>
>>> On Dec 4, 2015, at 9:31 AM, Daniel Braniss wrote:
>>>
>>> Hi,
>>> I can cross compile for armv6 (raspberry Pi B), and I do get a working version, and till about July, I was
>>> able to cross compile a module doing something like this:
>>> $ cd $SRC
>>> $ make kernel-toolchain TARGET_ARCH=armv6
>>> $ make buildenv TARGET_ARCH=armv6 BUILDENV_SHELL=/usr/local/bin/shell
>>> $ cd
>>> $ make
>>>
>>> but today, after a fresh svn update of current, I get:
>>>
>>> Warning: Object directory not changed from original /a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc
>>> cc -O -pipe -mfloat-abi=softfp -DMFRC_DEBUG=8 -Werror -D_KERNEL -DKLD_MODULE -nostdinc -I/a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc/../.. -I. -I@ -I@/contrib/altq -fno-common -ffreestanding -c /a/fr-05/vol/home/system/danny/src/FreeBSD/ARM/elc/sys/modules/mfrc/../../dev/mfrc/mfrc.c -o mfrc.o
>>> cc: error: argument unused during compilation: '-mfloat-abi=softfp'
>>> *** Error code 1
>>>
>>> so, what magic am I missing?
>>
>> What does which cc say?
>>
>
> the host I use to cross compile is running 10.1,
>
> /usr/bin/cc
>
> but I also tried CC=clang
> there is another error, which appeared before, and I solve it by setting MK_FORMAT_EXTENSIONS=no
> (without which it complains … malformed conditional (${MK_FORMAT_EXTENSIONS) == “no”)
>
>
> If which cc returns /usr/bin/cc, then you haven't built the toolchain.

ok, the problem is solved by setting BUILDING_SHELL=/bin/sh

there is still a small problem, apart from the MK_FORMAT issue, in my module directory, make …
symlinks @ and machine to /usr/src/ and /usr/src/sys/arm/include instead of the one from which buildenv was
launched, in my case /r+d/vanilla/11/src. setting it by hand gets me a working loadable module.

>
> Warner
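
The two checks this thread arrives at (cc must not resolve to the host's /usr/bin/cc, and the module directory's @ and machine symlinks must point into the tree buildenv was launched from) can be scripted before trusting the resulting module. This is an added example, not code from the thread or from FreeBSD; the function names are hypothetical and the link layout (@ -> <src>/sys, machine -> <src>/sys/<cpuarch>/include) is an assumption.

```shell
#!/bin/sh
# Added example. Assumed layout: "@" -> <src>/sys and
# "machine" -> <src>/sys/<cpuarch>/include. Function names are hypothetical.

# check_link LINK EXPECTED: succeed only if LINK is a symlink to EXPECTED.
check_link() {
    [ -L "$1" ] || { echo "MISSING $1"; return 1; }
    target=$(readlink "$1")
    target=${target%/}              # tolerate a trailing slash
    if [ "$target" = "${2%/}" ]; then
        echo "OK $1 -> $target"
    else
        echo "WRONG $1 -> $target (expected ${2%/})"
        return 1
    fi
}

# check_module_env MODDIR SRCROOT CPUARCH: both links must point into SRCROOT,
# otherwise the module is compiled against another tree's headers.
check_module_env() {
    rc=0
    check_link "$1/@" "$2/sys" || rc=1
    check_link "$1/machine" "$2/sys/$3/include" || rc=1
    return "$rc"
}

# classify_cc [PATH]: flag the host compiler. With no argument, resolve cc
# from the current PATH (i.e. the answer to "what does which cc say?").
classify_cc() {
    cc_path=${1:-$(command -v cc 2>/dev/null || true)}
    case "$cc_path" in
        "")          echo "NONE"; return 1 ;;
        /usr/bin/cc) echo "HOST $cc_path"; return 1 ;;
        *)           echo "OK $cc_path" ;;
    esac
}

# Typical use from the module directory inside the buildenv shell:
#   classify_cc && check_module_env . /r+d/vanilla/11/src arm
```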