Re: single user question
On 5/16/19 9:05 PM, James Huddle wrote:

> First of all, I must say that it is with genuine gratitude that I read your responses! Mov
>
> Probably the same reason that you would say "...I might trigger other people to say some rude things..." Often I feel that by merely stating my opinion, here, I have opened the door to the proverbial darkroom. Sorry! That, and a multi-user system has been the heart and cornerstone of Unix & co. for MILLENNIA. That's fine. But my laptop is not a 1985 VAX. I just think that pushing the idea forward of using the most popular multiuser OS in history - in single-user mode - might meet with a little friction.

I think this is where you are fatally confused.

> 2) Also, what is a "user"?
>
> Good question. I am a user. Someone who has hacked into my multi-user system as a different user is a user. And apparently, so is the cups daemon?

You are correct on the surface and very misled as to the underlying concept.

In Unixish parlance,

"single user" = a system running with no resource restrictions and all but the absolutely essential services and processes stopped

"multi user" = a system operating with normal division of privilege and resources and all normal services available.

A system in "single user" state is normally only accessed by one person, for a short time, to perform vital maintenance. In that state a mistake can destroy the system - even to make the system unrecoverable, a "brick".

A "user" in the context of [multiprocess] computing is a label for a set of privileges [access, execute, etc.] & resources [storage, etc.] It can be assigned to a person, a functionality, a condition, or many other concepts.

This restriction is vital for normal operation. Why? No program can be guaranteed to be perfect, and no person can be guaranteed to never make a mistake. By restricting what can be done by a process or a person in a given situation, the consequences of an error, a bug, or a deliberate intrusion can be minimized.

In order to be useful, your laptop must perform many tasks invisibly and concurrently. To promote reliable operation, each task [process, thread, etc] is assigned resources and privileges. We hope that the set assigned to each is sufficient but does not allow destruction [overwriting, renaming, etc.] of resources necessary to other tasks or exposure of secrets.

The CUPS daemon can delete files. Do you want it to be able to delete ANY file? It is given an identity [set of resources and privileges] to print and otherwise manage ONLY the files YOU give it.

You can delete files. Do you want to be able to accidentally delete ANY file? Or do you want to be able to write-protect some of them?

A prime example of a "single user" system according to your definition is MSDOS. No restrictions on anything. How reliable is/was it?

A server may ordinarily have no people sitting at a console connected to the machine. It may have hundreds or thousands of different identities requesting service, none of which should be able to affect any other. So it, by custom parlance, has hundreds of users.

You probably don't want to run your laptop in Unixish "single user" since most of the services (graphics, networking, Bluetooth, etc.) are not available and a simple typing error can erase every file on the system.

I hope this brings you to an understanding of what the convention of "single user" and "multi user" mean and why running, for instance, your laptop in "single user" mode would make it useless for you.

geoff steckel
Re: need docs about udp buffer size
16.05.2019 16:51, Claudio Jeker wrote:

> On Thu, May 16, 2019 at 12:18:53PM +0300, kasak wrote:
> > Hello! I have a little problem with my unbound:
> >
> > unbound: notice: sendto failed: No buffer space available
> >
> > I think, I should increase net.inet.udp.sendspace, but I don't really
> > understand what size do I need.
> >
> > Is there any information about calculating needed buffer space?
>
> It is probably not net.inet.udp.sendspace since that value only affects how big a packet you can send per UDP. The send buffer is only used to move the packet to the kernel and is empty after every send.
>
> Please check
> a) if there are any failures to allocate mbufs (netstat -m and vmstat -m) and
> b) interface errors (netstat -i)

I don't really know what all these numbers mean, netstat -m:

    749 mbufs in use:
        571 mbufs allocated to data
        97 mbufs allocated to packet headers
        81 mbufs allocated to socket names and addresses
    20/2232 mbuf 2048 byte clusters in use (current/peak)
    485/2565 mbuf 2112 byte clusters in use (current/peak)
    0/1080 mbuf 4096 byte clusters in use (current/peak)
    0/432 mbuf 8192 byte clusters in use (current/peak)
    0/112 mbuf 9216 byte clusters in use (current/peak)
    0/90 mbuf 12288 byte clusters in use (current/peak)
    0/64 mbuf 16384 byte clusters in use (current/peak)
    0/80 mbuf 65536 byte clusters in use (current/peak)
    9708/27000/524288 Kbytes allocated to network (current/peak/max)
    0 requests for memory denied
    0 requests for memory delayed
    0 calls to protocol drain routines

vmstat -m is pretty long. The one string that has "fail" counter is pfstate:

    pfstate 328 78561518 90858 11156 92096 90849 1247 4167 0 8 0

and here is netstat:

    em1 1500 68:05:ca:22:d8:d3 1671803452 128 2136354673 21 0
    em1 1500 172.16/12 gater 1671803452 128 2136354673 21 0

I have unbound bound to em1.

Does this mean something?
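
The checks requested in this exchange (mbuf allocation failures, pool failures, interface errors) can be scripted. The following is an added example, not part of the thread, run over lines copied from the output pasted in the message above; the column positions assumed for `vmstat -m` and `netstat -i` are stated in the comments.

```shell
#!/bin/sh
# Added example (not from the thread). The sample lines are copied from the
# output quoted in the message above; on a live system pipe in
# `netstat -m`, `vmstat -m` and `netstat -i` instead.

sample_netstat_m() {
cat <<'EOF'
749 mbufs in use:
485/2565 mbuf 2112 byte clusters in use (current/peak)
9708/27000/524288 Kbytes allocated to network (current/peak/max)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
EOF
}
sample_vmstat_pool() { echo 'pfstate 328 78561518 90858 11156 92096 90849 1247 4167 0 8 0'; }
sample_netstat_i() { echo 'em1 1500 68:05:ca:22:d8:d3 1671803452 128 2136354673 21 0'; }

# netstat -m on stdin -> "denied delayed drains peak_percent_of_max"
mbuf_summary() {
    awk '/requests for memory denied/  { denied = $1 }
         /requests for memory delayed/ { delayed = $1 }
         /calls to protocol drain/     { drains = $1 }
         /Kbytes allocated to network/ { split($1, kb, "/")   # current/peak/max
                                         pct = int(kb[2] * 100 / kb[3]) }
         END { printf "%d %d %d %d\n", denied, delayed, drains, pct }'
}

# vmstat -m pool rows on stdin -> "name fail" for every pool with failures.
# Assumed column order: Name Size Requests Fail InUse ... (12 columns).
pool_failures() {
    awk 'NF == 12 && $4 ~ /^[0-9]+$/ && $4 > 0 { print $1, $4 }'
}

# netstat -i rows on stdin -> "ifname input_errors output_errors".
# Counts are read from the end of the row (assumed order: packets in,
# errors in, packets out, errors out, collisions) because the Network
# column is missing from the first pasted row.
if_errors() {
    awk 'NF >= 7 && $NF ~ /^[0-9]+$/ { print $1, $(NF-3), $(NF-1) }'
}

report() {
    echo "mbuf: $(sample_netstat_m | mbuf_summary)"
    echo "pool: $(sample_vmstat_pool | pool_failures)"
    echo "if:   $(sample_netstat_i | if_errors)"
}
report
```

On the pasted data this reports no denied or delayed mbuf requests, a non-zero failure count for the pfstate pool, and non-zero error counters on em1.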
Re: single user question
First of all, I must say that it is with genuine gratitude that I read your responses! Moving on...

On Wed, May 15, 2019 at 3:05 PM James Huddle wrote:
>> What I am trying to do (thank you Troy Martin), is work through
>> the standard answers and missteps toward a more secure OS,
>> starting with OpenBSD and a flashlight. It is my humble opinion
>> that the optimal number of users for (say) a laptop is one.
>> And the optimal number for a server is zero. I doubt many would
>> agree with that assessment, but I'm looking for solutions, regardless.

>I'm going to try to phrase this politely, but I might trigger other
>people to say some rude things (not sure if they'll be aimed at
>myself, or not). Anyways... I have two hypothetical questions you
>should think about:

>1) Why do you doubt that many would agree with that assessment?

Probably the same reason that you would say "...I might trigger other people to say some rude things..." Often I feel that by merely stating my opinion, here, I have opened the door to the proverbial darkroom. Sorry! That, and a multi-user system has been the heart and cornerstone of Unix & co. for MILLENNIA. That's fine. But my laptop is not a 1985 VAX. I just think that pushing the idea forward of using the most popular multiuser OS in history - in single-user mode - might meet with a little friction.

>2) Also, what is a "user"?

Good question. I am a user. Someone who has hacked into my multi-user system as a different user is a user. And apparently, so is the cups daemon?

>If by "user" you mean "person", that leads to some lines of discussion.

>If by "user" you mean an integer value which appears under the label
>"user_id" (or some variant, such as perhaps "uid") in a C structure,
>that leads to other lines of discussion.

>If by "user" you mean a line in the /etc/passwd file which identifies
>a directory, that leads to yet other lines of discussion.

Although I have some understanding of the three discussions, I feel that the "interchangeable parts" philosophy, which works great for firearms technology, has created more problems than we should be willing to accept in 21st century computing. A user is *usually* a human, and might better be defined as an *owner*. Not to be confused with the thousands of visitors to a web site. In short, if I am sitting at my laptop, no other humans should be using my laptop at that time, without an arm-twisting amount of authentication and my conscious awareness of said "other person". Having a bunch of background processes doing human-user things blurs that equation, unfavorably, IMO.

...

>From skimming this thread, I don't think you mean any of those. But if
>no one knows what you mean, it doesn't really matter whether they
>agree or disagree with you.

Hope that helps. Weather's calling for rain. Fingers crossed.

-Jim

On Wed, May 15, 2019 at 4:47 PM Raul Miller wrote:

> On Wed, May 15, 2019 at 3:05 PM James Huddle
> wrote:
> > What I am trying to do (thank you Troy Martin), is work through
> > the standard answers and missteps toward a more secure OS,
> > starting with OpenBSD and a flashlight. It is my humble opinion
> > that the optimal number of users for (say) a laptop is one.
> > And the optimal number for a server is zero. I doubt many would
> > agree with that assessment, but I'm looking for solutions, regardless.
>
> I'm going to try to phrase this politely, but I might trigger other
> people to say some rude things (not sure if they'll be aimed at
> myself, or not). Anyways... I have two hypothetical questions you
> should think about:
>
> 1) Why do you doubt that many would agree with that assessment?
>
> 2) Also, what is a "user"?
>
> If by "user" you mean "person", that leads to some lines of discussion.
>
> If by "user" you mean an integer value which appears under the label
> "user_id" (or some variant, such as perhaps "uid") in a C structure,
> that leads to other lines of discussion.
>
> If by "user" you mean a line in the /etc/passwd file which identifies
> a directory, that leads to yet other lines of discussion.
>
> ...
>
> From skimming this thread, I don't think you mean any of those. But if
> no one knows what you mean, it doesn't really matter whether they
> agree or disagree with you.
>
> Thanks,
>
> --
> Raul
Re: NSD & Unbound refusing to bind to IPv6 when anycast flag set ?
> RFC3513 says this:
>
> o An anycast address must not be used as the source address of
> an IPv6 packet.
>
> o An anycast address must not be assigned to an IPv6 host, that
> is, it may be assigned to an IPv6 router only.
>
> And to help ensure this, the kernel denies binding to an address marked
> with the anycast flag (see netinet6/in6_pcb.c).
>
> This was obsoleted by RFC4291, including this change:
>
> o The restrictions on using IPv6 anycast addresses were removed because
> there is now sufficient experience with the use of anycast addresses,
> the issues are not specific to IPv6, and the GROW working group is
> working in this area.
>
> So I think this restriction can now be removed, at least with this
> change, but more might be needed
>

Certainly in my case the current OpenBSD situation represents a bit too much "nanny knows best".

My use-case is anycast DNS with NSD and Unbound. Both NSD and unbound provide config parameters that allow distinguishing between listen address and source address.

But then again, is there any real reason to use the anycast flag ? To make NSD and unbound work I reconfigured to remove the anycast flag from IPv6 addresses and nothing seems broken ?
Re: I want to use I2Pd on OpenBSD.
On Thu, May 16, 2019 at 1:36 AM wrote:
>
> I2P (Invisible Internet Protocol) is a universal anonymous network layer.
> Of course I2P (Java) already exists in packages.
>
> But I2P is a Java application and so big.
>
> While Java I2P and i2pd are both clients for the I2P network.
>
> i2pd has some big differences and advantages:
> i2pd is just a router which you can use with other software through I2CP
> interface.
> i2pd does not require Java. It's written in C++.
> i2pd consumes less memory and CPU.
> i2pd can be compiled everywhere gcc or clang is present (including
> Raspberry and routers).
> i2pd has some major optimizations for faster cryptography which leads to
> less consumption of processor time and energy.

Ok, so why don't you use it if it already works everywhere?

I don't think I understand your problem, or is this mostly an ad for I2Pd?
Re: productivity/khard (or python) seem slow
On Thu 16/05 08:55, Paco Esteban wrote:
> Hi Joel,
>
> On Wed, 15 May 2019, Joel Carnat wrote:
>
> > Hello,
> >
> > I've just set up vdirsync and khard to sync my addressbook from
> > nextcloud. It works but querying the local vcf is damn slow. I also
> > noticed that ranger felt a bit slow to start but thought it was the
> > software ; so I switched to nnn.
> >
> > # time (khard list | wc -l)
> > 112
> > 0m07.10s real 0m04.08s user 0m02.99s system
> >
> > Is this an issue with my VM (2 vCPU / 4GB RAM / 20GB SSD) or is Python
> > software just slow?
>
> Can't say about your VM. On my desktop:
>
> $ time (khard list | wc -l)
> 104
> ( khard list | wc -l; ) 0.51s user 0.25s system 97% cpu 0.779 total
>

Is this on OpenBSD ? The time output looks different.

Replaying the whole scenario on real hardware (ThinkPad X260), things are a little bit better. But not that fast.

    # time (khard list | wc -l)
    114
    0m02.49s real 0m01.35s user 0m01.06s system

Feels as slow as Firefox to start. Really annoying for a "simple" console application. It requires seconds to look for a contact when queried from Mutt.

> Ranger works just fine. It takes less than a second to start.

Ranger is also a bit better but not that much. About 1 or 2 seconds to launch. While top or mutt start nearly instantaneously.
Re: need docs about udp buffer size
On Thu, May 16, 2019 at 12:18:53PM +0300, kasak wrote:
> Hello! I have a little problem with my unbound:
>
> unbound: notice: sendto failed: No buffer space available
>
> I think, I should increase net.inet.udp.sendspace, but I don't really
> understand what size do I need.
>
> Is there any information about calculating needed buffer space?

It is probably not net.inet.udp.sendspace since that value only affects how big a packet you can send per UDP. The send buffer is only used to move the packet to the kernel and is empty after every send.

Please check
a) if there are any failures to allocate mbufs (netstat -m and vmstat -m) and
b) interface errors (netstat -i)

--
:wq Claudio
need docs about udp buffer size
Hello! I have a little problem with my unbound:

unbound: notice: sendto failed: No buffer space available

I think, I should increase net.inet.udp.sendspace, but I don't really understand what size do I need.

Is there any information about calculating needed buffer space?