Re: [CFT] packaging the base system with pkg(8)

[Gleb Kurtsou]

On (19/04/2016 13:36), Adrian Chadd wrote:
> It's cool. I have positive and negative reactions, and I'm totally
> happy to let people try it out at a larger scale and learn from
> mistakes.
> 
> Because, honestly - fuck it, we've been behind for too long. We need
> more mature tools and knowledge with this.
> 
> The irony of course is the people rolling out docker are doing it
> after finding that OS packages aren't the best granularity, but
> "whatever the package systems in the software stack we're using, and
> then tar the whole mess up and distribute it" method. Kinda like
> FreeBSD

It's close to the way I see the packaging issue..

Our use case may not be the most common one -- we sell software in 2U
form factor (hardware included) :) Once in a while one has to roll
updates for the base system as well as our firmware. Packages has never
been much of a help but rather another obstacle to deal with for me
personally and I bet for our support as well. The thing I care about
most is to have the same base system for all customers who have
installed updates. It's really hard to troubleshoot assuming that some
package updates might have failed for a customer. Distributing images
comes very handy in this situation.

Although packages are useful in development:
- Being able to install complete development environment into the base
  system (debug symbols, compilers).
- Installing updates on *dev* machines. Which I'd rather avoid for
  release builds. By having packages for both release and dev one would
  need to have release and dev package repositories.  Much like
  stable/unstable repositories in many linux distros. Revision control
  systems tend to be much better at this at much lower cost.  Being able
  to do 'make happyworld whatever' out of the box on dev machine as well
  as installing packages built by CI is huge improvement comparing to
  packaging as it's often done in linux.
- Keeping any package metadata up to date in dev is painful (version
  bump in most cases).

How do we intend to do base system package versioning? Is it going to be
the same version for all packages or do we intend to bump versions in
individual Makefiles? Sorry if it has been discussed already, I must
have missed it.

IMHO >700 hardly makes any sense. I see no point in having individual
package for each binary under /bin and .so. I'd rather tweak a couple
Makefiles to remove stuff I don't need. WITH_* options in src.conf could
be a great list of packages to start with. Having -doc and -include in
separate packages would be appreciated as well.
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Re: libc.so dependency on libssp_nonshared.a

[Gleb Kurtsou]

On (02/02/2015 17:06), Jeremie Le Hen wrote:
 Hi Gleb,
 On Sun, Feb 1, 2015 at 9:24 PM, Gleb Kurtsou g...@freebsd.org wrote:
  I came across some build issues in libc.so and SSP.
 
  libc.ldscript (aka libc.so) unconditionally includes 
  @@LIBDIR@@/libssp_nonshared.a
 
  libssp* are not built if WITHOUT_SSP defined.
 
  ObsoleteFiles.inc doesn't mention libssp*.
 
  Consider WITHOUT_SSP=yes case.  As soon as one does clean installworld
  and/or removes stale libssp_nonshared.a ld fails to link anything
  because of missing libssp_nonshared.a
 
 I think nowadays it would make sense to get it of WITHOUT_SSP
 altogether.  This will turn this into a non-issue.

Do you mean building libssp_nonshared unconditionally? It makes perfect
sense. The library is a single stub function.

By building libssp* conditionally we may expect that -fstack-protector
complier option won't work. I wasn't able to reproduce this potential
problem. libc provides __stack_chk_fail and __stack_chk_guard. And I
failed to create a test case that would generate code using anything
like __memcpy_chk.

Perhaps we should change MK_SSP to operate as documented (add
-fstack-protector to CFLAGS) and consider adding MK_SSP_SUPPORT option
for libraries.  Although there is no reason to have MK_SSP_SUPPORT if
that would imply failure to run binaries or compile with
-fstack-protector.


  libc.so during buildworld (as found under /usr/obj) is symlink to the
  actual shared library, but not ldscript.  Is it intentional?  I wouldn't
  expect make -C /usr/src/bin/cat to match buildworld result closely
  assuming src and world are in sync, but they seem to have different idea
  of what libc is..
 
 I don't remember the details except this was pretty twisted :).  I
 don't work enough on this subject to keep it warm in my head and each
 time I need to go back to it, it takes me hours.
 
 The code is here if you want to give a try:
 http://svnweb.freebsd.org/base/head/share/mk/bsd.lib.mk?view=annotate#l335

indeed.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

libc.so dependency on libssp_nonshared.a

[Gleb Kurtsou]

I came across some build issues in libc.so and SSP.

libc.ldscript (aka libc.so) unconditionally includes 
@@LIBDIR@@/libssp_nonshared.a

libssp* are not built if WITHOUT_SSP defined.

ObsoleteFiles.inc doesn't mention libssp*.

Consider WITHOUT_SSP=yes case.  As soon as one does clean installworld
and/or removes stale libssp_nonshared.a ld fails to link anything
because of missing libssp_nonshared.a

libc.so during buildworld (as found under /usr/obj) is symlink to the
actual shared library, but not ldscript.  Is it intentional?  I wouldn't
expect make -C /usr/src/bin/cat to match buildworld result closely
assuming src and world are in sync, but they seem to have different idea
of what libc is..

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Committing PEFS to CURRENT

[Gleb Kurtsou]

Hello,

I would like to ask everybody's opinion regarding committing PEFS to
CURRENT.

PEFS is a stacked cryptographic file system for FreeBSD. Development
started as Google Summer of Code project in 2009. It has been in ports
since Sept 2011. I maintain the project.

Conceptually PEFS is similar to nullfs adding encryption layer on top of
it. But it differs technically by not using vop_bypass. Another popular
stacked cryptographic file systems include eCryptfs (linux) and encfs
(fuse). There is also pam_pefs pam module to allow user authentication
with their PEFS-encrypted home directory password.

For those interested in high level introduction I would highly recommend
article by Kris Moore in the BSD Magazine Issue 09/2013(50) -
http://bsdmag.org/magazine/1848-day-to-day-bsd-administration

We are very close to branching 10-STABLE now, but patch is
non-intrusive, it only adds new functionality, enabling PEFS for i386
and amd64 (platforms it's known to work on). Patch passes make universe.

Patch is available here:
https://github.com/glk/freebsd-head/commit/b4d2c4a5f42f88fdd07cb75feba3467e4d4c043c.patch

Pros/cons:

- Having PEFS in base would be a huge maintenance help for PCBSD/TrueOS
  who are already committed to use PEFS in next product releases, e.g.
  PCBSD provides encrypted home directories.

- There is steady interest in the project from users (emails, etc).
  Many of them note that file system is not well known yet.  Moving PEFS
  to base would greatly increase its exposure.

- Committing PEFS to base would also simplify maintenance by keeping it
  in sync with other subsystems, e.g. it will be updated on large scale
  changes like VM locking.

- There are no bugs known at the moment. I've been using it to encrypt
  home directory since day one. pho@ ran stress test suite on it a
  while back, number of bugs was fixed.

- PEFS is known to work on amd64 and i386 only. Big endian system and
  systems with page size larger than 4k are not tested.

- NOTE! There has been no cryptography review.  I'd like to suggest to
  add warning about file system and crypto used is experimental and hasn't
  undergone professional review. Similar to one we had in tmpfs.


BSD Magazine article:
http://bsdmag.org/magazine/1848-day-to-day-bsd-administration

Port:
http://www.freshports.org/sysutils/pefs-kmod/

Source code repository:
https://github.com/glk/pefs

FreeBSD DevSummit'2011 - pefs presentation slides:
https://pefs.googlecode.com/files/pefs-devsummit.pdf

FreeBSD wiki page:
https://wiki.freebsd.org/PEFS


I would really appreciate any comments or suggestions.


Thank you,
Gleb.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Committing PEFS to CURRENT

[Gleb Kurtsou]

On Mon, Oct 7, 2013 at 9:53 AM, Nikolai Lifanov
lifa...@mail.lifanov.com wrote:
 On 10/07/13 12:31, Gleb Kurtsou wrote:
 Hello,

 I would like to ask everybody's opinion regarding committing PEFS to
 CURRENT.

 PEFS is a stacked cryptographic file system for FreeBSD. Development
 started as Google Summer of Code project in 2009. It has been in ports
 since Sept 2011. I maintain the project.

 Conceptually PEFS is similar to nullfs adding encryption layer on top of
 it. But it differs technically by not using vop_bypass. Another popular
 stacked cryptographic file systems include eCryptfs (linux) and encfs
 (fuse). There is also pam_pefs pam module to allow user authentication
 with their PEFS-encrypted home directory password.

 For those interested in high level introduction I would highly recommend
 article by Kris Moore in the BSD Magazine Issue 09/2013(50) -
 http://bsdmag.org/magazine/1848-day-to-day-bsd-administration

 We are very close to branching 10-STABLE now, but patch is
 non-intrusive, it only adds new functionality, enabling PEFS for i386
 and amd64 (platforms it's known to work on). Patch passes make universe.

 Patch is available here:
 https://github.com/glk/freebsd-head/commit/b4d2c4a5f42f88fdd07cb75feba3467e4d4c043c.patch

 Pros/cons:

 - Having PEFS in base would be a huge maintenance help for PCBSD/TrueOS
   who are already committed to use PEFS in next product releases, e.g.
   PCBSD provides encrypted home directories.

 - There is steady interest in the project from users (emails, etc).
   Many of them note that file system is not well known yet.  Moving PEFS
   to base would greatly increase its exposure.

 - Committing PEFS to base would also simplify maintenance by keeping it
   in sync with other subsystems, e.g. it will be updated on large scale
   changes like VM locking.

 - There are no bugs known at the moment. I've been using it to encrypt
   home directory since day one. pho@ ran stress test suite on it a
   while back, number of bugs was fixed.

 - PEFS is known to work on amd64 and i386 only. Big endian system and
   systems with page size larger than 4k are not tested.

 - NOTE! There has been no cryptography review.  I'd like to suggest to
   add warning about file system and crypto used is experimental and hasn't
   undergone professional review. Similar to one we had in tmpfs.


 BSD Magazine article:
 http://bsdmag.org/magazine/1848-day-to-day-bsd-administration

 Port:
 http://www.freshports.org/sysutils/pefs-kmod/

 Source code repository:
 https://github.com/glk/pefs

 FreeBSD DevSummit'2011 - pefs presentation slides:
 https://pefs.googlecode.com/files/pefs-devsummit.pdf

 FreeBSD wiki page:
 https://wiki.freebsd.org/PEFS


 I would really appreciate any comments or suggestions.


 Thank you,
 Gleb.

 Just a personal note: I hoped that you would commit pefs to base
 someday. It works well, and is the type of a core functionality that
 would be nice to have as early as the install ISO, before skel is copied
 over for the first user. I would be happy if this happened.


Agree. It would also be nice to have standard way to mount pefs file
systems because they need to be mounted at later point during boot
after other file systems mounted. Small rc.d script should do the trick.

I think those issues should be addressed after PEFS is committed

 - Nikolai Lifanov

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Committing PEFS to CURRENT

[Gleb Kurtsou]

On Mon, Oct 7, 2013 at 12:58 PM, Julian H. Stacey j...@berklix.com wrote:
 Hi Gleb  All
 Gleb Kurtsou wrote:
 Hello,

 I would like to ask everybody's opinion regarding committing PEFS to
 CURRENT.

 PEFS is a stacked cryptographic file system for FreeBSD. Development
 started as Google Summer of Code project in 2009. It has been in ports
 since Sept 2011. I maintain the project.

 Conceptually PEFS is similar to nullfs adding encryption layer on top of
 it. But it differs technically by not using vop_bypass. Another popular
 stacked cryptographic file systems include eCryptfs (linux) and encfs
 (fuse). There is also pam_pefs pam module to allow user authentication
 with their PEFS-encrypted home directory password.

 2 others are also already in FreeBSD src/ (not just ports) gbde  geli.

geli and gbde are different concept, they provide encrypted block level devices.
PEFS transparently encrypts data on existing file system.

Here is what you can do with PEFS:
% mkdir ~/Private
% pefs mount ~/Private ~/Private
% pefs addkey ~/Private
% echo Hello WORLD  ~/Private/test
% ls -Al ~/Private
total 1
-rw-r--r-- 1 gleb gleb 12 Oct 1 12:55 test
% cat ~/Private/test
Hello WORLD
% pefs unmount ~/Private
% ls -Al ~/Private
total 1
-rw-r--r-- 1 gleb gleb 12 Oct 1 12:55 .DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
% hd ~/Private/.DU6eudxZGtO8Ry_2Z3Sl+tq2hV3O75jq
 7f 1e 1b 05 fc 8a 5c 38 fc d8 2d 5f |..\8..-_|
000c

Take a look a great article in the BSD Magazine or
http://glebkurtsou.blogspot.com/2009/10/encrypting-private-directory-with-pefs.html



 Whether moved from ports to src or not, either way,
 I sggest add to man section SEE ALSO gbde(8)  geli(8)

Good point, thanks.


 Also, SEE ALSO of gbde  geli should probably ref ports/sysutils/pefs-kmod
 ft: Command not found.

 No pefs yet i SEE ALSO of
 http://www.freebsd.org/cgi/man.cgi?query=gbdeapropos=0sektion=8manpath=FreeBSD+9.2-RELEASEarch=defaultformat=html
 http://www.freebsd.org/cgi/man.cgi?query=geliapropos=0sektion=8manpath=FreeBSD+9.2-RELEASEarch=defaultformat=html

 I suggest add an href inside:
 http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
 Even if just a 1 liner to start, to expand to a section later.
 (None there for 'pefs', I just searched)

 Personaly I've been using gbde based on top of a file inside a UFS
 for a long time, I can't remember why I chose gbde rather than geli,
 I guess because it was there first ?

 A dummy's guide short notes along the lines of Which of these 3 should I 
 use?
 might also later be nice at the top of that web page :-)


There is no answer for the question, each system does it's own thing
and does it differently:
* With PEFS backups are much easier:
 - Use regular backup software for backing up encrypted data (lower
level file system), that would allow delta backup only.
 - Create file system snapshots, e.g. zfs, then zfs send/receive,
regardless whether file system is encrypted or not.
* Setting up multiple encrypted file system is much easier -- no need
to preallocate storage and create file system.
* With PEFS it's possible to add key to encrypted home directory
during login (pam_pefs).
* PEFS let's you use multiple key in same file system.

Thanks,
Gleb.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Committing PEFS to CURRENT

[Gleb Kurtsou]

On Mon, Oct 7, 2013 at 4:17 PM, John-Mark Gurney j...@funkthat.com wrote:
 Gleb Kurtsou wrote this message on Mon, Oct 07, 2013 at 09:31 -0700:
 Patch is available here:
 https://github.com/glk/freebsd-head/commit/b4d2c4a5f42f88fdd07cb75feba3467e4d4c043c.patch

 Is there a reason you are writing your own AES-NI implementation instead
 of using the OpenCrypto framework?

It reuses the same AES-NI implementation used by opencrypto,
but code doesn't use opencrypto directly. Main limitation in opencrypto is
that is incomplete implementation AES-XTS -- it doesn't implement ciphertext
stealing. opencrypto contexts seemed to be too much overhead list time I
looked at them especially in the case of multiple keys per file system in PEFS.
AES-NI interface is not designed to be used outside of opencrypto thus
some minor copy-past.


 I updated the kernel's AES-NI implementation to have a very fast
 AES-XTS...   Upon looking at your implementation, you have a very
 slow implementation as you do not pipeline AES-XTS at all...  Please
 switch to using the opencrypto version..  You'll then be able to make
 use of any accelerators that other platforms may have...

I was looking into incorporating AES_XTS pipeline changes in PEFS.
I'd like to avoid switching to opencrypto at this point. But pipelining is
doable without opencrypto and copying code around.


 Are there plans to add authentication to this scheme?  See that as a
 todo, but w/o authentication, you can't store anything reliably on it..
 And w/ XTS, the attacker can take pot shots at your file in 16 byte
 chuncks...

I have data authentication prototype. It's too far from being complete,
and I keep working on it as time permits. There are a few more ideas
I'd like to work on while redesigning the file system.

Patch also includes hmac and pkcs5v2 implementations which in fact
were generic versions to go under sys/crypto until yesterday.
Considering we are late in code freeze already I've merged them
into PEFS not to touch geli code with the patch.


 The only reason I'm running zfs on geli w/o authentication is that I'm
 using a 256bit checksum, so the chances of someone modifing two blocks
 to fool zfs into decrypting the correct new checksum value for their
 modified block is very small...  In short, I'm trusting zfs to do the
 authentication for me...

 --
   John-Mark Gurney  Voice: +1 415 225 5579

  All that I will do, has been done, All that I have, has not.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Committing PEFS to CURRENT

[Gleb Kurtsou]

On Mon, Oct 7, 2013 at 5:23 PM, John-Mark Gurney j...@funkthat.com wrote:
 Gleb Kurtsou wrote this message on Mon, Oct 07, 2013 at 16:47 -0700:
 On Mon, Oct 7, 2013 at 4:17 PM, John-Mark Gurney j...@funkthat.com wrote:
  Gleb Kurtsou wrote this message on Mon, Oct 07, 2013 at 09:31 -0700:
  Patch is available here:
  https://github.com/glk/freebsd-head/commit/b4d2c4a5f42f88fdd07cb75feba3467e4d4c043c.patch
 
  Is there a reason you are writing your own AES-NI implementation instead
  of using the OpenCrypto framework?

 It reuses the same AES-NI implementation used by opencrypto,
 but code doesn't use opencrypto directly. Main limitation in opencrypto is
 that is incomplete implementation AES-XTS -- it doesn't implement ciphertext
 stealing. opencrypto contexts seemed to be too much overhead list time I

 I remember noticing that when I was working on it.. but as there are
 different modes of packing/padding, I decided not to do anything with
 that...

 I also don't like your lack of comments arround xts_lastblock and about
 why it is accessing dst - 1...  To me, you should pass in the previous
 block as an arg to xts_lastblock instead of doing dst[-1]...  You did
 comment what you're doing (m - 1), but not why it is safe to do that...
 There is no comment that you're implementing ciphertext stealing w/ the
 function which makes it even harder to understand that you'd going it
 properly...

The code comes from University of Tsukuba. The function is internal to
the module and is safe to use that way if you look at pefs_xts_block_encrypt
and pefs_xts_block_decrypt.


 It wouldn't be hard to add ciphertext stealing to the opencrypto
 implementation if that is really all that is missing...  but..

 looked at them especially in the case of multiple keys per file system in 
 PEFS.
 AES-NI interface is not designed to be used outside of opencrypto thus
 some minor copy-past.

 We have discovered that by the minor copy/paste we now have an
 inferior implementation of AES-XTS...  If it performed similar to the
 one before it, it is over 10x slower than the one that I committed..

  I updated the kernel's AES-NI implementation to have a very fast
  AES-XTS...   Upon looking at your implementation, you have a very
  slow implementation as you do not pipeline AES-XTS at all...  Please
  switch to using the opencrypto version..  You'll then be able to make
  use of any accelerators that other platforms may have...

 I was looking into incorporating AES_XTS pipeline changes in PEFS.
 I'd like to avoid switching to opencrypto at this point. But pipelining is
 doable without opencrypto and copying code around.

 I really don't like the idea of adding yet anothe AES-XTS implementation
 to our tree (especially considering how bad both the previous one and
 this one is)...  Even if you do bring over the pipeline changes...
 It'll be yet another copy of code to maintain and port performance
 improvements too...

 We could always refactor the AES-NI code to make it more usable outside
 the opencrypto framework as a stepping stone to possibly using pjd's
 improved opencrypto framework...

Refactoring AES-NI would be ideal, it would also be great to extract AES-XTS
implementation and make it usable outside of opencrypto adding ciphertext
stealing.


 But copy/pasting just because we don't want to do a bit more work isn't
 good justification...

It's not that I don't want to do a bit more work I never said that,
it's rather
about avoiding changes after KBI freeze.


  Are there plans to add authentication to this scheme?  See that as a
  todo, but w/o authentication, you can't store anything reliably on it..
  And w/ XTS, the attacker can take pot shots at your file in 16 byte
  chuncks...

 I have data authentication prototype. It's too far from being complete,
 and I keep working on it as time permits. There are a few more ideas
 I'd like to work on while redesigning the file system.

 Patch also includes hmac and pkcs5v2 implementations which in fact
 were generic versions to go under sys/crypto until yesterday.
 Considering we are late in code freeze already I've merged them
 into PEFS not to touch geli code with the patch.

 Can't you keep them named the same under sys/crypto and just link w/ them
 as necessary to prevent repo churn when you finally integrate them into
 sys/crypto?  That seems better than moving them arround, though I guess
 w/ svn, it isn't as big of a deal...  Someone w/ a repo hat on should
 chime in here...

It won't be possible at least because of pkcs5v2_genkey() (name collision)
being defined internally in geli and pkcs5v2 using hmac from geli. Moving
them to sys/crypto in 11-CURRENT is a minor issue IMHO. I was pushing
those changes to HEAD years ago, but they got stuck somewhere in
review process.


  The only reason I'm running zfs on geli w/o authentication is that I'm
  using a 256bit checksum, so the chances of someone modifing two blocks
  to fool zfs into decrypting the correct new checksum

Re: Committing PEFS to CURRENT

[Gleb Kurtsou]

On Mon, Oct 7, 2013 at 6:24 PM, John-Mark Gurney j...@funkthat.com wrote:

 But will the work get done to clean it up after the freeze is over?  What
 happens if it doesn't, will it get removed before 10.1 or will we have
 to live w/ the code?

I still hope not to get hit by bus any time soon..
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Committing PEFS to CURRENT

[Gleb Kurtsou]

On (07/10/2013 21:59), Outback Dingo wrote:
 On Mon, Oct 7, 2013 at 9:42 PM, Gleb Kurtsou gleb.kurt...@gmail.com wrote:
 
  On Mon, Oct 7, 2013 at 6:24 PM, John-Mark Gurney j...@funkthat.com wrote:
  
   But will the work get done to clean it up after the freeze is over?  What
   happens if it doesn't, will it get removed before 10.1 or will we have
   to live w/ the code?
 
  I still hope not to get hit by bus any time soon..
 
 
 on a side note, i applied the patch to stable/9 out of curiosity and the
 kernel failed to build the module
 however i could install fine from ports.

Correct, there is no support for old kernels in the patch.
Port will be maintained and will provide support for older versions in
case PEFS finds its way to 10.0.

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: r248583 Kernel panic: negative refcount 0xfffffe0031b59168

[Gleb Kurtsou]

On (30/06/2013 13:18), Mateusz Guzik wrote:
 On Sun, Jun 30, 2013 at 05:21:42PM +1000, Kubilay Kocak wrote:
  I'm seeing what I believe is related panic, reliably being generated by
  the Python regression test suite on a newly created FreeBSD 10-CURRENT
  buildbot.
  
  Symptoms first seen in an freebsd.org FTP snapshot dated Thu May 30
  20:01:46 UTC 2013 and also reproducible on a freshly updated r252400
  
  It is additionally reproducible after checking out pure upstream python
  sources, using the following steps:
  
  hg clone http://hg.python.org/cpython
  cd cpython  configure  make buildbottest
  
  An interesting possible correlation is that it seems to drop out
  during/around test_socket
  
 
 Turns out the bug is quite funny ;)

Patch fixes chrome for me.

Thanks!

 
 Try this:
 diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
 index 5d8e814..7a4db04 100644
 --- a/sys/kern/uipc_usrreq.c
 +++ b/sys/kern/uipc_usrreq.c
 @@ -1764,8 +1764,8 @@ unp_externalize(struct mbuf *control, struct mbuf 
 **controlp, int flags)
   }
   for (i = 0; i  newfds; i++, fdp++) {
   fde = fdesc-fd_ofiles[*fdp];
 - fde-fde_file = fdep[0]-fde_file;
 - filecaps_move(fdep[0]-fde_caps,
 + fde-fde_file = fdep[i]-fde_file;
 + filecaps_move(fdep[i]-fde_caps,
   fde-fde_caps);
   if ((flags  MSG_CMSG_CLOEXEC) != 0)
   fde-fde_flags |= UF_EXCLOSE;
 -- 
 Mateusz Guzik mjguzik gmail.com
 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Audio Hints, T520?

[Gleb Kurtsou]

On (05/05/2013 19:43), Sean Bruno wrote:
 On Mon, 2013-05-06 at 03:25 +0200, Michael Schmiedgen wrote:
  On 04.05.2013 06:14, Sean Bruno wrote:
   Speaker/headphones working great on Current.
  
   Was trying to get the microphone working, but it seems to not quite be
   working.
  
  I got the same problem with my X220. Before the last Lenovo
  HDA quirk commits everything worked fine, but I had to set
  the default sound unit to 1.
  Now I do not need to set the sound unit, audio output works
  out of the box but recording does not work anymore. I fiddled
  with nid config but got bored after the fifth reboot.
  
  The behaviour changed at my last world build a month ago.
  
  I can supply dmesg or sysctl output if you want.
  
  Thanks
 Michael
  
 
 Ok, this smells like a recent regression.

Likely so. Works for me on  10.0-CURRENT r247601 with following in
loader.conf:
# Out : speaker + headphones
hint.hdac.0.cad0.nid25.config=as=1 seq=15
# In : mic + external mic
hint.hdac.0.cad0.nid35.config=as=2
hint.hdac.0.cad0.nid27.config=as=2 seq=15

 
 Sean


___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: r248583 Kernel panic: negative refcount 0xfffffe0031b59168

[Gleb Kurtsou]

On (15/04/2013 10:35), Pawel Jakub Dawidek wrote:
 On Sat, Apr 13, 2013 at 09:43:14PM -0700, Gleb Kurtsou wrote:
  On (22/03/2013 11:51), Shawn Webb wrote:
   Hey All,
   
   I'm not sure if this is a result of r248583 or a different commit, but I
   hit a kernel panic when closing Chrome. I've linked to the info and
   core.txt files below. If you need me to ship you the vmcore file, let me
   know. It's 1.1GB in size.
   
   Other than the pasted files, I'm not too sure where to go from here. If
   there's any other info you need, please let me know. I'm a newb at
   submitting this kind of stuff.
   
   Paste of info file: http://ix.io/4Qo
   Paste of core.txt file: http://ix.io/4Qp
  
  Shawn, did you find workaround for the problem?
  
  I've just upgraded to recent HEAD and see the same panic on closing
  chrome. Switching back to r247601 just before Merge Capsicum overhaul
  commit makes panic disappear.
 
 I did receive Shawn's report some time ago, I even installed Chromium to
 try to reproduce it, but it didn't crash for me yet.

I could send you chrome binary I'm using. It's a outdated
chromium-22.0.1229.92.


 If there are some easy, but reliable steps to reproduce it, like open
 this webpage in tab 1, then this webpage in tab 2, then close tab 1
 that would be great. This kernel coredump is not really useful, as we
 this is legitimate case of decrementing reference counter. The problem
 is that something decremented it earlier when it shouldn't or it wasn't
 incremented somewhere. DTrace might be useful tool here if we could
 instrument it to log backtrace of all increments and decrements done by
 the Chromium processes.

I'll try to reproduce it in vm.. which is not that easy because
virtualbox kmod needs patching to work on month old CURRENT and there is
no binary packages to install vm in the first place.

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: r248583 Kernel panic: negative refcount 0xfffffe0031b59168

[Gleb Kurtsou]

On (22/03/2013 11:51), Shawn Webb wrote:
 Hey All,
 
 I'm not sure if this is a result of r248583 or a different commit, but I
 hit a kernel panic when closing Chrome. I've linked to the info and
 core.txt files below. If you need me to ship you the vmcore file, let me
 know. It's 1.1GB in size.
 
 Other than the pasted files, I'm not too sure where to go from here. If
 there's any other info you need, please let me know. I'm a newb at
 submitting this kind of stuff.
 
 Paste of info file: http://ix.io/4Qo
 Paste of core.txt file: http://ix.io/4Qp

Shawn, did you find workaround for the problem?

I've just upgraded to recent HEAD and see the same panic on closing
chrome. Switching back to r247601 just before Merge Capsicum overhaul
commit makes panic disappear.


~ # kgdb -n 1
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as amd64-marcel-freebsd...

Unread portion of the kernel message buffer:
VNASSERT failed
0xfe0196700760: tag none, type VBAD
usecount 0, writecount 0, refcount 0 mountedhere 0
flags (VV_NOSYNC|VI_DOOMED)
lock type zfs: UNLOCKED
panic: No vop_advlock(0xfe0196700760, 0xff823adb9908)
cpuid = 3
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xff823adb9740
kdb_backtrace() at kdb_backtrace+0x39/frame 0xff823adb97f0
vpanic() at vpanic+0x127/frame 0xff823adb9830
kassert_panic() at kassert_panic+0x136/frame 0xff823adb98a0
VOP_ADVLOCK_APV() at VOP_ADVLOCK_APV+0x92/frame 0xff823adb98d0
closef() at closef+0x9a/frame 0xff823adb9960
closefp() at closefp+0xa0/frame 0xff823adb99b0
amd64_syscall() at amd64_syscall+0x1f9/frame 0xff823adb9ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xff823adb9ab0
--- syscall (6, FreeBSD ELF64, sys_close), rip = 0x80aeaaa8a, rsp = 
0x7ebf3f38, rbp = 0x7ebf3f50 ---
[...]
(kgdb) fr 0
#0  doadump (textdump=1) at pcpu.h:231
231 pcpu.h: No such file or directory.
in pcpu.h
(kgdb) up
#1  0x804f5827 in kern_reboot (howto=260) at 
/freebsd-src/local/sys/kern/kern_shutdown.c:447
447 doadump(TRUE);
(kgdb) 
#2  0x804f5d36 in vpanic (fmt=value optimized out, ap=value 
optimized out)
at /freebsd-src/local/sys/kern/kern_shutdown.c:754
754 kern_reboot(bootopt);
(kgdb) 
#3  0x804f5bc6 in kassert_panic (fmt=value optimized out)
at /freebsd-src/local/sys/kern/kern_shutdown.c:642
642 vpanic(fmt, ap);
(kgdb) 
#4  0x80747aa2 in VOP_ADVLOCK_APV (vop=value optimized out, 
a=0xff823adb9908)
at vnode_if.c:2522
2522VNASSERT(vop != NULL, a-a_vp, (No vop_advlock(%p, %p), 
a-a_vp, a));
(kgdb) 
#5  0x804b8eaa in closef (fp=0xfe014da8ccd0, td=0xfe0014aea920) 
at vnode_if.h:1041
1041vnode_if.h: No such file or directory.
in vnode_if.h
(kgdb) 
#6  0x804b7030 in closefp (fdp=0xfe001c8c4800, fd=value optimized 
out, fp=0xfe014da8ccd0, 
td=0xfe0014aea920, holdleaders=value optimized out)
at /freebsd-src/local/sys/kern/kern_descrip.c:1136
1136error = closef(fp, td);
(kgdb) p *fp
$5 = {f_data = 0xfe0196700760, f_ops = 0x80a477b8, f_cred = 
0xfe0067907600, 
  f_vnode = 0xfe0196700760, f_type = 1, f_vnread_flags = 0, f_flag = 3, 
f_count = 0, f_seqcount = 0, 
  f_nextoff = 16388, f_vnun = {fvn_cdevpriv = 0x0, fvn_advice = 0x0}, f_offset 
= 16388, f_label = 0x0}
(kgdb) p *fp
$6 = {f_data = 0xfe0196700760, f_ops = 0x80a477b8, f_cred = 
0xfe0067907600, 
  f_vnode = 0xfe0196700760, f_type = 1, f_vnread_flags = 0, f_flag = 3, 
f_count = 0, f_seqcount = 0, 
  f_nextoff = 16388, f_vnun = {fvn_cdevpriv = 0x0, fvn_advice = 0x0}, f_offset 
= 16388, f_label = 0x0}
(kgdb) p fp-f_vnode
$7 = (struct vnode *) 0xfe0196700760
(kgdb) p *fp-f_vnode
$8 = {v_tag = 0x807a3e35 none, v_op = 0x0, v_data = 0x0, v_mount = 
0x0, v_nmntvnodes = {
tqe_next = 0xfe014fd95760, tqe_prev = 0xfe011d500958}, v_un = 
{vu_mount = 0x0, vu_socket = 0x0, 
vu_cdev = 0x0, vu_fifoinfo = 0x0}, v_hashlist = {le_next = 0x0, le_prev = 
0x0}, v_cache_src = {
lh_first = 0x0}, v_cache_dst = {tqh_first = 0x0, tqh_last = 
0xfe01967007b0}, v_cache_dd = 0x0, 
  v_lock = {lock_object = {lo_name = 0x80dddbb1 zfs, lo_flags = 
91881472, lo_data = 0, 
  lo_witness = 0x0}, lk_lock = 1, lk_exslpfail = 0, lk_timo = 51, lk_pri = 
96}, v_interlock = {
lock_object = {lo_name = 0x807bfbb9 vnode interlock, lo_flags = 
16908288, lo_data = 0, 
  lo_witness = 0x0}, mtx_lock = 6}, v_vnlock = 0xfe01967007c8, 
v_actfreelist = {
tqe_next = 0xfe0031985b10, tqe_prev = 

Re: Tmpfs panic in -current

[Gleb Kurtsou]

On (27/06/2012 13:29), Kevin Lo wrote:
 Kevin Lo wrote:
  Konstantin Belousov wrote:
   On Tue, Jun 26, 2012 at 12:38:25PM +0800, Kevin Lo wrote:
Konstantin Belousov wrote:
 On Mon, Jun 25, 2012 at 10:03:28AM +0800, Kevin Lo wrote:
  I've observed a panic in recent -current several times but I only
  have a picture of the backtrace:
  http://people.freebsd.org/~kevlo/panic_tmpfs.jpg
  
  Does this look at all familiar to anyone?
 
 Can you look up the line corresponding to tmpfs_reg_resize + 0x627 
 address
 in your kernel ?

Sure.

 The screenshot looks strange. The instruction on which the kernel 
 trapped
 is int 0x28 which should not appear in the compiled code.

Kevin, do you have fuse modules loaded? It looks much like memmory
corruption issue.

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: GCC update for testing

[Gleb Kurtsou]

On (17/05/2012 10:44), Pedro Giffuni wrote:
 Hi;
 
 I took a bunch of patches that were merged into the GCC 4.1 branch
 (under GPLv2) and prepared a patch for merging them into our base
 gcc. These are supposed to be bug fixes only.
 
 You can get the patch here:
 http://people.freebsd.org/~pfg/patches/patch-contrib-gcc
 And, for those really interested, the log is here:
 http://people.freebsd.org/~pfg/patches/gcc41-pr-log

Could you check if patch fixes this issue:
http://marc.info/?l=freebsd-hackersm=132348021530691w=2

I've disabled gcc from base locally since discovering it.

Thanks,
Gleb.


 It may be my imagination but the patch seems to be causing more
 warnings than usual and it breaks the kernel here:
 
 
 $ make
 cc -c -O2 -Os -pipe -fno-strict-aliasing -march=athlon64 -std=c99 -g 
 -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes  
 -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -Wundef 
 -Wno-pointer-sign -fformat-extensions  -Wmissing-include-dirs 
 -fdiagnostics-show-option   -nostdinc  -I. -I../../.. 
 -I../../../contrib/altq -D_KERNEL -DHAVE_KERNEL_OPTION_HEADERS -include 
 opt_global.h -fno-common -finline-limit=8000 --param 
 inline-unit-growth=100 --param large-function-growth=1000  
 -fno-omit-frame-pointer -mcmodel=kernel -mno-red-zone -mno-mmx -mno-sse 
 -msoft-float  -fno-asynchronous-unwind-tables -ffreestanding 
 -fstack-protector -Werror  ../../../cam/scsi/scsi_sa.c
 cc1: warnings being treated as errors
 ../../../cam/scsi/scsi_sa.c: In function 'samount':
 ../../../cam/scsi/scsi_sa.c:1887: warning: 'comp_supported' may be used 
 uninitialized in this function
 ../../../cam/scsi/scsi_sa.c:1888: warning: 'write_protect' may be used 
 uninitialized in this function
 ../../../cam/scsi/scsi_sa.c:1887: warning: 'comp_enabled' may be used 
 uninitialized in this function
 ../../../cam/scsi/scsi_sa.c:2728: warning: 'current_speed' may be used 
 uninitialized in this function
 ../../../cam/scsi/scsi_sa.c:2728: note: 'current_speed' was declared here
 ../../../cam/scsi/scsi_sa.c:2727: warning: 'current_density' may be used 
 uninitialized in this function
 ../../../cam/scsi/scsi_sa.c:2727: note: 'current_density' was declared here
 ../../../cam/scsi/scsi_sa.c:2725: warning: 'current_blocksize' may be 
 used uninitialized in this function
 ../../../cam/scsi/scsi_sa.c:2725: note: 'current_blocksize' was declared 
 here
 ../../../cam/scsi/scsi_sa.c:2728: warning: 'current_speed' may be used 
 uninitialized in this function
 ../../../cam/scsi/scsi_sa.c:2728: note: 'current_speed' was declared here
 ../../../cam/scsi/scsi_sa.c:2725: warning: 'current_blocksize' may be 
 used uninitialized in this function
 ../../../cam/scsi/scsi_sa.c:2725: note: 'current_blocksize' was declared 
 here
 ../../../cam/scsi/scsi_sa.c:2728: warning: 'current_speed' may be used 
 uninitialized in this function
 ../../../cam/scsi/scsi_sa.c:2728: note: 'current_speed' was declared here
 ../../../cam/scsi/scsi_sa.c:2725: warning: 'current_blocksize' may be 
 used uninitialized in this function
 ../../../cam/scsi/scsi_sa.c:2725: note: 'current_blocksize' was declared 
 here
 ../../../cam/scsi/scsi_sa.c:2728: warning: 'current_speed' may be used 
 uninitialized in this function
 ../../../cam/scsi/scsi_sa.c:2728: note: 'current_speed' was declared here
 ../../../cam/scsi/scsi_sa.c:2725: warning: 'current_blocksize' may be 
 used uninitialized in this function
 ../../../cam/scsi/scsi_sa.c:2725: note: 'current_blocksize' was declared 
 here
 *** Error code 1
 ...
 
 
 Other stuff I tested (Apache OpenOffice) builds fine.
 
 cheers,
 
 Pedro.
 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Intel GPU driver import

[Gleb Kurtsou]

On (13/05/2012 00:39), Konstantin Belousov wrote:
 With r235375, all required VM support for new Intel GPU driver was
 committed into HEAD. There are still some things to improve and
 change, but now the all.14.9.patch does not touch anything outside agp
 or drm.  This allows to start the process of importing the new Intel
 GPU driver into HEAD.
 
 I am writing this as initial head-up and to discuss some questions,
 for which I do have answers but would prefer to have additional
 feedback from people doing Xorg work.
 
 The patch as-is just replaces the Intel DRI1 bits with DRI2
 driver. Patch added most of the KMS infrastructure into DRM
 core. Also, patch completely changed the locking model used by Intel
 driver. I made absolutely minimal efforts needed to keep other DRI1
 drivers compilable. Despite that, I got several surpising reports that
 Radeon DRI1 still works.
 
 That said, for import I can (first choice) just apply the patch,
 replacing the Intel driver with new one. Or (second choice) I may
 create another directory, say sys/dev/drm2, and import _only_ Intel
 driver together with updated DRM core, there.
 
 The positive points to the second approach is that we still have older
 kernel drivers around. Also, I have more freedom in changing the DRM
 core, without fearing breakage in the DRI1 land. Since I do not really
 want to deal with Gen2-3 hardware, and VGA console does not work with
 new driver (yet), there are definite advantages.
 
 On the other hand, driver automatic loading will not work with
 dev/drm2 approach. New driver have to use different module name to
 co-exist with dri1 driver, so ddx driver cannot load new driver by old
 name. As result, users need to manually kldload new driver before
 starting Xorg.
 
 My own preference is to implement second choice and put the driver
 into dev/drm2.

We had somewhat similar situation with new USB stack import. First
imported as 'usb2' then renamed to 'usb'. Considering there will be no
new DRI1 drivers in tree we could import drm2 into sys/dev/drm and
move old implementation under sys/dev/drm_compat1. It will break POLA
until automatic driver loading by X fixed.

Thanks,
Gleb.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Status on X220

[Gleb Kurtsou]

On (23/04/2012 08:16), Ganael LAPLANCHE wrote:
 On Fri, 20 Apr 2012 08:14:17 +0200, Lars Engels wrote
 
 Hi everyone,
 
  This is the same for my x200, but you can make it work:
  On 9.0-RELEASE you have to configure through device.hints(5),
   in CURRENT you can configure it on thy fly. See snd_hda(4)
   how to do this.
 
 FYI, this is what I had to put in /boot/devices.hint to have headset
 working properly on my x220 (on 10-CURRENT) :
 
 # Out : speaker + headphones
 # hint.hdac.0.cad0.nid31.config=as=1
 hint.hdac.0.cad0.nid25.config=as=1 seq=15
 # In : mic + external mic
 hint.hdac.0.cad0.nid35.config=as=2
 hint.hdac.0.cad0.nid27.config=as=2 seq=15

Just for the record, it also works for ThinkPad T520. I've always been
too lazy to read man page myself ;)

Thanks!
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Using TMPFS for /tmp and /var/run?

[Gleb Kurtsou]

On (04/04/2012 06:38), David Wolfskill wrote:
 On Wed, Apr 04, 2012 at 12:50:35PM +0300, Gleb Kurtsou wrote:
  ...
  tmpfs-32bit-size_max.patch.txt should fix the problem. I don't have i386
  installations to test it myself.
  
  Do you run PAE kernel? Could you try filling up /tmp at least to 10g.
  ...
 
 After updating source to r233868, applying the patch, then updating,
 here are the results of my testing so far (not using PAE).
 
 Summary: as before, I believe that the patch didn't hurt anything, but
 it also doesn't restrict the usable size of /tmp to the specified size
 (from /etc/fstab):
 

I've checked on i386 and patch worked as expected, but it required
previous patch. I've combined both patches. Could you try it.

Thanks,
Gleb.

 
 Script started on Wed Apr  4 06:23:25 2012
 
 g1-227(10.0-C)[1] _do
 uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
 /dev/ada0s2a on / (ufs, local, soft-updates)
 devfs on /dev (devfs, local, multilabel)
 tmpfs on /tmp (tmpfs, local)
 /dev/ada0s2d on /usr (ufs, local, soft-updates)
 /dev/ada0s4e on /var (ufs, local, soft-updates)
 /dev/ada0s4g on /common (ufs, local, soft-updates)
 fdescfs on /dev/fd (fdescfs)
 FreeBSD g1-227.catwhisker.org 10.0-CURRENT FreeBSD 10.0-CURRENT #2 233868M: 
 Wed Apr  4 06:02:25 PDT 2012 
 r...@g1-227.catwhisker.org:/usr/obj/usr/src/sys/CANARY  i386
 Wed Apr  4 06:23:27 PDT 2012
  Removing old libraries
 Please be sure no application still uses those libraries, else you
 can not start such an application. Consult UPDATING for more
 information regarding how to cope with the removal/revision bump
 of a specific library.
  Old libraries removed
 Wed Apr  4 06:23:28 PDT 2012
 g1-227(10.0-C)[2] exit
 
 Script done on Wed Apr  4 06:23:29 2012
 Script started on Wed Apr  4 06:23:35 2012
 
 g1-227(10.0-C)[1] df -hi /tmp
 FilesystemSizeUsed   Avail Capacity iused ifree %iused  Mounted on
 tmpfs  23G 12k 23G 0%  17  2.1G0%   /tmp
 g1-227(10.0-C)[2] grep tmpfs /etc/fstab
 # tmpfs /tmptmpfs   rw,size=2147483648  0 
   0
 tmpfs   /tmptmpfs   rw,size=8g  0   0
 
 g1-227(10.0-C)[3] ls -lhT /bkp/tmp/test 
 -rw-r--r--  1 david  wheel   8.0G Mar 25 10:42:49 2012 /bkp/tmp/test
 g1-227(10.0-C)[4] dd bs=1m if=!$ of=/tmp/test
 dd bs=1m if=/bkp/tmp/test of=/tmp/test
 8192+0 records in
 8192+0 records out
 8589934592 bytes transferred in 186.178099 secs (46138266 bytes/sec)
 g1-227(10.0-C)[5] df -hi /tmp
 FilesystemSizeUsed   Avail Capacity iused ifree %iused  Mounted on
 tmpfs  23G8.0G 15G35%  18  2.1G0%   /tmp
 g1-227(10.0-C)[6] dd bs=1m if=/bkp/tmp/test of=/tmp/test1
 8192+0 records in
 8192+0 records out
 8589934592 bytes transferred in 220.254916 secs (3868 bytes/sec)
 g1-227(10.0-C)[7] df -hi /tmp
 FilesystemSizeUsed   Avail Capacity iused ifree %iused  Mounted on
 tmpfs  23G 16G7.0G70%  19  2.1G0%   /tmp
 g1-227(10.0-C)[8] exit
 
 Script done on Wed Apr  4 06:33:12 2012
 g1-227(10.0-C)[5]
 
 
 Peace,
 david
 -- 
 David H. Wolfskillda...@catwhisker.org
 Depriving a girl or boy of an opportunity for education is evil.
 
 See http://www.catwhisker.org/~david/publickey.gpg for my public key.


diff --git a/sys/fs/tmpfs/tmpfs.h b/sys/fs/tmpfs/tmpfs.h
index efa7c6d..3fc72ab 100644
--- a/sys/fs/tmpfs/tmpfs.h
+++ b/sys/fs/tmpfs/tmpfs.h
@@ -337,11 +337,10 @@ struct tmpfs_mount {
 * system, set during mount time.  This variable must never be
 * used directly as it may be bigger than the current amount of
 * free memory; in the extreme case, it will hold the SIZE_MAX
-* value.  Instead, use the TMPFS_PAGES_MAX macro. */
+* value. */
size_t  tm_pages_max;
 
-   /* Number of pages in use by the file system.  Cannot be bigger
-* than the value returned by TMPFS_PAGES_MAX in any case. */
+   /* Number of pages in use by the file system. */
size_t  tm_pages_used;
 
/* Pointer to the node representing the root directory of this
@@ -486,58 +485,32 @@ int   tmpfs_truncate(struct vnode *, off_t);
  * Memory management stuff.
  */
 
-/* Amount of memory pages to reserve for the system (e.g., to not use by
+/*
+ * Amount of memory pages to reserve for the system (e.g., to not use by
  * tmpfs).
- * XXX: Should this be tunable through sysctl, for instance? */
-#define TMPFS_PAGES_RESERVED (4 * 1024 * 1024 / PAGE_SIZE)
+ */
+#define TMPFS_PAGES_MINRESERVED(4 * 1024 * 1024 / PAGE_SIZE)
 
 /*
- * Returns information about the number of available memory pages,
- * including physical and virtual ones.
- *
- * Remember to remove TMPFS_PAGES_RESERVED from the returned value to avoid
- * excessive memory usage.
- *
+ * Number of reserved swap pages should not be lower than
+ * swap_pager_almost_full high water mark

Re: Using TMPFS for /tmp and /var/run?

[Gleb Kurtsou]

On (29/03/2012 21:49), O. Hartmann wrote:
 Am 03/29/12 18:14, schrieb David Wolfskill:
  On Thu, Mar 29, 2012 at 04:18:06PM +0200, O. Hartmann wrote:
  I was wondering if there are some objections using TMPFS for /tmp and
  /var/run.
  ...
  My question is whether there are objections using TMPFS for bot /tmp/
  and /var/run/ at this stage on FreeBSD 10.0-CURRENT/amd64?
  
  
  I have no experience using tmpfs for /var/run, but I have been using it
  for /tmp for some time (mostly in i386, though).
  
  While I use it quite successfully on machines with a small number of
  folks actively busy -- e.g., my desktop; my laptop; my home machines), I
  encountered some issues when I tried to do so on machines that were
  intended for significantly heavier use.  Specifically:
  
  * Compared to an md-resident /tmp, a tmpfs-resident /tmp has much less
flexibility for specifying the size.  Per mdconfig(8), the former
uses:
  
   -s size
   Size of the memory disk.  Size is the number of 512 byte 
  sectors
   unless suffixed with a b, k, m, g, or t which denotes byte, 
  kilo-
   byte, megabyte, gigabyte and terabyte respectively. Options -a
   and -t swap are implied if not specified.
  
while the latter uses:
  
   sizeSpecifies the total file system size in bytes.  If zero (the
   default) or a value larger than SIZE_MAX - PAGE_SIZE is given,
   the available amount of memory (including main memory and swap
   space) will be used.
  
In this configuration, I would have preferred to have specified
about 10GB for /tmp.  I wouldn't mind if it spilled to swap space,
but I certaianly didn't want it using 10GB of RAM -- especially since
the machines only had 6GB RAM.
  
Nor did I especially want *all* of the swap space used for /tmp.  I
would have allocated (say) 20GB for swap.  I wouldn't mind if half of
that were used for /tmp -- but a reason I allocate so much swap is
that I've seen what happens when a machine runs out of swap, and it
wasn't pretty.
  
  
In any case, effective maximum usable size for tmpfs involves SIZE_MAX
(~4G)  PAGE_SIZE (4K, in my case).

size_t is 64-bit on 64-bit archs.

  
  * Even when I went ahead and created a tmpfs for /tmp, I'd get ENOSPC
whenever I tried to allocate anything on it -- until I dropped the
size specification to 2G (2**32).  Well, 2GB for /tmp just wasn't at
all likely to be useful for my purposes in this case.

Are you using ZFS alongside tmpfs? It should be fixed in 9-STABLE.

  So I continue to use tmpfs for /tmp for machines with fewer folks
  logging in, but I'm a bit less enthusiastic about its use unless the
  workload and other requirements are fairly carefully considered
  beforehand.
  
  Peace,
  david
 
 
 It seems there is only one switch which determines the size of the tmpfs
 in question (size) and there is no convenient way to say what amount of
 RAM is being used before using the swap space. I'd like to have at least
 a knob determining the limit of RAM being used.

There is no way to force tmpfs to use given amount of RAM only. It's VM
subsystem that decides what pages to swap. Although some tweaking for VM
to prefer swapping tmpfs pages prior to process pages would be nice.

You could try the patch attached. It adds support for size option suffixes
(like 1g) and introduces swap limit (part of the older patch, not sure
if it's any use).

Patch is against 10-CURRENT.
Older version: https://github.com/glk/freebsd-head/commit/3bd8f7d

Thanks,
Gleb.

 
 On the other hand - my view of those things is really naiv. I think
 having tmpfs isn't even a benefit in terms of security, it should also
 offer a speedy access to files kept in memory, doesn't it?
 
 Linux is using TMPFS filesystems a lot for these purposes. How do they
 overcome restrictions of the size or not flloding RAM and/or swap?
 
 Regards,
 Oliver
 


diff --git a/sys/fs/tmpfs/tmpfs.h b/sys/fs/tmpfs/tmpfs.h
index efa7c6d..3fc72ab 100644
--- a/sys/fs/tmpfs/tmpfs.h
+++ b/sys/fs/tmpfs/tmpfs.h
@@ -337,11 +337,10 @@ struct tmpfs_mount {
 * system, set during mount time.  This variable must never be
 * used directly as it may be bigger than the current amount of
 * free memory; in the extreme case, it will hold the SIZE_MAX
-* value.  Instead, use the TMPFS_PAGES_MAX macro. */
+* value. */
size_t  tm_pages_max;
 
-   /* Number of pages in use by the file system.  Cannot be bigger
-* than the value returned by TMPFS_PAGES_MAX in any case. */
+   /* Number of pages in use by the file system. */
size_t  tm_pages_used;
 
/* Pointer to the node representing the root directory of this
@@ -486,58 +485,32 @@ int   tmpfs_truncate(struct vnode *, off_t);
  * Memory management stuff.
  */
 
-/* Amount of memory pages to reserve for 

Re: Using TMPFS for /tmp and /var/run?

[Gleb Kurtsou]

On (02/04/2012 06:26), David Wolfskill wrote:
 On Mon, Apr 02, 2012 at 01:31:19PM +0300, Gleb Kurtsou wrote:
  ...
  You could try the patch attached. It adds support for size option suffixes
  (like 1g) and introduces swap limit (part of the older patch, not sure
  if it's any use).
  
  Patch is against 10-CURRENT.
  Older version: https://github.com/glk/freebsd-head/commit/3bd8f7d
  
 
 OK; here's a summary of what I found so far, now running:
 
 FreeBSD g1-227.catwhisker.org 10.0-CURRENT FreeBSD 10.0-CURRENT #0 233772M: 
 Mon Apr  2 05:42:48 PDT 2012 
 r...@g1-227.catwhisker.org:/usr/obj/usr/src/sys/CANARY  i386
 
 * First, the patch applied cleanly (via patch -p1).
 
 * Resulting sources build with no issues.
 
 * Prior specification I had in /etc/fstab:
 
   tmpfs/tmptmpfsrw,size=214748364800
 
   worked same as before the patch; df -h /tmp reported a size of 2.0G.
 
 * Changing the above to read:
 
   tmpfs/tmptmpfsrw,size=2g00
 
   also provided the same result, so the unit-specification code looks
   as if it's working as expected.
 
 * I have 20G specified for swap, and 4G RAM (and, as above, I'm running
   i386).  Changing the above tmpfs line in /etc/fstab to
 
   tmpfs/tmptmpfsrw,size=8g00
 
   (still) yields:
 
 g1-227(10.0-C)[3] df -h /tmp
 FilesystemSizeUsed   Avail Capacity  Mounted on
 tmpfs  23G 12k 23G 0%/tmp
 g1-227(10.0-C)[4] 

tmpfs-32bit-size_max.patch.txt should fix the problem. I don't have i386
installations to test it myself.

Do you run PAE kernel? Could you try filling up /tmp at least to 10g.

 
 (Yes, I'm using a whopping total of 12kB while running X.  I know of
 *very* few folks who use the window manager I prefer. :-})
 
 I'll try exercising it a bit during the day at work  report anything
 noteworthy.  But so far, I see no evidence of regression, and there is
 some measure of usability improvement (IMO).  So it's looking
 encouraging.  :-)
 
 Peace,
 david
 -- 
 David H. Wolfskillda...@catwhisker.org
 Depriving a girl or boy of an opportunity for education is evil.
 
 See http://www.catwhisker.org/~david/publickey.gpg for my public key.


commit 44f68235e23ab4bababeafe07d31e07feabb84ba
Author: Gleb Kurtsou gleb.kurt...@gmail.com
Date:   Tue Apr 3 00:02:33 2012 +0300

tmpfs: Support file system sizes up to 4GB*PAGE_SIZE on 32 bit archs

diff --git a/sys/fs/tmpfs/tmpfs_vfsops.c b/sys/fs/tmpfs/tmpfs_vfsops.c
index 29f2ca4..6b3ecc0 100644
--- a/sys/fs/tmpfs/tmpfs_vfsops.c
+++ b/sys/fs/tmpfs/tmpfs_vfsops.c
@@ -233,17 +233,13 @@ tmpfs_mount(struct mount *mp)
 * allowed to use, based on the maximum size the user passed in
 * the mount structure.  A value of zero is treated as if the
 * maximum available space was requested. */
-   if (size_max  PAGE_SIZE || size_max  SIZE_MAX - PAGE_SIZE)
+   if (size_max  PAGE_SIZE || size_max  UINT64_MAX - PAGE_SIZE ||
+   (SIZE_MAX  UINT64_MAX  size_max / PAGE_SIZE = SIZE_MAX))
pages = SIZE_MAX;
else
pages = howmany(size_max, PAGE_SIZE);
MPASS(pages  0);
 
-   if (pages  SIZE_MAX / PAGE_SIZE)
-   size_max = pages * PAGE_SIZE;
-   else
-   size_max = SIZE_MAX;
-
if (nodes_max = 3) {
if (pages  INT_MAX / nodes_per_page)
nodes_max = pages * nodes_per_page;
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: /usr/bin/tar creates invalid lib file

[Gleb Kurtsou]

On (25/03/2012 10:53), Tim Kientzle wrote:
 
 On Mar 25, 2012, at 5:53 AM, Boris Samorodov wrote:
 
  On 24.03.2012 21:00, Tim Kientzle wrote:
  
  On Mar 23, 2012, at 9:51 PM, Boris Samorodov wrote:
  
  Can you send me the output of:
  
  tar -cvf /tmp/test.tar 
  /usr/ports/devel/nspr/work/nspr-4.9/mozilla/nsprpub/build/dist/lib/../../pr/src/./libnspr4.so.1
  
  (A tar archive containing only that one source file.)
  
  This looks similar to a bug that we found in libarchive recently
  I didn't think that bug impacted FreeBSD, but I may have been
  wrong….  if it did, it will be obvious from the structure of the
  created archive.
  
  The following file is extracted after tarring:
  -
  % hd libnspr4.so.1
    32 0a 30 0a 30 0a 32 34  31 39 37 31 0a 30 0a 00 
  |2.0.0.241971.0..|
  0010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
  ||
  *
  0200
  -
  
  The tar file itself attached (3KB in length).
 
 Ugh.  I'll probably need your help to diagnose this more precisely.
 
 Here is the root problem:   tar thinks this is a sparse file
 with nothing in it.On FreeBSD, bsdtar now uses
 lseek(SEEK_HOLE) to identify holes in the file.  For
 some reason, bsdtar is storing this file as just one big hole.

I experience a related issue. lseek(SEEK_HOLE) error checks are too
strict. Files are not added to archive if lseek(SEEK_HOLE) fails.
Ignoring lseek(SEEK_HOLE) at least in ENOTTY case would be preferable.

I run stacked file system (PEFS) on top of ZFS. ZFS reports
_PC_MIN_HOLE_SIZE, but ioctls to lower level fs disabled are in PEFS.
I work around it by properly handling _PC_MIN_HOLE_SIZE.

Test case:
% for i in a b c; do echo $i  $i; done
% tar cf 1.tar a b c
tar: lseek(SEEK_HOLE) failed: Inappropriate ioctl for device
tar: lseek(SEEK_HOLE) failed: Inappropriate ioctl for device
tar: lseek(SEEK_HOLE) failed: Inappropriate ioctl for device
% ls -l 1.tar 
-rw-r--r--  1 gleb  gleb  1024 Mar 26 00:28 1.tar
% tar tf 1.tar # -- no files in archive
%

truss log:
__acl_get_link(0x801c8c100,0x2,0x801d82000,0x0,0x1000,0x0) ERR#22 'Invalid 
argument'
extattr_list_link(0x801c8c100,0x1,0x0,0x0,0x7fffc530,0x0) ERR#45 'Operation 
not supported'
pathconf(a,0x15)   = 512 (0x200)
open(a,O_NONBLOCK,03751270)= 5 (0x5)
lseek(5,0x0,0x3) ERR#25 'Inappropriate ioctl 
for device'
close(5) = 0 (0x0)
tar: write(2,tar: ,5)  = 5 (0x5)

Thanks,
Gleb.

 
 There are a lot of things here that don't make sense:
 
   * The extracted file should be all zero bytes.  (The 2.0.0.241971.0. is the 
 sparse file map, it's not really part of the file.)  How are you extracting 
 this?
 
   * Can you run the tar command under truss or ktrace and look for calls to 
 lseek()?  That would help verify that this is really a tar bug and not a 
 filesystem or kernel bug.
 
 I'll spend some time today to see if I can reproduce the problem here.
 
 Tim
 
 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Idea for GEOM and policy based file encryption

[Gleb Kurtsou]

On (21/03/2012 11:13), Vincent Hoffman wrote:
 On 21/03/2012 10:47, Andrey V. Elsukov wrote:
  On 21.03.2012 14:09, Victor Balada Diaz wrote:
  You would need to modify UFS, or maybe do something like CFS[1]. CFS works
  as an NFS server and you could modify it to only cipher the needed files.
 
  Also you could write a simple FS on FUSE, but last time i checked, our
  FUSE support had some problems.
 
  Yet another link:
  http://www.arg0.net/encfs
 
 or pefs
 FreeBSD wiki page: http://wiki.freebsd.org/PEFS
 blog: http://glebkurtsou.blogspot.com/search/label/pefs

It's also in ports:
http://www.freshports.org/sysutils/pefs-kmod/

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Processes getting stuck in state tmpfs

[Gleb Kurtsou]

On (08/03/2012 01:20), Bernhard Froehlich wrote:
 On 01.03.2012 23:25, Florian Smeets wrote:
  On 01.03.12 20:31, Gleb Kurtsou wrote:
  Could you test the patch attached.
 
  It's also available here as seperate commits:
  https://github.com/glk/freebsd-head/commits/tmpfs-rename
 
 
  The test that used to hang within a minute has now been running
  successfully for almost 2 hours.
 
  Looks good to me.
 
 I have also re-enabled tmpfs on redports.org main tinderbox with
 this patch applied and it runs smooth so far! Very good work.
 Thanks a lot!

Thanks,

Patch is under review now. And will be committed afterwards.

 
 FreeBSD tb3.bluelife.at 10.0-CURRENT FreeBSD 10.0-CURRENT #3: Wed Mar  
 7 23:47:56 CET 2012 
 r...@tb3.bluelife.at:/usr/obj/usr/src/sys/GENERIC  amd64
 
 -- 
 Bernhard Froehlich
 http://www.bluelife.at/
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Processes getting stuck in state tmpfs

[Gleb Kurtsou]

Could you test the patch attached.

It's also available here as seperate commits:
https://github.com/glk/freebsd-head/commits/tmpfs-rename

Thanks,
Gleb.

On (23/02/2012 21:20), Florian Smeets wrote:
 On 11.02.12 11:20, Gleb Kurtsou wrote:
  On (10/02/2012 22:41), Florian Smeets wrote:
  Hi,
 
  if you set WRKDIRPREFIX to a tmpfs mountpoint and try to build audio/gsm
  from ports one of the mv processes gets stuck in state tmpfs quite
  often. Traces from a kernel with WITTNESS and DEBUG_VFS_LOCKS are
  available here http://tb.smeets.im/~flo/tmpfs.txt
  
  It's because of incorrect vnode locking order in tmpfs_rename. Issue is
  known and tmpfs is not the only file system suffering from it (e.g. ext2).
  
  There two ways of working around it in tree:
  * UFS: try locking vnode, unlock all vnodes on failure, restart,
  relookup vnodes needed.
  * ZFS: introduce directory entry locks to guarantee fvp won't disappear,
  fdvp can be safely traversed, etc. That won't be easy..
  
  UFS-way would be a good temporal solution, but I think we should work on
  improving VOP_RENAME() in a long run.
  
  I'll try to prepare a patch in several days.
  
 
 Hey Gleb,
 
 did you get anywhere with this?
 
 Thanks,
 Florian
 


diff --git a/sys/fs/tmpfs/tmpfs_subr.c b/sys/fs/tmpfs/tmpfs_subr.c
index d2b2245..fe596aa 100644
--- a/sys/fs/tmpfs/tmpfs_subr.c
+++ b/sys/fs/tmpfs/tmpfs_subr.c
@@ -42,6 +42,7 @@ __FBSDID($FreeBSD$);
 #include sys/proc.h
 #include sys/stat.h
 #include sys/systm.h
+#include sys/sysctl.h
 #include sys/vnode.h
 #include sys/vmmeter.h
 
@@ -56,6 +57,8 @@ __FBSDID($FreeBSD$);
 #include fs/tmpfs/tmpfs_fifoops.h
 #include fs/tmpfs/tmpfs_vnops.h
 
+SYSCTL_NODE(_vfs, OID_AUTO, tmpfs, CTLFLAG_RW, 0, tmpfs file system);
+
 /* - */
 
 /*
@@ -320,9 +323,11 @@ loop:
MPASS((node-tn_vpstate  TMPFS_VNODE_DOOMED) == 0);
VI_LOCK(vp);
TMPFS_NODE_UNLOCK(node);
-   vholdl(vp);
-   (void) vget(vp, lkflag | LK_INTERLOCK | LK_RETRY, curthread);
-   vdrop(vp);
+   error = vget(vp, lkflag | LK_INTERLOCK, curthread);
+   if (error != 0) {
+   vp = NULL;
+   goto out;
+   }
 
/*
 * Make sure the vnode is still there after
@@ -420,11 +425,13 @@ unlock:
 out:
*vpp = vp;
 
-   MPASS(IFF(error == 0, *vpp != NULL  VOP_ISLOCKED(*vpp)));
 #ifdef INVARIANTS
-   TMPFS_NODE_LOCK(node);
-   MPASS(*vpp == node-tn_vnode);
-   TMPFS_NODE_UNLOCK(node);
+   if (error == 0) {
+   MPASS(*vpp != NULL  VOP_ISLOCKED(*vpp));
+   TMPFS_NODE_LOCK(node);
+   MPASS(*vpp == node-tn_vnode);
+   TMPFS_NODE_UNLOCK(node);
+   }
 #endif
 
return error;
diff --git a/sys/fs/tmpfs/tmpfs_vnops.c b/sys/fs/tmpfs/tmpfs_vnops.c
index 93fea8b..dd54679 100644
--- a/sys/fs/tmpfs/tmpfs_vnops.c
+++ b/sys/fs/tmpfs/tmpfs_vnops.c
@@ -46,6 +46,7 @@ __FBSDID($FreeBSD$);
 #include sys/sf_buf.h
 #include sys/stat.h
 #include sys/systm.h
+#include sys/sysctl.h
 #include sys/unistd.h
 #include sys/vnode.h
 
@@ -58,6 +59,13 @@ __FBSDID($FreeBSD$);
 #include fs/tmpfs/tmpfs_vnops.h
 #include fs/tmpfs/tmpfs.h
 
+SYSCTL_DECL(_vfs_tmpfs);
+
+static volatile int tmpfs_rename_restarts;
+SYSCTL_INT(_vfs_tmpfs, OID_AUTO, rename_restarts, CTLFLAG_RD,
+__DEVOLATILE(int *, tmpfs_rename_restarts), 0,
+Times rename had to restart due to lock contention);
+
 /* - */
 
 static int
@@ -920,6 +928,118 @@ out:
 /* - */
 
 static int
+tmpfs_rename_relock(struct vnode *fdvp, struct vnode **fvpp,
+struct vnode *tdvp, struct vnode **tvpp,
+struct componentname *fcnp, struct componentname *tcnp)
+{
+   struct vnode *nvp;
+   struct mount *mp;
+   struct tmpfs_dirent *de;
+   int error;
+
+   VOP_UNLOCK(tdvp, 0);
+   if (*tvpp != NULL  *tvpp != tdvp)
+   VOP_UNLOCK(*tvpp, 0);
+   mp = fdvp-v_mount;
+
+relock:
+   atomic_add_int(tmpfs_rename_restarts, 1);
+   error = vn_lock(fdvp, LK_EXCLUSIVE);
+   if (error)
+   goto releout;
+   if (vn_lock(tdvp, LK_EXCLUSIVE | LK_NOWAIT) != 0) {
+   VOP_UNLOCK(fdvp, 0);
+   error = vn_lock(tdvp, LK_EXCLUSIVE);
+   if (error)
+   goto releout;
+   VOP_UNLOCK(tdvp, 0);
+   goto relock;
+   }
+   /*
+* Re-resolve fvp to be certain it still exists and fetch the
+* correct vnode.
+*/
+   de = tmpfs_dir_lookup(VP_TO_TMPFS_DIR(fdvp), NULL, fcnp);
+   if (de == NULL) {
+   VOP_UNLOCK(fdvp, 0);
+   VOP_UNLOCK(tdvp, 0);
+   if ((fcnp-cn_flags  ISDOTDOT) != 0

Re: how to cross-build a single application ?

[Gleb Kurtsou]

On (01/03/2012 18:52), Luigi Rizzo wrote:
 On Thu, Mar 01, 2012 at 12:24:13PM -0500, Alexander Kabaev wrote:
  On Thu, 1 Mar 2012 18:38:19 +0100
  Luigi Rizzo ri...@iet.unipi.it wrote:
  
   What is the way to properly cross-build a single program
   (after having gone throught the 'toolchain' and possibly
   even a full 'buildworld') 
   from the top-level directory of a FreeBSD source tree ?
   
   right now i do something like
   
 cd $SOURCE_ROOT
 make MAKEOBJDIRPREFIX=/my_obj_tree TARGET=amd64 buildworld
   
   but i seem to remember that there is a more efficient way
   when you want to rebuild only one program or one subtree.
   I think i have seen this question being answered from time to time
   but i can't find how now.
   
   any hints ?
   
   cheers
   luigi
   
  
  Something like this should work:
  
  cd src/
  make buildenv TARGET=...
  cd usr.bin/blah
  make
 
 close:
 
   eval `make buildenvvars TARGET=... `  cd usr.bin/blah  make

There is tools/tinder.sh in src tree.

 
 thanks!
 luigi
 
 
 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: devd based AUTOMOUNTER

[Gleb Kurtsou]

On (18/02/2012 10:48), vermaden wrote:
 Added a check if ntfs-3g is available, if not then mount_ntfs is used instead.
 Added deleting of empty directories at ${MNTPREFIX}.
 Added ${MNTPREFIX} to be set to /mnt or /media according to preference
 
 #! /bin/sh
 
 PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
 MNTPREFIX=/media
 LOG=/var/log/automount.log
 STATE=/var/run/automount.state
 DATEFMT=%Y-%m-%d %H:%M:%S
 
 __create_mount_point() { # /* 1=DEV */
   MNT=${MNTPREFIX}/$( basename ${1} )
   mkdir -p ${MNT}
 }
 
 __state_lock() {
   while [ -f ${STATE}.lock ]; do sleep 0.5; done
   : ${STATE}.lock
 }

Why not keep it stateless, unmounting by hand would kill integrity.

Usage of `file` is a big security concern.

I think geom config and list of mounted file systems should be
sufficient for collecting information at runtime. Although it may not be
that easy for disks without partitioning.

I'm using a python script for mounting/unmounting removable disks,
but having similar tool written in sh would be great.

https://github.com/glk/mmount

Thanks,
Gleb.

 
 __state_unlock() {
   rm ${STATE}.lock
 }
 
 __state_add() { # /* 1=DEV 2=PROVIDER 3=MNT */
   __state_lock
   grep -E ${3} ${STATE} 1 /dev/null 2 /dev/null  {
 __log ${1}:duplicated '${STATE}'
 return 1
   }
   echo ${1} ${2} ${3}  ${STATE}
   __state_unlock
 }
 
 __state_remove() { # /* 1=MNT 2=STATE 3=LINE */
   BSMNT=$( echo ${1} | sed 's/\//\\\//g' )
   sed -i '' /${BSMNT}\$/d ${2}
 }
 
 __log() { # /* @=MESSAGE */
   echo $( date +${DATEFMT} ) ${@}  ${LOG}
 }
 
 case ${2} in
   (attach)
 for I in /dev/${1}*
 do
   case $( file -L -s ${I} | sed -E 's/label:\ \.*\//g' ) in
 (*NTFS*)
   dd  ${I} count=1 2 /dev/null \
 | strings \
 | head -1 \
 | grep -q NTFS  {
   __create_mount_point ${I}
   which ntfs-3g 1 /dev/null 2 /dev/null  {
 ntfs-3g ${I} ${MNT} # /* sysutils/fusefs-ntfs */
   } || {
 mount_ntfs ${I} ${MNT}
   }
   __log ${I}:mount (ntfs)
   }
   ;;
 (*FAT*)
   dd  ${I} count=1 2 /dev/null \
 | strings \
 | grep -q FAT32  {
   __create_mount_point ${I}
   fsck_msdosfs -y ${I}
   mount_msdosfs -o large -l -L pl_PL.ISO8859-2 -D cp852 ${I} 
 ${MNT}
   __log ${I}:mount (fat)
   }
   ;;
 (*ext2*)
   __create_mount_point ${I}
   fsck.ext2 -y ${I}
   mount -t ext2fs ${I} ${MNT}
   __log ${I}:mount (ext2)
   ;;
 (*ext3*)
   __create_mount_point ${I}
   fsck.ext3 -y ${I}
   mount -t ext2fs ${I} ${MNT}
   __log ${I}:mount (ext3)
   ;;
 (*ext4*)
   __create_mount_point ${I}
   fsck.ext4 -y ${I}
   ext4fuse ${I} ${MNT} # /* sysutils/fusefs-ext4fuse */
   __log ${I}:mount (ext4)
   ;;
 (*Unix\ Fast\ File*)
   __create_mount_point ${I}
   fsck_ufs -y ${I}
   mount ${I} ${MNT}
   __log ${I}:mount (ufs)
   ;;
 (*)
   case $( dd  ${I} count=1 2 /dev/null | strings | head -1 ) in
 (EXFAT)
   __create_mount_point ${I}
   mount.exfat ${I} ${MNT} # /* sysutils/fusefs-exfat */
   __log ${I}:mount (ufs)
   ;;
 (*) continue ;;
   esac
   ;;
   esac
   __state_add ${I} $( mount | grep -m 1  ${MNT}  | awk '{printf $1}' ) \
 ${MNT} || continue
 done
 ;;
 
   (detach)
 MOUNT=$( mount )
 __state_lock
 grep ${1} ${STATE} \
   | while read DEV PROVIDER MNT
 do
   TARGET=$( echo ${MOUNT} | grep -E ^${PROVIDER}  | awk '{print 
 $3}' )
   [ -z ${TARGET} ]  {
 __state_remove ${MNT} ${STATE} ${LINE}
 continue
   }
   umount -f ${TARGET} 
   unset TARGET
   __state_remove ${MNT} ${STATE} ${LINE}
   __log ${DEV}:umount
 done
 __state_unlock
 __log /dev/${1}:detach
 find ${MNTPREFIX} -type d -empty -delete
 ;;
 
 esac
 
 
 
  Not sure if you've looked at disktype in sysutils
  but it may be useful to you.
 
 I will get look into that, thanks ;)
 
 
 
  Neat scripts!
  Matt
 
 Thanks mate.
 
 
 
 Regards,
 vermaden
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Processes getting stuck in state tmpfs

[Gleb Kurtsou]

On (10/02/2012 22:41), Florian Smeets wrote:
 Hi,
 
 if you set WRKDIRPREFIX to a tmpfs mountpoint and try to build audio/gsm
 from ports one of the mv processes gets stuck in state tmpfs quite
 often. Traces from a kernel with WITTNESS and DEBUG_VFS_LOCKS are
 available here http://tb.smeets.im/~flo/tmpfs.txt

It's because of incorrect vnode locking order in tmpfs_rename. Issue is
known and tmpfs is not the only file system suffering from it (e.g. ext2).

There two ways of working around it in tree:
* UFS: try locking vnode, unlock all vnodes on failure, restart,
relookup vnodes needed.
* ZFS: introduce directory entry locks to guarantee fvp won't disappear,
fdvp can be safely traversed, etc. That won't be easy..

UFS-way would be a good temporal solution, but I think we should work on
improving VOP_RENAME() in a long run.

I'll try to prepare a patch in several days.

Thanks,
Gleb.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: [patch] pam_exec: use program exit code instead of PAM_SYSTEM_ERR

[Gleb Kurtsou]

On (24/01/2012 15:25), Jean-S?bastien P?dron wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hi,
 
 If the specified program exits with non-zero, current implementation
 of pam_exec(8) logs this code and return PAM_SYSTEM_ERR. Therefore,
 applications have no idea what went wrong with authentication.
 
 Attached is a patch that changes the behaviour to always return the
 program exit code as-is. This lets the program returns meaningful
 informations to applications.
 
 I also added a small paragraph explaining this to the man page.
 
 I'm planning to commit this to -CURRENT (maybe in a week or two) and
 merge it to 9 and 8 if there're no objections.

Please consider making it optional.  It will break for generic
applications because pam_sm_chauthtok error codes are documented and
standardized. I'm not aware of any application that uses PAM error
constants as exit code.

Thanks,
Gleb.

 
 Thanks for any comments!
 
 - -- 
 Jean-Sébastien Pédron
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v2.0.18 (FreeBSD)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
 iEYEARECAAYFAk8ev0IACgkQa+xGJsFYOlNjyACfSg6NgDLy+7VF6rEVV6yTINTd
 rlgAoNpgWLvYBEL2DCejuPDz0yQRf5QY
 =JEte
 -END PGP SIGNATURE-

 diff --git a/lib/libpam/modules/pam_exec/pam_exec.8 
 b/lib/libpam/modules/pam_exec/pam_exec.8
 index 311d64c..c5d2404 100644
 --- a/lib/libpam/modules/pam_exec/pam_exec.8
 +++ b/lib/libpam/modules/pam_exec/pam_exec.8
 @@ -32,7 +32,7 @@
  .\
  .\ $FreeBSD$
  .\
 -.Dd February 1, 2005
 +.Dd January 24, 2012
  .Dt PAM_EXEC 8
  .Os
  .Sh NAME
 @@ -59,6 +59,12 @@ variables:
  .Ev PAM_TTY ,
  and
  .Ev PAM_USER .
 +.Pp
 +The program exit code should be one of the codes defined in
 +.Pa /usr/include/security/pam_constants.h
 +under section XSSO 5.2. Authentication is successful if the return code is
 +.Er PAM_SUCCESS
 +(0), failed otherwise.
  .Sh SEE ALSO
  .Xr pam_get_item 3 ,
  .Xr pam.conf 5 ,
 diff --git a/lib/libpam/modules/pam_exec/pam_exec.c 
 b/lib/libpam/modules/pam_exec/pam_exec.c
 index b7a870f..d497479 100644
 --- a/lib/libpam/modules/pam_exec/pam_exec.c
 +++ b/lib/libpam/modules/pam_exec/pam_exec.c
 @@ -141,12 +141,7 @@ _pam_exec(pam_handle_t *pamh __unused, int flags 
 __unused,
   openpam_log(PAM_LOG_ERROR, unknown status 0x%x, status);
   return (PAM_SYSTEM_ERR);
   }
 - if (WEXITSTATUS(status) != 0) {
 - openpam_log(PAM_LOG_ERROR, %s returned code %d,
 - argv[0], WEXITSTATUS(status));
 - return (PAM_SYSTEM_ERR);
 - }
 - return (PAM_SUCCESS);
 + return (WEXITSTATUS(status));
  }
  
  PAM_EXTERN int

 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Freeze with 10.0 and VirtualBox {4.1.4|4.1.6|4.1.51r38464}

[Gleb Kurtsou]

On (26/11/2011 14:44), Andriy Gapon wrote:
 on 26/11/2011 14:19 Gustau Pérez said the following:
  
Starting Virtualbox in the console in headless mode allows to see what 
  happens
  and get a dump of the panic.
  
The messages I got were not the cause problem. The panic I was able to get
  shows this:
  
  http://pastebin.com/dHnB3Xh0
  
I can't get any further with core although I compiled virtualbox-ose-kmod 
  with
  debug symbols (I used make config to enable them, because I think 
  -DWITH_DEBUG
  does not work because kmk is used in the build process).
  
Any help will be appreciated.
 
 vm_phys_alloc_contig implementation has been recently changed and now it seems
 to require that vm_page_queue_free_mtx is held.

Using new vm_page_alloc_contig() may be a better option here. Can't help
with patch, stuck with pre Nov 15 CURRENT myself.

 
 -- 
 Andriy Gapon
 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: SIOCGIFADDR broken on 9.0-RC1?

[Gleb Kurtsou]

On (15/11/2011 18:10), GR wrote:
 Hello list,
 
 more insights since my last post. Here is a small code to trigger the bug 
 (end of email).
 When you run it on 9.0-RC1, it gets an alias address instead of the main inet 
 address:
 
 % ./get-ip re0  
 inet: 192.168.2.10
 # Main address being 192.168.1.148
 
 On 8.2-RELEASE, all goes well:
 % ./get-ip re0
 inet: PUBLIC_IP4
 
 Is something broken, or a behaviour has changed since 8.2-RELEASE?

Your test case looks ok and works as expexted for me on 10-CURRENT, both
without aliases and after adding alias to interface. Perhaps it's the way
you add aliases (libdnet ?).

I've used:
ifconfing em0 alias OTHERIP


Thanks,
Gleb.

 
 Best regards,
 
 
 --8--
 #include sys/types.h
 #include sys/socket.h
 #include stdio.h
 #include stdlib.h
 #include unistd.h
 #include net/if.h
 #include sys/sockio.h
 #include string.h
 #include netinet/in.h
 #include arpa/inet.h
 
 int
 main(int argc, char *argv[])
 {
int fd;
struct ifreq ifr;
const struct sockaddr_in *sa;
 
fd = socket(AF_INET, SOCK_DGRAM, 0);
if (fd  0) {
   perror(socket);
   exit(-1);
}
 
memset(ifr, 0, sizeof(struct ifreq));
strlcpy(ifr.ifr_name, argv[1], sizeof(ifr.ifr_name));
 
if (ioctl(fd, SIOCGIFADDR, ifr) == 0) {
   sa = (const struct sockaddr_in *) ifr.ifr_addr;
   printf(inet: %s\n, inet_ntoa(sa-sin_addr));
}
else {
   perror(ioctl);
   exit(-1);
}
 
exit(0);
 }
 --8--
 
 -- 
   ^  ___  ___ http://www.GomoR.org/  -+
   | / __ |__/Senior Security Engineer  |
   | \__/ |  \ ---[ zsh$ alias psed='perl -pe ' ]---|
   +--  Net::Frame = http://search.cpan.org/~gomor/  ---+
 
 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: HEADS UP: ports/ and 10.0-CURRENT

[Gleb Kurtsou]

On (26/09/2011 23:03), Ade Lovett wrote:
 With the advent of the conversion of HEAD to 10.0-CURRENT and, as to be
 expected, ports/ is going to be essentially unusable for a while.
 
 The issue stems from configure scripts (to choose something completely
 at random) assuming that FreeBSD would never jump to a double-digit
 major version number, and as such, various regexps for freebsd1* (ie:
 FreeBSD 1.1.x) are now matching freebsd10.

It's more exciting than that. FreeBSD = 10 is already seized by
Apple :)

http://www.google.com/codesearch#search/q=__FreeBSD__%5CW%2B10type=cs


 
 This is going to be some fairly fundamental breakage.
 
 However, until such time as 9.0-RELEASE is completely out of the door,
 with autotools hat on, I will _not_ be committing any changes to
 infrastructural ports to fix this.
 
 That is to say, until 9.0-R happens, and for some considerable period
 afterwards, ya'll can pretty much expect ports/ to be non-functional on
 HEAD.  PRs mentioning this will be gleefully closed referencing this
 message.
 
 -aDe
 
 Reply-To set to me.  Please honor it.
 
 
 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: fsid change of ZFS?

[Gleb Kurtsou]

On (24/08/2011 21:34), Hiroki Sato wrote:
 Kostik Belousov kostik...@gmail.com wrote
   in 20110824082119.gj17...@deviant.kiev.zoral.com.ua:
 
 ko On Tue, Aug 23, 2011 at 11:23:03PM +0200, Pawel Jakub Dawidek wrote:
 ko  On Tue, Aug 23, 2011 at 04:11:20PM -0400, Rick Macklem wrote:
 ko   Here's the patch. (Hiroki could you please test this, thanks, rick.)
 ko   ps: If the white space gets trashed, the same patch is at:
 ko  http://people.freebsd.org/~rmacklem/fsid.patch
 ko 
 ko  The patch is fine by me. Thanks, Rick!
 ko
 ko Sorry, I am late.
 ko
 ko It seems that the probability of the collisions for the hash is quite 
 high.
 ko Due to the fixup procedure, the resulting typenum will depend on the order
 ko of the module initialization, isn't it ? IMO, it makes the patch goal not
 ko met.
 
  I tried the following two experiments (the complete results are
  attached) to confirm the probability:
 
  1. [fsidhash1.txt]
   well-known vfc_name and the names [a-z]fs (# of names is 36)
   with no fix-up recalculation.
 
  2. [fsidhash2.txt]
   well-known vfc_name and the names [a-z][a-z]fs (# of names is 710)
   with no fix-up recalculation.
 
  There is no collision in the case 1.  And when [a-z][a-z]fs are
  included the average number of the collided names in the same hash
  value is 4.43 (i.e. 160 different hash values are generated, the
  theoretical best number is (710 entries / 256 buckets) = 2.77).
Could you run the same test with fnv_32_buf()? Collision rate is likely
to be lower.

  At least, vfc_names we currently have in our kernel code have no
  collision, fortunately.  As you noticed [a-z][a-z]fs is an
  impractical data set and these results cannot explain the
  characteristics for all possible and practical vfc_names, so whether
  this hash is reasonable or not depends on how we think of them.
  Comments or other better idea?
 
 -- Hiroki
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: chromium port causing massive I/O faults

[Gleb Kurtsou]

On (27/07/2011 00:48), Alexander Best wrote:
 On Mon Jul 25 11, Matthias Andree wrote:
  Am 25.07.2011 09:21, schrieb Alexander Best:
   On Mon Jul 25 11, Adrian Chadd wrote:
   Is it perhaps doing disk IO using mmap?
   
   how can i check, whether that's the case or not?
  
  Use truss(1) for instance.
  
  However, unless there are *practical* problems, a high number of page
  faults is not an indication for problems.  Although it may sound scary,
  page faults are a feature of the memory management.
 
 unfortunately truss(1) is crashing chromium :( i opened up a new thread
 reagarding this issue on freebsd-current@.
Could you try ktrace? It works for me

 another thing i noticed is the increase in system calls caused by chromium.
 let's have a look at hub.freebsd.org:
 
 uptime = 149 days
 
 and 'vmstat -s' reports:
 
 2168697753 cpu context switches
 2266220366 device interrupts
 2902880931 software interrupts
 3779075897 traps
 902107847 system calls
 
 now on my box:
 
 uptime = 2 days
 
 and 'vmstat -s' reports:
 
 1155995386 cpu context switches
 164577882 device interrupts
 189456976 software interrupts
 137007580 traps
 2178434582 system calls
About 2.5k syscalls with chrome + a lot of other stuff running. 1.5k
without chrome.

Looks like there is a lot of clock_gettime and gettimeofday syscalls.
~ % kdump -m 1 -f ktrace.out | grep 'CALL .*gettime' | wc -l
   24343

~ % kdump -E -m 1 -f ktrace.out | grep 'CALL .*gettime' | tail -20
 12747 chrome   15.077376 CALL  gettimeofday(0x7f7f9630,0x7f7f9640)
 12747 chrome   15.077396 CALL  clock_gettime(0x4,0x7fbfb6f0)
 12747 chrome   15.077497 CALL  gettimeofday(0x7fbfb650,0x7fbfb660)
 12747 chrome   15.077609 CALL  gettimeofday(0x7fbfb650,0x7fbfb660)
 12747 chrome   15.077723 CALL  gettimeofday(0x7fbfb650,0)
 12747 chrome   15.077845 CALL  clock_gettime(0,0x7fbfb2b0)
 12747 chrome   15.078337 CALL  clock_gettime(0x4,0x7f9fa630)
 12747 chrome   15.078544 CALL  clock_gettime(0x4,0x7f9fa650)
 12747 chrome   15.078587 CALL  clock_gettime(0x4,0x7f9fa650)
 12747 chrome   15.078632 CALL  clock_gettime(0x4,0x7f9fa650)
 12747 chrome   15.078674 CALL  clock_gettime(0x4,0x7f9fa650)
 12747 chrome   15.082803 CALL  gettimeofday(0x7edd3630,0x7edd3640)
 12747 chrome   15.084644 CALL  gettimeofday(0x7fbfb650,0x7fbfb660)
 12747 chrome   15.084746 CALL  clock_gettime(0x4,0x7fbfb670)
 12747 chrome   15.084815 CALL  clock_gettime(0x4,0x7fbfb670)
 12747 chrome   15.086620 CALL  gettimeofday(0x7efd4650,0x7efd4660)
 12747 chrome   15.086736 CALL  clock_gettime(0x4,0x7efd4670)
 12747 chrome   15.086815 CALL  clock_gettime(0x4,0x7efd4670)
 12747 chrome   15.098315 CALL  gettimeofday(0x7fffafe0,0x7fffaff0)
 12747 chrome   15.098680 CALL  clock_gettime(0x4,0x7fffb250)

Some work was done by kib@ to create a kernel page strong current time
and other misc info to eliminate gettimeofday kind syscalls.  Bits of it
were commited but I'm not sure if it was finished.
But anyway calling gettimeofday hundreds of times per second is a chrome
bug.

FreeBSD 9.0-CURRENT #2 r224003+777e962: Thu Jul 14 13:04:55 EEST 2011
chromium-11.0.696.57_1

 i ran the following command twice. first time without running chromium and the
 second time with chromium running:
 
 otaku% vmstat -s|grep system calls; sleep 1; vmstat -s|grep system calls
 2178187850 system calls
 2178189739 system calls
 
 otaku% vmstat -s|grep system calls; sleep 1; vmstat -s|grep system calls
 2177998835 system calls
 2178022003 system calls
 
 so it's 2k/sec vs. 23k/sec
 
 cheers.
 alex
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: chromium port causing massive I/O faults

[Gleb Kurtsou]

On (27/07/2011 09:18), Alexander Best wrote:
 On Wed Jul 27 11, Gleb Kurtsou wrote:
  On (27/07/2011 00:48), Alexander Best wrote:
   On Mon Jul 25 11, Matthias Andree wrote:
Am 25.07.2011 09:21, schrieb Alexander Best:
 On Mon Jul 25 11, Adrian Chadd wrote:
 Is it perhaps doing disk IO using mmap?
 
 how can i check, whether that's the case or not?

Use truss(1) for instance.

However, unless there are *practical* problems, a high number of page
faults is not an indication for problems.  Although it may sound scary,
page faults are a feature of the memory management.
   
   unfortunately truss(1) is crashing chromium :( i opened up a new thread
   reagarding this issue on freebsd-current@.
  Could you try ktrace? It works for me
  
   another thing i noticed is the increase in system calls caused by 
   chromium.
   let's have a look at hub.freebsd.org:
   
   uptime = 149 days
   
   and 'vmstat -s' reports:
   
   2168697753 cpu context switches
   2266220366 device interrupts
   2902880931 software interrupts
   3779075897 traps
   902107847 system calls
   
   now on my box:
   
   uptime = 2 days
   
   and 'vmstat -s' reports:
   
   1155995386 cpu context switches
   164577882 device interrupts
   189456976 software interrupts
   137007580 traps
   2178434582 system calls
  About 2.5k syscalls with chrome + a lot of other stuff running. 1.5k
  without chrome.
  
  Looks like there is a lot of clock_gettime and gettimeofday syscalls.
  ~ % kdump -m 1 -f ktrace.out | grep 'CALL .*gettime' | wc -l
 24343
  
  ~ % kdump -E -m 1 -f ktrace.out | grep 'CALL .*gettime' | tail -20
   12747 chrome   15.077376 CALL  gettimeofday(0x7f7f9630,0x7f7f9640)
   12747 chrome   15.077396 CALL  clock_gettime(0x4,0x7fbfb6f0)
   12747 chrome   15.077497 CALL  gettimeofday(0x7fbfb650,0x7fbfb660)
   12747 chrome   15.077609 CALL  gettimeofday(0x7fbfb650,0x7fbfb660)
   12747 chrome   15.077723 CALL  gettimeofday(0x7fbfb650,0)
   12747 chrome   15.077845 CALL  clock_gettime(0,0x7fbfb2b0)
   12747 chrome   15.078337 CALL  clock_gettime(0x4,0x7f9fa630)
   12747 chrome   15.078544 CALL  clock_gettime(0x4,0x7f9fa650)
   12747 chrome   15.078587 CALL  clock_gettime(0x4,0x7f9fa650)
   12747 chrome   15.078632 CALL  clock_gettime(0x4,0x7f9fa650)
   12747 chrome   15.078674 CALL  clock_gettime(0x4,0x7f9fa650)
   12747 chrome   15.082803 CALL  gettimeofday(0x7edd3630,0x7edd3640)
   12747 chrome   15.084644 CALL  gettimeofday(0x7fbfb650,0x7fbfb660)
   12747 chrome   15.084746 CALL  clock_gettime(0x4,0x7fbfb670)
   12747 chrome   15.084815 CALL  clock_gettime(0x4,0x7fbfb670)
   12747 chrome   15.086620 CALL  gettimeofday(0x7efd4650,0x7efd4660)
   12747 chrome   15.086736 CALL  clock_gettime(0x4,0x7efd4670)
   12747 chrome   15.086815 CALL  clock_gettime(0x4,0x7efd4670)
   12747 chrome   15.098315 CALL  gettimeofday(0x7fffafe0,0x7fffaff0)
   12747 chrome   15.098680 CALL  clock_gettime(0x4,0x7fffb250)
  
  Some work was done by kib@ to create a kernel page strong current time
  and other misc info to eliminate gettimeofday kind syscalls.  Bits of it
  were commited but I'm not sure if it was finished.
  But anyway calling gettimeofday hundreds of times per second is a chrome
  bug.
 
 *lol* i did exactly the same measurements, you did. :) here are my results:
 
 otaku% kdump|grep CALL  mmap|wc
  7242896   58468
 otaku% kdump -s|grep CALL  clock_gettime|wc
49545  198180 2772674
 otaku% kdump -s|grep CALL  linux_clock_gettime|wc
40185  160740 2491298
 otaku% kdump -s|grep CALL  linux_gettimeofday|wc 
21670   86680 1278530
 otaku% kdump -s|grep CALL  gettimeofday|wc 
 8173   32692  525053
 otaku% kdump -s|grep CALL  linux_sys_futex|wc
 6191   24764  548800
I suppose linux_* stuff comes from flashplugin. Clearly flash generates
more gettime syscalls than chrome itself. Unfortunately the only way to
fix this mess in a linux centric world is to implement syscall free
gettimeofday with linux ABI support.

syscall-free gettimeofday discussion:
http://freebsd.1045724.n5.nabble.com/fast-syscall-free-gettimeofday-td4488301.html

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Heavy I/O blocks FreeBSD box for several seconds

[Gleb Kurtsou]

On (11/07/2011 16:36), m...@freebsd.org wrote:
 On Mon, Jul 11, 2011 at 4:00 PM, Ali Mashtizadeh mashtiza...@gmail.com 
 wrote:
  Maybe someone can setup something like reviewboard [1] for developers
  to use. This may also help folks who want to keep abreast of the
  current work in a particular subsystem or get involved into the
  development process more. At my company we use reviews and it seems to
  help the catch some bugs and help new engineers ramp up faster.
 
  [1] http://www.reviewboard.org/
 
 FreeBSD development is completely open; anyone can sign up for the
 svn-src-* mailing list they are interested in, including
 svn-src-head@.  Code reviews are plenty as well; just check the list
 archives for discussion of bugs, poor design choices and unintended
 effects.  But most reviews are silent and after-the-fact by looking at
 the list mail.  It's a system that seems to be working just fine for
 the FreeBSD project so far.  This isn't a job for most anyone; it's a
 volunteer project and so anything that raises the barrier to getting
 work done for the project should be looked at with skepticism.

I agree with everything said above and think that it's not reviews
that's missing. By review I don't mean something like getting ok to
commit reply from N developers before committing. svn-src@ works
great for it, commits keep getting reverted :) Review is a time
consuming process that also requires certain level of expertise.
Volunteer project can hardly afford it.

Having a project adopted way of sharing work in progress will be a step
forward. Yes, I'm aware of perforce, it's to hard to use and wasn't
designed to share and test ideas. I think guthub can be a very good
candidate (but AFAIK it won't allow hosting of FreeBSD repo for not paid
accounts). I'm not suggesting switching to git as VCS, but using github
UI for communication and tracking not yet commited or work in progress
changes. In ideal world developers will merge patches from each other
increasing chance of a good code to survive and get commited later.
Currently we have patches hosted at people.freebsd.org, as attachments
on maillists and PRs -- almost all stale or outdated. Key difference of
github is that original patch author will be aware of you using it,
potentially updating and improving it. Others can continue supporting
the patch if original author abandons it, etc. Sending patches is too
complicated and counterproductive comparing to github.

Thanks,
Gleb.

 
 Is there a specific deficit that you want to address?
 
 Thanks,
 matthew
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Thoughts on TMPFS no longer being considered highly experimental

[Gleb Kurtsou]

On (23/06/2011 20:44), Olivier Smedts wrote:
 2011/6/23 Alexander V. Chernikov melif...@ipfw.ru:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Matthew Jacob wrote:
 
  I gave up on using it after a brief try earlier this year. I can't
  remember the details, but it did lock up my amd64 system.
 
  On Thu, 23 Jun 2011, David O'Brien wrote:
 
  Does anyone object to this patch?
 
  David Wolfskill and I have run TMPFS on a number of machines for two
  years with no problems.
 
  I may have missed something, but I'm not aware of any serious PRs on
  TMPFS either.
 
  There was some issues with sendfile(2) and mmap(2) causing kernel hangs
  in some cases. vim triggers such hangs for me. However, those problems
  were fixed and MFCed (afair).
 
  I'm using tmpfs on several machines in production without any problems.
  Maybe being _highly_ experimental for nearly 4 years is enough? :)
 
 I think there are still problems with high wired memory consumers like
 ZFS. I've got 0-sized tmpfs with 8GB RAM + ZFS with 4GB ARC + 4GB
 swap.
There is a patch to make tmpfs memory management more strict (more
aggressive), and set default partition size to half of all memory.
http://marc.info/?l=freebsd-fsm=129747362722933w=2

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Starting with svn commit r216333 current freezes

[Gleb Kurtsou]

On (18/12/2010 10:14), Christian Gusenbauer wrote:
 Hi!
 
 With commit r216333 to pmap.c my PC (i386 32 bit) freezes within a few 
 seconds 
 when X (with nvidia-driver 256.53) starts. I already recompiled and 
 reinstalled the nvidia driver, but this didn't change anything. I also tried 
 the latest nvidia-driver 260.19.29 but without luck, too :-(.
 
 By chance I saw a panic message vm_page_unwire: page 0x... wire count is 
 zero, but no crash dump was generated.

It works fine for me on amd64.

% uname -a
FreeBSD tops 9.0-CURRENT FreeBSD 9.0-CURRENT #9 r216475+2eff56c: Thu Dec 16 
08:21:48 EET 2010 r...@tops:/usr/obj/freebsd-src/local/sys/TOPS  amd64

pciconf:
vgap...@pci0:1:0:0: class=0x03 card=0x04411028 chip=0x0a7510de rev=0xa2 
hdr=0x00
vendor = 'NVIDIA Corporation'
class  = display
subclass   = VGA

Xorg log:
(--) PCI:*(0:1:0:0) 10de:0a75:1028:0441 nVidia Corporation GT218 [GeForce 310M] 
rev 162, Mem @ 0xfa00/16777216, 0xc000/268435456, 0xd000/33554432, 
I/O @ 0xe000/128, BIOS @ 0x/65536
(II) LoadModule: glx
(II) Loading /usr/local/lib/xorg/modules/extensions/libglx.so
(II) Module glx: vendor=NVIDIA Corporation
compiled for 4.0.2, module version = 1.0.0
Module class: X.Org Server Extension
(II) NVIDIA GLX Module  256.53  Fri Aug 27 20:49:58 PDT 2010

 
 Any clues?
 
 Thanks,
 Christian.
 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: tmpfs out of space (ZFS related?)

[Gleb Kurtsou]

On (21/11/2010 22:22), Ivan Voras wrote:
 I got a curious error today while starting PostgreSQL, complaining about 
 out of space errno while creating lock file on /tmp.
 
 /tmp on this machine is mounted as tmpfs and indeed, here is the statistic:
 
 biggie:/# df -i
 Filesystem1M-blocks  Used  Avail Capacity iused ifree %iused 
 Mounted on
 /dev/mfid0s1a  9912  5193   392657%  306079   1012831   23%   /
 devfs 0 0  0   100%   0 0  100%   /dev
 fdescfs   0 0  0   100%   4 110920% 
 /dev/fd
 tmpfs 0 0  0   100%   9 0  100%   /tmp
 tank 376044 0 376044 0%   4 7701383470%   /tank
 tank/ports   376658   614 376044 0%  145919 7701383470% 
 /usr/ports
 tank/mysql   37607329 376044 0% 102 7701383470% 
 /var/db/mysql
 tank/pgdata90400469 24425 376044 6%1047 7701383470% 
 /tank/pgdata90
 
 On the other hand, top reports this:
 
 last pid: 79667;  load averages:  0.08,  0.68,  0.77up 1+09:12:13 
 00:11:33
 44 processes:  1 running, 43 sleeping
 CPU:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
 Mem: 13M Active, 46M Inact, 15G Wired, 232K Cache, 1458M Buf, 8358M Free
 Swap: 1024M Total, 1024M Free
 
 Note the 8358M free report.
That's probably integer overflow, could you try specifying max
size as mount option. There was a series of integer overflows in tmpfs.
Used and available are 0 in df output. On my system I have:
% df
Filesystem SizeUsed   Avail Capacity  Mounted on
tmpfs  4.3G4.0K4.3G 0%/usr/obj/ports

Also note, that tmpfs does somewhat weired thing on constantly
recalculating available space based on free memory/swap (not sure if
specifying max size would fix it).

Did you try double copy elimination patch by k...@?
http://lists.freebsd.org/pipermail/freebsd-fs/2010-June/008786.html

It doesn't apply cleanly to current any more, but fixing it shouldn't be
hard. The patch wouldn't fix this particular issue but looks very
promising.

Thanks,
Gleb

 The server has ZFS and was doing IO intensive database work on it; the 8 
 GB free memory comes from PostgreSQL being restarted and freeing the 
 memory (but failing to start again...).
 
 Starting PostgreSQL gets me this message:
 Nov 22 00:18:24 biggie postgres[79696]: [1-1] FATAL:  could not write 
 lock file /tmp/.s.PGSQL.5432.lock: No space left on device
 
 This is 8-STABLE amd64.
 
 Running touch /tmp/abc works, and creates a file. Running echo abc  
 /tmp/abc doesn't return an error but *doesn't write anything to the 
 file*, just creates a directory entry.
 
 The status doesn't change over time, i.e. df on tmpfs always shows 0 
 free.
 
 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Fixing and importing the fusefs kernel module - any VFS-savvy takers?

[Gleb Kurtsou]

On (28/10/2010 13:49), Ivan Voras wrote:
 Hello,
 
 After a discussion in arch@, it looks like there are many developers
 interested in having fusefs in the tree but no VFS experts with the
 time to fix the remaining bugs and basically make it stable enough to
 commit to the base tree.
 
 Fusefs is the Linux-developed userland filesystem interface which is
 fairly popular in the wild, especially with the sshfs module which
 allows mounting of generic ssh/sftp directories in a very easy way.
 Among other filesystems developed for fuse there are some cluster file
 systems, some crypto file systems and helper file systems used by
 Gnome and such environments. The initial FreeBSD reimplementation of
 the kernel module (the userland utlities and libraries don't require
 complicated porting) was was developed in one of the very early Google
 Summer of Code projects (2005) and is now in a bit unusual situation:
 
 1) it *is* popular, as reports about its breakage arrive pretty soon
 after it breaks (i.e. due to mainline kernel changes)
 
 2) it is currently available as a port but it is practically
 unmaintained. The source code archive is from 2008 and the port
 contains a dozen patches to be applied to it to make it work on recent
 systems
 
 3) it is also not exactly rock stable, though this has improved with
 the above patches;
 
 Currently, with sshfs, it is good enough to:
 
 - survive blogbench runs
 - survive fsx runs with arguments -W -R -L, i.e. no mmaped
 operations, no file size altering / truncate operations
 
 There have been claims it also corrupts kernel memory.
 
 Basically, this is a call for help in working on fusefs. There are
 several developers and users willing to do testing and such but no
 available developers with their hands in the guts of VFS to squash the
 buried bugs. Fusefs might be especially relevant to desktop users and
 as such to PC-BSD developers, so I'm cc-ing Kris in case he has a
 comment.
 
 Is anyone interested?

Hi Ivan,

I didn't reply to thread on @current as it seemed to me that decision
was to keep it as it is until someone steps in to maintain it.

I'd agree that sshfs is most wanted feature, but fuse_sshfs
implementation is broken at best. It doesn't even have notion on inode
numbers. It returns all directory entries with d_file=0, the same way
st_ino=0. To make it actually work (dirent's with d_file=0 considered
empty placeholders by FreeBSD VFS and libc) librefuse fills it with
arbitrary numbers. To make long story short stuff like 'cd ..' works for
you only because your sh and/or filemanager keeps full path on its own.
Lots of other things using VOP_VPTOCNP are also broken. In this
particular case puffs_sshfs looks much more promising, although it's
explicitly marked as incomplete and buggy. The same applies to vast
majority of fuse filesystems. Ignoring it is probably the easiest way to
solve the problem, but I'd expect future userlevel filesystem
implementation to comply to our VFS.

Absence of mmap support is a real show stopper. It's also broken in
puffs, and doesn't pass fsx tests. (I've once started implementing it
but lost interest in userlevel filesystems after digging deeper into
it.) On the other hand adding it to fuse shouldn't be very hard, it's
just a question of free time.

To sum it up. My personal opinion is that we'd better go with
puffs-style approach. Implement userspace-kernel protocol that is as
much close to our VFS as possible, and implement proper wrapper like
librefuse (which is ok, but looks more like sketch than ready to use
library).  What I don't like about puffs is that is basically ignores
locking serializing request from kernel.

I'd suggest we ask a person with skills in network filesystems: locking,
caching and all related issues, and improve existing puffs
infrastructure accordingly (that includes inode numbers problem I've
mentioned before). NFS4 might have interesting ideas. Probably Rick
Macklem could express his opinion on this regard.

Besides as far as I know OpenAFS has user-kernel interface and
implements filesystem at userspace. Sun or Apple have reimplemented fuse
in their own, although initial version was based on FreeBSD fuse port.
It might be worth checking before moving any further with fuse.

 
 References:
 
 http://permalink.gmane.org/gmane.os.freebsd.architechture/13623
 http://fuse.sourceforge.net/
 http://fuse4bsd.creo.hu/
 http://www.freebsd.org/cgi/cvsweb.cgi/ports/sysutils/fusefs-kmod/
 http://old.nabble.com/forum/Search.jtp?forum=6572local=yquery=fusefs
 http://old.nabble.com/forum/Search.jtp?forum=6610local=yquery=fusefs
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: Fixing and importing the fusefs kernel module - any VFS-savvy takers?

[Gleb Kurtsou]

On (28/10/2010 22:24), Ivan Voras wrote:
 On 28 October 2010 16:15, Gleb Kurtsou gleb.kurt...@gmail.com wrote:
 
  I'd agree that sshfs is most wanted feature, but fuse_sshfs
  implementation is broken at best. It doesn't even have notion on inode
  numbers. It returns all directory entries with d_file=0, the same way
  st_ino=0. To make it actually work (dirent's with d_file=0 considered
  empty placeholders by FreeBSD VFS and libc) librefuse fills it with
  arbitrary numbers. To make long story short stuff like 'cd ..' works for
  you only because your sh and/or filemanager keeps full path on its own.
  Lots of other things using VOP_VPTOCNP are also broken. In this
  particular case puffs_sshfs looks much more promising, although it's
  explicitly marked as incomplete and buggy. The same applies to vast
  majority of fuse filesystems. Ignoring it is probably the easiest way to
  solve the problem, but I'd expect future userlevel filesystem
  implementation to comply to our VFS.
 
 For these fuse-sshfs problems, how many are the problem of sshfs (the
 userland code), the FUSE API (because it's designed for Linux) and the
 fuse4bsd kernel module (because it's unfinished and buggy)?
These are sshfs problems, and the real problem is that user level
filesystems are of much lower quality than kernel level. Writing good
filesystems in userspace shouldn't be much easier than writing kernel
one (not counting fancy language of choice and ntfs-3g-like use of
binary drivers). All the kernel restrictions and requirements are still
there nor puffs, nor fuse do black magic for you.

  Absence of mmap support is a real show stopper. It's also broken in
  puffs, and doesn't pass fsx tests. (I've once started implementing it
  but lost interest in userlevel filesystems after digging deeper into
  it.) On the other hand adding it to fuse shouldn't be very hard, it's
  just a question of free time.
 
  To sum it up. My personal opinion is that we'd better go with
  puffs-style approach. Implement userspace-kernel protocol that is as
  much close to our VFS as possible, and implement proper wrapper like
  librefuse (which is ok, but looks more like sketch than ready to use
  library).  What I don't like about puffs is that is basically ignores
  locking serializing request from kernel.
 
 I'm trying to avoid dispersal of effort. Basically, I won't be
 convinced to support puffs until someone who knows (possibly you if
 you are up to it) demonstrates that the refuse API is stable enough
 and practically 100% compatible with FUSE - 
No-no, I'm not convincing you to choose puffs. It's too immature. I just
like the approach.

 some of their file systems
 look fit for serious use and 99% isn't very much when talking about
 OS stability.
That's why I'm so sceptical about fuse, puffs, and entire concept in
general. Is fuse really that stable on linux? Do people use it on
production servers?

 On the other hand, if a developer suddenly appears and says I will
 make puffs+refuse work I will support him completely and I will stop
 crusading for fuse because having puffs is better than nothing. :)

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: pam_pefs setup (Re: RFC: pefs - stacked cryptographic filesystem)

[Gleb Kurtsou]

On (08/09/2010 11:25), Daniel O'Connor wrote:
 
 On 08/09/2010, at 3:22, Gleb Kurtsou wrote:
  Please note that your home directory has to be mounted, I mount it in
  /etc/rc.local, but don't add any keys. pam_pefs adds the key. Also note
  that it has to be exactly your home directory (/home/gleb in my case), to
  prevent possible attacks. And keychain database has to be created, so
  that pam_pefs knows how to verify the key.
 
 Have you considered something similar to pam_mount? 
 (http://pam-mount.sourceforge.net/)
 
 ie pam_pefs could mount your home directory itself and unmount it on logout.
I knew about pam_mount before starting pam_pefs and my intent was to
keep pam_pefs as simple as possible. Unlike some other stacked
cryptographic filesystems, pefs can be mounted in read-only mode without
providing a key.

pam_mount can be used together with pam_pefs to mount/unmount filesystem
on login/logout if needed. pam_mount is more generic then pam_pefs.

At the moment pam_pefs doesn't remove key on logout because it is a bit
tricky if there are several keys installed. I'm also against the idea of
keeping keys installed by current session during the session to remove
them on logout. Key chains for different sessions may overlap. I'd
suggest to use pam_mount to unmount filesystem on logout in such
scenario. 

Thanks,
Gleb.

 --
 Daniel O'Connor software and network engineer
 for Genesis Software - http://www.gsoft.com.au
 The nice thing about standards is that there
 are so many of them to choose from.
   -- Andrew Tanenbaum
 GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: RFC: pefs - stacked cryptographic filesystem

[Gleb Kurtsou]

On (07/09/2010 14:28), Robert Watson wrote:
 On Mon, 6 Sep 2010, Gleb Kurtsou wrote:
 
  I would like to ask for feedback on a kernel level stacked cryptographic 
  filesystem. It has started as Summer Of Code'2009 project and matured a lot 
  since then. I've recently added support for sparse files and switched to 
  XTS 
  encryption mode.
 
  I've been using it to encrypt my home directory for almost a year already, 
  and use fsx, dbench and blogbench for testing. So it should be fairly 
  stable.
 
  Tested on top of ZFS, UFS and tmpfs on amd64 and i386; both 9-CURRENT and 
  8-STABLE supported.
 
  Please email me separately if you're willing to help testing on big endian 
  machine, XTS code doesn't look endian correct.
 
  At this point all of the project goals complete and I'd like it to get 
  wider 
  coverage in terms of tests and reviews and hope to see it commited to HEAD 
  soon.
 
 Hi Gleb:
 
 This sounds like really exciting work!  Do you have much in the way of formal 
 documentation of your crypto design at this point?  I'd like to point some of 
 the local crypto gurus at Cambridge at it to do some analysis of your 
 approach.  However, as they rightly point out, reverse engineering crypto 
 from 
 code is rather a high barrier of entry for a crypto review, so detailed 
 documentation of the approach and a formal format description would be much 
 prefered :-).

Hello Robert,

I've updated my older blog post on pefs crypto design, it's not formal
but hope it helps. If there is anything else you might need, I'd be
happy to help:

http://glebkurtsou.blogspot.com/2009/09/pefs-crypto-primitives.html

Thanks,
Gleb

 
 Thanks,
 
 Robert
 
 
 
 
  Installation instructions:
 
  1a. Clone git repository:
  # git clone git://github.com/glk/pefs.git pefs
  # cd pefs
 
  1b. Or download latest snapshot from github:
  http://github.com/glk/pefs/archives/master
 
  2. Build and install:
  # make obj all
  # make install
 
  3. Mount pefs filesystem:
  # pefs mount ~/Private ~/Private
 
  4. Enter passphrase:
  # pefs addkey ~/Private
 
  5. Test it and report back. There is also a man page available.
 
  6. Example how to save your key in keychain database.
 
  pefs has to be mounted and key specified to make fs writable, create
  keychain with single entry (keychain -Z option):
  # pefs addchain -Z ~/Private
  Don't encrypt .pefs.db:
  # mv ~/Private/.pefs.db /tmp
  # umount ~/Private
  # mv /tmp/.pefs.db ~/Private
  # pefs mount ~/Private ~/Private
  Use -c option to verify key is in database
  # pefs addkey -c ~/Private
 
  7. You can setup pam_pefs (not compiled by default) to add key to home
  directory and authenticate against keychain database on login, e.g. by
  adding the following line to /etc/pam.d/system before pam_unix.so:
 
  authsufficient  pam_pefs.so try_first_pass
 
 
  The following is a list of its most important features:
 
  *   Kernel level file system, no user level daemons needed.
 Transparently runs on top of existing file systems.
  *   Random per file tweak value used for encryption, which guaranties
 different cipher texts for the same encrypted files.
  *   Saves metadata only in encrypted file name, but not in file itself.
  *   Supports arbitrary number of keys per file system, default directory
 key, mixing files encrypted with different keys in same directory.
  *   Allows defining key chains, can be used to add/delete several keys
 by specifying only master key.
  *   Uses modern cryptographic algorithms: AES and Camellia in XTS mode,
 PKCS#5v2 and HKDF for key generation.
 
 
  Github repository: http://github.com/glk/pefs
 
  More details on my blog: http://glebkurtsou.blogspot.com/search/label/pefs
 
  Thanks,
  Gleb.
 
  ___
  freebsd-current@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-current
  To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
 
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

pam_pefs setup (Re: RFC: pefs - stacked cryptographic filesystem)

[Gleb Kurtsou]

On (07/09/2010 16:32), Thomas Vogt wrote:
[...]
 
 I've an issue with pam_pefs:
 
 === lib/libpam/modules/pam_pefs (install)
 install -C -o root -g wheel -m 444   libpam_pefs.a /usr/lib
 install -C -o root -g wheel -m 444   libpam_pefs_p.a /usr/lib
 install -o root -g wheel -m 444 pam_pefs.8.gz  /usr/share/man/man8
 
 I do not see any pam_pefs.so which makes login not possible if
 pam.d/system is modified as mentioned in your description:
 
 auth  sufficient  pam_pefs.so try_first_pass
Sorry, I don't quite understand you here. Don't hesitate contacting me
again if didn't understand you correctly.

I've also missed one more line, which actually adds the key:
session optionalpam_pefs.so

Setup I've posted makes possible to login using pefs key or standard
pam_unix.so password. Here is my /etc/pam.d/system file:

# auth
authsufficient  pam_opie.so no_warn no_fake_prompts
authrequisite   pam_opieaccess.so   no_warn allow_local
authsufficient  pam_pefs.so try_first_pass
authrequiredpam_unix.so no_warn try_first_pass 
nullok

# account
account requiredpam_login_access.so
account requiredpam_unix.so

# session
session optionalpam_pefs.so
session requiredpam_lastlog.so  no_fail

# password
passwordrequiredpam_unix.so no_warn try_first_pass


I have stronger password for pefs, while traditional password is
weaker and easier to type. I use pefs password to login only the first
time and add key my home directory.

Please note that your home directory has to be mounted, I mount it in
/etc/rc.local, but don't add any keys. pam_pefs adds the key. Also note
that it has to be exactly your home directory (/home/gleb in my case), to
prevent possible attacks. And keychain database has to be created, so
that pam_pefs knows how to verify the key.

Details on how to create it available in my original email. That's
rather inconvenient procedure, but you need to do it just once, it's so
complicated because pefs is read-only if no key specified, but database
should not be encrypted to make it accessible by pam_pefs:
 3. Mount pefs filesystem:
 # pefs mount /home/ME /home/ME

 4. Enter passphrase:
 # pefs addkey /home/ME

 # pefs addchain -Z /home/ME
 Don't encrypt .pefs.db:
 # mv ~/Private/.pefs.db /tmp
 # umount ~/Private
 # mv /tmp/.pefs.db /home/ME
 # pefs mount /home/ME /home/ME
 Use -c option to verify key is in database
 # pefs addkey -c /home/ME

I'll try to make it easier, I didn't actually expect anyone to try it,
and just mentioned it without providing instructions not to write long
setup procedure.

You can also try adding debug option to pam_pefs.so config if something
goes wrong.

I don't remember details but pefs/Makefile contains the following
comment by me:
# Should be built from sources tree
# SUBDIR+= lib/libpam/modules/pam_pefs

But if you are able to build it, it should be fine.

Thanks,
Gleb.

 
 Regards,
 Thomas
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: RFC: pefs - stacked cryptographic filesystem

[Gleb Kurtsou]

Thanks to Peter Holm and Thomas Vogt for finding several bugs:
* Compilation with DIAGNOSTIC option
* Vnode reference and lock leak in pefs_rename()

I've uploaded new version to test:
http://github.com/downloads/glk/pefs/pefs-2010-09-07.tar.gz

Github repository is also updated.

Also note, that if you have extra debugging options like DEBUG_LOCKS in
your kernel config pefs module has to be build with same options.
I set KERNBUILDDIR to my kernel build directory to make it work:
# uname -v
FreeBSD 9.0-CURRENT #25 r212049+d758796: Tue Aug 31 22:09:45 EEST 2010 
r...@tops:/usr/obj/freebsd-src/local/sys/TOPS
# export KERNBUILDDIR=/usr/obj/freebsd-src/local/sys/TOPS
# cd pefs/sys/modules/pefs
# make clean
# make  make install

Thanks,
Gleb.

On (06/09/2010 21:38), Gleb Kurtsou wrote:
 Hello,
 
 I would like to ask for feedback on a kernel level stacked cryptographic
 filesystem. It has started as Summer Of Code'2009 project and matured a
 lot since then. I've recently added support for sparse files and
 switched to XTS encryption mode.
 
 I've been using it to encrypt my home directory for almost a year
 already, and use fsx, dbench and blogbench for testing. So it should be
 fairly stable.
 
 Tested on top of ZFS, UFS and tmpfs on amd64 and i386; both 9-CURRENT
 and 8-STABLE supported.
 
 Please email me separately if you're willing to help testing on big
 endian machine, XTS code doesn't look endian correct.
 
 At this point all of the project goals complete and I'd like it to get
 wider coverage in terms of tests and reviews and hope to see it commited
 to HEAD soon.
 
 
 Installation instructions:
 
 1a. Clone git repository:
 # git clone git://github.com/glk/pefs.git pefs
 # cd pefs
 
 1b. Or download latest snapshot from github:
 http://github.com/glk/pefs/archives/master
 
 2. Build and install:
 # make obj all
 # make install
 
 3. Mount pefs filesystem:
 # pefs mount ~/Private ~/Private
 
 4. Enter passphrase:
 # pefs addkey ~/Private
 
 5. Test it and report back. There is also a man page available.
 
 6. Example how to save your key in keychain database.
 
 pefs has to be mounted and key specified to make fs writable, create
 keychain with single entry (keychain -Z option):
 # pefs addchain -Z ~/Private
 Don't encrypt .pefs.db:
 # mv ~/Private/.pefs.db /tmp
 # umount ~/Private
 # mv /tmp/.pefs.db ~/Private
 # pefs mount ~/Private ~/Private
 Use -c option to verify key is in database
 # pefs addkey -c ~/Private
 
 7. You can setup pam_pefs (not compiled by default) to add key to home
 directory and authenticate against keychain database on login, e.g. by
 adding the following line to /etc/pam.d/system before pam_unix.so:
 
 auth  sufficient  pam_pefs.so try_first_pass
 
 
 The following is a list of its most important features:
 
 *   Kernel level file system, no user level daemons needed.
 Transparently runs on top of existing file systems.
 *   Random per file tweak value used for encryption, which guaranties
 different cipher texts for the same encrypted files.
 *   Saves metadata only in encrypted file name, but not in file itself.
 *   Supports arbitrary number of keys per file system, default directory
 key, mixing files encrypted with different keys in same directory.
 *   Allows defining key chains, can be used to add/delete several keys
 by specifying only master key.
 *   Uses modern cryptographic algorithms: AES and Camellia in XTS mode,
 PKCS#5v2 and HKDF for key generation.
 
 
 Github repository: http://github.com/glk/pefs
 
 More details on my blog: http://glebkurtsou.blogspot.com/search/label/pefs
 
 Thanks,
 Gleb.
 
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: RFC: pefs - stacked cryptographic filesystem

[Gleb Kurtsou]

On (07/09/2010 10:57), Kevin Oberman wrote:
 On Mon, 6 Sep 2010, Gleb Kurtsou wrote:
 
  I would like to ask for feedback on a kernel level stacked cryptographic 
  filesystem. It has started as Summer Of Code'2009 project and matured a lot 
  since then. I've recently added support for sparse files and switched to 
  XTS 
  encryption mode.
 
  I've been using it to encrypt my home directory for almost a year already, 
  and use fsx, dbench and blogbench for testing. So it should be fairly 
  stable.
 
  Tested on top of ZFS, UFS and tmpfs on amd64 and i386; both 9-CURRENT and 
  8-STABLE supported.
 
  Please email me separately if you're willing to help testing on big endian 
  machine, XTS code doesn't look endian correct.
 
  At this point all of the project goals complete and I'd like it to get 
  wider 
  coverage in terms of tests and reviews and hope to see it commited to HEAD 
  soon.
 
 I've got to ask a probably dumb question...how is this better then geli
 encrypted objects? I've used them for sometime with excellent results.
 
 Or does it provide functionality that geli does not?

If geli works for you I'd suggest you continue using geli, geli design
is order of magnitude simpler due to being block device but not a
filesystem. Besides geli provides data authentication, which is very
important, and something that can't be easily implemented in stacked
filesystem.

Pros of stacked filesystem approach:
* You don't have to create separate filesystem (use separate partition),
  just encrypt part of existing filesystem
* It's easier to create/manage snapshots/backups (imho)
* Ability to use multiple keys, each directory can have its own key,
  files with different keys can be mixed in one directory, etc. You
  don't have to create another filesystem and claim that you don't know
  password for this one if you're asked to provide it, in case you have
  something to hide ;)

Cons:
* pefs maximum file name length is ~180 bytes, but not 255
* Stacked filesystem is likely to be slower due to extra overhead

I don't really know what makes one better then other, it has only on
thing in common - encryption - everything else is different. It depends
on how you intend to use it.

I was using geli myself, the only problem I had was that at some point I
realized that initial partition size was too small :) But that more or
less applies to both approaches.

E.g. non-standard example where stacked filesystem may be preferred is
to use it for encrypted crash dumps: if dump available on dumpdev
mount /var/crash as pefs; ask user for password, or automatically add
random one and let user to save it later after boot. Crash dumps are
encrypted without extra cost of setting up partition, geli, etc.

Thanks,
Gleb.

 -- 
 R. Kevin Oberman, Network Engineer
 Energy Sciences Network (ESnet)
 Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
 E-mail: ober...@es.netPhone: +1 510 486-8634
 Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: RFC: pefs - stacked cryptographic filesystem

[Gleb Kurtsou]

On (07/09/2010 17:04), Ivan Voras wrote:
 On 09/06/10 20:38, Gleb Kurtsou wrote:
 
  Tested on top of ZFS, UFS and tmpfs on amd64 and i386; both 9-CURRENT
  and 8-STABLE supported.
 
 You probably didn't test it, but I've tried pefs on top of ext2fs (I use 
 ext2fs to share data between OSes) and it quickly panicked.
I've tried it once, it paniced. msdosfs is known to work, but I'd say it
shouldn't :)

I'll look at it tomorrow, thanks for pointing it.

If you are going to use it note that lower filesystem should be case
sensitive, the same applies to ZFS.

Thanks,
Gleb.

 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: RFC: pefs - stacked cryptographic filesystem

[Gleb Kurtsou]

On (07/09/2010 16:27), Ivan Voras wrote:
 On 09/06/10 20:38, Gleb Kurtsou wrote:
  Hello,
 
  I would like to ask for feedback on a kernel level stacked cryptographic
  filesystem. It has started as Summer Of Code'2009 project and matured a
  lot since then. I've recently added support for sparse files and
  switched to XTS encryption mode.
 
 I've tried it and so far it works :)
 
  3. Mount pefs filesystem:
  # pefs mount ~/Private ~/Private
 
 I see you've used the same example in the man page. Maybe it would be 
 better for educational purposes to use two separate directories, e.g. 
 ~/Private and ~/Decrypted to avoid confusion by new users (of course not 
 all examples need to use this).
Actually I've used the same directory solely for educational purposes --
there is just one directory, it's either encrypted or not.

Users should think of it as of nullfs on steroids, but that doesn't
sound acceptable for man page. Seriously, any help on documentation is
more than welcome. I'm not good at writing it, and there is too much to
document. We could discuss all the details privately to write a
decent man page, if you have time to help.

  6. Example how to save your key in keychain database.
 
 This is probably in line with what rwatson said (and would be covered by 
 the same document): can you describe what keychains actually do?
Yes. I was thinking about 6 and 7 as of feature list, so no
documentation or instructions. Keychains are mentioned in man page, but
once again documentation is far from being good. Help wanted.

Most important fact is that keychains have nothing to do with
filesystem, it's solely userspace utility concept. Chain is a series of
keys (keychain db entries). Each db entry consists of two keys: parent
key and child key. Child key may be zero, i.e. end of chain marker,
(created by addchain -Z).

Keychain database itself is a dictionary of the following form:
db[parent_key] = child_key

Consider the following database:
db[k0] = 0 (zero child key)
db[k1] = k2
db[k2] = k3
db[k3] = 0

k0 is special. Its child key is zero (end of chain). Chain would consist
only of one key: k0

If user enters k1, the following chain can be retrieved from the
database: k1 k2 k3. All three keys are then added to filesystem.

In case of k2 chain is k2 k3.

All entries stored encrypted in a way that child entry can be decrypted
only by parent key.

Using key chains one can emulate access levels.

(Don't miss 'pefs randomchain' command which was invented especially to
make some fun for those trying to look at your data)

  7. You can setup pam_pefs (not compiled by default) to add key to home
  directory and authenticate against keychain database on login, e.g. by
  adding the following line to /etc/pam.d/system before pam_unix.so:
 
  authsufficient  pam_pefs.so try_first_pass
 
 So, this would bypass passwd and let the user in if his password 
 authenticates against the keychain database in his home directory? 
Exactly, that's the way I use it. More detailed description available
here: http://marc.info/?l=freebsd-currentm=128388197901390w=2

 Will it automagically pefs-mount his home directory?
No, not mounting pefs is intentional. It automagically adds keys to
already mounted pefs filesystem.

 
  *   Uses modern cryptographic algorithms: AES and Camellia in XTS mode,
   PKCS#5v2 and HKDF for key generation.
 
 I do have an request: since you are already using kernel crypto support, 
 it would be simple to just throw Blowfish in :) If for nothing else, 
 consider it a gift to those who are fond of Blowfish's large key sizes 
 (upto 448 bits).
XTS requires 128 bit block cipher. One can use Blowfish to encrypt two
64 bit subblocks, but one would need to mix these blocks somehow, that
what XTS does :) A bit tricky to implement.

Adding serpent or twofish should be easy.

 Actually, it would probably be seen as a reflection of consistency to 
 implement the same algorithms that geli(8) implements. geli doesn't 
 implement XTS yet - if your XTS code proves to be stable it would be a 
 good thing to include it as standard and then use it from geli.
The problem is 128 bit block in XTS, in my opinion hacking XTS to add
support for algorithms with other block sizes is a very bad idea. There
are more than enough modern algorithms that can be used instead.

Not sure how far reflection of consistency extends but pefs is very
likely not to support modes other then XTS, because for now it's the
only widespread standard mode of operation with arbitrary sector size
and arbitrary offset encryption.

 I see you've copied SHA2 code to the pefs code. What is wrong with just 
 using the kernel's SHA2 implementation?
That was accidental, or there was a reason I've already forgotten about.
Anyway it's just a copy from kernel, my intention was to make it easier
to test by users.

There's hmac which is one-to-one copy from geli. I've extracted it
because now both geli and pefs use same code.

Thanks,
Gleb

RFC: pefs - stacked cryptographic filesystem

[Gleb Kurtsou]

Hello,

I would like to ask for feedback on a kernel level stacked cryptographic
filesystem. It has started as Summer Of Code'2009 project and matured a
lot since then. I've recently added support for sparse files and
switched to XTS encryption mode.

I've been using it to encrypt my home directory for almost a year
already, and use fsx, dbench and blogbench for testing. So it should be
fairly stable.

Tested on top of ZFS, UFS and tmpfs on amd64 and i386; both 9-CURRENT
and 8-STABLE supported.

Please email me separately if you're willing to help testing on big
endian machine, XTS code doesn't look endian correct.

At this point all of the project goals complete and I'd like it to get
wider coverage in terms of tests and reviews and hope to see it commited
to HEAD soon.


Installation instructions:

1a. Clone git repository:
# git clone git://github.com/glk/pefs.git pefs
# cd pefs

1b. Or download latest snapshot from github:
http://github.com/glk/pefs/archives/master

2. Build and install:
# make obj all
# make install

3. Mount pefs filesystem:
# pefs mount ~/Private ~/Private

4. Enter passphrase:
# pefs addkey ~/Private

5. Test it and report back. There is also a man page available.

6. Example how to save your key in keychain database.

pefs has to be mounted and key specified to make fs writable, create
keychain with single entry (keychain -Z option):
# pefs addchain -Z ~/Private
Don't encrypt .pefs.db:
# mv ~/Private/.pefs.db /tmp
# umount ~/Private
# mv /tmp/.pefs.db ~/Private
# pefs mount ~/Private ~/Private
Use -c option to verify key is in database
# pefs addkey -c ~/Private

7. You can setup pam_pefs (not compiled by default) to add key to home
directory and authenticate against keychain database on login, e.g. by
adding the following line to /etc/pam.d/system before pam_unix.so:

authsufficient  pam_pefs.so try_first_pass


The following is a list of its most important features:

*   Kernel level file system, no user level daemons needed.
Transparently runs on top of existing file systems.
*   Random per file tweak value used for encryption, which guaranties
different cipher texts for the same encrypted files.
*   Saves metadata only in encrypted file name, but not in file itself.
*   Supports arbitrary number of keys per file system, default directory
key, mixing files encrypted with different keys in same directory.
*   Allows defining key chains, can be used to add/delete several keys
by specifying only master key.
*   Uses modern cryptographic algorithms: AES and Camellia in XTS mode,
PKCS#5v2 and HKDF for key generation.


Github repository: http://github.com/glk/pefs

More details on my blog: http://glebkurtsou.blogspot.com/search/label/pefs

Thanks,
Gleb.

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: RFC: pefs - stacked cryptographic filesystem

[Gleb Kurtsou]

Sorry for replying to myself, I've realized I put wrong download link:
http://github.com/downloads/glk/pefs/pefs-2010-09-06.tar.gz

On (06/09/2010 21:38), Gleb Kurtsou wrote:
 Hello,
 
 I would like to ask for feedback on a kernel level stacked cryptographic
 filesystem. It has started as Summer Of Code'2009 project and matured a
 lot since then. I've recently added support for sparse files and
 switched to XTS encryption mode.
 
 I've been using it to encrypt my home directory for almost a year
 already, and use fsx, dbench and blogbench for testing. So it should be
 fairly stable.
 
 Tested on top of ZFS, UFS and tmpfs on amd64 and i386; both 9-CURRENT
 and 8-STABLE supported.
 
 Please email me separately if you're willing to help testing on big
 endian machine, XTS code doesn't look endian correct.
 
 At this point all of the project goals complete and I'd like it to get
 wider coverage in terms of tests and reviews and hope to see it commited
 to HEAD soon.
 
 
 Installation instructions:
 
 1a. Clone git repository:
 # git clone git://github.com/glk/pefs.git pefs
 # cd pefs
 
 1b. Or download latest snapshot from github:
 http://github.com/glk/pefs/archives/master

Or use direct download link:
http://github.com/downloads/glk/pefs/pefs-2010-09-06.tar.gz

 
 2. Build and install:
 # make obj all
 # make install
 
 3. Mount pefs filesystem:
 # pefs mount ~/Private ~/Private
 
 4. Enter passphrase:
 # pefs addkey ~/Private
 
 5. Test it and report back. There is also a man page available.
 
 6. Example how to save your key in keychain database.
 
 pefs has to be mounted and key specified to make fs writable, create
 keychain with single entry (keychain -Z option):
 # pefs addchain -Z ~/Private
 Don't encrypt .pefs.db:
 # mv ~/Private/.pefs.db /tmp
 # umount ~/Private
 # mv /tmp/.pefs.db ~/Private
 # pefs mount ~/Private ~/Private
 Use -c option to verify key is in database
 # pefs addkey -c ~/Private
 
 7. You can setup pam_pefs (not compiled by default) to add key to home
 directory and authenticate against keychain database on login, e.g. by
 adding the following line to /etc/pam.d/system before pam_unix.so:
 
 auth  sufficient  pam_pefs.so try_first_pass
 
 
 The following is a list of its most important features:
 
 *   Kernel level file system, no user level daemons needed.
 Transparently runs on top of existing file systems.
 *   Random per file tweak value used for encryption, which guaranties
 different cipher texts for the same encrypted files.
 *   Saves metadata only in encrypted file name, but not in file itself.
 *   Supports arbitrary number of keys per file system, default directory
 key, mixing files encrypted with different keys in same directory.
 *   Allows defining key chains, can be used to add/delete several keys
 by specifying only master key.
 *   Uses modern cryptographic algorithms: AES and Camellia in XTS mode,
 PKCS#5v2 and HKDF for key generation.
 
 
 Github repository: http://github.com/glk/pefs
 
 More details on my blog: http://glebkurtsou.blogspot.com/search/label/pefs
 
 Thanks,
 Gleb.
 
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Re: [CFT] BSDL iconv in base system

[Gleb Kurtsou]

On (15/06/2010 02:13), Gabor Kovesdan wrote:
 Hello Folks,
 
 during the last summer, Google generously founded my Summer of Code 
 project, which was providing a BSD-licensed iconv implementation for 
 FreeBSD. I'm proud to announce that the work has been completed and a 
 patch is available to add it to the base system.
 
 The results of this work are:
 - The Citrus implementation has been ported from NetBSD.
 - Some utilities have been added. There is a conversion table generator, 
 which can compare conversion tables to reference data generated by GNU 
 libiconv. This helps ensuring conversion compatibility.
 - UTF-16 surrogate support and some endianness issues have been fixed.
 - The rather chaotic Makefiles to build metadata have been refactored 
 and cleaned up, now it is easy to read and it is also easier to add 
 support for new encodings.
 - A bunch of new encodings and encoding aliases have been added.
 - Support for 1-2, 1-3 and 1-4 mappings, which is needed for 
 transliterating with flying accents as GNU does, like u.
 - Lots of warnings have been fixed, the major part of the code is now 
 WARNS=6 clean.
 - New section 1 and section 5 manual pages have been added.
 - Some GNU-specific calls have been implemented: iconvlist(), 
 iconvctl(), iconv_canonicalize(), iconv_open_into()
 - Support for GNU's //IGNORE suffix has been added.
 - The - argument for stdin is now recognized in iconv(1) as per POSIX.
 - The Big5 conversion module has been fixed.
 - The iconv.h header files is supposed to be compatible with the GNU 
 version, i.e. sources should build with base iconv.h and GNU libiconv. 
 I've just did a very quick test and it seems ports can safely link to 
 GNU libiconv, there's no conflict.
 - Various cleanups and style(9) fixes.
 - A bachelor thesis written in Hungarian language: 
 http://www.kovesdan.org/files/bsc_iconv.pdf
 
 The rather big patch (42,5M) is available here: 
 http://www.kovesdan.org/patches/iconv_base_integrate.diff
 
 Any comments, suggestions or bugreports are very welcome.

Awesome! Thanks for working on it.

Are there any plans to resurrect/finish multibyte collation support
GSoC'2008 project:
http://wiki.freebsd.org/KonradJankowski/Collation

And are you aware of any plans on adding utf8-aware regex? I think
NetBSD has already imported one:
http://blog.netbsd.org/tnf/entry/efficient_wide_character_regular_expressions

Thanks,
Gleb.

 -- 
 Gabor Kovesdan
 FreeBSD Volunteer
 
 EMAIL:ga...@freebsd.org  .:|:.ga...@kovesdan.org
 WEB:http://people.FreeBSD.org/~gabor  .:|:.http://kovesdan.org
 
 ___
 freebsd-current@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org