Re: [gentoo-user] tmpfs filling up with nothing
On Mon, 13 Nov 2023 15:09:45 +0200, Mart Raudsepp wrote:

> On Wed, 2023-11-08 at 19:08 +, Neil Bothwick wrote:
> > On Wed, 8 Nov 2023 16:17:19 +0200, Alan McKinnon wrote:
> >
> > > On Wed, Nov 8, 2023 at 4:10 PM Neil Bothwick wrote:
> > >
> > > > I have PORTAGE_TMPDIR on /tmp, which is a 24GB tmpfs. Last night, an
> > > > update failed with an out of space error. df showed only 440MB free
> > > > but du and ncdu both showed well under 1GB in use (including hidden
> > > > files). This has happened on the odd occasion in the past and the
> > > > only solution appears to be to reboot. Of course, that means I cannot
> > > > provide any more information until it happens again.
> > > >
> > > > Has anyone else experienced this or, hopefully, resolved it without
> > > > rebooting?
> > >
> > > Hey Neil,
> > >
> > > Yeah, had this a few times. Always turns out to be deleted files that
> > > something still has a handle on.
> >
> > Hah! I never thought of that one. I'll try that next time it happens.
>
> Another common case is that it runs out of inodes, not space,
> especially if df actually says there is free space. Check
> df -i /tmp

It was not inodes, df was showing close to 100% full. The problem was as
Alan suggested, deleted files still locked.

--
Neil Bothwick

Dolly Parton-- silicone based life
Re: [gentoo-user] hardened vs desktop
On Monday, 13 November 2023, 17:43:01 CET, ralfconn wrote:

> [...] I suppose the added benefit of this new
> profile is that it will inherit the changes eventually done to the
> parent profiles by the gentoo developers, correct?

YES!

You surely know that some USE flags can also be set for individual packages
(and not globally; e.g. for some time this was true for the USE flag
"wayland"). You will get all these now automatically with your combined
profile.

Peter
Re: [gentoo-user] hardened vs desktop
On 13/11/23 14:22, Peter Böhm wrote:
> On Monday, 13 November 2023, 11:19:26 CET, ralfconn wrote:
> > Hello,
> >
> > I've been running the desktop profile for years. Now I'm thinking to
> > switch to the hardened. Since there is no 'hardened desktop' profile,
> > the hint I found online is to note the current desktop USEs, switch to
> > hardened and add the USEs not found there, but I wonder if it is really
> > the best option. Comparing the two profiles, hardened seems a sub-set of
> > desktop with the addition of:
> >
> > cet
> > hardened
> > pie
> > ssp
> > xtpax
> >
> > It seems to me easier to add these to the desktop rather than the other
> > way round. Any gotchas I am missing?
>
> Yes, you are missing that the best solution is: Make a new profile which
> contains both profiles. See more here:
>
> https://forums.gentoo.org/viewtopic-p-8694188.html#8694188
>
> (And you have to start with a hardened stage3)

Looks like a good alternative, thanks. Following the post I created the
local profile 'hardened-desktop' and confirmed the USEs are the combination
of the two profiles. I suppose the added benefit of this new profile is that
it will inherit the changes eventually done to the parent profiles by the
gentoo developers, correct?

> P.S.: Maybe read also the first note from this article:
>
> https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP

Thanks, this requires a bit more study on my side which I'll certainly do as
a second step. BTW, hardened-sources is no longer available so KSPP might be
the only option.

raffaele
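What the combined profile actually does, as an added example that is not from the thread or the linked forum post: a small shell script that walks a profile's `parent` files the way Portage stacks them and applies each make.defaults `USE="..."` line incrementally, run on a constructed toy tree (the flag sets are deliberately tiny and only stand in for the real hardened and desktop profiles). Function names and the toy tree are my own.

```shell
#!/bin/sh
# make_demo_tree DIR: write a constructed, much simplified profile tree
# (not the real Gentoo tree) with the flag sets discussed in the thread.
make_demo_tree() {
  mkdir -p "$1/base" "$1/desktop" "$1/hardened" "$1/hardened-desktop"
  printf 'USE="acl pam ssl"\n' > "$1/base/make.defaults"
  printf '../base\n' > "$1/desktop/parent"
  printf 'USE="X alsa dbus gtk wayland"\n' > "$1/desktop/make.defaults"
  printf '../base\n' > "$1/hardened/parent"
  printf 'USE="cet hardened pie ssp xtpax"\n' > "$1/hardened/make.defaults"
  # the local combined profile: no make.defaults of its own, two parents
  printf '../hardened\n../desktop\n' > "$1/hardened-desktop/parent"
}

# profile_chain DIR: print the profiles in the order they are stacked:
# every entry of the parent file, depth first, then DIR itself.
profile_chain() {
  if [ -f "$1/parent" ]; then
    while read -r p; do
      [ -n "$p" ] && profile_chain "$1/$p"
    done < "$1/parent"
  fi
  printf '%s\n' "$1"
}

# profile_use DIR: effective USE of a profile. Each make.defaults USE="..."
# is applied incrementally; "-flag" removes a flag set by an earlier
# profile, so the order of the parents matters when parents disagree.
profile_use() {
  use=" "
  for d in $(profile_chain "$1"); do
    [ -f "$d/make.defaults" ] || continue
    for f in $(sed -n 's/^USE="\([^"]*\)".*/\1/p' "$d/make.defaults"); do
      case $f in
        -*) use=$(printf '%s' "$use" | sed "s| ${f#-} | |g") ;;
        *)  case $use in *" $f "*) ;; *) use="$use$f " ;; esac ;;
      esac
    done
  done
  printf '%s\n' $use | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: build the toy tree, compare hardened with the combined profile.
tree=$(mktemp -d)
make_demo_tree "$tree"
printf 'hardened:         %s\n' "$(profile_use "$tree/hardened")"
printf 'hardened-desktop: %s\n' "$(profile_use "$tree/hardened-desktop")"
rm -rf "$tree"
```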
Re: [gentoo-user] tmpfs filling up with nothing
On Mon, Nov 13, 2023 at 3:09 PM Mart Raudsepp wrote:

> On Wed, 2023-11-08 at 19:08 +, Neil Bothwick wrote:
> > On Wed, 8 Nov 2023 16:17:19 +0200, Alan McKinnon wrote:
> >
> > > On Wed, Nov 8, 2023 at 4:10 PM Neil Bothwick wrote:
> > >
> > > > I have PORTAGE_TMPDIR on /tmp, which is a 24GB tmpfs. Last night, an
> > > > update failed with an out of space error. df showed only 440MB free
> > > > but du and ncdu both showed well under 1GB in use (including hidden
> > > > files). This has happened on the odd occasion in the past and the
> > > > only solution appears to be to reboot. Of course, that means I cannot
> > > > provide any more information until it happens again.
> > > >
> > > > Has anyone else experienced this or, hopefully, resolved it without
> > > > rebooting?
> > >
> > > Hey Neil,
> > >
> > > Yeah, had this a few times. Always turns out to be deleted files that
> > > something still has a handle on.
> >
> > Hah! I never thought of that one. I'll try that next time it happens.
>
> Another common case is that it runs out of inodes, not space,
> especially if df actually says there is free space. Check
> df -i /tmp
> instead then - it might tell IFree is 0 and IUsed and Inodes are the
> same non-0 value.
>

Interesting side note: I used to worry about free inodes a lot, but stopped
when I realised I had only ever run into the problem once: some damn fool had
created an account on the company FTP server for CDRs to be uploaded that got
crunched and sent somewhere in the bowels of the billing dept. The same damn
fool neglected to write any kind of cleanup code, and when the sender started
having difficulties I had myself a look. That upload/ dir had 1.5 million
files in it and yet the server was working fine, except if you tried to ls or
do anything that needed to read the dir. Deleting that lot took IIRC 6 or 8
hours!

I suppose this and things like it are why the big players are now making XFS
the default fs on install. Even a mid-sized machine these days can max out
ext4

--
Alan McKinnon
alan dot mckinnon at gmail dot com
Re: [gentoo-user] hardened vs desktop
On Monday, 13 November 2023, 11:19:26 CET, ralfconn wrote:

> Hello,
>
> I've been running the desktop profile for years. Now I'm thinking to
> switch to the hardened. Since there is no 'hardened desktop' profile,
> the hint I found online is to note the current desktop USEs, switch to
> hardened and add the USEs not found there, but I wonder if it is really
> the best option. Comparing the two profiles, hardened seems a sub-set of
> desktop with the addition of:
>
> cet
> hardened
> pie
> ssp
> xtpax
>
> It seems to me easier to add these to the desktop rather than the other
> way round. Any gotchas I am missing?

Yes, you are missing that the best solution is: Make a new profile which
contains both profiles. See more here:

https://forums.gentoo.org/viewtopic-p-8694188.html#8694188

(And you have to start with a hardened stage3)

Many greetings,
Peter

P.S.: Maybe read also the first note from this article:

https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP
Re: [gentoo-user] tmpfs filling up with nothing
On Wed, 2023-11-08 at 19:08 +, Neil Bothwick wrote:
> On Wed, 8 Nov 2023 16:17:19 +0200, Alan McKinnon wrote:
>
> > On Wed, Nov 8, 2023 at 4:10 PM Neil Bothwick wrote:
> >
> > > I have PORTAGE_TMPDIR on /tmp, which is a 24GB tmpfs. Last night, an
> > > update failed with an out of space error. df showed only 440MB free
> > > but du and ncdu both showed well under 1GB in use (including hidden
> > > files). This has happened on the odd occasion in the past and the
> > > only solution appears to be to reboot. Of course, that means I cannot
> > > provide any more information until it happens again.
> > >
> > > Has anyone else experienced this or, hopefully, resolved it without
> > > rebooting?
> >
> > Hey Neil,
> >
> > Yeah, had this a few times. Always turns out to be deleted files that
> > something still has a handle on.
>
> Hah! I never thought of that one. I'll try that next time it happens.

Another common case is that it runs out of inodes, not space, especially if
df actually says there is free space. Check

  df -i /tmp

instead then - it might tell IFree is 0 and IUsed and Inodes are the same
non-0 value.

The option for this is:

  nr_inodes: The maximum number of inodes for this instance. The default is
  half of the number of your physical RAM pages, or (on a machine with
  highmem) the number of lowmem RAM pages, whichever is the lower.

And for me with a 32GB tmpfs, it could have easily hit the default limit when
having e.g. firefox + webkit-gtk + chromium or some such unpacked and built at
once, or one of them failed without cleaning up, etc.

A value of 0 would disable the limit altogether, but this comes with the
caveat of the possibility of a memory DoS when something malicious could be
writing 0 length files in there, because the size limit doesn't get hit by
it, but tracking the inodes does take some memory itself and there's no
inodes limit to deny that at some point then.

So it might be best to figure out some good value for that, perhaps e.g. 8
times the default (what you see with your tmpfs size under the Inodes column
with `df -i /tmp`).

HTH,
Mart
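The two checks the thread arrives at (Alan's "deleted files something still has a handle on" and Mart's `df -i`), as an added shell example that is not from the thread: it lists unlinked files under a mount point that some process still holds open, by walking /proc/<pid>/fd directly instead of needing lsof, and reads the IUsed/Inodes pair from `df -i`. The mount point argument and the function names are my own.

```shell
#!/bin/sh
# tmp_inode_usage MNT: print "IUsed Inodes" for the filesystem holding MNT,
# the two numbers Mart says to compare (IFree 0 => out of inodes, not space).
tmp_inode_usage() {
  df -iP "$1" | awk 'NR == 2 { print $3, $2 }'
}

# deleted_open_files MNT: list files under MNT that were unlinked while some
# process still holds them open. Their blocks stay allocated, so df counts
# them while du and ncdu cannot see them. Walks /proc/<pid>/fd directly, so
# it works without lsof. Output: one "pid<TAB>bytes<TAB>path" line per handle.
deleted_open_files() {
  mnt=${1%/}
  for fd in /proc/[0-9]*/fd/*; do
    target=$(readlink "$fd" 2>/dev/null) || continue
    case $target in
      "$mnt"/*" (deleted)") ;;
      *) continue ;;
    esac
    pid=${fd#/proc/}
    pid=${pid%%/*}
    # stat -L follows the magic /proc link to the still-open inode itself
    size=$(stat -L -c %s "$fd" 2>/dev/null) || size=0
    printf '%s\t%s\t%s\n' "$pid" "$size" "${target% (deleted)}"
  done
}

# deleted_open_bytes MNT: total bytes still pinned by such files under MNT;
# compare this with the gap between what df and du report.
deleted_open_bytes() {
  deleted_open_files "$1" | awk -F '\t' '{ s += $2 } END { print s + 0 }'
}

# Stand-alone run against /tmp (point it at PORTAGE_TMPDIR if that differs);
# tmp_inode_usage /tmp gives the inode side of the picture.
deleted_open_files /tmp
deleted_open_bytes /tmp
```

Killing (or restarting) the listed pid releases the space without a reboot.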
Re: [gentoo-user] hardened vs desktop
On Mon, 2023-11-13 at 11:19 +0100, ralfconn wrote:
>
> It seems to me easier to add these to the desktop rather than the other
> way round. Any gotchas I am missing?
>

There are a few other things in profiles/features/hardened that you should
copy -- particularly the gcc USE flags -- but basically, you're right. These
days the hardened profiles don't add much. The main thing they "add" is the
lack of unnecessary features enabled by default in a desktop profile.

It's a tedious process, but turning on the features you need one at a time
in package.use will eventually result in a smaller attack surface than
enabling them all at once in the desktop profile's make.defaults. Of course
you could do that the other way around, too, starting from a desktop profile
and disabling them one at a time.
[gentoo-user] hardened vs desktop
Hello,

I've been running the desktop profile for years. Now I'm thinking to switch
to the hardened. Since there is no 'hardened desktop' profile, the hint I
found online is to note the current desktop USEs, switch to hardened and add
the USEs not found there, but I wonder if it is really the best option.
Comparing the two profiles, hardened seems a sub-set of desktop with the
addition of:

cet
hardened
pie
ssp
xtpax

It seems to me easier to add these to the desktop rather than the other way
round. Any gotchas I am missing?

thanks
raffaele