Fwd: vmm(4) direct device resources access from guests

2018-11-01 Thread Denis
Is it possible to have full I/O access to PCI-express devices from guest
OSes like Penguin?



File sealing

2018-11-01 Thread Simon Ser
Hi all,

File sealing is a Linux-specific safety mechanism that can be used when
sharing memory between two processes.

In this scenario, one process typically calls shm_open(SHM_ANON), mmaps
the result in its address space, writes interesting things in this slice
of memory, sends the file descriptor over a Unix socket to another
process. The other process then mmaps the file descriptor to its own
address space and reads the shared memory.

Sometimes the two processes don't trust each other, for instance in the
case of Wayland. Bad clients may try to crash the compositor.

One way to crash the compositor is to send a shared memory file descriptor
and then shrink the file. When the compositor tries to read the
now-unmapped part of the file it'll receive SIGBUS.

What the compositor currently does is that it handles SIGBUS and ignores it
if it's about a memory slice mmapped from IPC. Apart from being a hack,
this makes things complicated because:

* There are multiple Wayland interfaces that need to mmap a file descriptor
  sent over IPC. Collecting the list of IPC-mmapped regions is currently not
  possible with libwayland.
* Since SIGBUS is global state, handling it is difficult. Some other IPC
  mechanisms might need to add more regions to the list. Threads make this
  even more annoying.

See [1]

I'd like to know if there are plans to add a feature similar to file
sealing [2] in OpenBSD.

Thanks,

--
Simon Ser
https://emersion.fr

[1]: https://gitlab.freedesktop.org/wayland/wayland/issues/53#note_24663
[2]: https://lwn.net/Articles/591108/



vmm(4) direct device resources access from guests

2018-11-01 Thread Denis
Is it possible to have full I/O access to PCI-express devices from guest
OSes like Linux?



Re: vmm(4) direct device resources access from guests

2018-11-01 Thread Janne Johansson
On Thu, 1 Nov 2018 at 08:53, Denis wrote:
>
> Is it possible to have full I/O access to PCI-express devices from guest
> OSes like Penguin?
>

https://www.openbsd.org/faq/faq16.html

-- 
May the most significant bit of your life be positive.



FOSDEM 2019 - Distributions Devroom Call for Participation

2018-11-01 Thread Brian Exelbierd
The Distributions devroom will take place Sunday 3 February 2019 at
FOSDEM, in Brussels, Belgium at the Université Libre de Bruxelles.

As more and more workloads are being considered for containerization in
the future and are finally landing in virtualized environments today,
distributions remain a critical success factor and are more important
than ever. Containers, like virtual machines, are not magical and
rely on piles of software being assembled in a way that is repeatable,
reliable, and functional. This is at the very heart of the problem that
distributions have always solved.

Each distribution is responsible for building, testing, and releasing
software as well as managing the lifecycle of each application in the
collection. Additionally, distributions do very important work in ensuring
that various versions of upstream software work well together and can
co-exist. Distributions are also often responsible for "de-vendoring"
upstream software so that security fixes can be applied more quickly.

We welcome submissions targeted at contributors interested in issues
unique to distributions, especially in the following topics:

# Topics and Areas of Focus

## Focus Areas

- The ways that distribution technologies can be leveraged to allow
  for easier creation of a multi-verse of artifacts from single source
  trees. This includes the increasing move toward self-contained
  applications and providing multiple non-parallel installed versions
  of software.

- Efforts being made in shared environments around Build/Test/Release
  cycles.

- Topics related to the delivery problem as it impacts updates in
  terms of both size and rollback/reliability are expected to be featured.

## Additional Topic Ideas

- Distribution and Community collaborations, eg: how does code flow from
  developers to end users across communities, ensuring trust and code
  audibility

- Automating building software for redistribution to minimize human
  involvement, eg: bots that branch and build software, bots that
  participate as team members extending human involvement

- Cross-distribution collaboration on common issues, eg: content
  distribution, infrastructure, and documentation

- Growing distribution communities, eg: onboarding new users, helping
  new contributors learn community values and technology,  increasing
  contributor technical skills, recognizing and rewarding contribution

- Principles of Rolling Releases, Long Term Supported Releases (LTS),
  Feature gated releases, and calendar releases

- Distribution construction, installation, deployment, packaging and
  content management

- Balancing new code and active upstreams versus security updates, back
  porting and minimization of user breaking changes

- Delivering architecture independent software universally across
  architectures within the confines of distribution systems

- Effectively communicating the difference in experience across
  architectures for developers, packagers, and users

- Working with vendors and including them in the community

- The future of distributions, emerging trends and evolving user demands
  from the idea of a platform

Ideal submissions are actionable and opinionated. Submissions may
be in the form of 25 or 50 minute talks, panel sessions, round-table
discussions, or Birds of a Feather (BoF) sessions.

Dates
--
Submission Deadline: 02-Dec-2018 @ 2359 GMT
Acceptance Notification: 7-Dec-2018
Final Schedule Posted: 14-Dec-2018

How to submit
--
Visit https://penta.fosdem.org/submission/FOSDEM19

1.) If you do not have an account, create one here
2.) Click 'Create Event'
3.) Enter your presentation details
4.) Be sure to select the Distributions Devroom track!
5.) Submit

What to include
---
- The title of your submission
- A 1-paragraph Abstract
- A longer description including the benefit of your talk to your target
  audience, including a definition of your target audience.
- Approximate length / type of submission (talk, BoF, ...)
- Links to related websites/blogs/talk material (if any)

Administrative Notes

We will be live-streaming and recording the Distributions Devroom.
Presenting at FOSDEM implies permission to record your session and
distribute the recording afterwards. All videos will be made available
under the standard FOSDEM content license (CC-BY).

If you have any questions, feel free to contact the
devroom organizers: distributions-devr...@lists.fosdem.org
(https://lists.fosdem.org/listinfo/distributions-devroom)

Cheers!

Brian Exelbierd (twitter: @bexelbie) and Brian Stinson (twitter:
@bstinsonmhk) for and on behalf of The Distributions Devroom Program
Committee



httpd rewiterules like apache

2018-11-01 Thread Markus Rosjat

Hi all,

I was wondering if it is possible to do like a proxy rewrite like with 
Apache rewrite mod?


RewriteRule ^(.*) http://some.tld/$1 [L,P]

So here the P Flag should preserve the original domain in the url and 
just proxy the request to the other location (not on the same machine!)


Since there is redirection I can do this but then the url gets of course 
replaced  in a block directive


 block return 301 "http://dome.tld$REQUEST_URI";

I read that there is rewrite support but as far as I figured it's just 
for location on the filesystem ?


regards

--
Markus Rosjat    fon: +49 351 8107224    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this e-mail really needs to be printed! Before you 
print it, think about your responsibility and commitment to the ENVIRONMENT



Re: httpd rewiterules like apache

2018-11-01 Thread Tony Boston
You should definitely try the relayd(8) route here.

> On 1. Nov 2018, at 11:32, Markus Rosjat  wrote:
> 
> Hi all,
> 
> I was wondering if it is possible to do like a proxy rewrite like with Apache 
> rewrite mod?
> 
> RewriteRule ^(.*) http://some.tld/$1 [L,P]
> 
> So here the P Flag should preserve the original domain in the url and just 
> proxy the request to the other location (not on the same machine!)
> 
> Since there is redirection I can do this but then the url gets of course 
> replaced  in a block directive
> 
>  block return 301 "http://dome.tld$REQUEST_URI";
> 
> I read that there is rewrite support but as far as I figured it's just for 
> location on the filesystem ?
> 
> regards
> 
> 

--
Tony

GPG-FP: 49CC8250 CDCF2183 6209C1AE 625677C1 F7783D5F
Threema: DN8PJX4Z








Re: httpd rewiterules like apache

2018-11-01 Thread Markus Rosjat

Hi,


On 01.11.2018 at 11:40, Tony Boston wrote:

> You should definitely try the relayd(8) route here.

That would be forwarding it to the IP, like

 match request quick header "Host" value "*some.tld" forward to 

but that wouldn't solve something like

RewriteRule ^(.*) http://some.tld/someotherdir/$1  [L,P]

so a http://www.my.tld would go to http://some.tld/something.http but wouldn't 
http://some.tld/someotherdir/something.http

or do I get it wrong?

--
Markus Rosjat    fon: +49 351 8107224    mail: ros...@ghweb.de



Re: vmm(4) direct device resources access from guests

2018-11-01 Thread Denis
It seems hardware passthrough is not available.

On 11/1/2018 11:33 AM, Janne Johansson wrote:
> On Thu, 1 Nov 2018 at 08:53, Denis wrote:
>>
>> Is it possible to have full I/O access to PCI-express devices from guest
>> OSes like Penguin?
>>
> 
> https://www.openbsd.org/faq/faq16.html
> 



Re: Which key shortcuts are safe to bind and some Q:s about history and OS diffs Re: Ctrl+4 means SIGQUIT+coredump, where is this documented, what more shortcuts are there?

2018-11-01 Thread Christian Weisgerber
On 2018-11-01, Tinker  wrote:

>> > No idea how ^4 is mapped to ^\, but for some reason it is,
>>
>> See "Table 3-5 Keys Used to Generate 7-Bit Control Characters" in
>> the VT220 Programmer Reference Manual:
>> https://vt100.net/docs/vt220-rm/table3-5.html
>
> Historical reasons, a ha.

And I'll venture a guess why DEC added those combinations:  In order
to type ^[ ^\ ^] to produce the ESC, FS, GS characters, you need
keys for [ \ ].  If you look at non-English keyboard layouts, you'll
see that the corresponding keys have been re-purposed for other
characters.  In the old days of national ASCII variants, even the
characters [ \ ] didn't exist in many national encodings.  Later,
when extended 8-bit character sets were introduced, [ \ ] were only
made available in a secondary mapping reachable with an extra
modifier key (AltGr or such).  And that's the situation right into
the present.

By contrast, combinations like ^3, ^4, ^5 were readily available
on keyboards.

https://en.wikipedia.org/wiki/ISO/IEC_646#ISO_646_national_variants

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: File sealing

2018-11-01 Thread Ted Unangst
Simon Ser wrote:
> Hi all
> I'd like to know if there are plans to add a feature similar to file
> sealing [2] in OpenBSD.

I don't think so. You explained a possible use, but didn't actually explain if
code using file sealing already exists.



Re: vmm(4) direct device resources access from guests

2018-11-01 Thread Mike Larkin
On Thu, Nov 01, 2018 at 10:18:04AM +0300, Denis wrote:
> Is it possible to have full I/O access to PCI-express devices from guest
> OSes like Linux?

no



Re: File sealing

2018-11-01 Thread Simon Ser
Hi,

On Thursday, November 1, 2018 6:25 PM, Ted Unangst  wrote:
> Simon Ser wrote:
>
> > Hi all
> > I'd like to know if there are plans to add a feature similar to file
> > sealing [2] in OpenBSD.
>
> I don't think so. You explained a possible use, but didn't actually explain if
> code using file sealing already exists.

Thanks for your reply. Indeed, code using file sealing exists, for instance
GTK+ [1] and GLFW [2].

I've been told that for this same use-case, another mechanism has already been
implemented on OpenBSD. It's an additional parameter that can be passed to mmap
and makes truncated regions appear as zeros instead of triggering SIGBUS.
However I couldn't find any more info about this. Can you tell me more about
this?

Thanks,

Simon Ser

[1]: https://gitlab.gnome.org/GNOME/gtk/blob/master/gdk/wayland/gdkdisplay-wayland.c#L1223
[2]: https://github.com/glfw/glfw/blob/master/src/wl_window.c#L156



Re: File sealing

2018-11-01 Thread Ted Unangst
Simon Ser wrote:
> Sometimes the two processes don't trust each other, for instance in the
> case of Wayland. Bad clients may try to crash the compositor.
> 
> One way to crash the compositor is to send a shared memory file descriptor
> and then shrink the file. When the compositor tries to read the
> now-unmapped part of the file it'll receive SIGBUS.
> 
> What the compositor currently does is that it handles SIGBUS and ignores it
> if it's about a memory slice mmapped from IPC. Apart from being a hack,
> this makes things complicated because:

I've been reminded that there's a different way to solve this problem in
OpenBSD.

The secret __MAP_NOFAULT flag to mmap. See for instance use in libxshmfence.



Re: File sealing

2018-11-01 Thread Simon Ser
On Thursday, November 1, 2018 6:49 PM, Ted Unangst  wrote:
> I've been reminded that there's a different way to solve this problem in
> OpenBSD.
>
> The secret __MAP_NOFAULT flag to mmap. See for instance use in libxshmfence.

Oh, thanks! That's what I've been searching for.



Re: spamd and google smtp ips

2018-11-01 Thread Chris Narkiewicz

On 30/10/2018 at 23:39, Stuart Henderson wrote:

> I haven't run spamd myself for years, I got fed up with delayed and
> lost mails.



Thanks. That was probably the tipping comment for me - I decided to search
for alternative spam protection.

It's the lost e-mails being the thing I cannot afford and in absence 
of *reliable* whitelist, I decided not to go this route.


Best regards,
Chris



Unexpected connection with `ifconfig join`

2018-11-01 Thread AB
I've run into a strange problem using ifconfig's new join statements.
I have two join lines in /etc/hostname.iwn0, with no nwid statement.
When both of these APs are out of range, it connects to a third,
unmentioned (open) AP.  This is a network I've manually joined before,
but do not want to join automatically.

/etc/hostname.iwn0:

join linksies wpakey 0123456789abcdef
join sisco wpakey beef
dhcp

Output of `ifconfig iwn0 joinlist`:

iwn0: flags=8843 mtu 1500
lladdr ab:cd:ef:12:34:56
index 2 priority 4 llprio 3
groups: wlan egress
media: IEEE802.11 autoselect (HT-MCS6 mode 11n)
status: active
ieee80211: nwid BADWAP chan 64 bssid ff:ff:ff:ff:ff:ff -63dBm
join: linksies
  sisco
inet 192.168.50.85 netmask 0x8000 broadcast 192.168.50.255

I've tried adding '-join BADWAP' to hostname.iwn0, but it still joins
automatically at boot.

This started mid-September on -current, and I've been updating to newer
snapshots at least weekly since then.  Running a snapshot from earlier
this week at the moment.  Have I perhaps overlooked something?

Thanks,
Adam



Re: OpenBSD site

2018-11-01 Thread Aaron Mason
Even more amazing - if you see an error on the website, you can fix it
and send a patch.  If they like it, they'll include the change.  I put
in a patch quite a few years ago to replace some broken links with
archived counterparts[1] which Theo himself accepted [2].  Not tooting
my own horn here, just saying that it can be done, and it's one of the
things that's kept me coming back all these years.

[1] https://marc.info/?l=openbsd-www&m=129340910201453&w=2
[2] https://marc.info/?l=openbsd-cvs&m=129355971818793&w=2
On Sun, Oct 28, 2018 at 10:01 AM Henry Bonath  wrote:
>
> This is amazing to know, thank you!
>
> On Sat, Oct 27, 2018 at 3:11 PM  wrote:
>
> > Knowing OpenBSD philosophy, you should probably NOT expect a CMS :).
> >
> > But you don't need to guess when you can check for yourself - all the
> > sources are available for an anonymous CVS as described in [1].
> >
> > You can easily have an up-to-date local copy on your machine by first
> > reading manual pages on cvs(1), httpd(8) and httpd.conf(5) and then doing
> > something like (as root):
> >
> > # mkdir -p /var/www/htdocs/openbsd
> > # cd /var/www/htdocs/openbsd
> > # cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs checkout -P www
> >
> > and adding the following section to /etc/httpd.conf:
> >
> > server "openbsd-doc" {
> > listen on * port 81
> > root "/htdocs/openbsd/www"
> > }
> >
> > and enabling httpd:
> >
> > # rcctl enable httpd
> >
> > After that, navigate to http://localhost:81 and enjoy browsing an offline
> > copy of OpenBSD website.
> >
> > [1] https://www.openbsd.org/anoncvs.html
> >
> >
> > On Sat, Oct 27, 2018, at 4:24 AM, Janne Johansson wrote:
> > > Manual edits, no hurry to jump on this weeks fashionable web
> > > framework, testing with lynx goes a long way to keep it simple and
> > > readable.
> > >
> > > On Sat, 27 Oct 2018 at 11:14, misc nick wrote:
> > > >
> > > > I was wondering how you maintain and update such high quality content
> > > > in OpenBSD's site.
> > > > Do you manually edit html files, use a cms, or something else? I am
> > > > asking to shamelessly copy your best practices. ;-)
> > > >
> > > > Thanks,
> > > > Nick
> > > >
> > >
> > >
> > > --
> > > May the most significant bit of your life be positive.
> > >
> >
> >



--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse