**** BEGIN LOGGING AT Thu Oct 22 10:59:57 2020
Oct 22 11:00:14 feel free to explain it better ¯\_(ツ)_/¯
Oct 22 11:00:32 Spot-on, stintel!
Oct 22 11:01:34 rsalvaterra: i tried sysupgrade and fresh installs with procd-ujail and procd-seccomp, and without
Oct 22 11:02:49 it worked only without procd-ujail and procd-seccomp. although it is not a proper fix but let's fix one problem at a time
Oct 22 11:03:13 maybe users can be added by uci-defaults to avoid this problem
Oct 22 11:03:18 damex: I don't user ujail/seccomp.
Oct 22 11:03:24 *us
Oct 22 11:03:26 *use
Oct 22 11:03:35 Gah… fat-fingered…
Oct 22 11:03:40 rsalvaterra: me neither. it got forced on all highmem devices by that commit
Oct 22 11:04:42 ynezz: thanks for reverting that commit
Oct 22 11:05:23 stintel: any ideas on net-snmp snmpd not answering requests on reboot on 1907? (if you've even seen the ticket?)
Oct 22 11:05:25 we really need better testing
Oct 22 11:05:45 karlp: I've seen the mail, I'm still in crisis situation at work + don't run 19.07 so I will not be of any help any time soon :(
Oct 22 11:06:11 no stress.
Oct 22 11:06:54 soooner or later I'll just do a new release of my own that just forcibly resets it until it answers, but it's weird, it's all the way along 1907.
Oct 22 11:07:05 stintel: are you already running ~master on your production stuff?
Oct 22 11:08:49 karlp: I'm always running master on all my stuff
Oct 22 11:09:01 too much adventure for me :)
Oct 22 11:09:04 it breaks all the time, but at least someone notices it then
Oct 22 11:10:13 but yeah, too much adventure/frustration, even before this stuff going on at work I was not doing much openwrt related stuff anymore due to the constant need for yak shaving when trying to actually get some work done
Oct 22 11:10:30 I feel ya
Oct 22 11:11:13 karlp: what did you do to snmpd so it is in that state? i am using snmpd on all devices here
Oct 22 11:11:30 edgerouter-x runs snmpd on 19.07 and seems to be fine
Oct 22 11:11:34 just reboot.
Oct 22 11:11:46 completely stock 19.07 with snmpd added, no other packages, no other config.
Oct 22 11:11:58 responds on first boot, reboot -> non-responsive until it's restarted.
Oct 22 11:13:20 karlp: do you have enough memory? and did you install extra mibs?
Oct 22 11:15:15 literally, clone 19.07, add snmpd, build, flash.
Oct 22 11:15:50 I have enough memory when I've got all my own apps running too, and it's only on reboot, and /etc/init.d/snmpd restart will instantly restore things until you reboot next.
Oct 22 11:17:20 karlp: did you try with actual 19.07 release?
Oct 22 11:17:41 not self built but an official build from a mirror?
Oct 22 11:17:43 I don't really see why I should.
Oct 22 11:18:46 but hey, why not, I can retest more
Oct 22 11:19:58 if you have <64M or even <128M of ram - you might have issues with snmpd starting with extra mibs present
Oct 22 11:20:13 you don't install them so it is not the case
Oct 22 11:20:36 lynxis Still analyzing what they sent me. Looks like more than just GPL code to me, I'm checking if I'm allowed to upload it. If you are really interested you can contact me via pn.
Oct 22 11:22:26 karlp: I think I've seen your problem on master even
Oct 22 11:22:38 karlp: but I don't exactly recall which device(s)
Oct 22 11:23:03 ath79 sounds like it might be
Oct 22 11:23:04 +I only tried master briefly, and it seemed to work, but didn't try it much.
Oct 22 11:23:09 yeah, I'm on ath79
Oct 22 11:34:37 damex: yes. just reflashed the 19.07.4 download, opkg update and opkg install snmpd, and it's failing to respond after reboots. (unsurprisingly :)
Oct 22 11:37:00 weird. i rebooted er-x '10 days 20 hours 59 minutes 39 seconds' ago (it is on 19.07 release) and it brought up snmpd just fine (i haven't even thought about checking it since librenms didn't report it
Oct 22 11:37:29 karlp: does the process actually run?
Oct 22 11:37:30 I was surprised when it was reported to me too :)
Oct 22 11:37:34 process is running...
Oct 22 11:37:40 it's all in the ticket...
Oct 22 11:37:44 so maybe it's ath79 related
Oct 22 11:38:00 uh... could you send me a ticket?
Oct 22 11:38:02 https://github.com/openwrt/packages/issues/13728
Oct 22 11:38:47 I'm afraid I don't have any non-ath79 hw here at home to even try out.
Oct 22 11:38:49 karlp: do you have access to strace on that machine?
Oct 22 11:39:11 and tcpdump ;p
Oct 22 11:39:44 what do you want to look for with tcpdump?
Oct 22 11:40:26 strace shows it continuously fetching stuff from /proc, metrics
Oct 22 11:40:31 it's not "stuck" per se
Oct 22 11:42:58 it even shows it receiving the snmp message
Oct 22 11:43:07 I'll try and attach it with annotations.
Oct 22 11:46:54 build #406 of bcm47xx/generic is complete: Success [build successful] Build details are at http://buildbot.openwrt.org/master/images/builders/bcm47xx%2Fgeneric/builds/406
Oct 22 11:47:43 there's some strace
Oct 22 11:47:53 karlp: if request is going through and arrive at 161 port (udp) and go back too
Oct 22 11:48:18 the request arrives at snmpd,
Oct 22 11:48:50 familiar enough with tcpdump syntax to give me a command line?
Oct 22 11:49:13 I never remember all the magic
Oct 22 11:49:36 sudo tcpdump -n -s0 port 161 and udp
Oct 22 11:49:48 oh, no sudo ;p
Oct 22 11:52:12 :P
Oct 22 11:52:34 added to the ticket, arrives, but never leaves
Oct 22 11:53:10 why do you have -s0? is that because "you've always done that" ?
Oct 22 11:53:17 ynezz: next time please at least revert the offending commit and not a random other commit by me....
Oct 22 11:53:39 ynezz: See? I told you guys. :P
Oct 22 11:54:31 I believe the commit is fine… it's just sysupgrade that needs to be… smarter…?
Oct 22 11:54:39 dangole: ujail is too broken to shove it down people's throats
Oct 22 11:55:56 ideally for such changes I would gather a few acks first before pushing
Oct 22 11:58:55 stintel, rsalvaterra: just trying to find out if the right commit has been reverted, because people have been complaining about the procd update and what was reverted is the switch to have ujail installed by default. that's not related to ubus not coming up, but probably the commits just before are.
Oct 22 12:00:18 so my question is: did anyone test-run the revert-commit before applying it?
Oct 22 12:00:18 dangole: why did you commit your changes without testing it first?
Oct 22 12:00:42 damex: i did of course test it a lot, for about a week. it has also been sitting in my staging tree for some days.
Oct 22 12:00:56 dangole: Sure, I'm not blaming ujail at all (even though I personally don't use it). The underlying issue is much older, the fact that /etc/{groups,passwd,shadow} are unconditionally backed-up/restored. If a new user is added, it won't be there after sysupgrade.
Oct 22 12:00:59 haven't followed the actual breakage tbh, but I had to disable ujail for dnsmasq because after some uptime I could no longer restart dnsmasq
Oct 22 12:01:18 and I am blaming ujail for that
Oct 22 12:02:09 ah ok. i didn't try with restoring configuration. yes, if /etc/passwd and /etc/group are not updated that is a big problem.
Oct 22 12:02:11 maybe ujail got selinux blocked ;)
Oct 22 12:02:32 dangole: sysupgrade and new users/groups being added is a big issue
Oct 22 12:02:39 it's been discussed a few times but never fixed
Oct 22 12:03:03 because that will break quite everything i'm doing right now: moving each service to run as its own user instead of root.
Oct 22 12:03:21 sure, such change is never convenient for anyone, and i was aware about that before
Oct 22 12:03:59 Yeah, eggs need to be broken, etc… but sysupgrading from 19 to 20 will be… "fun".
Oct 22 12:04:15 (Is sysupgrade even supported between major versions?)
Oct 22 12:04:23 if that's what you are doing you should really come up with a solution for that new users missing when sysupgrade
Oct 22 12:04:26 first
Oct 22 12:04:47 rsalvaterra: it is supposed to be
Oct 22 12:05:32 just as well "20" isn't out yet then rsalvaterra ...
Oct 22 12:05:45 stintel: The problem is knowing how to safely merge the files.
Oct 22 12:05:49 I see people keep advising to not restore the configuration when doing that but I disagree. migrations should be added. if you can't sysupgrade without nuking settings then sysupgrade is completely useless
Oct 22 12:05:49 what's not needed to be supported is "some random point on master" to "some other random point on master"
Oct 22 12:06:01 imho sysupgrade between major versions never worked well, every other attempt to do that broke something for me in the past. downstream projects like libremesh are completely disabling the option to keep config over sysupgrade for that reason.
Oct 22 12:06:02 karlp: Thank God! :P
Oct 22 12:06:10 karlp: snaplen is not really needed but easier to be set 0 when you don't know what to expect
Oct 22 12:06:27 damex: did you read the man page to see what -s0 actually does?
Oct 22 12:06:33 rsalvaterra: that's why I suggested uci-defaults. a package can `id -u someuser || useradd ...` or so
Oct 22 12:06:45 I'm with stintel, if you can't sysupgrade from one stable release to the next, it's useless.
Oct 22 12:07:03 not saying you should sysupgrade from 12.whatever to 19.07
Oct 22 12:07:13 but from one major release to the next should be supported
Oct 22 12:07:24 agreed.
Oct 22 12:07:45 if the project is not going to do so, I'm going to find another project to run on my devices
Oct 22 12:08:13 stintel: Come on, don't be so dramatic. It's just a bug. :)
Oct 22 12:08:42 anyway. so in the end the wrong commit was reverted :( because that one could have stayed, it was just the reflex to blame ujail. because it's procd itself which was changed to run ubusd as user ubus (which needs to exist for that to work)
Oct 22 12:08:44 karlp: yeah, it actually defaults to 0 ( 262144 ) as default backward compatibility. Snarf snaplen bytes of data from each packet
Oct 22 12:10:56 dangole: It's easy to blame the wrong thing. Heck, I blamed the SLOB allocator (which is working fine in Linux 5.4), I'm testing it on a 4/32 device and it seems to save a bit of memory.
Oct 22 12:12:07 ok, i'll just fix that in fstools, so /etc/passwd, /etc/shadow and /etc/group gets merged instead of overwritten...
Oct 22 12:12:54 how are you going to do that ?
Oct 22 12:13:28 some awk maybe?
Oct 22 12:13:40 sounds very hackish
Oct 22 12:13:56 I'd be happy to see someone come up with a solution, but please have it reviewed
Oct 22 12:14:23 I would prefer something like I suggested earlier but we don't have useradd by default so meh
Oct 22 12:18:38 stintel: can't useradd be added? it is a pretty small binary
Oct 22 12:18:56 it is adduser in busybox actually
Oct 22 12:20:30 one can also look into a compromise
Oct 22 12:20:59 if we can filter syscalls and limit capability access then the power of root is already greatly reduced
Oct 22 12:21:21 sure its not perfect, but neither is setuid
Oct 22 12:25:49 besides do we really need setuid if we have ambient capabilities?
Oct 22 12:26:14 dangole: couldn't you just appear sooner? :) 1.) That commit was suggested, people claimed here, that reverting it fixed the issue 2.) do_page_fault(): sending SIGSEGV to ujail for invalid read access from 00000100f3708c81 3.) I don't remember seeing any prior discussion on the list for such radical change
Oct 22 12:26:47 dangole: IIRC correctly adding those packages by default is enough to enable ujail
Oct 22 12:27:28 there is probably plenty of issues which needs to be ironed out first, I don't think, that it's ready for prime time
Oct 22 12:28:34 last time I've tried snapshot with procd/ujail under x86_64/qemu it was crashing after 12hours or so due to OOM issues
Oct 22 12:28:45 didn't have time to debug that yet
Oct 22 12:29:06 ynezz: yes, and that is the goal and intention (having ujail enabled for dnsmasq, ntpd, umdns and maybe more services, rather than running them with all privileges as root)
Oct 22 12:29:21 I get it and I support that
Oct 22 12:29:44 but perhaps we need to do it in less invasive way :)
Oct 22 12:29:59 like call for testing or such, not enabling it by default
Oct 22 12:30:32 I had some strange issues with dnsmasq as well (but those happen even without ujail)
Oct 22 12:30:33 ynezz: that's how ujail did not get used in 5+ years since John came up with it
Oct 22 12:30:43 yeah, true
Oct 22 12:31:15 ynezz: and sure, running everything as root and unrestricted is surely more convenient and flexible.
Oct 22 12:32:02 it feels just strange, such fundamental changes, yet not proposed/discussed on the list
Oct 22 12:32:16 not that anyone would care, but now we couldn't complain either :)
Oct 22 12:32:20 ynezz: so i understand that people will hate that kind of change. because best case they won't notice and everything still works, maybe it prevents some vulnerabilities we most likely wouldn't know about either way.
Oct 22 12:33:15 ynezz: i see. i felt i've been working on and talking about ujail for a while now, pushed things to my staging tree regularly and did receive quite some feedback from people trying that
Oct 22 12:34:58 yeah, I know and I value your work
Oct 22 12:35:56 ynezz: but maybe good to reiterate the roadmap every once in a while after some silence. to me we had agreed to have ujail enabled by default on !SMALL_FLASH for the "next release", but yes, that's more than a year ago it has been last debated publicly
Oct 22 12:36:13 indeed
Oct 22 12:36:56 i'll fix that /etc/{passwd,shadow,group} merger on sysupgrade, so we can go forward with this asap
Oct 22 12:37:10 I'm sorry, but I don't have much time now to help you with that, but I'm sure, that you've now few testers around
Oct 22 12:37:16 would also be nice to reproduce that segfault
Oct 22 12:37:25 damex: ^
Oct 22 12:37:48 AFAIK it was caused by initramfs
Oct 22 12:38:07 yeah, all i did is boot to memory (initramfs+kernel)
Oct 22 12:40:46 damex: on x86/64?
Oct 22 12:40:56 dangole: mips64
Oct 22 13:09:34 ynezz, rsalvaterra, stintel: solution for merging /etc/passwd et al after sysupgrade could be as simple as this: https://termbin.com/ap3h (untested, going to test extensively now)
Oct 22 13:10:48 Looks simple enough, yes.
Oct 22 13:11:17 ie. this imports lines from /rom/etc/passwd if that user doesn't exist in /etc/passwd at all, same for /etc/group and /etc/shadow
Oct 22 13:14:09 dangole: want me to check for something?
Oct 22 13:15:09 damex: lemme pull things together in my staging tree, i guess the segfault is getpwnam not being checked for !NULL
Oct 22 13:17:01 damex: no, that was a first guess, but that's not it. can you start ujail manually with the same parameters using gdb and see which line is indicated for that segfault?
Oct 22 13:18:46 gonna take a while to build that + gdb
Oct 22 13:19:33 dangole: want me to include anything else?
Oct 22 13:20:23 damex: for now just build as you did so we can tackle that segfault where it appears.
Oct 22 13:21:15 damex: what i do for debugging is rename /sbin/ujail to /sbin/ujail_real and have a shell-wrapper at /sbin/ujail logging the cmdline it was called with and not doing anything. in that way i can then call that exact ujail cmdline with gdb, strace or whatever i like.
Oct 22 13:25:09 damex: i'd be grateful not having to setup a mips64 build...
Oct 22 13:26:12 sure, it is currently building generic octeon + that commit with procd-ujail and procd-seccomp on top
Oct 22 13:26:21 and +gdb +strace
Oct 22 13:32:31 dangole: https://gist.github.com/damex/341615f454c9093a6ce30dee4e8f0cbe repeated
Oct 22 13:34:35 damex: so now replace /sbin/ujail with a simple shell script logging into /tmp/ujail.log what it has been called with
Oct 22 13:34:39 dangole: set -x && /sbin/ujail_real ${@}
Oct 22 13:34:44 enough?
Oct 22 13:35:17 oh logging
Oct 22 13:35:18 okay
Oct 22 13:35:19 damex: i'd usually not even call ujail_real in my /sbin/ujail wrapper, just have it log the cmdline, so i can call it manually with gdb
Oct 22 13:37:41 dangole: how do i run it again to reproduce?
Oct 22 13:37:48 without reboot of course since it is initramfs
Oct 22 13:38:50 when someone tests that passwd merge patch, maybe see what happens if there is an entry in existing /etc/passwd: "joe:x:81:81:/var:/bin/false", might not be an issue but might be worth trying
Oct 22 13:40:27 grift: that would be replaced by ubus:x:81:81:... i don't check for overlapping uids/gids as we are managing those in a monolithic way and nobody should ever create a UID<1000 other than those listed in as USERID:= in packages, and those don't overlap.
Oct 22 13:41:26 grift: but you are right, it wouldn't even be replaced :( we'd then have two users with uid=81...
Oct 22 13:41:52 grift: not sure if it's worth trying to catch that sort of things, but maybe limiting the merge for uid<1024
Oct 22 13:42:36 and what value does ubus use here? USERID:=ubus=81:ubus=81
Oct 22 13:42:46 the numerical id or the translated name?
Oct 22 13:42:53 are we _actually_ managing uids? we've spoken about it, but I didn't know we'd actually done anything about it
Oct 22 13:43:05 otherwise you might end up with ubusd associated with uid joe?
Oct 22 13:43:37 but yes looks a bit fragile
Oct 22 13:45:09 grift: hm. we should never have uid>=1000 in /rom/etc/passwd and users should never create uid<1000 having a different name than the one defined as USERID:= by packages.
Oct 22 13:45:38 agreed but it will happen
Oct 22 13:45:41 grift: the first convention is already satisfied, the second one should be documented maybe, but it's also kinda covered by POSIX that UID<1000 is "OS managed"
Oct 22 13:45:54 dangole: so uh, how are you suggesting to run ujail again?
Oct 22 13:46:18 box is ready and running generic initramfs+kernel build from ram
Oct 22 13:46:46 damex: yes, please run `gdb /sbin/ujail` and then in gdb do `run "$@"` with the parameters ujail was called with
Oct 22 13:47:13 dangole: i have no idea which parameters it was running with
Oct 22 13:47:43 let's say i add the script in place of binary. how do i reproduce that execution of ujail?
Oct 22 13:48:02 damex: that's why i use that shell script in place of /sbin/ujail to log the exact call parameters
Oct 22 13:48:15 dangole: sure, i did that. how do i make system execute that?
Oct 22 13:48:51 damex: if your script logs into a file, then just look into that file, copy the parameters and paste them into gdb
Oct 22 13:49:26 damex: ie. my /sbin/ujail looks like this: "echo "$@" >> /tmp/ujail.log"
Oct 22 13:49:40 sure, but i can not reboot machine to make ujail run again
Oct 22 13:49:53 and it does not get to run automatically
Oct 22 13:50:10 damex: /etc/init.d/dnsmasq restart ?
Oct 22 13:50:16 oh, okay
Oct 22 13:50:25 damex: i guess, as that'd be the only service running with ujail by default for now
Oct 22 13:50:32 damex: umdns :)
Oct 22 13:51:39 Hello!
Oct 22 13:56:18 grift: looking into that uid overlap issue, there is no good solution. because what we do then, if the user already got another username set for that uid in /etc/passwd? i can't even imagine a meaningful error-patch which would not break stuff in that moment...
Oct 22 13:57:08 *error-path
Oct 22 14:00:44 dangole: sent output to pm, does not make sense
Oct 22 14:01:53 dangole yes thats a pickle, i guess using useradd would address this but yes i know thats expensive. also note that obviously generic distributions have dealt with this as well
Oct 22 14:02:45 i was just laying this on the table for consideration though, this isnt really my cup of tea
Oct 22 14:03:38 grift: adduser != useradd and is available on busybox and is very cheap
Oct 22 14:03:41 maybe.... we stop using numeric uids?
Oct 22 14:03:54 right adduser is a wrapper around useradd
Oct 22 14:04:08 oh... really? didn't know that :(
Oct 22 14:04:12 so yes i meant consider using useradd
Oct 22 14:04:29 in debian its a wrapper at least
Oct 22 14:04:39 adds bells and whistles such as finger etc
Oct 22 14:06:21 karlp yes good point
Oct 22 14:06:54 https://git.busybox.net/busybox/tree/loginutils/adduser.c looks standalone to me
Oct 22 14:08:06 i guess thats a busybox thing then
Oct 22 14:08:11 yeah, it is
Oct 22 14:08:48 debian also has a adduser that is basically a wrapper (superset) around/of useradd
Oct 22 14:08:52 grift: it could be enabled through openwrt build system. to test - choose busybox -> customize -> loginutils -> its there
Oct 22 14:10:38 > bool "adduser (15 kb)"
Oct 22 14:10:44 is it small enough?
Oct 22 14:11:07 yes ill be honest, i kind of in a way like the idea of openwrt being a single user system by default
Oct 22 14:11:52 but i think of it in a selinux scenario, and i admit that in a non-selinux scenario some extra security is needed as well
Oct 22 14:15:18 so even though its "just" 15KiB it kind of sets a precedent
Oct 22 14:16:22 i would probably add a user if useradd/adduser were available on my router quicker than when i would have to do it manually or if i would have to install the util first
Oct 22 14:16:56 yeah, it has to be available out of box everywhere
Oct 22 14:17:06 it is a part of busybox and i don't think you can ship it separately
Oct 22 14:17:23 ... not on a single user system i guess
Oct 22 14:17:48 oh
Oct 22 14:18:05 well thats just my humble view
Oct 22 14:18:56 i am just saying that i kind of understand the decision to not have it, but this changes that and that then brings up a different question
Oct 22 14:19:02 which way to go
Oct 22 14:19:20 k.i.s.s. way
Oct 22 14:20:22 agreed, so then i guess its a matter of defining that (not just when it comes to uid's but also about what we intend to address by adding uids)
Oct 22 14:20:37 maybe theres a simpler way to achieve something similar?
Oct 22 14:22:19 decision kind of has already been made though since at least dnsmasq has its own uid
Oct 22 14:22:41 so yes provided that adduser solves the issue i guess that should be considered
Oct 22 14:23:34 because yes i would argue that if youre going to manage users then you better do it in a robust way
Oct 22 14:23:38 if we get selinux forced on people - openwrt will lose users
Oct 22 14:23:45 or maintainers
Oct 22 14:23:54 yes but thats a big if
Oct 22 14:24:19 but yes (barring and defensec in depth) that would simplify things
Oct 22 14:24:26 defense*
Oct 22 14:25:00 o i misunderstood
Oct 22 14:25:13 i think youre assuming there
Oct 22 14:25:50 but anyways thats not going to happen anyway most likely so no reason to worry about that
Oct 22 14:26:33 grift: that is from my personal experience integrating selinux/grsec/etc
Oct 22 14:26:50 do you have android phone?
Oct 22 14:26:59 no, not anymore
Oct 22 14:26:59 more than a billion people run selinux
Oct 22 14:27:32 its just a matter of implementing it properly
Oct 22 14:27:51 you need to be able to describe rules in a human readable and understandable manner
Oct 22 14:28:00 no
Oct 22 14:28:05 and need to force it down to everyone
Oct 22 14:28:27 if it is not - lots of stuff will be selinux-incompatible and most likely won't work
Oct 22 14:28:41 grift: why human factor is not a factor here?
Oct 22 14:28:44 who will write rules?
Oct 22 14:28:53 vendor
Oct 22 14:29:00 grift, ynezz, rsalvaterra: i think i found an elegant and sufficient hack for adding missing lines to /etc/passwd, /etc/group and /etc/shadow:
Oct 22 14:29:01 https://git.openwrt.org/?p=openwrt/staging/dangole.git;a=blobdiff;f=package/base-files/files/lib/preinit/80_mount_root;h=56d3fa379743efe6b494a7b15a7a45f3b93caa99;hp=265a3f18df49043824a6d70609e6c95dc017496a;hb=de7ca7dafadfd650d031e0379ce0c002868d5936;hpb=2812ea3acb88c7e3649c912d6ad761bf8818fc51
Oct 22 14:29:01 vendor who? there is no vendor here.
Oct 22 14:29:40 i guess ...
Oct 22 14:29:43 dangole: how about https://git.busybox.net/busybox/tree/loginutils/adduser.c ?
Oct 22 14:29:57 last thing you want is have "users" address security
Oct 22 14:30:01 damex: if we decide to have that anyway, i'm all for having it
Oct 22 14:30:41 dangole: i think people have a misunderstanding of what you mean when someone says 'adduser' tool. there are many alternatives and that one has to come from busybox to satisfy embedded requirements
Oct 22 14:31:34 damex: if it's just for solving that sysupgrade /etc/passwd problem then it'd be like adding 15kB binary instead of 300b shell to solve some rare/unsupported corner cases
Oct 22 14:31:36 grift: yes, so the problem be on maintainer shoulders and people maintaining opensource do not want extra burden. generally
Oct 22 14:32:22 do you think that stuff like leveraging seccomp filters in a meaningful way does not require maintenance?
Oct 22 14:32:39 it does. all of that stuff require maintenance
Oct 22 14:32:45 exactly
Oct 22 14:34:14 maybe we will get a sudo at some point ;D
Oct 22 14:34:45 and properly managed users with separate ssh keys and etc... and maybe integration with ldap/radius ;p
Oct 22 14:34:51 anyway i was just throwing that uid scenario out for consideration, i have no strong feeling on it. but just noting that theres murphy's law
Oct 22 14:34:56 if it can happen it will happen
Oct 22 14:35:37 thats exactly what i meant with precedent damex
Oct 22 14:35:58 having users implies useradd, and then next someone will make the case of sudo by default
Oct 22 14:36:04 where does the buck stop?
Oct 22 14:37:07 actually i would be glad if we get a users and radius/ldap support. i will be able to throw openwrt in place of vyos installs (that does it poorly) for NE that understand no thing to manage firewalls
Oct 22 14:37:30 but that is kinda offtopic ;p
Oct 22 14:37:50 grift: well, it does not stop unless there is a line drawn... somewhere
Oct 22 14:39:17 damex: I actually configured an OpenWrt system with "proper users" and sudo, years ago. Not really worth it.
Oct 22 14:39:18 dangole: sure, then that binary have to become of a core
Oct 22 14:39:45 rsalvaterra: there is lots of things to address (luci and such) before it becomes usable in a sane manner
Oct 22 14:39:55 rsalvaterra: yeah, agree, not really worth it
Oct 22 14:40:28 damex: That was one of the reasons I just gave up on LuCI at the time. :)
Oct 22 14:40:29 so maybe start by leveraging capabilities first and go from there?
Oct 22 14:40:52 Nowadays, I don't care. I do everything though the terminal, it's so much more convenient.
Oct 22 14:40:59 *through
Oct 22 14:41:41 well, i am using shell to manage openwrt install but luci is there to just show representation of something like wireless and such when you're lazy and just want a fancy page ;p
Oct 22 14:42:18 with ansible becoming a de facto standard at managing such things - not every single openwrt can be managed due to lack of python :(
Oct 22 14:42:54 Eek! Python?! Good heavens…!
Oct 22 14:44:41 hahah thats exactly my first thought
Oct 22 14:44:48 python on my router, no thanks
Oct 22 14:45:51 blocktrron: any suggestions on how can i generate exactly the same of_platdata as you did for nanopi so i could get librecomputer renegade merged?
Oct 22 14:52:21 sigh... a few days away and master is broken big time
Oct 22 14:52:47 when the cat's away.... ;)
Oct 22 14:52:56 seriously, it starts to annoy me
Oct 22 14:53:46 who thought that it is a great idea to simply relocate the ubus socket path?
Oct 22 14:54:01 and of course anything that might be affected by that was neglected
Oct 22 14:54:16 can't you at least put *some* effort into this before you fuck around with that stuff
Oct 22 14:54:25 jow: i grepped through packages and core and didn't see any direct mention of that patch
Oct 22 14:54:31 rpcd seems broken
Oct 22 14:54:36 uhttpd too
Oct 22 14:54:43 grep won't find defaults, only explicits
Oct 22 14:54:45 and grep - wtf
Oct 22 14:54:58 boot that crap, and open the fricking ui in a browser at least once
Oct 22 14:55:35 jow: i did boot that for quite some days, and so were other people reviewing it on my staging tree
Oct 22 14:55:54 jow: probably nobody did sysupgrade and kept config, so that was fixed now (missing entries in overwritten /etc/passwd)
Oct 22 14:56:22 still sorry for that mess, of course
Oct 22 14:58:48 where people work mistakes are made, in fedora theres 100 developers making many changes in rawhide stuff is always broken, but innovation has to start somewhere and thats what rawhide/master is for ?
Oct 22 14:59:26 fine, by that standard I'll push my half completed crap as well now
Oct 22 14:59:45 and apparently we do not care about backwards compatibility either anymore, so lets throw some breaking changes into the mix
Oct 22 14:59:46 not saying things should be tested to the best of your ability. just saying mistakes are made
Oct 22 14:59:55 s/should/shouldnt/
Oct 22 15:05:59 .. but yes after that commit was made in the staging tree i was waiting for dangole to show up here so that i could vent my concerns about it
Oct 22 15:08:16 https://git.defensec.nl/?p=selinux-policy.git;a=commitdiff;h=a2087bfff861036be15fe49527f2d56cd2d833bc
Oct 22 15:08:22 "this could get ugly"
Oct 22 15:08:58 https://github.com/openwrt/openwrt/commit/de7ca7dafadfd650d031e0379ce0c002868d5936 seems like people still have problems
Oct 22 15:17:37 jow: i've added migration for rpcd and uhttpd, if you spot any more, let me know
Oct 22 15:17:41 jow: please note that i
Oct 22 15:17:56 'm here and do take care of fallout
Oct 22 15:19:38 grift: i'm reading the chat logs even when i'm not connected on the channel
Oct 22 15:19:51 grift: mentioning my name will make me see it a few hours later
Oct 22 15:20:02 dangole ok good to know
Oct 22 15:20:33 dangole so about the setuid/ntpd thing, no that wont solve the selinux transition issue
Oct 22 15:20:48 you can compare selinux domain transition to setting the setuid bit on a file
Oct 22 15:20:54 so you can reason like this:
Oct 22 15:20:57 grift: what was your concern with that ubus socket path change? why could it get ugly (in terms of SELinux)?
Oct 22 15:21:20 would chowning busybox ntpd and setting the setuid bit solve the uid issue?
Oct 22 15:21:35 if no then it also would solve the selinux domain transition issue
Oct 22 15:21:52 s/would/wouldnt
Oct 22 15:22:43 well the path isnt so much an selinux issue the question is how will it be created i guess
Oct 22 15:23:11 but that commit comment wasnt so much about selinux, it was just a comment that "things could get ugly" in general
Oct 22 15:23:26 grift: procd mkdirs it before starting ubus and chowns it
Oct 22 15:23:35 because its ubus and messing with that in anyway is kind of tricky
Oct 22 15:23:50 k
Oct 22 15:24:01 anyway dont worry about the selinux aspect
Oct 22 15:24:10 thats secondary
Oct 22 15:24:55 but about ntpd domain transition
Oct 22 15:25:31 here are two bookmarks that demonstrate how to do that programmatically, and if that doesnt answer any question then those bookmarks should lead to more examples:
Oct 22 15:25:56 "openrc_contexts" support in libselinux: https://github.com/SELinuxProject/selinux/commit/09d99e8bec6e112598518c08a90d9423e61c8540#diff-34f169c1f9239fbebc57172b3e57e098347cfaa25773cfd0dcc85f441b466235
Oct 22 15:26:04 relocating the ubus socket?? what an idea
Oct 22 15:26:17 this is what openrc uses to run run_init with a manual transition
Oct 22 15:26:34 heres some of that code: https://github.com/OpenRC/openrc/blob/72df51e17ba0e1a0f94451b4bbfb338288c4625c/src/rc/rc-selinux.c#L302
Oct 22 15:26:40 theres many more examples
Oct 22 15:26:44 zorun: so that it can sit in a path which is owned by ubusd and hence ubusd would be able to create the socket without being root
Oct 22 15:27:12 grift: thank you for the pointers, will go through that
Oct 22 15:27:52 can't you add a symlink for compatibility? I have no idea if it works for sockets
Oct 22 15:28:28 yes symlink should be possible
Oct 22 15:28:42 we do that for /dev/log in fedora as well for example
Oct 22 15:33:35 zorun: i don't think you should have any other direct mentions of the socket path.
Oct 22 15:34:02 zorun: ah, nginx in packages.git...
Oct 22 15:34:22 murphies law again Oct 22 15:37:38 Oh, my… firewall4 is a thing. Oct 22 15:38:23 there will always be something Oct 22 15:48:36 zorun: https://github.com/openwrt/packages/pull/13751 Oct 22 15:48:45 i hope that was it... Oct 22 15:52:16 https://gist.github.com/damex/60226226c1c65d10978d7aa123ee348a Oct 22 17:11:44 what if i want to introduce octeon3 subtarget and device in there - do i introduce octeon3 first and then add device or do both at the same time? Oct 22 17:12:19 a subtarget without a device won't make much sense Oct 22 17:12:37 The question is rather whether a subtarget will be justified Oct 22 17:16:01 I'd like to go through all the shell scripts and make them best conform to https://github.com/koalaman/shellcheck / https://www.shellcheck.net/ Oct 22 17:16:13 Is a wide patch likely to be accepted for this? Oct 22 17:16:45 Nick_Lowe: probably not, and if, not fast Oct 22 17:16:51 so, you will get rebase-hell Oct 22 17:17:19 there are a few smaller patches like this in the mailing list patchwork. Oct 22 17:17:23 I'm hesitant. I've seen breakage due to people fixing shellcheck warnings. easier to review package by package basis Oct 22 17:18:27 I think the main challenge will be to put the changes into reasonable blocks. Oct 22 17:18:49 also if there is breakage, reverting a big tree-wide patch is ... meh Oct 22 17:19:00 fact Oct 22 17:19:31 on the other hand, the problem with the per-package approach is that you then have to mix different types of fixes Oct 22 17:20:14 I frequently had that problem with Rosen's patches, where I was sure about two changes but hesitant on two other ones in the same patch Oct 22 17:20:56 well that's just wrong to accept. 
bump a package + fix shellcheck in its scripts are 2 commits
Oct 22 17:21:04 whoever accepts those should stop doing that in the first place
Oct 22 17:21:55 they can go in 1 series, but it should be 2 different commits so it allows proper bisecting
Oct 22 17:22:15 I was referring to different "types" of shellcheck recommendations
Oct 22 17:23:02 Rosen typically splits that up properly, but sometimes there still are cases like that
Oct 22 17:23:37 adrianschmutzler: i think it will be justified. there are octeon3 devices (7xxx octeons) that have FPU (hardfp) and that benefit from march=octeon3.
Oct 22 17:23:56 currently 'octeon' target is soft-float
Oct 22 17:24:29 damex: but mere speed improvement (unless really massive) typically is no reason to have the overhead of a separate branch
Oct 22 17:24:37 branch->subtarget
Oct 22 17:25:22 So, prepare yourself to argue
Oct 22 17:25:24 http://lists.openwrt.org/pipermail/openwrt-devel/2020-October/031787.html i tried raising the question about that here but no feedback yet
Oct 22 17:25:38 adrianschmutzler: even bringing FPU is not worth it?
Oct 22 17:26:18 ahhh on another note, I contacted my ISP today, can upgrade from 200/120 to 1000/600
Oct 22 17:26:25 but need to sign for 12 months
Oct 22 17:26:38 they claim there is no way to upgrade without signing for 12m :/
Oct 22 17:27:19 damex: I don't know much about octeon, I can just give you general feedback (that's why I didn't answer the mail either)
Oct 22 17:28:16 stintel: don't complain, there are still many ISPs that lock you in a contract for 24m
Oct 22 17:28:29 ;-)
Oct 22 17:28:34 meh
Oct 22 17:28:45 damex: for most people, with most routing apps, no, hardfloat is ~irrelevant
Oct 22 17:29:06 and when I asked "what if I decide to move and you cannot offer your services on my new address?"
-> pay the entire period penalty
Oct 22 17:29:12 wtf that's not even legal afaict
Oct 22 17:29:18 afaik*
Oct 22 17:29:37 I'm asking a native speaker to do this for me :P
Oct 22 17:30:14 I still hope the EU will limit these contracts at some point ... 6 months would be fine
Oct 22 17:30:44 it's a bit nasty. I've been with them for 5 years. just upgrade it already
Oct 22 17:31:01 adrianschmutzler: Belgium limits the minimum contract term to 6 months. It's not an EU thing then?
Oct 22 17:31:29 svanheule[m]: Not yet, but I hope it becomes…
Oct 22 17:31:30 In Germany, vodafone still has 24 months as default
Oct 22 17:31:54 Because here in Portugal, it's the same s**t, 24 months.
Oct 22 17:31:55 geez
Oct 22 17:31:58 wtf
Oct 22 17:31:59 stintel: do they offer it cheaper because of 12~24m contract or is it the only option and that's it?
Oct 22 17:32:14 For once, telecom stuff is better in BE :P
Oct 22 17:32:25 damex: they claim only option. price is cheaper with the longer one
Oct 22 17:32:46 but I don't care if it will cost me a bit more each month, I want to be able to cancel at any time
Oct 22 17:33:00 Oh, and Vodafone is the worst. Their fiber plan includes a fiber router which can't be configured in bridge mode.
Oct 22 17:33:12 and this is not a new subscription. with a new subscription ... I could maybe understand it
Oct 22 17:33:16 other than the power costs, does that really matter rsalvaterra ?
Oct 22 17:33:27 or does the double nat bother you?
Oct 22 17:33:53 rsalvaterra: tell me about it. I had so much fun getting Full DS with cable ...
Oct 22 17:34:21 Double NAT doesn't bother me at all, because I won't tolerate it. If an ISP doesn't give me the public IP address, it Doesn't Exist™.
Oct 22 17:35:07 and a 48 prefix
Oct 22 17:35:30 no ip6 no deal
Oct 22 17:35:43 grift: some countries don't have that luxury
Oct 22 17:35:43 I'm with Hyperoptic in the UK - have to pay £5 a month extra for a static IP :-/ at least there's an option but it seems overpriced to me
Oct 22 17:36:09 but I have dual v6 tunnels with full BGP feed - each terminated on a separate router. I can live with that for now
Oct 22 17:36:48 Nick_Lowe: I think it's 5 euros with vodafone as well, but only available for more expensive business contracts :-(
Oct 22 17:37:01 fortunately, the address changes rarely
Oct 22 17:38:37 Yikes, I just sent a kernel patch and completely forgot we're right in the middle of the merge window. Bracing for impact…
Oct 22 17:44:30 blocktron Is the revised cell_density patch okay?
Oct 22 17:44:53 blocktrron Is the revised cell_density patch okay?
Oct 22 18:12:22 stintel, rsalvaterra, adrianschmutzler: in israel they made contracts with private people over more than 30 days unenforceable/illegal, sim-lock was banned and infrastructure-owning companies (ie. traditionally Bezeq for phone copper pairs and HOT for tv coaxial copper) cannot act as ISPs...
Oct 22 18:13:32 seems like some of that law was broken again recently though
Oct 22 18:14:51 and yes, EU should regulate telco contracts like financial services (which is what they are in the end)
Oct 22 18:26:48 let's just say that there is a lot of room for improvement in that industry (to say the least)
Oct 22 18:43:08 >KGB-0< https://tests.reproducible-builds.org/openwrt/openwrt_lantiq.html has been updated. (98.1% images and 100.0% packages reproducible in our current test framework.)
Oct 22 19:05:46 evening
Oct 22 19:08:30 lynxis: hello
Oct 22 19:08:32 danitool: ping
Oct 22 19:10:39 dangole: ping
Oct 22 19:10:43 danitool: unping
Oct 22 19:13:12 whoa :)
Oct 22 19:21:06 aparcar[m]: pont
Oct 22 19:21:09 pont
Oct 22 19:21:24 *pong*
Oct 22 19:26:13 :D
Oct 22 19:35:52 danitool: ack & ty
Oct 22 19:36:25 lynxis: want to work a bit on openwrt's reproducibility?
Oct 22 19:36:57 aparcar[m]: i would love to. but i need to upstream some stuff and also look afterwards at the mikrotik patches
Oct 22 19:37:29 good luck
Oct 22 19:38:06 aparcar[m]: if you'd like to have feedback we could talk about it.
Oct 22 19:39:27 lynxis: I thought of writing a blog post at some point, there some feedback would be cool
Oct 22 19:41:22 sure
Oct 22 19:55:44 *yawn*
Oct 22 19:55:59 morning blogic
Oct 22 19:56:04 evening
Oct 22 19:56:25 * blogic has been playing with python and websockets all day :-D
Oct 22 19:56:59 remote cli?
Oct 22 19:58:10 * lynxis has been playing with frame relay
Oct 22 19:58:37 Frame relay…? What year is this?
Oct 22 19:59:18 1995 or 2003
Oct 22 19:59:50 Riiight… :P
Oct 22 20:10:05 lynxis: cloud mgmt backend for owrt
Oct 22 20:10:33 using nginx to host static cfg.json files
Oct 22 20:10:46 using websocket to transport cfg change events and states
Oct 22 20:11:13 and mqtt for stats
Oct 22 20:11:28 so that your browser can link directly to the AP via websocket mqtt
Oct 22 20:14:27 asyncio in python is way crazy an API
Oct 22 20:14:55 and shame on me, I actually used try: except: final: blocks :-D
Oct 22 20:15:27 tomorrow I will start defining the datamodel, write the schemas and the utpl code to render them out into uci batch files
Oct 22 20:16:23 usually when someone says websockets in 2020 - they mean grpc ;p
Oct 22 20:16:33 oh well
Oct 22 20:17:27 damex: you mean a google api that might not be supported anymore in 3 weeks ?
Oct 22 20:18:13 damex: actually we want more complexity
Oct 22 20:18:22 blogic: no idea about google api but it is a CNCF project https://grpc.io
Oct 22 20:18:32 we should use protobuf to transport a yang datamodel and then use the gNI stuff
Oct 22 20:19:04 yo dawg
Oct 22 20:19:05 damex: my protocol is json based and only knows 4 attributes
Oct 22 20:19:07 i heard you like protocols
Oct 22 20:19:19 uuid, serial, state, cfg
Oct 22 20:20:12 wc -l server.py
Oct 22 20:20:12 93 server.py
Oct 22 20:20:15 :-)
Oct 22 20:20:24 the whole python websocket server is 93 lines
Oct 22 20:20:39 it'll be a bit more as i want to add a PAM backend and fine tune ssl
Oct 22 20:20:43 so like 125 lines
Oct 22 20:20:59 eats around 180k ram / user session
Oct 22 20:28:17 not bad considering it is python
Oct 22 20:28:22 seen worse
Oct 22 20:29:11 blogic: since when are you such a python fan?
Oct 22 20:30:27 aparcar[m]: lol
Oct 22 20:32:42 aparcar[m]: I was never against it
Oct 22 20:32:50 just on routers it is a bad choice
Oct 22 20:32:58 however I am building server code here
Oct 22 20:33:10 I am actually just reading up on the sqlite3 binding
Oct 22 20:33:54 so the idea is that we have a second websocket path where a webui can get/set the network settings of a deployment
Oct 22 20:34:11 once finished, it can write the state into a json file on the cdn
Oct 22 20:34:46 and then the code talking to the router will pick up the new file, detect that the uuid has changed and send the event to the APs
Oct 22 20:35:21 so one basically has a single nginx serving the static json cfg files, receiving the state files and proxying 2 websockets
Oct 22 20:36:49 aparcar[m]: and no, we don't need a docker container, although I am sure you'll build one
Oct 22 20:37:15 one thing I am still trying to figure out is if we want AP passwords or venue ones
Oct 22 20:37:29 so the current design pushes 2 cfg files
Oct 22 20:37:36 1) the board cfg
Oct 22 20:37:40 2) the venue cfg
Oct 22 20:38:08 board would be APs
upstairs, downstairs, garden
Oct 22 20:38:29 venue would be home, parents, sister, honey, friendX
Oct 22 20:38:53 venue basically holds the ssid cfgs, captive, splash, ssid cfg
Oct 22 20:39:11 board holds the channel, tx power, rssi threh type settings
Oct 22 20:39:25 *thresh
Oct 22 20:41:27 so when the CDN goes down you can't configure your local routers anymore?
Oct 22 20:43:32 anyway sounds rad. Sure I'll docker it, in fact someone just offered me money to port a docker runtime to OpenWrt, strange huh?
Oct 22 21:03:04 cp cgroups docker-runtime
Oct 22 21:07:37 ynezz: pssst I need this new surf board
Oct 22 21:07:58 i can't bring a subtarget to a target that had no subtargets before, is that right? i need to move the target's boards to some subtarget... right?
Oct 22 21:08:43 something like target -> (subtarget with target old boards) + (subtarget with new boards that are different from old ones)
Oct 22 21:18:16 damex: generic target
Oct 22 21:18:24 err, subtarget
Oct 22 21:18:47 hmm... sure. generic it is
Oct 22 21:19:05 you essentially just need something like this: https://github.com/openwrt/openwrt/blob/master/target/linux/mpc85xx/image/Makefile#L22
Oct 22 21:19:29 and then distribute the devices across generic.mk and octeon3.mk or similar
Oct 22 21:20:22 see here for example (though that one is big, you will only need a small part of it):
Oct 22 21:20:23 https://github.com/openwrt/openwrt/pull/3079
Oct 22 21:21:10 you can ignore all the split base-files stuff for now.
Oct 22 21:23:36 adrianschmutzler: thanks, checking that mvebu PR :)
Oct 22 21:26:42 damex: it's also the most recent case where a subtarget was not accepted as the benefit was not "sufficient"
Oct 22 21:28:07 been thinking... maybe just add the device to the existing target first?
Oct 22 21:29:13 if the device works there, too, it might at least get the device merged
Oct 22 21:29:56 be aware that octeon is not really crowded with reviewers and committers; making it easy is even more imperative there than usual
Oct 22 21:31:15 Hey, does anyone know the error "Initramfs unpacking failed: invalid magic at start of compressed archive"? I updated openwrt to the latest master (linux 4.19 instead of 4.16) and now initramfs boot is broken on my device
Oct 22 21:33:02 *(old: linux 4.14, new: linux 4.19)
Oct 22 22:37:25 >KGB-1< https://tests.reproducible-builds.org/openwrt/openwrt_bcm47xx.html has been updated. (100.0% images and 100.0% packages reproducible in our current test framework.)
Oct 22 23:46:12 aparcar[m]: the cdn will run in a mdu deployment on a cascaded ucpe
Oct 22 23:46:30 bingo!
Oct 22 23:46:56 in a private deployment it'll run on your local trusted hosting provider
Oct 22 23:47:03 or even on a local router
Oct 22 23:47:23 karlp: what ?
Oct 22 23:47:55 you can take the piss but I am actually trying to fix a problem in a sane and scalable way here
Oct 22 23:48:30 blogic: acronym soup bingo
Oct 22 23:48:50 normally commercial wifi is run against an aws cloud
Oct 22 23:48:52 it's nice to see the very first mention of it when you're already well into the details and concrete implementations
Oct 22 23:50:26 so rather than doing so, it makes sense to deploy a ucpe (universal customer premises equipment) device to cascade the controller for mdu (multi dwelling units) on site such that even if a netsplit happens, the local instance is still operational
Oct 22 23:50:59 basically meaning, let's move logic away from the cloud and let it happen on site
Oct 22 23:51:38 and then let the ucpe handle sync-up to the evil cloud as an option if there really is a requirement to even do so
Oct 22 23:52:46 and the ucpe should really be able to handle decentralized load balancing and band steering locally without the need for some crappy machine learning cloud
techno hipster BS
Oct 22 23:53:00 ideally you won't even need a ucpe
Oct 22 23:54:47 but be patronizing all you want
Oct 22 23:56:19 typos, hate small android keyboards when fast typing
Oct 23 00:46:49 ping damex
Oct 23 00:50:26 so i found a way to work around the segfault in ujail on mips64
Oct 23 00:50:29 it's very weird
Oct 23 00:50:30 https://termbin.com/ea8h
Oct 23 00:52:58 so this triggers when calling elf_load_deps("/lib/ld-musl-mips64-sf.so.1", ...), right *after* elf64_scan_dynamic successfully ran and found out that ld.so doesn't have any needed dynamic library dependencies... then it mysteriously gets called again for no reason
Oct 23 00:53:35 i'll retry with a more recent GCC and see what happens...
Oct 23 02:38:08 heya guys, I am getting stuck trying to debug the handoff from uboot to kernel on an mpc8544ds device, where it just hangs after loading the DTB. I have tried earlycon and earlyprintk and many other changes to the DTS, but am stuck trying to understand why it doesn't print anything... :| any pointers would be welcome... #linux hasn't been helpful
Oct 23 02:43:27 aparcar[m]: https://jsonblob.com/e60607a1-14d0-11eb-ab18-770709d6d2bd rough uscan wip
Oct 23 02:45:02 swalker: nice
Oct 23 03:11:30 damex: please try building my staging tree for your octeon3 mips64 target
Oct 23 03:11:32 damex: https://git.openwrt.org/?p=openwrt/staging/dangole.git;a=commitdiff;h=bdd329235610aba25e7bb182bbfab67d7436b77c
Oct 23 03:43:39 swalker: can you auto-generate it and provide it somewhere?
Oct 23 03:44:14 swalker: there was also an idea to replace the wiki packages entries with something rendered, like https://pkgs.alpinelinux.org/packages
Oct 23 06:35:23 aparcar[m]: rebase openwrt on alpine
Oct 23 06:38:06 mangix: :)
Oct 23 08:32:42 actually on a serious note, alpine's so-called "router" variant is pretty huge at 500MB
Oct 23 08:34:47 seems like alpine is mostly meant for containers
Oct 23 08:39:26 eager to play with fw4, very nice
Oct 23 08:39:34 Anyone familiar with ipv6 and dnsmasq help me figure out why I can't get an ipv6 address on the LAN side, but it's available on the device?
Oct 23 08:43:03 ah the rabbithole that ipv6 is :)
Oct 23 08:43:20 Grommish: you need to fiddle with prefix delegation and stuff probably
Oct 23 08:43:30 I got it to assign a /128 address finally
Oct 23 08:43:34 why are you looking at dnsmasq for ip6?
Oct 23 08:44:08 but now my system just gives me a Network is unreachable for ping6
Oct 23 08:44:08 grift: dnsmasq handles dhcpv4 by default on openwrt.
Oct 23 08:44:26 the device itself handles v6 fine
Oct 23 08:44:40 Grommish: so you can probably ping6 from the router to the wan
Oct 23 08:44:50 Borromini: correct
Oct 23 08:44:52 https://paste.debian.net/1168358/ < this is what i have
Oct 23 08:44:59 However, the device on the LAN cannot
Oct 23 08:45:02 the ra option might need some fiddling
Oct 23 08:45:08 yeah that's how it was by default as well here.
Oct 23 08:45:15 i think the ra_flags are default
Oct 23 08:45:20 yes maybe add a static route as well
Oct 23 08:45:33 grift: you shouldn't need that, if it's set up right
Oct 23 08:45:39 It's all DHCP
Oct 23 08:45:53 from the ISP to the edge router and out from there to the LAN
Oct 23 08:46:16 depends on how you configured it on the client side i think
Oct 23 08:46:18 It's going into the box, and the box sees it, but the lan clients can't use it
Oct 23 08:46:27 grift: where is fw4?
Oct 23 08:46:38 https://git.openwrt.org/?p=openwrt/staging/dangole.git;a=commitdiff;h=b4f18dde24014007d25a32ca68c3231f682d8f2d
Oct 23 08:47:00 i use ip6 a lot with openwrt
Oct 23 08:47:08 and it "just" works
Oct 23 08:47:49 but if you set up the client so you get a static ip then you need to address route and you pretty much always should address ra
Oct 23 08:48:00 nice nftables as well :)
Oct 23 08:48:34 Borromini: Not so nice, now it means I have to study nftables too. :P
Oct 23 08:48:52 nft language is nice and expressive
Oct 23 08:49:02 rsalvaterra: i hear you :P
Oct 23 08:49:45 I suppose fw4 isn't meant to replace fw3, but to give users the choice, right?
Oct 23 08:50:05 eventually iptables is just legacy by now
Oct 23 08:50:20 yeah should be on its way out i reckon
Oct 23 08:51:51 Hmm… I know there were some corner cases which couldn't be addressed with nftables, but I guess they've been solved by now…?
Oct 23 08:52:08 probably
Oct 23 08:52:14 (Haven't really followed the development.)
Oct 23 08:52:34 might be some loose ends but probably nothing significant
Oct 23 08:53:13 we even added secmark support to nft not long ago
Oct 23 08:53:25 grift: who's we?
Oct 23 08:53:39 selinux community
Oct 23 08:54:34 which is awesome because with that you can do per-process firewalling
Oct 23 08:54:37 Oh, well… looks like I have to dive into the nftables documentation.
Oct 23 08:54:49 more flexible than using bpf
Oct 23 08:55:02 grift: ok :)
Oct 23 08:56:00 i'll probably be playing with that on openwrt eventually
Oct 23 08:56:16 the policy supports it already as well
Oct 23 08:56:38 but yes .. nft would have to be built with secmark support i guess
Oct 23 08:57:19 grift: If SELinux is enabled. ;)
Oct 23 08:57:25 true
Oct 23 08:57:42 but that goes without saying
Oct 23 08:59:26 Yeah, it's a pet peeve of mine… there's lots of stuff enabled by default, which can't be disabled (by a normal user — but a normal user probably won't be building OpenWrt).
Oct 23 08:59:59 i am a normal user and i build openwrt
Oct 23 09:00:35 Ok, I should clarify my definition of "normal user". :)
Oct 23 09:01:17 Basically someone who just downloads an image and installs it. At most, uses the image builder.
Oct 23 09:01:19 if you ask me that whole toolchain flexibility is what defines openwrt
Oct 23 09:01:58 it just could use some more "marketing"/"publicity"
Oct 23 09:02:23 ie bring it a little closer
Oct 23 09:03:14 Lots of people still think OpenWrt is just a toy for home routers.
Oct 23 09:03:26 Probably because of its origins.
Oct 23 09:03:31 rsalvaterra: for most people, it is
Oct 23 09:04:45 I couldn't see an enterprise environment allowing Openwrt, or depending on it. Openwrt is enthusiast-grade and nothing more.. and that's ok
Oct 23 09:04:47 well the toy gets more interesting with the flexibility of the toolchain
Oct 23 09:05:00 gives you the ability to personalize your router firmware
Oct 23 09:06:09 Grommish: Enterprise? I don't know… but for small to medium companies, it's perfect.
Oct 23 09:06:45 it's the only known router firmware with MAC support
Oct 23 09:07:08 rsalvaterra: How do you convince that director that you should be able to remove (and void) warranty on the expensive device you just paid for.. with software someone "gives" away
Oct 23 09:07:11 anyway linux was an enthusiast kernel as well
Oct 23 09:07:14 look at it now
Oct 23 09:07:23 grift: Only took 40 years
Oct 23 09:07:38 I was using VMS/VAX back in 1990.. badly
Oct 23 09:08:07 Grommish: I convinced our CEO to build an APU2C4 machine with OpenWrt, for our office. ;)
Oct 23 09:08:30 rsalvaterra: How often do you think that realistically happens though ;p
Oct 23 09:08:34 Or..
Oct 23 09:08:36 That's your job
Oct 23 09:08:42 and you just happen to be an enthusiast
Oct 23 09:09:16 the guy with the DBA fetish doesn't care about Openwrt ;p
Oct 23 09:09:28 and every IT person has a bent
Oct 23 09:09:31 He said he needed a system which could work as firewall/gateway and load-balance two WAN connections…
Oct 23 09:09:58 Ok.. you C-Suite?
Oct 23 09:10:00 … and he was looking at Cisco gear (and included consulting, of course).
Oct 23 09:10:09 Or E-level
Oct 23 09:10:33 And I said, "I can do that for about 250€". :P
Oct 23 09:11:11 rsalvaterra: oo.. you even managed lunch on it too I bet heheh
Oct 23 09:11:28 But you're the outlier
Oct 23 09:11:49 I know… it's the advantage of small companies. :)
Oct 23 09:11:59 Your voice is heard.
Oct 23 09:12:28 Yep.. More risk though..
Oct 23 09:12:43 Since you probably got voluntold to keep it running?
Oct 23 09:13:15 Yeah, I maintain it.
Oct 23 09:13:25 Actually, I'm the only one who has access to it.
Oct 23 09:13:35 As it should be
Oct 23 09:13:54 Another advantage to the SMB market.. you can tell the owner they can't have the keys
Oct 23 09:14:02 and they'll listen.. usually
Oct 23 09:14:22 In this case, nobody asked me for any keys… so I didn't give them. :P
Oct 23 09:14:30 :D
Oct 23 09:15:24 And I won't… I do the asking for (public) keys.
Oct 23 09:15:53 (The root password is disabled.)
Oct 23 09:43:42 Does anyone know how to enable 2KB jumbo frame support on mt7621? I tried changing the MTK_MAX_RX_LENGTH to 2048 but it did not work
Oct 23 09:43:56 Some MikroTik routers which used mt7621 have this feature on ROS
Oct 23 10:25:47 dengqf6: the previous ethernet driver has such a commit. check the git log.
Oct 23 10:34:47 I am trying to create a SciPy package for OpenWRT, and I am having issues with the dependency on Numpy: numpy builds, scipy doesn't
Oct 23 10:35:24 apparently the scipy build tries to import Numpy, but there is a mismatch in architecture
Oct 23 10:35:36 this is the build output https://pastebin.com/05CGD97A
Oct 23 10:36:04 and this is the scipy pkg Makefile: https://pastebin.com/Fvmn51Pd
Oct 23 10:37:20 it seems like the host python runs the scipy setup, which imports numpy, but it's the ARM numpy that gets imported and the host python chokes ofc
Oct 23 10:38:26 I think that is the issue, but it's the first time I build a python package with C modules AND a dependency on another python package with C modules
Oct 23 10:38:33 so I'm not sure how to fix it
Oct 23 10:46:43 there is somebody that had the same problem with buildroot and opened an issue on scipy: https://github.com/scipy/scipy/issues/9875
Oct 23 10:47:03 the reply was essentially "not our problem, closing. good luck" =)
Oct 23 10:54:03 mangix: do you mean https://kernel.source.codeaurora.cn/pub/scm/linux/kernel/git/netdev/net-next.git/commit?id=555a893303872e044fb86f0a5834ce78d41ad2e2 this commit? It only allows 151x MTU, not up to 2k
Oct 23 10:56:20 dengqf6: no there's a different one
Oct 23 10:57:03 that looks like the upstream driver
**** ENDING LOGGING AT Fri Oct 23 10:59:57 2020