Restricting users from certain privileges

2012-04-28 Thread Zenny
Hi:

I could not figure out how to restrict users or other users from certain
privileges to execute certain commands in FreeBSD/NanoBSD?

What I meant is I want to create a NanoBSD image in which there will be an
additional user, say 'admin'. I need to give this new user (admin) some
privileges to run some root-can-only-execute commands, but not all (ACL
similar to the firmwares in adsl modems from ISPs).

I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD
Rootkits' besides FreeBSD handbook, but I simply could not figure out.
Could anyone throw some light on this? Appreciate it!

Thanks!

/zenny

---

Support http://thehumanape.org
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"


Re: Restricting users from certain privileges

2012-04-28 Thread Daniel Braniss
> Hi:
> 
> I could not figure out how to restrict users or other users from certain
> privileges to execute certain commands in FreeBSD/NanoBSD?
> 
> What I meant is I want to create a NanoBSD image in which there will be an
> additional user, say 'admin'. I need to give this new user (admin) some
> privileges to run some root-can-only-execute commands, but not all (ACL
> similar to the firmwares in adsl modems from ISPs).
> 
> I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD
> Rootkits' besides FreeBSD handbook, but I simply could not figure out.
> Could anyone throw some light on this? Appreciate it!
> 
> Thanks!
> 
> /zenny

try sudo from ports, security/sudo

cheers,
danny




Re: Restricting users from certain privileges

2012-04-28 Thread Zenny
On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss  wrote:

> > Hi:
> >
> > I could not figure out how to restrict users or other users from certain
> > privileges to execute certain commands in FreeBSD/NanoBSD?
> >
> > What I meant is I want to create a NanoBSD image in which there will be an
> > additional user, say 'admin'. I need to give this new user (admin) some
> > privileges to run some root-can-only-execute commands, but not all (ACL
> > similar to the firmwares in adsl modems from ISPs).
> >
> > I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD
> > Rootkits' besides FreeBSD handbook, but I simply could not figure out.
> > Could anyone throw some light on this? Appreciate it!
> >
> > Thanks!
> >
> > /zenny
>
> try sudo from ports, security/sudo
>
> cheers,
>danny
>
>
Thanks Daniel, but sudo gives all (not selective) root privileges to the
user (admin in my case). So this is not what I am trying to achieve in my
original post.

/z


Re: Restricting users from certain privileges

2012-04-28 Thread Václav Zeman
On 04/28/2012 09:50 AM, Zenny wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss  wrote:
>
>>> Hi:
>>>
>>> I could not figure out how to restrict users or other users from certain
>>> privileges to execute certain commands in FreeBSD/NanoBSD?
>>>
>>> What I meant is I want to create a NanoBSD image in which there will be an
>>> additional user, say 'admin'. I need to give this new user (admin) some
>>> privileges to run some root-can-only-execute commands, but not all (ACL
>>> similar to the firmwares in adsl modems from ISPs).
>>>
>>> I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD
>>> Rootkits' besides FreeBSD handbook, but I simply could not figure out.
>>> Could anyone throw some light on this? Appreciate it!
>>>
>>> Thanks!
>>>
>>> /zenny
>> try sudo from ports, security/sudo
>>
>> cheers,
>>danny
>>
>>
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case). So this is not what I am trying to achieve in my
> original post.
If sudo does not work then what about using ACLs?

$ chmod og-rwx /bin/dangerous
$ setfacl -m "user:admin:rx" /bin/dangerous

-- 
VZ






Re: Restricting users from certain privileges

2012-04-28 Thread Dimitry Andric
On 2012-04-28 09:50, Zenny wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss  wrote:
...
>> try sudo from ports, security/sudo
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case).

This isn't true.  With sudo, you can give specific users, or groups of
users, restricted lists of commands they can run, and even specify on
which particular machines they can be run.

Please take a look at the nicely documented sample sudoers file:

  http://www.sudo.ws/sudo/sample.sudoers

For example, these lines may do more or less what you want:

  # users in the secretaries netgroup need to help manage the printers
  # as well as add and remove users
  +secretaries  ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

  # fred can run commands as oracle or sybase without a password
  fred  ALL = (DB) NOPASSWD: ALL

  # on the alphas, john may su to anyone but root and flags are not allowed
  john  ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

  # jen can run anything on all machines except the ones
  # in the "SERVERS" Host_Alias
  jen   ALL, !SERVERS = ALL

  # jill can run any commands in the directory /usr/bin/, except for
  # those in the SU and SHELLS aliases.
  jill  SERVERS = /usr/bin/, !SU, !SHELLS

  # steve can run any command in the directory /usr/local/op_commands/
  # as user operator.
  steve CSNETS = (operator) /usr/local/op_commands/

  # matt needs to be able to kill things on his workstation when
  # they get hung.
  matt  valkyrie = KILL


Re: Restricting users from certain privileges

2012-04-28 Thread Eugene Grosbein
28.04.2012 14:50, Zenny wrote:

>> try sudo from ports, security/sudo
>>
>> cheers,
>>danny
>>
>>
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case). So this is not what I am trying to achieve in my
> original post.

Please do study sudo real power :-)
It can give selective privileges per-command,
and it can also allow one to run some command with some arguments only
and not with others. Or, without any arguments only - as you tune
its sudoers configuration file.

Eugene Grosbein


Re: Restricting users from certain privileges

2012-04-28 Thread Konstantin Belousov
On Sat, Apr 28, 2012 at 11:29:58AM +0200, Dimitry Andric wrote:
> On 2012-04-28 09:50, Zenny wrote:
> > On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss  wrote:
> ...
> >> try sudo from ports, security/sudo
> > Thanks Daniel, but sudo gives all (not selective) root privileges to the
> > user (admin in my case).
> 
> This isn't true.  With sudo, you can give specific users, or groups of
> users, restricted lists of commands they can run, and even specify on
> which particular machines they can be run.
Sure, but if the allowed commands were not specifically designed to
be run with elevated privileges, you typically give the user ability
to run any command with elevated privileges.

Even specially designed commands sometimes give away much more power
than intended.




Re: Restricting users from certain privileges

2012-04-28 Thread Patrick M. Hausen
Hi, all,

On 28.04.2012 at 11:39, Eugene Grosbein wrote:

> 28.04.2012 14:50, Zenny wrote:
> 
>>> try sudo from ports, security/sudo
>>> 
>>> cheers,
>>>   danny
>>> 
>>> 
>> Thanks Daniel, but sudo gives all (not selective) root privileges to the
>> user (admin in my case). So this is not what I am trying to achieve in my
>> original post.
> 
> Please do study sudo real power :-)
> It can give selective privileges per-command,
> and it can also allow one to run some command with some arguments only
> and not with others. Or, without any arguments only - as you tune
> its sudoers configuration file.


Just make sure none of the permitted commands has got the
feature of starting a shell ;-))

Kind regards,
Patrick
-- 
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
i...@punkt.de   http://www.punkt.de
Gf: Jürgen Egeling  AG Mannheim 108285





Re: Restricting users from certain privileges

2012-04-28 Thread Lars Engels
On Sat, Apr 28, 2012 at 11:47:07AM +0200, Patrick M. Hausen wrote:
> Hi, all,
> 
> On 28.04.2012 at 11:39, Eugene Grosbein wrote:
> 
> > 28.04.2012 14:50, Zenny wrote:
> > 
> >>> try sudo from ports, security/sudo
> >>> 
> >>> cheers,
> >>>   danny
> >>> 
> >>> 
> >> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> >> user (admin in my case). So this is not what I am trying to achieve in my
> >> original post.
> > 
> > Please do study sudo real power :-)
> > It can give selective privileges per-command,
> > and it can also allow one to run some command with some arguments only
> > and not with others. Or, without any arguments only - as you tune
> > its sudoers configuration file.
> 
> 
> Just make sure none of the permitted commands has got the
> feature of starting a shell ;-))

Right, think of vi(1), less(1), et al.




Re: Restricting users from certain privileges

2012-04-28 Thread Torfinn Ingolfsen
On Sat, 28 Apr 2012 09:50:30 +0200
Zenny  wrote:

> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case). So this is not what I am trying to achieve in my
> original post.

FWIW, sudo can be configured to allow only some commands.
HTH
-- 
Regards,
Torfinn Ingolfsen



Re: Restricting users from certain privileges

2012-04-28 Thread Kurt Jaeger
Hi!

> > > Please do study sudo real power :-)
> > > It can give selective privileges per-command,
[...]
> > Just make sure none of the permitted commands has got the
> > feature of starting a shell ;-))
> 
> Right, think of vi(1), less(1), et al.

Even this aspect is taken care of with sudo (at least to a certain limit):

   NOEXEC and EXEC

   If sudo has been compiled with noexec support and the underlying
   operating system supports it, the NOEXEC tag can be used to prevent a
   dynamically-linked executable from running further commands itself.

   In the following example, user aaron may run /usr/bin/more and
   /usr/bin/vi but shell escapes will be disabled.

aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

   See the "PREVENTING SHELL ESCAPES" section below for more details on
   how NOEXEC works and whether or not it will work on your system.

-- 
p...@opsec.eu+49 171 3101372 8 years to go !


Re: Restricting users from certain privileges

2012-04-28 Thread Stephen Montgomery-Smith

On 04/28/2012 02:50 AM, Zenny wrote:
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss  wrote:
>
>>> Hi:
>>>
>>> I could not figure out how to restrict users or other users from certain
>>> privileges to execute certain commands in FreeBSD/NanoBSD?
>>>
>>> What I meant is I want to create a NanoBSD image in which there will be an
>>> additional user, say 'admin'. I need to give this new user (admin) some
>>> privileges to run some root-can-only-execute commands, but not all (ACL
>>> similar to the firmwares in adsl modems from ISPs).
>>>
>>> I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD
>>> Rootkits' besides FreeBSD handbook, but I simply could not figure out.
>>> Could anyone throw some light on this? Appreciate it!
>>>
>>> Thanks!
>>>
>>> /zenny
>>
>> try sudo from ports, security/sudo
>>
>> cheers,
>> danny
>
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case). So this is not what I am trying to achieve in my
> original post.


Try the security/super port.  It is easy to create very fine grained 
privileges to selected users.  (I am not saying that sudo cannot do 
this, but with super it is very easy.)




Re: Restricting users from certain privileges

2012-04-28 Thread Freddie Cash
On Apr 28, 2012 12:50 AM, "Zenny"  wrote:
>
> On Sat, Apr 28, 2012 at 9:38 AM, Daniel Braniss  wrote:
>
> > > Hi:
> > >
> > > I could not figure out how to restrict users or other users from certain
> > > privileges to execute certain commands in FreeBSD/NanoBSD?
> > >
> > > What I meant is I want to create a NanoBSD image in which there will be an
> > > additional user, say 'admin'. I need to give this new user (admin) some
> > > privileges to run some root-can-only-execute commands, but not all (ACL
> > > similar to the firmwares in adsl modems from ISPs).
> > >
> > > I read Dru Lavigne's 'BSD Hacks' and Joseph Kong's 'Designing BSD
> > > Rootkits' besides FreeBSD handbook, but I simply could not figure out.
> > > Could anyone throw some light on this? Appreciate it!
> > >
> > > Thanks!
> > >
> > > /zenny
> >
> > try sudo from ports, security/sudo
> >
> > cheers,
> > danny
> >
> >
> Thanks Daniel, but sudo gives all (not selective) root privileges to the
> user (admin in my case). So this is not what I am trying to achieve in my
> original post.

Sudo lets you do a lot more than all-or-nothing access. You can specify
individual commands that can be run, even down to the options that can be
used, and whether or not they need a passwd. And you can even specify which
user to run the command as (doesn't have to be root).

Read through the sudoers(5) man page and the comments in the default
sudoers file for all the gory details.

Cheers,
Freddie Cash
fjwc...@gmail.com


Re: High load event idl.

2012-04-28 Thread Albert Shih
On 28/04/2012 at 09:55:41+0300, Alexander Motin wrote:
> On 04/28/12 00:34, Albert Shih wrote:
> Definitely, because here I don't see much.
> 

Thanks.

> Generally, all CPU loads and load averages now calculated via sampling, 
> so theoretically with spiky load numbers may vary for many reasons. I 
> would start from collecting information about running processes. To find 
> fast switching processes that could hide from accounting try `top -SH -m 
> io -o vcsw`. To get more information about scheduler work, use 
> /usr/src/tools/sched/schedgraph.py (instruction inside it).

I recompile my kernel this night and tell you tomorrow.


Here is the result of top with those strange options ;-)

last pid: 25530;  load averages:  0.52,  0.58,  0.57
up 0+01:06:40  22:43:54
156 processes: 3 running, 134 sleeping, 19 waiting
CPU:  0.0% user,  0.0% nice,  0.6% system,  0.0% interrupt, 99.4% idle
Mem: 67M Active, 52M Inact, 217M Wired, 11M Cache, 415M Buf, 3574M Free
Swap: 4096M Total, 4096M Free

  PID USERNAME VCSW  IVCSW   READ  WRITE  FAULT  TOTAL PERCENT COMMAND
   11 root  277513  0  0  0  0   0.00% idle{idle: 
cpu0}
   12 root  246  3  0  0  0  0   0.00% intr{irq12: 
psm0}
25244 root  245 21  0  0  0  0   0.00% Xorg
   12 root  220  0  0  0  0  0   0.00% intr{irq20: 
hpet0 uhc}
   12 root  124 15  0  0  0  0   0.00% intr{swi4: 
clock}
   12 root   65  1  0  0  0  0   0.00% intr{irq17: 
wpi0}
   12 root   32  0  0  0  0  0   0.00% intr{swi4: 
clock}
   11 root   21390  0  0  0  0   0.00% idle{idle: 
cpu1}
0 root   20  0  0  0  0  0   0.00% 
kernel{fw0_taskq}
   14 root   20  0  0  0  0  0   0.00% yarrow
25274 jas15  0  0  0  0  0   0.00% ion3
25022 root   11  3  0  0  0  0   0.00% powerd
25372 jas 9  2  0  0  0  0   0.00% xterm
0 root8  0  0  0  0  0   0.00% 
kernel{nvidia taskq}
   12 root6  0  0  0  0  0   0.00% intr{irq16: 
vgapci0}
25166 root4  0  0  0  0  0   0.00% 
hald-addon-storage
   12 root4  0  0  0  0  0   0.00% intr{swi6: 
Giant task}
   12 root4  0  0  0  0  0   0.00% intr{irq1: 
atkbd0}
   12 root3  0  0  0  0  0   0.00% intr{irq14: 
ata0}
4 root2  0  0  0  0  0   0.00% pfpurge
   18 root2  0  0  0  0  0   0.00% bufdaemon
   20 root2  0  0  0  0  0   0.00% syncer
   21 root2  0  0  0  0  0   0.00% softdepflush
25276 jas 2  0  0  0  0  0   0.00% ion-statusd
25526 jas 2  0  0  0  0  0   0.00% top
25345 jas 2  0  0  0  0  0   0.00% xterm
   19 root2  0  0  0  0  0   0.00% vnlru
25133 haldaemon   2  0  0  0  0  0   0.00% hald{hald}
   12 root2  0  0  0  0  0   0.00% intr{swi2: 
cambio}
25364 root2  0  0  0  0  0   0.00% top
7 root1  0  0  0  0  0   0.00% pagedaemon
   15 root1  0  0  0  0  0   0.00% usb{usbus6}
   15 root1  0  0  0  0  0   0.00% usb{usbus2}
25135 root0  0  0  0  0  0   0.00% 
console-kit-daemon{console-kit-daem}
25135 root0  0  0  0  0  0   0.00% 
console-kit-daemon{console-kit-daem}
25135 root0  0  0  0  0  0   0.00% 
console-kit-daemon{console-kit-daem}
25135 root0  0  0  0  0  0   0.00% 
console-kit-daemon{console-kit-daem}
25135 root0  0  0  0  0  0   0.00% 
console-kit-daemon{console-kit-daem}
25135 root0  0  0  0  0  0   0.00% 
console-kit-daemon{console-kit-daem}
25135 root0  0  0  0  0  0   0.00% 
console-kit-daemon{console-kit-daem}
25135 root0  0  0  0  0  0   0.00% 
console-kit-daemon{console-kit-daem}
25135 root0  0  0  0  0  0   0.00% 
console-kit-daemon{console-kit-daem}
25135 root0  0  0  0  0  0   0.00% 
console-kit-daemon{console-kit-daem}
25135 root0  0  0  0  0  0   0.00% 
console-kit-daemon{console-kit-daem}
25135 root0  0  0  0  0  0   0.00% 
console-kit-daemon{console-kit-daem}
25135 ro

Re: Restricting users from certain privileges

2012-04-28 Thread Jason Hellenthal


On Sat, Apr 28, 2012 at 08:04:31PM +0200, Kurt Jaeger wrote:
> Hi!
> 
> > > > Please do study sudo real power :-)
> > > > It can give selective privileges per-command,
> [...]
> > > Just make sure none of the permitted commands has got the
> > > feature of starting a shell ;-))
> > 
> > Right, think of vi(1), less(1), et al.
> 
> Even this aspect is taken care of with sudo (at least to a certain limit):
> 
>    NOEXEC and EXEC
> 
>    If sudo has been compiled with noexec support and the underlying
>    operating system supports it, the NOEXEC tag can be used to prevent a
>    dynamically-linked executable from running further commands itself.
> 
>    In the following example, user aaron may run /usr/bin/more and
>    /usr/bin/vi but shell escapes will be disabled.
> 
> aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
> 
>    See the "PREVENTING SHELL ESCAPES" section below for more details on
>    how NOEXEC works and whether or not it will work on your system.
> 

cp /usr/bin/vi ~/

or upload your own...

sudo $HOME/vi


You need to be very careful with this NOEXEC thinking as it will not
always get you what you originally intended.


-- 

 - (2^(N-1))


Re: Restricting users from certain privileges

2012-04-28 Thread Freddie Cash
On Apr 28, 2012 4:03 PM, "Jason Hellenthal"  wrote:
> cp /usr/bin/vi ~/
>
> or upload your own...
>
> sudo $HOME/vi
>

If your Cmnd_Alias includes the full path to vi, then your last command
won't work.


Re: Restricting users from certain privileges

2012-04-28 Thread Jason Hellenthal


On Sat, Apr 28, 2012 at 04:34:34PM -0700, Freddie Cash wrote:
> On Apr 28, 2012 4:03 PM, "Jason Hellenthal"  wrote:
> > cp /usr/bin/vi ~/
> >
> > or upload your own...
> >
> > sudo $HOME/vi
> >
> 
> If your Cmnd_Alias includes the full path to vi, then your last command
> won't work.

I know. Just an example of why you should be careful. I had an admin on
a box I supervise add an entry where it enabled a user to run
miscellaneous commands. It did not affect anything since the user is well
trusted but if it had been the other way around and had not been caught
the sheer consequence of such could have been disastrous.

-- 

 - (2^(N-1))
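
The points raised across this thread (no blanket ALL grant, full paths only, nothing under a directory the user can write to, NOEXEC on anything that can start a shell) can be checked mechanically. The Python linter below is an added example, not part of any poster's message and not part of sudo; the users, the host `nanobsd`, the sample policy and the `SHELL_ESCAPE` list are constructed, and the parser handles only single-line rules and `Cmnd_Alias`, so `visudo -c` remains the syntax check.

```python
import re

# Programs the thread names as able to start a shell (vi, less), plus more,
# which the quoted sudoers(5) excerpt pairs with vi. Assumed list; extend it.
SHELL_ESCAPE = {"vi", "less", "more"}
# Assumed locations of user-writable home directories on the image.
HOME_PREFIXES = ("/home/", "/usr/home/")

# Constructed sample policy (not from the thread).
SAMPLE = """\
Cmnd_Alias NET = /sbin/ifconfig, /sbin/route
Cmnd_Alias VIEW = /usr/bin/less, /usr/bin/vi
# "" after a command means: allowed only without arguments
admin   nanobsd = NET, /sbin/reboot ""
admin   nanobsd = NOEXEC: VIEW
oper    nanobsd = /usr/bin/less /var/log/messages
helper  nanobsd = /home/helper/bin/, /usr/local/op_commands/
legacy  ALL = (ALL) NOPASSWD: ALL
"""

TAG = re.compile(r"^(NOEXEC|EXEC|NOPASSWD|PASSWD):\s*")
RUNAS = re.compile(r"^\([^)]*\)\s*")
ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")


def parse(text):
    """Return (aliases, rules); each rule is (user, [(command, noexec), ...])."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # simplified comment handling
        if not line or line.startswith(SKIP):
            continue
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        head, sep, rest = line.partition("=")
        if not sep or not head.split():
            continue
        noexec, cmds = False, []
        for item in (i.strip() for i in rest.split(",")):
            item = RUNAS.sub("", item)
            t = TAG.match(item)
            while t:                              # tags persist along the list
                if t.group(1) in ("NOEXEC", "EXEC"):
                    noexec = t.group(1) == "NOEXEC"
                item = item[t.end():]
                t = TAG.match(item)
            if item:
                cmds.append((item, noexec))
        rules.append((head.split()[0], cmds))
    return aliases, rules


def expand(cmd, aliases, seen=()):
    """Replace a Cmnd_Alias name by its members, recursively."""
    if cmd in aliases and cmd not in seen:
        for inner in aliases[cmd]:
            yield from expand(inner, aliases, seen + (cmd,))
    else:
        yield cmd


def audit(text):
    """Return (user, command, reason) for every grant worth a second look."""
    aliases, rules = parse(text)
    findings = []
    for user, cmds in rules:
        for item, noexec in cmds:
            for cmd in expand(item, aliases):
                if cmd.startswith("!"):
                    continue                      # a denial grants nothing
                path = cmd.split()[0]
                if path == "ALL":
                    reason = "every command allowed"
                elif not path.startswith("/"):
                    reason = "not a full path"
                elif path.startswith(HOME_PREFIXES):
                    reason = "under a home directory; the user can replace it"
                elif path.endswith("/"):
                    reason = "whole directory; confirm only root can write there"
                elif path.rsplit("/", 1)[1] in SHELL_ESCAPE and not noexec:
                    reason = "can start a shell and has no NOEXEC tag"
                else:
                    continue
                findings.append((user, cmd, reason))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE):
        print(f"{user}: {cmd}: {reason}")
```

The two `admin` rules pass cleanly; the `oper`, `helper` and `legacy` rules are each reported.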


Re: High load event idl.

2012-04-28 Thread Alexander Motin

On 04/29/12 01:53, Oliver Pinter wrote:
> Attached the ktr file. This is on core2duo P9400 cpu (
> smbios.system.product="HP ProBook 5310m (WD792EA#ABU)" ). The workload
> is only a single user boost: sh + top running, but the load average is
> near 0.5.

ktr shows no real load there. But it shows that you are using dummynet, 
that schedules its runs on every hardclock tick. I believe that load you 
see is the result of synchronization between dummynet calls and loadavg 
sampling, both of which called from hardclock. I think removing dummynet 
from equation, should hide this problem and also reduce your laptop's 
power consumption.

What's about fixing this, it is loadavg sampling algorithm that should 
be changed. Fixing dummynet to not run on every hardclock tick would 
also be great.

> On 4/28/12, Alexander Motin  wrote:
>> On 04/28/12 00:34, Albert Shih wrote:
>>> On 27/04/2012 at 22:45:40+0200, Oliver Pinter wrote:
>>>>> I'm running 9-stable on all my computer. (csup yesterday).
>>>>>
>>>>> On my desktop everything is fine. But I've two laptop, (both are Dell).
>>>>> On both laptop I've problem about the load, even when I do nothing I
>>>>> got a load between 0.5-1.
>>>>>
>>>>> Here the result of a «top» on the laptop :
>>>>>
>>>>> last pid:  2434;  load averages:  0.63,  0.67,  0.59 up 0+00:23:59  22:25:29
>>>>> 57 processes:  3 running, 54 sleeping
>>>>> CPU:  2.7% user,  0.0% nice,  3.7% system,  1.4% interrupt, 92.2% idle
>>>>> Mem: 89M Active, 92M Inact, 198M Wired, 13M Cache, 100M Buf, 3529M Free
>>>>> Swap: 4096M Total, 4096M Free
>>>>>
>>>>> Here on the desktop :
>>>>>
>>>>> last pid: 61010;  load averages:  0.00,  0.00,  0.00 up 2+11:02:42  22:29:08
>>>>> 126 processes: 1 running, 125 sleeping
>>>>> CPU: % user, % nice, % system, % interrupt, % idle
>>>>> Mem: 803M Active, 2874M Inact, 1901M Wired, 112M Cache, 620M Buf, 202M Free
>>>>> Swap: 6144M Total, 36M Used, 6107M Free
>>>>>
>>>>
>>>> http://lists.freebsd.org/pipermail/freebsd-bugs/2012-April/048213.html
>>>
>>> What I understand of your message (I'm definitely not a dev) is that's
>>> only a little problem of accounting.
>>>
>>> I'm not absolute sure of that because my laptop fan never stop...
>>>
>>> If you want any more information...
>>
>> Definitely, because here I don't see much.
>>
>> Generally, all CPU loads and load averages now calculated via sampling,
>> so theoretically with spiky load numbers may vary for many reasons. I
>> would start from collecting information about running processes. To find
>> fast switching processes that could hide from accounting try `top -SH -m
>> io -o vcsw`. To get more information about scheduler work, use
>> /usr/src/tools/sched/schedgraph.py (instruction inside it).
>>
>> --
>> Alexander Motin

--
Alexander Motin


Re: High load event idl.

2012-04-28 Thread Ian Smith
On Sun, 29 Apr 2012 08:17:38 +0300, Alexander Motin wrote:
 > On 04/29/12 01:53, Oliver Pinter wrote:
 > > Attached the ktr file. This is on core2duo P9400 cpu (
 > > smbios.system.product="HP ProBook 5310m (WD792EA#ABU)" ). The workload
 > > is only a single user boost: sh + top running, but the load average is
 > > near 0.5.
 > 
 > ktr shows no real load there. But it shows that you are using dummynet, that
 > schedules its runs on every hardclock tick. I believe that load you see is
 > the result of synchronization between dummynet calls and loadavg sampling,
 > both of which called from hardclock. I think removing dummynet from equation,
 > should hide this problem and also reduce your laptop's power consumption.
 > 
 > What's about fixing this, it is loadavg sampling algorithm that should be
 > changed. Fixing dummynet to not run on every hardclock tick would also be
 > great.

Wading in out of my depth, and copying Luigi in case he misses it .. but 
even back in the olden days when HZ defaulted to 100, one was advised to 
use HZ >= 1000 for smooth dummynet traffic shaping dispatch scheduling.

I wonder, with the newer clocks and timers, whether there is another 
clock that could be used for dummynet scheduling, that would not have 
this effect (even if largely cosmetic?) on load average calculation?

cheers, Ian

 > > On 4/28/12, Alexander Motin  wrote:
 > > > On 04/28/12 00:34, Albert Shih wrote:
 > > > > On 27/04/2012 at 22:45:40+0200, Oliver Pinter wrote:
 > > > > > > I'm running 9-stable on all my computer. (csup yesterday).
 > > > > > > 
 > > > > > > On my desktop everything is fine. But I've two laptop, (both are
 > > > > > > Dell).
 > > > > > > On
 > > > > > > both laptop I've problem about the load, even when I do nothing I
 > > > > > > got
 > > > > > > a
 > > > > > > load between 0.5-1.
 > > > > > > 
 > > > > > > Here the result of a «top» on the laptop :
 > > > > > > 
 > > > > > > last pid:  2434;  load averages:  0.63,  0.67,  0.59 up 0+00:23:59
 > > > > > > 22:25:29
 > > > > > > 57 processes:  3 running, 54 sleeping
 > > > > > > CPU:  2.7% user,  0.0% nice,  3.7% system,  1.4% interrupt, 92.2%
 > > > > > > idle
 > > > > > > Mem: 89M Active, 92M Inact, 198M Wired, 13M Cache, 100M Buf, 3529M
 > > > > > > Free
 > > > > > > Swap: 4096M Total, 4096M Free
 > > > > > > 
 > > > > > > Here on the desktop :
 > > > > > > 
 > > > > > > last pid: 61010;  load averages:  0.00,  0.00,  0.00 up 2+11:02:42
 > > > > > > 22:29:08
 > > > > > > 126 processes: 1 running, 125 sleeping
 > > > > > > CPU: % user, % nice, % system, % interrupt, %
 > > > > > > idle
 > > > > > > Mem: 803M Active, 2874M Inact, 1901M Wired, 112M Cache, 620M Buf,
 > > > > > > 202M
 > > > > > > Free
 > > > > > > Swap: 6144M Total, 36M Used, 6107M Free
 > > > > > > 
 > > > > > 
 > > > > > http://lists.freebsd.org/pipermail/freebsd-bugs/2012-April/048213.html
 > > > > 
 > > > > What I understand of your message (I'm definitely not a dev) is that's
 > > > > only
 > > > > a little problem of accounting.
 > > > > 
 > > > > I'm not absolute sure of that because my laptop fan never stop...
 > > > > 
 > > > > If you want any more information...
 > > > 
 > > > Definitely, because here I don't see much.
 > > > 
 > > > Generally, all CPU loads and load averages now calculated via sampling,
 > > > so theoretically with spiky load numbers may vary for many reasons. I
 > > > would start from collecting information about running processes. To find
 > > > fast switching processes that could hide from accounting try `top -SH -m
 > > > io -o vcsw`. To get more information about scheduler work, use
 > > > /usr/src/tools/sched/schedgraph.py (instruction inside it).
 > > > 
 > > > --
 > > > Alexander Motin

Re: High load event idl.

2012-04-28 Thread Alexander Motin

On 04/29/12 09:09, Ian Smith wrote:
> On Sun, 29 Apr 2012 08:17:38 +0300, Alexander Motin wrote:
>  > On 04/29/12 01:53, Oliver Pinter wrote:
>  > > Attached the ktr file. This is on core2duo P9400 cpu (
>  > > smbios.system.product="HP ProBook 5310m (WD792EA#ABU)" ). The workload
>  > > is only a single user boost: sh + top running, but the load average is
>  > > near 0.5.
>  >
>  > ktr shows no real load there. But it shows that you are using dummynet, that
>  > schedules its runs on every hardclock tick. I believe that load you see is
>  > the result of synchronization between dummynet calls and loadavg sampling,
>  > both of which called from hardclock. I think removing dummynet from equation,
>  > should hide this problem and also reduce your laptop's power consumption.
>  >
>  > What's about fixing this, it is loadavg sampling algorithm that should be
>  > changed. Fixing dummynet to not run on every hardclock tick would also be
>  > great.
>
> Wading in out of my depth, and copying Luigi in case he misses it .. but
> even back in the olden days when HZ defaulted to 100, one was advised to
> use HZ >= 1000 for smooth dummynet traffic shaping dispatch scheduling.
>
> I wonder, with the newer clocks and timers, whether there is another
> clock that could be used for dummynet scheduling, that would not have
> this effect (even if largely cosmetic?) on load average calculation?


First of all, the easiest solution would be to make dummynet to schedule 
callout not automatically, but on first queued packet. I believe that in 
case of laptop the queue should be empty most of time and the callout 
calls are completely useless there. Luigi promised to look on this once.


What's about better precision/removing synchronization -- there is 
starting GSoC project now (by davide@) to rewrite callout(9) subsystem 
to use better precision allowed by new timer drivers. While now it is 
possible to get raw access to additional timer hardware available on 
some systems, I don't think it is a good idea.


--
Alexander Motin


Re: 9-STABLE, ZFS, NFS, ggatec - suspected memory leak

2012-04-28 Thread Daniel Braniss
> Daniel Braniss wrote:
> > >
> > > Rick Macklem  wrote
> > >   in
> > >   <1527622626.3418715.1335445225510.javamail.r...@erie.cs.uoguelph.ca>:
> > >
> > > rm> Steven Hartland wrote:
> > > rm> >  Original Message -
> > > rm> > From: "Rick Macklem" 
> > > rm> > > At a glance, it looks to me like 8.x is affected. Note that
> > > the
> > > rm> > > bug only affects the new NFS server (the experimental one
> > > for 8.x)
> > > rm> > > when exporting ZFS volumes. (UFS exported volumes don't
> > > leak)
> > > rm> > >
> > > rm> > > If you are running a server that might be affected, just:
> > > rm> > > # vmstat -z | fgrep -i namei
> > > rm> > > on the server and see if the 3rd number shown is increasing.
> > > rm> >
> > > rm> > Many thanks Rick wasn't aware we had anything experimental
> > > enabled
> > > rm> > but I think that would be a yes looking at these number:-
> > > rm> >
> > > rm> > vmstat -z | fgrep -i namei
> > > rm> > NAMEI: 1024, 0, 1, 1483, 25285086096, 0
> > > rm> > vmstat -z | fgrep -i namei
> > > rm> > NAMEI: 1024, 0, 0, 1484, 25285945725, 0
> > > rm> >
> > > rm> ^
> > > rm> I don't think so, since the 3rd number (USED) is 0 here.
> > > rm> If that # is increasing over time, you have the leak. You are
> > > rm> probably running the old (default in 8.x) NFS server.
> > >
> > >  Just a report, I confirmed it affected 8.x servers running newnfs.
> > >
> > >  Actually I have been suffered from memory starvation symptom on
> > >  that
> > >  server (24GB RAM) for a long time and watching vmstat -z
> > >  periodically. It stopped working once a week. I investigated the
> > >  vmstat log again and found the amount of NAMEI leak was 11,543,956
> > >  (about 11GB!) just before the locked-up. After applying the patch,
> > >  the leak disappeared. Thank you for fixing it!
> > >
> > > -- Hiroki
> And thanks Hiroki for testing it on 8.x.
> 
> > this is on 8.2-STABLE/amd64 from around August:
> > same here, this zfs+newnfs has been hanging every few months, and I
> > can see
> > now the leak, it's slowly increasing:
> > NAMEI: 1024, 0, 122975, 529, 15417248, 0
> > NAMEI: 1024, 0, 122984, 520, 15421772, 0
> > NAMEI: 1024, 0, 123002, 502, 15424743, 0
> > NAMEI: 1024, 0, 123008, 496, 15425464, 0
> > 
> > cheers,
> > danny
> Maybe you could try the patch, too.
> 
> It's at:
>http://people.freebsd.org/~rmacklem/namei-leak.patch
> 
> I'll commit it to head soon with a 1 month MFC, so that hopefully
> Oliver will have a chance to try it on his production server before
> the MFC.
> 
> Thanks everyone, for your help with this, rick

I haven't applied the patch yet, but in the meantime I have been running some 
experiments on a zfs/nfs server running 8.3-STABLE, and don't see any leaks
what triggers the leak?

thanks,
danny

