1518413494 M * Bertl_oO off to bed now ... have a good one everyone!
1518413496 N * Bertl_oO Bertl_zZ
1518414360 Q * bonbons Quit: Leaving
1518422972 Q * Ghislain Quit: Leaving.
1518422974 J * Ghislain ~ghislain@81.56.195.31
1518423785 J * nikolay ~nikolay@149.235.255.3
1518423832 M * Ghislain hi there
1518424208 M * Ghislain 4.9.80-vs2.3.9.7aq compiles, runs and testme testfs are okay. netstat does not leak anymore
1518424253 M * Ghislain virt_load, virt_uptime seem ok
1518424296 M * Ghislain virt mem seems ok also but i got a difference between my guests
1518424327 M * Ghislain statch shows 2 lines, jessie shows 3 (+/- buffer cache appears)
1518424396 M * Ghislain s/statch/stretch/
1518424463 M * Ghislain ss -l shows the 127.x.x.x address and not 127.0.0.1
1518424604 M * Ghislain this was already the case before in 4.1
1518425045 M * Le_Coyote Ghislain: FWIW, 4.4.111-vs2.3.9.1 here, ss does show 127.0.0.1
1518425085 M * Le_Coyote Odd.
1518425091 M * Ghislain indeed
1518425148 M * Le_Coyote Gcc 7 still not marked as stable in Gentoo … No reptoline then :/
1518425184 M * Le_Coyote retpoline*
1518425242 M * Ghislain Mitigation: PTI
1518425242 M * Ghislain Vulnerable
1518425242 M * Ghislain Vulnerable: Minimal generic ASM retpoline
1518425262 M * Ghislain that is what i get in my 4.93.80
1518425300 M * Ghislain kernel is compiled in debian buster
1518425307 M * Le_Coyote Darn.
1518425322 M * Le_Coyote x86_64 ?
1518425330 M * Ghislain yes
1518425349 M * Le_Coyote And which version of GCC?
1518425389 M * Ghislain gcc (Debian 8-20180110-1) 8.0.0 20180110 (experimental) [trunk revision 256425]
1518425406 M * Le_Coyote Huh.
1518425418 M * Le_Coyote So 4.9.80 didn't get all the backports then
1518425662 M * Le_Coyote I'm still annoyed that util-vserver won't build properly with hardened now
1518425816 M * Ghislain i cannot build the utils on buster, i must compile them on jessie. On buster they fail to build because it seems dietlibc has issues
1518425837 M * Le_Coyote Ah, that rings a bell too
1518425923 M * Le_Coyote Then again, it looks totally unmaintained
1518426000 M * Ghislain dietlibc yes, i tried to replace it with musl but it failed on some kernel includes
1518426048 M * Le_Coyote I'm questioning the sanity of depending on old, unmaintained software
1518426089 M * Le_Coyote And yeah, I checked, it doesn't know how to be built with no-pie I think
1518426113 M * Ghislain well the dev community for vserver-util is one, so you cannot expect a workforce on it :)
1518426154 M * Le_Coyote True.
1518426163 M * Le_Coyote Which is why I'm considering LXC more and more
1518426171 M * Le_Coyote LXC/LXD
1518426228 M * Ghislain you must use what suits your needs, for me vserver has some unique features and a mindset that i love. So i will do my best to stick to it but your mileage may vary
1518426263 M * Le_Coyote I'd love to stick with it
1518426329 M * Le_Coyote But sometimes I just wish I could stop creating manual patches for dietlibc, util-vserver & co
1518426374 M * Le_Coyote Also, if I'd been using LXC/LXD, I wouldn't be worrying about the CPU issues any longer
1518429534 M * Ghislain i know, the only thing you can do is help Bertl and Daniel whenever possible
1518429739 Q * Le_Coyote Ping timeout: 480 seconds
1518430355 J * Le_Coyote ~smokey@253.242.118.78.rev.sfr.net
1518431784 N * Bertl_zZ Bertl
1518431789 M * Bertl morning folks!
1518431837 M * Bertl Le_Coyote: how does LXC 'solve' the 'CPU issues' (whatever they are)?
1518432049 M * Ghislain because they use distribution kernels that are patched i guess
1518432083 M * Ghislain ubuntu does the job of compiling and making sure retpoline and KPTI are in there
1518432177 M * Bertl ubuntu also makes sure that there are a lot of buggy and completely unused drivers and features in the kernel, which quite often can be used for exploits ...
1518432501 M * Ghislain well nobody gets fired for choosing an ubuntu kernel ;p (famous IBM quote)
1518432795 M * Ghislain and you know i love to compile unused modules in my kernel too ;p
1518433820 M * Bertl yeah, beats me why that is so :)
1518433945 M * Ghislain eheh, hey i removed the 10mbps network cards and PATA so.. it's a start. The issue when you work with a hosting provider is that you never know what chipset/network card/storage chipset you gonna get
1518433988 M * Ghislain so it's not easy to have to recompile a kernel at each new machine because today they used this network card instead of the famous TG3
1518434035 M * Ghislain and the more famous bnx2, well known for its binary blob NOT included in vanilla that i have to add each time by hand :p
1518434329 M * Ghislain Bertl: i dont know if you have seen but netstat is ok and ss -nl shows the 127.x.x.x internal ip instead of 127.0.0.1
1518434346 M * Ghislain on the latest 4.9.80
1518436025 M * Bertl excellent! thanks for testing!
1518436213 M * Bertl looks like we should have a working kernel/patch soon ...
1518440084 M * Ghislain yep
1518440345 M * Ghislain i tried to understand the loop for tcp to see if we cannot filter before it but i did not understand how they get the socket list they loop on
1518440590 M * Ghislain it seems ss also leaks udp sockets
1518440644 M * Ghislain i can see my ns server listening on 0.0.0.0:53 on another guest
1518440655 M * Ghislain on old non patched 4.1
1518440663 M * Ghislain i mean old patch set
1518440694 M * Ghislain this is because our filters should be at ip level not tcp or udp or whatever
1518442875 M * Ghislain Bertl: do you think the filtering should be done in ./net/socket.c ? in __sock_create perhaps ?
1518443049 M * Bertl well, we can't work on the IP level because we are only able to address tcp and udp
1518443101 M * Ghislain well we limit ip access so this is at the socket no ? oh you mean inside a guest only tcp and udp will work ?
1518443107 M * Bertl and filtering at the time of creation wouldn't do much good ... would it?
1518443128 M * Ghislain yes, i dont find where the "list_sock" is but you got my meaning :p
1518443144 M * Bertl so, if udp gets leaked, we should find the place where udp is listed
1518443166 M * Ghislain i guess udp.c :p
1518443178 M * Bertl but it should be cosmetic, because binding should be restricted
1518443206 M * Bertl @udp.c chances are good :)
1518443348 M * Bertl checking 4.1.49, I see the checks in udp_get_first() and udp_get_next()
1518443385 M * Bertl so that should be properly filtered
1518443430 M * Ghislain udp    UNCONN     0      0      127.156.194.1:53
1518443430 M * Ghislain udp    UNCONN     0      0      10.100.254.254:53
1518443447 M * Ghislain i am on 4.1.43-vs2.3.8.6aq for my dns server
1518443466 M * Ghislain the puppet guest sees the udp socket of the dns guest
1518443499 M * Ghislain and it can see the real 127.x ip and a network 10.x that this guest has no access to
1518443555 M * Le_Coyote Bertl: What I meant is that vanilla 4.15 with fixes for Spectre/Meltdown has been out for a few days now
1518443555 M * Bertl well, as usual, the steps would be:
1518443566 M * Le_Coyote No offense of course, just stating the fact
1518443594 M * Bertl 1) check with latest 4.1.x kernel/patches
1518443606 M * Bertl 2) create a minimal test case to reproduce the issue
1518443620 M * Bertl 3) see where the leaked information comes from
1518443642 M * Bertl Le_Coyote: 4.15.x patches are in the works
1518443689 M * Le_Coyote Oh? Well that's great to know :) My next option was to investigate whether 4.9 had these fixes backported already
1518443697 M * Le_Coyote But 4.15 sounds great
1518443761 M * Le_Coyote I'm gonna post a simple patch for util-vserver vs hardened gcc
1518443770 M * Le_Coyote In spite of daniel's silence :/
1518443785 M * Bertl will still take a little, there are a lot of changes compared to 4.9 and 4.9 was already a PITA
1518443801 M * Le_Coyote I'll bet
1518443803 M * Ghislain PITA is a technical word of course
1518443832 M * Bertl the problem is that they are now actively moving networking stuff around
1518443861 M * Bertl i.e. today you find a function in one file, tomorrow it was moved to a completely different one
1518444030 M * Bertl naturally that complicates things with dependencies and includes
1518444393 M * Ghislain hey i upgraded gcc on my debian and look: Mitigation: Full generic retpoline
1518444417 M * Ghislain so spectre v1 still to mitigate
1518444628 M * nikolay Ghislain, you may want to read this https://lkml.org/lkml/2018/1/22/598 before continuing with this retpoline patching...
1518444954 M * Le_Coyote It would be great if someone could summarize the do's and don'ts, as well as shoulds and shouldn'ts for all these mitigation strategies
1518444967 M * Le_Coyote (kernel devs preferably)
1518444990 M * Ghislain http://kroah.com/log/blog/2018/01/19/meltdown-status-2/
1518444995 M * Le_Coyote How many end-users read LKML and think they're safe with the latest kernel and microcode ?
1518445012 M * Le_Coyote Thanks Ghislain ;)
1518445181 M * Ghislain it's not a list of all the tech with comparison but it is interesting to follow this blog
1518445473 M * Ghislain nikolay: you try to make me cry yes ? i just achieved the retpoline mark today... :(
1518445564 M * nikolay sorry about this, again it is not a bad thing, it just depends on what hardware you run ...
1518447717 M * Bertl off for now ... bbl
1518447723 N * Bertl Bertl_oO
1518450767 Q * nikolay Quit: Leaving
1518451456 M * Le_Coyote Ah yeah, there's that too. I'm not even sure my CPUs are affected by the microcode update
1518451467 M * Le_Coyote Meaning the reboot issue
1518455571 M * Bertl_oO if they got an update, they are probably affected :)
1518458089 M * Ghislain http://www.brendangregg.com/blog/2018-02-09/kpti-kaiser-meltdown-performance.html
1518458094 M * Ghislain fyi
1518458819 M * Bertl_oO conclusion: don't do more than a million syscalls per second and cpu :)
1518460045 M * Ghislain yeah , do not do that, and don't cross the streams !
1518462141 M * Aiken with meltdown if you value your sanity do not do a kernel compile in a kvm guest on a core 2 duo where both host and guest have kpti enabled