-
rennj
smartos should be using a neural network to tell me the commands i should be using...haha
-
rennj
all the chatGPT goodness
-
rennj
nn trained on smartos/ora/sunw sunsolve data
-
rennj
usenet sunfaq
-
rennj
chatGPT give me a cover letter in charles bukowski style...focus in on the sun sparc...haha
-
EasyNT
Hi everybody, I’m looking for a way to disable IPv6 in a LX branded zone…was not lucky so far. Has anybody a solution?
-
nbjoerg
EasyNT: what do you mean with disable ipv6?
-
EasyNT
I have a IPv6 address on the nic which in my case should not be
-
nbjoerg
link-local one?
-
EasyNT
inet6 fe80::d0c1:ffff:fe2f:ab1b prefixlen 10 scopeid 0x20<link>
-
nbjoerg
yeah
-
nbjoerg
why is that a problem?
-
EasyNT
I have no IPv6 on my network, I’m trying to setup Mastodon and the setup script calls some yarn stuff which tries to reach hosts with IPv6 addresses which fails
-
nbjoerg
red herring
-
nbjoerg
I bet this is the npm is too stupid to do multiple dns records crap all over again
-
EasyNT
possible
-
EasyNT
but I guess if I could disable IPv6 on the system, the problem would be obsolete
-
nbjoerg
no, it doesn't
-
nbjoerg
the problem is literally that npm gets multiple entries from getaddrinfo and craps out with the fallback to the next entry
-
EasyNT
hmm…so then I should make it clear to npm/yarn to not use IPv6
-
nbjoerg
it has nothing to do with ipv6
-
EasyNT
so what should I do?
-
nbjoerg
but unreachable addresses returned via DNS
-
EasyNT
I read somewhere that yarn has hardcoded IPv6 addresses…not sure though
-
nbjoerg
for an lx zone, you can try gai.conf
-
EasyNT
looks interesting
-
EasyNT
uncomment this?
-
EasyNT
# For sites which prefer IPv4 connections change the last line to
-
EasyNT
#
-
EasyNT
#precedence ::ffff:0:0/96 100
-
nbjoerg
yeah
-
EasyNT
and then reboot I guess
-
EasyNT
nbjoerg: you are my personal hero of the day :D
-
EasyNT
thanks so much!!
-
nbjoerg
someone without ipv6 should beat the shit out of npm :)
-
nbjoerg
I mean fix the problem
-
EasyNT
:D
-
psarria_
hi guys, i hope you can help me, i have a very big security problem with all my LX branded systems (it doesn't happen with native zones), my system users seem to be limited to 16 system groups when the GZ and NGZ have NGROUPS_MAX set to 1024, not 16
-
psarria_
i tried to use the binaries of /native when possible in order to avoid this problem but without success, honestly i don't know what to do to solve this
-
psarria_
I would appreciate any help
-
danmcd
I just read this now. Having the vmcore.0 might be nice.
-
huy
hello, how do I use mount -F smbfs -o noprompt=true? I get login failed: syserr = authentication failed with sharemgr set -P smb -s /public -p guestok=true smb
-
danmcd
This is an SMB/CIFS authentication problem.
-
huy
Indeed, do I need to use idmap?
-
jbk
idmap is more for serving smb
-
jbk
if you're trying to mount an SMB share
-
jbk
you might need a .nsmbrc (IIRC) file for credentials if you don't want to supply them in the mount arguments
-
jbk
(and whatever is sharing the filesystem requires a login)
-
huy
I'm trying to make a public share accessible to anyone without authentication and to mount it from a native zone, maybe I'm missing some steps
-
huy
^^ from another zone
-
jbk
is it being served from an LX zone or a VM?
-
huy
native zone
-
jbk
i think you can add 'guestok=true' to the sharesmb options to allow anonymous access
-
jbk
if you want to share a dataset between multiple zones on the same box, you can also loopback mount the dataset in all the zones as another possibility
-
jbk
(just need to be sure uid/gids match)
-
huy
that's what I did, and I get login failed: syserr = authentication failed
-
huy
I want to use the share with the outside world too
-
jperkin
twitter.com/jperkin/status/1371780238586351616 is what I needed to do to get guestok working
-
nahamu
any chance you tooted that too?
-
nahamu
oh, from 2021. haha
-
jperkin
yeh not really sure what to do about that, retooting them seems wrong, but I also want to kill my twitter for obvious reasons
-
nahamu
fair.
-
nahamu
saving it for later. :)
-
jperkin
nice, thanks
-
bahamat
psarria_: Do you mean that users are members of multiple groups? And that tops out at 16 groups?
-
nahamu
random thing I noticed, jperkin: in a trunk zone I was able to install wireguard-go but it didn't see a wireguard-tools package.
-
jperkin
oh, lemme look
-
jperkin
ah ok, so there's already a wireguard-tools package which ends up being chosen instead of the version in pkgsrc-extra, in 2021Q4 I disabled that package but I didn't do that in trunk
-
jperkin
2022Q4 even
-
bahamat
psarria_: I can reproduce this behavior...I'll look into it.
-
nahamu
this will all be much better if I just get my act together and get everything upstreamed, huh...
-
psarria
bahamat, yes, 16 is the maximum number of groups that a system user can belong to
-
psarria
bahamat, afaik NGROUPS_MAX is by default 16 but you can override that in /etc/system, even doing so, users in LX branded zones are unable to do anything beyond the 16th group
-
psarria
bahamat, i can reproduce in bash:
pastebin.com/7RiJhNr6
-
psarria
if i use strace, i can see a getgroups syscall with 16 as array size:
pastebin.com/RRcEgU78
-
jbk
how are LX processes determining the max?
-
jbk
there is a sysconf parameter -- i don't know if LX returns a hard coded value or not (or if that's what that program is using to determine the max)
-
psarria
jbk, there is a sysctl parameter that inherits GZ's NGROUPS_MAX value correctly but it's like the getgroups syscall takes a value (16) as maximum, you can see that here:
pastebin.com/E8Xd7uRW
-
bahamat
psarria: And you mean system users vs...what other kind of user?
-
psarria
ok, sorry, i wrote "system user" because as root i can see the groups the user belongs to, i mean users, perhaps it wasn't the best way to call them, sorry
-
bahamat
Yeah, doing `groups <user>` will show all the groups they're assigned to. But as any user, just `groups` will top out at 16.
-
psarria
right!
-
bahamat
psarria: So, how many groups are we talking about here?
-
psarria
273
-
pjustice
!!
-
psarria
i know, it's a high number but in this environment it should be normal i think, it's the relation between the website groups and the webserver apache group
-
pjustice
There have historically, iirc, been several places where a limit of 16 has existed. You're definitely out in poorly explored territory with that scale of group assignments.
-
bahamat
So, the limit of 16 on illumos is for NFS. NFS breaks badly when it's more than 16. But I think there's a hard coded cap at 32, even increasing it via /etc/system.
-
bahamat
And LX just uses whatever the illumos value is.
-
bahamat
Oracle documentation says it can go up to 1024, but I'm not sure which versions that applies to.
-
psarria
however, it works correctly under native zones
-
bahamat
How do you normally set it for native zones?
-
psarria
ok, i've tested under native zones only in lab, i mean it works when a user belongs to 20 groups, but i'm going to test with 300 right now
-
psarria
bahamat, yes, it works inside a native zone, i've attached a user to 300 groups:
pastebin.com/raw/Ch4RUarv
-
bahamat
That's not a valid test.
-
bahamat
You need to *be* the user and run just `groups`.
-
bahamat
Running `groups <name>` will look up the user database.
-
bahamat
But running `groups` will check the groups on the process itself.
-
bahamat
And to increase groups, how is it you're doing that? Are you just setting it in /etc/system in the ngz?
-
psarria
yes, i used this guide:
wiki.smartos.org/modifying-boot-files the part related to root pool because i don't use USB
-
psarria
in GZ
-
bahamat
Do you *also* set that in the ngz, or just for the gz?
-
psarria
only in GZ, this is only the line i've added:
pastebin.com/RYUZruYD
-
psarria
i set 1024 because it is the maximum
-
bahamat
OK, well there's probably no short term answer.
-
Smithx10
@bahamat I already have a disk that spare took over
spare-2 DEGRADED 0 0 0
c3t5000CCA27077CE29d0 OFFLINE 0 0 0
c3t5000CCA270ADF839d0 ONLINE 0 0 0
-
Smithx10
how do I just make the spare the new member, 29d0 was already taken out
-
bahamat
Smithx10: Ok, I'm missing context on this...I don't remember this conversation :-)
-
Smithx10
ahhh, disk went bad, spare took over, we powered down, found the serial number in slot 6, replaced it with a new disk, powered back up
-
bahamat
Ok, so to promote the spare, IIRC it's `zpool replace zones <dead device> <spare device>`
-
bahamat
then your replacement device, you just add as a spare.
-
Smithx10
cannot replace c3t5000CCA27077CE29d0 with c3t5000CCA270ADF839d0: c3t5000CCA270ADF839d0 is busy, or device removal is in progress
-
Smithx10
Guessing because it is already online as the spare and resilvered?
-
psarria
bahamat, ok thanks for all, i'm going to migrate these systems to bhyve in order to avoid more security problems, although i would like to investigate a bit more, any advice on that?
-
Smithx10
so.... do I just detach the offline disk at this point?
-
bahamat
Smithx10: Yeah, that looks like the right thing.
-
bahamat
Smithx10: Let me give you a gist...
-
Smithx10
nice that worked
-
Smithx10
now just add the new disk as a spare
-
Smithx10
bahamat: all good now