Discussion:
reorder_kernel requires writable /usr/share
RD Thrush
2017-07-02 16:50:36 UTC
Synopsis: reorder_kernel requires writable /usr/share
Category: system
System : OpenBSD 6.1
Details : OpenBSD 6.1-current (GENERIC.MP) #73: Sat Jul 1 10:53:54 MDT 2017
***@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Architecture: OpenBSD.amd64
Machine : amd64
/etc/rc: reorder_kernel() requires /usr/share to be writeable
On a system w/ a separate read-only partition containing /usr/share,
cat /var/log/kernel_relink.log
sh makegap.sh 0xcccccccc
makegap.sh[69]: cannot create gap.link: Read-only file system
ld: cannot open output file gap.o: Read-only file system
*** Error 1 in /usr/share/compile/GENERIC.MP (Makefile:966 'gap.o')
In _reorder_libs() a similar read-only problem was resolved.
I used that as the basis for the appended patch:

nuc1:src/etc 4996>cvs -d $CVSROOT diff -uNp rc
Index: rc
===================================================================
RCS file: /cvs/OpenBSD/src/etc/rc,v
retrieving revision 1.506
diff -u -p -u -p -r1.506 rc
--- rc 30 Jun 2017 17:06:03 -0000 1.506
+++ rc 2 Jul 2017 16:04:09 -0000
@@ -222,7 +222,8 @@ reorder_libs() {
# Re-link the kernel, placing the objects in a random order.
# Replace current with relinked kernel and inform root about it.
reorder_kernel() {
- local _dkdev=$(df /usr/share | sed '1d;s/ .*//')
+ local _dkdev=$(df /usr/share | sed '1d;s/ .*//') \
+ _mp=$(mount | grep "^$_dkdev") _remount=false _error=false

# Skip if /usr/share is on a nfs mounted filesystem.
[[ $(mount | grep "^$_dkdev") == *" type nfs "* ]] && return
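Review bot: The `_mp=$(mount | grep "^$_dkdev")` added to the `local` line duplicates the pipeline that the nfs check right below it still runs, so mount(8) is queried twice and the two tests can see different output. Reuse the variable there: `[[ $_mp == *" type nfs "* ]] && return`. The pattern is also anchored only at the start and treats the device name as a regular expression; appending a space (`"^$_dkdev "`) would keep it from matching a longer device or export name that begins with the same string.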
@@ -239,6 +240,16 @@ reorder_kernel() {
_kernel=${_kernel%#*}
_sha256=/var/db/kernel.SHA256

+ # Remount read-write, if /usr/share is on a read-only ffs filesystem.
+ if [[ $_mp == *' type ffs '*'read-only'* ]]; then
+ if mount -u -w $_dkdev; then
+ _remount=true
+ else
+ echo 'reorder_kernel: mount -uw failed.'
+ return
+ fi
+ fi
+
if [[ -f $_compile.tgz ]]; then
rm -rf $_compile
mkdir -m 700 -p $_compile
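Review bot: Once `mount -u -w $_dkdev` succeeds here, the only restore is the block added after `make newinstall` in the next hunk, so any early return or abort between the two (the `rm -rf`, the `mkdir`, or either make step) leaves the filesystem read-write. Move the `mount -u -r` into a cleanup path that runs on every exit from the function once `_remount` is true, and quote `"$_dkdev"` in both mount calls.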
@@ -251,6 +262,16 @@ reorder_kernel() {
cd $_compile/$_kernel
make newbsd
make newinstall
+
+ # Restore previous mount state if it was changed.
+ if $_remount; then
+ mount -u -r $_dkdev || _error=true
+ fi
+
+ if $_error; then
+ echo 'reorder_kernel: mount -ur failed.'
+ return
+ fi

echo "\nKernel has been relinked and is active on next reboot.\n"
cat $_sha256
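Review bot: In the restore block, a failed `mount -u -r` returns before the "Kernel has been relinked" echo and `cat $_sha256`, so the admin gets no notice that a new kernel was installed, while the filesystem stays read-write with only a one-line message. Report the remount failure but still fall through to the relink notice. The `_error` flag is set and tested in adjacent statements and can go: put the echo directly after `mount -u -r $_dkdev ||` inside the `if $_remount` block.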

Robert Peichaer
2017-07-02 16:53:43 UTC
Post by RD Thrush
Synopsis: reorder_kernel requires writable /usr/share
Category: system
System : OpenBSD 6.1
Details : OpenBSD 6.1-current (GENERIC.MP) #73: Sat Jul 1 10:53:54 MDT 2017
Architecture: OpenBSD.amd64
Machine : amd64
/etc/rc: reorder_kernel() requires /usr/share to be writeable
On a system w/ a separate read-only partition containing /usr/share,
cat /var/log/kernel_relink.log
sh makegap.sh 0xcccccccc
makegap.sh[69]: cannot create gap.link: Read-only file system
ld: cannot open output file gap.o: Read-only file system
*** Error 1 in /usr/share/compile/GENERIC.MP (Makefile:966 'gap.o')
In _reorder_libs() a similar read-only problem was resolved.
revision 1.506
date: 2017/06/30 17:06:03; author: rpe; state: Exp; lines: +24 -18; commitid: sUDtacXshDGSqeZm;
Improve reorder_kernel()

- check for and exit if /usr/share is on a nfs mounted filesystem
- add trap handlers that mail the logfile to the admin user
- use $_compile instead of $_compile_dir like in the installer
- use $_compile/$_kernel instead of $_kernel_dir
- remove the now redundant sha256 -h ... after make newinstall
- write stdout/stderr of the background subshell to a logfile

OK tb@ deraadt@
RD Thrush
2017-07-02 17:31:31 UTC
Post by RD Thrush
Post by RD Thrush
Synopsis: reorder_kernel requires writable /usr/share
Category: system
System : OpenBSD 6.1
Details : OpenBSD 6.1-current (GENERIC.MP) #73: Sat Jul 1 10:53:54 MDT 2017
Architecture: OpenBSD.amd64
Machine : amd64
/etc/rc: reorder_kernel() requires /usr/share to be writeable
On a system w/ a separate read-only partition containing /usr/share,
cat /var/log/kernel_relink.log
sh makegap.sh 0xcccccccc
makegap.sh[69]: cannot create gap.link: Read-only file system
ld: cannot open output file gap.o: Read-only file system
*** Error 1 in /usr/share/compile/GENERIC.MP (Makefile:966 'gap.o')
In _reorder_libs() a similar read-only problem was resolved.
revision 1.506
date: 2017/06/30 17:06:03; author: rpe; state: Exp; lines: +24 -18; commitid: sUDtacXshDGSqeZm;
Improve reorder_kernel()
- check for and exit if /usr/share is on a nfs mounted filesystem
- add trap handlers that mail the logfile to the admin user
- use $_compile instead of $_compile_dir like in the installer
- use $_compile/$_kernel instead of $_kernel_dir
- remove the now redundant sha256 -h ... after make newinstall
- write stdout/stderr of the background subshell to a logfile
My patch was against revision 1.506. I'm unsure how to interpret
your reply (of the associated commit message) to the bug report.

I've attached the patch in case there was a whitespace issue w/ the
inline version.
Theo de Raadt
2017-07-02 16:56:52 UTC
I should point out that when you make that change, you own the pieces.
Theo de Raadt
2017-07-02 17:38:43 UTC
Remounting a filesystem?

I don't agree with that approach. It adds way too much complexity.

It seems you are trying to 'defend' /usr from writes, but it was
never defended since it could always be remounted.
RD Thrush
2017-07-02 18:03:19 UTC
Post by Theo de Raadt
Remounting a filesystem?
I don't agree with that approach. It adds way too much complexity.
It's similar to the remount when /usr/lib is on a read-only partition
as in _reorder_libs():

arp42:build/packages 504>grep -n -A8 'read-write' /etc/rc
182: # Remount read-write, if /usr/lib is on a read-only ffs filesystem.
183- if [[ $_mp == *' type ffs '*'read-only'* ]]; then
184- if mount -u -w $_dkdev; then
185- _remount=true
186- else
187- echo ' failed.'
188- return
189- fi
190- fi
Theo de Raadt
2017-07-02 18:05:41 UTC
Post by RD Thrush
Post by Theo de Raadt
Remounting a filesystem?
I don't agree with that approach. It adds way too much complexity.
It's similar to the remount when /usr/lib is on a read-only partition
arp42:build/packages 504>grep -n -A8 'read-write' /etc/rc
182: # Remount read-write, if /usr/lib is on a read-only ffs filesystem.
183- if [[ $_mp == *' type ffs '*'read-only'* ]]; then
184- if mount -u -w $_dkdev; then
185- _remount=true
186- else
187- echo ' failed.'
188- return
189- fi
190- fi
Yes, but once again I don't know what this is trying to help.

Just you, I think. Maybe someone else?

I am unsure if these 6-line chunks belong in /etc. The configuration
is way out of default.
Ted Unangst
2017-07-02 18:12:29 UTC
Post by Theo de Raadt
Yes, but once again I don't know what this is trying to help.
Just you, I think. Maybe someone else?
I am unsure if these 6-line chunks belong in /etc. The configuration
is way out of default.
Configuration creep. Start with six lines to support readonly /usr because "it
can't hurt". Next feature needs six more lines. Then six more lines. Now it
looks like readonly /usr is supported. Look at all these lines that make it
work!
Theo de Raadt
2017-07-02 18:25:14 UTC
Post by Ted Unangst
Post by Theo de Raadt
Yes, but once again I don't know what this is trying to help.
Just you, I think. Maybe someone else?
I am unsure if these 6-line chunks belong in /etc. The configuration
is way out of default.
Configuration creep. Start with six lines to support readonly /usr because "it
can't hurt". Next feature needs six more lines. Then six more lines. Now it
looks like readonly /usr is supported. Look at all these lines that make it
work!
I should also point out that relinking happens in a sub-process of /etc/rc.
It may take some time to finish the job. It is done async, not synchronous.
During that time, /usr will be RW.

sshd probably starts before relinking is complete. Actually I know it does,
because on one machine I'm logged in before it finishes linking.
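
The read-write window described in the message above can be observed by comparing the mount(8) state of the /usr/share device before and during the relink. This is an added example, not part of the thread or of /etc/rc; the mount lines are constructed, and `fs_state`, `relink_action` and `rw_exposed` are hypothetical names.

```shell
#!/bin/sh
# Constructed mount(8) output in the OpenBSD format; not taken from the thread.
BEFORE='/dev/sd0a on / type ffs (local)
/dev/sd0e on /usr/share type ffs (local, nodev, read-only)
fileserver:/export on /mnt type nfs (nodev, nosuid, v3, udp)
fileserver:/export2 on /mnt2 type nfs (nodev, nosuid, read-only, v3, udp)'
# The same table while the background relink runs with the proposed remount.
DURING=$(printf '%s\n' "$BEFORE" | sed '2s/, read-only//')

# fs_state DEVICE MOUNT_OUTPUT: print "fstype ro|rw" for the line whose first
# field is exactly DEVICE (an exact match, not a prefix or regex match).
fs_state() {
	printf '%s\n' "$2" | awk -v dev="$1" '
	$1 == dev && $2 == "on" {
		for (i = 3; i < NF; i++) if ($i == "type") fstype = $(i + 1)
		opts = $0
		sub(/^.*\(/, "", opts)      # keep only the text inside the last (...)
		sub(/\).*$/, "", opts)
		n = split(opts, o, /, */)
		state = "rw"
		for (i = 1; i <= n; i++) if (o[i] == "read-only") state = "ro"
		print fstype, state
		found = 1
		exit
	}
	END { exit !found }'
}

# relink_action DEVICE MOUNT_OUTPUT: the branch the patched reorder_kernel()
# would take for DEVICE, using the same predicates as the diff.
relink_action() {
	state=$(fs_state "$1" "$2") || { echo unknown; return 1; }
	case $state in
	"nfs "*)  echo skip ;;          # rc returns early on nfs
	"ffs ro") echo remount-rw ;;    # the patch would run mount -u -w
	*)        echo no-remount ;;    # already writable, or not ffs
	esac
}

# rw_exposed DEVICE: true when a filesystem that is read-only in BEFORE
# shows up writable in DURING, i.e. the window is open.
rw_exposed() {
	[ "$(fs_state "$1" "$BEFORE")" = "ffs ro" ] &&
	[ "$(fs_state "$1" "$DURING")" = "ffs rw" ]
}
```

On a live system the second argument would be the output of `mount` captured at the moment of interest, for example from a login session opened while the relink is still running.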
