Mailing List Archive

Required Priorities (Security) = slow server
I recently moved my server from:

3.2.11-hardened
Security Level (Hardened Gentoo [server])

to:

3.4.5-hardened
Configuration Method (Automatic)
Usage Type (Server)
Virtualization Type (None)
Required Priorities (Security)

and http became extremely slow. Some pages that would normally
execute in 1 second would take 10 seconds or more. There is a lot of
php and perl server-side stuff so the slowdown may have been rooted in
that. I changed to Required Priorities (Performance) and everything
sped back up to normal. My laptop was moved to the following at the
same time and I didn't notice any performance change:

3.4.5-hardened
Configuration Method (Automatic)
Usage Type (Desktop)
Virtualization Type (None)
Required Priorities (Security)

Is this sort of behavior expected from a server?

- Grant
Re: Required Priorities (Security) = slow server
> I recently moved my server from:
>
> 3.2.11-hardened
> Security Level (Hardened Gentoo [server])
>
> to:
>
> 3.4.5-hardened
> Configuration Method (Automatic)
> Usage Type (Server)
> Virtualization Type (None)
> Required Priorities (Security)
>
> and http became extremely slow. Some pages that would normally
> execute in 1 second would take 10 seconds or more. There is a lot of
> php and perl server-side stuff so the slowdown may have been rooted in
> that. I changed to Required Priorities (Performance) and everything
> sped back up to normal. My laptop was moved to the following at the
> same time and I didn't notice any performance change:
>
> 3.4.5-hardened
> Configuration Method (Automatic)
> Usage Type (Desktop)
> Virtualization Type (None)
> Required Priorities (Security)
>
> Is this sort of behavior expected from a server?
>
> - Grant

This may have been a false alarm. I think I've been having
intermittent network problems to part of the internet. Can anyone
confirm that the above config shouldn't slow down an http server?

- Grant
Re: Re: Required Priorities (Security) = slow server

On 17.08.2012 08:56, Grant wrote:
>> I recently moved my server from:
>>
>> 3.2.11-hardened Security Level (Hardened Gentoo [server])
>>
>> to:
>>
>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>> (Server) Virtualization Type (None) Required Priorities
>> (Security)
>>
>> and http became extremely slow. Some pages that would normally
>> execute in 1 second would take 10 seconds or more. There is a
>> lot of php and perl server-side stuff so the slowdown may have
>> been rooted in that. I changed to Required Priorities
>> (Performance) and everything sped back up to normal. My laptop
>> was moved to the following at the same time and I didn't notice
>> any performance change:
>>
>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>> (Desktop) Virtualization Type (None) Required Priorities
>> (Security)
>>
>> Is this sort of behavior expected from a server?
>>
>> - Grant
>
> This may have been a false alarm. I think I've been having
> intermittent network problems to part of the internet. Can anyone
> confirm that the above config shouldn't slow down an http server?
>
> - Grant
>

It's hard to make any generalisations but I have some servers with
similar grsec-autoconfig (server instead of desktop) and no noticeable
slowdown (I'd say nothing more than 10%).
I'd recommend to use 3.5.1-r2 (testing) or 3.2.27 (stable), though.

WKR
Hinnerk
Re: Re: Required Priorities (Security) = slow server
>>> I recently moved my server from:
>>>
>>> 3.2.11-hardened Security Level (Hardened Gentoo [server])
>>>
>>> to:
>>>
>>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>>> (Server) Virtualization Type (None) Required Priorities
>>> (Security)
>>>
>>> and http became extremely slow. Some pages that would normally
>>> execute in 1 second would take 10 seconds or more. There is a
>>> lot of php and perl server-side stuff so the slowdown may have
>>> been rooted in that. I changed to Required Priorities
>>> (Performance) and everything sped back up to normal. My laptop
>>> was moved to the following at the same time and I didn't notice
>>> any performance change:
>>>
>>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>>> (Desktop) Virtualization Type (None) Required Priorities
>>> (Security)
>>>
>>> Is this sort of behavior expected from a server?
>>>
>>> - Grant
>>
>> This may have been a false alarm. I think I've been having
>> intermittent network problems to part of the internet. Can anyone
>> confirm that the above config shouldn't slow down an http server?
>>
>> - Grant
>>
>
> It's hard to make any generalisations but I have some servers with
> similar grsec-autoconfig (server instead of desktop) and no noticeable
> slowdown (I'd say nothing more than 10%).
> I'd recommend to use 3.5.1-r2 (testing) or 3.2.27 (stable), though.
>
> WKR
> Hinnerk

3.4.5 is the latest stable, right?

http://packages.gentoo.org/package/sys-kernel/hardened-sources

I'm using Server too. I'm using Desktop on my laptop.

- Grant
Re: Re: Required Priorities (Security) = slow server

On 17.08.2012 11:47, Grant wrote:
>>>> I recently moved my server from:
>>>>
>>>> 3.2.11-hardened Security Level (Hardened Gentoo [server])
>>>>
>>>> to:
>>>>
>>>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>>>> (Server) Virtualization Type (None) Required Priorities
>>>> (Security)
>>>>
>>>> and http became extremely slow. Some pages that would
>>>> normally execute in 1 second would take 10 seconds or more.
>>>> There is a lot of php and perl server-side stuff so the
>>>> slowdown may have been rooted in that. I changed to Required
>>>> Priorities (Performance) and everything sped back up to
>>>> normal. My laptop was moved to the following at the same
>>>> time and I didn't notice any performance change:
>>>>
>>>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>>>> (Desktop) Virtualization Type (None) Required Priorities
>>>> (Security)
>>>>
>>>> Is this sort of behavior expected from a server?
>>>>
>>>> - Grant
>>>
>>> This may have been a false alarm. I think I've been having
>>> intermittent network problems to part of the internet. Can
>>> anyone confirm that the above config shouldn't slow down an
>>> http server?
>>>
>>> - Grant
>>>
>>
>> It's hard to make any generalisations but I have some servers
>> with similar grsec-autoconfig (server instead of desktop) and no
>> noticeable slowdown (I'd say nothing more than 10%). I'd recommend
>> to use 3.5.1-r2 (testing) or 3.2.27 (stable), though.
>>
>> WKR Hinnerk
>
> 3.4.5 is the latest stable, right?
>
> http://packages.gentoo.org/package/sys-kernel/hardened-sources
>
> I'm using Server too. I'm using Desktop on my laptop.
>
> - Grant
>

Sorry,
I misread the part about the laptop. As far as I remember the only
supported versions by Upstream are 2.6.32.59 and 3.2.27 as stable and
3.5.2 as testing (the versions on grsecurity.net, right now).
Other versions aren't supported by upstream.
Actually I'm not sure what is stable for gentoo since I'm using ~arch
myself.

- Hinnerk
Re: Re: Required Priorities (Security) = slow server
> I misread the part about the laptop. As far as I remember the only
> supported versions by Upstream are 2.6.32.59 and 3.2.27 as stable and
> 3.5.2 as testing (the versions on grsecurity.net, right now).
> Other versions aren't supported by upstream.

Interesting, I would have thought Gentoo would keep hardened-sources
in sync with upstream's recommendation/support.

- Grant
Re: Re: Required Priorities (Security) = slow server
On 17/08/12 19:06, Grant wrote:
> Interesting, I would have thought Gentoo would keep hardened-sources
> in sync with upstream's recommendation/support.
There are a few reasons for that not being the case but of them I'd go
for the fact that in order to get stabilized a package must have been
on ~arch for some time and have no known bugs. Then the arch teams have
to test the packages and then the packages get finally stabilized.

We can't, for obvious reasons, try to stabilize all the packages we get
since that would saturate the arch teams' resources, as a result we
generally ask for the stabilization in the case of gentoo-sources of
those that have proved to be quite stable for some time.
Re: Re: Required Priorities (Security) = slow server
That is exactly what hardened sources package maintainers do.
There's always a tiny time difference between the latest grsecurity patch
showing up on the homepage and the respective kernel ebuild appears.

*hardened-sources-3.5.1-r2 (16 Aug 2012)
16 Aug 2012; Anthony G. Basile (blueness)
+hardened-sources-3.5.1-r2.ebuild:
vanilla-3.5.1 + genpatches-3.5-2 + grsecurity-2.9.1-3.5.1-201208132030

They are doing a good job.
So: big thanks.

Dw.
--
Dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 17 August 2012 (Fri) 19:06, Grant wrote:
>> I misread the part about the laptop. As far as I remember the only
>> supported versions by Upstream are 2.6.32.59 and 3.2.27 as stable and
>> 3.5.2 as testing (the versions on grsecurity.net, right now).
>> Other versions aren't supported by upstream.
>
> Interesting, I would have thought Gentoo would keep hardened-sources
> in sync with upstream's recommendation/support.
>
> - Grant
>
Re: Re: Required Priorities (Security) = slow server
On Fri, Aug 17, 2012 at 11:19 PM, "Tóth Attila" <atoth@atoth.sote.hu> wrote:
> That is exactly what hardened sources package maintainers do.
> There's always a tiny time difference between the latest grsecurity patch
> showing up on the homepage and the respective kernel ebuild appears.

First, I would like to note that I appreciate very much Anthony's
dedication to maintaining hardened-sources.

The situation with stabilizing hardened-sources versions, as I see it,
is problematic because grsecurity / PaX upstream only supports a
couple of kernels they consider stable (currently, 2.6.32 and 3.2),
and the very latest kernel as unstable (currently, 3.5). They don't
release patches for interim kernels [1]. So the issue with stabilizing
those versions (say, 3.4) is moot — the upstream kernel might be
stable, but grsecurity / PaX patches are frozen in time. This results
in a weird situation if you want, e.g., a stable kernel that's more
modern than 3.2, but don't want EFI-related bugs [2] that were fixed
by grsecurity after they switched to 3.5 series for testing.

Ideally, grsecurity could release patches for each kernel series after
latest stable (currently, 3.2), but that would probably require too
much resources.

[1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2980
[2] https://bugs.gentoo.org/428726, https://bugs.gentoo.org/430122

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
Re: Re: Required Priorities (Security) = slow server
On 08/17/2012 04:19 PM, "Tóth Attila" wrote:
> That is exactly what hardened sources package maintainers do.
> There's always a tiny time difference between the latest grsecurity patch
> showing up on the homepage and the respective kernel ebuild appears.

I try to get most of upstream's releases into portage so we can test
them as ~arch and give upstream feedback. After a while, I see what
issues came up in the last "batch" of kernels. I then pick the one that
is least problematic.

Typical upstream cycle goes: 1) introduced new feature, 2) bad breakage,
2) still breakage, 3) not so bad, 4) fixed. I try to catch it at #4 before
they start the cycle all over again.

Hope this helps to explain my release policy.


--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: Re: Required Priorities (Security) = slow server
>> That is exactly what hardened sources package maintainers do.
>> There's always a tiny time difference between the latest grsecurity patch
>> showing up on the homepage and the respective kernel ebuild appears.
>
>
> I try to get most of upstream's releases into portage so we can test them as
> ~arch and give upstream feedback. After a while, I see what issues came up
> in the last "batch" of kernels. I then pick the one that is least
> problematic.
>
> Typical upstream cycle goes: 1) introduced new feature, 2) bad breakage, 2)
> still breakage, 3) not so bad, 4) fixed. I try to catch it at #4 before they
> start the cycle all over again.
>
> Hope this helps to explain my release policy.

Thank you for explaining, and a thank you for dedicating so much time to Gentoo.

- Grant