Linux Archive > Gentoo > Gentoo Hardened

Old 08-15-2012, 09:47 AM
Grant
 
Required Priorities (Security) = slow server

I recently moved my server from:

3.2.11-hardened
Security Level (Hardened Gentoo [server])

to:

3.4.5-hardened
Configuration Method (Automatic)
Usage Type (Server)
Virtualization Type (None)
Required Priorities (Security)

and http became extremely slow. Some pages that would normally
execute in 1 second would take 10 seconds or more. There is a lot of
php and perl server-side stuff so the slowdown may have been rooted in
that. I changed to Required Priorities (Performance) and everything
sped back up to normal. My laptop was moved to the following at the
same time and I didn't notice any performance change:

3.4.5-hardened
Configuration Method (Automatic)
Usage Type (Desktop)
Virtualization Type (None)
Required Priorities (Security)

Is this sort of behavior expected from a server?

- Grant
 
Old 08-17-2012, 06:56 AM
Grant
 
Required Priorities (Security) = slow server

> I recently moved my server from:
>
> 3.2.11-hardened
> Security Level (Hardened Gentoo [server])
>
> to:
>
> 3.4.5-hardened
> Configuration Method (Automatic)
> Usage Type (Server)
> Virtualization Type (None)
> Required Priorities (Security)
>
> and http became extremely slow. Some pages that would normally
> execute in 1 second would take 10 seconds or more. There is a lot of
> php and perl server-side stuff so the slowdown may have been rooted in
> that. I changed to Required Priorities (Performance) and everything
> sped back up to normal. My laptop was moved to the following at the
> same time and I didn't notice any performance change:
>
> 3.4.5-hardened
> Configuration Method (Automatic)
> Usage Type (Desktop)
> Virtualization Type (None)
> Required Priorities (Security)
>
> Is this sort of behavior expected from a server?
>
> - Grant

This may have been a false alarm. I think I've been having
intermittent network problems to part of the internet. Can anyone
confirm that the above config shouldn't slow down an http server?

- Grant
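Grant's question is whether the slowdown comes from the kernel configuration or from the network path. One way to tell the two apart, as an added example that is not part of the thread, is to split each HTTP request's wall-clock time into phases with curl's documented `-w` timing variables (`time_namelookup`, `time_connect`, `time_appconnect`, `time_starttransfer`, `time_total`): DNS and connect time belong to the network, while the gap between connection setup and the first response byte is time the server spent generating the page. The timing lines embedded below are constructed, not real measurements; the classification threshold is an assumption.

```python
"""Attribute an HTTP slowdown to the network or to the server from curl -w timings.

Added example, not from the thread. Uses curl's documented -w variables; the
sample lines below are constructed, not real measurements.
"""
import shutil
import subprocess
from statistics import median

# curl -w format: one line per request, tab-separated cumulative seconds.
CURL_FORMAT = ("%{time_namelookup}\t%{time_connect}\t%{time_appconnect}\t"
               "%{time_starttransfer}\t%{time_total}\n")


def parse_timing(line):
    """Turn one curl -w line into per-phase durations (seconds)."""
    lookup, connect, appconnect, starttransfer, total = (
        float(x) for x in line.split("\t"))
    # curl reports cumulative timestamps; each phase is the delta to the previous one.
    # time_appconnect is 0 for plain http, so the handshake ends at time_connect then.
    handshake_end = appconnect if appconnect > 0 else connect
    return {
        "dns": lookup,
        "connect": connect - lookup,
        "tls": max(appconnect - connect, 0.0),
        "server": starttransfer - handshake_end,  # server-side work before the first byte
        "transfer": total - starttransfer,        # body transfer over the network
    }


def attribute(lines):
    """Classify a batch of samples: 'server' when time-to-first-byte dominates,
    'network' when DNS/connect/TLS/transfer do (assumed rule). Returns (verdict, medians)."""
    phases = [parse_timing(l) for l in lines if l.strip()]
    med = {k: median(p[k] for p in phases) for k in phases[0]}
    network = med["dns"] + med["connect"] + med["tls"] + med["transfer"]
    verdict = "server" if med["server"] > network else "network"
    return verdict, med


def measure(url, runs=5):
    """Collect raw curl -w lines for url (needs curl and network; not used offline)."""
    if shutil.which("curl") is None:
        raise RuntimeError("curl not found")
    out = []
    for _ in range(runs):
        r = subprocess.run(["curl", "-s", "-o", "/dev/null", "-w", CURL_FORMAT, url],
                           capture_output=True, text=True, check=True)
        out.append(r.stdout.strip())
    return out


# Constructed samples. The first batch looks like a slow server-side page
# (connect is quick, first byte after ~9 s); the second like a flaky network
# path (DNS, connect and transfer are slow, the server answers in ~0.3 s).
SLOW_SERVER_SAMPLES = [
    "0.004\t0.030\t0.000\t9.200\t9.350",
    "0.004\t0.028\t0.000\t8.900\t9.010",
    "0.005\t0.031\t0.000\t10.100\t10.300",
]
SLOW_NETWORK_SAMPLES = [
    "0.900\t3.100\t0.000\t3.400\t7.800",
    "1.200\t4.000\t0.000\t4.300\t9.100",
    "0.800\t2.900\t0.000\t3.100\t6.500",
]

if __name__ == "__main__":
    for name, batch in (("slow server", SLOW_SERVER_SAMPLES),
                        ("slow network", SLOW_NETWORK_SAMPLES)):
        verdict, med = attribute(batch)
        print(f"{name}: verdict={verdict} "
              + " ".join(f"{k}={v:.3f}" for k, v in med.items()))
```

Running `measure()` against the same URL from the server itself (`http://localhost/...`), from a host on the same LAN, and from outside, then comparing the `server` phase across the three, separates a kernel or PHP/perl slowdown (large `server` everywhere) from an upstream network problem (large `dns`/`connect`/`transfer` only from outside).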
 
Old 08-17-2012, 08:14 AM
Hinnerk van Bruinehsen
 
Required Priorities (Security) = slow server

On 17.08.2012 08:56, Grant wrote:
>> I recently moved my server from:
>>
>> 3.2.11-hardened Security Level (Hardened Gentoo [server])
>>
>> to:
>>
>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>> (Server) Virtualization Type (None) Required Priorities
>> (Security)
>>
>> and http became extremely slow. Some pages that would normally
>> execute in 1 second would take 10 seconds or more. There is a
>> lot of php and perl server-side stuff so the slowdown may have
>> been rooted in that. I changed to Required Priorities
>> (Performance) and everything sped back up to normal. My laptop
>> was moved to the following at the same time and I didn't notice
>> any performance change:
>>
>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>> (Desktop) Virtualization Type (None) Required Priorities
>> (Security)
>>
>> Is this sort of behavior expected from a server?
>>
>> - Grant
>
> This may have been a false alarm. I think I've been having
> intermittent network problems to part of the internet. Can anyone
> confirm that the above config shouldn't slow down an http server?
>
> - Grant
>

It's hard to make any generalisations but I have some servers with
similar grsec-autoconfig (server instead of desktop) and no noticeable
slowdown (I'd say nothing more than 10%).
I'd recommend to use 3.5.1-r2 (testing) or 3.2.27 (stable), though.

WKR
Hinnerk
 
Old 08-17-2012, 09:47 AM
Grant
 
Required Priorities (Security) = slow server

>>> I recently moved my server from:
>>>
>>> 3.2.11-hardened Security Level (Hardened Gentoo [server])
>>>
>>> to:
>>>
>>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>>> (Server) Virtualization Type (None) Required Priorities
>>> (Security)
>>>
>>> and http became extremely slow. Some pages that would normally
>>> execute in 1 second would take 10 seconds or more. There is a
>>> lot of php and perl server-side stuff so the slowdown may have
>>> been rooted in that. I changed to Required Priorities
>>> (Performance) and everything sped back up to normal. My laptop
>>> was moved to the following at the same time and I didn't notice
>>> any performance change:
>>>
>>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>>> (Desktop) Virtualization Type (None) Required Priorities
>>> (Security)
>>>
>>> Is this sort of behavior expected from a server?
>>>
>>> - Grant
>>
>> This may have been a false alarm. I think I've been having
>> intermittent network problems to part of the internet. Can anyone
>> confirm that the above config shouldn't slow down an http server?
>>
>> - Grant
>>
>
> It's hard to make any generalisations but I have some servers with
> similar grsec-autoconfig (server instead of desktop) and no noticable
> slowdown (I'd say nothing more that 10%).
> I'd recommend to use 3.5.1-r2 (testing) or 3.2.27 (stable), though.
>
> WKR
> Hinnerk

3.4.5 is the latest stable, right?

http://packages.gentoo.org/package/sys-kernel/hardened-sources

I'm using Server too. I'm using Desktop on my laptop.

- Grant
 
Old 08-17-2012, 09:57 AM
Hinnerk van Bruinehsen
 
Required Priorities (Security) = slow server

On 17.08.2012 11:47, Grant wrote:
>>>> I recently moved my server from:
>>>>
>>>> 3.2.11-hardened Security Level (Hardened Gentoo [server])
>>>>
>>>> to:
>>>>
>>>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>>>> (Server) Virtualization Type (None) Required Priorities
>>>> (Security)
>>>>
>>>> and http became extremely slow. Some pages that would
>>>> normally execute in 1 second would take 10 seconds or more.
>>>> There is a lot of php and perl server-side stuff so the
>>>> slowdown may have been rooted in that. I changed to Required
>>>> Priorities (Performance) and everything sped back up to
>>>> normal. My laptop was moved to the following at the same
>>>> time and I didn't notice any performance change:
>>>>
>>>> 3.4.5-hardened Configuration Method (Automatic) Usage Type
>>>> (Desktop) Virtualization Type (None) Required Priorities
>>>> (Security)
>>>>
>>>> Is this sort of behavior expected from a server?
>>>>
>>>> - Grant
>>>
>>> This may have been a false alarm. I think I've been having
>>> intermittent network problems to part of the internet. Can
>>> anyone confirm that the above config shouldn't slow down an
>>> http server?
>>>
>>> - Grant
>>>
>>
>> It's hard to make any generalisations but I have some servers
>> with similar grsec-autoconfig (server instead of desktop) and no
>> noticable slowdown (I'd say nothing more that 10%). I'd recommend
>> to use 3.5.1-r2 (testing) or 3.2.27 (stable), though.
>>
>> WKR Hinnerk
>
> 3.4.5 is the latest stable, right?
>
> http://packages.gentoo.org/package/sys-kernel/hardened-sources
>
> I'm using Server too. I'm using Desktop on my laptop.
>
> - Grant
>

Sorry,
I misread the part about the laptop. As far as I remember the only
supported versions by Upstream are 2.6.32.59 and 3.2.27 as stable and
3.5.2 as testing (the versions on grsecurity.net, right now).
Other versions aren't supported by upstream.
Actually I'm not sure what is stable for gentoo since I'm using ~arch
myself.

- Hinnerk
 
Old 08-17-2012, 05:06 PM
Grant
 
Required Priorities (Security) = slow server

> I misread the part about the laptop. As far as I remember the only
> supported versions by Upstream are 2.6.32.59 and 3.2.27 as stable and
> 3.5.2 as testing (the versions on grsecurity.net, right now).
> Other versions aren't supported by upstream.

Interesting, I would have thought Gentoo would keep hardened-sources
in sync with upstream's recommendation/support.

- Grant
 
Old 08-17-2012, 07:35 PM
"Francisco Blas Izquierdo Riera (klondike)"
 
Required Priorities (Security) = slow server

On 17/08/12 19:06, Grant wrote:
> Interesting, I would have thought Gentoo would keep hardened-sources
> in sync with upstream's recommendation/support.
There are a few reasons for that not being the case but of them I'd go
for the fact that in order to get stabilized a package must have been
on ~arch for some time and have no known bugs. Then the arch teams have
to test the packages and then the packages finally get stabilized.

We can't, for obvious reasons, try to stabilize all the packages we get
since that would saturate the arch teams' resources; as a result we
generally ask for the stabilization, in the case of gentoo-sources, of
those that have proved to be quite stable for some time.
 
Old 08-17-2012, 08:19 PM
"Tóth Attila"
 
Required Priorities (Security) = slow server

That is exactly what hardened-sources package maintainers do.
There's always a tiny time difference between the latest grsecurity patch
showing up on the homepage and the respective kernel ebuild appearing.

*hardened-sources-3.5.1-r2 (16 Aug 2012)
16 Aug 2012; Anthony G. Basile (blueness)
+hardened-sources-3.5.1-r2.ebuild:
vanilla-3.5.1 + genpatches-3.5-2 + grsecurity-2.9.1-3.5.1-201208132030

They are doing a good job.
So: big thanks.

Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 17 August 2012 (Fri) 19:06, Grant wrote:
>> I misread the part about the laptop. As far as I remember the only
>> supported versions by Upstream are 2.6.32.59 and 3.2.27 as stable and
>> 3.5.2 as testing (the versions on grsecurity.net, right now).
>> Other versions aren't supported by upstream.
>
> Interesting, I would have thought Gentoo would keep hardened-sources
> in sync with upstream's recommendation/support.
>
> - Grant
>
 
Old 08-18-2012, 12:49 AM
Maxim Kammerer
 
Required Priorities (Security) = slow server

On Fri, Aug 17, 2012 at 11:19 PM, "Tóth Attila" <atoth@atoth.sote.hu> wrote:
> That is exactly what hardened sources package maintainers do.
> There's always a tiny time difference between the latest grsecurity patch
> showing up on the homepage and the respective kernel ebuild appears.

First, I would like to note that I appreciate very much Anthony's
dedication to maintaining hardened-sources.

The situation with stabilizing hardened-sources versions, as I see it,
is problematic because grsecurity / PaX upstream only supports a
couple of kernels they consider stable (currently, 2.6.32 and 3.2),
and the very latest kernel as unstable (currently, 3.5). They don't
release patches for interim kernels [1]. So the issue with stabilizing
those versions (say, 3.4) is moot — the upstream kernel might be
stable, but grsecurity / PaX patches are frozen in time. This results
in a weird situation if you want, e.g., a stable kernel that's more
modern than 3.2, but don't want EFI-related bugs [2] that were fixed
by grsecurity after they switched to 3.5 series for testing.

Ideally, grsecurity could release patches for each kernel series after
latest stable (currently, 3.2), but that would probably require too
much resources.

[1] http://forums.grsecurity.net/viewtopic.php?f=3&t=2980
[2] https://bugs.gentoo.org/428726, https://bugs.gentoo.org/430122

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
 
Old 08-19-2012, 01:45 AM
"Anthony G. Basile"
 
Required Priorities (Security) = slow server

On 08/17/2012 04:19 PM, "Tóth Attila" wrote:
> That is exactly what hardened sources package maintainers do.
> There's always a tiny time difference between the latest grsecurity patch
> showing up on the homepage and the respective kernel ebuild appears.

I try to get most of upstream's releases into portage so we can test
them as ~arch and give upstream feedback. After a while, I see what
issues came up in the last "batch" of kernels. I then pick the one that
is least problematic.

Typical upstream cycle goes: 1) introduced new feature, 2) bad breakage,
2) still breakage, 3) not so bad, 4) fixed. I try to catch it at #4 before
they start the cycle all over again.

Hope this helps to explain my release policy.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
 