| === lotuspsychje_ is now known as lotuspsychje | ||
| guesswhat | I am kinda confused, I have VM with docker containers ( mixed usage ). NewRelic agent is reporting CPU usage ~75%, but avg15load is ~80 per host ... how should I interpret this? | 10:29 |
|---|---|---|
| tomreyn | guesswhat: you're not saying what you're measuring where | 10:42 |
| guesswhat | tomreyn, its from newrelic agent aggregated per whole vm | 10:48 |
| guesswhat | not sure how to debug high avgload ( 1,5,15 ) and low overall CPU usage in % | 10:49 |
| guesswhat | iowait is low, peaks to 15% | 10:49 |
| tomreyn | and the avg15load=80 is on the 'main' VM or on a container? you wrote "per host", does this mean in a container? | 10:50 |
| guesswhat | thats main VM | 11:02 |
| tomreyn | so you have ~75% average (?) CPU resource allocation and a 15 minute average load of 80, while iowait is low with peaks at 15%. that's unexplicable to me as well. | 11:14 |
| tomreyn | if that's all on the same system | 11:15 |
| tomreyn | although sometimes containers won't be able to abstract from the container host and will actually report their container host's values for the guest, too. | 11:16 |
| tomreyn | guesswhat: ^ | 11:16 |
| === lotuspsychje_ is now known as lotuspsychje | ||
| guesswhat | i just saw a peak to 40% in iowait ..., but blkio rw is okish, maybe netio ? i am running web scraper in these containers, maybe each process ( client waiting for response ) is actually in waiting state not consuming cpu | 11:20 |
| ahasenack | waveform: hi, do you have any tpm2 chip/add-on recommendations for the pi3 and pi4? | 13:42 |
| ogra | lol | 13:50 |
| ogra | the TPM implementations you could attach to a pi (have to) use insecure bus connections... so using tpm on a pi in general is rather a training exercise but wont give you any secure setup | 13:52 |
| ogra | IIRC there are TPM chips to be attached via I2C or some such ... but you can easily sniff the keys off the bus then | 13:53 |
| ogra | (this is also the reason we do ot support such a setup on pi's with any official products) | 13:54 |
| waveform | ahasenack, basically no for the reasons ogra's mentioned | 13:55 |
| ogra | if you want to use it anyway for training, testing or whatnot, there is the SLB9670 availabe with RPi pin setup which then attaches via SPI bus ... but dont use it in production ... | 13:58 |
| ahasenack | it was mostly to experiment with it, assuming that some future board would have the tpm chip properly soldered/implemented | 13:58 |
| patdk-lap | insecure bus connections? what is a secure bus connection? | 13:59 |
| ahasenack | but I heard about arm "zones" | 13:59 |
| ahasenack | so maybe a pi4 will never have a tpm chip | 13:59 |
| ogra | patdk-lap, direct integration into the SoC | 13:59 |
| patdk-lap | you can always sniff any bus, no bus is secure | 13:59 |
| patdk-lap | hmm, I have not seen that with a tpm anywhere and that isn't secure, just *slightly* more difficult | 14:00 |
| patdk-lap | you just disolve part of the package and attach to the wires | 14:00 |
| ahasenack | I would prefer to play with a pi4+tpm than my real-use-laptop, just in the case I brick it by accident | 14:00 |
| ogra | sligthly, yeah ... you'd have to hire ant-man to attach the probes for you 🙂 | 14:00 |
| waveform | "just" :) | 14:00 |
| patdk-lap | no you wouldn't | 14:00 |
| ahasenack | I know there is swtpm, but still, I would want to use the real thing | 14:00 |
| ogra | the secureboot we offer fr arm in UbuntuCore land is all OPTEE/TrustZone based btw ... i dont think we'll ever support TPM on arm | 14:01 |
| patdk-lap | I have never seen a tpm built into an soc | 14:01 |
| waveform | ahasenack, there was also some issue with separate memory regions for trustzone to operate securely -- I forget the details | 14:02 |
| ahasenack | ogra: how can I poke around these trustzones in a pi4? I was wondering if mine had support for that | 14:02 |
| ogra | it doesnt | 14:02 |
| ahasenack | that explains it :) | 14:02 |
| ogra | dues to the nature of its bootloader | 14:02 |
| ogra | (the g | 14:02 |
| ogra | bah | 14:02 |
| ogra | (the proprietary GPU driver is the bootloader ...) | 14:03 |
| waveform | my vague recollection was the trustzone implementation is there because it was a base part of the ISA (I may be wrong about that) but there was some issue about not having secured memory for it ... ah, this seems perhaps pertinent: https://forums.raspberrypi.com/viewtopic.php?t=311331 | 14:03 |
| ogra | on a Pi the ARM never boots on its own ... the HW initialized the GPU through the driver ... once that is up, it fires up the ARM | 14:04 |
| ahasenack | ok, so not a good platform to play with that | 14:04 |
| ogra | so the TZ implementation would have to be implemented in the GPU driver by broadcom to make it secure | 14:04 |
| ahasenack | maybe just the tpm addon to play with, then | 14:04 |
| ahasenack | but not for "real" security | 14:05 |
| ogra | use qualcomm or nxp if you want to play with OPTEE and TZ | 14:05 |
| ahasenack | are boards available with those? | 14:05 |
| ahasenack | cheap enough for a user, not a company, to buy? | 14:05 |
| ogra | yeaha, but not at Pi-prices | 14:05 |
| ahasenack | low 3 digits perhaps? | 14:05 |
| ogra | more the latter 🙂 | 14:05 |
| ahasenack | k | 14:06 |
| ogra | low-mid 3 digit prices should be possible | 14:06 |
| ogra | if you look for qualcomm, talk to ondra, he knows that HW in and out (but is also on vac. i think) | 14:07 |
| waveform | incidentally, there is a "secured boot" implementation on the CM4 and 400 (and later revs of the 4? I have some recollection it requires stepping C0 of the 2711) but it's pi-specific (RSA based) | 14:07 |
| waveform | (in other words, if you were experimenting with it in the hopes of learning something relevant to your laptop, it likely wouldn't be) | 14:08 |
| ahasenack | well, both, I would hope there is some commonality | 14:08 |
| ahasenack | but it doesn't have to be about boot only, tpm can be used for many other things | 14:09 |
| ahasenack | that I think would be common between the pi4 and a laptop | 14:09 |
| ogra | yeah, /dev/tmp should be the same after boot | 14:09 |
| ogra | err | 14:09 |
| ogra | tpm | 14:09 |
| ahasenack | and I was wondering if, the moment I attach a tpm dev to the pi4, if the kernel would be able to make those boot measurements and store them in the tpm registers | 14:09 |
| ogra | you will be able to use it after boot for sure | 14:11 |
| ogra | for security during boot you'd need integration with the bootloader though ... which ... again points back to broadcom | 14:12 |
| ogra | (beyond the bus issues) | 14:12 |
| tomreyn | interesting discussion. could you maybe have fTPM on ARM64 SOCs? | 14:14 |
| ahasenack | yeah, found it | 14:15 |
| ahasenack | SLB 9670 TPM 2.0,add-on | 14:15 |
| ahasenack | $29.99 | 14:15 |
| ahasenack | plus $64.26 Shipping & Import Fees Deposit to Brazil | 14:15 |
| tomreyn | :) | 14:15 |
| ogra | wow, shipping is twice the price ! | 14:18 |
| ahasenack | welcome to Br | 14:18 |
| ahasenack | there is a 60% tax on imports | 14:19 |
| ahasenack | including the shipping price | 14:19 |
| patdk-lap | same issues like india? huge import fees to bring in tech into the country? | 14:19 |
| ahasenack | so it's (thing + shipping) * 1.6 | 14:19 |
| tomreyn | unless you buy from the little china shop around the corner? | 14:19 |
| ahasenack | this is the simplified import mechanism | 14:19 |
| ahasenack | everything taxed at 60% | 14:19 |
| ahasenack | if you are a company and want to bring in quantities to resell, there is another process, then it isn't that high (but it's still high) | 14:19 |
| ahasenack | then usually the price only doubles | 14:20 |
| ahasenack | U$ 30 in the US ebcaomes U$ 60 here | 14:20 |
| ahasenack | it used to be (thing)*1.6 + shipping for the import tax calculation | 14:21 |
| ahasenack | but then people started asking shippers to declare the thing as, say, $10,00, and put the rest in the shipping calculation | 14:22 |
| ogra | yeah, i remember seein brazilians at sprints with towers of amazon boxes to circumvent input fees ... | 14:22 |
| ahasenack | yep | 14:22 |
| ogra | towers taller than themselves often enugh 🙂 | 14:22 |
| ahasenack | when you bring it with you on a trip, as luggage, then the tax is 50% over what exceeds U$ 500,00 | 14:22 |
| ahasenack | < U$ 500,00 was tax free | 14:23 |
| ahasenack | is | 14:23 |
| ahasenack | so a U$ 1000,00 laptop becomes (1000 + 500*0.5) = 1250 | 14:23 |
| ahasenack | still cheaper than buying it here, with similar specs (which are not available most of the time) | 14:24 |
| ogra | yeah | 14:24 |
| alireza | I've run a VPN server, and I want to limit the client to have only access to instagram.com , what firewall do you suggest in this case? iptable is not good enough. | 17:47 |
| sdeziel | alireza: you are probably better off setting up a proxy (like squid) and require your clients to use it. This will let you control which domains are reachable at the DNS level rather than IP level as with iptables | 17:49 |
| alireza | I'm trying to connect people from something like china's great wall to Instagram, and I have to use a stronger solution such as Shadowsocks + v2ray protocol. So proxy won't work in my proble | 17:52 |
| alireza | sdeziel: what about csf firewall? is there any better choese? | 17:54 |
| sdeziel | alireza: sorry for not being clear, I'm proposing to use a proxy at the other end of the VPN | 17:55 |
| sdeziel | alireza: in other words, you'd run both a VPN server and a proxy accessible only through the VPN. That proxy would be configured to only give access out to Instagram | 17:55 |
| ahasenack | does anybody recall why in ubuntu we don't have the [homes] samba share enabled by default? It's a delta we have with debian: https://pastebin.ubuntu.com/p/FmkZXNVCqx/ | 18:04 |
| ahasenack | that change was made in 2013 for trusty, as far as I can see | 18:04 |
| ahasenack | I was wondering if it's because until recently the /home/$USER directory in ubuntu was 0755 (world readable)? | 18:04 |
| alireza | I'm using this configuration to create WebSocket from the Nginx request to the Shadowsocks service (kinda proxy service for China's great wall). However, I want to limit the clients to only having access to the Instagram application and deny any other requests. So in this method, the clients won't have access to another website through My free VPN. My current configuration is: https://paste.ofcode.org/39D7QMtbyFHzHh4k75p8tzy | 18:42 |
| === ahasenack_ is now known as ahasenack | ||
| znf | Screw that guy that made the new server installer | 20:34 |
| znf | Worst decision ever | 20:34 |
| mybalzitch | I haven't seen it lately | 21:13 |
| mybalzitch | I wasn't a fan of the buttons in the new desktop installer | 21:14 |
| znf | I've made the auto-installer crap | 21:24 |
| znf | but once I install it, I can not log in :) | 21:24 |
| znf | god damn junk | 21:32 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!