Testing report for Core Update 132

Testing report for Core Update 132

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2101 bytes --]

Hello all,

after testing too little in the past months, I am hereby
trying to catch up for announced Core Update 132.

Most services are running as expected:
- IPsec
- OpenVPN (tested with RW connections only)
- DDNS
- Squid (non-transparent, including upstream proxy)
- Suricata (IPS mode, activated on all interfaces)

Tor suffers from missing libseccomp dependency and a permission
bug (see #12088), but starts correctly after installing the
library and fixing /var/lib/tor permissions manually.

I can confirm IDS rulesets download works in combination
with an upstream proxy now (tested with Emerging Threats).

Suricata seems to drop some packets (as internal connections
sometimes take ages to establish), but does not log anything.
This requires some further investigation, and it is kind
of an evident-missing blame at the moment.

Talking about the <sarcasm>all-new-and-improved Intel CPU vulnerabilities</sarcasm>,
disabling SMT automatically seems to work:

> [root(a)maverick ~]# grep . /sys/devices/system/cpu/vulnerabilities/*
> /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
> /sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT disabled
> /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected
> /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

(CPU is an Intel Celeron N3150 4x 1.60 GHz .)

However, the new WebUI CGI is partly missing German translations,
and claims "Simultaneous Multi-Threading (SMT) is not supported". The
latter is confusing, as the system states the opposite.

Talking about aesthetics, the CGI is a bit messy, but that
is not a functionality problem and might be fixed in an upcoming
update.

Thanks, and best regards,
Peter Müller
-- 
The road to Hades is easy to travel.
	-- Bion of Borysthenes

Re: Testing report for Core Update 132

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2621 bytes --]

Hi,

> On 27 May 2019, at 21:26, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello all,
> 
> after testing too little in the past months, I am hereby
> trying to catch up for announced Core Update 132.

Cool!

> 
> Most services are running as expected:
> - IPsec
> - OpenVPN (tested with RW connections only)
> - DDNS
> - Squid (non-transparent, including upstream proxy)
> - Suricata (IPS mode, activated on all interfaces)
> 
> Tor suffers from missing libseccomp dependency and a permission
> bug (see #12088), but starts correctly after installing the
> library and fixing /var/lib/tor permissions manually.
> 
> I can confirm IDS rulesets download works in combination
> with an upstream proxy now (tested with Emerging Threats).
> 
> Suricata seems to drop some packets (as internal connections
> sometimes take ages to establish), but does not log anything.
> This requires some further investigation, and it is kind
> of an evident-missing blame at the moment.

Yes. I am aware of this and we have a ticket for it:

  https://bugzilla.ipfire.org/show_bug.cgi?id=12078

> 
> Talking about the <sarcasm>all-new-and-improved Intel CPU vulnerabilities</sarcasm>,
> disabling SMT automatically seems to work:
> 
>> [root(a)maverick ~]# grep . /sys/devices/system/cpu/vulnerabilities/*
>> /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
>> /sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT disabled
>> /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
>> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected
>> /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
>> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

You got a royal flush there. Almost hit them all.

> (CPU is an Intel Celeron N3150 4x 1.60 GHz .)
> 
> However, the new WebUI CGI is partly missing German translations,
> and claims "Simultaneous Multi-Threading (SMT) is not supported". The
> latter is confusing, as the system states the opposite.

This is what we get from the kernel.

> Talking about aesthetics, the CGI is a bit messy, but that
> is not a functionality problem and might be fixed in an upcoming
> update.

Yes I know. I mentioned I did this as quickly as possible to make the release. Please send in patches :)

-Michael

> 
> Thanks, and best regards,
> Peter Müller
> -- 
> The road to Hades is easy to travel.
> 	-- Bion of Borysthenes