Adolf Belka [Tue, 21 Jun 2022 18:52:24 +0000 (20:52 +0200)]
xfsprogs: Update to version 5.18.0
- Update from version 5.16.0 to 5.18.0
- Update of rootfile not required
- Changelog
Release v5.18.0
xfsprogs: more autoconf modernisation
Release v5.18.0-rc1
mkfs: Fix memory leak
xfsprogs: autoconf modernisation
xfs_io: add a quiet option to bulkstat
metadump: be careful zeroing corrupt inode forks
metadump: handle corruption errors without aborting
xfs_db: take BB cluster offset into account when using 'type' cmd
xfs_scrub: don't revisit scanned inodes when reprocessing a stale inode
xfs_scrub: balance inode chunk scan across CPUs
xfs_scrub: prepare phase3 for per-inogrp worker threads
xfs_scrub: widen action list length variables
xfs_scrub: in phase 3, use the opened file descriptor for repair calls
xfs_scrub: make phase 4 go straight to fstrim if nothing to fix
xfs_scrub: don't try any file repairs during phase 3 if AG metadata bad
xfs_scrub: fall back to scrub-by-handle if opening handles fails
xfs_scrub: in phase 3, use the opened file descriptor for scrub calls
xfs_scrub: collapse trivial file scrub helpers
xfs_repair: check the ftype of dot and dotdot directory entries
xfs_repair: improve error reporting when checking rmap and refcount btrees
xfs_repair: detect v5 featureset mismatches in secondary supers
mkfs: don't trample the gid set in the protofile
mkfs: round log size down if rounding log start up causes overflow
mkfs: improve log extent validation
mkfs: don't let internal logs bump the root dir inode chunk to AG 1
mkfs: reduce internal log size when log stripe units are in play
mkfs: fix missing validation of -l size against maximum internal log size
xfs_repair: fix sizing of the incore rt space usage map calculation
xfs_db: report absolute maxlevels for each btree type
xfs_db: support computing btheight for all cursor types
xfs_repair: warn about suspicious btree levels in AG headers
xfs_db: warn about suspicious finobt trees when metadumping
xfs: note the removal of XFS_IOC_FSSETDM in the documentation
xfs_db: fix a complaint about a printf buffer overrun
xfs_scrub: move to mallinfo2 when available
debian: support multiarch for libhandle
debian: bump compat level to 11
debian: refactor common options
Release v5.18.0-rc0
mm/fs: delete PF_SWAPWRITElibxfs-5.18-sync
xfs: document the XFS_ALLOC_AGFL_RESERVE constant
xfs: constify xfs_name_dotdot
xfs: constify the name argument to various directory functions
xfs: remove the XFS_IOC_{ALLOC,FREE}SP* definitions
xfs: remove the XFS_IOC_FSSETDM definitions
xfs: pass the mapping flags to xfs_bmbt_to_iomap
Release v5.16.0
libxfs: remove kernel stubs from xfs_shared.h
debian: Generate .gitcensus instead of .census (Closes: #999743)
Release v5.16.0-rc0
xfs: Fix the free logic of state in xfs_attr_node_hasname
xfs: #ifdef out perag code for userspace
xfs: use swap() to make dabtree code cleaner
xfs: remove unused parameter from refcount code
xfs: reduce the size of struct xfs_extent_free_item
xfs: rename xfs_bmap_add_free to xfs_free_extent_later
xfs: create slab caches for frequently-used deferred items
xfs: compact deferred intent item structures
xfs: rename _zone variables to _cache
xfs: remove kmem_zone typedef
xfs: use separate btree cursor cache for each btree type
xfs: compute absolute maximum nlevels for each btree type
xfs: kill XFS_BTREE_MAXLEVELS
xfs_repair: stop using XFS_BTREE_MAXLEVELS
xfs_db: stop using XFS_BTREE_MAXLEVELS
xfs: compute the maximum height of the rmap btree when reflink enabled
xfs: clean up xfs_btree_{calc_size,compute_maxlevels}
xfs: compute maximum AG btree height for critical reservation calculation
xfs: rename m_ag_maxlevels to m_allocbt_maxlevels
xfs: dynamically allocate cursors based on maxlevels
xfs: encode the max btree height in the cursor
xfs: refactor btree cursor allocation function
xfs: rearrange xfs_btree_cur fields for better packing
xfs: prepare xfs_btree_cur for dynamic cursor heights
xfs: reduce the size of nr_ops for refcount btree cursors
xfs: remove xfs_btree_cur.bc_blocklog
xfs: fix perag reference leak on iteration race with growfs
xfs: terminate perag iteration reliably on agcount
xfs: rename the next_agno perag iteration variable
xfs: fold perag loop iteration logic into helper function
xfs: remove the xfs_dqblk_t typedef
xfs: remove the xfs_dsb_t typedef
xfs: remove the xfs_dinode_t typedef
xfs: check that bc_nlevels never overflows
xfs: remove xfs_btree_cur_t typedef
xfs: fix maxlevels comparisons in the btree staging code
xfs: port the defer ops capture and continue to resource capture
xfs: formalize the process of holding onto resources across a defer roll
xfs: use kmem_cache_free() for kmem_cache objects
xfs_repair: fix AG header btree level comparisons
xfs_db: fix metadump level comparisons
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Fri, 24 Jun 2022 21:58:57 +0000 (23:58 +0200)]
general-functions.pl: Fix for bug #12865 - Static IP address pools - Add network - Name wit>
- The fix for bug #12428 removed spaces from the validhostname subroutine as hostnames are
not supposed to have spaces
- This resulted in spaces no longer being allowed for the Static IP Address Pools names
- New subroutine created called validccdname. This allows letters, upper and lower case,
numbers, spaces and dashes
Fixes: Bug #12865 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 24 Jun 2022 21:58:56 +0000 (23:58 +0200)]
ovpnmain.cgi: Fix for bug #12865 - Static IP address pools - Add network - Name with space
- The fix for bug #12428 removed spaces from the validhostname subroutine as hostnames are
not supposed to have spaces
- This resulted in spaces no longer being allowed for the Static IP Address Pools names
- New subroutine created called validccdname in general-functions.pl
Fixes: Bug #12865 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 24 Jun 2022 12:14:26 +0000 (14:14 +0200)]
python3-msgpack: Required for build and execution of borgbackup 1.2.0
- New python module required for borgbackup. In borgbackup version 1.1.18 or 1.1.19
the old bundled msgpack in borgbackup was removed and a specified version range
of python3-msgpack required.
- This patch adds the lfs and rootfiles for this module
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 24 Jun 2022 12:14:24 +0000 (14:14 +0200)]
borgbackup: Fix bug #12884 - borgbackup 1.2.0 crashes on running any borg command
- When borgbackup was upgraded from version 1.1.17 to 1.2.0 the build was sucessfully
completed but there was no testing feedback till after full release. It turned out
that it did not successfully run.
- python3-packaging which had been installed for the build of borgbackup needed to also
be available for the execution.
- When borgbackup was upgraded to 1.2.0 it was noticed that the old python3-msgpack was
no longer needed as borgbackup used its own bundled msgpack since around version 1.1.10
What was not seen was that in version 1.1.19 or 1.1.18 the bundled version of msgpack
had been removed and that the newer version of python3-msgpack now needed to be
installed but the version number has to meet the borgbackup requirements which currently
require it to be =<1.0.3
- This patch adds the python3-packaging and python3-msgpack modules as dependencies for
borgbackup
- The egg-info files are uncommented in the rootfile so that the borgbackup metadata can
be found by python.
- The updated borgbackup build together with the python3-packaging and python3-msgpack
modules were installed into a vm system using the .ipfire packages.
Successfully initialised a borgbackup repo and ran two backups to the repo and checked
the stats for the backup. Everything ran fine.
Fixes: Bug #12884 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 22 Jun 2022 20:22:36 +0000 (22:22 +0200)]
ovpnmain.cgi: Fix for bug #12883 - separate .p12 file corrupted
- Patch https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=2feacd989823aa1dbd5844c315a9abfd49060487
from May 2021 put the variable containing the .p12 content into double quotes which
causes the contents to be treated as text whereas the .p12 file is an application file.
- Most people must be downloading the zip package of .p12, ovpn.conf and ta.key files so
the problem was not noticed till now and flagged up in the forum.
https://community.ipfire.org/t/openvpn-p12-password-on-android-problem/8127
- The problem does not occur for the .p12 file in the zip file as the downloading of the
zip file does not have the variable name in double quotes.
- Putting the zip file variable into double quotes caused the downloaded zip file to be
corrupt and not able to be opened as an archive.
- Removing the double quotes from the .p12 variable name caused the separate .p12 file
download to be able to be correctly opened.
- The same quoted variable name is used also for the cacert.pem, cert.pem, servercert.pem
and ta.key file downloads. To be consistent the same change has been applied to these.
Fixes: Bug #2883 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Jon Murphy [Fri, 27 May 2022 00:40:31 +0000 (19:40 -0500)]
Ship NTP changes
- Device time more accurate. (e.g., +/- 10 seconds per day to < 100 ms on some devices)
( I know we don't need the perfect time server )
- NTP and time will be accurate in manual mode (setting on Time Server > NTP Configuration WebGUI)
- Change NTP "prefer" server:
- The current preferred NTP server in an Undisciplined Local Clock.
- This is intended when no outside source of synchronized time is available.
- Change the "prefer" server from 127.127.1.0 to the Primary NTP server specified on
the Time Server > NTP Configuration WebGUI page.
- Change allows the drift file (located at /etc/ntp/drift) to be populated by ntpd.
- The drift file is updated about once per hour which helps correct the device time.
Peter Müller [Sun, 19 Jun 2022 09:41:05 +0000 (09:41 +0000)]
Tor: Update to 0.4.7.8
Changes in version 0.4.7.8 - 2022-06-17
This version fixes several bugfixes including a High severity security issue
categorized as a Denial of Service. Everyone running an earlier version
should upgrade to this version.
o Major bugfixes (congestion control, TROVE-2022-001):
- Fix a scenario where RTT estimation can become wedged, seriously
degrading congestion control performance on all circuits. This
impacts clients, onion services, and relays, and can be triggered
remotely by a malicious endpoint. Tracked as CVE-2022-33903. Fixes
bug 40626; bugfix on 0.4.7.5-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 17, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/06/17.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow the rseq system call in the sandbox. This solves a crash
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
40601; bugfix on 0.3.5.11.
o Minor bugfixes (logging):
- Demote a harmless warn log message about finding a second hop to
from warn level to info level, if we do not have enough
descriptors yet. Leave it at notice level for other cases. Fixes
bug 40603; bugfix on 0.4.7.1-alpha.
- Demote a notice log message about "Unexpected path length" to info
level. These cases seem to happen arbitrarily, and we likely will
never find all of them before the switch to arti. Fixes bug 40612;
bugfix on 0.4.7.5-alpha.
o Minor bugfixes (relay, logging):
- Demote a harmless XOFF log message to from notice level to info
level. Fixes bug 40620; bugfix on 0.4.7.5-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Thu, 16 Jun 2022 21:31:59 +0000 (23:31 +0200)]
samba: Ship with CU169
- samba is linked to liblber from openldap. openldap was updated in CU168 but
I missed that samba had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap
rootfile it is clear that an sobump occurred.
- This patch increments the samba PAK_VER so that it will be shipped and therefore
have the library links updated.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 16 Jun 2022 21:16:36 +0000 (23:16 +0200)]
netatalk: Ship with CU169 - Fixes bug #12878
- netatalk is linked to liblber from openldap. openldap was updated in CU168 but
I missed that netatalk had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap
rootfile it is clear that an sobump occurred.
- This patch increments the netatalk PAK_VER so that it will be shipped and therefore
have the library links updated.
Fixes: Bug #12878 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 16 Jun 2022 21:31:59 +0000 (23:31 +0200)]
samba: Ship with CU169
- samba is linked to liblber from openldap. openldap was updated in CU168 but
I missed that samba had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap
rootfile it is clear that an sobump occurred.
- This patch increments the samba PAK_VER so that it will be shipped and therefore
have the library links updated.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 16 Jun 2022 21:16:36 +0000 (23:16 +0200)]
netatalk: Ship with CU169 - Fixes bug #12878
- netatalk is linked to liblber from openldap. openldap was updated in CU168 but
I missed that netatalk had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap
rootfile it is clear that an sobump occurred.
- This patch increments the netatalk PAK_VER so that it will be shipped and therefore
have the library links updated.
Fixes: Bug #12878 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Timo Eissler [Tue, 7 Jun 2022 15:53:23 +0000 (17:53 +0200)]
openvpn-authenticator: Change event and environment handling
Move reading of environment in it's own function because not all
events have a ENV block following and thus always reading the ENV
will cause RuntimeError("Unexpected environment line ...").
Michael Tremer [Wed, 4 May 2022 13:46:41 +0000 (14:46 +0100)]
openvpn-2fa: Import a prototype of an authenticator
This script runs aside of OpenVPN and connects to the management socket.
On the socket, OpenVPN will post any new clients trying to authenticate
which will be handled by the authenticator.
If a client has 2FA enabled, it will be challanged for the current token
which will then be checked in a second pass.
Clients which do not have 2FA enabled will just be authenticated no
matter what and tls-verify will have handled the rest.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Timo Eissler [Fri, 8 Apr 2022 08:50:20 +0000 (10:50 +0200)]
OpenVPN: Add support for 2FA / One-Time Password
Add two-factor authentication (2FA) to OpenVPN host connections with
one-time passwords.
The 2FA can be enabled or disabled per host connection and requires the
client to download it's configuration again after 2FA has beend enabled
for it.
Additionally the client needs to configure an TOTP application, like
"Google Authenticator" which then provides the second factor.
To faciliate this every connection with enabled 2FA
gets an "show qrcode" button after the "show file" button in the
host connection list to show the 2FA secret and an 2FA configuration QRCode.
When 2FA is enabled, the client needs to provide the second factor plus
the private key password (if set) to successfully authorize.
This only supports time based one-time passwords, TOTP with 30s
window and 6 digits, for now but we may update this in the future.
Signed-off-by: Timo Eissler <timo.eissler@ipfire.org>