From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id aMEzL1LSZ1/DLgAA0tVLHw (envelope-from ) for ; Sun, 20 Sep 2020 22:06:10 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id KMMHK1LSZ1+SLAAAbx9fmQ (envelope-from ) for ; Sun, 20 Sep 2020 22:06:10 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 1E2A49404C2 for ; Sun, 20 Sep 2020 22:06:10 +0000 (UTC) Received: from localhost ([::1]:45048 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kK7TE-0004lS-Lz for larch@yhetil.org; Sun, 20 Sep 2020 18:06:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:34010) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kK7T8-0004lK-Ci for guix-patches@gnu.org; Sun, 20 Sep 2020 18:06:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:41335) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1kK7T8-0006XO-48 for guix-patches@gnu.org; Sun, 20 Sep 2020 18:06:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1kK7T7-0001Bf-Vd for guix-patches@gnu.org; Sun, 20 Sep 2020 18:06:01 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#43540] [PATCH] Instantiate nscd in each system container instead of using the container host's service. Resent-From: Jason Conroy Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 20 Sep 2020 22:06:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 43540 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 43540@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.16006395504542 (code B ref -1); Sun, 20 Sep 2020 22:06:01 +0000 Received: (at submit) by debbugs.gnu.org; 20 Sep 2020 22:05:50 +0000 Received: from localhost ([127.0.0.1]:52881 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kK7Sw-0001BB-1K for submit@debbugs.gnu.org; Sun, 20 Sep 2020 18:05:50 -0400 Received: from lists.gnu.org ([209.51.188.17]:39712) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kK7Ss-0001B1-79 for submit@debbugs.gnu.org; Sun, 20 Sep 2020 18:05:48 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33976) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kK7Ss-0004lD-3H for guix-patches@gnu.org; Sun, 20 Sep 2020 18:05:46 -0400 Received: from mail-ed1-x52e.google.com ([2a00:1450:4864:20::52e]:36126) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1kK7So-0006RC-Tw for guix-patches@gnu.org; Sun, 20 Sep 2020 18:05:45 -0400 Received: by mail-ed1-x52e.google.com with SMTP id w1so11038858edr.3 for ; Sun, 20 Sep 2020 15:05:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=T046CT9BClv4MJxy/xIFoZGvyAImMd7rl8FGmsij+to=; b=Pkmm4PIKttz/u58EEetQiPrM4vLfzAvi7XWNWUARicEOCGjHrYk4m44tROcRPp18AJ +Pk3juXKEu6XP1cBvirCSmmBQJ1r2bwKyjCAPkLzHMGy0EegPY/XkCCCQw2mJJS4NG20 FrJaEJ8IP8SdBIB24Mhc7Yo7PXEmc3A99w5VUYA58m/05r+9v0lyi3NgCFWiCdZ8k785 kH/Z492hmSez+Ukzu9Gl5nszxPQozssXYv4ZCZSktbSey9Q09whnkzHvJh96vrjkq2tu 0EoLfaniZFlJXThoxxy0Zpcn/bqhnZKLWYqCwsQJjU39/H+a0S9s6KdYooQvVJGdRGju GSFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=T046CT9BClv4MJxy/xIFoZGvyAImMd7rl8FGmsij+to=; b=kBTnSzcT9p61HBkJ3+oSbLh7Fm7bbimL5JAKr1N7qGkPwj1V5d4BWhKYRm/o8lTrtG G8J+/WQ3Dxsa3r9XH+xNq8QxKL0YOEs6g5UfLYW3XgqMcsgCwoHtq8g8x9YJvXkUYYig 3vuTDJrDSJUbPCqn35gWVDHc751eFD4roviV4+XuZ/Zl+7yObihuteWFsbHy30axueMT u9qcqimXOHEhhsoE4LgNDABMeullWZbqMF9pWet/5s5eNNT86FUD/s7zPtjgwyDptl3B W9FJFERqi2o4MBhkghR7AGpQprg42kZHG6phebL1rFPVpekt/7o2nIBcguk4cba5fbng QTtQ== X-Gm-Message-State: AOAM530WQMYzNaAT2DBvqkVEavpm1pgEvAX+zMgMmTgCZ1ge9r7ECcr3 lONSIIcLFBocmK8npdgmu+w1LmcLwSV+WcTGt6yzFJlT X-Google-Smtp-Source: ABdhPJwxXnnuR0Lv21mEGdHc7QLs617XzR2U3Z0HTY8cLpTMbj49aTZ6+UEEplIt2CiuY7SSwTJKq0vqj2O3JrKDtMI= X-Received: by 2002:a50:dec7:: with SMTP id d7mr13221119edl.212.1600639538542; Sun, 20 Sep 2020 15:05:38 -0700 (PDT) MIME-Version: 1.0 From: Jason Conroy Date: Sun, 20 Sep 2020 18:05:02 -0400 Message-ID: Content-Type: multipart/mixed; boundary="0000000000001bde2905afc5efba" Received-SPF: pass client-ip=2a00:1450:4864:20::52e; envelope-from=conjaroy@gmail.com; helo=mail-ed1-x52e.google.com X-detected-operating-system: by eggs.gnu.org: No matching host in p0f cache. That's all we know. X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: 0.3 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-Spam-Score: -2.3 (--) X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=fail (body hash did not verify) header.d=gmail.com header.s=20161025 header.b=Pkmm4PIK; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Spam-Score: 1.59 X-TUID: 6SnJxgubQiat --0000000000001bde2905afc5efba Content-Type: multipart/alternative; boundary="0000000000001bde2605afc5efb8" --0000000000001bde2605afc5efb8 Content-Type: text/plain; charset="UTF-8" Hello Guix, Currently, Guix system containers hosted on machines that run nscd are configured to use that daemon's socket by bind-mounting /var/run/nscd into the container's filesystem. As discussed in bug#41575, there are certain nscd configurations that expose information from the host's /etc files into the container's processes, and aside from the security implications, this exposure can lead to anomalous behavior inside the containers, including failure to boot. The following patch gives each container a private nscd instance. While Guix's default nscd configuration caches pretty aggressively (for hostnames, up to 32MB with a 12h TTL), the per-container nscd uses a smaller cache size of 256kB, which means that the overhead of this change should be modest even on systems with many containers. This patch has been lightly tested by verifying the following: - `make check` and `guix pull` - successful boot and operation of a system container - presence of nscd in the container - correct cache sizes in nscd.conf Per my employer's guidelines for OSS contributors, this patch contains: - My corporate email address in the "From" line - My employer listed as copyright holder (this has already been cleared with Ludo') Thanks! Jason --0000000000001bde2605afc5efb8 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hello Guix,

Currently, G= uix system containers hosted on machines that run nscd are configured to us= e that daemon's socket by bind-mounting /var/run/nscd into the containe= r's filesystem. As discussed in bug#41575, there are certain nscd confi= gurations that expose information from the host's /etc files into the c= ontainer's processes, and aside from the security implications, this ex= posure can lead to anomalous behavior inside the containers, including fail= ure to boot.

The following patch gives each contai= ner a private nscd instance. While Guix's default nscd configuration c= aches pretty aggressively (for hostnames, up to 32MB with a 12h TTL), the p= er-container nscd uses a smaller cache size of 256kB, which means that the = overhead of this change should be modest even on systems with many containe= rs.

This patch has been lightly tested by veri= fying the following:

- `make check` and `guix pull= `
- successful boot and operation of a system container
=
- presence of nscd in the container
- correct cache sizes in= nscd.conf

Per my employer's guidelines fo= r OSS contributors, this patch contains:

- My corp= orate email address in the "From" line
- My employer li= sted as copyright holder (this has already been cleared with Ludo')

Thanks!

Jason

=
--0000000000001bde2605afc5efb8-- --0000000000001bde2905afc5efba Content-Type: application/x-patch; name="one-nscd-per-container.patch" Content-Disposition: attachment; filename="one-nscd-per-container.patch" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_kfa9l4z50 RnJvbSBiYTQ4YmMwN2VlMzY4MWQxNDljNGJlMjI1NWE2NzI0NTE2MDhiZDY0IE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBKYXNvbiBDb25yb3kgPGpjb25yb3lAZ29vZ2xlLmNvbT4KRGF0 ZTogVHVlLCAxNSBTZXAgMjAyMCAyMzowODo1MyAtMDQwMApTdWJqZWN0OiBbUEFUQ0hdIEluc3Rh bnRpYXRlIG5zY2QgaW4gZWFjaCBzeXN0ZW0gY29udGFpbmVyIGluc3RlYWQgb2YgdXNpbmcKIHRo ZSBjb250YWluZXIgaG9zdCdzIHNlcnZpY2UuCgotLS0KIGdudS9zeXN0ZW0vZmlsZS1zeXN0ZW1z LnNjbSAgICB8ICA4ICsrLS0tCiBnbnUvc3lzdGVtL2xpbnV4LWNvbnRhaW5lci5zY20gfCA2NSAr KysrKysrKysrKysrKysrKysrKysrKystLS0tLS0tLS0tCiAyIGZpbGVzIGNoYW5nZWQsIDQ5IGlu c2VydGlvbnMoKyksIDI0IGRlbGV0aW9ucygtKQoKZGlmZiAtLWdpdCBhL2dudS9zeXN0ZW0vZmls ZS1zeXN0ZW1zLnNjbSBiL2dudS9zeXN0ZW0vZmlsZS1zeXN0ZW1zLnNjbQppbmRleCA1YzAyZGZh YzkzLi40NjRlODdjYjE4IDEwMDY0NAotLS0gYS9nbnUvc3lzdGVtL2ZpbGUtc3lzdGVtcy5zY20K KysrIGIvZ251L3N5c3RlbS9maWxlLXN5c3RlbXMuc2NtCkBAIC0xLDUgKzEsNiBAQAogOzs7IEdO VSBHdWl4IC0tLSBGdW5jdGlvbmFsIHBhY2thZ2UgbWFuYWdlbWVudCBmb3IgR05VCiA7OzsgQ29w eXJpZ2h0IMKpIDIwMTMsIDIwMTQsIDIwMTUsIDIwMTYsIDIwMTcsIDIwMTgsIDIwMTksIDIwMjAg THVkb3ZpYyBDb3VydMOocyA8bHVkb0BnbnUub3JnPgorOzs7IENvcHlyaWdodCDCqSAyMDIwIEdv b2dsZSBMTEMKIDs7OyBDb3B5cmlnaHQgwqkgMjAyMCBKYWt1YiBLxIVkemlvxYJrYSA8a3ViYUBr YWR6aW9sa2EubmV0PgogOzs7IENvcHlyaWdodCDCqSAyMDIwIE1heGltIENvdXJub3llciA8bWF4 aW0uY291cm5veWVyQGdtYWlsLmNvbT4KIDs7OwpAQCAtNTkwLDExICs1OTEsOCBAQCBhIGJpbmQg bW91bnQuIgogICAgICAgICAgICAgICAgICA7OyBYWFg6IE9uIHNvbWUgR05VL0xpbnV4IHN5c3Rl bXMsIC9ldGMvcmVzb2x2LmNvbmYgaXMgYQogICAgICAgICAgICAgICAgICA7OyBzeW1saW5rIHRv IGEgZmlsZSBpbiBhIHRtcGZzIHdoaWNoLCBmb3IgYW4gdW5rbm93biByZWFzb24sCiAgICAgICAg ICAgICAgICAgIDs7IGNhbm5vdCBiZSBiaW5kIG1vdW50ZWQgcmVhZC1vbmx5IHdpdGhpbiB0aGUg Y29udGFpbmVyLgotICAgICAgICAgICAgICAgICA7OyBUaGUgc2FtZSBnb2VzIHdpdGggL3Zhci9y dW4vbnNjZCwgYXMgZGlzY3Vzc2VkIGluCi0gICAgICAgICAgICAgICAgIDs7IDxodHRwczovL2J1 Z3MuZ251Lm9yZy8zNzk2Nz4uCi0gICAgICAgICAgICAgICAgICh3cml0YWJsZT8gKG9yIChzdHJp bmc9PyBmaWxlICIvZXRjL3Jlc29sdi5jb25mIikKLSAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgKHN0cmluZz0/IGZpbGUgIi92YXIvcnVuL25zY2QiKSkpKSkKLSAgICAgICAgICAgICAg KGNvbnMgIi92YXIvcnVuL25zY2QiICVuZXR3b3JrLWNvbmZpZ3VyYXRpb24tZmlsZXMpKSkKKyAg ICAgICAgICAgICAgICAgKHdyaXRhYmxlPyAoc3RyaW5nPT8gZmlsZSAiL2V0Yy9yZXNvbHYuY29u ZiIpKSkpCisgICAgICAgICAgICAgICVuZXR3b3JrLWNvbmZpZ3VyYXRpb24tZmlsZXMpKQogCiAo ZGVmaW5lIChmaWxlLXN5c3RlbS10eXBlLXByZWRpY2F0ZSB0eXBlKQogICAiUmV0dXJuIGEgcHJl ZGljYXRlIHRoYXQsIHdoZW4gcGFzc2VkIGEgZmlsZSBzeXN0ZW0sIHJldHVybnMgI3QgaWYgdGhh dCBmaWxlCmRpZmYgLS1naXQgYS9nbnUvc3lzdGVtL2xpbnV4LWNvbnRhaW5lci5zY20gYi9nbnUv c3lzdGVtL2xpbnV4LWNvbnRhaW5lci5zY20KaW5kZXggYzVlMmU0YmY5Yy4uYWUxZWExZmIzMSAx MDA2NDQKLS0tIGEvZ251L3N5c3RlbS9saW51eC1jb250YWluZXIuc2NtCisrKyBiL2dudS9zeXN0 ZW0vbGludXgtY29udGFpbmVyLnNjbQpAQCAtMyw2ICszLDcgQEAKIDs7OyBDb3B5cmlnaHQgwqkg MjAxNiwgMjAxNywgMjAxOSwgMjAyMCBMdWRvdmljIENvdXJ0w6hzIDxsdWRvQGdudS5vcmc+CiA7 OzsgQ29weXJpZ2h0IMKpIDIwMTkgQXJ1biBJc2FhYyA8YXJ1bmlzYWFjQHN5c3RlbXJlYm9vdC5u ZXQ+CiA7OzsgQ29weXJpZ2h0IMKpIDIwMjAgRWZyYWltIEZsYXNobmVyIDxlZnJhaW1AZmxhc2hu ZXIuY28uaWw+Cis7OzsgQ29weXJpZ2h0IMKpIDIwMjAgR29vZ2xlIExMQwogOzs7CiA7OzsgVGhp cyBmaWxlIGlzIHBhcnQgb2YgR05VIEd1aXguCiA7OzsKQEAgLTc3LDYgKzc4LDIxIEBAIGRvaW5n IGFueXRoaW5nLiIpCiAgICAgICAgICAgIChzdGFydCAjfihjb25zdCAjdCkpKSkKICAgICNmKSkK IAorKGRlZmluZSAlbnNjZC1jb250YWluZXItY2FjaGVzCisgIDs7IFNpbWlsYXIgdG8gJW5zY2Qt ZGVmYXVsdC1jYWNoZXMgYnV0IHdpdGggc21hbGxlciBjYWNoZSBzaXplcy4gVGhpcyBhbGxvd3MK KyAgOzsgbWFueSBjb250YWluZXJzIHRvIGNvZXhpc3Qgb24gdGhlIHNhbWUgbWFjaGluZSB3aXRo b3V0IGV4aGF1c3RpbmcgUkFNLgorICAobGlzdCAobnNjZC1jYWNoZSAoZGF0YWJhc2UgJ2hvc3Rz KQorICAgICAgICAgICAgICAgICAgICAocG9zaXRpdmUtdGltZS10by1saXZlICgqIDM2MDAgMTIp KQorICAgICAgICAgICAgICAgICAgICAobmVnYXRpdmUtdGltZS10by1saXZlIDIwKQorICAgICAg ICAgICAgICAgICAgICAocGVyc2lzdGVudD8gI3QpCisgICAgICAgICAgICAgICAgICAgIChtYXgt ZGF0YWJhc2Utc2l6ZSAoZXhwdCAyIDE4KSkpCisgICAgICAgIChuc2NkLWNhY2hlIChkYXRhYmFz ZSAnc2VydmljZXMpCisgICAgICAgICAgICAgICAgICAgIChwb3NpdGl2ZS10aW1lLXRvLWxpdmUg KCogMzYwMCAyNCkpCisgICAgICAgICAgICAgICAgICAgIChuZWdhdGl2ZS10aW1lLXRvLWxpdmUg MzYwMCkKKyAgICAgICAgICAgICAgICAgICAgKGNoZWNrLWZpbGVzPyAjdCkgICA7Y2hlY2sgL2V0 Yy9zZXJ2aWNlcyBjaGFuZ2VzCisgICAgICAgICAgICAgICAgICAgIChwZXJzaXN0ZW50PyAjdCkK KyAgICAgICAgICAgICAgICAgICAgKG1heC1kYXRhYmFzZS1zaXplIChleHB0IDIgMTgpKSkpKQor CiAoZGVmaW5lKiAoY29udGFpbmVyaXplZC1vcGVyYXRpbmctc3lzdGVtIG9zIG1hcHBpbmdzCiAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICM6a2V5CiAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNoYXJlZC1uZXR3b3JrPwpAQCAtMTAwLDIy ICsxMTYsMzkgQEAgY29udGFpbmVyaXplZCBPUy4gIEVYVFJBLUZJTEUtU1lTVEVNUyBpcyBhIGxp c3Qgb2YgZmlsZSBzeXN0ZW1zIHRvIGFkZCB0byBPUy4iCiAgICAgKGZpbGUtc3lzdGVtIChpbmhl cml0IChmaWxlLXN5c3RlbS1tYXBwaW5nLT5iaW5kLW1vdW50IGZzKSkKICAgICAgIChuZWVkZWQt Zm9yLWJvb3Q/ICN0KSkpCiAKLSAgKGRlZmluZSB1c2VsZXNzLXNlcnZpY2VzCi0gICAgOzsgU2Vy dmljZXMgdGhhdCBtYWtlIG5vIHNlbnNlIGluIGEgY29udGFpbmVyLiAgVGhvc2UgdGhhdCBhdHRl bXB0IHRvCi0gICAgOzsgYWNjZXNzIC9kZXYvdHR5WzAtOV0gaW4gcGFydGljdWxhciBjYW5ub3Qg d29yayBpbiBhIGNvbnRhaW5lci4KKyAgKGRlZmluZSBzZXJ2aWNlcy10by1kcm9wCisgICAgOzsg U2VydmljZSB0eXBlcyB0byBmaWx0ZXIgZnJvbSB0aGUgb3JpZ2luYWwgb3BlcmF0aW5nLXN5c3Rl bS4gU29tZSBvZgorICAgIDs7IHRoZXNlIG1ha2Ugbm8gc2Vuc2UgaW4gYSBjb250YWluZXIgKGUu Zy4sIHRob3NlIHRoYXQgYWNjZXNzCisgICAgOzsgL2Rldi90dHlbMC05XSksIHdoaWxlIG90aGVy cyBqdXN0IG5lZWQgdG8gYmUgcmVpbnN0YW50aWF0ZWQgd2l0aAorICAgIDs7IGRpZmZlcmVudCBj b25maWdzIHRoYXQgYXJlIGJldHRlciBzdWl0ZWQgdG8gY29udGFpbmVycy4KICAgICAoYXBwZW5k IChsaXN0IGNvbnNvbGUtZm9udC1zZXJ2aWNlLXR5cGUKICAgICAgICAgICAgICAgICAgIG1pbmdl dHR5LXNlcnZpY2UtdHlwZQotICAgICAgICAgICAgICAgICAgYWdldHR5LXNlcnZpY2UtdHlwZSkK LSAgICAgICAgICAgIDs7IFJlbW92ZSBuc2NkIHNlcnZpY2UgaWYgbmV0d29yayBpcyBzaGFyZWQg d2l0aCB0aGUgaG9zdC4KKyAgICAgICAgICAgICAgICAgIGFnZXR0eS1zZXJ2aWNlLXR5cGUKKyAg ICAgICAgICAgICAgICAgIDs7IFJlaW5zdGFudGlhdGVkIGJlbG93IHdpdGggc21hbGxlciBjYWNo ZXMuCisgICAgICAgICAgICAgICAgICBuc2NkLXNlcnZpY2UtdHlwZSkKICAgICAgICAgICAgIChp ZiBzaGFyZWQtbmV0d29yaz8KLSAgICAgICAgICAgICAgICAobGlzdCBuc2NkLXNlcnZpY2UtdHlw ZQotICAgICAgICAgICAgICAgICAgICAgIHN0YXRpYy1uZXR3b3JraW5nLXNlcnZpY2UtdHlwZQot ICAgICAgICAgICAgICAgICAgICAgIGRoY3AtY2xpZW50LXNlcnZpY2UtdHlwZQotICAgICAgICAg ICAgICAgICAgICAgIG5ldHdvcmstbWFuYWdlci1zZXJ2aWNlLXR5cGUKLSAgICAgICAgICAgICAg ICAgICAgICBjb25ubWFuLXNlcnZpY2UtdHlwZQotICAgICAgICAgICAgICAgICAgICAgIHdpY2Qt c2VydmljZS10eXBlKQorICAgICAgICAgICAgICAgIDs7IFJlcGxhY2UgdGhlc2Ugd2l0aCBkdW1t eS1uZXR3b3JraW5nLXNlcnZpY2UtdHlwZSBiZWxvdy4KKyAgICAgICAgICAgICAgICAobGlzdAor ICAgICAgICAgICAgICAgICBzdGF0aWMtbmV0d29ya2luZy1zZXJ2aWNlLXR5cGUKKyAgICAgICAg ICAgICAgICAgZGhjcC1jbGllbnQtc2VydmljZS10eXBlCisgICAgICAgICAgICAgICAgIG5ldHdv cmstbWFuYWdlci1zZXJ2aWNlLXR5cGUKKyAgICAgICAgICAgICAgICAgY29ubm1hbi1zZXJ2aWNl LXR5cGUKKyAgICAgICAgICAgICAgICAgd2ljZC1zZXJ2aWNlLXR5cGUpCiAgICAgICAgICAgICAg ICAgKGxpc3QpKSkpCiAKKyAgKGRlZmluZSBzZXJ2aWNlcy10by1hZGQKKyAgICAoYXBwZW5kCisg ICAgIDs7IE1hbnkgR3VpeCBzZXJ2aWNlcyBkZXBlbmQgb24gYSAnbmV0d29ya2luZycgc2hlcGhl cmQKKyAgICAgOzsgc2VydmljZSwgc28gbWFrZSBzdXJlIHRvIHByb3ZpZGUgYSBkdW1teSAnbmV0 d29ya2luZycKKyAgICAgOzsgc2VydmljZSB3aGVuIHdlIGFyZSBzdXJlIHRoYXQgbmV0d29ya2lu ZyBpcyBhbHJlYWR5IHNldCB1cAorICAgICA7OyBpbiB0aGUgaG9zdCBhbmQgY2FuIGJlIHVzZWQu ICBUaGF0IHByZXZlbnRzIGRvdWJsZSBzZXR1cC4KKyAgICAgKGlmIHNoYXJlZC1uZXR3b3JrPwor ICAgICAgICAgKGxpc3QgKHNlcnZpY2UgZHVtbXktbmV0d29ya2luZy1zZXJ2aWNlLXR5cGUpKQor ICAgICAgICAgJygpKQorICAgICAobGlzdAorICAgICAgKG5zY2Qtc2VydmljZSAobnNjZC1jb25m aWd1cmF0aW9uCisgICAgICAgICAgICAgICAgICAgICAoY2FjaGVzICVuc2NkLWNvbnRhaW5lci1j YWNoZXMpKSkpKSkKKwogICAob3BlcmF0aW5nLXN5c3RlbQogICAgIChpbmhlcml0IG9zKQogICAg IChzd2FwLWRldmljZXMgJygpKSA7IGRpc2FibGUgc3dhcApAQCAtMTI0LDE1ICsxNTcsOSBAQCBj b250YWluZXJpemVkIE9TLiAgRVhUUkEtRklMRS1TWVNURU1TIGlzIGEgbGlzdCBvZiBmaWxlIHN5 c3RlbXMgdG8gYWRkIHRvIE9TLiIKICAgICAgICAgICAgICAgICAgICAgICAgICAjOnNoYXJlZC1u ZXR3b3JrPyBzaGFyZWQtbmV0d29yaz8pKQogICAgIChzZXJ2aWNlcyAoYXBwZW5kIChyZW1vdmUg KGxhbWJkYSAoc2VydmljZSkKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKG1lbXEg KHNlcnZpY2Uta2luZCBzZXJ2aWNlKQotICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICB1c2VsZXNzLXNlcnZpY2VzKSkKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgc2VydmljZXMtdG8tZHJvcCkpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAo b3BlcmF0aW5nLXN5c3RlbS11c2VyLXNlcnZpY2VzIG9zKSkKLSAgICAgICAgICAgICAgICAgICAg ICA7OyBNYW55IEd1aXggc2VydmljZXMgZGVwZW5kIG9uIGEgJ25ldHdvcmtpbmcnIHNoZXBoZXJk Ci0gICAgICAgICAgICAgICAgICAgICAgOzsgc2VydmljZSwgc28gbWFrZSBzdXJlIHRvIHByb3Zp ZGUgYSBkdW1teSAnbmV0d29ya2luZycKLSAgICAgICAgICAgICAgICAgICAgICA7OyBzZXJ2aWNl IHdoZW4gd2UgYXJlIHN1cmUgdGhhdCBuZXR3b3JraW5nIGlzIGFscmVhZHkgc2V0IHVwCi0gICAg ICAgICAgICAgICAgICAgICAgOzsgaW4gdGhlIGhvc3QgYW5kIGNhbiBiZSB1c2VkLiAgVGhhdCBw cmV2ZW50cyBkb3VibGUgc2V0dXAuCi0gICAgICAgICAgICAgICAgICAgICAgKGlmIHNoYXJlZC1u ZXR3b3JrPwotICAgICAgICAgICAgICAgICAgICAgICAgICAobGlzdCAoc2VydmljZSBkdW1teS1u ZXR3b3JraW5nLXNlcnZpY2UtdHlwZSkpCi0gICAgICAgICAgICAgICAgICAgICAgICAgICcoKSkp KQorICAgICAgICAgICAgICAgICAgICAgIHNlcnZpY2VzLXRvLWFkZCkpCiAgICAgKGZpbGUtc3lz dGVtcyAoYXBwZW5kIChtYXAgbWFwcGluZy0+ZnMKICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAoaWYgc2hhcmVkLW5ldHdvcms/CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIChhcHBlbmQgJW5ldHdvcmstZmlsZS1tYXBwaW5ncyBtYXBwaW5ncykKLS0gCjIuMjAuMQoK --0000000000001bde2905afc5efba--