speaking of security...
under release goals > improve security of imagebuilder
it mentions ADD_LOCAL_KEY ...
@aparcar are you able to explain to the broader community how this works so we can begin to make use of this security improvement?
make help | grep KEY
make image ADD_LOCAL_KEY=1 # store locally generated signing key in built images
@Torxgewinde
Thanks for the info, Was asking if any other qualcomm IPQ users was doing the same, Is seem to be happening sicne 19.x release though. And NAS is wired.
without echo performance
root@FB750:~# ping 192.168.2.10
PING 192.168.2.10 (192.168.2.10): 56 data bytes
64 bytes from 192.168.2.10: seq=0 ttl=128 time=0.605 ms
64 bytes from 192.168.2.10: seq=1 ttl=128 time=2.152 ms
64 bytes from 192.168.2.10: seq=2 ttl=128 time=2.193 ms
64 bytes from 192.168.2.10: seq=3 ttl=128 time=3.716 ms
64 bytes from 192.168.2.10: seq=4 ttl=128 time=2.646 ms
64 bytes from 192.168.2.10: seq=5 ttl=128 time=2.216 ms
Now with echo performance
root@FB750:~# ping 192.168.2.10
PING 192.168.2.10 (192.168.2.10): 56 data bytes
64 bytes from 192.168.2.10: seq=0 ttl=128 time=0.589 ms
64 bytes from 192.168.2.10: seq=1 ttl=128 time=0.513 ms
64 bytes from 192.168.2.10: seq=2 ttl=128 time=0.512 ms
64 bytes from 192.168.2.10: seq=3 ttl=128 time=0.503 ms
64 bytes from 192.168.2.10: seq=4 ttl=128 time=0.510 ms
64 bytes from 192.168.2.10: seq=5 ttl=128 time=0.509 ms
@Warlock
never a crash with my FRITZ!Box 7530 however was capped at ~600Mbps but when investigating with htop (over SSH) i can see that only CPU 0 was been hit maxed with other 1-3 cores was sort of IDLE irqbalance fixed and now back to 950Mbps
Turns out that the busybox "ip rule" command can not process or show these "not" arguments. When I installed the ip-tiny package I could see the "not" was correctly in place.
Resolved
so it was not a regression? and on 19 'opkg<ip' was required for this (show) functionality?
The command line "ip rule" problem was not a regression (it it is a bit odd on 1907 also). It turns out ip-tiny had been installed as a dependency for me on 19.07, so I did not see it there. And uci seems to be generating the right rules, but it does not use the command line to set that up.
I am still having a routing differences in 2102 which I am still investigating.
Thank you for your suggestion to change govenor. I have installed a snapshots, and now I see, that rc3 is close. I think I will try to opgrade first, and wait a few days. If the problem persists with rc3, I will try to change govenor.
no, as of 21.02 rc2 https is the default for luci
I am currently trying rc2 on an Asus WL-500W.
In failsafe mode, the device is not reachable via the network.
This is a regression from rc1.
When the device is booted normally, networking is fine even on rc2.
In addition, I tried the upcoming rc3, and networking in failsafe mode is also broken there.
I suspect it is caused by ifname usage in /lib/preinit/10_indicate_preinit, but I have not debugged it.
@rmilecki?
Update: this bug was already reported as FS#3866
@mpa any chance of gathering serial state?
ifconfig -a; dmesg | tail -n 100
would help alot... otherwise just;
cat /tmp/board.json
will help... or feel free to test this;
--- a/lib/preinit/10_indicate_preinit 2021-06-07 05:21:51.000000000 +1000
+++ b/lib/preinit/10_indicate_preinit 2021-06-17 01:44:44.331353701 +1000
@@ -73,9 +73,11 @@
json_select network
json_select "lan"
json_get_vars ifname
+ json_get_vars device
json_select ..
json_select ..
+ [ -z "$ifname" ] && [ -n "$device" ] && ifname=$device
[ -n "$ifname" ] || return
# only use the first one
Release Candidate 3 for Archer C2600 and corresponding software such as irqbalance, available for download. Testing a C2600 currently.
I can't reboot my Netgear R6220 when running 21.02.0-rc2. Running "reboot" on the console does nothing. Rebooting through luci does nothing. Anyone else seeing this?
Oh, btw.. No information in kernel or openwrt logs.
do the network interfaces disable and processes close? or literally nothing happens?
Interfaces remain up, processes are not terminating.
i have the same exact problem with rc3.
The weird thing is that i have 3 tp-link archer c6 v2 eu version, one has the problem that doesn't reboot, the other two acts regularly.
reboot, poweroff, halt -> no action executed.
I applied a variant of your workaround.
Now the network configuration in failsafe mode is fine - thank you.
--- a/lib/preinit/10_indicate_preinit 2021-06-12 17:36:52.597146354 +0200
+++ b/lib/preinit/10_indicate_preinit 2021-06-16 23:27:57.485615919 +0200
@@ -72,10 +72,11 @@
json_select network
json_select "lan"
- json_get_vars ifname
+ json_get_vars device
json_select ..
json_select ..
+ ifname="$device"
[ -n "$ifname" ] || return
# only use the first one
Same problem here with rc3. Can't reboot the device.
Router: ZBT-WE826 (32M)
When building with the ImageBuilder a usign aka signify key is created which can be used for signing the images. Signed images allow verification before installation, so a running device checks if it trusts the signature an image is signed with. Officially released images contain OpenWrt signing keys, but if you build and sign your own image, you can use ADD_LOCAL_KEY so your running device will trust your own ImageBuilder as well.
All of this is only active if ucert is installed and export REQUIRE_IMAGE_SIGNATURE=1 is set before running sysupgrade on the device.
cool feature... thanks!
validation is a great backstop when it comes to man in the middle or other remote vectors