Spectrum Protect – container vulnerability

We ran into an issue where a level-zero operator became root, and cleaned up some TSM dedupe-pool containers so he’d stop getting full filesystem alerts.

Things exposed:

How does someone that green get full, unmonitored root access?
* They gave false information about timestamps during defense
* Their senior tech lead was content to advise they not move or delete files without contacting the app owner.
* Imagine if this had been a customer facing database server!

In ISP/TSM, once extents are marked damaged, a new backup of that extent will replace it.
* Good TDP4VT CTL files and other incrementals will send missing files.
* TDP for VMWare full backups fail if the control file backup is damaged.
* Damaged extents do not mark files as damaged or missing.

Replicate Node will back-propagate damaged files.
* Damaged extents do not mark files as damaged or missing.

Also, in case you missed that:
* Damaged extents do not mark files as damaged or missing.

For real, IBM says:
* Damaged extents do not mark files as damaged or missing.
* “That might cause a whole bunch of duplicates to be ingested and processed.”

IBM’s option is to use REPAIR STGPOOL.
* Requires a prior PROTECT STGPOOL (similar to BACKUP STGPOOL and RESTORE STGPOOL).
* PROTECT STGPOOL can go to a container copy on tape, a container copy on FILE, or a container primary on the replica target server.
* PROTECT STGPOOL cannot go to a cloud pool.
* STGRULE TIERING only processes files, not PROTECT extents.
* PROTECT STGPOOL cannot go to a cloud pool that way either.
* There is NO WAY to use cloud storage pool to protect a container pool from damage.

EXCEPTION: Damaged extents can be replaced by REPLICATE NODE into a pool.
* You can DISABLE SES, and reverse the replication config.
* Replicate node that way will perform a FULL READ of the source pool.

There is a Request For Enhancement from November, 2017 for TYPE=CLOUD POOLTYPE=COPY.
* That would be a major code effort, but would solve this major hole.
* That has not gotten a blink from product engineering.
* Not even an “under review”, nor “No Way”, nor “maybe sometime”.

Alternatives for PROTECT into CLOUD might be:
* Don’t use cloud. Double the amount of local disk space, and replicate to another datacenter.
* Use NFS (We would need to build a beefy VM, and configure KRB5 at both ends, so we could do NFSv4 encrypted).
* Use CIFS (the host is on AIX, which does not support CIFS v3. Linux conversion up front before we had bulk data was given a big NO.)
* Use azfusefs (Again, it’s not Linux)

Anyway, maybe in 2019 this can be resolved, but this is the sort of thing that really REALLY was poorly documented, and did not get the time and resources to be tested in advance. This is the sort of thing that angers everyone at every level.

REFERENCE: hard,intr,nfsvers=4,tcp,rsize=1048576,wsize=1048576,bg,noatime


ANR3114E LDAP error 81. Failure to connect to the LDAP server

This used to be on IBM’s website, but it disappeared.  It is referenced all over the net, and needed to still exist. I only found it in the wayback machine, so I’m adding another copy to the internet.

2013 SOURCE: www-01.ibm.com/support/docview.wss?uid=swg21656339

Problem(Abstract)

When the SET LDAPUSER command is used, the connection can fail with:

ANR3114E LDAP error 81 (Can’t contact LDAP server)

Cause

The user common name (CN) in the SET LDAPUSER command contains a space or the ldapurl option is incorrectly specified.

Diagnosing the problem

Collect a trace of the Tivoli Storage Manager Server using the following trace classes:
session verbdetail ldap ldapcache unicode

More information about tracing the server can be found here: Enabling a trace for the server or storage agent

The following errors are reported within the trace:

11:02:04.127 [44][output.c][7531][PutConsoleMsg]:ANR2017I Administrator ADMIN issued command: SET LDAPPASSWORD ?***? ~
11:02:04.171 [44][ldapintr.c][548][ldapInit]:Entry: ldapUserNew =      CN=tsm user,OU=TSM,DC=ds,DC=example,DC=com
11:02:04.173 [44][ldapintr.c][5851][LdapHandleErrorEx]:Entry: LdapOpenSession(ldapintr.c:2340) ldapFunc = ldap_start_tls_s_np, ldapRc = 81, ld = 0000000001B0CAB0
11:02:04.174 [44][ldapintr.c][5867][LdapHandleErrorEx]:ldap_start_tls_s_np returned LDAP code 81(Can't contact LDAP server), LDAP Server message ((null)), and possible GSKIT SSL/TLS error 0(Success)
11:02:04.174 [44][output.c][7531][PutConsoleMsg]:ANR3114E LDAP error 81 (Can't contact LDAP server) occurred during ldap_start_tls_s_np.~
11:02:04.174 [44][ldapintr.c][6079][LdapHandleErrorEx]:Exit: rc = 2339, LdapOpenSession(ldapintr.c:2340), ldapFunc = ldap_start_tls_s_np, ldapRc = 81, ld = 0000000001B0CAB0
11:02:04.174 [44][ldapintr.c][1580][ldapCloseSession]:Entry: sessP = 0000000009B99CD0
11:02:04.175 [44][ldapintr.c][3159][LdapFreeSess]:Entry: sessP = 0000000009B99CD0
11:02:04.175 [44][ldapintr.c][2449][LdapOpenSession]:Exit: rc = 2339, ldapHandleP = 000000000AFDE740, bindDn =                              (CN=tsm user,OU=TSM,DC=ds,DC=example,DC=com)
11:02:04.175 [44][output.c][7531][PutConsoleMsg]:ANR3103E Failure occurred while initializing LDAP directory services.~
11:02:04.175 [44][ldapintr.c][856][ldapInit]:Exit: rc = 2339
11:02:04.175 [44][output.c][7531][PutConsoleMsg]:ANR2732E Unable to communicate with the external LDAP directory server.~

Resolving the problem

  • In the trace provided, the common name (CN) contains a space. (CN=tsm user,OU=TSM,DC=ds,DC=example,DC=com)

    Remove the space in the common name when using the SET LDAPUSER command. For example:

    SET LDAPUSER "CN=tsmuser,OU=TSM,DC=ds,DC=example,DC=com"

  • Use an LDAP connection utility such as ldp.exe to ensure the ldapurl option is correct and the LDAP server is accepting connections

    <ldapurl> port 636, check the box for SSL

    Verify there are no errors in the output
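
The diagnosis described in the technote, as an added shell example (not IBM's code and not part of the original post): it pulls the bind DN and the failing LDAP call out of a server trace and flags a CN that contains whitespace. The function names are hypothetical; the first sample is three trace lines from above, and the second is a constructed variant.

```shell
#!/bin/sh
# Added example: triage a TSM server trace for the ANR3114E / LDAP rc 81 pattern.
# Function names are hypothetical; DNs with escaped commas are not handled.

# Print the distinct bind DNs logged on ldapUserNew / bindDn trace lines.
extract_dns() {
    awk '
        /ldapUserNew =/ { dn = $0; sub(/.*ldapUserNew =[ \t]*/, "", dn) }
        /bindDn =/      { dn = $0; sub(/.*bindDn =[ \t]*\(/, "", dn); sub(/\)[ \t\r]*$/, "", dn) }
        dn != ""        { sub(/[ \t\r]+$/, "", dn)
                          if (!(dn in seen)) { seen[dn] = 1; print dn }
                          dn = "" }
    ' "$1"
}

# Print the distinct LDAP library calls that returned rc 81.
rc81_funcs() {
    awk '
        /ldapRc = 81([^0-9]|$)/ && match($0, /ldapFunc = [A-Za-z0-9_]+/) {
            f = substr($0, RSTART + 11, RLENGTH - 11)
            if (!(f in seen)) { seen[f] = 1; print f }
        }
    ' "$1"
}

# Succeed (exit 0) when the CN component of a DN contains whitespace.
dn_cn_has_space() {
    printf '%s\n' "$1" | awk -F',' '
        { for (i = 1; i <= NF; i++) {
              rdn = $i
              gsub(/^[ \t]+|[ \t]+$/, "", rdn)
              if (toupper(substr(rdn, 1, 3)) == "CN=" && substr(rdn, 4) ~ /[ \t]/) found = 1
          } }
        END { exit(found ? 0 : 1) }'
}

# Exit status: 0 = rc 81 with a space in the CN, 1 = rc 81 but CN is clean
# (check ldapurl next), 2 = no rc 81 in the trace.
triage_trace() {
    funcs=$(rc81_funcs "$1")
    [ -n "$funcs" ] || { echo "no LDAP rc 81 in trace"; return 2; }
    echo "LDAP rc 81 returned by: $(echo $funcs)"
    status=1
    while IFS= read -r dn; do
        if dn_cn_has_space "$dn"; then
            echo "CN contains whitespace: $dn"
            status=0
        fi
    done <<EOF
$(extract_dns "$1")
EOF
    [ "$status" -eq 0 ] || echo "CN looks clean; verify the ldapurl option and port"
    return "$status"
}

# Three trace records copied from the technote above.
page_trace() {
    cat <<'EOF'
11:02:04.171 [44][ldapintr.c][548][ldapInit]:Entry: ldapUserNew =      CN=tsm user,OU=TSM,DC=ds,DC=example,DC=com
11:02:04.173 [44][ldapintr.c][5851][LdapHandleErrorEx]:Entry: LdapOpenSession(ldapintr.c:2340) ldapFunc = ldap_start_tls_s_np, ldapRc = 81, ld = 0000000001B0CAB0
11:02:04.175 [44][ldapintr.c][2449][LdapOpenSession]:Exit: rc = 2339, ldapHandleP = 000000000AFDE740, bindDn =                              (CN=tsm user,OU=TSM,DC=ds,DC=example,DC=com)
EOF
}

# Constructed variant: same failure, CN without a space (ldapurl is the suspect).
clean_cn_trace() { page_trace | sed 's/CN=tsm user/CN=tsmuser/'; }

tmp=$(mktemp) && page_trace > "$tmp" && triage_trace "$tmp"
rm -f "$tmp"
```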


Gridcoin Compiles on Xenial


I know it might not mean anything to the non-techs, and it might seem insignificant to the uber-techs.

I have successfully built the Gridcoin client on Xenial 16.04.4 with proper libraries, and confirmed it sees my testnet wallet, and overall is just working like it should. (No testplan per se.)

This is a major accomplishment for me, and makes me very excited. It takes 16 minutes to compile with 3 cores of i7-6820HQ CPU @ 2.70GHz and 3.2GB RAM.

I get some QT warnings, but they do not seem to break anything:

/usr/include/x86_64-linux-gnu/qt5/QtCore/qlogging.h:112:73: note: in expansion of macro ‘Q_ATTRIBUTE_FORMAT_PRINTF’
void critical(CategoryFunction catFunc, const char *msg, ...) const Q_ATTRIBUTE_FORMAT_PRINTF(3, 4);

Here is my build environment setup procedure.

### Xenial Build Environment References
http://wiki.gridcoin.us/Linux_guide
https://raw.githubusercontent.com/gridcoin/Gridcoin-Research/master/CompilingGridcoinOnLinux.txt
Google searches for libqt5charts for xenial (KDE Neon distribution)

https://88plug.com/linux/install-berkeley-4-8-db-libs-on-ubuntu-16-04

##########################################
### Install libqt5charts5-dev and related files from Neon LTS
sudo tee /etc/apt/sources.list.d/kde-neon-archive-xenial.list > /dev/null <<'EOF'
deb http://archive.neon.kde.org/testing-qt xenial main
deb http://archive.neon.kde.org/user/lts xenial main
EOF
sudo apt update
sudo apt upgrade
sudo apt install ntp git build-essential curl libcurl4-openssl-dev libcurl3-dev libssl-dev libzip-dev libzip4 libdb-dev libdb++-dev \
libdb4.8-dev libdb4.8++-dev debhelper devscripts automake libtool pkg-config libprotobuf-dev protobuf-compiler libminiupnpc-dev \
autotools-dev libevent-dev bsdmainutils software-properties-common libboost-all-dev libqt5gui5 libqt5core5a libqt5dbus5 qttools5-dev \
libqrencode-dev qt-sdk qtcreator libqt5charts5-dev qt5-default qttools5-dev-tools libqt5webkit5-dev libqt5charts5-dev
sudo apt-get autoremove

### Change the distro back to Ubuntu from Neon
echo "DISTRIB_ID=Ubuntu" | sudo tee -a /etc/lsb-release > /dev/null

### Install BDB 4.8 on Xenial
sudo add-apt-repository ppa:bitcoin/bitcoin ## Stable
#sudo add-apt-repository ppa:bitcoin/rc ## testing
sudo apt update
sudo apt install libdb4.8-dev libdb4.8++-dev

##########################################
### New download
cd ~
git clone https://github.com/gridcoin/Gridcoin-Research
cd ~/Gridcoin-Research

### Optional if issues. This disables TLS certificate verification for all git HTTPS traffic for this user.
git config --global http.sslverify false

##########################################
### Refresh download – master, hotfix, staging
cd ~/Gridcoin-Research
make clean
git fetch --all
git reset --hard origin/master

### Build Daemon
cd ~/Gridcoin-Research/src
make clean
mkdir obj
chmod 755 leveldb/build_detect_platform
make -j3 -f makefile.unix USE_UPNP=-
strip gridcoinresearchd
install -m 755 gridcoinresearchd ~/.Gridcoinresearchd/testnet/gridcoinresearchd
### The above probably wants sudo, and a target of /usr/bin

### Build GUI
cd ~/Gridcoin-Research
rm -f build/o.*
qmake gridcoinresearch.pro "USE_UPNP=-"
make -j3
strip gridcoinresearch
install -m 755 gridcoinresearch ~/.Gridcoinresearchd/testnet/gridcoinresearch
### The above probably wants sudo, and a target of /usr/bin

##########################################
### Refresh download, development
cd ~/Gridcoin-Research
make clean
git fetch --all
git reset --hard origin/development

### Build Autotools
cd ~/Gridcoin-Research
./autogen.sh
#./configure --with-incompatible-bdb ### If you do not have BDB 4.8
./configure
date ; make -j3 ; date
make install

###############################


GRC VM Template

Installed base OS

Ubuntu 16.04.4 LTS  because only LTS releases are worthy.  No auto-updates.
Copy over home directory and /etc/apt from my current TESTNET system

Split /home /usr /var /tmp into separate LVs.

lvcreate, edit /etc/fstab, mount on temp space, copy over, move old dir, reboot, remove old dir.

Shrunk root filesystem

grub
e
root=/dev/ram0 rw
^X

Wait for mdadm to finish complaining.
alias ll='ls -laF'
mkdir /mnt
lvm pvscan
lvm vgscan
lvm vgchange -a y
e2fsck -f /dev/ubuntu-vg/root
mount /dev/ubuntu-vg/root /mnt
cd /mnt
cp -a lib lib64 bin sbin /
cd /
umount /mnt
e2fsck -f /dev/ubuntu-vg/root
resize2fs -M /dev/ubuntu-vg/root
lvreduce -L 1120M /dev/ubuntu-vg/root
e2fsck -f /dev/ubuntu-vg/root
resize2fs /dev/ubuntu-vg/root
umount -a

power off VM since halt and reboot do not work.

Cleared free space

lvcreate -l 100%FREE -n deleteme ubuntu-vg
dd if=/dev/zero of=/dev/ubuntu-vg/deleteme bs=256k
lvremove /dev/ubuntu-vg/deleteme
swapoff /dev/ubuntu-vg/swap_1
dd if=/dev/zero of=/dev/ubuntu-vg/swap_1 bs=256k
mkswap /dev/ubuntu-vg/swap_1    # zeroing wiped the swap signature
for i in / /home /var /tmp /boot /usr ; do dd if=/dev/zero of=${i}/deleteme bs=256k ; rm ${i}/deleteme ; done
halt -p

Compacted

"\Program Files\Oracle\VirtualBox\VBoxManage.exe" modifyhd --compact "Xenial GRC Build.vdi"

Plans

Snapshot, test building.


ubuntu shrink root

/var, /usr, /home, and /tmp were all fairly easy to replace live.

/ is a special case.  I did the following:

grub
e
root=/dev/ram0 rw
^X
Wait for mdadm to finish complaining.
alias ll='ls -laF'
mkdir /mnt
lvm pvscan
lvm vgscan
lvm vgchange -a y
e2fsck -f /dev/ubuntu-vg/root
mount /dev/ubuntu-vg/root /mnt
cd /mnt
cp -a lib lib64 bin sbin /
cd /
umount /mnt
e2fsck -f /dev/ubuntu-vg/root
resize2fs -M /dev/ubuntu-vg/root
lvreduce -L 1120M /dev/ubuntu-vg/root
e2fsck -f /dev/ubuntu-vg/root
resize2fs /dev/ubuntu-vg/root
umount -a

Cryptocurrency

This is the Bitcoin write-up my BIL asked for. It’s a bit wordy, but hopefully it has info useful to you.

 

First and foremost, Don’t buy more than you are willing to lose outright.
Consider bitcoins to be the highest risk place to put money other than leaving gold coins on your front porch. This isn’t just some “oh, usual disclaimer.” This is a real warning. There is no protection in a crypto market. Zero. There is no such thing as insider trading. Theft of video-game money is not really theft at all.

 

Economy dynamics.
Value of anything comes from holding on to something when someone else wants it. The more you want to hold it, the more they have to pay to get it.

If no one wants something, then it has zero value. If only one person wants it, then it is only valuable to that person.

Currencies, real, fiat, and crypto, have value because people feel they represent something. In the past, it represented precious metals. Now, fiat currencies represent a share of the value of the country which issues them. Stocks are a share of the value of the company that issued them. Bonds are a share of the future debt payments of the company that issued them.

Usually, bonds track with the value of the payout, plus or minus a little based on the interest payments. Stocks track about 6x the value of the company. Currency exchange rates are a little more fuzzy, but similar to stocks, they track the relative value of the contributions of that country.

“Price” is just a way of quantifying an exchange rate. Deflation causes scarcity and economic collapse if unchecked. Basically, if you have 100 coins, and never more, but population and productivity grows, that means the value of goods would continually drop with relation to the value of money. You end up in a deflationary spiral, and people starve, economies collapse, etc. This is a risk for Bitcoin, because the currency is limited to 21m coins total. As more people try to get into crypto, it drives up the “price”.

If GDP or equivalent falls, then the opposite happens, and rapid inflation happens, the exact opposite. You can see this in Zimbabwe, where wheelbarrows of dollars are used, and the million dollar banknote was issued years ago.

Also, you can decrease the value of your debts by inflation. Most promissory notes are say, 100 dollars, not “1% of your productivity”. So, if you control the value of your currency, and the promissory notes are in that currency, you can just issue another 900 dollars. Suddenly, your debt is worth 10% of what it was before.

In the end, you want a slow inflation, steady, 2-4% per year, to ensure a stable economy.

 

What is Bitcoin?
Bitcoin is accepted for some real-world transactions. In the end though, it’s still basically video-game money. People use it for money laundering and other sorts of illegal activities. Its value is based on the idea of privacy, or decentralization. All it would take to destroy it is for people to realize it has no value. There is no underlying premise where it has a real value of its own.

Bitcoin is the grand-daddy. It’s 9 years old. It uses a blockchain to track transactions. The blockchain is literally that. Think of it as a database that is purely linear. You start at block zero, and go to block infinity. There are never random writes. Only appends. It’s like a transaction log without a normal database on it.

The way it works is that every transaction is held by every other node in the network. After X number of megs, you pack it up and generate a cryptographic hash for that block, and issue it to the network. It’s signed by your set of keys, so you get some credit for the computation. Your block gets passed around to everyone else, but so did a bunch of competing blocks. Eventually, “the best block” is selected and added to the blockchain. Winners get payout, and some cryptos pay out to secondary, tertiary, etc. since they confirmed that transaction computed to the same as what everyone else thought. People who compute a different hash have their block thrown away. It’s a majority rule type thing to ensure that no one person can insert a false transaction. The complexity of the hash increases with time (block number) so that new computers do not inflate the currency too fast.

Along with all of that, multiple people often issue the same block at the same time with slightly different transactions in it. This is called a fork. Basically the blockchain splits in two (or more). Forks are consolidated based on whomever has the most peers/votes. If your transaction was stuck on a fork, and did not propagate to all of the other forks, then if your fork is abandoned, your transaction rolls back. It’s completely undone. This is why transactions require confirmations. If you accepted a transaction based on zero confirmations, you could keep reloading your wallet, sending the same coins over and over, getting your hamburger, and walking away, with the other party getting no payment once the forks consolidate. But, if you have 500 confirmations, you can be pretty sure that the whole network has accepted your transaction, even though there are tens of thousands of nodes online at any given time.

 

The wallet is just sets of keys.
The address is a hash of your public key. Every address has a set of keys to sign the messages you issue, proving you are you. The public key is usable by anyone, but the private key is only usable by you (hopefully). You can sign messages like with PGP, or you sign transaction on the coin network. “Yes, I promise I am giving away 0.00001 coin to address sdoyf3486t9f032h082h. Signed, w0ty982ty0t8yeiwf”. The value of your wallet is just tallying up all of the transactions for your addresses.

 

What are altcoins?
Every other crypto uses some of the Bitcoin source code. Most of them are literally a fork of Bitcoin. As discussed above, forks can happen naturally, like cancer, and usually are eradicated by the protocol as it merges transactions. Forks can also happen if the protocol changes. If not everyone accepts the new protocol, they cannot join that network. Or, if the merge protocol is broken. As time went on, there were forks of forks. Some forked at block zero on purpose, before being issued. Some forked at a live block due to political issues (BCH and ETC are both political forks). When forks happen later in the chain, everyone who had coins at the time of the fork has coins on both networks.  Some are great, and some are scams.

 

How secure is it?
It’s not. The blockchains themselves could be secure, but from time to time, some defect happens, and everyone downloads a snapshot of the blockchain to merge the forks. You’re taking on faith that this one source has not tampered with the blockchain. There is no SEC regulation, because it’s not real currency. The IRS does consider it an asset, so you have to pay capital gains (or losses), so keep track of your purchases, earnings, mining, etc.

Also, many coins have foundation wallets. Basically, before the currency was issued, someone computed the first million hashes, and got the starting 10% of the possible coins. Someone holds that, and can spend it, for free. Some do good things, such as pay for developers to keep working on the source code, but there is no restriction (and no confiscating funds) if they decide to go all hedonistic about it. Of the 1800 coins out there, 90% of them are scams. Literally pump-and-dump schemes where a handful of people convince unknowing people to give up valuable currency for junk currency. It’s the same as if you convinced people to give you Euros for Monopoly money.

Some people consider it a speculation market. We saw this last year, with a huge peak in December. If you look at the long-term value of each crypto currency, you can see how this happens from time to time. Often, it’s one person manipulating the market, buying, making insider trades, etc, then cashing out. Some people ride the wave, and time the market, to make good money. Some people do not.

Then there are the “hacks”. A major exchange accumulates a bunch of crypto, and once they run low on cash, they are “hacked”. All of their coins are drained off. There is no insurance, so everyone is just SOL. (Mt. Gox is a major example.) Most people recommend keeping your coins in your own wallet, but if you lose that, your coins are also gone. If someone gets access to it, then they can steal all of your coins. Beyond that, Bitcoin’s blockchain is already 150GB. Lightning and SegWit promise to help, but only going forward. You can also run a partial wallet, but then you are assuming all of the old blocks are true.

 

Fees, exchange rates, etc.
In the end, you’ll find price tracks relative to Bitcoin. Bitcoin is THE currency, but it’s long in the tooth, and takes too much CPU to continue. Eventually, all of the tech advances of the top coins will fold into a new altcoin, and the old coins will fall out of favor. Maybe it will be a fork like BCH (BCH is bitcoin 1.0, BTC is 2.0. 1.0 was supposed to die, but some people didn’t jump over.)

Lastly, most ccards are treating it as cash, so if you buy starting this month, many of them will put it at the highest interest rate, add transaction fees, etc. YMMV, but pulling from debit or from bank transfer may be the best option going forward. OR, you can trade services and stuff privately for crypto. There are forums that let you buy and sell crypto without going through your bank. Usually it involves meeting someone in person. There are also a few ATMs here and there which can do BTC transactions, but not a whole lot of them BTC to USD.

My thought is, if buying in, go for something you can actually purchase directly. BTC, ETH and LTC are all low-drama and directly accessible. Wait for the bottom to hit, and wait for the next bubble before selling out. But assume that the money you put in might completely evaporate while waiting. As with all investing, diversify. I have about $200 in crypto, including the electricity to fold proteins and get paid for it, plus a mutual fund with 5% bitcoin exposure. I would never want more than 5% of my holdings in crypto, and getting it in a mutual fund maybe is not as much gain, but also not as much risk. Also, so much easier to sell a mutual fund for cash (though harder to evade taxes, etc.)

 

So then, why do crypto at all?
Some people, it’s just for fun. It’s a videogame with points. Bitcoin has name recognition. Litecoin is basically all the things they should have done to Bitcoin. Ethereum has contracts. Gridcoin has scientific research. IOTA has microtransactions for small electronics. Ripple has interbank trading support. Some people just believe in the value of holding the currency, and supporting the network. (Just HODL it!)  Whatever you do, research the history, vision, and mission of the currency.  Look into the community, developers, etc.  If you don’t get the warm fuzzies, move along.

 

END OF LINE
So much ramble, and not as organized as I’d like. Hopefully there is some value in this braindump for you.


BOINC Xenial Drivers

Any time I want to apply updates, here is the cycle I have to do to keep nVidia and ATI/AMD drivers happy for BOINC.

#####################################################
BOINC drivers on Xenial
#####################################################

### Update the kernel
apt-get update
apt-get install linux-lowlatency-hwe-16.04 linux-tools-lowlatency-hwe-16.04 linux-image-lowlatency-hwe-16.04 linux-headers-lowlatency-hwe-16.04
apt-get dist-upgrade
apt-get autoremove

### For AMD/ATI driver issues:
### Testing: https://launchpad.net/~paulo-miguel-dias/+archive/ubuntu/mesa/
### OR stable: https://launchpad.net/~paulo-miguel-dias/+archive/ubuntu/pkppa
apt-get install ppa-purge
ppa-purge ppa:paulo-miguel-dias/pkppa
ppa-purge ppa:paulo-miguel-dias/mesa
add-apt-repository ppa:paulo-miguel-dias/mesa
apt-get update
apt-get dist-upgrade
apt-get install boinc-client-opencl clinfo mesa-opencl-icd

### For nvidia driver issues:
apt-get purge xserver-xorg-video-nouveau
apt-get purge 'nvidia*'
apt-get install boinc-client-nvidia-cuda
update-alternatives --config gl_conf
update-alternatives --config x86_64-linux-gnu_gl_conf
ldconfig
update-initramfs -u
nvidia-xconfig

### Virtualbox crashes
apt-get purge 'virtualbox*'
### https://www.virtualbox.org/wiki/Linux_Downloads

### Reboot for the drivers if necessary
shutdown -r now

If I were running an x-server, there is nvidia-xconfig, but I run headless (mostly) and connect to boincmgr over an SSH tunnel.


AIX JFS2 autoresize

computersarefun put in a request for AIX to auto-grow/shrink filesystems.
Ref: https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=114789

This seems more like a monitoring thing than an operating system thing.
Also, handling this as a thin LUN is probably better where possible.
Here is an example script.

Potential improvements:
* Notifications on exceptions
* Config file to track different settings per filesystem
* Also check iused / ifree to handle tiny-files
* Run as a daemon vs from cron.
* Explicit lists of filesystems, or include/exclude lists

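#!/bin/ksh
###########
# Run this from cron every minute to automatically resize JFS2 filesystems
# Incorrect limits could cause size flapping for small filesystems.
# We skip things we cannot reduce.

MINFREEPCT=10    # grow when free space drops below this percentage
MAXFREEPCT=70    # shrink when free space rises above this percentage
MINFREEPPS=10    # do not grow unless the VG has more than this many free PPs

LVLIST=`mount | grep jfs2 | grep /dev/ | awk '{print $1;}' | cut -f 3 -d /`
for lv in $LVLIST ; do
    # ksh runs the last pipeline stage in the current shell, so read sets our variables.
    # Anchor the match so that hd1 does not also match hd10.
    df -gv 2>/dev/null | grep "^/dev/$lv " | read device size used free pct iused ifree ipct mountpoint || continue
    # df -g prints fractional GB, so derive the free percentage from the integer %Used column
    FREEPCT=$(( 100 - ${pct%\%} ))
    VG=`lslv $lv 2>/dev/null | grep "VOLUME GROUP:" | awk '{print $6;}'`
    # PP size in megabytes
    PPSIZE=`lsvg $VG 2>/dev/null | grep 'PP SIZE' | awk '{print $6;}'`
    [[ $PPSIZE -gt 0 ]] || continue
    #
    if [[ $FREEPCT -lt $MINFREEPCT ]] ; then
        FREEPPS=`lsvg $VG | grep 'FREE PPs' | awk '{print $6;}'`
        # size=+1 asks for one more 512-byte block; chfs rounds up to a whole PP
        [[ $FREEPPS -gt $MINFREEPPS ]] && chfs -a size=+1 $mountpoint
        continue
    fi
    #
    # Shrink by one PP; the M suffix makes chfs read the value as megabytes
    [[ $FREEPCT -gt $MAXFREEPCT ]] && chfs -a size=-${PPSIZE}M $mountpoint
    #
done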