Re: Sending mail from external firewall to external mail server (behind firewall)

2008-02-20 Thread Stefan Kell
Hello,

> -------- Original Message --------
> Date: Tue, 19 Feb 2008 22:36:20 -0600
> From: Albert Chin [EMAIL PROTECTED]
> To: misc@openbsd.org
> Subject: Sending mail from external firewall to external mail server (behind
> firewall)
>
> ... snip...
>
>   rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
>     port = smtp -> $emma_gw
>
> From the Internet, if I telnet 67.95.107.111 25, everything works.
> But, on hammer:
>   hammer% telnet 67.95.107.111 25
>   Trying 67.95.107.111...
>   telnet: connect to address 67.95.107.111: Connection refused
>
> ... snip ...

see man pf.conf, especially paragraph "Translation rules apply only to
packets that pass through the specified interface,..."

Regards

Stefan Kell



[ami] Unable to set Hot Spare from bioctl on a Dell PERC 4/Di

2008-02-20 Thread Matthew Mulrooney
Hi there, I'm back with another LSI controller, and I'm experiencing 
problems with creating hot spares from bioctl.  This seems to be the 
same problem that I posted to misc@ on Oct 16, 2006 with the subject 
line of:


  [ami] Unable to set Hot Spare on MegaRAID SATA 300-8x

I've got the same symptoms, but now with a PERC 4/Di controller.  [And 
this time I've found a better work around than just avoiding bioctl -H 
with this LSI controller :).]


Problem summary
===============
When I use bioctl to mark an Unused drive as a Hot Spare, that drive 
will fail to be integrated when another disk fails.


The only way, that I've found, to make that drive properly act as a Hot 
Spare, is to only set it as such from the LSI boot menu.  If you have 
already marked it as a Hot Spare from bioctl, pull the Hot Spare-marked 
drive, and replace it (it can be the same physical disk).  At that point 
your disk should be showing up as an 'Unused' disk, from where you can 
go do the thing in the LSI boot menu.


This is an improvement over my 2006 analysis of the situation, where I 
couldn't find a way to reset the drive back to Unused (after Hot Sparing 
it from bioctl).  The LSI boot menu requires a drive to be in an Unused 
state before it will allow me to correctly mark it as a Hot Spare.



If you're interested, please let me know what I can do to be of 
assistance in trouble shooting this.  I have a limited window before 
this box will have to be pushed into production, and I can live with the 
current situation (an after hours reboot in the case of a drive failure 
is perfectly fine).


Matthew


Test case
=========
s = step succeeded
F = step failed

Normal case (RAID 1 + one hot spare)
------------------------------------
s Configure array from the LSI boot menu
s   Clear configuration
s   New configuration
s Disks 0, 1:  RAID 1 array
s Disk  2: Hot spare

s Install OpenBSD-4.2

s Single disk failure
s   Disk 0:  Fails (I pulled it from the hot swap cage)
s   Disk 2:  Automatically replaces it
s   Observe the RAID 1 array get fully rebuilt

s Replace failed disk
s   Replace Disk 0 with a new disk
s   Observe that Disk 0 is marked as Unused through bioctl
s   Set Disk 0 to be a hot spare (through bioctl)

s Single disk failure
s   Disk 1:  Fails (I pulled it)
F   Disk 0:  FAILS TO GET INTEGRATED, DESPITE STILL BEING MARKED AS A
 HOT SPARE - Array is still degraded.

s Reboot, enter into the LSI boot menu
s   Configure  View/Add Configuration
s Highlight disk 0  F4 (hot spare)
s   This Physical Drive is already a HOTSPARE\nPress any key to
 continue
s   F10 (Configure), Esc, Esc
s   Exit? = YES
s   Please REBOOT YOUR SYSTEM, CTRL-ALT-DEL

s Recheck array
F   Disk 0:  Still failing to integrate.  Array still degraded.

s Attempt to shake loose the 'Hot Spare' bit from disk 0
s   Remove disk 0
s   Replace disk 0 (with the same physical disk)
s   Disk 0 is *no longer* marked as a 'Hot Spare' (either through
bioctl or through the LSI boot menu).  Yeah! :)
[I don't think I tested this method with my SATA 300-8x.]


Log file

# The output is generated by:
#   date; bioctl ami0

##
# Created a new RAID 1 array from the LSI boot menu and installed OpenBSD 4.2
Tue Feb 19 04:01:42 MST 2008
Volume  Status               Size Device
 ami0 0 Scrubbing    146695782400 sd0     RAID1 3% done
      0 Online       146811125760 0:0.0   safte0 MAXTOR  ATLAS10K5_146SCAJNZM
      1 Online       146811125760 0:1.0   safte0 SEAGATE ST3146807LC DS09
 ami0 1 Hot spare    146811125760 0:2.0   safte0 IBM IC35L146UCDY10-0S27F

Tue Feb 19 10:02:15 MST 2008
Volume  Status               Size Device
 ami0 0 Scrubbing    146695782400 sd0     RAID1 94% done
      0 Online       146811125760 0:0.0   safte0 MAXTOR  ATLAS10K5_146SCAJNZM
      1 Online       146811125760 0:1.0   safte0 SEAGATE ST3146807LC DS09
 ami0 1 Hot spare    146811125760 0:2.0   safte0 IBM IC35L146UCDY10-0S27F

Tue Feb 19 10:12:15 MST 2008
Volume  Status               Size Device
 ami0 0 Scrubbing    146695782400 sd0     RAID1 97% done
      0 Online       146811125760 0:0.0   safte0 MAXTOR  ATLAS10K5_146SCAJNZM
      1 Online       146811125760 0:1.0   safte0 SEAGATE ST3146807LC DS09
 ami0 1 Hot spare    146811125760 0:2.0   safte0 IBM IC35L146UCDY10-0S27F

##
# Mirroring complete
Tue Feb 19 10:22:16 MST 2008
Volume  Status               Size Device
 ami0 0 Online       146695782400 sd0     RAID1
      0 Online       146811125760 0:0.0   safte0 MAXTOR  ATLAS10K5_146SCAJNZM
      1 Online       146811125760 0:1.0   safte0 SEAGATE ST3146807LC DS09
 ami0 1 Hot spare    146811125760 0:2.0   safte0 IBM IC35L146UCDY10-0S27F

##
# Pulling Drive 0:0.0
Tue Feb 19 16:15:15 MST 2008
Volume  

Re: What is our ultimate goal??

2008-02-20 Thread Mayuresh Kathe
On Feb 20, 2008 12:52 PM, Duncan Patton a Campbell [EMAIL PROTECTED] wrote:
> On Wed, 20 Feb 2008 08:47:54 +0530
> Mayuresh Kathe [EMAIL PROTECTED] wrote:
>
> > On Feb 20, 2008 2:59 AM, Ted Unangst [EMAIL PROTECTED] wrote:
> > > On Feb 19, 2008 4:50 AM, Mayuresh Kathe [EMAIL PROTECTED] wrote:
> > > > That's the reason I've been gathering good C developers, so that they
> > > > could either;
> > > > 1. take up complex projects like FireEngine/DTrace,
> > > > 2. write replacements for as many GNU tools/utilities as possible,
> > > > 3. be a landing stage for newer developers who get intimidated by the
> > > > intensity of the core developers.
> > >
> > > good luck with that.  be sure to let us know when it's all done, ok?
> > > thanks.
> >
> > If thats sarcasm its really not warranted.
> > If its not sarcasm, then we'll be posting to the list about our progress.
> >
> > Also, Ted, I'm sorry if you felt offended by my ranting about you not
> > completing kernel threads, but the loss of those developers really
> > felt bad.
> >
> > ~Mayuresh
> >
>
> Looks to me like your Tivo Box project might need to actually pay someone
> to write a threads library.

This is the second time someone has mentioned about a project that
does not exist.
What's gotten into you people?

~Mayuresh



Re: rtorrent + OpenBSD = freeze

2008-02-20 Thread Girish Venkatachalam
On 16:43:00 Feb 19, Daniel Andersson wrote:
 
 Could you please elaborate? The only thing that was working after
 the freeze was the routing. I guess I could try FreeBSD since they
 have pf too. iptables is driving me nuts.
 

Sorry I was out and just came back home.

I think my answer would be irrelevant now since many other people seem
to be facing problems. So there seems to be something wrong somewhere.

I did notice a freeze but I don't think it has anything to do with what
others are saying.

Almost in every case I thought it was due to the tracker being down or
some such bittorrent issue. Since p2p networks have so much churn I am
always wary of concluding anything based on this.

Beyond this I have nothing more to add to this. As to iptables and pf, I
honestly think comparing the two would be like comparing darkness to
light. ;)

On a different note, I  have seen my OpenBSD box freeze badly whenever I
access my Sony SATA DVD R/W drive. I never got time to diagnose the
exact cause. It is a serious issue and something needs to be done about
it soon. In fact I install using FTP or HTTP due to this hairy issue.

Other than that I have seen OpenBSD freeze with the ImageMagick convert(1)
program as well.

Here goes one more freeze. 

I used to have trouble recording voice 
with the new Intel HDA driver, but nowadays that problem does not seem
to be there.

It is a little unnerving to note that OpenBSD userland code sometimes
hangs the whole machine very much like Windoze but then...let us better
be open about it and do something.

I am quite well versed with OpenBSD's kernel code but I need experience
with driver development and fixing such freezes. If someone can throw
some light on the debugging process I can definitely give it a shot.

Would I have to use a serial console and run the kernel with ddb(4) ?

Thanks.

Best,
Girish



Re: What is our ultimate goal??

2008-02-20 Thread Duncan Patton a Campbell
On Wed, 20 Feb 2008 15:11:34 +0530
Mayuresh Kathe [EMAIL PROTECTED] wrote:

> On Feb 20, 2008 12:52 PM, Duncan Patton a Campbell [EMAIL PROTECTED] wrote:
> > On Wed, 20 Feb 2008 08:47:54 +0530
> > Mayuresh Kathe [EMAIL PROTECTED] wrote:
> >
> > > On Feb 20, 2008 2:59 AM, Ted Unangst [EMAIL PROTECTED] wrote:
> > > > On Feb 19, 2008 4:50 AM, Mayuresh Kathe [EMAIL PROTECTED] wrote:
> > > > > That's the reason I've been gathering good C developers, so that they
> > > > > could either;
> > > > > 1. take up complex projects like FireEngine/DTrace,
> > > > > 2. write replacements for as many GNU tools/utilities as possible,
> > > > > 3. be a landing stage for newer developers who get intimidated by the
> > > > > intensity of the core developers.
> > > >
> > > > good luck with that.  be sure to let us know when it's all done, ok?
> > > > thanks.
> > >
> > > If thats sarcasm its really not warranted.
> > > If its not sarcasm, then we'll be posting to the list about our progress.
> > >
> > > Also, Ted, I'm sorry if you felt offended by my ranting about you not
> > > completing kernel threads, but the loss of those developers really
> > > felt bad.
> > >
> > > ~Mayuresh
> > >
> >
> > Looks to me like your Tivo Box project might need to actually pay someone
> > to write a threads library.
>
> This is the second time someone has mentioned about a project that
> does not exist.
> What's gotten into you people?
>
> ~Mayuresh
>

It's a question of the alienability of the BSD License.  Unlike Linux, the
BSD license allows you the freedom of moving the software into a proprietary
configuration which permits a conventional profit model.

You are ragging on Ted for not having provided you with a feature for your
project which is not seen to be of the widest possible utility, and which
might adversely influence some of OBSD's more crucial features if not
implemented with enormous care.

Basically you are asking him to provide your 4profit model with free work that
would not necessarily benefit the project OR other 4profit models.

Mebbe if you really need threads (because some code you intend to import uses
them) then you should offer to PAY Ted to do this (for the project?).  This
would likely provide him with the kind of incentive he needs to do something
seen as not crucial by his peers.

Dhu



Re: What is our ultimate goal??

2008-02-20 Thread Henning Brauer
* Mayuresh Kathe [EMAIL PROTECTED] [2008-02-17 13:38]:
> Wouldn't it be nice to have a high performance networking stack?

yeah.
guess what we have?
exactly that.
(which doesn't mean it could be even faster)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: Sending mail from external firewall to external mail server (behind firewall)

2008-02-20 Thread Albert Chin
On Wed, Feb 20, 2008 at 08:55:44AM +0100, Stefan Kell wrote:
> > -------- Original Message --------
> > Date: Tue, 19 Feb 2008 22:36:20 -0600
> > From: Albert Chin [EMAIL PROTECTED]
> > To: misc@openbsd.org
> > Subject: Sending mail from external firewall to external mail server
> > (behind firewall)
> >
> > ... snip...
> >
> >   rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
> >     port = smtp -> $emma_gw
> >
> > From the Internet, if I telnet 67.95.107.111 25, everything works.
> > But, on hammer:
> >   hammer% telnet 67.95.107.111 25
> >   Trying 67.95.107.111...
> >   telnet: connect to address 67.95.107.111: Connection refused
> >
> > ... snip ...
>
> see man pf.conf, especially paragraph "Translation rules apply
> only to packets that pass through the specified interface,..."

Thanks. I've changed my pf rule from:
  rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
    port = smtp -> $emma_gw
to:
  rdr pass log inet proto tcp from any to $mail_ip \
    port = smtp -> $emma_gw

This certainly helps for hosts on the local network. But, the issue
with telnet 67.95.107.111 25 not working on hammer remains.

BTW, we are running OpenBSD 4.0 on x86.

-- 
albert chin ([EMAIL PROTECTED])



Re: What is our ultimate goal??

2008-02-20 Thread Mayuresh Kathe
On Feb 20, 2008 4:58 PM, Henning Brauer [EMAIL PROTECTED] wrote:
> * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-17 13:38]:
> > Wouldn't it be nice to have a high performance networking stack?
>
> yeah.
> guess what we have?
> exactly that.
> (which doesn't mean it could be even faster)

Pardon if I sound ignorant, but isn't our networking stack based on
the 24 year old technology from Berkeley?



Re: take threads off the table

2008-02-20 Thread Geoff Steckel

Artur Grabowski wrote:

> Geoff Steckel [EMAIL PROTECTED] writes:
>
> > Any argument to experience must be from similar actual implementations
> > using threads and another model, such as multiple processes with
> > interprocess communications.
>
> Sure. I'll pick up the challenge.
>
> At work we have a server that uses around 4GB RAM and runs on an 4 cpu
> machine. It serves millions of tcp connections per hour. sharing the
> memory without sharing pointer values is too inefficient since a big
> amount of the memory used is a pre-computed cache of most common query
> results. The service needs 4x4GB of RAM on the machine to be able to
> reload the data efficiently without hitting disk, since hitting the
> disk kills performance in critical moments and leads to
> inconsistencies between the four machines that run identical instances
> of this service.
>
> Therefore:
>
>  - fork would not work because cache would not be shared and this
>    would lead to too big cache miss ratio.
>
>  - adding more RAM won't work because it would spend rack real estate
>    and power and cooling budget which we can't do.
>
>  - adding more machines will not solve the problem for the same reasons
>    as RAM.
>
>  - reducing the data set will not work because we kinda like to make
>    lots of money, not just a little money.
>
>  - partitioning the data does not work good because it causes a too
>    high cost in performance and memory consumption.
>
> What works is threads. We've had one thread related bug in the past
> year.



Art,
  It sounds like your application is pretty reasonable. The benefits
of much cash, the restrictions on what hardware can be used, and
your willingness to keep the project under control make a big difference
in the cost-benefit balance.

I can think of one thing that might have made a difference:
it's possible under most unix-style OSs to share memory at a
fixed address.
I'm not entirely sure how much of your database stays in the cache
except possibly some of the root, but I hope you've got the tools
to know that.

Still,
   you're pushing the envelope very hard to get as much performance
   and you -need- the performance, and even a percent or two of performance
   matters

   your application is SIMD-like in the large

   you've considered the tradeoffs and accept the risk for the benefits

And I infer from what you say:

   It sounds like most queries are read-only, so they
   do not affect any shared state, therefore locking issues are relatively
   few.

   It also sounds like the application itself is relatively static
   (or at least the query engine is).

   The programming team is relatively static due to
   large $$$ rewards

   I'm assuming that the query engine is well separated in the code
   from code which changes due to changes in the data being served

All of this taken together puts this into an area where I'm willing to
agree that threads are an acceptable solution if not a desirable one.
If any of the points above were different (complex state changes,
didn't need 100+%, not read-only, not static code, many hands changing
on the engine code) I'd disagree.

On a very superficial consideration of what you've said,
I suspect I could get a multiprocess solution to come within a few percent
of the threaded one, but you say you need that last few percent. There
are a lot of possible memory architecture issues (4 x 4 GB memory gets
me wondering about its exact physical layout and bus architecture). A form
of pipelined processing might also partition well, but I don't know any
details of what you're doing. Depending very much on the exact situation
offloading the TCP handshaking onto the processors in GBit network cards
---might--- work - there are a lot of possible gotchas but ---if--- the
cards are fast enough and have enough on-card memory, the payoff could be
large of course, then the network cards would have all the threads
in them!

Good luck, and thanks for the useful example!

   geoff steckel
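
The technique mentioned in the message above, sharing memory at a fixed address so that pointers stored inside the shared region stay valid in every process that maps it, shown as an added example (not code from the thread or from the server being discussed). `CACHE_ADDR`, the struct layout and all function names are assumptions made for the illustration; note that a fixed mapping address is predictable and so sits outside ASLR for that region.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed-free virtual address, chosen for this example only. */
#define CACHE_ADDR ((void *)0x2000000000UL)
#define CACHE_SIZE ((size_t)1 << 20)

struct entry {
    struct entry *next;   /* raw pointer: only valid when mapped at CACHE_ADDR */
    int key;
    int value;
};

struct cache_hdr {
    struct entry *head;
    size_t used;          /* bump-allocator offset into the region */
};

/* Map the backing file at CACHE_ADDR. The address is passed as a hint and
 * then verified; MAP_FIXED is avoided because it silently replaces any
 * mapping that already occupies the range. */
static void *map_cache(int fd, int prot)
{
    void *p = mmap(CACHE_ADDR, CACHE_SIZE, prot, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (p != CACHE_ADDR) {        /* address taken: stored pointers would dangle */
        munmap(p, CACHE_SIZE);
        return NULL;
    }
    return p;
}

/* Writer: build a pointer-linked list of (key, key*100) inside the region. */
static int build_cache(int fd)
{
    char *base = map_cache(fd, PROT_READ | PROT_WRITE);
    if (base == NULL)
        return -1;
    struct cache_hdr *hdr = (struct cache_hdr *)base;
    hdr->head = NULL;
    hdr->used = sizeof(*hdr);
    for (int k = 1; k <= 5; k++) {
        struct entry *e = (struct entry *)(base + hdr->used);
        hdr->used += sizeof(*e);
        e->key = k;
        e->value = k * 100;
        e->next = hdr->head;
        hdr->head = e;
    }
    return munmap(base, CACHE_SIZE);
}

/* Reader: map read-only, so a query process cannot corrupt shared state,
 * then follow the stored pointers directly. Returns -1 if key is absent. */
static int query_cache(int fd, int key)
{
    const struct cache_hdr *hdr = map_cache(fd, PROT_READ);
    if (hdr == NULL)
        return -1;
    int result = -1;
    for (const struct entry *e = hdr->head; e != NULL; e = e->next)
        if (e->key == key) { result = e->value; break; }
    munmap((void *)hdr, CACHE_SIZE);
    return result;
}

/* Build the cache, unmap it, then look the key up from a second process.
 * The child inherits no mapping (it was unmapped before fork), so it has to
 * establish its own at the agreed address, as an unrelated process would. */
int lookup_in_other_process(int key)
{
    char path[] = "/tmp/fixedmap-XXXXXX";
    int pfd[2], result = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    if (ftruncate(fd, (off_t)CACHE_SIZE) != 0 || build_cache(fd) != 0 ||
        pipe(pfd) != 0) {
        close(fd);
        return -1;
    }
    pid_t pid = fork();
    if (pid == 0) {
        int v = query_cache(fd, key);
        _exit(write(pfd[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(pfd[1]);
    if (pid > 0) {
        if (read(pfd[0], &result, sizeof result) != (ssize_t)sizeof result)
            result = -1;
        waitpid(pid, NULL, 0);
    }
    close(pfd[0]);
    close(fd);
    return result;
}

int main(void)
{
    printf("key 3 -> %d\n", lookup_in_other_process(3));
    return 0;
}
```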



Re: What is our ultimate goal??

2008-02-20 Thread Henning Brauer
* Mayuresh Kathe [EMAIL PROTECTED] [2008-02-20 13:12]:
> On Feb 20, 2008 4:58 PM, Henning Brauer [EMAIL PROTECTED] wrote:
> > * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-17 13:38]:
> > > Wouldn't it be nice to have a high performance networking stack?
> >
> > yeah.
> > guess what we have?
> > exactly that.
> > (which doesn't mean it could be even faster)
>
> Pardon if I sound ignorant, but isn't our networking stack based on
> the 24 year old technology from Berkeley?

so?

isn't your computer running on 100 years old technology called 
electricity?

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: What is our ultimate goal??

2008-02-20 Thread Pau Amaro-Seoane
could you please stop this shit and continue the conversation privately?

People registered at misc know well why they are using obsd. We don't
need this discussion.

2008/2/20, Henning Brauer [EMAIL PROTECTED]:
> * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-20 13:12]:
>
> > On Feb 20, 2008 4:58 PM, Henning Brauer [EMAIL PROTECTED] wrote:
> > > * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-17 13:38]:
> > > > Wouldn't it be nice to have a high performance networking stack?
> > >
> > > yeah.
> > > guess what we have?
> > > exactly that.
> > > (which doesn't mean it could be even faster)
> >
> > Pardon if I sound ignorant, but isn't our networking stack based on
> > the 24 year old technology from Berkeley?
>
>
> so?
>
> isn't your computer running on 100 years old technology called
> electricity?
>
>
> --
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: What is our ultimate goal??

2008-02-20 Thread Jordi Espasa Clofent

Touché!
--
Thanks,
Jordi Espasa Clofent



Re: What is our ultimate goal??

2008-02-20 Thread Mayuresh Kathe
On Feb 20, 2008 5:52 PM, Henning Brauer [EMAIL PROTECTED] wrote:
> * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-20 13:12]:
>
> > On Feb 20, 2008 4:58 PM, Henning Brauer [EMAIL PROTECTED] wrote:
> > > * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-17 13:38]:
> > > > Wouldn't it be nice to have a high performance networking stack?
> > >
> > > yeah.
> > > guess what we have?
> > > exactly that.
> > > (which doesn't mean it could be even faster)
> >
> > Pardon if I sound ignorant, but isn't our networking stack based on
> > the 24 year old technology from Berkeley?
>
> so?
>
> isn't your computer running on 100 years old technology called
> electricity?

But that 100 year old technology used to be DC earlier, then it was
converted to AC because of its inherent benefits.
Similarly, wouldn't it have been beneficial to go for a modern
approach for the network stack?
(not that now I can do anything about it, all's lost for me)
Could you please read http://research.sun.com/minds/2007-0710/

~Mayuresh



Re: What is our ultimate goal??

2008-02-20 Thread Henning Brauer
* Mayuresh Kathe [EMAIL PROTECTED] [2008-02-20 14:07]:
> On Feb 20, 2008 5:52 PM, Henning Brauer [EMAIL PROTECTED] wrote:
> > * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-20 13:12]:
> > > On Feb 20, 2008 4:58 PM, Henning Brauer [EMAIL PROTECTED] wrote:
> > > > * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-17 13:38]:
> > > > > Wouldn't it be nice to have a high performance networking stack?
> > > > yeah.
> > > > guess what we have?
> > > > exactly that.
> > > > (which doesn't mean it could be even faster)
> > > Pardon if I sound ignorant, but isn't our networking stack based on
> > > the 24 year old technology from Berkeley?
> > so?
> > isn't your computer running on 100 years old technology called
> > electricity?
> But that 100 year old technology used to be DC earlier, then it was
> converted to AC because of its inherent benefits.

way over a hundred years ago, yes (except for some small irrelevant 
isles like parts of new york if memory serves).

> Similarly, wouldn't it have been beneficial to go for a modern
> approach for the network stack?

we have a very modern approach: correct, secure and fast.

> (not that now I can do anything about it, all's lost for me)
> Could you please read http://research.sun.com/minds/2007-0710/

yeah, i did, lots of marketing blubber, lots of bla bla, lots of vague 
indications, nothing concrete, nothing technical.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: take threads off the table

2008-02-20 Thread Douglas A. Tutty
On Wed, Feb 20, 2008 at 10:14:14AM +0100, Artur Grabowski wrote:
> Geoff Steckel [EMAIL PROTECTED] writes:
>
> > Any argument to experience must be from similar actual
> > implementations using threads and another model, such as multiple
> > processes with interprocess communications.
>
> Sure. I'll pick up the challenge.
>
> At work we have a server that uses around 4GB RAM and runs on an 4 cpu
> machine. It serves millions of tcp connections per hour. sharing the
> memory without sharing pointer values is too inefficient since a big
> amount of the memory used is a pre-computed cache of most common query
> results. The service needs 4x4GB of RAM on the machine to be able to
> reload the data efficiently without hitting disk, since hitting the
> disk kills performance in critical moments and leads to
> inconsistencies between the four machines that run identical instances
> of this service.
 

While this kind of setup is well beyond my pay-grade, looking just at
the issue of, in effect, using threads to share a cache to avoid hitting
the disk, I wonder why using a memory filesystem as the common cache
wouldn't work.  No threads, shared data via the filesystem but that
filesystem is in memory and quite fast.

Doug.



Re: What is our ultimate goal??

2008-02-20 Thread Janne Johansson

Henning Brauer wrote:

> * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-20 14:07]:
>
> > (not that now I can do anything about it, all's lost for me)
> > Could you please read http://research.sun.com/minds/2007-0710/
>
>
> yeah, i did, lots of marketing blubber, lots of bla bla, lots of vague
> indications, nothing concrete, nothing technical.


Mostly "Lets fix Slow-aris" is what I saw. Unless you are in a
slow-aris situation, moving to whatever they did might not be an
improvement. ;)




Question about Implementing authpf, squid and ldap authentication....

2008-02-20 Thread Brian Shackelford
Hello  -



I have been working on and actually making progress for writing a client
for windows that will authenticate a user to authpf upon login thereby
granting access to the network based on rules setup for each user/group.
In addition we would love to be able to somehow transparently
authenticate that user to the squid firewall tied back to the Active
Directory on our network using LDAP.  Just wondering if anyone has
approached/done something like this already in the hopes of saving some
time developing it.



I would be more than happy to share my code for the windows side - needs
to be cleaned up before I released it - if anybody is interested in
assisting as well.  My goal would be to have a small client that starts
with windows that notes when a user logs onto the computer and
automagically takes care of opening and holding open an ssh1 session to
the firewall as well as someone allowing the user to be authenticated to
the squid proxy transparently.



Any advice (useful advice preferred - but other advice accepted without
prejudice) would be appreciated.



I have limited background in C and C++ and a fair amount of experience
in Windows C# development.



Thanks,
Brian Shackelford



Re: What is our ultimate goal??

2008-02-20 Thread Stuart Henderson
On 2008/02/20 14:14, Henning Brauer wrote:
> * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-20 14:07]:
> > On Feb 20, 2008 5:52 PM, Henning Brauer [EMAIL PROTECTED] wrote:
> > > isn't your computer running on 100 years old technology called
> > > electricity?
> > But that 100 year old technology used to be DC earlier, then it was
> > converted to AC because of its inherent benefits.
>
> way over a hundred years ago, yes (except for some small irrelevant
> isles like parts of new york if memory serves).

and, those data centres and telcos who have worked out that converting
AC-DC-AC-DC (or DC-AC-DC-AC-DC when the power comes from something like
PV cells...) is not the smartest thing they could be doing...



Re: [ami] Unable to set Hot Spare from bioctl on a Dell PERC 4/Di

2008-02-20 Thread Marco Peereboom
My natural answer is that this is a firmware issue.  But since you
provided such good steps I will try to recreate this.  Thank you for
this outstanding report.

On Wed, Feb 20, 2008 at 01:42:59AM -0700, Matthew Mulrooney wrote:
 Hi there, I'm back with another LSI controller, and I'm experiencing 
 problems with creating hot spares from bioctl.  This seems to be the same 
 problem that I posted to misc@ on Oct 16, 2006 with the subject line of:

   [ami] Unable to set Hot Spare on MegaRAID SATA 300-8x

 I've got the same symptoms, but now with a PERC 4/Di controller.  [And this 
 time I've found a better work around than just avoiding bioctl -H with this 
 LSI controller :).]

 Problem summary
 ===
 When I use bioctl to mark an Unused drive as a Hot Spare, that drive will 
 fail to be integrated when another disk fails.

 The only way, that I've found, to make that drive properly act as a Hot 
 Spare, is to only set it as such from the LSI boot menu.  If you have 
 already marked it as a Hot Spare from bioctl, pull the Hot Spare-marked 
 drive, and replace it (it can be the same physical disk).  At that point 
 your disk should be showing up as an 'Unused' disk, from where you can go 
 do the thing in the LSI boot menu.

 This is an improvement over my 2006 analysis of the situation, where I 
 couldn't find a way to reset the drive back to Unused (after Hot Sparing it 
 from bioctl).  The LSI boot menu requires a drive to be in an Unused state 
 before it will allow me to correctly mark it as a Hot Spare.


 If you're interested, please let me know what I can do to be of assistance 
 in trouble shooting this.  I have a limited window before this box will 
 have to be pushed into production, and I can live with the current 
 situation (an after hours reboot in the case of a drive failure is 
 perfectly fine).

 Matthew


 Test case
 =
 s = step succeeded
 F = step failed

 Normal case (RAID 1 + one hot spare)
 ---
 s Configure array from the LSI boot menu
 s   Clear configuration
 s   New configuration
 s Disks 0, 1:  RAID 1 array
 s Disk  2: Hot spare

 s Install OpenBSD-4.2

 s Single disk failure
 s   Disk 0:  Fails (I pulled it from the hot swap cage)
 s   Disk 2:  Automatically replaces it
 s   Observe the RAID 1 array get fully rebuilt

 s Replace failed disk
 s   Replace Disk 0 with a new disk
 s   Observe that Disk 0 is marked as Unused through bioctl
 s   Set Disk 0 to be a hot spare (through bioctl)

 s Single disk failure
 s   Disk 1:  Fails (I pulled it)
 F   Disk 0:  FAILS TO GET INTEGRATED, DESPITE STILL BEING MARKED AS A
  HOT SPARE - Array is still degraded.

 s Reboot, enter into the LSI boot menu
 s   Configure  View/Add Configurarion
 s Highlight disk 0  F4 (hot spare)
 s   This Physical Drive is already a HOTSPARE\nPress any key to
  continue
 s   F10 (Configure), Esc, Esc
 s   Exit? = YES
 s   Please REBOOT YOUR SYSTEM, CTRL-ALT-DEL

 s Recheck array
 F   Disk 0:  Still failing to integrate.  Array still degraded.

 s Attempt to shake loose the 'Hot Spare' bit from disk 0
 s   Remove disk 0
 s   Replace disk 0 (with the same physical disk)
 s   Disk 0 is *no longer* marked as a 'Hot Spare' (either through
 bioctl or through the LSI boot menu).  Yeah! :)
 [I don't think I tested this method with my SATA 300-8x.]


 Log file
 
 # The output is generated by:
 #   date; bioctl ami0

 ##
 # Created a new RAID 1 array from the LSI boot menu and installed OpenBSD 4.2
 Tue Feb 19 04:01:42 MST 2008
 Volume  Status   Size Device
  ami0 0 Scrubbing146695782400 sd0 RAID1 3% done
   0 Online   146811125760 0:0.0   safte0 MAXTOR  
 ATLAS10K5_146SCAJNZM
   1 Online   146811125760 0:1.0   safte0 SEAGATE ST3146807LC 
 DS09
  ami0 1 Hot spare146811125760 0:2.0   safte0 IBM 
 IC35L146UCDY10-0S27F

 Tue Feb 19 10:02:15 MST 2008
 Volume  Status   Size Device
  ami0 0 Scrubbing146695782400 sd0 RAID1 94% done
   0 Online   146811125760 0:0.0   safte0 MAXTOR  
 ATLAS10K5_146SCAJNZM
   1 Online   146811125760 0:1.0   safte0 SEAGATE ST3146807LC 
 DS09
  ami0 1 Hot spare146811125760 0:2.0   safte0 IBM 
 IC35L146UCDY10-0S27F

 Tue Feb 19 10:12:15 MST 2008
 Volume  Status   Size Device
  ami0 0 Scrubbing146695782400 sd0 RAID1 97% done
   0 Online   146811125760 0:0.0   safte0 MAXTOR  
 ATLAS10K5_146SCAJNZM
   1 Online   146811125760 0:1.0   safte0 SEAGATE ST3146807LC 
 DS09
  ami0 1 Hot spare146811125760 0:2.0   safte0 IBM 
 IC35L146UCDY10-0S27F

 ##
 # Mirroring complete
 Tue Feb 19 10:22:16 MST 2008
 Volume  Status   Size Device
  ami0 0 Online   146695782400 sd0 RAID1
   0 Online   146811125760 

Re: What is our ultimate goal??

2008-02-20 Thread Marco Peereboom
On Wed, Feb 20, 2008 at 02:14:31PM +0100, Henning Brauer wrote:
> > But that 100 year old technology used to be DC earlier, then it was
> > converted to AC because of its inherent benefits.
>
> way over a hundred years ago, yes (except for some small irrelevant
> isles like parts of new york if memory serves).

Even new york stopped doing it last year.  There is no more DC current
being served.

 
> > Similarly, wouldn't it have been beneficial to go for a modern
> > approach for the network stack?

There only is perceived benefit; which clearly mean you fell for the
marketing bullets.  Good, go buy sun stuff and run their OS.  It is as
nice a UNIX as you'll find.

 
> we have a very modern approach: correct, secure and fast.

Amen!

 
> > (not that now I can do anything about it, all's lost for me)

Maybe some drama classes are in order.

> > Could you please read http://research.sun.com/minds/2007-0710/
>
> yeah, i did, lots of marketing blubber, lots of bla bla, lots of vague
> indications, nothing concrete, nothing technical.

That piece was more than worthless.  Some ding dong said ooh ooh I made
it faster.  Well fantastic!  Unfortunately there is no quantification
of faster.  0 x fast is still 0.

Besides if you actually understood the beauty and elegance that is the
OpenBSD TCP/IP stack you wouldn't be yammering about marketing
horseshit.  Old != bad.  Actually, over the last few years in computer
land new == bad (java, xml, c++ etc).



Re: What is our ultimate goal??

2008-02-20 Thread Fergus Wilde
On Wednesday 20 February 2008 13:14, Henning Brauer wrote:
> * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-20 14:07]:
> > On Feb 20, 2008 5:52 PM, Henning Brauer [EMAIL PROTECTED] wrote:
> > > * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-20 13:12]:
> > > > On Feb 20, 2008 4:58 PM, Henning Brauer [EMAIL PROTECTED] wrote:
> > > > > * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-17 13:38]:
> > > > > > Wouldn't it be nice to have a high performance networking stack?
> > > > >
> > > > > yeah.
> > > > > guess what we have?
> > > > > exactly that.
> > > > > (which doesn't mean it could be even faster)
> > > >
> > > > Pardon if I sound ignorant, but isn't our networking stack based on
> > > > the 24 year old technology from Berkeley?
> > >
> > > so?
> > > isn't your computer running on 100 years old technology called
> > > electricity?
> >
> > But that 100 year old technology used to be DC earlier, then it was
> > converted to AC because of its inherent benefits.
>
> way over a hundred years ago, yes (except for some small irrelevant
> isles like parts of new york if memory serves).
>
> > Similarly, wouldn't it have been beneficial to go for a modern
> > approach for the network stack?
>
> we have a very modern approach: correct, secure and fast.
>
> > (not that now I can do anything about it, all's lost for me)
> > Could you please read http://research.sun.com/minds/2007-0710/
>
> yeah, i did, lots of marketing blubber, lots of bla bla, lots of vague
> indications, nothing concrete, nothing technical.

I did read this as well, and for my two tiny cents it has to be said that OBSD 
runs a great deal faster on my (admittedly rather elderly) Sun boxen than 
Solaris ever did.

-- 
Fergus Wilde
Chetham's Library
Long Millgate
Manchester
M3 1SB

Tel: 0161 834 7961
Fax: 0161 839 5797

http://www.chethams.org.uk



Re: What is our ultimate goal??

2008-02-20 Thread Joel Sing
On Wednesday 20 February 2008, Mayuresh Kathe wrote:
  isn't your computer running on 100 years old technology called
  electricity?

 But that 100 year old technology used to be DC earlier, then it was
 converted to AC because of its inherent benefits.
 Similarly, wouldn't it have been beneficial to go for a modern
 approach for the network stack?
 (not that now I can do anything about it, all's lost for me)
 Could you please read http://research.sun.com/minds/2007-0710/

If you're going to ask people to read up on the Solaris networking stack, at 
least give them a technical document rather than a blog/marketing piece:

http://www.sun.com/bigadmin/features/articles/solaris_networking.jsp

The background section should explain to you why Solaris experienced 
performance issues with its STREAMS-based stack, which they have since 
replaced with ``FireEngine''. The OpenBSD stack does not exhibit these same 
performance problems.

Have you done any benchmarks?
-- 

 = Joel Sing | [EMAIL PROTECTED] | 0419 577 603 =


 Real stupidity beats artificial intelligence every time.
  - Terry Pratchett, Hogfather



vpn client configuration

2008-02-20 Thread bsd bsd
Hi,

I'm trying to connect Checkpoint VPN-1 using OpenBSD 3.8. Basic set up is as
follows:

Host-A - Gateway-A -- - Gateway-B - Host-B

Gateway-A: OpenBSD3.8
Gateway-B: Checkpoint VPN1
Aim: Establish connection to Host-B from Host-A.

I've no control on Gateway-B and Host-B.

First of all, I'm able to connect Gateway-B from Gateway-A. Configuration
files that I've used are as follows:

===
isakmpd.conf

[Phase 1]
IP-OF-GATEWAY-B=peer-machineB

[Phase 2]
Connections=VPN-A-B

# ISAKMP phase 1 peers (from [Phase 1])
[peer-machineB]
Phase=  1
Transport=  udp
Address=IP-OF-GATEWAY-B
Configuration=  Default-main-mode
Authentication= PRESHAREDKEY

# IPSEC phase 2 connections (from [Phase 2])
[VPN-A-B]
Phase=  2
ISAKMP-peer=peer-machineB
Configuration=  Default-quick-mode
Local-ID=   machineA-internal-network
Remote-ID=  machineB-internal-network

# ID sections (as used in [VPN-A-B])

[machineA-internal-network]
ID-type=IPV4_ADDR
Address=   IP-OF-HOST-A

[machineB-internal-network]
ID-type=IPV4_ADDR
Address=IP-OF-HOST-B

# Main and Quick Mode descriptions (as used by peers and connections)

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
===

===
isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
===

Using these files, when I run isakmpd (isakmpd -d -DA=90) I can successfully
connect to GATEWAY-B. tcpdump output is as follows:

===
tcpdump: listening on em0, link-type EN10MB
14:44:40.315165 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 202:
IP-OF-GATEWAY-A.500  IP-OF-GATEWAY-B.500:  [udp sum ok] isakmp
v1.0exchange ID_PROT
cookie: 07c9dbce8da4a5b1- msgid:  len: 160
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 25076, len
188)
14:44:40.333719 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 122:
IP-OF-GATEWAY-B.500  IP-OF-GATEWAY-A.500:  [udp sum ok] isakmp
v1.0exchange ID_PROT
cookie: 07c9dbce8da4a5b1-b4278095f145b1b6 msgid:  len: 80
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 32
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600 (DF) (ttl 53, id
3115, len 108)
14:44:40.356321 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 222:
IP-OF-GATEWAY-A.500  IP-OF-GATEWAY-B.500:  [udp sum ok] isakmp
v1.0exchange ID_PROT
cookie: 07c9dbce8da4a5b1-b4278095f145b1b6 msgid:  len: 180
payload: KEY_EXCH len: 132
payload: NONCE len: 20 (ttl 64, id 1228, len 208)
14:44:40.376569 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 226:
IP-OF-GATEWAY-B.500  IP-OF-GATEWAY-A.500:  [udp sum ok] isakmp
v1.0exchange ID_PROT
cookie: 07c9dbce8da4a5b1-b4278095f145b1b6 msgid:  len: 184
payload: KEY_EXCH len: 132
payload: NONCE len: 24 (DF) (ttl 53, id 3116, len 212)
14:44:40.396111 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 134:
IP-OF-GATEWAY-A.500  IP-OF-GATEWAY-B.500:  [udp sum ok] isakmp
v1.0exchange ID_PROT encrypted
cookie: 07c9dbce8da4a5b1-b4278095f145b1b6 msgid:  len: 92
(ttl 64, id 23041, len 120)
14:44:40.617927 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 110:

Re: What is our ultimate goal??

2008-02-20 Thread chefren
On 02/20/08 15:00, Marco Peereboom wrote:
 On Wed, Feb 20, 2008 at 02:14:31PM +0100, Henning Brauer wrote:
 But that 100 year old technology used to be DC earlier, then it was
  converted to AC because of its inherent benefits.

Marketing blurb.

 way over a hundred years ago, yes (except for some small irrelevant
 isles like parts of new york if memory serves).

 Even new york stopped doing it last year.  There is no more DC current
 being served.

Well

http://www.economist.com/science/displaystory.cfm?story_id=9539765

 Put like this, a Europe-wide grid seems an obvious idea. That it has not
 yet been built is because AC power lines would lose too much power over
 such large distances. Hence the renewed interest in DC.

 Westinghouse won the battle of the currents in the 1880s because it is
 easier to transform the voltage of an AC current than of a DC current.

(Also debatable with switching power technologies we have now instead of the
classical bulky 50/60Hz transformers, often the first thing we do these
days is making the AC DC...)

 High voltage is the best way to transmit power (the higher the voltage,
 the smaller the loss), but high voltage is not usually what the user
 wants. Power is therefore transmitted along high-tension AC lines and
 then stepped down to usable voltages in local sub-stations.

 Edison was right, however, to argue that DC is the best way to transmit
 electricity of any given voltage. That is because the shifting current of
 AC runs to earth more easily than DC does. To avoid this earthing, AC
 lines have to be built a long way from the ground, and the higher the
 voltage, the farther away they need to be. At 400 kilovolts, a standard
 value for long-distance transmission, an alternating current 30 metres
 (100 feet) from the ground has a fortieth of the loss of a similar cable
 at ground level. But even at this height an overhead DC line will beat an
 AC line at distances more than 1,000km (600 miles), while ground-level DC
 will beat AC at distances as short as 30km.

+++chefren



Re: [ami] Unable to set Hot Spare from bioctl on a Dell PERC 4/Di

2008-02-20 Thread Unix Fan
Woah, Has anyone ever provided such a detailed and thorough error report 
before?



That was just amazing..  lol :)



-Nix Fan.











Asian lang support with generic kernel

2008-02-20 Thread arthur
Hi All,

I am new to OBSD but I like that it is secure and simple. Thanks to everyone
for making this happen!!

I am trying to install OBSD as my desktop workstation. I installed from the
4.2 release and now X/KDE is running. After installing the KDE-I18N-cn pkg, I
can now open web pages in Chinese. I will deal with the fonts/input
method/tune-up later; I don't know how to do that yet, but I think those are
doable (it is X anyway).

One problem I have is that I can't save a local disk file with a Chinese
filename. Does the generic kernel support Asian languages? If so, is there any
link/hint on how to configure that? If not, is there any way to patch it, and
how? Google gave me some pages on how to patch older versions of OBSD to
support Asian languages, but I can't find any info regarding v4.2.

Thank you.

Arthur



syslog-ng and log analyzers

2008-02-20 Thread Rami Sik
Hi All,



I would like to see what you'd suggest as a log analyzer tool(s) on a
centralized log server running syslog-ng.



I also need to use a specific tool as PF log analyzer. What do you
suggest for that purpose?



Rami Sik



Re: rtorrent + OpenBSD = freeze

2008-02-20 Thread Paul Thorn

On Tue, 19 Feb 2008, Brian wrote:


I have seen this freeze with both xl(4) and nfe(4).


Maybe it's time folks start posting their dmesg.

Brian


I've seen this freeze, too. Seems to be related to rtorrent use.
More prevalent when rtorrent is handling multiple torrents.

The machine isn't setup as a router but after the freeze, the 
computer responds to pings, but neither console nor sshd responds 
leaving me no choice but hard reboot.


I originally had assumed that this was due to me using an old
-current, but since others seem to be experiencing similar freezes,
it may be worthwhile to post my dmesg, too.

I'd certainly be willing to help in any ongoing debugging effort.

dmesg below:

OpenBSD 4.2-current (GENERIC) #476: Fri Nov  2 14:41:26 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Sempron(tm) 2200+ (AuthenticAMD 686-class, 256KB L2 cache) 1.50 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 234385408 (223MB)
avail mem = 218775552 (208MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/07/04, BIOS32 rev. 0 @ 0xfb590, SMBIOS 
rev. 2.2 @ 0xf (34 entries)
bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 07/07/2004
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf74
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdec0/176 (9 entries)
pcibios0: PCI Exclusive IRQs: 3 5 10 11
pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xda00 0xd/0x8000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8378 PCI rev 0x00
ppb0 at pci0 dev 1 function 0 VIA VT8377 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 VIA VT8378 VGA rev 0x01: aperture at 
0xe400, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x80: irq 11
uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x80: irq 3
uhci2 at pci0 dev 16 function 2 VIA VT83C572 USB rev 0x80: irq 10
ehci0 at pci0 dev 16 function 3 VIA VT6202 USB rev 0x82: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 VIA EHCI root hub rev 2.00/1.00 addr 1
viapm0 at pci0 dev 17 function 0 VIA VT8235 ISA rev 0x00
iic0 at viapm0
spdmem0 at iic0 addr 0x50: 256MB DDR SDRAM non-parity PC3200CL3.0
pciide0 at pci0 dev 17 function 1 VIA VT82C571 IDE rev 0x06: ATA133, channel 
0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: ST3250620A
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd1 at pciide0 channel 0 drive 1: ST3320620A
wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: PIONEER, DVD-RW DVR-106D, 1.06 SCSI0 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
auvia0 at pci0 dev 17 function 5 VIA VT8233 AC97 rev 0x50: irq 10
ac97: codec id 0x414c4760 (Avance Logic ALC655 rev 0)
audio0 at auvia0
vr0 at pci0 dev 18 function 0 VIA RhineII-2 rev 0x74: irq 11, address 
00:11:5b:0a:44:14
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 8: OUI 0x004063, 
model 0x0032
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 VIA UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 VIA UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 VIA UHCI root hub rev 1.00/1.00 addr 1
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x290/8: IT87
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ff6d netmask ff6d ttymask ffef
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted



Re: syslog-ng and log analyzers

2008-02-20 Thread Claer
On Wed, Feb 20 2008 at 32:08, Rami Sik wrote:
 Hi All,
Hi alone,
 
 I would like to see what you'd suggest as a log analyzer tool(s) on a
 centralized log server running syslog-ng.
In our network, I decided to analyse the logs received by syslog-ng with 
Prelude-LML. In fact, all logs are retransmitted to the Prelude-LML syslog
daemon bound to localhost.

Prelude-LML can find security threats in the logs of numerous products. It's
easy to see them with the Prelude console (Prewikka).

The fact that only a copy is sent to prelude-lml lets you store the
logs as you want. This way you can analyse mail or web logs with your
favorite log analyser. We intend to use awstats for this purpose.

 I also need to use a specific tool as PF log analyzer. What do you
 suggest for that purpose?
For the moment, I haven't chosen any product to analyse pf logs. 
I haven't yet found a firewall log analyser that emphasises the important
alerts rather than summarising all the connections in a beautiful graph.

Claer




Re: Question about Implementing authpf, squid and ldap authentication....

2008-02-20 Thread Stefan Kell

Hi,

On Wed, 20 Feb 2008, Brian Shackelford wrote:


I have been working on and actually making progress for writing a client
for windows that will authenticate a user to authpf upon login thereby
granting access to the network based on rules setup for each user/group.
In addition we would love to be able to somehow transparently
authenticate that user to the squid firewall tied back to the Active
Directory on our network using LDAP.  Just wondering if anyone has
approached/done something like this already in the hopes of saving some
time developing it.



there was a discussion on openbsd-misc some days ago, see 
http://thread.gmane.org/gmane.os.openbsd.misc/138273, for LDAP and 
squid.


Regarding authpf: I would not do this because you have the choice between 
organizing and handling many users and passwords on your openbsd firewall 
or only a few or one users and passwords and then you have probably no 
security. If possible I would not allow direct access to the internet but 
only via squid.


regards

Stefan Kell



OpenBSD 4.2 with ftp-proxy, named, spamd on Alix2c1 board (+dmesg)

2008-02-20 Thread Klaus Botschen
Just for the records.

The Alix2c1 board is from PC Engines, 3 LAN, 1 miniPCI,
a 433 MHz AMD Geode LX700 with 128 MB DDR DRAM,
CompactFlash socket (see http://pcengines.ch/alix2c1.htm).

In short, I upgraded the BIOS, performed a PXE boot,
did a normal install, configured afterwards the RAM-disk
for /var and /tmp and made / readonly.

Works great, thanks.. and BTW, Recurring PayPal Donations is a
good idea.

Now the longer story.

The boards (two of them) are used for NAT, firewall, DNS, FTP-proxy and
Spamd frontend for a mailserver that is behind the firewall. It's a small
network for about 10 users.

For the BIOS upgrade, I used a ready-to-run freedos image from a Korean host,
http://210.109.84.3/download/freedos_alixupdate_16.img
which I wrote with dd onto a 1GB CF card (using a PCMCIA adapter).

You have to link the serial ports of your computer with the alix board
using a nullmodem (crossover) serial cable. I use Linux as main OS
and used minicom as terminal. Default settings for the Alix board
are 38400-8-N-1. the serial port on my machine is /dev/ttyS0.

For PXE boot you need some entries in /etc/dhcpd.conf:
allow bootp;
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.200 192.168.0.250;
  default-lease-time 14400;
  max-lease-time 172800;
  next-server 192.168.0.10;# this is my machine
  filename "pxeboot";
}


Put these files in the tftpboot directory:
bsd.rd
pxeboot
etc/boot.conf

# cat boot.conf
set tty com0
stty com0 38400
boot bsd.rd

Now I performed a normal 4.2 install with following deviations:
- I cleared all partitions and created only wd0a using the whole disk.
- No swap.
- I left out comp42.tgz.
- I had to add xbase42.tgz because of expiretable-0.6 (will change in 4.3).

Next time I would make two partitions, one for installation,
and a larger one so that I can store updated image files there,
boot bsd.rd and copy the image over the primary partition...

After installation comes:
# /mnt/usr/sbin/chroot /mnt

We need /tmp, /var and /dev writeable, but this would destroy the
CompactFlash card. We move those three directories to a memory
based file system that will be populated during startup.

# mkdir /proto
# cp -rp /var /proto/var
# mkdir /proto/dev
# cp /dev/MAKEDEV /proto/dev
# cd /proto/dev
# ./MAKEDEV all
# rm -rf /tmp
# ln -s /var/tmp /tmp

Now I'm not quite sure whether the MAKEDEV worked out of the box;
I think I had to reboot because I got lots of error messages.

Lots of configuration work needs to be done:

This sets the boot console to the serial port:
# cat /etc/boot.conf
set tty com0
stty com0 38400

Minicom only supports VT102:
# cat /etc/ttys
tty00   "/usr/libexec/getty std.38400"  vt102   on secure


# cat /etc/fstab
/dev/wd0a / ffs ro,noatime 1 1
swap /var mfs rw,-P=/proto/var,-s=65536,noexec,nosuid,nodev 0 0
swap /dev mfs rw,-P=/proto/dev,-s=4096,-i=128,noexec,nosuid 0 0

# cat /etc/rc.conf  (only changes, YMMV:)
named_flags=""
ntpd_flags=""
spamd_flags=""
spamlogd_flags="-i pflog0"
ftpproxy_flags=""

Be careful not to set the ntpd-flags to -s, in my tests, when the
internet was not connected, ntpd would hang completely.
I use rdate for that, see later.

I added a single line in /etc/rc:

  mount -a -t nonfs,vnd
  mount -uw / # root on nfs requires this, others aren't hurt
  rm -f /fastboot # XXX (root now writeable)
+ sleep 1 # wait until mfs is populated
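
Review bot: the added "sleep 1" after "rm -f /fastboot" is a fixed delay standing in for the condition named in its own comment ("wait until mfs is populated"), so it races with the copy from the prototype directories whenever that copy takes longer than one second. Consider waiting on the condition itself, for example looping until a file known to exist in the prototype /var appears under the mounted /var, with an upper bound on the wait so a failed mount cannot hang the boot.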

# cat /etc/rc.conf.local
expiretable=YES


# cat /etc/rc.local
echo -n 'rdate '
rdate -ncv pool.ntp.org

if [ X"${expiretable}" == X"YES" ]; then
echo -n 'expiretable '
/usr/local/sbin/expiretable -v -d -t 2h bruteforce
fi


Now something completely different, the packet filtering.
The mailserver sits in the local LAN and is protected by the firewall and spamd.
I installed the open source edition of zimbra.com there, so there are plenty of
ports redirected to the webserver.
Aside from that, I decided to block SSH brute force attempts, but set it too
tight - I locked myself out for 2 hours because I initiated several scp
commands too fast...
For the automatic unlocking to work, you need expiretable-0.6.
Additionally, I have a whitelist with IP addresses of known mail servers
located in /var/db/whitelist.

# cat /etc/pf.conf
WORLD="vr2"
LAN="vr0"
IPEXT="a.b.c.d"
IPINT="192.168.0.0/24"
MAIL="192.168.0.104"
MAILPTS="{ www, pop3, auth, https, pop3s, 7071 }"
table <rfc1918> persist { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/5, 169.254.0.0/16 }
table <whitelist> persist file "/var/db/whitelist"
table <spamd> persist
table <spamd-white> persist
table <bruteforce> persist
set loginterface $WORLD
set limit table-entries 35
scrub on $WORLD all fragment reassemble random-id reassemble tcp
nat-anchor "ftp-proxy/*"
nat on $WORLD from $IPINT to any -> $IPEXT
rdr-anchor "ftp-proxy/*"
rdr pass on $LAN proto tcp from $IPINT to any port 21 -> 127.0.0.1 port 8021
#  mail server and spamd
rdr pass on $WORLD proto tcp from <whitelist> to $WORLD port smtp -> $MAIL port smtp
rdr pass on $WORLD proto 

Re: Sending mail from external firewall to external mail server (behind firewall)

2008-02-20 Thread Stefan Kell

Hello,

On Wed, 20 Feb 2008, Albert Chin wrote:


On Wed, Feb 20, 2008 at 08:55:44AM +0100, Stefan Kell wrote:

 Original Message 

Date: Tue, 19 Feb 2008 22:36:20 -0600
From: Albert Chin [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Sending mail from external firewall to external mail server (behind 
firewall)



... snip...

  rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
    port = smtp -> $emma_gw


From the Internet, if I telnet 67.95.107.111 25, everything works.

But, on hammer:
  hammer% telnet 67.95.107.111 25
  Trying 67.95.107.111...
  telnet: connect to address 67.95.107.111: Connection refused

... snip ...


see man pf.conf, especially paragraph Translation rules apply
only to packets that pass through the specified interface,...


Thanks. I've changed my pf rule from:
 rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
   port = smtp -> $emma_gw
to:
 rdr pass log inet proto tcp from any to $mail_ip \
   port = smtp -> $emma_gw

This certainly helps for hosts on the local network. But, the issue
with telnet 67.95.107.111 25 not working on hammer remains.

BTW, we are running OpenBSD 4.0 on x86.



Have a look at the pf-FAQ, see http://www.openbsd.org/faq/pf/rdr.html.
Your problem is discussed there. I think you cannot test redirection on
the firewall itself because the packets won't reach the redirection
stuff in pf.

Regards

Stefan Kell



Re: take threads off the table

2008-02-20 Thread Ted Unangst
On Feb 20, 2008 5:48 AM, Douglas A. Tutty [EMAIL PROTECTED] wrote:
 While this kind of setup is well beyond my pay-grade, looking just at
 the issue of, in effect, using threads to share a cache to avoid hitting
 the disk, I wonder why using a memory filesystem as the common cache
 wouldn't work.  No threads, shared data via the filesystem but that
 filesystem is in memory and quite fast.

Because the data structure actually used by your program is rarely bit
for bit identical with the on disk representation of that same data.
Memory filesystems impose all sorts of overhead like inodes, names,
directories, modification times, sizes, owner id, group id, access
time, permissions, superblocks, backup superblocks.



Re: syslog-ng and log analyzers

2008-02-20 Thread Ryan Corder
On Wed, Feb 20, 2008 at 08:32:31AM -0800, Rami Sik wrote:
| I would like to see what you'd suggest as a log analyzer tool(s) on a
| centralized log server running syslog-ng.
| 
| I also need to use a specific tool as PF log analyzer. What do you
| suggest for that purpose?

I prefer to use a log notification tool instead of relying on a tool
to figure out what is going on.  Since I pretty much know what I'm looking
out for, I can define certain things to watch for and then set up
appropriate notifications.

Check out tenshi -- written for Gentoo Linux, but is just Perl.

http://www.gentoo.org/proj/en/infrastructure/tenshi/

later.
ryanc



ssh_config, chroot, or user rights to restrict user access?

2008-02-20 Thread LeRoy, Ted
I'm taking a class on system security.  We're in teams and we have to
allow attacking teams ssh access to our devices.

I'd like to limit the user account access for the other groups,
permitting them a shell and a few commands, but no ability to browse the
box or do things like cat or cp /etc/passwd.

I'm running OpenBSD 4.2 on the server they'll be attacking.  I'm an
OpenBSD noob.  Learning under fire.

If someone can help me figure out whether using ssh_config, chroot, or
just using permissions will be the easiest, most effective way to go
about it, and how to proceed, it will be much appreciated.  Alternatives
would be great too.

Thanks!

Ted LeRoy



Re: syslog-ng and log analyzers

2008-02-20 Thread Kian Mohageri
On Feb 20, 2008 10:51 AM, Ryan Corder [EMAIL PROTECTED] wrote:

 On Wed, Feb 20, 2008 at 08:32:31AM -0800, Rami Sik wrote:
 | I would like to see what you'd suggest as a log analyzer tool(s) on a
 | centralized log server running syslog-ng.
 |
 | I also need to use a specific tool as PF log analyzer. What do you
 | suggest for that purpose?

 I prefer to use a log notification tool instead of relying on a tool
 to figure out what is going on.  Since I pretty much know what I'm looking
 out for, I can define certain things to watch for and then set up
 appropriate notifications.

 Check out tenshi -- written for Gentoo Linux, but is just Perl.


Another vote for Tenshi.  Probably the best way to do it with
syslog-ng is to have syslog-ng forward logs to Tenshi (listening on
loopback) because otherwise Tenshi won't be able to follow the logs
(if you organize them by date, etc.).

-Kian



Re: ssh_config, chroot, or user rights to restrict user access?

2008-02-20 Thread Jason Crawford
On Wed, Feb 20, 2008 at 2:02 PM, LeRoy, Ted [EMAIL PROTECTED] wrote:
 I'm taking a class on system security.  We're in teams and we have to
 allow attacking teams ssh access to our devices.

 I'd like to limit the user account access for the other groups,
 permitting them a shell and a few commands, but no ability to browse the
 box or do things like cat or cp /etc/passwd.

 I'm running OpenBSD 4.2 on the server they'll be attacking.  I'm an
 OpenBSD noob.  Learning under fire.

 If someone can help me figure out whether using ssh_config, chroot, or
 just using permissions will be the easiest, most effective way to go
 about it, and how to proceed, it will be much appreciated.  Alternatives
 would be great too.


The easiest way is to upgrade to -current, as openssh in -current has
the ChrootDirectory option in sshd_config now. Look at:
http://undeadly.org/cgi?action=article&sid=20080220110039&mode=expanded&count=5
for more details.









Re: ssh_config, chroot, or user rights to restrict user access?

2008-02-20 Thread Josh Grosse
On Wed, 20 Feb 2008 14:02:34 -0500, LeRoy, Ted wrote
 I'm taking a class on system security.  We're in teams and we have to
 allow attacking teams ssh access to our devices.
 
 I'd like to limit the user account access for the other groups,
 permitting them a shell and a few commands, but no ability to browse 
 the box or do things like cat or cp /etc/passwd.
 
 I'm running OpenBSD 4.2 on the server they'll be attacking.  I'm an
 OpenBSD noob.  Learning under fire.
 
 If someone can help me figure out whether using ssh_config, chroot,
  or just using permissions will be the easiest, most effective way 
 to go about it, and how to proceed, it will be much appreciated.  Alternatives
 would be great too.
 
 Thanks!
 
 Ted LeRoy

Ted,

A new sftp chroot restriction environment is now available in -current; you
may find the discussion at the OpenBSD Journal helpful:

http://undeadly.org/cgi?action=article&sid=20080220110039
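
Added example, not part of any message in this thread and not OpenSSH code: sshd refuses to use a ChrootDirectory unless every component of the path is a root-owned directory that is not writable by group or others, so this script audits a candidate path before it goes into sshd_config. The path /home/jail in the comments and the optional second argument (an owner uid other than 0, so the check can be tried without root) are assumptions.

```shell
#!/bin/sh
# Audit a directory intended for sshd_config's ChrootDirectory option.
# Hypothetical usage:  sh check_chroot.sh /home/jail

# check_component DIR UID
# Checks one path component. Prints a reason per problem, returns 1 if any.
check_component() {
    c_dir=$1
    c_uid=$2
    c_rc=0
    if [ ! -d "$c_dir" ]; then
        echo "$c_dir: not a directory"
        return 1
    fi
    # ls -ldn prints the mode string first and the numeric owner third.
    set -f
    set -- $(ls -ldn "$c_dir")
    set +f
    c_mode=$1
    c_owner=$3
    if [ "$c_owner" != "$c_uid" ]; then
        echo "$c_dir: owned by uid $c_owner, expected $c_uid"
        c_rc=1
    fi
    case $c_mode in
        d????w*) echo "$c_dir: group-writable ($c_mode)"; c_rc=1 ;;
    esac
    case $c_mode in
        d???????w*) echo "$c_dir: writable by others ($c_mode)"; c_rc=1 ;;
    esac
    return $c_rc
}

# check_chroot_path DIR [UID]
# Walks from DIR up to /, applying check_component to every component.
# Returns 0 if the whole path is acceptable, 1 if not, 2 on bad input.
check_chroot_path() {
    p=$1
    want=${2:-0}    # sshd requires root (uid 0); override is for testing only
    rc=0
    case $p in
        /*) ;;
        *) echo "not an absolute path: $p"; return 2 ;;
    esac
    while :; do
        check_component "$p" "$want" || rc=1
        if [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return $rc
}

# Run the audit when a path is given on the command line.
if [ "$#" -ge 1 ]; then
    check_chroot_path "$@"
fi
```

A home directory owned by the restricted user fails this check by design; the usual layout is a root-owned jail with a user-writable subdirectory inside it.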



Re: Using CVS to back up /etc

2008-02-20 Thread Jeff Quast
 Currently I back up /etc on these machines using variants on rsync and
 rsnapshot, and it works OK. However, I've got it into my head to shift
 to using CVS to back up /etc on these machines. Advantages I think I see:

http://www.infrastructures.org/papers/bootstrap/bootstrap.html

might help in your research, I have not yet seen it mentioned here



Re: ssh_config, chroot, or user rights to restrict user access?

2008-02-20 Thread Tom Lobato

LeRoy, Ted wrote:

I'm taking a class on system security.  We're in teams and we have to
allow attacking teams ssh access to our devices.
  


it's not what you asked, but may be helpful to your task:
http://www.securityfocus.com/infocus/1876



Tom Lobato



Re: syslog-ng and log analyzers

2008-02-20 Thread Henning Brauer
* Rami Sik [EMAIL PROTECTED] [2008-02-20 17:47]:
 I would like to see what you'd suggest as a log analyzer tool(s) on a
 centralized log server

there's a very nice way to do that with the trustworthy syslogd (yeah, 
the one without that -ng suffix) we ship. just put the following line 
in your syslog.conf:

*.*   |/usr/local/sbin/logsurfer -d /picksomething -s

the very nice part of the story is that syslogd will take care of 
forking logsurfer, and start a new one if it should die for whatever 
reason.

it'll take you a while to write sensible logsurfer rules, but after a 
while of spamming you it'll nicely report anomalies.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
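
The report-everything-not-known-to-be-routine approach described above, as an added example that is not part of the original message and does not use logsurfer's rule syntax: a Python filter that reads syslog lines on stdin, as a program on the receiving end of such a syslog.conf pipe would. The ignore patterns and the sample log lines are constructed assumptions.

```python
import re
import sys

# Traditional BSD syslog line as written to a file or pipe:
#   "Feb 20 17:47:01 host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed allow-list of routine messages (assumption: tune per site).
# Anything NOT matched here is reported, so new message types surface.
IGNORE = [
    ("sshd", re.compile(r"^Accepted publickey for \S+ from \S+ port \d+")),
    ("cron", re.compile(r"^\(\w+\) CMD \(")),
    ("ntpd", re.compile(r"^adjusting local clock by ")),
]

def classify(line):
    """Return None for routine lines, else a (reason, line) finding."""
    line = line.rstrip("\n")
    m = LINE_RE.match(line)
    if m is None:
        # Unparseable input is itself an anomaly; never drop it silently.
        return ("unparsed", line)
    for prog, pattern in IGNORE:
        if m["prog"] == prog and pattern.search(m["msg"]):
            return None
    return ("unlisted:" + m["prog"], line)

def surf(stream):
    """Consume lines until EOF (the pipe closing) and collect findings."""
    return [f for f in map(classify, stream) if f is not None]

SAMPLE = [  # constructed log lines, not from a real host
    "Feb 20 17:47:01 loghost cron[4211]: (root) CMD (/usr/bin/newsyslog)",
    "Feb 20 17:47:09 loghost sshd[981]: Accepted publickey for ted from 192.0.2.7 port 50122 ssh2",
    "Feb 20 17:48:30 loghost sshd[990]: Failed password for invalid user admin from 198.51.100.9 port 4410 ssh2",
    "Feb 20 17:49:02 loghost /bsd: arp info overwritten for 192.0.2.1",
    "garbage without a header",
]

if __name__ == "__main__":
    # Fed from a pipe: read stdin. Run by hand on a terminal: use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for reason, line in surf(source):
        print(f"[{reason}] {line}")
```

Starting with an empty allow-list produces the flood of reports mentioned above; each pattern added to `IGNORE` removes one class of routine message until only anomalies remain.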



make release errors

2008-02-20 Thread Chris Smith
Hello,

Trying to do a make release apparently without success:
=
cp /usr/dest/snapshot/*BOOT* /usr/rel
cp: /usr/dest/snapshot/*BOOT*: No such file or directory
*** Error code 1 (ignored)
cp /usr/dest/snapshot/cd*.iso /usr/rel
cp /usr/dest/snapshot/Packages /usr/rel
cp: /usr/dest/snapshot/Packages: No such file or directory
*** Error code 1 (ignored)
cp /usr/dest/snapshot/INSTALL.* /usr/rel
cp /usr/dest/snapshot/*.fs /usr/dest/snapshot/*.fs.gz /usr/rel
cp: /usr/dest/snapshot/*.fs.gz: No such file or directory
*** Error code 1 (ignored)
cd /usr/rel;  md5 *bsd!(*.gz) *boot* cdbr *BOOT* INSTALL.* Packages *.fs  
*.iso *.gz *.tgz  MD5
md5: cannot open *BOOT*: No such file or directory
md5: cannot open Packages: No such file or directory
md5: cannot open *.gz: No such file or directory
cd /usr/rel  sort -o MD5 MD5
=

System started as a clean install from the 2/17/08 snapshot and upgraded 
to -current before doing make release. I followed the instructions 
at: http://openbsd.org/faq/faq5.html#Release

What did I miss?

Thank you,
-- 
Chris



Re: syslog-ng and log analyzers

2008-02-20 Thread Ryan Corder
On Wed, Feb 20, 2008 at 11:12:06AM -0800, Kian Mohageri wrote:
| Another vote for Tenshi.  Probably the best way to do it with
| syslog-ng is to have syslog-ng forward logs to Tenshi (listening on
| loopback) because otherwise Tenshi won't be able to follow the logs
| (if you organize them by date, etc.).

I have syslog-ng keep an additional 'catchall' log that only the
tenshi user has access to.  It is then rotated every 24 hours via
logrotate.  This method is no more or less secure, but in my mind
it is one less process listening on a socket.



Re: Not updating .libs-XXXXX, remember to clean it (huh?)

2008-02-20 Thread Marc Espie
On Tue, Feb 19, 2008 at 01:07:25PM -0500, Juan Miscaro wrote:
 I am working with a recent snapshot installation (090208) and I have
 some questions regarding updating packages with pkg_add.
 
 
 ...
 1. I am shown the following:
 
 Not updating .libs-curl-7.16.2, remember to clean it
 Not updating .libs-db-4.2.52p11, remember to clean it
 Not updating .libs-pcre-7.1, remember to clean it
 Not updating .libs-png-1.2.18, remember to clean it
 
 How do I clean it?

By using pkg_delete

 I have these files on my system.  By cleaning it should I merely
 delete the earlier version?  If so, why doesn't pkg_add do it?

Because you might have compiled stuff on your system manually, and then
if you remove those libs, you will break it.

But you're right, it's poorly documented...



Re: make release errors

2008-02-20 Thread Richard Daemon
On Wed, Feb 20, 2008 at 8:11 PM, Richard Daemon
[EMAIL PROTECTED] wrote:

 On Wed, Feb 20, 2008 at 6:26 PM, Chris Smith [EMAIL PROTECTED] wrote:
   Hello,
  
Trying to do a make release apparently without success:
=
cp /usr/dest/snapshot/*BOOT* /usr/rel
cp: /usr/dest/snapshot/*BOOT*: No such file or directory
*** Error code 1 (ignored)
cp /usr/dest/snapshot/cd*.iso /usr/rel
cp /usr/dest/snapshot/Packages /usr/rel
cp: /usr/dest/snapshot/Packages: No such file or directory
*** Error code 1 (ignored)
cp /usr/dest/snapshot/INSTALL.* /usr/rel
cp /usr/dest/snapshot/*.fs /usr/dest/snapshot/*.fs.gz /usr/rel
cp: /usr/dest/snapshot/*.fs.gz: No such file or directory
*** Error code 1 (ignored)
cd /usr/rel;  md5 *bsd!(*.gz) *boot* cdbr *BOOT* INSTALL.* Packages *.fs
*.iso *.gz *.tgz  MD5
md5: cannot open *BOOT*: No such file or directory
md5: cannot open Packages: No such file or directory
md5: cannot open *.gz: No such file or directory
cd /usr/rel  sort -o MD5 MD5
=
  
System started as a clean install from the 2/17/08 snapshot and upgraded
to -current before doing make release. I followed the instructions
at: http://openbsd.org/faq/faq5.html#Release
  
What did I miss?
  
Thank you,
--
Chris
  
  

  Probably because the steps - test -d ${DESTDIR} && mv ${DESTDIR}
  ${DESTDIR}.old && rm -rf ${DESTDIR}.old &

  Skip that part or better yet, don't rm -rf until you're fully finished
  everything... Especially if you want to make a full release(8) with X
  sets too then you'll have OpenBSD in ${DESTDIR}.old and Xenocara in
  ${DESTDIR}, if memory serves me correctly. It's kinda misleading and
  the same goes with release(8).

  Just my $0.02, hope this helps.


Whoops, I meant lower in the FAQ:

# test -d ${DESTDIR} && mv ${DESTDIR} ${DESTDIR}- && \
    rm -rf ${DESTDIR}- &



Re: make release errors

2008-02-20 Thread Stuart Henderson
 On Wed, Feb 20, 2008 at 6:26 PM, Chris Smith [EMAIL PROTECTED] wrote:
  Hello,
 
   Trying to do a make release apparently without success:

No these warnings are ok. You got the *.tgz didn't you?

   cp /usr/dest/snapshot/*BOOT* /usr/rel
   cp: /usr/dest/snapshot/*BOOT*: No such file or directory
   *** Error code 1 (ignored)
   cp /usr/dest/snapshot/cd*.iso /usr/rel
   cp /usr/dest/snapshot/Packages /usr/rel
   cp: /usr/dest/snapshot/Packages: No such file or directory
   *** Error code 1 (ignored)
   cp /usr/dest/snapshot/INSTALL.* /usr/rel
   cp /usr/dest/snapshot/*.fs /usr/dest/snapshot/*.fs.gz /usr/rel
   cp: /usr/dest/snapshot/*.fs.gz: No such file or directory
   *** Error code 1 (ignored)
   cd /usr/rel;  md5 *bsd!(*.gz) *boot* cdbr *BOOT* INSTALL.* Packages *.fs
   *.iso *.gz *.tgz  MD5
   md5: cannot open *BOOT*: No such file or directory
   md5: cannot open Packages: No such file or directory
   md5: cannot open *.gz: No such file or directory
   cd /usr/rel  sort -o MD5 MD5



Re: make release errors

2008-02-20 Thread Alexander Hall

Chris Smith wrote:

Hello,

Trying to do a make release apparently without success:
=
cp /usr/dest/snapshot/*BOOT* /usr/rel
cp: /usr/dest/snapshot/*BOOT*: No such file or directory
*** Error code 1 (ignored)
cp /usr/dest/snapshot/cd*.iso /usr/rel
cp /usr/dest/snapshot/Packages /usr/rel
cp: /usr/dest/snapshot/Packages: No such file or directory
*** Error code 1 (ignored)
cp /usr/dest/snapshot/INSTALL.* /usr/rel
cp /usr/dest/snapshot/*.fs /usr/dest/snapshot/*.fs.gz /usr/rel
cp: /usr/dest/snapshot/*.fs.gz: No such file or directory
*** Error code 1 (ignored)
cd /usr/rel;  md5 *bsd!(*.gz) *boot* cdbr *BOOT* INSTALL.* Packages *.fs  
*.iso *.gz *.tgz  MD5

md5: cannot open *BOOT*: No such file or directory
md5: cannot open Packages: No such file or directory
md5: cannot open *.gz: No such file or directory
cd /usr/rel  sort -o MD5 MD5
=

System started as a clean install from the 2/17/08 snapshot and upgraded 
to -current before doing make release. I followed the instructions 
at: http://openbsd.org/faq/faq5.html#Release


What did I miss?


The ignored part in the error output. Those error messages are typical 
(dare I guess you're on i386?) and not critical.


If these are the only errors you get, then you can go on with the rest 
of the release.


/Alexander



Re: make release errors

2008-02-20 Thread Richard Daemon
On Wed, Feb 20, 2008 at 6:26 PM, Chris Smith [EMAIL PROTECTED] wrote:
 Hello,

  Trying to do a make release apparently without success:
  =
  cp /usr/dest/snapshot/*BOOT* /usr/rel
  cp: /usr/dest/snapshot/*BOOT*: No such file or directory
  *** Error code 1 (ignored)
  cp /usr/dest/snapshot/cd*.iso /usr/rel
  cp /usr/dest/snapshot/Packages /usr/rel
  cp: /usr/dest/snapshot/Packages: No such file or directory
  *** Error code 1 (ignored)
  cp /usr/dest/snapshot/INSTALL.* /usr/rel
  cp /usr/dest/snapshot/*.fs /usr/dest/snapshot/*.fs.gz /usr/rel
  cp: /usr/dest/snapshot/*.fs.gz: No such file or directory
  *** Error code 1 (ignored)
  cd /usr/rel;  md5 *bsd!(*.gz) *boot* cdbr *BOOT* INSTALL.* Packages *.fs
  *.iso *.gz *.tgz  MD5
  md5: cannot open *BOOT*: No such file or directory
  md5: cannot open Packages: No such file or directory
  md5: cannot open *.gz: No such file or directory
  cd /usr/rel  sort -o MD5 MD5
  =

  System started as a clean install from the 2/17/08 snapshot and upgraded
  to -current before doing make release. I followed the instructions
  at: http://openbsd.org/faq/faq5.html#Release

  What did I miss?

  Thank you,
  --
  Chris



Probably because the steps - test -d ${DESTDIR} && mv ${DESTDIR}
${DESTDIR}.old && rm -rf ${DESTDIR}.old &

Skip that part or better yet, don't rm -rf until you're fully finished
everything... Especially if you want to make a full release(8) with X
sets too then you'll have OpenBSD in ${DESTDIR}.old and Xenocara in
${DESTDIR}, if memory serves me correctly. It's kinda misleading and
the same goes with release(8).

Just my $0.02, hope this helps.



Re: make release errors

2008-02-20 Thread Chris Smith
On Wednesday 20 February 2008, Stuart Henderson wrote:
 No these warnings are ok. You got the *.tgz didn't you?

Yes. Thank you.

-- 
Chris



Re: make release errors

2008-02-20 Thread Chris Smith
On Wednesday 20 February 2008, Richard Daemon wrote:
 Whoops, I meant lower in the FAQ:

 # test -d ${DESTDIR} && mv ${DESTDIR} ${DESTDIR}- && \
     rm -rf ${DESTDIR}- &

Thanks. I had just created these directories so they were empty to start
with.

--
Chris



Re: make release errors

2008-02-20 Thread Chris Smith
On Wednesday 20 February 2008, Alexander Hall wrote:
 The ignored part in the error output. Those error messages are
 typical (dare I guess you're on i386?) and not critical.

Yes, i386.

 If these are the only errors you get, then you can go on with the
 rest of the release.

I get this as well:
=
# cd /usr/src/distrib/sets  sh checkflist
6455a6456
 ./usr/sbin/authpf-noip
13115a13117
 ./usr/share/man/cat4/wbsio.0
13442a13445
 ./usr/share/man/cat8/authpf-noip.0
=

If I don't want X, am I basically done except for any third party 
packages desired?

Thank you.

-- 
Chris



inspircd + libunwind?

2008-02-20 Thread kg
[EMAIL PROTECTED]:~ $ sysctl kern.version
kern.version=OpenBSD 4.3-beta (GENERIC) #6: Wed Feb 20 19:23:25 PST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

...with an equally current userland.

I am trying to get InspIRCd (http://www.inspircd.org/) 1.1.17 compiled but
it requires libunwind.

The InspIRCd website indicates that their code was working at one time on
OpenBSD, but that was some time ago (3.7).

Does anyone have information on either running inspircd or libunwind under
OpenBSD?  Is there such a thing as libunwind on OpenBSD?  Google is turning
up very little.

Thanks.



Re: What is our ultimate goal??

2008-02-20 Thread Mayuresh Kathe
On Thu, Feb 21, 2008 at 1:05 PM, ropers [EMAIL PROTECTED] wrote:
 On 20/02/2008, Mayuresh Kathe [EMAIL PROTECTED] wrote:
   On Feb 20, 2008 4:58 PM, Henning Brauer [EMAIL PROTECTED] wrote:
 * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-17 13:38]:
  Wouldn't it be nice to have a high performance networking stack?

 yeah.
 guess what we have?
 exactly that.
 (which doesn't mean it could be even faster)
  
  
   Pardon if I sound ignorant, but isn't our networking stack based on
the 24 year old technology from Berkeley?

  Pardon if I sound ignorant, but isn't our Bugatti Veyron based on
  the millennia old wheel technology?

The wheel isn't the technology, it is a concept.
An implementation of the wheel concept would be the technology.
The concept is the same, but the technology is certainly different.
Are you saying your Bugatti Veyron is running on wooden wheels?

~Mayuresh



Re: What is our ultimate goal??

2008-02-20 Thread ropers
On 20/02/2008, Mayuresh Kathe [EMAIL PROTECTED] wrote:
 On Feb 20, 2008 4:58 PM, Henning Brauer [EMAIL PROTECTED] wrote:
   * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-17 13:38]:
Wouldn't it be nice to have a high performance networking stack?
  
   yeah.
   guess what we have?
   exactly that.
   (which doesn't mean it could be even faster)


 Pardon if I sound ignorant, but isn't our networking stack based on
  the 24 year old technology from Berkeley?

Pardon if I sound ignorant, but isn't our Bugatti Veyron based on
the millennia old wheel technology?