Re: Missing files in etc

2016-01-07 Thread Philip Guenther
On Thu, Jan 7, 2016 at 1:53 PM, Roderich  wrote:
> I see, there is no set etc58.tgz, many of the files of the etc set are
> now in the base set, but I miss some files (login.conf, passwd, pwd.db,
> ssh/sshd_config, ...).
>
> Unpacking base58.tgz with "tar xvzpf" is not enough to serve a diskless
> machine, the missing files are necessary.
>
> What can I do?

You could USE THE INSTALLER, instead of creating problems for yourself
and wasting other people's time.

Really want to do it for yourself without involving others?  Then
*read* the installer and do the steps that it's doing!


Philip Guenther



Re: Missing files in etc

2016-01-07 Thread Philip Guenther
On Thu, Jan 7, 2016 at 3:59 PM, Ted Unangst  wrote:
> Philip Guenther wrote:
>> On Thu, Jan 7, 2016 at 1:53 PM, Roderich  wrote:
>> > I see, there is no set etc58.tgz, many of the files of the etc set are
>> > now in the base set, but I miss some files (login.conf, passwd, pwd.db,
>> > ssh/sshd_config, ...).
>> >
>> > Unpacking base58.tgz with "tar xvzpf" is not enough to serve a diskless
>> > machine, the missing files are necessary.
>> >
>> > What can I do?
>>
>> You could USE THE INSTALLER, instead of creating problems for yourself
>> and wasting other people's time.
>
> Unfortunately we don't have a diskless installer.

That's weird: I don't see "diskless installer" mentioned at all
previous to these replies to me.  Sorry, I guess I lose the game of
"guess the problem I'm trying to solve!"

I stand by my recommendation that if he wants to manually do the job
of the installer, he should read the source code to the existing one.


Philip Guenther



Re: Missing files in etc

2016-01-07 Thread Roderich

On Thu, 7 Jan 2016, Philip Guenther wrote:

> > Unpacking base58.tgz with "tar xvzpf" is not enough to serve a diskless
> > machine, the missing files are necessary.
> >
> > What can I do?
>
> You could USE THE INSTALLER, instead of creating problems for yourself
> and wasting other people's time.


I thank Ingo very much for his time writing one line. The diskless machine
is now running.

Please, Guenther, tell me how to use the installer to populate
a directory to serve a diskless machine. Please!

Perhaps you would help a lot of people who, like me, occasionally want to
set up a diskless machine quickly, only to make a test without risk
to a working machine. Or do you think one must read the installer
script to do that?

BTW, it seems /etc/fstab is now necessary.

And something like telnetd or sshd in the installer's shell
can be very helpful for making the kernel panic and saving
the result of trace and ps.

Regards
Rodrigo.



Re: PF: can't make queueing and priority work as expected

2016-01-07 Thread Stuart Henderson
On 2016-01-07, Marko Cupać  wrote:
> # QUEUES
> queue upload  on $if_ext bandwidth  860K
>    queue ack  parent upload   qlimit 50  bandwidth   10K
>    queue fast parent upload   qlimit 50  bandwidth   20K
>    queue bulk parent upload   qlimit 50  bandwidth  800K default
>    queue slow parent upload   qlimit 50  bandwidth   30K
> queue download on $if_int bandwidth 8800K
>    queue ack  parent download qlimit 50  bandwidth  100K
>    queue fast parent download qlimit 50  bandwidth  200K
>    queue bulk parent download qlimit 50  bandwidth 8000K default
>    queue slow parent download qlimit 50  bandwidth  500K

While the manual suggests it works like this, I've only got it working
close to how I expect when I set "max" on the queues. I don't know whether
that's a bug or simply lack of fully understanding it on my part, though.
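As an added example (not from Stuart's or Marko's posts), here is the quoted QUEUES block with a `max` upper limit set on each queue, which is what Stuart describes as getting closer to the intended behaviour; the cap values are assumptions, chosen so the root queues are capped at the link rate and each leaf may borrow up to its parent's rate when the link is otherwise idle:

```pf
# QUEUES (added example: "max" sets the HFSC upper-limit curve, see pf.conf(5);
# the chosen caps are assumptions, not values from the thread)
queue upload  on $if_ext bandwidth  860K max  860K
   queue ack  parent upload   qlimit 50  bandwidth   10K max  860K
   queue fast parent upload   qlimit 50  bandwidth   20K max  860K
   queue bulk parent upload   qlimit 50  bandwidth  800K max  860K default
   queue slow parent upload   qlimit 50  bandwidth   30K max  860K
queue download on $if_int bandwidth 8800K max 8800K
   queue ack  parent download qlimit 50  bandwidth  100K max 8800K
   queue fast parent download qlimit 50  bandwidth  200K max 8800K
   queue bulk parent download qlimit 50  bandwidth 8000K max 8800K default
   queue slow parent download qlimit 50  bandwidth  500K max 8800K
```

Lowering `max` on the `slow` queues alone would hard-limit p2p regardless of other traffic, which is a different policy from the borrowing Marko asked for; check the result with `systat queues` after `pfctl -f /etc/pf.conf`.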



Re: Missing files in etc

2016-01-07 Thread Ted Unangst
Philip Guenther wrote:
> On Thu, Jan 7, 2016 at 1:53 PM, Roderich  wrote:
> > I see, there is no set etc58.tgz, many of the files of the etc set are
> > now in the base set, but I miss some files (login.conf, passwd, pwd.db,
> > ssh/sshd_config, ...).
> >
> > Unpacking base58.tgz with "tar xvzpf" is not enough to serve a diskless
> > machine, the missing files are necessary.
> >
> > What can I do?
> 
> You could USE THE INSTALLER, instead of creating problems for yourself
> and wasting other people's time.

Unfortunately we don't have a diskless installer.



Re: Missing files in etc

2016-01-07 Thread Roderich

I wrote the following more or less nonsense:

> And something like telnetd or sshd in the installer's shell
> can be very helpful for making the kernel panic and saving
> the result of trace and ps.


It can be very helpful, but not for that. The kernel in that state
will not transmit to the machine that connected to it before the
panic. Painful that I had to do the test with the diskless machine
to recognize it. Tomorrow I'll grab a null modem cable and try, unless
I read a better idea here.

Rodrigo.



Re: Problems installing OpenBSD 5.8

2016-01-07 Thread Raf Czlonka
On Wed, Jan 06, 2016 at 11:15:39PM GMT, Roderich wrote:
> I thank again Raf and Peter, and now Kurt!
> 
> On Wed, 6 Jan 2016, Raf Czlonka wrote:
> 
> > That was Peter who mentioned it, not me - he's better at reading minds
> > than I am, so it seems ;^)
> >
> > BTW, this might be useful - https://marc.info/?t=14320053791
> 
> It seems it is worse than that.
> 
> I attached my old external drive to the just installed OpenBSD,
> and it got a panic. I got a "ddb{0}>" prompt. I should report
> the result of "trace" and "ps" given at that prompt, but I do
> not know how to save that with OpenBSD in that panic state,
> and I don't want to get a panic again. :)

If it's not simply faulty hardware, then it would be nice to get it
fixed. If you can't get the output on a serial console, then just take
some photos[0].

> > The installer expects SHA256.sig as it uses signify to verify the sets -
> > simply download it from your local mirror[0].
> 
> O.K. with the sets in install58.iso, the file
> /pub/OpenBSD/5.8/i386/SHA256.sig in the mirror
> and index.txt (obtained with "ls -nT > index.txt" in the directory)
> it worked.
> 
> It would have been nice to have SHA256.sig and index.txt from
> the beginning in install58.iso. Then downloading, doing vnconfig
> and mounting on htdocs would be enough.

index.txt is only needed if you're installing sets using HTTP from your
own server - there's no need for it to be on any of the disk images.
If you're doing that, then install??.iso isn't at all necessary - simply
download the required files from the mirror and put them on your server.

> > I'm still not following. *Which* files exactly do you have in mind?
> 
> Forget it. Perhaps unpacking with something like "tar xzpf" is enough.

Again, the installer does everything for you - no need to worry about file
permissions.

> In any case, it would be nice to have a guide for manual installation.
> When I have troubles with the installer (or an installer of any OS),
> then I have to begin from 0. I hate it. OpenBSD has a better installer,
> because one has fewer troubles, because it is not as fat as others,
> that is all.

If you really want it, each upgrade guide includes a manual process[1].

Regards,

Raf

[0] http://www.openbsd.org/ddb.html
[1] http://www.openbsd.org/faq/upgrade58.html#upgrade



Announce NAT pools via OSPF

2016-01-07 Thread BARDOU Pierre
Hello,

I would like to announce the NAT pools used by my firewalls to my backbone
using OSPF.

Let's say my real network is connected to vmx0. Its address is A/24 and is
NATed to N/24.
My backbone is reached through vmx1.

So I configured a route on the firewall, destination N/24, gateway
127.0.0.1.
Then I configured ospf to "redistribute static, area 0.0.0.0 { interface vmx1
}".
I can see N/24 with ospfctl sh fib, flagged valid.

But the route doesn't show up in the backbone when I use ospfctl sh rib.

I tried to add interface lo0 in the firewall's ospfd.conf; this adds
127.0.0.1/32 to the backbone RIB, but I still can't see N/24.

I also tried to configure a lo1 with the address N/24 and to put it in
ospfd.conf; only N/32 shows up on the backbone.

Finally I configured a vether0 with the address N/24 and put it in ospfd.conf,
and that did the trick.

Is that a good way to do what I want, or does someone have a better solution to
advise me?
Thank you

--
Best regards,


Pierre Bardou
Network engineer
Tel. 05.34.61.71.84
bardo...@mipih.fr

12, rue Michel Labrousse
CS 93668- 31036 Toulouse cedex 1


Before printing this e-mail, think of the environment



Re: mbuf leak in carp with ipv6

2016-01-07 Thread Håkon Lerring
> On 05 Jan 2016, at 13:06, Stefan Sperling  wrote:
>
> On Tue, Jan 05, 2016 at 12:29:43PM +0100, Håkon Lerring wrote:
>> Hello misc.
>>
>> I was investigating a problem with a firewall that goes AWOL every week.
>> It happens only if I activate an ipv6 address on a carp interface. The
>> carp log has this message:
>>
>> Jan  5 12:10:06  /bsd: carp: packet size 48 too small
>>
>> I think I have narrowed down the leak to the handling of too small
>> ipv6-packets:
>>
>> --- ip_carp.c.orig   2016-01-05 12:18:03.0 +0100
>> +++ ip_carp.c2016-01-05 12:18:30.0 +0100
>> @@ -562,6 +562,7 @@
>>  if ((m = m_pullup(m, *offp + sizeof(*ch))) == NULL) {
>>  carpstats.carps_badlen++;
>>  CARP_LOG(LOG_INFO, sc, ("packet size %u too small", len));
>> +m_freem(m);
>>  return (IPPROTO_DONE);
>>  }
>>  ch = (struct carp_header *)(mtod(m, caddr_t) + *offp);
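Review bot: the added `m_freem(m);` is dead code, because it sits in the branch taken only when `m_pullup()` returned NULL and that NULL was assigned to `m`, so it is `m_freem(NULL)`; as the reply below notes, `m_pullup()` already frees the chain on failure, so this hunk changes nothing and the leak, if there is one, is elsewhere. Drop the line rather than ship it untested on the production box.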
>>
>>
>> I have not yet tested this patch since this is a production system. Why
>> the other machine is sending incomplete packets is another question I'm
>> currently investigating.
>
> Your patch effectively just calls m_freem(NULL);
> And m_pullup already frees the mbuf on failure.
>
> Can you describe the actual problem you're seeing with more words than
> "AWOL"?

Sorry for my hasty conclusion about my problem (I see that I might be wrong
about the cause); I will explain it in more detail.

I have 2 firewalls/routers with multiple carp interfaces (11): 1 on the uplink
(carp2) and the rest for different internal networks. All the carp interfaces
are set up as a preemptive failover in case the master goes down. The problem
has two symptoms, but I believe they might have the same cause (as they occur
at the same time).

The first symptom is that at what seem to be random times the carp2 interface
(see ifconfig output below) on the backup machine starts flapping between
backup and master (the designated master does not do the same) and complains
about too small packets:

Jan  7 09:00:11 hostname /bsd: carp2: state transition: BACKUP -> MASTER
Jan  7 09:00:12 hostname /bsd: carp2: state transition: MASTER -> BACKUP
Jan  7 09:00:12 hostname /bsd: carp: packet size 48 too small
Jan  7 09:00:18 hostname last message repeated 6 times
Jan  7 09:00:19 hostname /bsd: carp2: state transition: BACKUP -> MASTER
Jan  7 09:00:19 hostname /bsd: carp2: state transition: MASTER -> BACKUP
Jan  7 09:00:19 hostname /bsd: carp: packet size 48 too small
Jan  7 09:00:25 hostname last message repeated 6 times
Jan  7 09:00:26 hostname /bsd: carp2: state transition: BACKUP -> MASTER
Jan  7 09:00:26 hostname /bsd: carp2: state transition: MASTER -> BACKUP

etc..

The designated master does also log that "packet size 48 too small"

MASTER carp2:
carp2: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:02
description: uplink
priority: 15
carp: MASTER carpdev bnx0 vhid 2 advbase 1 advskew 0
groups: carp
status: master
inet  netmask 0xfff8 broadcast 
inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x16
inet6  prefixlen 64

BACKUP carp2:
carp2: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:02
description: uplink
priority: 15
carp: BACKUP carpdev bnx0 vhid 2 advbase 2 advskew 128
groups: carp
status: backup
inet  netmask 0xfff8 broadcast 
inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x16
inet6  prefixlen 64

The other carp interfaces on the same machine do not have this problem. The
only things different about carp2 from the other interfaces are that carp2 has
an IPv6 address and is backed by a bnx interface instead of an em interface
(though this does not seem to be of significance, as I have tried it with an em
interface with the same result).

The other symptom (which causes most of the problems) is that at the same time
the number of mbuf clusters starts to increase. I set kern.maxclusters=12288 to
stop it from running out too quickly, but I don't think it will ever be
satisfied if I continue to increase the limit. When it runs out of mbuf
clusters it just stops forwarding packets and SSH drops any connection
attempts. Here is a munin graph from this morning:
https://www.dropbox.com/s/j4353z4nl9e22jg/netmem_clusters.png?dl=0
(sorry archive users for linking on a mailing list)

The symptoms sometimes disappear after reboot but occur again after a while.

Environment:
System  : OpenBSD 5.8
Details : OpenBSD 5.8 (GENERIC.MP) #1236: Sun Aug 16 02:31:04 MDT 2015
          dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Architecture: OpenBSD.amd64
Machine : amd64

dmesg:
OpenBSD 5.8 (GENERIC.MP) #1236: Sun Aug 16 02:31:04 MDT 2015

Re: sudo and globbing

2016-01-07 Thread Jiri B
On Thu, Jan 07, 2016 at 11:43:14AM -0500, Jiri B wrote:
> I discovered an article about sudo and globbing[1] and
> there's a difference in how it works on Linux and OpenBSD.

I forgot to put the url

http://zurlinux.com/?p=2244

> - openbsd
> 
> # su -s /usr/local/bin/bash - nobody
> No home directory /nonexistent!
> Logging in with home = "/".
> -bash-4.3$ sudo bash -c "ls -l /var/tor/cache*"
> -rw---  1 _tor  _tor20442 Dec 10 11:32 /var/tor/cached-certs
> -rw---  1 _tor  _tor  1409287 Jan  7 15:56 
> /var/tor/cached-microdesc-consensus
> -rw---  1 _tor  _tor  5107307 Jan  7 17:23 /var/tor/cached-microdescs
> -rw---  1 _tor  _tor0 Jan  7 17:23 /var/tor/cached-microdescs.new
> -bash-4.3$ sudo -s bash -c "ls -l /var/tor/cache*"
> .cshrc   .profile altroot  bin  bsd  bsd.rd   bsd.sp   dev  etc   
>home mnt  root sbin sys  tftpboot tmp  usr  var
> 
> - linux
> 
> [root@slot-1 ~]# su -s /bin/bash nobody
> bash-4.2$ exit
> [root@slot-1 ~]# visudo
> [root@slot-1 ~]# su -s /bin/bash nobody
> bash-4.2$ sudo bash -c "ls -l /var/cache/ldconfig/aux*"
> -rw---. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache
> bash-4.2$ sudo -s bash -c "ls -l /var/cache/ldconfig/aux*"
> -rw---. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache



Re: Add Bay Trail EHCI controller to pcidevs

2016-01-07 Thread Dan Jones
> On Jan 7, 2016, at 4:08 AM, open...@tuta.io wrote:
>
> Hi Mark,
> Thanks for having a look at this.
> The 6th of January install59.fs should have v 1.298 of acpi.c
> But I still get the same 'can't map interrupt' on both EHCI and XHCI.
> Let me know if there's a way to collect more support data to help
> investigating this.
> Thanks.
> Regards,
>

Thank you also for continuing to look at this. On Lenovo Ideapad 100S-11
(Intel Atom Z3735F) using the January 6 amd64 snapshot it no longer reports
the interrupt error but the system will not complete the boot due to a memory
conflict.  Sections of the dmesg are below.

[skipping initial boot message thru bios0]

acpi0 at bios0: rev 2
acpi0: tables DSDT FACP UEFI TCPA MSDM UEFI OEM0 DBG2 HPET LPIT APIC MCFG SLIC
SSDT SSDT SSDT SSDT SSDT TPM2 SSDT SSDT SSDT FPDT WDAT CSRT BGRT
acpimadt0 at acpi0 add 0xfee0: PC-AT compat

[skipping cpu0]

ioapic0 at mainbus0: amid 2 ps 0xfed0, version 20, 87 pins
ioapic0: misconfigured as apic 1, remapped at apid 2
acpiprt0 at acpi0: bus 0 (PC10)
pci0 at mainbus0 bus 0
0:2:0: mem address conflict 0x9000/0x40
0:2:0: mem address conflict 0x8000/0x1000

Regards,

Dan



Re: PF: can't make queueing and priority work as expected

2016-01-07 Thread sven falempin
On Thu, Jan 7, 2016 at 1:28 PM, Marko Cupać  wrote:

> Hi,
>
> I am setting up a gateway for a small network which has two main types of
> traffic: p2p and http(s). The idea is to give p2p traffic all the
> available bandwidth until there is http(s) traffic, in which case p2p
> should be throttled down and http(s) should be given all the available
> bandwidth.
>
> The problem is that p2p does not get throttled down when http(s) is on
> wire. I spent days re-reading QUEUEING section of pf.conf and
> chapter #7 of 3rd edition of "Book of PF" but I still couldn't make it
> work. From 'systat queues' I can conclude that traffic seems to be
> assigned to appropriate queues, but queue bandwidth does not seem to be
> respected. What am I doing wrong?
>
> Snapshot of 'systat queues' and active pf.conf below:
>
> QUEUE BW SCH P  PKTS BYTES DROP_P DROP_B QLEN P/S  B/S
> upload on pppoe 860K   0 0  0  00   00
>  ack 10K228K   12M  0  00 364  20K
>  fast20K  60  5397  0  00   00
>  bulk   800K 263  110K  0  00 0.6  417
>  slow30K   34234   35M  0  00  59  67K
> download on re2   8M   0 0  0  00   00
>  ack100K   18314 1205K  0  00  34 2388
>  fast   200K  51 15491  0  00   00
>  bulk 8M   29014   41M  0  00  57  85K
>  slow   500K317K  457M  0  00 523 771K
>
>
> # INTERFACE MACROS
> if_int  = "re2"
> if_ext  = "pppoe0"
>
> # HOST MACROS
> efreet= "{ 192.168.33.20 }"
> rpi   = "{ 192.168.33.22 }"
>
> # PORT MACROS
> p2p = "{ 1:65535 }"
> prpi= "{ 4:40100 }"
> ipsec   = "{ 500 4500 }"
> web = "{ 80 443 }"
> mail= "{ 25 110 143 587 993 995 }"
> xmpp= "{ 5222 }"
>
> # TABLES
> tablepersist
>
> # RUNTIME OPTIONS
> set ruleset-optimization none
> set loginterface $if_ext
>
> # QUEUES
> queue upload  on $if_ext bandwidth  860K
>    queue ack  parent upload   qlimit 50  bandwidth   10K
>    queue fast parent upload   qlimit 50  bandwidth   20K
>    queue bulk parent upload   qlimit 50  bandwidth  800K default
>    queue slow parent upload   qlimit 50  bandwidth   30K
> queue download on $if_int bandwidth 8800K
>    queue ack  parent download qlimit 50  bandwidth  100K
>    queue fast parent download qlimit 50  bandwidth  200K
>    queue bulk parent download qlimit 50  bandwidth 8000K default
>    queue slow parent download qlimit 50  bandwidth  500K
>
> # QUICKS AND BLOCKS
> block log quick inet6
> block log quick from 
> antispoof for $if_int
> antispoof for $if_ext
>
> # SCRUB & NAT
> match in all scrub ( no-df random-id max-mss 1440 )
> match out on egress inet from $if_int:network to any nat-to ($if_ext:0)
>
> # SHAPING
> match proto icmp   set ( queue   fast   prio   4 )
> match proto tcp  to port 22set ( queue ( fast ack ) prio ( 4 5 ) )
> match proto tcp  to port 53set ( queue ( fast ack ) prio ( 4 5 ) )
> match proto udp  to port 53set ( queue   fast   prio   4 )
> match proto tcp  to port $web  set ( queue ( bulk ack ) prio ( 3 5 ) )
> match proto tcp  to port $mail set ( queue ( bulk ack ) prio ( 3 5 ) )
> match proto tcp  to port $xmpp set ( queue ( bulk ack ) prio ( 3 5 ) )
> match proto tcp  to port $p2p  set ( queue ( slow ack ) prio ( 0 5 ) )
> match proto udp  to port $p2p  set ( queue   slow   prio   0 )
>
> # RULES
> block log all
>
> pass in  on $if_int inet proto icmp from $if_int:network to any
> pass in  on $if_int inet proto tcp  from $if_int:network to any \
>  port 22
> pass in  on $if_int inet proto tcp  from $if_int:network to any \
>  port 53
> pass in  on $if_int inet proto udp  from $if_int:network to any \
>  port 53
> pass in  on $if_int inet proto tcp  from $if_int:network to any \
>  port $web
> pass in  on $if_int inet proto tcp  from $if_int:network to any \
>  port $mail
> pass in  on $if_int inet proto tcp  from $if_int:network to any \
>  port $xmpp
> pass in  on $if_int inet proto tcp  from $if_int:network to any \
>  port $p2p
> pass in  on $if_int inet proto udp  from $if_int:network to any \
>  port $p2p
>
> pass out on $if_ext inet proto icmp from ($if_ext:0) to any
> pass out on $if_ext inet proto tcp  from ($if_ext:0) to any \
>  port 22
> pass out on $if_ext inet proto tcp  from ($if_ext:0) to any \
>  port 53
> pass out on $if_ext inet proto udp  from ($if_ext:0) to any \
>  port 53
> pass out on $if_ext inet proto tcp  from ($if_ext:0) to any \
>  port $web
> pass out on $if_ext inet proto tcp  from ($if_ext:0) to any \
>  port $mail
> pass out on $if_ext inet proto tcp  from ($if_ext:0) to any \
>  port $xmpp
> pass out on 

Missing files in etc

2016-01-07 Thread Roderich

Dear Sirs!

I see, there is no set etc58.tgz, many of the files of the etc set are
now in the base set, but I miss some files (login.conf, passwd, pwd.db,
ssh/sshd_config, ...).

Unpacking base58.tgz with "tar xvzpf" is not enough to serve a diskless
machine, the missing files are necessary.

What can I do?

Thanks
Rodrigo.



Re: Missing files in etc

2016-01-07 Thread Ingo Schwarze
Hi Roderich,

Roderich wrote on Thu, Jan 07, 2016 at 09:53:16PM +:

> What can I do?

Look in /var/sysmerge/.
  Ingo