Booting bsd.rd via PXE on uefi system

2016-07-21 Thread Telnet Userid
Greetings OpenBSD users and developers!

I am experimenting with PXE booting on a uefi based virtual machine (qemu
with ovmf uefi firmware). Currently, I am having difficulty booting the
OpenBSD bsd.rd installer via PXE with uefi firmware.

Supplying pxeboot as the uefi pxe boot file would lead to an unsupported
format error. Supplying BOOTX64.EFI as the pxe boot file doesn't bring up
the nice OpenBSD boot prompt. Instead, BOOTX64.EFI will only get stuck at
probing device.

Is there a way to boot OpenBSD ramdisk on uefi system via PXE?

Thanks.



Re: Driving 4k Display for OpenBSD Workstation

2016-07-21 Thread Bryan Vyhmeister
On Fri, Jul 22, 2016 at 02:05:07PM +1000, Jonathan Gray wrote:
> There is no kernel support for skylake and it will require firmware.
> https://01.org/linuxgraphics/intel-linux-graphics-firmwares
> 
> The intel code in Mesa does not use gallium or LLVM.
> 
> Using efifb with a 4k display would likely be horribly slow due to the
> high number of pixels to push.

I guess I will find out just how slow. I have two 4k monitors on the
way (the Dell P4317W and also an HP Z27s). Perhaps I will pick up some
more 30-inch 2560x1600 monitors for now. Thanks for all the info.

Bryan



Re: Driving 4k Display for OpenBSD Workstation

2016-07-21 Thread Jonathan Gray
On Thu, Jul 21, 2016 at 08:41:04PM -0700, Bryan Vyhmeister wrote:
> On Fri, Jul 22, 2016 at 01:25:58PM +1000, Jonathan Gray wrote:
> > There is kernel support for TAHITI/PITCAIRN/CAPE VERDE southern
> > islands but no userland acceleration as both 2d and 3d acceleration
> > require LLVM.
> > 
> > The marketing names are a mess, see
> > https://www.x.org/wiki/RadeonFeature/
> > to decode them.
> 
> Thanks for the clarification. That makes sense. Sounds like the better
> option is to wait for Skylake inteldrm(4) and use efifb(4) and wsfb(4)
> for now. Does Skylake inteldrm(4) require LLVM or anything like that?

There is no kernel support for skylake and it will require firmware.
https://01.org/linuxgraphics/intel-linux-graphics-firmwares

The intel code in Mesa does not use gallium or LLVM.

Using efifb with a 4k display would likely be horribly slow due to the
high number of pixels to push.



Re: Driving 4k Display for OpenBSD Workstation

2016-07-21 Thread Bryan Vyhmeister
On Fri, Jul 22, 2016 at 01:25:58PM +1000, Jonathan Gray wrote:
> There is kernel support for TAHITI/PITCAIRN/CAPE VERDE southern
> islands but no userland acceleration as both 2d and 3d acceleration
> require LLVM.
> 
> The marketing names are a mess, see
> https://www.x.org/wiki/RadeonFeature/
> to decode them.

Thanks for the clarification. That makes sense. Sounds like the better
option is to wait for Skylake inteldrm(4) and use efifb(4) and wsfb(4)
for now. Does Skylake inteldrm(4) require LLVM or anything like that?

Bryan



Re: Driving 4k Display for OpenBSD Workstation

2016-07-21 Thread Jonathan Gray
On Thu, Jul 21, 2016 at 07:44:47PM -0700, Bryan Vyhmeister wrote:
> On Thu, Jul 21, 2016 at 10:27:18PM +0300, li...@wrant.com wrote:
> > Thu, 21 Jul 2016 11:45:01 -0700 Bryan Vyhmeister 
> > > My goal for this project is to have an OpenBSD workstation (I run
> > > -current) built around 4k displays.
> > 
> > Short answer from user level: I'd personally get more 2560x1440 27" IPS
> > monitors for now, and use the excess budget for another set of the same.
> > You'd probably have to get a slightly older & cheaper video card (6450).
> > I know of no justification for a 5K monitor yet, though I want one too..
> 
> I am not interested in a 5k monitor, only 4k monitors. I recognize the
> Radeon HD 6450 cards work well. I have one now. I also have a 30-inch
> 2560x1600 and 34-inch 3440x1440 monitor which all work well. I would
> just like more screen real estate which is why 4k monitors are
> interesting, particularly the 43-inch Dell P4317W. I would like some
> feedback if the Radeon HD 7750 cards work decently with radeondrm(4). I

There is kernel support for TAHITI/PITCAIRN/CAPE VERDE southern islands
but no userland acceleration as both 2d and 3d acceleration require LLVM.

The marketing names are a mess, see
https://www.x.org/wiki/RadeonFeature/
to decode them.



Re: Driving 4k Display for OpenBSD Workstation

2016-07-21 Thread Bryan Vyhmeister
On Thu, Jul 21, 2016 at 10:27:18PM +0300, li...@wrant.com wrote:
> Thu, 21 Jul 2016 11:45:01 -0700 Bryan Vyhmeister 
> > My goal for this project is to have an OpenBSD workstation (I run
> > -current) built around 4k displays.
> 
> Short answer from user level: I'd personally get more 2560x1440 27" IPS
> monitors for now, and use the excess budget for another set of the same.
> You'd probably have to get a slightly older & cheaper video card (6450).
> I know of no justification for a 5K monitor yet, though I want one too..

I am not interested in a 5k monitor, only 4k monitors. I recognize the
Radeon HD 6450 cards work well. I have one now. I also have a 30-inch
2560x1600 and 34-inch 3440x1440 monitor which all work well. I would
just like more screen real estate which is why 4k monitors are
interesting, particularly the 43-inch Dell P4317W. I would like some
feedback if the Radeon HD 7750 cards work decently with radeondrm(4). I
also know Skylake inteldrm(4) is in the works but is not here yet.

Bryan



Re: Question on Theo's dotSecurity paper

2016-07-21 Thread Ted Unangst
patrick keshishian wrote:
> Hi,
> 
> Quick question about Theo de Raadt's "Presentations: dotSecurity
> 2016"[1]. Slide 11 says "Most violations result in process being killed",
> not all violations?
> 
> Just wanted clarification here.

If you look at kern_pledge.c, you'll see a couple instances where EPERM is
returned instead of killing the process.



Re: httpd/slowcgi - httpoxy vulnerability

2016-07-21 Thread Pedro Tender
Good.
Now take the steps to fix the problem you've created.
Further reading at https://httpoxy.org

On Jul 21, 2016 21:54, "Jiri B"  wrote:

Hi,

Red Hat found a vulnerability in various web servers and frameworks
related to env variable passed to cgi scripts, see below:

  HTTPoxy - CGI "HTTP_PROXY" variable name clash
  https://access.redhat.com/security/vulnerabilities/httpoxy

I was able to reproduce on OpenBSD httpd/slowcgi (6.0-beta from Jul 1).

j.

~~~
# slowcgi -d
slowcgi: socket: /var/www/run/slowcgi.sock
slowcgi: slowcgi_user: www
slowcgi: chroot: /var/www
slowcgi: inflight incremented, now 1
slowcgi: version: 1
slowcgi: type:1
slowcgi: requestId:   1
slowcgi: contentLength:   8
slowcgi: paddingLength:   0
slowcgi: reserved:0
slowcgi: role 1
slowcgi: flags0
slowcgi: version: 1
slowcgi: type:4
slowcgi: requestId:   1
slowcgi: contentLength:   448
slowcgi: paddingLength:   0
slowcgi: reserved:0
slowcgi: env[0], PATH_INFO=
slowcgi: env[1], SCRIPT_NAME=/cgi-bin/testovic
slowcgi: env[2], SCRIPT_FILENAME=//cgi-bin/testovic
slowcgi: env[3], QUERY_STRING=
slowcgi: env[4], DOCUMENT_ROOT=/
slowcgi: env[5], DOCUMENT_URI=/cgi-bin/testovic
slowcgi: env[6], GATEWAY_INTERFACE=CGI/1.1
slowcgi: env[7], HTTP_ACCEPT=*/*
slowcgi: env[8], HTTP_HOST=localhost
slowcgi: env[9], HTTP_PROXY=AFFECTED
slowcgi: env[10], HTTP_USER_AGENT=curl/7.49.0
slowcgi: env[11], REMOTE_ADDR=127.0.0.1
slowcgi: env[12], REMOTE_PORT=30357
slowcgi: env[13], REQUEST_METHOD=GET
slowcgi: env[14], REQUEST_URI=/cgi-bin/testovic
slowcgi: env[15], SERVER_ADDR=127.0.0.1
slowcgi: env[16], SERVER_PORT=80
slowcgi: env[17], SERVER_NAME=default
slowcgi: env[18], SERVER_PROTOCOL=HTTP/1.1
slowcgi: env[19], SERVER_SOFTWARE=OpenBSD httpd
slowcgi: version: 1
slowcgi: type:4
slowcgi: requestId:   1
slowcgi: contentLength:   0
slowcgi: paddingLength:   0
slowcgi: reserved:0
slowcgi: fork: //cgi-bin/testovic
slowcgi: version: 1
slowcgi: type:5
slowcgi: requestId:   1
slowcgi: contentLength:   0
slowcgi: paddingLength:   0
slowcgi: reserved:0
slowcgi: resp version: 1
slowcgi: resp type:6
slowcgi: resp requestId:   1
slowcgi: resp contentLength:   47
slowcgi: resp paddingLength:   0
slowcgi: resp reserved:0
slowcgi: resp version: 1
slowcgi: resp type:6
slowcgi: resp requestId:   1
slowcgi: resp contentLength:   0
slowcgi: resp paddingLength:   0
slowcgi: resp reserved:0
slowcgi: resp version: 1
slowcgi: resp type:7
slowcgi: resp requestId:   1
slowcgi: resp contentLength:   0
slowcgi: resp paddingLength:   0
slowcgi: resp reserved:0
slowcgi: wait: //cgi-bin/testovic
slowcgi: resp version: 1
slowcgi: resp type:3
slowcgi: resp requestId:   1
slowcgi: resp contentLength:   8
slowcgi: resp paddingLength:   0
slowcgi: resp reserved:0
slowcgi: resp appStatus:   0
slowcgi: resp protocolStatus:  0

$ curl -H 'Proxy: AFFECTED' http://localhost/cgi-bin/testovic
HTTP_PROXY='AFFECTED'

$ cat /var/www/cgi-bin/testovic
#!/bin/sh
echo "Content-Type:text/plain\n"
echo "HTTP_PROXY='$HTTP_PROXY'"
~~~



Re: how would you troubleshoot your wifi?

2016-07-21 Thread Miles Keaton
Worked! Thanks Stefan!

On Thu, Jul 21, 2016 at 8:34 PM, Stefan Sperling  wrote:

>
> On Thu, Jul 14, 2016 at 01:13:21PM +0800, Miles Keaton wrote:
> > iwm0: hw rev 0x140, fw ver 25.228 (API ver 9), address 5b:51:4f:a1:16:d9
> > iwm0: fatal firmware error
>
> You got some answers already but they were all misleading.
> I believe I've already fixed this bug. Please verify my assumption by
> upgrading to -current now and letting me know if the problem persists.
> (Run fw_update iwm before upgrading or iwm won't work during the upgrade!)



httpd/slowcgi - httpoxy vulnerability

2016-07-21 Thread Jiri B
Hi,

Red Hat found a vulnerability in various web servers and frameworks
related to env variable passed to cgi scripts, see below:

  HTTPoxy - CGI "HTTP_PROXY" variable name clash 
  https://access.redhat.com/security/vulnerabilities/httpoxy

I was able to reproduce on OpenBSD httpd/slowcgi (6.0-beta from Jul 1).

j.

~~~
# slowcgi -d
slowcgi: socket: /var/www/run/slowcgi.sock
slowcgi: slowcgi_user: www
slowcgi: chroot: /var/www
slowcgi: inflight incremented, now 1
slowcgi: version: 1
slowcgi: type:1
slowcgi: requestId:   1
slowcgi: contentLength:   8
slowcgi: paddingLength:   0
slowcgi: reserved:0
slowcgi: role 1
slowcgi: flags0
slowcgi: version: 1
slowcgi: type:4
slowcgi: requestId:   1
slowcgi: contentLength:   448
slowcgi: paddingLength:   0
slowcgi: reserved:0
slowcgi: env[0], PATH_INFO=
slowcgi: env[1], SCRIPT_NAME=/cgi-bin/testovic
slowcgi: env[2], SCRIPT_FILENAME=//cgi-bin/testovic
slowcgi: env[3], QUERY_STRING=
slowcgi: env[4], DOCUMENT_ROOT=/
slowcgi: env[5], DOCUMENT_URI=/cgi-bin/testovic
slowcgi: env[6], GATEWAY_INTERFACE=CGI/1.1
slowcgi: env[7], HTTP_ACCEPT=*/*
slowcgi: env[8], HTTP_HOST=localhost
slowcgi: env[9], HTTP_PROXY=AFFECTED
slowcgi: env[10], HTTP_USER_AGENT=curl/7.49.0
slowcgi: env[11], REMOTE_ADDR=127.0.0.1
slowcgi: env[12], REMOTE_PORT=30357
slowcgi: env[13], REQUEST_METHOD=GET
slowcgi: env[14], REQUEST_URI=/cgi-bin/testovic
slowcgi: env[15], SERVER_ADDR=127.0.0.1
slowcgi: env[16], SERVER_PORT=80
slowcgi: env[17], SERVER_NAME=default
slowcgi: env[18], SERVER_PROTOCOL=HTTP/1.1
slowcgi: env[19], SERVER_SOFTWARE=OpenBSD httpd
slowcgi: version: 1
slowcgi: type:4
slowcgi: requestId:   1
slowcgi: contentLength:   0
slowcgi: paddingLength:   0
slowcgi: reserved:0
slowcgi: fork: //cgi-bin/testovic
slowcgi: version: 1
slowcgi: type:5
slowcgi: requestId:   1
slowcgi: contentLength:   0
slowcgi: paddingLength:   0
slowcgi: reserved:0
slowcgi: resp version: 1
slowcgi: resp type:6
slowcgi: resp requestId:   1
slowcgi: resp contentLength:   47
slowcgi: resp paddingLength:   0
slowcgi: resp reserved:0
slowcgi: resp version: 1
slowcgi: resp type:6
slowcgi: resp requestId:   1
slowcgi: resp contentLength:   0
slowcgi: resp paddingLength:   0
slowcgi: resp reserved:0
slowcgi: resp version: 1
slowcgi: resp type:7
slowcgi: resp requestId:   1
slowcgi: resp contentLength:   0
slowcgi: resp paddingLength:   0
slowcgi: resp reserved:0
slowcgi: wait: //cgi-bin/testovic
slowcgi: resp version: 1
slowcgi: resp type:3
slowcgi: resp requestId:   1
slowcgi: resp contentLength:   8
slowcgi: resp paddingLength:   0
slowcgi: resp reserved:0
slowcgi: resp appStatus:   0
slowcgi: resp protocolStatus:  0

$ curl -H 'Proxy: AFFECTED' http://localhost/cgi-bin/testovic
HTTP_PROXY='AFFECTED'

$ cat /var/www/cgi-bin/testovic
#!/bin/sh
echo "Content-Type:text/plain\n"
echo "HTTP_PROXY='$HTTP_PROXY'"
~~~
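
The header-to-variable mapping behind the reproduction above, as an added example that is not part of the original post and is not OpenBSD's httpd or slowcgi code. It shows the naive RFC 3875 mapping beside a hardened one, plus a scan of `slowcgi -d` output for the symptom; the function names, the sample headers, the log excerpt and the `proxy.example` value are constructed for illustration.

```python
import re

# Constructed request headers, modelled on the curl call in the post.
SAMPLE_HEADERS = [
    ("Host", "localhost"),
    ("User-Agent", "curl/7.49.0"),
    ("Accept", "*/*"),
    ("Proxy", "AFFECTED"),
]

# Constructed excerpt in the format of the `slowcgi -d` output in the post.
SAMPLE_DEBUG_LOG = """\
slowcgi: env[8], HTTP_HOST=localhost
slowcgi: env[9], HTTP_PROXY=AFFECTED
slowcgi: env[10], HTTP_USER_AGENT=curl/7.49.0
slowcgi: fork: //cgi-bin/testovic
"""

# Meta-variables a request header must never be allowed to create.
BLOCKED_META_VARIABLES = {"HTTP_PROXY"}

ENV_LINE = re.compile(r"^slowcgi: env\[(\d+)\], ([^=]+)=(.*)$")


def cgi_name(header_name):
    """RFC 3875 section 4.1.18: upper-case, '-' becomes '_', prefix HTTP_."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_env_naive(headers, server_env=None):
    """Copy every request header into the CGI environment (the name clash)."""
    env = dict(server_env or {})
    for name, value in headers:
        env[cgi_name(name)] = value  # "Proxy" lands on HTTP_PROXY
    return env


def build_env_hardened(headers, server_env=None):
    """Same mapping, but client headers cannot set blocked variables."""
    env = dict(server_env or {})
    for name, value in headers:
        key = cgi_name(name)
        if key in BLOCKED_META_VARIABLES:
            continue  # dropped; an operator-set value in server_env survives
        env[key] = value
    return env


def find_proxy_in_debug_log(text):
    """Return (env index, value) for each HTTP_PROXY entry in slowcgi -d output."""
    hits = []
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m and m.group(2).upper() == "HTTP_PROXY":
            hits.append((int(m.group(1)), m.group(3)))
    return hits


if __name__ == "__main__":
    operator_env = {"HTTP_PROXY": "http://proxy.example:3128"}  # constructed
    print(build_env_naive(SAMPLE_HEADERS, operator_env)["HTTP_PROXY"])
    print(build_env_hardened(SAMPLE_HEADERS, operator_env)["HTTP_PROXY"])
    print(find_proxy_in_debug_log(SAMPLE_DEBUG_LOG))
```
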



Re: choosing OpenBSD for fileserver instead of FreeBSD + ZFS

2016-07-21 Thread Liviu Daia
On 20 July 2016, Miles Keaton  wrote:
> Got a fileserver with a few terabytes of important personal media,
> like all old home movies, baby photos, etc.  Files that I want my
> family to have access to when I die.
>
> Really it's more of a file archive.  A backup.  Just rsync + ssh.
> Serving it isn't the point.  Just preserving it forever.
[...]

Don't rely on your machines alone.  As other people have pointed
out, a fire can ruin your backup in a few minutes.  There are online
storage services, make copies of your backups to two or more separate
systems like this, and make sure your family know about them, and know
how to restore your files from them.  Only when you have that sorted out
spend time optimizing your local backup system.

Regards,

Liviu Daia



spreed server

2016-07-21 Thread Stephen Graf
Has anyone tried to build the spreed server?
https://github.com/strukturag/spreed-webrtc

I tried, but the configure would not run with openbsd automake, autoconf and
m4 packages.
When I loaded the GNU equivalents, the configure ran but the makefile
produced did not work,
probably because the openbsd packages were not used.



Re: Driving 4k Display for OpenBSD Workstation

2016-07-21 Thread lists
Thu, 21 Jul 2016 11:45:01 -0700 Bryan Vyhmeister 
> My goal for this project is to have an OpenBSD workstation (I run
> -current) built around 4k displays.
[...]
> Any recommendations? Thank you.

Short answer from user level: I'd personally get more 2560x1440 27" IPS
monitors for now, and use the excess budget for another set of the same.
You'd probably have to get a slightly older & cheaper video card (6450).
I know of no justification for a 5K monitor yet, though I want one too..



Re: Bare-metal PM953 / 850/950 PRO/EVO IO benchmark anyone? Re: Disk I/O performance of OpenBSD 5.9 on Xen

2016-07-21 Thread Peter N. M. Hansteen
On 07/20/16 04:20, Tinker wrote:
> It would be more interesting to get an idea of how a quality SSD such as
> how the Samsung PM953 / 850/950 PRO/EVO performs on various hardware
> with OpenBSD running bare-metal.

TL;DR no bonnie, but direct comparison of rotating rust vs ssd, on a
recent snapshot.

Slightly longer version - this list and tech@ have seen numerous posts
involving the Clevo laptop I bought roughly two years ago. Nice machine
really, the first dmesg relevant to this post is up at
https://home.nuug.no/~peter/dmesg.hd.txt - the machine came with both SSD

sd1 at scsibus1 targ 1 lun 0:  SCSI3
0/direct fixed naa.500a07510c250249
sd1: 228936MB, 512 bytes/sector, 468862128 sectors, thin

and a somewhat larger hard disk

sd0 at scsibus1 targ 0 lun 0:  SCSI3
0/direct fixed naa.50014ee659ea420c
sd0: 953869MB, 512 bytes/sector, 1953525168 sectors

I of course went with the SSD as the system disk (there was no way to
convince the firmware to make the SSD appear as sd0, so whenever I
upgrade I need to remember that root is on sd1, but I digress), and the
sold-as-terabyte hard drive for my /home partition. I kind of liked
having that space, and well, it's quite a nice machine. The only problem
really is that whenever there's significant disk IO, there is more noise
than the lady of the house appreciates having within a meter or two of
her ears.

So this week, not really for performance reasons but rather hoping that
solid state storage would produce less noise than rotating rust
platters, I decided that I would replace the hard drive with an SSD of
equal size. After *several minutes* of browsing, I decided a Samsung 850
PRO SSD 1TB - MZ-7KE1T0BW was what I wanted.

The package arrived yesterday but for various practical reasons I only
got around to doing the switch this morning. The last thing I did before
shutting down to switch the storage units was this:

[Mon Jul 18 18:12:27] peter@elke:~$ time dd if=/dev/random of=foo.out
bs=1k count=1k
1024+0 records in
1024+0 records out
1048576 bytes transferred in 0.023 secs (45375222 bytes/sec)

real    0m0.426s
user    0m0.000s
sys     0m0.020s
[Thu Jul 21 10:41:25] peter@elke:~$ time dd if=/dev/random of=foo.out
bs=1k count=1m
1048576+0 records in
1048576+0 records out
1073741824 bytes transferred in 14.856 secs (72274766 bytes/sec)

real    0m16.745s
user    0m0.070s
sys     0m5.870s

[Thu Jul 21 10:55:38] peter@elke:~$ time du -hs .
355G    .

real    13m56.428s
user    0m0.930s
sys     0m12.530s

Not really a benchmark, but data points.

The system with the SSD for the /home drive looks like this:
https://home.nuug.no/~peter/dmesg.ssd.txt

For the impatient,

[Thu Jul 21 20:26:57] peter@elke:~/20160721_ssd_before-after$ diff
dmesg.hd.txt dmesg.ssd.txt
18c18
< cpu0: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz, 2793.92 MHz
---
> cpu0: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz, 2793.89 MHz
36c36
< cpu3: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz, 2793.54 MHz
---
> cpu3: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz, 2793.53 MHz
108,109c108,109
< sd0 at scsibus1 targ 0 lun 0:  SCSI3
0/direct fixed naa.50014ee659ea420c
< sd0: 953869MB, 512 bytes/sector, 1953525168 sectors
---
> sd0 at scsibus1 targ 0 lun 0:  SCSI3
0/direct fixed naa.500253884019088e
> sd0: 976762MB, 512 bytes/sector, 2000409264 sectors, thin


Then after dealing with various $DAYJOB-related stuff while my data was
copied, I re-ran that sequence of commands:

[Thu Jul 21 20:23:52] peter@elke:~$ time dd if=/dev/random of=foo.out
bs=1k count=1k
1024+0 records in
1024+0 records out
1048576 bytes transferred in 0.010 secs (104471057 bytes/sec)

real    0m0.017s
user    0m0.000s
sys     0m0.010s
[Thu Jul 21 20:23:53] peter@elke:~$ time dd if=/dev/random of=foo.out
bs=1k count=1m
1048576+0 records in
1048576+0 records out
1073741824 bytes transferred in 10.468 secs (102565159 bytes/sec)

real    0m10.473s
user    0m0.100s
sys     0m10.290s
[Thu Jul 21 20:24:13] peter@elke:~$ time du -hs .
357G    .

real    0m12.800s
user    0m0.730s
sys     0m7.270s

At this point, I hear you say, "in other news, 'Water Still Wet'", or,
as expected, solid state storage does indeed perform better than
rotating platters with rust on them.

And for the noise level part, when I said I thought the machine was both
lighter and quieter, my sweetheart answered she hadn't noticed I had the
machine perched on my knees.

So it's a success on all stated criteria, only the monetary unit per
unit of storage is still slightly disadvantageous for the solid state
units, to the point that I'll need to hold on to this particular laptop
for a while longer than I had originally imagined. Then again, now that
the thing is actually silent for the most part, that may not be a bad thing.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember 

Driving 4k Display for OpenBSD Workstation

2016-07-21 Thread Bryan Vyhmeister
My goal for this project is to have an OpenBSD workstation (I run
-current) built around 4k displays. I have a Dell P4317W 4k display on
order and I am going to order a couple of other 4k displays as well. I
have a Radeon HD 6870 Eyefinity 6 card which should be supported by
radeondrm(4) but it does not support 4k displays at 60Hz. There is a
Radeon HD 7750 card that also has six Mini DisplayPort connectors and
does support 4k displays but I am not totally clear if it will work well
with radeondrm(4). Reading the archives is not quite clear on this.

The alternative is to use a Skylake processor with integrated graphics
and use efifb(4) and wsfb(4) for now which I presume would work well
enough although not as well as something supported by inteldrm(4). I am
using my ThinkPad X260 with efifb(4) and wsfb(4) which works pretty well
but it would be nice to have properly accelerated Xorg.

Any recommendations? Thank you.

Bryan



Re: how would you troubleshoot your wifi?

2016-07-21 Thread Andreas Bartelt
sorry, my response was not precise - the "fatal" error is gone now but 
the observed performance problems are still there.




Re: Native C written i2pd port for OpenBSD

2016-07-21 Thread Rafael Sadowski
On Thu Jul 21, 2016 at 12:49:25PM +0300, Denis Lapshin wrote:
> Hi there.
> 
> Looking for an OpenBSD port of PurpleI2P/i2pd C written project (non java
> version).
> Github link: https://github.com/PurpleI2P/i2pd
> 
> Building it from scratch makes a lot of errors.
> 
> Please suggest.
> 
> Denis

I try to port i2pd for you today:

https://github.com/jasperla/openbsd-wip/commit/670284343b3d8c7b99f36514c2aa9a9040d32e52
https://github.com/jasperla/openbsd-wip/tree/master/net/i2pd

My first test looks good. Runtime feedback is obligation (not @misc) ;)

Kind Regards,

Rafael



Re: how would you troubleshoot your wifi?

2016-07-21 Thread Andreas Bartelt
On 07/21/16 10:34, Stefan Sperling wrote:
> On Thu, Jul 14, 2016 at 01:13:21PM +0800, Miles Keaton wrote:
>> iwm0: hw rev 0x140, fw ver 25.228 (API ver 9), address 5b:51:4f:a1:16:d9
>> iwm0: fatal firmware error
>
> You got some answers already but they were all misleading.
> I believe I've already fixed this bug. Please verify my assumption by
> upgrading to -current now and letting me know if the problem persists.
> (Run fw_update iwm before upgrading or iwm won't work during the upgrade!)
>
>

I'm also observing this error and I'm experiencing massive problems with 
regard to wireless performance on current (compared to 5.9 at some 
point) - unfortunately, I've been observing these for some time now. My 
guess would be that it's related to iwm(4) but it could potentially also 
be related to the ral(4) side which runs in 802.11g hostap mode on 
current. I didn't have any time in order to look into this deeper yet -- 
I also made some changes with regard to the position of my access point 
but this (at least now) seems to be completely unrelated to the observed 
problems.

Sorry for being of no help atm with regard to reporting observed 
problems with current in a timely manner.

Best regards
Andreas

Question on Theo's dotSecurity paper

2016-07-21 Thread patrick keshishian
Hi,

Quick question about Theo de Raadt's "Presentations: dotSecurity
2016"[1]. Slide 11 says "Most violations result in process being killed",
not all violations?

Just wanted clarification here.

Thanks,
--patrick


[1] http://www.openbsd.org/papers/dot2016.pdf



Install OpenBSD on disks larger than 2TB

2016-07-21 Thread Leo Unglaub

Hey,
i am using OpenBSD with two harddrives. Both of them are 2 TB and i put 
them in a Raid 1 (mirroring) using softraid0. It works perfect, the 
system boots from the raid 1 and runs perfectly.


Sadly now 2 TB is not enought disc space anymore and i got some new 4TB 
drives. I suceeded in crating a raid 1 on them, but i am unable to boot 
of those drives. Do you have any ideas what i could try next?


Here is what i did so far:

fdisk -igy sd0
fdisk -igy sd1
disklabel -E sd0 (created a partition of type RAID)
disklabel -E sd1 (created the same disklayout)
bioctl -c1 -l sd0a,sd1a softraid0 (resulted in sd2 beeing created)


I can install OpenBSD on the new sd2 but i cannot boot from it. I used 
the latest snapshot to try this.


Any ideas?
Thanks and greetings
Leo



Re: choosing OpenBSD for fileserver instead of FreeBSD + ZFS

2016-07-21 Thread Boris Goldberg
Hello Miles,

  I did research the matter about 18 months (or maybe 2 years) ago for the
business, even asked the list. Decided in favor of FreeNAS (based on
FreeBSD+ZFS if someone doesn't know). Can't tell how it went because the
project died for reasons unrelated to the storage.
  If you decide to go with OpenBSD I'd strongly suggest using a good
hardware RAID controller (not relying on the softraid). Make sure it's
supported. I've had a good experience with HP Smart Array Pxx series. You
can buy older models quite cheap on ebay (if you trust ebay). Haven't
checked it on a "generic" PC though. Install the battery and replace it
when the system complains (on boot or otherwise) - also sold on ebay.
  RAID5 might not be enough when dealing with "few terabytes" - there is a
risk of a second disk corruption due to high activity during recovery
(google the subject). Consider RAID6 or RAID10 (1E, 1C, etc.) - both
require a minimum of four disks.
  I was told that fsck requires about 1G of memory per 1T of space. Could
be dealt with by splitting to multiple partitions (labels). The ZFS memory
requirements aren't lower anyway.
  You need some sort of snapshotted (!) backup. Even if the RAID saves you
from the disk corruption (the "if" here is bigger than most people think), a
human error (or a virus on someone's computer/phone) can destroy all your
data, and then an rsync can propagate the "changes" to the backup (also
destroying it if you don't have proper snapshots). The snapshots don't need
to be called "snapshots" - any sort of backup with the possibility to restore
to an older date will do.


Wednesday, July 20, 2016, 6:52:04 AM, you wrote:

MK> Got a fileserver with a few terabytes of important personal media, like all
MK> old home movies, baby photos, etc.  Files that I want my family to have
MK> access to when I die.

MK> Really it's more of a file archive.  A backup.  Just rsync + ssh.  Serving
MK> it isn't the point.  Just preserving it forever.

MK> (It's all unencrypted.  It's not that kind of private.  Private and offline
MK> from the outside world, but public within the family.)

MK> For years it's been on a Synology, Linux ext4 filesystem.  Now I'm making a
MK> new clone of it (new PC) to be in a different location.

MK> I assumed I'd use FreeBSD + ZFS because of ZFS's checksum features.  But
MK> really I love and prefer OpenBSD for everything else, and don't want any
MK> other ZFS features : just that checksum.

MK> So I figure if I use OpenBSD + softraid RAID 5 (across 4 disks) and then
MK> write my own little shell script to track the MD5 (find . -type f -exec md5
MK> {} \;) whenever I make changes, that should be enough to see if a file has
MK> been changed due to disk corruption.

MK> (Which makes me realize I don't know a damn thing about disk corruption,
MK> only that it's happened a few times in the past.  The occasional JPG or MP3
MK> from the late 90s that used to work but now doesn't, and who-knows-why.)

MK> Before I embark on this direction for a fileserver, I thought I should
MK> check with the smart people here on misc:

MK> Any tips from anyone who's done something similar?

MK> Or would anyone advise me against OpenBSD or this MD5 log approach for a
MK> fileserver like this?

-- 
Best regards,
 Boris    mailto:psi...@prodigy.net
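
The checksum-log idea quoted in the message above, as an added example that is not part of any post in this thread. It swaps MD5 for SHA-256 and also records size and mtime, so a content change with untouched metadata is reported separately from an ordinary edit; that classification, the function names and the sample files are assumptions of this sketch.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large media files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root to its hash, size and mtime."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            manifest[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return manifest


def compare_manifests(old, new):
    """Classify differences; 'suspect' = content changed, metadata did not."""
    report = {"added": [], "removed": [], "modified": [], "suspect": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel]["sha256"] != new[rel]["sha256"]:
            untouched = (old[rel]["size"] == new[rel]["size"]
                         and old[rel]["mtime_ns"] == new[rel]["mtime_ns"])
            report["suspect" if untouched else "modified"].append(rel)
    return report


def demo():
    """Run the check on a constructed tree with one simulated corruption."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)

        write("movie.bin", b"\x00" * 4096)   # constructed sample data
        write("notes.txt", b"first draft\n")
        before = build_manifest(root)

        # Simulated bit rot: one byte changes, size and mtime stay the same.
        victim = os.path.join(root, "movie.bin")
        st = os.stat(victim)
        with open(victim, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x01")
        os.utime(victim, ns=(st.st_atime_ns, st.st_mtime_ns))

        write("notes.txt", b"first draft\nsecond paragraph\n")  # ordinary edit
        write("new.jpg", b"constructed image bytes")            # new file
        return compare_manifests(before, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The manifest only detects a change; recovering the file still needs a second copy, and the manifest itself should be stored away from the disks it describes.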



Re: choosing OpenBSD for fileserver instead of FreeBSD + ZFS

2016-07-21 Thread Chris Bennett
On Wed, Jul 20, 2016 at 02:00:33PM +0200, Solène wrote:
> Also, make backups. Raid5 will prevent data loss when a disk fails, but if 2
> disks fail or if the filesystem gets corrupted, you will lose your data.
> When you have multiple terabytes of data, if you use multiple disks that have
> been made at the same time, chances are that they can fail at the same time,
> also, rebuilding a few terabytes can take time. Having backups with
> rsnapshot to keep track of a few days' changes can be a good idea, or at
> least save very important data if you can't afford saving everything (maybe
> the loss of the music or video files is acceptable ?)
> 

As I understand, the worst thing you can do to your hardware and your
disks is to power off. Shock to the power supply, motherboard components
and the disks have to spin up again, which often times they can't do,
but would keep spinning reliably for another couple of years if never
powered down.

So would it be best to keep a system like this up 24/7?
How does life expectancy compare using home PC versus server PC?

Are there hard drives out there that stop spinning on their own after a
certain time if inactive?

SSDs are getting much bigger now. Are they now considered more
reliable, less reliable or not decided yet against spinning disks?

Chris Bennett



strange behaviour spamd

2016-07-21 Thread Markus Rosjat

Hi there,

I noticed that a trapped IP gets whitelisted when there are still
greylisted messages. This shouldn't happen when I use the -a -t switches
to trap the IP, or am I missing something here?


Regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT




Re: [OT] Cloud storage accessible via sftp or rsync/ssh?

2016-07-21 Thread lists
Thu, 21 Jul 2016 09:54:05 +0200 Denis Fondras 
> Hi John,
> 
> > Can anybody recommend a good cloud storage provider that has access
> > via sftp or rsync tunneled through ssh? Everything I have found
> > seems targeted at Windows, Linux, phones etc. with no
> > platform-agnostic interface. 
> 
> French hoster Online.net has a new storage service called C14.
> https://blog.online.net/2016/07/04/c14-the-secure-cold-storage-platform-for-free-during-the-summer/
> 
> It is cheap and you can access with rsync but it is "cold storage"
> and the delay might make it a no-go. It is also hosted in France so
> the government blackboxes will read all your traffic :o

Also, French OVH offers personal dedicated servers (kimsufi.com brand),
located in FR and CA for a lower monthly price than most virtual server offers.

OVH Kimsufi (USD)
[https://www.kimsufi.com/us/en/servers.xml]

OVH Kimsufi (EUR)
[https://www.kimsufi.com/en/servers.xml]

You can install OpenBSD and get real HDD storage inexpensively.
They also offer OpenStack KVM SSD VPS packages, these I've not tested:

OVH VPS SSD (USD)
https://www.ovh.com/us/vps/vps-ssd.xml

OVH VPS SSD (EUR)
https://www.ovh.ie/vps/vps-ssd.xml

I'm not related to these, it's inexpensive enough to self-host though.



Re: Native C written i2pd port for OpenBSD

2016-07-21 Thread Kamil Cholewiński
Short answer: you'll probably have to get your hands dirty and help port it.
Open an issue, talk to maintainers, see what you can do to help.

On Thu, 21 Jul 2016, Denis Lapshin wrote:
> Hi there.
>
> Looking for an OpenBSD port of the PurpleI2P/i2pd C written project (non java
> version).
> Github link: https://github.com/PurpleI2P/i2pd
>
> Building it from scratch makes a lot of errors.
>
> Please suggest.
>
> Denis



Native C written i2pd port for OpenBSD

2016-07-21 Thread Denis Lapshin

Hi there.

Looking for an OpenBSD port of the PurpleI2P/i2pd C written project (non java
version).

Github link: https://github.com/PurpleI2P/i2pd

Building it from scratch makes a lot of errors.

Please suggest.

Denis



Re: openbgpd blackhole community

2016-07-21 Thread Claudio Jeker
On Wed, Jul 20, 2016 at 11:05:03PM +0200, Hrvoje Popovski wrote:
> Hi all,
> 
> here at CIX we want to implement BLACKHOLE based on
> https://tools.ietf.org/html/draft-ietf-grow-blackholing
> 
> presentation
> https://www.ietf.org/proceedings/94/slides/slides-94-grow-1.pdf
> 
> The recommendation is to have Blackhole BGP Community: 65535:666, but when
> I configure that community I'm getting "Bad community AS number".
> 
> Is there any problem with allowing 65535 in a community?
> 
> 
> configuration:
> 
> AS 65005
> router-id 10.192.192.124
> listen on 10.192.192.124
> holdtime 180
> holdtime min 3
> fib-update no
> log updates
> nexthop qualify via bgp
> transparent-as yes
> 
> group rsip4 {
> local-address 10.192.192.124
> announce IPv6 none
> announce IPv4 unicast
> set nexthop no-modify
> enforce neighbor-as yes
> announce all
> neighbor 10.192.192.65 {
> remote-as   123
> max-prefix 1024 restart 5
> passive
> }
> neighbor 10.192.192.87 {
> remote-as   124
> max-prefix 1024 restart 5
> passive
> }
> neighbor 10.192.192.66 {
> remote-as   125
> max-prefix 1024 restart 5
> passive
> }
> }
> 
> deny from any inet prefixlen 8 >< 24
> allow from any inet prefixlen 16 - 32 community 65535:666
> 
> match from any community 65535:666 set nexthop 10.192.192.90
> match from any set community 65005:65000
> 
> deny to group rsip4 community 65005:65000
> deny to group rsip4 community 0:65005
> allow to group rsip4 community 65005:65005
> deny to group rsip4 community 0:neighbor-as
> allow to group rsip4 community 65005:neighbor-as
> 
> match to group rsip4 prefix 10.192.192.64/26 set prepend-self 1
> 

Just use "community BLACKHOLE" instead of 65535:666 and it will work.

-- 
:wq Claudio



Re: how would you troubleshoot your wifi?

2016-07-21 Thread Stefan Sperling
On Thu, Jul 14, 2016 at 01:13:21PM +0800, Miles Keaton wrote:
> iwm0: hw rev 0x140, fw ver 25.228 (API ver 9), address 5b:51:4f:a1:16:d9
> iwm0: fatal firmware error

You got some answers already but they were all misleading.
I believe I've already fixed this bug. Please verify my assumption by
upgrading to -current now and letting me know if the problem persists.
(Run fw_update iwm before upgrading or iwm won't work during the upgrade!)



Re: how would you troubleshoot stuttering video? (Lenovo Thinkpad)

2016-07-21 Thread Miles Keaton
On Tue, Jul 19, 2016 at 5:31 AM, Alexandre Ratchov wrote:

> If you have some time, could you build a kernel with the
> AZALIA_DEBUG option, reboot using the new kernel and send me the
> output of dmesg once with the mic disabled in the bios and once
> with the mic enabled.  This way we could compare them and possibly
> find a fix.
>

Happy to help!  Here are the two dmesg, using -current.  Let me know if I
can help/test in any way.


Re: [OT] Cloud storage accessible via sftp or rsync/ssh?

2016-07-21 Thread Denis Fondras
Hi John,

> Can anybody recommend a good cloud storage provider that has access via sftp
> or rsync tunneled through ssh? Everything I have found seems targeted at
> Windows, Linux, phones etc. with no platform-agnostic interface.
> 

French hoster Online.net has a new storage service called C14.
https://blog.online.net/2016/07/04/c14-the-secure-cold-storage-platform-for-free-during-the-summer/

It is cheap and you can access with rsync but it is "cold storage" and the delay
might make it a no-go. It is also hosted in France so the government blackboxes
will read all your traffic :o

Denis



Re: vm example

2016-07-21 Thread Peter Hessler
On 2016 Jul 20 (Wed) at 21:43:33 -0700 (-0700), Stephen Graf wrote:
:Does anyone have an example of setting up vm?
:
: 
:
:I am running into a problem with /dev/vmm not configured when trying to run
:vmd.  (OpenBSD 5.9, amd64)
:

vmm is not yet ready, so it is not enabled.  You won't have the
experience you desire, so I recommend waiting until we turn it on.


-- 
Matter cannot be created or destroyed,
nor can it be returned without a receipt.



Re: Override NGROUPS_MAX

2016-07-21 Thread Theo de Raadt
> On Thu, Jul 21, 2016 at 2:31 AM, Artturi Alm  wrote:
> > On Wed, Jul 20, 2016 at 06:32:49PM -0400, Eric Furman wrote:
> >> The person didn't make a simple config change they made
> >> a change to the actual kernal code.
> >> Huge difference.
> >
> > thank you for your reply, but that's no answer to my question, and
> > you have no sense for my lack of humour it seems.
> > the Huge difference is between kernel and kernal code, now have you used
> > config to make changes to usar code? you should test the diff i sent, if
> > so.
> 
> There are a spectrum of possible changes that someone may make from
> inconsequential to forked project.  Your diff made running config(8)
> emit a warning even if the user had made *no* changes to a provided
> GENERIC config, effectively claiming that we deny support if they
> don't ship a kernel theo builds, but that is *not* the case.  Indeed,
> we provide errata including kernel patches for the last couple
> releases.  We are not that dogmatic.
> 
> What we're saying is that while many changes have no effect on
> support or will be gladly merged into the base in some form, other
> changes go beyond what the project can or will support.  There is no
> easily stated rule for this and the effective rule changes in various
> ways as our understanding changes and as the world changes.  For
> example, a year ago changes that would fail on static-lib-only archs
> would not be accepted; now they are.  Theo is saying that the world
> and the project will need to change in many, many ways before
> Sébastien's diff would be supported and we don't see that happening in
> the foreseeable future.

I'll add something more.

We already suffer from low quality in many bug reports.  People very
often forget to mention they have tweaks of their own.  Resizing such
an array could lead to many unknown consequences, which we don't want
to think through.  Our function in this ecosystem definitely does not
include dealing with other people's bullshit decisions...



Re: openbgpd blackhole community

2016-07-21 Thread Peter Hessler
Hi

We had previously limited which communities could be set within the Well
Known Community range, but that limitation has been fixed in 5.9.

We also support "community BLACKHOLE", as a convenience.

-peter


On 2016 Jul 20 (Wed) at 23:05:03 +0200 (+0200), Hrvoje Popovski wrote:
:Hi all,
:
:here at CIX we want to implement BLACKHOLE based on
:https://tools.ietf.org/html/draft-ietf-grow-blackholing
:
:presentation
:https://www.ietf.org/proceedings/94/slides/slides-94-grow-1.pdf
:
:The recommendation is to have Blackhole BGP Community: 65535:666, but when
:I configure that community I'm getting "Bad community AS number".
:
:Is there any problem with allowing 65535 in a community?
:
:
:configuration:
:
:AS 65005
:router-id 10.192.192.124
:listen on 10.192.192.124
:holdtime 180
:holdtime min 3
:fib-update no
:log updates
:nexthop qualify via bgp
:transparent-as yes
:
:group rsip4 {
:local-address 10.192.192.124
:announce IPv6 none
:announce IPv4 unicast
:set nexthop no-modify
:enforce neighbor-as yes
:announce all
:neighbor 10.192.192.65 {
:remote-as   123
:max-prefix 1024 restart 5
:passive
:}
:neighbor 10.192.192.87 {
:remote-as   124
:max-prefix 1024 restart 5
:passive
:}
:neighbor 10.192.192.66 {
:remote-as   125
:max-prefix 1024 restart 5
:passive
:}
:}
:
:deny from any inet prefixlen 8 >< 24
:allow from any inet prefixlen 16 - 32 community 65535:666
:
:match from any community 65535:666 set nexthop 10.192.192.90
:match from any set community 65005:65000
:
:deny to group rsip4 community 65005:65000
:deny to group rsip4 community 0:65005
:allow to group rsip4 community 65005:65005
:deny to group rsip4 community 0:neighbor-as
:allow to group rsip4 community 65005:neighbor-as
:
:match to group rsip4 prefix 10.192.192.64/26 set prepend-self 1
:

-- 
Baruch's Observation:
If all you have is a hammer, everything looks like a nail.
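
Both replies in this thread (Claudio Jeker's and Peter Hessler's) turn on 65535:666 falling in the reserved 0xFFFF half of the community space. The following is an added example, not code from bgpd or from either poster: it classifies the communities used in the posted filter rules by the RFC 1997 layout. The function names and the classification labels are assumptions made for the example.

```python
import re

# RFC 1997 well-known values plus 65535:666, the BLACKHOLE community
# recommended in the thread. Names follow the RFCs.
WELL_KNOWN = {
    0xFFFFFF01: "NO_EXPORT",
    0xFFFFFF02: "NO_ADVERTISE",
    0xFFFFFF03: "NO_EXPORT_SUBCONFED",
    0xFFFF029A: "BLACKHOLE",
}
BY_NAME = {name: value for value, name in WELL_KNOWN.items()}

def parse_community(token):
    """Return (high16, low16); a half is None for the per-peer 'neighbor-as'."""
    if token in BY_NAME:
        return BY_NAME[token] >> 16, BY_NAME[token] & 0xFFFF
    high, sep, low = token.partition(":")
    if not sep:
        raise ValueError("expected AS:value or a well-known name: %r" % token)
    halves = []
    for field in (high, low):
        if field == "neighbor-as":
            halves.append(None)
            continue
        number = int(field)
        if not 0 <= number <= 0xFFFF:
            raise ValueError("community half out of 16-bit range: %r" % token)
        halves.append(number)
    return tuple(halves)

def wire(token):
    """32-bit value carried in the COMMUNITIES attribute, None if per-peer."""
    high, low = parse_community(token)
    return None if high is None or low is None else (high << 16) | low

def classify(token):
    value = wire(token)
    if value in WELL_KNOWN:
        return "well-known " + WELL_KNOWN[value]
    # RFC 1997 reserves 0x0000xxxx and 0xFFFFxxxx.
    if parse_community(token)[0] in (0x0000, 0xFFFF):
        return "reserved (RFC 1997)"
    return "operator-defined"

# Rules copied from the posted configuration; the last line is the BLACKHOLE
# spelling suggested in the replies (constructed for this example).
RULES = """\
allow from any inet prefixlen 16 - 32 community 65535:666
match from any set community 65005:65000
deny to group rsip4 community 0:65005
allow to group rsip4 community 65005:neighbor-as
allow from any inet prefixlen 16 - 32 community BLACKHOLE
"""

def audit(rules):
    """List (token, class) for every community referenced in the rules."""
    tokens = re.findall(r"community\s+(\S+)", rules)
    return [(token, classify(token)) for token in tokens]
```

Running `audit(RULES)` shows that `65535:666` and `BLACKHOLE` resolve to the same 32-bit value, while `0:65005` also sits in a reserved half of the space.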



Re: Differences between etherip(4) and gif(4)

2016-07-21 Thread Theo de Raadt
> I noticed that the etherip pseudo-device appeared with OpenBSD 5.9 which is
> intended for tunnelling.
> 
> Prior to this I have been using the gif pseudo device to accomplish much the
> same thing (in my case L2 over L3).
> 
> Apart from specifying the mtu to lower value to avoid problems with larger
> frames, is there any real advantage with the new etherip device?

Let me see if I know your pain.

A route forcing traffic ipsec traffic into a gif that is a member of
the bridge, to fragment; and on the other end, defragging it into full
MTU traffic.

Such a configuration requires a lot of pieces.  It is a fragile
configuration, and you need to be very careful using such a machine
for too many other network services.

etherip makes a few of those steps easier.  It is still new, so try it out.