Re: OpenBSD 6.1: BOOTIA32 3.32 issue

2017-05-10 Thread Michele Curti
On Wed, May 10, 2017 at 08:35:28PM +0200, Patrick Wildt wrote:
> On Wed, May 10, 2017 at 03:14:30PM +0200, Stefan Sperling wrote:
> > On Tue, May 09, 2017 at 09:47:14PM +0200, Michele Curti wrote:
> > > On Tue, May 09, 2017 at 09:36:02PM +0200, Michele Curti wrote:
> > > > On Tue, May 09, 2017 at 10:20:03AM +0200, Michele Curti wrote:
> > > > > Hi all, I tried to upgrade to OpenBSD 6.1 on an Asus X205TA (bay
> > > > > trail, 32 bit efi, 64 bit os) but the bootloader does not correctly
> > > > > detect the internal disk.
> > > > > 
> > > > > I also tried a fresh install, but things do not change.  Boot fails
> > > > > and when I do a "machine diskinfo" I got a lot of "?" symbols (a video
> > > > > here https://www.youtube.com/watch?v=fsomNX-oFTQ )
> > > > > 

Thanks to yasuoka's fix I just noticed that using dp0 instead of dp
changes the diskinfo disk order

# setting efi_bootdp = dp;

Disk  BlkSiz  IoAlign  Size  Flags  Checksum
hd0   512     1        29GB  0x2    0xad4a42c3
hd1   512     1        4MB   0x0    0x0
hd2   512     1        4MB   0x0    0x0

# setting efi_bootdp = dp0;

Disk  BlkSiz  IoAlign  Size  Flags  Checksum
hd0   512     1        4MB   0x0    0x0
hd1   512     1        4MB   0x0    0x0
hd2   512     1        29GB  0x2    0xad4a42c3

So I can use the stock bootloader without changes but I must do a 

boot> set device hd2a

I do not know how useful this info is...

Michele



Re: OpenBSD 6.1: BOOTIA32 3.32 issue

2017-05-10 Thread Michele Curti
On Thu, May 11, 2017 at 10:42:04AM +0900, YASUOKA Masahiko wrote:
> Hi,
> 
> On Tue, 9 May 2017 10:20:03 +0200
> Michele Curti wrote:
> > I also tried a fresh install, but things do not change.
> > Boot fails and when I do a "machine diskinfo" I got a lot of "?" 
> > symbols (a video here https://www.youtube.com/watch?v=fsomNX-oFTQ )
> 
> Hanging on "machine diskinfo" seems to be a different problem.
> The diff is already committed.  Can you test this?

Yes, no more hangs, thank you!

boot> machine diskinfo
Disk  BlkSiz  IoAlign  Size  Flags  Checksum
hd0   512     1        4MB   0x0    0x0
hd1   512     1        4MB   0x0    0x0
hd2   512     1        29GB  0x2    0xad4a42c3

Michele

> 
> (I'll look into another problem later)
> 
> Index: sys/arch/amd64/stand/efiboot/efidev.c
> ===
> RCS file: /cvs/src/sys/arch/amd64/stand/efiboot/efidev.c,v
> retrieving revision 1.24
> diff -u -p -r1.24 efidev.c
> --- sys/arch/amd64/stand/efiboot/efidev.c 24 Dec 2016 08:41:13 -  
> 1.24
> +++ sys/arch/amd64/stand/efiboot/efidev.c 11 May 2017 01:31:13 -
> @@ -789,7 +789,7 @@ efi_dump_diskinfo(void)
>   printf("hd%d\t%u\t%u\t%u%s\t0x%x\t0x%x\t%s\n",
>   (bdi->bios_number & 0x7f),
>   ed->blkio->Media->BlockSize,
> - ed->blkio->Media->IoAlign, siz, sizu,
> + ed->blkio->Media->IoAlign, (int)siz, sizu,
>   bdi->flags, bdi->checksum,
>   (ed->blkio->Media->RemovableMedia)? "Removable" : "");
>   }
> 



Re: OpenBSD 6.1: BOOTIA32 3.32 issue

2017-05-10 Thread YASUOKA Masahiko
Hi,

On Tue, 9 May 2017 10:20:03 +0200
Michele Curti wrote:
> I also tried a fresh install, but things do not change.
> Boot fails and when I do a "machine diskinfo" I got a lot of "?" 
> symbols (a video here https://www.youtube.com/watch?v=fsomNX-oFTQ )

Hanging on "machine diskinfo" seems to be a different problem.
The diff is already committed.  Can you test this?

(I'll look into another problem later)

Index: sys/arch/amd64/stand/efiboot/efidev.c
===
RCS file: /cvs/src/sys/arch/amd64/stand/efiboot/efidev.c,v
retrieving revision 1.24
diff -u -p -r1.24 efidev.c
--- sys/arch/amd64/stand/efiboot/efidev.c   24 Dec 2016 08:41:13 -  
1.24
+++ sys/arch/amd64/stand/efiboot/efidev.c   11 May 2017 01:31:13 -
@@ -789,7 +789,7 @@ efi_dump_diskinfo(void)
printf("hd%d\t%u\t%u\t%u%s\t0x%x\t0x%x\t%s\n",
(bdi->bios_number & 0x7f),
ed->blkio->Media->BlockSize,
-   ed->blkio->Media->IoAlign, siz, sizu,
+   ed->blkio->Media->IoAlign, (int)siz, sizu,
bdi->flags, bdi->checksum,
(ed->blkio->Media->RemovableMedia)? "Removable" : "");
}
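
Review bot: the cast added on the `siz` argument is `(int)`, but the conversion it feeds is the third `%u` in the format string, so the argument and the conversion still disagree in signedness; `(unsigned int)siz` would match `%u`. The hunk does not show how `siz` is declared, so a one-line comment above the printf() saying why narrowing is safe here (for example, that the value has already been scaled to the unit printed from `sizu`) would help the next reader.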



Re: PF queueing confusion

2017-05-10 Thread Gabriele Tozzi

On 11/05/2017 01:42, Erling Westenvik wrote:
> Check out pfctl(8) and the -F option. The issue might be resolvable
> simply by flushing one or more of the filter parameters you'll find
> there.

I had always assumed that loading a new ruleset with pfctl -f also
implied "-F all".

This explains a lot :)

Thank you



Re: Why would I need a container like Docker?!

2017-05-10 Thread Erik Lauritsen
> Now, everyone is telling me I should run Docker and a completely different 
> setup.

"devops" are web developers with root, they need stuff like Docker or they
end up breaking everything.

"sysadmin" knows how to handle the bare metal!

> What the fuck?! Why in the world would anyone setup Debian as a testing 
> environment
> and then use Red Hat on production?! And different network topology?
>
> Are people really that stupid?

Yes.



Re: PF queueing confusion

2017-05-10 Thread Erling Westenvik
On Thu, May 11, 2017 at 12:09:26AM +0200, Gabriele Tozzi wrote:
>
> Looks like I've solved it by only renaming the queues.
>
> Instead of naming them "high", "normal" and "low", I have now named them
> "exthi", "extstd" and "extlo" and then everything seems to work as expected.
>
> Maybe "high" is a (maybe undocumented) reserved queue name?

Check out pfctl(8) and the -F option. The issue might be resolvable
simply by flushing one or more of the filter parameters you'll find
there.  (Beware though - you may get kicked out of the server when
flushing states if you're connecting via ssh, and may have to log back
in. tmux(1) is your friend!)

--
Erling Westenvik



Re: OpenBSD 6.1: BOOTIA32 3.32 issue

2017-05-10 Thread Michele Curti
On Wed, May 10, 2017 at 08:35:28PM +0200, Patrick Wildt wrote:
> On Wed, May 10, 2017 at 03:14:30PM +0200, Stefan Sperling wrote:
> > On Tue, May 09, 2017 at 09:47:14PM +0200, Michele Curti wrote:
> > >   bios_bootdev = 0x80;
> > > - efi_bootdp = dp0;
> > > + efi_bootdp = dp;
> > >   break;
> > >   }
> > >   }
> > > 
> > 
> 
> I don't think this is the correct fix.  It might solve your issue, but I
> don't think it's completely right.  So EFI has those so called device
> paths.  A path is basically a list of nodes.  To compare two paths you
> need to compare the whole path and not just a single node of it.  If you
> store dp instead of dp0 you will basically only save a part of the path,
> not the full path.
> 
> What you can do is print the full path of efi_bootdp like..
> 
> for (dp = efi_bootdp; !IsDevicePathEnd(dp);
>     dp = NextDevicePathNode(dp)) {
>         printf("%x %x - ", DevicePathType(dp), DevicePathSubType(dp));
> }
> printf("\n");
> 

4e 6f - 5f 2d - 22 4e - 4e 55 - 3a 48 - 1e ce - and many others 

I got the same values starting the for loop with dp = dp0 or dp = NULL

So dp0 was not initialized by the EFI_CALL() above?

if (status == EFI_SUCCESS)
status = EFI_CALL(BS->HandleProtocol, imgp->DeviceHandle,
_guid, (void **));
if (status == EFI_SUCCESS) {


I'm going to study a bit about EFI.. :p

Thanks,
Michele

> And do the same for the DPs that are being put into the
> efi_device_path_cmp function.  That will at least print the types, but
> not the content of the nodes.  That's a start into figuring out why it
> does not correctly compare the paths.
> 
> Maybe there's a bug in the compare code?



Re: PF queueing confusion

2017-05-10 Thread Gabriele Tozzi

Looks like I've solved it by only renaming the queues.

Instead of naming them "high", "normal" and "low", I have now named them
"exthi", "extstd" and "extlo" and then everything seems to work as expected.

Maybe "high" is a (maybe undocumented) reserved queue name?



Re: Compaq nx6310 does not suspend/resume

2017-05-10 Thread Mike Larkin
On Wed, May 10, 2017 at 05:19:04PM +0200, Jan Stary wrote:
> This is current/i386 on a Compaq nx6310 laptop (dmesg below).

This machine is notoriously bad. Did this ever work for you?

-ml

> Mostly works, but I experience trouble with suspend/resume.
> 
> apmd(8) is running with apmd_flags="-A", but closing the lid does nothing,
> even though machdep.lidsuspend=1 and machdep.lidaction=1
> Trying to suspend manually with Fn+F3 does nothing as well.
> Trying to suspend with apm(8)'s options does this:
> 
> apm -S says
> 
>   May 10 16:12:32 hp apmd: system entering standby
>   May 10 16:12:33 hp /bsd: uhub1 detached
>   May 10 16:12:33 hp /bsd: uhub2 detached
>   May 10 16:12:33 hp /bsd: uhub3 detached
> 
> and, presumably, goes into standby. The power led is blinking.
> It will not resume: pressing the power button makes the power led
> light up again, but that's it. Even the display backlight
> stays turned off. The machine is not accessible remotely
> and needs to be forcefully restarted.
> /etc/apm/standby does not get called.
> 
> apm -z says
> 
>   May 10 16:31:26 hp apmd: system suspending
>   May 10 16:31:28 hp /bsd: uhub1 detached
>   May 10 16:31:28 hp /bsd: uhub2 detached
>   May 10 16:31:28 hp /bsd: uhub3 detached
> 
> and, presumably, goes to suspend, but never resumes.
> The symptoms are the same as with apm -S.
> /etc/apm/suspend does not get called.
> 
> apm -Z puts the system into hibernation, and it works.
> After pressing the power button, the machine boots,
> and unhibernates at the end of the boot sequence.
> /etc/apm/{hibernate,resume} get called.
> 
> How can I help debug this?
> 
> http://stare.cz/dmesg/compaq-nx6310.20170509
> http://stare.cz/dmesg/compaq-nx6310.acpidump.tar
> http://stare.cz/dmesg/compaq-nx6310.pcidump
> 
>   Jan

Re: OT: Recommendations for a CMS?

2017-05-10 Thread Allan Streib
Paul Suh writes:

> About Drupal: 
>
>> every major version of drupal is a pain. They generally don't have any
>> kind of same migration plan from version to version.  Especially the user
>> interface, which changed a lot, so you're often better off reimporting
>> your data and starting the menu design from scratch
>
> This is a serious negative for me. Also that it's PHP-based -- I know
> PHP has gotten better, but there's been just too many potential
> problems in PHP for me to really feel good about it.

It is true that Drupal changes are significant between major version
releases (6, 7, 8). That said the changes are improvements, if somewhat
painful.

Be cautious about contributed modules. Some are of questionable quality
and most of the Drupal security advisories I see are related to
contributed modules not the core.

I run Drupal 8 on OpenBSD 6.0 with good results. Will be moving to 6.1
soon. Note that you do need nginx as well, since httpd will not (as far
as I can tell) handle the URL rewrites that Drupal demands.

  https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/

These days I would not worry much more about PHP than Python or Ruby but
perhaps I'm naive.

Allan



Re: OCSP stapling issues with httpd(8) and ocspcheck(1)

2017-05-10 Thread martian

To note, I am running 6.1-stable.



OCSP stapling issues with httpd(8) and ocspcheck(1)

2017-05-10 Thread martian

Hello, I am attempting to enable OCSP stapling with httpd, however when
clients attempt to verify said signature, they fail.

My process for generating the staplefile is as follows:

# ocspcheck -N -o /etc/ssl/ocsp/.com.der \
/etc/ssl/private/.com.fullchain.pem


This appears to generate a valid OCSP responsefile as verified by 
ocsptool(1):



# cat /etc/ssl/ocsp/.com.der  | ocsptool --response-info
OCSP Response Information:
Response Status: Successful
Response Type: Basic OCSP Response
Version: 1
Responder ID: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
Produced At: Tue May 09 10:51:00 UTC 2017
Responses:
Certificate ID:
  Hash Algorithm: SHA1
  Issuer Name Hash: 7ee66ae7729ab3fcf8a220646c16a12d6071085d
  Issuer Key Hash: a84a6a63047dddbae6d139b7a64565eff3a8eca1
  Serial Number: 04dbfc34be721f3824e59ada8489c6c00492
Certificate Status: good
This Update: Tue May 09 10:00:00 UTC 2017
Next Update: Tue May 16 10:00:00 UTC 2017
Extensions:


However when I add in an OCSP directive into httpd.conf(5) in order to 
enable stapling, it seems OCSP verification fails:


# cat /etc/httpd.conf
server ".com" {
listen on * tls port 443
tls {
certificate "/etc/ssl/private/.com.fullchain.pem"
key "/etc/ssl/private/.com.key"
ocsp "/etc/ssl/ocsp/.com.der"
}
}


# nc -zvc .com 443
Connection to .com 443 port [tcp/https] succeeded!
nc: tls handshake failed (ocsp verify failed: no result for cert)


Firefox also gives an error of:
An error occurred during a connection to .com. The OCSP response 
does not include a status for the certificate being verified. Error 
code: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING



Both work when the ocsp directive is removed from httpd.conf(5).


openssl(1) s_client confirms that the OCSP response is being sent:

# openssl s_client -connect .com:443 -tlsextdebug  -status
-8<-8<-8<-8<-8<-8<-8<-8<-8<-
OCSP response:
==
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt 
Authority X3

Produced At: May  9 10:52:00 2017 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
  Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
  Serial Number: 0474005E94C1946D6FD3EB7A486278E9F643
Cert Status: good
This Update: May  9 10:00:00 2017 GMT
Next Update: May 16 10:00:00 2017 GMT

Signature Algorithm: sha256WithRSAEncryption
==
-8<-8<-8<-8<-8<-8<-8<-8<-8<-


Can anyone shed any light on what's going on here? Is it related to the 
fact that Let's Encrypt OCSP responder doesn't use nonces? (meaning one 
has to use the -N flag with ocspcheck(1).)


Any cluebyfour responses would be appreciated.



Re: OT: Recommendations for a CMS?

2017-05-10 Thread Paul Suh
Thanks to everyone for suggestions and ideas. 

My comments on some of the suggestions, in more or less chronological order: 

> I would recommend something like Magento

Magento is total overkill -- this is not an e-commerce site and the additional 
exposed attack surface is horrendous. 

> https://www.locomotivecms.com/

Worth looking into, at first glance. Thanks! 

> https://redaxo.org

I guess it's ok, but the site is entirely in German, und mein Deutsch ist nicht 
gut. My staff's German is non-existent. 

About Drupal: 

> every major version of drupal is a pain. They generally don't have any
> kind of same migration plan from version to version.  Especially the user
> interface, which changed a lot, so you're often better off reimporting
> your data and starting the menu design from scratch

This is a serious negative for me. Also that it's PHP-based -- I know PHP has 
gotten better, but there's been just too many potential problems in PHP for me 
to really feel good about it. 

> So, the suggestion is.. to just start setting up an OpenBSD web stack.
> You are going to make good progress, just better compared to other OS.

Actually, I can spin up OpenBSD pretty easily for myself, either in VirtualBox 
or vmm, but the point is to make it sustainable by my staff, who just don't 
have the technical skills to sysadmin OpenBSD or another unix variant, for that 
matter. The choice of a CMS is almost orthogonal to the choice of the 
underlying OS, since they're all pretty much built on common web programming 
languages (PHP, Python, Ruby, etc.) and databases (MySQL/MariaDB, Postgresql), 
all of which run on a variety of server OS platforms. 

> erpnext.com is the most featurefull free erp I have found, including cms.
> may take a little work to port to OpenBSD and unfortunately uses nodejs

Ugh, again complete overkill. This is using a tactical nuke to kill an ant. I'm 
not looking for a full ERP solution, really! And I'm not thrilled with anything 
based on node.js. Node.js has a really strange dependency system and any 
language that allows the JSF*ck mess is not something that I would trust in 
terms of security. 

Thanks again to everyone who chimed in. 


--Paul



Ipsec - Problem configuring host-to-host

2017-05-10 Thread jphelps
Hello.

I am trying to establish an ipsec connection in transport mode between two
hosts located in the same LAN, using PSK for authentication and ikev1 for
automatic keying. So far, my attempts have resulted in failure.

Host A ( 192.168.1.11 ) runs OpenBSD 6.1 and uses the following
configurations:

/etc/ipsec.conf
ike passive esp transport from 192.168.1.11 to 192.168.1.12 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes group modp1024 \
psk "test"

/etc/rc.conf.local
isakmpd_flags=-K -T
ipsec=YES

Host B ( 192.168.1.12 ) runs Knoppix 7.7.1, Strongswan 5.5.0, and uses the
following configurations:

/etc/ipsec.conf
[...]
conn test
left=192.168.1.12
right=192.168.1.11
authby=secret
auto=start
type=transport
ike=aes-sha1-modp1024
esp=aes-sha1-modp1024
compress=no

/etc/ipsec.secrets
192.168.1.12 192.168.1.11 : PSK "test"

This shows up in /var/log/messages on Host A when establishing ipsec between
both hosts is attempted:
May 10 16:57:39 server isakmpd[37746]: isakmpd: starting
May 10 16:57:58 server isakmpd[4052]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
May 10 16:57:58 server isakmpd[4052]: message_negotiate_sa: no compatible proposal found
May 10 16:57:58 server isakmpd[4052]: dropped message from 192.168.1.12 port 500 due to notification type NO_PROPOSAL_CHOSEN

Notice that isakmpd is expecting 3DES, when I configured the connection to
use aes at both ends. More worrisome: When I configure the Host B to use
3DES for phase 1, isakmpd complains because it was offered PSK, but RSA_SIG
was expected! This leads me to believe that isakmpd is ignoring the
configuration parameters.

Any help is appreciated. 



Re: PF queueing confusion

2017-05-10 Thread Gabriele Tozzi

On 10/05/2017 20:56, Luis Coronado wrote:
> but perhaps someone else would be able to see something that you didn't,
> hence the requirement to share the file.

I understand, but it contains sensitive information that I prefer not to
share. If you could tell me what to look for, I will look for it.

I have also checked "pfctl -s rules | grep high" and it returns no data.
To the best of my knowledge, this confirms that there is no pf rule
explicitly sending packets to the "high" queue... but lots of packets
are queued there anyway, so I am supposing there should be some other
queueing mechanism that I do not know of.

Apart from using the "set queue" directive in pf.conf, what could cause
this behaviour?



Re: Compaq nx6310 does not suspend/resume

2017-05-10 Thread Anton Lindqvist
On Wed, May 10, 2017 at 05:19:04PM +0200, Jan Stary wrote:
> How can I help debug this?

This might be of interest, mlarkin@ posted a detailed write-up[1] on how
to debug suspend issues.

[1] http://marc.info/?l=openbsd-bugs=147440712910124=2



Re: PF queueing confusion

2017-05-10 Thread Luis Coronado
but perhaps someone else would be able to see something that you didn't,
hence the requirement to share the file.

-luis


On Wed, May 10, 2017 at 12:50 PM, Gabriele Tozzi wrote:

>
> On 10/05/2017 14:45, Daniel Melameth wrote:
> >> queue ext on $Ext bandwidth 900K
> >> queue  normal parent ext bandwidth 386K, max 850K qlimit 10 default
> >> queue  high parent ext bandwidth 193K qlimit 10
> >> queue  low parent ext bandwidth 193K, max 540Kb qlimit 10
> >
> > You'll have to post your pf.conf.
>
> The whole pf.conf is very long but I have checked multiple times and
> there is no rule with the "set queue high" or "set queue ( *, high )"
> syntax.
>
>


Re: PF queueing confusion

2017-05-10 Thread Gabriele Tozzi

On 10/05/2017 14:45, Daniel Melameth wrote:
>> queue ext on $Ext bandwidth 900K
>> queue  normal parent ext bandwidth 386K, max 850K qlimit 10 default
>> queue  high parent ext bandwidth 193K qlimit 10
>> queue  low parent ext bandwidth 193K, max 540Kb qlimit 10
>
> You'll have to post your pf.conf.

The whole pf.conf is very long but I have checked multiple times and
there is no rule with the "set queue high" or "set queue ( *, high )"
syntax.



Re: OpenBSD 6.1: BOOTIA32 3.32 issue

2017-05-10 Thread Patrick Wildt
On Wed, May 10, 2017 at 03:14:30PM +0200, Stefan Sperling wrote:
> On Tue, May 09, 2017 at 09:47:14PM +0200, Michele Curti wrote:
> > On Tue, May 09, 2017 at 09:36:02PM +0200, Michele Curti wrote:
> > > On Tue, May 09, 2017 at 10:20:03AM +0200, Michele Curti wrote:
> > > > Hi all, I tried to upgrade to OpenBSD 6.1 on an Asus X205TA (bay
> > > > trail, 32 bit efi, 64 bit os) but the bootloader does not correctly
> > > > detect the internal disk.
> > > > 
> > > > I also tried a fresh install, but things do not change.  Boot fails
> > > > and when I do a "machine diskinfo" I got a lot of "?" symbols (a video
> > > > here https://www.youtube.com/watch?v=fsomNX-oFTQ )
> > > > 
> > > > How can I debug the issue?
> > > > 
> > > 
> > > Compiling bootia32.efi :p
> > > 
> > > With sys/arch/amd64/stand/efiboot/efiboot.c revision 1.15 it works,
> > > revision 1.16 it fails.
> > > 
> > > I'll try to understand, thanks, Michele
> > 
> > 
> > With the following diff it works, bye!
> 
> Looks good to me. Is anyone handling this patch?
> 
> > Index: efiboot/efiboot.c
> > ===
> > RCS file: /cvs/src/sys/arch/amd64/stand/efiboot/efiboot.c,v
> > retrieving revision 1.17
> > diff -u -p -r1.17 efiboot.c
> > --- efiboot/efiboot.c   3 Mar 2017 08:56:18 -   1.17
> > +++ efiboot/efiboot.c   9 May 2017 19:44:30 -
> > @@ -92,7 +92,7 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TA
> > if (DevicePathType(dp) == MEDIA_DEVICE_PATH &&
> > DevicePathSubType(dp) == MEDIA_HARDDRIVE_DP) {
> > bios_bootdev = 0x80;
> > -   efi_bootdp = dp0;
> > +   efi_bootdp = dp;
> > break;
> > }
> > }
> > 
> 
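
Review bot: with `efi_bootdp = dp;` the saved pointer is the MEDIA_HARDDRIVE_DP node the loop stopped on instead of `dp0`, so `efi_bootdp` no longer refers to a path from its first node. Code that later compares `efi_bootdp` with another device path then has to start from the same node, or the comparison covers only the tail; either keep `dp0` and look at the comparison, or add a comment at the assignment stating that only the hard-drive node onward is kept and why that is enough.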

I don't think this is the correct fix.  It might solve your issue, but I
don't think it's completely right.  So EFI has those so called device
paths.  A path is basically a list of nodes.  To compare two paths you
need to compare the whole path and not just a single node of it.  If you
store dp instead of dp0 you will basically only save a part of the path,
not the full path.

What you can do is print the full path of efi_bootdp like..

for (dp = efi_bootdp; !IsDevicePathEnd(dp);
    dp = NextDevicePathNode(dp)) {
        printf("%x %x - ", DevicePathType(dp), DevicePathSubType(dp));
}
printf("\n");

And do the same for the DPs that are being put into the
efi_device_path_cmp function.  That will at least print the types, but
not the content of the nodes.  That's a start into figuring out why it
does not correctly compare the paths.

Maybe there's a bug in the compare code?
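
The point made above about comparing whole device paths rather than a single node, as an added example (not code from this thread or from OpenBSD's efiboot): a bounds-checked walk over the UEFI node layout, run on two constructed paths that differ only in their PCI node. The helper names (`dp_size`, `dp_find`, `dp_equal`, `build_path`) and all sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Node type/subtype values defined by the UEFI specification. */
#define DP_HARDWARE   0x01	/* with subtype DP_PCI: a PCI node */
#define DP_PCI        0x01
#define DP_MEDIA      0x04	/* MEDIA_DEVICE_PATH */
#define DP_HARDDRIVE  0x01	/* MEDIA_HARDDRIVE_DP */
#define DP_END        0x7f
#define DP_END_ENTIRE 0xff
#define DP_HDR        4		/* type, subtype, 16-bit little-endian length */

/* Length of one node, header included. */
static size_t node_len(const uint8_t *n)
{
	return n[2] | ((size_t)n[3] << 8);
}

/*
 * Bytes in the whole path, end node included. Returns 0 when a node is
 * shorter than its header (a zero length would stall the walk) or when the
 * path runs past buflen without reaching an end node.
 */
size_t dp_size(const uint8_t *path, size_t buflen)
{
	size_t off = 0;

	while (off + DP_HDR <= buflen) {
		const uint8_t *n = path + off;
		size_t len = node_len(n);
		if (len < DP_HDR || len > buflen - off)
			return 0;
		off += len;
		if (n[0] == DP_END && n[1] == DP_END_ENTIRE)
			return off;
	}
	return 0;
}

/* Offset of the first node with this type/subtype, or -1 if none/malformed. */
long dp_find(const uint8_t *path, size_t buflen, uint8_t type, uint8_t sub)
{
	size_t total = dp_size(path, buflen), off = 0;
	while (off < total) {
		if (path[off] == type && path[off + 1] == sub)
			return (long)off;
		off += node_len(path + off);
	}
	return -1;
}

/* Two paths are equal only if every node, in order, is byte-identical. */
int dp_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
	size_t sa = dp_size(a, alen), sb = dp_size(b, blen);
	return sa != 0 && sa == sb && memcmp(a, b, sa) == 0;
}

/* Append one node at buf+off and return the offset just past it. */
static size_t put(uint8_t *buf, size_t off, uint8_t type, uint8_t sub,
    const uint8_t *payload, size_t plen)
{
	buf[off] = type;
	buf[off + 1] = sub;
	buf[off + 2] = (uint8_t)(DP_HDR + plen);
	buf[off + 3] = 0;
	if (plen != 0)
		memcpy(buf + off + DP_HDR, payload, plen);
	return off + DP_HDR + plen;
}

/* Constructed sample path: PCI(function 0, device pci_dev) / HD(hd) / End. */
size_t build_path(uint8_t *buf, uint8_t pci_dev, const uint8_t *hd, size_t hdlen)
{
	uint8_t pci[2] = { 0, pci_dev };
	size_t off = put(buf, 0, DP_HARDWARE, DP_PCI, pci, sizeof(pci));
	off = put(buf, off, DP_MEDIA, DP_HARDDRIVE, hd, hdlen);
	return put(buf, off, DP_END, DP_END_ENTIRE, NULL, 0);
}

int main(void)
{
	static const uint8_t hd[38] = { 1 };	/* constructed: partition 1 */
	uint8_t a[64], b[64];			/* two controllers, same disk image */
	size_t off;

	build_path(a, 0x17, hd, sizeof(hd));	/* constructed device numbers */
	build_path(b, 0x14, hd, sizeof(hd));
	off = (size_t)dp_find(a, sizeof(a), DP_MEDIA, DP_HARDDRIVE);
	printf("whole paths equal: %d\n", dp_equal(a, sizeof(a), b, sizeof(b)));
	printf("from hard-drive node equal: %d\n",
	    dp_equal(a + off, sizeof(a) - off, b + off, sizeof(b) - off));
	return 0;
}
```

Started at the hard-drive node, the two constructed paths compare equal although they sit behind different PCI devices; compared from the first node they do not.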



Compaq nx6310 does not suspend/resume

2017-05-10 Thread Jan Stary
This is current/i386 on a Compaq nx6310 laptop (dmesg below).
Mostly works, but I experience trouble with suspend/resume.

apmd(8) is running with apmd_flags="-A", but closing the lid does nothing,
even though machdep.lidsuspend=1 and machdep.lidaction=1
Trying to suspend manually with Fn+F3 does nothing as well.
Trying to suspend with apm(8)'s options does this:

apm -S says

May 10 16:12:32 hp apmd: system entering standby
May 10 16:12:33 hp /bsd: uhub1 detached
May 10 16:12:33 hp /bsd: uhub2 detached
May 10 16:12:33 hp /bsd: uhub3 detached

and, presumably, goes into standby. The power led is blinking.
It will not resume: pressing the power button makes the power led
light up again, but that's it. Even the display backlight
stays turned off. The machine is not accessible remotely
and needs to be forcefully restarted.
/etc/apm/standby does not get called.

apm -z says

May 10 16:31:26 hp apmd: system suspending
May 10 16:31:28 hp /bsd: uhub1 detached
May 10 16:31:28 hp /bsd: uhub2 detached
May 10 16:31:28 hp /bsd: uhub3 detached

and, presumably, goes to suspend, but never resumes.
The symptoms are the same as with apm -S.
/etc/apm/suspend does not get called.

apm -Z puts the system into hibernation, and it works.
After pressing the power button, the machine boots,
and unhibernates at the end of the boot sequence.
/etc/apm/{hibernate,resume} get called.

How can I help debug this?

http://stare.cz/dmesg/compaq-nx6310.20170509
http://stare.cz/dmesg/compaq-nx6310.acpidump.tar
http://stare.cz/dmesg/compaq-nx6310.pcidump

Jan


OpenBSD 6.1-current (GENERIC) #0: Tue May  9 17:46:04 CEST 2017
h...@hp.stare.cz:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) M CPU 430 @ 1.73GHz ("GenuineIntel" 686-class) 1.73 
GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,PBE,NXE,SSE3,MWAIT,TM2,xTPR,PDCM,PERF,SENSOR
real mem  = 1601519616 (1527MB)
avail mem = 1558122496 (1485MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 04/17/07, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.4 @ 
0xf38eb (23 entries)
bios0: vendor Hewlett-Packard version "68YDU Ver. F.0D" date 04/17/2007
bios0: Hewlett-Packard 30AA
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC HPET APIC MCFG TCPA SSDT SSDT SSDT SSDT
acpi0: wakeup devices C096(S5) C0F1(S3) C0F8(S3) C0F9(S3) C0FA(S3) C0FB(S3) 
C102(S5) C22B(S5) C115(S5) C22C(S5) C118(S5) C22C(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 132MHz
cpu0: mwait min=64, max=64, C-substates=0.1.1.1, IBE
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpiprt0 at acpi0: bus 2 (C096)
acpiprt1 at acpi0: bus 8 (C102)
acpiprt2 at acpi0: bus 24 (C115)
acpiprt3 at acpi0: bus 32 (C118)
acpiprt4 at acpi0: bus 0 (C002)
acpiec0 at acpi0
acpicpu0 at acpi0: !C3(250@17 io@0x1015), !C2(500@1 io@0x1014), C1(1000@1 halt)
acpipwrres0 at acpi0: C1F0, resource for C1EC
acpipwrres1 at acpi0: C1FD, resource for C1F1
acpipwrres2 at acpi0: C21A, resource for C218
acpipwrres3 at acpi0: C222, resource for C121
acpipwrres4 at acpi0: C321, resource for C325
acpipwrres5 at acpi0: C322, resource for C326
acpipwrres6 at acpi0: C323, resource for C327
acpipwrres7 at acpi0: C324, resource for C328
acpitz0 at acpi0: critical temperature is 256 degC
acpitz1 at acpi0: critical temperature is 105 degC
acpitz2 at acpi0: critical temperature is 105 degC
acpitz3 at acpi0: critical temperature is 105 degC
acpitz4 at acpi0: critical temperature is 110 degC
"PNP0A06" at acpi0 not configured
"PNP0303" at acpi0 not configured
"SYN0112" at acpi0 not configured
"HPQ0006" at acpi0 not configured
acpibat0 at acpi0: C1BC model "Primary" serial 08083 2016/11/05 type LIon oem 
"Hewlett-Packard"
acpibat1 at acpi0: C1BB not present
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: C23F
acpibtn1 at acpi0: C238
"PNP0C14" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpivideo0 at acpi0: C083
bios0: ROM list: 0xc/0x1! 0xd/0x1000 0xd1000/0x1800
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945GM Host" rev 0x03
inteldrm0 at pci0 dev 2 function 0 "Intel 82945GM Video" rev 0x03
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0: apic 1 int 16
inteldrm0: 1024x768, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel 82945GM Video" rev 0x03 at pci0 dev 2 function 1 not configured
azalia0 

Why would I need a container like Docker?!

2017-05-10 Thread Martin Hanson
I have occasionally used virtualization (Qemu) for easy testing of some OS. I 
have also played around with "containers" using FreeBSD Jails and Linux LXC, 
but I have never ever thought of any of this as a security measurement or 
anything needed beyond testing.

When I want isolation I run a single box (or boxes) and install OpenBSD on the 
bare metal. Then I run whatever services are needed on that box or boxes. I 
would then deploy a network with isolated segments.

Now, everyone is telling me I should run Docker and a completely different 
setup.

I read up about Docker and found this:

  "Containers are a solution to the problem of how to get software to run 
reliably when moved from one computing environment to another. This could be 
from a developer's laptop to a test environment, from a staging environment 
into production and perhaps from a physical machine in a data center to a 
virtual machine in a private or public cloud."

  "Problems arise when the supporting software environment is not identical, 
says Solomon Hykes, the creator of Docker, "You're going to test using Python 
2.7, and then it's going to run on Python 3 in production and something weird 
will happen. Or you'll rely on the behavior of a certain version of an SSL 
library and another one will be installed. You'll run your tests on Debian and 
production is on Red Hat and all sorts of weird things happen."

  "And it's not just different software that can make a difference, he added, 
"The network topology might be different, or the security policies and storage 
might be different but the software has to run on it."

What the fuck?! Why in the world would anyone setup Debian as a testing 
environment and then use Red Hat on production?! And different network topology?

Are people really that stupid?

If people really are that stupid they shouldn't be allowed near a computer in 
the first place and certainly Docker or any container technology isn't going to 
solve their problems!

It seems like the OpenBSD project is about the only project left nowadays where 
people are still using their brains!



Re: OpenBSD and you

2017-05-10 Thread Peter N. M. Hansteen
On Wed, May 10, 2017 at 01:20:06PM +0300, Manolis Tzanidakis wrote:
> On Wed (10/05/17), Peter N. M. Hansteen wrote:
> > That was the first option that came to mind, and the one I may go for as 
> > a supplemental format *if* I can find a way to generate PDFs from this 
> > source format *and* get the page breaks right. The print preview is
> > available browsers does not leave much hope of that actually happening,
> > however.
> 
> You can give wkhtmltopdf (https://wkhtmltopdf.org/) a shot; it's in packages.
> 
> A quick test I ran:
> 
> $ wkhtmltopdf "https://home.nuug.no/~peter/openbsd_and_you/" output.pdf
> 
> produces nice results, but omits the titles. I guess adding ", sans-serif" in
> the "font-family" lines in your css should fix that, eg:
> 
> - body { font-family: 'Droid Serif'; }
> + body { font-family: 'Droid Serif', sans-serif; }

Thanks for a potentially useful set of suggestions!

The index.html that's out there now has that change in it. However, likely
due to some local silliness with fonts here I get missing italics (starting p 7)
and missing monospace in 'shell' environments or config listings starting a 
few pages later.

If you get better output, I'd be much indebted if you send me your pdf output 
so I can put it in place while I sort out the fonts issue. 

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Why would I need a container like Docker?!

2017-05-10 Thread Predrag Punosevac
Martin Hanson wrote:

> I have occasionally used virtualization (Qemu) for easy testing of some
> OS. I have also played around with "containers" using FreeBSD Jails
> and Linux LXC, but I have never ever thought of any of this as a
> security measurement or anything needed beyond testing.
> 
> When I want isolation I run a single box (or boxes) and install OpenBSD
> on the bare metal. Then I run whatever services are needed on that box
> or boxes. I would then deploy a network with isolated segments.
> 
> Now, everyone is telling me I should run Docker and a completely
> different setup.
> 
> I read up about Docker and found this:
> 
>   "Containers are a solution to the problem of how to get software to
> run reliably when moved from one computing environment to another.
> This could be from a developer's laptop to a test environment, from a
> staging environment into production and perhaps from a physical
> machine in a data center to a virtual machine in a private or public
> cloud."
> 
>   "Problems arise when the supporting software environment is not
> identical, says Solomon Hykes, the creator of Docker, "You're going to
> test using Python 2.7, and then it's going to run on Python 3 in
> production and something weird will happen. Or you'll rely on the
> behavior of a certain version of an SSL library and another one will
> be installed. You'll run your tests on Debian and production is on Red
> Hat and all sorts of weird things happen."
> 
>   "And it's not just different software that can make a difference, he
> added, "The network topology might be different, or the security
> policies and storage might be different but the software has to run on
> it."
> 
> What the fuck?! Why in the world would anyone setup Debian as a testing
> environment and then use Red Hat on production?! And different network
> topology?
> 

Let me give you an example. I run Red Hat on all our computing nodes and
clusters in the Lab. Among 90+ people in our crew we have deep-learning
guys who like to use shit like Caffe and TensorFlow

http://caffe.berkeleyvision.org/

https://www.tensorflow.org/

which is a research grade software. We even use shit like 

http://www.ros.org/

to collect data. 

Building such things on Ubuntu, let alone anything else on which the
software has not even been tested, can make a grown-up man cry. So guess
what my solution is. I use 

http://singularity.lbl.gov/

to run Ubuntu virtual kernel in Red Hat userland (to anybody familiar
with vkernel on DragonFly BSD this should sound familiar) and DOCKER to
install the software we need. Please don't try to read the documentation
for Singularity as the guy is in serious need of some kind of mental
help or at least a good technical writer on his team.


Our "deliverables" to many government agencies are Docker images. That
is the contract which pays mine and many other salaries.


Hopefully now it makes sense.


> Are people really that stupid?
> 

I am not a particularly bright guy but I never thought of myself as
stupid. Now that you have brought it to my attention, it makes perfect sense.
That is exactly the reason why I am struggling so much to produce any
publications.


Cheers,
Predrag

> If people really are that stupid they shouldn't be allowed near a
> computer in the first place and certainly Docker or any container
> technology isn't going to solve their problems!
> 
> It seems like the OpenBSD project is about the only project left
> nowadays where people are still using their brains!



Re: OpenBSD and you

2017-05-10 Thread R0me0 ***
Peter,

With a presentation like that, everyone is tempted to meet Mr. Puffy

Thank you for keeping it updated! ( ~6.1 )

It's an amazing job! You rock.

Cheers,





2017-05-10 7:20 GMT-03:00 Manolis Tzanidakis :

> On Wed (10/05/17), Peter N. M. Hansteen wrote:
> > That was the first option that came to mind, and the one I may go for as
> > a supplemental format *if* I can find a way to generate PDFs from this
> > source format *and* get the page breaks right. The print preview is
> > available browsers does not leave much hope of that actually happening,
> > however.
>
> You can give wkhtmltopdf (https://wkhtmltopdf.org/) a shot; it's in
> packages.
>
> A quick test I ran:
>
> $ wkhtmltopdf "https://home.nuug.no/~peter/openbsd_and_you/" output.pdf
>
> produces nice results, but omits the titles. I guess adding ", sans-serif"
> in
> the "font-family" lines in your css should fix that, eg:
>
> - body { font-family: 'Droid Serif'; }
> + body { font-family: 'Droid Serif', sans-serif; }
>
>


Re: CGI script to see collectd stats

2017-05-10 Thread Predrag Punosevac
Ajitabh Pandey wrote:

> Hello,
> 
> I am running Collectd server on my OpenBSD 6.1 box and various clients
> are
> sending stats to this box. I see /var/collectd that various RRDs are
> getting created. However, I am not sure what should I used to see the
> graphs. I looked at RRDCGI but it looks way complicated to setup. I
> could
> not find collectd-web package also.
> 
Hi,

I have been using Collectd for remote telemetry in my Lab for over 4
years and I have been running Collectd server on OpenBSD for the past
two. 

The lack of decent working front-end is the Achilles tendon of Collectd
which IMHO is eventually going to kill the project now when it is
becoming clear that Whisper has some advantages over RRD. Before I go
any further let me know what I do and what works really well. 


The best front end for Collectd is in fact Observium and its fork
LibreNMS which is in OpenBSD ports.

http://www.observium.org/

Observium's main polling protocol is SNMP. Setting up Observium/LibreNMS
is not trivial but it is not too difficult either. You can find my and
Stuart's discussion on misc on how to set up LibreNMS, which runs fairly well on
OpenBSD. His pkg-readme is a must! Before the LibreNMS fork which occurred
2 years ago I was using

https://www.turnkeylinux.org/observium

since Observium project explicitly doesn't support anything except
Ubuntu and Debian. Once you have Observium or LibreNMS polling your
devices displaying collectd graphs is just adding a line in the
Observium/Collectd config file which will point the application to the
location of RRD files gathered by collectd server. The only caveat is
that you have to poll the device to be able to see collectd button which
will take you to magnificent graphs. This did hurt me personally as I
don't SNMP poll KVM guests on one of my KVM hosts but I do have RRD data
for the guests via collectd KVM plugin. Another really big problem
with Observium/LibreNMS is the lack of a proxy which is needed for
monitoring devices behind firewalls. You don't have that problem with
collectd which works on the push principle. It is a bit of a problem for
me as I do have a private subnet behind somebody else's firewall.


Recently, a front-end for Collectd, called facette, has been added to
ports

http://openports.se/sysutils/facette

It is dead simple to set up but useless as each graph has to be created
manually from data. With my RRD folder containing close to 1500 files
that is just ridicules. Observium/LibreNMS automatically create graphs
for all available RRDs minus the KVM guest caveat.

The only other front-end for Collectd which actually works (at least for
me) is Collectd-web

https://collectd.org/wiki/index.php/File:Collectd-web.png

It does create graphs automatically for all available devices but the
quality of both interface and graphs is inferior compared to
Observium/LibreNMS.



I will finish this long post by bringing to your attention that Collectd
can send time-series directly to carbon-aggregator which in turn writes
it to Whisper. 

https://collectd.org/wiki/index.php/Plugin:Write_Graphite


That will enable you to see your time-series using Graphite-web (IIRC
doesn't run on OpenBSD). We have played in my Lab (machine
learning/statistical data-mining) with Graphite-web due to our internal
needs for a good tool for time-series display. I can tell you that
Graphite is second to none in what it does and we are using it for our
research (but not for infrastructure monitoring).

Best,
Predrag

P.S. I am looking forward to see what other people have to say about
this topic.




> Searching on web I see that for a non-chrooted web server there are
> straight forward scripts available. Most of the instructions are for
> linux.
> 
> I would prefer to use OpenBSD httpd and not resort to non-chrooted
> apache
> or nginx. I am finding it really difficult to find something suitable
> which
> works under chroot.
> 
> I am able to run a hello world cgi script in chroot.
> 
> If any of you guys have some information/config/tool etc to share for
> collectd graphs, it would be of great help.
> 
> Thanks & Regards.
> -- 
> Ajitabh Pandey



Re: [PATCH] Installer bug (MSDOS tildes)

2017-05-10 Thread Theo Buehler
On Wed, May 10, 2017 at 12:51:45PM +, Michal Bozon wrote:
> There was a "typo" in my patch, this should be a correct one:
> 
> --- /usr/src/distrib/miniroot/install.sub.ooo   Wed May 10 12:19:56 2017
> +++ /usr/src/distrib/miniroot/install.sub   Wed May 10 12:48:31 2017
> @@ -1804,7 +1804,7 @@
>  fi
>  
>  # Always mount msdos partitions with -s to get lower case names.
> -grep -q "^  $resp: .*MSDOS" $_file && _opts="-s"
> +grep -q "^  $resp: .*MSDOS" $_file && _opts="-l"
>  mount -o ro,$_opts /dev/$_dev$resp /mnt2
>  }
> 
> I am not sure why "-s" flag is used, maybe it fixed some problem,
> but it has introduced another one.

A similar diff was briefly committed in 1.750 for the reason you mention:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub#rev750
It was backed out again in
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub#rev752

> 
> MB
> 
> 
> On 2017-05-10 Wed 12:34, Michal Bozon wrote:
> > Hi,
> > there is a typo in install.sub
> > causing problems e.g. when removable FAT32 formatted
> > disk with installation files is attached,
> > and "disk" is selected as install media:
> > 
> > INSTALL.i386 not found ...
> > (because it is visible as instal~1.i38)
> > 
> > Directory does not contain SHA256.sig ...
> > (because it is visible as sha256.sig)
> > 
> > here is the patch:
> > 
> > --- /usr/src/distrib/miniroot/install.sub
> > +++ /usr/src/distrib/miniroot/install.sub
> > @@ -1805,7 +1805,7 @@
> >  
> >  # Always mount msdos partitions with -s to get lower case names.
> >  grep -q "^  $resp: .*MSDOS" $_file && _opts="-s"
> > -mount -o ro,$_opts /dev/$_dev$resp /mnt2
> > +mount -o ro $_opts /dev/$_dev$resp /mnt2
> >  }
> > 
> > 
> > regards,
> > Michal Bozon
> 



Re: CGI script to see collectd stats

2017-05-10 Thread Alceu Rodrigues de Freitas Junior

On 10/05/2017 07:54, Ajitabh Pandey wrote:

> Hello,
>
> I am running collectd server on my OpenBSD 6.1 box and various clients are
> sending stats to this box. I see /var/collectd that various RRDs are
> getting created. However, I am not sure what should I used to see the
> graphs. I looked at RRDCGI but it looks way complicated to setup. I could
> not find collectd-web package also.
>
> Searching on web I see that for a non-chrooted web server there are
> straight forward scripts available. Most of the instructions are for linux.
>
> I would prefer to use OpenBSD httpd and not resort to non-chrooted apache
> or nginx. I am finding it really difficult to find something suitable which
> works under chroot.
>
> I am able to run a hello world cgi script in chroot.
>
> If any of you guys have some information/config/tool etc to share for
> collectd graphs, it would be of great help.
>
> Thanks & Regards.



Can't help with your chroot requisite. But I did spend some time 
looking into that and can share something.


All (Perl) CGIs are something I don't recommend. First, they are 
CGIs, second, even if you're able to configure them you will get a lot 
of warnings because the CGI module in Perl is getting deprecated.


I went with rrdscout (Flask web application). It should be enough for 
your needs and uses a modern framework. On the other hand, I'm not sure 
it is being maintained anymore. I forked it on Github and generated an 
INSTALL document specific for OpenBSD:


https://github.com/glasswalk3r/rrdscout/blob/master/INSTALL-openbsd.txt

I had to install freetype from ports too to be able to generate 
readable charts from the RRD:


cd /usr/ports/print/freetype
make install
make clean
make clean=depends

Hope that helps you.

Regards,
Alceu



Re: OpenBSD 6.1: BOOTIA32 3.32 issue

2017-05-10 Thread Stefan Sperling
On Tue, May 09, 2017 at 09:47:14PM +0200, Michele Curti wrote:
> On Tue, May 09, 2017 at 09:36:02PM +0200, Michele Curti wrote:
> > On Tue, May 09, 2017 at 10:20:03AM +0200, Michele Curti wrote:
> > > Hi all, I tried to upgrade to OpenBSD 6.1 on an Asus X205TA (bay
> > > trail, 32 bit efi, 64 bit os) but the bootloader do not correctly
> > > detect the internal disk.
> > > 
> > > I also tried a fresh install, but things do not change.  Boot fails
> > > and when I do a "machine diskinfo" I got a lot of "?" symbols (a video
> > > here https://www.youtube.com/watch?v=fsomNX-oFTQ )
> > > 
> > > How can I debug the issue?
> > > 
> > 
> > Compiling bootia32.efi :p
> > 
> > With sys/arch/amd64/stand/efiboot/efiboot.c revision 1.15 it works,
> > revision 1.16 it fails.
> > 
> > I'll try to understand, thanks, Michele
> 
> 
> With the following diff it works, bye!

Looks good to me. Is anyone handling this patch?

> Index: efiboot/efiboot.c
> ===
> RCS file: /cvs/src/sys/arch/amd64/stand/efiboot/efiboot.c,v
> retrieving revision 1.17
> diff -u -p -r1.17 efiboot.c
> --- efiboot/efiboot.c 3 Mar 2017 08:56:18 -   1.17
> +++ efiboot/efiboot.c 9 May 2017 19:44:30 -
> @@ -92,7 +92,7 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TA
>   if (DevicePathType(dp) == MEDIA_DEVICE_PATH &&
>   DevicePathSubType(dp) == MEDIA_HARDDRIVE_DP) {
>   bios_bootdev = 0x80;
> - efi_bootdp = dp0;
> + efi_bootdp = dp;
>   break;
>   }
>   }
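Review bot: The `+` line stores `dp`, the node that has just matched `MEDIA_HARDDRIVE_DP`, in `efi_bootdp` where the `-` line stored `dp0`, and nothing in the hunk says which of the two the code that later reads `efi_bootdp` expects. Add a short comment at the assignment saying that `efi_bootdp` is meant to point at the hard-drive media node rather than at the start of the path, and confirm that the other users of `efi_bootdp`, which are outside this hunk, compare against a path that begins at that node.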
> 



Re: Why would I need a container like Docker?!

2017-05-10 Thread Alceu Rodrigues de Freitas Junior

On 10/05/2017 00:53, Martin Hanson wrote:

> I have occasionally used virtualization (Qemu) for easy testing of some OS. I have also 
> played around with "containers" using FreeBSD Jails and Linux LXC, but I have 
> never ever thought of any of this as a security measurement or anything needed beyond 
> testing.
>
> When I want isolation I run a single box (or boxes) and install OpenBSD on the 
> bare metal. Then I run whatever services are needed on that box or boxes. I 
> would then deploy a network with isolated segments.
>
> Now, everyone is telling me I should run Docker and a completely different 
> setup.
>
> I read up about Docker and found this:
>
>   "Containers are a solution to the problem of how to get software to run reliably 
> when moved from one computing environment to another. This could be from a developer's 
> laptop to a test environment, from a staging environment into production and perhaps from 
> a physical machine in a data center to a virtual machine in a private or public 
> cloud."
>
>   "Problems arise when the supporting software environment is not identical, says Solomon 
> Hykes, the creator of Docker, "You're going to test using Python 2.7, and then it's going 
> to run on Python 3 in production and something weird will happen. Or you'll rely on the 
> behavior of a certain version of an SSL library and another one will be installed. You'll run 
> your tests on Debian and production is on Red Hat and all sorts of weird things happen."
>
>   "And it's not just different software that can make a difference, he added, "The 
> network topology might be different, or the security policies and storage might be different 
> but the software has to run on it."
>
> What the fuck?! Why in the world would anyone setup Debian as a testing 
> environment and then use Red Hat on production?! And different network topology?
>
> Are people really that stupid?
>
> If people really are that stupid they shouldn't be allowed near a computer in 
> the first place and certainly Docker or any container technology isn't going to 
> solve their problems!
>
> It seems like the OpenBSD project is about the only project left nowadays where 
> people are still using their brains!



It seems you didn't read the documentation correctly. Do it again, 
especially because containers do have their own security issues.


After that, I'm sure you will understand what the given example is 
trying to achieve. You can use Debian as your (DEV/TEST) environment 
because the image used on Docker will be RedHat based, but using the 
kernel you're on. It is possible to do that, although it makes sense to 
use the same RedHat as well, at least for QA environments.


Containers (and Docker didn't start as a container itself, but as 
tooling to provide easy to use containers on Linux) are a different 
concept from VMs because you don't need to run an entire operating system 
just to get some isolation between applications. A container 
takes much less time to boot than a VM, for example, and should use fewer 
resources. Requirements are different too.


But those are not the only benefits. You should check about the relation 
of Docker and DevOps. As always, there is no silver bullet, but those 
practices make some things possible and even easier to implement.


On the other hand, yes, all those layers of abstraction (e.g. AWS) leave 
some IT professionals without really understanding what they are 
doing... if this will be really a problem in the future is something we 
will need to wait to see.




Re: [PATCH] Installer bug (MSDOS tildes)

2017-05-10 Thread Michal Bozon
There was a "typo" in my patch, this should be a correct one:

--- /usr/src/distrib/miniroot/install.sub.ooo   Wed May 10 12:19:56 2017
+++ /usr/src/distrib/miniroot/install.sub   Wed May 10 12:48:31 2017
@@ -1804,7 +1804,7 @@
 fi
 
 # Always mount msdos partitions with -s to get lower case names.
-grep -q "^  $resp: .*MSDOS" $_file && _opts="-s"
+grep -q "^  $resp: .*MSDOS" $_file && _opts="-l"
 mount -o ro,$_opts /dev/$_dev$resp /mnt2
 }
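Review bot: The comment kept as context directly above the changed `grep` line still says msdos partitions are mounted "with -s to get lower case names", while the `+` line now sets `_opts="-l"`, so comment and code contradict each other. Update the comment to name `-l` and give the reason long names are wanted here, and say in the submission whether anything relied on the lower-case names that `-s` produced, since this replaces that option rather than adding to it.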

I am not sure why "-s" flag is used, maybe it fixed some problem,
but it has introduced another one.

MB


On 2017-05-10 Wed 12:34, Michal Bozon wrote:
> Hi,
> there is a typo in install.sub
> causing problems e.g. when removable FAT32 formatted
> disk with installation files is attached,
> and "disk" is selected as install media:
> 
> INSTALL.i386 not found ...
> (because it is visible as instal~1.i38)
> 
> Directory does not contain SHA256.sig ...
> (because it is visible as sha256.sig)
> 
> here is the patch:
> 
> --- /usr/src/distrib/miniroot/install.sub
> +++ /usr/src/distrib/miniroot/install.sub
> @@ -1805,7 +1805,7 @@
>  
>  # Always mount msdos partitions with -s to get lower case names.
>  grep -q "^  $resp: .*MSDOS" $_file && _opts="-s"
> -mount -o ro,$_opts /dev/$_dev$resp /mnt2
> +mount -o ro $_opts /dev/$_dev$resp /mnt2
>  }
> 
> 
> regards,
> Michal Bozon



Re: PF queueing confusion

2017-05-10 Thread Daniel Melameth
On Wed, May 10, 2017 at 4:47 AM, Gabriele Tozzi  wrote:
> I have a quite simple pf setup: I have defined 3 queues for my external
> interface in my pf.conf:
>
> queue ext on $Ext bandwidth 900K
> queue  normal parent ext bandwidth 386K, max 850K qlimit 10 default
> queue  high parent ext bandwidth 193K qlimit 10
> queue  low parent ext bandwidth 193K, max 540Kb qlimit 10
>
> I have noticed that the "high" queue got the wide majority of traffic,
> so I have removed all the rules referencing it from pf.conf and,
> surprisingly, this is the result after reloading the ruleset:
>
> # pfctl -s queue -v
>   [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:
>  0 ]
>   [ qlength:   0/ 50 ]
> queue ext on pppoe0 bandwidth 900K qlimit 50
>   [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:
>  0 ]
>   [ qlength:   0/ 50 ]
> queue normal parent ext bandwidth 386K, max 850K default qlimit 10
>   [ pkts:   1555  bytes: 130921  dropped pkts:  0 bytes:
>  0 ]
>   [ qlength:   0/ 10 ]
> queue high parent ext bandwidth 193K qlimit 10
>   [ pkts:  19303  bytes:   28319771  dropped pkts:179 bytes:
> 255401 ]
>   [ qlength:   0/ 10 ]
> queue low parent ext bandwidth 193K, max 540K qlimit 10
>   [ pkts:   4863  bytes:4044635  dropped pkts:487 bytes:
> 176124 ]
>
> Still a lot of data is sent through the "high" queue, even if no rules
> in pf.conf is referencing it. As a counter-proof, I can remove the queue
> creation line from pf.conf and reload the ruleset without triggering any
> error, so the queue is definitely not referenced.
>
> What could be wrong?

You'll have to post your pf.conf.



Re: Why would I need a container like Docker?!

2017-05-10 Thread Jiri B
On Wed, May 10, 2017 at 05:53:07AM +0200, Martin Hanson wrote:
> [... pathetic screaming ...]

Pathetic screaming doesn't help anything.

And... there already has been an interest in zones/containers
in OpenBSD, see https://marc.info/?l=openbsd-tech&m=144617514431852&w=2

j.



[PATCH] Installer bug (MSDOS tildes)

2017-05-10 Thread Michal Bozon
Hi,
there is a typo in install.sub
causing problems e.g. when removable FAT32 formatted
disk with installation files is attached,
and "disk" is selected as install media:

INSTALL.i386 not found ...
(because it is visible as instal~1.i38)

Directory does not contain SHA256.sig ...
(because it is visible as sha256.sig)

here is the patch:

--- /usr/src/distrib/miniroot/install.sub
+++ /usr/src/distrib/miniroot/install.sub
@@ -1805,7 +1805,7 @@
 
 # Always mount msdos partitions with -s to get lower case names.
 grep -q "^  $resp: .*MSDOS" $_file && _opts="-s"
-mount -o ro,$_opts /dev/$_dev$resp /mnt2
+mount -o ro $_opts /dev/$_dev$resp /mnt2
 }
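Review bot: On the `+` line, replacing the comma in `-o ro,$_opts` with a space takes `$_opts` out of the `-o` option list, so the `-s` assigned on the `grep` line above is handed to mount as a separate argument instead of as a mount option, and the `-s` itself is still set. If the aim is to stop forcing short names, change the `_opts="-s"` assignment and keep the `ro,$_opts` form, and update the "Always mount msdos partitions with -s" comment to match.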


regards,
Michal Bozon



Re: smtpd aliases file issue

2017-05-10 Thread Gilles Chehade
On Wed, May 10, 2017 at 04:32:55PM +0530, Ajitabh Pandey wrote:
> 
> Is my understanding about how this should work incorrect? If not then what
> am I doing wrong?
> 

What you are doing wrong is not showing your configuration file so we're
able to check if it does what you think it is doing


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg



Re: smtpd aliases file issue

2017-05-10 Thread Edgar Pettijohn
Did you restart smtpd?


On May 10, 2017, 6:03 AM, at 6:03 AM, Ajitabh Pandey  
wrote:
>Hello,
>
>On an OpenBSD 6.1, I have default smtpd setup.
>
>I placed a .forward file in root's home and am able to receive the
>emails
>on an external address.
>
>I then removed the .forward from root's home and then placed a .forward
>in
>the home directory of normal user account (say user01). Emails directly
>send to user01 are being forwarded to external email address as
>expected.
>
>Next I edited the /etc/mail/aliases file and uncomment the line with
>root's
>name in it and placed an entry like -
>
>root: user01
>
>After saving the file, I ran newaliases to generate
>/etc/mail/aliases.db
>file.
>
>This should forward all email's destined for root to user01 and
>consequently to external email address as user01's home has a .forward
>file
>in it.
>
>This is not happening. Any email sent to root is being delivered to the
>mailbox of root and the smtpd logs in /var/log/maillog confirmed the
>same.
>
>If my understanding about how this should work incorrect? If not then
>what
>am I doing wrong?
>
>Thanks and Regards.
>--
>Ajitabh Pandey
>http://ajitabhpandey.info/


smtpd aliases file issue

2017-05-10 Thread Ajitabh Pandey
Hello,

On an OpenBSD 6.1, I have default smtpd setup.

I placed a .forward file in root's home and am able to receive the emails
on an external address.

I then removed the .forward from root's home and then placed a .forward in
the home directory of normal user account (say user01). Emails directly
sent to user01 are being forwarded to external email address as expected.

Next I edited the /etc/mail/aliases file and uncommented the line with root's
name in it and placed an entry like -

root: user01

After saving the file, I ran newaliases to generate /etc/mail/aliases.db
file.

This should forward all emails destined for root to user01 and
consequently to external email address as user01's home has a .forward file
in it.

This is not happening. Any email sent to root is being delivered to the
mailbox of root and the smtpd logs in /var/log/maillog confirmed the same.

Is my understanding about how this should work incorrect? If not then what
am I doing wrong?

Thanks and Regards.
-- 
Ajitabh Pandey
http://ajitabhpandey.info/


CGI script to see collectd stats

2017-05-10 Thread Ajitabh Pandey
Hello,

I am running collectd server on my OpenBSD 6.1 box and various clients are
sending stats to this box. I see /var/collectd that various RRDs are
getting created. However, I am not sure what should I used to see the
graphs. I looked at RRDCGI but it looks way complicated to setup. I could
not find collectd-web package also.

Searching on web I see that for a non-chrooted web server there are
straight forward scripts available. Most of the instructions are for linux.

I would prefer to use OpenBSD httpd and not resort to non-chrooted apache
or nginx. I am finding it really difficult to find something suitable which
works under chroot.

I am able to run a hello world cgi script in chroot.

If any of you guys have some information/config/tool etc to share for
collectd graphs, it would be of great help.

Thanks & Regards.
-- 
Ajitabh Pandey
http://ajitabhpandey.info/


PF queueing confusion

2017-05-10 Thread Gabriele Tozzi
Hello there,

I have noticed some weirdness when using "pfctl -s queue -v" so I have
decided to investigate.

I have a quite simple pf setup: I have defined 3 queues for my external
interface in my pf.conf:

queue ext on $Ext bandwidth 900K
queue  normal parent ext bandwidth 386K, max 850K qlimit 10 default
queue  high parent ext bandwidth 193K qlimit 10
queue  low parent ext bandwidth 193K, max 540Kb qlimit 10

I have noticed that the "high" queue got the wide majority of traffic,
so I have removed all the rules referencing it from pf.conf and,
surprisingly, this is the result after reloading the ruleset:

# pfctl -s queue -v
  [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:
 0 ]
  [ qlength:   0/ 50 ]
queue ext on pppoe0 bandwidth 900K qlimit 50
  [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:
 0 ]
  [ qlength:   0/ 50 ]
queue normal parent ext bandwidth 386K, max 850K default qlimit 10
  [ pkts:   1555  bytes: 130921  dropped pkts:  0 bytes:
 0 ]
  [ qlength:   0/ 10 ]
queue high parent ext bandwidth 193K qlimit 10
  [ pkts:  19303  bytes:   28319771  dropped pkts:179 bytes:
255401 ]
  [ qlength:   0/ 10 ]
queue low parent ext bandwidth 193K, max 540K qlimit 10
  [ pkts:   4863  bytes:4044635  dropped pkts:487 bytes:
176124 ]

Still a lot of data is sent through the "high" queue, even if no rules
in pf.conf is referencing it. As a counter-proof, I can remove the queue
creation line from pf.conf and reload the ruleset without triggering any
error, so the queue is definitely not referenced.

What could be wrong?

Thank You

-- 
GPG Key Fingerprint:
DAD1 E3E3 C3E9 36FB C570 F405 9B5F 7108 A1D0 2FFF



Re: OpenBSD and you

2017-05-10 Thread Manolis Tzanidakis
On Wed (10/05/17), Peter N. M. Hansteen wrote:
> That was the first option that came to mind, and the one I may go for as 
> a supplemental format *if* I can find a way to generate PDFs from this 
> source format *and* get the page breaks right. The print preview is
> available browsers does not leave much hope of that actually happening,
> however.

You can give wkhtmltopdf (https://wkhtmltopdf.org/) a shot; it's in packages.

A quick test I ran:

$ wkhtmltopdf "https://home.nuug.no/~peter/openbsd_and_you/" output.pdf

produces nice results, but omits the titles. I guess adding ", sans-serif" in
the "font-family" lines in your css should fix that, eg:

- body { font-family: 'Droid Serif'; }
+ body { font-family: 'Droid Serif', sans-serif; }



Re: ThinkPad x250 with USB DAC (Audioquest DragonFly v1.2)

2017-05-10 Thread Stuart Henderson
On 2017-05-09, Caolan McMahon  wrote:
> I recently installed OpenBSD 6.1 on my Lenovo ThinkPad x250. I use a
> USB DAC to listen to music because the built-in laptop audio is
> terrible.

That's useful information, the internal audio on older Thinkpads is
pretty good so that's another reason not to get a newer one :)

> OpenBSD appears to detect the USB audio device, but is unable to play
> any sound through it. I've seen similar posts on this list regarding
> USB 2.0 audio devices and various internal USB hub combinations
> causing issues, and I'm wondering if this device + laptop combination
> is a lost cause?

Is there a way to disable USB3 in bios?




Re: Packet in and out on the same eithernet port.

2017-05-10 Thread Stuart Henderson
On 2017-05-09, Peter Fraser  wrote:
> Because of one user's misconfiguration of Microsoft's Hyper-V, his
> virtual machines were not getting the results of arp. As a result
> of that configuration all the packets going to machines on the same
> subnetwork were going to the default gateway. The default gateway was an
> OpenBSD 6.1 server. OpenBSD very slowly forwarded the packets back out the
> same if (an em0) and the packets got to where they were supposed to go.

That's normal routing, I don't know why it's slow though.

> A long time ago I tried to redirect, using pf, an external ip
> address back to an internal ip address. It did not work, and I believe I
> was told it could not work. So I am surprised that the above was working
> at all. I also don't understand why it was so slow.

This works fine, but you have to NAT as well as redirect.

Assume the following addresses:

PF machine internal 10.0.0.1, external 192.0.2.1
Original machine internal 10.0.0.100
Target internal 10.0.0.200, external 172.16.1.1

With just rdr:

Original machine -> PF      10.0.0.100 -> 172.16.1.1
PF -> rdr target            10.0.0.100 -> 10.0.0.200
rdr target -> original      10.0.0.200 -> 10.0.0.100  sent directly

The original machine doesn't accept the packet because it's expecting the
source address to be the *external* one it sent it to.

What should happen is that the packet goes back to PF to be "un-translated".
With rdr and nat:

Original machine -> PF      10.0.0.100 -> 172.16.1.1
PF -> rdr target            10.0.0.1   -> 10.0.0.200
rdr target -> PF            10.0.0.200 -> 10.0.0.1
PF -> original              172.16.1.1 -> 10.0.0.100
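
The rdr-plus-nat arrangement described in the message above, written as pf.conf rules. This is an added example, not part of the original post: the addresses are the ones from the message, while the interface name, the /24 prefix, TCP and port 80 are assumptions.

```pf
# Added example (not from the thread). Addresses are those used in the
# message above; interface name, prefix length, protocol and port are assumed.
int_if     = "em0"          # internal interface of the PF machine (assumed)
int_net    = "10.0.0.0/24"  # internal subnet (assumed prefix length)
pf_int     = "10.0.0.1"     # PF machine, internal address
target_ext = "172.16.1.1"   # address the internal clients connect to
target_int = "10.0.0.200"   # internal address of the target

# Redirect: rewrite the destination of connections arriving from the
# internal network. With only this rule the target sees source 10.0.0.100
# and answers it directly, so the original machine drops the reply.
pass in on $int_if inet proto tcp from $int_net to $target_ext port 80 \
    rdr-to $target_int

# NAT: when the redirected connection leaves again on the interface it
# arrived on, rewrite the source to PF's own internal address. The target
# then replies to 10.0.0.1 and PF reverses both translations from its state.
pass out on $int_if inet proto tcp to $target_int port 80 \
    received-on $int_if nat-to $pf_int
```

The `received-on` match keeps the source rewrite limited to connections that entered on the internal interface, so other traffic to the target keeps its real source address in the target's logs.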




Re: With Multiple PPPoE interfaces on one will work

2017-05-10 Thread Gregory Edigarov

Hi,
Before anything, it is necessary to provide a definition of "not working" 
and some evidence, like ifconfig, netstat -rn, ping, etc. Then somebody 
will be able to help you.
The more information you provide, the quicker you will get a response 
with a solution.



On 10.05.17 07:53, Steve wrote:

  Hello,
In 5.7 it was possible to have multiple pppoe interfaces active and working.
This used to work fine with ifstated monitoring for outage and changing
routing appropriately.
In either 5.8 or 5.9 this seems to have stopped working.
With both interfaces configured only one interface will ever become active.
I am unable to test with 6.0 or 6.1 at the moment.
Is anyone familiar with this issue?
Can anyone confirm if this is resolved in 6.0 or 6.1?
Thank you.




Re: problem with external disk on 6.1

2017-05-10 Thread Kirill
small add on:
this happens only when plug device on a working machine (if device
recognized while system boot, it acts normal)
And if unplug it later half (physically) and plug again it works ok.


On 05/04/17 16:10, Kirill wrote:
> Hello!
> There is a problem with my WD external disk on 6.1. on 6.0 there are no
> problems.
> 
> dmesg:

Re: OpenBSD and you

2017-05-10 Thread Peter N. M. Hansteen
On Wed, May 10, 2017 at 10:32:13AM +0500, Артур Истомин wrote:
 
> I think the workaround is using the PDF format. It's supported now by all
> modern browsers. It's an open cross-platform standard, simple to store,
> and can be opened not only in browsers (obviously).

That was the first option that came to mind, and the one I may go for as 
a supplemental format *if* I can find a way to generate PDFs from this 
source format *and* get the page breaks right. The print preview in
available browsers does not leave much hope of that actually happening,
however.

The primary purpose here is, and will remain, to have the presentation look
nice on any screen that's conveniently available while I do the presentation. 

If I can find a reasonably automatic way to render this without javascript
that's a nice bonus, and I'll keep looking to the extent that it does not
seriously disrupt other things I need to get done.

The in-browser print preview method is simply not a practical option. 
And reverting to the previous powerpoint clone rubbish is right out. If I do
find a workable option, I'll let you all know.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: OpenBSD and you

2017-05-10 Thread Артур Истомин
On Tue, May 09, 2017 at 10:22:21PM +0200, Peter N. M. Hansteen wrote:
> And I was just reminded off-list that the remark markdown variant
> (https://github.com/gnab/remark) used for this presentation requires
> javascript enabled in your browser.
> 
> Sorry about that.
> 
> I'll be looking into workarounds, hopefully some can be found.

I think the workaround is using the PDF format. It's supported now by all
modern browsers. It's an open cross-platform standard, simple to store,
and can be opened not only in browsers (obviously).

> 
> - Peter
> -- 
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>