Re: IPv6 with wide-dhcpv6
On Sat, Jul 15, 2017 at 2:17 AM, Stuart Henderson wrote:
> On 2017-07-14, David Higgs wrote:
> > Comcast provides me with IPv6 via DHCPv6, which I've finally tried to
> > configure on my OpenBSD 6.1 router. I am having difficulty maintaining my
> > IPv6 public IP address when using the wide-dhcpv6 package when in client
> > mode.
>
> Switch to dhcpcd, which has a workaround for the vltime/pltime bug, or
> use a snapshot, where it has been fixed. Or both.
>
> > - Is there a security/quality preference between wide-dhcpv6 and dhcpcd? I
> > notice that dhcp6c doesn't appear to support a dedicated chroot/user...
>
> dhcpcd is more modern and actively maintained. I'm not aware of any
> client that does DHCPv6-PD that has privsep though.
>
> > - Does the project have any near-term plans to write a DHCPv6 daemon to
> > live in base?
>
> I'm not aware of any.
>

After a good amount of trial and error, it appears that Comcast will only
dole out a single /128 via DHCPv6. Annoying but easy enough to work around
with pf(4) nat-to and some static RFC 4193 prefixes. No apparent problems
when running dhcpcd.

FWIW, I did notice that sometimes my upstream link does not have the
accept_rtadv flag set (as per ndp -i $INTF), but I haven't investigated
this in depth.

Thanks!

--david
Good looking fonts in Java apps
Hi Guys,

I am running a Java app launched by javaws (IcedTea-web) and am finding the
fonts terrible, does anyone know how I can get better anti-aliased fonts?

I have installed all the good ttf fonts from Google (Noto, Droid, Freetype
etc.) which have made my Gnome3 desktop a bit nicer, it is really just Java
apps now ..

On the same issue, IcedTea seems to run my app very slowly, at least compared
to Oracle javaws on Linux, any helpers there would also be appreciated.

Cheers,
Bernie
Re: Best place for VM images
On Tue, Jul 18, 2017 at 01:52:53AM +0200, Leo Unglaub wrote:
> Hey friends,
> what is the best/recommended place to store the vmm images. In man 5 vm.conf
> is an example with /var/vmm/, is this the best location?
>
> Also if /var/vmm is its own partition, what would be the best mount options
> for it. I would assume nodev, nosuid are good.
>
> Any recommendations?
> Thanks and greetings
> Leo
>

I've been putting mine in a dedicated partition. /var/vmm should probably
be its own partition if used. nodev, nosuid are probably good choices there
too.

-ml
Re: AMD64 modern laptop recommendation
Radoslav_Mirza writes:
> To congratulate myself for 2 years of not smoking I want to buy a new
> medium to high end laptop and install only OpenBSD on it.
>
> Does anyone run OpenBSD on a brand new laptop with good support?

This was posted recently: https://jcs.org/2017/07/14/matebook

I think with any "brand new" laptop you're going to find various things
that are not (yet) supported.

Allan
AMD64 modern laptop recommendation
Dear Group,

To congratulate myself for 2 years of not smoking I want to buy a new
medium to high end laptop and install only OpenBSD on it.

Does anyone run OpenBSD on a brand new laptop with good support?

Any recommendations.

Cheers!

Sent from ProtonMail mobile
Re: Compiling Linux source on OpenBSD
> On Jul 17, 2017, at 7:12 PM, Bernard Mentink wrote:
>
> Hi all,
>
> This is my first time on OpenBSD and am really loving it. I had my HP
> Pavilion desktop booting into a Gnome3 desktop in no time (.. had so many
> issues trying to boot FreeBSD, gave up)
>
> My question is regarding compiling Linux code. I have some tools for
> programming FPGAs which I would really like to do on BSD, i.e. the likes of
> IceStorm tools and Yosys ... etc
> They are not in the Repo or in Ports so don't have much option but to try
> and compile from linux which failed of course with lots of errors the
> first time I tried.
>
> Are there any guidelines for porting this stuff?
>
> Cheers,
> Bernie

See if this handbook provides any help.

https://www.openbsd.org/faq/ports/
Compiling Linux source on OpenBSD
Hi all,

This is my first time on OpenBSD and am really loving it. I had my HP
Pavilion desktop booting into a Gnome3 desktop in no time (.. had so many
issues trying to boot FreeBSD, gave up)

My question is regarding compiling Linux code. I have some tools for
programming FPGAs which I would really like to do on BSD, i.e. the likes of
IceStorm tools and Yosys ... etc
They are not in the Repo or in Ports so don't have much option but to try
and compile from linux which failed of course with lots of errors the
first time I tried.

Are there any guidelines for porting this stuff?

Cheers,
Bernie
Best place for VM images
Hey friends,
what is the best/recommended place to store the vmm images. In man 5 vm.conf
is an example with /var/vmm/, is this the best location?

Also if /var/vmm is its own partition, what would be the best mount options
for it. I would assume nodev, nosuid are good.

Any recommendations?
Thanks and greetings
Leo
Httpd Content-Length with NextCloud
Hello guys,

not sure if it's a bug or not. But trying to contribute.

I am running OpenBSD 6.1 stable branch

When downloading a large file from a poor connection, i.e. 100 kbps
(I don't have time remaining), I notice that OpenBSD HTTPD does not set
Content-Length and the connection is unexpectedly closed.

I tried to move to Nginx just to test. The Content-Length is set and the
file is downloaded normally.

Any thoughts/directions and workarounds are very appreciated.

Thanks in advance
growisofs hanging on "closing disc"
Burning a .iso file to DVD as described in the FAQ:

# growisofs -dvd-compat -Z /dev/rcd0c=my_iso_file.iso

the process hangs at "closing disc"

[...]
3427401728/3577901056 (95.8%) @14.3x, remaining 0:10 RBU 100.0% UBU 94.4%
3494150144/3577901056 (97.7%) @14.4x, remaining 0:05 RBU 100.0% UBU 95.1%
3561422848/3577901056 (99.5%) @14.5x, remaining 0:01 RBU  49.1% UBU 95.8%
builtin_dd: 1747024*2KB out @ average 10.3x1352KBps
/dev/rcd0c: flushing cache
/dev/rcd0c: updating RMA
/dev/rcd0c: closing disc

top(1) shows:

  PID USERNAME PRI NICE  SIZE   RES STATE    WAIT     TIME    CPU COMMAND
90416 root       2  -20   33M   43M sleep/0  poll     0:13  0.00% growisofs

If I force kill the growisofs process, I can eject the DVD and it is usable.

I'm running 6.1 release w/syspatches.

What other info would be useful?

Allan
Re: Verified auth tty ioctl()s implementation details
multiplex'd wrote:
> From an end-user standpoint, this means that if a user has run a
> privileged command using sudo and then (within the timeout) runs a
> script which itself calls sudo, then they will not be prompted to
> enter a password as the script is running with the same foreground
> process group on the controlling terminal as the first invocation.
> However, in the same scenario, doas would prompt for a password
> when it is invoked from within the script, as its parent process ID
> is different when running under an interactive user shell from when
> it's executed in a shell script. (This can also be observed when
> building ports with SUDO=doas, as doas is invoked at various points
> in the build process under different make (sub)processes, which
> results in doas prompting for a password many times.)
>
> Now, I am running on the assumption that these ioctl()s were
> implemented as a kernel-side component of doas's "password timeout"
> functionality as observed when using the "persist" configuration
> keyword. From that, my question is whether there is any particular
> reason for recording the parent process ID in particular as part of
> the cookie stored by the persistent authentication ioctl() as opposed
> to the process group ID of the calling process's session leader, as
> with sudo.

Yes, the difference is intentional. For pretty much exactly the reason you
noticed, although perhaps with the opposite result.

A successful authentication is not meant to be inherited by any random
program or script you run. A) because vague security concerns, but also
B) because I think it's weird that a script maybe works if it runs fast
enough, but fails if it takes five minutes to get to doas. Like
"make; doas make install" works on a fast machine but fails unexpectedly on
a slower machine.

A more robust approach to this problem is to invert privilege. Start as
root, then drop to another user.
CVS: tag exploration
Hi,

I'd like to backfill the changes in 6.1 to https://openbsd.org/plus61.html
and update https://openbsd.org/plus.html, but I faced a little problem: how
do I find out the last revision number before the pre-release code freeze?
Those revisions must be tagged, but, apparently, cvs(1) doesn't provide any
way to get a tag list or see some info on tag. Do I miss something?
Re: Choice of sis(4) versus vr(4) ?
On Mon, Jul 17, 2017 at 09:07:04PM +0300, Lars Noodén wrote:
> I'm looking to refurbish an old device and will probably add a network
> card to it. Are there any reasons based on the current drivers or the
> hardware itself to choose sis(4) or vr(4) over one or the other on
> i386 -current?
>

They are both similarly bad. I think it would not matter which one you use.

--
:wq Claudio
Choice of sis(4) versus vr(4) ?
I'm looking to refurbish an old device and will probably add a network
card to it. Are there any reasons based on the current drivers or the
hardware itself to choose sis(4) or vr(4) over one or the other on
i386 -current?

Regards,
Lars
Getting Dell RAID status via SNMP
Hi folks,

On HP HW we can query the RAID status of a system remotely with snmpwalk on

.1.3.6.1.4.1.30155.2.1.2.1.5.3

And you get back a status of one of the following 3:

- online
- pfail
- rebuild

Works great!

I cannot find a RAID status on a Dell though. I do a walk of

1.3.6.1.4.1.30155

And save it to a file and look through it but do not see anything obviously
to do with RAID status. Maybe it is a numeric field?

Anyone?

Thanks.
Re: Security report with mail permissions
Thank you for your answer Ingo. I'll reconfigure my mailbox to use text only

On Sunday, 16 July 2017 at 18:45, Ingo Schwarze wrote:

Hi Mik,

not quoting anything because your posting is too ill-formatted.

Yours is a frequently answered question. The directory /var/mail/
is intended for individual user mailboxes. If you need a directory
for a different purpose - like mailbox subhierarchies for virtual
domains - create a different directory.

If you want to do daily checks on that different directory checking
for a different format, implement your own checks in daily.local(8).

Yours,
Ingo
Re: OpenBSD as Open Networking OS
Thanks for your input. I get the point with the closed ASICs. I wasn't aware
of that and it explains why there is even no OpenWRT, pfsense etc. support
for these devices, sad.

best
Thomas

2017-07-17 11:45 GMT+02:00 Reyk Floeter:
> Yes, I'm very interested in this but there is no "open" hardware.
>
> As Mischa mentioned, all of the platforms need vendor drivers
> and AFAIK all of them are gigantic and non-free *.
>
> OpenFlow is an alternative to control switches in a standard way
> without direct access to the switch chipsets, but it is a long way to
> get switchd(8) to this point. And it has limitations, of course.
>
> *) let me know if I'm wrong.
>
> Reyk
>
>> On 17.07.2017, at 11:00, miraculli . wrote:
>>
>> Hi misc,
>>
>> I just read about a trending topic: SDN and Open Networking.
>> The principal idea behind Open Networking is to allow the customer
>> to install a custom OS to switch-hardware.
>> The main software player in this business seems to be a penguin OS
>> called: Cumulus
>> There is also an overview of devices that are able to install a custom OS:
>>
>> https://cumulusnetworks.com/products/hardware-compatibility-list/
>>
>> Is there any experience using OpenBSD in this domain and with this
>> kind of hardware?
>>
>> Thanks
>> Thomas
>>
>

--
+49.179.1448024
Karl-Kunger-Straße 68
D - 12435 Berlin
Re: syspatch glitch
On Mon, Jul 17, 2017 at 12:04:19PM +0200, Raimo Niskanen wrote:
> It seems syspatch looks at the current machine capabilities instead of
> which kernel is running when it decides on if /bsd is /bsd.sp or /bsd.mp.

Hi.

> I tried to install OpenBSD 6.1 to a USB connected CF card that later will
> run in an alix2d13 that has got one core, but I did the installation from
> a laptop with two cores. Both i386.
>
> Then I moved /bsd to /bsd.mp and /bsd.sp to /bsd since the installer had
> detected that the install machine should run /bsd.mp.
>
> After that I ran syspatch, still on the laptop, and it failed on patch 002
> with as I remember tar complaining on not being able to find /bsd.sp.

If you run syspatch on the laptop then what you call the running kernel is
the one that booted (i.e. the one on the laptop). That's perfectly normal
and as you saw this is what the installer does as well.

> Restoring /bsd to /bsd.sp and /bsd.mp to /bsd allowed me to syspatch the
> installation, and after that it seems both /bsd (.mp) and /bsd.sp are
> patched, so I can hopefully change the kernels just before putting the CF
> card in the Alix instead, so no harm done.
>
> But is it by design that syspatch looks at the running machine instead of
> the running kernel? I would have expected it the other way around...

Why would you expect that? The installation was done on an MP system.
The running machine and running kernel are the same in your setup.

What you want to do instead is run syspatch from rc.firsttime on your Alix.

Kernel handling is tricky because we need to handle 2 different kernels
and kernel is usually the thing people like to fuck with...

--
Antoine
Re: Restoring /altroot
On 07/17/17 05:50, Raimo Niskanen wrote:
> On Fri, Jul 14, 2017 at 10:46:14PM -0400, Nick Holland wrote:
>> On 07/14/17 09:00, Raimo Niskanen wrote:
>> > Hi misc@.
>> >
>> > I wonder how to restore from an /altroot backup?
>> >
>> > (I missed that pax -r happily writes absolute paths and wrote over
>> > /etc from a backup file of another machine)
>> >
>> >
>> > Is it to dd(1) back all but the first 16 blocks - the reverse of what
>> > daily(8) does? Is that all that is needed?
>>
>> don't...
>>
>> > (I missed to skip the first 16 blocks, and I used the block devices instead
>> > of the character devices. The result was a vegetable, and would like to
>> > understand which of my mistakes that were fatal.)

probably worth answering why this failed...

1) The first 16 blocks are where the disklabel is hiding on the first
partition (usually, 'a'). Blindly copy over a disklabel from the wrong
disk, you will blow away your current disklabel. BEST case (both disks
have the exact same layout), you just changed the DUID of your target
disk.

2) writing to sd0a/wd0a instead of rsd0a/rwd0a just drops the data in the
wrong place. This error probably saved your disklabel, so it's a good
error to combine with the first. Didn't help anything, but kept the
damage from being worse.

>> yeah, that's why. It CAN work, but ... it is the hard way and it's
>> error prone.
>>
>> better way: let's say sd1k is your /altroot...
>>
>> # mount /dev/sd1k /altroot
>>
>> now...it's just a normal file system on a normal place. Copy out
>> whatever you want. umount it when done, please.
>>
>> Nick.
>
> Yes, thank you! That is the safe way. In this case I wanted to get rid
> of all files that my pax fumbling had put there, so I wanted to clear the
> root filesystem and copy back all from /altroot. But then I also would
> have to run installboot on the restored root filesystem, right?
>
> Is that the right(tm) way to do it?

If you copy files from any backup back to root, yes, you will need to
re-run installboot. This has to be done any time /boot could have moved to
a new physical spot on the disk.

If you really want to blow things completely away, give consideration to
doing an "upgrade" (to either what you were running or most recent release,
or even -current), then restoring your /etc/ directory, and re-running
sysmerge afterwards (if you change versions).

Nick.
Re: Restoring /altroot
On Fri, Jul 14, 2017 at 10:46:14PM -0400, Nick Holland wrote:
> On 07/14/17 09:00, Raimo Niskanen wrote:
> > Hi misc@.
> >
> > I wonder how to restore from an /altroot backup?
> >
> > (I missed that pax -r happily writes absolute paths and wrote over
> > /etc from a backup file of another machine)
> >
> >
> > Is it to dd(1) back all but the first 16 blocks - the reverse of what
> > daily(8) does? Is that all that is needed?
>
> don't...
>
> > (I missed to skip the first 16 blocks, and I used the block devices instead
> > of the character devices. The result was a vegetable, and would like to
> > understand which of my mistakes that were fatal.)
>
> yeah, that's why. It CAN work, but ... it is the hard way and it's
> error prone.
>
> better way: let's say sd1k is your /altroot...
>
> # mount /dev/sd1k /altroot
>
> now...it's just a normal file system on a normal place. Copy out
> whatever you want. umount it when done, please.
>
> Nick.

Yes, thank you! That is the safe way. In this case I wanted to get rid
of all files that my pax fumbling had put there, so I wanted to clear the
root filesystem and copy back all from /altroot. But then I also would
have to run installboot on the restored root filesystem, right?

Is that the right(tm) way to do it?

--

/ Raimo Niskanen, Erlang/OTP, Ericsson AB
Verified auth tty ioctl()s implementation details
Hi all,

In the last couple of days I've been studying sudo(8) and doas(1) to find
out how they work and what their operational differences are. With regards
to storing persistent cookies, to allow a user to execute further commands
without reauthentication (subject to a timeout), sudo uses a timestamp file
and doas uses verified auth ioctls on the controlling tty. However, sudo
and doas differ in the information stored in the persistent cookie. sudo
records the ID of the foreground process group on the controlling terminal
while doas records the parent process ID, according to the description of
TIOCSETVERAUTH in tty(4).

From an end-user standpoint, this means that if a user has run a
privileged command using sudo and then (within the timeout) runs a
script which itself calls sudo, then they will not be prompted to
enter a password as the script is running with the same foreground
process group on the controlling terminal as the first invocation.
However, in the same scenario, doas would prompt for a password
when it is invoked from within the script, as its parent process ID
is different when running under an interactive user shell from when
it's executed in a shell script. (This can also be observed when
building ports with SUDO=doas, as doas is invoked at various points
in the build process under different make (sub)processes, which
results in doas prompting for a password many times.)

Now, I am running on the assumption that these ioctl()s were
implemented as a kernel-side component of doas's "password timeout"
functionality as observed when using the "persist" configuration
keyword. From that, my question is whether there is any particular
reason for recording the parent process ID in particular as part of
the cookie stored by the persistent authentication ioctl() as opposed
to the process group ID of the calling process's session leader, as
with sudo.

Regards.
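The cookie difference described in this post and in tedu's reply above, as an added userland simulation (not the kernel's TIOCSETVERAUTH code and not part of the thread): this Python process plays the interactive shell, the child it spawns plays a script that invokes sudo/doas again, and the two policies are compared by keying a toy cookie on either the session leader's process group (the sudo behaviour as described here) or the caller's parent PID (the doas behaviour). TIMEOUT_SECS, PersistCookie and the function names are mine.

```python
"""Toy model of the two "persist" cookie policies compared in this thread.
This is an added simulation, not the kernel ioctl code: this process is the
interactive shell; the child it spawns is a script that calls sudo/doas."""
import os
import subprocess
import sys
import time

TIMEOUT_SECS = 300  # constructed value standing in for the real persist timeout

# What a sudo/doas spawned by the script would observe: its session ID and
# its parent PID (the script itself).
CHILD_PROBE = "import os; print(os.getsid(0), os.getpid())"


class PersistCookie:
    """Stand-in for the kernel-side cookie: an identity key plus an expiry."""

    def __init__(self, key, now, ttl=TIMEOUT_SECS):
        self.key = key
        self.expires = now + ttl

    def valid_for(self, key, now):
        """The prompt is skipped only if the key matches and time remains."""
        return key == self.key and now < self.expires


def first_invocation_key(policy):
    """Key recorded by the first sudo/doas, which this 'shell' runs directly."""
    if policy == "session":
        # The session leader's process group ID is the session ID itself.
        return os.getsid(0)
    if policy == "ppid":
        # The first doas's parent process is this shell.
        return os.getpid()
    raise ValueError(policy)


def probe_script(new_session=False):
    """Spawn the 'script' and return the sid/ppid its own sudo/doas would see."""
    out = subprocess.run(
        [sys.executable, "-c", CHILD_PROBE],
        capture_output=True, text=True, check=True,
        start_new_session=new_session,  # True models a fresh login session
    ).stdout.split()
    sid, script_pid = (int(x) for x in out)
    return {"session": sid, "ppid": script_pid}


def shell_skips_prompt(policy, ttl=TIMEOUT_SECS):
    """True if a second sudo/doas run directly from this shell reuses the cookie."""
    cookie = PersistCookie(first_invocation_key(policy), time.monotonic(), ttl)
    return cookie.valid_for(first_invocation_key(policy), time.monotonic())


def script_skips_prompt(policy, new_session=False, ttl=TIMEOUT_SECS):
    """True if a sudo/doas nested inside the script reuses the shell's cookie."""
    cookie = PersistCookie(first_invocation_key(policy), time.monotonic(), ttl)
    seen = probe_script(new_session)[policy]
    return cookie.valid_for(seen, time.monotonic())


if __name__ == "__main__":
    for policy in ("session", "ppid"):
        print(f"{policy:8s} cookie reused by the shell : {shell_skips_prompt(policy)}")
        print(f"{policy:8s} cookie reused by a script : {script_skips_prompt(policy)}")
    print("session cookie reused from a new session :",
          script_skips_prompt("session", new_session=True))
    print("session cookie reused after the timeout  :",
          shell_skips_prompt("session", ttl=0))
```

Both policies let the same shell rerun a command without a prompt; only the parent-PID key refuses the nested invocation from the script, which is the behaviour the thread observes with SUDO=doas.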
syspatch glitch
It seems syspatch looks at the current machine capabilities instead of
which kernel is running when it decides on if /bsd is /bsd.sp or /bsd.mp.

I tried to install OpenBSD 6.1 to a USB connected CF card that later will
run in an alix2d13 that has got one core, but I did the installation from
a laptop with two cores. Both i386.

Then I moved /bsd to /bsd.mp and /bsd.sp to /bsd since the installer had
detected that the install machine should run /bsd.mp.

After that I ran syspatch, still on the laptop, and it failed on patch 002
with as I remember tar complaining on not being able to find /bsd.sp.

Restoring /bsd to /bsd.sp and /bsd.mp to /bsd allowed me to syspatch the
installation, and after that it seems both /bsd (.mp) and /bsd.sp are
patched, so I can hopefully change the kernels just before putting the CF
card in the Alix instead, so no harm done.

But is it by design that syspatch looks at the running machine instead of
the running kernel? I would have expected it the other way around...

By the way. Syspatch and openup really makes keeping a system updated a
breeze - thank you very much for these tools, everyone involved!

Best regards
--

/ Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: OpenBSD as Open Networking OS
Yes, I'm very interested in this but there is no "open" hardware.

As Mischa mentioned, all of the platforms need vendor drivers
and AFAIK all of them are gigantic and non-free *.

OpenFlow is an alternative to control switches in a standard way
without direct access to the switch chipsets, but it is a long way to
get switchd(8) to this point. And it has limitations, of course.

*) let me know if I'm wrong.

Reyk

> On 17.07.2017, at 11:00, miraculli . wrote:
>
> Hi misc,
>
> I just read about a trending topic: SDN and Open Networking.
> The principal idea behind Open Networking is to allow the customer
> to install a custom OS to switch-hardware.
> The main software player in this business seems to be a penguin OS
> called: Cumulus
> There is also an overview of devices that are able to install a custom OS:
>
> https://cumulusnetworks.com/products/hardware-compatibility-list/
>
> Is there any experience using OpenBSD in this domain and with this
> kind of hardware?
>
> Thanks
> Thomas
>
Re: OpenBSD as Open Networking OS
Hi Thomas,

I used to work for Cumulus and the tricky part with this is that you need to
get access to the Broadcom (and Mellanox) chipsets, which is not trivial and
costly. I would love to see a BSD running on open networking equipment!

There are more NOS out there but they have their own speciality. Cumulus is
the most generic to deploy. There is also BigSwitch and IP Fusion.

Mischa

> On 17 Jul 2017, at 11:00, miraculli . wrote:
>
> Hi misc,
>
> I just read about a trending topic: SDN and Open Networking.
> The principal idea behind Open Networking is to allow the customer
> to install a custom OS to switch-hardware.
> The main software player in this business seems to be a penguin OS
> called: Cumulus
> There is also an overview of devices that are able to install a custom OS:
>
> https://cumulusnetworks.com/products/hardware-compatibility-list/
>
> Is there any experience using OpenBSD in this domain and with this
> kind of hardware?
>
> Thanks
> Thomas
>
Re: Security report with mail permissions
> Hi Mik,
>
> not quoting anything because your posting is too ill-formatted.
>
> Yours is a frequently answered question. The directory /var/mail/
> is intended for individual user mailboxes. If you need a directory
> for a different purpose - like mailbox subhierarchies for virtual
> domains - create a different directory.
>
> If you want to do daily checks on that different directory checking
> for a different format, implement your own checks in daily.local(8).

That is the correct answer. The files in /var/mail already have some
pretty tricky locking requirements, so there is no way we're going to
encourage placement of other objects in there.
OpenBSD as Open Networking OS
Hi misc,

I just read about a trending topic: SDN and Open Networking.
The principal idea behind Open Networking is to allow the customer
to install a custom OS to switch-hardware.
The main software player in this business seems to be a penguin OS
called: Cumulus
There is also an overview of devices that are able to install a custom OS:

https://cumulusnetworks.com/products/hardware-compatibility-list/

Is there any experience using OpenBSD in this domain and with this
kind of hardware?

Thanks
Thomas
snapshot kernel crash amd64
Hello,

I had installed OpenBSD 6.1 on a Dell Latitude E7470 laptop (amd64, Skylake
architecture). It could work on it but there were some shortcomings (video
was slow). Today I upgraded to the latest snapshot, and I have rebooted
successfully, once, after which I updated packages.

When I boot up the system now, it gets stuck at the kernel messages, the
last three lines being (typing it over):

vmm0 at mainbus0: VMX/EPI
error: [drm:pid96670:intel_dp_link_training_clock_recovery] *ERROR* too many full retries, give up
error: [drm:pid96670:intel_dp_set_idle_link_train] *ERROR* Timed out waiting for DP idle patterns

I do not remember what I have done to break the system. There are several
reasons why I think it is my fault, and not a bug:

1. I have booted once successfully in the system (and everything worked
   great);
2. it happens also for the old kernel (obsd) (and also bsd.sp). A package
   upgrade cannot break the system to this extent.

What could it be then? It would be difficult to include dmesg etc., because
the system doesn't boot up.

- Marco