Re: IPv6 with wide-dhcpv6

2017-07-17 Thread David Higgs
On Sat, Jul 15, 2017 at 2:17 AM, Stuart Henderson 
wrote:

> On 2017-07-14, David Higgs  wrote:
> > Comcast provides me with IPv6 via DHCPv6, which I've finally tried to
> > configure on my OpenBSD 6.1 router.  I am having difficulty maintaining
> my
> > IPv6 public IP address when using the wide-dhcpv6 package when in client
> > mode.
>
> Switch to dhcpcd, which has a workaround for the vltime/pltime bug, or
> use a snapshot, where it has been fixed. Or both.
>
> > - Is there a security/quality preference between wide-dhcpv6 and
> dhcpcd?  I
> > notice that dhcp6c doesn't appear to support a dedicated chroot/user...
>
> dhcpcd is more modern and actively maintained. I'm not aware of any
> client that does DHCPv6-PD that has privsep though.
>
> > - Does the project have any near-term plans to write a DHCPv6 daemon to
> > live in base?
>
> I'm not aware of any.
>
>
After a good amount of trial and error, it appears that Comcast will only
dole out a single /128 via DHCPv6.  Annoying but easy enough to work around
with pf(4) nat-to and some static RFC 4193 prefixes.

No apparent problems when running dhcpcd.  FWIW, I did notice that
sometimes my upstream link does not have the accept_rtadv flag set (as per
ndp -i $INTF), but I haven't investigated this in depth.

Thanks!

--david


Good looking fonts in Java apps

2017-07-17 Thread Bernard Mentink
Hi Guys,

I am running a Java app launched by javaws (IcedTea-web) and am finding the
fonts terrible, does anyone know how I can get better anti-aliased fonts?

I have installed all the good ttf fonts from Google (Noto, Droid, Freetype,
etc.) which have made my Gnome3 desktop a bit nicer, it is really just
Java apps now ..

On the same issue, IcedTea seems to run my app very slowly, at least
compared to Oracle javaws on Linux, any helpers there would also be
appreciated.

Cheers,
Bernie


Re: Best place for VM images

2017-07-17 Thread Mike Larkin
On Tue, Jul 18, 2017 at 01:52:53AM +0200, Leo Unglaub wrote:
> Hey friends,
> what is the best/recommended place to store the vmm images. In man 5 vm.conf
> is an example with /var/vmm/, is this the best location?
> 
> Also if /var/vmm is its own partition, what would be the best mount options
> for it. I would assume nodev, nosuid are good.
> 
> Any recommendations?
> Thanks and greetings
> Leo
> 

I've been putting mine in a dedicated partition. /var/vmm should probably
be its own partition if used.

nodev, nosuid are probably good choices there too.

-ml



Re: AMD64 modern laptop recommendation

2017-07-17 Thread Allan Streib
Radoslav_Mirza  writes:

> To congratulate myself for 2 years of not smoking I want to buy a new
> medium to high end laptop and install only OpenBSD on it.
>
> Does anyone run OpenBSD on a brand new laptop with good support?

This was posted recently: https://jcs.org/2017/07/14/matebook

I think with any "brand new" laptop you're going to find various things
that are not (yet) supported.

Allan



AMD64 modern laptop recommendation

2017-07-17 Thread Radoslav_Mirza
Dear Group,
To congratulate myself for 2 years of not smoking I want to buy a new medium to 
high end laptop and install only OpenBSD on it.

Does anyone run OpenBSD on a brand new laptop with good support?

Any recommendations?

Cheers!

Sent from ProtonMail mobile

Re: Compiling Linux source on OpenBSD

2017-07-17 Thread Josh Stephens


> On Jul 17, 2017, at 7:12 PM, Bernard Mentink  wrote:
> 
> Hi all,
> 
> This is my first time on OpenBSD and am really loving it. I had my HP
> Pavilion desktop booting into a Gnome3 desktop in no time (.. had so many
> issues trying to boot FreeBSD, gave up)
> 
> My question is regarding compiling Linux code. I have some tools for
> programming FPGAs which I would really like to do on BSD, i.e. the likes of
> IceStorm tools and Yosys ... etc
> They are not in the Repo or in Ports so don't have much option but to try
> and compile from linux, which failed of course with lots of errors the
> first time I tried.
> 
> Are there any guidelines for porting this stuff?
> 
> Cheers,
> Bernie

See if this handbook provides any help. https://www.openbsd.org/faq/ports/



Compiling Linux source on OpenBSD

2017-07-17 Thread Bernard Mentink
Hi all,

This is my first time on OpenBSD and am really loving it. I had my HP
Pavilion desktop booting into a Gnome3 desktop in no time (.. had so many
issues trying to boot FreeBSD, gave up)

My question is regarding compiling Linux code. I have some tools for
programming FPGAs which I would really like to do on BSD, i.e. the likes of
IceStorm tools and Yosys ... etc
They are not in the Repo or in Ports so don't have much option but to try
and compile from linux, which failed of course with lots of errors the
first time I tried.

Are there any guidelines for porting this stuff?

Cheers,
Bernie


Best place for VM images

2017-07-17 Thread Leo Unglaub

Hey friends,
what is the best/recommended place to store the vmm images. In man 5 
vm.conf is an example with /var/vmm/, is this the best location?


Also if /var/vmm is its own partition, what would be the best mount 
options for it. I would assume nodev, nosuid are good.


Any recommendations?
Thanks and greetings
Leo



Httpd Content-Length with NextCloud

2017-07-17 Thread R0me0 ***
Hello guys, not sure if its a bug or not.

But trying to contribute.

I am running OpenBSD 6.1 stable branch

When downloading a large file from a poor connection, i.e. 100 kbps (I
don't have time remaining)

I notice that OpenBSD httpd does not set Content-Length and the connection is
unexpectedly closed.

I tried to move to Nginx just to test. The Content-Length is set and the
file is downloaded normally.

Any thoughts/directions and workarounds are very appreciated.

Thanks in advance


growisofs hanging on "closing disc"

2017-07-17 Thread Allan Streib
Burning a .iso file to DVD as described in the FAQ:

  # growisofs -dvd-compat -Z /dev/rcd0c=my_iso_file.iso

the process hangs at "closing disc"

[...]
 3427401728/3577901056 (95.8%) @14.3x, remaining 0:10 RBU 100.0% UBU  94.4%
 3494150144/3577901056 (97.7%) @14.4x, remaining 0:05 RBU 100.0% UBU  95.1%
 3561422848/3577901056 (99.5%) @14.5x, remaining 0:01 RBU  49.1% UBU  95.8%
builtin_dd: 1747024*2KB out @ average 10.3x1352KBps
/dev/rcd0c: flushing cache
/dev/rcd0c: updating RMA
/dev/rcd0c: closing disc


top(1) shows:

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
90416 root   2  -20   33M   43M sleep/0   poll  0:13  0.00% growisofs


If I force kill the growisofs process, I can eject the DVD and it is
usable.

I'm running 6.1 release w/syspatches. What other info would be useful?

Allan



Re: Verified auth tty ioctl()s implementation details

2017-07-17 Thread Ted Unangst
multiplex'd wrote:
> From an end-user standpoint, this means that if a user has run a 
> privileged command using sudo and then (within the timeout) runs a
> script which itself calls sudo, then they will not be prompted to
> enter a password as the script is running with the same foreground
> process group on the controlling terminal as the first invocation.
> However, in the same scenario, doas would prompt for a password
> when it is invoked from within the script, as its parent process ID 
> is different when running under an interactive user shell from when 
> it's executed in a shell script. (This can also be observed when
> building ports with SUDO=doas, as doas is invoked at various points
> in the build process under different make (sub)processes, which
> results in doas prompting for a password many times.)
> 
> Now, I am running on the assumption that these ioctl()s were 
> implemented as a kernel-side component of doas's "password timeout"
> functionality as observed when using the "persist" configuration 
> keyword. From that, my question is whether there is any particular 
> reason for recording the parent process ID in particular as part of 
> the cookie stored by the persistent authentication ioctl() as opposed 
> to the process group ID of the calling process's session leader, as
> with sudo.

Yes, the difference is intentional. For pretty much exactly the reason you
noticed, although perhaps with the opposite result. A successful
authentication is not meant to be inherited by any random program or script
you run. A) because vague security concerns, but also B) because I think it's
weird that a script maybe works if it runs fast enough, but fails if it takes
five minutes to get to doas. Like "make; doas make install" works on a fast
machine but fails unexpectedly on a slower machine.

A more robust approach to this problem is to invert privilege. Start as root,
then drop to another user. 



CVS: tag exploration

2017-07-17 Thread Daniil Berendeev

Hi,

I'd like to backfill the changes in 6.1 to 
https://openbsd.org/plus61.html and update 
https://openbsd.org/plus.html, but I faced a little problem: how do I 
find out the last revision number before the pre-release code freeze? 
Those revisions must be tagged, but, apparently, cvs(1) doesn't provide 
any way to get a tag list or see some info on tag.


Am I missing something?



Re: Choice of sis(4) versus vr(4) ?

2017-07-17 Thread Claudio Jeker
On Mon, Jul 17, 2017 at 09:07:04PM +0300, Lars Noodén wrote:
> I'm looking to refurbish an old device and will probably add a network
> card to it.  Are there any reasons based on the current drivers or the
> hardware itself to choose sis(4) or vr(4) over one or the other on
> i386 -current?
> 

They are both similarly bad. I think it would not matter which one you
use.

-- 
:wq Claudio



Choice of sis(4) versus vr(4) ?

2017-07-17 Thread Lars Noodén
I'm looking to refurbish an old device and will probably add a network
card to it.  Are there any reasons based on the current drivers or the
hardware itself to choose sis(4) or vr(4) over one or the other on
i386 -current?

Regards,
Lars



Getting Dell RAID status via SNMP

2017-07-17 Thread Jibby Jeremiah
Hi folks,

On HP HW we can query the RAID status of a system remotely with snmpwalk on

.1.3.6.1.4.1.30155.2.1.2.1.5.3

And you get back a status of one of the following 3 :
- online
- pfail
- rebuild

Works great!

I cannot find a RAID status on a Dell though.   I do a walk of

1.3.6.1.4.1.30155

And save it to a file and look through it but do not see anything obviously
to do with RAID status.  Maybe it is a numeric field?

Anyone?

Thanks.


Re: Security report with mail permissions

2017-07-17 Thread Mik J
Thank you for your answer Ingo.

I'll reconfigure my mailbox to use text only



Le Dimanche 16 juillet 2017 18h45, Ingo Schwarze  a écrit :



Hi Mik,

not quoting anything because your posting is too ill-formatted.

Yours is a frequently answered question.  The directory /var/mail/
is intended for individual user mailboxes.  If you need a directory
for a different purpose - like mailbox subhierarchies for virtual
domains - create a different directory.

If you want to do daily checks on that different directory checking
for a different format, implement your own checks in daily.local(8).

Yours,
  Ingo



Re: OpenBSD as Open Networking OS

2017-07-17 Thread miraculli .
Thanks for your input.

I get the point with the closed ASICs. I wasn't aware of that and it
explains why there is even no OpenWRT, pfsense etc. support for these
devices.

sad.

best
Thomas





2017-07-17 11:45 GMT+02:00 Reyk Floeter :
> Yes, I'm very interested in this but there is no "open" hardware.
>
> As Mischa mentioned, all of the platforms need vendor drivers
> and AFAIK all of them are gigantic and non-free *.
>
> OpenFlow is an alternative to control switches in a standard way
> without direct access to the switch chipsets, but it is a long way to
> get switchd(8) to this point. And it has limitations, of course.
>
> *) let me know if I'm wrong.
>
> Reyk
>
>> On 17.07.2017, at 11:00, miraculli .  wrote:
>>
>> Hi misc,
>>
>> I just read about a trending topic: SDN and Open Networking.
>> The principal idea behind Open Networking is to allow the customer
>> to install a custom OS to switch-hardware.
>> The main software player in this business seems to be a penguin OS
>> called: Cumulus
>> There is also an overview of devices that are able to install a custom OS:
>>
>> https://cumulusnetworks.com/products/hardware-compatibility-list/
>>
>> Is there any experience using OpenBSD in this domain and with this
>> kind of hardware?
>>
>> Thanks
>> Thomas
>>
>



-- 
+49.179.1448024
Karl-Kunger-Straße 68
D - 12435 Berlin



Re: syspatch glitch

2017-07-17 Thread Antoine Jacoutot
On Mon, Jul 17, 2017 at 12:04:19PM +0200, Raimo Niskanen wrote:
> It seems syspatch looks at the current machine capabilities instead of
> which kernel is running when it decides on if /bsd is /bsd.sp or /bsd.mp.

Hi.

> I tried to install OpenBSD 6.1 to a USB connected CF card that later will
> run in an alix2d13 that has got one core, but I did the installation from
> a laptop with two cores.  Both i386.
> 
> Then I moved /bsd to /bsd.mp and /bsd.sp to /bsd since the installer had
> detected that the install machine should run /bsd.mp.
> 
> After that I ran syspatch, still on the laptop, and it failed on patch 002
> with as I remember tar complaining on not being able to find /bsd.sp.

If you run syspatch on the laptop then what you call the running kernel is the
one that booted (i.e. the one on the laptop). That's perfectly normal and as
you saw this is what the installer does as well.

> installation, and after that it seems both /bsd (.mp) and /bsd.sp are
> patched, so I can hopefully change the kernels just before putting the CF
> card in the Alix instead, so no harm done.
> 
> But is it by design that syspatch looks at the running machine instead of
> the running kernel?  I would have expected it the other way around...

Why would you expect that?
The installation was done on an MP system. The running machine and running
kernel are the same in your setup.

What you want to do instead is run syspatch from rc.firsttime on your Alix.
Kernel handling is tricky because we need to handle 2 different kernels and
kernel is usually the thing people like to fuck with...

-- 
Antoine



Re: Restoring /altroot

2017-07-17 Thread Nick Holland
On 07/17/17 05:50, Raimo Niskanen wrote:
> On Fri, Jul 14, 2017 at 10:46:14PM -0400, Nick Holland wrote:
>> On 07/14/17 09:00, Raimo Niskanen wrote:
>> > Hi misc@.
>> > 
>> > I wonder how to restore from an /altroot backup?
>> > 
>> > (I missed that pax -r happily writes absolute paths and wrote over
>> >  /etc from a backup file of another machine)
>> > 
>> > 
>> > Is it to dd(1) back all but the first 16 blocks - the reverse of what
>> > daily(8) does?  Is that all that is needed?
>> 
>> don't...
>> 
>> > (I missed to skip the first 16 blocks, and I used the block devices instead
>> >  of the character devices.  The result was a vegetable, and would like to
>> >  understand which of my mistakes that were fatal.)

probably worth answering why this failed...
1) The first 16 blocks are where the disklabel is hiding on the first
partition (usually, 'a').  Blindly copy over a disklabel from the wrong
disk, you will blow away your current disklabel.  BEST case (both disks
have the exact same layout), you just changed the DUID of your target
disk.

2) writing to sd0a/wd0a instead of rsd0a/rwd0a just drops the data in
the wrong place.  This error probably saved your disklabel, so it's a
good error to combine with the first.  Didn't help anything, but kept
the damage from being worse.

>> yeah, that's why.  It CAN work, but ... it is the hard way and it's
>> error prone.
>> 
>> better way: let's say sd1k is your /altroot...
>> 
>> # mount /dev/sd1k /altroot
>> 
>> now...it's just a normal file system on a normal place.  Copy out
>> whatever you want.  umount it when done, please.
>> 
>> Nick.
> 
> Yes, thank you!  That is the safe way.  In this case I wanted to get rid
> of all files that my pax fumbling had put there, so I wanted to clear the
> root filesystem and copy back all from /altroot.  But then I also would
> have to run installboot on the restored root filesystem, right?
> 
> Is that the right(tm) way to do it?

If you copy files from any backup back to root, yes, you will need to
re-run installboot.  This has to be done any time /boot could have moved
to a new physical spot on the disk.

If you really want to blow things completely away, give consideration to
doing an "upgrade" (to either what you were running or most recent
release, or even -current), then restoring your /etc/ directory, and
re-running sysmerge afterwards (if you change versions).

Nick.



Re: Restoring /altroot

2017-07-17 Thread Raimo Niskanen
On Fri, Jul 14, 2017 at 10:46:14PM -0400, Nick Holland wrote:
> On 07/14/17 09:00, Raimo Niskanen wrote:
> > Hi misc@.
> > 
> > I wonder how to restore from an /altroot backup?
> > 
> > (I missed that pax -r happily writes absolute paths and wrote over
> >  /etc from a backup file of another machine)
> > 
> > 
> > Is it to dd(1) back all but the first 16 blocks - the reverse of what
> > daily(8) does?  Is that all that is needed?
> 
> don't...
> 
> > (I missed to skip the first 16 blocks, and I used the block devices instead
> >  of the character devices.  The result was a vegetable, and would like to
> >  understand which of my mistakes that were fatal.)
> 
> yeah, that's why.  It CAN work, but ... it is the hard way and it's
> error prone.
> 
> better way: let's say sd1k is your /altroot...
> 
> # mount /dev/sd1k /altroot
> 
> now...it's just a normal file system on a normal place.  Copy out
> whatever you want.  umount it when done, please.
> 
> Nick.

Yes, thank you!  That is the safe way.  In this case I wanted to get rid
of all files that my pax fumbling had put there, so I wanted to clear the
root filesystem and copy back all from /altroot.  But then I also would
have to run installboot on the restored root filesystem, right?

Is that the right(tm) way to do it?

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Verified auth tty ioctl()s implementation details

2017-07-17 Thread multiplex'd
Hi all,

In the last couple of days I've been studying sudo(8) and doas(1) to
find out how they work and what their operational differences are.
With regards to storing persistent cookies, to allow a user to execute
further commands without reauthentication (subject to a timeout), sudo 
uses a timestamp file and doas uses verified auth ioctls on the 
controlling tty.

However, sudo and doas differ in the information stored in the persistent
cookie. sudo records the ID of the foreground process group on the 
controlling terminal while doas records the parent process ID, according
to the description of TIOCSETVERAUTH in tty(4).

From an end-user standpoint, this means that if a user has run a
privileged command using sudo and then (within the timeout) runs a
script which itself calls sudo, then they will not be prompted to
enter a password as the script is running with the same foreground
process group on the controlling terminal as the first invocation.
However, in the same scenario, doas would prompt for a password
when it is invoked from within the script, as its parent process ID 
is different when running under an interactive user shell from when 
it's executed in a shell script. (This can also be observed when
building ports with SUDO=doas, as doas is invoked at various points
in the build process under different make (sub)processes, which
results in doas prompting for a password many times.)

Now, I am running on the assumption that these ioctl()s were 
implemented as a kernel-side component of doas's "password timeout"
functionality as observed when using the "persist" configuration 
keyword. From that, my question is whether there is any particular 
reason for recording the parent process ID in particular as part of 
the cookie stored by the persistent authentication ioctl() as opposed 
to the process group ID of the calling process's session leader, as
with sudo.

Regards.



syspatch glitch

2017-07-17 Thread Raimo Niskanen
It seems syspatch looks at the current machine capabilities instead of
which kernel is running when it decides on if /bsd is /bsd.sp or /bsd.mp.

I tried to install OpenBSD 6.1 to a USB connected CF card that later will
run in an alix2d13 that has got one core, but I did the installation from
a laptop with two cores.  Both i386.

Then I moved /bsd to /bsd.mp and /bsd.sp to /bsd since the installer had
detected that the install machine should run /bsd.mp.

After that I ran syspatch, still on the laptop, and it failed on patch 002
with as I remember tar complaining on not being able to find /bsd.sp.

Restoring /bsd to /bsd.sp and /bsd.mp to /bsd allowed me to syspatch the
installation, and after that it seems both /bsd (.mp) and /bsd.sp are
patched, so I can hopefully change the kernels just before putting the CF
card in the Alix instead, so no harm done.

But is it by design that syspatch looks at the running machine instead of
the running kernel?  I would have expected it the other way around...



By the way.  Syspatch and openup really makes keeping a system updated a
breeze - thank you very much for these tools, everyone involved!

Best regards
-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: OpenBSD as Open Networking OS

2017-07-17 Thread Reyk Floeter
Yes, I'm very interested in this but there is no "open" hardware.

As Mischa mentioned, all of the platforms need vendor drivers
and AFAIK all of them are gigantic and non-free *.

OpenFlow is an alternative to control switches in a standard way
without direct access to the switch chipsets, but it is a long way to
get switchd(8) to this point. And it has limitations, of course.

*) let me know if I'm wrong.

Reyk

> On 17.07.2017, at 11:00, miraculli .  wrote:
> 
> Hi misc,
> 
> I just read about a trending topic: SDN and Open Networking.
> The principal idea behind Open Networking is to allow the customer
> to install a custom OS to switch-hardware.
> The main software player in this business seems to be a penguin OS
> called: Cumulus
> There is also an overview of devices that are able to install a custom OS:
> 
> https://cumulusnetworks.com/products/hardware-compatibility-list/
> 
> Is there any experience using OpenBSD in this domain and with this
> kind of hardware?
> 
> Thanks
> Thomas
> 



Re: OpenBSD as Open Networking OS

2017-07-17 Thread Mischa Peters
Hi Thomas,

I used to work for Cumulus and the tricky part with this is that you need to 
get access to the Broadcom (and Mellanox) chipsets, which is not trivial and
costly. 

I would love to see a BSD running on open networking equipment!

There are more NOS out there but they have their own speciality. Cumulus is the
most generic to deploy. There are also BigSwitch and IP Fusion.

Mischa


> On 17 Jul 2017, at 11:00, miraculli .  wrote:
> 
> Hi misc,
> 
> I just read about a trending topic: SDN and Open Networking.
> The principal idea behind Open Networking is to allow the customer
> to install a custom OS to switch-hardware.
> The main software player in this business seems to be a penguin OS
> called: Cumulus
> There is also an overview of devices that are able to install a custom OS:
> 
> https://cumulusnetworks.com/products/hardware-compatibility-list/
> 
> Is there any experience using OpenBSD in this domain and with this
> kind of hardware?
> 
> Thanks
> Thomas
> 



Re: Security report with mail permissions

2017-07-17 Thread Theo de Raadt
>Hi Mik,
>
>not quoting anything because your posting is too ill-formatted.
>
>Yours is a frequently answered question.  The directory /var/mail/
>is intended for individual user mailboxes.  If you need a directory
>for a different purpose - like mailbox subhierarchies for virtual
>domains - create a different directory.
>
>If you want to do daily checks on that different directory checking
>for a different format, implement your own checks in daily.local(8).

That is the correct answer.

The files in /var/mail already have some pretty tricky locking
requirements, so there is no way we're going to encourage placement of
other objects in there.
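Ingo's advice above, endorsed here, is to keep virtual-domain mailboxes out of /var/mail and to write the daily check for that other tree yourself in daily.local(8). What follows is an added example of such a check, not code from the OpenBSD tree or from anyone in this thread; the /var/vmail location, the vmail account and the 0600/0700 modes are assumptions to adapt to your own layout.

```sh
#!/bin/sh
# Added example for daily.local(8): report ownership and permission drift in
# a virtual-mailbox hierarchy kept outside /var/mail, roughly the way
# security(8) reports on /var/mail itself.  Example code, not from the
# OpenBSD tree; the directory, account and modes below are assumptions.

VMAIL_DIR=${VMAIL_DIR:-/var/vmail}      # assumed location of virtual mailboxes
VMAIL_OWNER=${VMAIL_OWNER:-vmail}       # assumed account owning them
VMAIL_GROUP=${VMAIL_GROUP:-vmail}
FILE_MODE=0600                          # expected mode of a mailbox file
DIR_MODE=0700                           # expected mode of a mailbox directory

# check_vmail_dir DIR OWNER GROUP
# Walks DIR and prints an ls -ld line for every entry that is not owned by
# OWNER:GROUP, every regular file whose mode is not FILE_MODE, every
# directory whose mode is not DIR_MODE, and every symlink (a link has no
# business inside a mailbox tree).  Returns 0 when nothing was reported
# and 1 otherwise, so daily.local can decide whether to say anything.
check_vmail_dir() {
    _dir=$1 _owner=$2 _group=$3
    if [ ! -d "$_dir" ]; then
        printf '%s: not a directory\n' "$_dir"
        return 1
    fi
    _bad=$(find "$_dir" \( ! -user "$_owner" -o ! -group "$_group" \
            -o \( -type f ! -perm "$FILE_MODE" \) \
            -o \( -type d ! -perm "$DIR_MODE" \) \
            -o -type l \) -exec ls -ld {} \; | sort)
    if [ -n "$_bad" ]; then
        printf 'Checking virtual mailbox permissions under %s:\n' "$_dir"
        printf '%s\n' "$_bad"
        return 1
    fi
    return 0
}

# From daily.local(8) on the mail host: only report when the tree exists,
# so the same script stays quiet on machines that do not carry mailboxes.
if [ -d "$VMAIL_DIR" ]; then
    check_vmail_dir "$VMAIL_DIR" "$VMAIL_OWNER" "$VMAIL_GROUP"
fi
```

security(8) checks /var/mail by confirming that each mailbox belongs to the matching user and is not readable by others; this check applies the same idea to a tree owned by a single virtual-mail account. Since daily(8) mails the output of daily.local, anything the function prints shows up in the daily report, and nothing is printed when the tree is clean.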




OpenBSD as Open Networking OS

2017-07-17 Thread miraculli .
Hi misc,

I just read about a trending topic: SDN and Open Networking.
The principal idea behind Open Networking is to allow the customer
to install a custom OS to switch-hardware.
The main software player in this business seems to be a penguin OS
called: Cumulus
There is also an overview of devices that are able to install a custom OS:

https://cumulusnetworks.com/products/hardware-compatibility-list/

Is there any experience using OpenBSD in this domain and with this
kind of hardware?

Thanks
Thomas



snapshot kernel crash amd64

2017-07-17 Thread Marco van Hulten
Hello,

I had installed OpenBSD 6.1 on a Dell Latitude E7470 laptop (amd64,
Skylake architecture).  It could work on it but there were some
shortcomings (video was slow).

Today I upgraded to the latest snapshot, and I have rebooted
successfully, once, after which I updated packages.  When I boot up the
system now, it gets stuck at the kernel messages, the last three lines
being (typing it over):

vmm0 at mainbus0: VMX/EPT
error: [drm:pid96670:intel_dp_link_training_clock_recovery] *ERROR* too many 
full retries, give up error:
[drm:pid96670:intel_dp_set_idle_link_train] *ERROR* Timed out waiting for DP 
idle patterns

I do not remember what I have done to break the system.  There are
several reasons why I think it is my fault, and not a bug:

1. I have booted once successfully in the system (and everything worked
great);
2. it happens also for the old kernel (obsd) (and also bsd.sp).

A package upgrade cannot break the system to this extent.  What could
it be then?

It would be difficult to include dmesg etc., because the system doesn't
boot up.

- Marco