Re: Crypto softraid is supported on GPT/UEFI boot and not just on BIOS/MBR boot, right?
On 09/28/17 05:58, ti...@openmailbox.org wrote:
>> On Wed, Sep 27, 2017 at 05:02:06PM -, ti...@openmailbox.org
>> wrote:
> ..
>>> What am I doing wrong, are there actually any installboot
>>> arguments that could help me make it work?
>>
>> It looks like you're using GPT on both the physical and the
>> softraid disk, correct?
>>
>> In my setup, I have GPT on the physical disk (sd0) but an MBR on
>> the softraid volume. So perhaps try using an MBR on sd1 and see if
>> that helps? I am poking in the dark here. No idea if that will work
>> for you.
>
> An MBR has a max of 2TB so over time the whole MBR thing needs to be
> discontinued, right, however this is a smaller disk so having MBR
> inside the softraid would work indeed.

By that logic, we should have quit using cheap disks when they went
over 32MB. Or 120MB. Or 504MB. Or 128GB. Or ...

I have MBRs on 4TB SoftRaid volumes, works fine.

fdisk, make the "entire" disk (well... the first 2TB) OpenBSD.
disklabel, change the boundaries of the OpenBSD part to be the entire disk.
Done.

Nick.
Re: Can I rotate the framebuffer (e.g. using wsdisplay) in OpenBSD?
On 28/09/2017 at 10:13, Stefan Sperling wrote:
> On Thu, Sep 28, 2017 at 12:55:41AM +0200, Stéphane Aulery wrote:
>> On 27/09/2017 at 17:24, Stefan Sperling wrote:
>>> On Wed, Sep 27, 2017 at 04:11:45PM +0200, Kamil Cholewiński wrote:
>>>> On Wed, 27 Sep 2017, Francois Pussault wrote:
>>>>> maybe installing a tool like xrandr ?
>>>>
>>>> Xrandr works only for X. I've skimmed wscons(4), wsdisplay(4),
>>>> wsconscfg(8), wsconsctl(8), nothing about rotation...
>>>
>>> In -current, the console is rotated counter-clockwise if the display
>>> isn't already upright:
>>> https://marc.info/?l=openbsd-cvs=150266331224832=2
>>> https://marc.info/?l=openbsd-cvs=150300131911666=2
>>>
>>> This behaviour is hard-coded and cannot be configured. It helps
>>> machines which need counter-clockwise rotation, but is not ideal
>>> because some machines need clockwise rotation instead. There are
>>> plans to auto-detect and use the correct rotation required in the
>>> future.
>>
>> And if I use a monitor in portrait orientation ?
>
> I have been using a monitor in portrait for many years and was never
> bothered by the console being the wrong way (X is rotated of course).
>
> In a rare situation where I need the console, I can make use of the
> laws of physics and turn the monitor upright with my hands and arms.
> This approach seems to work very reliably. I've never seen it fail.

It is not the game if you involve the invisible hand!

--
Stéphane Aulery
Re: regarding the default path for pkg_add in -current
On Wed, Sep 27, 2017 at 08:57:10PM -0600, and...@quickstick.net wrote:
> Hello Folks !!
>
> Regarding GENERIC.MP #115
>
> I have a feeling you are about to roll into 6.2, however I just want to
> bring the following to your attention in case it matters.
>
> I just did a clean install of -current using the bsd.rd dated 2017-09-27.
> Within the install sequence of questions, the default download path has been
> hardcoded to ../6.2/... as opposed to ../snapshots/..
>
> I manually changed it to ../snapshots/ and it installed as expected.
>
> Also, after login, pkg_add is very determined to use the same ../6.2/..
> directory path. For the benefit of others who might find themselves in the
> same spot, the workaround is to use the full path while using pkg_add. In my
> case, it is:
>
> $ doas pkg_add \
> https://ftp3.usa.openbsd.org/pub/OpenBSD/snapshots/amd64/pkgname

Unless you have good reasons to care about confidentiality, I'd advise
against https for pkg_add right now for performance reasons.
Re: relayd TLS load balancer for multiple websites
On 28 September 2017 at 06:32, mabi wrote:
> Thanks for the pointer regarding SNI not being supported in relayd. I will go
> on and find another solution, probably HAproxy.

For a small number of domains it would probably be feasible to get a
single certificate with multiple SANs. Letsencrypt at least supports
this as long as all of the domains map (or can be made to map) to the
place requesting the certificate.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
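The single-certificate approach suggested above only holds up if every hostname relayd routes on by "Host" header is also named in that certificate's SAN list. The following is an added example, not code from the thread: it checks a relayd.conf against a SAN list. The table names <site_a>/<site_b>, the sample rules and the SAN list are constructed, and the wildcard handling goes beyond what the thread discusses.

```python
import re

# Matches relayd.conf filter rules of the form used in this thread:
#   match request header "Host" value "www.example.com" forward to <table>
HOST_RULE = re.compile(
    r'^\s*(?:match|pass)\s+request\s+header\s+"Host"\s+value\s+"([^"]+)"'
    r'\s+forward\s+to\s+<([^>]+)>',
    re.IGNORECASE | re.MULTILINE,
)


def routed_hosts(relayd_conf):
    """Return {hostname: table} for every Host-header routing rule."""
    return {host.lower(): table for host, table in HOST_RULE.findall(relayd_conf)}


def san_matches(san, host):
    """Certificate name match: exact, or '*' as the whole left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        # A wildcard covers exactly one label: *.example.com matches
        # www.example.com, but not example.com or a.b.example.com.
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return False


def uncovered(relayd_conf, sans):
    """Hostnames relayd routes that the shared certificate does not cover.

    Clients asking for these names get a certificate mismatch, because
    without SNI the relay presents the same certificate to everyone.
    """
    return sorted(
        host for host in routed_hosts(relayd_conf)
        if not any(san_matches(san, host) for san in sans)
    )


def unrouted(relayd_conf, sans):
    """Names on the certificate that no Host rule mentions (stale entries)."""
    hosts = routed_hosts(relayd_conf)
    return sorted(
        san for san in sans
        if not any(san_matches(san, host) for host in hosts)
    )


# Constructed sample input: table names and domains are placeholders.
SAMPLE_CONF = '''
http protocol https {
	match request header "Host" value "example1.com" forward to <site_a>
	match request header "Host" value "www.example1.com" forward to <site_a>
	match request header "Host" value "example2.com" forward to <site_b>
	match request header "Host" value "shop.example2.com" forward to <site_b>
}
'''
# Constructed SAN list, as it would be read from the relay's certificate.
SAMPLE_SANS = ["example1.com", "*.example1.com", "example2.com"]

if __name__ == "__main__":
    for host in uncovered(SAMPLE_CONF, SAMPLE_SANS):
        print("routed but not on certificate:", host)
    for san in unrouted(SAMPLE_CONF, SAMPLE_SANS):
        print("on certificate but not routed:", san)
```

Running this before reloading relayd catches a Host rule added without reissuing the certificate.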
Re: Maintaining process clarification
Hi Ingo,

thanks for the note, please find my notes below,

>> Example: In 6.1
>
> I assume that means you are using -stable.
>
>> there is package openvpn-2.4.1, how updates to the package are
>> handled? If there is critical issue with the package, then
>> "openvpn-2.4.1" is updated or it get new version numbering?
>

yes, that is stable

> It gets a new version number, typically openvpn-2.4.1p0.
> If the fix is done via a new upstream release, the number
> may look something like openvpn-2.4.2.
>
> In this particular case, it actually is openvpn-2.4.3p1 in both
> -stable and -current.
>

actually in -stable i see only 2.4.1 , 2.4.3 is in snapshot

>> And yes - i know i can recompile by myself and i do not mind doing
>> that, but i would avoid recompiling almost all the time if there
>> is already process
>
> Using -stable, you will have to compile port updates yourself:
>
> https://www.openbsd.org/faq/faq15.html#PortsSecurity

so to get latest updates (binary) from the packages i should run -current ?

>
> Or use the third-party, but IMHO trustworthy third-party precompiled
> stable packages from MTier:
>
> https://stable.mtier.org/

thanks, i will check that out

> That said, use the manual pages and the FAQ before asking questions,
> and do not use web search engines to search for answers to questions
> regarding OpenBSD. Unlike in Linux, almost everything is documented
> precisely and concisely in the canonical places in the manual pages
> or FAQ, and documentation is almost always up to date.

yes, documentation quality is great, I need clarification on update
process as it is very different from linux distributions.

_
Zbyszek Żółkiewski
Re: Strange sed substitution removes text
On Mon, 25 Sep 2017 18:16:15 +, Martijn van Duren wrote:
> Let's just wait until Ingo has time to look into it. He's still on
> holiday in Paris, so it might be a few days.

Hi,

I already reported this issue three months ago, along with other related
and unrelated bugs; see my second message in this thread:

https://marc.info/?t=14969951951

As one can infer from reading any of these messages, this is far from
being the only unresolved problem with OpenBSD's sed, so I doubt it is
worth asking anyone to look particularly into this one more deeply; in
fact, the whole substitute() function is flawed in multiple other
aspects and, together with the rest of the program, which is likewise
either plain wrong or embarrassingly suboptimal in almost every possible
way, deserves no more than to be thrown away and rewritten.

Because of my personal need for a correct and elegant implementation,
this is exactly what I did in my local tree. Nevertheless, I have not
been too impatient to share my code here as no one seemed to care when I
mentioned it to tech@, but perhaps this freshly posted report could make
someone interested after all. (If so, however, I would still need to
take the time to write a fully fledged supporting justification before
submitting it, because, as I reckon, one does not simply reimplement sed
without explaining in depth why and how this had to be done.)

Regards,

kshe
Re: Maintaining process clarification
Hi Zbyszek,

Zbyszek wrote on Thu, Sep 28, 2017 at 11:43:35AM +0200:

> I am new to OpenBSD

Welcome.

> Example: In 6.1

I assume that means you are using -stable.

> there is package openvpn-2.4.1, how updates to the package are
> handled? If there is critical issue with the package, then
> "openvpn-2.4.1" is updated or it get new version numbering?

It gets a new version number, typically openvpn-2.4.1p0.
If the fix is done via a new upstream release, the number
may look something like openvpn-2.4.2.

In this particular case, it actually is openvpn-2.4.3p1 in both
-stable and -current.

> And yes - i know i can recompile by myself and i do not mind doing
> that, but i would avoid recompiling almost all the time if there
> is already process

Using -stable, you will have to compile port updates yourself:

https://www.openbsd.org/faq/faq15.html#PortsSecurity

Or use the third-party, but IMHO trustworthy third-party precompiled
stable packages from MTier:

https://stable.mtier.org/

If you use -current instead of stable, just updating to a newer
snapshot is sufficient:

https://www.openbsd.org/faq/faq5.html#Flavors

That said, use the manual pages and the FAQ before asking questions,
and do not use web search engines to search for answers to questions
regarding OpenBSD. Unlike in Linux, almost everything is documented
precisely and concisely in the canonical places in the manual pages
or FAQ, and documentation is almost always up to date.

Yours,
Ingo
Re: relayd TLS load balancer for multiple websites
Thanks for the pointer regarding SNI not being supported in relayd. I will go on and find another solution, probably HAproxy.

> Original Message
> Subject: Re: relayd TLS load balancer for multiple websites
> Local Time: September 28, 2017 3:02 PM
> UTC Time: September 28, 2017 1:02 PM
> From: mcmer-open...@tor.at
> To: mabi
> openbsd-misc
>
> m...@protonmail.ch (mabi), 2017.09.28 (Thu) 13:32 (CEST):
>> I was wondering if it is possible to use relayd as load balancer with
>> TLS termination for multiple different websites residing on different
>> server.
>
> With a public IP per website: yes. Else: no.
>
> reyk@, 2014-07-24, "no SNI yet"
> https://marc.info/?l=openbsd-misc=140621533620964
>
> recent thread:
> https://marc.info/?l=openbsd-misc=150599591326006
>
> Marcus
>
> btw, protonmail's "text/plain, base64, utf-8" reportedly keeps people
> from seeing these messages.
Re: relayd TLS load balancer for multiple websites
m...@protonmail.ch (mabi), 2017.09.28 (Thu) 13:32 (CEST):
> I was wondering if it is possible to use relayd as load balancer with
> TLS termination for multiple different websites residing on different
> server.

With a public IP per website: yes. Else: no.

reyk@, 2014-07-24, "no SNI yet"
https://marc.info/?l=openbsd-misc=140621533620964

recent thread:
https://marc.info/?l=openbsd-misc=150599591326006

Marcus

btw, protonmail's "text/plain, base64, utf-8" reportedly keeps people
from seeing these messages.
Re: relayd TLS load balancer for multiple websites
Thanks Bryan for your example. I saw in your example you only use the example.com domain. I would be using multiple domains such as example1.com, example2.com, exampleX.com, and so on. Would it also work in that case? Again I suppose here that I need to have all these different domains in one single SSL certificate file, right?

On the relayd.conf man page I read that the second "forward to" config parameter in a "relay" entity is used as backup in case the first "forward to" table is down. So one could think in your config that your second "forward to" would be used as your backup table.

Finally what is the purpose of setting the Connection HTTP header to close as you have here below?

match request header set "Connection" value "close"

> Original Message
> Subject: Re: relayd TLS load balancer for multiple websites
> Local Time: September 28, 2017 2:21 PM
> UTC Time: September 28, 2017 12:21 PM
> From: bryanlhar...@gmail.com
> To: mabi
> openbsd-misc
>
> Here is what I did, which I learned from the httpd & relayd book by Michael W
> Lucas (I recommend). I cannot remember why I set the top header options, I
> must have been trying to learn about them. The host ones are to figure out
> the site and send the connection to the table above.
>
> ext_addr="..."
> int_addr="127.0.0.1"
> vm1_addr="192.0.2.11"
> vm2_addr="192.0.2.12"
> vm3_addr="192.0.2.13"
> vm4_addr="192.0.2.14"
>
> table { $int_addr }
> table {
> $vm1_addr
> $vm2_addr
> $vm3_addr
> $vm4_addr
> }
>
> # Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
> http protocol https {
> # playing with these options
> match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-By" value
> "$SERVER_ADDR:$SERVER_PORT"
> match request header set "Keep-Alive" value "$TIMEOUT"
> match request header set "Connection" value "close"
>
> match request header "Host" value "website.example.com" forward to
> match request header "Host" value "example.com" forward to
> match request header "Host" value "www.example.com" forward to
>
> }
>
> relay wwwtls {
> # Run as a SSL/TLS accelerator
> listen on $ext_addr port 443 tls
> protocol https
>
> forward to port 80 check tcp
> forward to port 80 mode loadbalance check tcp
> }
>
> V/r,
> Bryan
>
> On Thu, Sep 28, 2017 at 7:32 AM, mabi wrote:
>
>> Hi,
>>
>> I was wondering if it is possible to use relayd as load balancer with TLS
>> termination for multiple different websites residing on different server.
>>
>> From reading the man page I understand that for this purpose I will need to
>> use one "relay" entity per website which will then have its own "http
>> protocol" entity. If this is correct, this means I will require one public
>> IP address per website which seems to me a bit a waste hence my asking.
>>
>> The alternative would be to have one "relay" entity but this means I can
>> only have one "http protocol" entity assigned to it from my understanding.
>> This also means that I would have to use one single SSL certificate
>> file which includes every CN for each of my website. My feeling tells me
>> that this does not sound good practice. Then how would relayd know that
>> website www.website1.com has to be forwarded to the hosts in and
>> that website www.website2.com has to be forwarded to the hosts in ?
>> Would you in the "http protocol" entity filter using the HTTP "Host" header
>> (such as SNI)?
>>
>> Sorry for all these questions but I am trying to find out the best way/good
>> practice to setup a relayd TLS load balancer for a different
>> websites/webapps/domains and can't find much documentation about this
>> specific case.
>>
>> Note here that I will be using the acme-client for all of the domains.
>>
>> Thanks for your input.
>>
>> Best,
>> Mabi
Re: FF vs. Chrome/Chromium
On Wed, 27 Sep 2017 16:44:01 +0200, Theo de Raadt wrote:

>> Firefox has W^X compliance and so runs with the secure defaults.
>
> it uses page aliasing, which is a shitty way of being compliant

Do you mean dual-mapping a.k.a. double-mapping? I found some old patches
using a temporary file and mmap w/ fd to achieve this, but they never
went in.

This blog:
https://jandemooij.nl/blog/2015/12/29/wx-jit-code-enabled-in-firefox/
suggests that it is simply switching between RW and RX using mprotect.

Can you please elaborate?

--
Made with Opera's e-mail program: http://www.opera.com/mail/
Re: relayd TLS load balancer for multiple websites
Here is what I did, which I learned from the httpd & relayd book by Michael W Lucas (I recommend). I cannot remember why I set the top header options, I must have been trying to learn about them. The host ones are to figure out the site and send the connection to the table above.

ext_addr="..."
int_addr="127.0.0.1"
vm1_addr="192.0.2.11"
vm2_addr="192.0.2.12"
vm3_addr="192.0.2.13"
vm4_addr="192.0.2.14"

table { $int_addr }
table {
	$vm1_addr
	$vm2_addr
	$vm3_addr
	$vm4_addr
}

# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
http protocol https {
	# playing with these options
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Keep-Alive" value "$TIMEOUT"
	match request header set "Connection" value "close"

	match request header "Host" value "website.example.com" forward to
	match request header "Host" value "example.com" forward to
	match request header "Host" value "www.example.com" forward to
}

relay wwwtls {
	# Run as a SSL/TLS accelerator
	listen on $ext_addr port 443 tls
	protocol https

	forward to port 80 check tcp
	forward to port 80 mode loadbalance check tcp
}

V/r,
Bryan

On Thu, Sep 28, 2017 at 7:32 AM, mabi wrote:

> Hi,
>
> I was wondering if it is possible to use relayd as load balancer with TLS
> termination for multiple different websites residing on different server.
>
> From reading the man page I understand that for this purpose I will need
> to use one "relay" entity per website which will then have its own "http
> protocol" entity. If this is correct, this means I will require one public
> IP address per website which seems to me a bit a waste hence my asking.
>
> The alternative would be to have one "relay" entity but this means I can
> only have one "http protocol" entity assigned to it from my understanding.
> This also means that I would have to use one single SSL certificate
> file which includes every CN for each of my website. My feeling tells me
> that this does not sound good practice. Then how would relayd know that
> website www.website1.com has to be forwarded to the hosts in and
> that website www.website2.com has to be forwarded to the hosts in
> ? Would you in the "http protocol" entity filter using the HTTP
> "Host" header (such as SNI)?
>
> Sorry for all these questions but I am trying to find out the best
> way/good practice to setup a relayd TLS load balancer for a different
> websites/webapps/domains and can't find much documentation about this
> specific case.
>
> Note here that I will be using the acme-client for all of the domains.
>
> Thanks for your input.
>
> Best,
> Mabi
relayd TLS load balancer for multiple websites
Hi,

I was wondering if it is possible to use relayd as load balancer with TLS termination for multiple different websites residing on different server.

From reading the man page I understand that for this purpose I will need to use one "relay" entity per website which will then have its own "http protocol" entity. If this is correct, this means I will require one public IP address per website which seems to me a bit a waste hence my asking.

The alternative would be to have one "relay" entity but this means I can only have one "http protocol" entity assigned to it from my understanding. This also means that I would have to use one single SSL certificate file which includes every CN for each of my website. My feeling tells me that this does not sound good practice. Then how would relayd know that website www.website1.com has to be forwarded to the hosts in and that website www.website2.com has to be forwarded to the hosts in ? Would you in the "http protocol" entity filter using the HTTP "Host" header (such as SNI)?

Sorry for all these questions but I am trying to find out the best way/good practice to setup a relayd TLS load balancer for a different websites/webapps/domains and can't find much documentation about this specific case.

Note here that I will be using the acme-client for all of the domains.

Thanks for your input.

Best,
Mabi
Re: Mount LUKS and truecrypt external volumes
On 2017-09-26, x9p wrote:
> Walking through ports i could not find alternatives to mount Linux LUKS
> encrypted storages and Truecrypt-compatible storages.

There aren't any in ports. It might be worth trying porting FUSE-based
implementations, though FUSE on OpenBSD is missing a few things so porting
might be a bit awkward, and it's not the most reliable thing in the world
ever, but it mostly works (at least it doesn't trigger panics all that often
any more).

If you want high quality FDE on OpenBSD, use softraid(4) crypto.
Re: Crypto softraid is supported on GPT/UEFI boot and not just on BIOS/MBR boot, right?
> On Wed, Sep 27, 2017 at 05:02:06PM -, ti...@openmailbox.org wrote:
..
>> What am I doing wrong, are there actually any installboot arguments that
>> could help me make it work?
>
> It looks like you're using GPT on both the physical and the
> softraid disk, correct?
>
> In my setup, I have GPT on the physical disk (sd0) but an MBR
> on the softraid volume. So perhaps try using an MBR on sd1 and
> see if that helps?
> I am poking in the dark here. No idea if that will work for you.

An MBR has a max of 2TB so over time the whole MBR thing needs to be
discontinued, right, however this is a smaller disk so having MBR inside
the softraid would work indeed.

I mostly chose softraid in the first place for symmetry.

I'll try make the softraid contain an MBR and let you know.

Indeed I'm on 6.1, so I see that's why I run BOOTX64 3.32 rather than the
newest BOOTX64 3.33 of -current. As soon as I try -current (or 6.2) I'll
retry the whole installation and let you know too.

Thanks again,
Tinker
Maintaining process clarification
Hi,

I am new to OpenBSD and after 15 years of work with linux i find OpenBSD as very refreshing experience among bloated server software platforms, so guys thanks for that.

My question is about updating packages using pkg_add -u , i am kind of confused about how it works.

Example: In 6.1 there is package openvpn-2.4.1, how updates to the package are handled? If there is critical issue with the package, then "openvpn-2.4.1" is updated or it get new version numbering? I have used to that distros add own numbering like 2.4.1_u1 and so on - to give a clue that package was updated/patched.

And yes - i know i can recompile by myself and i do not mind doing that, but i would avoid recompiling almost all the time if there is already process

thanks,

_
Zbyszek Żółkiewski
Re: FF vs. Chrome/Chromium
> On 27 Sep 2017, at 16:44, Theo de Raadt wrote:
>
> you really shouldn't be promising that to anyone. it might not happen,
> their design might not allow it.
>
> pledge in giant programs is very rare. chrome got LUCKY, and there is
> no evidence that firefox will also.

There was also another interesting presentation by Landry Breuil about
"7 years of maintaining firefox " with "- sandboxing w/ `pledge()` ?"

https://www.openbsd.org/papers/eurobsdcon2017_seven_years_of_maintaining_firefox.md

but not sure if recordings will be available.
Re: Can I rotate the framebuffer (e.g. using wsdisplay) in OpenBSD?
On Thu, Sep 28, 2017 at 08:48:31AM -, ti...@openmailbox.org wrote:
> In a world where such weird laptop manufacturers exist, OpenBSD
> having framebuffer rotation would fix the whole setup.

Yes, and as was already stated there are developers (not me) who plan
to do that work and might even generously share their results with all
of us. Just be patient, please.
Re: Can I rotate the framebuffer (e.g. using wsdisplay) in OpenBSD?
> On Thu, Sep 28, 2017 at 12:55:41AM +0200, Stéphane Aulery wrote:
..
>> And if I use a monitor in portrait orientation ?
>
> I have been using a monitor in portrait for many years and was never
> bothered by the console being the wrong way (X is rotated of course).
>
> In a rare situation where I need the console, I can make use of the
> laws of physics and turn the monitor upright with my hands and arms.
> This approach seems to work very reliably. I've never seen it fail.

If it's a laptop, the angle between the laptop (correctly oriented) and
the screen (oriented 90 degrees away from you) is 90 degrees, and you
would need to tilt your head 90 degrees instead (as the screen can't be
tilted), or tilt your hands 90 degrees while tilting the laptop 90
degrees too, or carry an external keyboard with you, in which case the
laptop but not me would need to be tilted.

In a world where such weird laptop manufacturers exist, OpenBSD having
framebuffer rotation would fix the whole setup.

But doing it with X is cool too of course, at the very least for now.
Re: Can I rotate the framebuffer (e.g. using wsdisplay) in OpenBSD?
On Thu, Sep 28, 2017 at 12:55:41AM +0200, Stéphane Aulery wrote:
> On 27/09/2017 at 17:24, Stefan Sperling wrote:
> > On Wed, Sep 27, 2017 at 04:11:45PM +0200, Kamil Cholewiński wrote:
> > > On Wed, 27 Sep 2017, Francois Pussault wrote:
> > > > maybe installing a tool like xrandr ?
> > >
> > > Xrandr works only for X. I've skimmed wscons(4), wsdisplay(4),
> > > wsconscfg(8), wsconsctl(8), nothing about rotation...
> >
> > In -current, the console is rotated counter-clockwise if the display
> > isn't already upright:
> > https://marc.info/?l=openbsd-cvs=150266331224832=2
> > https://marc.info/?l=openbsd-cvs=150300131911666=2
> >
> > This behaviour is hard-coded and cannot be configured. It helps
> > machines which need counter-clockwise rotation, but is not ideal
> > because some machines need clockwise rotation instead. There are
> > plans to auto-detect and use the correct rotation required in the
> > future.
>
> And if I use a monitor in portrait orientation ?

I have been using a monitor in portrait for many years and was never
bothered by the console being the wrong way (X is rotated of course).

In a rare situation where I need the console, I can make use of the
laws of physics and turn the monitor upright with my hands and arms.
This approach seems to work very reliably. I've never seen it fail.
Re: Crypto softraid is supported on GPT/UEFI boot and not just on BIOS/MBR boot, right?
On Wed, Sep 27, 2017 at 05:02:06PM -, ti...@openmailbox.org wrote:
> > On Wed, Sep 27, 2017 at 10:31:22AM -, ti...@openmailbox.org wrote:
> >> >> OpenBSD/amd64 BOOTX64 3.32

Are you running -current? (We would already know that if you had
included a dmesg -- tsk tsk).
In -current, boot is version "3.33", not "3.32".

> I then booted the machine (by typing "boot sr0a:/bsd" in the boot console
> again of course) and did "installboot -v sd1", and it gave:
>
> Using / as root
> installing bootstrap on /dev/rsd0c
> using first-stage /usr/mdec/biosboot, second-stage /usr/mdec/boot
> sd1: softraid volume with 1 disk(s)
> sd1: installing boot loader on softraid volume
> /usr/mdec/boot is 6 blocks x 16384 bytes
> copying /usr/mdec/BOOTIA32.EFI to
> /tmp/installboot.1lt1hgtQYa/efi/BOOT/BOOTIA32.EFI
> copying /usr/mdec/BOOTIX64.EFI to
> /tmp/installboot.1lt1hgtQYa/efi/BOOT/BOOTIX64.EFI
>
> Rebooting, that also did not help.

That looks OK, though. Passing the softraid disk is correct.

> I tried with "fdisk -e sd1" and disabling the 1 (EFI) partition by setting
> its type to 0 (so that installboot would not try to install any EFI files to
> sd1i) and then doing "installboot sd1", and that did not help too.
>
> What am I doing wrong, are there actually any installboot arguments that
> could help me make it work?

It looks like you're using GPT on both the physical and the
softraid disk, correct?

In my setup, I have GPT on the physical disk (sd0) but an MBR
on the softraid volume. So perhaps try using an MBR on sd1 and
see if that helps?
I am poking in the dark here. No idea if that will work for you.
Re: softraid crypto with keydisk and password
On Thu, Sep 28, 2017 at 04:15:20AM +0200, Erling Westenvik wrote:
> On Thu, Sep 28, 2017 at 09:11:49AM +1000, tomr wrote:
> > I remember seeing a post, I think on undeadly.org, which went through
> > having the bootloader on password-encrypted usb drive, that also
> > contains a keyfile for the main disk. It said something like "I also
> > wanted the laptop to appear broken, and the disk full of random data, if
> > the usb drive wasn't present - rather than stopping at a password prompt"
>
> Here you go:
>
> http://www.undeadly.org/cgi?action=article=20110530221728

Hi, I am the author of this undeadly article.

It is now very old and full of outdated information.
Follow this FAQ section instead:
http://www.openbsd.org/faq/faq14.html#softraid