Re: relayd as websocket proxy?

2018-05-05 Thread Ajitabh Pandey
Hello,

I am facing issues with running Jupyter notebook behind relayd. This is
most probably because of websockets proxy.

When I open a notebook, it's not able to connect to the kernel.


Searching on the net pointed me to this issue -
https://github.com/jupyter/notebook/issues/2664

The solution there is with an nginx configuration. I am not able to figure
out equivalent relayd config.

Any help here would be appreciated.

Here is my relayd config -
-
-

relayd_addr="0.0.0.0"
relayd_port="80"

jupyter_port="5000"
table  { 127.0.0.1 }

httpd_port="8000"
table  { 127.0.0.1 }

log all

http protocol "httpfilter" {
match header append "X-Forwarded-For" \
value "$REMOTE_ADDR"
match header append "X-Forwarded-By" \
value "$REMOTE_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"

### TCP performance options
tcp { nodelay, sack, socket buffer 65536, backlog 100 }

### Return HTTP/HTML error pages
return error

match request path "/ipython/*" forward to 
match request path "/" forward to 
}

relay http {
listen on $relayd_addr port $relayd_port
protocol "httpfilter"
forward to  port $jupyter_port mode loadbalance
forward to  port $httpd_port check tcp interval 60
}
-
-


Regards.
-- 
Ajitabh Pandey

On Mon, Apr 30, 2018 at 9:24 PM, Andre Ruppert  wrote:

> Hello @misc,
>
> is it possible to configure relayd to act as a websocket proxy with
> v6.2/v6.3?
>
> I set up relayd as ssl accelerator:
>
> excerpt from relayd.conf:
>
> 
> http protocol "httpfilter2" {
>
> tcp { nodelay, sack, socket buffer 65536, backlog 100 }
>
> return error
> match request header set "Connection" value "close"
> match header set "Keep-Alive" value "$TIMEOUT"
> match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> match request header append "X-Forwarded-By" value \
>   "$SERVER_ADDR:$SERVER_PORT"
>
> tls { tlsv1, ciphers "HIGH:!ADH:!NULL:!RC4:-ECDH:ECDHE" }
> }
> ...
>
> relay webrtc_wsc {
> listen on $webrtc_wsc_relayd_addr \
> port $webrtc_wsc_relayd_port tls
> protocol "httpfilter2"
> transparent forward to  port $webrtc_wsc_web_port \
> mode loadbalance http "/" code 200
> }
> ...
>
> valid .key and .crt-files are placed in /etc/ssl/private and /etc/ssl.
>
>
> First: "standard" SSL acceleration works fine without problems.
>
> Second: websocket connections don't  :-(
>
> As far I can see websocket upgrade messages (decoded in wireshark as
> "HTTP/1.1 101 Switching Protocols" packets) from the internal server are
> replaced by relayd with packets with the RST-flag set directed to the WAN
> client and the connection is closed.
>
>
> My head-scratching question:
> is this possible at all with relayd?
>
> Or do I have to switch to nginx?
>
>
> Regards
> Andre Ruppert
>
>
>
>


-- 
Ajitabh Pandey
http://ajitabhpandey.info/ | http://unixclinic.net/ |
http://buddingthoughts.info
ICQ - 150615062
Registered Linux User - 240748
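Added example, not code from the thread and not relayd code: it builds the RFC 6455 WebSocket handshake that a Jupyter kernel channel (or Andre's WebRTC signalling socket) needs to see intact on both sides of the relay, and shows what a rule such as `match request header set "Connection" value "close"` does to it. The host, path and sample nonce are illustrative; `proxy_set_header` only mimics a header-rewriting relay rule, and the function names are this example's own.

```python
"""Added example, not from the thread: build and check the RFC 6455
WebSocket upgrade handshake and show how a header-rewriting proxy rule
breaks it. Host, path and nonce are illustrative."""
import base64
import hashlib
import os
from typing import Dict, Optional, Tuple

# Fixed GUID from RFC 6455 section 1.3: the server appends it to the
# client's Sec-WebSocket-Key, SHA-1s the result and base64-encodes that.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(b64key: str) -> str:
    """Sec-WebSocket-Accept value a correct server must send for b64key."""
    digest = hashlib.sha1((b64key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def client_handshake(host: str, path: str,
                     nonce: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (request_text, base64_key) for a client upgrade request."""
    nonce = os.urandom(16) if nonce is None else nonce
    b64key = base64.b64encode(nonce).decode("ascii")
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {b64key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    )
    return request, b64key


def server_response(b64key: str) -> str:
    """The 101 a compliant backend (Jupyter, a WebRTC signaller) sends back."""
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {expected_accept(b64key)}\r\n"
        "\r\n"
    )


def parse_message(msg: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 head into (start_line, {lowercased name: value})."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def proxy_set_header(msg: str, name: str, value: str) -> str:
    """Mimic a relay rule like `match header set "Connection" value "close"`
    (illustrative stand-in, not relayd's own code)."""
    start, headers = parse_message(msg)
    headers[name.lower()] = value
    return start + "\r\n" + "".join(
        f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n"


def request_is_upgrade(request: str) -> bool:
    """True if the request still carries a valid upgrade after proxying."""
    _start, h = parse_message(request)
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    return h.get("upgrade", "").lower() == "websocket" and "upgrade" in tokens


def upgrade_ok(response: str, b64key: str) -> Tuple[bool, str]:
    """Check whether a (possibly proxied) response completes the upgrade."""
    status, h = parse_message(response)
    if not status.startswith("HTTP/1.1 101"):
        return False, f"unexpected status line {status!r}"
    if h.get("upgrade", "").lower() != "websocket":
        return False, "Upgrade header missing or rewritten"
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False, f"Connection header is {h.get('connection')!r}, not Upgrade"
    if h.get("sec-websocket-accept") != expected_accept(b64key):
        return False, "Sec-WebSocket-Accept does not match the key"
    return True, "ok"


if __name__ == "__main__":
    req, key = client_handshake("notebook.example", "/api/kernels/1/channels")
    print(request_is_upgrade(req), request_is_upgrade(
        proxy_set_header(req, "Connection", "close")))
    print(upgrade_ok(server_response(key), key))
    print(upgrade_ok(proxy_set_header(server_response(key), "Connection", "close"), key))
```

The two checks are the ones to run against a capture on each side of the relay: the request reaching the backend must still carry `Upgrade: websocket` with an `Upgrade` token in `Connection`, and the `101` coming back must still carry both plus a `Sec-WebSocket-Accept` derived from the client's key. Forcing `Connection: close` on the request removes the `Upgrade` token, so the backend answers with an ordinary response instead of `101`; forcing it on the response leaves the client unable to complete the handshake, which is what the kernel-not-connecting symptom looks like from the browser.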


Re: Troubleshooting rl instability on OpenBSD 6.1

2018-05-05 Thread Stuart Longland
On 01/05/18 21:30, Stuart Longland wrote:
> No corresponding log messages from the switch.
> 
> In any case, I've asked PC Engines about the voltage range of the APU2,
> having priced one for under the AU$600 mark.

Right, so a further update… I observed the errors came in bursts,
sometimes at particular times of the day.  During these times, nothing
else has connectivity issues, just the border router.

I wondered if it might be bursts of network activity on the main switch.
 The 240-12V 1.35A switchmode PSU in it was replaced with a Micrel
MIC29750 LDO which is set to regulate to 11.8V (within 3%), and is
capable of supplying 7.5A.

The mainboard of the Linksys LGS326AU features two switchmode PSUs that
regulate to 3.3V and 5V, everything in the switch runs off those two
power rails.  On paper, that *should* work fine, and for everything
else, it does.  Just this border router misbehaves with it.

As an experiment, I grabbed an old 10/100Mbps switch, hooked the main
switch and rl0 on the border router up to it.  I also hooked up a
TS-7670 to that same 10/100 switch.  If it's the main switch, I
shouldn't be able to ping either machine.

About 45 minutes later, I got a burst of errors from my cron job.
Pinging the border router yielded no reply, but I could still ping the
TS-7670.  I think that confirms hardware.

Disappointingly, I've not heard from PC Engines regarding the APU2 and
its power supply tolerance, but I've placed an order with Yawarra
Computers anyway, as it *looks* as if all the expensive bits that touch
12V can take 24V+.

If a 12V capacitor blows, well I have the schematics and a soldering
iron to replace that part.  Plus, the old border router is still there
even if not the most reliable.

When that arrives, I can look at getting OpenBSD 6.3 onto that, and
migrating my old config across.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: tap+bridge: arp reply not forwarded

2018-05-05 Thread Edgar Pettijohn
On Sat, May 05, 2018 at 11:37:07PM -0400, Xavier Guerin wrote:
> Hello list,
> 
> Working with a user-space TCP/IP stack, I tried to set up a local bridge
> between two taps, each tap being driven by a user-space client and
> server.
> 
> user-space <-> TAP0 <-> BRIDGE0 <-> TAP1 <-> user-space
> 
> I am interestingly stuck at the ARP discovery phase. When the client
> sends its ARP request, the server receives it and replies. However, the
> client never gets the reply back.
> 
> Some research indicated that since the client is getting an echoed
> version of its request, the bridge learns its address, preventing
> the reply from being forwarded.
> 
> Would my understanding be correct? If so, is there any way to correct
> this behavior?
> 
> Thanks,
> xavier
>

You could try adding your own arp entry with `arp -s' and see what happens.



Re: HTTPD and php-cgi

2018-05-05 Thread Duncan Patton a Campbell
On Sat, 5 May 2018 12:19:59 +0200
Martijn van Duren  wrote:

On Sat, 5 May 2018 08:48:23 +0200
Mischa Peters  wrote:

Hi Martijn, Mischa.  Thanks for you replies, from which 
I've figured out that the problem is I'm running sparc64
and the packages you refer to are not extant...  I guess
I'll have a go with ports and hopefully report back...

Thanks again.

Dhu

-- 
 I am Canadian. That is neither French nor English.  
 It is a kind of savage: do not forget, I scarcely call these things our own ;-) 

http://babayaga.neotext.ca/PublicKeys/Duncan_Patton_a_Campbell_pubkey.txt



Re: tap+bridge: arp reply not forwarded

2018-05-05 Thread Carlos Cardenas
On Sat, May 05, 2018 at 11:37:07PM -0400, Xavier Guerin wrote:
> Hello list,
> 
> Working with a user-space TCP/IP stack, I tried to set up a local bridge
> between two taps, each tap being driven by a user-space client and
> server.
> 
> user-space <-> TAP0 <-> BRIDGE0 <-> TAP1 <-> user-space
> 
> I am interestingly stuck at the ARP discovery phase. When the client
> sends its ARP request, the server receives it and replies. However, the
> client never gets the reply back.
> 
> Some research indicated that since the client is getting an echoed
> version of its request, the bridge learns its address, preventing
> the reply from being forwarded.
> 
> Would my understanding be correct? If so, is there any way to correct
> this behavior?
> 
> Thanks,
> xavier
> 

What version are you running?

I ask because of the following:
https://www.openbsd.org/errata63.html
https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/003_arp.patch.sig

+--+
Carlos



tap+bridge: arp reply not forwarded

2018-05-05 Thread Xavier Guerin
Hello list,

Working with a user-space TCP/IP stack, I tried to set up a local bridge
between two taps, each tap being driven by a user-space client and
server.

user-space <-> TAP0 <-> BRIDGE0 <-> TAP1 <-> user-space

I am interestingly stuck at the ARP discovery phase. When the client
sends its ARP request, the server receives it and replies. However, the
client never gets the reply back.

Some research indicated that since the client is getting an echoed
version of its request, the bridge learns its address, preventing
the reply from being forwarded.

Would my understanding be correct? If so, is there any way to correct
this behavior?

Thanks,
xavier



User-space TCP/IP testing with tap, bridge and PF

2018-05-05 Thread Xavier Guerin
Hello list,

I am developing a userspace TCP/IP stack. Most of the time on my
servers I use special NICs and API to bypass the kernel. When on the go
I'd like to do the same on my OpenBSD dev laptop.

I chose to use tap + bridge and some PF-fu to try to make it work, but
after several fruitless hours i am stumped. Here is my setup:

userspace <-> tap0 <-> bridge0 <-> iwm0 

TAP0 is left unconfigured (except for link0). No route is present for
my userspace stack. I added the following in pf.conf to get out to the
Internet:

> pass out on $lan_if proto tcp from 10.1.0.1 to any nat-to ($lan_if:0)

10.1.0.1 being my userspace stack's IP.

I've gone as far as having one of my packets sent to its destination
address and come back to iwm0. Then, OpenBSD does the reverse
translation and schleps the packet back on the bridge.

However, because of the lack of a route to my userspace stack, OpenBSD
uses the default route's MAC, which is not the one for my tap0 device,
and therefore the packet never reaches its destination through bridge0.

I tried to add a static route for the userspace stack's IP but I don't
seem to be able to do that (route fails with "address unreachable" or
"invalid argument" when specifying either the device or the link
address).

Is my approach correct? If so, how do I get OpenBSD to use the proper
MAC address on the return path?

Thanks!
xavier



compiling ardour -lexecinfo issues

2018-05-05 Thread Ken M
Maybe this should go to ports@ but not sure I am near there yet.

So I am trying to compile the latest ardour on 6.3, got through compiling
rubberband and aubio and now well I am stuck here:

./waf configure --boost-include=/usr/local/include
Setting top to   : /home/superfly/git/ardour 
Setting out to   : /home/superfly/git/ardour/build 
Checking for 'gcc' (c compiler)  : /usr/bin/gcc 
Checking for 'g++' (c++ compiler): /usr/bin/g++ 

Global Configuration 
 * Install prefix: /usr/local 
  * Debuggable build  : True 
   * Build documentation   : False 

   Ardour Configuration 
* Will build against private GTK dependency stack   : no 
 * Will rely on libintl built into libc  : yes 
  * Will build against private Ardour dependency stack : no 
  Checking for boost library >= 1.39   : ok 
  Checking for program pkg-config  : 
/usr/bin/pkg-config 
  Checking for 'glib-2.0' >= 2.28  : yes 
  Checking for 'gthread-2.0' >= 2.2: yes 
  Checking for 'glibmm-2.4' >= 2.32.0  : yes 
  Checking for 'sndfile' >= 1.0.18 : yes 
  Checking for 'giomm-2.4' >= 2.2  : yes 
  Checking for 'libcurl' >= 7.0.0  : yes 
  Checking for 'libarchive' >= 3.0.0   : yes 
  Checking for 'liblo' >= 0.26 : yes 
  Checking for 'taglib' >= 1.6 : yes 
  Checking for 'vamp-sdk' >= 2.1   : yes 
  Checking for 'vamp-hostsdk' >= 2.1   : yes 
  Checking for 'rubberband': yes 
  Checking for  sndfile RF64=>RIFF support : Found 
  Checking for clang   : no 

  Warning: you are building Ardour with SSE support even though your 
system
  does not support these instructions. (This may not be an error, 
especially
  if you are a package maintainer)
  hidapi is not yet available for the given system
  Checking for 'fftw3f': yes 
  Checking for 'aubio' >= 0.3.2: yes 
  Checking for 'aubio' >= 0.4.0: yes 
  Checking for 'libxml-2.0': yes 
  Checking for 'sigc++-2.0' >= 2.0 : yes 
  Checking for function getmntent  : not found 
  Checking for header execinfo.h   : not found 
  Checking for header unistd.h : not found 
  Checking for function posix_memalign : no 
  Checking for function localtime_r: not found 
  Checking for header boost/shared_ptr.hpp : not found 
  The configuration failed
  (complete log in /home/superfly/git/ardour/build/config.log)

Tail from the config.log:

[2/2] cxxprogram: 
build/.conf_check_c02c9165785b1b8132b54a498262d87b/testbuild/test.cpp.1.o -> 
build/.conf_check_c02c9165785b1b8132b54a498262d87b/testbuild/testprog

['/usr/bin/g++', '-lexecinfo', 'test.cpp.1.o', '-o', 
'/home/superfly/git/ardour/build/.conf_check_c02c9165785b1b8132b54a498262d87b/testbuild/testprog',
 '-Wl,-Bstatic', '-Wl,-Bdynamic']
err: /usr/bin/ld: cannot find -lexecinfo
collect2: ld returned 1 exit status

from /home/superfly/git/ardour/libs/pbd: Test does not build: Traceback (most 
recent call last):
  File 
"/home/superfly/git/ardour/.waf-1.6.11-06ee4b7efbeab1252ed3b11499834d2a/waflib/Tools/c_config.py",
 line 447, in run_c_code
bld.compile()
  File 
"/home/superfly/git/ardour/.waf-1.6.11-06ee4b7efbeab1252ed3b11499834d2a/waflib/Build.py",
 line 190, in compile
raise Errors.BuildError(self.producer.error)
BuildError: Build failed
 -> task in 'testprog' failed (exit status 1):
{task 29862752065616: cxxprogram test.cpp.1.o -> testprog}
['/usr/bin/g++', '', '-lexecinfo', 'test.cpp.1.o', '-o', 
'/home/superfly/git/ardour/build/.conf_check_c02c9165785b1b8132b54a498262d87b/testbuild/testprog',
 '-Wl,-Bstatic', '-Wl,-Bdynamic']

not found
from /home/superfly/git/ardour/libs/pbd: The configuration failed

Sanity check:

ll /usr/local/lib/libexecinfo*
-rw-r--r--  1 root  bin  43940 Mar 27 11:52 /usr/local/lib/libexecinfo.a
-rw-r--r--  1 root  bin  45620 Mar 27 11:52 /usr/local/lib/libexecinfo.so.2.0
-rw-r--r--  1 root  bin  44868 Mar 27 11:52 /usr/local/lib/libexecinfo_p.a


So kind of drawing a blank of where to go next to resolve this.

Ken



6.3 - dhclient not working on wireless

2018-05-05 Thread Riccardo Mottola

Hi,

I upgraded to 6.3 and I cannot connect to a certain WiFi network 
anymore, or, better, ifconfig says it is connected and the LED says it 
is too, but then dhclient fails to get a lease from it.
I can connect to the same network through wired ethernet and dhclient 
correctly gets an address from the same router.


What is going wrong? can I enable some further information?

Here you can see ifconfig "active":
wpi0: flags=8843 mtu 1500
    lladdr 00:13:02:9a:52:1b
    index 2 priority 4 llprio 3
    groups: wlan
    media: IEEE802.11 autoselect (DS1 mode 11g)
    status: active
    ieee80211: nwid westernesse chan 10 bssid f8:d1:11:b9:07:2a 
-16dBm nwkey


(getting very near to the access point doesn't help either).
 dhclient -v wpi0
wpi0: DHCPDISCOVER - interval 1
wpi0: DHCPDISCOVER - interval 1
wpi0: DHCPDISCOVER - interval 1
wpi0: DHCPDISCOVER - interval 1
wpi0: DHCPDISCOVER - interval 1
wpi0: DHCPDISCOVER - interval 1
wpi0: DHCPDISCOVER - interval 1
wpi0: DHCPDISCOVER - interval 1
wpi0: DHCPDISCOVER - interval 1
wpi0: DHCPDISCOVER - interval 1
wpi0: no lease ... sleeping

what's going wrong? how can I get more information?
It used to work: I have a small shell script I launch so i know I did 
not change anything, nor did the network configuration change.


Thanks,

Riccardo


Mandatory dmesg:
OpenBSD 6.3 (GENERIC.MP) #491: Sat Mar 24 14:38:11 MDT 2018
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Genuine Intel(R) CPU T2500 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,SSE3,MWAIT,VMX,EST,TM2,xTPR,PDCM,PERF,SENSOR

real mem  = 3219472384 (3070MB)
avail mem = 3146792960 (3001MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 04/01/10, BIOS32 rev. 0 @ 0xfd6b0, SMBIOS rev. 
2.4 @ 0xe0010 (68 entries)

bios0: vendor LENOVO version "79ETE6WW (2.26 )" date 04/01/2010
bios0: LENOVO 2007WRU
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET BOOT SSDT SSDT 
SSDT SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) EXP0(S4) EXP1(S4) EXP2(S4) 
EXP3(S4) PCI1(S4) USB0(S3) USB1(S3) USB2(S3) USB7(S3) HDEF(S4)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 166MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Genuine Intel(R) CPU T2500 @ 2.00GHz ("GenuineIntel" 686-class) 2 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,SSE3,MWAIT,VMX,EST,TM2,xTPR,PDCM,PERF,SENSOR

ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
, remapped to apid 1
acpimcfg0 at acpi0 addr 0xf000, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (AGP_)
acpiprt2 at acpi0: bus 2 (EXP0)
acpiprt3 at acpi0: bus 3 (EXP1)
acpiprt4 at acpi0: bus 4 (EXP2)
acpiprt5 at acpi0: bus 12 (EXP3)
acpiprt6 at acpi0: bus 21 (PCI1)
acpicpu0 at acpi0: !C3(100@57 io@0x1016), !C2(500@1 io@0x1014), 
C1(1000@1 halt), PSS
acpicpu1 at acpi0: !C3(100@57 io@0x1016), !C2(500@1 io@0x1014), 
C1(1000@1 halt), PSS

acpipwrres0 at acpi0: PUBS, resource for USB0, USB2, USB7
acpitz0 at acpi0: critical temperature is 127 degC
acpitz1 at acpi0: critical temperature is 99 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
"IBM0057" at acpi0 not configured
"IBM0071" at acpi0 not configured
"ATM1200" at acpi0 not configured
acpibat0 at acpi0: BAT0 model "92P1137" serial   121 type LION oem "SANYO"
acpiac0 at acpi0: AC unit offline
acpithinkpad0 at acpi0
acpidock0 at acpi0: GDCK not docked (0)
acpivideo0 at acpi0: VID_
acpivout0 at acpivideo0: LCD0
acpivideo1 at acpi0: VID_
acpivout at acpivideo1 not configured
bios0: ROM list: 0xc/0xfe00 0xd/0x1000 0xd1000/0x1000 
0xdc000/0x4000! 0xe/0x1!

cpu0: Enhanced SpeedStep 1995 MHz: speeds: 2000, 1667, 1333, 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945GM Host" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82945GM PCIE" rev 0x03: apic 1 int 16
pci1 at ppb0 bus 1
radeondrm0 at pci1 dev 0 function 0 "ATI Radeon Mobility X1400" rev 0x00
drm0 at radeondrm0
radeondrm0: apic 1 int 16
azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x02: msi
azalia0: codecs: Analog Devices AD1981HD, Conexant/0x2bfa, using Analog 
Devices AD1981HD

audio0 at azalia0
ppb1 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02: apic 1 int 20
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 "Intel 82573L" rev 0x00: msi, address 
00:15:58:2e:43:6c

ppb2 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x02: apic 1 int 21
pci3 at ppb2 bus 3
w

Re: cloning to smaller hard disk

2018-05-05 Thread Tuyosi T
> Your initial system and final system were One Big Partition layouts --


About this, I did it on Linux previously.

namely
 (cd /m1;tar cvpf -  altroot  )  |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  bin  )   |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  boot  )  |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  bsd  )   |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  bsd.rd  )   |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  dev  )   |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  etc  )|  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  grub  )  |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  home  ) |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  m-sd2  )|  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  mnt  )   |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  root  )  |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  sbin  )  |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  sys  )   |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  tmp  )  |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  usr  )   |  (cd /m2 ; tar xpf - )
 (cd /m1;tar cvpf -  var  )   |  (cd /m2 ; tar xpf - )

But this is too complex to do, so I simplified it: the test OpenBSD HDD
has only one big partition, a.
Because my PC has 10GB of memory, it does not need swap.

regards


Re: Machine won't boot - softraid metadata version mismatch

2018-05-05 Thread Brandon Tanner
Thank you so much Erling! With your help, I was able to comment out my
existing volumes with the "ed" editor (thanks for showing me that, what a
strange editor), and rescue everything with rsync from my OS drive (mostly
/etc and /root), then do a fresh install of 6.3 (with my raid drives
unplugged as Stuart Henderson suggested), and my softraid volumes are now
back online. I opted to do the fresh install because I already know how to
upgrade, and don't have the time for that process. My machine was a 5.0
originally, and I had upgraded it to 5.4 over the years, but when I got
married, somehow I lost time for regular upgrades, and instead have only
been doing the errata patches. I learned an important lesson when booting
with a "Live USB" drive, I never would have thought it would touch my local
system, but I guess when I think about it it makes sense. Now the only
issue is that my Samba shares are not all working, it seems there is a big
difference in Samba 4 from 3, regarding the use of guest accounts. I'll
figure it out soon. I really appreciate all the replies though, I probably
couldn't have restored my system without everyone's help! Thanks again.

On Thu, May 3, 2018 at 12:09 PM, Erling Westenvik <
erling.westen...@gmail.com> wrote:

> On Thu, May 03, 2018 at 10:51:12AM -0500, Brandon Tanner wrote:
> > I haven't posted here in years, and OpenBSD has been rock solid for a
> home
> > file server. However recently I somehow made the machine un-bootable and
> > I'm kicking myself for it now. I've tried to google my heart out to fix
> > this issue, but I doubt it is very common based on my searches.
>
> Don't panic.
>
> > My machine is OpenBSD 5.4, and has 2 x raid1 softraid with 4 disks, and a
> > 5th disc for the OS only.
> >
> > So I was wanting to try out the latest kernel to see if sysctl hw.sensors
> > would report my motherboard fan sensors since 5.4 does not, so I made a
> > bootable USB live-stick using 6.3, based on this article (
> > http://astro-gr.org/openbsd-live-usb-stick/) which says to prepare the
> > machine in QEMU and then dd it to a usb flash drive. I was able to boot
> the
> > USB stick fine, and run sysctl, and nope, my fan sensors are not there in
> > 6.3 either.
> >
> > Now, when I removed the stick and booted the old system (5.4), it now
> won't
> > boot. The complaint is that my softraid volumes have a metadata version
> > that is newer than it should be. I guess the live-USB stick actually
> > upgraded them somehow.
>
> Quoting https://www.openbsd.org/faq/upgrade60.html:
>
> "softraid(4) metadata version changed. The current softraid metadata
> version has been incremented as part of implementing support for sector
> sizes other than 512 bytes. Since on-disk metadata is automatically
> updated every time a softraid volume is mounted, once you mount a
> softraid volume on a new kernel (including bsd.rd) that volume will no
> longer be recognized by older kernels."
>
> As I see it, you have two options:
>
> 1. Upgrade your system to at least 6.0, carefully upgrading version by
>version and following the steps for each upgrade guide:
>
> 5.4 -> 5.5
> 5.5 -> 5.6
> 5.6 -> 5.7
> 5.7 -> 5.8
> 5.8 -> 5.9
> 5.9 -> 6.0
> 6.0 -> 6.1
> 6.1 -> 6.2
> 6.2 -> 6.3
>
> 2. Do a fresh install of 6.3.
>
> I would go for option 1. It takes time but you'll learn a lot during the
> process, and in the end it may take you just as long to fine tune a
> fresh install.
>
> > The error is basically:
> > softraid0: cannot read metadata version 6 on sd1a, expected version 5 or
> > earlier
> >
> > Full Pictures of it are here:
> > https://imgur.com/a/jYhVwra
>
> Which tells us that your OS disk is probably just fine. If you comment
> out the raid volumes from /etc/fstab, you won't get any complaints,
> right?
>
> > It looks like this person has a similar experience:
> > http://openbsd-archive.7691.n7.nabble.com/softraid-not-
> bootable-in-5-4-after-visiting-5-5-td253121.html#a253330
> >
> > At this point I'm not sure what to do, and I'm afraid to guess at options
> > for fear of losing my data. My gut feeling is that I can probably fix
> this
> > or put a new O/S drive in and install 6.3 on it fresh, and somehow get my
> > softraid volumes back up on it. But I wanted to run that theory by you
> all
> > first.
> >
> > Thanks,
> > Brandon
>
> Good luck.
>
> Regards,
>
> Erling
>


Re: Suspend on Lenovo T440

2018-05-05 Thread Ken M
Theo also sent me a message to disable TPM as well as the fingerprint reader in
the BIOS. Compiling so I haven't rebooted to try it yet. But will, thank you.

Ken

On Sat, May 05, 2018 at 12:54:03PM -0300, Daniel Bolgheroni wrote:
> On Sat, May 05, 2018 at 03:14:32PM +, Ken M wrote:
> > So I recently picked up a Lenovo T440 for a good price to use as my OpenBSD 
> > road
> > warrior and replace the aging Toshiba I was using. Everything works but 2
> > things:
> > 
> > 1. Bluetooth of course
> > 2. Resume from suspend on lid close
> > 
> > I am writing because of number 2. For now I have disabled suspend on lid 
> > close
> > but I was wondering if other T440 users might have gotten suspend and 
> > resume on
> > lid close and open to work for another option on this computer.
> 
> Please check if this helps you:
> 
> https://marc.info/?l=openbsd-misc&m=152230308012611&w=2
> 
> -- 
> db



Re: Suspend on Lenovo T440

2018-05-05 Thread Daniel Bolgheroni
On Sat, May 05, 2018 at 03:14:32PM +, Ken M wrote:
> So I recently picked up a Lenovo T440 for a good price to use as my OpenBSD 
> road
> warrior and replace the aging Toshiba I was using. Everything works but 2
> things:
> 
> 1. Bluetooth of course
> 2. Resume from suspend on lid close
> 
> I am writing because of number 2. For now I have disabled suspend on lid close
> but I was wondering if other T440 users might have gotten suspend and resume 
> on
> lid close and open to work for another option on this computer.

Please check if this helps you:

https://marc.info/?l=openbsd-misc&m=152230308012611&w=2

-- 
db



Suspend on Lenovo T440

2018-05-05 Thread Ken M
So I recently picked up a Lenovo T440 for a good price to use as my OpenBSD road
warrior and replace the aging Toshiba I was using. Everything works but 2
things:

1. Bluetooth of course
2. Resume from suspend on lid close

I am writing because of number 2. For now I have disabled suspend on lid close
but I was wondering if other T440 users might have gotten suspend and resume on
lid close and open to work for another option on this computer.

Ken



Re: Can SSH report successful connections to pf?

2018-05-05 Thread Luke Small
Cool!
On Sat, May 5, 2018 at 3:17 AM Andreas Kusalananda Kähäri <
andreas.kah...@icm.uu.se> wrote:

> On Fri, May 04, 2018 at 11:56:33PM +, Kapfhammer, Stefan wrote:
> >
> > You might want to parse /var/log/authlog and the logrotated
> authlog.[0-9].gz
> > for successful and unsuccessful logins and then add the unsuccessful
> logins
> > with pfctl to a blocked table. To have it permanent after a reboot you
> can write
> > with pfctl the blocked ip's to a file, which you re-read in a pf.conf
> ruleset.
> >
> > Like
> > table  persist file "/etc/pf.bruteforce"
> > block in quick proto tcp from  to any
> >
> > Stefan
>
> This is *exactly* what sshguard does.  I have an updated
> security/sshguard port (previously posted to the ports list) that
> understands our sshd's log output, but it has not yet been committed.
> There is currently some kind of issue with it preventing it from
> starting at boot (but always starts with "rcctl start sshguard").  I
> haven't looked too deeply at that yet though.
>
> Regards,
>
>
> --
> Andreas Kusalananda Kähäri,
> National Bioinformatics Infrastructure Sweden (NBIS),
> Uppsala University, Sweden.
>


Re: adb 5.1.1.4 and Android 8 and 8.1

2018-05-05 Thread Dmitry Orlov
Ping? 

On 16 April 2018 at 12:22:22 GMT+05:00, "dmitry.sensei"  
wrote:
>Hi!.
>
>The current version of the adb does not work with Android 8.0
>
>
>In Linux, I updated the version of the utilities to the latest version.
>
>Can someone compile the latest version for OpenBSD?
>
>-- 
>Dmitry Orlov

-- 
Sorry for the brevity, sent from K-9 Mail.


Best testcases for SSHD when fuzzing with afl?

2018-05-05 Thread Hess THR
Hello, 

So far I found these testcases for the input directory of afl when I am fuzzing 
the OpenBSD OpenSSHD:

git clone https://github.com/openbsd/src.git
find src/ -type f | grep -i regress | grep -i ssh | grep -i testdata

But the question: does anybody have more? Or better? Any idea how to have more 
and better quality testcases? 

http://lcamtuf.coredump.cx/afl/
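Added example, not part of the post: the seed-gathering step in Python. It does what the `find | grep` pipeline above does, then drops byte-identical duplicates and oversized files and writes the survivors smallest-first into an afl input directory (afl mutates small seeds much faster, and duplicate seeds only waste queue slots; `afl-cmin` is still the tool to run afterwards for coverage-based minimisation). The demo source tree, its file contents and the function names are this example's own.

```python
"""Added example, not from the post: gather seed inputs for afl's input
directory the way the find|grep pipeline does, drop byte-identical
duplicates and oversized files, and write the survivors smallest-first.
The demo tree, file contents and function names are constructed."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Sequence, Tuple


def collect_testdata(root: str,
                     needles: Sequence[str] = ("regress", "ssh", "testdata")) -> List[str]:
    """find root -type f | grep -i regress | grep -i ssh | grep -i testdata"""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            low = path.lower()
            if all(n in low for n in needles):
                hits.append(path)
    return sorted(hits)


def dedupe_seeds(files: Dict[str, bytes], max_bytes: int) -> List[Tuple[str, bytes]]:
    """Keep one file per distinct content, skip empty or oversized ones,
    smallest first."""
    seen = set()
    kept: List[Tuple[str, bytes]] = []
    for name, data in sorted(files.items(), key=lambda kv: (len(kv[1]), kv[0])):
        if not data or len(data) > max_bytes:
            continue
        digest = hashlib.sha256(data).digest()
        if digest in seen:
            continue                        # same bytes already queued
        seen.add(digest)
        kept.append((name, data))
    return kept


def build_corpus(root: str, outdir: str, max_bytes: int = 8192) -> List[str]:
    """Copy the deduplicated seeds into outdir; returns the names written."""
    files: Dict[str, bytes] = {}
    for path in collect_testdata(root):
        with open(path, "rb") as fh:
            files[path] = fh.read()
    os.makedirs(outdir, exist_ok=True)
    written = []
    for i, (src, data) in enumerate(dedupe_seeds(files, max_bytes)):
        name = f"{i:04d}_{os.path.basename(src)}"   # unique, still traceable
        with open(os.path.join(outdir, name), "wb") as fh:
            fh.write(data)
        written.append(name)
    return written


def demo() -> Dict[str, List[str]]:
    """Build a constructed mini source tree in a temp dir and run the steps."""
    root = tempfile.mkdtemp()
    try:
        td = "src/regress/usr.bin/ssh/unittests/sshkey/testdata"
        samples = {                         # constructed, not real key files
            f"{td}/rsa_1": b"A" * 10,
            f"{td}/rsa_1.pub": b"A" * 10,   # duplicate content
            f"{td}/dsa_1": b"B" * 5,
            f"{td}/big": b"C" * 20000,      # over the size cap
            "src/usr.bin/ssh/ssh.c": b"int main(void) { return 0; }",
        }
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        hits = collect_testdata(root)
        return {
            "hits": [os.path.basename(p) for p in hits],
            "written": build_corpus(root, os.path.join(root, "in")),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

For a real checkout, call `build_corpus("src", "in")` and then run `afl-cmin` over `in/` against the harness before starting `afl-fuzz`; the size cap is deliberately low because the regress test data contains whole key files and certificates, and afl gets far more out of a few hundred small distinct inputs than out of a handful of large ones.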



Re: HTTPD and php-cgi

2018-05-05 Thread Martijn van Duren
Hello Duncan,

On 05/05/18 03:23, Duncan Patton a Campbell wrote:
> 
> I am looking for documentation on running php-cgi-5.6 under the bsd httpd 
> server.
> 
> From what I can tell, the function of php-fastcgi has been subsumed to 
> php-cgi-5.6, 
> but further than that I can find little or no salient documentation.  Any 
> pointers
> would be appreciated.
> 
> Thanks,
> 
> Dhu
> 
This is exactly the reason why php-fastcgi was renamed to php-cgi. The
old php-fastcgi contained what is normally called the php-cgi binary,
which also contains *some* fastcgi functionality, but is *not* the
recommended way to run php in fastcgi mode.

The recommended way to run php in fastcgi mode is php-fpm, which is
included in the php main package. You can start this daemon by
running `rcctl start php${PHP_VERSION}_fpm`. This will make php-fpm
listen on its socket, which can be set via the listen statement in
/etc/php-fpm.conf (by default it's /var/www/run/php-fpm.sock).

Once you have php-fpm up and running you can connect to it through httpd
with the "fastcgi socket /run/php-fpm.sock" command in the
appropriate "location" block. See httpd.conf(5) for more
information.

Hope this helps.

martijn@



Re: Can SSH report successful connections to pf?

2018-05-05 Thread Peter N. M. Hansteen
On 05/05/18 01:56, Kapfhammer, Stefan wrote:
> 
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> for successful and unsuccessful logins and then add the unsuccessful logins
> with pfctl to a blocked table. To have it permanent after a reboot you can 
> write
> with pfctl the blocked ip's to a file, which you re-read in a pf.conf ruleset.
> 
> Like
> table  persist file "/etc/pf.bruteforce"
> block in quick proto tcp from  to any

The problem here is what logon attempt frequency and which number of
simultaneous connections you set as acceptable.

You *will* at some point end up blocking yourself based on those
criteria, even more certainly so if you're chasing the relatively slow
attackers, and if you allow password logins at all, valid users will
occasionally mistype their passwords.

For those reasons, I ended up with a regime that block drops according
to something like

# ---
table  persist counters file "/var/tmp/bruteforce"

block drop log (all) quick from  label bruteforce

pass in quick log (all) on egress proto tcp to port ssh flags S/SA keep
state \
(max-src-conn 15, max-src-conn-rate 2/10, overload 
flush global, pflow)

and just because I can, 28 day expiry, and a cron job that dumps table
contents to file at reasonable intervals.

The bruteforce table is never empty, and the bulk of the miscreants will
be caught this way. After trying various fully automatic variants
that all bit back in various ways, I ended up  determining that scanning
the logs manually when I have time (typically once or twice per day) was
sufficient to catch the rest. Then I add to the bruteforce table and
harvest local parts for the spamtraps.

Some of my scribbles on this can be found at
https://bsdly.blogspot.no/2017/04/forcing-password-gropers-through.html
and
http://bsdly.blogspot.com/2013/10/the-hail-mary-cloud-and-lessons-learned.html
(with references)

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Can SSH report successful connections to pf?

2018-05-05 Thread Stuart Henderson
On 2018-05-04, Kapfhammer, Stefan  wrote:
>
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz

This wheel has been invented several times, if someone wants to make
their own they should study revisions to past designs as there have
been some nasty problems fixed along the way.

Rather than parsing authlog from disk, it's better to have syslogd
pipe to a command instead.
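One way to do what Stuart describes, as an added example written for this page rather than code from any poster or from sshguard: a script meant to sit behind a syslogd pipe entry (assumed form `auth.info |/usr/local/sbin/sshwatch`; check syslog.conf(5) on your release), counting sshd failures per source address, forgetting them again on a successful login (the thing the thread asks sshd to report), exempting your own networks so the self-lockout Peter and Étienne describe does not bite, and handing back the pfctl command instead of running it so the policy can be exercised offline. The table name `bruteforce`, the thresholds and the exempt ranges are assumptions, and the log lines in the comments are constructed.

```python
"""Count sshd authentication failures per source and decide when to add
the source to a pf table.  Added example for this thread, not code from
any poster or from sshguard.

Assumed deployment (verify against syslog.conf(5) on your release):

    auth.info   |/usr/local/sbin/sshwatch

so syslogd feeds sshd messages to stdin and nothing reads /var/log/authlog
from disk.  The pf side is assumed to carry  table <bruteforce> persist.
"""
import ipaddress
import re
import subprocess
import sys
import time
from collections import defaultdict, deque

TABLE = "bruteforce"      # assumed pf table name
MAX_FAILURES = 5          # assumed: failures inside WINDOW seconds before blocking
WINDOW = 600              # assumed
# Sources that are never blocked, so a mistyped password from the admin's own
# network cannot lock you out.  Assumed ranges; put your own here.
NEVER_BLOCK = (ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("2001:db8:1::/48"))

# Constructed sample lines in sshd's format:
#   ... sshd[1234]: Failed password for root from 203.0.113.9 port 50000 ssh2
#   ... sshd[1234]: Invalid user admin from 203.0.113.9 port 50001
#   ... sshd[1234]: Accepted publickey for peter from 192.0.2.5 port 40000 ssh2: ED25519 SHA256:...
ENDPOINT = re.compile(r" from (\S+) port (\d+)")
FAILED = re.compile(r"sshd\[\d+\]: (?:Failed \S+ for|Invalid user) ")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for ")


def parse(line):
    """Return ("fail" | "ok", address) for an sshd auth message, else None.

    The address is taken from the *last* "from ... port ..." pair: the login
    name precedes it in sshd's format, so a name crafted to read like
    "x from 203.0.113.9 port 22" cannot make us block the wrong host.
    Anything that is not a valid IP literal is rejected.
    """
    if FAILED.search(line):
        kind = "fail"
    elif ACCEPTED.search(line):
        kind = "ok"
    else:
        return None
    pairs = ENDPOINT.findall(line)
    if not pairs:
        return None
    try:
        addr = ipaddress.ip_address(pairs[-1][0])
    except ValueError:
        return None
    return kind, str(addr)


class SshWatch:
    def __init__(self, table=TABLE, max_failures=MAX_FAILURES, window=WINDOW,
                 never_block=NEVER_BLOCK):
        self.table = table
        self.max_failures = max_failures
        self.window = window
        self.never_block = never_block
        self.failures = defaultdict(deque)   # addr -> timestamps of recent failures
        self.blocked = set()

    def exempt(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.never_block)

    def decide(self, line, now=None):
        """Feed one log line.  Returns the pfctl argv to run when the source
        has crossed the threshold, otherwise None."""
        now = time.time() if now is None else now
        parsed = parse(line)
        if parsed is None:
            return None
        kind, addr = parsed
        if kind == "ok":
            # Successful login: forget earlier failures from this source.
            self.failures.pop(addr, None)
            return None
        if addr in self.blocked or self.exempt(addr):
            return None
        q = self.failures[addr]
        q.append(now)
        while q and now - q[0] > self.window:     # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked.add(addr)
            del self.failures[addr]
            return ["pfctl", "-t", self.table, "-T", "add", addr]
        return None


if __name__ == "__main__":
    watch = SshWatch()
    for raw in sys.stdin:
        cmd = watch.decide(raw.rstrip("\n"))
        if cmd:
            subprocess.run(cmd, check=False)
```

The rightmost-match rule in parse() is there because log-driven blockers have historically been fooled by login names that imitate the "from ADDR port N" suffix; taking the last pair and insisting on a parseable IP literal closes that hole. Blocking happens only in the `__main__` loop, so the policy can be replayed against saved log lines without touching pf.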





Re: bioctl, encryption, and keydisk

2018-05-05 Thread Marcus MERIGHI
etienne.m...@magickarpet.org (Etienne), 2018.05.04 (Fri) 19:06 (CEST):
> On 04/05/18 17:40, Marcus MERIGHI wrote:
> 
> > I'm currently reading https://marc.info/?l=openbsd-misc&m=141435482820277
> > "crypto softraid and keydisk on same harddrive", 2014-10-26.
> > 
> > jsing@ had this patch, which was tested and worked for the OP - but was
> > not commited: https://marc.info/?l=openbsd-misc&m=141450636905550
> > 
> 
> Nice! Thanks for that, I'll try.

here's jsing@ patch regenerated with -current so that it applies
cleanly. 

In case it still works (please report back) we could forward it to tech@
in the hope of someone taking care of it... 

Marcus

Index: i386_softraid.c
===
RCS file: /cvs/src/usr.sbin/installboot/i386_softraid.c,v
retrieving revision 1.10
diff -u -p -u -r1.10 i386_softraid.c
--- i386_softraid.c 28 Apr 2016 16:48:18 -  1.10
+++ i386_softraid.c 5 May 2018 08:21:52 -
@@ -42,6 +42,7 @@ void  sr_install_bootldr(int, char *);
 void
 sr_install_bootblk(int devfd, int vol, int disk)
 {
+   struct bioc_vol bv;
struct bioc_disk bd;
struct disklabel dl;
struct partition *pp;
@@ -56,6 +57,15 @@ sr_install_bootblk(int devfd, int vol, i
bd.bd_diskid = disk;
if (ioctl(devfd, BIOCDISK, &bd) == -1)
err(1, "BIOCDISK");
+
+   /* Skip CRYPTO key disks. */
+   /* XXX - pass volume in rather than volume ID. */
+   memset(&bv, 0, sizeof(bv));
+   bv.bv_volid = vol;
+   if (ioctl(devfd, BIOCVOL, &bv) == -1)
+   err(1, "BIOCVOL");
+   if (bv.bv_level == 'C' && bd.bd_size == 0)
+   return;
 
/* Check disk status. */
if (bd.bd_status != BIOC_SDONLINE && bd.bd_status != BIOC_SDREBUILD) {
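Review bot: the early return at `if (bv.bv_level == 'C' && bd.bd_size == 0) return;` skips the disk silently, so a zero-sized chunk on a CRYPTO volume that is not the key disk would also have no boot block installed without any message; consider a warnx() (or a verbose-mode note) before returning, and a comment stating that a key disk is recognised by `bd_size == 0`. Separately, `ioctl(devfd, BIOCVOL, &bv)` is now issued once per disk although its result depends only on `vol`; the `XXX` comment already says so, and passing the volume in from the caller as that comment suggests would remove the repeated ioctl.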



Re: Can SSH report successful connections to pf?

2018-05-05 Thread Etienne

On 04/05/18 23:16, Luke Small wrote:

> Can SSH and possibly other programs more easily able to report successful
> connections so pf can make stricter bruteforce connection rejecting even
> better?


See this paper, that might contain what you're trying to achieve:

https://www.sans.org/reading-room/whitepapers/firewalls/cleaning-yard-discussion-mothers-home-network-security-32933


At the end of a "pass" rule in pf.conf, the author adds:

max-src-conn 3, max-src-conn-rate 2/5, overload <abusers> flush global

which means:

"any source can only have a total of three connections,
and they may not create them at a rate faster than two
every five minutes. If they do, they will be added to the
abusers table and every packet/session will be globally
dropped."

I locked myself out of many boxes thanks to that.

--
Étienne



Re: Can SSH report successful connections to pf?

2018-05-05 Thread Andreas Kusalananda Kähäri
On Fri, May 04, 2018 at 11:56:33PM +, Kapfhammer, Stefan wrote:
> 
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> for successful and unsuccessful logins and then add the unsuccessful logins
> with pfctl to a blocked table. To have it permanent after a reboot you can 
> write
> with pfctl the blocked ip's to a file, which you re-read in a pf.conf ruleset.
> 
> Like
> table  persist file "/etc/pf.bruteforce"
> block in quick proto tcp from  to any
> 
> Stefan

This is *exactly* what sshguard does.  I have an updated
security/sshguard port (previously posted to the ports list) that
understands our sshd's log output, but it has not yet been committed.
There is currently some kind of issue with it preventing it from
starting at boot (but always starts with "rcctl start sshguard").  I
haven't looked too deeply at that yet though.

Regards,


-- 
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.



Re: cloning to smaller hard disk

2018-05-05 Thread Tuyosi T
my way has a weak point: the kernel of the small HDD may become
different from that of the big HDD by using 'upgrade'.
(it is good in case of a version up, 6.2->6.3)

are there sophisticated methods that do not change the kernel?

i used the 'upgrade' process to load the boot loader onto the small HDD.

-
regards