Re: OpenBSD VPS hoster with unlimited/limited nonfiltered traffic
> Do you know any clock fix for Debian guest like
> kern.timecounter.hardware=tsc + NTPd for OBSD guests?

Sadly I do not. Keep an eye on openbsd.amsterdam - they follow openbsd patches closely and care a lot about this issue.

For what it’s worth, CentOS was even worse for me; for every 20 real seconds, 1 passed in centos. :v
Re: Back to the Future
We are all a little bunkers and that's okay thanks guys

On Sun, Apr 19, 2020, 8:26 PM leroy jordan wrote:

> nevermind I got the book you guys need to lighten up a little I
> understand that a lot of people on here and highly intelligent and
> everything some people is in here is a very intelligent they just can't
> communicate so therefore I need to be lenient sometime I'm not fussing I'm
> just saying don't make people want to turn away that may be able to get
> gold vital help like maintaining packages or either bringing new packages
> like B complex if necessary Bluetooth
>
> cheers George's
>
> On Sun, Apr 19, 2020, 8:01 PM leroy jordan
> wrote:
>
>> Iowa
>>
>> Hey I need to go back in time I got to disable I know I got a boot and
>> soup and single user mode I'm just not sure where to put my dis label at if
>> you don't want to put it out there and public can you please privately
>> email me and give me instructions I really appreciate it but grammar fuk
>> y'all cheers have a good day thanks
>>
>> Matt broke everything
>>
>
Re: Back to the Future
nevermind I got the book you guys need to lighten up a little I understand that a lot of people on here and highly intelligent and everything some people is in here is a very intelligent they just can't communicate so therefore I need to be lenient sometime I'm not fussing I'm just saying don't make people want to turn away that may be able to get gold vital help like maintaining packages or either bringing new packages like B complex if necessary Bluetooth

cheers George's

On Sun, Apr 19, 2020, 8:01 PM leroy jordan wrote:

> Iowa
>
> Hey I need to go back in time I got to disable I know I got a boot and
> soup and single user mode I'm just not sure where to put my dis label at if
> you don't want to put it out there and public can you please privately
> email me and give me instructions I really appreciate it but grammar fuk
> y'all cheers have a good day thanks
>
> Matt broke everything
>
Back to the Future
Iowa Hey I need to go back in time I got to disable I know I got a boot and soup and single user mode I'm just not sure where to put my dis label at if you don't want to put it out there and public can you please privately email me and give me instructions I really appreciate it but grammar fuk y'all cheers have a good day thanks Matt broke everything
Re: UNIX crash course
People recommend me these books https://www.openbsd.org/books.html for programming starting point. Here is a list of admin. related books too. Very comprehensive and useful books listed.

Martin

‐‐‐ Original Message ‐‐‐
On Sunday, April 19, 2020 7:15 PM, Chris Zakelj wrote:

> Looking to the list for suggestions on becoming at least a
> semi-competent admin. Long-time members may remember my trial-by-fire
> 15+ years ago when the boss ordered a T1 and the carrier's tech
> "helpfully" pointed the dmz interface at the (already outdated) NT4 file
> server. My current situation is nothing like that, but thanks to all
> the recent trolls, I discovered that following the IEEE's transition
> from their email service being little more than a .forward alias into a
> full-fledged GMail suite, that Google wasn't forwarding emails it deemed
> spammy and caused the partial loss of nearly seven months' worth of
> mail. Since I don't trust Google or pretty much any "free" provider at
> this point, that means doing it myself. Some steps (registering a
> domain, ordering business-class service or a static IP, etc) are
> self-evident. But after that, there's a lot I really need to learn
> beyond what's in the man pages, and my copy of 'Absolute OpenBSD' is
> quite dated at this point. I've also got that misbehaving ARC-1200B
> card, so if dlg@ or another team member in the US/Canada has interest in
> figuring out what's going sideways, I'll pay for shipping both ways.
Re: OpenBSD VPS hoster with unlimited/limited nonfiltered traffic
Do you know any clock fix for Debian guest like kern.timecounter.hardware=tsc + NTPd for OBSD guests?

Martin

‐‐‐ Original Message ‐‐‐
On Sunday, April 19, 2020 4:15 PM, j3s wrote:

> > Will I encounter the same issue with clock
> synchronization on VMM based
>
> Unfortunately you will, the clock issues aren’t quite worked out yet.
Re: BGP spamd AS working addresses to have realtime list updates
Hello, Peter.

How can I help you to maintain EU server in a good shape? I think spam related AS is really good tool to all the people in the community who use spamd engine.

Martin

‐‐‐ Original Message ‐‐‐
On Sunday, April 19, 2020 4:40 PM, Peter Hessler wrote:

> Hi Martin
>
> The eu.bgp-spamd.net server is no longer available. I have not had any
> time for maintenance of these systems for several years, so do not
> expect many future updates.
>
> -peter
>
> On 2020 Apr 19 (Sun) at 14:39:08 + (+), Martin wrote:
> :I'm going to have spamdb updates from AS using BGP as configured.
> :But both AS rs.bgp-spamd.net eu.bgp-spamd.net points to the same IP address
> according to ping:
> :
> :ping eu.bgp-spamd.net
> :217.31.80.170
> :ping rs.bgp-spamd.net
> :217.31.80.170
> :
> :Which system can be used for redundancy? Any other spamd-AS online?
> :
> :$ cat /etc/bgpd.conf
> :AS 65xxx
> :fib-update no
> :
> :group "spam" {
> :    remote-as 65066
> :    multihop 64
> :    export none
> :    neighbor 64.142.121.62 {
> :        descr "rs.bgp-spamd.net"
> :    }
> :    neighbor 217.31.80.170 {
> :        descr "eu.bgp-spamd.net"
> :    }
> :}
> :...
> :
> :Martin
>
> ---
>
> Did you know ...
>
> That no-one ever reads these things?
UNIX crash course
Looking to the list for suggestions on becoming at least a semi-competent admin. Long-time members may remember my trial-by-fire 15+ years ago when the boss ordered a T1 and the carrier's tech "helpfully" pointed the dmz interface at the (already outdated) NT4 file server. My current situation is nothing like that, but thanks to all the recent trolls, I discovered that following the IEEE's transition from their email service being little more than a .forward alias into a full-fledged GMail suite, that Google wasn't forwarding emails it deemed spammy and caused the partial loss of nearly seven months' worth of mail. Since I don't trust Google or pretty much any "free" provider at this point, that means doing it myself. Some steps (registering a domain, ordering business-class service or a static IP, etc) are self-evident. But after that, there's a lot I really need to learn beyond what's in the man pages, and my copy of 'Absolute OpenBSD' is quite dated at this point. I've also got that misbehaving ARC-1200B card, so if dlg@ or another team member in the US/Canada has interest in figuring out what's going sideways, I'll pay for shipping both ways.
Re: List a package's dependencies
Hi Ingo,

On Sun, 19 Apr 2020, at 15:36, Ingo Schwarze wrote:
> The above list is not complete. For example, i skipped ways to
> inspect test dependencies, and i refrained from explaining
> possibilities that use the port "databases/sqlports", which
> is very powerful. Finally, i may have missed some ways this
> can be done.

Perhaps not complete but certainly many options. Thank you for taking the time to write them all down.

> We certainly don't need yet more ways to do the same, and certainly
> not by creating wrappers around what is already there. Besides,
> directly inspecting the contents of /var/db/pkg/ by anything that
> is not part of the pkg tools is fragile and not acceptable.

Yes, I agree; messing around in /var/db/pkg was just a means to an end but I certainly didn't consider it stable.

> All that said, it might be useful if, in addition to -S, pkg_add(1)
> could recursively list run-time dependencies. [...]
>
> * writing your own script recursively calling "pkg_info -qS",
>   then postprocessing with sort(1) and uniq(1)

I modified my original script to make use of pkg_info -qS as suggested by yourself and Erling. pkg_info(1) is able to query $PKG_PATH when a dependency is not installed locally. This has the nice benefit of being able to examine all the dependencies before they hit your system.

Another benefit over the original script I posted is that it reuses pkg_* tool's pkg-name format as a consequence of using pkg_info(1) so now things like python--%3.7, mutt--gpgme, etc. are possible.

$ pkg_dependents python
pkg_dependents: Ambiguous:
python-2.7.16p1
python-3.7.4
$ pkg_dependents python--%3.7
Information for inst:python-3.7.4

Directly depends on:
bzip2-1.0.8
gettext-runtime-0.20.1p0
libffi-3.2.1p5
sqlite3-3.29.0
xz-5.2.4

Transitively depends on:
libiconv-1.16p0
$ pkg_dependents mutt
pkg_dependents: Ambiguous:
mutt-1.12.2v3
mutt-1.12.2v3-gpgme
mutt-1.12.2v3-gpgme-sasl
mutt-1.12.2v3-sasl
mutt-1.12.2v3-sasl-slang
$ pkg_dependents mutt--gpgme
Information for inst:mutt-1.12.2v3-gpgme

Directly depends on:
gettext-runtime-0.20.1p0
gpgme-1.13.1p0
libidn2-2.0.0p0
qdbm-1.8.78p2

Transitively depends on:
bzip2-1.0.8
curl-7.66.0
gnupg-1.4.23p3
libassuan-2.5.1p0
libgpg-error-1.36p0
libiconv-1.16p0
libunistring-0.9.7
nghttp2-1.39.2

--
Chris Rawnsley

#!/bin/sh

bin=$(basename "$0")

usage() { cat &2 cleanup; exit 1 fi

if ! pkg_sig=$(pkg_info -qS "$1"); then
    printf '%s\n' "${bin}: unable to find package" 1>&2
    cleanup; exit 1
fi

if [ $(printf '%s\n' "${pkg_sig}" | wc -l) -gt 1 ]; then
    printf '%s\n' "${bin}: Ambiguous:" 1>&2
    printf '%s\n' $(printf '%s\n' "${pkg_sig}" | cut -d, -f1) 1>&2
    cleanup; exit 1
fi

pkg=$(printf '%s' "${pkg_sig}" | cut -d, -f1)

deps_from_sig "${pkg_sig}" | sort | tee "${temp_deps}" >"${direct_deps}"

while deps=$(comm -23 "${temp_deps}" "${all_deps}" | grep .); do
    printf '%s\n' ${deps} >>"${all_deps}"
    deps_from_sig "$(pkg_info -qS ${deps})" >>"${temp_deps}"
    sort -uo "${all_deps}" "${all_deps}"
    sort -uo "${temp_deps}" "${temp_deps}"
done

printf 'Information for inst:%s\n\n' "${pkg}"

printf 'Directly depends on:\n'
printf '%s\n' $(cat ${direct_deps})

printf '\n'

printf 'Transitively depends on:\n'
printf '%s\n' $(comm -23 "${all_deps}" "${direct_deps}")

cleanup
Re: ATI Mobility 1 support on Dell Latitude L400
Paolo Aglialoro writes:

> Btw, does "rcctl enable xenodm" also allow running programs remotely
> with ssh -X|Y u...@obsd.box, or is there something more to do?

Yes, in my experience I use it with -Y.

Allan
Re: Problem with mixerctl on latest snapshot
On Sun, Apr 19, 2020 at 09:11:16AM +0200, zeurk...@volny.cz wrote:
>
> > Now programs connect to sndiod which does the hardware access for
> > them, this has other advantages as well:
> > - programs control the volume of the right device on systems with
> >   multiple audio devices (ex. usb head sets)
> > - there's always a volume control, even if the hardware lacks one, as
> >   may usb devices.
> > - unified view of hardware and software controls, network
> >   transparency, etc
>
> That may all be, but like xenodm(1), memight find (future tense, as me's
> not running -current or snapshots) the above proposed solution
> inadequate for me needs.

Hi,

I'm curious, what use-case is not handled and still requires access to the device nodes?
Re: BGP spamd AS working addresses to have realtime list updates
Hi Martin

The eu.bgp-spamd.net server is no longer available. I have not had any time for maintenance of these systems for several years, so do not expect many future updates.

-peter

On 2020 Apr 19 (Sun) at 14:39:08 + (+), Martin wrote:
:I'm going to have spamdb updates from AS using BGP as configured.
:But both AS rs.bgp-spamd.net eu.bgp-spamd.net points to the same IP address according to ping:
:
:ping eu.bgp-spamd.net
:217.31.80.170
:ping rs.bgp-spamd.net
:217.31.80.170
:
:Which system can be used for redundancy? Any other spamd-AS online?
:
:$ cat /etc/bgpd.conf
:AS 65xxx
:fib-update no
:
:group "spam" {
:    remote-as 65066
:    multihop 64
:    export none
:    neighbor 64.142.121.62 {
:        descr "rs.bgp-spamd.net"
:    }
:    neighbor 217.31.80.170 {
:        descr "eu.bgp-spamd.net"
:    }
:}
:...
:
:Martin

--
Did you know ...

That no-one ever reads these things?
Re: OpenBSD VPS hoster with unlimited/limited nonfiltered traffic
> Will I encounter the same issue with clock
> synchronization on VMM based

Unfortunately you will, the clock issues aren’t quite worked out yet.
Re: Problem with mixerctl on latest snapshot
On Sat, Apr 18 2020, Alexandre Ratchov wrote:
> You could use the sndioctl utility to adjust the volume, it's similar to mixerctl.

Thank you. sndioctl works perfectly :)

--
Renato Aguiar
Re: OpenBSD VPS hoster with unlimited/limited nonfiltered traffic
Try setting sysctl kern.timecounter.hardware=tsc on the OpenBSD vmm guest and run ntpd. I have not tried without ntpd but I know without using tsc, time skews too much.

> On Apr 19, 2020, at 10:25 AM, Martin wrote:
>
> Thanks all of you guys for suggestions.
>
> Just one question to OpenBSD VMM based VPS hosters. I use vmd with OBSD 6.6
> and Debian guests locally just for testing and stuck with clock
> synchronization issue with both guests.
>
> Will I encounter the same issue with clock synchronization on VMM based VPSes?
>
> Martin
>
>
> ‐‐‐ Original Message ‐‐‐
>> On Saturday, April 18, 2020 12:20 AM, j3s wrote:
>>
>>> On 4/10/20 4:51 AM, Martin wrote:
>>>
>>> I'm looking for relatively cheap VPS with OpenBSD installation support and
>>> with ~1Tb of unfiltered traffic. In any words all in/out VPS ports must be
>>> opened by default.
>>> Any recommendations?
>>
>> Ohai. Co-founder of Cyberia Computer Club here - we're a US-based
>> nonprofit - part of our deal is providing good & open services.
>>
>> We host our own hardware in a US datacenter, and offer OpenBSD VMs for
>> decent prices. You can see the whole shtick at https://capsul.org
>>
>> No filtering or snooping, you just get a box on a public IPv4 and that's it.
>>
>> Just wanted to toss my own hat in the ring!
>>
>> j3s
>
>
Re: Double fault trap in rtable_l2
On Sun, Apr 19, 2020 at 10:26:20AM +0200, Thomas de Grivel wrote:

> Hello,
>
> I got this error last night on an OpenBSD 6.6-stable amd64 on which I
> recently enabled IKEv2 :
>
> > kernel: double fault trap, code=0
> > Stopped at rtable_l2+0x27: callq srp_enter+0x4
>
> I'm a bit puzzled by the "double fault trap" part of the message, what
> does it mean ?
>
> The relevant sources seem to be /sys/net/rtable.c and
> /sys/kern/kern_srp.c though I don't really grok what I'm looking at
> there either.
>
> --
> Thomas de Grivel
> kmx.io
>

Googling is not that hard: https://en.wikipedia.org/wiki/Double_fault

-Otto
BGP spamd AS working addresses to have realtime list updates
I'm going to have spamdb updates from AS using BGP as configured.
But both AS rs.bgp-spamd.net eu.bgp-spamd.net points to the same IP address according to ping:

ping eu.bgp-spamd.net
217.31.80.170
ping rs.bgp-spamd.net
217.31.80.170

Which system can be used for redundancy? Any other spamd-AS online?

$ cat /etc/bgpd.conf
AS 65xxx
fib-update no

group "spam" {
    remote-as 65066
    multihop 64
    export none
    neighbor 64.142.121.62 {
        descr "rs.bgp-spamd.net"
    }
    neighbor 217.31.80.170 {
        descr "eu.bgp-spamd.net"
    }
}
...

Martin
Re: OpenBSD VPS hoster with unlimited/limited nonfiltered traffic
Thanks all of you guys for suggestions.

Just one question to OpenBSD VMM based VPS hosters. I use vmd with OBSD 6.6 and Debian guests locally just for testing and stuck with clock synchronization issue with both guests.

Will I encounter the same issue with clock synchronization on VMM based VPSes?

Martin

‐‐‐ Original Message ‐‐‐
On Saturday, April 18, 2020 12:20 AM, j3s wrote:

> On 4/10/20 4:51 AM, Martin wrote:
>
> > I'm looking for relatively cheap VPS with OpenBSD installation support and
> > with ~1Tb of unfiltered traffic. In any words all in/out VPS ports must be
> > opened by default.
> > Any recommendations?
>
> Ohai. Co-founder of Cyberia Computer Club here - we're a US-based
> nonprofit - part of our deal is providing good & open services.
>
> We host our own hardware in a US datacenter, and offer OpenBSD VMs for
> decent prices. You can see the whole shtick at https://capsul.org
>
> No filtering or snooping, you just get a box on a public IPv4 and that's it.
>
> Just wanted to toss my own hat in the ring!
>
> j3s
Re: List a package's dependencies
Hi Chris,

Chris Rawnsley wrote on Sun, Apr 19, 2020 at 01:34:28PM +0100:

> I am looking for a way to show a package's dependencies.

As far as i know, the normal ways to do that are:

  # direct run dependencies only
  cd /usr/ports/mail/mutt; make run-depends-list
  cd /usr/ports/mail/mutt; make show=RUN_DEPENDS

  # direct library package dependencies only
  cd /usr/ports/mail/mutt; make lib-depends-list
  cd /usr/ports/mail/mutt; make show=LIB_DEPENDS

  # direct run and library package dependencies only
  pkg_info -qf mutt | grep ^@depend
  grep -F '|mail/mutt|' /usr/local/share/ports-INDEX | cut -d \| -f 8

  # direct build dependencies only
  grep -F '|mail/mutt|' /usr/local/share/ports-INDEX | cut -d \| -f 9
  cd /usr/ports/mail/mutt; make build-depends-list

  # all run dependencies, recursive
  cd /usr/ports/mail/mutt; make print-run-depends
  cd /usr/ports/mail/mutt; make full-run-depends
  cd /usr/ports/mail/mutt; make show-run-depends
  cd /usr/ports/mail/mutt; make run-dir-depends

  # all shared library dependencies, recursive
  pkg_info -qf mutt | grep ^@wantlib

  # direct run and package library dependencies, and all shared libs recursive
  pkg_info -qS mutt

  # all build dependencies, recursive
  cd /usr/ports/mail/mutt; make print-build-depends
  cd /usr/ports/mail/mutt; make full-build-depends
  cd /usr/ports/mail/mutt; make build-dir-depends

  # all dependencies, recursive
  cd /usr/ports/mail/mutt; make full-all-depends
  cd /usr/ports/mail/mutt; make all-dir-depends

The above list is not complete. For example, i skipped ways to inspect test dependencies, and i refrained from explaining possibilities that use the port "databases/sqlports", which is very powerful. Finally, i may have missed some ways this can be done.

All this is kind of typical for the pkg tools: one question typically allows several different answers. There typically isn't one single, canonical way of doing something. There typically isn't one unified output format, but several different ways to represent information in the output.

Part of that is due to the unavoidable complexity of the system. Other parts may be influenced by the fact that espie@ is not tedu@.

> Does such a command such as this already exist? I guessed that the
> pkg_* tools would have this covered but I was not able to find it
> in the manpages.

Yes, finding stuff in the pkg/ports manual pages sometimes isn't easy due to their size and complexity - even though they are typically concise, at times even terse.

> In making the above example, I created a proof of concept shell
> script that demonstrates the desired behaviour.

We certainly don't need yet more ways to do the same, and certainly not by creating wrappers around what is already there. Besides, directly inspecting the contents of /var/db/pkg/ by anything that is not part of the pkg tools is fragile and not acceptable.

All that said, it might be useful if, in addition to -S, pkg_add(1) could recursively list run-time dependencies. That isn't possible for packages that are not installed, but it should be possible to implement for installed packages. The current situation is arguably not ideal for users since i don't see a way to recursively get run-time dependencies without either

 * going to /usr/ports/ and running make(1)
 * using databases/sqlports
 * writing your own script recursively calling "pkg_info -qS",
   then postprocessing with sort(1) and uniq(1)

Yours,
  Ingo
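
The third option in the message above, as an added example (not Ingo's or Chris's code): it treats the first comma-separated field of a `pkg_info -qS` signature as the package name and the `@`-prefixed fields as package dependencies, as the outputs quoted in this thread show. `sig_of` is a hypothetical stand-in for `pkg_info -qS` that returns constructed signatures, so the closure logic can be followed without the pkg tools.

```shell
#!/bin/sh
# Added example: direct vs. transitive run-time dependencies computed from
# package signatures.
#
# sig_of() is a hypothetical stand-in for `pkg_info -qS <pkg>`. The signatures
# are constructed sample data: package names come from the thread, the
# non-@ (library) fields are invented. On a real system the body would be
#     pkg_info -qS "$1"
sig_of() {
    case "$1" in
        python-3.7.4)
            echo 'python-3.7.4,@bzip2-1.0.8,@gettext-runtime-0.20.1p0,@libffi-3.2.1p5,@sqlite3-3.29.0,@xz-5.2.4,c.95.1,m.10.1' ;;
        gettext-runtime-0.20.1p0)
            echo 'gettext-runtime-0.20.1p0,@libiconv-1.16p0,c.95.1' ;;
        bzip2-1.0.8|libffi-3.2.1p5|sqlite3-3.29.0|xz-5.2.4|libiconv-1.16p0)
            echo "$1,c.95.1" ;;
        *)
            return 1 ;;
    esac
}

# Package dependencies are the '@'-prefixed fields of a signature; every
# other field is ignored.
deps_from_sig() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^@//p'
}

# Direct dependencies of one package, sorted, one per line.
direct_deps() {
    _sig=$(sig_of "$1") || return 1
    deps_from_sig "$_sig" | sort -u
}

# Full closure: breadth-first walk with a visited list, so a package that is
# reached through several paths (or through a cycle) is expanded only once.
all_deps() {
    _queue=$(direct_deps "$1") || return 1
    _seen=''
    while [ -n "$_queue" ]; do
        _next=''
        for _p in $_queue; do
            case " $_seen " in *" $_p "*) continue ;; esac
            _seen="$_seen $_p"
            # A dependency whose signature cannot be found is kept as a leaf.
            _next="$_next $(direct_deps "$_p" 2>/dev/null || true)"
        done
        _queue=$_next
    done
    [ -n "$_seen" ] || return 0
    printf '%s\n' $_seen | sort -u
}

# Closure minus the direct dependencies.
transitive_only() {
    sig_of "$1" >/dev/null || return 1
    _direct=" $(direct_deps "$1" | tr '\n' ' ')"
    for _t in $(all_deps "$1"); do
        case "$_direct" in
            *" $_t "*) ;;
            *) printf '%s\n' "$_t" ;;
        esac
    done
}

# Same layout as the output requested in the thread.
report() {
    sig_of "$1" >/dev/null || { echo "unable to find package: $1" >&2; return 1; }
    printf 'Information for inst:%s\n\nDirectly depends on:\n' "$1"
    direct_deps "$1"
    printf '\nTransitively depends on:\n'
    transitive_only "$1"
}

report python-3.7.4
```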
Re: ATI Mobility 1 support on Dell Latitude L400
Hello Allan,

it looks that, besides using openbsd as server in the cloud, it was quite a while I wasn't running X on a client, actually it was xenodm the thing, now I know. I had formerly tried to start it manually as normal user (as well as startx), but, reading updated faq, I discovered it's run as a service from root. Now everything works back.

Unless for the fact which I discovered that, with 256M RAM, no serious www browser runs anymore (at 6.2 still something worked besides netsurf and dillo, a sign of the times!).

Btw, does "rcctl enable xenodm" also allow running programs remotely with ssh -X|Y u...@obsd.box, or is there something more to do?

Thanks again and have a nice day!

Pasha

On Sat, Apr 18, 2020 at 4:54 AM Allan Streib wrote:

> Paolo Aglialoro writes:
>
> > considering that 6.6 nuked X for my T23 as mentioned in previous recent
> > post, I decided to refresh my old Dell L400, which was lagging behind at
> > 6.2, with a fresh 6.6 install.
> >
> > Unfortunately X crashes. The first error in the log file was about
> setting
> > machdep.allowaperture=1 and rebooting (I always used 2 before). After
> > changing its value in sysctl.conf to 1, this is the new error in the log
> > file:
>
> Are you using xenodm instead of startx? Beginning in 6.5, "Xorg(1), the
> X window server, is no longer installed setuid. xenodm(1) should be used
> to start X."
>
> https://www.openbsd.org/65.html
>
iked cannot establish tunnel when responder provides address configuration
Hi all,

I'm trying (again) to setup iked. I want to set up a site-to-site IKEv2 VPN where both sides are behind NAT with a central OpenBSD responder which handles openbsd and strongswan initiators on both sides.

But first I'm starting small and I try to create a small site-to-site VPN with 2 peers where one is behind NAT using OpenBSD iked on both sides. Both sides run OpenBSD 6.6 with all syspatches applied.

This simple configuration is working, however I'm confronted with a strange finding where the setup stops working when I add an address configuration directive on the responder side. Now I know that the OpenBSD iked client does not support IP configuration but I expected it to ignore the directive instead of going into what seems to be a wait loop. I could not find any information regarding this issue in documentation or forums.

I want to set up the address configuration because I plan to use it for the strongswan client later on.

Here is the working configuration:

Responder:

ikev2 passive esp \
    from 0.0.0.0/0 to 10.201.201.0/24 \
    local 1.2.3.4 peer any \
    srcid vpn.example.com \
    tag "IKED"

Initiator:

ikev2 active esp \
    from 0.0.0.0/0 to 10.201.201.0/24 \
    peer 1.2.3.4 \
    srcid initiator \
    tag "IKED"

Responder iked -dv:

ikev2 "policy1" passive esp inet from 0.0.0.0/0 to 10.201.201.0/24 local 1.2.3.4 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.example.com lifetime 10800 bytes 536870912 signature tag "IKED"
spi=0xc1079b808ecf48e5: recv IKE_SA_INIT req 0 peer 5.6.7.8:500 local 1.2.3.4:500, 510 bytes, policy 'policy1'
spi=0xc1079b808ecf48e5: send IKE_SA_INIT res 0 peer 5.6.7.8:500 local 1.2.3.4:500, 451 bytes
spi=0xc1079b808ecf48e5: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
spi=0xc1079b808ecf48e5: send IKE_AUTH res 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 720 bytes, NAT-T
spi=0xc1079b808ecf48e5: sa_state: VALID -> ESTABLISHED from 5.6.7.8:4500 to 1.2.3.4:4500 policy 'policy1'

Now if I change the responder config to add address configuration without changing the initiator config:

ikev2 passive esp \
    from 0.0.0.0/0 to 10.201.201.0/24 \
    local 1.2.3.4 peer any \
    srcid vpn.example.com \
    config address 10.201.201.0/24 \
    tag "IKED"

Responder:

ikev2 "policy1" passive esp inet from 0.0.0.0/0 to 10.201.201.0/24 local 1.2.3.4 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.example.com lifetime 10800 bytes 536870912 signature config address 10.201.201.0 tag "IKED"
spi=0x9b7bbe0baad5565b: recv IKE_SA_INIT req 0 peer 5.6.7.8:500 local 1.2.3.4:500, 510 bytes, policy 'policy1'
spi=0x9b7bbe0baad5565b: send IKE_SA_INIT res 0 peer 5.6.7.8:500 local 1.2.3.4:500, 451 bytes
spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
(... repeat forever)

Initiator:

ikev2 "policy1" active esp inet from 0.0.0.0/0 to 10.201.201.0/24 local any peer 1.2.3.4 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid initiator lifetime 10800 bytes 536870912 rsa tag "IKED"
spi=0x9b7bbe0baad5565b: send IKE_SA_INIT req 0 peer 1.2.3.4:500 local 0.0.0.0:500, 510 bytes
spi=0x9b7bbe0baad5565b: recv IKE_SA_INIT res 0 peer 1.2.3.4:500 local 192.168.5.2:500, 451 bytes, policy 'policy1'
spi=0x9b7bbe0baad5565b: send IKE_AUTH req 1 peer 1.2.3.4:4500 local 192.168.5.2:4500, 784 bytes, NAT-T
(... repeat forever)

Thanks for your insights.

Best regards,
Jona JOACHIM
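
Added example, not part of the original post and not iked code: a small filter that reads `iked -dv` output and reports exchanges where the same request is logged repeatedly with no response for that SPI, exchange type and message ID, which is the pattern in the failing responder log above. The function names and the default threshold of 3 are assumptions; the sample lines are copied from the post.

```shell
#!/bin/sh
# Added example: find IKEv2 exchanges in `iked -dv` output where a request
# keeps being logged (received on the responder, sent on the initiator) and
# no response with the same exchange type and message ID ever appears.

# stalled_exchanges [MIN]
# Reads iked -dv output on stdin. Prints one line per stalled exchange:
#   <spi> <exchange> <msgid> requests=<n>
# MIN is the number of identical requests that counts as stalled (default 3).
stalled_exchanges() {
    awk -v minreq="${1:-3}" '
    # Message lines look like:
    #   spi=0x...: recv IKE_AUTH req 1 peer ... local ..., N bytes, ...
    $1 ~ /^spi=0x[0-9a-f]+:$/ && ($2 == "recv" || $2 == "send") &&
    ($4 == "req" || $4 == "res") {
        spi = $1
        sub(/:$/, "", spi)
        key = spi " " $3 " " $5            # SPI, exchange type, message ID
        if ($4 == "req") {
            if (!(key in req)) order[++n] = key
            req[key]++
        } else {
            res[key] = 1
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (req[k] >= minreq && !(k in res))
                print k, "requests=" req[k]
        }
    }'
}

# Responder log of the failing setup, copied from the post.
sample_stalled() {
    cat <<'EOF'
spi=0x9b7bbe0baad5565b: recv IKE_SA_INIT req 0 peer 5.6.7.8:500 local 1.2.3.4:500, 510 bytes, policy 'policy1'
spi=0x9b7bbe0baad5565b: send IKE_SA_INIT res 0 peer 5.6.7.8:500 local 1.2.3.4:500, 451 bytes
spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
EOF
}

# Responder log of the working setup, copied from the post.
sample_ok() {
    cat <<'EOF'
spi=0xc1079b808ecf48e5: recv IKE_SA_INIT req 0 peer 5.6.7.8:500 local 1.2.3.4:500, 510 bytes, policy 'policy1'
spi=0xc1079b808ecf48e5: send IKE_SA_INIT res 0 peer 5.6.7.8:500 local 1.2.3.4:500, 451 bytes
spi=0xc1079b808ecf48e5: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
spi=0xc1079b808ecf48e5: send IKE_AUTH res 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 720 bytes, NAT-T
spi=0xc1079b808ecf48e5: sa_state: VALID -> ESTABLISHED from 5.6.7.8:4500 to 1.2.3.4:4500 policy 'policy1'
EOF
}

echo "working setup:";  sample_ok | stalled_exchanges
echo "failing setup:";  sample_stalled | stalled_exchanges
```

On the responder log a hit means the request arrived and no reply was logged for it; on the initiator log the same hit only shows that no reply came back.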
Re: List a package's dependencies
After a little more digging I have found a reply from Ingo Schwarze to the exact same query.

https://marc.info/?l=openbsd-misc=155675569919423=2

From their response, it sounds as though such an option does not currently exist in pkg_info(1) and there is no desire for it to have such a feature.

Hopefully the shell script I posted can be useful for some.

Cheers

--
Chris Rawnsley
Re: List a package's dependencies
On Sun, 19 Apr 2020, at 14:29, Erling Westenvik wrote:
> Way out of my league here, but perhaps:
>
> $ pkg_info -S python-3.7.6p1 | tail -n 2 | tr ',' '\n' | grep @
> @bzip2-1.0.8
> @gettext-runtime-0.20.1p1
> @libffi-3.3
> @sqlite3-3.31.1p0
> @xz-5.2.4p0

This gets you the direct dependencies but doesn't show the full tree. In this case, gettext-runtime itself depends on libiconv. Using Firefox as a more complex example the output might be:

Information for inst:firefox-esr-68.7.0

Directly depends on:
atk-2.32.0
cairo-1.16.0
desktop-file-utils-0.24p0
gdk-pixbuf-2.38.2
gettext-runtime-0.20.1p0
glib2-2.60.7p0
gtk+2-2.24.32p5
gtk+3-3.24.12
icu4c-64.2p0
nspr-4.22
nss-3.46
pango-1.42.4p3
sqlite3-3.29.0

Transitively depends on:
adwaita-icon-theme-3.32.0
at-spi2-atk-2.32.0
at-spi2-core-2.32.1
bzip2-1.0.8
dbus-1.12.16v0
dconf-0.32.0p0
fribidi-1.0.7p0
gnome-icon-theme-3.12.0p5
gnome-icon-theme-symbolic-3.12.0p3
graphite2-1.3.13p0
gtk-update-icon-cache-3.24.12
harfbuzz-2.6.2
hicolor-icon-theme-0.17
jasper-2.0.14
jpeg-2.0.3v0
libcroco-0.6.13
libffi-3.2.1p5
libiconv-1.16p0
librsvg-2.46.4
libxml-2.9.9
lzo2-2.10p1
pcre-8.41p2
png-1.6.37
python-3.7.4
shared-mime-info-1.10p5
tiff-4.0.10
xz-5.2.4

--
Chris Rawnsley
Re: List a package's dependencies
On Sun, Apr 19, 2020 at 01:34:28PM +0100, Chris Rawnsley wrote:
> I am looking for a way to show a package's dependencies. The output
> might look similar to how -R looks in pkg_info(1), e.g.:
>
> Information for inst:python-3.7.4
>
> Directly depends on:
> bzip2-1.0.8
> gettext-runtime-0.20.1p0
> libffi-3.2.1p5
> sqlite3-3.29.0
> xz-5.2.4
>
> Transitively depends on:
> libiconv-1.16p0
>
> Does such a command such as this already exist?

Way out of my league here, but perhaps:

$ pkg_info -S python-3.7.6p1 | tail -n 2 | tr ',' '\n' | grep @
@bzip2-1.0.8
@gettext-runtime-0.20.1p1
@libffi-3.3
@sqlite3-3.31.1p0
@xz-5.2.4p0

Cheers,
Erling

> I guessed that the
> pkg_* tools would have this covered but I was not able to find it
> in the manpages.
>
> In making the above example, I created a proof of concept shell
> script that demonstrates the desired behaviour. It has limitations
> on what package names it can accept, it only works locally and
> probably has numerous other problems :). It is inlined below.
>
> --
> Chris Rawnsley
>
>
> #!/bin/sh
>
> bin=$(basename "$0")
>
> usage() {
>     cat <<EOF
> usage: ${bin} pkg-name
> EOF
> }
>
> PKG_DBDIR=${PKG_DBDIR:-/var/db/pkg}
> direct_deps=$(mktemp -t "${bin}.direct_deps.XX")
> temp_deps=$(mktemp -t "${bin}.temp_deps.XX")
> all_deps=$(mktemp -t "${bin}.all_deps.XX")
>
> cleanup() {
>     rm -f "${direct_deps}" "${temp_deps}" "${all_deps}"
> }
> trap cleanup INT TERM QUIT
>
> if ! touch "${direct_deps}" "${temp_deps}" "${all_deps}" 2>/dev/null; then
>     printf '%s\n' "${bin}: Unable to make temporary files:"
>     cleanup; exit 1
> fi
>
> # Does not account for categories, variants or versions...
> pkg_unresolved=$1
> pkg_dir=$(find "${PKG_DBDIR}" -type d -iname "${pkg_unresolved}-*" -print |
> head -1)
>
> if [ -z "${pkg_dir}" ]; then
>     printf '%s\n' "${bin}: unable to find package"
>     cleanup; exit 1
> fi
>
> pkg=$(basename "${pkg_dir}")
>
> pkg_requiring="${pkg_dir}/+REQUIRING"
> if [ -s "${pkg_requiring}" ]; then
>     sort "${pkg_requiring}" | tee "${temp_deps}" >"${direct_deps}"
> fi
>
> while deps=$(comm -23 "${temp_deps}" "${all_deps}" | grep .); do
>     printf '%s\n' ${deps} >>"${all_deps}"
>     for d in ${deps}; do
>         cat "${PKG_DBDIR}/$d/+REQUIRING" >>"${temp_deps}" 2>/dev/null
>     done
>     sort -uo "${all_deps}" "${all_deps}"
>     sort -uo "${temp_deps}" "${temp_deps}"
> done
>
> printf 'Information for inst:%s\n\n' "${pkg}"
>
> printf 'Directly depends on:\n'
> printf '%s\n' $(cat ${direct_deps})
>
> printf '\n'
>
> printf 'Transitively depends on:\n'
>
> printf '%s\n' $(comm -23 "${all_deps}" "${direct_deps}")
>
> cleanup
>
List a package's dependencies
Hi,

I am looking for a way to show a package's dependencies. The output might look similar to how -R looks in pkg_info(1), e.g.:

Information for inst:python-3.7.4

Directly depends on:
bzip2-1.0.8
gettext-runtime-0.20.1p0
libffi-3.2.1p5
sqlite3-3.29.0
xz-5.2.4

Transitively depends on:
libiconv-1.16p0

Does such a command such as this already exist? I guessed that the pkg_* tools would have this covered but I was not able to find it in the manpages.

In making the above example, I created a proof of concept shell script that demonstrates the desired behaviour. It has limitations on what package names it can accept, it only works locally and probably has numerous other problems :). It is inlined below.

--
Chris Rawnsley

#!/bin/sh

bin=$(basename "$0")

usage() { cat "${direct_deps}" fi

while deps=$(comm -23 "${temp_deps}" "${all_deps}" | grep .); do
    printf '%s\n' ${deps} >>"${all_deps}"
    for d in ${deps}; do
        cat "${PKG_DBDIR}/$d/+REQUIRING" >>"${temp_deps}" 2>/dev/null
    done
    sort -uo "${all_deps}" "${all_deps}"
    sort -uo "${temp_deps}" "${temp_deps}"
done

printf 'Information for inst:%s\n\n' "${pkg}"

printf 'Directly depends on:\n'
printf '%s\n' $(cat ${direct_deps})

printf '\n'

printf 'Transitively depends on:\n'
printf '%s\n' $(comm -23 "${all_deps}" "${direct_deps}")

cleanup
Double fault trap in rtable_l2
Hello,

I got this error last night on an OpenBSD 6.6-stable amd64 on which I recently enabled IKEv2 :

> kernel: double fault trap, code=0
> Stopped at rtable_l2+0x27: callq srp_enter+0x4

I'm a bit puzzled by the "double fault trap" part of the message, what does it mean ?

The relevant sources seem to be /sys/net/rtable.c and /sys/kern/kern_srp.c though I don't really grok what I'm looking at there either.

--
Thomas de Grivel
kmx.io
Re: BGPD announce deprecation query
On Sun, Apr 19, 2020 at 08:07:48AM +0100, Richard Chivers wrote:
> Hi,
>
> Just been building a copy of our production system in vagrant to test
> upgrading to the latest version, in order to resolve an issue we were
> having.
>
> In our current config we have:
>
> group "core" {
>     local-address $localaddr
>     remote-as xx
>     announce all
>     neighbor x.x.x.x {
>         descr "router-a"
>     }
>     neighbor x.x.x.x {
>         descr "router-b"
>     }
> }
>
> From the upgrade guide it says: In OpenBSD 6.4, the announce keyword was
> deprecated in bgpd.conf(5). It has now been removed and must be replaced
> with export.
>
> We also have another group with announce none
>
> Is it fair to suggest that removing the announce all will be the same as
> not having it in >= 6.4, and that we replace announce none with export none.
>
> Probably a stupid question, but I only touch BGP occasionally, and was just
> hoping to understand in more detail.
>
> The group core is our own internal bgp speakers, each of these also have
> transit connections too.
>
> All our config is templated using ansible, so we can easily adjust the
> config based on the actual version.
>
> Probably worth saying we are running on 6.6 with patches applied, in the
> test environment.

Yes, you can just remove announce all from your config. I guess you already have the needed input and output filters in place to ensure only the right thing is accepted and announced. Actually since the core group is ibgp even in the old config announce all is not needed since that was the default for ibgp sessions.

announce none can just be replaced with export none. The result is the same and no prefix will be announced to these peers even if the filters would allow them.

As mentioned the important change was that the filter switched from a default allow rule to a default deny rule both for incoming and outgoing filters. So you need to check your ruleset and maybe add some additional filters. Something like

    allow from ibgp
    allow to ibgp

may do the trick.

--
:wq Claudio
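The migration described in the reply above, as an added example that is not part of the thread or of OpenBSD: a small Python check that could run over rendered bgpd.conf templates before an upgrade. The `migrate` helper, the AS numbers, the addresses and the second group are constructed for illustration; only the two rewrites and the ibgp filter hint come from the reply.

```python
import re

# Constructed sample in the old (pre-6.4) syntax, modelled on the quoted config.
SAMPLE = """\
group "core" {
    remote-as 64512
    announce all
    neighbor 192.0.2.1 {
        descr "router-a"
    }
}
group "quiet" {
    remote-as 64512
    announce none
    neighbor 192.0.2.2 {
        descr "router-c"
    }
}
"""

ANNOUNCE = re.compile(r"^(\s*)announce\s+(\S+)\s*(#.*)?$")
IBGP_RULE = re.compile(r"^\s*allow\s+(from|to)\s+ibgp\b")

def migrate(text):
    """Rewrite the two cases covered in the reply; return (new_text, notes)."""
    out, notes, seen = [], [], set()
    for num, line in enumerate(text.splitlines(), 1):
        rule = IBGP_RULE.match(line)
        if rule:
            seen.add(rule.group(1))
        m = ANNOUNCE.match(line)
        if not m:
            out.append(line)
        elif m.group(2) == "all":
            notes.append(f"line {num}: dropped 'announce all'")
        elif m.group(2) == "none":
            out.append(f"{m.group(1)}export none")
            notes.append(f"line {num}: 'announce none' -> 'export none'")
        else:  # other values are not discussed in the thread
            out.append(line)
            notes.append(f"line {num}: '{line.strip()}' needs manual review")
    for direction in ("from", "to"):
        if direction not in seen:
            notes.append(f"no 'allow {direction} ibgp' rule; filters default to deny")
    return "\n".join(out) + "\n", notes

if __name__ == "__main__":
    new_text, notes = migrate(SAMPLE)
    print(new_text + "\n".join(notes))
```

The missing-rule notes are prompts to review the ruleset, since with default-deny filters a session without matching allow rules accepts and announces nothing.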
A shell script to create chroot jails
Hi, I wrote a script to create chroot jails. Please feel free to use and comment. Thanks. https://gist.github.com/siegfried/907904752b1b5db760782f476f44fca4 Sincerely yours, Siegfried zhiqiang@gmail.com
RE: Problem with mixerctl on latest snapshot
Haai,

"Alexandre Ratchov" wrote:
> On Sat, Apr 18, 2020 at 03:53:19PM -0700, Renato Aguiar wrote:
>> Hi,
>>
>> After updating to latest snapshot, mixerctl stopped working with non-root
>> user:
>>
>> $ mixerctl
>> mixerctl: /dev/audioctl0: Permission denied
>> $ ls -l /dev/audioctl0
>> crw-rw 1 root _sndiop 42, 192 Apr 18 14:29 /dev/audioctl0
>> $
>>
>[snip]
>
> Access to audio and MIDI related device nodes is now disabled for
> security reasons. We don't want programs we run, possibly processing
> untrusted input, to be allowed to directly access low level drivers
> and attempt to exploit kernel bugs.

Mefinds this issue to be analogous to the X(7) permission one (the one that led to -s for Xorg(1)).

> Now programs connect to sndiod which does the hardware access for
> them, this has other advantages as well:
> - programs control the volume of the right device on systems with
>   multiple audio devices (ex. usb head sets)
> - there's always a volume control, even if the hardware lacks one, as
>   many usb devices.
> - unified view of hardware and software controls, network
>   transparency, etc

That may all be, but like xenodm(1), memight find (future tense, as me's not running -current or snapshots) the above proposed solution inadequate for me needs.

Right now, for both X(7) and the parts of audio not covered for me by sndio(7), me's somewhat working around the security issues by having the relevant device nodes only accessible (and Xorg(1) only executable) by me as a luser (via groups 'x11' and 'audio', respectively).

Me's not propagating the above as a solution; yet, as a workaround, me's found it to be a life-saver.

Take care,

--zeurkous.

--
Friggin' Machines!
BGPD announce deprecation query
Hi,

Just been building a copy of our production system in vagrant to test upgrading to the latest version, in order to resolve an issue we were having.

In our current config we have:

group "core" {
    local-address $localaddr
    remote-as xx
    announce all
    neighbor x.x.x.x {
        descr "router-a"
    }
    neighbor x.x.x.x {
        descr "router-b"
    }
}

From the upgrade guide it says: In OpenBSD 6.4, the announce keyword was deprecated in bgpd.conf(5). It has now been removed and must be replaced with export.

We also have another group with announce none

Is it fair to suggest that removing the announce all will be the same as not having it in >= 6.4, and that we replace announce none with export none.

Probably a stupid question, but I only touch BGP occasionally, and was just hoping to understand in more detail.

The group core is our own internal bgp speakers, each of these also have transit connections too.

All our config is templated using ansible, so we can easily adjust the config based on the actual version.

Probably worth saying we are running on 6.6 with patches applied, in the test environment.

Thanks

Richard
at(1) and cron(8) (was: Re: Regarding randomized times in crontab)
Just as a note for the future: mefeels that it'd be great (for clarity as well as simplicity) if cron(8) would be merged into at(1) at some point:

    % echo make-coffee | at teatime every day

(Or similar.)

Such a change would allow each job to be individually manipulated, as well.

--zeurkous.

P.S.: No patch for UNIX, at least from me: you folks'll have to do w/ me advice :)

--
Friggin' Machines!
Re: Problem with mixerctl on latest snapshot
On Sat, Apr 18, 2020 at 03:53:19PM -0700, Renato Aguiar wrote:
> Hi,
>
> After updating to latest snapshot, mixerctl stopped working with non-root
> user:
>
> $ mixerctl
> mixerctl: /dev/audioctl0: Permission denied
> $ ls -l /dev/audioctl0
> crw-rw 1 root _sndiop 42, 192 Apr 18 14:29 /dev/audioctl0
> $
>

Hi,

You could use the sndioctl utility to adjust the volume, it's similar to mixerctl.

Access to audio and MIDI related device nodes is now disabled for security reasons. We don't want programs we run, possibly processing untrusted input, to be allowed to directly access low level drivers and attempt to exploit kernel bugs.

Now programs connect to sndiod which does the hardware access for them, this has other advantages as well:
- programs control the volume of the right device on systems with multiple audio devices (ex. usb head sets)
- there's always a volume control, even if the hardware lacks one, as many usb devices.
- unified view of hardware and software controls, network transparency, etc

mixerctl remains as a configuration tool, /etc/mixerctl.conf is still processed on system startup.