Re: lcamtuf on the recent xz debacle
On Sat, Mar 30, 2024 at 9:32 PM Peter N. M. Hansteen wrote: > > "This dependency existed not because of a deliberate design decision > by the developers of OpenSSH, but because of a kludge added by some > Linux distributions to integrate the tool with the operating > system’s newfangled orchestration service, systemd." > As if I needed another reason to intensely dislike systemd... -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: crawling network with ix driver when routing trafic
Hi!
It's my understanding that the Realtek network adapters are pretty
craptacular under load since they basically defer to the OS for
everything, raising an interrupt each time. Try the fourth test again
while running top and see if the interrupts (intr) spike during that
time.
On Mon, Mar 4, 2024 at 7:46 AM Pierre Peyronnel
wrote:
>
> Hey misc,
>
> Note : I posted on this topic in r/openbsd and before I open a bug, I
> thought I'd ask you.
>
> My OBSD router has a Realtek (onboard) and an intel (X540 pcie) network
> card, and in one particular situation I get very slow speed.
> I tested using iperf3 and also sftp put/get.
>
> Here goes:
> (1) When I transfer from/to a host/net A to the router on re0 I get
> symmetrical 1Gbps
> (2) When I transfer from/to a host/net B to the router on ix0 I also get
> symmetrical 1Gbps
> (3) When I transfer from host/net A to host/net B through the router (re0
> -> ix0) I get 1Gbps
> (4) When I transfer from host/net B to host/net A through the router (ix0
> -> re0) I get a crawling 3Mbps
>
> To make sure, I did a fresh install from 7.4 from scratch (okay i forgot to
> syspatch it), pfctl -d, sysctl net.ip.forwarding=1 and I got the same
> result.
>
> When I use another OS (tried Arch linux and OPNSense) I get full 1Gbps in
> all 4 scenarios.
>
> I'm at a loss and will appreciate any help, short of filing a bug.
> Below dmesg and pcidump.
> Thanks in advance !
> Pierre
>
> {SNIP}
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: Backup ISP
Hi Lars Maybe this might be helpful? https://www.openbsd.org/faq/pf/pools.html#outgoing On Thu, Feb 29, 2024 at 12:14 AM Lars Bonnesen wrote: > > I now have two ISPs > > A primary on vmx2 and a backup (4G) on vmx4 > > Both needs to initiate connection with a dhcp request, so I have: > inet autoconf description Internet > in hostname.vmx2 > and > inet autoconf description Internet4Gbackup > in hostname.vmx4 > > My idea is to have an active/passive setup being able to ssh from the > internet to both vmx2 and vmx4 > > Seems that I am only able to access vmx2 from the internet > > vmx2: flags=808843 mtu > 1500 > lladdr 00:0c:29:e0:88:a6 > description: Internet > index 3 priority 0 llprio 3 > groups: egress > media: Ethernet autoselect (10GbaseT) > status: active > > vmx4: flags=808843 mtu > 1500 > lladdr 00:0c:29:e0:88:7e > description: Internet4Gbackup > index 5 priority 0 llprio 3 > media: Ethernet autoselect (10GbaseT) > status: active > > > I cannot see "egress" under vmx4 - I guess this is part of the problem. > > How do I get incoming traffic via vmx2 to return out via vmx2 and visa > versa incoming traffic via vmx4 to return out vmx4 > > Regards, Lars. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: forwarding email to outlook,com fails
On Tue, Dec 5, 2023 at 10:27 AM F Bax wrote: > > A couple of email addresses on my OpenBSD server are forwarded to microsoft > domains. For quite some time; this has worked flawlessly. Recently > something changed. Now, an email sent from sendgrid.com to my server > results in a bounced message from outlook.com with this error. > > received-spf: Fail (protection.outlook.com: domain of > u3352509.wl010.sendgrid.net does not designate 64.140.xxx.yyy as permitted > sender) receiver=protection.outlook.com; client-ip=64.140.xxx.yyy; helo= > myserver.ca; > > Where xxx,yyy & myserver hide real values. > It seems outlook.com believes my server is "sending" email for sendgrid; > whereas originating server is valid and my server is just forwarding. > Anyone else encounter this situation; is there a way to resolve this? I would suspect that this is because you unwittingly are - if the email gets forwarded as is rather than changing the To: field in transit, the email goes out as "bounce+blahblahhardtofilterbulls...@u3352509.wl010.sendgrid.net" rather than something like "postmas...@myserver.ca", triggering Sendgrid's SPF protection. I'm guessing Outlook Online/MS364 is being more aggressive in SPF checks now. As for a way to resolve, that may depend on your MTA (base or one from ports? Not a safe assumption to make), but as I'm not doing this or using an MTA on OpenBSD, I'm not at a liberty to say. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Starting Homebridge / nodejs daemon at boot
On Wed, Oct 11, 2023 at 11:38 AM Manuel Kuklinski wrote: > > Hi! > > I can't get homebridge started at boot - it starts with the following > rc.d script if running as root after logging in, but fails to be present > at boot time: > I have a similar issue with PHP and Perl based FastCGI apps. My solution was a startup script that runs every minute in cron, that would give me the ability to command a restart and offer a brake if the program crashes. Something like this: #!/bin/sh NOSTART=~/path/to/nostart KILLFILE=~/path/to/killfile PIDFILE=~/path/to/pidfile if [ -e "$KILLFILE" ] then # Kill and cleanup kill `cat "$PIDFILE"` rm -f $KILLFILE $PIDFILE elif [ -e "$PIDFILE" ] then # Check if it's still running if ! kill -0 `cat "$PIDFILE" 2>/dev/null then rm -f $PIDFILE else exit 0 fi fi # Don't try to start if the nostart file is there [ -e "$NOSTART" ] && exit 0 /path/to/the/executable --option1 -o 2 & echo $!>>$PIDFILE # Create no start file so it doesn't try to restart after a failure touch $NOSTART -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: non-amd64 vps's in europe?
Oracle Cloud offers arm64 VPS. It does tend to be picky when it comes to the credit card you use for signup, though - your details need to be a near exact match. On Sun, Aug 13, 2023 at 5:28 PM Peter J. Philipp wrote: > > Hi, > > I'm asking for a friend in spain. He would like to know if there is any > openbsd vps providers in europe that provide non-amd64 vps's such as > hetzner's arm64 instance. > > He doesn't want to deal with hetzner because of their tight control checks > regarding id cards and stuff. Is there anything else out there that works > with OpenBSD? He does not want amazon either. > > Best Regards, > -peter > > -- > Over thirty years experience on Unix-like Operating Systems starting with QNX. > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Restrict SSH to local network only except for Git users?
On Thu, Jul 27, 2023 at 10:28 AM lain. wrote: > > I have a pretty nifty network setup that allows me to host from home via > WireGuard. > But there's one thing I'm struggling with. > Because for security reasons, I made it impossible for people outside > the network to connect via SSH, but for Git to function properly, I need > to allow SSH only for git@(DOMAIN) or git@(PUBLIC IP), and redirect that > to my home network so they can do stuff like "git pull", "git push", and > all the other fancy stuff. > > My pf.conf rules look like this: > > pass in quick on wg0 proto tcp from 192.168.0.0/24 to any port 22 > > pass in on $externalinterface proto tcp from any to $externalip port 22 > > rdr-to $internalip > > block in quick on egress proto tcp from any to any port 22 > > And my sshd_config: > > AllowUsers lain@192.168.0.0/24 > > AllowUsers git@(DOMAIN) > > AllowUsers git@(PUBLIC IP) > > Where exactly am I doing wrong here? I suspect you're overthinking this. Rather than preventing access altogether, turn off password authentication and use SSH keys for authentication - for the git accounts, change the shell to git-shell if you haven't already. That way, bad faith actors can try all they want, they ain't gettin' in unless they get a hold of someone's key, and even if they do, it's likely a git key and the shell (barring any security vulns in git) will prevent them from doing anything not git related. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: (fwd) [FD] OpenBSD kernel relinking is not transactional and a local exploit exists
On Tue, Jun 20, 2023 at 9:27 AM Tomasz Rola wrote: > > [REDACTED] > > https://marc.info/?l=openbsd-bugs=159074964523007=2 (noted lack of > idempotency) > https://marc.info/?l=openbsd-bugs=168688579123005=2 (noted lack of > integrity or provenance verification and the consumption of invalid > objects) Had a flick through the threads listed above. That's some Olympics-level mental gymnastics right there. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: (fwd) [FD] OpenBSD kernel relinking is not transactional and a local exploit exists
Like Theo said, if an attacker has root on your system, having the kernel relink messed with is the least of your concerns. On Tue, Jun 20, 2023 at 9:27 AM Tomasz Rola wrote: > > This happened in my mailbox today. FD means "full disclosure" and is > publicly available mailing list. > > I repost onto misc because if this is a real cat, seems it is out of > the bag already. Other than being subscribed to FD, I have no > connection. > > - Forwarded message from "Schech, C. W. (\"Connor\")" > - > > Date: Sat, 17 Jun 2023 09:40:16 + > From: "Schech, C. W. (Connor)" > To: fulldisclos...@seclists.org > Subject: [FD] OpenBSD kernel relinking is not transactional and a local > exploit > exists > > The automatic and mandatory-by-default reordering of OpenBSD kernels > is NOT transactional and as a result, a local unpatched exploit exists > which allows tampering or replacement of the kernel. Arbitrary build > artifacts are cyclically relinked with no data integrity or provenance > being maintained or verified for the objects being consumed with > respect to the running kernel before and during the execution of the > mandatory kernel_reorder process in the supplied /etc/rc and > /usr/libexec scripts. The reordering occurs at the end of installation > process and also automatically every reboot cycle thereafter unless > manually bypassed by a knowledgable party. > > The kernel_reorder routine verifies a SHA256 signature for the linked > kernel from last boot but does not verify the integrity or provenance > of any objects kept in the kernel "link kit" installed in > /usr/share/relink, so arbitrary objects can be injected and > automatically relinked at the next startup. I have verified that it is > indeed the case that both valid kernels with a different uname and > kernels which cause data destruction due to over-tuning of a subset of > the components which were compiled manually and copied into > /usr/share/relink and crash the system after being booted once > relinked but which do not match the build of the running kernel at the > time they were copied into /usr/share/relink as working > proof-of-concept exploits. > > Install media are also open to tampering and exploitation as signed > checksum data are not carried with the install sets inside the > installation image and an improperly-encapsulated poorly-documented > tarball of unverifiable (in the sense of SLSA) kernel objects is > embedded in the base distribution and then relinked with a new random > ordering of the objects cyclically between boot cycles. > > Sites with a strong security posture are advised that this is a > critical vulnerability and likely deliberate back door into the > system. Additionally, OpenBSD leaks the state of the pseudorandom > number generator to predictable locations on disk and in system memory > at a fixed point during every start up and shutdown procedure. The > lack of build process hardening has been on-going for over three > years. Theo de Raadt is disinterested in improving or reviewing the > design or providing any further clarification, as he has stated on the > mailing list when shortfalls in the relinking process were reported > over the past ~3 years. I hope that this can come to the attention of > a third-party technical expert with standing in the computer security > industry. > > Workaround: > > As the link kit is embedded in the base distribution and automatically > relinked without an option to disable it in the provided installation > script it requires manual removal at present. > > Cf. > > https://marc.info/?l=openbsd-bugs=159074964523007=2 (noted lack of > idempotency) > https://marc.info/?l=openbsd-bugs=168688579123005=2 (noted lack of > integrity or provenance verification and the consumption of invalid > objects) > > https://slsa.dev/spec/v1.0/levels#build-l2-hosted-build-platform: > > "Track/Level Requirements Focus > Build L3 Hardened build platform Tampering during the build" > ___ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: https://seclists.org/fulldisclosure/ > > > - End forwarded message - > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: About Intel C3000 eMMC
On Sun, Jun 11, 2023 at 9:33 PM Aaron Mason wrote: > Looks like it's picking it up, but can't enable it - from the attached dmesg: > > sdhc0 at pci0 dev 28 function 0 "Intel C3000 eMMC" rev 0x11: apic 2 int 16 > sdhc0: SDHC 3.0, 200 MHz base clock > sdmmc0 at sdhc0: 8-bit, sd high-speed, mmc high-speed, ddr52, dma > [REDACTED] > sdmmc0: can't enable card > > Maybe getting some debugging from that driver will help a dev - I > don't know the option off hand but I'll have a look unless someone > more knowledgeable can point you in the right direction. > > -- > Aaron Mason - Programmer, open source addict > I've taken my software vows - for beta or for worse Ok so the option is SDMMC_DEBUG - if you're able, try rebuilding the kernel but add this line to the config file: option SDMMC_DEBUG Send the output to tech@ rather than here - someone there can have a look and see where it's tripping up. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: About Intel C3000 eMMC
On Sun, Jun 11, 2023 at 9:16 PM Valdrin MUJA wrote: > > Hello OpenBSD, > > I'm trying to install OpenBSD 7.3 on a Cordoba Edge Gateway CPE(*) device > manufactured by Silicom-USA. However, OpenBSD does not recognize the Intel > C3000 eMMC (SOC type) disk that comes on it. > Is there a way to run this? > Thanks. > > Also you can find the dmesg output in the attachment of this email. > > (*) > https://www.silicom-usa.com/pr/4g-5g-products/4g-5g-appliances/cordoba-edge-gateway-cpe/ > Looks like it's picking it up, but can't enable it - from the attached dmesg: sdhc0 at pci0 dev 28 function 0 "Intel C3000 eMMC" rev 0x11: apic 2 int 16 sdhc0: SDHC 3.0, 200 MHz base clock sdmmc0 at sdhc0: 8-bit, sd high-speed, mmc high-speed, ddr52, dma [REDACTED] sdmmc0: can't enable card Maybe getting some debugging from that driver will help a dev - I don't know the option off hand but I'll have a look unless someone more knowledgeable can point you in the right direction. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: softdep / softraid RAID1 issue?
On Mon, Jun 5, 2023 at 3:07 AM Nick Holland wrote: > > =- > PREVIOUS=(find previous backup) > TODAY=(today's date) > OLDEST=(find oldest backup in the set) > REMOTE=(machine we are backing up) > > # remove oldest backup > rm -r $OLDEST & > > mkdir $TODAY > > # make new backup > rsync --link-dest $PREVIOUS $REMOTE $TODAY > =- > > [REDACTED] > > Here's where it gets weird -- removing the '&' after the rm -r $OLDEST > line seems to have FIXED THE PROBLEM. No problems in 18 days, which is > a pretty good record. > Just spitballing here... you were running the removal of the oldest in the background while bringing in new data for the backup. Maybe it was hitting an I/O ceiling of some kind under those conditions? May still warrant investigation since it could still hit this "ceiling" under a big enough I/O load. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: sysctl ddb.trigger
On Mon, May 29, 2023 at 4:08 AM Paul de Weerd wrote:
>
> Hi folks,
>
> I'm trying to debug an issue where my machine partially locks up after
> some hours (somewhere between 12 and 48, is my current window). The
> extent of the locking is still unclear, that's part of what I'm trying
> to figure out.
>
> While debugging, I thought I'd try to enter ddb, so I set ddb.console
> to 1 in /etc/sysctl.conf and tried to write to ddb.trigger:
>
> pom# sysctl ddb.{console,panic}
> ddb.console=1
> ddb.panic=1
> pom# sysctl ddb.trigger=1
> sysctl: ddb.trigger: Operation not supported by device
>
> Am I holding this thing wrong? According to ddb(4), the above should
> be sufficient, no?
>
> One thing to note is that I'm running this from a chroot into a mfs
> system (as part of the debugging of the locking up), could that affect
> things? Even if it's from a chroot, I can still change sysctl MIBs -
> is ddb.trigger special?
>
> I'm doing all this through the serial console (glass console and
> network both are unresponsive in the locked up state), could that be
> related? (for the record, BREAK doesn't work either to enter ddb, I
> guessed it was due to the USB-to-serial dongle I'm using (uplcom(4)
> lacking support for sending a proper BREAK .. but this may be the same
> issue?)
>
> Paul
>
> --
> >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<---->-]<+.--.[-]
> http://www.weirdnet.nl/
>
Just spitballing... could it be something blocked by kern.securelevel?
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: PC Engines APU platform EOL
On Thu, May 4, 2023 at 1:17 PM Damian McGuckin wrote: > > > > Happy apu2 & apu4 user here. > > Ditto. > > > Are there other OpenBSD friendly options? > > Same question but qualifying that to add FANLESS and RACKMOUNT. > > I am thinking of trying an Intel Ruggest NUC for some scenarios but at > best, they have dual RJ45 ethernets. > > Thanks - Damian > The ZimaBoards are x86 based, again dual NICs but they do have the PCIe slot to add extra. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Very slow smtp connection to mail.openbsd.org
On Thu, May 4, 2023 at 8:33 AM S V wrote: > > Hello, > > I'm trying to setup my own mail server and while I can send email to > any already tested and interesting for me domains. > I always get "delayed" with misc@openbsd.org: Connection closed > unexpectedly while trying openbsd lists. > I telnet to 25 port and see that it has extremely slow speed like 1 > character per second. I telnet from other "non-mail" vps > and I see that for first seconds it is also slow, but later it become > "instant". > > Are there any "delay" filter for spammers? If yes then why it detects > my non-mail vps as ok and still slows my "mail server" (with existing > PTR)? > If there are no delay... ugh, guess I'm out of luck with my ISP ? But > then again why vps is ok? > Very likely the IP block used by your ISP is in a blacklist, probably by default if it's residential. You can ask your ISP to get it removed but that's entirely at their discretion. > Thanks in advance for any suggestions! > > -- > Nerfur Dragon > -==(UDIC)==- > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Booting OpenBSD 7.3's i386 bsd.rd
How are you getting to the boot> prompt? On Mon, May 1, 2023 at 12:28 PM Damian McGuckin wrote: > > > What is required please? > > I am trying to boot this bsd.rd (which is a file 4Mb big) on an old > NET5500 which has 512MBytes of RAM. On a running system, > > From the > > boot> > > prompt, doing > > boot> boot bsd.rd > > it appears to loads bsd.rd, but then drops straight back into the BIOS > and starts the BIOS boot. > > Any suggestions. > > Thanks - Damian > > Pacific Engineering Systems International . 20D Grose St, Glebe NSW 2037 > Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here > Views & opinions here are mine and not those of any past or present employer > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: OpenBSD 7.2 on Oracle Cloud
On Mon, May 1, 2023 at 10:08 AM Aaron Mason wrote: > > I can reproduce it with this in QEMU 8.0 in Winders (thanks Antun who > sent something like this to the bugs@ list): > > qemu-system-x86_64 -accel whpx,kernel-irqchip=off -machine q35 \ >-cpu EPYC-Rome,-monitor -m 8g -smp 6,sockets=1,cores=6 \ >-nic user,model=virtio-net-pci,hostfwd=tcp::10022-:22 -vga virtio \ >-drive if=virtio,file=miniroot73.img -device virtio-scsi-pci,id=scsi > > The temporary workaround patch results in a booting system. > The same occurs in 7.2 under Winders. > On Mon, May 1, 2023 at 4:56 AM Stefan Fritsch wrote: > > > > Hi, > > > > what qemu version are you using? I cannot reproduce this with qemu 7.2. > > Can you try with a newer qemu? > > > > Cheers, > > Stefan > > > > Am 25.04.23 um 14:53 schrieb Aaron Mason: > > [REDACTED] -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: OpenBSD 7.2 on Oracle Cloud
I can reproduce it with this in QEMU 8.0 in Winders (thanks Antun who
sent something like this to the bugs@ list):
qemu-system-x86_64 -accel whpx,kernel-irqchip=off -machine q35 \
-cpu EPYC-Rome,-monitor -m 8g -smp 6,sockets=1,cores=6 \
-nic user,model=virtio-net-pci,hostfwd=tcp::10022-:22 -vga virtio \
-drive if=virtio,file=miniroot73.img -device virtio-scsi-pci,id=scsi
The temporary workaround patch results in a booting system.
On Mon, May 1, 2023 at 4:56 AM Stefan Fritsch wrote:
>
> Hi,
>
> what qemu version are you using? I cannot reproduce this with qemu 7.2.
> Can you try with a newer qemu?
>
> Cheers,
> Stefan
>
> Am 25.04.23 um 14:53 schrieb Aaron Mason:
> >>>> Yeah I'm getting the same thing. Trying a build in QEMU and
> >>>> transferring in to see if that helps. Will report back.
> >>>>
> >>>
> >>> Ok, good news, it still crashes at the same spot, but this time I've
> >>> got more data. Copying in tech@ - if I've forgotten anything let me
> >>> know and I'll fire up a fresh instance.
> >>>
> >>> [REDACTED]
> >>> vioscsi_req_done(e,80024a00,fd803f81c338,e,80024a00,800
> >>> d3228) at vioscsi_req_done+0x26
> >>> [REDACTED]
> >>
> >> Ok, so based on the trace I got, I was able to trace the stop itself
> >> back to line 299 of vioscsi.c (thank. you. random relink. And
> >> anonymous CVS):
> >>
> >> 293 vioscsi_req_done(struct vioscsi_softc *sc, struct virtio_softc
> >> *vsc,
> >> 294 struct vioscsi_req *vr)
> >> 295 {
> >> 296 struct scsi_xfer *xs = vr->vr_xs;
> >> 297 DPRINTF("vioscsi_req_done: enter vr: %p xs: %p\n", vr,
> >> xs);
> >> 298
> >> -->299 int isread = !!(xs->flags & SCSI_DATA_IN);
> >> 300 bus_dmamap_sync(vsc->sc_dmat, vr->vr_control,
> >> 301 offsetof(struct vioscsi_req, vr_req),
> >> 302 sizeof(struct virtio_scsi_req_hdr),
> >> 303 BUS_DMASYNC_POSTWRITE);
> >>
> >> Maybe if I follow the rabbit hole enough, I might find out what's
> >> going wrong between the driver and OCI. I've got a day off tomorrow
> >> (yay for war I guess), I'll give it a bash and see where we end up.
> >>
> >> --
> >> Aaron Mason - Programmer, open source addict
> >> I've taken my software vows - for beta or for worse
> >
> > I enabled debugging on the vioscsi driver, rebuilt the RAMDISK kernel
> > with those drivers enabled, and got this:
> >
> > vioscsi0 at virtio1: qsize 128
> > scsibus0 at vioscsi0: 255 targets
> > vioscsi_req_get: 0xfd803f80d338
> > vioscsi_scsi_cmd: enter
> > vioscsi_scsi_cmd: polling...
> > vioscsi_scsi_cmd: polling timeout
> > vioscsi_scsi_cmd: done (timeout=0)
> > vioscsi_scsi_cmd: enter
> > vioscsi_scsi_cmd: polling...
> > vioscsi_vq_done: enter
> > vioscsi_vq_done: slot=127
> > vioscsi_req_done: enter vr: 0xfd803f80d338 xs: 0xfd803f8a5e58
> > vioscsi_req_done: done 0, 2, 0
> > vioscsi_vq_done: slot=127
> > vioscsi_req_done: enter vr: 0xfd803f80d338 xs: 0x0
> > uvm_fault(0x813ec2e0, 0x8, 0, 1) -> e
> > fatal page fault in supervisor mode
> > trap type 6 code 0 rip 810e6190 cs 8 rflags 10286 cr2 8 cpl e
> > rsp 81606670
> > gsbase 0x813dfff0 kgsbase 0x0
> > panic: trap type 6, code=0, pc=810e6190
> >
> > That "xs: 0x0" bit feels like a clue. It should be trivial to pick up
> > and handle, but what would be the correct way to handle that?
> >
> > If I have it return if "xs" is found to be NULL, it continues - the
> > debugging suggests it goes through each possible target before
> > finishing up. I don't know if that's correct, but it seems to continue
> > booting after that even if my example didn't detect the drive with the
> > kernel I built (I used the RAMDISK kernel and it was pretty stripped
> > down).
> >
> > I'm about to attempt a -STABLE build (I've got 7.3 installed and thus
> > can't yet build a snapshot, but I will do that if this test succeeds)
> > - here's the patch that hopefully fixes the problem. (and hopefully
> > gmail doesn't clobber the tabs)
> >
> > Index: sys/dev/pv/vioscsi.c
> > ===
> > RCS file: /cvs/src/sys/dev/pv/vioscsi.c,v
> > retrieving revision 1.30
> > diff -u -p -u -p -r1.30 vioscsi.c
> > --- sys/dev/pv/vioscsi.c 16 Apr 2022 19:19:59 - 1.30
> > +++ sys/dev/pv/vioscsi.c 25 Apr 2023 12:51:16 -
> > @@ -296,6 +296,7 @@ vioscsi_req_done(struct vioscsi_softc *s
> >struct scsi_xfer *xs = vr->vr_xs;
> >DPRINTF("vioscsi_req_done: enter vr: %p xs: %p\n", vr, xs);
> >
> > + if (xs == NULL) return;
> >int isread = !!(xs->flags & SCSI_DATA_IN);
> >bus_dmamap_sync(vsc->sc_dmat, vr->vr_control,
> >offsetof(struct vioscsi_req, vr_req),
> >
> >
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: Minimum install size
On Fri, Apr 28, 2023 at 5:11 PM Janne Johansson wrote: > > Den fre 28 apr. 2023 kl 06:12 skrev Yoshihiro Kawamata : > > > > In the OpenBSD FAQ, in the Installation Guide section, it says > > "OpenBSD can be installed in as little as 512MB, but using a device > > that small is something for advanced users". > > https://www.openbsd.org/faq/faq4.html#Partitioning > > > > In fact, the installation of only the kernel and base73.tgz required > > 629MB for i386 and 1GB for amd64. > > > > For example, if I delete the files under /usr/share/relink, I can > > get within 512MB, but this is not a desirable installation method, is > > it? > > Do not assume "desireable" and "possible" are always the same. > > -- > May the most significant bit of your life be positive. > If you wanted to go super hard core, you could build crunchgen in src and build a busybox-style setup - though such things would be super unsupported and you'd get to keep all the pieces if it breaks. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: OpenBSD 7.2 on Oracle Cloud
On Wed, Apr 26, 2023 at 7:36 AM Antun Matanović
wrote:
>
> I tested the patch you provided on my local qemu install and it booted
> successfully.
>
>> Index: sys/dev/pv/vioscsi.c
>> ===
>> RCS file: /cvs/src/sys/dev/pv/vioscsi.c,v
>> retrieving revision 1.30
>> diff -u -p -u -p -r1.30 vioscsi.c
>> --- sys/dev/pv/vioscsi.c 16 Apr 2022 19:19:59 - 1.30
>> +++ sys/dev/pv/vioscsi.c 25 Apr 2023 12:51:16 -
>> @@ -296,6 +296,7 @@ vioscsi_req_done(struct vioscsi_softc *s
>> struct scsi_xfer *xs = vr->vr_xs;
>> DPRINTF("vioscsi_req_done: enter vr: %p xs: %p\n", vr, xs);
>>
>>
>> + if (xs == NULL) return;
>> int isread = !!(xs->flags & SCSI_DATA_IN);
>> bus_dmamap_sync(vsc->sc_dmat, vr->vr_control,
>> offsetof(struct vioscsi_req, vr_req),
>>
Sorry just got this email - it got caught in gmail's spam filter. I
managed to test it in OCI as well, and bsd.rd boots and detects the
virtual disk without issue.
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: OpenBSD 7.2 on Oracle Cloud
On Tue, Apr 25, 2023 at 10:53 PM Aaron Mason wrote:
>
> On Mon, Apr 24, 2023 at 3:47 PM Aaron Mason wrote:
> >
> > On Fri, Apr 21, 2023 at 2:50 PM Aaron Mason
> > wrote:
> > >
> > > On Fri, Apr 21, 2023 at 1:39 PM Aaron Mason
> > > wrote:
> > > >
> > > > On Fri, Apr 7, 2023 at 3:25 AM Antun Matanović
> > > > wrote:
> > > > >
> > > > > On Thu, 6 Apr 2023 at 12:55, Fabio Martins wrote:
> > > > > >
> > > > > > Try to add an entry in grub like in this article:
> > > > > >
> > > > > > https://raby.sh/installing-openbsd-on-ovhs-vps-2016-kvm-machines.html
> > > > >
> > > > > I have tried that, but it did not resolve the issue. Sorry I forgot to
> > > > > mention it originally.
> > > > >
> > > > > On Thu, 6 Apr 2023 at 14:24, Janne Johansson
> > > > > wrote:
> > > > > >
> > > > > > That is very much not the same issue. The arm64 instances on Oracle
> > > > > > finds the correct kernel and boots it, it just crashes at or after
> > > > > > the
> > > > > > scsi attachment.
> > > > >
> > > > > This has been my experience as well, except on the amd64 instance,
> > > > > haven't tried arm64.
> > > > >
> > > >
> > > > Yeah I'm getting the same thing. Trying a build in QEMU and
> > > > transferring in to see if that helps. Will report back.
> > > >
> > >
> > > Ok, good news, it still crashes at the same spot, but this time I've
> > > got more data. Copying in tech@ - if I've forgotten anything let me
> > > know and I'll fire up a fresh instance.
> > >
> > > [REDACTED]
> > > vioscsi_req_done(e,80024a00,fd803f81c338,e,80024a00,800
> > > d3228) at vioscsi_req_done+0x26
> > > [REDACTED]
> >
> > Ok, so based on the trace I got, I was able to trace the stop itself
> > back to line 299 of vioscsi.c (thank. you. random relink. And
> > anonymous CVS):
> >
> >293 vioscsi_req_done(struct vioscsi_softc *sc, struct virtio_softc *vsc,
> >294 struct vioscsi_req *vr)
> >295 {
> >296 struct scsi_xfer *xs = vr->vr_xs;
> >297 DPRINTF("vioscsi_req_done: enter vr: %p xs: %p\n", vr, xs);
> >298
> > -->299 int isread = !!(xs->flags & SCSI_DATA_IN);
> >300 bus_dmamap_sync(vsc->sc_dmat, vr->vr_control,
> >301 offsetof(struct vioscsi_req, vr_req),
> >302 sizeof(struct virtio_scsi_req_hdr),
> >303 BUS_DMASYNC_POSTWRITE);
> >
> > Maybe if I follow the rabbit hole enough, I might find out what's
> > going wrong between the driver and OCI. I've got a day off tomorrow
> > (yay for war I guess), I'll give it a bash and see where we end up.
> >
> > --
> > Aaron Mason - Programmer, open source addict
> > I've taken my software vows - for beta or for worse
>
> I enabled debugging on the vioscsi driver, rebuilt the RAMDISK kernel
> with those drivers enabled, and got this:
>
> vioscsi0 at virtio1: qsize 128
> scsibus0 at vioscsi0: 255 targets
> vioscsi_req_get: 0xfd803f80d338
> vioscsi_scsi_cmd: enter
> vioscsi_scsi_cmd: polling...
> vioscsi_scsi_cmd: polling timeout
> vioscsi_scsi_cmd: done (timeout=0)
> vioscsi_scsi_cmd: enter
> vioscsi_scsi_cmd: polling...
> vioscsi_vq_done: enter
> vioscsi_vq_done: slot=127
> vioscsi_req_done: enter vr: 0xfd803f80d338 xs: 0xfd803f8a5e58
> vioscsi_req_done: done 0, 2, 0
> vioscsi_vq_done: slot=127
> vioscsi_req_done: enter vr: 0xfd803f80d338 xs: 0x0
> uvm_fault(0x813ec2e0, 0x8, 0, 1) -> e
> fatal page fault in supervisor mode
> trap type 6 code 0 rip 810e6190 cs 8 rflags 10286 cr2 8 cpl e
> rsp 81606670
> gsbase 0x813dfff0 kgsbase 0x0
> panic: trap type 6, code=0, pc=810e6190
>
> That "xs: 0x0" bit feels like a clue. It should be trivial to pick up
> and handle, but what would be the correct way to handle that?
>
> If I have it return if "xs" is found to be NULL, it continues - the
> debugging suggests it goes through each possible target before
> finishing up. I don't know if that's correct, but it seems to continue
> booting after that even if my example didn't detect the drive with the
> kernel I built (I used the RAMDISK kernel and it was pretty stripped
>
Re: OpenBSD 7.2 on Oracle Cloud
On Mon, Apr 24, 2023 at 3:47 PM Aaron Mason wrote:
>
> On Fri, Apr 21, 2023 at 2:50 PM Aaron Mason wrote:
> >
> > On Fri, Apr 21, 2023 at 1:39 PM Aaron Mason
> > wrote:
> > >
> > > On Fri, Apr 7, 2023 at 3:25 AM Antun Matanović
> > > wrote:
> > > >
> > > > On Thu, 6 Apr 2023 at 12:55, Fabio Martins wrote:
> > > > >
> > > > > Try to add an entry in grub like in this article:
> > > > >
> > > > > https://raby.sh/installing-openbsd-on-ovhs-vps-2016-kvm-machines.html
> > > >
> > > > I have tried that, but it did not resolve the issue. Sorry I forgot to
> > > > mention it originally.
> > > >
> > > > On Thu, 6 Apr 2023 at 14:24, Janne Johansson
> > > > wrote:
> > > > >
> > > > > That is very much not the same issue. The arm64 instances on Oracle
> > > > > finds the correct kernel and boots it, it just crashes at or after the
> > > > > scsi attachment.
> > > >
> > > > This has been my experience as well, except on the amd64 instance,
> > > > haven't tried arm64.
> > > >
> > >
> > > Yeah I'm getting the same thing. Trying a build in QEMU and
> > > transferring in to see if that helps. Will report back.
> > >
> >
> > Ok, good news, it still crashes at the same spot, but this time I've
> > got more data. Copying in tech@ - if I've forgotten anything let me
> > know and I'll fire up a fresh instance.
> >
> > [REDACTED]
> > vioscsi_req_done(e,80024a00,fd803f81c338,e,80024a00,800
> > d3228) at vioscsi_req_done+0x26
> > [REDACTED]
>
> Ok, so based on the trace I got, I was able to trace the stop itself
> back to line 299 of vioscsi.c (thank. you. random relink. And
> anonymous CVS):
>
>293 vioscsi_req_done(struct vioscsi_softc *sc, struct virtio_softc *vsc,
>294 struct vioscsi_req *vr)
>295 {
>296 struct scsi_xfer *xs = vr->vr_xs;
>297 DPRINTF("vioscsi_req_done: enter vr: %p xs: %p\n", vr, xs);
>298
> -->299 int isread = !!(xs->flags & SCSI_DATA_IN);
>300 bus_dmamap_sync(vsc->sc_dmat, vr->vr_control,
>301 offsetof(struct vioscsi_req, vr_req),
>302 sizeof(struct virtio_scsi_req_hdr),
>303 BUS_DMASYNC_POSTWRITE);
>
> Maybe if I follow the rabbit hole enough, I might find out what's
> going wrong between the driver and OCI. I've got a day off tomorrow
> (yay for war I guess), I'll give it a bash and see where we end up.
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse
I enabled debugging on the vioscsi driver, rebuilt the RAMDISK kernel
with those drivers enabled, and got this:
vioscsi0 at virtio1: qsize 128
scsibus0 at vioscsi0: 255 targets
vioscsi_req_get: 0xfd803f80d338
vioscsi_scsi_cmd: enter
vioscsi_scsi_cmd: polling...
vioscsi_scsi_cmd: polling timeout
vioscsi_scsi_cmd: done (timeout=0)
vioscsi_scsi_cmd: enter
vioscsi_scsi_cmd: polling...
vioscsi_vq_done: enter
vioscsi_vq_done: slot=127
vioscsi_req_done: enter vr: 0xfd803f80d338 xs: 0xfd803f8a5e58
vioscsi_req_done: done 0, 2, 0
vioscsi_vq_done: slot=127
vioscsi_req_done: enter vr: 0xfd803f80d338 xs: 0x0
uvm_fault(0x813ec2e0, 0x8, 0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip 810e6190 cs 8 rflags 10286 cr2 8 cpl e
rsp 81606670
gsbase 0x813dfff0 kgsbase 0x0
panic: trap type 6, code=0, pc=810e6190
That "xs: 0x0" bit feels like a clue. It should be trivial to pick up
and handle, but what would be the correct way to handle that?
If I have it return if "xs" is found to be NULL, it continues - the
debugging suggests it goes through each possible target before
finishing up. I don't know if that's correct, but it seems to continue
booting after that even if my example didn't detect the drive with the
kernel I built (I used the RAMDISK kernel and it was pretty stripped
down).
I'm about to attempt a -STABLE build (I've got 7.3 installed and thus
can't yet build a snapshot, but I will do that if this test succeeds)
- here's the patch that hopefully fixes the problem. (and hopefully
gmail doesn't clobber the tabs)
Index: sys/dev/pv/vioscsi.c
===
RCS file: /cvs/src/sys/dev/pv/vioscsi.c,v
retrieving revision 1.30
diff -u -p -u -p -r1.30 vioscsi.c
--- sys/dev/pv/vioscsi.c 16 Apr 2022 19:19:59 - 1.30
+++ sys/dev/pv/vioscsi.c 25 Apr 2023 12:51:16 -
@@ -296,6 +296,7 @@ vioscsi_req_done(struct vioscsi_softc *s
struct scsi_xfer *xs = vr->vr_xs;
DPRINTF("vioscsi_req_done: enter vr: %p xs: %p\n", vr, xs);
+ if (xs == NULL) return;
int isread = !!(xs->flags & SCSI_DATA_IN);
bus_dmamap_sync(vsc->sc_dmat, vr->vr_control,
offsetof(struct vioscsi_req, vr_req),
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: OpenBSD 7.2 on Oracle Cloud
On Fri, Apr 21, 2023 at 2:50 PM Aaron Mason wrote:
>
> On Fri, Apr 21, 2023 at 1:39 PM Aaron Mason wrote:
> >
> > On Fri, Apr 7, 2023 at 3:25 AM Antun Matanović
> > wrote:
> > >
> > > On Thu, 6 Apr 2023 at 12:55, Fabio Martins wrote:
> > > >
> > > > Try to add an entry in grub like in this article:
> > > >
> > > > https://raby.sh/installing-openbsd-on-ovhs-vps-2016-kvm-machines.html
> > >
> > > I have tried that, but it did not resolve the issue. Sorry I forgot to
> > > mention it originally.
> > >
> > > On Thu, 6 Apr 2023 at 14:24, Janne Johansson wrote:
> > > >
> > > > That is very much not the same issue. The arm64 instances on Oracle
> > > > finds the correct kernel and boots it, it just crashes at or after the
> > > > scsi attachment.
> > >
> > > This has been my experience as well, except on the amd64 instance,
> > > haven't tried arm64.
> > >
> >
> > Yeah I'm getting the same thing. Trying a build in QEMU and
> > transferring in to see if that helps. Will report back.
> >
>
> Ok, good news, it still crashes at the same spot, but this time I've
> got more data. Copying in tech@ - if I've forgotten anything let me
> know and I'll fire up a fresh instance.
>
> [REDACTED]
> vioscsi_req_done(e,80024a00,fd803f81c338,e,80024a00,800
> d3228) at vioscsi_req_done+0x26
> [REDACTED]
Ok, so based on the trace I got, I was able to trace the stop itself
back to line 299 of vioscsi.c (thank. you. random relink. And
anonymous CVS):
293 vioscsi_req_done(struct vioscsi_softc *sc, struct virtio_softc *vsc,
294 struct vioscsi_req *vr)
295 {
296 struct scsi_xfer *xs = vr->vr_xs;
297 DPRINTF("vioscsi_req_done: enter vr: %p xs: %p\n", vr, xs);
298
-->299 int isread = !!(xs->flags & SCSI_DATA_IN);
300 bus_dmamap_sync(vsc->sc_dmat, vr->vr_control,
301 offsetof(struct vioscsi_req, vr_req),
302 sizeof(struct virtio_scsi_req_hdr),
303 BUS_DMASYNC_POSTWRITE);
Maybe if I follow the rabbit hole enough, I might find out what's
going wrong between the driver and OCI. I've got a day off tomorrow
(yay for war I guess), I'll give it a bash and see where we end up.
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: OpenBSD 7.2 on Oracle Cloud
On Fri, Apr 21, 2023 at 1:39 PM Aaron Mason wrote: > > On Fri, Apr 7, 2023 at 3:25 AM Antun Matanović > wrote: > > > > On Thu, 6 Apr 2023 at 12:55, Fabio Martins wrote: > > > > > > Try to add an entry in grub like in this article: > > > > > > https://raby.sh/installing-openbsd-on-ovhs-vps-2016-kvm-machines.html > > > > I have tried that, but it did not resolve the issue. Sorry I forgot to > > mention it originally. > > > > On Thu, 6 Apr 2023 at 14:24, Janne Johansson wrote: > > > > > > That is very much not the same issue. The arm64 instances on Oracle > > > finds the correct kernel and boots it, it just crashes at or after the > > > scsi attachment. > > > > This has been my experience as well, except on the amd64 instance, > > haven't tried arm64. > > > > Yeah I'm getting the same thing. Trying a build in QEMU and > transferring in to see if that helps. Will report back. > Ok, good news, it still crashes at the same spot, but this time I've got more data. Copying in tech@ - if I've forgotten anything let me know and I'll fire up a fresh instance. OpenBSD 7.3 (GENERIC.MP) #1125: Sat Mar 25 10:36:29 MDT 2023 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 1056817152 (1007MB) avail mem = 1005449216 (958MB) random: good seed from bootblocks mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf7050 (9 entries) bios0: vendor SeaBIOS version "?-20171121_152543-x86-ol7-builder-01.us.oracle.c om-4.el7.1" date 04/01/2014 bios0: QEMU Standard PC (i440FX + PIIX, 1996) acpi0 at bios0: ACPI 1.0 acpi0: sleep states S3 S4 S5 acpi0: tables DSDT FACP APIC HPET acpi0: wakeup devices acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: AMD EPYC 7551 32-Core Processor, 1997.30 MHz, 17-01-02 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,C FLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,x2APIC,MO VBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP, LONG,LAHF,CMPLEG,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,TOPEXT,CPCTR,FSGSBASE,TSC_AD JUST,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,VIRTSSBD,XSAVEOPT, XSAVEC,XGETBV1,XSAVES cpu0: 64KB 64b/line 2-way D-cache, 64KB 64b/line 2-way I-cache, 512KB 64b/line 1 6-way L2 cache, 16MB 64b/line 16-way L3 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 1000MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: AMD EPYC 7551 32-Core Processor, 3377.48 MHz, 17-01-02 cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,C FLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,x2APIC,MO VBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP, LONG,LAHF,CMPLEG,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,TOPEXT,CPCTR,FSGSBASE,TSC_AD JUST,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,VIRTSSBD,XSAVEOPT, XSAVEC,XGETBV1,XSAVES cpu1: 64KB 64b/line 2-way D-cache, 64KB 64b/line 2-way I-cache, 512KB 64b/line 1 6-way L2 cache, 16MB 64b/line 16-way L3 cache cpu1: smt 0, core 0, package 1 ioapic0 at mainbus0: apid 0 pa 0xfec0, version 11, 24 pins acpihpet0 at acpi0: 1 Hz acpiprt0 at acpi0: bus 0 (PCI0) "ACPI0006" at acpi0 not configured acpipci0 at acpi0 PCI0 acpicmos0 at acpi0 com0 at acpi0 COM1 addr 0x3f8/0x8 irq 4: ns16550a, 16 byte fifo com0: console "QEMU0001" at acpi0 not configured "PNP0A06" at acpi0 not configured "PNP0A06" at acpi0 not configured "PNP0A06" at acpi0 not configured "QEMU0002" at acpi0 not configured "ACPI0010" at acpi0 not configured acpicpu0 at acpi0: C1(@1 halt!) acpicpu1 at acpi0: C1(@1 halt!) pvbus0 at mainbus0: KVM pvclock0 at pvbus0 pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02 pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00 pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 w ired to compatibility, channel 1 wired to compatibility pciide0: channel 0 disabled (no drives) pciide0: channel 1 disabled (no drives) uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11 piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9 iic0 at piixpm0 vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x02 wsdisplay at vga1 not configured virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00 vio0 at virtio0: address 02:00:17:00:21:c1 virtio0: msix shared virtio1 at pci0 dev 4 function 0 "Qumranet Virtio SCSI" rev 0x00 vioscsi0 at virtio1: qs
Re: OpenBSD 7.2 on Oracle Cloud
On Fri, Apr 7, 2023 at 3:25 AM Antun Matanović wrote: > > On Thu, 6 Apr 2023 at 12:55, Fabio Martins wrote: > > > > Try to add an entry in grub like in this article: > > > > https://raby.sh/installing-openbsd-on-ovhs-vps-2016-kvm-machines.html > > I have tried that, but it did not resolve the issue. Sorry I forgot to > mention it originally. > > On Thu, 6 Apr 2023 at 14:24, Janne Johansson wrote: > > > > That is very much not the same issue. The arm64 instances on Oracle > > finds the correct kernel and boots it, it just crashes at or after the > > scsi attachment. > > This has been my experience as well, except on the amd64 instance, > haven't tried arm64. > Yeah I'm getting the same thing. Trying a build in QEMU and transferring in to see if that helps. Will report back. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Enhancing Privacy in 2020 attached screenshot
On Sat, Dec 19, 2020 at 2:01 PM Ashlen wrote: > > On 20/12/16 22:55, pipus wrote: > > haha Stuart. > > Always there to make a low IQ entrance :) > Ever hear of Dunning-Kruger, pipus? > > https://lsa.umich.edu/psych/news-events/all-news/faculty-news/the-dunning-kruger-effect-shows-why-some-people-think-they-re-gr.html > First rule of Dunning-Kruger club is you don't know you're in Dunning-Kruger club. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Advice on using intrusion detection
On Sun, Nov 22, 2020 at 1:14 AM Nick Holland wrote: > > On 2020-11-20 17:15, Erik Lauritsen wrote: > > Is it recommended to run some kind of intrusion detection on an > > OpenBSD router/firewall? > > > > I suspect that any kind of system like Snort or Suricata will give a > > lot of false positives? > > [SNIP] > > One thing I have been doing for a while is rsync --link-dest backups of > systems, both in-house and at various workplaces. FANTASTIC tool, > giving incredibly "useful" backups, with relatively low impact and > resource requirements. My I use a -v on rsync to get verbose backups, > and log it to a file. > > Just recently, I realized these logs are basically a "changed file" > report, which is a starting point for a file alteration reporting > tool. Combine that with a carefully crafted "ignore" file (you > can do that with a grep -vf ignorefile logfile), and you have an > interesting file monitoring system. > This sounds similar to what I do with logs - something Marcus Ranum called "artificial ignorance". Using grep, you fill a file with patterns to remove things you know aren't interesting, and once you apply it to your logs what remains will absolutely be interesting. If anything else uninteresting shows up, update the pattern file to filter those entries out. I used this method on the logs of my OpenBSD-based Request Tracker server and found that the reason a commercial piece of software running on a Hyper-V virtual machine kept needing to be reactivated was because the server's MAC address would regularly change if you left it set to Dynamic. Really, Microsoft? > The painful part with any such system is crafting the list of what > to ignore vs. what to panic over. Everyone wants to tick the > checkbox that says "We have an intrusion detection system", and > everyone wants one of two results: "No problem" and "intruder > detected". So far, I don't think any tool does that. An IDS > without careful human monitoring is just for show (and it's a > potential security risk of its own), and more likely to be the > cause of a problem than a solution. Careful monitoring takes > time and resources. > Problems like "we're only getting 56Mbps from our 1000mbit fibre connection". Yes, really. Bypassing the IDS/IPS actually led to better performance - or at least better numbers on the speed test. You got some 'splaining to do, Sophos. > One nifty thing I have found in "rolling my own" is that I found > a lot of little oddities, no security problems, but things that > needed fixing. I'd call that a win. > Exactly, it just takes effort. Something that is in short supply whether by overwork or laziness. > Nick. > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: OBSD 6.8 vlan communication issues
0 26 - 1 aggr0 > > 10.10.70.3 e0:63:da:8e:78:d7 UHLc 0 7158 - 3 aggr0 > > 10.10.70.255 10.10.70.1 UHPb 00 - 1 aggr0 > > 10.10.70.255 10.10.70.0 UHPb 00 - 1 vlan70 > > 10.10.77/2410.10.77.1 UCPn 01 - 4 aggr0 > > 10.10.77/2410.10.77.0 UCPn 00 - 4 vlan77 > > 10.10.77.0 fe:e1:ba:d0:f4:8c UHLl 00 - 1 vlan77 > > 10.10.77.1 fe:e1:ba:d0:f4:8c UHLl 0 31 - 1 aggr0 > > 10.10.77.255 10.10.77.1 UHPb 00 - 1 aggr0 > > 10.10.77.255 10.10.77.0 UHPb 00 - 1 vlan77 > > 10.10.79/2410.10.79.1 UCPn 01 - 4 aggr0 > > 10.10.79/2410.10.79.0 UCPn 00 - 4 vlan79 > > 10.10.79.0 fe:e1:ba:d0:f4:8c UHLl 0 0 - 1 vlan79 > > 10.10.79.1 fe:e1:ba:d0:f4:8c UHLl 0 36 - 1 aggr0 > > 10.10.79.255 10.10.79.1 UHPb 00 - 1 aggr0 > > 10.10.79.255 10.10.79.0 UHPb 00 - 1 vlan79 > > 127/8 127.0.0.1 UGRS 00 32768 8 lo0 > > 127.0.0.1 127.0.0.1 UHhl 1 17 32768 1 lo0 > > 192.168.7/24 192.168.7.4UCn10 - 4 re0 > > 192.168.7.100:1b:21:18:88:72 UHLch 514796 - 3 re0 > > 192.168.7.48c:ec:4b:7a:04:dc UHLl 0 184 - 1 re0 > > 192.168.7.255 192.168.7.4UHb00 - 1 re0 > > > > > > the pf rules when pf enabled > > > > pfctl -sr > > block return all > > pass all flags S/SA > > block return in on ! lo0 proto tcp from any to any port 6000:6010 > > block return out log proto tcp all user = 55 > > block return out log proto udp all user = 55 > > pass out log on aggr0 inet proto icmp from 10.10.70.0/24 to any label > > "pings" > > pass out log on aggr0 inet proto icmp from 10.10.77.0/24 to any label > > "pings" > > pass out log on aggr0 inet proto icmp from 10.10.79.0/24 to any label > > "pings" > > pass in on vlan70 all flags S/SA label "vlan70" tag vlan70 > > pass out on vlan70 all flags S/SA label "vlan70o" tag vlan70o > > > > sysctl for ip forwarding is set > > > > net.inet.ip.forwarding=1 > > > > > > > > -- > Kindest regards, > Tom Smyth. Good catch, didn't notice the IPs on the aggr0 interface. I retract my advice. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: OBSD 6.8 vlan communication issues
1 re0 > > > the pf rules when pf enabled > > pfctl -sr > block return all > pass all flags S/SA > block return in on ! lo0 proto tcp from any to any port 6000:6010 > block return out log proto tcp all user = 55 > block return out log proto udp all user = 55 > pass out log on aggr0 inet proto icmp from 10.10.70.0/24 to any label > "pings" > pass out log on aggr0 inet proto icmp from 10.10.77.0/24 to any label > "pings" > pass out log on aggr0 inet proto icmp from 10.10.79.0/24 to any label > "pings" > pass in on vlan70 all flags S/SA label "vlan70" tag vlan70 > pass out on vlan70 all flags S/SA label "vlan70o" tag vlan70o > > sysctl for ip forwarding is set > > net.inet.ip.forwarding=1 > > What is your management VLAN set to on the switch? Did you set up those ports in a LAG as well as on those VLANs? -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: chromium has troubles showing videos from youtube
On Wed, Nov 11, 2020 at 7:42 AM Gregory Edigarov wrote: > > Hello, > > chromium-86.0.4240.185, installed from packages > is showing spinner and goes no further after the first ad before video, > and not. > at first I thought it is some extension, but with clean chromium the > behavior is > still the same. > > does anybody else observing this? or is it just me? > > -- > With best regards, >Gregory Edigarov > Hi If you open up the developer console and start a video, do you see any requests that end in an error in the Network tab? -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Multiple USB NICs
On Tue, Oct 20, 2020 at 12:29 PM Lee Nelson wrote: > > > > On Mon, 19 Oct 2020, Allan Streib wrote: > > > Lee Nelson writes: > > > >> I had considered some late-running script that would query the MAC's of > >> each NIC and then configure them accordingly or rewrite the hostname.* > >> files and call netstart on them, but that just seems sloppy and > >> unreliable. > > > > What about DHCP? It supports MAC-specific configurations. > > > > Allan > > > Very good point, except in my case, this machine would be the dhcp server. > You could run scripts to set the IP address based on the MAC with this in each hostname.axenN file: !/path/to/script axeN And then write that script to pick the IP address based on the MAC. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Understanding download speed reduction by introducing an inline Ubiquity ERL device
410.0/s > >> ip-option 261640.1/s > >> proto-cksum00.0/s > >> state-mismatch 107580.0/s > >> state-insert 00.0/s > >> state-limit00.0/s > >> src-limit 00.0/s > >> synproxy 00.0/s > >> translate 00.0/s > >> no-route 00.0/s > >> > >> pfctl -s memory: > >> > >> stateshard limit 10 > >> src-nodes hard limit1 > >> frags hard limit16384 > >> tableshard limit 1000 > >> table-entries hard limit 20 > >> pktdelay-pkts hard limit1 > >> > >> The netlivlocks value keeps on increasing regularly: > >> kern.netlivelocks=57911 > >> > >> netstat -m: > >> > >> 1009 mbufs in use: > >> 917 mbufs allocated to data > >> 5 mbufs allocated to packet headers > >> 87 mbufs allocated to socket names and addresses > >> 801/7256 mbuf 2048 byte clusters in use (current/peak) > >> 0/15 mbuf 2112 byte clusters in use (current/peak) > >> 0/24 mbuf 4096 byte clusters in use (current/peak) > >> 0/8 mbuf 8192 byte clusters in use (current/peak) > >> 0/0 mbuf 9216 byte clusters in use (current/peak) > >> 0/0 mbuf 12288 byte clusters in use (current/peak) > >> 0/0 mbuf 16384 byte clusters in use (current/peak) > >> 0/8 mbuf 65536 byte clusters in use (current/peak) > >> 6512/17088/131072 Kbytes allocated to network (current/peak/max) > >> 0 requests for memory denied > >> 0 requests for memory delayed > >> 0 calls to protocol drain routines > >> > >> netstat -i: > >> > >> NameMtu Network Address Ipkts IfailOpkts Ofail > >> Colls > >> lo0 32768 198 0 198 0 > >>0 > >> lo0 32768 localhost/1 localhost 198 0 198 0 > >>0 > >> lo0 32768 fe80::%lo0/ fe80::1%lo0198 0 198 0 > >>0 > >> lo0 32768 127/8 localhost 198 0 198 0 > >>0 > >> cnmac0 1600a8:28:dc:cc:2e:6f 56088774 0 22283491 2688 > >>0 > >> cnmac0 1600 73.231.60/2 c-73-231-60-128.h 56088774 0 22283491 2688 > >>0 > >> cnmac1 160078:8a:20:46:a8:c1 23646497 4 5656985348 > >>0 > >> cnmac2 160078:8a:20:46:a8:c214823 0 226198 226198 > >> 0 > >> enc0* 00 00 0 > >>0 > >> bridge0 1500 23187238 0 57022219 0 > >>0 > >> vether0 32768 fe:e1:ba:d0:c8:a9 23056709 0 56795991 0 > >>0 > >> vether0 32768 192.168.10/ 192.168.10.1 23056709 0 56795991 0 > >>0 > >> pflog0 331360 026171 0 > >>0 > > > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Bluetooth adapter that works with OpenBSD
On Tue, Sep 22, 2020 at 2:22 PM Tito Mari Francis Escaño wrote: > > Hi misc, > I'm building an OpenBSD desktop PC and would like to use my Royal Kludge > RK71 mechanical keyboard with it via USB Bluetooth dongle. > Can somebody please point me to USB Bluetooth dongles tested working with > OpenBSD? > Hopefully you can guide me. > Thanks so much. No Bluetooth in OpenBSD, I'm afraid. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Creating a Partition for RAID Arrays
On Thu, Sep 17, 2020 at 1:51 PM Justin Noor wrote: > > Hello Misc, > Hi! > We need to create a partition on an OpenBSD server for the sole purpose of > mounting RAID arrays. > > [LE SNIP] > How big should this partition be? As big as you need to store any actual data. If you're not storing anything on it, there's no reason to have one at all, just create the directory in your root filesystem. Is there a reason you can't just do that? -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: How to split install.wim
On Wed, Sep 2, 2020 at 4:44 PM Peter Nicolai Mathias Hansteen wrote: > > Urgh. I’s probably due to the lack of a useful dd analogue that they make > users jump through hoops like that. > > Otherwise my initial reaction before reading the article was ‘just use dd’, > but that would be totally foreign territory to most Windows admins most > likely. > Sadly, this very sensible approach didn't occur to Microshaft, either. As a consequence, the ISO isn't a hybrid one - "burning" the ISO to a USB stick doesn't work. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: How to split install.wim
On Wed, Sep 2, 2020 at 3:35 PM Predrag Punosevac wrote: > > Hi All, > > I am using my desktop > > predrag@oko$ uname -a > OpenBSD oko.int.bagdala2.net 6.7 GENERIC.MP#5 amd64 > > to create a bootable Windows 10 USB flash drive. It is a paid job > although I would not be surprised that my consent to do it, is > consistent with the early signs of dementia. I just wasted a few hours > of my life to find out that install.wim is too large to be written on > Fat32 file system as described in this article > > https://www.zdnet.com/article/windows-10-installer-files-too-big-for-usb-flash-drive-heres-the-fix/ > > I need to split it in two before I can write it to a bootable USB. Has > anybody done this on an OpenBSD machine? It seems that the library for > manipulation of Windows Imaging exists > > https://wimlib.net/ > > but I can't find anything in the ports tree. > > https://openports.pl/ > > And just for the curios you will not be able to mount Windows ISO image > using mount_udf > > This thread is right on money > > https://marc.info/?l=openbsd-misc=139271029815043=2 > > You will have to use > > 7z e Win10_2004_English_x64.iso > > command to extract the files from the iso image provided by Microsoft. > > Best, > Predrag > You would be better to use NTFS than muck around with splitting the installer file. Pretty sure it needs to be NTFS to boot anyway, at least for non-UEFI machines. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Microsoft's war on plain text email in open source
On Thu, Aug 27, 2020 at 7:27 AM Chris Bennett wrote: > > I was recently told by a youngster that I was a total idiot for working > my way through the new CSS to understand it well. I needed to go > straight over to some Framework that assumes I am stupid, which I > would be if I didn't take the time to understand what I'm really > accomplishing. > This. So many projects I've picked up from others use jQuery like it's somehow a requirement to do anything, when really it just makes bashing out crappy code faster (something something premature optimisation) - I refuse to use it partly for that reason, mostly because I fail to see the benefit in lugging around a sizeable framework when I intend to use a tiny part of it (never chop down a tree when just the branch will do - old Aussie proverb) that can easily be done in vanilla JS. Someone posted on Quora about a nasty trick they cooked up for a painful tester to essentially gaslight him (it would randomly resize elements on the web page, and this guy would claim that everything was fine on his end and then turn it off before he went over to look at it) and it was jQuery all the way - with minimal effort I ported it to vanilla JS. It's not that hard. Also, I use gmail with an old account that got overtaken by spam that I use for mailing lists as well, and it handles patches just fine. Never been an issue. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: aggr(4) not working with Intel XXV710 SFP28 on a Supermicro X11DPi-N(T)
On Wed, Aug 19, 2020 at 12:00 AM Winfred Harrelson wrote: > > On Tue, Aug 18, 2020 at 04:53:42PM +1000, Jonathan Matthew wrote: > > > > This sounds like multicast filters aren't working properly with your nic. > > trunk(4) puts trunk ports in promisc mode, so multicast filters don't > > matter, > > but aggr(4) doesn't. Could you try running 'tcpdump -ni ixl0' for a while > > and > > see if that side of the aggr starts working? > > I left the tcpdump running for a little over 5 minutes but that changed > nothing: > Did anything come up on the tcpdump while it was running? Maybe there's a clue there. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Tunefs(8)
On Tue, Aug 11, 2020 at 2:07 AM Rupert Gallagher wrote: > > Omit the last line of the manual, because there is no need for it. > Well of course there's no need for it, but why on Earth should that mean that it shouldn't be there? -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Bug? having no monitor plugged in causes a reboot in bsd.rd
On Sun, Jul 19, 2020 at 9:06 AM Alfred Morgan wrote: > > OpenBSD upgrade.lan 6.7 GENERIC.MP#182 amd64 > > If I set tty com0 then bsd.rd boots fine. If I have a monitor plugged in > bsd.rd boots fine. If I don't have a monitor and I don't direct tty to com0 > then bsd.rd reboots my machine after a few seconds. > Any tips on how I can inspect what is going on here? > > -alfred It might help if we knew a bit more about your system. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Shell account service providers
On Thu, Jul 16, 2020 at 11:53 AM Ibsen S Ripsbusker wrote: > > Are there services that sell managed OpenBSD shell accounts? > I mean a service similar to sdf.org. > What are you looking for in such a service? -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: OpenBSD master volume GUI TCL, how to contribute?
On Thu, Jul 2, 2020 at 4:50 AM wdaver wrote: > > There are posts asking for a GUI to control volume for OpenBSD. > I wanted the same and wrote an 85 line TCL (8.5) script. It calls > sndioctl, has a volume slider and mute button, sized for touch > screen convenience. I use it every day. > > I am ok with just posting here, for users to copy and paste. > > It could be a port (maybe the smallest port ever). I know there is an > introduction in the FAQ for ports and I have zero experience creating > ports. Seems like it would need a brief man page. > > The script may stop people from asking about it... > > Suggestions for the best way to contribute this tiny script to OpenBSD? > Putting it here is a good start. Maybe put it in a publicly accessible repository (maybe Gitlab? I'd suggest GitHub, but Microsoft) so you can also push any changes needed, and anyone who wants to can suggest improvements and report bugs. >From there, if you (or anyone) wants to submit a port, they've got a central place to pick up the latest version. If you wanted to do this yourself, your best bet is to look for any ports that have TCL as a prerequisite, and go from there. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: OpenBSD Readonly File System
On Mon, Jun 22, 2020 at 4:24 PM Mogens Jensen
wrote:
>
> Tuesday, June 9, 2020 7:59 AM, Vertigo Altair
> wrote:
>
> > Hi Misc,
> > I have a firewall device and I'm using OpenBSD on it.
>
> Last year I had to configure an OpenBSD 6.5 firewall for use in a
> remote location, and was concerned about power loss corrupting the
> filesystem and making the system unbootable without manual
> intervention. As I did not want to modify OpenBSD in unsupported ways,
> I decided to test what kind of damage power loss could do, by
> randomly removing and applying power to the firewall, many many times.
>
> What I found was that 99% of the time, the system would just repair the
> filesystem and boot without problems, but if by chance the power was
> removed at a short time window during kernel relinking, the kernel
> would become corrupt and leave the system completely unbootable and
> not easy to repair. It was suggested to me that I tried to mount root
> partition with the sync option, so I arranged the partition layout in a
> way that would make it feasible and added the option to fstab.
>
> Only other problem I found, was that a few times after removing power
> when writing a large file, the system would require me to run fsck -y
> manually, this is by design, but I decided it was more important to me
> that the system could boot unattended, with a minuscule risk of
> completely ruining the filesystem, so I wrote a small unsupported patch
> for the rc script (sorry if the formatting gets messed up by posting):
>
> The patch has only been tested on OpenBSD 6.5.
>
> ---
> Index: src/etc/rc
> ===
> RCS file: /cvs/src/etc/rc,v
> retrieving revision 1.536
> diff -u -p -u -p -r1.536 rc
> --- src/etc/rc 1 Apr 2019 11:39:46 - 1.536
> +++ src/etc/rc 20 Aug 2019 22:47:49 -
> @@ -1,5 +1,8 @@
> # $OpenBSD: rc,v 1.536 2019/04/01 11:39:46 tedu Exp $
>
> +# NOTE: The do_fsck() function has been patched to run 'fsck -y' if an
> +# automatic file system check fails with exit code 8.
> +
> # System startup script run by init on autoboot or after single-user.
> # Output and error are redirected to console by init, and the console is the
> # controlling terminal.
> @@ -271,8 +274,14 @@ do_fsck() {
> echo "Reboot failed; help!"
> exit 1
> ;;
> - 8) echo "Automatic file system check failed; help!"
> - exit 1
> + 8) echo "Automatic file system check failed; trying fsck -y"
> + fsck -y
> + case $? in
> + 0) ;;
> + *) echo "Could not repair file system unattended; help!"
> + exit 1
> + ;;
> + esac
> ;;
> 12) echo "Boot interrupted."
> exit 1
> ---
>
> After mounting root filesystem with sync option and applying the patch,
> I was no longer able to make the system unbootable by power loss in my
> test setup. It may be possible, but the risk is now so small that it is
> not a concern for me and the risk of something else breaking is
> probably bigger. During operation in remote location, the system has
> always been able to completely boot after a power loss so far.
>
> So while it was not possible for me to not make any unsupported
> modifications at all, I think it is a very small change compared to
> have read only filesystems. Anyone who knows OpenBSD, will be able to
> manage the firewall without special instructions.
>
>
> Regards,
> Mogens Jensen
>
Auto filesystem repair is bad juju.
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: Disabling OpenBSD Login Prompt
On Wed, Jun 10, 2020 at 5:57 PM Valdrin MUJA wrote: > > Hi Misc, > > > > I want to disable OpenBSD Login prompt at startup -and also after logging > out-. Because I want to run my external program instead of ksh. There is an > login prompt also in my program and I want to use it. > > > > I updated the /etc/ttys ; > > valdrin# cat /etc/ttys > # > # $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $ > # > # name getty typestatus comments > # > console "/usr/libexec/getty std.9600" vt220 off secure > ttyC0 "/usr/libexec/getty std.9600" vt220 on secure > ttyC1 "/usr/libexec/getty std.9600" vt220 on secure > ttyC2 "/usr/libexec/getty std.9600" vt220 on secure > ttyC3 "/usr/libexec/getty std.9600" vt220 on secure > ttyC4 "/usr/libexec/getty std.9600" vt220 off secure > ttyC5 "/usr/libexec/getty std.9600" vt220 on secure > ttyC6 "/usr/libexec/getty std.9600" vt220 off secure > ttyC7 "/usr/libexec/getty std.9600" vt220 off secure > ttyC8 "/usr/libexec/getty std.9600" vt220 off secure > ttyC9 "/usr/libexec/getty std.9600" vt220 off secure > ttyCa "/usr/libexec/getty std.9600" vt220 off secure > ttyCb "/usr/libexec/getty std.9600" vt220 off secure > tty00 "/root/myprogram" vt220on secure > tty01 "/usr/libexec/getty std.9600" unknown off > tty02 "/usr/libexec/getty std.9600" unknown off > tty03 "/usr/libexec/getty std.9600" unknown off > tty04 "/usr/libexec/getty std.9600" unknown off > tty05 "/usr/libexec/getty std.9600" unknown off > tty06 "/usr/libexec/getty std.9600" unknown off > tty07 "/usr/libexec/getty std.9600" unknown off > > > > I'm connected the device with com0 port so I updated the tty00 to run my > external program. However; system is stucking after date appears on startup. > > > > starting network > reordering libraries: done. > starting early daemons: syslogd ntpd. > starting RPC daemons:. > savecore: no core dump > checking quotas: done. > clearing /tmp > kern.securelevel: 0 -> 1 > creating runtime link editor directory cache. > preserving editor files. > starting network daemons: sshd. > starting local daemons: cron. > Wed Jun 10 10:27:04 +03 2020 > > > > > > Also, I tried "chsh" and "chpass" , but still OpenBSD login prompt appears.. > How can I overcome this issue? > > > > Thanks.. Are you able to access other terminals after boot (i.e. Ctrl+Alt+F2)? -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Article OpenBSD: Not Free Not Fuctional and Definetly Not Secure and BSD, the truth blog
On Thu, May 28, 2020 at 2:21 PM Aaron Mason wrote: > > On Thu, May 28, 2020 at 2:20 PM Quantum Robin > wrote: > > > > Hi, > > > > While surfing on the Google to learn more about OpenBSD, I encountered this > > one: "OpenBSD: Not Free Not Fuctional and Definetly Not Secure ( > > https://aboutthebsds.wordpress.com/2013/01/25/20/) > > > > Is the author telling the truth? Or just yet another anti-BSD thing? > > If it has to tell you it's "the truth" in its title, it probably isn't. > > -- > Aaron Mason - Programmer, open source addict > I've taken my software vows - for beta or for worse It's also difficult to take someone seriously when they can't spell the words they're using, like "functional" and "definitely" -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Article OpenBSD: Not Free Not Fuctional and Definetly Not Secure and BSD, the truth blog
On Thu, May 28, 2020 at 2:20 PM Quantum Robin wrote: > > Hi, > > While surfing on the Google to learn more about OpenBSD, I encountered this > one: "OpenBSD: Not Free Not Fuctional and Definetly Not Secure ( > https://aboutthebsds.wordpress.com/2013/01/25/20/) > > Is the author telling the truth? Or just yet another anti-BSD thing? If it has to tell you it's "the truth" in its title, it probably isn't. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Help, i want to ask if my Asus Vivobook Ryzen 3 , Vega 3 can run openbsd
On Mon, May 25, 2020 at 1:49 PM Digital Crow wrote: > > Help, i want to ask if my Asus Vivobook Ryzen 3 , Vega 3 can run openbsd > I have problems with freebsd i can't run xorg it has a problem with efi > framebuffer and amdgpu driver. > It seems that this laptop can boot only efi partitions there's no setting > on bios about csm or anything else related to it. > Is it possible openbsd would work ? > Also is the process the same as freebsd ? > I need to install drm-kmod and add kld_list amdgpu on rc.conf > The openbsd installer create efi boot partition ? > I think this laptop can boot only efi partitions There's only one way to find out... -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: LDAP database choice
On Thu, May 21, 2020 at 2:31 AM Aisha Tammy wrote: > > Hi all, > Is there any particular reason why ldapd has its own version of btree.c > instead of using the db.h standard btree ? > > Aisha > Probably. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: freeze on startup
On Sun, May 17, 2020 at 4:32 AM Joseph A Borg wrote: > > I can boot into bsd.rd, which I assume to be still at version 6.5 > Don't assume, find out. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: fw_update verify firmware?
On Fri, May 15, 2020 at 3:39 AM Nick Holland wrote: > > On 2020-05-14 11:08, i...@aulix.com wrote: > > I actually had Adaptec give me a firmware update with a time bomb in > it, and didn't bother to tell me that after X days, it would brick my > adapter and prevent me from updating/downdating it. If it had been > stored in RAM, I might have been able to recover it, but since it was > flashed into EEPROM and prevented the machine from booting, the card > had to be replaced...and my customer had an outage. Apropos of nothing, that saga is worth reading in full: Episode 4: A New Flaw - http://marc.info/?l=openbsd-misc=125783114503531=2 Episode 5: The Firmware Strikes Back: http://marc.info/?l=openbsd-misc=126775051500581=2 Episode 6: Return of the Vendor: http://marc.info/?l=openbsd-misc=128779369427908=2 -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Secure end points for Internet tunnel, the most secure hardware
On Tue, May 12, 2020 at 1:27 PM wrote: > > Aaron, thank you for your suggestion. > > For now I prefer to try to use the oldest suitable hardware I can find, not > sure if it is a good idea. > YMMV. Don't fall into the sunk cost fallacy. > Please someone let me know if AllWinner SoC backdoor described at: > > https://www.theregister.co.uk/2016/05/09/allwinners_allloser_custom_kernel_has_a_nasty_root_backdoor/ > > can be exploited in OpenBSD? > That is a kernel level issue, not an SOC level one. https://github.com/friendlyarm/h3_lichee/blob/master/linux-3.4/arch/arm/mach-sunxi/sunxi-debug.c Anyone who suggested this be put in OpenBSD's kernel would likely receive a visit from Theo brandishing a flamethrower fuelled by Substance N to melt their PC, house, land, self. > Is it a bad idea to run a small communication server on a AllWinner A20 board > like a Cubitruck if it works with OpenBSD (it is not on the list though). > What about other compatible boards like AllWinner A10 Orange PI One? > If it isn't on the list, it either isn't supported or hasn't been tested. If you have the hardware on hand, it never hurts to try the latest snap and send a dmesg to the the openbsd-arm mailing list so they can update their docs or get an idea of what's missing. > I just want my DNS (local) and postfix, dovecot (Internet) and SSH (local > and Internet) work on it protected from hackers. Running OpenBSD and spamd on your router and any non-internet facing services on other systems behind it, and not making silly decisions like password based root logins (or any login for that matter) and employing a default permit policy on your firewall are a good start. Anything else is service-specific. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Secure end points for Internet tunnel, the most secure hardware
On Mon, May 11, 2020 at 5:16 PM wrote: > > Hi, Hi! > > [SNIP] > > Can you offer anything better than Cortex A7 board which is immune to Spectre? > What is the most secure Cortex A7 board on which OpenBSD can run? I guess it > shall have as little BLOBs as possible - only a small Boot ROM like > Beaglebone Black which unfortunately is not Cortex A7, but rather Cortex A8. > The Pine A64 (US$15 for the 512mb version or US$21 for the 1GB plus version) and the Rock64 (US$24.95 for the 1GB version) that both use a Cortex-A53 CPU that is immune to Spectre, can't speak to the blobbiness, though. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On Fri, May 8, 2020 at 2:30 AM jeanfrancois wrote: > > As long as there's no material published it's worth just any other word. > To quote Douglas Adams on whether you can trust people on the internet, "of course not, it's just people talking". -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: More than 16 partitions
On Sat, Apr 25, 2020 at 2:41 PM Theo de Raadt wrote: > > Amelia A Lewis wrote: > > > So, and I recognize that the answer might reasonably be "go read more > > code and figure it out yourself," a question for Theo and others if you > > have a moment: why couldn't an arch expand past sixteen? It seems, both > > from the math calculating struct size (which may be mistaken, in which > > case I apologize) and in the comment for MAXMAXPARTITIONS that more > > *are* possible. > > Because there is another reason. Here are the device nodes for > two sequentially-numbered disks. > > brw-r- 1 root operator4, 0 Apr 17 11:50 sd0a > brw-r- 1 root operator4, 1 Apr 17 11:50 sd0b > brw-r- 1 root operator4, 2 Apr 17 11:50 sd0c > brw-r- 1 root operator4, 3 Apr 17 11:50 sd0d > brw-r- 1 root operator4, 4 Apr 17 11:50 sd0e > brw-r- 1 root operator4, 5 Apr 17 11:50 sd0f > brw-r- 1 root operator4, 6 Apr 17 11:50 sd0g > brw-r- 1 root operator4, 7 Apr 17 11:50 sd0h > brw-r- 1 root operator4, 8 Apr 17 11:50 sd0i > brw-r- 1 root operator4, 9 Apr 17 11:50 sd0j > brw-r- 1 root operator4, 10 Apr 17 11:50 sd0k > brw-r- 1 root operator4, 11 Apr 17 11:50 sd0l > brw-r- 1 root operator4, 12 Apr 17 11:50 sd0m > brw-r- 1 root operator4, 13 Apr 17 11:50 sd0n > brw-r- 1 root operator4, 14 Apr 17 11:50 sd0o > brw-r- 1 root operator4, 15 Apr 17 11:50 sd0p > brw-r- 1 root operator4, 16 Apr 17 11:50 sd1a > brw-r- 1 root operator4, 17 Apr 17 11:50 sd1b > brw-r- 1 root operator4, 18 Apr 17 11:50 sd1c > brw-r- 1 root operator4, 19 Apr 17 11:50 sd1d > brw-r- 1 root operator4, 20 Apr 17 11:50 sd1e > brw-r- 1 root operator4, 21 Apr 17 11:50 sd1f > brw-r- 1 root operator4, 22 Apr 17 11:50 sd1g > brw-r- 1 root operator4, 23 Apr 17 11:50 sd1h > brw-r- 1 root operator4, 24 Apr 17 11:50 sd1i > brw-r- 1 root operator4, 25 Apr 17 11:50 sd1j > brw-r- 1 root operator4, 26 Apr 17 11:50 sd1k > brw-r- 1 root operator4, 27 Apr 17 11:50 sd1l > brw-r- 1 root operator4, 28 Apr 17 11:50 sd1m > brw-r- 1 root operator4, 29 Apr 17 11:50 sd1n > brw-r- 1 root operator4, 30 Apr 17 11:50 sd1o > brw-r- 1 root operator4, 31 Apr 17 11:50 sd1p > > Look very carefully at this column ^^ > Are they allocated in the kernel in a linear fashion? If not, you could allocate additional nodes under a spare major for the extra partitions. If so, well I'm just talking out of my arse. I'd see for myself if I could find where they're allocated. I'll have more of a deep dive later. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: MIdnight Commander won't run
On Wed, Apr 22, 2020 at 11:17 AM Jay Hart wrote: > > Upgraded my router from 6.5 to 6.6. Followed the upgrade guide and installed > most, not all, of > the file sets. I did not install the games set or several of the X sets. > > I ran pkg_add -u and also used sysclean to find and remove all unneeded files. > > Afterwards, trying to run 'mc' results in: > > tangerine# mc > ld.so can't load library libpcre.so.3.0 > Killed > > libpcre.so.3.0 is in /usr/local/lib > > Not sure how to go about fixing this, google searches did not turn up > anything on this. > > Looking for a bit of help. > > Thanks, > > Jay > I find it rare that an upgrade ever goes smoothly for any OS. Have you tried running ldconfig(8)? -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: I see you guys are full of shit when it comes to one thing:
This isn't the airport, no need to announce your departure. On Wed, Apr 15, 2020 at 3:27 PM zap wrote: > > you think proprietary softwatre is secure as much as linux loves being > shit. > > > I had hoped you guys had better self respect, and had some moral > integrity within. > > And if you think i sound sad for dissing GNU, I was going to hold this > back, but your fucking attitudes are shit as are your attempts to block > software that could be useful just because you get into an argument with > people. (Palemoon) :P > > Same with wine! > > Please by all means get me off your damn list. You guys are as bad as > the linux organization. > > and while your all at it, since your unwilling to understand the truth > that proprietary software sucks, just go wank yourselves somewhere. > > I really don't care about being on this list anymore. You guys are > fucking heartless. That's a fact. > > And Theo, if I said anything nice about you, please forget I said > anything. I don't take kindly to hostile assholes who refuse to be civil. > > > Sigh... I guess trying to praise you for the good you guys do is just > not constructive. I see you guys live in a bubble of your own choosing. > > Wee proprietary software totally doesn't have any flaws or > weaknesses! GNU has the right to be shit, same with Linux! and BSD can > refuse software that could otherwise benefit their users just because it > has a license you hate! GOD damn > > > Smell you later assholes. > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Failed to install bootblocks. You will not be able to boot OpenBSD
On Sat, Apr 4, 2020 at 1:14 AM Justin Noor wrote: > > Hello OpenBSD Community, > Hi! > [SNIP] > had no data on them, other than the FreeBSD installation sets, I decided > not to clean the boot code area with 'dd if=/dev/zero of=/dev/rsd0c bs=1 > count=1'. > > That clears one byte. You may have intended this: dd if=/dev/zero of=/dev/rsd0c bs=1M count=1 -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: mapserver httpd configuration
Hi Rashad
Is mapserv.sock in /var/www/run? Also, does the web server have
access to the socket file?
I use a similar method to run RT:
# cat /etc/httpd.conf
[SNIP]
server $domain {
listen on egress tls port 443
fastcgi socket "/run/rt/rt-server.sock"
log syslog
tls {
key "/etc/ssl/private/server.key"
certificate "/etc/ssl/server.crt"
}
connection max request body 104857600
}
[SNIP]
# ls -l /var/www/run/rt/rt-server.sock
srwxrwxrwx 1 www www 0 Apr 3 08:27 /var/www/run/rt/rt-server.sock
Also, yes I know 777 is a security risk. I think RT did that, I don't
tell it to have any particular mode. chmod o-rwx didn't break RT, so
I'll see about turning those off on startup and diving into the code
to see if I can fix that at the source.
Should be able to chown it after it starts, or you can just run it as
www and put it in its own directory under /run.
On Fri, Apr 3, 2020 at 9:03 PM Rashad Kanavath
wrote:
>
> Hello all,
>
> Does anybody had tried to mapserver using httpd.
>
> I had latest mapserver 7.3 installed but cannot configure as it gives 500
> internal server error
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/geo/mapserver/pkg/README-main?rev=1.4=text/x-cvsweb-markup
>
> The above readme show information on ngix and supervisor.
> I tried to copy the ngix config into my httpd.conf and got that 500
> internel server error.
> See my httpd.conf below:
>
> server "mydomain.com" {
> listen on * port 80
> root "/htdocs/ mydomain.com"
> location "*.php*" {
> fastcgi socket "/run/php-fpm.sock"
> }
> location "/cgi-bin/mapserv" {
> fastcgi socket "/run/mapserv.sock"
> fastcgi param SCRIPT_FILENAME "/cgi-bin/mapserv"
> }
> }
>
> I had php script working correctly and /var/www/cgi-bin/mapserv -v is
> working correctly
>
> MapServer version 7.2.2 OUTPUT=PNG OUTPUT=JPEG OUTPUT=KML SUPPORTS=PROJ
> SUPPORTS=AGG SUPPORTS=FREETYPE SUPPORTS=CAIRO SUPPORTS=ICONV
> SUPPORTS=FRIBIDI SUPPORTS=WMS_SERVER SUPPORTS=WMS_CLIENT
> SUPPORTS=WFS_SERVER SUPPORTS=WFS_CLIENT SUPPORTS=WCS_SERVER
> SUPPORTS=SOS_SERVER SUPPORTS=FASTCGI SUPPORTS=GEOS SUPPORTS=PBF INPUT=JPEG
> INPUT=POSTGIS INPUT=OGR INPUT=GDAL INPUT=SHAPEFILE
>
>
> In the Readme on cvs give details on chroot, but I don't know it usage for
> using OpenBSD httpd
>
> thanks for your help.
> --
> Regards,
>Rashad
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: Openbsd 6.6 amd64 stable bridge with 90 vlans does not forward packets after reboot
Hi Tom Just looking at /etc/netstart (admittedly for 6.1) and by all rights that shouldn't be happening - the VLAN interfaces should be starting well before the bridges. Maybe add !sleep 1 to the top of the /etc/hostname.bridge101 file and see if it does better? On Fri, Mar 20, 2020 at 12:22 PM Tom Smyth wrote: > > Hello, > > I have a box that I use to aggregate a number of vlans which are > isolated from each other(using port protection groups and bridged > onto a 10G interface ix0 > these are configured using a standard hostname.bridgefile as follows, > cat /etc/hostname.bridge101 > maxaddr 16384 timeout 300 > up > add ix0 -stp ix0 > add vlan604 protected vlan604 1 -stp vlan604 > add vlan4069 protected vlan4069 1 -stp vlan4069 > . > . > . > add vlan3982 protected vlan43982 1 -stp vlan3982 > > when I reboot the box ... the system does not seem to forward frames ) > > but if I run > sh /etc/netstart bridge101 > > then the bridge forwards the packets just fine. > > interface configs are as follows > cat /etc/hostname.ix0 > mtu 1700 up > > cat /etc/hostname.ix1 > mtu 1708 up > > cat /etc/hostname.vlan3982 > parent ix1 vnetid 3982 mtu 1700 up > > > ifconfig bridge101 yields similar results after reboot as opposed to > ifconfig bridge101 after restarting the interface > > the only differences I saw was the index > > after reboot the index of bridge101 was 6 > > but after restarting the bridge101 the index of bridge101 was 98 > (which sounds to me like perhaps the bridge was being started before > the vlans on bootup) > > > has anyone come across this issue before? > Thanks > > > > > -- > Kindest regards, > Tom Smyth. > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Hosting a CDN question
In that case, relayd would be the most likely port of call. On Wed, Mar 18, 2020 at 10:06 AM Flipchan wrote: > > Yeah the point with a cdn is to lower the latency of it so therefor you what > is needed is just not only a fast http server but a traffic redirector > depending on the end users origin > > On March 17, 2020 3:44:27 AM GMT+01:00, Aaron Mason > wrote: >> >> You can easily "write" one in Go with 9 lines of code. And since Go >> builds static binaries, you can chroot it for security. >> >> I just did a quick test between httpd and a web server written in Go >> and on a simple text file with 20,000 requests from 10 threads I saw a >> 2.3x improvement on a pair of tests. >> >> On Mon, Mar 16, 2020 at 9:28 PM Flipchan wrote: >>> >>> >>> Hey all, >>> >>> My company needs to put up a cdn for fast hosting of javascript, images >>> and css for websites, and then i would need something faster then httpd. >>> >>> >>> Does anyone here run a cdn for static website content? >>> >>> If so what software did u use to set it up ? >>> >>> have a good one >>> Sincerely >>> Filip >> >> >> > > -- > Sent from my Android device with K-9 Mail. Please excuse my brevity. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Hosting a CDN question
It's worth noting that httpd didn't go over ~30% in the test, whereas the Go web server absolutely slammed the system. On Tue, Mar 17, 2020 at 1:44 PM Aaron Mason wrote: > > You can easily "write" one in Go with 9 lines of code. And since Go > builds static binaries, you can chroot it for security. > > I just did a quick test between httpd and a web server written in Go > and on a simple text file with 20,000 requests from 10 threads I saw a > 2.3x improvement on a pair of tests. > > On Mon, Mar 16, 2020 at 9:28 PM Flipchan wrote: > > > > Hey all, > > > > My company needs to put up a cdn for fast hosting of javascript, images and > > css for websites, and then i would need something faster then httpd. > > > > > > Does anyone here run a cdn for static website content? > > > > If so what software did u use to set it up ? > > > > have a good one > > Sincerely > > Filip > > > > -- > Aaron Mason - Programmer, open source addict > I've taken my software vows - for beta or for worse -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Hosting a CDN question
You can easily "write" one in Go with 9 lines of code. And since Go builds static binaries, you can chroot it for security. I just did a quick test between httpd and a web server written in Go and on a simple text file with 20,000 requests from 10 threads I saw a 2.3x improvement on a pair of tests. On Mon, Mar 16, 2020 at 9:28 PM Flipchan wrote: > > Hey all, > > My company needs to put up a cdn for fast hosting of javascript, images and > css for websites, and then i would need something faster then httpd. > > > Does anyone here run a cdn for static website content? > > If so what software did u use to set it up ? > > have a good one > Sincerely > Filip -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: experience setting up a low memory machine
On Wed, Mar 11, 2020 at 6:47 PM Jordan Geoghegan wrote: > > > > On 2020-03-11 00:13, Stuart Longland wrote: > > On 15/2/20 6:43 pm, Dumitru Moldovan wrote: > >> [SNIP] > > [SNIP] > > > > Sometimes it's better to realise when something has past its prime. > > A year or two ago I had OpenBSD working on my iBook with 64MB of RAM, > even got FVWM working on it. For fun and testing purposes, I ran some > small OpenBSD virtual machines with 64MB RAM as well. A few years back I > got OpenBSD to boot with 32MB, but it wasn't particularly usable. I've > found 128MB to be usable for basic terminal work, but you're definitely > correct about 256MB being the bare minimum for anything fancy or GUI > related. > > At work I run OpenBSD 6.1 in a VM for Request Tracker. It has 512MB RAM and it seems that may very well be overkill. At previous jobs I can ManageEngine ServiceDesk Plus and even in Linux you needed 2GB minimum just for it to get out of bed. I plan on rebuilding it with 6.6 (can't update RT because packages are too old in 6.1) and might run it on 256MB for shits and giggles. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Dell Latitude e6400 OpenBSD Drive Issue
On Tue, Feb 11, 2020 at 3:04 AM Adam Thompson wrote: > > [SNIP] > > The older the Latitude, the harder it is to open, but even an E6400 is > pretty easy, even if you've never opened up a laptop before. Yes. The E6400 and E6410 were favourites of mine, with a single spring-mounted screw and a slide clip holding the bottom in place. The E6420 with its eleventy billion screws on the base (none held in place with anything) was a major step backwards, but still easier than many business-grade laptops I'd seen. > > Good luck, > -Adam > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: [drm] *ERROR* [CRTC:41:pipe ] flip_done timed out
Hi Kris On Thu, Feb 6, 2020 at 5:22 AM krishh61 wrote: > > HI, > > I can give mine: > > > cut -- > OpenBSD 6.6 (GENERIC.MP) #4: Wed Jan 15 08:56:09 MST 2020 > > r...@syspatch-66-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP > real mem = 3210944512 (3062MB) > avail mem = 3136659456 (2991MB) > [SNIP] > root on sd0a (d3d7274cd817feba.a) swap on sd0b dump on sd0b > [drm] *ERROR* CPU pipe B FIFO underrun > [drm] *ERROR* [CRTC:34:pipe ] flip_done timed out > vblank wait timed out on crtc 0 > [drm] *ERROR* [CRTC:34:pipe ] flip_done timed out > [drm] *ERROR* [CONNECTOR:54:SVIDEO-] flip_done timed out > inteldrm0: 1024x768, 32bpp > wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation), using wskbd0 > wsdisplay0: screen 1-5 added (std, vt100 emulation) > [drm] *ERROR* [CRTC:41:pipe ] flip_done timed out > vblank wait timed out on crtc 1 > [drm] *ERROR* [CRTC:41:pipe ] flip_done timed out > [drm] *ERROR* [CONNECTOR:54:SVIDEO-] flip_done timed out > > --- cut --- > > ThinkPad R61i > > regards > > Kris > > > > -- > Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-misc-f3.html > Thanks, that's very helpful. For shits and giggles, say we disable inteldrm: boot> boot -c [...] UKC> disable inteldrm UKC> quit Can you give this a try and report back please. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: [drm] *ERROR* [CRTC:41:pipe ] flip_done timed out
Hi Jacek On Tue, Feb 4, 2020 at 4:42 AM Jacek Kowalczyk wrote: > > Hi, > > I am running Openbsd 6.6 at ThinkPad R61i with graphic card Intel GMA X3100. > I am getting errors like in the subject: > [drm] *ERROR* [CRTC:41:pipe ] flip_done timed out > [drm] *ERROR* [CONNECTOR:51:SVIDEO- ] flip_done timed out > And my laptop is booting quite long time, around 5 minutes. > What I need to set or install and where to solve it? > > > BR > Jacek Kowalczyk > http://jacekkowakczyk82.github.ii > > > -- Wysłane za pomocą K-9 Mail. > Can you reply with a full dmesg please. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: How to hide my server's IP?
Why would ifconfig be in your chroot? On Mon, Feb 3, 2020 at 8:28 AM Arthur Wayside wrote: > > Hello. > > Say I run a websapp inside a chroot and someone manages to hack it and gain > shell access. Can I then somehow hide my server's IP from the likes of > ifconfig? > > Thanks! > > Artur. > > Sent with [ProtonMail](https://protonmail.com) Secure Email. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Brand new server - bad adventures
After reviewing your dmesg and googling the model of your CPU, might I suggest/recommend turning off hyperthreading if you can. Bad security juju. On Thu, Jan 23, 2020 at 6:29 PM Andreas Kusalananda Kähäri wrote: > > On Wed, Jan 22, 2020 at 11:30:51PM +0300, Özgür Kazancci wrote: > > Hello everyone! Greetings to misc people! > > > > Got a brand new dedicated server with a hardware: Intel Xeon-E 2274G - 64GB > > DDR4 ECC 2666MHz - 2x SSD NVMe 960GB > > and installed "brand new" OpenBSD 6.6 on it. (I'm managing it remotely via > > KVM/IPMI) > > > > After the first boot, dmesg is outputting sequentally between few seconds > > delays: > > "wsdisplay0 at inteldrm0 mux 1 > > init: can't open /dev/console: Device not configured" and the system doesn't > > boot at all. > > Is it possible that it does actually boot but that you just don't see the > messages. Did you try pinging the machine or accessing it through SSH? > > > > > > Please refer to the screenshot attached: https://ibb.co/sQbt7F7 > > > > And after few hours of forums/IRC-logs readings, I tried to try the > > suggestion of lots of similar-people: "disable inteldrm" > > > > To do that, during the boot I typed "boot -c", then got a brand new error > > (IPMI/KVM freezes, no more keyboard input): > > "kbc: cmd word write error" (with a weird cursor) > > Please refer to the screenshot attached: https://ibb.co/QchqhtY > > > > Anyways, wanted to skip that -for now-, rebooted the server again, and > > booted into bsd.rd, mounted the / and /usr on the harddisk, chrooted into > > there and did; > > "config -ef /bsd", then "disable inteldrm" and "quit" to save the changes. > > Finally rebooted. > > > > The system booted up fine! Got the login prompt shell, logged in, well, with > > -an another- brand new error :) > > > > "reorder_kernel: failed - see /usr/...GENERIC.MP/relink.log" > > This sometimes indicates that the previous boot got to the kernel > re-linking stage but that it got interrupted there. I see this on VMs > if I forcefully reboot them as soon as the login prompt appears. > > > > > > I guess that was because I modified the kernel, anyway, wanted to skip that > > too -for now-. Did what I always do the first: syspatch > > > > installed the patches, rebooted the system, aand...Tada! "inteldrm0 is back, > > b1tch3z!" :) > > > > Dmesg has again: "init: can't open /dev/console: Device not configured" and > > delays there. No boot, again. > > > > My questions are: > > > > How can I get the rid of the error "init: can't open /dev/console: Device > > not configured" to be able to boot into the system? > > > > if that was the only way (disabling inteldrm), would I repeat it each time I > > issue syspatch? > > > > And each time syspatch (re)installs the kernel, should I get the error > > "reorder_kernel: failed", because I modified (disabled inteldrm) kernel? > > > > Any words on "kbc: cmd word write error" when I tried the 'boot -c'? > > > > I thank you for your time in reading all these, > > And many thanks for your suggestions, in advance! > > > > Best, > > Özgür Kazancci > > -- > Andreas (Kusalananda) Kähäri > SciLifeLab, NBIS, ICM > Uppsala University, Sweden > > . > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: install libreoffice OpenBSD 6.6
Hi What command did you use to install libreoffice and what is your PKG_PATH? On Thu, Jan 23, 2020 at 1:59 PM Jovany Leandro G.C wrote: > > > hello community, > > i recently install OpenBSD 6.6 and works great. > > now i try install libreoffice and throws: > > > quirks-3.182 signed on 2020-01-22T10:10:52Z > Can't install rasqal-0.9.33p2 because of libraries > |library gmp.10.0 not found > | not found anywhere > Direct dependencies for rasqal-0.9.33p2 resolve to libgcrypt-1.8.5 > raptor-2.0.15p2 pcre-8.41p2 e2fsprogs-1.42.12p5 mpfr-3.1.5.2p1 > Full dependency tree is libxslt-1.1.33 e2fsprogs-1.42.12p5 libyajl-2.1.0 > curl-7.66.0 libgpg-error-1.36p0 pcre-8.41p2 xz-5.2.4 libiconv-1.16p0 > raptor-2.0.15p2 libgcrypt-1.8.5 libxml-2.9.9 gettext-runtime-0.20.1p0 > mpfr-3.1.5.2p1 nghttp2-1.39.2 > Can't install redland-1.0.17p6: can't resolve rasqal-0.9.33p2 > Can't install libreoffice-6.3.2.2v0: can't resolve redland-1.0.17p6 > Couldn't install libreoffice-6.3.2.2v0 rasqal-0.9.33p2 redland-1.0.17p6 > > > what can i do? > > thanks any help > > > -- > Jovany Leandro G.C > Desarrollador Software Libre > Cel: (57) 3165387562 > Git: https://gitlab.com/bit4bit > Fossil: https://efossils.somxslibres.net > E-Sitio: https://www.somxslibres.net > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: What is you motivational to use OpenBSD
On Thu, Aug 29, 2019 at 12:40 AM Mohamed salah wrote: > > I wanna put something in discussion, what's your motivational to use > OPENBSD what not other bsd's what not gnu/Linux, if something doesn't work > fine on openbsd and you love this os so much what will do? For most of my purposes, it Just Works(TM). The firewall rules are user readable and easy to understand, most of the out of the box software with configs follows the same easy-to-read scheme, and it doesn't load anything out of the box that I don't need, it leaves that decision to me and never insults my intelligence. And those man pages... When I changed jobs and needed a service desk suite, I opted for Request Tracker and rolled up a Hyper-V VM running OpenBSD 6.1. Even though no doco exists for this, I was able to make my way well enough that I started to document my process as best I could on the httpd GitHub repo wiki. As a case study, at previous jobs I ran ManageEngine ServiceDesk Plus on Windows Server, and the whole required 2GB of RAM minimum. My pokey little RT server has 512MB of RAM and it's all it has ever needed. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Iked dead-peer-detection and DynDNS
On Thu, Jan 9, 2020 at 9:09 AM List wrote: > > Hi, > I am using Iked to tunnel to my home router from an openbsd machine. > Everything works fine that far. Problems occur when my router reboots at > night and gets a new IP assigned. (DSL) > Afer receiving the new IP the tunnel is not rebuilt. Because the active > part doesn't recognize that the IP has changed. > How do you guys handle that ? Is there a builtin mechanism? > I've got the impression that once iked startup it reads the hostname of the > destination server > (FQDN && DynDNS) and saves that permanently and doesn't recheck untils > it is manually killed and restarted. > > And is second part of the problem. Is there a way to do > Dead-peer-detection as part of ikeds builtin mechanism? > > How do you guys handle all of that ? > > Enlighten me ! > > > I'd greatly appreciate any help ! > > Best regards, > Stephan > Maybe try using ifstated(8) to ping a host on your home network and restart iked to re-establish the tunnel when the tunnel falls over. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Leaving OpenBSD (with patch)
On Thu, Jan 9, 2020 at 3:54 AM Roderick wrote: > > > Theo, please, give him the travel blessing, before departure. > > Rod. > > > On Wed, 8 Jan 2020, cho...@jtan.com wrote: > > > Some people have needs that OpenBSD doesn't meet. Of course the > > logical thing to do is to adapt it to meet them or to use something > > which does but to some -- in line with the general complexication > > that's progressing nowadays -- this simple solution is not enough > > and the need to announce one's inadequacy to the world in passive > > aggressive tones arises. > > > > Indeed this happens so commonly that it has become something on the > > order of a FAQ, and in order not to have to eat my own words from > > the other day I've spent actual time in the other text editor doing > > some actual hacking (I know, right?!?) and include this diff for > > the developers' consideration. > > > > I have taken the liberty of assuming you want to be at least > > moderately polite as you tell people to kindly fuck off. My apologies > > if that's an oversight; I can re-do it if you wish. > > > > Matthew > > > > > > cvs diff: Diffing . > > Index: faq1.html > > === > > RCS file: /home/flask/src/openbsd/cvsync/www/faq/faq1.html,v > > retrieving revision 1.238 > > diff -u -p -r1.238 faq1.html > > --- faq1.html 2 Oct 2019 15:40:06 - 1.238 > > +++ faq1.html 8 Jan 2020 16:12:30 - > > [SNIP] > > > > > I'd probably add a note to say something along the lines of "this isn't the airport, no need to announce your departure". Though the Venn diagram of "people who loudly leave an open source project's mailing list because said project didn't do 'X'" and "people who don't RTFM" is probably a circle... -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Riello IPG 800 USB Driver and NUT
On Wed, Jan 8, 2020 at 10:52 AM Marcos Madeira | Secure Networks
wrote:
>
> Hello again,
>
> I have a tried a few other things, but without much success.
>
> In regards to using to using ucycom0 or uhidev0 or ucom0 as the virtual
> devices, I was not able to do this, because of how NUT needs a device to
> connect to. None of those devices have a file like /dev/ucycom0 .
>
> In regards to using a serial driver, NUT mentions that the supported
> driver is riello_usb. I did try riello_ser, but it makes the system drop
> to ddb after service start. The nut driver port in this case is
> /dev/cuaU0. I actually reached a somewhat interesting state, where at
> every boot the system drops to ddb, because the upsd service is enabled.
> I am not sure if this is expected behavior as far as OpenBSD goes. I can
> gather more data, but need to get different hardware, because (I assume)
> that the problem is in the USB stack resulting in the keyboard not being
> available to even do 'show panic'. Should this error be pursued or is it
> expected? It can be replicated by using cu -l /dev/cuaU0. The error is
> as follows:
>
> (0, 0, 1) -> e
>
> kernel: page faut trap, code=0
>
> Stopped at usbd_is_dying+0xb: cmpb $0,0x8(%ecx)
>
> ddb{0}>
>
>
> Finally, when using the riello_usb driver, I get much different upsc
> output on Ubuntu as compared to OpenBSD. For example, the ups.status
> does not even change when unplugging the UPS. I will be checking this
> separately as it could be just a problem with the versions of the nut
> port. The following is the relevant output:
>
> $ upsc ups@127.0.0.1
>
> [SNIP]
>
> Thank you for your consideration,
>
> Marcos Madeira
> Secure Networks Lda
> Tel.: 911 881 590
> mmade...@securenetworks.pt
> https://www.securenetworks.pt
>
> On 03/01/20 11:58, Marcos Madeira | Secure Networks wrote:
> >
> > Hello misc,
> >
> > I am looking to use several Riello UPSs of model IPG 800 DE with
> > OpenBSD through the nut port. These UPSs also go by the name iPlug.
> > This is a compact UPS with only a single USB-B connector for
> > connectivity as is usual with low-end UPSs. However, I am facing an
> > obstacle due to how OpenBSD is discovering the UPS via the USB interface.
> >
>
> > Thank you for your consideration,
> >
> > --
> > Marcos Madeira
>
Just a thought... IIRC on laptops you can access battery info in
sysctl(8) - charge level, charge remaining, whether it has AC input,
etc. Could you do the same here?
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: dmesg for Riverbed Steelhead 250/550
On Fri, Nov 22, 2019 at 6:57 PM Mik J wrote: > > Hello, > > > The primary and AUX NICs work, the LAN0/0 and WAN0/0 ports do not, > > likely because there's some GPIO magic required to switch back the > > relays. > > It's strange because when the OS is switched off, the relays are closed (act > as a wire). I would have thought at least, you could plug cables on these > interfaces and a ping would go through. > You would think that, but it seems the Riverbed OS flicks those relays on boot, and there are configuration commands to flick them back manually. There's clearly some magic going on but there doesn't seem to be any GPIO available, at least not in OpenBSD. > Which benefits do you find in recycling these hardwares ? What is your usage ? > I heard they make good pfSense firewalls, no reason we couldn't do PF natively :) They're cheap, low profile, rack mountable devices with ECC memory, gigabit NICs and (at least for the 550 at the time of manufacture) somewhat enterprise-grade CPUs. Most "appliance" style systems one finds tend to run mobile CPUs or the old Core 2s - or worse, first gen Atoms. There's no beating that level of bang for buck. > Regards > > > > Le mardi 19 novembre 2019 à 03:45:11 UTC+1, Aaron Mason > a écrit : > > > Here's a quick rundown on how I got it installed - you will need an > existing OpenBSD installation. > > 1. Download the FS install image. > 2. Mount it in your existing OpenBSD system and edit etc/boot.conf to > set the tty to com0. > 3. Write the resulting image to a USB stick. > 4. Plug in your USB stick, then plug in the power. > 5. When it says to press any key, do so. When the GRUB menu appears, hit 'c'. > 6. Set the root device (which will likely be hd2): root (hd2) > 7. Fire up the chainloader: chainloader +1 > 8. Boot: boot > 9. ??? > 10. Profit! > > On Tue, Nov 19, 2019 at 1:31 PM Aaron Mason wrote: > > > > All > > > > Fired up OpenBSD 6.6 on a Riverbed Steelhead 250 and a 550, purchased > > from fleabay for about $30 ea (plus shipping) - the 250 runs a single > > core Celeron M @ 1.66GHz and 1GB DDR2, the 550 runs a low power > > dual-core Xeon at the same speed and 2GB DDR2 - both x86 only. Both > > have a 2GB USB DOM and a separate laptop HDD (120GB for the 250 and > > 320GB for the 550) likely for caching (these being WAN accelerators). > > > > The primary and AUX NICs work, the LAN0/0 and WAN0/0 ports do not, > > likely because there's some GPIO magic required to switch back the > > relays. The Xeon-powered 550 definitely seems to have a bit more > > oompf than the 250's hamster whee-- err, Celeron M CPU. > > > > The output for dmesg for each is attached. > > > > -- > > Aaron Mason - Programmer, open source addict > > I've taken my software vows - for beta or for worse > > > > > -- > Aaron Mason - Programmer, open source addict > I've taken my software vows - for beta or for worse > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: dmesg for Riverbed Steelhead 250/550
Here's a quick rundown on how I got it installed - you will need an existing OpenBSD installation. 1. Download the FS install image. 2. Mount it in your existing OpenBSD system and edit etc/boot.conf to set the tty to com0. 3. Write the resulting image to a USB stick. 4. Plug in your USB stick, then plug in the power. 5. When it says to press any key, do so. When the GRUB menu appears, hit 'c'. 6. Set the root device (which will likely be hd2): root (hd2) 7. Fire up the chainloader: chainloader +1 8. Boot: boot 9. ??? 10. Profit! On Tue, Nov 19, 2019 at 1:31 PM Aaron Mason wrote: > > All > > Fired up OpenBSD 6.6 on a Riverbed Steelhead 250 and a 550, purchased > from fleabay for about $30 ea (plus shipping) - the 250 runs a single > core Celeron M @ 1.66GHz and 1GB DDR2, the 550 runs a low power > dual-core Xeon at the same speed and 2GB DDR2 - both x86 only. Both > have a 2GB USB DOM and a separate laptop HDD (120GB for the 250 and > 320GB for the 550) likely for caching (these being WAN accelerators). > > The primary and AUX NICs work, the LAN0/0 and WAN0/0 ports do not, > likely because there's some GPIO magic required to switch back the > relays. The Xeon-powered 550 definitely seems to have a bit more > oompf than the 250's hamster whee-- err, Celeron M CPU. > > The output for dmesg for each is attached. > > -- > Aaron Mason - Programmer, open source addict > I've taken my software vows - for beta or for worse -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
dmesg for Riverbed Steelhead 250/550
All
Fired up OpenBSD 6.6 on a Riverbed Steelhead 250 and a 550, purchased
from fleabay for about $30 ea (plus shipping) - the 250 runs a single
core Celeron M @ 1.66GHz and 1GB DDR2, the 550 runs a low power
dual-core Xeon at the same speed and 2GB DDR2 - both x86 only. Both
have a 2GB USB DOM and a separate laptop HDD (120GB for the 250 and
320GB for the 550) likely for caching (these being WAN accelerators).
The primary and AUX NICs work, the LAN0/0 and WAN0/0 ports do not,
likely because there's some GPIO magic required to switch back the
relays. The Xeon-powered 550 definitely seems to have a bit more
oompf than the 250's hamster whee-- err, Celeron M CPU.
The output for dmesg for each is attached.
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
OpenBSD 6.6 (GENERIC) #298: Sat Oct 12 11:06:10 MDT 2019
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
real mem = 1073037312 (1023MB)
avail mem = 1037803520 (989MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 10/22/13, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @
0x9f800 (40 entries)
bios0: vendor American Megatrends Inc. version "MINOW035" date 10/22/2013
bios0: Riverbed Technology, Inc. DTABA
acpi0 at bios0: ACPI 3.0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET
acpi0: wakeup devices P0P1(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) M CPU @ 1.66GHz ("GenuineIntel" 686-class) 1.67 GHz,
06-0e-0c
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,PBE,SSE3,MWAIT,TM2,xTPR,PDCM,NXE,PERF,SENSOR,MELTDOWN
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 166MHz
cpu0: mwait min=64, max=64, C-substates=0.2, IBE
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins, remapped
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 7 (EPA0)
acpiprt2 at acpi0: bus 6 (EPA1)
acpiprt3 at acpi0: bus 5 (P0P4)
acpiprt4 at acpi0: bus 4 (P0P5)
acpiprt5 at acpi0: bus 3 (P0P6)
acpicpu0 at acpi0: C1(@1 halt!)
acpitz0 at acpi0: critical temperature is 99 degC
acpipwrres0 at acpi0: GFAN, resource for SBRG, FN00
"PNP0A08" at acpi0 not configured
acpicmos0 at acpi0
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
"PNP0C0B" at acpi0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 3100 Host" rev 0x00
"Intel 3100 Error Reporting" rev 0x00 at pci0 dev 0 function 1 not configured
vendor "Intel", unknown product 0x35b5 (class system subclass miscellaneous,
rev 0x00) at pci0 dev 1 function 0 not configured
ppb0 at pci0 dev 2 function 0 "Intel 3100 EDMA" rev 0x00
pci1 at ppb0 bus 7
ppb1 at pci0 dev 3 function 0 "Intel 3100 PCIE" rev 0x00
pci2 at ppb1 bus 6
em0 at pci2 dev 0 function 0 "Intel 82571EB" rev 0x06: apic 1 int 16, address
00:0e:b6:95:dc:0e
em1 at pci2 dev 0 function 1 "Intel 82571EB" rev 0x06: apic 1 int 17, address
00:0e:b6:95:dc:0f
ppb2 at pci0 dev 28 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 5
em2 at pci3 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address
00:0e:b6:3e:23:08
ppb3 at pci0 dev 28 function 1 "Intel 6321ESB PCIE" rev 0x01
pci4 at ppb3 bus 4
em3 at pci4 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address
00:0e:b6:3e:23:09
ppb4 at pci0 dev 28 function 2 "Intel 6321ESB PCIE" rev 0x01: apic 1 int 18
pci5 at ppb4 bus 3
ppb5 at pci0 dev 28 function 3 "Intel 6321ESB PCIE" rev 0x01
pci6 at ppb5 bus 2
uhci0 at pci0 dev 29 function 0 "Intel 6321ESB USB" rev 0x01: apic 1 int 23
uhci1 at pci0 dev 29 function 1 "Intel 6321ESB USB" rev 0x01: apic 1 int 19
ehci0 at pci0 dev 29 function 7 "Intel 6321ESB USB" rev 0x01: apic 1 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00
addr 1
ppb6 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc9
pci7 at ppb6 bus 1
ichpcib0 at pci0 dev 31 function 0 "Intel 6321ESB LPC" rev 0x01: PM disabled
ahci0 at pci0 dev 31 function 2 "Intel 6321ESB AHCI" rev 0x01: apic 1 int 19,
AHCI 1.1
ahci0: port 0: 1.5Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: naa.50e0448be8ca
sd0: 114473MB, 512 bytes/sector, 234441648 sectors
ichiic0 at pci0 dev 31 function 3 "Intel 6321ESB SMBus" rev 0x01: apic 1 int 19
iic0 at ichiic0
ichiic0: abort failed, status 0x41
iic0: addr 0x24 a1=ff a2=ff a3=ff a4=ff a5=ff a6=ff a7=ff e1=02 e3=02 words
00=01aa 01=01aa 02=01aa 03=01aa 04
Re: Encrypting my keydisk
On Fri, Oct 25, 2019 at 12:20 PM Normen Wohner wrote: > > > > > Am 24.10.2019 um 03:27 schrieb Aaron Mason : > > > > On Wed, Oct 23, 2019 at 7:45 PM Normen Wohner wrote: > >> > >> To enable two factor encryption? > >> One passcode is in his head the other on a key. > >> If either is missing the data on drive is unreadable. > >> I don’t know what is hard to understand about it. > >> In an ideal world you’d use the manual passcode > >> to decrypt the keydisk and then the keydisk > >> to decrypt the fs. > >> You should also not be able to tell > >> whether the keydisk was in fact encrypted, > >> the bootloader should try and on failure ask > >> for a passcode, not expect there to be some > >> 'RSA-2048' written at the end. > >> It’s hard for me to understand why nobody asked for this sooner. > >> > > > > You could just use a passphrase on the original disk to the same > > effect. No sense over-complicating things. > > No, you could not, that way whoever has the keydisk has access to the files > on disk, otherwise you still need a password. Not sure what is unclear about > this. Maybe you think this is about login? It is actually about obfuscating > the login process and enabling 2FA. > Maybe you think live files are still encrypted when the OS runs but no user > is logged in. That is sadly not the case. Or maybe I think the password is asked for on boot. No access to files until that passphrase is entered, regardless of whether someone is logged in or not. If you wanted the files hidden prior to login, write two scripts - one to mount the encrypted volume, the other to unmount - allow them to be run without password in doas.conf(5), then run them from ~/.profile, using trap (see https://www.cyberciti.biz/faq/linux-unix-run-commands-when-you-log-out/ for more details) to run the unmount script on logoff. > > > Regarding your second question, whatever part or level of the "bootloader" > normally checks for keydisk already has access to the full range of supported > en- and decryption mechanisms as it uses the key to do just that to the disk. > This would simply add a second decrypt trial. > > That doesn't answer the question of how it's going to access an encrypted key without the key to decrypt it. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Encrypting my keydisk
On Thu, Oct 24, 2019 at 10:44 AM List wrote: > > One would obviously NOT store the key on harddisk. That wouldn't make > any sense and is not necessary. > > This could be similarly achieved as the normal FDE with passphrase. But > instead of the actual harddisk as target, the target of the "yet to > implement" encryption of the keydisk would be the key on the keydisk > itself. > So how would the system access the key if it's encrypted? > g > > On 2019-10-22 23:40, Aaron Mason wrote: > > On Wed, Oct 23, 2019 at 5:11 AM List wrote: > >> I'm sorry I might have not been so clear about it. I meant a way to > >> encrypt the actual keydisk with a passphrase. > >> > >> On 2019-10-18 13:34, Jan Stary wrote: > >>>>> On Wednesday, October 16, 2019 11:06 PM, List > >>>>> wrote: > >>>>>> I was wondering if there is a reason for the lack of keydisk > >>>>>> encryption. > >>> $ man bioctl > >>> # bioctl -h -v -c C ... > >>> > > To what end? At some point you're going to have to store the > > passphrase somewhere it can be easily read, and all you've really > > achieved is a way to, at best, slow down a potential attacker. > > > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Fwd: Encrypting my keydisk
On Wed, Oct 23, 2019 at 7:45 PM Normen Wohner wrote: > > To enable two factor encryption? > One passcode is in his head the other on a key. > If either is missing the data on drive is unreadable. > I don’t know what is hard to understand about it. > In an ideal world you’d use the manual passcode > to decrypt the keydisk and then the keydisk > to decrypt the fs. > You should also not be able to tell > whether the keydisk was in fact encrypted, > the bootloader should try and on failure ask > for a passcode, not expect there to be some > 'RSA-2048' written at the end. > It’s hard for me to understand why nobody asked for this sooner. > You could just use a passphrase on the original disk to the same effect. No sense over-complicating things. > > Am 22.10.2019 um 23:43 schrieb Aaron Mason : > > > > On Wed, Oct 23, 2019 at 5:11 AM List wrote: > >> > >> I'm sorry I might have not been so clear about it. I meant a way to > >> encrypt the actual keydisk with a passphrase. > >> > >> On 2019-10-18 13:34, Jan Stary wrote: > >>>>>> On Wednesday, October 16, 2019 11:06 PM, List > >>>>>> wrote: > >>>>>>> I was wondering if there is a reason for the lack of keydisk > >>>>>>> encryption. > >>> $ man bioctl > >>> # bioctl -h -v -c C ... > >>> > >> > > > > To what end? At some point you're going to have to store the > > passphrase somewhere it can be easily read, and all you've really > > achieved is a way to, at best, slow down a potential attacker. > > > > -- > > Aaron Mason - Programmer, open source addict > > I've taken my software vows - for beta or for worse > > > (NOTE: Just realised I sent this directly to Normen rather than the list. Sorry for the noise, Normen.) -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: On blindly running code
On Fri, Oct 18, 2019 at 11:23 PM wrote: > > Frank Beuth writes: > > On Fri, Oct 18, 2019 at 11:54:18AM +0100, cho...@jtan.com wrote: > > >Virtualisation is not a panacea. I have managed to achieve data loss > > >through destructi > > ve actions taken within a "safe" virtualised sandbox. > > > > How did you manage that feat? > > Basically assuming "safe" then taking actions to subvert that, namely > mounting an SMB share within the VM. rm(1) does not discriminate. My own > fault obviously but it's notable that the "virtual environment == safe" > assumption was shattered so effectively, so easily, and by actions which in > most circumstances would be benign. > Been there, done that, got the t-shirt. Only in my case it was a mounted VFAT volume in my home directory. Oops. Praise the programmer for undelete. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Encrypting my keydisk
On Wed, Oct 23, 2019 at 5:11 AM List wrote: > > I'm sorry I might have not been so clear about it. I meant a way to > encrypt the actual keydisk with a passphrase. > > On 2019-10-18 13:34, Jan Stary wrote: > >>> On Wednesday, October 16, 2019 11:06 PM, List > >>> wrote: > >>>> I was wondering if there is a reason for the lack of keydisk encryption. > > $ man bioctl > > # bioctl -h -v -c C ... > > > To what end? At some point you're going to have to store the passphrase somewhere it can be easily read, and all you've really achieved is a way to, at best, slow down a potential attacker. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Companies using openbsd
Not our own product, but we run Request Tracker on OpenBSD - after using ManageEngine ServiceDesk Plus on Windaz, requiring 2GB RAM minimum. Our RT server has 512mb RAM and it's all it has ever needed. On Mon, Oct 21, 2019 at 8:10 AM List wrote: > > Hi, > > are there companies known to you who use openbsd for their products ? > > For building let's say their own OS based upon OpenBSD ? > > Thanks for your time. > > Regards, > > Stephan > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Strong Host Model in OpenBSD network stack
Bastian
Did you perform this same test in FreeBSD/NetBSD? What were your results?
Seems to me that the results you got in test 2 are entirely consistent
with normal behaviour - you are routing packets to the 10.0.0.0/24
network via 192.168.100.1, so it will return a ping from 10.0.0.97 -
the other interface on VM1 - as the packet was passed from em0 to em1,
from which the reply was initiated.
Of course, I could be wrong. if you haven't already done so, try the
same tests in (Free|Net)BSD with net.inet.ip.check_interface set to 1
and see what you get.
On Fri, Oct 18, 2019 at 6:53 AM Bastian Kanbach wrote:
>
> Hello,
>
> recently I was performing some checks that relate to the "Strong Host
> Model" and "Weak Host Model", and I noticed that OpenBSD was behaving
> different than I expected. I always assumed that the network stack of
> OpenBSD was following the "Strong Host Model", but I might be wrong with
> that:
>
> Basically the Strong Host Model means that the network stack "accepts
> locally destined packets if the destination IP address in the packet
> matches an IP address assigned to the network interface on which the
> packet was received."
>
> FreeBSD and NetBSD have a sysctl property for this, called
> "net.inet.ip.check_interface", which defaults to 0 (Weak Host Model).
> However for OpenBSD I haven't seen such a property at all.
>
>
> Basically my setup consisted of the following virtual machines and
> network interfaces (IP-Forwarding disabled):
>
>
> VM 1 (OpenBSD 6.5):
>
> em0: 192.168.100.1/24 ("Internal Network")
>
> em1: 10.0.0.97/24 ("NAT")
>
>
> VM 2 (Ubuntu Server 18.10):
>
> ens33: 192.168.100.2/24 ("Internal Network")
>
>
>
>
>
> As expected, ens33 of VM2 can communicate with em0 of VM1, since both
> interfaces are associated with the same Virtualbox network, and both IP
> addresses are part of the same /24 subnet.
>
> ens33 of VM2 can't directly communicate with em1 of VM1, since the IP
> addresses are part of different subnets and no routes were configured.
>
>
> Then I performed 2 tests:
>
>
> Test 1:
>
> Perform an arping from ens33/VM2 (192.168.100.2) to 10.0.0.97 (VM1). The
> packet was NOT answered by VM1.
>
>
> Test 2:
>
> Set the following route on VM2: ip r add 10.0.0.0/24 via 192.168.100.1.
> Then send an ICMP echo request to 10.0.0.97 (VM1), originating from
> 192.168.100.2 (VM2). VM1 replied with an ICMP echo reply (with a source
> MAC address of interface em0).
>
>
> While the behaviour of Test 1 indicates that the Strong Host Model is
> followed, Test 2 shows the behaviour of a "Weak Host Model".
>
>
> What of both is actually supposed to be the default for OpenBSD? Is
> there any kernel parameter to control these behaviours, like
> net.inet.ip.check_interface for FreeBSD or NetBSD?
>
>
> Thanks,
>
> Bastian
>
>
>
>
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: Softraid data recovery
On Tue, Oct 15, 2019 at 7:34 AM Steven Surdock wrote: > > I have a simple RAID1 configuration on wd0, wd1. I was in the process of > performing a rebuild on wd1, as it failed during some heavy reads. During > the rebuild wd0 went into a failure state. After some troubleshooting I > decided to reboot and now my RAID disk, sd1, is unavailable. Disks wd0 and > wd1 don't show any errors, but I have a replacement disk. I have backups for > the critical data and I'd like to try and recover as much recent data as > possible. My thought was to create a disk image of the "/home/public" data > and mount it using vnconfig, but I seem to be having issues with the > appropriate 'dd' command to do that. > > How can I recover as much data as possible off the failed RAID array. > If I recreate the array, "bioctl -c 1 -l /dev/wd0d,/dev/wd1d softraid0", will > the existing data be preserved? > > root@host# disklabel wd0 > # /dev/rwd0c: > type: ESDI > disk: ESDI/IDE disk > label: WDC WD4001FAEX-0 > duid: acce36f25df51c8c > flags: > bytes/sector: 512 > sectors/track: 63 > tracks/cylinder: 255 > sectors/cylinder: 16065 > cylinders: 486401 > total sectors: 7814037168 > boundstart: 64 > boundend: 4294961685 > drivedata: 0 > > 16 partitions: > #size offset fstype [fsize bsize cpg] > c: 78140371680 unused > d: 7814037104 64RAID > > root@host# more /var/backups/disklabel.sd1.backup > # /dev/rsd1c: > type: SCSI > disk: SCSI disk > label: SR RAID 1 > duid: 8ec2330eabf7cd26 > flags: > bytes/sector: 512 > sectors/track: 63 > tracks/cylinder: 255 > sectors/cylinder: 16065 > cylinders: 486401 > total sectors: 7814036576 > boundstart: 64 > boundend: 7814036576 > drivedata: 0 > > 16 partitions: > #size offset fstype [fsize bsize cpg] > a: 2147488704 64 4.2BSD 8192 65536 1 # > /home/public/ > c: 78140365760 unused > d: 5666547712 2147488768 4.2BSD 8192 65536 1 # > /home/Backups/ > I think at this point you're far better off restoring from backup. You do have a backup, right? As for the disks, ddrescue would be a better option than dd - it'll keep trying if it encounters another URE whereas dd will up and quit. Expect it to take several days on disks that big - it's designed to be gentle to dying disks. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: A sad raid/fsck story
Thanks for the cautionary tale. Will definitely keep this in mind for any RAID arrays I manage. On Fri, Oct 4, 2019 at 2:04 AM sven falempin wrote: > > Dear readers, > > I was running a OpenBSD (6.4) device, with a raid mirror array. > One of the disk failed, so the system ask me to fsck, > which I did before checking the raid status manually ( :'( ) , > THEN I rebooted and softraid told me: one of the hard drive is dead. > > But fsck already destroyed a few file on the mirror. > > Probably a user error, nevertheless, In openbsd 'simply work' mindset, > maybe the /etc/rc could warn or even perform some bioctl check on raid > array when first fsck / mount > fails. > > Cheers. > > ( Lost data recovered from backup ) -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Alix 2d13 and OpenBSD 6.5 Problems
Hi Sean
Maybe plug in a spare USB drive and format it for swap? Swap on CF is
rarely a good idea, especially if you swap often.
On Thu, Oct 3, 2019 at 2:01 PM Sean Kamath wrote:
>
> Just wanted to say a thank you for everyone’s comments. I’ve combined all my
> replies into one mostly to sum everything up.
>
> > On Oct 2, 2019, at 02:16, Stefan Sperling wrote:
> > Try adding swap space.
> > I have added 2GB of swap space on my alix and it has been running fine ever
> > since.
>
> My “disk” is 2GB. I don’t even have any X sets loaded as they won’t fit.
>
> > On Oct 2, 2019, at 09:03, Olivier Cherrier wrote:
> > On mine (only 32 MB of swap), I had to disable kernel relinking.
> > Otherwise, the system more or less collapses at boot time.
>
>
> Yeah, I believe I only have 32MB of swap (I chose the default disk layout oh
> so long ago).
>
>
> > On Oct 2, 2019, at 08:34, Joe Barnett wrote:
> > I cannot comment on the upgrade process, but I have had zero fatal issues
> > running 6.5 on my alix2d13 boards. That said, memory has been getting
> > tighter with more recent OpenBSD versions, and swap (as someone else
> > suggested) should help. I love these reliable boards, but they are
> > starting to show their age (at least relative to how I use them with
> > OpenBSD).
>
> Yeah, so I’m wondering if I want to get a larger CompactFlash card and
> reinstall, try and be clever and go off the reservation, or just pack in the
> 9 of these things I have and get an APU.
>
> > On Oct 2, 2019, at 09:15, Stuart Henderson wrote:
> > After boot, the kernel is relinked in a random order in the background
> > ("/usr/libexec/reorder_kernel &" in /etc/rc).
>
> Yes, I’m familiar with why it’s done. I was mostly wondering if I broke
> something because I’ve not had this problem since I got these things (I don’t
> even know how long ago), and 6.5 just killed it.
>
> > Unfortunately the Alix doesn't have much RAM and if you have pretty
> > much anything other than a minimal set of daemons running it won't
> > cope well.
>
> I’m running nsd and unbound. I can turn off smtpd. . . What I would be nice
> to do is delay starting daemons until relinking is done. Regardless, I think
> I have my answer about why it’s falling over.
>
> > You can disable the reordering by removing /var/db/kernel.SHA256
> > but be aware that syspatch relies on the reorder_kernel mechanism in
> > order to apply kernel patches.
>
> Good to know. I’m going to do everything I can to avoid turning off
> relinking, because I want to go on the big boy rides! :-)
>
> Sean
>
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: Recommended web and database server specification
Hi Tito Can you tell us more about the database? How often will its data be changed, added to, etc? How much data do you have? How complex are your DB queries? These answers will help determine the RAM and processor requirements for the database. As for the web server daemon itself, I think Reyk Floeter would be the best placed to answer that question - also paging Nick Holland for more hardware expertise. On Thu, Aug 15, 2019 at 12:57 PM Tito Mari Francis Escano wrote: > > Hi to everyone at misc, > > I'm recently working on an OpenBSD-based PHP7 web application with > PostgreSQL-backend for a local government agency and was wondering what > would you recommend as the acceptable server specification. This web > application won't reach the Google or Facebook level of visits per day, > but I was hoping to prepare this be deployed and run for quite a long > time and ready for about 60,000 visits per day at most. > > Your advise and recommendation would be greatly appreciated. Thanks so much. > > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Boot NVME device on sparc64
Could you boot from another bootable device and use boot.conf(8) to tell it to boot the kernel on the SSD? Bit of a round-about way of doing it but it could work if boot(8) can see the SSD. If the CD boot loader can see the SSD, you could burn it to a CD-R along with your boot.conf and use it to boot - just make sure you put it back if you use the drive to install software. Just spitballing here, I don't have a sparc64 device readily available for testing. On Fri, Jul 26, 2019 at 8:31 AM John Gould wrote: > > Hi there, Does anyone have a way of booting a pcie nvme device on sparc64. > I can install OBSD on the device but of course there is no way OBP can see > it > as a boot device. I can also use it for storage under OpenBSD which works > fine. > > But! Is there any way to boot OpenBSD 6.5 installed on this drive on > sparc64. > > I'm using a Sun t5120. > > Kind regards John. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: SCM
On Mon, Jul 29, 2019 at 3:25 AM Nathan Hartman wrote: (snip) > * Hg does not mean Au. I see what you did there :) > 9. Apache license. Not BSD but much closer than any GPL revision. Yeah, hard pass. The Apache license is full of encumbering legalese. They stopped including Apache in base (after supporting a 1.x tree for years) for this very reason. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: wsmouse: disable touch-panel
Found an approach that might be worth considering: https://marc.info/?l=openbsd-misc=155751021025538=2 On Tue, Jun 11, 2019 at 1:07 PM Aaron Mason wrote: > > I had a similar issue with a Surface Pro 3 with a faulty touch screen > running Windaz, the solution was to disable the USB input device for > the touch screen. > > On OpenBSD, you could try using "boot -c" at boot to remove > wsmouse[123] device from the kernel (see > https://man.openbsd.org/config for details). If that works, it's a > matter of working out how to get the kernel relink to carry that > change into the relinked kernel. Someone on list worked it out, can't > remember how long ago though. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: wsmouse: disable touch-panel
I had a similar issue with a Surface Pro 3 with a faulty touch screen running Windaz, the solution was to disable the USB input device for the touch screen. On OpenBSD, you could try using "boot -c" at boot to remove wsmouse[123] device from the kernel (see https://man.openbsd.org/config for details). If that works, it's a matter of working out how to get the kernel relink to carry that change into the relinked kernel. Someone on list worked it out, can't remember how long ago though.
Re: hw.ncpu=1, hw.ncpuonline=1, hw.ncpufound=4
Looks to me like you're not running bsd.mp. A dmesg would clear this up. On Mon, Apr 8, 2019 at 2:19 AM Otto Moerbeek wrote: > > On Sun, Apr 07, 2019 at 01:54:35PM +, Ipsen S Ripsbusker wrote: > > > My hw.ncpu and hw.ncpuonline are less than my hw.ncpufound. > > I tried setting hw.smt, but that alone was apparently not enough. > > What should I do if I want to use all 4 CPUs? > > > > Also, now that I have realized this, I have a theory about a related > > issue, and I would like to know how I can debug it. I am using softraid > > CRYPTO, and I have found that accessing the disk with one process will > > interrupt the other processes accessing the disk. Now I wonder this > > happens because the sole core must switch encryption/decription > > processes for the different files. How could I determine whether this is > > indeed happening? > > > > More hardware information follows. It is a ThinkPad T530 with > > two SSDs and two corresponding softraid CRYPTO disks. > > This type of question *requires* a dmesg. > > -Otto > > > > > $ sysctl hw > > hw.machine=amd64 > > hw.model=Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz > > hw.ncpu=1 > > hw.byteorder=1234 > > hw.pagesize=4096 > > hw.disknames=sd0:c4ae9aa6707fe6a0,sd1:10319ae393cc594d,sd2:72b7961f3a883f2a,sd3:9067e68ce463822c > > hw.diskcount=4 > > hw.sensors.cpu0.temp0=44.00 degC > > hw.sensors.acpitz0.temp0=47.00 degC (zone temperature) > > hw.sensors.acpibtn0.indicator0=On (lid open) > > hw.sensors.acpibat0.volt0=11.10 VDC (voltage) > > hw.sensors.acpibat0.volt1=12.11 VDC (current voltage) > > hw.sensors.acpibat0.power0=0.00 W (rate) > > hw.sensors.acpibat0.watthour0=28.20 Wh (last full capacity) > > hw.sensors.acpibat0.watthour1=1.41 Wh (warning capacity) > > hw.sensors.acpibat0.watthour2=0.20 Wh (low capacity) > > hw.sensors.acpibat0.watthour3=28.20 Wh (remaining capacity), OK > > hw.sensors.acpibat0.watthour4=73.26 Wh (design capacity) > > hw.sensors.acpibat0.raw0=0 (battery full), OK > > hw.sensors.acpiac0.indicator0=On (power supply) > > hw.sensors.acpithinkpad0.temp0=47.00 degC > > hw.sensors.acpithinkpad0.temp1=47.00 degC > > hw.sensors.acpithinkpad0.temp2=47.00 degC > > hw.sensors.acpithinkpad0.temp3=47.00 degC > > hw.sensors.acpithinkpad0.temp4=47.00 degC > > hw.sensors.acpithinkpad0.temp5=47.00 degC > > hw.sensors.acpithinkpad0.temp6=47.00 degC > > hw.sensors.acpithinkpad0.temp7=47.00 degC > > hw.sensors.acpithinkpad0.fan0=2121 RPM > > hw.sensors.acpithinkpad0.indicator0=Off (port replicator), UNKNOWN > > hw.sensors.softraid0.drive0=online (sd3), OK > > hw.cpuspeed=2901 > > hw.setperf=100 > > hw.vendor=LENOVO > > hw.product=2392ASU > > hw.version=ThinkPad T530 > > hw.serialno=PK2X772 > > hw.uuid=81c1c6e7-7653-cb11-b4d1-97bd37f8963e > > hw.physmem=16845565952 > > hw.usermem=16811044864 > > hw.ncpufound=4 > > hw.allowpowerdown=1 > > hw.perfpolicy=auto > > hw.smt=1 > > hw.ncpuonline=1 > > > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: RS-232 serial to ethernet
On Tue, Apr 9, 2019 at 2:34 AM Tom Smyth wrote: > > Hello LÉVAI Dániel, > If I understand you correctly you want a serial server > > you could use something like a PCengines apuc2. running OpenBSD > that would work ok, as a serial console box thjat would liekly set you > back about 150 euro ... which is good value considering what you get > Heck, even the outmoded ALIX1 will do this job. And it has more than one port, plus PCI expansion to add more serial ports. Some vendors sell cases with a PCI slot, but it's mini ITX so you could even put it in a standard PC case if you have one laying around. US$59.50 + shipping for a board and I/O bracket (unless you're in the EU and can't order directly) and you're laughing. SSH for a serial server, plus there's still plenty of capacity in its 500MHz Geode for other things - I use mine for booting remote installers and DBAN, and it barely breaks a sweat. > or if security is not a big deal for you mikrotik does have a pretty flexible > suite of options for a serial -->TCPIP (serial server)/ virtual serial ports) > and you can get a solution for sub 100 euro ... for that soemthing > like an rb450G or RB411 would do... > > Hope this helps > > On Mon, 8 Apr 2019 at 17:16, Joseph Mayer wrote: > > > > Daniel, > > > > Ethernet to serial is normally done using ppp [1]. > > > > Why add unneeded hardware. > > > > Do you have RJ45 or RS232 on the OpenBSD machine already? > > > > Joseph > > > > [1] http://man.openbsd.org/ppp > > > > ‐‐‐ Original Message ‐‐‐ > > On Tuesday, April 9, 2019 12:04 AM, LÉVAI Dániel wrote: > > > > > Hi misc@! > > > > > > I was wondering if I could use some budget solution to access my OpenBSD > > > machine via its serial console over the network, and I stumbled upon > > > this piece of hardware: [1] [2] [3] (the same device "USR-TCP232-302", > > > I'm just not sure which one will be up at the time someone looks at > > > them) > > > > > > It basically should be able convert the serial port to TCP/IP > > > networking. Is this something anyone else has used before -- or if you > > > know something similar, I'm really interested! > > > > > > Thanks, > > > Dani > > > > > > [1] - > > > https://www.aliexpress.com/item/Q18041-USR-TCP232-302-Tiny-Size-Serial-RS232-to-Ethernet-TCP-IP-Server-Module-Ethernet-Converter/32683105763.html > > > [2] - > > > https://www.aliexpress.com/item/USR-TCP232-302-Tiny-Size-Serial-RS232-to-Ethernet-TCP-IP-Server-Module-Ethernet-Converter-Support/32899179930.html > > > [3] - > > > https://www.aliexpress.com/item/Q18041-USR-TCP232-302-Tiny-Size-Serial-RS232-to-Ethernet-TCP-IP-Server-Module-Ethernet-Converter/32685599659.html > > > > > > --- > > > > > > LÉVAI Dániel > > > PGP key ID = 0x83B63A8F > > > Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F > > > > > > > -- > Kindest regards, > Tom Smyth > > The information contained in this E-mail is intended only for the > confidential use of the named recipient. If the reader of this message > is not the intended recipient or the person responsible for > delivering it to the recipient, you are hereby notified that you have > received this communication in error and that any review, > dissemination or copying of this communication is strictly prohibited. > If you have received this in error, please notify the sender > immediately by telephone at the number above and erase the message > You are requested to carry out your own virus check before > opening any attachment. > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: ~OT, ARM64 becoming more useful: RK3399 laptop w M2 slot & A64 phone coming
I like the look of the Rock64 Pro - quad core A53 + dual core A72, gigabit NIC, PCIe slot that can be used with a SATA card in the Rock64Pro NAS enclosure. Seems OpenBSD supports the Rock64Pro, it's not clear if the NIC is supported (as some rumblings on the OpenBSD subreddit suggest). That said, someone posted a NetBSD dmesg[1] that shows the NIC appearing (two PHYs appear for some reason) though I'll keep my unlimitless credit card tucked away until I know for sure. That said, the thought that you could have a low power NAS with the capability of encrypted softraid is a nice one... [1] http://www.netbsd.org/~jmcneill/rockpro64.txt On Wed, Mar 13, 2019 at 7:17 PM Tinker wrote: > > This is bordering on off-topic to this list, but, the ARM64 architecture > is becoming more useful: > > An RK3399 laptop with > * magnesium chassi, > * M.2 PCIe NVMe SSD slot (four-lane PCIe v3) and > * 4K@60hz displayport output, > * full HD IPS display, > for 200 USD is coming to market. > > Keyboard layout may be UK/ISO. > > Its hardest functionality limit then should be the CPU/SoC's 4GB RAM > cap. > > https://liliputing.com/2019/01/pinebook-pro-linux-laptop-coming-this-year-for-199-and-up.html > > https://www.omgubuntu.co.uk/2019/01/pinebook-pro-linux-laptop-coming-soon > > https://www.forbes.com/sites/jasonevangelho/2019/01/30/the-new-pinebook-pro-will-challenge-google-chromebooks-for-199/ > > And they're making an Allwinner A64 smartphone. > > Both these SoC:s are supported by OpenBSD. > > Some day these devices will break through their 4GB RAM cap, and some > day they'll become faster. > > And some day RISCV will take the steps ARM64 is taking now. > > This is great heterogenicity progress. > > Tinker > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: _XSERVTransSocketUNIXAccept: accept() failed
What were you trying to do when you got these messages? On Thu, Feb 14, 2019 at 1:27 PM Joe M wrote: > > Hello, > > I see these messages in /var/log/Xorg.0.log > > joe:10424$ tail Xorg.0.log > [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed > [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed > [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed > [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed > [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed > [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed > [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed > [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed > [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed > [2616181.045] _XSERVTransSocketUNIXAccept: accept() failed > > > joe:10425$ tail /var/log/xenodm.log > _XSERVTransSocketUNIXAccept: accept() failed > _XSERVTransSocketUNIXAccept: accept() failed > _XSERVTransSocketUNIXAccept: accept() failed > _XSERVTransSocketUNIXAccept: accept() failed > _XSERVTransSocketUNIXAccept: accept() failed > _XSERVTransSocketUNIXAccept: accept() failed > _XSERVTransSocketUNIXAccept: accept() failed > _XSERVTransSocketUNIXAccept: accept() failed > _XSERVTransSocketUNIXAccept: accept() failed > _XSERVTransSocketUNIXAccept: accept() failed > > > Any suggestions on how to figure out why this is happening. > > Thanks > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: SSH disconnects right after accepting
Can you share your sshd_config file, and ~user/.ssh/rc and ~user/.ssh/config files (if they exist) please. On Fri, Feb 8, 2019 at 12:07 PM Lars Bonnesen wrote: > > No, clear text login also does not work. Only when I log on through the > console, not say. > > Regards, Lars. > > On Fri, Feb 8, 2019, 02:03 Aaron Mason > >> Hi >> >> Does it work fine if you log in with the user's password? >> >> On Fri, Feb 8, 2019 at 11:25 AM Lars Bonnesen >> wrote: >> > >> > OpenBSD 6.4 >> > >> > Putty just reports "Authenticating with public key "XXX" from agent" and >> > then I am disconnected. If I run sshd with -ddd, I get the following >> > output. I can't seem to get any error, and therefor I can't tell what is >> > wrong. Anyone has any idea? Thanks >> > >> > >> > debug2: load_server_config: filename /etc/ssh/sshd_config >> > debug2: load_server_config: done config len = 204 >> > debug2: parse_server_config: config /etc/ssh/sshd_config len 204 >> > debug3: /etc/ssh/sshd_config:25 setting LogLevel DEBUG >> > debug3: /etc/ssh/sshd_config:30 setting PermitRootLogin no >> > debug3: /etc/ssh/sshd_config:39 setting AuthorizedKeysFile >> > .ssh/authorized_keys >> > debug3: /etc/ssh/sshd_config:86 setting Subsystem sftp >> > /usr/libexec/sftp-server >> > debug1: sshd version OpenSSH_7.9, LibreSSL 2.8.2 >> > debug1: private host key #0: ssh-rsa SHA256:XXX >> > debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:XXX >> > debug1: private host key #2: ssh-ed25519 SHA256:XXX >> > debug1: rexec_argv[0]='/usr/sbin/sshd' >> > debug1: rexec_argv[1]='-ddd' >> > debug2: fd 3 setting O_NONBLOCK >> > debug1: Bind to port 22 on 0.0.0.0. >> > Server listening on 0.0.0.0 port 22. >> > debug2: fd 4 setting O_NONBLOCK >> > debug1: Bind to port 22 on ::. >> > Server listening on :: port 22. >> > debug1: fd 5 clearing O_NONBLOCK >> > debug1: Server will not fork when running in debugging mode. >> > debug3: send_rexec_state: entering fd = 8 config len 204 >> > debug3: ssh_msg_send: type 0 >> > debug3: send_rexec_state: done >> > debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 >> > debug1: inetd sockets after dupping: 3, 3 >> > Connection from 172.17.4.3 port 63721 on 172.17.1.2 port 22 rdomain "0" >> > debug1: Client protocol version 2.0; client software version >> > PuTTY_Release_0.70 >> > debug1: no match: PuTTY_Release_0.70 >> > debug1: Local version string SSH-2.0-OpenSSH_7.9 >> > debug2: fd 3 setting O_NONBLOCK >> > debug3: ssh_sandbox_init: preparing pledge sandbox >> > debug2: Network child is on pid 89382 >> > debug3: preauth child monitor started >> > debug3: privsep user:group 27:27 [preauth] >> > debug1: permanently_set_uid: 27/27 [preauth] >> > debug1: list_hostkey_types: >> > rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] >> > debug3: send packet: type 20 [preauth] >> > debug1: SSH2_MSG_KEXINIT sent [preauth] >> > debug3: receive packet: type 20 [preauth] >> > debug1: SSH2_MSG_KEXINIT received [preauth] >> > debug2: local server KEXINIT proposal [preauth] >> > debug2: KEX algorithms: >> > curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 >> > [preauth] >> > debug2: host key algorithms: >> > rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] >> > debug2: ciphers ctos: chacha20-poly1...@openssh.com >> > ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com, >> > aes256-...@openssh.com [preauth] >> > debug2: ciphers stoc: chacha20-poly1...@openssh.com >> > ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com, >> > aes256-...@openssh.com [preauth] >> > debug2: MACs ctos: umac-64-...@openssh.com,umac-128-...@openssh.com, >> > hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com, >> > hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 >> > [preauth] >> > debug2: MACs stoc: umac-64-...@openssh.com,umac-128-...@openssh.com, >> > hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com, >> > hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hma
Re: SSH disconnects right after accepting
se_uid: 1000/1000 (e=0/0) > debug1: trying public key file /home/user/.ssh/authorized_keys > debug1: fd 4 clearing O_NONBLOCK > debug1: /home/user/.ssh/authorized_keys:5: matching key found: RSA > SHA256:XXX > debug1: /home/user/.ssh/authorized_keys:5: key options: agent-forwarding > port-forwarding pty user-rc x11-forwarding > Accepted key RSA SHA256:XXX found at /home/user/.ssh/authorized_keys:5 > debug1: restore_uid: 0/0 > debug3: mm_answer_keyallowed: publickey authentication test: RSA key is > allowed > debug3: mm_request_send entering: type 23 > debug3: send packet: type 60 [preauth] > debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth] > debug3: user_specific_delay: user specific delay 0.000ms [preauth] > debug3: ensure_minimum_time_since: elapsed 84.236ms, delaying 6.470ms > (requested 5.669ms) [preauth] > Postponed publickey for user from 172.17.4.3 port 63721 ssh2 [preauth] > debug3: receive packet: type 50 [preauth] > debug1: userauth-request for user user service ssh-connection method > publickey [preauth] > debug1: attempt 2 failures 0 [preauth] > debug2: input_userauth_request: try method publickey [preauth] > debug3: userauth_pubkey: have ssh-rsa signature for RSA SHA256:XXX [preauth] > debug3: mm_key_allowed entering [preauth] > debug3: mm_request_send entering: type 22 [preauth] > debug3: mm_request_receive entering > debug3: monitor_read: checking request 22 > debug3: mm_answer_keyallowed entering > debug3: mm_answer_keyallowed: key_from_blob: 0x5c404dc0 > debug1: temporarily_use_uid: 1000/1000 (e=0/0) > debug1: trying public key file /home/user/.ssh/authorized_keys > debug1: fd 4 clearing O_NONBLOCK > debug1: /home/user/.ssh/authorized_keys:5: matching key found: RSA > SHA256:XXX > debug1: /home/user/.ssh/authorized_keys:5: key options: agent-forwarding > port-forwarding pty user-rc x11-forwarding > Accepted key RSA SHA256:XXX found at /home/user/.ssh/authorized_keys:5 > debug1: restore_uid: 0/0 > debug3: mm_answer_keyallowed: publickey authentication: RSA key is allowed > debug3: mm_request_send entering: type 23 > debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth] > debug3: mm_request_receive_expect entering: type 23 [preauth] > debug3: mm_request_receive entering [preauth] > debug3: mm_sshkey_verify entering [preauth] > debug3: mm_request_send entering: type 24 [preauth] > debug3: mm_request_receive entering > debug3: monitor_read: checking request 24 > debug3: mm_answer_keyverify: publickey 0x5f9500c0 signature verified > debug1: auth_activate_options: setting new authentication options > debug3: mm_request_send entering: type 25 > Accepted publickey for user from 172.17.4.3 port 63721 ssh2: RSA SHA256:XXX > debug1: monitor_child_preauth: user has been authenticated by privileged > process > debug3: mm_get_keystate: Waiting for new keys > debug3: mm_request_receive_expect entering: type 26 > debug3: mm_request_receive entering > debug3: mm_get_keystate: GOT new keys > debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth] > debug3: mm_request_receive_expect entering: type 25 [preauth] > debug3: mm_request_receive entering [preauth] > debug1: auth_activate_options: setting new authentication options [preauth] > debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa [preauth] > debug3: user_specific_delay: user specific delay 0.000ms [preauth] > debug3: ensure_minimum_time_since: elapsed 68.769ms, delaying 21.937ms > (requested 5.669ms) [preauth] > debug3: send packet: type 52 [preauth] > debug3: mm_request_send entering: type 26 [preauth] > debug3: mm_send_keystate: Finished sending state [preauth] > debug1: monitor_read_log: child log fd closed > debug3: ssh_sandbox_parent_finish: finished > User child is on pid 24651 > debug3: monitor_apply_keystate: packet_set_state > debug2: set_newkeys: mode 0 > debug1: rekey after 4294967296 blocks > debug2: set_newkeys: mode 1 > debug1: rekey after 4294967296 blocks > debug1: ssh_packet_set_postauth: called > debug3: ssh_packet_set_state: done > debug3: notify_hostkeys: key 0: ssh-rsa SHA256:XXX > debug3: notify_hostkeys: key 1: ecdsa-sha2-nistp256 SHA256:XXX > debug3: notify_hostkeys: key 2: ssh-ed25519 SHA256:XXX > debug3: notify_hostkeys: sent 3 hostkeys > debug3: send packet: type 80 > debug1: active: key options: agent-forwarding port-forwarding pty user-rc > x11-forwarding > debug3: sending debug message: /home/user/.ssh/authorized_keys:5: key > options: agent-forwarding port-forwarding pty user-rc x11-forwarding > debug3: send packet: type 4 > debug3: sending debug message: /home/user/.ssh/authorized_keys:5: key > options: agent-forwarding port-forwarding pty user-rc x11-forwarding > debug3: send packet: type 4 > debug1: Entering interactive session for SSH2. > debug2: fd 6 setting O_NONBLOCK > debug2: fd 7 setting O_NONBLOCK > debug1: server_init_dispatch > debug3: receive packet: type 90 > debug1: server_input_channel_open: ctype session rchan 256 win 16384 max > 16384 > debug1: input_session_request > debug1: channel 0: new [server-session] > debug2: session_new: allocate (allocated 0 max 10) > debug3: session_unused: session id 0 unused > debug3: mm_request_receive entering > debug1: do_cleanup -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: i386 release build machines
There's an image in the bottom left of the OpenBSD website that shows the server rack where all releases and ports are built. It was taken in 2009, so it's probably changed a bit since then, but you'll get a good idea of what is used. I've toyed with the idea of using an old, heat-belching computer to build snapshots over and over again, and use a fan to push out the resulting heat. Not sure how it would go with heating a room, but it would certainly use less energy than a standard space heater, albeit probably a bit noisier. If it weren't for the fact that it sounds like a 747 on take off, that's what I'd do with my SunFire V210. Also, you might want to check your SPF records - GMail is complaining about not being able to verify its authenticity. On Fri, Jan 25, 2019 at 6:45 AM Luis Coronado wrote: > > What machines (brand/model/specs) do you guys > use to create the releases/snapshots for i386? I am curious to find out if > possible as I would think that the bigger boxes out there even though could > have more than 4G of RAM the extra would go unused. > > I recently got a few old 32 bit servers and thought about building my own > snapshots just because is cool to do that. Not that matters exactly what > the project uses but I am sure you guys expect to have a build ready in a > reasonable time. > > Thanks > > -luis -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Blocking "shodan.io" - What are my options?
I knew it wouldn't trigger on the first attempt, but I had a sneaking suspicion that you'd need something to listen on that port. Is there a way to achieve what we seek, in that case, without userland tools? On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson wrote: > > On 2019-01-09, Aaron Mason wrote: > > Hi Jordan > > > > I've set it up to try it, but I'm not having much luck. Even when I > > trigger more than one, it still doesn't populate the bad_hosts table, > > even again when I extend the rate period to 86400 seconds. I've added > > logging so I know the rule is triggering. See below. > > max-src-conn-rate is only triggered when a TCP connection is > established, you need to have something listening (and it will only > trigger on the *second* connection). > > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Blocking "shodan.io" - What are my options?
Hi Jordan
I've set it up to try it, but I'm not having much luck. Even when I
trigger more than one, it still doesn't populate the bad_hosts table,
even again when I extend the rate period to 86400 seconds. I've added
logging so I know the rule is triggering. See below.
git# tcpdump -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
08:50:41.100611 111-222-33-45.dyn.isp.net.au.49643 >
git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192 (DF)
08:50:41.630593 111-222-33-45.dyn.isp.net.au.49643 >
git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192 (DF)
08:50:42.155612 111-222-33-45.dyn.isp.net.au.49643 >
git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192 (DF)
08:50:43.496590 111-222-33-45.dyn.isp.net.au.49649 >
git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192 (DF)
08:50:44.038541 111-222-33-45.dyn.isp.net.au.49649 >
git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192 (DF)
08:50:44.571563 111-222-33-45.dyn.isp.net.au.49649 >
git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192 (DF)
08:50:46.879666 111-222-33-45.dyn.isp.net.au.49660 >
git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192 (DF)
08:50:47.408720 111-222-33-45.dyn.isp.net.au.49660 >
git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192 (DF)
08:50:47.938650 111-222-33-45.dyn.isp.net.au.49660 >
git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192 (DF)
^C
9 packets received by filter
0 packets dropped by kernel
git# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
ext_if=vio0
ext_ip=111.222.33.44
set skip on lo
block return# block stateless traffic
pass# establish keep-state
block quick from
pass in log on $ext_if proto tcp to $ext_ip port telnet keep state
(max-src-conn-rate 1/86400, overload flush global)
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
git#
On Wed, Jan 9, 2019 at 1:30 PM Jordan Geoghegan wrote:
>
>
>
> On 01/08/19 18:08, tomr wrote:
> >
> > On 1/9/19 12:42 PM, Jordan Geoghegan wrote:
> >> Yikes. Everything you are (erroneously) trying to do here can be done
> >> without leaving your pf.conf.
> >>
> >> Remember, KISS.
> >>
> > Is there a way to add an address to a table from within a rule, or
> > something to that effect? I can't see such an option. A la...
> >
> > block in quick on $ext_if to any port ! { $allowed_ports } add-to
> >
> >
> > (Otherwise I don't see how the whole show could be completed without
> > logging, monitoring the log, then running pfctl, ie with leaving your
> > pf.conf)
>
> Without wasting too much time on this, the "overload" example from the
> pf.conf man page could be pretty easily adapted to meet the specified needs:
>
> pass in on egress proto tcp to egress port 22 keep state
> (max-src-conn-rate 1/10, overload flush global)
>
> or to copy basically verbatim from the man page, (with only the
> src-conn-rate and port number adjusted):
>
> block quick from
> pass in on $ext_if proto tcp to $webserver port ssh keep state \
>(max-src-conn-rate 1/10, overload flush global)
>
>
> I havent tested this personally, but it should be adequate.
>
>
>
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
