PCI passthru now working for OpenBSD guests in FreeBSD bhyve
Hi All,

Just FYI, after years of PCI passthru* not working for OpenBSD guests in FreeBSD bhyve due to 2 bugs, a week ago the fixes were made available in FreeBSD 12.1-RELEASE-p7.

Now it's possible to use an OpenBSD guest as a main firewall for a FreeBSD host, OpenBSD guest taking full control of the internet-connected NIC, isolating this way the host and other guests from unrestricted network flow.

The details were recently published in the FreeBSD Quarterly Status Report - Second Quarter 2020: [1].

Regards,
Anatoli

* PCI devices passthru is a technique to pass host PCI devices to a virtual machine for its exclusive control and use.

[1] https://www.freebsd.org/news/status/report-2020-04-2020-06.html#PCI-passthrough-with-bhyve-on-Intel-and-for-OpenBSD-guests
Re: Restore pf tables metadata after a reboot
> Even then it seems that some of them turn up again pretty much
> instantly after expiry.

You could update the expire time on each new connection/port scan attempt. This way you could put say 4 days expire time and block these IPs on all ports on all your systems and new connection attempts would update the expire for all the systems.

4 days is because 5 days is a typical timeout for a temporary error for SMTP. It may happen that someone used for 24hs a cloud instance and then got banned by the cloud provider, the IP used for spam/scans/attacks could be reused for another client for a legit activity. So if that new client for the old IP sends to your client some important mail, it's not lost and doesn't generate an undeliverable mail report, it just takes some days to reach the destination (with retries by the origin server). 4 weeks looks excessive for cloud shared IPs.

On 30/5/20 07:25, Peter Nicolai Mathias Hansteen wrote:
>
>> On 30 May 2020 at 11:54, Walter Alejandro Iglesias wrote:
>>
>> The problem is most system administrators out there do very little. If
>> you were getting spam or attacks from some IP, even if you report the
>> issue to the respective whois abuse@ address, chances are attacks from
>> that IP won't stop next week, nor even next month.
>>
>> So, in general terms, I would refrain as much as possible from hurry to
>> expiring addresses. Just my opinion.
>
> Yes, there are a lot of systems out there that seem to be not really
> maintained at all. After years of advocating 24 hour expiry some time back I
> went to four weeks on the ssh brutes blacklist. Even then it seems that some
> of them turn up again pretty much instantly after expiry.
>
> All the best,
>
> —
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
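The expiry trade-off discussed in this thread, modelled as an added example (not code from the original posts, and not pf itself). It compares a fixed expiry with one that restarts on every new attempt, and checks whether a legitimate mail sender on a recycled address gets through before a 5-day SMTP give-up. Assumptions: the two addresses are documentation addresses, the sender retries every 6 hours, and `refresh_on_retry` models the case where blocked retries themselves count as new attempts.

```python
from dataclasses import dataclass, field

DAY = 86400
SMTP_GIVE_UP = 5 * DAY          # typical sender give-up time for temporary errors
SCANNER = "198.51.100.7"        # constructed address (documentation range)
RECYCLED = "192.0.2.10"         # constructed address (documentation range)


@dataclass
class Blocklist:
    expire: int                                  # seconds an entry lives after its last offence
    last_offence: dict = field(default_factory=dict)

    def offence(self, ip, now):
        """List the address or, if already listed, restart its expiry clock."""
        self.last_offence[ip] = now

    def blocked(self, ip, now):
        seen = self.last_offence.get(ip)
        if seen is None:
            return False
        if now - seen >= self.expire:            # entry aged out: drop it
            del self.last_offence[ip]
            return False
        return True


def hits_passed(expire, hit_times, sliding):
    """Count attempts by a persistent scanner that arrive while it is not listed."""
    bl = Blocklist(expire)
    passed = 0
    for t in hit_times:
        if bl.blocked(SCANNER, t):
            if sliding:
                bl.offence(SCANNER, t)           # each blocked attempt restarts the clock
        else:
            passed += 1
            bl.offence(SCANNER, t)               # (re)listed after getting through
    return passed


def mail_delivered_at(expire, first_try, retry_every, refresh_on_retry):
    """Time at which a new tenant's mail server gets through, or None if it gives up.

    The address was listed at t=0 because of its previous tenant.
    """
    bl = Blocklist(expire)
    bl.offence(RECYCLED, 0)
    t = first_try
    while t - first_try <= SMTP_GIVE_UP:
        if not bl.blocked(RECYCLED, t):
            return t
        if refresh_on_retry:
            bl.offence(RECYCLED, t)              # retries treated as offences
        t += retry_every
    return None


if __name__ == "__main__":
    hits = [d * DAY for d in range(0, 31, 3)]    # constructed: one attempt every 3 days
    print("fixed 4d, scanner attempts passed:", hits_passed(4 * DAY, hits, False))
    print("sliding 4d, scanner attempts passed:", hits_passed(4 * DAY, hits, True))
    for expire, refresh in ((4 * DAY, False), (28 * DAY, False), (4 * DAY, True)):
        t = mail_delivered_at(expire, 0, 6 * 3600, refresh)
        print(f"expire={expire // DAY}d refresh_on_retry={refresh}:",
              "given up" if t is None else f"delivered after {t / DAY:.1f} days")
```

In this model the 4-day window only lets the recycled address recover if the expiry clock restarts on the offending traffic alone, not on every connection from a listed address.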
Re: WLAN throughput less 10Mb/s
How do the same drivers work in Linux? Can't "we" "just" "copy" the code from there? Or does the GPL licensing absolutely prevent from analyzing Linux code and using their implementation details?

Two years ago FreeBSD started implementing AC stack [1]. Maybe there could be a collaborative project among the BSDs to get wifi working on the same (or better) level as in Linux?

FreeBSD Foundation announced a month ago they are starting to sponsor work on full AC support [2]. Why not to seize the opportunity and unify the wifi stacks so that the drivers are more or less same code between the 2 BSDs? Then any improvement to the stack and any driver would be useful for both projects.

Otherwise it looks like it's too much work to be done by one-two devs on occasional basis. The FreeBSD AC todo list [3] (which is still incomplete) looks overwhelming.

Anyway, thanks a lot for what is already done!

[1] https://adrianchadd.blogspot.com/2017/04/bringing-up-80211ac-on-freebsd.html
[2] https://www.phoronix.com/scan.php?page=news_item=802.11ac-FreeBSD-Sponsor
[3] https://wiki.freebsd.org/WiFi/80211ac

On 14/4/20 08:01, Stefan Sperling wrote:
> On Tue, Apr 14, 2020 at 11:37:24AM +0100, Kevin Chadwick wrote:
>> On 2020-04-14 09:21, Stefan Sperling wrote:
>>> Regarding other chipsets, if you want the fastest possible AP on OpenBSD
>>> your best option right now is to get a bwfm(4) device, which offloads almost
>>> all of its 802.11 operation into a firmware blob running in the embedded
>>> system on the device.
>>
>> Interesting.
>>
>> BWFM(4)
>> CAVEATS
>> The firmware is outdated and contains known vulnerabilities.
>>
>> Any more information on the seriousness of these vulnerabilities?
>>
>> I can probably look it up in CVS actually but figured it *may* be prudent of me
>> to highlight that caveat on the list explicitly, in any case.
>
> I honestly don't know and don't really care. Even if we knew what publicly
> known or unknown bugs linger in there, we couldn't do anything about it.
> All we can really do is upgrade the firmware and hope for the best.
>
> The same is true for the Intel wifi chips.
>
> What's nice about athn(4) is that the full software stack from driver to
> hardware is open source, including firmware for USB devices. So it's
> possible to fix issues, though it can be quite hard to fix known bugs.
> No firmware abstraction means the driver needs to deal with a lot of
> complexity all by itself, i.e. problems that engineers at vendors with
> proper testing equipment and low-level expertise tend to deal with.
>
OpenBSD 6.6 inside bhyve with NIC pci passthru: no data
Hi All,

Is anyone using PCI passthru of network adapters with OpenBSD 6.6 inside bhyve?

I tried different combinations:

* Host: FreeBSD 12.1R and 13C
* CPUs: Intel i7 7600U, 8550U, AMD Opteron 6300 and Ryzen 1200
* NICs: Intel PRO/1000 (onboard) & RTL8111/8168/8411 (onboard and PCIe slot)

The behavior is always the same: OpenBSD guest sees the adapters and in most cases even correctly senses the media state, but it can't send/receive packets. Though once I've seen with tcpdump on another machine directly connected to the host an ARP request packet coming from the OpenBSD guest, the other machine sent a corresponding ARP reply, but then nothing. So probably only the incoming traffic is not working.

I'm investigating it with FreeBSD devs (here is a bug report with dmesgs and all other relevant info: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245392), it looks like something related to MSI interrupts, but I'd like to confirm if anyone has a working setup of bhyve nic pci passthru with OpenBSD as a guest.

Thanks,
Anatoli
Re: Issues with the Thunderbolt/USB-C port on my ThinkPad T480
Hi Jeffrey,

You should start by sending your complete dmesg (with the problematic devices attached) so we all see what's your hardware.

Then, USB-C is a connector [1], it doesn't imply anything in particular. What is important is the USB protocol version of your devices (on both ends). It would help if you describe in detail some particular scenario that you say doesn't work.

Regards,
Anatoli

[1] https://en.wikipedia.org/wiki/USB-C

On 8/10/19 15:14, Jeffrey Abbinante wrote:
> Hello all,
>
> I am a relatively new OpenBSD user and an ex-Arch and Gentoo user and I'm
> liking the experience so far. Everything feels lighter than GNU/Linux but
> there is one huge issue. My USB-C ports don't really work. Sometimes they
> work and sometimes they don't. When they do the performance of the system
> degrades and the only way to fix it is to suspend the laptop. I kinda need
> the USB-C ports to work but I don't know where to start. Any suggestions?
>
> Thank you,
>
> Jeffrey Abbinante
>
Re: Cloudflare mirror link broken & more
> looking at the number of bytes moved in the sessions is sufficient to
> determine which firmwares were selected and downloaded.

Theo, I may be completely wrong here (please excuse my ignorance if it is the case), but I see it this way:

On a shared server (or one fronted by a CDN) on the same pool of IPs there are lots of domains hosted (at cdn.openbsd.org right now there are 140 domains of which 63 are wildcards and they are shuffled all the time), they could have infinite amount of files. With ESNI there's no way to know which domain we are requesting, so we could be downloading/requesting anything (files and dynamic content, RTC, streaming) from hundreds of unrelated domains.

On top of this, if we use HTTP/2 multiplexing and request all the firmware binaries over the same connection, the exact size wouldn't be known either. You can add additional obfuscations if needed, like randomly mix-querying small files over the same multiplexed connection.

I know tls1.3 is not there yet in LibreSSL and ESNI is at draft-04 at this moment, but I'm not talking about an immediate fully-DPI-resistant deployment. All CloudFlare hosted domains are with ESNI already for a year [1] and ff has it in nightly. OpenSSL, Fastly, Apple and Google are also working on it, there's a fairly good interop testing ground.

My question was about why not to cloud-front-with-https (like cdn.openbsd.org is) the firmware sub-domain too (or cdn.firmware.openbsd.org).

Just my 2-cents-IMO :)

Regards,
Anatoli

[1] https://blog.cloudflare.com/encrypted-sni/

On 7/10/19 15:38, Theo de Raadt wrote:
> Anatoli wrote:
>
>> And thank you for your detailed explanation about the certs for firmware
>> sub-domain. Just wanted to say that IMO there's actually one thing that
>> it would solve: the privacy of the requests, i.e. we wouldn't be leaking
>> info about our devices with proprietary fw to anyone listening on the
>> wires. But I see it's a considerable effort to set it up. I already know
>> whom to contact to collaborate with the infrastructure.
>
> oh really, https solves that??
>
> Sorry to burst your bubble, but looking at the number of bytes moved in
> the sessions is sufficient to determine which firmwares were selected
> and downloaded.
>
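The byte-count question argued in this exchange can be measured. The following added example (not from either poster) enumerates which sets of files are consistent with the number of bytes seen on an encrypted connection, first for one file per connection, then for several files multiplexed together, then with extra cover traffic. Assumptions: the catalogue names and sizes are constructed placeholders, and `slack` is the largest number of bytes the observer attributes to anything other than file bodies.

```python
from itertools import combinations

# Constructed catalogue: placeholder names and sizes in bytes, not real firmware files.
CATALOG = {
    "fw-a": 1_204_312,
    "fw-b": 5_880_104,
    "fw-c": 312_776,
    "fw-d": 9_417_660,
    "fw-e": 2_650_048,
    "fw-f": 742_919,
    "fw-g": 15_302_400,
    "fw-h": 88_410,
}


def candidates(observed, catalog=CATALOG, slack=20_000):
    """Return every set of files whose combined size fits the observed byte count.

    A set fits when its total size is at most `observed` and the remainder
    (TLS/HTTP framing, plus any cover traffic on the same connection) is at
    most `slack` bytes.
    """
    names = sorted(catalog)
    fits = []
    for r in range(1, len(names) + 1):
        for combo in combinations(names, r):
            size = sum(catalog[n] for n in combo)
            if size <= observed <= size + slack:
                fits.append(combo)
    return fits


def certain(cands):
    """Files present in every candidate set: identified even when the set is ambiguous."""
    if not cands:
        return set()
    return set.intersection(*(set(c) for c in cands))


if __name__ == "__main__":
    # One file per connection, 6000 bytes of assumed protocol overhead.
    single = CATALOG["fw-e"] + 6_000
    print("single file      :", candidates(single))

    # Three files multiplexed on one connection, 9000 bytes of assumed overhead.
    mux = CATALOG["fw-a"] + CATALOG["fw-c"] + CATALOG["fw-f"] + 9_000
    print("multiplexed      :", candidates(mux))

    # Same transfer, but the observer must allow for up to 500 kB of cover traffic.
    wide = candidates(mux, slack=520_000)
    print("with cover slack :", wide)
    print("still certain    :", sorted(certain(wide)))
```

How much ambiguity multiplexing or cover traffic buys depends entirely on the size distribution of the real catalogue; with these constructed sizes the multiplexed total still maps to a single set.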
Re: Cloudflare mirror link broken & more
Hi Stuart,

Sorry for late reply. Upon Theo's request I provided job@ with the needed info and the issues were triaged and fixed. cdn.openbsd.org now works fine. And the location of files at cloudflare.cdn.openbsd.org is correct again too.

BTW,

> Is https://openbsd.c3sl.ufpr.br/pub/OpenBSD/ any better for you?

This mirror works well from Brazil, but very slow from Argentina as the route goes via Miami when it already reaches Brazil (hop 8 is at Brazil, then it goes to Miami, then back to Brazil :) Telecom Italia Sparkle (aka seabone.net) is the main backbone provider for Argentina but they have (there are) some issues with intl routing in Brazil.

traceroute to sagres.c3sl.ufpr.br (200.236.31.1), 64 hops max, 40 byte packets
 1 192.168.0.1 (192.168.0.1) 1.585 ms 6.74 ms 10.435 ms
 2 * * *
 3 * * *
 4 * * *
 5 * * 132-208-88-200.fibertel.com.ar (200.88.208.132) 107.303 ms
 6 185.70.203.32 (185.70.203.32) 77.977 ms
   host63.181-96-120.telecom.net.ar (181.96.120.63) 112.473 ms
   185.70.203.32 (185.70.203.32) 59.782 ms
 7 185.70.203.32 (185.70.203.32) 99.471 ms * *
 8 ntt-verio.sanpaolo8.spa.seabone.net (149.3.181.65) 41.224 ms * 40.239 ms
 9 unknown.r20.miamfl02.us.bb.gin.ntt.net (129.250.2.196) 170.192 ms 194.816 ms
   ntt-verio.sanpaolo8.spa.seabone.net (149.3.181.65) 49.554 ms
10 unknown.r20.miamfl02.us.bb.gin.ntt.net (129.250.2.196) 175.984 ms 176.301 ms 174.46 ms
11 ae-8.r05.miamfl02.us.bb.gin.ntt.net (129.250.3.150) 183.177 ms
   ae-2.a01.miamfl02.us.bb.gin.ntt.net (129.250.3.167) 182.203 ms
   ae-3.a01.miamfl02.us.bb.gin.ntt.net (129.250.3.208) 181.342 ms
12 xe-0-0-26-2.a01.miamfl02.us.ce.gin.ntt.net (129.250.202.94) 181.301 ms
   ae-3.a01.miamfl02.us.bb.gin.ntt.net (129.250.3.208) 177.877 ms
   ae-2.a01.miamfl02.us.bb.gin.ntt.net (129.250.3.167) 185.902 ms
13 xe-0-0-26-2.a01.miamfl02.us.ce.gin.ntt.net (129.250.202.94) 181.56 ms 201.18 ms 181.97 ms
14 * * *
15 * * *
16 p2-v103-araucaria-lapa.pop-pr.rnp.br (200.238.139.10) 257.613 ms * 323.722 ms
17 p2-v103-araucaria-lapa.pop-pr.rnp.br (200.238.139.10) 343.196 ms 474.198 ms
   200.17.202.62 (200.17.202.62) 974.067 ms
18 200.17.202.62 (200.17.202.62) 259.173 ms
   sagres.c3sl.ufpr.br (200.236.31.1) 257.664 ms
   200.17.202.62 (200.17.202.62) 256.431 ms

And thank you for your detailed explanation about the certs for firmware sub-domain. Just wanted to say that IMO there's actually one thing that it would solve: the privacy of the requests, i.e. we wouldn't be leaking info about our devices with proprietary fw to anyone listening on the wires. But I see it's a considerable effort to set it up. I already know whom to contact to collaborate with the infrastructure.

Regards,
Anatoli

On 25/9/19 15:26, Stuart Henderson wrote:
> On 2019-09-24, Anatoli wrote:
>> Hi All,
>>
>> I see for some time that the link to Cloudflare CDN is broken.
>> https://www.openbsd.org/ftp.html says it is
>> https://cloudflare.cdn.openbsd.org/pub/OpenBSD/ but it gives 404.
>>
>> It looks like Cloudflare removed /pub/ and renamed to lowercase OpenBSD
>> so the link that works is https://cloudflare.cdn.openbsd.org/openbsd/.
>
> That would be due to the origin server which the cloudflare CDN is pointed at.
> (The CDNs aren't "real" content servers, they are just caching proxies).
> If this is still happening, please show the output from
> ftp -o- https://cloudflare.cdn.openbsd.org/pub/OpenBSD/ and
> ftp -o- https://cloudflare.cdn.openbsd.org/openbsd/ so we can get
> a better idea which origin server it's using etc.
>
>> Also, the Fastly (CDN) mirror frequently (like half the times) gives
>> connection errors, at least using it from Latin America. The IPs I get
>> from different LA countries are 151.101.2.217 (Brazil) & 151.101.218.217
>> (Argentina). ftp.openbsd.org works always so when I get errors with
>> Fastly, I switch to it and it works well (but slowly), or to Cloudflare
>> which works well too and it's fast (at the modified URL).
>
> Is https://openbsd.c3sl.ufpr.br/pub/OpenBSD/ any better for you?
>
>> The Fastly errors are of the form "connection closed at byte xxx", "ftp:
>> connect: operation timed out \n signify: gzheader truncated", something
>> like "no valid ip address found" and similar. Probably it's a faulty or
>> overloaded server serving some LA countries?
>
> Or a slow link between the CDN and the origin server, or maybe some other
> reasons. Personally I would normally only regard the CDNs as a fallback
> option if other ways to fetch the files are not working well ..
>
>> And right now I'm getting an invalid cert error for
>> https://firmware.openbsd.org. It resolves to 145.238.209.46
>> (pond.obspm.bsdfrog.org) and 94.142.244.34. The certificate is only
>> valid for the following names: distfiles.bsd
Re: Multi media keys on wired USB keyboard not responding
Erling,

:) can happen to anyone. I supposed there was something like this going on as if usbhidctl shows the keys, there's basically no way for usbhidaction not to work for some internal issue as uhid devices are sort of character pseudo-devices and you can even read some keypress events with doas cat /dev/uhid0 | od -x (or even without od).

The only thing usbhidaction does is it checks at init for descriptor pages to see whether all the requested keys are defined (could be ignored with -i) and starts listening for keypress events on the specified uhid instance. My next suggestion would have been to play with -v and -d args to usbhidaction, but you figured it out yourself.

With respect to the PrintScreen button, I was experiencing the same and I almost have a fix for it. If you search the archive for my email titled "HID keyboard + usbhidctl weirdness" you'll see I was reporting the same issues, but I went further and started to mess with the kernel XD. The issue is basically the scancode for keypress is masked in one of the mapping tables in keyboard drivers. I already figured the table for wscons, had to find it for X. I'll send you a diff to test when ready.

Meanwhile, could you please send me the output from usbdevs -v and lsusb -v (pkg_add usbutils) that corresponds to your keyboard device (there could be more than one entry at different addresses – you can see which devices correspond to your keyboard by running tail -f /var/log/messages while you unplug and plug it again)?

Regards,
Anatoli

On 5/10/19 21:06, Erling Westenvik wrote:
> Stupid me. The keyboard is working! For some reason I don't yet
> understand, the usbhidaction(1) config file I created was set to "dos"
> by vim(1) early in the process. Perhaps I copied in something I found on
> the web. Anyway; hidden ^M's prevented mixerctl command executions, and
> moreover; when Anatoli suggested I echo values into a dumpfile
> /tmp/uhid_debug, I touch(1)ed that file before proceeding, but then
> usbhidaction created /tmp/uhid_debug^M instead and put its things in
> there while I was busy looking at "tail -f /tmp/uhid_debug)"..
> After changing filetype to "unix" everything works as expected. (Except
> for my Print Screen key, but that was not covered by my OP anyway.)
>
> Sorry for the noise! (..?! Curiously enough I discovered the "hidden"
> debug file while testing noice(1)..)
>
> Regards,
>
> Erling
>
> On Fri, Oct 04, 2019 at 04:39:18PM +0200, Erling Westenvik wrote:
>> On Thu, Oct 03, 2019 at 03:08:54PM -0300, Anatoli wrote:
>>> Hi Erling,
>> Hi Anatoli, sorry for the late reply. Your answer somehow ended up in
>> in Gmail spam.
>>
>>> Your problem is probably with the page name. Check it with usbhidctl -r
>>> -f /dev/uhid0 (the value you're interested in is what is shown for
>>> "Collection page").
>>
>> $ usbhidctl -r -f /dev/uhid0
>> Report descriptor:
>> Collection page=Consumer usage=Consumer_Control
>> Input size=16 count=1 Array page=Consumer usage=Unassigned..0x03ff,
>> logical range 0..1023
>> Input size=8 count=1 Array page=Keyboard usage=No_Event..0x00ff, logical
>> range 0..255
>> Input size=1 count=1 page=Microsoft usage=0xfe03, logical range 0..1
>> Input size=1 count=1 page=Microsoft usage=0xfe04, logical range 0..1
>> Input size=5 count=1 page=Microsoft usage=0xff05, logical range 0..31
>> Input size=8 count=1 page=Microsoft usage=0xff02, logical range 0..255
>> End collection
>> Total input size 7 bytes
>> Total output size 0 bytes
>> Total feature size 0 bytes
>>>
>>> Also, it's probably required for the actions to go on new lines in the
>>> action config.
>>
>> They do in my config. I just joined the lines in my original email
>> before sending. For no really good reason I admit.
>>
>>> And for debugging I'd use something like `echo 1 >> /tmp/uhid_debug`
>>> so you know that it's working, e.g.:
>>> Consumer:Volume_Decrement 1
>>>     echo 1 >> /tmp/uhid_debug
>>
>> Absolutely no output. It's like the keys don't exist no matter what I
>> try. Are there ways to test for keyboard input at a lower level – like
>> in single user mode, before the USB driver potentially gets clogged by
>> other devices/processes?
>>
>>> On the other hand, I'm working on a new driver that would make all this
>>> usbhid* operations unnecessary, the keys would work natively.
>>
>> I'm looking forward to that! Please feel free to contact me for testing
>> diffs.
>>
>> Regards,
>> Erling
>>
>>>
>>> Regards,
>>> Anatoli
>
Re: Multi media keys on wired USB keyboard not responding
Hi Erling,

Your problem is probably with the page name. Check it with usbhidctl -r -f /dev/uhid0 (the value you're interested in is what is shown for "Collection page").

Also, it's probably required for the actions to go on new lines in the action config.

And for debugging I'd use something like `echo 1 >> /tmp/uhid_debug` so you know that it's working, e.g.:

Consumer:Volume_Decrement 1
    echo 1 >> /tmp/uhid_debug

On the other hand, I'm working on a new driver that would make all this usbhid* operations unnecessary, the keys would work natively.

Regards,
Anatoli

On 2/10/19 09:54, Erling Westenvik wrote:
> Hi,
> I am unable to get the four multimedia keys (Play/Pause, Volume
> Decrement/Increment, Mute) on my old'ish USB Microsoft Wired Keyboard
> 600 to respond.
> I have tried to do my homework by reading man pages, like
> usbhidaction(1) and usbhidctl(1), and I've been looking at how-tos on
> the net [1], but to no avail and I've decided to reach out to misc@
> for guidance. dmesg(1) below [2].
>
> This is what I have tried:
>
> 1. Identifying key strokes:
>
>    $ usbhidctl -l -f /dev/uhid0
>    Consumer_Control.Play/Pause=1
>    Consumer_Control.No_Event=1
>    Consumer_Control.0xfe03=0
>    Consumer_Control.0xfe04=0
>    Consumer_Control.0xff05=0
>    Consumer_Control.0xff02=0
>
>    Consumer_Control.Unassigned=1
>    Consumer_Control.No_Event=1
>    Consumer_Control.0xfe03=0
>    Consumer_Control.0xfe04=0
>    Consumer_Control.0xff05=0
>    Consumer_Control.0xff02=0
>
>    [...identical output (except for name) for the other four keys...]
>
> 2. usbhidaction(1) configuration file:
>
>    $ cat ~/.usbhidaction.conf
>    Consumer:Play/Pause 1 mixerctl outputs.master.mute=toggle
>    Consumer:Volume_Decrement 1 mixerctl outputs.master=-8
>    Consumer:Volume_Increment 1 mixerctl outputs.master=+8
>    Consumer:Mute 1 mixerctl outputs.master.mute=toggle
>
> 3. Executing usbhidaction during xsession or from xterm..
>
>    $ usbhidaction -c ~/.usbhidaction.conf -f /dev/uhid0
>
>    ..exits without errors but keys are not responding.
>
> Btw:
> - I used to have a PS/2 keyboard with multi media keys and it was
> working well with the machine in question.
> - The current USB keyboard is tested and fully functional on another
> machine running Windows 7.
> - None of the multi media keys gets detected by xev(1).
>
>
> Regards,
>
> Erling
>
> ---
> [1] https://www.bsdhowto.ch/extrakeys.html
> [2] $ dmesg
> OpenBSD 6.6-beta (GENERIC.MP) #314: Mon Sep 16 19:13:24 MDT 2019
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 12867665920 (12271MB)
> avail mem = 12464992256 (11887MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xfcdf0 (57 entries)
> bios0: vendor American Megatrends Inc. version "V1.15" date 03/04/2011
> bios0: MICRO-STAR INTERNATIONAL CO.,LTD MS-7599
> acpi0 at bios0: ACPI 1.0
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC MCFG OEMB SRAT HPET SSDT
> acpi0: wakeup devices PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4)
> PCE9(S4) PCEA(S4) PCEB(S4) PCEC(S4) SBAZ(S4) P0PC(S4) UHC1(S4) UHC2(S4)
> UHC3(S4) USB4(S4) [...]
Cloudflare mirror link broken & more
Hi All,

I see for some time that the link to Cloudflare CDN is broken. https://www.openbsd.org/ftp.html says it is https://cloudflare.cdn.openbsd.org/pub/OpenBSD/ but it gives 404.

It looks like Cloudflare removed /pub/ and renamed to lowercase OpenBSD so the link that works is https://cloudflare.cdn.openbsd.org/openbsd/.

Also, the Fastly (CDN) mirror frequently (like half the times) gives connection errors, at least using it from Latin America. The IPs I get from different LA countries are 151.101.2.217 (Brazil) & 151.101.218.217 (Argentina). ftp.openbsd.org works always so when I get errors with Fastly, I switch to it and it works well (but slowly), or to Cloudflare which works well too and it's fast (at the modified URL).

The Fastly errors are of the form "connection closed at byte xxx", "ftp: connect: operation timed out \n signify: gzheader truncated", something like "no valid ip address found" and similar. Probably it's a faulty or overloaded server serving some LA countries?

And right now I'm getting an invalid cert error for https://firmware.openbsd.org. It resolves to 145.238.209.46 (pond.obspm.bsdfrog.org) and 94.142.244.34. The certificate is only valid for the following names: distfiles.bsdfrog.org, emma-en-quete.com, ftp.fr.openbsd.org, pond.obspm.bsdfrog.org, pond.stats.bsdfrog.org, portroach.openbsd.org, www.emma-en-quete.com. Not sure if it's a configuration error of some mirror server or something else.

I know that the firmware as well as all other files are checked with signify so https is not strictly required for authenticity (though it does for privacy) and I don't remember if this domain has ever worked via https before, anyway just in case there's really some misconfiguration.

Regards,
Anatoli
Re: Question regarding server hardware
As to the initial question, I'd suggest Supermicro with the new AMD EPYC Rome CPUs (I should receive them in november-december when NVMe-native models are ready). Much better than Intel+Dell, though still proprietary.

If you are ok with something more exotic but more open and in server class, you have Talos II from Raptor Computing: https://secure.raptorcs.com/content/base/products.html, but to run OpenBSD on it ppc64 arch support would be needed.

Some 2 years ago I was thinking about buying a Talos II Entry-Level Developer System and sending it to some dev to get the support, but then I learned about RISC-V (though it's not in the server class even in mid-term plans).

On 7/9/19 17:30, James Huddle wrote:
> I recently purchased a Dell T-330 server that I had intended to
> install OpenBSD on and use as a serious web server. My goal was to
> have more control than would be (naturally) given with, say an AWS VM.
> And by control, I mean what is *not* running on the box - security-wise.
>
> Apparently, Dell ships these with an abundance of "security features"
> already on the box. And not a lot of obvious opt-outs. And a proclivity
> to not understand that "no means no" in regard to turning off these
> features.
> One of which used 60% of (one of 8) processors, all the time. Constantly
> running
> one of my processors at 60% - as long as it was powered up.
>
> I understand that there are times when good security requires such measures.
> I do. And if I trusted Dell with 100% of my security needs, I'd be ok if
> it phoned
> home a lot, or repeatedly powered up my external HD after a total power
> down,
> etc.
>
> But I am under-educated and over-paranoid, and so I'm hoping that the
> people on this list can offer some suggestions of machines that they use
> as internet servers. I'm looking for *more* power and *less* stuff running
> in the background when booting from a newly-installed OS (like obsd).
> I can and will go with a 10-yr-old desktop model, if that's what it takes to
> achieve "radio silence" when I'm not running anything.
>
> Can you tell me what you like to use?
> Thank you in advance.
> -Jim Huddle
>
Re: Getting screen to lock on suspend with Lenovo Thinkpad X1 Carbon
On surface this is the correct configuration. I would try putting something like:

echo "lock" >> /tmp/lock.log

to /etc/apm/suspend to see if it's executed at all and then something like:

pgrep xidle >> /tmp/lock.log

to see if xidle is running at that moment, then

ls /usr/local/bin/slock >> /tmp/lock.log.

Also would check for the correct permissions. Please let us know what it was when you identify the problem.

BTW, you can put the timeout value and program to ~/.Xresources and just execute xidle &.

On 3/9/19 22:09, Trey Sizemore wrote:
> On Tue, Sep 3, 2019, at 8:54 PM, joshua stein wrote:
>> On Tue, 03 Sep 2019 at 19:41:40 -0400, Trey Sizemore wrote:
>>> One remaining issue is getting the screen to lock when the laptop lid is closed and the laptop suspends. The screen does not lock and just resumes to the XFCE4 desktop. I have the following in my .xsession:
>>>
>>> bsd$ cat .xsession
>>> xidle -timeout 300 -program "/usr/local/bin/slock" &
>>>
>>> Any help greatly appreciated.
>>
>> xidle locks on SIGUSR1, so you could send it such a signal upon suspend. With apmd enabled, add "pkill -USR1 xidle" to /etc/apm/suspend
>
> Thank you. I should have said, I have the following:
>
> bsd# cat /etc/apm/suspend
> #!/bin/sh
> pkill -USR1 xidle
>
> and that file is executable.
Re: Ergonomic USB wired mouse
> dmesg | grep "uhid. at uhidev4"

Yepp, this one is good for manual device identification, but I was hoping for a more direct way to be used in a hotplugd script, executed on each device attachment, to avoid any race conditions and peaks of high load (on a physical USB hub with multiple HID devices there could be dozens of uhid instances that are all reported at the same moment when a hub is attached). But it looks like there's no way at this moment to get this info apart from dmesg.

Ideally hotplugd would allow to filter devs by vendor/product (as devd in FreeBSD) or at least to report them. It looks like hotplug(4) could be rather easily extended to also report parent (like in hotplug_device_attach(cd->cd_class, dev->dv_xname, *parent*) at 407@sys/kern/subr_autoconf.c) and maybe even bus so hotplugd could be extended to query all properties of the reported device.

Regards,
Anatoli

On 25/8/19 12:28, Bruno Flueckiger wrote:
> On 24.08., Anatoli wrote:
>> Hi Bruno,
>>
>> AWESOME!! Thanks a lot! You can add "MX Vertical" to the list of the successfully tested pointing devices :D
>>
>> I just made some minor changes as this mouse only has 2 additional physical buttons (no secondary wheel, nor anything else). I removed the WAxis and lowered the button numbers on the ZAxis:
>>
>> Section "InputClass"
>>     Identifier "Logitech MX Vertical"
>>     MatchDriver "ws"
>>     Driver "ws"
>>     Option "Buttons" "16"
>>     Option "Device" "/dev/wsmouse"
>>     Option "Floating" "false"
>>     Option "ZAxisMapping" "6 7"
>> EndSection
>>
>> And adjusted xmodmap:
>>
>> xmodmap -e "pointer = 1 2 3 8 9 4 5 6 7 10 11 12 13 14 15 16"
>>
>> This way everything works as expected! Nice!
>
> Thanks for reporting back your success. I like to read that my writing is useful to others. The mapping of the axes to the different buttons will vary for most devices. But if my article gave you what you needed to get it running yourself my goal is reached.
>
>> Some time ago I also saw your other great guide about extra keys on USB keyboards (https://www.bsdhowto.ch/extrakeys.html) and used some ideas from it. I'd like to suggest one thing though: not to run usbhidaction from rc (it could be started under regular users from their WM startup scripts) and not to put the actual commands in the usbhidaction config, but rather to call from there xdotool for each button with the key codes to generate (e.g. "xdotool key XF86Mail" XF86LaunchA-Z, XF86AudioPlay/Stop, etc.) and then to capture them with xbindkeys.
>
> I do not use any X11 tools on purpose. It is my goal to describe a way that works independently from X11.
>
>> If you exec programs directly by usbhidaction the way you launch it, they'd be executed under root and some users reading your guide may not understand the implications. Also this way it's impossible for each user to customize the actions.
>
> You're right about the security implications and the lack of multiuser support in my article. From a security perspective it is better to run usbhidaction as an unprivileged user. rc allows this by setting the user parameter like this:
>
> $ doas rcctl set user
>
> I've updated my article to include this setting. By the way it also solves some trouble when you try to send commands to other media players like moc (https://moc.daper.net/) which check for security. The lack of multi user support is left to the reader as an exercise :-)
>
>> I tried to go even further and to detect the keyboard when it's attached with hotplugd & usbdevs/lsusb (for vendor/product IDs), but then I couldn't solve the link between uhidev & uhid instances (https://marc.info/?l=openbsd-misc=156499209423144=2). Please let me know if you have any idea how to solve this.
>>
>> Regards,
>> Anatoli
>
> I would try to grep the output of dmesg(8) for the uhids attached to the uhidev. Something like that should give you a list of uhid belonging to the uhidev that got just attached:
>
> dmesg | grep "uhid. at uhidev4"
>
> Cheers,
> Bruno
Re: Ergonomic USB wired mouse
Hi Bruno,

AWESOME!! Thanks a lot! You can add "MX Vertical" to the list of the successfully tested pointing devices :D

I just made some minor changes as this mouse only has 2 additional physical buttons (no secondary wheel, nor anything else). I removed the WAxis and lowered the button numbers on the ZAxis:

Section "InputClass"
    Identifier "Logitech MX Vertical"
    MatchDriver "ws"
    Driver "ws"
    Option "Buttons" "16"
    Option "Device" "/dev/wsmouse"
    Option "Floating" "false"
    Option "ZAxisMapping" "6 7"
EndSection

And adjusted xmodmap:

xmodmap -e "pointer = 1 2 3 8 9 4 5 6 7 10 11 12 13 14 15 16"

This way everything works as expected! Nice!

Some time ago I also saw your other great guide about extra keys on USB keyboards (https://www.bsdhowto.ch/extrakeys.html) and used some ideas from it. I'd like to suggest one thing though: not to run usbhidaction from rc (it could be started under regular users from their WM startup scripts) and not to put the actual commands in the usbhidaction config, but rather to call from there xdotool for each button with the key codes to generate (e.g. "xdotool key XF86Mail" XF86LaunchA-Z, XF86AudioPlay/Stop, etc.) and then to capture them with xbindkeys.

If you exec programs directly by usbhidaction the way you launch it, they'd be executed under root and some users reading your guide may not understand the implications. Also this way it's impossible for each user to customize the actions.

I tried to go even further and to detect the keyboard when it's attached with hotplugd & usbdevs/lsusb (for vendor/product IDs), but then I couldn't solve the link between uhidev & uhid instances (https://marc.info/?l=openbsd-misc=156499209423144=2). Please let me know if you have any idea how to solve this.

Regards,
Anatoli

On 20/8/19 03:25, Bruno Flueckiger wrote:
> On 19.08., Anatoli wrote:
> > I'm using Logitech MX Vertical. Nice mouse, IMO one of the most ergonomic ones though it needs some adaptation.
> >
> > It has 2 additional buttons which do NOT work on -current (better to say, they work like scrolling the wheel instead of being left and right), I'd like to know how to make them work BTW. On Linux it works well.
> >
> > Oliver Marugg wrote:
> > > Hi
> > > I am preparing switching my desktop from another OS to OpenBSD. Is anyone using an Evoluent USB Wired Mouse (C/4 or 4 small) with OpenBSD? Or any other great ideas about an ergonomic mouse working with OpenBSD?
> > > Many thanks.
> > > -oliver
>
> I use the Logitech Performance MX trackball. Like Anatoli I had the problem that the two additional buttons behave like the scroll wheel. I solved this issue last year. You can find my how-to here:
>
> https://www.bsdhowto.ch/mousekeys.html
>
> Cheers,
> Bruno
Re: Ergonomic USB wired mouse
I'm using Logitech MX Vertical. Nice mouse, IMO one of the most ergonomic ones though it needs some adaptation.

It has 2 additional buttons which do NOT work on -current (better to say, they work like scrolling the wheel instead of being left and right), I'd like to know how to make them work BTW. On Linux it works well.

Oliver Marugg wrote:
> Hi
> I am preparing switching my desktop from another OS to OpenBSD. Is anyone using an Evoluent USB Wired Mouse (C/4 or 4 small) with OpenBSD? Or any other great ideas about an ergonomic mouse working with OpenBSD?
> Many thanks.
> -oliver
Enumerate uhid instances of uhidev
Hi Martin, all,

Could you please give a hint on how to enumerate all child uhid instances of a given uhidev?

I'm trying to accomplish the following: With hotplugd I get notifications for uhidev and uhid instances when I attach a keyboard. I'd like to perform some action (usbhidaction -f uhidX) on a specific uhid when a specific keyboard is attached. I can get vendor/product IDs of the corresponding uhidev of the keyboard with usbdevs -v (e.g. "driver: uhidev4"), but then I can't find how to enumerate the uhid instances corresponding to a uhidev instance.

Judging by struct usb_device_info, there's no way to get the uhid list via USB_DEVICEINFO ioctl call and at the same time it looks like uhid instances don't know about their parent uhidev (the info extracted by usbhidctl).

Is it at all possible to get this info? If it's currently not possible without extending the drivers, I'd appreciate to know this too.

Thanks,
Anatoli
HID keyboard + usbhidctl weirdness
Hi all,

I have a Logitech diNovo Edge USB keyboard with multimedia keys. By default no multimedia keys work, but also the printscreen button doesn't work.

With usbhidctl I can make most of the keys work, but they are split between 2 uhid devices. I have found no way to make printscreen key work (no feedback in xev, nor via usbhidctl).

Also I tried setxkbmap -model logidinovoedge (initially it's pc105), but with no effect, probably I don't understand well what it does.

dmesg goes below.

# with the keyboard attached
$ usbdevs
Controller /dev/usb0:
addr 01: 8086: Intel, xHCI root hub
addr 02: 0424:2504 Standard Microsystems, Hub
addr 03: 046d:c52b Logitech, USB Receiver
addr 04: 046d:0b04 Logitech, Logitech BT Mini-Receiver
addr 05: 046d:c713 Logitech, Logitech BT Mini-Receiver
addr 06: 046d:c714 Logitech, Logitech BT Mini-Receiver

# without the keyboard
$ usbdevs
Controller /dev/usb0:
addr 01: 8086: Intel, xHCI root hub
addr 02: 0424:2504 Standard Microsystems, Hub
addr 03: 046d:c52b Logitech, USB Receiver

$ setxkbmap -model logidinovoedge
$ setxkbmap -query
rules: base
model: logidinovoedge
layout: us

$ usbhidctl -rvv -f /dev/uhid7
report ID=3
Report descriptor:
Collection page=Consumer usage=Consumer_Control (12:0x1)
Input size=16 count=2 Array page=Consumer usage=Consumer_Control..AC_Send (12:0x1..12:0x28c), logical range 1..652
End collection
Total input size 4 bytes
Total output size 0 bytes
Total feature size 0 bytes

$ usbhidctl -rvv -f /dev/uhid8
report ID=4
Report descriptor:
Collection page=Generic_Desktop usage=System_Control (1:0x80)
Input size=2 count=1 Array page=Generic_Desktop usage=System_Sleep (1:0x82), logical range 1..3
Input size=6 count=1 Const page=0x usage=0x (0:0x0), logical range 1..3
End collection
Total input size 1 bytes
Total output size 0 bytes
Total feature size 0 bytes

# Redundant output removed (pressing multimedia keys)
$ usbhidctl -l -f /dev/uhid7
Consumer_Control.AC_Go_To=1 [0]
Consumer_Control.AL_Newsreader=1 [0]
Consumer_Control.AC_Back=1 [0]
Consumer_Control.Stop=1 [0]
Consumer_Control.Eject=1 [0]
Consumer_Control.Play/Skip=1 [0]
Consumer_Control.Scan_Previous_Track=1 [0]
Consumer_Control.AL_Word_Processor=1 [0]
Consumer_Control.AC_Zoom_Out=1 [0]
Consumer_Control.AC_Zoom=1 [0]
Consumer_Control.AC_Full_Screen_View=1 [0]
Consumer_Control.Volume_Decrement=1 [0]
Consumer_Control.Bass=1 [0]

$ usbhidctl -l -f /dev/uhid8
System_Control.System_Sleep=1
System_Control.System_Sleep=0

# On Linux xev event for printscreen key
KeyRelease event, serial 37, synthetic NO, window 0xe01,
    root 0x149, subw 0x0, time 266293215, (-940,-320), root:(485,528),
    state 0x10, keycode 107 (keysym 0xff61, Print), same_screen YES,
    XLookupString gives 0 bytes:
    XFilterEvent returns: False

So, I have the following questions:

1. Why are there 2 HID devices for the same keyboard and the sleep button is the only button that is available only on the 2nd device (uhid8)?

2. Why not all keys are responding via usbhid (though the same happens on Linux)? There are 12 multimedia buttons for F1-F12 that are activated with Fn key, only 7 of them are working via usbhid, the other 5 don't respond on any uhid device. Other multimedia keys like zoom, volume control, etc. are all working fine via the 1st uhid device (uhid7).

3. Why is the printscreen key not working? It looks like a standard key that should respond in xev. On Linux it's working fine and its scancode in xev is 107 (see above).

4. What is setxkbmap -model logidinovoedge supposed to do? Is there anything it could help with? Should I put XkbModel in xorg.conf? What should then go in the `Identifier "idevname"` param?

5. In FreeBSD there's devd.conf where some action could be defined when a device with a specific vendor & product is attached. How should this be accomplished in OpenBSD? I suppose the /dev/uhid{7,8} could change depending on the order of initialization of the devices and it may be present or not, so I can't use it directly in usbhidaction.

Thanks,
Anatoli

OpenBSD 6.5-current (GENERIC.MP) #154: Mon Jul 29 00:51:01 MDT 2019
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34240577536 (32654MB)
avail mem = 33192677376 (31655MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7aeba000 (82 entries)
bios0: vendor American Megatrends Inc. version "5.12" date 06/29/2018
bios0: Default string Default string
acpi0 at bios0: ACPI 6.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT HPET SSDT SSDT SSDT UEFI SSDT LPIT SSDT SSDT SSDT SSDT DBGP DBG2 DMAR WSMT
acpi0: wakeup devices RP09(S4) PXSX(S4) RP10(S4) PXSX(S4) RP11(S4) PXSX(S4) RP12(S4) PXSX(S4) RP13(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 a
Re: compared filesystem performance, was Re: 10GBit network performance on OpenBSD 6.4
> totally agree, Anatoli could you please compare ?

Will try to make tests these days + will attach dmesg.

Anyway, without a FS (sequentially writing to a raw device) we'd be testing just the sequential speed to a raw device, not even to a partition. I think this would be a practical maximum possible performance for that device, not a real-use scenario. But combined with other tests this could be an interesting stat to find the bottleneck.

*From:* Chris Cappuccio
*Sent:* Tuesday, April 09, 2019 10:36
*To:* Gwes
*Cc:* Chris Cappuccio, Anatoli, Misc
*Subject:* Re: compared filesystem performance, was Re: 10GBit network performance on OpenBSD 6.4

gwes [g...@oat.com] wrote:
> That doesn't answer the question: if you say
> dd if=/dev/zero of=/dev/sda (linux) /dev/rsd0c (bsd) bs=64k count=100
> what transfer rate is reported

totally agree, Anatoli could you please compare ?

> That number represents the maximum possible long-term filesystem performance on that drive.

you mean non-filesystem?
Re: 10GBit network performance on OpenBSD 6.4
On top of this (and I don't know why, maybe because of softraid FS encryption?) I haven't seen any effect of the FS cache for files of any size (not even 128Mb) that is supposed to be using at least the 32-bit mem (some percent of the first 4Gb, https://unix.stackexchange.com/questions/61459/does-sysctl-kern-bufcachepercent-not-work-in-openbsd-5-2-above-1-7gb/62184#62184).

In the presence of FS/hardware management inefficiencies, things could be dramatically improved with an efficient FS cache if one has enough RAM as reading from RAM should be in the range of dozens of GB/s with nanoseconds latency, but that's not the case unfortunately (at least in my setup).

*From:* Joseph Mayer
*Sent:* Monday, April 08, 2019 22:52
*To:* Chris Cappuccio
*Cc:* Anatoli, Misc
*Subject:* Re: 10GBit network performance on OpenBSD 6.4

On Tuesday, April 9, 2019 3:28 AM, Chris Cappuccio wrote:
> Anatoli [m...@anatoli.ws] wrote:
> > I've seen extremely slow HDD performance in OpenBSD, like 12x slower than on Linux, also no filesystem cache, so depending on your HDD with scp you may be hitting the max throughput for the FS, not the network.
>
> 12x slower? That's insane. What are you talking about? USB HDD? USB Flash? SATA? Driver? You should submit a bug report with lots of details.
>
> Chris

Chris,

Isn't the filesystem layer in OpenBSD altogether serial-processing, all the way pretty much from userland fwrite() down to hardware access (as in no use of hardware multiqueueing).

The non-use of multiqueueing is problematic for random reads from SSD:s as they have extremely high latency within the individual read op e.g. ~~1 millisecond.

On the hardware where I tested, OpenBSD will give ~120MB/sec system-wide filesystem IO on any number of disks, also using an NVMe SSD which has ~500-900MB/sec random access performance. I took this as confirmation of the filesystem layer itself being the primary bottleneck.

Also is the filesystem's internal sector size which it then accesses underlying hardware with, 4KB, 16KB or 512B? I always suspected the last-mentioned.

One thing that will be very interesting to see in OpenBSD is how serial and random accesses perform on Intel Optane NVMe disks, with their incredibly low latency. These could offset OpenBSD filesystem limitations in not parallelizing IO.

Also the filesystem logics can be sidestepped by doing 16KB aligned accesses to /dev/rsd* .

Joseph
Re: 10GBit network performance on OpenBSD 6.4
Hi,

I guess you're hitting 2 bottlenecks: the CPU performance for iperf and HDD performance for scp. Check how much CPU is consumed during iperf transfer and try scp'ing something not from/to HDD, e.g. /dev/zero.

I've seen extremely slow HDD performance in OpenBSD, like 12x slower than on Linux, also no filesystem cache, so depending on your HDD with scp you may be hitting the max throughput for the FS, not the network.

Regards,
Anatoli

*From:* Mark Schneider
*Sent:* Saturday, April 06, 2019 17:52
*To:* Misc
*Subject:* 10GBit network performance on OpenBSD 6.4

Hi,

Please allow me a few questions regarding 10GBit network performance on OpenBSD 6.4. I face quite low network performance for the Intel X520-DA2 10GBit network card.

Test configuration in OpenBSD-Linux-10GBit_net_performance.txt - http://paste.debian.net/1076461/
Low transfer rate for scp - OpenBSD-10GBit-perftest.txt - http://paste.debian.net/1076460/

Test configuration:

# ---
# OpenBSD 6.4 on HP DL380g7
# -
# 10GBit X520-DA2 NIC
ix0: flags=208843 mtu 1500
        media: Ethernet autoselect (10GbaseSR full-duplex,rxpause,txpause)
        inet6 fe80::d51e:1b74:17d7:8230%ix0 prefixlen 64 scopeid 0x1
        inet 200.0.0.3 netmask 0xff00 broadcast 200.0.0.255
ix1: flags=208843 mtu 1500
        media: Ethernet autoselect (10GbaseSR full-duplex,rxpause,txpause)
        inet 10.0.0.7 netmask 0xff00 broadcast 10.0.0.255
        inet6 fe80::b488:caea:5d6f:9992%ix1 prefixlen 64 scopeid 0x2
# ---

Compared to Linux the 10GBit transfer from/to OpenBSD is a few times slower:

# ---
# OpenBSD to Linux (Asus P8BWS)
# -
srvob# iperf3 -c 10.0.0.2
...
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.00 sec 1.50 GBytes 1.29 Gbits/sec sender
[ 5] 0.00-10.20 sec 1.50 GBytes 1.27 Gbits/sec receiver
# ---

# ---
# Linux (DL380g7) to Linux (Asus P8BWS)
# -
root@kali:~# iperf3 -c 100.0.0.2
...
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 10.9 GBytes 9.39 Gbits/sec 328 sender
[ 5] 0.00-10.04 sec 10.9 GBytes 9.35 Gbits/sec receiver
# ---

The scp transfer rate is like 21MBytes/s only per ssh connection (OpenBSD <-> Linux):

# ---
root@kali:~# scp /re*/b*/ka*/kali-linux-kde-2019.1a-*.iso ironm@10.0.0.7:/home/ironm/t12.iso
ironm@10.0.0.7's password:
kali-linux-kde-2019.1a-amd64.iso 4% 173MB 21.5MB/s 02:40 ETA
# ---

The 1GBit copper based NIC works also slower but reaching almost 40% of the max transfer rate of 1 Gbit:

# ---
# OpenBSD 6.4 (DL380g7 1Gbit NIC) to Linux (DL380g7 1GBit NIC)
#
srvob# iperf3 -c 170.0.0.10
...
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.00 sec 471 MBytes 395 Mbits/sec sender
[ 5] 0.00-10.20 sec 471 MBytes 388 Mbits/sec receiver
# ---

# ---
# Linux (Asus P8BWS) to Linux (DL380g7)
# -
root@kali:~# iperf3 -c 192.168.1.122
...
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 1.09 GBytes 939 Mbits/sec 183 sender
[ 5] 0.00-10.04 sec 1.09 GBytes 934 Mbits/sec receiver
# ---

Thank you in advance for your hints what OpenBSD 6.4 settings do I miss.

Best regards
Mark
Xeon or EPYC for heavy-duty web/DB?
Hi all,

Could you please share your experience with AMD EPYC?

I have to implement some heavy processing* for a project and I'd like to try to do it with OpenBSD. At this moment, I have to decide the hardware to use to start with the tests. Basically this would be either Xeon Platinum 81xx or similar EPYC, both in multi-socket versions (the idea is to have 2 processors per server).

EPYC being NUMA, however, makes me doubt how well it's supported by OpenBSD. Should both CPUs perform similarly to how they work under Linux (especially 4.15, [1][2]) or should I expect some considerable disadvantage for EPYC under OpenBSD on heavy memory/nw I/O?

*By heavy processing I mean full hw utilization for heavy networking (multiple 10G per server, the ideal would be to come close to 100G with something like dual Sierra 32716 (Intel 82599EB) from InterfaceMasters) for files serving (CDN with NginX), business logic (PHP & co for thousands of simultaneous connections) and RDBMS (MariaDB managing data for the business logic), each task at different physical server (or group of servers, e.g. MariaDB Galera Cluster).

I've done similar projects with Linux, but never with OpenBSD, so probably the first question to ask should be whether OpenBSD is suitable for such setups at all? What performance impact, comparing to Linux, should I expect? The project can tolerate OpenBSD delivering 15% less performance, but if the impact is, say, 30% or more, this would be a difficult decision.

If you have a similar real-world deployment experience, could you please share? Any tip on what could go wrong, possible tough issues comparing to identical setup under Linux?

Thanks,
Anatoli

[1] https://www.phoronix.com/scan.php?page=news_item=AMD-EPYC-Linux-4.15-First-Test
[2] https://www.servethehome.com/amd-epyc-7000-series-architecture-overview-non-ce-ee-majors/
Re: 4-ports router under $150
Thanks, Maxim. Have you tried it with OpenBSD? Or should all these j1900 devices work well?

*From:* Максим
*Sent:* Monday, April 09, 2018 02:30
*To:* Anatoli, Misc
*Subject:* Re: 4-ports router under $150

Hi Anatoli,

Another good device for $165 in basic setup:
https://ru.aliexpress.com/item/Mini-Industrial-PC-Max-8G-DDR3-Dual-Core-Mini-Desktop-Computer-x86-4-Lan-port-12v/32692470253.html?spm=a2g0v.search0104.3.23.1e1e2025iFZAQt_ab_test=searchweb0_0,searchweb201602_2_10152_10151_10065_10344_10068_10342_5722912_10343_10340_5722612_10341_10698_10697_10696_5722812_10084_10083_10618_5722712_10307_10301_10059_10534_308_100031_10103_441_10624_10623_10622_10621_5723012_10620_5722512,searchweb201603_25,ppcSwitch_3_expid=55575e8e-990d-4e17-80a8-5eec917361f0-3_pvid=55575e8e-990d-4e17-80a8-5eec917361f0=ae803_1=0

--
Best regards,
Родин Максим

08.04.2018, 02:45, "Anatoli" <m...@anatoli.ws>:
> Hi All!
>
> I'm looking for a modest 4-5 ports router under $150 that works well with OpenBSD. I don't need WiFi, USB or console port, and the throughput doesn't need to exceed 100Mbps.
>
> The ideal device would be EdgeRouter X (compact, 5 ports, $50) but I know it's not supported at this moment and probably never will be.
>
> EdgeRouter (ER) Lite only has 3 ports and the switch ports (eth2-4) of ERPOE-5 are not yet supported.
>
> ER-4 would be great, but the 4th port is SFP, I'd need to buy an SFP NIC for one of my devices and I'm not sure it's supported as the octeon page says ER PRO SFP ports are not supported yet. Also it's a bit expensive ($190).
>
> Banana Pi R2 would be great too, but I couldn't find if it's supported by OpenBSD (it has MediaTek MT7623N, Quad-core ARM Cortex-A7).
>
> Are there 4-5 port devices that are known to work well with OpenBSD?
>
> Thanks,
> Anatoli
Re: 4-ports router under $150
Thanks for your suggestion, Joel.

> If you want AES-NI then these are the Cheapest: https://www.aliexpress.com/item/Minisys-4-Lan-pfsense-minipc-Intel-atom-E3845-quad-core-mini-itx-motherboard-linux-firewall-computer/32825684280.html

This one looks good, a bit more expensive ($172) than my limit, but probably I could expand it.

> You can get 4 ports j1900's for sub $100 off ali-express

Yeah, there're a lot of devices, but I don't know which one works well with OpenBSD. Could you please point me to a particular device that you know works well?

*From:* Joel Wirāmu Pauling
*Sent:* Sunday, April 08, 2018 23:54
*To:* Anatoli
*Cc:* Misc
*Subject:* Re: 4-ports router under $150

You can get 4 ports j1900's for sub $100 off ali-express. If you don't care about AES-NI they do 5gbit duplex slow path l3 forwarding just fine:

If you want AES-NI then these are the Cheapest : https://www.aliexpress.com/item/Minisys-4-Lan-pfsense-minipc-Intel-atom-E3845-quad-core-mini-itx-motherboard-linux-firewall-computer/32825684280.html

On 9 April 2018 at 12:20, Anatoli <m...@anatoli.ws> wrote:
> Guys, thank you all for your recommendations.
>
> > I know it only has three NICs, so it's likely a non-starter for the OP
>
> Yepp, there are a lot of nice devices with 3 NICs, but I need at least 4 and actually I don't need more than 5.
>
> > The Edgerouter 6 is going to be coming out shortly, that is what I am holding out for to run my home network on
> > I think the ER6 is going to be retailing for about $220
>
> It's a nice device for the suggested price, but it's a bit expensive for my project. I need a number of the devices, the idea is not to surpass $150.
>
> > https://ru.aliexpress.com/item/QOTOM-310G4-3215U-Barebone-mini-pc-Dual-core-4-nics-Mini-pc-Ubuntu-Industrial-desktop-Computer/32769767156.html
> > This is what I bought for similar purposes.
> > It has 4 Intel Gigabit ports and their efficiency is 99%.
>
> Thanks Максим, looks interesting, but again it's a bit expensive. The basic version with RAM costs about $232.
>
> > apu4b4 provides 4 intel NICs: http://pcengines.ch/apu4b4.htm
>
> Thanks a lot Karel, I didn't know there was an apu4 board. I guess this is the device I'm looking for. Though, there's no information on internet about it, even the official page doesn't provide links to it, it appears only on the order page. Was it released just recently? Can you confirm it's working well with OpenBSD 6.2/6.3? Do you know where to buy it? On the official order page ( http://www.pcengines.ch/newshop.php?c=4) it says "No stock".
>
> Regards,
> Anatoli
>
> *From:* Karel Gardas
> *Sent:* Sunday, April 08, 2018 09:39
> *To:* Jungle Boogie
> *Cc:* Misc
> *Subject:* Re: 4-ports router under $150
>
> On Sat, 7 Apr 2018 19:01:50 -0700 jungle boogie <jungleboog...@gmail.com> wrote:
> > Thus said Jordan Geoghegan on Sat, 7 Apr 2018 17:57:16 -0700
> > > The Edgerouter 6 is going to be coming out shortly, that is what I am holding out for to run my home network on.
> >
> > Just curious, why this and not amd64 bit with something like the pcengine apu2 board?
> >
> > I know it only has three NICs, so it's likely a
>
> apu4b4 provides 4 intel NICs: http://pcengines.ch/apu4b4.htm
Re: 4-ports router under $150
Guys, thank you all for your recommendations.

> I know it only has three NICs, so it's likely a non-starter for the OP

Yepp, there are a lot of nice devices with 3 NICs, but I need at least 4 and actually I don't need more than 5.

> The Edgerouter 6 is going to be coming out shortly, that is what I am holding out for to run my home network on
> I think the ER6 is going to be retailing for about $220

It's a nice device for the suggested price, but it's a bit expensive for my project. I need a number of the devices, the idea is not to surpass $150.

> https://ru.aliexpress.com/item/QOTOM-310G4-3215U-Barebone-mini-pc-Dual-core-4-nics-Mini-pc-Ubuntu-Industrial-desktop-Computer/32769767156.html
> This is what I bought for similar purposes.
> It has 4 Intel Gigabit ports and their efficiency is 99%.

Thanks Максим, looks interesting, but again it's a bit expensive. The basic version with RAM costs about $232.

> apu4b4 provides 4 intel NICs: http://pcengines.ch/apu4b4.htm

Thanks a lot Karel, I didn't know there was an apu4 board. I guess this is the device I'm looking for. Though, there's no information on internet about it, even the official page doesn't provide links to it, it appears only on the order page. Was it released just recently? Can you confirm it's working well with OpenBSD 6.2/6.3? Do you know where to buy it? On the official order page (http://www.pcengines.ch/newshop.php?c=4) it says "No stock".

Regards,
Anatoli

*From:* Karel Gardas
*Sent:* Sunday, April 08, 2018 09:39
*To:* Jungle Boogie
*Cc:* Misc
*Subject:* Re: 4-ports router under $150

On Sat, 7 Apr 2018 19:01:50 -0700 jungle boogie <jungleboog...@gmail.com> wrote:
> Thus said Jordan Geoghegan on Sat, 7 Apr 2018 17:57:16 -0700
> > The Edgerouter 6 is going to be coming out shortly, that is what I am holding out for to run my home network on.
>
> Just curious, why this and not amd64 bit with something like the pcengine apu2 board?
>
> I know it only has three NICs, so it's likely a

apu4b4 provides 4 intel NICs: http://pcengines.ch/apu4b4.htm
4-ports router under $150
Hi All!

I'm looking for a modest 4-5 ports router under $150 that works well with OpenBSD. I don't need WiFi, USB or console port, and the throughput doesn't need to exceed 100Mbps.

The ideal device would be EdgeRouter X (compact, 5 ports, $50) but I know it's not supported at this moment and probably never will be.

EdgeRouter (ER) Lite only has 3 ports and the switch ports (eth2-4) of ERPOE-5 are not yet supported.

ER-4 would be great, but the 4th port is SFP, I'd need to buy an SFP NIC for one of my devices and I'm not sure it's supported as the octeon page says ER PRO SFP ports are not supported yet. Also it's a bit expensive ($190).

Banana Pi R2 would be great too, but I couldn't find if it's supported by OpenBSD (it has MediaTek MT7623N, Quad-core ARM Cortex-A7).

Are there 4-5 port devices that are known to work well with OpenBSD?

Thanks,
Anatoli