Re: Kernel debugging

2024-05-11 Thread Daniel Hejduk
Hello again,
Is there any way to build the kernel on Linux, preferably Arch Linux?

Best regards,
Daniel Hejduk

On 11 May 2024 22:05:50 CEST, "Kirill A. Korinsky" wrote:
>On Sat, 11 May 2024 20:28:08 +0100,
>Daniel Hejduk  wrote:
>> 
>> I want to enable kernel debugging; how can I do it?
>> 
>
>See: https://man.openbsd.org/options
>
>-- 
>wbr, Kirill
>


Kernel debugging

2024-05-11 Thread Daniel Hejduk
Hello,
I want to enable kernel debugging; how can I do it?

Best regards,
Daniel Hejduk

Re: My PC is crashing

2024-05-10 Thread Daniel Hejduk
Hello again,
I tried memtest and it passed :D
But after some attempts to debug it I found something: the sudden shutdown 
corrupts the disk.
One particular file "/share/relink/kernel/GENERIC.MP/gap.o" was always 
corrupted.
So it happens when the kernel is relinking.

As you told me, I tried using i386, but it didn't boot, neither by flashing it to USB nor 
by using Ventoy.
Ventoy will always prompt me "Maybe the image does not support X64 UEFI", so I 
tried enabling legacy but again nothing.
Is there a way to boot i386, or fix the relinking error?

Thank you for helping me on my journey.

Best regards,
Daniel Hejduk

On 10 May 2024 9:33:59 CEST, Stuart Henderson wrote:
>On 2024-05-10, Peter N. M. Hansteen  wrote:
>> On Fri, May 10, 2024 at 08:48:56AM +0200, Anders Andersson wrote:
>>> Missing from the FAQ is IMO step 0: Run memtest over night to rule out
>>> hard to debug hardware problems. It won't catch everything of course,
>>> but it usually finds RAM issues which is its main job.
>>
>> That is a very valid point. 
>>
>> Bad RAM could very well be the cause of the problems described. And on
>> a side note, given that the memory allocation in OpenBSD is different than
>> what some other systems do, it is not unlikely that other systems never
>> or only rarely would hit the failing memory location while OpenBSD would,
>> more often.
>
>Yet it was able to do an install and relink the kernel while in the
>installer. Also IME memory-related problems are more likely to result in
>crashes rather than the machine shutting down. This doesn't completely
>rule out memory problems, but it's more likely to result from a
>difference between RAMDISK and GENERIC.MP kernels.
>
>First things first, Daniel:
>
>- if you used i386, try amd64 instead.
>
>- if you configured to run X in the installer, try without that.
>
>- try going back a release or two, is there any difference?
>
>-- 
>Please keep replies on the mailing list.
>


My PC is crashing

2024-05-09 Thread Daniel Hejduk
Hello,
I installed OBSD on my IdeaPad.
The install went fine; I installed offline using the .iso file.
But after rebooting it works for ~30 seconds and after that it shuts down,
without any errors, kernel panics, nothing.

How can I debug it? I will send you more info if I find something.

Best regards,
Daniel Hejduk

Re: Power consumption of Pinebook Pro running OpenBSD

2024-05-04 Thread Daniel Wilkins
On Sat, May 04, 2024 at 05:56:10PM +1000, Brett Mahar wrote:
> Hi misc,
>
> I am getting a Pinebook Pro soon and just wondering how many hours the 
> battery tends to last from a full charge with OpenBSD?

I ran openbsd on my PBP for a while. To answer your question: a lot less than 
Linux. The lack of hardware accelerated video
*anything* on the PBP (unless this has changed in the last couple of releases) 
will murder your battery life and make
videos rather stuttery.

This may be at least partially resolved since I last used it (I don't know if 
mali drivers would be pulled in during
a resync of DRM,) but another thing to be aware of with installing OpenBSD is 
that (again, unless I'm out of date) there's no
tty driver. This means you'll have to do the installation with a 3.5mm to 
serial adapter. The Pine store sells defective ones,
but you can take your chances if you like. You can also repair them if you 
like. From the factory they're specced to put 5v on
the PBP which is expecting 3.3v. It probably won't fry your laptop, but it 
might. I think it's just swapping one resistor in
the cable. Just a heads up.

I'd be curious if the experience is much better these days, but given how 
garbage even support for Linux is when Pine nominally
"supports" linux on their products, I'm not holding out too much hope.

Best of luck,
Danny



Re: ubnt edgerouter 8

2024-04-29 Thread Daniel Gracia
I replaced my 8 Pro fans with Noctua units and I'm pretty happy with them;
they came with several adapters that allow you to choose the speed of the
fans.

Converting to passive cooling, if you have enough room on the cabinet and
are a proficient user of drills, I'd try to (i) remove the heatsink of the
CPU, (ii) drill a hole on the top case, (iii) put a little wire to measure
the distance from the case to the surface of the CPU, (iv) go to the
hardware store to get some aluminium profiles, (v) cut and pile them up the
distance between cover and CPU and there you go. With a little luck the
case top will go HOT, and the CPU will chump happily. No guarantees implied
(take into account I live in a quite cold place xDDD).

Regards!

On Mon, 29 Apr 2024 at 15:41, Peter J. Philipp wrote:

> Hi,
>
> What sort of things can I do to keep an edgerouter 8 cool that doesn't have
> fans?  I'm ready to pull the fans out of it because they have a certain
> harmonic that makes me physically ill.  But I like the octeon!
>
> So short of throwing it out I'm thinking of pulling the plug (on the fans).
> Would running it with 1 core instead of multicpu keep it cooler?  Would it
> be enough?  Should I glue some raspberry pi heatsinks to the CPU?  I have a
> few extra.
>
> These are the 2nd fans on this thing they were supposed to be quieter but
> they still annoy me.  I understand I'm a very sensitive person to noise and
> vibration (ever since I was a baby).
>
> Other than running off one core only to keep thermals low, is there any
> other stuff one can do like step the processor cycles down?
>
> Any help is much appreciated.  The ER-8 right now idles a lot anyhow and
> I plan on using it for the 8 RJ45 ports.
>
> Best Regards,
> -pjp
>
> --
> my associated domains:  callpeter.tel|centroid.eu|dtschland.eu|
> mainrechner.de
>
>


Re: Firewall setup

2024-04-16 Thread Daniel Ouellet
, but also stop outgoing one. This means, KNOW your 
traffic and let out what you want to go out!


Define your needs first then address them one by one.

So if I continue with my example, I see you did this:

tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"

I would ask again WHY?

If you DO NOT host any services, then you don't need to define any...

Again, it is NOT because you can do something that you should do it.

And IF you would have some, why define them in two places?

Properly defined needs will avoid basic mistakes like this that sooner or 
later WILL bite you in the butt!


And even here IF I go deeper, if it is only for you, why have both 
secure one and insecure one and even why pop3 and IMAP? Don't you know 
the configuration of your mail client?


If that was ONLY for you, do you actually setup your mail clients to use 
all of them?


Here I would argue no.

I would very strongly FIRST start by thinking what you want to do, 
define your needs, argue them and why you want them. Are they needed and 
justify them.


After they are defined and you understand why, then and ONLY then would 
you start doing your config for it.


AND you should do one at a time, test, make sure it works the way you 
want it to, then do the next one.


If you have no service you are hosting, then you should simply do a NAT 
setup and that's it as you would have no other needs.


Knowing what you want and why, is the key to understand your setup and 
know why you did what you did, and trust me, you will know how to 
maintain it too because you will know what you did and why you did it!


Looks to me like you haven't done the basics yet. Meaning define what you want 
and justify why...


And you sure try to do a setup that is way too complicated for your needs 
and doing that, especially if you go the bridge way, you will think you are 
protected and you will have a Swiss cheese setup big time.


There is nothing worse than a false sense of security.

Now as you can see I didn't suggest ANY configuration, as I see no needs 
on your setup, yet. You haven't given any reason for any specific 
configuration needs.


And last VERY important point, if you asked for help, then PROVIDE YOUR 
FULL configuration, NOT what you might think is relevant as you said you 
don't have the knowledge for it, so don't assume what you send is useful.


If you want people to help you, start by helping them help you and 
give them ALL the information!


Hope this provides you some help from the start and yes I mean from the 
start.


Define what you want to do and FORGET any configuration until you can 
explain what you want very clearly and simply.


You might be surprised how simple it can be...

Could be as simple as:

match out on egress inet from !(egress:network) to any nat-to egress:0

Here I am not saying to do this. I only type this as an example to show 
how simple it possibly can be on a NAT setup with no simple needs.


Daniel
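
A minimal ruleset along the lines this message argues for, as an added example that is not part of the original post: default deny in both directions, NAT for the LAN, and one short list of outbound services instead of overlapping macros for services nobody hosts. The interface name `em1` and the contents of `out_tcp` and `out_udp` are assumptions to be replaced with the network's own stated needs.

```conf
# Constructed example pf.conf for a NAT-only gateway that hosts no services.
# Assumptions: em1 is the internal interface; the outbound service lists are
# placeholders for what the network actually needs.

# Before (macros quoted in the thread): two overlapping lists, plaintext and
# TLS variants side by side, on a network that hosts none of them.
#   tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
#   email        = "{ smtp, imap, imaps, imap3, pop3, pop3s }"

# After: one macro per protocol, every entry justified by a known need.
lan_if  = "em1"
out_tcp = "{ domain, https, imaps, submission, ssh }"
out_udp = "{ domain, ntp }"

set skip on lo

# Default deny in BOTH directions; "log" makes unexpected traffic visible
# on pflog0 instead of silently dropping it.
block return log all

# The one-line NAT rule from the message. The parentheses (an addition here)
# make pf track address changes on the egress interface.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# LAN clients may reach only the listed services...
pass in on $lan_if inet proto tcp from $lan_if:network to any port $out_tcp
pass in on $lan_if inet proto udp from $lan_if:network to any port $out_udp

# ...and only those services may leave on the egress interface.
pass out on egress inet proto tcp to any port $out_tcp
pass out on egress inet proto udp to any port $out_udp

# No "pass in on egress" rule exists: nothing is hosted, so nothing is
# reachable from outside.
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which fits the "one at a time, test" approach described in the message.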



Re: Installing shellinabox on OpenBSD

2024-02-12 Thread Daniel Ouellet

Use a USB drive and run it from that...

You don't need to install it on the Windows machine.

Anyway, in 2024 still not having a decent native ssh client on Windows says 
how interested Microsoft is in making a secure OS really...



On 2/12/24 3:41 PM, Chris Narkiewicz wrote:

On Mon, Feb 12, 2024 at 02:38:25PM -0500, Daniel Ouellet wrote:

I am not sure why people say they can't have a safe ssh client for Windows...


OP mentioned he cannot install software on the machine. This is pretty
common issue if machine is managed by somebody else.

Best regards,
Chris Narkiewicz





Re: Installing shellinabox on OpenBSD

2024-02-12 Thread Daniel Ouellet

Just use Putty if you want a Windows ssh client.

It has existed for more than 25 years now.

and it is still supported.

Just maintain your systems via ssh and move on.

Putty also allows you to use ssh keys as well.

I am not sure why people say they can't have a safe ssh client for Windows...



On 2/12/24 2:20 PM, Chris Narkiewicz wrote:

On Mon, Feb 12, 2024 at 07:12:49PM +, Chris Narkiewicz wrote:


If security is not a problem, you can use telnet. Windows has telnet
client built-in.


Also, ttyd is in ports. This could be handy:

https://openports.pl/path/www/ttyd

Best regards,
Chris Narkiewicz





Re: OT: SSH3 proposal

2024-02-05 Thread Daniel Wilkins
On Mon, Feb 05, 2024 at 07:26:27AM +, Carlos Lopez wrote:
> Hi all,
>
> https://blog.apnic.net/2024/02/02/towards-ssh3-how-http-3-improves-secure-shells/
>
> Uhmm ... ssh over http/3? What do you think about it?
>
> Best regards,
> C. L. Martinez
>
I'm not an ssh dev but it seems like it'd technically *work*, it's just cursed
as all hell.



Re: Cannot PXE Boot PC Engines APU.1D4

2024-01-01 Thread Daniel Ouellet

On 1/1/24 3:12 PM, Stuart Henderson wrote:

On 2024-01-01, Kenneth Hendrickson  wrote:

  --- On Monday, January 1, 2024 at 06:10:57 AM EST, Stefan Sperling 
 wrote:


Booting 7.4 or -current kernels with an old pxeboot binary won't work.
Make sure that both the kernel image and pxeboot originate from the
7.4 release or -current.



I was using pxeboot and bsd.rd from 7.4.


Did you create etc/boot.conf in the tftp server dir with the commands to
switch to serial console? (stty com0 , set tty com)


I think set tty com0
   ^

Mine works with:

gateway$ cat /etc/boot.conf
set timeout 5
stty com0 115200
set tty com0



Re: Cannot PXE Boot PC Engines APU.1D4

2023-12-31 Thread Daniel Ouellet

I don't have any problem with many of my pc engine.

But if you want something else I used these now because they support 
Core Boot.


https://protectli.com/

I am not going back to BIOS that are not right and not supported after a 
year.


No thanks!



On 12/31/23 8:56 PM, Kenneth Hendrickson wrote:

Cannot PXE Boot PC Engines APU.1D4

Have tried both i386 and amd64.
Verified that my tftpd server is working.

This used to work.  Now fails.
Hardware is about 10 years old.
Do I need new hardware??

What is recommended?
Need minimum of 3 ethernet ports.

Thanks in advance.





Re: man.openbsd.org failure?

2023-12-21 Thread Daniel Jakots
On Thu, 21 Dec 2023 21:22:49 -0500, Dave Anderson  wrote:

> Safari isn’t providing much useful information, but starting today
> I’m consistently getting a “server stopped responding” error when
> trying to access the online man pages at man.openbsd.org.
> www.openbsd.org is working fine.

Yes, it's a maintenance:
https://marc.info/?l=openbsd-misc&m=170301839017559&w=2

Cheers,
Daniel



Re: Appimage

2023-12-20 Thread Daniel Wilkins
On Tue, Dec 19, 2023 at 10:31:00PM +0200, Mihai Popescu wrote:
> > The point of appimage is to work on any Linux distro.
>
> But it is not working. Like many other ideas created to work on any distro ...
>
That's a whole other discussion beyond making it work on OpenBSD ;)

As I understand it that's because packagers don't understand that you're
supposed to include *every* library in your appimage.



Re: Appimage

2023-12-19 Thread Daniel Wilkins
On Tue, Dec 19, 2023 at 03:50:26PM +, Kevin Chadwick wrote:
> I'm not sure if this is a pipe dream but at least I imagine the filesystem API 
> and /proc avoidance is likely possible.
>
> "https://github.com/AppImage/AppImageKit/issues/98"
>
The point of appimage is to work on any Linux distro. There's only one OpenBSD. 
An AppImage written for Linux with
the Linux ABI won't run on OpenBSD even if /proc is implemented.



Re: Getting stuck on trying a fresh install to 7.4

2023-12-08 Thread Daniel Ouellet

On 12/8/23 3:34 AM, Stuart Henderson wrote:

On 2023-12-07, Daniel Ouellet  wrote:

On 12/7/23 7:37 AM, Stuart Henderson wrote:

On 2023-12-06, Daniel Ouellet  wrote:

Any suggestion would be greatly appreciated.


Old boot loaders cannot boot 7.4 kernels.
Upgrade your 6.7 system to 7.3 first (the usual advice to avoid
skipping releases during upgrades applies). Then upgrade to 7.4.


Specifically the interface used for communicating system
console information between the boot loader and the kernel was changed.
There was backwards compat but sadly it was removed after one single
release.

I think this brings the total number of people I know who have been
affected by this up to 6 now.


I didn't care what's on it now. All fresh install will do.
I have 22 to do. :(


You can copy a new bootloader to the old machines and run installboot.


Hi Stuart,

Just to be clear and to help others here.

You are talking about these two files only right?

/usr/mdec/boot
/usr/sbin/installboot

or should this one below be included too? I don't think it's needed, but
just want to be sure and make the info complete.

/usr/mdec/biosboot


Assuming standard partition table not GPT: /usr/mdec/boot and
/usr/mdec/biosboot. *Not* /usr/sbin/installboot, the new binary
is unlikely to run on new OS.



Thanks Stuart.

I will test it out. Plenty to test with anyway. (;



Re: Getting stuck on trying a fresh install to 7.4

2023-12-07 Thread Daniel Ouellet

On 12/7/23 7:37 AM, Stuart Henderson wrote:

On 2023-12-06, Daniel Ouellet  wrote:

Any suggestion would be greatly appreciated.


Old boot loaders cannot boot 7.4 kernels.
Upgrade your 6.7 system to 7.3 first (the usual advice to avoid
skipping releases during upgrades applies). Then upgrade to 7.4.


Specifically the interface used for communicating system
console information between the boot loader and the kernel was changed.
There was backwards compat but sadly it was removed after one single
release.

I think this brings the total number of people I know who have been
affected by this up to 6 now.


I didn't care what's on it now. All fresh install will do.
I have 22 to do. :(


You can copy a new bootloader to the old machines and run installboot.


Hi Stuart,

Just to be clear and to help others here.

You are talking about these two files only right?

/usr/mdec/boot
/usr/sbin/installboot

or should this one below be included too? I don't think it's needed, but 
just want to be sure and make the info complete.


/usr/mdec/biosboot




Re: Getting stuck on trying a fresh install to 7.4 (solved)

2023-12-06 Thread Daniel Ouellet

On 12/6/23 3:42 PM, Daniel Ouellet wrote:

Any suggestion would be greatly appreciated.


Old boot loaders cannot boot 7.4 kernels.
Upgrade your 6.7 system to 7.3 first (the usual advice to avoid
skipping releases during upgrades applies). Then upgrade to 7.4.


I didn't care what's on it now. All fresh install will do.
I have 22 to do. :(
All fresh as docs are good on what's needed and it's time to wipe clean.


Or try booting fresh 7.4 install media from a USB stick.


I do one to 7.3 now and it boot, so will see if after that I can boot 
bsd.rd 7.4.


Thank you for the clue stick, will know soon!

Daniel


Many thanks for the clue stick.

Simple solution as usual. I wish I thought of it, but nevertheless done.

All wiped out, fresh install, patched, configured, files restored and back 
in operation.


Thanks again!

21 more to go...

New dmesg
-


Re: Getting stuck on trying a fresh install to 7.4

2023-12-06 Thread Daniel Ouellet

Any suggestion would be greatly appreciated.


Old boot loaders cannot boot 7.4 kernels.
Upgrade your 6.7 system to 7.3 first (the usual advice to avoid
skipping releases during upgrades applies). Then upgrade to 7.4.


I didn't care what's on it now. All fresh install will do.
I have 22 to do. :(
All fresh as docs are good on what's needed and it's time to wipe clean.


Or try booting fresh 7.4 install media from a USB stick.


I do one to 7.3 now and it boot, so will see if after that I can boot 
bsd.rd 7.4.


Thank you for the clue stick, will know soon!

Daniel



Re: Getting stuck on trying a fresh install to 7.4

2023-12-06 Thread Daniel Ouellet

On 12/6/23 3:26 PM, Crystal Kolipe wrote:

On Wed, Dec 06, 2023 at 03:08:09PM -0500, Daniel Ouellet wrote:

I try to do a fresh install on servers that run 6.7 to 7.4, but no matter
what I try, I get stuck.

I tried previous version and I was able to load 7.3. DMESG below for the
bsd.rd.


When you say, "fresh install", are you actually using the _bootloader_ from
7.4-release, or just trying to load the bsd.rd kernel from your existing
installation?

Or to put it another way, did you download the 7.4-release miniroot image
or just bsd.rd?


I did just the download of bsd.rd, but I am not doing a full install of 
7.3 as suggested by Stefan and will try again and see.


I should know in a few minutes from now.

Thanks

Daniel



Getting stuck on trying a fresh install to 7.4

2023-12-06 Thread Daniel Ouellet

Hi,

Hopefully you may have a clue stick to offer me.

I try to do a fresh install on servers that run 6.7 to 7.4, but no 
matter what I try, I get stuck.


I tried previous version and I was able to load 7.3. DMESG below for the 
bsd.rd.


I try BIOS change for EFI ONLY, or Legacy & EFI, or Legacy only. No avail.

It's not the console issue either.

I try to boot -c and disable the efi, no difference.

I try to load the bsd.rd i386 to see, or the amd64, still in both cases 
no avail and I put before the different output of each one. The i386 
reboots after a few seconds, the amd64 gets stuck until I force a reboot.


I put the actual working dmesg of the current install as well for more info.

On Google I saw a few references to the output I got saying maybe the 
cpu doesn't support 64 bits, but it is and have been running the AMD 
for years. So that's not it either.


That really shouldn't make a difference, but just for the record, I 
also run softraid on these servers as shown below.


Could this be a cause may be?

Any suggestion would be greatly appreciated.

Thanks

Daniel


--
Try to boot with i386 bsd.rd
--

I get this and the server reboot after a few seconds.

 [88+160+28]=0x9183001888\
entry point at 0xd02010003291667-

Nothing after that

--
Try to boot with amd64 bsd.rd
--

I get this and stop, nothing happens after that.

+444888+297417]=0xa7679847
entry point at 0x81001000808+3886664+0|

--
Also I tried to load the 74 bsd. I know it wouldn't work, or shouldn't 
with the userland, etc but I just wanted to see if it start to boot 
anyway and it just display the below and reboot.

--

+368672+0+1241088 [1340407+128+1321080+1013316]=0x1973738
entry point at 0x81001000142096|

--
And I tried to load the 74 bsd.mp. Same results, reboot after displaying 
the following.

--

+4137992+363792+0+1236992 [1342507+128+1317840+1011174]=0x1959a68
entry point at 0x81001000

--
Then I tried the 7.3 bsd.rd and it was able to load.
I didn't do a full install, but I sure can, I just want to do a fresh 
install of 7.4 and I can't.


DMESG below of the working version 7.3 amd64 bsd.rd
--


Re: pf queues

2023-11-30 Thread Daniel Ouellet




On 11/29/23 6:47 PM, Stuart Henderson wrote:

On 2023-11-29, Daniel Ouellet  wrote:

yes, all this can be make without hierarchy, only with priorities(because hierarchy it's 
priorities), but who and why decided that eight would be enough? the one who created cbq- he 
created it for practical tasks. but this "hateful eight" and this "flat-earth"- 
i don't understand what use they are, they can't even solve such the simplified task :\
so what am i missing?


man pf.conf

Look for set tos. Just a few lines below set prio in the man page,

You can have more than 8 if you need/have to.


Only useful if devices upstream of the PF router know their available
bandwidth and can do some QoS themselves.



Same can be said for CoS as well. You can only control what's going out 
of your own network. After that as soon as it reach your ISP or what 
not, you have no clue if they reset everything or not.


At a minimum ToS can cross routers, CoS not so much unless it is built 
for it.


Either way, your QoS will kick in when bandwidth is starving, so if you 
don't know that, what's the point...




Re: pf queues

2023-11-29 Thread Daniel Ouellet

yes, all this can be make without hierarchy, only with priorities(because hierarchy it's 
priorities), but who and why decided that eight would be enough? the one who created cbq- he 
created it for practical tasks. but this "hateful eight" and this "flat-earth"- 
i don't understand what use they are, they can't even solve such the simplified task :\
so what am i missing?


man pf.conf

Look for set tos. Just a few lines below set prio in the man page,

You can have more than 8 if you need/have to.



Ideas for a mix of Arista Layer 3 switches and OpenBSD BGPd setup.

2023-11-16 Thread Daniel Ouellet
I am looking at ideas to improve the setup, or if you do this, your 
experience with it.


The setup has to account for so far.

4 main transit access in different locations and 249 peering setup in 
major data center for public and private peering.


Currently ~945,000 IPv4 routes, ~196,000 IPv6 routes.

The use of Arista switch for routes in hardware is good, but limited 
obviously. Not possible to have full table in it.


IPv4 and IPv6 are on different boxes to take advantage of the TCAM 
capacity as much as possible for each version.


Put into the Arista boxes the most used routes and have the rest processed 
by the OpenBSD boxes.


Use route reflector is kind of obvious to keep things manageable and 
help to track what's best to dump into the layer 3 boxes.


Sure you can use SFlow and NetFlow to track usage, but it is resources 
intensive.


I don't think this exists, but I thought it would be nice IF, somehow 
there was a simple counter into the BGP table that increment each time a 
route is selected, so sorting by that counter periodically and then add 
these routes to the Arista switch would keep the process as fast as 
possible. One in hardware. the other in software.


But I am not aware of anything that can do that super easy and cheap in 
resources is it?


Having two BGP transit sessions on a /29 per location isn't always 
welcome by transit providers and none would really want, or like to peer 
to route reflector on your side and have to add static route to your 
main layer 3 switch to accommodate your traffic priority back to your 
layer 3 switch. And if they do, it's not a standard setup, sooner or 
later they will be removed and then you're stuck, and then have to find 
someone willing to listen to you and do it again, until someone else 
changes it back. Best to not have to do this obviously!


One way to make it work, might be to have one feed to the Arista box, 
then you limit what you accept there, (No choice as TCAM is limited) 
then the second to the OpenBSD one.


On Arista you can limit all routes from /18 and bigger and allow all 
your routes from your public/private direct peering as long as you keep 
the total under the hardware limit of the Arista boxes.


If you specialize it to only IPv4 and the other to IPv6 and layer 3 
only, giving up the layer 2, then you could go almost to 350,000 routes 
in hardware. Very respectable.


Sure it's not the full internet routes, but unless you are really big, 
maybe your customers don't use more than 100,000 routes. Speculation on 
my side here, that would need to be proven. I just picked the 100K, maybe 
200K, or maybe 50K is the most realistic number.


And the setup to your transit is both your switch and server announce 
your full IP space the same except the server one may be using med if 
your transit will honor it, or if not, then prepend your AS instead.


And then you have your default route form your switch go to your server, 
instead of your transit. I explain why below.


Not ideal obviously as the best would be two switch that would provide 
100% redundant setup, but they can't have the full table in hardware.


Why having the default route from the switch to your server, well it has 
the full table, so it may send the traffic to a better exit, oppose to 
your line to your transit, your switch would use and it may not be the 
best path anyway. Remember that your switch can't have the full table in 
hardware...


Now the issue would be to find the best way to update the routes in your 
switches that doesn't take to much resources like sflow (switch) and 
netflow (server) would.


And instead dedicate as much resources to routing as possible. Splitting 
setup between IPv4 and IPv6 is already a good thing as long as your 
peering point do not also limit your connection by mac address too. Two 
different boxes, two different MAC and if you do IPv4 and IPv6 as well, 
that's 4 mac address. :( Equinix will ONLY allow you 1 MAC address per 
dedicated fiber connection to your side.


Anyone with more experience with this type of unconventional setup have 
input, suggestions, experience, good/bad story, gotcha, etc?


That's why I thought having a simple counter in the BGP would be nice 
and simple, but obviously NOT in the RFC, so definitely NOT built in.


However that would be so easy to use I guess.

Any feedback on these ideas would be greatly appreciated.

Thanks for your time and reading this.

Daniel



Re: Upgrading, release by release, from 6.8 to 7.4 -- my experience

2023-11-15 Thread Daniel Ouellet
 else. (;


And maybe this might make a difference for you now, or in the future, or 
not.


I would be curious anyway to know for sure, if your system was using FFS1, 
whether your resize of the partition and the use of newfs created them 
with the new default, FFS2?


Maybe if it was a continuous upgrade from before 6.7, you might have a 
mix of partition types now. It's not like the system can't support 
different partition types anyway. But something to maybe think about 
just in case, and the pros/cons of each one.


Thanks,

Daniel






On 11/15/23 5:12 PM, Austin Hook wrote:


Just finished the series of incremental upgrades of my farmhouse "home
office" system from 6.8 to 7.4.

Finally am current for the first time in years!  And I am amazed and
grateful for all the incredible work the developers and leadership
have done.  The sysupgrade process got smoother and smoother with each
incremental release.

I had been used to the gotchas in the upgrading process from years ago,
even though the sysupgrade method had well become the norm by 6.8.  I
still was a bit too gun shy to upgrade for some years, since I normally
have so little time to really dig into the inner workings of OpenBSD to
figure out gotchas at upgrade time.

The only scary point was when after one of the upgrades, a "pkg_add -u"
overfilled my /usr/local and the process aborted before finishing.

So I did a bit of searching and found an article on reddit addressing that
problem by deleting the /src and /obj partitions (i and j, I think they
were), which follow /usr/local (partition h), and then expanding
/usr/local.

/src and /obj are not necessary unless one is recompiling the system.
Regretted a bit, seeing them go, but all these years, never really had the
time to dig as deep into OpenBSD as I would have wished.

The article suggested doing a "df", then doing the arithmetic on the
sizes of i and j and adding the freed space to h, using disklabel
carefully.  Next step was to be doing a "growfs" on h.  But the latter
didn't work for me, for reasons I wasn't able to quickly figure out.

For many years I only did any kind of backup using tar and ./tgz's, and
never had learned to do dump and restore.  But it looked like it was time
to learn how to use dump and restore now, and then dump /usr/local onto a
big additional partition I usually add to my install which I call
/backups.

Thank goodness for the age of terabyte hard drives.  Could have mounted a
USB hard drive, and used that instead, but there was room enough in my
extra partition, so long as I didn't screw up everything, like the whole
partition table on disk!

Anyway, so I did that, just deleted /usr/local and rebuilt it with
disklabel and the greater size parameter. Then I made it pristine with a
newfs.  Next step was to "restore" the dump I had made.

Wow, that works great.  I didn't realize that it would preserve all the
links as well.  What did I ever do without it!

OK, so back to restarting "pkg_add -u"  and let 'er rip.

Seemed to Work!

Continued the incremental sysupgrades.

Now I am running 7.4 happily.  Did a df and see that /usr/local is filled
to 89%.  Obviously I should spend some time deleting packages I no longer
use.

Only thing that disappoints me is that it looks like, from the package
update process, that maxima is discontinued.  It was the one package I
most rely on, for doing math for my studies of quantum computing.  I'll
dig deeper later.

One little glitch from all the process is that somehow I must have lost a
file or failed to delete a file that has something to do with the default
character set files or pointers for xterm under "fvwm".  A new xterm
starts automatically in a super super small font.  Can't even read it.
Control-right-mouse on an xterm gives the menu for selecting the font size
and also the choice of using Truetype fonts, which works OK, but I have
to do it each time I open a new xterm.

I also notice that when I start up xclock, it also comes up with a very
tiny font too small to read.  I usually call it up with:

xclock -d -render -twelve -strftime "%A %d %

and put it at the top right hand corner of my big screen.

Maybe now I have to add a parameter for the font size or something.
Perhaps something similar for xterm itself.  Will have a little extra job
to figure out what that's all about, and also perhaps to change some
defaults for xterm.

Other than that, everything else seems to work perfectly!

Now I can do the same in downtown Milk River.  Still have what remains of
the Computer Shop of Calgary working there, and my mail server is there
too.  Looks like that might be a bit more touchy with a number of changes to
the SMTP driver and setup.  But I guess I can deal with it.

Thanks guys!

Austin










Re: veb and vport on apu2 -- config feedback

2023-09-08 Thread Daniel Ouellet

Hi,

A few things here.

Comcast DOES NOT use 9000 mtu, so don't try to use that.

They sadly ONLY support 1500.

If you force 9000 mtu, you will only create fragments.

You can find it if you search for it as well.

https://forums.xfinity.com/conversations/your-home-network/mtu-size/602db12cc5375f08cd47b1ad

Also, if you actually want to use the martian table, make it complete; 
the list is also available if you search for the reserved IPs


table  const { 0/8, 10/8, 100.64/10, 127/8, 169.254/16, \
172.16/12, 192/24, 192.0.2/24, 192.168/16, 198.18/15, 198.51.100/24, \
203.0.113/24, 224/4, 240/4, 255.255.255.255/32 }

Daniel


On 9/8/23 9:41 PM, Amarendra Godbole wrote:

On Fri, Jun 23, 2023 at 6:18 PM David Gwynne  wrote:


looks good to me after a quick read.


On 23 Jun 2023, at 12:15, Amarendra Godbole  wrote:

I am planning to experiment with veb on my PC Engines apu2e4 board. It
has three ports (em0, 1 and 2). Current configuration has em0 hooked
up to cable modem, while em1 and em2 are internal LAN. I don't have a
good ability to troubleshoot via a serial console, since the apu board
sits in the garage on top of a cabinet -- running serial cable to a
laptop is challenging, though not impossible. So I am looking for
feedback so as to keep this troubleshooting time minimal.

[...]

Thanks for the review, David. I finally managed to find a window when
my family was away from the internet, so I could experiment. :-) My
internet is delivered via Comcast cable modem, hooked to the APU's em0
port. A Ruckus wireless AP connects to em1.

Here is a fully working configuration:

$ cat hostname.em0
dhcp description "comcast uplink"

$ cat hostname.em1
mtu 9000
up

$ cat hostname.em2
mtu 9000
up

$ cat hostname.veb0
add em1
add em2
add vport0
link0
up

$ cat hostname.vport0
inet 192.168.1.1 255.255.255.0 192.168.1.255
mtu 9000
group internal
up

$ cat pf.conf
table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16  \
   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3  \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24   \
   203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)

antispoof quick for egress
block in from no-route
block in quick from urpf-failed

block in quick on egress from  to any
block return out quick on egress from any to 

block all
match out on egress nat-to (egress)
pass out quick inet
pass in on internal inet
block return in quick on internal proto { udp tcp } to ! internal port { domain domain-s }

$ cat rc.conf.local
dhcpd_flags=vport0
unbound_flags=
unbound_timeout=240

$ ifconfig
lo0: flags=8049 mtu 32768
index 5 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff00

em0: flags=808843 mtu 1500
lladdr 00:0d:b9:56:f4:fc
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 98.35.243.87 netmask 0xff00 broadcast 98.35.243.255

em1: flags=8b43
mtu 9000
lladdr 00:0d:b9:56:f4:fd
index 2 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

em2: flags=8b43
mtu 9000
lladdr 00:0d:b9:56:f4:fe
index 3 priority 0 llprio 3
media: Ethernet autoselect (none)
status: no carrier

enc0: flags=0<>
index 4 priority 0 llprio 3
groups: enc
status: active

veb0: flags=9843
index 6 llprio 3
groups: veb
em1 flags=3
port 2 ifpriority 0 ifcost 0
em2 flags=3
port 3 ifpriority 0 ifcost 0
vport0 flags=3
port 7 ifpriority 0 ifcost 0

vport0: flags=8943 mtu 9000
lladdr fe:e1:ba:d0:18:bd
index 7 priority 0 llprio 3
groups: vport internal
inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255

pflog0: flags=141 mtu 33136
index 8 priority 0 llprio 3
groups: pflog

Thanks.

-Amarendra
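
Added example, not part of the thread: a Python check of how the two address lists posted above differ, expanding the shorthand prefixes from the reply (such as 10/8) to full networks before comparing coverage. The function and constant names are illustrative, and the lists are copied from the two messages with the table names left out.

```python
import ipaddress

# Prefix list from the reply (shorthand notation, commas as posted).
REPLY_TABLE = """0/8, 10/8, 100.64/10, 127/8, 169.254/16,
172.16/12, 192/24, 192.0.2/24, 192.168/16, 198.18/15, 198.51.100/24,
203.0.113/24, 224/4, 240/4, 255.255.255.255/32"""

# Prefix list from the pf.conf in the quoted message.
ORIGINAL_TABLE = """0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24"""


def expand(prefix):
    """Expand shorthand such as '10/8' or '100.64/10' to a full IPv4 network."""
    addr, _, length = prefix.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError("not an IPv4 prefix: %r" % prefix)
    octets += ["0"] * (4 - len(octets))
    # strict=True rejects prefixes with host bits set (for example 10.1/8).
    return ipaddress.ip_network(".".join(octets) + "/" + (length or "32"),
                                strict=True)


def parse_table(text):
    """Parse a whitespace- or comma-separated prefix list and merge overlaps."""
    tokens = text.replace(",", " ").replace("\\", " ").split()
    return list(ipaddress.collapse_addresses([expand(t) for t in tokens]))


def uncovered(wanted, have):
    """Return the parts of the networks in `wanted` that `have` does not cover."""
    missing = []
    for net in wanted:
        remaining = [net]
        for block in have:
            survivors = []
            for part in remaining:
                if part.subnet_of(block):
                    continue                      # fully covered
                if block.subnet_of(part):
                    survivors.extend(part.address_exclude(block))
                else:
                    survivors.append(part)        # disjoint
            remaining = survivors
        missing.extend(remaining)
    return list(ipaddress.collapse_addresses(missing))


def is_listed(address, table):
    """True if a single address falls inside any network of the table."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in table)


if __name__ == "__main__":
    reply = parse_table(REPLY_TABLE)
    original = parse_table(ORIGINAL_TABLE)
    print("in reply, not in original:", [str(n) for n in uncovered(reply, original)])
    print("in original, not in reply:", [str(n) for n in uncovered(original, reply)])
```

Run over these two lists, the only range the quoted pf.conf leaves out is 100.64.0.0/10; its 224.0.0.0/3 entry already spans 224/4, 240/4 and 255.255.255.255/32.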





Re: Update from 6.5 to 7.3

2023-09-08 Thread Daniel Ouellet

I did a few from 6.6 to 7.3 and it was real easy.

The source I used was:

http://ftp.eu.openbsd.org/pub/OpenBSD/

Looks like this is the one that has the most files from the older versions.

They have all the files from 2.0 and up. (;

Nice if you want to see how the system evolved over time. (;

Not saying it's the only one, but that's the best I found with all the 
oldest one and it worked like a charm.



The only thing is that the default file system type changed in 
6.7 from ffs to ffs2.


The sysupgrade started in 6.6, so maybe that's why my upgrades were 
super easy.


But for anything older than 6.7, I did a fresh install because of the 
file system change in 6.7.


I didn't have any issue with softraid either for any systems that were 
6.7 all the way to 7.3 and it was fairly quick.


At the end I also used sysclean as well, BUT SET UP the 
/etc/sysclean.ignore FIRST. Really that was what took me more time, to be 
sure I did this right. But if you're careful and know your systems, I see 
no problem. If you use it without being careful, you CAN MESS YOURSELF UP 
real bad!


For anything 6.6 and older I did a fresh install to change the file system 
used by default.


On a softraid system the upgrade from 6.7 to 7.3 was easy as well. And you 
can see the file system you use as well.


Softraid here:
sp1$  doas dumpfs /dev/rsd2a | head -1
magic   19540119 (FFS2) time    Fri Sep  8 16:38:40 2023

So that's the only hiccup maybe that I can see.

On one NON-softraid system you see the same thing except this is
$ doas dumpfs /dev/rsd0a | head -1
magic   11954 (FFS1)    time    Thu Aug 24 16:29:48 2023

But on a system like Octeon, the space for the /usr is just a bit too 
small. :(


I didn't try to do it because of this.

Hope this helps you and answers your question.

Daniel

On 9/8/23 1:54 PM, Marc Espie wrote:

On Fri, Sep 08, 2023 at 06:36:57PM +0200, Alessandro Baggi wrote:



On 08/09/23 18:24, Peter N. M. Hansteen wrote:

On Fri, Sep 08, 2023 at 10:01:45AM +0200, Alessandro Baggi wrote:

I've a problem. I need to upgrade OpenBSD from 6.5 to 7.3 on an APU2D. This
is a firewall.
The problem is that I cannot find older ISO of OpenBSD. Can someone point me
in the right direction?


If you are planning to go the supported route and upgrade from release to 
release,
you have eight rounds of upgrading ahead.

If this is a firewall that does not do anything else, I would join a few of the
other posters here in recommending that you back up the tiny number of files
that could differ from a default install do a fresh reinstall, only editing
in the things you need from your old /etc/ such as (likely most of) pf.conf.

- Peter



Actually I upgraded from 6.5 to 7.0 and I learned many new things. Wow...I
love OpenBSD.


Please tell us about your experience ! it's probably going to be rather
interesting.





Re: non-hardware 2fa options for openssh

2023-08-29 Thread Daniel Jakots
On Tue, 29 Aug 2023 13:18:53 -0400, Dave Voutila  wrote:

> > You can also want to look at sysutils/login_oath (which I've been
> > using for years), but maybe for new setups, the login_totp from
> > base makes more sense.
> >  
> 
> login_totp is in base?

Wow, I was sure https://github.com/reyk/login_otp was imported, and the
man I was looking at actually comes from sysutils/login_oath lol

thanks for catching my mistake!



Re: non-hardware 2fa options for openssh

2023-08-29 Thread Daniel Jakots
On Tue, 29 Aug 2023 10:07:18 -0500, "myml...@gmx.com" 
wrote:

> Hi All,
> 
> I want to secure an openssh server with two factor authentication and
> have seen the hardware token methods, most recently i've been seeing
> yubi/FIDO methods.
> 
> Ideally I would like to avoid having to depend on a usb size device
> that could easily be lost.

Using something based on TOTP (Cf. rfc6238) is probably your best bet
then.

> I looked around and found mention of google authenticator as an
> option, phones aren't much bigger than usb sticks but people protect
> their phone as if it was their soul, but the newest mention I can
> find is many years old.

AFAIK, google authenticator is simply an app doing the math for TOTP.
There are multiple basic opensource apps (on both Android and iphones)
which can provide you with the right TOTP based on the seed/secret.

And if you don't want to use a phone, you can use oathtool(1) from
security/oath-toolkit.
I think some password managers also are able to generate the TOTP.

> My question is there any recent documentation / information on setting
> up an openssh server with non-hardware based two factor
> authentication? This does NOT have to be google authenticator, any
> similar service will suffice.

login_totp(8), login.conf(5), sshd_config(5), and maybe a couple of
others.

You may also want to look at sysutils/login_oath (which I've been using
for years), but maybe for new setups, the login_totp from base makes
more sense.

Have fun,
Daniel 
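
Added example, not part of the thread and not the code of any tool named in it: the RFC 6238 calculation that an authenticator app and the server both perform from the shared seed, with a server-side check that compares in constant time, tolerates one time step of clock drift and refuses a code that was already accepted. The class and function names, the drift window of one step and the 6-digit default are assumptions; the key is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Test key from RFC 6238 Appendix B (SHA-1 case); never use it for real accounts.
RFC_KEY = b"12345678901234567890"


def decode_secret(b32_secret):
    """Decode a base32 seed as apps display it (spaces, lower case, no padding)."""
    cleaned = b32_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, digest=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed steps."""
    now = time.time() if now is None else now
    return hotp(key, int(now) // step, digits)


class TotpVerifier:
    """Server-side check for one account (hypothetical helper for illustration)."""

    def __init__(self, key, step=30, digits=6, window=1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window        # accepted clock drift, in time steps
        self.last_counter = -1      # highest counter already accepted

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        matched = None
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue            # replay protection: each step is usable once
            expected = hotp(self.key, counter, self.digits)
            # compare_digest avoids leaking how many leading digits matched
            if hmac.compare_digest(expected.encode(), code.encode()):
                matched = counter
        if matched is None:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    verifier = TotpVerifier(RFC_KEY)
    code = totp(RFC_KEY)
    print("current code:", code)
    print("first use accepted:", verifier.verify(code))
    print("second use accepted:", verifier.verify(code))
```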



Re: pf state-table-induced instability

2023-08-24 Thread Daniel Melameth
On Thu, Aug 24, 2023 at 12:31 PM Lyndon Nerenberg (VE7TFX/VE6BBM)
 wrote:
> For over a year now we have been seeing instability on our firewalls
> that seems to kick in when our state tables approach 200K entries.
> The number varies, but it's a safe bet that once we cross the 180K
> threshold, the machines start getting cranky.  At 200K+ performance
> visibly degrades, often leading to a complete lockup of the network
> stack, or a spontaneous reboot.

...

> Our pf settings are pretty simple:
>
>   set optimization normal
>   set ruleset-optimization basic
>   set limit states 40
>   set limit src-nodes 10
>   set loginterface none
>   set skip on lo
>   set reassemble yes
>
>   # Reduce the number of state table entries in FIN_WAIT_2 state.
>   set timeout tcp.finwait 4

I don't know if there is any relation, but, with 40 states
defined, adaptive scaling should start to kick in at around 24
states.



Re: pf state-table-induced instability

2023-08-24 Thread Daniel Melameth
On Thu, Aug 24, 2023 at 2:57 PM Gabor LENCSE  wrote:
> I used OpenBSD 7.1 PF during stateful NAT64 benchmarking measurements
> from 400,000 to 40,000,000 states. (Of course, its connection setup and
> packet forwarding performance degraded with the number of states, but
> the degradation was not very drastic.)
>
> If you are interested, you can find the results in Tables 18 - 20 of
> this (open access) paper: https://doi.org/10.1016/j.comcom.2023.08.009

Seriously awesome paper with volumes of detail--thank you!



Re: Pausing/Freezing issues with Protectli FW4B

2023-08-12 Thread Daniel Ouellet

On 8/11/23 7:06 PM, Tim Baumgard wrote:

On Fri, Aug 11, 2023 at 5:56 PM Stuart Henderson
 wrote:


On 2023-08-11, Tim Baumgard  wrote:

I'm having an issue with my Protectli FW4B that's become more of a
problem lately. Essentially, it's the same thing that this person [0]
encountered.


IIRC those are the machines that have problems if there's no display connected


I put in a dummy HDMI plug from another piece of tricky hardware, and
that seems to have fixed it. 200 pings and not a single spike over
1 ms. Thanks!


For whatever it's worth, I did order my ProtectLi like 6 months ago and 
yes it is not the FW4B, but the VP2420.


But the first thing I did on this was to REQUEST Core Boot, NOT the 
"vendor American Megatrends Inc. version "5.11" date 06/18/2021" one.


FYI. There is an updated BIOS available for this. You're not running the 
latest one. Last release was "August 31, 2021"


https://kb.protectli.com/kb/bios-versions-for-the-vault/?seq_no=2

Not saying it would fix your problem, but I had an issue with the BIOS on 
SuperMicro servers that didn't load the BIOS after the date was later than 
2020 or something and had the hardest time upgrading the BIOS, and after 
that I swore to myself to NEVER use ANY servers or computers that do not 
have core boot or support it.


I never looked back.

Maybe this might fix your problem too. I do not know for sure.

Just my $0.02, for whatever it's worth.

Daniel



Re: Feedback on redesigned OpenBSD.org

2023-08-10 Thread Daniel Melameth
On Wed, Aug 9, 2023 at 3:12 PM  wrote:
> Child Pages.
>
> I'd like to draw peoples attention to the child pages of
> my redesign.
>
> Just a few examples (but note, ALL child pages have been
> updated with new design):
>
> A. FAQ
>
> before: http://www.openbsd.org/faq/index.html
> after: https://www.openbsd.design/cvs/www/faq/index.html
>
> B. FAQ - Install Guide
>
> before: http://www.openbsd.org/faq/faq4.html
> after: https://www.openbsd.design/cvs/www/faq/faq4.html
>
> C. Platforms
>
> before: http://www.openbsd.org/plat.html
> after: https://www.openbsd.design/cvs/www/plat.html
>
> D. Songs
>
> before: http://www.openbsd.org/lyrics.html
> after: https://www.openbsd.design/cvs/www/lyrics.html
>
> E. Porters Handbook
>
> before: http://www.openbsd.org/faq/ports/index.html
> after: https://www.openbsd.design/cvs/www/faq/ports/index.html
>
> These are just a few examples.

I really like this! I don't know what the drawbacks are, if any, but
it massively modernizes the design and the responsiveness is a huge
benefit as well!

Thank you for taking the time to do this and I hope it, or something
very similar, comes to fruition soon.



Re: OT: Running SOFTRAID on PCEngine APU2 via mPCIe to M.2 convertor board for NVME 2230 or 2242

2023-06-09 Thread Daniel Ouellet

Just a follow up on this for general interest.

I got boards made in Hong Kong from the design done by Tobias Schramm 
generously made available on github. I received the board a few days 
ago, I ordered then the nvme 2230 to test and received it today and here 
we are.


The following tests are done on an APU1 as the others are in use now and 
I had this one available so I used it.


Put the mPCIe board in the mPCIe1 and put the nvme on the board and it 
worked right away.


I will do the tests on the APU2 soon as well when I get the additional 
nvme boards I ordered.


Just FYI, the tests below are done on NIXOS as that's what I had running 
on the APU1 now testing stuff, so I used that.


If there is a need for the tests on OpenBSD I can do that later if 
anyone interested.


The ONLY thing I am not sure about is that on the APU2, the lines on the 
mPCIe schematics for J14 pins 23 and 25 are reversed compared to the mPCIe 
J13. There is a note on the schematics for that. Why that is I can't say, 
but the APU1 doesn't.


Based on Tobias, he never said that the nvme didn't work in both slots, 
so I will find out somehow.


In any case, the minimum order was 5 boards and the difference in price 
was pretty small so I ordered 25 instead, so if anyone might be 
interested, I would be happy to ship some if needed.


I had the board made as I couldn't find any and only 3 companies made them; 
two of them were out, or had none available, the third one was in China, I 
didn't order there.


This is nvme M-Key for either 2230 or 2242. It doesn't support bigger 
one at all. No space in the APU for it.


Just also remember that the mPCIe connectors in the APU use only one 
lane, not 4. So 1x if you want. But still the results are pretty good. 
10x the speed compared to mSATA in there, both dogfish ones, so a fair 
comparison I guess. The third drive is an SSD SanDisk one.


So if you want to make a little NAS out of an APU I guess you can and it 
would be decent I suppose.


If you want to know more, feel free to contact me off list, unless more 
here want to know more.


I used fio, a standard benchmark test.

I only did the write test on the nvme as my other two drives have data 
and I didn't want to lose it! (;


I did the test on the raw device to eliminate anything else that could 
affect it and hopefully give more real results.


Same tests on all 3 different drives in the same box.

The numbers speak for themselves.

And that's MBytes, not Mbits speed. I can only imagine if I had 4 PCIE 
lanes...


Really not bad for the small APU's

=
NVME (READ) 401MB/sec
=

[nix-shell:~]# fio --filename=/dev/nvme0n1 --rw=read --direct=1 --bs=1M 
--ioengine=libaio --runtime=60 --numjobs=1 --time_based 
--group_reporting --name=seq_read --iodepth=16
seq_read: (g=0): rw=read, bs=(R) 1024KiB-1024KiB, (W) 1024KiB-1024KiB, 
(T) 1024KiB-1024KiB, ioengine=libaio, iodepth=16

fio-3.33
Starting 1 process
Jobs: 1 (f=1): [R(1)][100.0%][r=383MiB/s][r=383 IOPS][eta 00m:00s]
seq_read: (groupid=0, jobs=1): err= 0: pid=1383: Fri Jun  9 17:54:30 2023
  read: IOPS=382, BW=382MiB/s (401MB/s)(22.4GiB/60042msec)
slat (usec): min=110, max=4089, avg=156.26, stdev=68.23
clat (usec): min=13238, max=78390, avg=41671.32, stdev=4830.72
 lat (usec): min=13494, max=80091, avg=41827.59, stdev=4827.39
clat percentiles (usec):
 |  1.00th=[21103],  5.00th=[40109], 10.00th=[41157], 20.00th=[41681],
 | 30.00th=[41681], 40.00th=[41681], 50.00th=[41681], 60.00th=[41681],
 | 70.00th=[41681], 80.00th=[41681], 90.00th=[41681], 95.00th=[42206],
 | 99.00th=[64226], 99.50th=[68682], 99.90th=[71828], 99.95th=[71828],
 | 99.99th=[77071]
   bw (  KiB/s): min=339968, max=394475, per=100.00%, avg=391725.72, 
stdev=4887.40, samples=119

   iops: min=  332, max=  385, avg=382.43, stdev= 4.77, samples=119
  lat (msec)   : 20=0.93%, 50=96.11%, 100=2.96%
  cpu  : usr=1.25%, sys=7.95%, ctx=22974, majf=0, minf=4108
  IO depths: 1=0.1%, 2=0.1%, 4=0.1%, 8=0.1%, 16=99.9%, 32=0.0%, 
>=64=0.0%
 submit: 0=0.0%, 4=100.0%, 8=0.0%, 16=0.0%, 32=0.0%, 64=0.0%, 
>=64=0.0%
 complete  : 0=0.0%, 4=100.0%, 8=0.0%, 16=0.1%, 32=0.0%, 64=0.0%, 
>=64=0.0%

 issued rwts: total=22954,0,0,0 short=0,0,0,0 dropped=0,0,0,0
 latency   : target=0, window=0, percentile=100.00%, depth=16

Run status group 0 (all jobs):
   READ: bw=382MiB/s (401MB/s), 382MiB/s-382MiB/s (401MB/s-401MB/s), 
io=22.4GiB (24.1GB), run=60042-60042msec


Disk stats (read/write):
  nvme0n1: ios=91589/0, merge=0/0, ticks=3717080/0, in_queue=3717080, 
util=100.00%



==
NVME (WRITE) 363MB/sec
==

[nix-shell:~]# fio --filename=/dev/nvme0n1 --rw=write --direct=1 --bs=1M 
--ioengine=libaio --runtime=60 --numjobs=1 --time_based 
--group_reporting --name=seq_read --iodepth=16
seq_read: (g=0): rw=write, bs=(R) 1024KiB-1024KiB, (W) 1024KiB-1024KiB, 
(T) 1024KiB-1024KiB, ioengine=libaio, iodepth=16

fio-3.33
Starting 1 

Re: OpenBSD on Thinkpad X13s ARM-based laptop

2023-06-02 Thread Daniel Ouellet
there is a dmesg of one running current as well in the archive with 
what's working and not as well. All in the archive.




On 6/2/23 6:55 AM, Alexander Hall wrote:

Search the archives for "support of thinkpad arm". This was asked just this 
Tuesday.

/Alexander

On June 1, 2023 10:46:33 PM GMT+02:00, "Tito Mari Francis Escaño" 
 wrote:

Hi everyone,
Has anyone tried to install and run OpenBSD on ARM-based Thinkpad X13s?
What are the challenges on making OpenBSD run on it?
Thank you.






OT: Thank you for a second to none documentation in OpenBSD!!!

2023-05-30 Thread Daniel Ouellet

Hi,

I just wanted to take a moment to give you guys thanks big time!

I guess I have been spoiled for the last 2+ decades using OpenBSD and 
always find what I need in the man pages and rarely needed to search the 
web for additional info.


Even for a noob trying OpenBSD I realize how easy it is and how much the 
docs provide what's needed and even the FAQ is very useful and can get 
anyone from nothing to a full system quickly just by some right to the 
point reading!


Now how this came maybe as a surprise: well, in all fairness I have been 
trying on/off to test NixOS; sure, I have to also come clean and say the 
last time I touched Linux was more than 20 years ago. So things change, 
and when I discovered OpenBSD, I never looked back. I run my businesses 
with it and it has always been loyal to me big time!


Where people say, well it's not as fast as Linux, or what not, I say, I 
don't care, I put more systems in place and it does the job. It's easier 
for me that way and it just works!


But now that I am really trying to give a fair shot to NixOS, not a bad 
system sure, but the DOCS SUCK!!!


Try to find something in the man page on the local system, well good 
luck. Try to find how to configure things the way you want, good luck.


Sure there are docs, don't get me wrong, but they are useful for the ones 
that really don't need them!


Maybe it's just me and I will admit, I have VERY HIGH expectations of 
docs as that's what I am used to and I just realized that I have been 
spoiled big time and for this I really needed to say it and thanks 
needed to be given.


Many many thanks for the great work done not only on the system, but the 
docs as well!


Like the saying is, you never know what you had until you lose it!

Docs in OpenBSD are incredibly well done.

And as it's been said in the project, if there is a mistake in the docs, 
it's considered a bug; then if I apply that to NixOS, it is so full of 
bugs that it is sad...


Sure, after I get used to it and play with it for a year maybe I will 
feel comfortable again, but the point here is that docs in OpenBSD 
don't need you to invest years and spend weeks full time to get to 
a point that is good.


Sure I am not so young anymore so I guess I don't learn as fast as I 
used to, but man the system is so clean and docs are so good, that 
trying something new makes it painful!


Thank you guys!

You did such wonderful work over the years, you may not realise how 
different and beautiful it is, or maybe you know it.


I just wanted to take the time to thank you all!

Specially Nick, as when I started he was the one in charge of the FAQ on 
the site and he started a work that was second to none and made me fall 
in love with OpenBSD then.


Please just don't stop. Way too many times there is whining on misc@, but 
know that many may be silent, but we do appreciate your work and gift to 
the community big time.


I always loved it and knew it was great here, but never realized how much 
better it was until I had to actually try to do the same on other systems.


I have been spoiled to the point that at my age now trying something 
else makes me sick!


Thank you a million times!

Best regards,

Daniel



Protectli VP2420 with Dasharo (coreboot+UEFI) v1.1.0 can't load any UEFI bsd.rd

2023-05-23 Thread Daniel Ouellet

Hi,

I searched the archive on this and saw many posts on this including one 
from Marc Kettenis on October 30, 2020 in:

$OpenBSD: conf.c,v 1.32 2020/10/30 19:39:00 kettenis Exp $

At the time looks like it fixed many issues, but now looks like it is 
back. Or may be just on my system with the new coreboot from


Dasharo (coreboot+UEFI) v1.1.0

I tried as well as some posting suggested to load earlier version, so I 
did try all the way back to 6.7 as that's the latest version available 
on ftp.openbsd.org


Still same results.

The unit does work with the AMI BIOS, but not Dasharo coreboot one.

There isn't any way to have Legacy BIOS.

They have either

Dasharo (coreboot+SeaBIOS) and Dasharo (coreboot+UEFI)

So stay old, or go new, and remove the extra to keep it lean and clean.

Here is what I get now same end results as before. Anything new possible 
to do?


I would love to send a dmesg, but I can't get one as I can't boot anything.

With current

probing: pc0 mem[636K 1878M 12M 5M 76K 172K 700K 6M 5M 30732M]
disk: hd0 hd1* hd2* hd3* hd4*
>> OpenBSD/amd64 BOOTX64 3.64
boot>
cannot open hd0a:/etc/random.seed: No such file or directory
booting hd0a:/7.3/amd64/bsd.rd: 3969732+1655808+3882232+0+704512 
[109+56+297

056]=0xa74478
entry point at 0x1001000


With 7.3

probing: pc0 mem[636K 1878M 12M 5M 76K 172K 700K 6M 5M 30732M]
disk: hd0 hd1* hd2* hd3* hd4*
>> OpenBSD/amd64 BOOTX64 3.63
boot>
cannot open hd0a:/etc/random.seed: No such file or directory
booting hd0a:/7.3/amd64/bsd.rd: 3924676+1647616+3886216+0+704512 
[109+440424+293

778]=0xa667f0
entry point at 0x1001000

with 7.1

probing: pc0 mem[636K 1878M 12M 5M 76K 172K 700K 6M 5M 30732M]
disk: hd0 hd1* hd2* hd3* hd4*
>> OpenBSD/amd64 BOOTX64 3.63
boot>
cannot open hd0a:/etc/random.seed: No such file or directory
booting hd0a:/7.3/amd64/bsd.rd: 3924676+1647616+3886216+0+704512 
[109+440424+293

778]=0xa667f0
entry point at 0x1001000



Re: RSS or Atom syndication for security advisories?

2023-05-22 Thread Daniel Ouellet
Not only you can subscribe to the list for the announcement for these 
patches, but you already have it on the front page of the OpenBSD 
Journal site as well.


https://undeadly.org/cgi?action=front

Look right column under:

OpenBSD Errata

So all you asked for is already there.

Not sure how quickly the site is updated, but you may get it faster via 
the announcement.


Either way, you have two sources for what you want. It was already 
there, just needed to look for it.


Hope this answers your question. No need to add anything.

Daniel


On 5/21/23 3:27 PM, Hiltjo Posthuma wrote:

On Sun, May 21, 2023 at 06:26:12PM +, Xavier B. wrote:

Thanks, Hiltjo, for your help. I very appreciate that.

Perhaps it could be useful to place it in official site.
What do you think? What kind of software do you use to generate the web page? 
Perhaps I could help you to add RSS security advisories.



Hi,

You're welcome, but to be clear: I only posted the link.

http://undeadly.org/cgi?action=about


Thanks,
Xavier

On Sun, 21 May 2023 16:03:54 +0200
Hiltjo Posthuma  wrote:


On Sun, May 21, 2023 at 11:34:57AM +, Xavier B. wrote:

Hi,

I just want to know if there is an RSS or Atom syndication advisories.

I have several machines with several operating systems in them: GNU/Linux 
(alpine and arch), FreeBSD and OpenBSD.
I have a news reader and I'm subscribed to many operating systems security 
advisories so occasionally I know there are some security bugs and then I need 
to update one of my machine system.


Regarding to OpenBSD I just saw this errata page 
[https://www.openbsd.org/errata73.html] but it is not RSS/atom and it's version 
specific. Is it anywhere else?

If not, please consider to provide it from an user point of view.

Thanks in advance,



Hi,

http://undeadly.org/errata/errata.rss

--
Kind regards,
Hiltjo








Re: RSS or Atom syndication for security advisories?

2023-05-21 Thread Daniel Ouellet

https://www.openbsd.org/faq/faq10.html#Patches

Subscribe to the list and you will know it.


On 5/21/23 7:34 AM, Xavier B. wrote:

Hi,

I just want to know if there is an RSS or Atom syndication advisories.

I have several machines with several operating systems in them: GNU/Linux 
(alpine and arch), FreeBSD and OpenBSD.
I have a news reader and I'm subscribed to many operating systems security 
advisories so occasionally I know there are some security bugs and then I need 
to update one of my machine system.


Regarding to OpenBSD I just saw this errata page 
[https://www.openbsd.org/errata73.html] but it is not RSS/atom and it's version 
specific. Is it anywhere else?

If not, please consider to provide it from an user point of view.

Thanks in advance,





OT: Running SOFTRAID on PCEngine APU2 via mPCIe to M.2 convertor board for NVME 2230 or 2242

2023-05-21 Thread Daniel Ouellet

Hi,

Has anyone ever been able to find a mPCIe to M.2 convertor board on Amazon 
that works for using M.2 NVME 2230 or 2242 drives or even M.2 SATA 
(NGFF) in the APU2 like this:


https://github.com/TobleMiner/M.2-NVMe-SSD-to-miniPCIe-adapter

Scroll to the end and see the picture of the drives inside the APU2.

The mSATA goes in the J12 slot as explained below (URL), but the J13 and 
J14 are mPCIe slot, so it should be possible with the proper adapter to 
also have an M.2 drives in this small box.


https://github.com/pcengines/apu2-documentation/blob/master/docs/APU_mPCIe_capabilities.md

Then maybe I can run softraid on my OpenBSD APU2.

I would very much appreciate it if anyone happens to know the model that 
they use or know that is working.


Amazon have a very long list, but the description isn't too useful and 
describe for use with USB, or wireless card and there is so many 
different keys type, etc.


Many thanks for your time.

Daniel



Re: A messed-up fresh install due to a careless user

2023-04-27 Thread Daniel Ouellet

If that's a new install, may as well just redo it.

The install is really fast, so this way you are sure you have a clean 
system and NOT one that you may have problem down the road, especially if 
that's your first time.


That's what I would do anyway.

Compared to any other OS, the install for OpenBSD is the fastest I've ever 
seen, except maybe NixOS when you move it to a new system. (;







On 4/27/23 5:31 PM, Odd Martin Baanrud wrote:

Hello,

I’m blind, and got sighted help to install OpenBSD on the machine which should 
become a new router.
Unfortunately, I was stupid enough to detach the USB stick I booted from, 
before I was to hit R for the reboot.
The result was that the last selection disappeared due to the detach message 
from the kernel, and I didn’t manage to get it back.
The only way I thought could be used for reboot was to hit ctrl+Z, and then 
type reboot.
And it “worked”.

When I connected the machine to the LAN afterwards, I didn’t get contact.
After trying a few things, I finally got an IP on it, with the correct hostname.
(I connected a keyboard, logged in as root, and configured one of the 
interfaces with ifconfig $if autoconf.)
I’ve good experience doing so without braille.

So the machine got an IP, but still no contact, either with ping or ssh.
I then realized that mandatory files have not been written, including the 
hostname.if file for the NIC used during install.
And I guess others too. :-)

Which files are actually written when rebooting the correct way?
I’ve OpenBSD 7.3 installed on both a arm64 and a i386 machine.
Can I use the missing files from one of those?
I should be able to copy them to a USB stick, and mount it and get the files in 
place without sighted help.
And the network interface can be configured with dhcp for now.
As soon as the machine is on the lan, I’ll ssh into it from a linux machine 
with a braille display.

Regards, Martin

PS: I’ve now learned that one should reboot _BEFORE_ detaching any external 
device when the installer is still running. :-)





Re: Recommended place to store static arp entries

2023-03-02 Thread Daniel Jakots
On Tue, 28 Feb 2023 14:35:18 +0100, Claudio Jeker
 wrote:

> To be honest I never had the need to store static arp entries. So for
> me the best place is /dev/null.

Not op, but I have such a need: I own a wifi AP which tends to not
be able to let arp pass, in one direction. All the rest is fine, so
as long the router can reach the hosts in the LANs.

I ended up having in my router:

$ cat /etc/rc.local
arp -Fs 192.0.2.1 00:11:22:33:44:55
[...]

for the required devices using wifi.

Of course I'm not happy about the situation, but it's a good work around
for this shitty device.

Cheers,
Daniel



VPN and Forwarding Performance (was Selecting a 10G NIC)

2023-02-20 Thread Daniel Melameth
On Fri, Feb 17, 2023 at 11:28 AM Hrvoje Popovski  wrote:
> On 17.2.2023. 18:29, Nicolas Goy wrote:
> > I know this question has been answered multiple times, but I wonder if
> > things changed with 7.2.
> >
> > Which NIC would provide the best performance with 10G physical layer
> > with open bsd?
> >
> > I have choice between intel e810, x710, x550, x520, broadcom
> > BCM957414A4142CC or maybe even something else.
>
> go with x520 or x710. e810 is not supported and broadcom in my
> experience is not that stable.
>
> x520 can have up to 16 queues
> x710 can have up to 8 queues but with power of 2
>
> with or without pf and with standard imix traffic you could saturate 10G
> if you have fast cores ... and by fast i mean amd fast, not intel fast :)
>
> if you have pfsync forwarding will be slower
> if you have ipsec tunnels forwarding will be much slower

Do you know if WireGuard improves on IPsec in this regard?



Re: poor routing/nat performance

2022-12-19 Thread Daniel Ouellet

With 7.2 on the APU 2 when I tested it was about 650 or so.

I didn't send the info as it is not connected now.

But either way, you can't get Gb speed on it no matter what.


On 12/19/22 2:43 PM, Stuart Henderson wrote:

On 2022-12-19, Daniel Ouellet  wrote:

OpenBSD 6.8 (GENERIC.MP) #4: Thu Aug  5 11:02:18 MDT 2021


This is too old for a good comparison, many improvements have been made since 
then.






Re: poor routing/nat performance

2022-12-19 Thread Daniel Ouellet

I have the APU 1 and here is what I get

TEST_DATE   TIME_ZONE   DOWNLOAD_MEGABITS   UPLOAD_MEGABITS
12/19/2022 11:52GMT 429.05  422.17

LATENCY_MS  SERVER_NAME DISTANCE_MILES  CONNECTION_MODE
3   Ashburn  VA 0multi

SERVER_COUNT
multi 4

I haven't tested with the APU 2 that I have,  but with NAT I don't think 
you can get the full 1Gb speed.


I have 1Gb symmetric line and with NAT I can't come close to the full 
line speed.





Re: Unable To Use Headset Microphone

2022-05-26 Thread Daniel Wilkins
On Thu, May 26, 2022 at 07:48:26AM +, dak wrote:
> Hi,
>
> I wrote a blog post similar to your topic.
> I'm also explaining the sndiod settings in use.
>
> Maybe that helps you.
>
> https://dkrefft.de/external-usb-speakerphone-on-openbsd/
>
> BR
> dak
>
Hi,
I think that issue is vaguely similar but not quite right.
In my case the only device I'm dealing with is azalia because they're
wired headphones; sndiod -confirms that there's only an snd0. The issue
(as far as I can tell) is that when I plug my headphones in sndio correctly
switches the output to use 0/output1 but it doesn't change the input to use
0/input1 (This is just my best guess, I don't know that the subdevices there
actually correspond to speakers/internal mic and speaker/mic through 3.5mm.)

Thanks for the suggestion,
Danny



Unable To Use Headset Microphone

2022-05-25 Thread Daniel Wilkins
Hey y'all,

I had my headset plugged in on my Thinkpad T480 but when I tried recording
audio it only ever went through the awful laptop microphone. Poking around
in mixerctl I was able to find audio sources for outputs but I wasn't able
to select the headset microphone (mic2 I think) as the normal output. I know
that it's possible to tell sndio to use a different device but I wasn't able
to find anything in the man page about having sndiod set a different
"sub-device" as the default for recording. Can anyone point me in the right
direction here? I've attached mixerctl, sndioctl, and dmesg output.

---mixerctl---
inputs.dac-2:3=152,152
inputs.dac-0:1=152,152
record.adc-0:1_mute=on  [ off on ]
record.adc-0:1=152,152
record.adc-2:3_mute=off  [ off on ]
record.adc-2:3=152,152
record.adc-4:5_mute=off  [ off on ]
record.adc-4:5=152,152
inputs.mic=85,85
outputs.spkr_source=dac-2:3  [ dac-2:3 ]
outputs.spkr_mute=on  [ off on ]
outputs.spkr_eapd=on  [ off on ]
inputs.mic2=85,85
outputs.mic2_dir=input-vr80  [ none input input-vr0 input-vr50 input-vr80 
input-vr100 ]
outputs.hp_source=dac-0:1  [ dac-2:3 dac-0:1 ]
outputs.hp_mute=off  [ off on ]
outputs.hp_boost=off  [ off on ]
outputs.hp_eapd=on  [ off on ]
record.adc-4:5_source=mic2  { mic2 }
record.adc-2:3_source=mic2,mic  { mic2 mic }
record.adc-0:1_source=mic  [ mic ]
outputs.mic2_sense=plugged  [ unplugged plugged ]
outputs.hp_sense=plugged  [ unplugged plugged ]
outputs.spkr_muters=hp  { hp }
outputs.master=153,153
outputs.master.mute=off  [ off on ]
outputs.master.slaves=dac-2:3,dac-0:1,spkr,hp  { dac-2:3 dac-0:1 spkr hp }
record.volume=153,153
record.volume.mute=off  [ off on ]
record.volume.slaves=adc-0:1,adc-2:3,adc-4:5  { adc-0:1 adc-2:3 adc-4:5 mic 
mic2 }
record.enable=sysctl  [ off on sysctl ]


---sndioctl
input.level=0.600
input.mute=0
output.level=0.600
output.mute=0
server.device=0
app/firefox0.level=1.000
app/firefox1.level=1.000



Re: hostnames in syslogd

2022-04-25 Thread Daniel Jakots
On Mon, 25 Apr 2022 14:27:19 -0400, "Sven F." 
wrote:

> Moreover just like -h send the hostname , in a SSL setup it would be
> useful to log the CN of the client certificate , with -i maybe,
> since it is a strong ID sorting logs with that feels more reliable
> than ip, or modified hostnames.
> 
> I may miss some important legacy behavior but a `-i` option that logs
> the CN after the hostname in a similar manner looks non breaking and
> useful.

Ah that reminds me of an issue I have. On my central logging machine, I
filter logs by hostname. However, it appears sometimes my dns fails so
it doesn't get a hostname and the logs with the IP address escape the
filter. If I could filter based on the client's certificate
hostname, that would be much more reliable!

Cheers,
Daniel



Re: time drift in OpenBSD in proxmox (qemu-kvm) guest

2022-04-14 Thread Daniel Jakots
On Thu, 14 Apr 2022 23:47:42 +0200, Stefan Sperling 
wrote:

> > $ sysctl kern.timecounter
> > kern.timecounter.tick=1
> > kern.timecounter.timestepwarnings=0
> > kern.timecounter.hardware=pvclock0
> > kern.timecounter.choice=i8254(0) pvclock0(1500) acpihpet0(1000)
> > acpitimer0(1000)
> > 
> > Anyone have ideas of things I could try that are less wrong than
> > running rdate from cron? Thanks.  
> 
> I have a -current built-a-week-ago guest on stock Debian KVM, no
> problems with time-keeping. It picks acpihpet as timecounter instead
> of pvclock:
> 
> $ sysctl kern.timecounter 
> kern.timecounter.tick=1
> kern.timecounter.timestepwarnings=0
> kern.timecounter.hardware=acpihpet0
> kern.timecounter.choice=i8254(0) pvclock0(500) acpihpet0(1000)
> acpitimer0(1000)

I've some VMs using
$ sysctl kern.timecounter
kern.timecounter.tick=1
kern.timecounter.timestepwarnings=0
kern.timecounter.hardware=pvclock0
kern.timecounter.choice=i8254(0) pvclock0(1500) acpitimer0(1000)

for two months on this particular host and no issue. That said I'm
using an Intel CPU and I force kvm to virtualize some "recent" hardware
(because I hated seeing a floppy disk c* in my dmesg) so I run

> QEMU Standard PC (Q35 + ICH9, 2009)

full dmesg for the curious:

Re: Error in dconf-0.40.0: @tag gio-querymodules definition not found

2022-03-23 Thread Daniel Lemke
Ok, I think I got it figured out after some time away from the computer.
My use of -n was causing the error. I thought I would check for problems
before making changes permanent. Since nothing was being installed, the
package manager couldn't use functions from the dependencies either
hence causing the error. Oops, sorry for the idiocy.



Error in dconf-0.40.0: @tag gio-querymodules definition not found

2022-03-23 Thread Daniel Lemke
I have searched all over the place and cannot find anywhere in man or
on openbsd.org what I am supposed to do with a "@tag gio-querymodules
definition not found" error. This happens whenever dconf-0.40.0 gets pulled as
dependency, but I see a similar error for other packages too (such as
librsvg-2.50.7).

Can someone please point me in the right direction here? I am on a
relatively fresh install, only having done:
  syspatch
  reboot
  pkg_add -Uu
  sysmerge -d

Attached is dmesg and output from pkg_add -n firefox-esr

OpenBSD 7.0 amd64

/etc/installurl:
https://cdn.openbsd.org/pub/OpenBSD
quirks-4.54 signed on 2022-03-21T17:41:55Z
Error in dconf-0.40.0: @tag gio-querymodules definition not found
Direct dependencies for dconf-0.40.0 resolve to glib2-2.68.4
Full dependency tree is glib2-2.68.4 pcre-8.44 python-3.8.12 libffi-3.3p1 
sqlite3-3.35.5p0 libiconv-1.16p0 bzip2-1.0.8p0 xz-5.2.5 gettext-runtime-0.21p1
Error in librsvg-2.50.7: @tag update-gdk-pixbuf definition not found
Direct dependencies for librsvg-2.50.7 resolve to pango-1.48.10 libxml-2.9.12p0 
gdk-pixbuf-2.42.6
Full dependency tree is fribidi-1.0.10 xz-5.2.5 tiff-4.3.0 shared-mime-info-2.1 
libxml-2.9.12p0 png-1.6.37 libffi-3.3p1 lz4-1.9.3p0 lzo2-2.10p2 harfbuzz-2.9.1 
sqlite3-3.35.5p0 gettext-runtime-0.21p1 zstd-1.5.0 pango-1.48.10 bzip2-1.0.8p0 
graphite2-1.3.14 gdk-pixbuf-2.42.6 glib2-2.68.4 cairo-1.16.0 libiconv-1.16p0 
jpeg-2.1.1v0 pcre-8.44 python-3.8.12
Can't install adwaita-icon-theme-40.1.1: can't resolve librsvg-2.50.7
Can't install gtk+3-3.24.30: can't resolve 
adwaita-icon-theme-40.1.1,dconf-0.40.0
Can't install firefox-esr-91.7.0: can't resolve gtk+3-3.24.30
The following new rcscripts were installed: /etc/rc.d/messagebus
See rcctl(8) for details.
New and changed readme(s):
/usr/local/share/doc/pkg-readmes/dbus
/usr/local/share/doc/pkg-readmes/glib2
Couldn't install adwaita-icon-theme-40.1.1 dconf-0.40.0 firefox-esr-91.7.0 
gtk+3-3.24.30 librsvg-2.50.7

Re: Identifying a network

2022-03-23 Thread Daniel Gracia
On Wed, 23 Mar 2022 at 15:12, Zé Loff () wrote:
>
>
> Hi all
>
> I have a laptop in which I use ifstated to determine whether it is "at
> home" or whether it is "roaming", and bring up the VPN -- used to be
> iked, now it's wg -- for unwind and some NFS shares, if it is.
>
> My question is: how would you detect if the machine is "at home"?
>
> My present setup is a combination of checking the BSSID of the AP if it
> is connected to one, and some MAC addresses of other machines on the
> network.  I can think of a couple other ways (SSH host keys, external IP
> -- though it might change --, DHCP-assigned domain, etc).  Is there an
> easier way I'm not thinking of?  How would you do it?

The DHCP solution (i.e. option 15) seems to be a sane way of solving
your problem from the client side. To solve the situation the other
way around (getting to know from which AP your client is connecting at
the DHCP server) I would get some APs that cope with option 82. Then
you would know from where you are connecting, on both sides of the
wire.

>
> Note that this doesn't have 100% fail proof nor am I worried about
> covering absolutely all corner cases, or paranoid about someone spoofing
> my network's BSSID, MAC addresses, etc, etc, just to prevent me from
> setting up a VPN.  This is just for convenience.
>
> Cheers and TIA
> Zé
>
> --
>
>

Regards!



Re: How much does battle-testing weigh?

2022-03-15 Thread Daniel Ouellet

Economics 101: doesn't matter what you say, it matters what you DO.
Everyone says security is important; few actually give a shit about
it.


Amen brother!

That's right to the point!



Nick.





Re: Installer fails to boot on Raspberry Pi 400

2022-02-28 Thread Daniel Gracia
On Mon, 28 Feb 2022 at 18:12,  wrote:
>
> I followed the documented procedure (https://www.openbsd.org/arm64.html
> and https://ftp.openbsd.org/pub/OpenBSD/7.0/arm64/INSTALL.arm64) for
> installing on Raspberry Pi 400 systems:
>
> - put install70.img on a USB stick
> - boot from UEFI firmware v1.21 on a microSD card
> - `set tty fb0`
> - boot installer
>
> The installer boots, but only halfway. The usual blue text scrolls past
> but then it reboots midway through. This happens too quickly for me to
> see the error message immediately preceding the reboot.
>
> Any suggestions for troubleshooting? I am working on getting a serial
> adapter so I can log the boot messages.
>

Just for the sake of curiosity:

With a cellphone at hand, you could get a cue recording the full boot
sequence and playing it frame by frame a couple of times.



Re: Install latest package without prompts on OpenBSD 7.0

2022-01-10 Thread Daniel Gracia
On Mon, 10 Jan 2022 at 4:10, Jeffrey Walton ()
wrote:

> Hi Everyone,
>
> I am working on OpenBSD 7.0, x86_64. I'm trying to script an install
> of developer tools I use, like GCC and Git. When I attempt to install
> GCC I am prompted:
>
> $ sudo pkg_add gcc g++
> quirks-4.54 signed on 2022-01-09T19:08:35Z
> Ambiguous: choose package for gcc
> a0: 
> 1: gcc-8.4.0p9
> 2: gcc-11.2.0p0
>
> I've looked over the man page at https://man.openbsd.org/pkg_add, but
> I don't see an option to tell pkg_add to install the latest version of
> the package.
>
> How do I tell pkg_add to install the latest version without prompting me?
>

By the way, talking about packages, it should be noted that stating
'latest version' here is an abuse of notation, as those are two different
ports, and each one already represents its latest package version.

Regards!


> Thanks in advance.
>
>


Re: Install latest package without prompts on OpenBSD 7.0

2022-01-10 Thread Daniel Gracia
On Mon, 10 Jan 2022 at 4:10, Jeffrey Walton wrote:
>
> Hi Everyone,
>
> I am working on OpenBSD 7.0, x86_64. I'm trying to script an install
> of developer tools I use, like GCC and Git. When I attempt to install
> GCC I am prompted:
>
> $ sudo pkg_add gcc g++
> quirks-4.54 signed on 2022-01-09T19:08:35Z
> Ambiguous: choose package for gcc
> a0: 
> 1: gcc-8.4.0p9
> 2: gcc-11.2.0p0
>
> I've looked over the man page at https://man.openbsd.org/pkg_add, but
> I don't see an option to tell pkg_add to install the latest version of
> the package.
>
> How do I tell pkg_add to install the latest version without prompting me?
>

Not being ambiguous, i.e. with 'sudo pkg_add gcc-12.2.0p0'.

If you're looking forward to finding a one-liner able to install the
latest version of packages, I'm not aware of any standard way. Taking
output from 'pkg_info', filtering and feeding into 'pkg_add' should do the
trick.

Regards!

> Thanks in advance.
>


Re: No firefox on OpenBSD 7.0 i386?

2022-01-07 Thread Daniel Wilkins

Crystal Kolipe wrote:

* https://sourceforge.net/projects/midori-browser/ (as on Raspbian)

Midori might be worth looking at as a light-weight browser replacement for 
Firefox, although I haven't used it for a number of years.


Worth noting that this version of Midori has been abandoned for the
better part of a decade by this point. Modern Midori's a web app
(https://astian.org/en/midori-browser/) so it's probably not a viable
choice for this case.



Re: Must interface unit numbers start with 0?

2021-10-22 Thread Daniel Jakots
On Fri, 22 Oct 2021 19:13:18 -0400, "Allan Streib"
 wrote:

> can I name the interface vlan101

Yes you can. I've a machine where there's only vlan206.

Cheers,
Daniel



Re: 7.0 upgrade dmesg confusion

2021-10-15 Thread Daniel Jakots
On Fri, 15 Oct 2021 20:09:16 -0400, Jon Fineman  wrote:

> I was preparing the dmesg to send off and I noticed it looks like the
> old message from 6.9. How could that occur? What did I miss?

From dmesg(8):

   On some systems the message buffer can survive reboot and be
   retained (in the hope of exposing information from a crash).

   FILES
        /var/run/dmesg.boot  copy of dmesg saved by rc(8) at boot time



Cheers,
Daniel



Re: IPv6: how to trigger script when address prefix changes?

2021-10-06 Thread Daniel Jakots
On Thu, 7 Oct 2021 02:52:13 +0200, Mike Fischer
 wrote:

> Would a IPv6 address prefix change be something the hotplug(4) /
> hotplugd(8) mechanism would see?

It would rather be ifstated(8), but I don't think so. I've never looked
into this, but if I were, I would check the route(8) monitor command:
https://man.openbsd.org/route#monitor



Re: 6.9/amd64 runaway acpi process on Thinkpad T580

2021-09-29 Thread Daniel Wilkins
On Wed, Sep 29, 2021 at 06:29:08PM -0700, Mike Larkin wrote:
> On Wed, Sep 29, 2021 at 08:44:54PM -0400, David Anthony wrote:
> > After enabling "BIOS Thunderbolt Assist", I experience consistent machine
> > slowdown on my T480. Previously, I experienced slowdown after power cycling
> > my machine occasionally. Currently, with this BIOS setting enabled, I
> > experience slowdown consistently.
> >
> > I am sorry but I don't know enough technically as to discern why. I am
> > simply reporting my user experience. I will re-disable the Thunderbolt
> > assist for now.
> >
>
> If someone would build an ACPI_DEBUG kernel and show us what GPE is stuck
> then we can make forward progress (we need an acpidump of that machine
> also).
>
> Otherwise, it's like throwing darts in the dark.
>
> -ml

I could give it a shot. Do you want all three possible states for the
dumps? (disabled, working. Disabled, looped acpi0. Enabled, working.)

It probably won't be until tomorrow since it's already pretty late,
though.

Danny



Re: SOLVED Re: 6.9/amd64 runaway acpi process on Thinkpad T580

2021-09-29 Thread Daniel Wilkins
On Wed, Sep 29, 2021 at 11:47:34AM -0600, Theo de Raadt wrote:
> It would be great if someone figures out why "BIOS Thunderbolt Assist"
> disable, causes a pin to get stuck on resume, and/or figures out how we
> can recognize to handle/clear the event.

The detail in my BIOS options specifically mentions it as a Linux
workaround. Obviously patches couldn't be imported but I'll poke
around to see if there's any discussion/a description of what
exactly is happening.

Aside from that is there any data I can send y'all? Jonathan's built up
a pretty comprehensive set of dmesgs at this point, it seems like.

(No need to cc me, I'm on misc@)

Danny



Re: 6.9/amd64 runaway acpi process on Thinkpad T580

2021-09-29 Thread Daniel Wilkins
On Tue, Sep 28, 2021 at 10:08:47PM -0600, Theo de Raadt wrote:
> There are a few people who have experience with this.  Maybe one of
> them will mail you privately.
>

I'm glad this thread suddenly got revived, since I tried to find it
in my backlog but it got lost.

All you have to do is go into your bios' settings and turn on
"BIOS Thunderbolt Assist" then everything will work 100% fine.

Thanks to jcs on IRC for pointing me at that (dunno what his
email is.)



Re: 6.9/amd64 runaway acpi process on Thinkpad T580

2021-09-22 Thread Daniel Wilkins
I dunno if this is helpful, but I just unplugged my thinkpad and
triggered the behavior.

ACPI shot right up, and in this case the "charging" LED has stayed on.
I've never triggered it by unplugging before, but the symptoms are the
same. The system was under some load while doing so (watching a video in
Firefox and extracting a backup.) The last line in dmesg also seems
weird to me; it might be a firmware thing, from that.

Danny

Re: New desktop CPU/chipset recommendation

2021-09-20 Thread Daniel Wilkins
On Mon, Sep 20, 2021 at 02:56:31PM -0400, Andre Smagin wrote:
> Good day.
>
> I am looking for a hardware advice.
> I don't upgrade my desktop very often - last one was about ten
> years ago (AMD FX-8350 CPU), which I recently made my home server
> running -current, no issues. Now I am looking for a new desktop that
> will last another ten years, hence the question: if I buy the latest
> available AMD chipset (X570 I think) and Ryzen 9 CPU - are there any
> current issues with using it for OpenBSD desktop? I would like to
> overkill it with the choice of hardware now, so I don't have to worry
> about it for a while.
>
> I am ten years out of touch with hardware development progress, so will
> appreciate any input you may have.
>
> --
> Andre
>
You got me curious, so I went ahead and installed OpenBSD on the desktop
I rebuilt this year.
I've got a Ryzen R9 3900X with an MSI MAG B550 TOMAHAWK for the motherboard,
and an R9 380 for the graphics card.

Works totally fine from my initial impressions. Sound works, USB works,
plays full HD videos fine over DP, drives the 1440p display with no issues, etc.

The only thing "wrong" is that I don't think Audio-over-HDMI works.

Hope this might help a bit,
Danny



Re: Determining the number of CPU cores and hyperthreads from userspace

2021-09-19 Thread Daniel Wilkins
Hyperthreads are easy: they've been disabled for years (unless they got
flipped on and I didn't notice.)



Re: 6.9/amd64 runaway acpi process on Thinkpad T580

2021-09-19 Thread Daniel Wilkins
I've run into this on my T480, it seems most consistently triggered by power
cycles caused by running out of battery. The bug's existed for quite a few
years (I think I first noticed it in 2019.) If I recall correctly I've
posted it to the list a couple of times but I don't think any concrete answers
ever emerged; your report is more thorough than mine were though.
I do remember that it never happened on my T430, but that's quite the
hardware gap.



Hyper-V and Intel 10Gbe NIC DDA/Pass-Through

2021-08-25 Thread Daniel Melameth
Has anyone done this successfully with OpenBSD?

I’m not looking for SR-IOV via a Virtual Function (VF) device like
iavf(4) (although I might try this route, but I think there’s no VF
support for this NIC in OpenBSD).

I’d like OpenBSD to see this as a native Intel X552 NIC and use the
ix(4) driver.  My server supports all the related SR-IOV, VT-d and
friends and this is enabled in the BIOS.

Not looking to have my hand held—at least not just yet—just want to
know if someone has done this before so that I can continue trudging
through.

Cheers.



Re: ssh authlog: Failed none for invalid user

2021-08-09 Thread Daniel Jakots
On Mon, 9 Aug 2021 14:52:40 -0700, Jordan Geoghegan
 wrote:

> Hello,
> 
> I was hoping somebody could set me straight here. On one of my
> machines I have a number of entries in my /var/log/authlog file that
> look like this:
> 
>     Failed none for invalid user admin from 14.239.50.255 port 51796
> 
> The machine has been being hammered with SSH bruteforce attempts and
> I noticed that "Failed none" entry popping up frequently.
> 
> What exactly does "Failed none" mean here in this context?
> 
> Any insight would be greatly appreciated as my Google-fu has failed
> me in my search for an answer.

I don't have any experience with ssh's code but after a quick grep, it
seems to come from
https://github.com/openbsd/src/blob/73b5c081a08ab8132aaab716c8f4da9aebb020e7/usr.bin/ssh/auth.c#L272-L282

I guess the "none" is the auth method selected by the client. Someone
with more knowledge on the ssh protocol can surely give you a more
detailed answer.

Cheers,
Danie
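
The authlog entries discussed in this message can be summarised per source address by the method field; this is an added example, not part of the original post and not OpenSSH code. Only the first message body comes from the thread; the other sample lines, the function names and the threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape sshd writes to /var/log/authlog. Only the
# first message body is quoted in the thread; host, times and the rest are made up.
SAMPLE_AUTHLOG = """\
Aug  9 21:40:01 gw sshd[4242]: Failed none for invalid user admin from 14.239.50.255 port 51796 ssh2
Aug  9 21:40:02 gw sshd[4242]: Failed password for invalid user admin from 14.239.50.255 port 51796 ssh2
Aug  9 21:40:04 gw sshd[4242]: Failed password for invalid user admin from 14.239.50.255 port 51796 ssh2
Aug  9 21:40:09 gw sshd[4250]: Failed password for root from 14.239.50.255 port 51802 ssh2
Aug  9 21:41:15 gw sshd[4301]: Failed none for invalid user test from 192.0.2.10 port 40022 ssh2
Aug  9 21:42:30 gw sshd[4310]: Failed publickey for alice from 198.51.100.7 port 50100 ssh2: ED25519 SHA256:CONSTRUCTED
Aug  9 21:42:31 gw sshd[4310]: Accepted publickey for alice from 198.51.100.7 port 50100 ssh2: ED25519 SHA256:CONSTRUCTED
Aug  9 21:43:00 gw sshd[4320]: Failed password for invalid user x from 10.0.0.1 port 1 from 203.0.113.9 port 50123 ssh2
"""

# The user name is supplied by the client and may contain spaces, including
# the text " from 10.0.0.1 port 1". The greedy user group makes the LAST
# "from <addr> port <n>" win, which is the part sshd itself appended.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port (?P<port>\d+)(?: ssh2)?(?:: .*)?$"
)


def parse_line(line):
    """Return a dict for an sshd auth result line, or None for other lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "result": m.group("result"),
        "method": m.group("method"),
        "invalid_user": m.group("invalid") is not None,
        "user": m.group("user"),
        "ip": m.group("ip"),
        "port": int(m.group("port")),
    }


def failures_by_source(text):
    """Map source address -> {method: number of failed attempts}."""
    per_source = defaultdict(Counter)
    for line in text.splitlines():
        event = parse_line(line)
        if event is not None and event["result"] == "Failed":
            per_source[event["ip"]][event["method"]] += 1
    return {ip: dict(counts) for ip, counts in per_source.items()}


def classify(text, guess_threshold=3):
    """Split sources into method probes and credential guessing.

    RFC 4252 lets a client send a "none" request to learn which methods the
    server offers, so a source whose only failures are "none" never submitted
    a credential. Sources with guess_threshold or more failures for any other
    method are reported as guessing.
    """
    probes, guessing = [], []
    for ip, methods in failures_by_source(text).items():
        real_attempts = sum(n for method, n in methods.items() if method != "none")
        if real_attempts == 0:
            probes.append(ip)
        elif real_attempts >= guess_threshold:
            guessing.append(ip)
    return sorted(probes), sorted(guessing)


if __name__ == "__main__":
    probes, guessing = classify(SAMPLE_AUTHLOG)
    print("method probes only:", probes)
    print("credential guessing:", guessing)
```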



Re: Openbsd pf firewall ipv6 routing

2021-07-30 Thread Daniel Melameth
On Thu, Jul 29, 2021 at 10:10 PM Irshad  wrote:
> I have following setup at home, I am sharing internet with neighbour,
> our ISP provides IPV6 with 2001:16a2:cdd2:xx00::/56 prefix delegation,
> until now I was only using IPv4 NAT with following setup
>
> ISP-RouterOPENBSD/PFVLAN10—openWRT—Macbook
> |
> VLAN20__openWRT  some Devices
> |
> |
> Neighbour Access Point
>
> Recently I tried to enable IPv6 in openbsd
> i can ping6 google.com from openbsd firewall itself
> but i cannot route ipv6 traffic from LAN side devices
> i can get ipv6 address assigned to my LAN devices
>
> ps:isp provides only dynamic ip's not static
>
> /etc/hostname.iwn0
> inet6 autoconf -soii -temporary
> inet 192.168.100.177 255.255.255.0
>
> Ifconfig iwn0
> inet 192.168.100.177 netmask 0xff00 broadcast 192.168.100.255
> inet6 2001:16a2:cdd2:xx00:xxx:faff:fe92:c7c6 prefixlen 64 autoconf pltime 86081 vltime 86081
>
> This is connecting to ISP Router with ipv4 LAN side ip
>
> And NAT with pf firewall
>
> vlan10
> /etc/hostname.vlan10
> 192.168.10.1/24 192.168.10.255 parent em0 vnetid 10
> inet6 autoconf
>
> ifconfig vlan10
> inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255
> inet6 fe80::5e26:aff:fe0e:d6ea%vlan10 prefixlen 64 scopeid 0x8
>
> ip forwarding for ipv6
> sysctl net.inet6.ip6.forwarding=1
>
>  rad.conf(5)
> interface vlan10 {
> prefix 2001:16a2:cdd2:xx01::/64
> }
>
> openbsd  netstat -nr
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            fe80::1%iwn0       UGS        0       90     -    12 iwn0
>
> macOS netstat -nr
> Internet6:
> Destination                             Gateway                         Flags   Netif Expire
> default                                 fe80::5e26:aff:fe0e:d6ea%en0    UGcg    en0
> 2001:16a2:cdd2:9500::/64                link#4                          UC      en0
> 2001:16a2:cdd2:xx00:1c07:xxc4:1577:55e1 8:6d:41:de:6d:4a                UHL     lo0

You might want to consider using dhcpcd, in ports, to help you with
the PD and doling out /64s to your networks.



Re: SSL issue on 6.8 arm64 when upgrading to 6.9

2021-06-18 Thread Daniel Jakots
On Fri, 18 Jun 2021 23:21:40 -0300, "Nenhum_de_Nos"
 wrote:

> TLS handshake failure: handshake failed: error:1404B410:SSL
> routines:ST_CONNECT:sslv3 alert handshake failure
> 
> is also present when I try to install any package on 6.8. I looked
> for it over google and found no clues, just one patch that looks like
> to issue this, but a full recompile would last longer than a fresh
> 6.9 install.

There was a problem a few days ago with cloudflare:
https://marc.info/?l=openbsd-bugs&m=162336101708589&w=2

It seems it's still the case for me:
$ nc -zvc cloudflare.cdn.openbsd.org 443
Connection to cloudflare.cdn.openbsd.org (104.17.249.92) 443 port [tcp/https] succeeded!
nc: tls handshake failed (handshake failed: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version)

https://www.ssllabs.com/ssltest/analyze.html?d=cloudflare.cdn.openbsd.org
says Assessment failed: Failed to communicate with the secure server 

I would try another CDN/mirror if I were you:

$ nc -zvc fastly.cdn.openbsd.org 443
Connection to fastly.cdn.openbsd.org (151.101.126.217) 443 port [tcp/https] succeeded!
TLS handshake negotiated TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 with host fastly.cdn.openbsd.org
Peer name: fastly.cdn.openbsd.org
Subject: /CN=fastly.cdn.openbsd.org
Issuer: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Atlas R3 DV TLS CA 2020
Valid From: Mon Feb 22 20:12:22 2021
Valid Until: Sat Mar 26 20:12:22 2022
Cert Hash: SHA256:ca2b5d20050ce1e32adb901ed2fdffc2613b6f1ecec2fa89efa2338d8e8e6a96
OCSP URL: http://ocsp.globalsign.com/ca/gsatlasr3dvtlsca2020


Cheers,
Daniel



Re: Counting traffic of one host through an OpenBSD computer

2021-06-17 Thread Daniel Melameth
On Thu, Jun 17, 2021 at 3:01 PM Ibsen S Ripsbusker
 wrote:
> I want to know how much network traffic a Windows computer is
> responsible for. The Windows computer is connected to a switch,
> the switch is connected to a router running OpenBSD, and the router is
> connected eventually to the internet service provider.
>
>   Windows -- Switch  OpenBSD  ISP
>   Other computers --/
>
> How can I find out how many bytes this Windows computer sent or received
> through the router within some time period?
>
> I'm concerned only about communication with the internet, not
> communication between Windows and "other computers", so it suffices
> to count all bytes passing through the OpenBSD computer that originate
> from or are destined for the Windows computer.

If you didn't set up something ahead of time to capture this, you
likely can't.  Ideally you'd want to export IPFIX/NetFlow data from
your switch or router and report on this data.



Re: nc(1) fails the tls handshake when destination ends with a full stop

2021-05-30 Thread Daniel Jakots
On Sun, 30 May 2021 19:55:42 +0200, Theo Buehler 
wrote:

> On Sun, May 30, 2021 at 01:43:54PM -0400, Daniel Jakots wrote:
> > On Sun, 30 May 2021 17:45:22 +0200, Theo Buehler
> >  wrote:
> >   
> > > Unsure. If people really think this is useful and necessary, I
> > > can be convinced. It's easy enough to do. And you're right, curl
> > > strips the trailing dot after resolving a host name for SNI and
> > > HTTP host header.  
> > 
> > Given the current error message makes it hard to understand what the
> > problem is, I think it's nicer to fix the user error like curl(1)
> > does.  
> 
> What I do not quite see is why you would want or expect to be able to
> have a trailing dot there. None of nc's examples have it and in
> ftp/curl it seems even weirder.

I think what happened is I was fucking around with my certificates
file, and they're named like example.com.pem. I wanted to check
something so I double-clicked on the string and pasted it, and then
removed only "pem". I left the trailing dot both out of laziness and
because I didn't expect it to break things.

I recently learned that you can include the DNS name trailing dot in a
url even if it looks weird. But I just tested some more and for
instance:

https://datatracker.ietf.org./doc/html/rfc6066#section-3 # works
https://openbsd.org./ # doesn't work with Error code:
SSL_ERROR_ILLEGAL_PARAMETER_ALERT

$ nc -zvc datatracker.ietf.org. 443
Connection to datatracker.ietf.org. (4.31.198.44) 443 port [tcp/https] succeeded!
nc: tls handshake failed (name `datatracker.ietf.org.' not present in server certificate)
(and adding -Tnoname makes it work)

so I guess LibreSSL is stricter than OpenSSL?
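
The trailing-dot handling discussed in this message (stripping the dot before SNI and certificate name matching, as curl is said to do, versus matching the dotted name as typed), shown as an added example that is not code from nc, LibreSSL or curl. The function names and the SAN list are constructed for illustration.

```python
import ipaddress

# Constructed subjectAltName list for illustration, not a real certificate.
SAMPLE_SANS = ["ietf.org", "*.ietf.org"]


def sni_name(host):
    """Return the name to send in the SNI extension, or None if none applies.

    RFC 6066 section 3 defines the SNI host name as a DNS name without a
    trailing dot and does not permit literal IP addresses.
    """
    try:
        ipaddress.ip_address(host.strip("[]"))
        return None  # IP literal: no SNI
    except ValueError:
        pass
    # Strip exactly one trailing dot (the DNS root label), nothing more.
    name = host[:-1] if host.endswith(".") else host
    return name.lower() or None


def san_matches(pattern, host):
    """Compare one certificate DNS name with a host name, label by label.

    A "*" is honoured only as the whole left-most label, covers exactly one
    label, and is ignored on patterns with fewer than three labels.
    """
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return (
            len(p_labels) >= 3
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:]
        )
    return p_labels == h_labels


def name_in_cert(host, sans, strip_trailing_dot=True):
    """Check whether host is covered by any name in sans.

    With strip_trailing_dot=False the name is compared exactly as typed, so
    "example.com." has an extra empty label and matches nothing.
    """
    candidate = sni_name(host) if strip_trailing_dot else host.lower()
    if candidate is None:
        return False
    return any(san_matches(pattern, candidate) for pattern in sans)


if __name__ == "__main__":
    typed = "datatracker.ietf.org."
    print("SNI name:", sni_name(typed))
    print("as typed:", name_in_cert(typed, SAMPLE_SANS, strip_trailing_dot=False))
    print("normalised:", name_in_cert(typed, SAMPLE_SANS, strip_trailing_dot=True))
```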



Re: nc(1) fails the tls handshake when destination ends with a full stop

2021-05-30 Thread Daniel Jakots
On Sun, 30 May 2021 17:45:22 +0200, Theo Buehler 
wrote:

> Unsure. If people really think this is useful and necessary, I can be
> convinced. It's easy enough to do. And you're right, curl strips the
> trailing dot after resolving a host name for SNI and HTTP host header.

Given the current error message makes it hard to understand what the
problem is, I think it's nicer to fix the user error like curl(1) does.

Thanks,
Daniel



nc(1) fails the tls handshake when destination ends with a full stop

2021-05-29 Thread Daniel Jakots
Hi,

$ nc -zvc openbsd.org 443 # works as expected
Connection to openbsd.org (129.128.5.194) 443 port [tcp/https] succeeded!
TLS handshake negotiated TLSv1.3/AEAD-AES256-GCM-SHA384 with host openbsd.org
[...]

$ nc -zvc openbsd.org. 443 # fails
Connection to openbsd.org. (129.128.5.194) 443 port [tcp/https] succeeded!
nc: tls handshake failed (handshake failed: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version)


And FWIW I get a different error when the destination runs nginx:

$ nc -zvc px.chown.me. 443 
Connection to px.chown.me. (198.48.202.221) 443 port [tcp/https] succeeded!
nc: tls handshake failed (handshake failed: error:1404B417:SSL routines:ST_CONNECT:sslv3 alert illegal parameter)

I checked with -Tnoname to be sure, and it didn't change anything.

Is that normal?

Cheers,
Daniel



Re: Openbsd 6.9 Default gateway

2021-05-07 Thread Daniel Jakots
On Sat, 8 May 2021 02:37:41 +0300, Irshad Sulaiman
 wrote:

> Thank you for the reply 
> 
> 
>   I could do by 
> Delete and adding route with route command manually 
> But is there any better way to do this 

If you used the same network both on wired and wireless, you could use
a trunk(4) in failover mode for a transparent transition. Check
"Trunking Your Wireless Adapter" in
https://www.openbsd.org/faq/faq6.html

Cheers,
Daniel



Re: .profile not being loaded (ksh) when opening shell in X

2021-04-27 Thread Daniel Wilkins
On Tue, Apr 27, 2021 at 12:17:55PM +, tetrahe...@danwin1210.me wrote:
> On Tue, Apr 27, 2021 at 08:04:32AM +0300, Pierre-Philipp Braun wrote:
> > I believe there's no need for neither login-shells nor those X-level
> > tricks.  To load the interactive environment into xterms or screen, I
> > usually define ENV accordingly in /etc/profile or .profile.  Not sure
> > it's the right way to also put PATH in (k)shrc, but it would also work.
> >
> > /etc/profile: export ENV=/etc/shrc
> >
> > or
> >
> > ~/.profile: export ENV=/root/.shrc
>
> That's very interesting. Can someone explain what this does?

This is incorrect (see upthread.) ENV is for setting what your interactive rc
ought to be. You usually point it at ~/.kshrc. If your session hasn't loaded
~/.profile in order to load $ENV then the kshrc won't necessarily be loaded
by your shell no matter what. For ~/.profile to be in your environment you
definitely need to load it in your xsession.

Danny



Re: Remote wipe software

2021-04-27 Thread Daniel Wilkins
On Tue, Apr 27, 2021 at 08:06:46AM -0400, Nick Holland wrote:
>   # dd if=/dev/random of=/dev/rsdXc bs=1m

I don't know Oliver's specific case but it's worth noting that you
probably want to check the output of mount rather than hardcoding a
value; if you need remote wipes then you probably need full disk
encryption and if I remember correctly your device number isn't always
guaranteed there. Root is on sd3 for now, it might be on sd2 next boot,
etc. I may be misinformed though.



Re: .profile not being loaded (ksh) when opening shell in X

2021-04-26 Thread Daniel Wilkins
On Mon, Apr 26, 2021 at 11:31:33PM +0200, Jan Vlach wrote:
>
> Hi,
>
> you need:
>
> xterm*loginShell: true
>
> in ~/.xresources and something like xrdb ~/.Xresources in ~/.xsession
>
> JV
>
> On Mon, Apr 26, 2021 at 09:26:19PM +, tetrahe...@danwin1210.me wrote:
> > I have some custom additions to my $PATH. They're defined in ~/.profile and
> > they are correctly loaded when I log in from a text console.
> >
> > When I log in to X (cwm) and open a terminal window, $PATH does not contain
> > the entries.
> >
> > I tried `chmod +x` on my .profile but that didn't help.
> >
> > Both the text console and the X terminal window are using ksh.
> >
> > When I call `/bin/ksh -l` then the resulting shell contains the correct
> > additions to $PATH.
> >
> > It looks like the custom $PATH is not being passed from the login shell on
> > downwards, since ~/.profile is only read by a login shell.
> >
> > ~/.kshrc is (according to ksh(1)) read by every spawning shell, but I don't
> > see any documentation or examples on the Internet where someone defined
> > their $PATH in ~/.kshrc ...
> >
> > What's the correct way to set $PATH and have it stick no matter where and
> > when the shell is spawned?
> >
>
Could also just source your profile in your .xsession. That's what I'm in the
habit of doing.



Re: Small/Mini 10Gbe Router Recommendation

2021-04-08 Thread Daniel Melameth
On Thu, Apr 8, 2021 at 1:52 PM Hrvoje Popovski  wrote:
> On 8.4.2021. 20:56, Daniel Melameth wrote:
> > On Thu, Apr 8, 2021 at 3:57 AM Stuart Henderson  
> > wrote:
> >> On 2021-04-07, Daniel Melameth  wrote:
> >>> Looking to finally part with my legacy OpenBSD router and upgrade to
> >>> something that can push more than 2Gbps out of a single port.  Since
> >>> my switching equipment is still only 1Gbe, I also want something that
> >>> has, at least, two Gbe ports.
> >>>
> >>> Any recommendations that work well with OpenBSD?  I am currently
> >>> thinking 
> >>> https://www.supermicro.com/en/products/system/Mini-ITX/SYS-E300-8D.cfm,
> >>> but would like other opinions.
>
> my thinking is that if you want to push 10G traffic you'll need at least
> 8 faster cores ..
> for now you won't be using them, but when multiqueue RSS forwarding is
> unlocked you will be happy ...
>
> this is vmstat -iz from 12 core box with ixl, mcx and ix

The dmesg you noted below is for a box with 4 cores, and I was hoping
to future proof a bit with that.  If I understand you correctly, you
are saying I'll need 12 cores to do 10Gbps eventually?  What bandwidth
are you getting out of the box with the dmesg below?

Thank you.

>
> dmesg for this one:
> https://www.supermicro.com/en/products/system/1U/5018/SYS-5018D-FN8T.cfm
>

Re: Small/Mini 10Gbe Router Recommendation

2021-04-08 Thread Daniel Melameth
On Thu, Apr 8, 2021 at 3:57 AM Stuart Henderson  wrote:
> On 2021-04-07, Daniel Melameth  wrote:
> > Looking to finally part with my legacy OpenBSD router and upgrade to
> > something that can push more than 2Gbps out of a single port.  Since
> > my switching equipment is still only 1Gbe, I also want something that
> > has, at least, two Gbe ports.
> >
> > Any recommendations that work well with OpenBSD?  I am currently
> > thinking 
> > https://www.supermicro.com/en/products/system/Mini-ITX/SYS-E300-8D.cfm,
> > but would like other opinions.
>
> I have several routers using that same motherboard (been using them for
> 3-4 years), they work nicely and have a useful selection of NICs. dmesg below -
> the onboard SFP+ are ix0/1, the ixl(4) in there are a PCIE card. DOM works ok
> on the fibre ports ("ifconfig ix0 sff" etc).

Wonderful--and the dmesg is even better.

> Note that the BMC defaults to sharing em0 if it doesn't have link on the
> separate management port, you may want to change that to dedicated, it
> can be done in config (or IIRC you can also change that setting by
> poking at it with ipmitool/freeipmi if you enable ipmi in kernel config;
> that also gets you additional sensors in hw.sensors rather than just
> the cpu temperature).

Appreciate this detail--will definitely be using the ipmi and didn't
know about the added sensors.

> Might not be an issue for your use but be aware the 40x28mm fans in
> CSE-E300 are pretty whiny. You can change the power management profile
> in bios config which helps, and the noctua 40x20 fans can be made to
> work if that's not enough (though it's a bit of a faff and you will
> need to find screws that work, noctua's usual rubber mounts won't
> fit and their screw holes are weird sizes) but even with those changes
> it's not the best chassis for a noise-sensitive location. The 1Ux19"
> chassis aren't really quieter but the noise profile is more pleasant.

Yes.  I've heard these are loud and appreciate the extra detail on
other available options in case I go down this route, but this will be
sitting in an unfinished space behind a door so I expect I'll be okay.



Small/Mini 10Gbe Router Recommendation

2021-04-07 Thread Daniel Melameth
Looking to finally part with my legacy OpenBSD router and upgrade to
something that can push more than 2Gbps out of a single port.  Since
my switching equipment is still only 1Gbe, I also want something that
has, at least, two Gbe ports.

Any recommendations that work well with OpenBSD?  I am currently
thinking https://www.supermicro.com/en/products/system/Mini-ITX/SYS-E300-8D.cfm,
but would like other opinions.

Thank you.



Re: Performance Degradation And acpi0 CPU Usage

2021-04-02 Thread Daniel Wilkins
I think I've found a correlation: it seems like the system gets stuck in
some sort of hard power save mode once the battery hits critical, even after
plugging the charger in. Has anyone seen this behavior?



Performance Degradation And acpi0 CPU Usage

2021-03-26 Thread Daniel Wilkins
Hey all,
I'm using snapshots on a Thinkpad T480 and I've noticed that I
eventually run into performance issues: videos start lagging,
the keyboard starts to repeat inputs, programs take several seconds
to respond to clicks or keypresses, etc. It seems to happen
eventually, but at random with no reliable trigger. Not tied into
desktop environment and iirc this has happened to me in previous
releases as well. One consistent thing is that if I go into
systat, the acpi0 process will be using a lot (80%+) of CPU.

As far as I know it can't be fixed except for rebooting, and
on rare occasions I've run into this behavior being triggered
by the time booting is finished and I'm in gdm.

Anyone know what might be going on?

Danny
OpenBSD 6.9-beta (GENERIC.MP) #428: Wed Mar 24 11:12:16 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 38362574848 (36585MB)
avail mem = 37184536576 (35461MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x6ecc4000 (63 entries)
bios0: vendor LENOVO version "N24ET49W (1.24 )" date 04/19/2019
bios0: LENOVO 20L50054US
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT SSDT TPM2 UEFI SSDT SSDT HPET APIC MCFG ECDT SSDT 
SSDT SSDT BOOT BATB SLIC SSDT SSDT SSDT LPIT WSMT SSDT SSDT SSDT DBGP DBG2 MSDM 
DMAR ASF! FPDT BGRT UEFI
acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4) PXSX(S4) 
RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) 
RP06(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz, 1591.98 MHz, 06-8e-0a
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz, 1596.29 MHz, 06-8e-0a
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz, 1596.29 MHz, 06-8e-0a
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz, 1596.29 MHz, 06-8e-0a
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz, 1596.28 MHz, 06-8e-0a
cpu4: 

Re: blacklistd analogue

2021-03-25 Thread Daniel Jakots
On Thu, 25 Mar 2021 19:00:52 +0200, Kapetanakis Giannis
 wrote:

> How about a distributed setup?
> 
> Has anyone thought of a way getting IPs from various servers (say
> linux & fail2ban) to the central OpenBSD (pf) firewall?
> 
> Ideally with history in order to punish more the frequent abusers.
> 
> I had plans on looking to bgp to distribute the IPs around but maybe 
> there is already a better way doing this.
> 
> thanks and sorry for hijacking but I believe it's quite relevant.

I did this for my machines: https://chown.me/blog/acacia

It's not clever enough to punish more the frequent abusers though.

Cheers,
Daniel



Re: Protecting entire LAN subnet with Wireguard

2021-03-21 Thread Daniel Jakots
On Sun, 21 Mar 2021 23:49:37 -0400, Daniel Jakots  wrote:

> On Mon, 22 Mar 2021 14:34:00 +1100, Antonino Sidoti
>  wrote:
> 
> > I am confused on how to force all lan clients in my home network to
> > use wireguard tunnel via local firewall. Do I need to add routes and
> > if so how do I do this on my local firewall if the public IP is
> > dynamic and the default gateway changes regularly.   
> 
> To make all the traffic go through Wireguard®, you can do
> # route add default -link -iface wg0
> 
> Having a dynamic IP at home means that if the IP changes, the server
> won't be able to initiate the tunnel but AFAIK, that's the only
> problem.

After thinking more about it, I see what the problem is.

So maybe using some rdomains/rtables as described in
https://codimd.laas.fr/s/NMc3qt5PQ#



Re: Protecting entire LAN subnet with Wireguard

2021-03-21 Thread Daniel Jakots
On Mon, 22 Mar 2021 14:34:00 +1100, Antonino Sidoti 
wrote:

> I am confused on how to force all lan clients in my home network to
> use wireguard tunnel via local firewall. Do I need to add routes and
> if so how do I do this on my local firewall if the public IP is
> dynamic and the default gateway changes regularly. 

To make all the traffic go through Wireguard®, you can do
# route add default -link -iface wg0

Having a dynamic IP at home means that if the IP changes, the server
won't be able to initiate the tunnel but AFAIK, that's the only problem.

Cheers,
Daniel



Re: pf firewall packet size

2021-03-11 Thread Daniel Melameth
On Thu, Mar 11, 2021 at 12:33 PM da...@hajes.org  wrote:
> I am trying to find out way how to port my Linux netfilter into OpenBSD pf.
>
> I want to prioritize small new SYN connection SYN/ACK, ACK.
>
> In Linux I simply set a packet size 0-128 bytes that covers usual 3-way
> handshake. This simple rule makes all faster.
>
> There seems to be no "packet size" capability in OpenBSD.
>
> Something similar used for small packets under OpenBSD
>
> match out on egress set prio (5, 6)
>
>
> next thing what may work is playing with packet flags
>
> SYN is start of new connection so "pass out flags S/" and SYN-ACK with
> flags SA/ should do the trick no?
>
> There is just small ACK packets left. I wonder what is solution for
> small packets in OpenBSD

I believe quantum is what you are looking for--see the QUEUEING
section in pf.conf(5).



Re: What determines source IP of traffic from OpenBSD box ?

2021-02-26 Thread Daniel Jakots
On Fri, 26 Feb 2021 11:53:40 +0100 (CET), Rachel Roch
 wrote:

> Let's say I'm running "pkg_add -u" on a OpenBSD-based router with
> multiple interfaces.
> 
> What determines the source IP ?

On -current there is
 route [-T rtable] sourceaddr [-inet|-inet6] [address]
 route [-T rtable] sourceaddr [-inet|-inet6] -ifp interface

Cheers,
Daniel



Re: rdsetroot and gzip'd bsd.rd

2021-02-06 Thread Daniel Jakots
On Tue, 2 Feb 2021 15:29:12 +0100, Sebastien Marie 
wrote:

> On Mon, Feb 01, 2021 at 08:30:17PM -0500, Daniel Jakots wrote:
> > On Mon, 01 Feb 2021 18:18:43 -0700, "Theo de Raadt"
> >  wrote:
> >   
> > > Should rdsetroot be able to edit gzip'd files?  I am not sure
> > > about that.  
> > 
> > Yeah, I don't think so either. gzip(1) can be easily used to
> > uncompress it beforehand. 
> > 
> > But the result is still that rdsetroot on -current is not able to
> > extract a bsd.rd even when given an uncompressed bsd.rd (i.e. a "ELF
> > 64-bit LSB executable, x86-64, version 1" bsd.rd).
> >   
> 
> I looked at what is done for amd64/ramdisk_cd
> 
> bsd.rd target is made from bsd (kernel) + mr.fs (rdboot filesystem)
> with rdsetroot(8) bsd.gz target is made from bsd.rd with strip(1) +
> gzip(1).
> 
> with current method, it is bsd.gz which is installed in RELEASEDIR as
> bsd.rd file.
> 
> 
> the problem is rdsetroot(8) doesn't support extracting the mr.fs part
> from image when the image is stripped: it expects to find
> "rd_root_size" and "rd_root_image" symbols to locate the size and the
> offset of the mr.fs part inside the image.
> 
> It is possible to use strip with -K rd_root_size -K rd_root_image
> option to preserve these specific symbols (and make rdsetroot -x to
> work again). I tested it successfully on i386.
> 
> diff a6394f126ec0ed0606e8aac07a82ab1a4c4f2988
> /home/semarie/repos/openbsd/src blob -
> 77fdc3e10fc525e725a40528b728c06976eefc06 file +
> distrib/i386/ramdisk_cd/Makefile --- distrib/i386/ramdisk_cd/Makefile
> +++ distrib/i386/ramdisk_cd/Makefile
> @@ -56,8 +56,8 @@ MRMAKEFSARGS=   -o
> disklabel=${MRDISKTYPE},minfree=0,den 
>  bsd.gz: bsd.rd
>   cp bsd.rd bsd.strip
> - strip bsd.strip
> - strip -R .comment -R .SUNW_ctf bsd.strip
> + strip -K rd_root_size -K rd_root_image bsd.strip
> + strip -K rd_root_size -K rd_root_image -R .comment -R
> .SUNW_ctf bsd.strip gzip -9cn bsd.strip > bsd.gz
>  
>  bsd.rd: mr.fs bsd
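
Review bot: Nothing in the bsd.gz rule records why rd_root_size and rd_root_image are kept, so a later tidy-up of the two strip lines could drop the -K options and break rdsetroot -x again without anyone noticing. A short Makefile comment above "strip -K rd_root_size -K rd_root_image bsd.strip", saying that rdsetroot(8) -x looks these two symbols up, would cover it. As the message itself says, only i386 ramdisk_cd is touched here, so the comment should not imply the other architectures are handled.
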
>
> Please note that the second strip call needs -K option too, else the
> symtab is removed. I am a bit surprised by this behaviour.
> 
> I am unsure I will be able to provide a patch for all
> architectures. Please comment if the direction is right or not.
> 
> Thanks.

Thanks for looking at it!

I built a release (without the xenocara part) to test a similar diff to
yours for amd64 (I didn't know which bsd.rd was which, so I did both):

Index: ramdiskA/Makefile
===
RCS file: /cvs/src/distrib/amd64/ramdiskA/Makefile,v
retrieving revision 1.10
diff -u -p -r1.10 Makefile
--- ramdiskA/Makefile   18 May 2020 06:20:43 -  1.10
+++ ramdiskA/Makefile   5 Feb 2021 19:01:06 -
@@ -36,8 +36,8 @@ MRMAKEFSARGS= -o disklabel=${MRDISKTYPE}
 
 bsd.gz: bsd.rd
cp bsd.rd bsd.strip
-   strip bsd.strip
-   strip -R .comment -R .SUNW_ctf bsd.strip
+   strip -K rd_root_size -K rd_root_image bsd.strip
+   strip -K rd_root_size -K rd_root_image -R .comment -R .SUNW_ctf 
bsd.strip
gzip -9cn bsd.strip > bsd.gz
 
 bsd.rd: mr.fs bsd
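
Review bot: The second added strip line in this hunk is wrapped, so "bsd.strip" sits on a line of its own with no leading "+" and the strip command above it ends without a file operand; the hunk will not apply as posted. The recipe lines have also lost their leading tab (see "cp bsd.rd bsd.strip"). Resending the diff unwrapped would let others test exactly what was built.
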
cvs server: Diffing ramdisk_cd
Index: ramdisk_cd/Makefile
===
RCS file: /cvs/src/distrib/amd64/ramdisk_cd/Makefile,v
retrieving revision 1.24
diff -u -p -r1.24 Makefile
--- ramdisk_cd/Makefile 5 Jan 2021 15:10:42 -   1.24
+++ ramdisk_cd/Makefile 5 Feb 2021 19:01:06 -
@@ -59,8 +59,8 @@ MRMAKEFSARGS= -o disklabel=${MRDISKTYPE}
 
 bsd.gz: bsd.rd
cp bsd.rd bsd.strip
-   strip bsd.strip
-   strip -R .comment -R .SUNW_ctf bsd.strip
+   strip -K rd_root_size -K rd_root_image bsd.strip
+   strip -K rd_root_size -K rd_root_image -R .comment -R .SUNW_ctf 
bsd.strip
gzip -9cn bsd.strip > bsd.gz
 
 bsd.rd: mr.fs bsd
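
Review bot: The two symbol names are hard-coded on both strip lines here and again in ramdiskA/Makefile, four copies in all; one make variable holding "-K rd_root_size -K rd_root_image", used on each strip line, would keep them in step. The check that follows extracts only the bsd.rd copied from RELEASEDIR, so it would help to say which of the two ramdisk builds produced that file, or to run rdsetroot -x on the output of each.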


And it works:
$ doas cp /home/RELEASEDIR/bsd.rd .
$ mv bsd.rd bsd.rd.gz
$ gunzip bsd.rd.gz
$ doas rdsetroot -x bsd.rd disk.fs
$ file disk.fs
disk.fs: Unix Fast File system [v1] (little-endian), last mounted on , last 
written at Fri Feb  5 18:06:46 2021, clean flag 1, number of blocks 7360, 
number of data blocks 7071, number of cylinder groups 1, block size 4096, 
fragment size 512, minimum percentage of free blocks 0, rotational delay 0ms, 
disk rotational speed 60rps, SPACE optimization


Thanks,
Daniel
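
The symbol dependency discussed in this message, as an added example that is not part of the original thread and not rdsetroot's own code: a small ELF64 reader that looks up rd_root_size and rd_root_image and fails with the same messages seen in the thread when the file is gzip data or has no symbol table. The sample kernel image is constructed inline, and the 4-byte size word and the section-based address-to-offset mapping are assumptions made for the demonstration.

```python
import struct

SHDR = struct.Struct("<IIQQQQIIQQ")   # Elf64_Shdr: name,type,flags,addr,offset,size,link,info,align,entsize
SYM = struct.Struct("<IBBHQQ")        # Elf64_Sym: name,info,other,shndx,value,size
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3
WANTED = ("rd_root_size", "rd_root_image")


def section_headers(image):
    shoff, = struct.unpack_from("<Q", image, 40)             # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", image, 58)  # e_shentsize, e_shnum
    return [SHDR.unpack_from(image, shoff + i * shentsize) for i in range(shnum)]


def ramdisk_symbols(image):
    """Return {name: (value, size)} for both symbols, or raise ValueError."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an elf")               # e.g. a still-gzipped bsd.rd
    if image[4:6] != b"\x02\x01":
        raise ValueError("example handles ELF64 little-endian only")
    shdrs = section_headers(image)
    symtab = next((s for s in shdrs if s[1] == SHT_SYMTAB), None)
    if symtab is None:
        raise ValueError("symbol table not found")   # fully stripped kernel
    strtab = shdrs[symtab[6]]                        # sh_link -> string table
    names = image[strtab[4]:strtab[4] + strtab[5]]
    found = {}
    for off in range(symtab[4], symtab[4] + symtab[5], SYM.size):
        st_name, _, _, _, value, size = SYM.unpack_from(image, off)
        name = names[st_name:names.index(b"\0", st_name)].decode()
        if name in WANTED:
            found[name] = (value, size)
    missing = [n for n in WANTED if n not in found]
    if missing:
        raise ValueError("missing symbols: " + ", ".join(missing))
    return found


def extract_ramdisk(image):
    """Assumed layout: rd_root_size is a 4-byte LE integer, rd_root_image the bytes."""
    syms, shdrs = ramdisk_symbols(image), section_headers(image)

    def file_offset(addr):   # simplification: map address via the section holding it
        for s in shdrs:
            if s[1] == SHT_PROGBITS and s[3] <= addr < s[3] + s[5]:
                return s[4] + addr - s[3]
        raise ValueError("address 0x%x is not in a PROGBITS section" % addr)

    size, = struct.unpack_from("<I", image, file_offset(syms["rd_root_size"][0]))
    start = file_offset(syms["rd_root_image"][0])
    return image[start:start + size]


def build_elf(keep_symbols):
    """Constructed sample kernel: ELF64 header, one data section, optional symtab."""
    base = 0x1000                                    # constructed section address
    data = struct.pack("<I", 8) + b"RAMDISK!"        # size word, then 8-byte "filesystem"
    strtab = b"\0rd_root_size\0rd_root_image\0"
    syms = (SYM.pack(0, 0, 0, 0, 0, 0)
            + SYM.pack(1, 0x11, 0, 1, base, 4)        # rd_root_size
            + SYM.pack(14, 0x11, 0, 1, base + 4, 8))  # rd_root_image
    body = data + (strtab + syms if keep_symbols else b"")
    shdrs = [SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
             SHDR.pack(0, SHT_PROGBITS, 3, base, 64, len(data), 0, 0, 1, 0)]
    if keep_symbols:                                 # models a strip that kept both symbols
        off = 64 + len(data)
        shdrs.append(SHDR.pack(0, SHT_STRTAB, 0, 0, off, len(strtab), 0, 0, 1, 0))
        shdrs.append(SHDR.pack(0, SHT_SYMTAB, 0, 0, off + len(strtab), len(syms),
                               2, 1, 8, SYM.size))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, len(shdrs), 0)
    return ehdr + body + b"".join(shdrs)


if __name__ == "__main__":
    print(extract_ramdisk(build_elf(keep_symbols=True)))
    for label, img in (("stripped", build_elf(False)), ("gzip", b"\x1f\x8b" + bytes(62))):
        try:
            ramdisk_symbols(img)
        except ValueError as err:
            print(label, "->", err)
```
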



Re: rdsetroot and gzip'd bsd.rd

2021-02-01 Thread Daniel Jakots
On Mon, 01 Feb 2021 18:18:43 -0700, "Theo de Raadt"
 wrote:

> Should rdsetroot be able to edit gzip'd files?  I am not sure about
> that.

Yeah, I don't think so either. gzip(1) can be easily used to uncompress
it beforehand. 

But the result is still that rdsetroot on -current is not able to
extract a bsd.rd even when given an uncompressed bsd.rd (i.e. a "ELF
64-bit LSB executable, x86-64, version 1" bsd.rd).



rdsetroot and gzip'd bsd.rd

2021-02-01 Thread Daniel Jakots
Hi,

Running -current amd64, I fetched a -current amd64 bsd.rd, then ran
$ rdsetroot -x bsd.rd ramdisk
rdsetroot: bsd.rd: not an elf

I didn't expect that, so I ran file on it, which said
bsd.rd: gzip compressed data, max compression, from Unix

I naively tried to gunzip it:
$ mv bsd.rd bsd.rd.gz && gunzip bsd.rd.gz
$ file bsd.rd
bsd.rd: ELF 64-bit LSB executable, x86-64, version 1

so I ran rdsetroot again
$ rdsetroot -x bsd.rd ramdisk
rdsetroot: symbol table not found


I guess it's because of
https://github.com/openbsd/src/commit/aa6c3ec2488169493ed4877eea65efb00c967050


Is it because now bsd.rd is stripped and rdsetroot needs to be updated
to not expect a symbol table? Or am I missing something?


Cheers,
Daniel



SIOCSIFPARENT SIOCAIFADDR SIOCSIFFLAGS in bsd.rd

2021-01-29 Thread Daniel Jakots
Hi,

I upgraded my APU2 on 2021-01-16 and I have this in the upgrade log
email:

Terminal type? [vt220] vt220
Available disks are: sd0.
Which disk is the root disk? ('?' for details) [sd0] sd0
Checking root filesystem (fsck -fp /dev/sd0a)... OK.
Mounting root filesystem (mount -o ro /dev/sd0a /mnt)... OK.
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured
ifconfig: SIOCSIFFLAGS: Device not configured
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured
ifconfig: SIOCSIFFLAGS: Device not configured
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured
ifconfig: SIOCSIFFLAGS: Device not configured
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured
ifconfig: SIOCSIFFLAGS: Device not configured
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured
ifconfig: SIOCSIFFLAGS: Device not configured
Force checking of clean non-root filesystems? [no] no
[...]

The upgrade log before (2020-12-10) was just
Terminal type? [vt220] vt220
Available disks are: sd0.
Which disk is the root disk? ('?' for details) [sd0] sd0
Checking root filesystem (fsck -fp /dev/sd0a)... OK.
Mounting root filesystem (mount -o ro /dev/sd0a /mnt)... OK.
Force checking of clean non-root filesystems? [no] no
[...]


I guess this comes from me switching from trunk(4) to aggr(4).

Is it normal/expected?

It doesn't cause me any trouble but I would have expected the same
'behavior' from trunk(4) and aggr(4) in this regard. Or is it to keep
bsd.rd on a diet?

Cheers,
Daniel



Re: Managed to mess up the system encrypted disk. I can no longer boot.

2021-01-27 Thread Daniel Jakots
On Wed, 27 Jan 2021 11:31:13 -0500, Ashton Fagg 
wrote:

> Do you want "rm -rf /" to hold your hand also?

As a matter of fact, it does :)
https://github.com/openbsd/src/commit/c11d908c7069eb03d103482ce1d0227f3d47b349



Re: Website - Missing kstat man page

2021-01-02 Thread Daniel Jakots
On Sat, 2 Jan 2021 22:57:06 -0500, tiredtech 
wrote:

> I came across a broken link during some pre-install research.
> 
> While browsing URL https://www.openbsd.org/68.html,
> I noticed URL link on the webpage for kstat(1) generates
> a "No results found." message when pointing to its man page:
> 
> https://man.openbsd.org/kstat
> 
> Flagged as new, so I was curious about its general function.
> 
> Regards
> 

It looks like kstat isn't linked to the build so it's not built by
default, therefore it's not present on the man.o.o server.

The source is in src/usr.bin/kstat. If you don't have any src tree
around, you can either read it on github [1] or you can fetch the raw
version [2] and give it to mandoc(1)

[1]: 
https://github.com/openbsd/src/blob/a09091e54b85e8cd86ccf4763998e3800065d5dc/usr.bin/kstat/kstat.1
[2]: 
https://raw.githubusercontent.com/openbsd/src/a09091e54b85e8cd86ccf4763998e3800065d5dc/usr.bin/kstat/kstat.1

(I could copy paste the resulting man page in this email, but you'd lose
all the fancy markup :))

Actually, mandoc(1) supports html output, here's what it gives
https://static.chown.me/private/misc/kstat.html

Cheers,
Daniel



Re: Wireguard

2020-12-28 Thread Daniel Jakots
On Mon, 28 Dec 2020 21:17:42 +, Peter Fraser 
wrote:

> This is my first attempt to set up wireguard, and of course I can't
> get it to work.
> 
> The wg man page shows "ifconfig wgN debug" as an option to help
> debugging. The man page for ifconfig does document the option.
> Nor does the man page tell how to turn the option off.

As any other ifconfig option, with a leading -, i.e. ifconfig wg0 -debug

> I hoped it might show me my problem, I don't know where the messages
> are going,

dmesg(8) or /var/log/messages


Cheers,
Daniel



Re: Programmed wakeup from suspend/hibernate

2020-12-24 Thread Daniel Wilkins

Ian Darwin wrote:
> I think you forgot to cc misc@, so the OP won't see your reply.
>
> On Thu, Dec 24, 2020 at 10:34:19AM -0500, Daniel Wilkins wrote:
> > Ian Darwin wrote:
> > > Otherwise a
> > > $10 mechanical timer to cut the power (well after the suspend is finished!) and
> > > turn it back on in the morning.
> >
> > You'd want to make sure to *hibernate* for that rather than suspend.
> >
> > Almost all motherboards have wake-on-lan these days. You could get a
> > tiny board that consumes no power whose only job is to send a WoL packet
> > to the server for real suspend if that's viable.

I did; my bad. Fixing now.



Re: Enhancing Privacy in 2020 attached screenshot

2020-12-16 Thread Daniel Jakots
On Wed, 16 Dec 2020 22:55:17 +, pipus  wrote:

> haha Stuart.
> Always there to make a low IQ entrance :)
> Would you be more receptive if it was made by Linus and used Linux I
> wonder... ? Try not to be to childish was just a bit of excitement
> over something we have been waiting for for many decades.

While you were "waiting for many decades" (because I assume you were
not able to do the work), Stuart has done more than 17000 commits in
OpenBSD. It could be funny to see how clueless you are, if it wasn't
appalling because of your lack of respect.

Cheers,
Daniel



Re: Switching from trunk(4) to aggr(4)

2020-12-16 Thread Daniel Jakots
On Wed, 16 Dec 2020 15:04:36 +1000, David Gwynne 
wrote:

> By default LACP only sends packets every 30 seconds. Did you run
> tcpdump for long enough to make sure you saw at least one? If you get
> rid of "-D in" do you see the LACP packets that OpenBSD is
> transmitting?

You were right, I didn't wait long enough. (I didn't know about the
"every 30 seconds"). But I tried again and I never saw them with -D in,
and with -D out I saw the one from OpenBSD.

> Alternatively your switch is configured with a static aggregation,
> ie, what the "loadbalance" in trunk(4) does.

You were right again. As I didn't see the LACP packets, I looked more
carefully and yeah it appeared it was not configured as a LACP trunk. I
deleted the trunk and recreated it (it was immutable) and now aggr0 is
active. Yay!

I thought that since trunk0 in lacp mode was working, it meant the
switch was correctly configured.


Out of curiosity, I tried the commands from sthen, and indeed now they
show something:

TL-SG3216#show lacp internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in active mode   P - Device is in passive mode

Channel group 1
                          LACP port  Admin  Oper   Port    Port
Port      Flags   State   Priority   Key    Key    Number  State
Gi1/0/2   SA      Up      32768      0x1    0x345  0x2     0x4d
Gi1/0/4   SA      Up      32768      0x1    0x345  0x4     0x4d
Gi1/0/6   SA      Up      32768      0x1    0x345  0x6     0x4d

TL-SG3216#show lacp neighbor
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in active mode   P - Device is in passive mode

Channel group 1
                  LACP port           Admin  Oper   Port    Port
Port      Flags   Priority   Dev ID   Key    Key    Number  State
Gi1/0/2   SP      0          ..       0      0      0       0
Gi1/0/4   SP      0          ..       0      0      0       0
Gi1/0/6   SP      0          ..       0      0      0       0


Thank you very much!
Daniel



Re: Switching from trunk(4) to aggr(4)

2020-12-15 Thread Daniel Jakots
On Tue, 15 Dec 2020 14:30:16 +1000, David Gwynne 
wrote:

> Can you try tcpdump -p -veni em0 -D in and see if any LACP packets
> appear to come in on the port? If not, can you remove the -p and see
> if em0 starts to work?
> 
> There are two main differences between how aggr(4) and trunk(4)
> works. The first you've already found, which is that trunk(4) uses
> the address from one of the ports it's given, while aggr(4) generates
> one when it's created. The second difference is that trunk(4) makes
> member ports promisc, while aggr(4) tries to be a lot more precise
> and takes care to program the ports properly. This means that in your
> environment em(4) has to support changing its MAC address to the one
> provided by aggr(4), and it has to support joining multicast groups
> properly, including the one that LACP packets are sent to.
> 
> tcpdump with -p means that it won't make the interface promiscuous.
> If you don't see LACP packets come in while the port is promisc, that
> means the multicast filter isn't working properly. It should start
> working if you're running tcpdump without -p on the em(4) ports, or
> on aggr(4) itself.


Thanks for your reply!

Here's what I did (spoiler alert, I couldn't get aggr0 to work):

I switched back the hostname files, and rebooted.

During boot:

starting network
aggr0 em0 trunkport: creating port
aggr0 em0 mux: BEGIN (BEGIN) -> DETACHED
aggr0 em0 rxm: BEGIN (BEGIN) -> INITIALIZE
aggr0 em0 rxm: INITIALIZE (UCT) -> PORT_DISABLED
aggr0 em1 trunkport: creating port
aggr0 em1 mux: BEGIN (BEGIN) -> DETACHED
aggr0 em1 rxm: BEGIN (BEGIN) -> INITIALIZE
aggr0 em1 rxm: INITIALIZE (UCT) -> PORT_DISABLED
aggr0 em2 trunkport: creating port
aggr0 em2 mux: BEGIN (BEGIN) -> DETACHED
aggr0 em2 rxm: BEGIN (BEGIN) -> INITIALIZE
aggr0 em2 rxm: INITIALIZE (UCT) -> PORT_DISABLED
vlan10: no linkaggr0 em0 rxm: PORT_DISABLED (port_enabled) ->
EXPIRED .aggr0 em2 rxm: PORT_DISABLED (port_enabled) -> EXPIRED
aggr0 em1 rxm: PORT_DISABLED (port_enabled) -> EXPIRED
..aggr0 em0 rxm: EXPIRED (current_while_timer expired) -> DEFAULTED
aggr0 em2 rxm: EXPIRED (current_while_timer expired) -> DEFAULTED
aggr0 em1 rxm: EXPIRED (current_while_timer expired) -> DEFAULTED
... sleeping

root@pancake:~# tcpdump -p -veni em0 -D in
tcpdump: listening on em0, link-type EN10MB
18:04:03.996369 80:56:f2:b7:9c:09 ff:ff:ff:ff:ff:ff 8100 60: 802.1Q vid 70 pri 
1 arp who-has 10.70.70.254 tell 10.70.70.101
18:04:04.016123 00:17:10:8e:44:a5 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 10 pri 
1 arp who-has 24.48.69.20 tell 24.48.69.1
18:04:04.034874 00:17:10:8e:44:a5 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 10 pri 
1 arp who-has 24.48.69.109 tell 24.48.69.1

(vlan10 is my uplink to my isp's modem), I didn't have anything but
those arp who-has.

root@pancake:~# ifconfig aggr0 -> still no carrier

root@pancake:~# tcpdump -veni em0 -D in
tcpdump: listening on em0, link-type EN10MB
18:05:11.247455 52:54:00:06:aa:01 00:0d:b9:43:9f:fc 8100 1423: 802.1Q vid 20 
pri 1 10.10.10.44.5638 > 198.48.202.251.25826: udp 1377 (ttl 64, id 2495, len 
1405)
18:05:11.248427 52:54:00:06:aa:01 00:0d:b9:43:9f:fc 8100 1390: 802.1Q vid 20 
pri 1 10.10.10.44.5638 > 198.48.202.251.25826: udp 1344 (ttl 64, id 47470, len 
1372)
18:05:11.249478 52:54:00:06:aa:01 00:0d:b9:43:9f:fc 8100 1424: 802.1Q vid 20 
pri 1 10.10.10.44.5638 > 198.48.202.251.25826: udp 1378 (ttl 64, id 57431, len 
1406)
18:05:11.570690 00:17:10:8e:44:a5 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 10 pri 
1 arp who-has 184.161.78.225 tell 184.161.78.1
18:05:11.586920 00:17:10:8e:44:a5 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 10 pri 
1 arp who-has 192.222.131.28 tell 192.222.131.1
18:05:12.050180 00:17:10:8e:44:a5 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 10 pri 
1 arp who-has 24.48.76.202 tell 24.48.76.1

nothing else than those udp packets (my collectd setup) and the
arp who-has

root@pancake:~# ifconfig aggr0 -> still no carrier

At that point I thought "sthen asked me to try to reboot the switch,
let's do it now" and shortly after I got in my console
aggr0 em0 rxm: DEFAULTED (!port_enabled) -> PORT_DISABLED
aggr0 em1 rxm: DEFAULTED (!port_enabled) -> PORT_DISABLED   
aggr0 em2 rxm: DEFAULTED (!port_enabled) -> PORT_DISABLED
aggr0 em2 rxm: PORT_DISABLED (port_enabled) -> EXPIRED   
aggr0 em1 rxm: PORT_DISABLED (port_enabled) -> EXPIRED
aggr0 em0 rxm: PORT_DISABLED (port_enabled) -> EXPIRED
aggr0 em2 rxm: EXPIRED (current_while_timer expired) -> DEFAULTED
aggr0 em1 rxm: EXPIRED (current_while_timer expired) -> DEFAULTED
aggr0 em0 rxm: EXPIRED (current_while_timer expired) -> DEFAULTED

I tried again putting in promiscuous mode. I thought also let's do it
on all physical interfaces as well to be safe :D

# tcpdump -veni aggr0 -D in
# tcpdump -veni em0 -D in
# tcpdump -veni em1 -D in
# tcpdump -veni em2 -D in

root@pancake:~# ifconfig aggr0 -> still no carrier


Cheers,
Daniel


