Re: Can't cron sct.

[Joerg Jung]

> On 27. Oct 2020, at 16:10, avv. Nicola Dell'Uomo 
>  wrote:
> 
> maybe I'm missing something trivial, but I can't figure out how to cron sct(1)
> 
> My user cron config works and cron log reports sct was executed, but screen 
> temp doesn't change ...
> 
> Here's my user crontab:
> 
> #   $OpenBSD: crontab,v 1.28 2020/04/18 17:22:43 jmc Exp $
> #
> # SHELL=/bin/sh
> PATH=/bin:/sbin:/usr/bin:/usr/sbin
> HOME=/var/log
> #
> #minute hourmdaymonth   wday[flags] command
> #
> # rotate log files every hour, if necessary
> # 3519   *   *   *  touch /home/nicola/sct
> 
> 3519   *   *   *  /usr/local/bin/sct  5000
> 
> # touch /home/nicola/sct was a test in order to verify I had not 
> misconfigured crontab.
> # cron was tested with SHELL variable defined and then commented out and the 
> result was the same.

FYI, there is a small sctd in the sct package, which probably
does exactly what you try to achieve manually here.
 

Re: 6.2-current on a MacBook

[Joerg Jung]

> Am 13.01.2018 um 16:35 schrieb Jan Stary :
> 
> What do people use for pasting instead of
> the nonexistent and shift-insert?

Do you have a  key?

Try ++ to get insert,
works for me on newer models.

Similar page scroll up/down can be reached 
through fn and cursor keys.
delete is backspace + fn.

Re: Installing openbsd on MacBook air 2014

[Joerg Jung]

> On 17. May 2017, at 13:51, flipchan  wrote:
> 
> Yeah the amd64 works to install and it boots but it disabled all port 
> includeing the keyboard:
> 
> I have tried both 6.1 6.0 and 5.9 all same 
> error: [drm:pid0:intel_uncore_check_errors] eERROR Unclaimed register before 
> interupt
> nvram invalid checksum
> uhub0: device problem, disabling port 1,3,5,12

Are you sure that you bootet a amd64 6.1 or 6.0? If I remember correctly, the 
“nvram invalid checksum” 
message was removed earlier. 
Are your EFI/SMC/firmwares up2date (patched via OSX)? Does any other OS boot 
and work, e.g. can 
you rule out that the hub is is not broken? I used similar MacBook Air's from 
various generations all 
working fine here.

> On May 16, 2017 3:49:57 PM GMT+02:00, Stefan Sperling  wrote:
>> On Tue, May 16, 2017 at 12:22:18PM +, flipchan wrote:
>>> Here is the output:
>>> 
>>> 
>>> first boot didnt work so i searched around and found this blog post
>> http://www.sacrideo.us/openbsd-on-macbook/ and i tried typing in the
>> mkdir commands i it booted
>>> 
> OpenBSD/i386 BOOT 3.31
>>> boot>
>>> boot>mkdir cd-dir
>>> boot>cd cd-dir
>>> boot>mkdir -p 4.2/i386
>>> boot>mkdir -p etc
>>> boot>cp ~/cdboot ~/cdbr ~/bsd.rd 4.2/i386
>>> boot>config -ef 4.2/i386/bsd.rd
>> 
>> These aren't commands for the boot loader. This guide recommends that
>> you create a custom ISO image. It's very outdated. I would not rely on
>> it.
>> 
>>> Welcome to the OpenBSD/i386 6.1 installation program:
>> 
>> Please try amd64 instead of i386.
> 
> -- 
> Take Care Sincerely flipchan layerprox dev

Re: lyrics.html nit.

[Joerg Jung]

On Fri, Aug 12, 2016 at 01:14:56PM +, Michal Bozon wrote:
> > -With twitchy fingers on flashing keys
> > +Twitchy fingers, flashing keys
> > 
> > -always claiming "it was just a prank!"
> > +Claiming "it was just a prank!"
> 
> hi, this time (60c), i hear this:
> 
>  Money, donate your pay.
>  Automate with a cron job and we'll be ok.
> +Money, donate your pay.
>  Thoughtful programming versus "just make it fast".
>  ...
>  Not donating, it's a crime.
>  ...

Fixed, thanks!

> finnally, i would do s/\.$//, to be consistent.
> 
> ps: not guilty, bought at least 0b100 mugs

Re: opensmtpd-extras-[clamav|spamassassin] packages in 6.0

[Joerg Jung]

> Am 10.10.2016 um 17:59 schrieb mabi :
>
> Hi,
>
> Just noticed that the OpenBSD 6.0 release does not include the
opensmtpd-extras-clamav nor the opensmtpd-extras-spamassassin packages. I
would like to upgrade my 5.9 OpenBSD mail gateway to 6.0 and was wondering if
I can use the old packages from 5.9 with 6.0?

No.

> Or what is the alternative to these two packages?

Various options. One could be to proxy mails through spampd and clamsmtp.
Amavisd might also be an option.

> Regards,
> Mabi

Re: [Q] Thinkpad x230, softraid crypto and ZZZ

[Joerg Jung]

> On 03 Jul 2016, at 20:30, Mike Larkin  wrote:
>
> On Sun, Jul 03, 2016 at 01:40:39PM -0400, Bryan Everly wrote:
>> Hi,
>>
>> I have suspend to RAM working just fine on this system but when I try to
>> suspend to disk (ZZZ) it just hangs the system (I thought it might just
>> be slow so I let it run for 2 hours and it never completed).  Some data
>> points:
>>
>> 1.  I encrypt my boot drive (sd0) with softraid
>>
>> 2.  My /etc/fstab points to a swap partition outside of the softraid
>> volume and is 2x my RAM size
>>
>
> from your dmesg below:
>> root on sd2a (71b4bf84dbfc9f74.a) swap on sd2b dump on sd2b
>
> That's where we take the swap location from. And that's your sr crypto
> device according to the dmesg. Is this large enough?
>
> Try putting swap inside the sr crypto volume and it should be fine.
> Don't try to use some strange mix of half-crypto and half-not. (why
> someone would go to the effort of encrypting everything *except* swap
> leaves me scratching my head).

If I remember correctly, swap is encrypted by default anyway.

> Note - you have just about the exact same machine as I do, where
> ZZZ was developed. I also have sr crypto in use and 16GB. As a matter of
> fact, the x230 in configs like yours probably received the most testing
> of any machine out there as that's what most developers had during the
> timeframe ZZZ was being shaken out.
>
> Generally, when ZZZing, an x230 with 16GB writes out about 600-800MB
> when doing general purpose stuff like browsing, compiling, etc. Strictly
for
> ZZZ, you don't need 2X RAM size. Just 1X RAM size is "enough" as if we can't
fit
> the hibernated image into a size 1X the size of your RAM, you're hooped
> anyway. This will still take a few minutes as the I/O routines used by
> ZZZ are not optimal, but you should see the disk activity light (faintly,
> as you are using SSDs).
>
> If you still can't get it working, you'll need to do some surgery to
> see what's failing. You'll need to disable X and inteldrm temporarily,
> and remove the call to wsdisplay_suspend around line 2370 in
> sys/dev/acpi/acpi.c to leave the screen on while ZZZing. Then, initiate
> a ZZZ from the text console and see what's going on. Maybe a panic. If you
do
> this test, remember that the suspending and resuming kernels must match
(eg,
> if you ZZZ after booting "/bsd.test", make sure you boot "/bsd.test" again
> after powering back up or it will discard the hibernated image).
>
> -ml
>
>> 3.  I am running apmd with the -A flag
>>
>> 4.  I have 16gb of RAM on the machine
>>
>> Thanks in advance for any help.  Some relevant information below:
>>
>> $ cat /etc/fstab
>>
>> 71b4bf84dbfc9f74.a / ffs rw,softdep,noatime 1 1
>> 71b4bf84dbfc9f74.g /home ffs rw,softdep,noatime,nodev,nosuid 1 2
>> 71b4bf84dbfc9f74.d /tmp ffs rw,softdep,noatime,nodev,nosuid 1 2
>> 71b4bf84dbfc9f74.f /usr ffs rw,softdep,noatime,nodev,wxallowed 1 2
>> 71b4bf84dbfc9f74.e /var ffs rw,softdep,noatime,nodev,nosuid 1 2
>> /dev/sd0b none swap sw 0 0
>>
>> $ doas disklabel -p g sd0
>> # /dev/rsd0c:
>> type: SCSI
>> disk: SCSI disk
>> label: Samsung SSD 850
>> duid: 25c676a513f5cd3d
>> flags:
>> bytes/sector: 512
>> sectors/track: 63
>> tracks/cylinder: 255
>> sectors/cylinder: 16065
>> cylinders: 121601
>> total sectors: 1953525168 # total bytes: 931.5G
>> boundstart: 64
>> boundend: 1953520065
>> drivedata: 0
>>
>> 16 partitions:
>> #size   offset  fstype [fsize bsize  cpg]
>>   a:   899.5G 67119570RAID
>>   b:32.0G   64swap   # none
>>   c:   931.5G0  unused
>>
>> $ doas disklabel -p g sd2
>> # /dev/rsd2c:
>> type: SCSI
>> disk: SCSI disk
>> label: SR CRYPTO
>> duid: 71b4bf84dbfc9f74
>> flags:
>> bytes/sector: 512
>> sectors/track: 63
>> tracks/cylinder: 255
>> sectors/cylinder: 16065
>> cylinders: 117422
>> total sectors: 1886399967 # total bytes: 899.5G
>> boundstart: 64
>> boundend: 1886384430
>> drivedata: 0
>>
>> 16 partitions:
>> #size   offset  fstype [fsize bsize  cpg]
>>   a: 1.0G   64  4.2BSD   2048 163841 # /
>>   c:   899.5G0  unused
>>   d: 4.0G 35904832  4.2BSD   2048 163841 # /tmp
>>   e:35.7G 44293408  4.2BSD   2048 163841 # /var
>>   f:   400.0G119248640  4.2BSD   4096 327681 # /usr
>>   g:   442.6G958100480  4.2BSD   4096 327681 # /home
>>
>> $ cat /etc/rc.conf.local
>> apmd_flags=-A
>> hotplugd_flags=
>> httpd_flags=
>> pkg_scripts=postgresql nagios php56_fpm slim
>> postgresql_flags=-D /var/postgresql/data
>> slowcgi_flags=""
>>
>> $ swapctl -l
>> Device  512-blocks UsedAvail Capacity  Priority
>> /dev/sd0b 671195060 67119506 0%0
>>
>> dmesg attached as dmesg.txt
>> OpenBSD 6.0-beta (GENERIC.MP) #2: Sun Jul  3 10:17:41 EDT 2016
>>

Re: Fifteen questions

[Joerg Jung]

> Am 11.06.2016 um 11:42 schrieb "danston...@yahoo.com.hk"
:
>
> Hi guys!
>
> I am currently thinking of buying a new MacBook Air and setting up a
dual-boot OpenBSD + MacOSX. Reading the mailing-list, I understood that
OpenBSD is mostly working well on Mac hardware, but I still have some
questions:
> a. I read that the wifi is not working, so I will have to buy a wifi usb
stick.
>Which one is the best working with OpenBSD?

Driver man pages contain suggestions.
http://man.openbsd.org/?query=wireless=1=0=default=O
penBSD-current

I use run and urtwn devices.

> b. Would it be possible to write a driver for the wifi?

Yes, but very, very hard.

>If I want to write one, where should I look at?

Probably, the existing Linux one might be a start.

> c. Some people reported that the SSD drive was working, others reported the
opposite.
>I really would like to use a SSD drive instead of a standard hard drive.
(I am the kind of guy who drops his laptop…)
>Is there a way to determine if the SSD drive gonna work or not? (I mean,
before buying the MacBook Air.)

I'm not aware of any Air where the SSD is not working and
I own(ed) and tested various older to new(est) models.

However, for recent MacBooks (not Air, not Pro) the NVMe
connected SSD is not working.

> d. Just to be sure: hibernate/ZZZ can be used over a softraid-crypto disk,
huh?

Never tried myself, but I expect it to work.

> e. Some time ago, I read that RAID & encryption cannot be used altogether -
Is it still true?

No. AFAIK, the vnd related issues seems to be fixed in -current.

>I am interested in privacy and reliability. So I am thinking of combining
a mirroring discipline and an encrypting discipline: a RAID 1 system, and each
disk of the RAID 1 would contains the same encrypted data. Can I do that?

Yes, but expect slow disk throughputs, due to encryption.
Btw. how did you plan to add the second disk into the Air?

> f. In a RAID 1 system with three disks, what happened if one read byte is
not the same on all the disks?

Three disks in the Air?

> g. Is it possible to set up a RAID 1 system on a single physical drive?
>   (The physical drive would be split in two equal parts, and the second part
would be a copy of the first part.)

Makes no sense. If disk dies, both parts are gone.
Just setup a proper backup instead.

>When I read
>  https://www.openbsd.org/faq/faq14.html#softraid
>  http://man.openbsd.org/OpenBSD-current/man4/softraid.4
>it does not seem possible.
> h. For softraid-crypto, are there multiple encrypting algorithms provided?
Is it possible to choose?
>I mean something like "ssh -c cipher_spec".

AFAIK, no. However, you may want to check bioctl man page and -r argument.

> i. As RAID is good but not enough, I think of using rsnapshot for backing up
data (to a remote server).
>But dump(8) seems good too - Is there any cases in which dump(8) should
be used instead of rsnapshot?

Both can be used to achieve different goals, so it depends on the use case.

> j. Just to be sure: Would it make sense to back up encrypted data? Or is
there no other choice but to decrypt, back up, and then encrypt the backed up
data?

Depends on how you encrypted the data.

> k. Between the i386 and amd64 arch, which one would make more sense to use?
As far as I am concerned, I am interested in reliability and simple-ness (not
interested in speed nor coffee-and-toasts-making-features).

On the Air: amd64.

> l. I understood that signify(1) only signs a file - It cannot encrypt it. To
encrypt a file, a software like gnupg should be used, right?
>Does OpenBSD come up with any in-house software to encrypt a file? Or do
I have to use gnupg?
> m. Is it possible to encrypt a disk image file? Replacing 'sd' by 'vnd' in
the document
>  http://man.openbsd.org/OpenBSD-current/man4/softraid.4
>should do it, right?
> n. In reading
>  https://www.openbsd.org/faq/faq14.html#MountImage
>it seems like that mounting a disk image file needs to be root, true? Is
there a way so that a user could mount a disk image?
> o. Finally, I am thinking of resizing a disk image file. I understood that
it can done in using disklabel(8), then growfs(8), finally fsck(8) - That's
it? Any comments that I should be aware of?
>
> Thanks a lot for your help.
>
> Romain

Re: letsencrypt redux

[Joerg Jung]

> Am 15.05.2016 um 18:56 schrieb Kristaps Dzonsons :
> 
> A few days ago, there was a thread regarding letsencrypt clients and
> their, um, cavalier approach to security.  Since I like my free certs
> and I like automation, and I also like not worrying about being owned, I
> reckoned I could do better than mystery-meat clients.
> 
> https://github.com/kristapsdz/letskencrypt
> 
> This isolates the steps of refreshing a certificate into isolated
> processes, each of which is priv-dropped, chrooted, pledged, etc.  The
> manpage says it all:
> 
> https://github.com/kristapsdz/letskencrypt/blob/master/letskencrypt.1
> 
> It's obviously brand-new, but it works and I thought I'd see if
> anybody's interested in looking over the libcrypto bits--if not the
> approach in general.  The stuff that has manpages I think I get, but
> there's some (e.g., X509v3 extension handling, properly seeding RAND,
> calling _free if the ptr is NULL, memory management, ...) that's
> undocumented and is just shot in the dark.  Moreover, the answers
> offered on OpenSSL mailing lists seem... questionable.
> 
> It's designed to run on OpenBSD but works crappily on Mac OS X and
> Linux.  Crappily because both are hostile to good security practises.
> I'm not going to put any extra effort into these for compatibility.

I think you already added a lot of compatibility goo. 
Might have been better if you started with a clean OpenBSD only client.

> (Side note: this requires the patch to json-c posted 09/05/2015 to the
> ports list.  Or is there a better json parser in C?)

This one looks promising: http://zserge.bitbucket.org/jsmn.html

> Thoughts?  Letsencrypt experts?
> 
> Best,
> 
> Kristaps

Re: bioctl: unable to read passphrase

[Joerg Jung]

> Am 13.05.2016 um 21:56 schrieb Ted Unangst :
>
> Theo Buehler wrote:
>>> On Fri, May 13, 2016 at 07:28:51PM +0200, Leo Unglaub wrote:
>>> Hey friends,
>>> i have two identical ssd drives in my laptop. sd0 and sd1. I created a
Raid
>>> 1 (mirroring) on them resulting in sd3. I used the following command:
>>>
 bioctl -c 1 -l sd0a,sd1a softraid0
>>>
>>>
>>> On the resulting disk i created sd3b with 2 GB Swap and sd3a with 100GB
with
>>> a type RAID.
>>>
>>> Now i want to put a crypto layer (Cryptoraid) on the resulting sd3a. I
>>> wanted to use the following command:
>>>
 bioctl -c C -l sd3a softraid0
>>>
>>> But i get the following error message: bioctl: unable to read passphrase.
>>>
>>> Do you have any ideas why this is happening?
>>
>> I think this is due to the fact that nested disciplines are not (yet?)
>> supported. See stsp@'s notes on softraid:
>> https://www.openbsd.org/papers/eurobsdcon2015-softraid-boot.pdf
>> page 5 where it says:
>>
>>Disciplines cannot be nested yet!
>>So no CRYPTO on top of RAID 1, for instance
>
> that will cause problems later

Which problems? This should really be mentioned
in softraid(4) CAVEATS section then, no?

Personally, I'm running CRYPTO on top of a large
RAID1 for years without any problems.

Re: httpd apex->www redirect issues

[Joerg Jung]

> Am 05.05.2016 um 20:50 schrieb alex :
>
> Hi all,
>
> I'm trying to set up httpd to do an apex->www redirect, and it works except
for the fact that other subdomains also get redirected. It seems as if 'server
"pnnk.org"' matches any subdomain.

Which OpenBSD version?

> DNS:
> pnnk.org. A 192.30.33.33
> phoenix   A 192.30.33.33
> mail  A 192.30.33.33
> www   CNAME phoenix
> pnnk.org. MXmail
>
> $ cat /etc/httpd.conf
> server "pnnk.org" {
>listen on * port 80
>listen on :: port 80
>block return 301 "http://www.pnnk.org;
> }
>
> server "www.pnnk.org" {
>listen on * port 80
>listen on :: port 80
> }
>
> Here's an example of the problem. I expected this to fail, not redirect:
>
> $ telnet mail.pnnk.org 80
> Trying 192.30.33.33...
> Connected to mail.pnnk.org.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: mail.pnnk.org
>
> HTTP/1.0 301 Moved Permanently
> Date: Thu, 05 May 2016 13:21:19 GMT
> Server: OpenBSD httpd
> Connection: close
> Content-Type: text/html
> Content-Length: 374
> Location: http://www.pnnk.org
>
> 
> 
> 
> 301 Moved Permanently
> 
> 
> 
> 301 Moved Permanently
> 
> OpenBSD httpd
> 
> 
> Connection closed by foreign host.
>
> Is there something I can do to get the behavior I expect?
>
> Thanks,
> Alex
>
> p.s. I apologize if my message shows up more than once, I had an issue with
my mail setup but I think it's fixed now.

Re: httpd - POST request size problem

[Joerg Jung]

> On 29 Apr 2016, at 15:29, Romain  wrote:
>
> Dear All,
>
> I use OpenBSD 5.8, and the httpd & php & sqlite3 which are provided with.
> ($ uname -a => OpenBSD xx.my.domain 5.8 GENERIC#1170 amd64)
>
> I have a problem with the length of a POST request with seems to be limited
to 6588 (more or less) characters.
> (I use a simple html form with a hidden input which has many characters.)
>
> I tried with lighttpd + php + sqlite3 and it works without this problem.
>
> I tried to add this line to httpd.conf:
>  connection max request body 8388608

Can you show your whole httpd.conf please?
Are you using a subdomain like foo.example.com?
There is a known bug were this directive needs to be added
earlier on the main domain to be applied/passed through to the subdomain.

> And then I restarted httpd.
> But it did not solve to the problem.
>
> And now I do not know what to do.
>
> Thanks for your help.
>
> Best,
> Romain

Re: MacBook 9,1 or 8,1

[Joerg Jung]

> On 28 Apr 2016, at 09:00, Marcus MERIGHI <mcmer-open...@tor.at> wrote:
> 
> m...@umaxx.net (Joerg Jung), 2016.04.27 (Wed) 21:53 (CEST):
>> On Wed, Apr 27, 2016 at 09:41:50AM -0400, Bryan Everly wrote:
>>> 
>>> Has anyone had success with either of the new 12" Retina MacBooks?  My
>>> search of marc.info came up empty.
>> 
>> I own a MacBook8,2 and efiboot as well as inteldrm graphics seems to
>> work fine.  However, internal nvme(4) ssd is not detected and the SPI
> 
> Before or after this one?

After of course, with an additional diff to enable it (see below), 
but the controller does not work (yet).

> http://marc.info/?l=openbsd-cvs=146069961907725
> Log message:
> enable nvme(4)
> ok dlg@
> 
> Bye, Marcus
> 
> 
>> connected trackpad/mouse also does not work.  The built-in WLAN might
>> never work.  A standard USB3 HUB (connected via adapter), I tested was
>> not really working. So you you can either only attach a USB keyboard or
>> disk or wlan card to the single USB-C port, your choice :) 
>> 
>> Due to this fact I can not provide a copy dmesg.
>> Linux support seems not much better [1].
>> 
>> I have no idea about the 9,x but would like to see a dmesg. 
>> Newer MacbookAir might have the same nvme(4) problem.
>> 
>> Regards,
>> Joerg
>> 
>> [1] https://bugzilla.kernel.org/show_bug.cgi?id=99891
>> 
>> 
>> !DSPAM:57211a01134006737330760!

Index: sys/dev/pci/nvme_pci.c
===
RCS file: /cvs/src/sys/dev/pci/nvme_pci.c,v
retrieving revision 1.3
diff -u -p -r1.3 nvme_pci.c
--- sys/dev/pci/nvme_pci.c  14 Apr 2016 11:18:32 -  1.3
+++ sys/dev/pci/nvme_pci.c  20 Apr 2016 22:10:22 -
@@ -70,6 +70,10 @@ nvme_pci_match(struct device *parent, vo
PCI_INTERFACE(pa->pa_class) == NVME_PCI_INTERFACE)
return (1);

+   if (PCI_VENDOR(pa->pa_id) == PCI_VENDOR_APPLE &&
+   PCI_PRODUCT(pa->pa_id) == PCI_PRODUCT_APPLE_NVME)
+   return (1);
+
return (0);
}

Index: sys/dev/pci/pcidevs
===
RCS file: /cvs/src/sys/dev/pci/pcidevs,v
retrieving revision 1.1792
diff -u -p -r1.1792 pcidevs
--- sys/dev/pci/pcidevs 8 Apr 2016 09:59:47 -   1.1792
+++ sys/dev/pci/pcidevs 20 Apr 2016 22:10:22 -
@@ -923,6 +923,7 @@ product APPLE INTREPID2_ATA 0x0069  Intre
product APPLE INTREPID2_FW  0x006a  Intrepid 2 FireWire
product APPLE INTREPID2_GMAC0x006b  Intrepid 2 GMAC
product APPLE BCM5701   0x1645  BCM5701
+product APPLE NVME 0x2001  NVM Express Controller

/* Aralion products */
product ARALION ARS106S 0x0301  ARS106S
Index: sys/dev/pci/pcidevs.h
===
RCS file: /cvs/src/sys/dev/pci/pcidevs.h,v
retrieving revision 1.1786
diff -u -p -r1.1786 pcidevs.h
--- sys/dev/pci/pcidevs.h   8 Apr 2016 10:00:24 -   1.1786
+++ sys/dev/pci/pcidevs.h   20 Apr 2016 22:10:22 -
@@ -928,6 +928,7 @@
#define PCI_PRODUCT_APPLE_INTREPID2_FW  0x006a  /* Intrepid 2 FireWire 
*/
#define PCI_PRODUCT_APPLE_INTREPID2_GMAC0x006b  /* Intrepid 2 
GMAC */
#define PCI_PRODUCT_APPLE_BCM5701   0x1645  /* BCM5701 */
+#definePCI_PRODUCT_APPLE_NVME  0x2001  /* NVM Express 
Controller */

/* Aralion products */
#define PCI_PRODUCT_ARALION_ARS106S 0x0301  /* ARS106S */
Index: sys/dev/pci/pcidevs_data.h
===
RCS file: /cvs/src/sys/dev/pci/pcidevs_data.h,v
retrieving revision 1.1781
diff -u -p -r1.1781 pcidevs_data.h
--- sys/dev/pci/pcidevs_data.h  8 Apr 2016 10:00:24 -   1.1781
+++ sys/dev/pci/pcidevs_data.h  20 Apr 2016 22:10:23 -
@@ -2024,6 +2024,10 @@ static const struct pci_known_product pc
"BCM5701",
},
{
+   PCI_VENDOR_APPLE, PCI_PRODUCT_APPLE_NVME,
+   "NVM Express Controller",
+   },
+   {
PCI_VENDOR_ARALION, PCI_PRODUCT_ARALION_ARS106S,
"ARS106S",
},

Re: MacBook 9,1 or 8,1

[Joerg Jung]

On Wed, Apr 27, 2016 at 09:41:50AM -0400, Bryan Everly wrote:
> 
> Has anyone had success with either of the new 12" Retina MacBooks?  My
> search of marc.info came up empty.

I own a MacBook8,2 and efiboot as well as inteldrm graphics seems to
work fine.  However, internal nvme(4) ssd is not detected and the SPI
connected trackpad/mouse also does not work.  The built-in WLAN might
never work.  A standard USB3 HUB (connected via adapter), I tested was
not really working. So you you can either only attach a USB keyboard or
disk or wlan card to the single USB-C port, your choice :) 

Due to this fact I can not provide a copy dmesg.
Linux support seems not much better [1].

I have no idea about the 9,x but would like to see a dmesg. 
Newer MacbookAir might have the same nvme(4) problem.

Regards,
Joerg

[1] https://bugzilla.kernel.org/show_bug.cgi?id=99891

Re: OpenSMTPD with filter-spamassassin / max-children

[Joerg Jung]

> Am 18.04.2016 um 16:56 schrieb ML mail :
>
> I have configured OpenSMTPD on OpenBSD 5.9 with the filter-spamassassin as a
relay for a few of my webapp servers and have the problem when a webapp
suddently sends over 30 mails at the same time. Basically the problem is that
as I have configured spamd with 30 as max-children, as soon as I receive 30
mails at the same time OpenSMTPD stops answering because all spamd childs are
in busy state. This means that as long as all spamd child are in busy state I
can not receive any more mails during that time.

So you get what you configured/requested.

> So in theory I would just raise the max-children setting of spamassassin but
then it just postpones the problem really... so is there maybe another way to
deal better with that issue?

Not really.

If these are your own web servers they
will not send spam, right?
So considering skip the filtering for them?

There is a max-inflight limit in smtpd.conf(5)
which you may want to lower (below your 30).

Also, the most recent git head of -extras contains
a limit option which restricts the messages piped
to spamassassin based on their size. The idea is:
fewer/smaller mails are checked (fast),
assuming that larger ones are rarely spam.

Re: puppet and cross-platform password hashes

[Joerg Jung]

> On 05 Feb 2016, at 08:33, Peter N. M. Hansteen  wrote:
>
> I'm assuming I'm not the first to encounter this -
>
> the scenario is a group of admins who have so far run mainly Linux and some
Solaris,
> and who have a fairly well developed Puppet setup for maintaining among
other things
> local users for admins to log in and fix, running sudo as required. For
non-admin role
> users, LDAP (AD) is considered good enough, but that's out of scope here.
>
> The interesting part is when we start introducing OpenBSD machines to the
mix, and
> creating users with the password hashes from Linux or Solaris fails,
apparently because
> the hashes are not bcrypt hashes.
>
> I see two obvious solutions to this. Either
>
> 1) skip password logins, require key logins for all local users (they're
>   admins after all), tackle any extra privilege needs via specific sudo or
>   doas config, or
>
> 2) maintain a separate set of user definitions with bcrypt hashes for the
OpenBSD
>   boxes in the puppet setup. Then supplement as before with sudo or doas
tricks.
>
> My next question is, what other workable options are there? When you found
yourself
> in a similar situation, introducing OpenBSD to an existing environment of
other
> unixes, what did you do? Are there other solutions out there, possibly with
more
> sophisticated approaches than the ones I've mentioned here?

There is: 3) dynamically chose the pass hash string depending on OS.
Last time I used puppet was with 2.x release, so I do not know the exact
syntax,
but something like this should work:

@user {
myuser:
comment => “my user”,
ensure = “present”,
password => case $operatingsystem {
OpenBSD: { “$2b$….” },
RedHat: { “$6$...” },
Solaris: { “...” }
   }
}

I do similar in Ansible, setting a dynamic variable “user_hash” to either
“blowfish” or “sha512”
depending on the OS, and the use this variable to choose the right hash string
from an dict,
which looks like this:

users:
  root:
blowfish: $2b$...
sha512: $6$…

…referencing it later (in loops), like this:

user: name=root password=users[root][user_hash]

> Good suggestions may merit a beverage of choice (within reason) at the
first
> possible opportunity.
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: filter-spamassassin

[Joerg Jung]

On Sat, Jan 02, 2016 at 07:21:13PM -0600, Edgar Pettijohn wrote:
> I finally got around to trying out filter-spamassassin.  It appears to work
> correctly.  However, I was trying to change the default action from accept
> to reject. I've tried everything I can think of but continue to get syntax
> errors.  I assumed something like this would work:
> 
> filter spam spamassassin -s reject

You need to quote the args: filter spam spamassassin "-s reject" 
 
> listen on egress filter spam
> 
> But it didn't.
> 
> Any help is appreciated.
> 
> Edgar Pettijohn

Re: Fwd: CVS: cvs.openbsd.org: src

[Joerg Jung]

On Mon, Nov 30, 2015 at 04:48:05PM -0500, Daniel Ouellet wrote:
> Even removed the table password?

Yes.
 
> NO way anymore to have difference password for emails then the system
> password without smtp-extra install?

You may want to read table(5) the section about credentials tables.
 
> I can understand may be sqlite and ldap, but as a base system having
> different password from the system was and is very useful and I do it on
> all systems.

Still possible.

> Or am I missing something or miss understand the commit?

Yes, it looks like you never used table-passwd, 
that is why it is removed.


>  Forwarded Message 
> Subject: CVS: cvs.openbsd.org: src
> Date: Mon, 30 Nov 2015 12:54:26 -0700 (MST)
> From: Joerg Jung <j...@openbsd.org>
> To: source-chan...@openbsd.org
> 
> CVSROOT:  /cvs
> Module name:  src
> Changes by:   j...@cvs.openbsd.org2015/11/30 12:54:26
> 
> Modified files:
>   usr.sbin/smtpd : Makefile
> Removed files:
>   usr.sbin/smtpd : aldap.c aldap.h ber.c ber.h table_ldap.c
>table_passwd.5 table_passwd.c table_sqlite.c
>   usr.sbin/smtpd/table-ldap: Makefile
>   usr.sbin/smtpd/table-passwd: Makefile
>   usr.sbin/smtpd/table-sqlite: Makefile
> 
> Log message:
> remove table-passwd, table-sqlite, and table-ldap
> about 4k lines seldom used code
> 
> people who rely on this install mail/opensmtpd-extras
> 
> direction discussed (and agreed) with many
> 
> ok gilles

Re: MacbookPro 11,1

[Joerg Jung]

> Am 26.11.2015 um 00:50 schrieb Bryan Vyhmeister <br...@bsdjournal.net>:
>
>> On Thu, Nov 26, 2015 at 12:02:18AM +0100, Joerg Jung wrote:
>> The problem with the MacBook8,1 is the USB trackpad/keyboard is connected
>> via SPI internally.  No SPI driver in OpenBSD.
>> Moreover, the internal SSD is connected via NVMe, also not supported.
>>
>> Also, both seem not really working in any other open source OS yet.
>> See here http://moepi.net/?page_id=213
>>
>> Interesting is, MacBookPro12,1 seems to use same SPI Trackpad as well,
>> but (ACPI?) behaves differently and seems working using Linux, see here:
>> http://www.spinics.net/lists/linux-acpi/msg61848.html
>
> Perhaps all the "Force Touch" trackpads are SPI connected?
>
>>> His solution was a
>>> USB keyboard and a USB hub. I didn't have either handy but may try that
>>> later today. In the case of the 12-inch Retina MacBook, there is only
>>> that single USB-C port so I'm not sure if the USB hub was needed for any
>>> reason other than to provide at least two ports (one for USB flash drive
>>> and one for USB keyboard).
>>
>> No real success here, the USB 3.x hub I tried was passive (likely not
enough power)
>> and crashed the machine on attach/detach.
>
> It sounds like the MacBook8,1 does not work for now then. That's too
> bad. I wonder if the MacBookPro11,4 (2015 15-inch with integrated
> graphics) also has the same SPI trackpad? I wonder if it also has
> storage issues with OpenBSD?
>
> My goal is to document how well OpenBSD works on all the recent Apple
> hardware I can. I'm intending to purchase a MacBookPro11,1 (2014
> 13-inch) which it sounds like from the thread works pretty well. I am
> interested to find out if the SD card slot works.
>
> I'm also hoping to find out more about the storage, SD card, and
> trackpad of the MacBookPro11,4 (2015 15-inch with integrated graphics)
> and also of the MacBookPro11,2 (2014 15-inch with integrated graphics).
> Both of these machines still have Haswell chips (unlike the
> MacBookPro12,1).
>
> The MacBookAir6,1 (2013/2014 11-inch MacBook Air) I have works very well
> in all respects but since it's the 11-inch it does not have an SD card
> and my MacBookAir7,2 (2015 13-inch MacBook Air) works reasonably well
> but lacks X acceleration (due to Broadwell) and the brightness cannot be
> adjusted with xbacklight(1). The SD card slot also is not detected in
> any way.

Can you send a dmesg for this Air7,2 please?

> I'm hoping to get some feedback on the SD card slot on the
> MacBookAir6,2 if possible as well.
>
> Bryan

Re: MacbookPro 11,1

[Joerg Jung]

> Am 23.11.2015 um 18:15 schrieb Bryan Vyhmeister <br...@bsdjournal.net>:
>
>> On Mon, Nov 23, 2015 at 09:22:04AM -0500, Bryan C. Everly wrote:
>> I tried a few months ago to boot this into OpenBSD and one of the big
>> problems I ran into was that this is a USB 3 only machine and as such, the
>> keyboard worked at the boot prompt but did not work when I got to the
first
>> installer prompt.
>
> I never had any success with any Apple machine of recent vintage until
> efiboot became available very recently. Now with the changes to
> inteldrm(4) over the weekend, most things are working well for me.
>
>> I'm seeing people talking about working on Macbook Air machines (some of
>> quite recent vintage) so I'm wondering if:
>>
>> 1.  There is a patch I can apply to get keyboard support working on the
>> Macbook Pro Retina; or
>
> I was corresponding with Joerg Jung about his 2015 12-inch Retina
> MacBook and he also has the same issue. I also booted up my 2015 12-inch
> Retina MacBook yesterday and had no keyboard at all.

The problem with the MacBook8,1 is the USB trackpad/keyboard is connected
via SPI internally.  No SPI driver in OpenBSD.
Moreover, the internal SSD is connected via NVMe, also not supported.

Also, both seem not really working in any other open source OS yet.
See here http://moepi.net/?page_id=213

Interesting is, MacBookPro12,1 seems to use same SPI Trackpad as well,
but (ACPI?) behaves differently and seems working using Linux, see here:
http://www.spinics.net/lists/linux-acpi/msg61848.html

> His solution was a
> USB keyboard and a USB hub. I didn't have either handy but may try that
> later today. In the case of the 12-inch Retina MacBook, there is only
> that single USB-C port so I'm not sure if the USB hub was needed for any
> reason other than to provide at least two ports (one for USB flash drive
> and one for USB keyboard).

No real success here, the USB 3.x hub I tried was passive (likely not enough
power)
and crashed the machine on attach/detach.

>> 2.  The Macbook Air doesn't have all USB 3 ports so this isn't a problem
>> for that hardware
>
> The last several generations only show xhci(4) rather than any uhci(4).
> I don't know what is different about the MacBook Air systems that allows
> the keyboard to work since the keyboard does attach as ukbd(4).
>
>> Any suggestions would be appreciated.
>
> My solution was to create an OpenBSD efiboot flash drive and then things
> worked fairly well. In your case, you probably need a USB keyboard and
> possibly a USB hub. I will post a separate post soon with more
> information about both of my MacBook Air systems but, in short, the 2013
> MacBook Air, which is a Haswell system like your MacBook Pro, works
> quite well.  Obviously wireless is not supported but a urtwn(4) USB
> wireless adapter works fine. X acceleration works fine as does
> xbacklight(1) to set screen brightness. The brightness buttons on the
> keyboard do not work though. Keyboard backlight is functional (although
> not yet adjustable) due to Joerg Jung's recent asmc(4) driver.
>
> The 2015 MacBook Air which is a Broadwell system works almost as well
> but does not have X acceleration at this time (disabled for now due to
> instability) and also does not respond to xbacklight(1) so there is no
> way to adjust screen brightness. To see the state of things in Linux, I
> also installed Fedora 23 last week which comes with Linux kernel 4.2 and
> that also could not adjust the brightness of the display at all even
> though it acted as though it was working.
>
> I am interested to see what you find with your system since I am looking
> to pick up a similar Haswell Retina MacBook Pro from the refurbished
> store to use with OpenBSD as well.
>
> Bryan

Re: inteldrm(4) display corruption on MacBook

[Joerg Jung]

On Sat, Nov 21, 2015 at 04:27:34PM +0100, Mark Kettenis wrote:
> Hi Ossi,
> 
> Your digging:
> 
> > I went digging what produces the error
> >
> >   error: [drm:pid0:inteldrm_attach] *ERROR* failed to init modeset
> >
> > and it looks like in sys/dev/pci/drm/drm_irq.c:1.66
> >
> > drm_irq_install() calls
> >
> > if (drm_dev_to_irq(dev) == 0)
> > return -EINVAL;
> >
> > drm_dev_to_irq(dev) returns 0 and my skills end here to dig this
> > further.
> > 
> > these lines in dmesg are my debugging from kernel (and "stacktrace"):
> >
> > error: [drm:pid0:drm_dev_to_irq] *ERROR* irq == 0
> > error: [drm:pid0:drm_irq_install] *ERROR* oherrala: drm_irq_install: 
> > drm_dev_to_irq
> > error: [drm:pid0:i915_load_modeset_init] *ERROR* oherrala: 
> > i915_load_modeset_init: drm_irq_install
> > error: [drm:pid0:inteldrm_attach] *ERROR* oherrala: i915_drm.c: failed to 
> > init modeset
> 
> Helped quite a bit.  I'm fairly certain the diff I just committed will fix 
> your problem.

This also fixed the 12" Macbook Retina (2015).

Thanks!

Re: Rspamd with smtpd

[Joerg Jung]

> Am 11.11.2015 um 05:44 schrieb Daniel Ouellet :
> 
> Does anyone use this port yet Rspamd.
> 
> I saw Stuart + a few helpers making a port of Rspamd. Only on current
> now, so I install current on a server and try to run it.
> 
> But anyone have any clue stick to provide on how to actually plug it
> with smtpd?

I do not use it, but I guess you can use it in LDA mode 
with "... deliver to mda rspamc..."  in smtpd.conf,
as described here https://rspamd.com/doc/integration.html

> Looks like Rspamd accept only input via the http standard.
> 
> I have to say google provide me more questions, then answers.
> 
> I thought that may be relay to the rspamd port 11333 where it is
> listening at would work, but well, it's not coming back on port 11334
> that appear to definitely listening for http request
> 
> In any case, either ports doesn't do it.
> 
> It appear to be a nice port to use and fast, but well, can't fugue out
> how to use it yet...
> 
> # telnet 127.0.0.1 11333
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> EHLO home.ouellet.biz
> Connection closed by foreign host.
> 
> # telnet 127.0.0.1 11334
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> EHLO home.ouellet.biz
> HTTP/1.1 14 (NULL)
> Connection: close
> Server: rspamd/1.0.9
> Date: Wed, 11 Nov 2015 04:43:20 GMT
> Content-Length: 38
> Content-Type: text/plain
> 
> HTTP parser error: invalid HTTP methodConnection closed by foreign host.
> 
> So, how one can or would use this if I would like to try it?

Re: (U)EFI install and boot not finding hd0a:/bsd

[Joerg Jung]

> On 06 Nov 2015, at 21:39, Sevan / Venture37  wrote:
> 
> It's still not possible to boot miniroot58.fs on a mid-2012
> MacBookAir5,1, the miniroot58.fs I tried is dated 06-Nov-2015 13:24
> from ftp.fr.openbsd.org.
> 
> https://pbs.twimg.com/media/CTJ9GCcUcAAtDvh.jpg

Yes, this is a known problem.
See https://github.com/yasuoka/openbsd-uefi/issues/2
Try latest install58.fs and boot the uncompressed bsd.rd.

Pre-orders for 5.8

[Joerg Jung]

To celebrate the upcoming 20 years anniversary release of OpenBSD,
four (instead of the usual one) songs are contributed and will be
included in the release. The song I contributed is being released
today:

   http://www.openbsd.org/lyrics.html#58c
 
By the way, pre-orders for 5.8 CDs and posters were enabled moments ago.

Also, please see:

   http://www.openbsd.org/58.html

for more details about what is coming in this release.

Re: IPv6 and OpenBSD

[Joerg Jung]

Am 18.02.2014 um 20:46 schrieb Vigdis vigdis+o...@chown.me:

 I recently set up IPv6 on my computers, and now I have some questions :
 
 1) Why is there a difference with the -I option whether it is ping or
 ping6? (ping -I wants an ifaddr and ping6 -I an interface name)

AFAIK this is because of IPv6 scoped addresses With link-local addresses, 
the kernel does not know which interface to use, so you need to specify.

 2) From man resolv.conf: By default IPv4 addresses are queried first,
 and then IPv6 addresses. Why this choice ? According to
 [1], this policy is since 4.6, so were IPv6 queried first before?

Commit message says:
 Add a resolv.conf option to specify the order in which getaddrinfo
  PF_UNSPEC queries are made. While there change the default from inet6
  first then inet4 to inet4 first then inet6, this prevents the many
  people with IPv4 only connectivity from constantly trying to contact
  IPv6 addresses, and also unbreaks many ports who don't use getaddrinfo
  right. [...]

 3) I saw that jung@ worked during b2k13 to make spamd IPv6 capable [2],
 any chance that it will be IPv6 capable in 5.5?

Nope. Not yet ready.

Regards,
Joerg