SOLVED: Re: Thinkpad function-key wierdness

[Jonathan Thornburg]

For the archives: The problem was exactly as Mizsei_Zolt??n
suggested in <https://marc.info/?l=openbsd-misc=169446879525920=1>:
I had mistakenly toggled Fn-Lock.  (I normally have it on, and had failed
to notice it was off.)  Re-toggling that key solve my problems.

Thanks to all who replied (both on- and off-list),

-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   currently on the west coast of Canada
   "Dear everyone who says masks don't work:
Please get your next surgery with no one wearing masks.
Thank you for your cooperation.  -- anon"

Thinkpad function-key wierdness

[Jonathan Thornburg]

  f.title
"  Refresh" f.refresh
"  Resize Window"   f.resize
"forceMove Window"  f.forcemove
"  Raise or Lower"  f.raiselower
"  Magnify" !"xmag -source 128x128 &"
"  Dump >/tmp/bkis.xwd --> .pnm"!"(xwd -out /tmp/bkis.xwd; xwdtopnm 
/tmp/bkis.xwd >/tmp/bkis.pnm; /bin/rm -f /tmp/bkis.xwd) &"
"Dump >/tmp/bkis.xwd --> .png"  !"(xwd -out /tmp/bkis.xwd; xwdtopnm 
/tmp/bkis.xwd | pnmtopng >/tmp/bkis.png; /bin/rm -f /tmp/bkis.xwd) &"
""  f.nop
"Default Menu"  f.menu "default-menu"
""  f.nop
"sync; suspend  (NO LOCK)"  !"sync; sleep 1; sync; sleep 2; zzz"
"sync; blank screen (NO LOCK)"  !"sync; xlock -nolock -mode blank -delay 25 
&"
""  f.nop
"sync; lock screen" !"sync; xlock -mode blank -delay 25 &"
""  f.nop
## this doesn't work reliably -- sometimes it locks, sometimes it doesn't :(
##"sync; lock screen ; suspend" !"sync; (xlock -mode blank -delay 25 &); 
sleep 2; sync; sleep 3; zzz"
""  f.nop
"*** Kill Window ***"   f.destroy
""  f.nop
""  f.nop
"*** Kill twm ***"  f.quit
}

menu "Icon"
{
"Show Icon Mgr" f.showiconmgr
"Hide Icon Mgr" f.hideiconmgr
"(De)Iconify"   f.iconify
"DeIconify" f.deiconify
}

menu "default-menu"
{
"Default Menu"  f.title
"Refresh"   f.refresh
"Refresh Window"f.winrefresh
"Zoom"  f.zoom
"Icon actions"  f.menu "Icon"
"twm Version"   f.version
"Focus on Root" f.unfocus
"Source .twmrc" f.twmrc
"Cut File"  f.cutfile
"(De)Iconify"   f.iconify
"DeIconify" f.deiconify
"Move Window"   f.move
"Resize Window" f.resize
"Raise Window"  f.raise
"Lower Window"  f.lower
"Focus on Window"   f.focus
"Raise-n-Focus" f.function "raise-n-focus"
"Destroy Window"f.destroy
"Zoom Window"   f.zoom
"FullZoom Window"   f.fullzoom
"Kill twm"  f.quit
}
--- end ~/.twmrc ---


Thanks for any insights anyone can offer,
-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   currently on the west coast of Canada
   "!07/11 PDP a ni deppart m'I !pleH" -- slashdot.org page footer, 2022-10-16
   "eHpl !'I mrtpaep dnia P PD1 /107" -- slightly more plausible message given
 the PDP-11's little-endian byte order

Re: recommendations for web hosting in Canada?

[Jonathan Thornburg]

I wrote:
> I'm looking for a web hosting provider based in Canada.  Performance
> isn't critical (the websites will be relatively small, static, and
> low-traffic), but I'd like a firm whose customer support doesn't
> core-dump if I mention Perl or OpenBSD.  Any recommendations?

Thank you to the many people who replied, both privately and here in
misc@.  But, in hindsight I didn't express my actual question very well.
What I should have written was more like this:

  I'm looking for a web hosting provider based in Canada.  That is,
  I'm looking for a provider who will host my html, jpeg, css, etc.,
  files on their web server and manage certificates and DNS entries
  for my domain.  I don't need super-high performance (the websites will
  be relatively small, low-traffic, and static), but I'd like a provider
  based in Canada whose interface and "management console" don't require
  a proprietory Windows/Mac/Android client.  Any recommendations?

I'm sorry for confusing people with my original sloppily-worded query.

thanks, ciao,
-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   currently on the west coast of Canada
   "!07/11 PDP a ni deppart m'I !pleH" -- slashdot.org page footer, 2022-10-16
   "eHpl !'I mrtpaep dnia P PD1 /107" -- slightly more plausible message given
 the PDP-11's little-endian byte order

recommendations for web hosting in Canada?

[Jonathan Thornburg]

I'm looking for a web hosting provider based in Canada.  Performance
isn't critical (the websites will be relatively small, static, and
low-traffic), but I'd like a firm whose customer support doesn't
core-dump if I mention Perl or OpenBSD.  Any recommendations?

Thanks,
-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   currently on the west coast of Canada
   "!07/11 PDP a ni deppart m'I !pleH" -- slashdot.org page footer, 2022-10-16
   "eHpl !'I mrtpaep dnia P PD1 /107" -- slightly more plausible message given
 the PDP-11's little-endian byte order

SOLVED Re: PC Engines APU2 infinite loop rebooting immediate after kernel loads

[Jonathan Thornburg]

My problem was indeed a missing /etc/boot.conf.  Creating that with
contents
  stty com0 115200
  set tty com0
solved my immediate problem, and editing /etc/ttys to have a getty
running on the serial port (at the right baud rate) got me a fully
working system.

Thanks to everyone who responded (both here & by private email)
for reminding me about boot.conf -- I knew about that but had
brain-parity-error overlooked it.

ciao,
-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   on the west coast of Canada
   "Now back when I worked in banking, if someone went to Barclays,
pretended to be me, borrowed UKP10,000 and legged it, that was
`impersonation', and it was the bank's money that had been stolen,
not my identity.  How did things change?" -- Ross Anderson

SOLVED Re: any way to "redo" a botched upgrade?

[Jonathan Thornburg]

Thank you to all who responded in this thread and by private email --
your replies were very helpful!  Following Stuart Henderson's suggestion,
I found that I did indeed have a
  /usr/local/libdata/perl5/site_perl/amd64-openbsd/auto/Term/ReadLine/Gnu
containing (among other things) an out-of-date file Gnu.so.

I have now "solved" the problem by replacing the entire
  /usr/local/libdata/perl5/
tree with a copy of that from a twin machine (also amd64/7.3, just
upgraded from 7.2) which doesn't seem to have this problem.

After that the immediate problem (fatal error on /use Term::ReadPassword;/)
is gone.  I did another full 'pkg_add -uvv' to be on the safe side, which
found a few 'file already exists', but after overwriting those everything
seems to be working now.

Thanks again to everyone who helped!
ciao,
-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   on the west coast of Canada
   "Now back when I worked in banking, if someone went to Barclays,
pretended to be me, borrowed UKP10,000 and legged it, that was
`impersonation', and it was the bank's money that had been stolen,
not my identity.  How did things change?" -- Ross Anderson

Re: any way to "redo" a botched upgrade?

[Jonathan Thornburg]

In message <https://marc.info/?l=openbsd-misc=168195765101827=1>
I described an amd64 system which, after a 7.1-->7.2-->7.3 set of
upgrades, now has the perl Term::ReadPassword library inconsistent with
the system perl.


Jeremy Mates  asked
> Does the code error in the same way after the Term::ReadPassword package
> is removed, thus indicating that maybe a `cpan` run installed the module
> outside the OpenBSD package system?

Good idea, but no.  If the package is removed I get the expected failure
that perl can't find the package:
  # pkg_delete -vv !$
  pkg_delete -vv p5-Term-ReadPassword
  Running /usr/sbin/makewhatis -u /usr/local/man -- 
/usr/local/man/man3p/Term::ReadPassword.3p
  p5-Term-ReadPassword-0.11p2: ok
  Read shared items: ok
  Clean shared items: ok
  /dev/sd1g on /usr/local: -18737 bytes
  # /tmp/foo
  Can't locate Term/ReadPassword.pm in @INC (you may need to install the 
Term::ReadPassword module) (@INC contains: 
/usr/local/libdata/perl5/site_perl/amd64-openbsd 
/usr/local/libdata/perl5/site_perl /usr/libdata/perl5/amd64-openbsd 
/usr/libdata/perl5) at /tmp/foo line 4.
  BEGIN failed--compilation aborted at /tmp/foo line 4.
  #


Andrew Hewus Fresh  wrote:
> This usually happens when an XS module is installed outside of the
> package ecosystem, often with a CPAN client.
> 
> I would guess this error is Term::ReadLine::Gnu
> https://metacpan.org/pod/Term::ReadLine::Gnu

I've never used the CPAN client (I always install CPAN perl modules
"manually" via 'perl Makefile.PL'; 'make'; 'make test'; 'doas make install',
and follow dependency chains manually).  And I've never installed
Term::Readline::Gnu.  But I do see that I installed the p5-Devel-NYTProf
package, and maybe that dragged in some conflicting library?  But
deleting that package doesn't change the error I'm getting.

Hmm, since I have another -- fully working 7.3/amd64 system with what
should be the identical set of perl modules and packages, maybe comparing
recursive directory listings and/or file contents of the perl @INC
directories between the working and broken systems would be informative.
I'll try that.

Thanks to both of you for your suggestions!
ciao,
--
-- "Jonathan Thornburg [remove -color to reply]" 
   on the west coast of Canada, eh?
   "Now back when I worked in banking, if someone went to Barclays,
pretended to be me, borrowed UKP10,000 and legged it, that was
`impersonation', and it was the bank's money that had been stolen,
not my identity.  How did things change?" -- Ross Anderson

any way to "redo" a botched upgrade?

[Jonathan Thornburg]

I've just upgraded an amd64 machine from 7.1 to 7.3 (first a 7.1-->7.2
upgrade, immediately followed by a 7.2-->7.3 upgrade, both following the
FAQ instructions).  After a full 'pkg_add -uvv', at least one package
(p5-Term-ReadPassword) is out-of-sync with the new perl binary:
  # cat /tmp/foo
  #!/usr/bin/perl
  use warnings;
  use strict;
  use Term::ReadPassword;
  
  print "hello, world\n";
  # /tmp/foo
  Gnu.c: loadable library and perl binaries are mismatched (got first handshake 
key 0xec0, needed 0xeb8)
  # pkg_add -uvv p5-Term-ReadPassword
  Update candidates: quirks-6.121 -> quirks-6.121
  quirks-6.121 signed on 2023-04-19T08:30:26Z
  No change in quirks-6.121
  Update candidates: p5-Term-ReadPassword-0.11p2 -> p5-Term-ReadPassword-0.11p2
  No change in p5-Term-ReadPassword-0.11p2
  #

I've tried deleting and re-adding the p5-Term-ReadPassword package
('pkg_delete -vv p5-Term-ReadPassword', 'pkg_add -vv p5-Term-ReadPassword')
and rebooting, but this didn't change the above behavior.  My /etc/installurl
points to 
  https://cdn.openbsd.org/pub/OpenBSD

The output of 'perl -V' on this system is identical to that on another
amd64 machine (which I just upgraded from 7.2-->7.3) which does *not*
have this problem.  In both cases:
# perl -V
Summary of my perl5 (revision 5 version 36 subversion 0) configuration:
   
  Platform:
osname=openbsd
osvers=7.3
archname=amd64-openbsd
uname='openbsd'
config_args='-dse -Dopenbsd_distribution=defined -Dmksymlinks'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
  Compiler:
cc='cc'
ccflags ='-DNO_LOCALE_NUMERIC -DNO_LOCALE_COLLATE -fno-strict-aliasing 
-fno-delete-null-pointer-checks -pipe -fstack-protector-strong 
-I/usr/local/include'
optimize='-O2'
cppflags='-DBIG_TIME -DNO_LOCALE_NUMERIC -DNO_LOCALE_COLLATE 
-fno-strict-aliasing -fno-delete-null-pointer-checks -pipe 
-fstack-protector-strong -I/usr/local/include'
ccversion=''
gccversion='OpenBSD Clang 13.0.0'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
  Linker and Libraries:
ld='cc'
ldflags ='-Wl,-E  -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/lib /usr/lib/clang/13.0.0/lib
libs=-lm -lc
perllibs=-lm -lc
libc=/usr/lib/libc.so.97.0
so=so
useshrplib=true
libperl=libperl.so.23.0
gnulibc_version=''
  Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-R/usr/libdata/perl5/amd64-openbsd/CORE'
cccdlflags='-DPIC -fpic '
lddlflags='-shared -fpic  -fstack-protector-strong -L/usr/local/lib'


Characteristics of this binary (from libperl): 
  Compile-time options:
HAS_TIMES
PERLIO_LAYERS
PERL_COPY_ON_WRITE
PERL_DONT_CREATE_GVSV
PERL_MALLOC_WRAP
PERL_OP_PARENT
PERL_PRESERVE_IVUV
USE_64_BIT_ALL
USE_64_BIT_INT
USE_LARGE_FILES
USE_LOCALE
USE_LOCALE_CTYPE
USE_LOCALE_TIME
USE_PERLIO
USE_PERL_ATOF
  Built under openbsd
  @INC:
/usr/local/libdata/perl5/site_perl/amd64-openbsd
/usr/local/libdata/perl5/site_perl
/usr/libdata/perl5/amd64-openbsd
/usr/libdata/perl5
#

I presume that I somehow botched one of the upgrades.
Is there any easy way to "redo the upgrade", or should I just give
up and do a clean 7.3 (re)install (followed by manual re-creation of
all of my system configuration)?

Thanks,
-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   on the west coast of Canada, eh?
   "Now back when I worked in banking, if someone went to Barclays,
pretended to be me, borrowed UKP10,000 and legged it, that was
`impersonation', and it was the bank's money that had been stolen,
not my identity.  How did things change?" -- Ross Anderson

PC Engines APU2 infinite loop rebooting immediate after kernel loads

[Jonathan Thornburg]

*Summary*
I have a PC Engines APU2 with a wierd problem: on power-on it starts
executing the PC Engines coreboot as it should, loads the OpenBSD boot
loader, and the OpenBSD boot loader then loads an OpenBSD kernel (either
7.2/amd64 bsd.rd from an SD card *or* 7.3/amd64 bsd.rd from a USB stick).
But immediately after printing
  entry point at 0x8100100
the APU2 reboots.  Memtest86 doesn't find anything wrong with the hardware.
Has anyone else seen these symptoms and/or have any suggestions for further
troubleshooting?


*Details*
The hardware is a PC Engines apu4d4 (4 ethernet ports, 2 USB, 4GB RAM)
with a 16GB SD card.  I bought the hardware in mid-2022 but didn't get
it working them; alas I don't recall just what I did then.  I'm now
returning to trying to get it operational.

The PC Engines coreboot BIOS has an option to run memtest86; I did a
full cycle (about 1.5 hours wall-clock time) and it didn't find any
problems with the cpu/memory.

There is a 7.2/amd64 bsd.rd on the SD card.  If I power the apu2 on and
don't interrupt the startup sequence, it gets as far as the OpenBSD boot
loader loading that kernel and printing the kernel entry address, but then
the apu2 reboots (and the cycle repeats forever if I don't interrupt it).
Here's a transcript of the serial-port output showing the startup and
first reboot:
--- begin ---
^@PC Engines apu4
coreboot build 20202905
BIOS version v4.12.0.1
4080 MB ECC DRAM

ESCcESC[?7lESC[2JESC[0mSeaBIOS (version rel-1.12.1.3-0-g300e8b70)

Press F10 key now for boot menu

Booting from Hard Disk...
Using drive 0, partition 3.
Loading..
probing: pc0 com0 com1 com2 com3 mem[639KKESC[08;42H 3325M 752M a20=on] 
disk: hd0+
>> OpenBSD/amd64 BOOT 3.55
boot> 
cannot open hd0a:/etc/random.seed: No such file or directory
booting hd0a:/7.2/amd64/bsd.rd: 3916484+1639424+3884040+0+704512 [109+438912+292
606]=0xa61d70
entry point at 0x8100100PC Engines apu4
coreboot build 20202905
BIOS version v4.12.0.1
4080 MB ECC DRAM

ESCcESC[?7lESC[2JESC[0mSeaBIOS (version rel-1.12.1.3-0-g300e8b70)
--- end ---

If this were the only problem, I could easily write it off as the
kernel on the SD card being corrupted, and/or the SD card being faulty.
But I get an almost-identical result if I follow
  https://www.openbsd.org/faq/faq4.html#MkInsMedia
and try to boot from a 7.3/amd64 install73.img on a USB stick:
--- begin ---
^@PC Engines apu4
coreboot build 20202905
BIOS version v4.12.0.1
4080 MB ECC DRAM

ESCcESC[?7lESC[2JESC[0mSeaBIOS (version rel-1.12.1.3-0-g300e8b70)

Press F10 key now for boot menu

Select boot device:

1. USB MSC Drive Lexar USB Flash Drive 8.07
2. SD card SE16G 15193MiB
3. Payload [setup]
4. Payload [memtest]

Booting from Hard Disk...
Using drive 0, partition 3.
Loading..
probing: pc0 com0 com1 com2 com3 mem[639K 3325M 752M a20=on] 
disk: hd0+ hd1+
>> OpenBSD/amd64 BOOT 3.55
boot> 
cannot open hd0a:/etc/random.seed::ESC[19;35H No such file or directory
booting hd0a:/7.3/amd64/bsd.rd: 3924676+1647616+3886216+0+704512 [109+440424+293
778]=0xa667f0
entry point at 0x8100100PC Engines apu4
coreboot build 20202905
BIOS version v4.12.0.1
4080 MB ECC DRAM

ESCcESC[?7lESC[2JESC[0mSeaBIOS (version rel-1.12.1.3-0-g300e8b70)
--- end ---

Since two different kernels and boot devices result in the same
infinite-reboot loop, with the reboot happening at the same place
in the boot sequence (immediately after the kernel entry point address
is printed), I don't think my problem is a corrupted kernel file.
I've also tried swapping power supplies, with no change in the outcome.

Has anyone seen this sort of problem (infinite reboot loop, rebooting
immediately after kernel entry point address is printed) before?  Should
I be looking at reflashing the BIOS with a newer (or older) version?

Thanks for any insights,
--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "!07/11 PDP a ni deppart m'I !pleH" -- slashdot.org page footer, 2022-10-16
   "eHpl !'I mrtpaep dnia P PD1 /107" -- slightly more plausible message
 given PDP-11 little-endian byte order

Re: Disabling .core file generation

[Jonathan Thornburg]

Another "low-tech" way of disabling .core file generation is to create
the core file yourself, as a symlink to /dev/null:

% ls -lFgd $HOME/*.core
lrwxr-xr-x  1 jonathan  jonathan  9 Feb 16  2022 
/home/jonathan/WebKitWebProcess.core@ -> /dev/null
lrwxr-xr-x  1 jonathan  jonathan  9 Apr 23  2022 /home/jonathan/ctwm.core@ -> 
/dev/null
lrwxr-xr-x  1 jonathan  jonathan  9 Feb 16  2022 /home/jonathan/evince.core@ -> 
/dev/null
lrwxr-xr-x  1 jonathan  jonathan  9 Feb 16  2022 /home/jonathan/firefox.core@ 
-> /dev/null
lrwxr-xr-x  1 jonathan  jonathan  9 Feb 16  2022 /home/jonathan/iridium.core@ 
-> /dev/null
lrwxr-xr-x  1 jonathan  jonathan  9 Feb 16  2022 /home/jonathan/mutt.core@ -> 
/dev/null
%

This is a bit ugly, but it takes effect immediately and doesn't require root.

-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   currently on the west coast of Canada
"To report on BitCoin without mentioning the drug dealing and child abuse
 involved is like a history book describing the booming economies of the
 ante-bellum cotton states without mentioning that it was all built on
 slavery."  -- Phill Hallem-Baker

how to get per-IP traffic statistics?

[Jonathan Thornburg]

I have a number of clients (2 OpenBSD systems, 3 Windows 10 systems,
an Android phone or two, and a VoIP phone) all connected to the internet
through an OpenBSD firewall (currently 7.1/amd64, will be 7.2 soon).
I'm trying to track down which client(s) is/are responsible for a 5-fold
increase in my overall data usage last month (and, I suspect, a similar
ongoing data usage).

So, I'd like to modify the firewall to somehow record the per-IP-address
number of bytes passed by the firewall (I can then match up the IP addresses
with the dhcpd logs to find the offending client(s)).  This StackExchange
question-and-answer
  https://serverfault.com/questions/303931/getting-per-ip-traffic-stats-from-pf
gives a possible solution
> export netflow data for all your traffic, grab it with Flow-Tools,
> and feed it to something like JKFlow to parse (and graph/report on).
but that was as of 2011.

Is this still the most straightforward way to get per-IP traffic stats?
If so, can anyone point me to any reasonably up-to-date "big picture"
tutorials/documentation?  The closest I've come so far is this discussion
  https://www.pantz.org/software/flowtools/configflowtoolspfflow.html
but it's from 2006.

Thanks,
-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   currently on the west coast of Canada
   "Now back when I worked in banking, if someone went to Barclays,
pretended to be me, borrowed UKP10,000 and legged it, that was
`impersonation', and it was the bank's money that had been stolen,
not my identity.  How did things change?" -- Ross Anderson

Re: 7.2: unbound(timeout) on startup

[Jonathan Thornburg]

Hi,

> I suspect that pppoe is a bit slow at startup, so unbound somehow times out
> but has no problems once the network setup/the machine is stable.

It's an ugly kludge, but what if you put a wrapper script around the
unbound binary which delays 30 or 60 seconds before executing the actual
unbound binary?

ciao,
-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   on the west coast of Canada
   "Now back when I worked in banking, if someone went to Barclays,
pretended to be me, borrowed UKP10,000 and legged it, that was
`impersonation', and it was the bank's money that had been stolen,
not my identity.  How did things change?" -- Ross Anderson

Re: 7.2: unbound(timeout) on startup

[Jonathan Thornburg]

Hi,

> since upgrading my router to 7.1 unbound doesn't start up automatically 
> anymore,
> instead it times out:
> 
> starting early daemons: syslogd pflogd unbound(timeout) ntpd.
> 
> It can be started successfully manually later. This setup worked with 7.0.

I have a very similar configuration (apu2 acting as a firewall/router
for home network), with a similar unbound.conf (given below) which is
working fine as of 7.1-stable.  I recently switched from one ISP to another
and there was no problem (literally: unplug ethernet cable from $OLD_ISP
router, plug into $NEW_ISP router, reboot firewall).  My outside interface
has

--- begin /etc/hostname.em0 ---
inet autoconf
--- end /etc/hostname.em0 ---

Does the -d unbound flag give any useful output for you?  More generally,
how are you starting unbound, i.e., what (if any) flags are you passing in
/etc/rc.conf.local?  I have

--- begin /etc/rc.conf.local ---
dhcpd_flags="em1 em2 em3"
unbound_flags=""
dhcpleased_flags=
--- end /etc/rc.conf.local ---

Here is my unbound.conf
--- begin /var/unbound/etc/unbound.conf ---
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
interface: 127.0.0.1
interface: em1  # wired
interface: em2  # wifi
interface: em3  # voip
#interface: 127.0.0.1@5353  # listen on alternative port
#interface: ::1
do-ip6: no
prefer-ip4: yes

# override the default "any" address to send queries; if multiple
# addresses are available, they are used randomly to counter spoofing
#outgoing-interface: 192.0.2.1
#outgoing-interface: 2001:db8::53

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: 192.168.155.0/24 allow  # any internal address

private-address: 192.168.0.0/16 # block DNS rebinding attacks
# where local browser becomes
# a trojen

hide-identity: yes
hide-version: yes

# Perform DNSSEC validation.
#
root-hints: "/var/unbound/etc/root.hints"
auto-trust-anchor-file: "/var/unbound/db/root.key"
qname-minimisation: yes
#val-log-level: 2

# Synthesize NXDOMAINs from DNSSEC NSEC chains.
# https://tools.ietf.org/html/rfc8198
#
#aggressive-nsec: yes

# Serve zones authoritatively from Unbound to resolver clients.
# Not for external service.
#
#local-zone: "local." static
#local-data: "mycomputer.local. IN A 192.0.2.51"
#local-zone: "2.0.192.in-addr.arpa." static
#local-data-ptr: "192.0.2.51 mycomputer.local"

# Use TCP for "forward-zone" requests. Useful if you are making
# DNS requests over an SSH port forwarding.
#
#tcp-upstream: yes

# CA Certificates used for forward-tls-upstream (RFC7858) hostname
# verification.  Since it's outside the chroot it is only loaded at
# startup and thus cannot be changed via a reload.
tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
control-enable: yes
control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
forward-zone:
name: "."   # use for ALL queries
##forward-addr: 192.168.1.254   # Telus router
# next non-comment line configures Cloudflare DNS-over-TLS
# ... hostname after the '#' is not a comment, it is used for TLS checks
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-tls-upstream: yes
    forward-first: no   # don't fallback to insecure DNS
--- end /var/unbound/etc/unbound.conf ---

ciao,
-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   on the west coast of Canada
   "Now back when I worked in banking, if someone went to Barclays,
pretended to be me, borrowed UKP10,000 and legged it, that was
`impersonation', and it was the bank's money that had been stolen,
not my identity.  How did things change?" -- Ross Anderson

Re: SOLVED: Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

[Jonathan Thornburg]

In message <https://marc.info/?l=openbsd-misc=166062861021368=1>
I described how I'm using an OpenBSD firewall (pf) to protect a VOIP
phone system.  A small correction:

I wrote:
> The firewall
> also runs unbound to provide caching DNS service to the VOIP box and the
> local computers, and to do secure DNS-over-TCP to an upstream DNSSEC
> provider.  (That way I don't need to trust the ISP box's DNS service.)

Oops, /dev/brain parity error there -- that should have been "DNS-over-TLS".
Sorry for any confusion,

-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   on the west coast of Canada, eh?
   "Why would we install sewers in London?  Everyone keeps getting cholera
again and again so there's obviously no reason to install sewers.  We
just need to get used to this as the new normal."
 -- 2022-07-25 tweet by "Neoliberal John Snow"

SOLVED: Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

[Jonathan Thornburg]

  64  32  16   8   4   2   1
# so a /26 has a netmask of 255.255.255.192 = 0xffc0
subnet_wired= "192.168.144.0/26"# .0 to .63
subnet_wifi = "192.168.144.64/26"   # .64 to .127
subnet_wired_or_wifi= "192.168.144.0/25"# .0 to .127
subnet_voip = "192.168.144.128/26"  # .128 to .191
subnet_internal = "192.168.144.0/24"# .0 to .255



set skip on lo
block return $MAYBE_LOG_BLOCK

# allow incoming ipv4 connections from any local machine
# to the firewall itself (localhost or any of the firewall's internal addresses)
# ... this is used for for dns lookups
# and for ssh from local machines to the firewall
pass in  $MAYBE_LOG_MAIN quick on $if_wired inet from $subnet_wired \
 to { localhost $if_internal }
pass in  $MAYBE_LOG_MAIN quick on $if_wifi  inet from $subnet_wifi  \
 to { localhost $if_internal }
pass in  $MAYBE_LOG_VOIP quick on $if_voip  inet from $subnet_voip  \
 to { localhost $if_internal }

# allow outgoing ipv4 connections from the firewall itself to any address
# ... traffic from the firewall itself may appear to come from localhost
# or from an interface address
pass out $MAYBE_LOG_MAIN quick on $if_internal inet \
 from { localhost  $if_internal  }
pass out $MAYBE_LOG_MAIN quick on $if_outside  inet \
 from { localhost ($if_outside ) }

##
## firewall rules to pass traffic from/to the wired/wifi subnets omitted here
##

# allow ipv4 connections from the voip subnet
# (but only the protocols/ports documented for our Ooma voip box)
# to/from the outside world and NAT these
pass in  $MAYBE_LOG_VOIP quick on $if_voipinet  \
 proto udp  \
 from $subnet_voip to !$subnet_internal \
 port { 53 1194 1294 67 123 3480 1:2 }
pass in  $MAYBE_LOG_VOIP quick on $if_voipinet  \
 proto tcp  \
 from $subnet_voip to !$subnet_internal \
 port { 53 1194 1294 80 110 443 }
pass out $MAYBE_LOG_VOIP quick on $if_voipinet  \
 proto udp  \
 to $subnet_voip    \
     port 49000:5
pass out $MAYBE_LOG_VOIP quick on $if_outside inet  \
 from $subnet_voip to !$subnet_internal \
 nat-to ($if_outside) modulate state
--- end firewall /etc/pf.conf ---


-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   on the west coast of Canada, eh?
   "Why would we install sewers in London?  Everyone keeps getting cholera
again and again so there's obviously no reason to install sewers.  We
just need to get used to this as the new normal."
 -- 2022-07-25 tweet by "Neoliberal John Snow"

how to completely reset all networking configuration without rebooting?

[Jonathan Thornburg]

In <https://marc.info/?l=openbsd-misc=165579145005202=1>,
Stuart Henderson  wrote
> netstart does nothing to clear existing configuration. It wouldn't make
> sense to do this for joinlist without also e.g. clearing IP addresses
> from interfaces as needed, resetting media options/MTU/rdomain/VLAN
> configuration, etc.

So, is there a way to to completely reset all networking configuration
without rebooting?

--
-- "Jonathan Thornburg [remove -color to reply]" 
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently on the west coast of Canada
   "C++ is to programming as sex is to reproduction. Better ways might
technically exist but they're not nearly as much fun." -- Nikolai Irgens
   "that applies to Perl, too!" -- me

Re: 7.1/amd64 DejaVuSansMono fonts are much larger than 7.0/amd64

[Jonathan Thornburg]

On Sun, May 01, 2022 at 07:07:36PM -0700, Jonathan Thornburg wrote:
> On a freshly installed 7.1/amd64 (Lenovo Thinkpad T530 laptop), the
> DejaVuSansMono fonts are much larger (i.e., each character occupies
> more screen pixels in both x and y) than on 7.0 and earlier.  This is
> true for both fvwm and twm.
[[...]]

On Mon, May 02, 2022 at 12:37:08PM +1000, Jonathan Gray replied:
> This is due to xserver dpi changes
> https://marc.info/?l=openbsd-tech=163674121630769=2

Ahh, now it all makes sense.  I wonder if this warrants a note in the
upgrade guide?

Thanks for the explanation!
Keep safe and COVID-free, -- Jonathan

7.1/amd64 DejaVuSansMono fonts are much larger than 7.0/amd64

[Jonathan Thornburg]

On a freshly installed 7.1/amd64 (Lenovo Thinkpad T530 laptop), the
DejaVuSansMono fonts are much larger (i.e., each character occupies
more screen pixels in both x and y) than on 7.0 and earlier.  This is
true for both fvwm and twm.

Empirically, I find that for 7.1,
  # xterm -fa DejaVuSansMono -fs 7
is needed to get what appears to be the same sized font (& hence the
same sized xterm window)
as
  # xterm -fa DejaVuSansMono -fs 10
and produced for 7.0 and earlier on the same hardware.

Is this as expected?  This being OpenBSD, Is there a Fine Manual I
should have read that would have informed me of this change before I
wound up with a bunch of giant xterm windows (whose sizes were/are
specified in character units)?

Below I give the output of 'dmesg' and 'xdpyinfo'.

Keep safe and COVID-free, -- Jonathan

--- begin dmesg ---
OpenBSD 7.1 (GENERIC.MP) #465: Mon Apr 11 18:03:57 MDT 2022
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 16845565952 (16065MB)
avail mem = 16317718528 (15561MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xdae9c000 (68 entries)
bios0: vendor LENOVO version "G4ETA7WW (2.67 )" date 08/24/2016
bios0: LENOVO 24292A9
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC TCPA SSDT SSDT SSDT HPET APIC MCFG ECDT FPDT ASF! 
UEFI UEFI POAT SSDT SSDT DMAR UEFI DBG2
acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) EXP3(S4) XHCI(S3) EHC1(S3) 
EHC2(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz, 2893.96 MHz, 06-3a-09
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz, 2893.44 MHz, 06-3a-09
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xf800, bus 0-63
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG_)
acpiprt2 at acpi0: bus 2 (EXP1)
acpiprt3 at acpi0: bus 3 (EXP2)
acpiprt4 at acpi0: bus 4 (EXP3)
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
acpicmos0 at acpi0
acpibat0 at acpi0: BAT0 model "45N1011" serial 54386 type LION oem "LGC"
acpiac0 at acpi0: AC unit online
"LEN0078" at acpi0 not configured
acpithinkpad0 at acpi0: version 1.0
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
acpicpu0 at acpi0: C2(350@80 mwait.1@0x20), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C2(350@80 mwait.1@0x20), C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: PUBS, resource for XHCI, EHC1, EHC2
acpitz0 at acpi0: critical temperature is 103 degC
acpivideo0 at acpi0: VID_
acpivout0 at acpivideo0: LCD0
acpivideo1 at acpi0: VID_
cpu0: using VERW MDS workaround (except on vmm entry)
cpu0: Enhanced SpeedStep 2893 MHz: speeds: 2901, 2900, 2800, 2700, 2500, 2400, 
2300, 2200, 2000, 1900, 1800, 1700, 1600, 1400, 1300, 1200 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 3G Host" rev 0x09
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 4000" rev 0x09
drm0 at inteldrm0
inteldrm0: msi, IVYBRIDGE, gen 7
xhci0 at pci0 dev 20 function 0 "Intel 7 Series xHCI" rev 0x04: msi, xHCI 1.0
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 
addr 1
"Intel 7 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
em0 at pci0 dev 25 function 0 "Intel 82579LM" rev 0x04: msi, address 
3c:97:0e:84:e7:c5
ehci0 at pci0 dev 26 function 0 "Intel 7 Series USB" rev 0x04: apic 2 int 16
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
azalia0 at pci0 dev 27 function 0 "Intel 7 Series HD Audio" rev 0x04: 

Re: laptop touchpad works fine for a while, then stops working

[Jonathan Thornburg]

On Fri, Jan 28, 2022 at 11:09:17PM +0100, Ulf Brosziewski wrote:
> Most likely this means it's a hardware or firmware problem.

Thanks for the diagnosis.  I guess I'll just have to live with the
problem (and hope it doesn't become more frequent).

--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: has the definition of 'nice' changed?

[Jonathan Thornburg]

In <https://marc.info/?l=openbsd-misc=164212677602970=1> I wrote
> I've just noticed something odd about the scheduling of processes with
> varying 'nice' values (7.0-stable/amd64, GENERIC.MP): it appears that
> processes with 'nice 20' are given more favorable scheduling than those
> with 'nice 10', which is exactly the opposite of what I'd expect [[...]]

In <https://marc.info/?l=openbsd-misc=164214220808789=1>,
Otto Moerbeek replied
> Are youre processes multithreaded?? Check with top -H.

I apologise for the long delay in followup (unrelated work crises).

No, they're not multithreaded -- they're all instances of a (the same)
single-threaded "number-crunching" code written in C++ (compiled by
clang 11.1.0 from ports).  Here's the first part of the output of
'top -H -s -i -s1' for another set of such processes I have running
right now:

398 threads: 4 running, 390 idle, 4 on processor   up 21:36
CPU0:  0.0% user, 96.0% nice,  0.0% sys,  0.0% spin,  4.0% intr,  0.0% idle
CPU1:  0.0% user,  100% nice,  0.0% sys,  0.0% spin,  0.0% intr,  0.0% idle
CPU2:  1.0% user, 99.0% nice,  0.0% sys,  0.0% spin,  0.0% intr,  0.0% idle
CPU3:  0.0% user,  100% nice,  0.0% sys,  0.0% spin,  0.0% intr,  0.0% idle
Memory: Real: 2841M/8293M act/tot Free: 7195M Cache: 4179M Swap: 0K/34G

  PID  TID PRI NICE  SIZE   RES STATE WAIT  TIMECPU COMMAND
88761   356466  84   10   21M   24M onproc/3  -16:36 99.02% smp-O3
87643   189282 104   20   39M   42M run/2 -14:38 98.93% smp-O3
 4015   151196 104   20   40M   43M onproc/0  - 4:47 51.27% smp-O3
92541   618295  84   10   22M   24M run/1 - 4:48 49.85% smp-O3
26221   169495  84   10   21M   24M onproc/1  - 9:55 49.17% smp-O3
 7827   115940 104   20   39M   42M run/0 -11:45 47.31% smp-O3
61507   342772   20   41M   87M sleep/0   poll  9:42  0.05% Xorg
61507   413182   20   41M   87M sleep/2   poll  0:29  0.05% Xorg

In this case I have 6 CPU-bound processes, 3 smaller ones started with
'nice -n 10 ...' and 3 larger ones started with 'nice -n 20', all running
on a 4-core machine.  I would have expected the three nice-10 processes
to get more CPU than the three nice-20 proesses, but clearly that's not
what's happening.

Looking at 'iostat 5' I see that I/O is pretty low (around 0.5 MB/s or
less).

I wonder if NaN handling might be causing kernel traps which change
the scheduling priority?

--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: laptop touchpad works fine for a while, then stops working

[Jonathan Thornburg]

 00:14:38 gold /bsd: [wsmouse0-ev][8802] 11:37 18:0
Jan 28 00:14:38 gold /bsd: [wsmouse0-ev][8822] 11:36 18:0
Jan 28 00:14:38 gold /bsd: [wsmouse0-ev][8832] 11:37 18:0
Jan 28 00:14:38 gold /bsd: [wsmouse0-ev][8842] 11:36 18:0
Jan 28 00:14:38 gold /bsd: [wsmouse0-ev][8862] 11:37 18:0
Jan 28 00:14:38 gold /bsd: [wsmouse0-ev][8882] 11:36 18:0
Jan 28 00:14:38 gold /bsd: [wsmouse0-ev][8892] 11:37 18:0
Jan 28 00:14:38 gold /bsd: [wsmouse0-ev][8912] 11:39 18:0
Jan 28 00:14:38 gold /bsd: [wsmouse0-ev][8922] 11:37 18:0
Jan 28 00:14:38 gold /bsd: [wsmouse0-ev][8932] 11:38 18:0
Jan 28 00:14:38 gold /bsd: [wsmouse0-ev][8952] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][8972] 11:38 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][8982] 11:39 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][8992] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9002] 11:38 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9022] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9032] 11:39 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9042] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9052] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9062] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9092] 11:39 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9102] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9112] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9132] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9142] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9152] 11:38 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9162] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9172] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9242] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9252] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9272] 11:38 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9282] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9322] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9332] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9342] 11:35 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9362] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9442] 11:35 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9462] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9502] 11:35 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9522] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9542] 11:35 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9572] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9582] 11:35 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9592] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9612] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9632] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9642] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9652] 11:35 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9662] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9692] 11:35 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9702] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9712] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9752] 11:35 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9762] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9772] 11:35 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9782] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9802] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9832] 11:36 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9862] 11:37 18:0
Jan 28 00:14:39 gold /bsd: [wsmouse0-ev][9882] 11:36 18:0

Is there any further information I should gather the next time this
problem occurs?

Thanks,
-- 
-- "Jonathan Thornburg [remove -animal to reply]" 

   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently on the west coast of Canada
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

has the definition of 'nice' changed?

[Jonathan Thornburg]

I've just noticed something odd about the scheduling of processes with
varying 'nice' values (7.0-stable/amd64, GENERIC.MP): it appears that
processes with 'nice 20' are given more favorable scheduling than those
with 'nice 10', which is exactly the opposite of what I'd expect based
on the man page for setpriority(2), "lower priorities cause more favorable
scheduling" (and longstanding Unix experience).

In more detail:
Right now I have 5 CPU-bound processes running (all the same binary, but
with different command-line arguments and started from different working
directories), on hardware with 4 CPUs visible to OpenBSD (quad-core Intel
i7-8650U processor; hyperthreading is disabled both in the BIOS and by
default in OpenBSD).  Of those 5 processes, 3 are at 'nice 20', and the
other 2 are at 'nice 10'.  I expected the 2 'nice 10' processes to each
get more CPU time than the 3 'nice 20' processes, but 'top -S -i -s1'
shows exactly the opposite behavior: the 3 'nice 20' processes are each
getting MORE CPU time (about 100% of a CPU each) than the 2 'nice 1
' processes (about 50% of a CPU each):

load averages:  5.04,  4.99,  4.04   gold.bkis-orchard.net 18:02:38
176 processes: 4 running, 168 idle, 4 on processor up 7 days, 17:40
CPU0:  0.0% user, 97.0% nice,  0.0% sys,  0.0% spin,  3.0% intr,  0.0% idle
CPU1:  1.0% user, 99.0% nice,  0.0% sys,  0.0% spin,  0.0% intr,  0.0% idle
CPU2:  0.0% user,  100% nice,  0.0% sys,  0.0% spin,  0.0% intr,  0.0% idle
CPU3:  1.0% user, 99.0% nice,  0.0% sys,  0.0% spin,  0.0% intr,  0.0% idle
Memory: Real: 5686M/13G act/tot Free: 1929M Cache: 6785M Swap: 0K/34G

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT  TIMECPU COMMAND
95910 jonathan 104   20   39M   42M onproc/3  -17:38 99.02% smp-O3
58006 jonathan 104   20   39M   42M run/2 -42:45 98.97% smp-O3
63085 jonathan 104   20   39M   42M run/1 -12:39 97.66% smp-O3
36985 jonathan  84   10   21M   24M onproc/0  - 5:57 49.66% smp-O3
95125 jonathan  84   10   21M   24M run/0 -11:53 49.32% smp-O3
64031 _firefox  280  959M 1057M run/2 -63:28  0.83% firefox-esr
77428 _firefox   20 1381M 1355M sleep/2   poll179:14  0.10% firefox-esr

Am I missing something obvious?

--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: laptop touchpad works fine for a while, then stops working

[Jonathan Thornburg]

Hi Ulf,

On Fri, Jan 07, 2022 at 10:52:20PM +0100, Ulf Brosziewski wrote:
> When the touchpad stops working, you could enable wsmouse logging, make
> one or two movements on the touchpad, and extract and post the relevant
> part of /var/log/messages.  It might help to determine where the problem
> is.

I will try this the next time the touchpad stops working.


In the meantime...
> Does the problem persist when you throw away your xorg.conf?

I can't easily tell because without xorg.conf the system is unusable
due to the "cursor jumps to left or top of screen" problem.


> And BTW,
> you have different hardware now, is it still necessary to avoid those
> cursor jumps?

Yes, xorg.conf is still necessary on both my T530 and my T580 to avoid
the cursor jumps, at least for twm and ctwm.  xorg.conf is NOT necessary
for fvwm on either machine.

All the best, keep safe and COVID-free, -- Jonathan

laptop touchpad works fine for a while, then stops working

[Jonathan Thornburg]

dev/wsmouse: YAxisMapping: buttons 4 and 5
[97.874] (**) /dev/wsmouse: (accel) keeping acceleration scheme 1
[97.874] (**) /dev/wsmouse: (accel) acceleration profile 0
[97.874] (**) /dev/wsmouse: (accel) acceleration factor: 2.000
[97.874] (**) /dev/wsmouse: (accel) acceleration threshold: 4
[  3131.095] (II) AIGLX: Suspending AIGLX clients for VT switch
[  3648.522] (II) AIGLX: Resuming AIGLX clients after VT switch
[  3648.874] (II) modeset(0): EDID vendor "LEN", prod id 16570
[  3648.874] (II) modeset(0): Printing DDC gathered Modelines:
[  3648.874] (II) modeset(0): Modeline "1920x1080"x0.0  138.60  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (66.6 kHz eP)
[  3648.874] (II) modeset(0): Modeline "1920x1080"x0.0  110.88  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (53.3 kHz e)
[  3649.274] (II) modeset(0): EDID vendor "LEN", prod id 16570
[  3649.274] (II) modeset(0): Printing DDC gathered Modelines:
[  3649.274] (II) modeset(0): Modeline "1920x1080"x0.0  138.60  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (66.6 kHz eP)
[  3649.274] (II) modeset(0): Modeline "1920x1080"x0.0  110.88  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (53.3 kHz e)
[ 11023.284] (II) AIGLX: Suspending AIGLX clients for VT switch
[ 38175.525] (II) AIGLX: Resuming AIGLX clients after VT switch
[ 38175.876] (II) modeset(0): EDID vendor "LEN", prod id 16570
[ 38175.876] (II) modeset(0): Printing DDC gathered Modelines:
[ 38175.876] (II) modeset(0): Modeline "1920x1080"x0.0  138.60  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (66.6 kHz eP)
[ 38175.876] (II) modeset(0): Modeline "1920x1080"x0.0  110.88  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (53.3 kHz e)
[ 38176.277] (II) modeset(0): EDID vendor "LEN", prod id 16570
[ 38176.277] (II) modeset(0): Printing DDC gathered Modelines:
[ 38176.277] (II) modeset(0): Modeline "1920x1080"x0.0  138.60  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (66.6 kHz eP)
[ 38176.277] (II) modeset(0): Modeline "1920x1080"x0.0  110.88  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (53.3 kHz e)
[ 69269.112] (II) AIGLX: Suspending AIGLX clients for VT switch
[ 76530.530] (II) AIGLX: Resuming AIGLX clients after VT switch
[ 76530.881] (II) modeset(0): EDID vendor "LEN", prod id 16570
[ 76530.881] (II) modeset(0): Printing DDC gathered Modelines:
[ 76530.881] (II) modeset(0): Modeline "1920x1080"x0.0  138.60  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (66.6 kHz eP)
[ 76530.881] (II) modeset(0): Modeline "1920x1080"x0.0  110.88  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (53.3 kHz e)
[ 76531.298] (II) modeset(0): EDID vendor "LEN", prod id 16570
[ 76531.298] (II) modeset(0): Printing DDC gathered Modelines:
[ 76531.298] (II) modeset(0): Modeline "1920x1080"x0.0  138.60  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (66.6 kHz eP)
[ 76531.298] (II) modeset(0): Modeline "1920x1080"x0.0  110.88  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (53.3 kHz e)
[ 92491.444] (II) AIGLX: Suspending AIGLX clients for VT switch
[126992.538] (II) AIGLX: Resuming AIGLX clients after VT switch
[126992.889] (II) modeset(0): EDID vendor "LEN", prod id 16570
[126992.889] (II) modeset(0): Printing DDC gathered Modelines:
[126992.889] (II) modeset(0): Modeline "1920x1080"x0.0  138.60  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (66.6 kHz eP)
[126992.889] (II) modeset(0): Modeline "1920x1080"x0.0  110.88  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (53.3 kHz e)
[126993.290] (II) modeset(0): EDID vendor "LEN", prod id 16570
[126993.290] (II) modeset(0): Printing DDC gathered Modelines:
[126993.290] (II) modeset(0): Modeline "1920x1080"x0.0  138.60  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (66.6 kHz eP)
[126993.290] (II) modeset(0): Modeline "1920x1080"x0.0  110.88  1920 1968 2000 
2080  1080 1083 1088  -hsync -vsync (53.3 kHz e)
[167457.819] (II) AIGLX: Suspending AIGLX clients for VT switch
--- end /var/log/Xorg.0.log ---

thanks, keep safe and COVID-free,
--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: type checking/signalling shell and utilities?

[Jonathan Thornburg]

If you want to experiment in that direction, Tom Duff's 'rc' shell
has 'list of words' as a primative, and avoids re-parsing strings.
See
  https://en.wikipedia.org/wiki/Rc
for more information.  There doesn't seem to be an OpenBSD port of rc
(but there is 'es', which claims to be derived from rc).

anoncvs2.ca.openbsd.org ssh key fingerprint != OpenBSD website

[Jonathan Thornburg]

anoncvs2.ca.openbsd.org is reporting a different ssh key fingerprint
than that listed in https://www.openbsd.org/anoncvs.html.

That is, https://www.openbsd.org/anoncvs.html says that one of OpenBSD's
anoncvs servers is
>  * CVSROOT=anon...@anoncvs2.ca.openbsd.org:/cvs
>Location: Alberta, Canada.
>Maintained by Bob Beck.
>Protocols: ssh.
>SSH fingerprints:
>(RSA) SHA256:VfzLrOeqzIfWiNdJ0SpHvk3JU4a+VpNzwjxzZ7lWaNY
>(ECDSA) SHA256:IQrHoNZPHmhnR1R3qMURVH3e83f95IZXdkNjFZCnKfw
>(ED25519) SHA256:7grIp6jKgas/PLrVqaSwLh60k626+iaGw/BBFSfr7ck

but this machine reports a different key signature when I connect to it:

% setenv CVSROOT anon...@anoncvs2.ca.openbsd.org:/cvs
% cvs -d $CVSROOT update -Pd www
The authenticity of host 'anoncvs2.ca.openbsd.org (129.128.5.194)' can't be 
established.
ED25519 key fingerprint is SHA256:c9tOA7pOlwaGCRCkjqOn6ba0d7G6EAqJkwtXMCu5Hts.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?

--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

SOLVED Re: 6.9/amd64 runaway acpi process on Thinkpad T580

[Jonathan Thornburg]

Hi,

On 2021-09-28 14>18>49, Daniel Wilkins wrote
> All you have to do is go into your bios' settings and turn on
> "BIOS Thunderbolt Assist" then everything will work 100% fine.
> 
> Thanks to jcs on IRC for pointing me at that (dunno what his
> email is.)

Success!  With this (and the 7.0 snapshot I installed yesterday; dmesg
in my message <https://marc.info/?l=openbsd-misc=163289489310163=1>)
the problem is gone, and my T580 now does suspend/resume perfectly
(including idling with CPU usage under 1%).

A big thank-you to Daniel and to jcs (I'm guessing that's Joshua Stein,
https://jcs.org/) for the solution, and to Theo and Mike for their
suggestions too!

Thanks again,

--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: 6.9/amd64 runaway acpi process on Thinkpad T580

[Jonathan Thornburg]

00 Series LPC" rev 0x21
"Intel 100 Series PMC" rev 0x21 at pci0 dev 31 function 2 not configured
azalia0 at pci0 dev 31 function 3 "Intel 200 Series HD Audio" rev 0x21: msi
azalia0: codecs: Realtek ALC257, Intel/0x280b, using Realtek ALC257
audio0 at azalia0
ichiic0 at pci0 dev 31 function 4 "Intel 100 Series SMBus" rev 0x21: apic 2 int 
16
iic0 at ichiic0
em0 at pci0 dev 31 function 6 "Intel I219-LM" rev 0x21: msi, address 
48:2a:e3:1b:f6:6b
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
wsmouse1 at pms0 mux 0
pms0: Synaptics clickpad, firmware 8.16, 0x1e2b1 0x940300 0x33cc40 0xf01fa3 
0x12e800
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT
dt: 445 probes
uvideo0 at uhub0 port 8 configuration 1 interface 0 "Azurewave Integrated 
Camera" rev 2.01/17.11 addr 2
video0 at uvideo0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
sd1 at scsibus3 targ 1 lun 0: 
sd1: 40962MB, 512 bytes/sector, 83890774 sectors
root on sd1a (9281496137c60ce1.a) swap on sd1b dump on sd1b
inteldrm0: 1920x1080, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (std, vt100 emulation)
iwm0: hw rev 0x230, fw ver 36.ca7b901d.0, address 18:56:80:24:28:40
--- end snapshot dmesg ---

Thanks,
--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: 6.9/amd64 runaway acpi process on Thinkpad T580

[Jonathan Thornburg]

After more experimentation, I find that the runaway ACPI process occurs
every time I suspend/resume (Fn-backspace).  (The system resumes fine
apart from the runaway ACPI process.)

Is there any to kill or reset the kernel ACPI process short of rebooting?
/ps/ doen't see it, and /pkill/ (even /pkill -9/) has no effect.

I will try compiling a custom kernel with ACPITHINKPAD_DEBUG defined
in /usr/src/sys/dev/acpi/acpithinkpad.c and see if that prints anything
interesting.  Are there any other particularly useful debugging things
I should explore to help track down the problem?

--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: 6.9/amd64 runaway acpi process on Thinkpad T580

[Jonathan Thornburg]

I wrote

> During the installation (both in the bsd.rd install script and previously
> when I dropped into the bsd.rd shell to set up softraid-crypto) the machine
> acted incredibly slow, and there was a several-second delay in echoing
> typed characters.  I suspected that it was some device producing spurious
> interrupts, and just let the install run overnight until it finally
> finished.

I neglected to note that I also saw similar behavior with another T580
I previously bought (& then returned when it proved to have hardware
defects).  Combined with Daniel Wilkins' experience with a T480, this
suggests that this is a generic problem with Thinkpad T[45]80.  Does
anyone have a T[45]80 who has *not* seen this problem?

--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

6.9/amd64 runaway acpi process on Thinkpad T580

[Jonathan Thornburg]

I have just installed 6.9-stable/amd64 on a new-to-me (used) Lenovo
Thinkpad T580 (dmesg below).  This was a from-scratch install on a
new-from-the-factory SSD (via booting the 6.9/amd64 bsd.rd from a usb
stick).

During the installation (both in the bsd.rd install script and previously
when I dropped into the bsd.rd shell to set up softraid-crypto) the machine
acted incredibly slow, and there was a several-second delay in echoing
typed characters.  I suspected that it was some device producing spurious
interrupts, and just let the install run overnight until it finally
finished.

After the install (booting into normal multiuser operation) the machine
seemed to work fine at first.  Notably, X "just works", screen brightness
adjust with Fn-F5/Fn-F6 "just works", iwm wifi "just works", and
suspend-to-RAM with Fn/Backspace "just works".

*BUT*, intermittently (maybe 25% of the time?) after a power-cycle and
reboot, there is what appears to be a system process 'acpi0' infinite-looping
(taking 100% of one CPU core, with 'top' showing ~80% system time for that
processor).  Here's a cut-n-paste of the beginning of 'top -S -i -s1'
output in that state, showing the runaway process:

load averages:  1.02,  1.10,  0.86   gold.bkis-orchard.net 00:41:44
134 processes: 130 idle, 4 on processorup  0:19
CPU0:  0.0% user,  0.0% nice, 80.2% sys,  1.0% spin, 17.8% intr,  1.0% idle
CPU1:  0.0% user,  0.0% nice,  0.0% sys,  1.0% spin,  0.0% intr, 99.0% idle
CPU2:  0.0% user,  0.0% nice,  1.0% sys,  2.0% spin,  0.0% intr, 97.0% idle
CPU3:  0.0% user,  0.0% nice,  1.0% sys,  2.0% spin,  0.0% intr, 97.0% idle
Memory: Real: 341M/1548M act/tot Free: 14G Cache: 665M Swap: 0K/34G

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT  TIMECPU COMMAND
67563 root  1000K   19M sleep/0   acpi014:48 77.73% acpi0
59020 _x11   20   36M   59M sleep/1   poll  0:48  5.47% Xorg
48374 root   20 8952K   15M sleep/2   select0:09  0.73% perl

Specifying an additional '-H' option to 'top' ("show process threads")
didn't change the output significantly.

FWIW, I have apmd running

# cat /etc/rc.conf.local
apmd_flags='-A -t 60'
vmd_flags=''
xenodm_flags=''
#

apmd appears to be adjusting the CPU clock rate correctly, both now
and on those cold-boots where the infinite-loop problem does not occur.
As I noted above, suspend-to-RAM (via Fn-Backspace, which is the key
combination marked with the usual Thinkpad "moon" icon) "just works".

Is this sort of acpi (?) runaway a known T580 problem?  Neither google
nor the nycbug.org dmesg archive show any OpenBSD T580 dmesg, but I do
see occasional web posts mentioning OpenBSD on a T580.

Below I give my dmesg (from the current boot, the one that produced the
above runaway process).  What other information would be useful to try
to diagnose the problem?

Thanks,
--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?

--- begin dmesg ---
OpenBSD 6.9 (GENERIC.MP) #4: Tue Aug 10 08:12:23 MDT 2021

r...@syspatch-69-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 16755720192 (15979MB)
avail mem = 16232525824 (15480MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xa86db000 (62 entries)
bios0: vendor LENOVO version "N27ET43W (1.29 )" date 08/13/2021
bios0: LENOVO 20L9001GUS
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT SSDT TPM2 UEFI SSDT SSDT HPET APIC MCFG ECDT SSDT 
SSDT BOOT BATB SLIC SSDT SSDT SSDT LPIT WSMT SSDT SSDT SSDT DBGP DBG2 MSDM DMAR 
ASF! FPDT UEFI
acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4) PXSX(S4) 
RP02(S4) PXSX(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) 
PXSX(S4) RP07(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 1794.33 MHz, 06-8e-0a
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 24MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processo

Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

[Jonathan Thornburg]

Hi Stuart,

On Tue, Jul 06, 2021 at 08:23:06AM +1000, Stuart Longland wrote:
> One thing the OpenBSD host cannot know, is what specific port in that
> 1:3 range, is being used at any particular time.  I note they
> don't ask you to expose port 5060/udp, so presumably the device is
> _not_ receiving SIP traffic directly from incoming callers, but rather
> tunnels it via some sort of STUN-type arrangement or VPN (port 1194
> smells like OpenVPN).

A bit more web serching found some discussions
  https://forums.ooma.com/viewtopic.php?t=15326#p106898
  https://www.dslreports.com/forum/r28676066-Ooma-uses-SIP
  https://forums.ooma.com/viewtopic.php?t=7553#p53035
  https://forums.ooma.com/viewtopic.php?t=15072
where people claim that Ooma does in fact use an OpenVPN tunnel to
their own cloud infrastructure.


> What also we don't know, is whether the RTP traffic (the 1:3/udp
> range) is going to come from a single subnet, or from global addresses.
>  If you can find this information out, then it's possible to just
> expose yourself to your VSP (voice service provider) and be closed to
> everybody else.

Hopefully it only comes from Ooma's own IP addresses.  I will try to
run some experiments next week to see what the traffic actually looks
like.

--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

[Jonathan Thornburg]

In <https://marc.info/?l=openbsd-misc=162550822403762=1> I asked
for advice on using an OpenBSD firewall to protect a VOIP box from
network attacks.

Several people have suggesting isolating the VOIP box in a separate
sublan.  This is a good idea.  In fact, the network topology I'm planning

> 
>  +--+
>   (internet) | $ISP DSL |
>  | modem/router |
>  +--+
> |
> |
>+--++---+
>| OpenBSD  || Omma Telo |.. analog
>| firewall || VOIP box  |   telephones
>+--++---+
>  |  |
>   ++ |  |
>   | Wifi   |-+  +-- wired client
>   | access |(or network switch for
>   | point  | multiple wired clients)
>   ++

already does this.  The firewall has separate network ports for
* uplink to $ISP DSL modem/router
* the wifi access point
* the wired client (or, in the future, a network switch connected to
  multiple wired clients)
* the VOIP box
so it's easy for the firewall's pf ruleset to keep the subnets' traffic
separate.

The harder problem, which I don't yet know how to solve, is how to
appropriately firewall the VOIP box from the (hostile) outside world.
Here there is some legitimate traffic (carrying phone calls and/or
Ooma software updates), and the problem is how to best configure the
the firewall so as to block as large a range of "nastygram" packets
from the outside world as possible, while still passing the legitimate
traffic.

--
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

[Jonathan Thornburg]

Short summary:

Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP
phone system from internet attacks?  If so, how did you do it?  More
generally, how do people protect VOIP phone systems (regardless of brand)
from internet attacks?


Details:

My current home network topology is

 +--+
  (internet) | $ISP DSL |
 | modem/router |
 +--+
||
||
   +--++---+
   | OpenBSD  || Omma Telo |.. analog
   | firewall || VOIP box  |   telephones
   +--++---+
 |  |
  ++ |  |
  | Wifi   |-+  +-- wired client
  | access |(or network switch for
  | point  | multiple wired clients)
  ++

The OpenBSD firewall's pf is setup to NAT all the outbound traffic
and to block any incoming traffic except replies to previous outbound
traffic.

This works, but isn't as secure as I'd like, because the OpenBSD pf only
protects our computers; the Ooma Telo VOIP box is outside the firewall
and is only "protected" by the $ISP DSL modem/router (whose security I
don't at all trust).  That is, I suspect that both the $ISP-provided
DSL modem/router and the Ooma Telo VOIP box are ultimately "just" small
embedded Linux boxes running less-than-fully-patched 10-year-old software,
and are thus quite vulnerable to attack from the internet.

So, as part of a forthcoming upgrade of the OpenBSD firewall hardware,
I would like to move the Ooma box inside the firewall-protected network
by switching to the following network topology:

 +--+
  (internet) | $ISP DSL |
 | modem/router |
 +--+
|
|
   +--++---+
   | OpenBSD  || Omma Telo |.. analog
   | firewall || VOIP box  |   telephones
   +--++---+
 |  |
  ++ |  |
  | Wifi   |-+  +-- wired client
  | access |(or network switch for
  | point  | multiple wired clients)
  ++

This design would allow pf to protect the Ooma box as well as the
local computers.

The problem is that (as is pretty standard for VOIP systems) the Ooma
Telo carries voice traffic on UDP packets, and the UDP port numbers
can span a wide (dynamically-chosen) range, rather like ftp.  The
Ooma documentation says it needs the following ports:
https://support.ooma.com/home/advanced-connections-and-service-ports/
  outgoing UDP/TCP 53, 1194, 1294
  outgoing TCP 80, 110, 443
  outgoing UDP 67, 123, 3480
  incoming UDP 1 to 3

So, there are the usual problems of NAT with dynamically-chosen ports.

And, the range of incoming ports (1 to 3) is much broader than
I would like to leave open to the whole world.  I can (will) try to
restrict by IP source addresses, but Ooma offers no documentation on
what IP addresses from their network may need to send me UDP packets
for normal operation (notably, I don't know how incoming phone calls
are signalled), so I will need to do some reverse engineering here
(tcpdump to start with).  If I'm lucky the incoming UDP packets will
always come from IP addresses to which I've previously sent outgoing
traffic (so that the normal pf state table will grok them).

In any case, IP source addresses can be forged, so relying on them
alone gives somewhat limited security.  I don't know of an easy way
to work around this.  Do I need a full-fledged SIP proxy somewhere
(either on the firewall or on a separate dedicated machine)?

Overall, I would rather not have to re-invent the wheel here.  What
are other OpenBSD users doing to protect VOIP phone systems from
incoming "nastygram" attacks?

-- 
-- "Jonathan Thornburg [remove color- to reply]" 
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: Increase optical mouse/Synaptics touchpad speed in X11/spectrwm

[Jonathan Thornburg]

In message <https://marc.info/?l=openbsd-misc=162125055304096=1>,
Martin  asks how people adjust pointer
speed on touchpads/mice/etc.

I use 'xset': my .xinitrc contains the line

  xset m 1/4

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 

   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently on the west coast of Canada
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: How to set ThinkPad battery charge thresholds?

[Jonathan Thornburg]

In message ,
Jan Stary asks for research/references supporting the claim that a
lithium-ion battery will last longer if it's not fully charged or
discharged.

None of these qualify as original research, but some sources for this
guideline include

https://www.wired.com/story/smartphone-battery-care-last-longer/

https://www.apple.com/batteries/maximizing-performance/

Table 4 and Figure 6 in
https://batteryuniversity.com/learn/article/how_to_prolong_lithium_based_batteries

The last of these is the most technical, and does cite some original
research.

thank you for 6.6 and bsd.rd

[Jonathan Thornburg]

I recently reinstalled my main laptop (which was at 6.5-stable/amd64)
with 6.6/amd64.  Almost everything "just worked", and the things that
didn't were 3rd-party stuff not from OpenBSD.  A big thank-you to everyone!

And... a specific itch-you-scratched-very-nicely I'd like to praise:

For the past few years I've usually (re)installed OpenBSD by burning a
boot DVD and then booting that.  But this time I found myself with the
combination of a broken built-in cd/dvd drive, and a computer which didn't
seem to want to boot from USB even after fiddling with bios settings.
Being able to copy the new (6.6) bsd.rd to an existing filesystem on the
(running) old OpenBSD system, then boot that bsd.rd to install, was
really really nice.  Thank you!

-- 
-- "Jonathan Thornburg [remove color- to reply]" 
   "He wakes me up every morning meowing to death because he wants to go
out, and then when I open the door he stays put, undecided, and then
glares at me when I put him out"
  -- Nathalie Loiseau (French minister for European Affairs,
   explaining why she named her cat "Brexit")

Re: T430 power draw unexpectedly high

[Jonathan Thornburg]

In <https://marc.info/?l=openbsd-misc=157417460803560=1>,
Dave Trudgian  writes
[[6.6 or a recent snapshot, Thinkpad T430]]
> Under OpenBSD with the system sitting idle at a GUI, WiFi active, 50%
> brightness I see ~15W power draw from the battery. This is with `apmd
> -A` and the output of `apm` showing that it is throttled to 1200MHz.
> The CPU fan is running at a constant low speed.

On a Thinkpad T530 (= similar hardware except for 14" --> 15.4" screen)
running 6.5-stable (amd64), also with WiFi active and the system sitting
idle at a GUI, I see a power draw of ~20W/10W with the screen at max/min
brightness, so overall very similar to what Dave Trudgian sees.  I've
never tried a non-OpenBSD OS on this hardware.

-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   "He wakes me up every morning meowing to death because he wants to go
out, and then when I open the door he stays put, undecided, and then
glares at me when I put him out"
  -- Nathalie Loiseau (French minister for European Affairs,
   explaining why she named her cat "Brexit")

how to configure directory in which X server logfile is written?

[Jonathan Thornburg]

In a fresh install of 6.6/amd64, if I login on a console as a non-root
user and start X via 'startx', the X server tries to write log information
in the file
  $HOME/.local/share/xorg/Xorg.0.log

I have two questions:
1. Is there any way to change the directory
 $HOME/.local/share/xorg/
   in which the X server logfile is written?
2. This being OpenBSD, is there a Fine Manual in which this configuration
   is documented?

None of
  man Xorg
  man Xserver
  man startx
  man xinit
  man xorg.conf
  man xorg.conf.d
  man -k log|egrep '^X'
  cd /etc/ && find . -type f | xargs fgrep share/xorg
  cd /usr/X11R6/share/X11/xorg.conf.d/ \
   && find . -type f | xargs fgrep share/xorg
  cd /usr/X11R6/share/X11/ \
   && find . -type f | xargs fgrep share/xorg
  cd /usr/X11R6/share/ \
   && find . -type f | xargs fgrep share/xorg
or grepping my (minimal) /etc/x11/xorg.conf have thus far yielded any
relevant info.

(The reason I'd like to change this directory is that in my setup
$HOME/.local is a symlink to a different filesystem which may not yet
be mounted at the time when 'startx' is run.)

thanks, ciao,
-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   "He wakes me up every morning meowing to death because he wants to go
out, and then when I open the door he stays put, undecided, and then
glares at me when I put him out"
  -- Nathalie Loiseau (French minister for European Affairs,
   explaining why she named her cat "Brexit")

Re: syspatch says 6.5 patch #011 (libexpat) is malformed

[Jonathan Thornburg]

For the archives: this was my silly mistake in putting a symlink to
gnu tar in a directory that was in front of /bin in $PATH.  Reverting
to a new login shell with the standard root $PATH solved the problem.
Thanks to Bryan Steele for unwedging my brain on this!  -- Jonathan

syspatch says 6.5 patch #011 (libexpat) is malformed

[Jonathan Thornburg]

I'm trying to use syspatch to update a firewall (a PC Engines Alix)
running 6.5-stable/i386, but syspatch dies with an error message saying
that the patch file contains inappropriate filenames:

# uname -a
OpenBSD sodium.bkis-orchard.net 6.5 GENERIC#3 i386
# cat /etc/installurl
https://cdn.openbsd.org/pub/OpenBSD
# ls -gFlk /bsd*
-rwx--  2 root  wheel  13518991 Sep 10 18:23 /bsd*
-rwx--  2 root  wheel  13518991 Sep 10 18:23 /bsd.booted*
-rw---  1 root  wheel   8843776 May 12 16:43 /bsd.rd
# syspatch -l
001_rip6cksum
002_srtp
004_bgpd
005_libssl
006_tcpsack
007_smtpd
010_frag6ecn
# syspatch -c
011_expat
# syspatch 
Get/Verify syspatch65-011_expat.tgz 100% |**|   546 KB00:00
Installing patch 011_expat
tar: Pattern matching characters used in file names
tar: Use --wildcards to enable pattern matching, or --no-wildcards to suppress 
this warning
tar: @usr/share/relink/kernel/GENERIC.MP/.*@@g: Not found in archive
tar: Exiting with failure status due to previous errors
# 

Is this a known issue with this patch?  Is there an alternate way
(besides updating from source) to track -stable ?

-- 
-- "Jonathan Thornburg [remove -color to reply]" 
   "He wakes me up every morning meowing to death because he wants to go out,
and then when I open the door he stays put, undecided, and then glares
at me when I put him out"
  -- Nathalie Loiseau (French minister for European Affairs,
   explaining why she named her cat "Brexit")

intermittent TCP-connection failure, suspect resolv.conf and/or unbound mis-configuration

[Jonathan Thornburg]

if validating DNSSEC.
#
#edns-buffer-size: 1480

# Use TCP for "forward-zone" requests. Useful if you are making
# DNS requests over an SSH port forwarding.
#
#tcp-upstream: yes

forward-zone:
name: "."
forward-addr: 192.168.1.254
--- end firewall /var/unbound/etc/unbound.conf ---


Can anyone point out any problem with this configuration?  Is it appropriate
for the firewall's /etc/resolv.conf to list both 127.0.0.1 and the upstream
ISP router/firewall's DNS address?

thanks, ciao,
-- 
-- "Jonathan Thornburg [remove -animal to reply]" 

   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently on the west coast of Canada
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

SOLVED: Re: 6.5 pkg_add "Fatal error: Can't write session into tmp directory"

[Jonathan Thornburg]

[[for the archives]]

In message <https://marc.info/?l=openbsd-misc=156192613829968=1>,
I wrote that pkg_add was failing (on 6.5/i386 running on an alix board):
|   sodium# pkg_add -vv tcsh-6.20.00p1-static.tgz
|   Fatal error: Can't write session into tmp directory
|at /usr/libdata/perl5/OpenBSD/PackageRepository.pm line 1025.
|   sodium#
|
| I've checked that the firewall has adequate free memory & swap space,
| that all the obviously-relevant filesystems are mounted read-write and
| have free inodes and disk space, and that 'touch foo' can create a new
| file in each of /tmp, /var/tmp, and /usr/tmp.

Marc Espie's suggestion in
<https://marc.info/?l=openbsd-misc=156215779607119=1>
solved the problem:

> I would look more closely at your /var/tmp
> It's highly likely it has wrong permissions.
> 
> Checking that you can create a file in /var/tmp as root is definitely
> not enough.
> 
> pkg_add is privilege separated, it will run ftp(1)  as _pkgfetch

/var/tmp itself was ok (it's a symlink to ../tmp, and permissions on
symlinks don't matter).  But I had somehow gotten both /tmp and /usr/tmp
to be mode 755, so that non-root users didn't have write permission.
Correcting these directories to both be mode 777, so that non-root users
also had write permission, solved the problem.  (I also set the sticky
bit on both directories, as per sticky(8).)

Marc Espie also noted (private email) that in -current the pkg_* tools
produce a more detailed error message which makes it immediately clear
what's wrong in a situation like this.

For the record, my final (working) directory permissions are:

  sodium# ls -lFgd /tmp /usr/tmp /var/tmp 
  drwxrwxrwt  6 root  wheel  512 Jul 24 03:30 /tmp/
  drwxrwxrwt  2 root  wheel  512 Jul 18 00:31 /usr/tmp/
  lrwxr-xr-x  1 root  wheel6 Jul 24 17:26 /var/tmp@ -> ../tmp
  sodium# 

My thanks to all who replied either on the list or in private email,
and my apologies for the delayed followup (which was due to a hand injury
leaving me badly typing-impaired for several weeks).

ciao,
-- 
-- "Jonathan Thornburg [remove -animal to reply]" 

   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently on the west coast of Canada
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

6.5 pkg_add "Fatal error: Can't write session into tmp directory"

[Jonathan Thornburg]

I have 6.5/i386 installed on a PC Engines alix board (hostname 'sodium'),
acting as a home firewall and router.  I'd like to install some packages
the firewall it to make system adminstration easier.  So... I downloaded
the appropriate 6./i386 packages from a nearby OpenBSD mirror, ssh-ed them
to /tmp on the firewall, and then (logged into the firewall as root) tried
to  pkg_add  them.  Alas, pkg_add failed with an error message about being
unable to write into a temp directory:

  sodium# pkg_add -vv tcsh-6.20.00p1-static.tgz
  Fatal error: Can't write session into tmp directory
   at /usr/libdata/perl5/OpenBSD/PackageRepository.pm line 1025.
  sodium#

I've checked that the firewall has adequate free memory & swap space,
that all the obviously-relevant filesystems are mounted read-write and
have free inodes and disk space, and that 'touch foo' can create a new
file in each of /tmp, /var/tmp, and /usr/tmp.

Is there something obvious I'm overlooked here?  A Fine Man Page I should
be rereading before I start hacking debug prints into the pkg_add (perl)
source code?

Further information (cut-and-pasted from ssh session on the firewall):

  sodium# uname -a
  OpenBSD sodium.bkis-orchard.net 6.5 GENERIC#1 i386
  sodium# df -hi
  Filesystem SizeUsed   Avail Capacity iused   ifree  %iused  Mounted on
  /dev/wd0a  378M   47.7M311M13%1771   47379 4%   /
  mfs:54350 62.9M2.0M   57.7M 3%   88182 0%   /tmp
  /dev/wd0e  677M   15.1M628M 2% 352   87710 0%   /var
  /dev/wd0f  1.5G698M734M49%   16248  191622 8%   /usr
  mfs:42325 62.9M2.0K   59.7M 0%   18189 0%   /usr/tmp
  /dev/wd0g  516M138M352M28%8980   5860213%   /usr/X11R6
  /dev/wd0h  1.7G218K1.6G 0% 110  233744 0%   /usr/local
  /dev/wd0j  5.1G2.0K4.8G 0%   1  701565 0%   /usr/obj
  /dev/wd0i  1.3G2.0K1.3G 0%   1  181885 0%   /usr/src
  sodium# cat /etc/fstab
  5fd63b50b0c6cb1d.a /ffs rw,softdep,noatime  1 1
  5fd63b50b0c6cb1d.d /tmp mfs rw,async,nodev,nosuid,-s=64m0 0
  5fd63b50b0c6cb1d.e /var ffs rw,softdep,noatime,nodev,nosuid 1 2
  5fd63b50b0c6cb1d.f /usr ffs rw,softdep,noatime,nodev1 2
  5fd63b50b0c6cb1d.d /usr/tmp mfs rw,async,nodev,nosuid,-s=64m0 0
  5fd63b50b0c6cb1d.g /usr/X11R6   ffs rw,softdep,noatime,nodev1 2
  5fd63b50b0c6cb1d.h /usr/local   ffs rw,softdep,noatime,wxallowed,nodev  1 2
  5fd63b50b0c6cb1d.j /usr/obj ffs rw,softdep,noatime,nodev,nosuid 1 2
  5fd63b50b0c6cb1d.i /usr/src ffs rw,softdep,noatime,nodev,nosuid 1 2
  sodium# top|head
  load averages:  0.08,  0.02,  0.01sodium.bkis-orchard.net 13:12:00
  52 processes: 1 running, 50 idle, 1 on processor  up 14 days,  5:21
  CPU:  0.1% user,  0.0% nice,  0.3% sys,  0.0% spin,  0.3% intr, 99.3% idle
  Memory: Real: 35M/110M act/tot Free: 127M Cache: 46M Swap: 0K/548M
  
PID USERNAME PRI NICE  SIZE   RES STATE WAIT  TIMECPU COMMAND
  59735 root  1000K   19M sleep bored44:53  0.44% softnet
  65312 root -2200K   19M sleep -   339.9H  0.00% idle0
  57981 root  1000K   19M sleep bored 7:56  0.00% sensors
  39371 _unbound   20   12M   10M sleep kqread1:33  0.00% unbound
  sodium# cd /tmp
  sodium# ls -l
  total 4144
  drwxrwxrwt  2 root  wheel  512 Jun 16 07:51 .ICE-unix
  drwxrwxrwt  2 root  wheel  512 Jun 16 07:51 .X11-unix
  -rw-r--r--  1 root  wheel  1499861 Jun 30 12:31 lynx-2.8.9rel1.tgz
  drwxr-xr-x  2 root  wheel  512 Jun 16 07:51 sndio
  -rw-r--r--  1 root  wheel   564428 Jun 30 12:31 tcsh-6.20.00p1-static.tgz
  drwxrwxrwt  2 root  wheel  512 Jun 30 12:33 vi.recover
  sodium#
  sodium# pkg_info
  sodium# 
  sodium# which pkg_add
  /usr/sbin/pkg_add
  sodium# pkg_add -vv tcsh-6.20.00p1-static.tgz
  Fatal error: Can't write session into tmp directory
   at /usr/libdata/perl5/OpenBSD/PackageRepository.pm line 1025.
  sodium# env
  _=/usr/bin/env
  LOGNAME=root
  PWD=/tmp
  HOME=/root
  OLDPWD=/tmp
  SSH_TTY=/dev/ttyp0
  TOP=-S -i -s1
  MAIL=/var/mail/root
  SSH_CLIENT=192.168.105.0 4099 22
  
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin
  TERM=xterm
  SHELL=/bin/ksh
  SSH_CONNECTION=192.168.105.0 4099 192.168.105.62 22
  USER=root
  sodium# cd /tmp
  sodium# touch foo
  sodium# ls -l foo
  -rw-r--r--  1 root  wheel  0 Jun 30 13:07 foo
  sodium# /bin/rm foo
  sodium# 
  sodium# cd /var/tmp
  sodium# touch foo
  sodium# ls -l foo
  -rw-r--r--  1 root  wheel  0 Jun 30 13:08 foo
  sodium# /bin/rm foo
  sodium# 
  sodium# cd /usr/tmp
  sodium# touch foo
  sodium# ls -l foo
  -rw-r--r--  1 root  wheel  0 Jun 30 13:13 foo
  sodium# /bin/rm foo
  sodium# 
 
Thanks in advance for any assistance,
-- 
-- "Jonathan Thornburg [remov

how to install bsd.sp on a multiprocessor machine?

[Jonathan Thornburg]

Summary:
  Is there a way to tell the OpenBSD installer (6.5, i386) that
  even though it's running on a multiprocessor machine, I'm going
  to move the installed-upon disk to a uniprocessor machine, so
  I want /bsd to be the uniprocessor kernel and I want the
  uniprocessor (GENERIC) kernel object files installed into
/usr/share/relink/kernel/GENERIC/*.o
  so that kernel relinking will work properly when booting the
  uniprocessor kernel?

Details:

I'm trying to setup a PC Engines Alix 2d13 as a router, running
i386 6.5.  This machine uses a CF card as its "disk".  To install
OpenBSD on the CF card, I removed the CF card from the Alix and
plugged the CF card into a USB card reader, and connected that
reader to one of my (amd64, dual-core) laptop's USB ports.  Then
I rebooted the laptop from the i386 install65.fs, verified that I
had the correct sdN for the CF card, and did a normal (i386) install
onto the CF card.

My problem is that the OpenBSD installer helpfully noticed that the
laptop (running the installer) has a dual-core processor, and so the
installer made bsd.mp the default kernel.  So, I hand-mounted the CF
card on the laptop after the install and renamed the /bsd* files so
that /bsd was /bsd.sp.  I also setup /etc/boot.conf and /etc/ttys
so as to use the Alix's serial port.

Putting the CF card back in the Alix, the Alix boots and runs 6.5 i386
(GENERIC, i.e., uniprocessor) fine,

  sodium# uname -a
  OpenBSD sodium.astro.indiana.edu 6.5 GENERIC#1338 i386
  sodium# 

*except* that kernel relinking fails.

Poking around a bit I see that the Alix has GENERIC.MP kernel object
files (/usr/share/relink/kernel/GENERIC.MP/*.o) but no GENERIC kernel
object files (/usr/share/relink/kernel/GENERIC/*.o), so relinking GENERIC
isn't going to work.

Is there an easy way to tell the installer that the current installation
is going to use the uniprocessor kernel (and hence needs the GENERIC
kernel object files for relinking) even though the installer is running
on a multiprocessor machine?

Failing that, what's the easiest way to get the right set of object files
in the right directory post-install?  Would building GENERIC from source
on the Alix suffice?  (I suspect the answer to this question is yes, but
I'd like to confirm this.)

thanks,
-- 
-- "Jonathan Thornburg [remove -animal to reply]" 

   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently on the west coast of Canada
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

how to install perl modules w/ dependencies that mix packages & CPAN

[Jonathan Thornburg]

What's the "OpenBSD way" to install Perl modules which don't exist
as packages?

The usual Perl idiom for "install module foo & all of its (recursive)
dependencies" is "cpan install foo", but this fetches all dependencies
from CPAN, ignoring any OpenBSD packages which may exist.  What I'd like
is something like "cpan install foo", but with the semantics that for
each dependency, if there's OpenBSD package in /etc/installurl which
is the same module version as the latest CPAN version, then install
the OpenBSD package instead.  Is there a utility already around which
does this?

Re: 6.3/amd64 Thinkpad T530 touchpad problem (was ok in 6.2/amd64)

[Jonathan Thornburg]

Ulf Brosziewski wrote
> First, could you deactivate synaptics again, start X and
> capture the output of
> # wsconsctl | grep mouse
> when the touchpad has started to produce nonsense? (You must run
> that command as root or configure doas(1) for it).

Here is the output:

mouse.type=synaptics
mouse.rawmode=0
mouse.scale=1472,5470,1408,4498,0,60,85
mouse.tp.tapping=0
mouse.tp.scaling=0.182
mouse.tp.swapsides=0
mouse.tp.disable=0
mouse.tp.edges=0.0,5.0,0.0,5.0
mouse1.type=ps2


> And btw, does
> the trackpoint work normally when this happens?

Unfortunately I can't tell -- I physically removed the trackpoint
"nipple" a long time ago.

Thanks for all your efforts!
ciao,
-- 
-- "Jonathan Thornburg [remove -animal to reply]" 
<jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently visiting Max-Plack-Institute fuer Gravitationsphysik
  (Albert-Einstein-Institut), Potsdam-Golm, Germany
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: 6.3/amd64 Thinkpad T530 touchpad problem (was ok in 6.2/amd64)

[Jonathan Thornburg]

On Sun, Apr 22, 2018 at 12:48:11AM +0300, IL Ka wrote:
> +1 for trying synaptics(4).
[[...]]

Success!  With synaptics(4) enabled via the xorg.conf you suggested
in <https://marc.info/?l=openbsd-misc=152435166200806=1>, the
touchpad works perfectly.  (I haven't experimented with multitouch
gestures yet.)

Thanks to both of you (IL and Ulf) for pointing me to the solution!

ciao,
-- 
-- "Jonathan Thornburg [remove -animal to reply]" 
<jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently visiting Max-Plack-Institute fuer Gravitationsphysik
  (Albert-Einstein-Institut), Potsdam-Golm, Germany
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: 6.3/amd64 Thinkpad T530 touchpad problem (was ok in 6.2/amd64)

[Jonathan Thornburg]

In <https://marc.info/?l=openbsd-misc=152414708914473=1> I wrote
| I have a Lenovo Thinkpad T530.  Everything (including the builtin
| touchpad) was fine under 6.2/amd64, but under 6.3/amd64 there is a
| severe problem with the builtin touchpad when running X (autoconfigured
| with no xorg.conf; all other aspects of X operation are fine).
| 
| The problem is this: when I first start X the touchpad operates normally.
| But a minute or so of use the X cursor starts jumping to the left and/or
| top side of the screen each time I start a new finger-movement.
| 
| [[...]]

In <https://marc.info/?l=openbsd-misc=152414996116192=1>, IL Ka replied:
> Try to start ``wsmoused(8)`` and check if mouse works in console.
> ``/etc/rc.d/wsmoused start`` and move mouse around for minute or two.
> Does it work?
> 
> It will help us to understand if it is a X problem or wmouse(4) problem

With wsmoused(8) running the console mouse works fine.

ciao,
-- 
-- "Jonathan Thornburg [remove -animal to reply]" 
<jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently visiting Max-Plack-Institute fuer Gravitationsphysik
  (Albert-Einstein-Institut), Potsdam-Golm, Germany
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

6.3/amd64 Thinkpad T530 touchpad problem (was ok in 6.2/amd64)

[Jonathan Thornburg]

I have a Lenovo Thinkpad T530.  Everything (including the builtin
touchpad) was fine under 6.2/amd64, but under 6.3/amd64 there is a
severe problem with the builtin touchpad when running X (autoconfigured
with no xorg.conf; all other aspects of X operation are fine).

The problem is this: when I first start X the touchpad operates normally.
But a minute or so of use the X cursor starts jumping to the left and/or
top side of the screen each time I start a new finger-movement.

That is, a normal sequence of touchpad operation is
1. touch finger to touchpad
2. drag finger to move X cursor to desired location
3. remove finger from touchpad
but once this problem starts, step 2 causes the X cursor to jump to the
left side of the screen (if the finger-drag is in a horizontal direction),
the top side of the screen (if the finger-drag is in a vertical direction),
or the top-left corner of the screen (if the finger-drag is in a diagonal
direction).

I see the same symptoms if ...
* ... I boot GENERIC instead of usual GENERIC.MP
* ... I comment out the line 'xset m 1/4' (which is the only 'xset m' line)
  from my $HOME/.xinitrc.
* ... I change from my usual window manager (twm, started from $HOME/.xinitrc),
  to the OpenBSD default fvwm (started if there is no $HOME/.xinitrc).
* ... I plug in a USB (optical) mouse, but continue to use the builtin
  touchpad,
* ... I plug in a USB (optical) mouse, and use that as a pointer device
  instead of the builtin touchpad.  In this case mouse movements trigger
  the X-cursor-jumping behavior: the X cursor jumps to the left side of
  the screen (if the mouse movement is in a horizontal direction), the top
  side of the screen (if the mouse movement is in a vertical direction),
  or the top-left corner of the screen (if the mouse movement is in a
  diagonal direction).

Once this problem starts, the only "cure" I have found is to kill the
X server (either 'pkill X' or Ctrl-Shift-Backspace -- the window-manager
menu is inaccessable due to the X cursor jumping) and start a new X session.
This gets me a minute or so of normal operation before the problem reoccurs.

I am not running xenodm -- I login on the console and start (or restart)
X via 'startx'.

Below I give my dmesg (6.3/amd64), a dmesg from 6.2/amd64 on this same
machine for comparison, and /var/log/Xorg.0.log (6.3/amd64).

Have other Thinkpad users encountered this behavior?  Is there a known
workaround?  Is there additional information I could supply to help
diagnose the problem?  (I could run with a debugging kernel or X server
for a while if that would help.)

Thanks, ciao,
-- "Jonathan Thornburg [remove -animal to reply]" 
<jth...@astro.indiana-zebra.edu>
   currently visiting Max-Plack-Institute fuer Gravitationsphysik
  (Albert-Einstein-Institut), Potsdam-Golm, Germany

--- begin 6.3/amd64 /var/run/dmesg.boot ---
OpenBSD 6.3 (GENERIC.MP) #107: Sat Mar 24 14:21:59 MDT 2018
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 16845565952 (16065MB)
avail mem = 16327950336 (15571MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xdae9c000 (69 entries)
bios0: vendor LENOVO version "G4ETA7WW (2.67 )" date 08/24/2016
bios0: LENOVO 24292A9
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC TCPA SSDT SSDT SSDT HPET APIC MCFG ECDT FPDT ASF! 
UEFI UEFI POAT SSDT SSDT UEFI DBG2
acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) EXP3(S4) XHCI(S3) EHC1(S3) 
EHC2(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz, 2893.80 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
acpihpet0: recalibrated TSC frequency 2893437769 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz, 2893.43 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec

Re: OpenBSD Foundation on HTTPS

[Jonathan Thornburg]

>From  http://www.openbsdfoundation.org/donations.html :
>  Donations may be made by cheque in CAD/EUR/USD funds to:
> 
> The OpenBSD Foundation
> 8101 160 Street
> Edmonton, Alberta, Canada
> T5R 2G9

Without https, how can one verify that that is the correct address?

Re: Lenovo T60p touchpad not working (6.2-stable/amd64)

[Jonathan Thornburg]

A further update... after a suspend-resume cycle (suspend-to-RAM,
which 'just works' via Fn-F4), the touchpad works fine.  'dmesg' shows
15 new lines appended after my most recent suspend-resume cycle, but
none of them mention the mouse (pms0) explicitly:

WARNING !(rw_status(_config->mutex) == 0x0001UL) && 
!drm_modeset_is_locked(_config->connection_mutex) failed at 
/sys/dev/pci/drm/drm_crtc.h:1577
WARNING !(rw_status(_config->mutex) == 0x0001UL) && 
!drm_modeset_is_locked(_config->connection_mutex) failed at 
/sys/dev/pci/drm/drm_crtc.h:1577
uhub0 detached
uhub1 detached
uhub2 detached
uhub3 detached
uhub4 detached
uhub0 at usb1 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
uhub1 at usb2 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
uhub2 at usb3 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
uhub3 at usb4 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
uhub4 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
drm:pid80100:radeon_bo_unpin *WARNING* 0x80444390 unpin not necessary
WARNING !(rw_status(_config->mutex) == 0x0001UL) && 
!drm_modeset_is_locked(_config->connection_mutex) failed at 
/sys/dev/pci/drm/drm_crtc.h:1577
WARNING !(rw_status(_config->mutex) == 0x0001UL) && 
!drm_modeset_is_locked(_config->connection_mutex) failed at 
/sys/dev/pci/drm/drm_crtc.h:1577

Do other T60/T60p users see touchpad problems?

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 
<jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently visiting Max-Plack-Institute fuer Gravitationsphysik
  (Albert-Einstein-Institut), Potsdam-Golm, Germany
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: Lenovo T60p touchpad not working (6.2-stable/amd64)

[Jonathan Thornburg]

In a recent message to misc@ I wrote
On Wed, Jan 10, 2018 at 03:14:43PM +0100, Jonathan Thornburg wrote:
> I have a Lenovo T60p laptop (amd64) currently running 6.2-stable (dmesg
> below).  [[...]]
> 
> My problem is that the touchpad does not work: [[...]]
> 
> As a temporary workaround I have plugged in a USB (wired) mouse, and I
> was delighted to see that it 'just worked'.  What's even more peculiar
> is that _when_the_USB_mouse_is_plugged_in_ the touchpad works again!

Amendment: when the USB mouse is plugged, the touchpad *sometimes*
works again.  And sometimes it doesn't (finger movements on the touchpad
are ignored again).

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 
<jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently visiting Max-Plack-Institute fuer Gravitationsphysik
  (Albert-Einstein-Institut), Potsdam-Golm, Germany
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Lenovo T60p touchpad not working (6.2-stable/amd64)

[Jonathan Thornburg]

 at softraid0: 256 targets
sd1 at scsibus4 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct fixed
sd1: 35333MB, 512 bytes/sector, 72363664 sectors
root on sd1a (9373b8366123ff65.a) swap on sd1b dump on sd1b
radeondrm0: 1680x1050, 32bpp
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (std, vt100 emulation)
sd2 at scsibus4 targ 2 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct fixed
sd2: 674943MB, 512 bytes/sector, 1382284992 sectors
uhidev0 at uhub1 port 1 configuration 1 interface 0 "Logitech USB Optical 
Mouse" rev 2.00/54.00 addr 2
uhidev0: iclass 3/1
ums0 at uhidev0: 8 buttons, Z and W dir
wsmouse2 at ums0 mux 0
wsmouse2 detached
ums0 detached
uhidev0 detached
uhidev0 at uhub1 port 1 configuration 1 interface 0 "Logitech USB Optical 
Mouse" rev 2.00/54.00 addr 2
uhidev0: iclass 3/1
ums0 at uhidev0: 8 buttons, Z and W dir
wsmouse2 at ums0 mux 0
#

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 
<jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   currently visiting Max-Plack-Institute fuer Gravitationsphysik
  (Albert-Einstein-Institut), Potsdam-Golm, Germany
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

where are antialiased fonts now documented?

[Jonathan Thornburg]

I'm trying to set up antialiased fonts in xterm.

The OpenBSD FAQ used to contain a section "Antialiased and Truetype
fonts in X" with lots of useful information on this subject
[e.g., an archived copy I have of the OpenBSD
web pages as of 5.8-stable (checked out from CVS
on 2016-06-23) has this as FAQ 8.20.],
but the current FAQ doesn't seem to address this subject.

Looking in the cvs logs, I see

> RCS file: /cvs/www/faq/Attic/truetype.html,v
> Working file: truetype.html
> head: 1.30
> branch:
> locks: strict
> access list:
> symbolic names:
> keyword substitution: kv
> total revisions: 30;selected revisions: 30
> description:
> 
> revision 1.30
> date: 2016/02/22 20:16:15;  author: tj;  state: dead;  lines: +0 -0;  
> commitid: 8xuyj7Vi3LgzLAdx;
> remove outdated "antialiased and truetype fonts in x" section.
> 
> ok matthieu
> 

suggesting that that information is now outdated.

What Fine Manual(s) should I be reading for up-to-date information
on antialiased fonts?  I can't find anything relevant in xterm(1) or
any of the X server man pages.  Interestingly, the example from the
5.8-stable FAQ,
  xterm -fa 'Mono' -fs 14
*does* work on my 6.0-stable system.  But I'd still like to read more
(e.g., about what font families are available).

ciao,

-- 
-- "Jonathan Thornburg [remove -color to reply]" <jthorn4...@gmail-pink.com>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

FFS parameters for SSD filesystem?

[Jonathan Thornburg]

Hi,

I'm preparing to set up a new 1TB SSD (Samsung 850pro) for use in an
OpenBSD laptop.  Like every other SSD I've seen, this SSD uses a 4K
byte block size.

I'm planning to use softraid crypto for this disk, and mount all the
main filesystems with softdep and noatime.

I understand that fdisk and disklabel partition boundaries should
be multiples of 4K bytes (= 8 512-byte sectors), e.g., starting the
'a' disklabel partition at offset=64 512-byte sectors is much better
than starting it at offset=63.

I've read the misc@ thread on "4k sector disks" from 2010,
  http://marc.info/?l=openbsd-misc=127071305915101=1
  http://marc.info/?l=openbsd-misc=127149466227162=1
tedu's 2011 blog post "lessons learned about TRIM",
  http://www.tedunangst.com/flak/post/lessons-learned-about-TRIM
and the 2014 daemonforums thread on SSD installs,
  http://daemonforums.org/showthread.php?t=8630

Questions:
* Should I set the FFS fragment size (newfs -f) to 4096 or larger?
* What about the FFS sector size (newfs -S): should this be left at
  its default, or set to 4096?
* Are there other fdisk and/or newfs parameters which should be set
  differently than I'd set them for a mechanical hard disk of similar
  size?
* What are the tradeoffs between FFS (newfs -O 1) and FFS2 (newfs -O 2)?
  Since this is OpenBSD, perhaps I should rephrase this question as
  "what Fine Manual should I have read to learn about these tradeoffs?"
* Does or should using softraid crypto change the answers to any of
  the above questions?

Thanks,
-- 
-- "Jonathan Thornburg [remove -color to reply]" <jthorn4...@gmail-pink.com>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

{file,directory} permissions within /usr/{src,xenocara,ports}

[Jonathan Thornburg]

What are the "best practices" file and directory permissions within
the /usr/{src,xenocara,ports} trees in the context of anonymous-cvs
updating?

http://www.openbsd.org/faq/faq5.html#wsrc  suggests that the top-level
directories /usr/{xenocara,ports} should be mode 775, but doesn't say
what permissions subdirectories and individual files should have.  The
current  {src,sys,ports,xenocara}.tar.gz  tarballs on my local mirror
show files/directories being modes 644 and 755 respectively (both owned
by deraadt/wheel in the tarball).  Unpacking these as a non-root user
(in the wsrc group) as suggested by http://www.openbsd.org/anoncvs.html
will leave permissions which depend on that user's umask.

Is the current "best practice" to create a separate user for source-tree
cvs operations, or do do it as "myself" (already in wsrc, wheel, operator,
and various other groups)?

Alternatively, is there a Fine Manual I've overlooked which documents
this?

Thanks, ciao,

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 
<jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: A couple of password pointers to avoid failed login(1) via cu(1)

[Jonathan Thornburg]

In  I just grep some binary and encode it as passwords

Alas, this produces high-nonrandom (i.e., relatively easy-to-guess)
passwords.  A much safer -- and easier -- approach is to take data
directly from /dev/arandom and encode it as alphanumerics:

% dd if=/dev/arandom bs=50 count=1|alphanumeric.encode 
1+0 records in
1+0 records out
50 bytes transferred in 0.000 secs (602410 bytes/sec)
0WZr76geW6c6kipRUITDTNkpbGvmiS19ounWDqhCzBPIRDP6e6h7kiqx% 
% 

This makes use of the following script 'alphanumeric.encode', which 
should be somewhere in $PATH:


#!/usr/bin/perl -w
use strict;
use Getopt::Long;
my $false = 0;
my $true  = 1;



my $help_msg = <<'EOF';
Usage:
   dd if=/dev/arandom bs=100 count=1| alphanumeric.encode
or
   dd if=/dev/arandom bs=100 count=1| alphanumeric.encode  --lower-case

By default, this program encodes standard input binary-data into mixed-case
alphanumeric characgers ([a-zA-Z0-9]).

If the --lower-case option is specified, then this program encodes into
lower-case alphanumeric characters ([a-z0-9]).
EOF

#
# Bugs:
# The implementation might be cleaner if we used Math::Base36 and/or
# Math::Int2Base instead of hand-rolling our own base conversion.
#

#
# Mixed-case:
#   Since 2*26+10 = 62, and 62**3 = 14776336 = less than 256**3 = 16777216,
#   we can encode 3 chars (24 bits) of binary input into 4 base62 output
#   characters.  If we get an "unencodable" input 3-tuple we just discard
#   it and try again with the next input 3-tuple.
#
# Lower-case
#   Since 26+10 = 36, and 36**3 = 46656 = less than 256**2 = 65536,
#   we can encode 2 chars (16 bits) of binary input into 3 base36 output
#   characters.  If we get an "unencodable" input 2-tuple we just discard
#   it and try again with the next input 2-tuple.
#



my $debug   = 0;
my $help_flag   = $false;
my $lower_case_flag = $false;
GetOptions(
  'debug=i'=> \$debug,
  'help'   => \$help_flag,
  'lower-case' => \$lower_case_flag,
  ) || die $help_msg;   # *** ERROR EXIT ***
if ($help_flag)
{ print $help_msg; exit; }  # *** --help EXIT ***



my $N_in = $lower_case_flag ? 2 : 3;
my $in_base  = 256;
my $in_limit = $in_base ** $N_in;
my $N_out= $lower_case_flag ? 3 : 4;
my @out_alphabet = $lower_case_flag ? (0..9, 'a'..'z')
: (0..9, 'a'..'z', 'A'..'Z');
my $out_base = scalar(@out_alphabet);
my $out_limit= $out_base ** $N_out;

if ($debug > 0)
{
print "in_base=${in_base} N_in=${N_in} ==> in_limit = ${in_limit}\n";
print "out_base=${out_base} N_out=${N_out} ==> out_limit = 
${out_limit}\n";
}

binmode(STDIN);

my $count_on_line = 0;
my $buffer;
while (my $N_read = read(STDIN, $buffer, $N_in))
{
if ($N_read != $N_in)
{ last; }   # *** LOOP EXIT ***
my @in_chars  = split(//, $buffer);
my @in_digits = map {ord($_)} @in_chars;

# integer in [0, $in_limit)
my $N = $lower_case_flag
? $in_digits[0] + $in_base*$in_digits[1]
: $in_digits[0] + $in_base
  *($in_digits[1] + $in_base*$in_digits[2]);
if ($debug >= 6)
{ print "in_digits=(",join(',',@in_digits),") ==> N=${N}\n"; }

if ($N >= $out_limit)
{
if ($debug >= 6)
{ print "   N > out_limit ==> try again\n"; }
next;   # *** LOOP CONTROL ***
}

my @out_digits = ();

for (my $i = 0 ; $i < $N_out ; ++$i)
{
my $d  = $N % $out_base;
$N = int($N / $out_base);
push @out_digits, $d;
}
if ($debug >= 6)
{ print "   out_digits=(",join(',',@out_digits),")\n"; }

my @out_chars = map {$out_alphabet[$_]} @out_digits;

$count_on_line += $N_out;
if ($debug >= 6)
{ print '   :',join('',@out_chars),":\n"; }
   else { print join('',@out_chars); }
if ($count_on_line >= 60)
{
print "\n";
$count_on_line = 0;
}
}

6.0 thanks

[Jonathan Thornburg]

I recently did a fresh install of 6.0 (& immediate CVS-update to -stable)
on a laptop that had been at 5.8-stable.  I've been installing OpenBSD
since 2.8 (fall 2000), and I have to say this was about the cleanest
install yet.  Everything "just works" (even my various non-standard
system hacks).  A big thank-you to all the team!

ciao,
-- 
-- "Jonathan Thornburg [remove -animal to reply]" 
<jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

6.0 CDs arrived west coast of Canada

[Jonathan Thornburg]

arrived in 2016-09-19 mail

how to setup multiboot with a shared /home?

[Jonathan Thornburg]

I'm trying to set up a disk so that it can multiboot either of two
distinct amd64 OpenBSD installations (I'll call them A and B).  Reading
the Fine FAQ suggests that a relatively straightforward way to do this
is to put the two OpenBSD installations inside distinct fdisk partitions,
and use the fdisk 'flag' command to select which fdisk partition
(and hence OpenBSD installation) is booted by default.  For example,
I could put OpenBSD installation A inside fdisk partition 0, and OpenBSD
installation B inside fdisk partition 1.

[Of course, to make this work I need to ensure that both root filesystems
are close enough to the start of the physical disk that I don't run into
BIOS disk addressing limits.]

My questions concern an extension of this setup: I'd like the two
installations to share a (large) common /home filesystem.  Because of BIOS
disk addressing limits, the large /home filesysgtem must be *after* both
the A and the B root filesystems on the physical disk.  This suggests a
disk layout like this:

OpenBSD A OSOpenBSD B OS
partitions  partitions   shared /home partition
 |---||--|
disk w x  y z   disk
startend

My question is, what sort of fdisk partition layout do I want here?

One possibility is to use overlapping fdisk partitions:
* fdisk partition 0 = sectors 64 to disk-end
* fdisk partition 1 = sectors x to disk-end (or maybe x+64 to disk-end)
Here the disklabel partitions inside fdisk partition 0 are set up
to contain the OpenBSD A OS filesystems and the shared /home, and
the disklabel partitions inside fdisk partition 1 are set up
to contain the OpenBSD B OS filesystems and the shared /home.

Another possibility is to use non-overlapping fdisk partitions,
and disklabel offsets which extend outside their fdisk "owners", as per
/usr/src/distrib/amd64/common/install.md:
> The offsets used in the disklabel are ABSOLUTE, i.e. relative to the
> start of the disk, NOT the start of the OpenBSD MBR partition.
That is,
* fdisk partition 0 = sectors 64 to w
* fdisk partition 1 = sectors x to y (or maybe x+64 to y)
* fdisk partition 2 = sectors z to disk-end (or maybe z+64 to disk-end)
Here the disklabel partitions inside fdisk partition 0 are set up
to contain the OpenBSD A OS filesystems and the shared /home, with
the latter having disklabel offsets pointing to fdisk partition 2.
Similarly, the disklabel partitions inside fdisk partition 1 are set up
to contain the OpenBSD B OS filesystems and the shared /home, with
the latter having disklabel offsets pointing to fdisk partition 2.

Clearly, both of these layouts require very careful setup of the disk
offsets -- if I miscalculate then all bets are off.  But, assuming that
I calculate correctly

Question: are there reasons why one or the other of these layouts is
preferable?  Or is there some other layout which would be better?

Question: are there any unobvious obstacles to making any/all of
the OpenBSD A OS partitions, the OpenBSD B OS partitions, and/or the
shared /home partition, softraid-crypto?

thanks,

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 
<jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: Suggestion: new webpage for openbsd.org

[Jonathan Thornburg]

I tried both the current site (http://www.openbsd.org) and the proposed
new site (http://greatest-ape.github.io/openbsd-site/openbsd/index.html)
using a variety of OpenBSD 5.8-stable web browsers, displaying on a
monitor with 96x97 pixels/inch.  Sometimes one wants to have GUI web
browsers share screen space with other stuff, so I tried both "wide"
windows (> 1000 pixels width on my monitor) and narrower ones (down to
600 pixels or so).

Below I give a table with details of what I found.  To summarize:
* Both sites look ok with lynx running in an xterm.  This held true
  for a variety of xterm widths.
* For windows >= about 850 pixels wide, the current site looks great 
  on every GUI browser I tried.  For narrower windows the main text
  didn't flow, but rather required horizontal scrolling to read each
  line.
* The new site looks pale and washed-out in every GUI browser I tried,
  as if the monitor isn't delivering proper color saturation.
* The new site doesn't handle narrow windows well -- below about 800
  pixels width the main text is moved down to below the left menubar,
  resulting (for typical window heights) in the main text being invisible
  unless/until the user scrolls down.
* The new site renders particularly poorly in netsurf and dillo, with
  the logo misplaced (netsurf) or missing altogether (dillo), and wide
  windows having the same graphical problems as narrow windows.

Overall I strongly prefer the current site.



Details:

   existing site  proposed new site
   -  -
window width   wide   narrow  wide   narrow

firefoxgreat  mediocre (2)mediocre (3)   poor (3,4)
arora  great  mediocre (2)medoocre (3)   poor (3,4)
midori great  mediocre (2)mediocre (3)   poor (3,4)
xombrero   great  mediocre (2)mediocre (3)   poor (3,4)
netsurfgreat  mediocre (2)poor (3,5) poor (3,4)
dillo  great  mediocre (2)poor (3,6) poor (3,6)
lynx   ok  ok ok ok

Notes:
(1) "Wide" windows are about 1000 pixels wide.
(2) For windows less than around 850 pixels wide, text is chopped off
at the beginning/end of each line, and a horizontal scroll bar or
left/right arrow keys must be used to go back and forth to read
each line of text.
(3) The new site looks pale and washed-out (as if the monitor isn't
delivering proper color saturation), but it's readable.
(4) For windows less than about 800 to 810 pixels wide, the main text is
moved down to below the left sidebar, so it's not visible at all without
scrolling down.
(5) Logo is misplaced, left menubar is moved down to below the logo, and
all the main text after the first sentence is moved down to below the
menubar.
(6) There's no logo (only the text description of it, despite this being
a GUI X-windows browser).  All the main text after the first sentence
is moved down to below the menubar.

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 
<jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

installboot with amd64 root on softraid crypto, NOT 'a' partition

[Jonathan Thornburg]

ypto installs, while stoutly maintaining my ignorance of softraid
| crypto. I failed to see a bug stsp@ introduced, which lead to some
| hilarity a few days later when I backed out the change at the same
| time that stsp@ was committing a real fix. Fortunately stsp@ was
| able to set things right, and installboot(8) now works for softraid
| crypto setups and non-softraid setups.

Is this bug relevant to my situation?  If so, then one route forward
might be to grab the -current installboot(8) source, nuke any pledge(2),
compile it on my 5.6-stable, and use that binary for my 'installboot'
invocation.  Would this be a good way to proceed?

ciao,

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 
<jth...@astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"

Re: swap on encrypted softraid, performance penalty?

[Jonathan Thornburg]

 1994 MHz: speeds: 2000, 1667, 1333, 1000 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel 82945GM Host rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82945GM PCIE rev 0x03: msi
pci1 at ppb0 bus 1
radeondrm0 at pci1 dev 0 function 0 ATI Mobility FireGL V5250 rev 0x00
drm0 at radeondrm0
radeondrm0: msi
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x02: msi
azalia0: codecs: Analog Devices AD1981HD, Conexant/0x2bfa, using Analog Devices 
AD1981HD
audio0 at azalia0
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x02: msi
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 Intel 82573L rev 0x00: msi, address 
00:16:41:e7:a7:b1
ppb2 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x02: msi
pci3 at ppb2 bus 3
wpi0 at pci3 dev 0 function 0 Intel PRO/Wireless 3945ABG rev 0x02: msi, MoW1, 
address 00:19:d2:c5:84:c5
ppb3 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x02: msi
pci4 at ppb3 bus 4
ppb4 at pci0 dev 28 function 3 Intel 82801GB PCIE rev 0x02: msi
pci5 at ppb4 bus 12
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x02: apic 1 int 16
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x02: apic 1 int 17
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x02: apic 1 int 18
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x02: apic 1 int 19
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x02: apic 1 int 19
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb5 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xe2
pci6 at ppb5 bus 21
cbb0 at pci6 dev 0 function 0 TI PCI1510 CardBus rev 0x00: apic 1 int 16
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 22 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
pcib0 at pci0 dev 31 function 0 Intel 82801GBM LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x02: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: MATSHITA, DVD/CDRW UJDA775, CB03 ATAPI 5/cdrom 
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ahci0 at pci0 dev 31 function 2 Intel 82801GBM AHCI rev 0x02: msi, AHCI 1.1
scsibus2 at ahci0: 32 targets
sd0 at scsibus2 targ 0 lun 0: ATA, WDC WD7500BPKX-2, 01.0 SCSI3 0/direct 
fixed naa.50014ee65a76e6b3
sd0: 715404MB, 512 bytes/sector, 1465149168 sectors
ichiic0 at pci0 dev 31 function 3 Intel 82801GB SMBus rev 0x02: apic 1 int 23
iic0 at ichiic0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
wsmouse1 at pms0 mux 0
pms0: Synaptics touchpad, firmware 6.2
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
aps0 at isa0 port 0x1600/31
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
sd1 at scsibus4 targ 1 lun 0: OPENBSD, SR CRYPTO, 005 SCSI2 0/direct fixed
sd1: 45567MB, 512 bytes/sector, 93322736 sectors
root on sd1a (c2255fc9af18d55e.a) swap on sd1b dump on sd1b
drm: initializing kernel modesetting (RV530 0x1002:0x71D4 0x17AA:0x20A4).
radeondrm0: VRAM: 256M 0x - 0x0FFF (256M used)
radeondrm0: GTT: 512M 0x1000 - 0x2FFF
drm: PCIE GART of 512M enabled (table at 0x0004).
radeondrm0: 1680x1050
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (std, vt100 emulation)
#

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: vnconfig crypto alternative

[Jonathan Thornburg]

In message http://marc.info/?l=openbsd-miscm=140146687910205w=1
(dated 2014-05-30), tedu@ wrote:
 If you are using encrypted vnd (vnconfig -k or -K) you will want to
 begin planning your migration strategy.
 
 
 -- Forwarded message --
 From: Ted Unangst t...@cvs.openbsd.org
 Date: Fri 2014/05/30 10:14 -06:00
 Subject: CVS: cvs.openbsd.org: src
 To: source-chan...@cvs.openbsd.org
 
 CVSROOT:/cvs
 Module name:src
 Changes by: t...@cvs.openbsd.org2014/05/30 10:14:19
 
 Modified files:
 sbin/mount_vnd : mount_vnd.c
 
 Log message:
 WARNING: Encrypted vnd is insecure.
 Migrate your data to softraid before 5.7.

In message http://marc.info/?l=openbsd-miscm=141687050525646w=1
(dated 2014-11-24), deraadt@ wrote:
 That deprecation is not going to happen.  Keep using what you are
 using now.

I grok that (the current implementation of) vnd crypto is weak.  What's
the current migration/fixing/transition plan for this?  (I can't find any
mention of vnd or vnconfig in  http://www.openbsd.org/plus.html .)

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: athn(4) WPA2-PSK software crypto CPU loading

[Jonathan Thornburg]

In http://marc.info/?l=openbsd-miscm=141928659802658w=1 I asked
about the CPU overhead of doing wifi WPA2 crypto on a slow CPU.

I have received two very useful off-list replies, which I'll summarize
here for the archives:

One person has a very similar setup to the one I described (athn(4),
Atheros AR9220 radio), and wrote:
 My bottleneck seems to be the 802.11 stack of OpenBSD, it
 has some known performance issues: I get around 2MBps (16Mbit) data
 rates - the CPU could handle a lot more.

Another person reported good results with ral(4) and a Sparklan WMIR-200N
(Ralink RT2860/2850 chipset), which offloads the crypto to the hardware:
 over WPA2(PSK/AES/AES) it can push ~3MB/s at ~%33 cpu load, mostly
 interrupt handling.
with the caveat that
 Under OpenBSD 5.3 ral(4) caused kernel panics maybe twice a year.
 I never tracked down the cause but it seemed to occur when unfamiliar
 nodes joined the network and then only in certain circumstances.

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: athn(4) WPA2-PSK software crypto CPU loading

[Jonathan Thornburg]

In http://marc.info/?l=openbsd-miscm=141928659802658w=1 I asked
 Should I be worried about the CPU loading of software WPA2 crypto
 running on the (relatively slow) ALIX Geode processor?  That is, is
 the software crypto likely to limit the available wifi data rate?

In ttp://marc.info/?l=openbsd-miscm=141934666116217w=1 you replied
 I think the concern is warranted and yes, I expect this to be a
 bottleneck.
 
 I have no experience with that configuration, but I had a broadly
 comparable setup where a Soekris net5501 (same CPU as the ALIX) did
 IPsec for a .11g network.  With AES-128-CBC + HMAC-SHA1, the box
 seemed to be able to saturate the wireless link, but it was mostly
 busy, and it profited from the CPU's glxsb(4) hardware acceleration
 for AES-128-CBC.  With any other mode of encryption, e.g. AES-128-CTR,
 there just wasn't enough CPU.

What was the bandwidth of that network?

In my application there's no significant data traffic between different
machines on the wifi network, i.e., all data is between wifi machines
and the outside world.  The link-to-the-outside-world offers at most
16 MBit/second, so I don't need to worry about making the wifi faster
than that.

thanks, ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

athn(4) WPA2-PSK software crypto CPU loading

[Jonathan Thornburg]

I'm considering setting up a wifi access point using a PC Engines
ALIX board (500 MHz AMD Geode LX800 CPU, 256 MB RAM).  One way of
providing the wifi is via a radio card (e.g., the PC Engines DNMA92)
in the ALIX box.  This uses the Atheros AR9220 chipset, which has
good OpenBSD support -- including 802.11a/b/g WPA2-PSK support
(though not 802.11n) -- via athn(4).

However, 'man athn' says
 The athn driver relies on the software 802.11 stack for both
 encryption and decryption of data frames.

Should I be worried about the CPU loading of software WPA2 crypto
running on the (relatively slow) ALIX Geode processor?  That is, is
the software crypto likely to limit the available wifi data rate?

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: poor-man's sandbox (for web browser security, etc.)

[Jonathan Thornburg]

In message http://marc.info/?l=openbsd-miscm=141848398918562w=1,
Joel Rees wrote:
 I've used sudo to make a poor-man's sandbox in the past,
 like this:
 
 http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html
 
 Trying this on openbsd seems to work
 
 [[...]]
 
 It seems to run firefox just fine:
 
 sudo -H -u hexed-me firefox
 
 [[...]]
 
 I would appreciate any critiques or out-right criticisms of this.
 
 Is it worth the trouble?
 
 Does it perhaps open up new vulnerabilities instead?

This is better than nothing, but it still gives the firefox process
unlimited access to the X protocol and (through the X protocol) the
X server.  If firefox process were to be pwned (e.g., a drive-by web
attack were to exploit a firefox buffer overrun), you could have
malicious code doing some very nasty things.  For example:
(a) create a transparent window covering the entire screen, i.e.,
a keylogger, and use this to sniff passwords
(b) write to various user-hexme scripts to make the exploit persistent
(c) inject malicious input (e.g. 'rm -rf $HOME ') into various shells
(d) send anything stored in the firefox password manager to evil.com

I outlined some ideas for mitigating some of these risks in the thread
starting at http://marc.info/?l=openbsd-miscm=141616701418506w=1;
lots of people responded with useful suggestions.  Basically, my proposal
was (is) to run firefox as a separate nonpriviliged user, but via an
ssh -X tunnel to localhost, using public-key authentication:

  #!/bin/sh
  ssh -X -i $HOME/.ssh/firefox _firefox@localhost \
  firefox.bin -no-remote -new-instance \
  21 /dev/null 

This means that the firefox process is subjected to the X11 Security
Extension restrictions, which (in theory) would prevent the firefox
process from interfering with other X clients.  That is, in theory this
approach blocks exploits (a) and (c).

I've been using this for a while now on 5.6-stable/amd64, and it works
pretty well.  The main problem I've found so far is with X cut-n-paste;
in http://marc.info/?l=openbsd-miscm=141721398509425w=1, tedu@
pointed out that this is a feature, not a bug, of the way X security
works.  The result is:
* cut-n-paste from other clients into firefox works fine
* cut-n-paste from firefox out to other clients doesn't work;
  a shell script like this provides an 80% workaround to access
  the cut-n-pasted-from-firefox text

  #!/bin/sh
  ssh -X -i $HOME/.ssh/firefox _firefox@localhost \
  xsel -o
  echo ''

  I suspect that a slightly fancier script could then insert that text
  back into the regular outside-the-sandbox X cut buffer, but I haven't
  gotten around to trying that yet.

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: making firefox less insecure

[Jonathan Thornburg]

Summary
---
As described in another thread
(http://marc.info/?l=openbsd-miscm=141677224322425w=1),
I'm trying to run firefox as a non-privileged user _firefox, talking
to my X server (no Xephyr yet) via an ssh tunnel.  But I've discovered
a serious flaw in this scheme: cut-n-paste is completely broken.  In
fact, it looks like cut-n-paste from any X client with a diferent
uid/gid than the X server is broken. :(

My basic question is, is there any way to fix this?



Details:
---

Lenovo Thinkpad T60, 3GB RAM + 6GB swap.  Fresh install of OpenBSD 5.6
from the CD, updated to -stable as of 2014-11-19.  My usual login is
in login class staff, for which I've edited /etc/login.conf to set the
memoryuse, datasize, and stacksize limits (all both -cur and -max) to
'infinity', so there should be enough memory for firefox to run ok.

I use twm(1) as my window manager.  firefox is the 5.6 package, but
I've renamed the binary:

# cd /usr/local/bin; mv firefox firefox.bin

I used adduser(8) to create a new unpriviliged user _firefox,
group _firefox, no other group memberships, login class staff.
I've set up ssh authentication so I can ssh to _firefox.

Now, in an xterm, call it xterm #1:
% ssh -X -i $HOME/.ssh/firefox_id_rsa _firefox@localhost

This gives me a shell (in that same xterm #1) running as uid/gid
_firefox, with ssh proxying and tunneling X back to my X server.
(I'm not using Xephyr(1) at this point.)

Now, in the _firefox shell,

$ firefox.bin 

I get a a couple of warning messages that the ssh proxy/tunnel is
lacking some X protocol extensions

Xlib:  extension RANDR missing on display localhost:10.0.
Xlib:  extension MIT-SHM missing on display localhost:10.0.

but then firefox starts and runs fine.

Now suppose I try to cut-n-paste some text from the firefox window to
(say) a vi (in insert mode) which is running in some other xterm window
(call this one xterm #2).  [For twm, 'cut-n-paste' means double- or
triple-left-click to select, then middle-click to paste.]  This goes
badly awry:
* the cut appears to work normally (text is highlighted)
* the paste appears to be a no-op, ... but
* a few seconds later, the target xterm window (#2) disappears (and
  the vi and xterm processes are gone)



To see if this is a firefox issue, or a more generic problem with
cut-n-paste between X clients running with different uid/gid, I tried
starting an xterm instead of a firefox process.  That is, from the
_firefox shell, I typed

$ xterm 

and in the newly-started xterm (call it xterm #3) typed a few commands
to put some text on the screen

$ echo hello world
hello world
$ banner hello

 ##  ##  #   #
 ##  #   #   #   ##
 ##  #   #   #   ##
 ##  #   #   #   ##
 ##  #   #   #   ##
 ##  ##  ##  ##   

$

then I tried to cut-n-paste the banner 'hello' text from xterm #3
into somewhere else.

The result was that the cut operation killed the xterm #3 window, with
the following X error message displayed back in the _firefox shell
running in xterm #1:

$ xterm 
[1] 25801
$ xterm: warning, error event received:
X Error of failed request:  BadAccess (attempt to access private resource 
denied)
  Major opcode of failed request:  18 (X_ChangeProperty)
  Serial number of failed request:  599
  Current serial number in output stream:  600

[1] + Done (83)xterm 
$

(Interestingly, I had no problem cut-n-pasting that error text from
xterm #1 into a vi (in insert mode) over in still another xterm window.



What I conclude from all of this is that (apparently) my window manager
and/or X server have noticed that {firefox, xterm #3} are running as
uid/gid _firefox/_firefox, while my {window manager, X server} have my
usual (different) uid/gid, so the cut-n-paste attempt (indeed, the cut
itself, judging by the xterm error message) is blocked.

So... questions:
* is this indeed what's going on?
* it's been a long time since I tried cut-n-paste from a 'remote'
  window; is this what usually happens [I'll try some tests...]?
* what piece of software is enforcing this security policy?
  (once I find that out, then I can investigate if/how the policy
  might be configured to be more suitable to my needs)
* given my underlying goal of trying to exploit-mitigate firefox
  (http://marc.info/?l=openbsd-miscm=141616701418506w=1),
  what other options are there for handling cut-n-paste?
  (Maybe xcutsel(1) and/or xclipboard(1) would be useful here?)

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: making firefox less insecure

[Jonathan Thornburg]

In message http://marc.info/?l=openbsd-miscm=141710381310891w=1,
I wrote
 [For twm, 'cut-n-paste' means double- or
 triple-left-click to select, then middle-click to paste.]

Oops, that's wrong -- there are also other ways to select in twm.
The distinction between different ways of selecting is irrelevant here,
so what I should have written was

  [For twm, 'cut-n-paste' means select the text to be cut
  in the source window, then middle-click in the destination
  window to paste.]

Sorry for the confusion,

-- 
-- Jonathan Thornburg jth...@astro.indiana.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: making firefox less insecure

[Jonathan Thornburg]

 to use (e) (have firefox go through an ssh tunnel) instead.
This also gives a tiny bit more isolation for the firefox process --
no more shared-memory between firefox and the X server.

So, configured sshd to allow X forwarding and to allow (only) user
_firefox publickey authentication, added a pf rule to block outside
access to sshd, and activated sshd.

Then I created a new public keypair in ~/.ssh/firefox_id_rsa{,.pub}, with
no passphrase, and copied the public key to ~_firefox/.ssh/authorized_keys
(mode 600).  I renamed /usr/local/bin/firefox to /usr/local/bin/firefox.bin
and put the following script (executable, but no special priviliges) in
my ~/bin/ :

--- begin start-firefox script ---
#!/bin/sh
ssh -X -i ~/.ssh/firefox_id_rsa _firefox@localhost \
'/usr/local/bin/firefox.bin -no-remote -new-instance' \
21 /dev/null 
--- end start-firefox script ---

Running this script produces a couple of warning messages that we're
blocking some X progocol extensions:

Xlib:  extension RANDR missing on display localhost:10.0.
Xlib:  extension MIT-SHM missing on display localhost:10.0.

Blocking firefox from accessing these seems like a security boost to me:
according to  http://en.wikipedia.org/wiki/RandR , RANDR facilitate the
ability to resize, rotate and reflect the root window of a screen, and
MIT-SHM is a X protocol extension for using shared memory to communicate
between a client (firefox) and the X server.

After these warnings, firefox starts and runs ok as uid/gid _firefox.
It seems about as (un)responsive as usual.  (Perhaps a better way to
phrase that would be firefox is sluggish enough in its usual operation
that the extra overhead of the ssh tunnel isn't noticable.)  I haven't
tried any plugins yet.

Other notes:
* Firefox likes $HOME/Desktop as a spooling area for saving things,
  so I've made ~_firefox/ and ~_firefox/Desktop/ both mode 755, so that
  I can copy files out of that easily.  I don't see any security risk
  in this (given my context of a single-user desktop/laptop, with the
  Desktop directory only used as a transient spool directory).
* Making my home directory mode 750 (to block firefox from having any
  access to it) has the unfortunate side effect of excluding all my
  files from locate(1).  Since the locate database is built by user
  'nobody', my solution is to add myself to that group.  Is there a
  security risk in this?

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

secure(er) image viewer?

[Jonathan Thornburg]

Libraries for loading/parsing/processing common image formats like
JPEG, PNG, GIF, TIFF, etc, have a long history of buffer overruns and
other security problems.  This in turn has been reflected in various
exploits for command-line image-viewing tools like xv(1), xloadimage(1),
display(1) [ImageMagick], etc.

Do we (OpenBSD) have any image-viewing software that's written to
OpenBSD-style security standards?  Notably, do we have any image-viewing
software that's privilige-separated?  (I.e., which does the (dangerous)
image parsing/processing in a separate process which is chrooted, sending
back bitmaps/pixmaps over a constrained channel to a display process?)

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

PF User's Guide still refers to 5.5; patch to s/5.5/5.6/g

[Jonathan Thornburg]

===
RCS file: /cvs/www/faq/pf/shortcuts.html,v
retrieving revision 1.36
diff -u -r1.36 shortcuts.html
--- shortcuts.html  30 Jul 2014 21:57:19 -  1.36
+++ shortcuts.html  23 Nov 2014 00:51:31 -
@@ -171,7 +171,7 @@
 p
 Note that macros and lists simplify the ttpf.conf/tt file, but
 the lines are actually expanded by 
-a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pfctlamp;sektion=8amp;manpath=OpenBSD+5.5;
+a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pfctlamp;sektion=8amp;manpath=OpenBSD+5.6;
 pfctl(8)/a into multiple rules.  So, the above example actually
 expands to the following rules:
 blockquote
@@ -191,7 +191,7 @@
 As you can see, the PF expansion is purely a convenience for the writer
 and maintainer of the ttpf.conf/tt file, not an actual
 simplification of the rules processed by 
-a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pfamp;sektion=4amp;manpath=OpenBSD+5.5;
+a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pfamp;sektion=4amp;manpath=OpenBSD+5.6;
 pf(4)/a.
 
 p
Index: tables.html
===
RCS file: /cvs/www/faq/pf/tables.html,v
retrieving revision 1.38
diff -u -r1.38 tables.html
--- tables.html 30 Jul 2014 21:57:19 -  1.38
+++ tables.html 23 Nov 2014 00:51:31 -
@@ -72,9 +72,9 @@
 
 p
 Tables are created either in 
-a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pf.confamp;sektion=5amp;manpath=OpenBSD+5.5;
+a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pf.confamp;sektion=5amp;manpath=OpenBSD+5.6;
 ttpf.conf/tt/a or by using
-a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pfctlamp;sektion=8amp;manpath=OpenBSD+5.5;
+a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pfctlamp;sektion=8amp;manpath=OpenBSD+5.6;
 pfctl(8)/a.
 
 a name=config/a
@@ -84,7 +84,7 @@
 ul
 littconst/tt - the contents of the table cannot be changed once the
 table is created. When this attribute is not specified,
-a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pfctlamp;sektion=8amp;manpath=OpenBSD+5.5;
+a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pfctlamp;sektion=8amp;manpath=OpenBSD+5.6;
 pfctl(8)/a may be used to add or remove addresses from the
 table at any time, even when running with a
 a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=securelevelamp;sektion=7;
@@ -145,7 +145,7 @@
 a name=manip/a
 h2Manipulating with ttpfctl/tt/h2
 Tables can be manipulated on the fly by using
-a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pfctlamp;sektion=8amp;manpath=OpenBSD+5.5;
+a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pfctlamp;sektion=8amp;manpath=OpenBSD+5.6;
 pfctl(8)/a. For
 instance, to add entries to the lt;spammersgt; table created above:
 blockquote
@@ -170,7 +170,7 @@
 p
 For more information on manipulating tables with ttpfctl/tt,
 please read the
-a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pfctlamp;sektion=8amp;manpath=OpenBSD+5.5;
+a 
href=http://www.openbsd.org/cgi-bin/man.cgi?query=pfctlamp;sektion=8amp;manpath=OpenBSD+5.6;
 pfctl(8)/a manpage.
 
 a name=addr/a



-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

making firefox less insecure

[Jonathan Thornburg]

Web browsers scare me: they're huge pieces of code, un-audited, they
have embedded Turing-complete interpreters, they live in a horribly
imsecure environment,
[I have to put in a plug here for James Mickens' classic
rant To Wash It All Aawy (Usenix ;login, March 2014, p.2-8):
https://www.usenix.org/system/files/1403_02-08_mickens.pdf
]
they pass untrusted data to image/audio/video plugins which are also
huge/unaudited/buggy, etc etc.

So, I'm thinking about how to exploit-mitigate a web browser (I'll use
firefox here for purposes of illustration, but this is basically generic
to any other web browser).  This is in the context of a single-user
OpenBSD desktop (say a laptop).

My threat model is basically:
* I run firefox
* by default, the firefox process (and any plugins) all run under
  my id, with the same priviliges I have
* I browse to a (unknown-to-me) hostile website
* hostile website exploits a vulnerability in firefox or plugin to
  run malicious code on my computer (with all the priviliges of the
  firefox process)
* malicious code can then
  - read and/or write my $HOME/.ssh/
  - create a transparent X window over the entire screen to act as
a keylogger to watch for the next time I type a credit card number
or login to a banking site
  - write to my login scripts to make that keylogger persistent
  - try to exploit vulnerabilities in my X server
  - if I'm in group wsrc, try to install a backdoor in /usr/src/*
  - if I'm in group wheel, try to sudo to root to install a rootkit
  - etc etc

I can see several possible forms of exploit-mitigation:
(a) use the noscript firefox extension to block javascript
(b) use capsicum to sandbox forefox and any plugin processes
(c) run firefox in a chroot jail
(d) have firefox talk to an Xephyr(1) instance
so it's semi-isolated from the main X server
(e) maybe have firefox go through an ssh tunnel to localhost
(f) run firefox as an unpriviliged user _firefox, group _firefox, and
use Unix file permissions to deny that user access to $HOME/

(a) works and offers a fair bit of protection until some site that
I whitelist has a drive-by exploit. :(  And noscript requires considerable
handholding in practice.

(b) and (c) could offer a lot of protection... but they would be a lot
of work to port/setup, probably more work than I can afford right now.

(d) seems promising; I don't know what it would do to the ability
to cut-and-paste between firefox and the outside world

I'm not sure if (e) is needed in combination with (d) in order to
block firefox from connecting to the main X server.

(f) seems pretty easy, and offers some (modest) protection.
I have some technical questions about doing that, which I'll save
for a seprate thread.

Some useful past discussions on this mailing list include
  http://marc.info/?l=openbsd-miscm=126116965209030w=1
  http://marc.info/?l=openbsd-miscm=135442405732373w=1
  http://marc.info/?l=openbsd-miscm=135569662813122w=1
  http://marc.info/?l=openbsd-miscm=135767126712239w=1
  http://marc.info/?l=openbsd-miscm=135767705914968w=1
  http://marc.info/?l=openbsd-miscm=135771549729476w=1
  http://marc.info/?l=openbsd-miscm=135771660029742w=1

So.

Are there other practical ways of securing an OpenBSD web browser?
[I'm afraid just say no fails the practical test. :( ]

What unobvious gotchas are there in (d), (e), and (f)?
Other tips-and-tricks?

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: strange behavior in disklabel partitioning of new disk

[Jonathan Thornburg]

A big thank-you to Christian Weisgerber -- your ASCII-art diagrams
explain the problem very clearly.  (Otto Moerbeek's tweaks also help.)
I think having these in the FAQ would be a great idea!


In parallel (i.e., at about the same time, but without yet having seen
those messages), I decided to retry my partitioning sd0a at an offset of
128 sectors from the start of sd0c (instead of the default 64-sector
offset I'd used previously).

For reasons that are now clear to me after grokking naddy  otto's
diagrams, this worked fine (zeroing the first megabyte no longer trashed
the partition table).  So I went ahead with setting up the softraid sd1
inside the newly-created sd0 partition:

# cd /dev  sh MAKEDEV sd1
# bioctl -c C -r 144025 -l sd0a softraid0
# fdisk -i sd1

# install
(select sd1, do a normal install)

The installer warned me

 The offsets used in the disklabel are ABSOLUTE, i.e. relative to the
 start of the disk, NOT the start of the OpenBSD MBR partition.

so I put sd1a at an offset of 256 sectors (I guess in hindsight 192
sectors would probably have sufficed, but wasting 64 sectors is trivial
nowdays.)

All is well, and I have a running 5.6 system.  Yea!


Question:  Should the installer warning

 The offsets used in the disklabel are ABSOLUTE, i.e. relative to the
 start of the disk, NOT the start of the OpenBSD MBR partition.

be added to the disklabel(8) man page and/or section 14 of the FAQ?
I had a vague memory that I'd seen it somewhere, but I can't find it
in either place.


thanks again to everyone who contributed to this thread,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

strange behavior in disklabel partitioning of new disk

[Jonathan Thornburg]

 at pci1 dev 0 function 0 ATI Radeon Mobility X1400 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
Intel 82801GB HD Audio rev 0x02 at pci0 dev 27 function 0 not configured
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x02: msi
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 Intel 82573L rev 0x00: msi, address 
00:16:41:e4:89:7b
ppb2 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x02: msi
pci3 at ppb2 bus 3
athn0 at pci3 dev 0 function 0 Atheros AR5418 rev 0x01: apic 1 int 17
athn0: MAC AR5418 rev 2, RF AR5133 (2T3R), ROM rev 3, address 00:19:7e:6d:f9:88
ppb3 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x02: msi
pci4 at ppb3 bus 4
ppb4 at pci0 dev 28 function 3 Intel 82801GB PCIE rev 0x02: msi
pci5 at ppb4 bus 12
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x02: apic 1 int 16
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x02: apic 1 int 17
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x02: apic 1 int 18
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x02: apic 1 int 19
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x02: apic 1 int 19
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb5 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xe2
pci6 at ppb5 bus 21
cbb0 at pci6 dev 0 function 0 TI PCI1510 CardBus rev 0x00: apic 1 int 16
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 22 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
Intel 82801GBM LPC rev 0x02 at pci0 dev 31 function 0 not configured
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x02: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVDRAM GSA-4083N, 1.00 ATAPI 5/cdrom 
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ahci0 at pci0 dev 31 function 2 Intel 82801GBM AHCI rev 0x02: msi, AHCI 1.1
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: ATA, WDC WD7500BPKX-2, 01.0 SCSI3 0/direct 
fixed naa.50014ee604d7ebda
sd0: 715404MB, 512 bytes/sector, 1465149168 sectors
Intel 82801GB SMBus rev 0x02 at pci0 dev 31 function 3 not configured
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at mainbus0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
softraid0 at root
scsibus2 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b
--- end dmesg ---

thanks,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: Remove print/acroread

[Jonathan Thornburg]

In message http://marc.info/?l=openbsd-miscm=141460231808123w=1
I wrote
 [[various things that need fillable pdf forms of a sort that no
 native OpenBSD software seems to grok]]
 
 There's still a place in the computing world for Windoze machines. :(

In message http://marc.info/?l=openbsd-miscm=141460283508319w=1
Alexandre Ratchov asked
 not sure to understand; you mean that you're using the acroread
 port on openbsd?

and in message http://marc.info/?l=openbsd-miscm=141460396508823w=1
David Coppa further asked
 Indeed.
 
 I'm not questioning the usefulness of Adobe Acrobat Reader.
 
 I'm questioning the value of Acrobat Reader *7.0* running via
 compat_linux on OpenBSD/i386.

Oops.  I'm sorry, in hindsight my message was rather misleading.
I have not tried the i386 compat_linux acroread port, and I didn't
mean to imply anything about its usefulness or lack thereof.

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: Remove print/acroread

[Jonathan Thornburg]

In message http://marc.info/?l=openbsd-miscm=141459553404542w=1
Alexandre Ratchov wrote [[about acroread]]
 I don't see the point of keeping it, while we have other working
 pdf readers. I don't even understand why we have it at all. OK to
 remove it.

In message http://marc.info/?l=openbsd-miscm=141459635204943w=1
Marc Espie replied
 You don't use pdf form filling. Over the last few years, I've seen
 people want to do strange things with pdf.  Most things related
 to display work with default tools. afaik, password did not work
 with anything BUT acrobat reader AND now mutools.
 
 Form filling, in some cases (german taxes, iirr) does NOT work with
 other tools...

+1 on Marc's point.  And US tax forms too.  (Canada doesn't yet force
the use of fillable-pdf-forms, so I donno about those.)  Not to mention
the new-member-application forms on a certain Credit Union I just
joined

There's still a place in the computing world for Windoze machines. :(

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: openbsdstore: enable javascript and buy something or gtfo

[Jonathan Thornburg]

 | The OpenBSD Store

 | If you have JavaScript disabled you will not be able to order from
 | this site...

ludovic coues asked
| I'm curious, how did you get this message ?

(running 5.5-stable amd64)

lynx https://www.openbsdstore.com

or

lynx http://www.openbsd.org
-- Buy CDs/Shirts/Posters
-- the OpenBSD Store

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: does OpenMP work on 5.5/amd64?

[Jonathan Thornburg]

In message http://marc.info/?l=openbsd-miscm=140423832428907w=1,
I wrote:
| Has anyone gotten OpenMP to work on 5.5-{release,stable}/amd64?
| 
| 'man gcc' and /usr/local/info/gcc.info both describe gcc support for
| OpenMP (the -fopenmp compiler flag), but I'm getting fatal errors
| (either missing compiler spec file or missing omp.h header file)
| trying to compile even the simplest hello, world OpenMP programs
| with gcc (either base /usr/bin/gcc or ports /usr/local/bin/gcc).
[[...]]

In messagehttp://marc.info/?l=openbsd-miscm=140423912429329w=1,
you replied, quoting my message and adding the single word
 No.

Could you clarify which of the two different(-but-related) questions
I asked you were answering?  Have you gotten OpenMP to work on OpenBSD?
If so, how?

thanks, ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   currently on the west coast of Canada
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

does OpenMP work on 5.5/amd64?

[Jonathan Thornburg]

Has anyone gotten OpenMP to work on 5.5-{release,stable}/amd64?

'man gcc' and /usr/local/info/gcc.info both describe gcc support for
OpenMP (the -fopenmp compiler flag), but I'm getting fatal errors
(either missing compiler spec file or missing omp.h header file)
trying to compile even the simplest hello, world OpenMP programs
with gcc (either base /usr/bin/gcc or ports /usr/local/bin/gcc).

'locate omp.h' fails to find the header file anywhere, and
'man clang' doesn't mention OpenMP support at all.

I want to develop OpenMP programs on OpenBSD.  Do I need to build my
own gcc to do so?


Script started on Tue Jul  1 10:21:34 2014
% uname -a
OpenBSD copper.astro.indiana.edu 5.5 GENERIC.MP#0 amd64
% cat hello.c
#include stdio.h

int main(void)
{
  #pragma omp parallel
printf(Hello, world.\n);
  return 0;
}
% cat mt-hello.c
#include stdio.h
#include omp.h

int main(void)
{
#pragma omp parallel
  {
int id = omp_get_thread_num();
printf(hello(%d)\n,  id);
printf(world(%d)\n,  id);
  }
return 0;
}
%
%
% /usr/bin/gcc --version
gcc (GCC) 4.2.1 20070719
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

% /usr/bin/gcc -fopenmp -o hello hello.c
gcc: libgomp.spec: No such file or directory
% /usr/bin/gcc -fopenmp -o mt-hello mt-hello.c
mt-hello.c:2:17: error: omp.h: No such file or directory
%
%
% /usr/local/bin/gcc --version
gcc (GCC) 4.8.2
Copyright (C) 2013 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

% /usr/local/bin/gcc -fopenmp -o hello hello.c
gcc: error: libgomp.spec: No such file or directory
% /usr/local/bin/gcc -fopenmp -o mt-hello mt-hello.c
mt-hello.c:2:17: fatal error: omp.h: No such file or directory
 #include omp.h
 ^
compilation terminated.
%
%
% /usr/local/bin/clang --version
clang version 3.3 (tags/RELEASE_33/final)
Target: amd64-unknown-openbsd5.5
Thread model: posix
% /usr/local/bin/clang -fopenmp -o hello hello.c
clang-3.3: warning: argument unused during compilation: '-fopenmp'
% ./hello
Hello, world.
% /usr/local/bin/clang -fopenmp -o mt-hello mt-hello.c
clang-3.3: warning: argument unused during compilation: '-fopenmp'
mt-hello.c:2:10: fatal error: 'omp.h' file not found
#include omp.h
 ^
1 error generated.
% exit
Script done on Tue Jul  1 10:23:46 2014

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   currently on the west coast of Canada
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

running cvs update as root (was: Re: New install)

[Jonathan Thornburg]

In message http://marc.info/?l=openbsd-miscm=140224659303522w=1,
Miod Vallat wrote (about an anoncvs update to /usr/src)
 you should not run this command as root

http://www.openbsd.org/anoncvs.html  shows the 'cvs update' command being
run by root (# shell prompt), and I wouldn't expect any non-root user
to have write permission to /usr/src anyway.  So... why is doing the
cvs-update as root a bad idea?

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   currently on the west coast of Canada
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

[Jonathan Thornburg]

In message  http://marc.info/?l=openbsd-miscm=140146687910205w=1,
Ted Unangst wrote:
 If you are using encrypted vnd (vnconfig -k or -K) you will want to
 begin planning your migration strategy.
[[...]]
 WARNING: Encrypted vnd is insecure.
 Migrate your data to softraid before 5.7.

Once this transition happens, what will be the right way to achieve
nested crypto volumes?

That is, with present-day OpenBSD I can have the following:

/home is a softraid-crypto filesystem
managed with 'bioctl -c C' via passphrase #1

/home/me/very-secret is a vnd-crypto filesystem
backed by the files  /home/me/very-secret-storage.{salt,data}
managed with 'vnconfig -c -K' via passphrase #2

/home/me/other-secret is a vnd-crypto filesystem
backed by the files  /home/me/other-secret-storage.{salt,data}
managed with 'vnconfig -c -K' via passphrase #3

What will be the right way to achieve such a nested-encryption setup
once encrypted vnd goes away?  Is/will it be safe (i.e., free from
data corruption, deadlock, or other kernel badness) to nest softraid
crypto volumes?

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: OpenBSD on T61/T500

[Jonathan Thornburg]

Dennis den Brok asked:
 I am considering getting a ThinkPad T61 or T500 to run OpenBSD on.
 My main concern is the noise level:  I'd prefer the fan not to run
 at all during text editing and web browsing.  Can anyone comment
 on that?  Are there other caveats?

I have a T60 and a T60p (both 15.4 widescreens with ATI graphics);
currently both run 5.4/amd64.

For both, the fan *does* run at a low speed even when the system is idle.
I'm ok with the (relatively low) noise, but your tastes/tolerances may
differ.

Other things of note:
* X autoconfigures fine, and the 1680x1050 pixel 15.4 display is great
* the T60-series keyboard is (IMHO) fantastic -- it was (is) my key
  reason for staying with the T60 generation and not a newer machine
* wifi (wpi or athn) works ok
* with the disable-ATI-video-repost kernel patch,
http://marc.info/?l=openbsd-miscm=131458407113428w=1
  suspend-to-ram worked ok for OpenBSD 4.9 and 5.1, but it's been broken
  (either for GENERIC or for GENERIC + disable-ATI-video-repost)
  since I moved to 5.4. :( :(
* apmd doesn't seem to grok multi-core processors, so 'apmd -C' will
  keep the clock rate at minimum even when 1 core is at 100% cpu
  (I think this is a software problem, not specific to thinkpads)
* both the T60 and the T60p have an irritating touchpad problem which
  I described in detail in
http://marc.info/?l=openbsd-miscm=138735540520268w=1
  I'm unsure whether this is a hardware, firmware, or software problem.

Overall I'm happy, and would get another T60-series as a replacement
if one of my current pair died.  As always with laptops, YMMV..

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Thinkpad T60/60p sticky touchpad problem

[Jonathan Thornburg]

hw.disknames=cd0:,sd0:0932913111ddd735,sd1:83dd06627955ee76,sd2:
hw.diskcount=4
hw.sensors.cpu0.temp0=41.00 degC
hw.sensors.cpu1.temp0=41.00 degC
hw.sensors.acpitz0.temp0=44.00 degC (zone temperature)
hw.sensors.acpitz1.temp0=41.00 degC (zone temperature)
hw.sensors.acpibat0.volt0=10.80 VDC (voltage)
hw.sensors.acpibat0.volt1=12.59 VDC (current voltage)
hw.sensors.acpibat0.power0=1.61 W (rate)
hw.sensors.acpibat0.watthour0=47.27 Wh (last full capacity)
hw.sensors.acpibat0.watthour1=2.36 Wh (warning capacity)
hw.sensors.acpibat0.watthour2=0.20 Wh (low capacity)
hw.sensors.acpibat0.watthour3=46.80 Wh (remaining capacity), OK
hw.sensors.acpibat0.raw0=2 (battery charging), OK
hw.sensors.acpiac0.indicator0=On (power supply)
hw.sensors.acpithinkpad0.temp0=44.00 degC
hw.sensors.acpithinkpad0.temp1=32.00 degC
hw.sensors.acpithinkpad0.temp2=34.00 degC
hw.sensors.acpithinkpad0.temp3=56.00 degC
hw.sensors.acpithinkpad0.temp4=25.00 degC
hw.sensors.acpithinkpad0.temp6=25.00 degC
hw.sensors.acpithinkpad0.fan0=2849 RPM
hw.sensors.acpidock0.indicator0=Off (not docked)
hw.sensors.aps0.temp0=32.00 degC
hw.sensors.aps0.temp1=32.00 degC
hw.sensors.aps0.indicator0=Off (Keyboard Active)
hw.sensors.aps0.indicator1=Off (Mouse Active)
hw.sensors.aps0.indicator2=On (Lid Open)
hw.sensors.aps0.raw0=504 (X_ACCEL)
hw.sensors.aps0.raw1=494 (Y_ACCEL)
hw.sensors.aps0.raw2=504 (X_VAR)
hw.sensors.aps0.raw3=494 (Y_VAR)
hw.sensors.softraid0.drive0=online (sd1), OK
hw.cpuspeed=1000
hw.setperf=0
hw.vendor=LENOVO
hw.product=87424GU
hw.version=ThinkPad T60
hw.serialno=L3A3615
hw.uuid=bad9de01-4976-11cb-a519-c08924c20f49
hw.physmem=3218931712
hw.usermem=3218915328
hw.ncpufound=2
hw.allowpowerdown=1
hw.machine=amd64
hw.model=Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz
hw.ncpu=2
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=cd0:,sd0:d5efdbece9b51f6a,sd1:30a41678e7f8ecfd,vnd1:bb2c3f419bf6ffb0,vnd2:3ae0697b308ec1c3,vnd3:ba9cb3db14c94aa7,sd2:
hw.diskcount=7
hw.sensors.cpu0.temp0=42.00 degC
hw.sensors.cpu1.temp0=42.00 degC
hw.sensors.acpitz0.temp0=44.00 degC (zone temperature)
hw.sensors.acpitz1.temp0=42.00 degC (zone temperature)
hw.sensors.acpibat0.volt0=10.80 VDC (voltage)
hw.sensors.acpibat0.volt1=12.52 VDC (current voltage)
hw.sensors.acpibat0.power0=0.00 W (rate)
hw.sensors.acpibat0.watthour0=63.98 Wh (last full capacity)
hw.sensors.acpibat0.watthour1=3.20 Wh (warning capacity)
hw.sensors.acpibat0.watthour2=0.20 Wh (low capacity)
hw.sensors.acpibat0.watthour3=63.80 Wh (remaining capacity), OK
hw.sensors.acpibat0.raw0=0 (battery idle), OK
hw.sensors.acpiac0.indicator0=On (power supply)
hw.sensors.acpithinkpad0.temp0=44.00 degC
hw.sensors.acpithinkpad0.temp1=31.00 degC
hw.sensors.acpithinkpad0.temp2=31.00 degC
hw.sensors.acpithinkpad0.temp3=64.00 degC
hw.sensors.acpithinkpad0.temp4=26.00 degC
hw.sensors.acpithinkpad0.temp6=24.00 degC
hw.sensors.acpithinkpad0.fan0=3419 RPM
hw.sensors.acpidock0.indicator0=Off (not docked)
hw.sensors.aps0.temp0=31.00 degC
hw.sensors.aps0.temp1=31.00 degC
hw.sensors.aps0.indicator0=On (Keyboard Active)
hw.sensors.aps0.indicator1=On (Mouse Active)
hw.sensors.aps0.indicator2=On (Lid Open)
hw.sensors.aps0.raw0=509 (X_ACCEL)
hw.sensors.aps0.raw1=505 (Y_ACCEL)
hw.sensors.aps0.raw2=509 (X_VAR)
hw.sensors.aps0.raw3=505 (Y_VAR)
hw.sensors.softraid0.drive0=online (sd1), OK
hw.cpuspeed=1000
hw.setperf=0
hw.vendor=LENOVO
hw.product=8742W1B
hw.version=ThinkPad T60p
hw.serialno=L3A6924
hw.uuid=f602fe01-49c4-11cb-80a3-b45c3b003c09
hw.physmem=3203203072
hw.usermem=3203186688
hw.ncpufound=2
hw.allowpowerdown=1
--- end T60p 5.4-release 'sysctl hw' ---

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

Re: Looking for good, small, canadian version laptop suggestions

[Jonathan Thornburg]

IBM sells refurbished ThinkPads:
  http://www.ibm.com/shop/used/pref
  
http://www-304.ibm.com/shop/americas/content/home/store_IBMPublicCanada/en_CA/icpepcs.html
I have bought a couple of laptops from them in the past, with generally
good experiences.

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

multiple softraid-crypto filesystems

[Jonathan Thornburg]

I have an amd64 laptop (Thinkpad T60) whose /, /var, and /usr are
standard FFS partitions (dksklabel fstype 4.2BSD), while /home is
encrypted via softraid crypto: on boot I login as root, and run a perl
script which executes (with lots of error checking  optional logging)
  # sd0 is the built-in disk; sd0j has disklabel fstype RAID
  bioctl -c C -r 10 -l /dev/sd0j softraid0
  mount -o softdep,noatime /dev/sd1a /home
This works nicely.

Now I want to set up a similarly-encrypted external USB backup disk
which I can access concurrently with my encrypted /home.  Since this
is to be a distinct physical disk, a distinct filesystem, and (presumably)
a distinct set of encryption parameters, I presume I need to use a
different softraid device from softraid0 (which is handling /home):
  # assume sd2 is the external disk, and sd2j has filesystem type RAID
  bioctl -c C -r 10 -l /dev/sd2j softraid1
  mount -o softdep,noatime /dev/sd3a /mnt

Unfortunately, this doesn't work:  as of either 5.3-release or 5.1-stable
(GENERIC.MP in all cases), bioctl gives the error message
  # bioctl -c C -r 10 -l /dev/sd2j softraid1
  bioctl: Can't locate softraid1 device via /dev/bio
Indeed, even a status-check on softraid1 fails:
  # bioctl softraid1
  bioctl: Can't locate softraid1 device via /dev/bio
and a quick grep through dmesg reveals only one softraid device
(softraid0) mentioned.

Question:  What's the right way to have multiple independent softraid
   crypto filesystems?
Question:  Which Fine Manual should I have read to learn this?
   I can't find any mention of this situation in softraid(4)
   or bioctl(8).

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984

do we have a Perl interface to sysctl(3)?

[Jonathan Thornburg]

Is there an (OpenBSD) perl interface to sysctl(3)?  Parsing the output
of `sysctl $string` works, but is clumsy.

FreeBSD has the BSD-Sysctl perl module available from CPAN, which would
be ideal for my purposes... except that it doesn't (yet) support OpenBSD.
Rex::Commands::Sysctl looks like it could work... but browsing the source
code reveals that internally it just does `sysctl $string` and parses the
result.

What do OpenBSD people use for doing system-monitoring from Perl?

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy, Indiana University, Bloomington, Indiana, USA
   C++ is to programming as sex is to reproduction. Better ways might
technically exist but they're not nearly as much fun. -- Nikolai Irgens

Re: do we have a Perl interface to sysctl(3)?

[Jonathan Thornburg]

I wrote
| FreeBSD has the BSD-Sysctl perl module available from CPAN, which would
| be ideal for my purposes... except that it doesn't (yet) support OpenBSD.

On Mon, 14 Jan 2013, Philip Guenther wrote:
 So, uh, what fails if you try to build it?

% uname -a
OpenBSD cobalt.astro.indiana.edu 5.1 GENERIC.MP#1 amd64
% pwd
/usr/local/perl-modules/BSD-Sysctl-0.10
% head -13 README
This file is the README for BSD::Sysctl version 0.10

INSTALLATION

perl Makefile.PL
make
make test
make install

Building this module requires a FreeBSD system and a C compiler.
Support for OpenBSD and NetBSD will appear in future releases. In
theory, this module should be able to handle any system that uses
a sysctl interface to the kernel.
% perl Makefile.PL
OS unsupported (openbsd). Here's a nickel, go buy yourself a real OS.
%

Notes:
* As of yesterday, 0.10 is the latest version of BSD::Sysctl on CPAN.
* I'm well aware that OpenBSD 5.2 has been out for a while; I bought a
  CD.  If and when 5.1 proves inadequate for my needs, I'll reinstall.
  If not, I'll wait for 5.3.

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   on sabbatical in Canada starting August 2012
  Some languages give you enough rope to hang yourself with.  
   Perl gives you the rope, the scaffold, and the trapdoor under 
   your feet... plus a loaded gun and a vial of poison, because 
   hey, 'there's more than one way to do it'...   -- Eryq Hughes

problem SOLVED (was: Re: more Thinkpad T60 X/video woes (5.0-stable amd64))

[Jonathan Thornburg]

In a thread back in November 2011,
  http://marc.info/?t=132173453400070r=1w=1
I reported intermittent kernel/X hangs (usually under near-idle loads)
on a Thinkpad T60 widescreen laptop (alas I misspelled the name as
Tinkpad in the Subject: line) running 5.0-stable amd64.  My full
dmesg is given in the first message in that thread,
  http://marc.info/?l=openbsd-miscm=132105242827683w=1
along with various other (hopefully-)relevant information.  There's
also more information on the problem symptoms in my later messages in
that thread,
  http://marc.info/?l=openbsd-miscm=132103762123592w=1
  http://marc.info/?l=openbsd-miscm=132137790200900w=1
  http://marc.info/?l=openbsd-miscm=132813757309520w=1

I'm pleased to report that as of 5.1/amd64 (either -release or -stable)
the problem is solved -- the default autoconfigure-everything X works
fine, with no crashes or hangs and full video acceleration.

My thanks to all who contributed ideas in the thread (and to all the
developers for a *great* 5.1)!

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam

Thinkpad T60 sticky touchpad (amd64/5.1-stable)

[Jonathan Thornburg]

azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x02: msi
azalia0: codecs: Analog Devices AD1981HD, 0x/0x, using Analog Devices 
AD1981HD
audio0 at azalia0
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x02: msi
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: msi, address 
00:16:41:e4:89:7b
ppb2 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x02: msi
pci3 at ppb2 bus 3
athn0 at pci3 dev 0 function 0 Atheros AR5418 rev 0x01: apic 1 int 17
athn0: MAC AR5418 rev 2, RF AR5133 (2T3R), ROM rev 3, address 00:19:7e:6d:f9:88
ppb3 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x02: msi
pci4 at ppb3 bus 4
ppb4 at pci0 dev 28 function 3 Intel 82801GB PCIE rev 0x02: msi
pci5 at ppb4 bus 12
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x02: apic 1 int 16
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x02: apic 1 int 17
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x02: apic 1 int 18
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x02: apic 1 int 19
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x02: apic 1 int 19
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb5 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xe2
pci6 at ppb5 bus 21
cbb0 at pci6 dev 0 function 0 TI PCI1510 CardBus rev 0x00: apic 1 int 16
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 22 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
pcib0 at pci0 dev 31 function 0 Intel 82801GBM LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x02: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVDRAM GSA-4083N, 1.00 ATAPI 5/cdrom 
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ahci0 at pci0 dev 31 function 2 Intel 82801GBM AHCI rev 0x02: msi, AHCI 1.1
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: ATA, WDC WD3200BEVT-0, 01.0 SCSI3 0/direct 
fixed naa.50014ee656688602
sd0: 305245MB, 512 bytes/sector, 625142448 sectors
ichiic0 at pci0 dev 31 function 3 Intel 82801GB SMBus rev 0x02: apic 1 int 23
iic0 at ichiic0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
wsmouse1 at pms0 mux 0
pms0: Synaptics touchpad, firmware 6.2
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
aps0 at isa0 port 0x1600/31
mtrr: Pentium Pro MTRR support
ugen0 at uhub4 port 2 STMicroelectronics Biometric Coprocessor rev 1.00/0.01 
addr 2
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (0932913111ddd735.a) swap on sd0b dump on sd0b
sd1 at scsibus3 targ 1 lun 0: OPENBSD, SR CRYPTO, 005 SCSI2 0/direct fixed
sd1: 267880MB, 512 bytes/sector, 548619249 sectors

thanks, ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam

Re: undeadly (window managers)

[Jonathan Thornburg]

In message http://marc.info/?l=openbsd-miscm=133568945200754w=1,
Alexei Malinin Alexei.Malinin () mail ! ru wrote:
 I use twm (with a few initial settings made in the late 90s)
 more then 10 years (!), it fits all my needs at work and at home

old-fogie mode
I started with twm around 1986-7, and still have several old .twmrc
files with 1992-1993 timestamps.  Sometime or other I really ought to
get around to trying one of these new-fangled multi-desktop thingies... :)
/old-fogie mode

Seriously, I'm basically happy with twm, but a multi-desktop variant
would be nice.  Looking around for such a critter, I've found vtwm,
ctwm, and tvtwm.  What are the tradeoffs between them?

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam

Re: more Thinkpad T60 X/video woes (5.0-stable amd64)

[Jonathan Thornburg]

I wrote
| In a thread back in November 2011,
|   http://marc.info/?t=132173453400070r=1w=1
| I reported intermittent kernel/X hangs (usually under near-idle loads)
| on a Thinkpad T60 widescreen laptop (alas I misspelled the name as
| Tinkpad in the Subject: line) running 5.0-stable amd64.
[[...]]

You asked:
 Do you have possibility to try a snapshot to see if problem still persist?

Hmm, good idea -- I see in http://openbsd.org/faq/current.html#20120125
that the radeon driver has just beeen updated.  Unfortunately I'm going
on a business trip in a week and I don't know if I'll have time for a
snapshot before I leave -- otherwise it will have to wait until March.

I've been using OpenBSD for 11+ years, but I've never tried snapshots.
I'll RT a few FMs on how stable--snapshot upgrades work.

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam

more Thinkpad T60 X/video woes (5.0-stable amd64)

[Jonathan Thornburg]

   # [str]
#Option CPPIOMode # [bool]
#Option CPusecTimeout # i
#Option AGPMode   # i
#Option AGPFastWrite  # [bool]
#Option AGPSize   # i
#Option GARTSize  # i
#Option RingSize  # i
#Option BufferSize# i
#Option EnableDepthMoves  # [bool]
#Option EnablePageFlip# [bool]
#Option NoBackBuffer  # [bool]
#Option DMAForXv  # [bool]
#Option FBTexPercent  # i
#Option DepthBits # i
#Option PCIAPERSize   # i
#Option AccelDFS  # [bool]
#Option IgnoreEDID# [bool]
#Option DisplayPriority   # [str]
#Option PanelSize # [str]
#Option ForceMinDotClock  # freq
#Option ColorTiling   # [bool]
#Option VideoKey  # i
#Option RageTheatreCrystal# i
#Option RageTheatreTunerPort  # i
#Option RageTheatreCompositePort  # i
#Option RageTheatreSVideoPort # i
#Option TunerType # i
#Option RageTheatreMicrocPath # str
#Option RageTheatreMicrocType # str
#Option ScalerWidth   # i
#Option RenderAccel   # [bool]
#Option SubPixelOrder # [str]
#Option ShowCache # [bool]
#Option DynamicClocks # [bool]
#Option VGAAccess # [bool]
#Option ReverseDDC# [bool]
#Option LVDSProbePLL  # [bool]
#Option AccelMethod   # str
#Option DRI   # [bool]
#Option ConnectorTable# str
#Option DefaultConnectorTable # [bool]
#Option DefaultTMDSPLL# [bool]
#Option TVDACLoadDetect   # [bool]
#Option ForceTVOut# [bool]
#Option TVStandard# str
#Option IgnoreLidStatus   # [bool]
#Option DefaultTVDACAdj   # [bool]
#Option Int10 # [bool]
#Option EXAVSync  # [bool]
#Option ATOMTVOut # [bool]
#Option R4xxATOM  # [bool]
Identifier  Card0
Driver  radeon
BusID   PCI:1:0:0
EndSection

Section Screen
Identifier Screen0
Device Card0
MonitorMonitor0
SubSection Display
Viewport   0 0
Depth 1
EndSubSection
SubSection Display
Viewport   0 0
Depth 4
EndSubSection
SubSection Display
Viewport   0 0
Depth 8
EndSubSection
SubSection Display
Viewport   0 0
Depth 15
EndSubSection
SubSection Display
Viewport   0 0
Depth 16
EndSubSection
SubSection Display
Viewport   0 0
Depth 24
EndSubSection
EndSection

--- end /etc/X11/xorg.conf ---

thanks, ciao,

-- 
-- Jonathan Thornburg jth...@astro.indiana.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam

Re: intermittent 5.0/amd64 kernel/X hangs on Tinkpad T60

[Jonathan Thornburg]

Hi,

On Wed, 16 Nov 2011, Stefan Wollny wrote:
 I have an T60 as well but running the i386-MP-kernel. I witnessed the
 same occasional behaviour prior to 4.9. From my memory: This was most
 likely to happen with heavy I/O operations on some interface. But I
 never investigated closer on this issue.

Did you ever try
* the i386 uniprocessor kernel?
* using the generic VESA video driver?
* AMD64, either uniprocessor or multiprocessor?

thanks, ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam

Re: intermittent 5.0/amd64 kernel/X hangs on Tinkpad T60

[Jonathan Thornburg]

In an earlier message which apparently didn't make it to the mailing
list due to being oversized, I wrote
 I've just installed 5.0/amd64 (from the CD set) on a Lenovo
 Thinkpad T60 laptop (dmesg below).  I'm running GENERIC.mp.  I
 will probably move to -stable soon, but right now I'm running
 -release.  X autoconfigures and works nicely (1680x1050 pixels,
 /var/log/Xorg.0.log below), *but* occasionally it hangs. :( :(
[[...]]

I had 3 more hangs yesterday and 2 more today, the latter both
happening within a few minutes of (re)starting X.  I've gathered
some further information about what's wrong.  I'll give a dmesg and
/var/log/Xorg.0.log (again) below since the previous ones didn't
make it to the list.

The basic problem symptoms are that the machine hangs.  Most of the
times this has happened, the machine has been close to idle, with very
low disk/network traffic, no usb devices connected, just me typing in
an xterm.  When in the hung state:
* The screen image stays static.
* xclock and xmeter stop updating.
* Fn-PgUp DOES work to turn the ThinkLight on/off
* If I unplug/plug the AC power I DO get the usual 2-tone beep-bop
  sound.
* The speaker-volume up/down/mute buttons DO work to adjust the volume
  of that sound.
* There's no response (no movement or change of the X cursor) to the
  touchpad, touchpad buttons, or touchpoint nipple.
* There's no response to any other keyboard input.  In particular
  - There's no response to Fn-Home/Fn-End (which should ajust the
screen brightness).
  - There's no response to Ctrl/Alt/Backspace (which should kill the
X server)
  - There's no response to Ctrl/Alt/Delete (which should do a clean
OpenBSD halt)

I ran memtest86+ (from ports) overnight last night, and it didn't
find anything wrong in I think 6 or 8 full passes.

Because some Fn-Key operations still work when the machine is hung,
I infer that the CPU is still running.  Since memtest86+ didn't find
any hardware problems, and the machine (so far) never crashes when X is
NOT running, I infer (speculate? hope?) that my problem is probably with
X, not with the kernel or hardware.

I now have an sshd running (I'm currently rsync-ing /home to the spare
laptop from which I'm writing this message), so if/when the next hang
happens, I can try ssh-ing into the machine to see if the kernel is
still alive.

In the meantime, some questions:
* At the moment I do NOT have a /etc/xorg.conf -- I let X autoconfigure
  everything.  I need an X server that's reliable, but I don't need
  high performance graphics.  Would it be useful to force use of a
  more generic video driver instead of the fancier radeon one?  If
  so, what's the best way to do this?
* Is there extra logging available in the X server which would be useful
  in tracking down what's wrong?  If so, should I mount root and/or var
  (which I normally mount softdep,noatime) synchronous so more info makes
  it to disk before a crash/hang?
* If I'm able to ssh into the machine when X is hung, what information
  should I try to gather to help diagnose the problem?

--- begin dmesg ---
OpenBSD 5.0 (GENERIC.MP) #63: Wed Aug 17 10:14:30 MDT 2011
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3218931712 (3069MB)
avail mem = 3119185920 (2974MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (68 entries)
bios0: vendor LENOVO version 7IET23WW (1.04 ) date 12/27/2006
bios0: LENOVO 87424GU
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET SLIC BOOT SSDT SSDT SSDT 
SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) LURT(S3) DURT(S3) EXP0(S4) EXP1(S4) 
EXP2(S4) EXP3(S4) PCI1(S4) USB0(S3) USB1(S3) USB2(S3) USB7(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz, 1995.28 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 166MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz, 1995.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG
cpu1: 4MB 64b/line 16-way L2 cache
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 2, remapped to apid 1
acpimcfg0 at acpi0 addr 0xf000, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (AGP_)
acpiprt2 at acpi0: bus 2 (EXP0)
acpiprt3 at acpi0: bus 3 (EXP1)
acpiprt4 at acpi0: bus 4 (EXP2)
acpiprt5 at acpi0: bus 12 (EXP3)
acpiprt6 at acpi0: bus 21 (PCI1)
acpicpu0 at acpi0: C3, C2, C1, PSS
acpicpu1 at acpi0: 

Re: intermittent 5.0/amd64 kernel/X hangs on Tinkpad T60

[Jonathan Thornburg]

In a message a few minutes ago, I wrote:
 I've just installed 5.0/amd64 (from the CD set) on a Lenovo
 Thinkpad T60 laptop (dmesg below).  I'm running GENERIC.mp.  I
 will probably move to -stable soon, but right now I'm running
 -release.  X autoconfigures and works nicely (1680x1050 pixels,
 /var/log/Xorg.0.log below), *but* occasionally it hangs. :( :(
[[...]]

A few other details:

I'm not running xdm.  I normally login at the console, then type
startx;logout to start X.  My .xinitrc is as follows (the ICON_X1
and ICON_X2 magic is to allow this same .xinitrc to work on two laptops
with different screen resolutions):

--- begin /home/jonathan/.xinitrc ---
#!/bin/sh

PATH=/usr/X11R6/bin:/usr/local/bin:$PATH
export PATH

xterm -C -g 80x28+0+0 -bw 4 -fn 7x14 -fg white -bg black -j -rw +s -sl 2000 +sb 
-si -sk +sf -wf -cm 

HOST=`hostname -s`
export HOST
DOMAIN=`domainname`
export DOMAIN

##xsetroot -solid grey15
xsetroot -solid black
xset m 2 10
##xset b 10
xset r on
xset r rate 250 40

# make Caps Lock key be another control key
# thanks to Philip Guenther for suggesting how to get this right!
xmodmap - 'EOF'
remove Lock = Caps_Lock
keysym Caps_Lock = Control_L
add control = Control_L
!! Swap Caps_Lock and Control_L (adapted from the xmodmap(1) man page)
!!remove Lock = Caps_Lock
!!remove Control = Control_L
!!keysym Control_L = Caps_Lock
!!keysym Caps_Lock = Control_L
!!add Lock = Caps_Lock
!!add Control = Control_L
EOF

# workaround for broken right-arrow on helium: map page-L/R to L/R arrow
# defaults on helium:
#   Page-left   = keycode 234 = no keysym
#   Page-right  = keycode 233 = no keysym
#   Left-arrow  = keycode 100 = keysym Left
#   Right-arrow = keycode 102 = keysym Right
xmodmap - 'EOF'
keycode 234 = Left
keycode 233 = Right
EOF

xclock -g 55x56-0+0 -update 60 -fg white -rv -pad 0 -bw 0 
xbatt -g 40x56-18+0 -bw 0  # logically this should be -g ...-56+0, but
# for some reason it comes out too far left
# that way
xmeter -g 50x56-96+0 -bw 0 -fn 6x10 -rv -sn -scpu 101 -update 1 -cpu $HOST 
##xcalc -g 200x300-192+0 -xrm '*iconGeometry:64x80-120+0' -iconic -rv 

sleep 1

xterm -g 80x68+0-0 -bw 4 -fn 7x14 -fg white -bg black -j -rw +s -sl 2000 +sb 
-si -sk +sf -wf -cm 
xterm -g 80x38-0+56 -bw 4 -fn 7x14 -fg white -bg black -j -rw +s -sl 2000 +sb 
-si -sk +sf -wf -cm 
xterm -g 80x28-0-0 -bw 4 -fn 7x14 -fg white -bg black -j -rw +s -sl 2000 +sb 
-si -sk +sf -wf -cm 

case `xdpyinfo | grep dimensions: | awk '{print $2}' -` in
1680x*) xterm -g 80x58+572-0 -bw 4 -fn 7x14 -fg white -bg black -j -rw +s -sl 
2000 +sb -si -sk +sf -wf -cm 
ICON_X1=-690
ICON_X2=-625
;;
*)  ICON_X1=+595
ICON_X2=+660
;;
esac

xterm -g 80x30+0+136 -iconic -xrm *iconGeometry:${ICON_X1}+0 -bw 4 -fn 7x14 
-fg white -bg black -j -rw +s -sl 2000 +sb -si -sk +sf -wf -cm 
xterm -g 80x30+0+190 -iconic -xrm *iconGeometry:${ICON_X1}+20 -bw 4 -fn 7x14 
-fg white -bg black -j -rw +s -sl 2000 +sb -si -sk +sf -wf -cm 
xterm -g 80x30+0+244 -iconic -xrm *iconGeometry:${ICON_X1}+40 -bw 4 -fn 7x14 
-fg white -bg black -j -rw +s -sl 2000 +sb -si -sk +sf -wf -cm 
xterm -g 80x30+0+298 -iconic -xrm *iconGeometry:${ICON_X1}+60 -bw 4 -fn 7x14 
-fg white -bg black -j -rw +s -sl 2000 +sb -si -sk +sf -wf -cm 
xterm -g 80x30+0+352 -iconic -xrm *iconGeometry:${ICON_X1}+80 -bw 4 -fn 7x14 
-fg white -bg black -j -rw +s -sl 2000 +sb -si -sk +sf -wf -cm 
xterm -g 80x30+0+406 -iconic -xrm *iconGeometry:${ICON_X1}+100 -bw 4 -fn 7x14 
-fg white -bg black -j -rw +s -sl 2000 +sb -si -sk +sf -wf -cm 

xterm -g 80x30-0+136 -iconic -xrm *iconGeometry:${ICON_X2}+00 -bw 4 -fn 7x14 
-fg white -bg black -j -rw +s -sl 2000 +sb -si -sk +sf -wf -cm 
xterm -g 80x30-0+190 -iconic -xrm *iconGeometry:${ICON_X2}+20 -bw 4 -fn 7x14 
-fg white -bg black -j -rw +s -sl 2000 +sb -si -sk +sf -wf -cm 
xterm -g 80x30-0+244 -iconic -xrm *iconGeometry:${ICON_X2}+40 -bw 4 -fn 7x14 
-fg white -bg black -j -rw +s -sl 2000 +sb -si -sk +sf -wf -cm 
xterm -g 80x30-0+298 -iconic -xrm *iconGeometry:${ICON_X2}+60 -bw 4 -fn 7x14 
-fg white -bg black -j -rw +s -sl 2000 +sb -si -sk +sf -wf -cm 
xterm -g 80x30-0+352 -iconic -xrm *iconGeometry:${ICON_X2}+80 -bw 4 -fn 7x14 
-fg white -bg black -j -rw +s -sl 2000 +sb -si -sk +sf -wf -cm 
xterm -g 80x30-0+406 -iconic -xrm *iconGeometry:${ICON_X2}+100 -bw 4 -fn 7x14 
-fg white -bg black -j -rw +s -sl 2000 +sb -si -sk +sf -wf -cm 

##ctwm -n
twm
--- end /home/jonathan/.xinitrc ---

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam

Re: local user can peek on key being set by ifconfig(8)

[Jonathan Thornburg]

In message http://marc.info/?l=openbsd-techm=131525927014250w=1,
Sviatoslav Chagaev sviatoslav.chagaev () gmail ! com wrote:

 Further ideas:
 * Maybe depracate and disable the ability to pass the key on the
 command line at all?

I have no objection to allowing keys to be entered from /dev/tty,
but I think forbidding passing them on the command line (in practice,
forbidding setting keys from a script) would be doubleplusungood.

The problem is that in some situations (e.g. a laptop on which I'm the
only user) I don't care about anyone grabbing the command line with ps,
and I'm happy to put the wpa passphrase in a shell script (maybe protected
by being owner root.root  mode 700).  I sometimes use scripts like that,
with one shell script for each place (wifi network) whose keys-and-other-
-special-configuration I need to setup.

If we forbid passing keys on the command line, then I'd have to hack up
an expect script to fake keyboard input of the key in each such case.
So I strongly prefer retaining scriptability here.

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam

Re: status of ACPI suspend/resume on Thinkpad T60 w/ T7200 processor?

[Jonathan Thornburg]

: 256 targets
softraid0 at root
root on sd0a swap on sd0b dump on sd0b
scsibus3 at softraid0: 1 targets
sd1 at scsibus3 targ 0 lun 0: OPENBSD, SR CRYPTO, 004 SCSI2 0/direct fixed
sd1: 267880MB, 512 bytes/sec, 548619249 sec total


-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam