Re: disk encryption for remote server

2024-05-27 Thread Manuel Giraud
Stefan Kreutz  writes:

> Can you access the machine's serial console, maybe redirected over IP?

I concur that a remote serial console access (maybe via a web interface
serviced by your provider) is your best option here.

I used to do (almost) FDE without console access but here is a list of
drawbacks/requirements:

- It is not really FDE because / was not encrypted

- It required patching /etc/rc with the patch at the end of this
  message
  
- The "/root/sshd" from this patch is a self-contained sshd
  without the need of any external library.  It is *not* a copy
  of /usr/sbin/sshd and you have to compile it yourself (and I
  don't remember how)

--- rc.orig	Wed Jul 27 15:23:24 2011
+++ /etc/rc	Thu Jul 28 15:28:28 2011
@@ -294,8 +294,18 @@
 		exit 1
 		;;
 	8)
-		echo "Automatic file system check failed; help!"
-		exit 1
+		echo "Automatic file system check failed; help (from outterspace)!"
+		ifconfig em0 a.b.c.d netmask 255.255.255.0
+		route -qn add default a.b.c.1
+		mount -uw /
+		/root/sshd -De \
+			-o PasswordAuthentication=no \
+			-o ChallengeResponseAuthentication=no \
+			-o UsePrivilegeSeparation=no \
+			-o UseDNS=no
+		mount -ur /
+		route -qn flush
+		ifconfig em0 down delete
 		;;
 	12)
 		echo "Boot interrupted."
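Review bot: the rewritten `8)` branch no longer ends in `exit 1` and checks nothing after `/root/sshd -De ...` returns, so if that sshd exits for any reason (binary missing, bind failure, killed before the volume was unlocked) rc falls through `;;` and keeps booting after a failed file system check. Suggest testing the exit status, or re-running the check that failed, and keeping `exit 1` on the failure path. A comment above `-o UsePrivilegeSeparation=no` saying why privilege separation has to be off this early in boot would help whoever merges /etc/rc next, as would a variable instead of the hard-coded `em0`.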

Best regards,
-- 
Manuel Giraud


Re: Relayd forward to multiple ports on one target host?

2024-05-03 Thread Manuel Giraud
Paul Pace  writes:

> On 2024-05-02 07:32, Manuel Giraud wrote:
>> table  { 127.0.0.1 }
>> table  { 127.0.0.1 }
>> table  { 127.0.0.1 }
>
> On 2024-05-02 07:02, Zé Loff wrote:
>> table  { 10.17.16.10 }
>> table  { 10.17.16.10 }
>> table  { 10.17.16.10 }
>
> Multiple tables - I didn't see that!

Yes, AFAIU, a table is *not* just an alias for say 192.0.2.99.  It is
the structure that maintains the link between a protocol and a relay
(surely this explanation is not quite right: you'd better read the man
pages ;)
-- 
Manuel Giraud



Re: Relayd forward to multiple ports on one target host?

2024-05-02 Thread Manuel Giraud
Paul Pace  writes:

> Hello!
>
> I have an OpenBSD server that hosts multiple services listening on
> various ports (some projects have their own web server, some projects
> require a reverse proxy, some projects just use httpd, etc.). This
> server receives requests via relayd on a different server. I was
> hoping to not insert relayd between every request to the host, but
> it's not the end of the world if this is the only viable solution
> while using relayd.
>
> The requests to relayd go to domains (e.g., www.example.com,
> serviceone.example.com, servicetwo.example.com, etc.) for web services
> (ports 80 and 443), but I cannot figure out a way to specify a port on
> the target server to forward requests to when there are multiple ports
> (e.g., www is on port 80, serviceone is on port 8080, servicetwo is on
> port 3, etc.). Running relayd -n does not report syntax errors
> when there are multiple forward to rules for the same target server
> with different ports in the relay block, but I can't find a way to
> specify which request should go to which port.

Hi,

I'm not sure this could answer your issue but here is a sketch of what
I'm using on some servers:

--8<---cut here---start->8---
table  { 127.0.0.1 }
table  { 127.0.0.1 }
table  { 127.0.0.1 }

http protocol "secure" {
 tcp { nodelay, sack, socket buffer 65536, backlog 128 }
 tls { no tlsv1.0, ciphers HIGH, keypair example.com }

 # Matching is done here on Host
 match request quick header "Host" value "example.com" \
   forward to 
 match request quick header "Host" value "service1.example.com" \
   forward to 
 match request quick header "Host" value "service2.example.com" \
   forward to 
}

relay "secure-proxy" {
  listen on 0.0.0.0 port 443 tls
  protocol "secure"

  # Forward to different services
  forward with tls to  port 80 check tls
  forward with tls to  port 8080 check tls
  forward with tls to  port 3 check tls
}
--8<---cut here---end--->8---

Best regards,
-- 
Manuel Giraud



Re: sftp server empty password login

2024-03-26 Thread Manuel Giraud
Sylvain Saboua  writes:

[...]

> $ more /etc/ssh/sshd_config # relevant extracts and changes :
> ...
> PermitRootLogin no
> ...
> # override default of no subsystems
> #Subsystem  sftp  /usr/libexec/sftp-server -d /home/media
> Subsystem   sftp internal-sftp # -d /home/media
>
> Match User media
> ForceCommand internal-sftp -d /home/media
> ChrootDirectory /home/media
> PasswordAuthentication yes
> AuthenticationMethods none
> PermitEmptyPasswords yes

Hi,

I have a setup that looks like this (except I'm using pubkey
authentication).  The only other difference I see is that I have not
specified the "-d" option for the internal-sftp command.

It is not clear to me (by manpages) if it should be the same as
ChrootDirectory or a path *under* ChrootDirectory.  Maybe you could try
to remove this "-d" option.
-- 
Manuel Giraud



Re: relayd fallback when using tag/tagged

2024-02-13 Thread Manuel Giraud
Joel Carnat  writes:

> Hello,
>
> I'm trying to configure relayd(8) to use tags, to allow legit host
> names only and modify HTTP headers, and fallback. But I can't have it
> working properly.
>
> Using such a configuration:
> #-8<---
> table   { 192.0.2.4 }
> table  { 192.0.2.7}
> http protocol www {
>   block
>   match request header "Host" value "www.example" tag "example"
>   pass request tagged "example" forward to 
> }

I've not tested it but maybe you're missing this last rule in the
previous block:

pass request forward to 
-- 
Manuel Giraud



Re: OpenBSD_one_site_web_hosting_software_recommendation

2023-11-09 Thread Manuel Giraud
"Peter N. M. Hansteen"  writes:

> On Thu, Nov 09, 2023 at 12:38:27PM +0100, soko.tica wrote:
>> I have a task to launch from scratch one site web hosting google cloud
>> instance.
>> 
>> I know OpenBSD does have httpd web server, but I couldn't have found
>> neither wordpress nor joomla software neither in packages nor in ports (7.4
>> -stable).
>> 
>> Is there a possibility to launch wordpress or joomla on such an instance on
>> OpenBSD? Which manpages should I read?
>
> You're probably right that those systems do not come pre-packaged for
> OpenBSD.

Yes and I think there is no point in pre-packaging them.  Wordpress
wants to manage its update.  I have some sites with this stack
(OpenBSD/mariadb/php-fpm/httpd) and it just works.

From this stack, the only thing that you will find in man pages is what
is related to httpd.  You could also read pkg-readmes for mariadb and
php-fpm.  And, as Peter said, the rest will be on the internet.  Good luck.
-- 
Manuel Giraud



Re: vmd and /dev/sd*

2023-10-13 Thread Manuel Giraud
Mike Larkin  writes:

> On Thu, Oct 12, 2023 at 09:24:33AM -0600, Theo de Raadt wrote:
>> Manuel Giraud  wrote:
>>
>> > > Manuel Giraud  writes:
>> > >
>> > >> Hi,
>> > >>
>> > >> I can't find the information on this list (or elsewhere).  Is it
>> > >> possible to have a vm that accesses a disk through its device?  The
>> > >> following does not seem to work:
>> > >>
>> > >> # vmctl start -cL -m 1G -b /bsd.rd -d /dev/sd1c myvm
>> > >> vmctl: start vm command failed: Unknown error: -1
>> > >
>> > > No, passing file descriptors to devices over ipc sockets isn't currently
>> > > allowed by the kernel. You'd need to use the raw character device, too,
>> > > afaik if passing them were allowed.
>> >
>> > Ok, noted.  BTW I have the same error passing the raw character device.
>>
>>
>>
>> I made the decision to not allow passing of weird file descriptor types
>> very intentionally.  I'm still very sure that is the right decision.
>>
>> Here's 1 program which wants to do it, but the other 1000 pledge'd programs
>> are being protected from being passed an incorrect fd and then doing system
>> calls upon it which behave "different".  By that, I mean seek, read, and
>> write short-operation behaviours are subtly different outside of files and
>> sockets, and it would also expose some ioctl (which is MOSTLY limited by
>> pledge, but ioctl "request" values are just numbers, and they can overlap in
>> surprising ways).
>>
>
> I would like to make clear that vmd does not "want to do it", and that I agree
> that the current design of not being able to pass these types of fds is
> correct. It may be slightly inconvenient for certain niche use cases, but not
> worth weakening everything else or putting in hacks. Just dd the device you
> want to a .raw file and use that.

Thanks for making that clear.  I do not understand all the security
implications but you do :)  Maybe to prevent future requests, you could
have a more explicit error message.
-- 
Manuel Giraud



Re: vmd and /dev/sd*

2023-10-12 Thread Manuel Giraud
Dave Voutila  writes:

> Manuel Giraud  writes:
>
>> Hi,
>>
>> I can't find the information on this list (or elsewhere).  Is it
>> possible to have a vm that accesses a disk through its device?  The
>> following does not seem to work:
>>
>> # vmctl start -cL -m 1G -b /bsd.rd -d /dev/sd1c myvm
>> vmctl: start vm command failed: Unknown error: -1
>
> No, passing file descriptors to devices over ipc sockets isn't currently
> allowed by the kernel. You'd need to use the raw character device, too,
> afaik if passing them were allowed.

Ok, noted.  BTW I have the same error passing the raw character device.

>> What would be the alternatives?
>
> None I know of.

FTR, I ended up creating a disk image, configuring it as vnd and copying
my files there.  I could then use this image as a vmctl disk.  Thanks.
-- 
Manuel Giraud



vmd and /dev/sd*

2023-10-12 Thread Manuel Giraud
Hi,

I can't find the information on this list (or elsewhere).  Is it
possible to have a vm that accesses a disk through its device?  The
following does not seem to work:

# vmctl start -cL -m 1G -b /bsd.rd -d /dev/sd1c myvm 
vmctl: start vm command failed: Unknown error: -1

What would be the alternatives?

Thanks,
-- 
Manuel Giraud



Re: httpd and locale

2023-01-31 Thread Manuel Giraud
Omar Polo  writes:

> On 2023/01/30 15:57:03 +0100, Manuel Giraud  wrote:
>> Hi,
>> 
>> Is it possible to serve files with non ASCII UTF-8 characters in their
>> names with httpd?  I have tried to start httpd like this:
>> 
>>   $ env LC_CTYPE=en_US.UTF-8 httpd -d
>> 
>> But, I always get a 404 error on such files.  Am I missing something?
>> Or maybe this behaviour is on purpose?
>
> The encoding of the filename shouldn't matter.  UNIX file names are
> just bytestrings where only '/' and '\0' are disallowed.

Thanks for this explanation!  I was wrong.  httpd is not the cause here.
A file was uploaded through a CMS and stored as latin-1 in base and then
copied over by another means (that should have translated it to UTF-8).
Encoding problems are fun :-|  Sorry for the noise.
-- 
Manuel Giraud



httpd and locale

2023-01-30 Thread Manuel Giraud
Hi,

Is it possible to serve files with non ASCII UTF-8 characters in their
names with httpd?  I have tried to start httpd like this:

  $ env LC_CTYPE=en_US.UTF-8 httpd -d

But, I always get a 404 error on such files.  Am I missing something?
Or maybe this behaviour is on purpose?

Thanks.
-- 
Manuel Giraud



Re: Can I undo OpenBSD GPT partition table and recover my data? was: Triple booting Windows/Debian/OpenBSD?

2022-11-03 Thread Manuel Giraud
Ottavio Caruso  writes:

[...]

> So I officially joined the club of idiots who don't back up their
> partition table.

And hopefully, you have it backed up on this mailing list.  Both
screenshots are big for a list and useless (you probably already created
a GPT so what you see is a fresh EFI sys and openbsd area).

But if what you sent before (from debian) is correct, you have all the
numbers you need: that is what you should reproduce with fdisk to
retrieve your 654264320 sectors of FAT32.  And then, make a backup.
-- 
Manuel Giraud



Re: Dell PowerEdge 730xd

2021-09-30 Thread Manuel Giraud
Jonathan Matthew  writes:

> On Mon, Sep 27, 2021 at 05:30:01PM +0200, Manuel Giraud wrote:
>> Hi,
>> 
>> Does anyone use one of those? I can reliably freeze them with some I/O
>> load with rsync for example. I don't have much more to say. Here is the
>> dmesg:
>
> Does this IO load involve either of the SSDs you have set up as physical
> disks, or just the logical volumes?  mfii(4) has problems with
> physical disks.

This IO load is on the logical volumes… but the OS is on one of those
two physical disks. So this might be a bad idea to have the system on a
physical disk handled by mfii?
-- 
Manuel Giraud



Dell PowerEdge 730xd

2021-09-27 Thread Manuel Giraud

-- 
Manuel Giraud



Re: Reinstall to upgrade

2020-11-26 Thread Manuel Giraud
Stuart Henderson  writes:


[...]

> What you need is:
>
>  $ pkg_delete -an 2>&1 > /tmp/foo
>
> - redirect stderr to stdout, then redirect stdout (which now includes
> stderr) to /tmp/foo.

This does not really work. There is some information left but not the
list of unused dependencies.

This list seems to be part of the progress bar. With script, as proposed
by Navan, the output is mangled with * and escape sequence. And if you
use -x, you do not get the list either.
-- 
Manuel Giraud



Re: Reinstall to upgrade

2020-11-25 Thread Manuel Giraud
Chris Bennett  writes:


[...]

> Sometimes you just have to do tedious. upgrade vs install does not give
> you the same system. I almost never do a fresh install, but every once
> in a while, it's a good choice.
> Hope this is helpful. Others may give different or better advice.
> sysupgrade is a tool of convenience. I like it, but never had any
> problems doing things manually.

Thanks for your reply. The "pkg_delete -an" did the trick: I saved some
GB with this.

I have one (somewhat) related question left: is it possible to capture the
output of pkg_delete -an in a file? I tried the following (without
luck):
   $ pkg_delete -an > /tmp/foo
   $ pkg_delete -an > /tmp/foo 2>&1

> Useful advice: Learn to use ed. It will save your butt during
> disasters!

Yes I know :-) I always have to look that up mostly to change DUID in
/etc/fstab.
-- 
Manuel Giraud



Re: Reinstall to upgrade

2020-11-25 Thread Manuel Giraud
Sebastien Marie  writes:

> looks at the output of:
> # pkg_delete -a -n

That was quick! Thanks to both of you.
-- 
Manuel Giraud



Reinstall to upgrade

2020-11-25 Thread Manuel Giraud
Hi,

I'd like to upgrade (on -current) and, in the process, remove some cruft
accumulated over the years. I usually do sysupgrade and sysclean for
system.

But for packages, I think it would be better to reinstall everything
since "pkg_check -F" does not seem to complain and I can see I have,
for example, some firefox-57 files left.

I think I could do the following but I don't know if it is safe:
- sysupgrade (+ sysclean)
- pkg_info -mz > mypkg
- umount /usr/local
- newfs partition_of_usr_local
- mount /usr/local
- pkg_add -l mypkg

Or maybe, I should dump, do a complete reinstall, pkg_add -l mypkg,
restore /home and, tediously, restore some /etc files.
How would you do this?
-- 
Manuel Giraud



Re: password-less user (without bothering security(8))?

2019-12-10 Thread Manuel Giraud
Evan Silberman  writes:

> Why not assign a long, random password and then not share it with the
> user?

Or you can set your encrypted password to "*" as it is done for other
daemon users. You can use chpass(1) for this.
-- 
Manuel Giraud



Re: sbcl vs uvm

2018-08-29 Thread Manuel Giraud
Gregor Best  writes:

> that looks like a stack space exhaustion. I've had something similar
> while compiling
> OCaml's merlin package. I solved it with the brutest of forces by adding
>
> :stacksize=infinity:\

Thank you for the hint but this does not work for sbcl (w/ thread)
compilation. AFAIU, for each thread sbcl mmaps a rather big area (about
5MB) as MAP_STACK. Don't know if it is usual?
-- 
Manuel Giraud



sbcl vs uvm

2018-08-29 Thread Manuel Giraud
Hi,

I used to build current sbcl (common lisp compiler) with threads support
on -current amd64. For maybe 2/3 months, it does not compile anymore. On
sbcl self test for threads, I get the following strange dmesg entry:

trap [sbcl]46252/177072 type 6: sp 2f76e78b8 not inside 2f74f8000-2f76e8000

My question is: should I look for sbcl doing something nasty here or
should I look for a bug in uvm?

(I've cc'ed Josh because he has taken care of upstream patch after the
MAP_STACK introduction)
-- 
Manuel Giraud



Re: httpd+relayd behind a proxy

2017-09-27 Thread Manuel Giraud
Manuel Giraud <man...@ledu-giraud.fr> writes:

> Hi,
>
> I have a website that is served with httpd+relayd behind a proxy (that I
> don't control). The said proxy is responsible for the public side TLS
> handshake with clients and I serve with relayd TLS and a local httpd
> without TLS.
>
> The problem is that I end up serving "mixed content" because the
> $_SERVER[HTTPS] variable is not set. What would be the best (easier) way
> to have this variable set?

Reply to self:

All I had to do was to listen with tls on in httpd.conf and do a
"forward with tls to" in relayd.conf (BTW thanks for those great man
pages!)
-- 
Manuel Giraud



httpd+relayd behind a proxy

2017-09-26 Thread Manuel Giraud
Hi,

I have a website that is served with httpd+relayd behind a proxy (that I
don't control). The said proxy is responsible for the public side TLS
handshake with clients and I serve with relayd TLS and a local httpd
without TLS.

The problem is that I end up serving "mixed content" because the
$_SERVER[HTTPS] variable is not set. What would be the best (easier) way
to have this variable set?

Here is my relayd.conf:

addr1="172.16.13.17"
addr2="172.16.13.14"
table  { 127.0.0.1 }
table  { 127.0.0.1 }

http protocol reverse_proxy {
match request path "/events*" forward to 
match response header set "Connection" value "close"

# Various TCP performance options   
tcp { nodelay, sack, socket buffer 65536, backlog 128 }
}

http protocol http {
# Various TCP performance options
tcp { nodelay, sack, socket buffer 65536, backlog 128 }
}

http protocol http+cache {
tcp { nodelay, sack, socket buffer 65536, backlog 128 }
match response header set "Cache-Control" value "max-age=1814400"
return error
pass
}

relay wwwtls {
listen on $addr1 port 443 tls
protocol reverse_proxy

forward to  port 8080 check tcp
forward to  port 8083 check tcp
}

relay wp {
listen on $addr2 port 80
    protocol http
forward to  port 8081 check tcp
}
-- 
Manuel Giraud



Re: Screen brightness

2017-07-23 Thread Manuel Giraud
G <gp...@mailbox.org> writes:

> vga1 at pci0 dev 2 function 0 "Intel HD Graphics 520" rev 0x07

Hi, you have an Intel HD Graphics 520 for which inteldrm(4) support was
added very recently. So, to have graphic acceleration and backlight
support, you have to upgrade to current or wait for 6.2.
-- 
Manuel Giraud



reverse proxy with relayd(8) (but not nginx)

2017-06-29 Thread Manuel Giraud
Hi,

I'd like to setup a http reverse proxy where http://foo.org/someapp is
forwarded to 127.0.0.1:8081 and http://foo.org/* is forwarded to
somewhere else.

AFAIU, it is not possible with httpd(8) so I'm trying to do this with
relayd(8). There is an example in the httpfilter protocol in
/etc/examples/relayd.conf that does this to block an url:

# Block disallowed sites
match request label "URL filtered!"
block request quick url "www.example.com/" value "*"

But, I can't make it to forward to a server and port. Does anyone have
such a config?
-- 
Manuel Giraud



Re: Headphone with Conexant CX20724

2017-06-27 Thread Manuel Giraud
Maurice McCarthy <mansel...@gmail.com> writes:

> I'm no expert but I'd check audioctl for the number of play channels.
> Mine looks so~

I also have 2 play.channels:

name=azalia0
mode=
pause=0
active=0
nblks=2
blksz=960
rate=48000
encoding=s16le
play.channels=2
play.bytes=0
play.errors=0
record.channels=2
record.bytes=0
record.errors=0

> $ mixerctl outputs.hp_mute=off

I don't have this entry and mixerctl said so. I think I'll have to dive
into understanding azalia, now.
-- 
Manuel Giraud



Re: Headphone with Conexant CX20724

2017-06-27 Thread Manuel Giraud
Edgar Pettijohn <ed...@pettijohn-web.com> writes:

> mixerctl (1) handles a lot of stuff. Take a look at its output and
> you may find something that needs tweaking.

I started with mixerctl but did not find anything. And everything seems
reasonable (no?):

inputs.dac-0:1_mute=off
inputs.dac-0:1=126,126
inputs.dac-2:3_mute=on
inputs.dac-2:3=126,126
inputs.beep=108
record.adc-0:1_source=mic2
record.adc-0:1_mute=off
record.adc-0:1=126,126
record.adc-2:3_source=mic2
record.adc-2:3_mute=off
record.adc-2:3=126,126
outputs.spkr_source=dac-2:3
outputs.spkr_eapd=on
inputs.mic=85,85
outputs.mic_dir=input-vr80
inputs.mic2=85,85
outputs.hp_source=dac-0:1
inputs.hp=85,85
outputs.hp_dir=output
outputs.hp_boost=off
outputs.hp_eapd=on
outputs.mic_sense=unplugged
outputs.hp_sense=plugged
outputs.spkr_muters=hp
outputs.master=126,126
outputs.master.mute=off
outputs.master.slaves=dac-0:1,dac-2:3
record.volume=126,126
record.volume.mute=off
record.volume.slaves=adc-0:1,adc-2:3

-- 
Manuel Giraud



Headphone with Conexant CX20724

2017-06-26 Thread Manuel Giraud

-- 
Manuel Giraud



acme-client(1) and http_proxy

2017-04-21 Thread Manuel Giraud
Hi,

I'm trying to use the new acme-client on a server behind a corporate
proxy (i.e. I have to set a http_proxy to get out). It seems (from
reading the code) that acme-client(1) does not honor http_proxy.

Is this on purpose? If so, can someone point me to another acme client
that does this?
-- 
Manuel Giraud



Re: Help with server not accepting new connections but is still accessible through ONE existing open ssh-session

2017-02-01 Thread Manuel Giraud
Erling Westenvik <erling.westen...@gmail.com> writes:

> However, I got inspired and when I disabled pf (pfctl -d) I got full
> contact! (But -- when I turned pf back on (pfctl -e) I lost the one
> connection I had... Now I have to wait 48 minutes for the server to
> reboot. Not much more to do now except for crossing my fingers...)

Err, yes but won't pf be enabled at boot time? Hopefully, some of your
pf tables will be reset.
-- 
Manuel Giraud



dump(8) file size

2015-10-13 Thread Manuel Giraud
Hi,

Say I have a dump file of some level (>0) and I want to know the size of
files in it, how can I do that? It seems that the ls of restore -i can
only give me inode numbers.
-- 
Manuel Giraud



Re: lynx is gone?

2015-03-04 Thread Manuel Giraud
Peter Hessler phess...@theapt.org writes:

> 1) lynx has some amazingly insecure code
>
> 2) the installer installs a functional pkg.conf if you installed from
> the network.

3) nethack is not in base

-- 
Manuel Giraud



Re: disk change-out and packages

2015-03-04 Thread Manuel Giraud
Ed Ahlsen-Girard eagir...@cox.net writes:

> I decided to upgrade the internal drive, so I hooked up the new one on
> the CD's usual SATA channel and installed, having adjusted the disklabel
> more to suit me (the auto partition of /usr left it really tight on
> space, and home was not big enough).
>
> First method: mount all the slices in /tree and run a series of cp -R
> as root. Files seemed to get there but something was not right with
> permissions when I tried booting the new disk, so I dropped back and
> did some research.

For this kind of thing, dump/restore is a good way too that won't mess
anything up. AFAIK your different source directories (/, /home, ...) have
to already be different partitions, then you can go like this:

# mount -o async /dev/sd?a /tree
# cd /tree
# dump -0a -f - / | restore -rf -
# mount -o async /dev/sd?d /tree/home
# cd /tree/home
# dump -0a -f - /home | restore -rf -

-- 
Manuel Giraud



Re: DUMP: fopen on /dev/tty fails

2015-01-05 Thread Manuel Giraud
Jan Stary h...@stare.cz writes:

 On Jan 05 12:19:13, o...@drijf.net wrote:
 On Mon, Jan 05, 2015 at 11:33:13AM +0100, Jan Stary wrote:
 
  On Jan 05 10:58:02, o...@drijf.net wrote:
   On Mon, Jan 05, 2015 at 10:19:54AM +0100, Jan Stary wrote:
   
This is a daily mail from my Alix router.
I do a dump in daily.local (see below)
and most of the time it works just fine.
Occasionaly though, the DUMP fails saying

   DUMP: End of tape detected
   DUMP: Volume 1 completed at: Mon Jan  5 01:30:44 2015
   DUMP: Volume 1 took 0:00:07
   DUMP: Volume 1 transfer rate: 2101 KB/s
   DUMP: Change Volumes: Mount volume #2
   DUMP: fopen on /dev/tty fails: Device not configured
   DUMP: The ENTIRE dump is aborted.

That puzzles me, as I dump to stdout,
redirecting to a file (see below).

(I vaguely remember that the reason I switched from
dump -f file.dump ... to dump -f - ...  file.dump
was that I was advised her by a developer about
the tape legacy of dump, but I forgot what exactly
was the problem then and can't find it in archives.)

Why would dump -f -  ...  file.dump think
that it reached an end of tape?
   
   Because dump is a bit dumb. You need to use -a, see man page.
  
  But I do, see the code below.
 
 Hmm indeed, then it's my guess you are running out of disk. The
 numbers do not seems to warrant that, though.

 Hm. This is dump of level 0, on a Monday morning,
 when I rm the previous dumps and start anew
 - could it be that the free space made by rm
 only becomes available a _bit_ late due to softdep?

   [ x$l = x0 ]  rm -f $BKPDIR/dump$fsname.?
   f=$BKPDIR/dump$fsname.$l
$f  chown $BKPUSR:$BKPGRP $f  chmod 600 $f
   dump -$l -a -u -f - $fs  $f 2 $BKPLOG

 Because that happens, right? Create a few huge files
 on a softdep FS, then remove them; the free space
 only appears a bit later.

 I will try to add a sync in between the rm and the dump -0

I have had this type of message when dump asks some question to the
operator. I don't remember what the issue was and cannot reproduce. It
was on level 1 dump too.
-- 
Manuel Giraud



Re: mail.ssh with netstat command

2014-06-20 Thread Manuel Giraud
Indunil Jayasooriya induni...@gmail.com writes:

> How to find this mail.ssh ?

I'll start with a netstat -n
-- 
Manuel Giraud



Re: Encrypting httpd/nginx and friends

2014-03-28 Thread Manuel Giraud
Erling Westenvik erling.westen...@gmail.com writes:

> Since none of the servers have tools for remote administration, my only
> option for unlocking any crypto volumes will be over ssh(4). AFAIK that
> means I cannot encrypt any parts of the OS itself since all partitions
> are required to be present for the OS to be able to boot up to a point
> where it can offer sshd(8), right?

I have a not-so-simple setup for this. Everything but / is in a
crypto softraid. Upon startup I run a self-contained sshd with the
following patch against a 5.4 /etc/rc:

--- etc/rc  Tue Jul 30 19:52:22 2013
+++ /etc/rc Tue Mar 25 15:23:48 2014
@@ -284,8 +284,19 @@
exit 1
;;
8)
-   echo Automatic file system check failed; help!
-   exit 1
+   echo Automatic file system check failed; help (from 
outterspace)!
+   ifconfig em0 x.x.x.x netmask 255.255.255.0
+   route -qn add default x.x.x.x
+   mount -uw /
+   /root/sshd -De \
+   -o PasswordAuthentication=no \
+   -o PermitRootLogin=yes \
+   -o ChallengeResponseAuthentication=no \
+   -o UsePrivilegeSeparation=no \
+   -o UseDNS=no
+   mount -ur /
+   route -qn flush
+   ifconfig em0 down delete
;;
12)
echo Boot interrupted.
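Review bot: `-o PermitRootLogin=yes` next to `-o UsePrivilegeSeparation=no` in the `/root/sshd -De` call puts a root-login listener with no privilege separation on the network while `/` is mounted read-write, and nothing in the hunk limits who may connect or records why these settings are needed. Suggest adding `-o AllowUsers=root`, a comment above `mount -uw /` explaining why the root file system must be writable for this step, and a check of sshd's exit status before the branch reaches `;;`, since the removed `exit 1` means boot now continues whatever happened.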

I can then connect as root (with the correct authorized_keys) and bioctl
the crypto softraid and finally kill this sshd.

Drawbacks:
- compile a self-contained sshd (see crunchgen(8) for this) (if
  possible do this after the time_t patch)
- be careful with /etc/rc merge
-- 
Manuel Giraud



ntfs with big files

2013-10-10 Thread Manuel Giraud
Hi,

I have a ntfs partition with rather large (about 3GB) files on it. When
I copy these files on a ffs partition they are corrupted. When I try to
checksum them directly from the ntfs partition the checksum is not
correct (compared to the same file on a fat32 partition copied with
Windows).

I tried this (with same behaviour) on i386 5.3 release and on i386 last
week current. I'm willing to do some testing to fix this issue but don't
really know where to start.
-- 
Manuel Giraud



Re: Xwindows Startup without user login

2013-04-10 Thread Manuel Giraud
Renaud Allard ren...@allard.it writes:

> # echo 'su - auser -c /usr/X11R6/bin/startx'  /etc/rc.local

The problem with this is that the end of /etc/rc won't be executed. Most
notably you won't have cron running.

-- 
Manuel Giraud



rtorrent is pmrwaiting

2013-01-07 Thread Manuel Giraud
Hi,

After a recent upgrade to -current (yesterday from ftp.fr.openbsd.org),
rtorrent (with ~10 active torrents) ends up waiting on pmrwait
(according to top). I cannot even kill -9 this process. I never ran into
this issue with a one month old -current.
-- 
Manuel Giraud



Re: OpenBSD's webpage desing

2012-06-27 Thread Manuel Giraud
Chris Cappuccio ch...@nmedia.net writes:

> Duh, this is OpenBSD. We use
>
> banner `ftp -o - http://www.openbsd.org/`

You mean: banner `lynx -dump http://www.openbsd.org/`
-- 
Manuel Giraud



libc.so.64.1?

2012-05-16 Thread Manuel Giraud
Hi,

I've just tried to update and it seems that the current
snapshots/i386/base51.tgz doesn't contain /usr/lib/libc.so.64.1.  If
that's to be expected following -current, I'll wait a couple of days
before re-updating.



[SOLVED] Re: ssh vpn

2011-12-01 Thread Manuel Giraud
Manuel Giraud man...@ledu-giraud.fr writes:

> Hi,
>
> I've set up an openssh based vpn as described in ssh(1). Now, I want to
> send all my traffic through this pipe. So I've put the following nat
> rules on both ends of the pipe:
> match out on em0 from tun0:network nat-to (em0)
>
> and modified the client route table like this:
> route add ssh-server-ip isp-gw
> route change default 10.1.1.1 # <--- IP on tun0
>
> It works as needed but now I need to access a service (e.g. a www
> server) on ssh-server-ip and the www port is filtered by isp-gw. How
> can I do this? (I've tried some rdr-to and route-to rules on specific
> port without success).

Ok, I reply to myself because I found something that works. I prepend
the two following rules to my client /etc/pf.conf:

match out proto tcp from em0 to ssh-server-ip port www \
rdr-to tun0:peer
pass out quick proto tcp from em0 to tun0:peer port www \
nat-to tun0

Don't know if it is the best way to do it though.
-- 
Manuel Giraud



ssh vpn

2011-11-30 Thread Manuel Giraud
Hi,

I've set up an openssh based vpn as described in ssh(1). Now, I want to
send all my traffic through this pipe. So I've put the following nat
rules on both ends of the pipe:
match out on em0 from tun0:network nat-to (em0)

and modified the client route table like this:
route add ssh-server-ip isp-gw
route change default 10.1.1.1 # <--- IP on tun0

It works as needed but now I need to access a service (e.g. a www
server) on ssh-server-ip and the www port is filtered by isp-gw. How
can I do this? (I've tried some rdr-to and route-to rules on specific
port without success).
-- 
Manuel Giraud



spamd-setup in crontab

2011-11-14 Thread Manuel Giraud
Hi,

I've just set up a mail server with 5.0. I have put spamd in front (in
default greylisting mode). It works great following the man pages but
when I activate the spamd-setup entry in root's crontab, I receive the
following error by mail:

spamd-setup: ftp: Could not add blacklist uatrapsWriting -: : Illegal seek
Broken pipe

If I call spamd-setup as root I have no error message. (note: I've used
the default /etc/mail/spamd.conf file). How can I sort this out?
-- 
Manuel Giraud



Re: i386 softraid crypto panic

2011-06-07 Thread Manuel Giraud
Matthew Dempsky matt...@dempsky.org writes:

> That line is from my softraid scsibus diff, which was included in the
> Jun 5 snapshots.  There was a bug where it didn't properly unwind a
> failed BIOCCREATERAID attempt.

Ok, it works now with a more recent snapshot. I thought it could be one
of those FBI patches. Thanks.

-- 
Manuel Giraud



i386 softraid crypto panic

2011-06-06 Thread Manuel GIRAUD

-- 
Manuel Giraud



Re: install on softraid

2011-04-08 Thread Manuel Giraud
Mindless Gr nomindles...@yahoo.com writes:

> The last time I have done it I remember that was a little tricky from install
> to initialize second disk from the shell
>
> Don't remember how have done it though

AFAICR, you have to cd to /dev/ and sh MAKEDEV the new devices.

-- 
Manuel Giraud



Re: restore wants a new tape but none exists!

2011-03-09 Thread Manuel Giraud
Brett Lymn bl...@baea.com.au writes:

> [...]
> The safest way to do a dump is when the machine is in single user mode
> for this very reason but many people play fast and loose because they
> cannot wear the outage for a backup, in that case you must quiesce the
> file systems as best you can.  Really, this is well known unix sys
> admin procedure.

That makes sense but it makes me wonder how one practically uses
dump/restore to do regular backups? Tell users, go to the machine room,
boot -s and dump? I thought that it was something done in cron on a
running machine.

-- 
Manuel Giraud



Re: Printing (well anything) using lpd...

2011-02-02 Thread Manuel Giraud
Jacob Meuser jake...@sdf.lonestar.org writes:

> On Tue, Feb 01, 2011 at 03:59:02PM +0100, Manuel Giraud wrote:
>> Jacob Meuser jake...@sdf.lonestar.org writes:
>>
>>> foomatic is pretty easy to set up.
>>
>> Thread hijacker here. I tried to set up a lpd/foomatic for a printer over
>> network and always end up with this kind of message in
>> /var/log/lpd-errs:
>>
>> Well. Searching the web, this seems to be related to this:
>> http://old.nabble.com/foomatic-stops-working-again-td29285534.html#a29287775
>> And might be already fixed in -current (I think I should shut up and
>> test then).
>
> as we're now at 4.9-beta, it's definitely a good time to be testing
> -current.

FWIW it works like a charm with a snapshot and a recent hpijs,
foomatic-filters.

-- 
Manuel Giraud



Re: Printing (well anything) using lpd...

2011-02-01 Thread Manuel Giraud
Jacob Meuser jake...@sdf.lonestar.org writes:

> foomatic is pretty easy to set up.

Thread hijacker here. I tried to set up a lpd/foomatic for a printer over
network and always end up with this kind of message in
/var/log/lpd-errs:
--8---cut here---start-8---
Feb  1 13:46:29 K lpd[6548]: restarted
foomatic-rip version 4.0.4.217 running...
called with arguments: '-w132', '-l66', '-i0', '-n', 'manuel', '-j', 'foo.pdf', 
'-h', 'K', '/etc/foomatic/HPcolor.ppd'
Parsing PPD file ...
Added option Resolution
Added option PageSize
Added option Model
Added option PrintoutMode
Added option InputSlot
Added option Duplex
Added option Quality
Added option ImageableArea
Added option PaperDimension
Added option Font

Parameter Summary
-

Spooler: lpd
Printer: 
Shell: /bin/ksh
PPD file: /etc/foomatic/HPcolor.ppd
ATTR file: 
Printer model: HP Color LaserJet 4500 hpijs pcl3, 3.10.4.16
Options: foo.pdf 
Job title: foo.pdf
File(s) to be printed:
STDIN

Printing system options:
Pondering option 'foo.pdf'
Unknown boolean option foo.pdf.
Options from the PPD file:



File: STDIN



Filetype: PDF
Process is dying with Cannot find a writable temp dir., exit stat 9
Cleaning up...
Feb  1 13:46:58 K lpd[24642]: col: filter 'f' exited (retcode=9)
Feb  1 13:48:01 K lpd[24642]: mail sent to user manuel about job foo.pdf on 
printer col (FILTERERR)
Feb  1 13:48:01 K lpd[24642]: col: job could not be printed (cfA007K)
--8---cut here---end---8---

I'm using 4.8 stable with packages. /etc/foomatic/HPcolor.ppd is a copy
of
/usr/local/share/foomatic/db/source/PPD/HP/hp-color_laserjet_4500-hpijs-pcl3.ppd.gz
from the hpijs package.

I've also installed foomatic-filters and my /etc/printcap is:
--8---cut here---start-8---
col|HP Color: \
	:lp=9100@192.168.0.12:\
	:af=/etc/foomatic/HPcolor.ppd:\
	:if=/usr/local/bin/foomatic-rip:\
	:sd=/var/spool/output:\
	:lf=/var/log/lpd-errs:\
	:sh:
--8---cut here---end---8---

Well. Searching the web, this seems to be related to this:
http://old.nabble.com/foomatic-stops-working-again-td29285534.html#a29287775
And might be already fixed in -current (I think I should shut up and
test then).
-- 
Manuel Giraud



Re: Running ksh -l in terminal window under XFCE

2011-01-25 Thread Manuel Giraud
Paolo Aglialoro paol...@gmail.com writes:

> Is there some variable to set or am I missing some obvious parameter
> config?

I had the same problem and starting my .xsession with #!/bin/ksh -l
does the trick as any child process (not just shells) will have the
correct environment.

-- 
Manuel Giraud



Re: bioctl -P, change passwords on crypto volumes

2010-12-20 Thread Manuel Giraud
Christopher Zimmermann madro...@zakweb.de writes:

> Is it possible to change the number of rounds, too, or do I have to
> backup/restore the volume? At the moment I have to wait for about 7s for
> my crypto volume to come up. I'd rather use a slightly longer
> passphrase.

I think not because the man page says "When creating volume" and it
seems in sync with source because the number of rounds is read from
disk in the bio_changepass function (AFAIU).

-- 
Manuel Giraud



Re: application key mappings in cwm

2010-04-09 Thread Manuel Giraud
Michael W. Lucas mwlu...@blackhelicopters.org writes:

> Any suggestions for remapping keys to restore control-shift-arrow
> highlighting in apps, without losing cwm's behavior?  Is there a
> specific OpenBSD way to do that, or a particular man page I should
> read?

man 5 cwmrc

rebinding example:

bind C-Down unmap
bind 4-Down movedown

-- 
Manuel Giraud



-current or -stable [was: Not another Browser Question]

2010-03-03 Thread Manuel Giraud
J.C. Roberts list-...@designtools.org writes:

> The short answer is painfully simple; if you're running OpenBSD as your
> desktop/laptop and you have a clue, then run just -current.
>
> These days, the -stable branch still exists primarily due to historical
> precedence for people unwilling to update their thinking.

After 6 months using -current as desktop I was about to follow the
opposite path and try to stay -stable (after 4.7 is released).

Using -current, I sometimes have had to upgrade to the latest snapshot
just because I wanted to install some new package and bumped into an
error like "not good version of libc".

In fact, I thought that having a -release (and -stable) was a strength
of OpenBSD (if not, why put so much effort into that).

-- 
Manuel Giraud



Re: -current or -stable [was: Not another Browser Question]

2010-03-03 Thread Manuel Giraud
Scott McEachern sc...@erratic.ca writes:

> Huh?  Let me get this straight.  You want to use a *new* package.  You
> have to use -current to get the new package.  How do you figure
> running -stable will help?

I wasn't clear enough: by "new package", I meant a package not
installed on my system yet and not the bleeding edge version of one
package.

> I'm with J.C. Roberts on this one.  I got tired of seeing the cool
> kids playing with the new toys on -current, got over the (wrong)
> impression that -current is unstable, and started using -current with
> the goodies.  I haven't looked back since.

Maybe I'll stick to -current too. But I'd like to try staying
-stable for a while and I could still play with the new toys every 6
months anyway. I wonder why the FAQ recommends -stable over -current?

-- 
Manuel Giraud



Re: -current or -stable [was: Not another Browser Question]

2010-03-03 Thread Manuel Giraud
J.C. Roberts list-...@designtools.org writes:

> There's a story I remember reading about an OpenBSD user from Japan
> (possibly Mark Uemura?) who met an interesting fellow at a conference
> who asked what operating system he was running on his laptop. The
> OpenBSD user proudly stated, "I'm running OpenBSD X.Y Stable," and the
> interesting fellow replied, "You should be running current."
>
> Said interesting fellow turned out to be Theo.

It's good to know that -current stays such a stable system. But I think
that the 6 month release cycle is a good thing in OpenBSD.

-- 
Manuel Giraud



Re: Announcing: JigglyPuffBSD

2010-01-20 Thread Manuel Giraud
Jason Dixon ja...@dixongroup.net writes:

> http://jigglypuffbsd.blogspot.com/

Pokemon on OpenBSD at last!

-- 
Manuel Giraud



Re: the root is on

2010-01-18 Thread Manuel Giraud
Brad Tilley b...@16systems.com writes:

> Not sure I understand, but I have similar softraid crypto setups and
> there's no need to boot bsd.rd to edit /etc/fstab. When booting bsd or
> bsd.mp and you are dumped to sh to run bioctl, use ed to correct
> /etc/fstab there.

Yes, but I cannot edit /etc/fstab from here since the root_device is
mounted read-only.

In fact, I first do a mount -uw / and now I can edit fstab. But if the
root_device (as detected by kernel) is not what is said in fstab then
this won't work.

-- 
Manuel Giraud



Re: the root is on

2010-01-18 Thread Manuel Giraud
Raimo Niskanen raimo+open...@erix.ericsson.se writes:

> You can always mount -t ffs / /dev/sd1a.

Thanks for that! I didn't want to mess with the real /etc/rc so I ended up with
the following script that I put in /bin.

#!/bin/ksh

# Ask for a keyboard layout and apply it with kbd(8)
set_kbd() {
	local _layout _resp _default=1

	[[ -x /sbin/kbd ]] || return
	while :; do
		echo -n "Keyboard layout (1: fr; 2: fr.dvorak; 3: us)? [$_default] "
		read _resp && : ${_resp:=$_default}
		case $_resp in
		1) _layout=fr ;;
		2) _layout=fr.dvorak ;;
		3) _layout=us ;;
		esac
		[[ -z $_layout ]] || { /sbin/kbd $_layout && break; }
	done
}

# Set ROOT and RAID global var
get_devname() {
	local _str _arr

	# Read the "root on ..." line from dmesg
	_str=`ed -s !dmesg <<EOF
/^root on/,p
q
EOF`
	set -A _arr $_str

	ROOT=${_arr[2]}
	RAID=${ROOT%%a*}d
}

# Write an fstab that matches the detected root and decrypted devices
build_fstab() {
	cat <<EOF > /etc/fstab
/dev/${ROOT} / ffs rw 1 1
swap /tmp mfs rw,nodev,nosuid,-s=40960 0 0
/dev/${DECRYPT}f /home ffs rw,nodev,nosuid,noatime,softdep 1 2
/dev/${DECRYPT}e /usr ffs rw,nodev,noatime,softdep 1 2
/dev/${DECRYPT}d /var ffs rw,nodev,nosuid,noatime,softdep 1 2
EOF
}

# Unlock the crypto volume and set the DECRYPT global var
decrypt() {
	local _str _arr

	bioctl -c C -l /dev/$RAID softraid0

	# Reads relevant bioctl line
	_str=`ed -s "!bioctl -i softraid0" <<EOF
/CRYPTO/,p
q
EOF`
	(( $? )) && return 1

	# Split it
	set -A _arr $_str
	DECRYPT=${_arr[4]}

	return 0
}

# ed needs a /tmp
mount -t mfs -o rw,nodev,nosuid,-s=1000 swap /tmp
get_devname
mount -t ffs /dev/${ROOT} /
set_kbd
decrypt && build_fstab
fsck -p
-- 
Manuel Giraud
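
The device-name parsing that the script in the message above relies on, as an added example that is not part of the original post: it extracts the root partition from a dmesg "root on" line and the decrypted device from a `bioctl -i softraid0` listing, and fails cleanly when either line is missing. The function names and the sample dmesg and bioctl text are constructed for illustration; the sketch also assumes, as the script does, that the crypto chunk is partition d of the root disk.

```shell
#!/bin/sh
# Constructed sample inputs (not captured from a real machine).
SAMPLE_DMESG='softraid0 at root
scsibus2 at softraid0: 256 targets
root on sd1a (0123456789abcdef.a) swap on sd1b dump on sd1b'

SAMPLE_BIOCTL='Volume      Status               Size Device
softraid0 0 Online         8001563136 sd2     CRYPTO
          0 Online         8001563136 0:0.0   noencl <sd1d>'

# Print the partition named on the last "root on" line of a dmesg text.
# Returns non-zero when no such line exists.
root_part() {
	printf '%s\n' "$1" |
	awk '/^root on / { r = $3 } END { if (r == "") exit 1; print r }'
}

# Print partition d of the disk that holds the given partition.
# Strips only the trailing partition letter, so a disk name that itself
# contains the letter "a" is not truncated.
raid_part() {
	case $1 in
	[a-z][a-z]*[0-9][a-p]) printf '%sd\n' "${1%?}" ;;
	*) return 1 ;;
	esac
}

# Print the device of the first CRYPTO volume in a bioctl -i listing.
# Returns non-zero when no CRYPTO volume is attached (for example after
# a wrong passphrase), so the caller can skip writing /etc/fstab.
crypto_dev() {
	printf '%s\n' "$1" |
	awk '$1 ~ /^softraid[0-9]+$/ && $NF == "CRYPTO" {
		print $(NF - 1); found = 1; exit
	}
	END { exit !found }'
}

# Run the three steps on the constructed samples.
demo() {
	root=$(root_part "$SAMPLE_DMESG") || { echo "no root line" >&2; return 1; }
	raid=$(raid_part "$root") || { echo "bad partition name" >&2; return 1; }
	dev=$(crypto_dev "$SAMPLE_BIOCTL") || { echo "no CRYPTO volume" >&2; return 1; }
	printf 'root=%s raid=%s decrypted=%s\n' "$root" "$raid" "$dev"
}

demo
```
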



Re: the root is on

2010-01-16 Thread Manuel Giraud
Otto Moerbeek o...@drijf.net writes:

>> Here's a probably stupid question: since the kernel can detect the root
>> on sd0a why is there still a need for fstab entry for it?
>
> Because you might want to specify mount options, or an alternate root.

In fact, I was wondering because I have installed OpenBSD on a USB
flash drive.

I use softraid and have a script to decrypt the RAID partition and set up
a custom fstab with the correct 'sd?' for decrypted devices, it works
alright. But if root is not sd0a, I have to 'boot bsd.rd' and 'ed
/etc/fstab' before. Does anybody do this and have a better solution?

-- 
Manuel Giraud



the root is on

2010-01-15 Thread Manuel Giraud
Hi,

Here's a probably stupid question: since the kernel can detect the root
on sd0a why is there still a need for fstab entry for it?

-- 
Manuel Giraud



Re: What does your environment look like?

2010-01-06 Thread Manuel Giraud
Peter Miller feu...@gmail.com writes:

> I saved and re-use my config files everywhere. All my files stay on 1
> usb drive that I plug in to whatever cpu I'm using. I keep it backed
> up.

I'm curious about how you deal with that. I have the same annoying
problem of little differences in config files from system to system. Do
you make this usb drive your home, or rsync, or what?

I once set up a USB thumb drive with a complete OpenBSD and booted on
it everywhere I could but the writes were so slow that the thing was barely
usable (I think I might try it with an external HD).

-- 
Manuel Giraud