Re: Tricks for install OpenBSD under Virtualbox, host Windows XP
On Tue, Jan 8, 2013 at 6:40 AM, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:
>> Hi, I installed Virtualbox 2.2.4 and everything is 100%.
>
> You hope so but make it clear if you ever hit problems that you are not on bare metal as bug reports have been looked at and been found to be the fault of Virtualbox in the past with Theo commenting on their forum that he couldn't believe any OS would allow what it was doing with memory. I didn't speak up because others have said it's fixed, I wonder now if it is just the VT-X that fixed Virtualbox.

Also, Windows XP (which the original poster is using) is very old, and very close to end-of-life. Hosting virtualization on it, for a non-commercial project which Oracle inherited from Sun, is unlikely to be a long-term stable solution for anything, especially on XP. Not that Virtualbox is bad, I use it extensively myself for personal virtualization. But it means that he should make sure that his disk images are compatible with other virtualization tools, and that his backups of his OpenBSD system or of the disk image are working well, in case VirtualBox fails with new releases and he needs to host it elsewhere.
Re: BSD licensed gnupg replacement question
On Fri, Dec 7, 2012 at 4:24 PM, Chris Cappuccio ch...@nmedia.net wrote:
> Maximo Pech [mak...@gmail.com] wrote:
>> I said I can't code that.
>
> If you already knew the answer was "write it", then you asked the wrong question.
>
>> I know that gnupg is in the ports tree, but it just seems strange to me that it isn't on the base system, because for me it sounds logical that if one of the key points of openbsd is cryptography, it would have a bsd tool like gnupg. The netpgp thing looks very cool, I didn't know about it.
>
> Do you have any idea how absurd this is?
>
>> So my question is why there isn't a tool like that on base. I'm asking out of curiosity, maybe some historical reason, technical... I'm not trying to point this out as a fault, I just want to understand better the fact that gnupg or a bsd licensed equivalent isn't in the base system.
>
> The original PGP program was mostly public domain. As time went on, it went to a highly restrictive license. GnuPG, and later, NetPGP represent the people who had desires to fix that problem. If you want to do it again, nobody will stop you.
>
> OpenSSH and OpenBSD IPsec represent the OpenBSD solutions to the quality and licensing problems in those areas. OpenSSH is still the gold standard, OCF/IPsec, maybe not.

PGP worked, was public domain, encrypts files, and solved one problem. Network layer encryption is an entirely different, and for many, a much more important problem. SSH is the gold standard: OpenSSH is the popular and effective freeware version, which did solve a number of issues. The early history of SSH is interesting, and covered reasonably well at http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch01_05.htm.
Re: Low latency High Frequency Trading
On Thu, Nov 8, 2012 at 12:58 PM, Ariel Burbaickij ariel.burbaic...@gmail.com wrote:
> If money is not a problem -- go buy high-trading on the chip solutions and have sub-microsecond resolution.
>
> http://lmgtfy.com/?q=high+frequency+trading+FPGA

Seconded as a much more viable approach. The existing multicast approach for such data is much like trying to hurl apple pies with F-6 jets. By the time you've packaged the original data, blown it across the wire, re-assembled it, *and tagged and checksummed it for validity and correct packet order*, you're rarely any faster than a normal TCP transmission. This doesn't matter much for streaming video, but when you're talking about billion dollar stock prices and tracking and responding to very small changes in prices of large companies, the validity of each packet becomes critical.

Other factors also start becoming critical. Normal kernels aren't very good about consistently treating one service as incredibly high priority *and evening out the delays as they handle other processes* to keep behavior consistent. That's why I would *never* run such processing on Windows: between fancy graphics, unnecessary daemons, and critical anti-virus software, you just don't know when things will be delayed. And that's one of the many reasons that the ability to use FPGAs, which entirely sidestep the "what else is the kernel doing" process, is ideal for putting on much smaller, more modular devices. And the devices don't need anything so powerful or complex as even a stripped, optimized, BSD style kernel. (Though these can admittedly be very lean and very fast as OS kernels go.)
Re: OpenSSL handling intermediate certificates
On Thu, Aug 9, 2012 at 3:22 PM, Justin N. Lindberg justin.lindb...@gmail.com wrote:
> On Thu, 09 Aug 2012 09:18:00 +0200 Moritz Grimm mgmlist...@mrsserver.net wrote:
>> You always put trust into the whole chain (that's why you need intermediate certs in the first place), starting with your trusted root. If that trust turns out to be misplaced in any one of the components (root, intermediate, server), you lose.
>
> For a server certificate you can generally only lose inasmuch as that server or domain name is concerned. But for misplaced trust in an intermediate cert with certificate-signing capability, you lose big-time, because that cert can be used to sign a server cert for any domain whatsoever.

Such certificates have already been stolen. They're dependent on the security of the intermediate key owners, and they are demonstrably insecure. Check this URL for more details on the release of rogue SSL signing certificates through a Dutch firm:

http://www.computerworld.com/s/article/9219606/Hackers_stole_Google_SSL_certificate_Dutch_firm_admits

This is precisely why revocation of certificates is such a key aspect of SSL, and why the longstanding lack of such revocation, or even revocation of SSH host or user keys, remains a significant security concern. Very few infrastructures are really secure once someone is inside the network or has access to backups, and it's why the most secure OS in the world is, in many ways, an expensive waste of time if the basic security policies aren't in place.
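An added example, written here and not taken from the thread, that exercises the chain logic Moritz and Justin describe: it builds a throwaway root, intermediate and server certificate in a temp dir with the openssl CLI (assumed to be 1.0.2 or newer and on the PATH; every name and file is constructed), then verifies the server certificate the way a client does, trusting only the root:

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate
# -> server chain with the openssl CLI and verify the server cert the way a
# client does. All names, keys and files are constructed in a temp dir.
# Assumes the openssl command (1.0.2 or later) is on the PATH.

work=$(mktemp -d)
cd "$work" || exit 1

# Extension files: the two CA certs may sign certificates, the leaf may not,
# and the leaf is tied to exactly one host name.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# mkcsr <basename> <CN>: fresh EC key plus a signing request.
mkcsr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null &&
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# Root: self-signed. Intermediate: signed by the root. Leaf: signed by the
# intermediate only, so the root never sees the leaf directly.
mkcsr root "Constructed Root CA" &&
openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.crt 2>/dev/null
mkcsr int "Constructed Intermediate CA" &&
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.crt 2>/dev/null
mkcsr leaf "www.example.test" &&
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 2 -extfile leaf.ext -out leaf.crt 2>/dev/null

# verify_leaf <leaf> [intermediate]: trust only the root; the intermediate,
# if given, is offered as an untrusted chain member (as a TLS server would).
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CAfile root.crt -untrusted "$2" "$1"
    else
        openssl verify -CAfile root.crt "$1"
    fi
}

# verify_host <name>: full chain plus a host name check, which is the scope
# a server certificate's trust actually covers.
verify_host() {
    openssl verify -CAfile root.crt -untrusted int.crt -verify_hostname "$1" leaf.crt
}

verify_leaf leaf.crt || true        # fails: no path from the leaf to the trusted root
verify_leaf leaf.crt int.crt        # leaf.crt: OK, once the intermediate is supplied
verify_host www.example.test        # OK: the leaf's trust is bounded to this one name
verify_host other.example.test || true   # fails: hostname mismatch
```

The `-untrusted` file plays the role of the intermediate a TLS server sends along with its own certificate; the leaf only verifies because the intermediate carries `CA:TRUE` and `keyCertSign` and chains to the trusted root. Nothing in that check limits which host names the intermediate may sign for, which is exactly why losing control of an intermediate key is the larger loss, while the leaf is bounded by its subjectAltName and the host name check.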
Re: Shellscript escaping problem
On Fri, Aug 3, 2012 at 4:10 AM, Martijn Rijkeboer mart...@bunix.org wrote:
>>>> RSYNC_CMD=/usr/local/bin/rsync -v -n \
>>>>     --rsync-path='rsync sudo' \
>>>
>>> This doesn't do what you think it does. The single quotes are getting literally passed to rsync, they're not reinterpreted after $RSYNC_CMD is interpolated.
>>
>> Yep. $RSYNC_CMD will be split by space, tab or newline by default, or by the contents of $IFS, if set. If you need it to be reusable, I'd suggest making it a function or so:
>>
>>     synchronize() {
>>         /usr/local/bin/rsync -v -n \
>>             --rsync-path='/usr/bin/sudo /usr/local/bin/rsync' \
>>             --archive --one-file-system --compress --hard-links \
>>             --numeric-ids --human-readable --delete-after \
>>             --backup --backup-dir="deleted/$TODAY" \
>>             --exclude=deleted \
>>             "$@"
>>     }
>>
>>     synchronize "backup@fqdn:$DATADIR/dir/" "$DATADIR/dir"
>
> Using a function works without problems. Thanks to all who gave input.
>
> Kind regards,
>
> Martijn Rijkeboer

If you're doing complex rsync setups, you might also consider using rsnapshot as a wrapper. I just joined the maintainer list on that; it's a very useful old perl tool, well organized for frequent and well managed backups.
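As an added example (mine, not code from the thread), here is the splitting problem made visible: a constructed stand-in for rsync that simply prints the arguments it receives, called once through a string variable in the poster's original style and once through a function with `"$@"`:

```shell
#!/bin/sh
# Added example, not from the thread: show why a command kept in a plain
# string variable cannot carry quoted arguments, and why a shell function
# can. A constructed stand-in for rsync prints the arguments it receives,
# one per line in brackets, so the splitting is visible.

show_args() {
    for a in "$@"; do printf '[%s]\n' "$a"; done
}

# Attempt 1: the pattern from the thread. When $CMD is expanded, the shell
# only splits it on $IFS (space, tab, newline by default). The quote marks
# are ordinary bytes at that point and are never re-parsed, so
# --rsync-path='sudo rsync' arrives as two arguments, quotes included.
CMD="show_args -v --rsync-path='sudo rsync' src/"
run_string() {
    $CMD    # deliberately unquoted: this is the behaviour being shown
}

# Attempt 2: a function. The command line inside it is parsed once, when
# the function is defined, so the quoted argument stays whole, and "$@"
# forwards the caller's arguments intact, spaces included.
synchronize() {
    show_args -v --rsync-path='sudo rsync' "$@"
}
run_function() {
    synchronize "my dir/" dest/
}

echo "string variable:"; run_string
echo "function:";        run_function
```

The string version prints `[--rsync-path='sudo]` and `[rsync']` as two separate arguments; the function version prints `[--rsync-path=sudo rsync]` as one, and keeps `[my dir/]` whole. An array variable in bash or ksh is the other correct fix; the function is the one that works in every Bourne-style shell.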
Re: missing /etc/fstab
On Sun, Jul 8, 2012 at 8:29 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:
>> I remember some early 5.1 snapshot which installed and successfully ran without /etc/fstab; however, 5.1-RELEASE came with /etc/fstab. It would be nice to move a system from one server to another without having to bother about /etc/fstab (I moved several of them due to buggy hardware). Is it possible to run without /etc/fstab? Is it a supported configuration?
>
> Sorry, but you are wrong. A system must have a /etc/fstab file, and it is created by the installer.

To move or replicate a system to other hardware, the /etc/fstab needs to be reviewed and edited for any partition layout, or it will not be able to find the partitions for / or other partitions you happen to need. Some folks get cute and do NFS or similar targets with automounting of various sorts, so those aren't in fstab on such systems. I've never seen anyone using that on OpenBSD.

I've done this sort of replicate-and-edit-config-files stunt for roughly 20,000 hosts in my career, especially 15,000 Linux hosts in one month, so I know the approach can be much faster than installing from normal installation media.

/etc/fstab can also be deleted after a system is up and running with all the UNIX or UNIX-like operating systems; I've seen people accidentally do that. But woe betide them when they try to reboot!
Re: missing /etc/fstab
On Sun, Jul 8, 2012 at 8:18 PM, Andres Perera andre...@zoho.com wrote:
> On Sun, Jul 8, 2012 at 7:41 PM, Nico Kadel-Garcia nka...@gmail.com wrote:
>> On Sun, Jul 8, 2012 at 8:29 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:
>>>> I remember some early 5.1 snapshot which installed and successfully ran without /etc/fstab; however, 5.1-RELEASE came with /etc/fstab. It would be nice to move a system from one server to another without having to bother about /etc/fstab (I moved several of them due to buggy hardware). Is it possible to run without /etc/fstab? Is it a supported configuration?
>>>
>>> Sorry, but you are wrong. A system must have a /etc/fstab file, and it is created by the installer.
>>
>> To move or replicate a system to other hardware, the /etc/fstab needs to be reviewed and edited for any partition layout, or it will not be able to find the partitions for / or other partitions you happen to need. Some folks get cute and do NFS or similar targets with automounting of various sorts, so those aren't in fstab on such systems. I've never seen anyone using that on OpenBSD.
>
> afaik, the duid is stored on the disklabel, so if you're making images of the media there's no need to edit fstab

I wasn't making disk images, which are unsuitable if you're re-arranging partitions or altering partition sizes (which I was doing). I made compressed tarballs of the mounted filesystems from installation media: *MUCH* more efficient.

>> I've done this sort of replicate-and-edit-config-files stunt for roughly 20,000 hosts in my career, especially 15,000 Linux hosts in one month, so I know the approach can be much faster than installing from normal installation media.
>
> your sites are extremely heterogeneous

Amen, brother! My predecessor used disk images, which created all sorts of unnecessary storage and image update problems.
Re: OpenBSD - UEFI Secure Boot
On Sun, Jul 8, 2012 at 6:18 AM, Alexey Suslikov alexey.susli...@gmail.com wrote:
> Remember SOPA/ACTA? If somebody is planning to have a regulation, this somebody should take care about tools which guarantee direct, not circumstantial, evidence that somebody else broke this regulation. UEFI implements a network stack so it can be a long-standing strategy. UEFI is about remote monitoring without you even knowing about it, or your corporate firewall sniffing for somebody else.

It's not the only thing it's about. The old Palladium project, now known as Trusted Computing, is designed to have secured access to each level of hardware and software. Since every step individually can be circumvented with known technologies if not part of the secure stack, they've tried very hard to embed it at every level: CPU, boot loader, kernel, applications, data, and hardware. Expect to see this whole stack pushed for secure storage media and private information, because some of the primary goals are portable storage media and backup data. By securing every stage, it's also effectively digital rights managed, and for that to work, it needs to exist at every stage from motherboard chipsets on up.

Where it's going to be problematic for OpenBSD is on Windows 8 certified hardware, which has UEFI enabled by default. It's theoretically possible for OpenBSD's boot loaders to emulate what Red Hat has done for Fedora: buy a signature for a UEFI compatible shim that will load the kernel. The problem then will be locally compiled kernels, which all my OpenBSD managing peers create as a matter of course. Many of us can comfortably disable UEFI, but it's going to be problematic for our less skilled colleagues.

> You buying UEFI hardware will be a sponsor of somebody sniffing on you. What an irony.

Or saving $100 on buying the latest hot box, or of graciously accepting a gift, or of doing a successful dumpster dive for laptops, desktops, and server grade hardware.

> Also, UEFI will possibly take down dozens of Linux/BSD-oriented hardware suppliers' businesses because their customers will refuse to run security critical tasks on UEFI hardware. Good support for a stagnating world economy.

Go look at what Fedora is doing to handle this. OpenBSD boot loaders are going to have to make some kind of accommodation with this in the next 5 years, or throw in the towel for new hardware and go directly to virtualization only. (That's admittedly how I use it these days, mostly for testing components like OpenSSH before 6.0p1 was bundled.)

> IMO, it is smarter to spend on a Raspberry Pi port than UEFI bullshit.

Good luck with that.
Re: OpenBSD forked
On Wed, Jun 13, 2012 at 4:34 PM, Matthew Dempsky matt...@dempsky.org wrote:
> On Wed, Jun 13, 2012 at 10:44 AM, Dominguez, Roland roland.doming...@tamucc.edu wrote:
>> I just came across this article and was wondering if it's legit:
>> http://www.h-online.com/open/news/item/OpenBSD-forked-to-create-Bitrig-1616954.html
>
> They also plan to port libc++ and the compiler-rt runtime library in order to remove the GPL-licensed libstdc++ and libgcc.a libraries.

I've been busy lately in Germany at SVNday, a Subversion conference. It was fun, but I've been too busy to see this. Coming back and checking the thread, allow me to start laughing *REALLY HARD* at this, since I've seen no other comments on it.

The ability to lock your hardware with libc and glibc errors is only exceeded by the kernel itself, and maintaining compilers to take advantage of new libc features is... well, it's a lot of work too. And keeping it compatible with the various other GPL or open source tools that are commonly used in the real world? Really, really good luck with those. If they succeed, I'm going to be very, very surprised.
Re: Solid state disk geometry
On Mon, Jun 11, 2012 at 8:05 PM, Nick Holland n...@holland-consulting.net wrote:
> On 06/11/12 19:25, Jens A. Griepentrog wrote:
>> Dear Mailing Listeners,
>>
>> Let me know, please, whether it makes sense to modify disk geometry for solid state disks?
>
> no
>
>> Which meaning have the default values of cylinders, heads, and sectors for these devices?
>
> roughly the exact same thing it has meant for IDE, SATA, and SCSI disks since..well...about 20 years or so...not a thing. All modern drives, and really anything made in probably the last 20 years (i.e., anything worth putting on an OpenBSD machine) use translation...the geometry and reality are unrelated in any recognizable way.

Like many such generalizations, ignoring the details can cause catastrophic failures. If your systems are virtualized, particularly virtualized on NetApps which use 4096 byte block drives on the back end, that translation layer can be overwhelmed. In particular, the use of the classic msdos compatibility and the 63 blocks of 512 bytes typically assigned for the MBR and partition table can have a disastrous impact, which is tied to an old, old standard for boot loaders and partition information. Whether or not OpenBSD uses such an alignment structure, ignoring it by saying "oh, we just translate and we've ignored that for decades" can cause catastrophic slowdowns of the NetApp when the buffer on the NetApp used for translation overflows and the NetApp goes into single CPU mode.

The white paper on the problem is here:

http://www.citrix.com/site/resources/dynamic/partnerDocs/BestPracticesforFileSystemAlignmentinVirtualEnvironments.pdf

The burden is not as catastrophic on a local drive with a sane local controller, but that re-alignment is still an unnecessary performance hit that should be avoided in any high performance system.
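An added example, not from the thread, that puts numbers on the alignment point above: it checks whether a partition start is aligned to a 4096-byte backend block, gives the next aligned start, and counts how many backend blocks a single 4 KiB filesystem write touches. The 63-sector start is the classic MBR layout mentioned above; the 2048-sector (1 MiB) start is the convention modern partitioning tools use; the 4096-byte backend block is an assumption standing in for the NetApp case (all figures are mine, not from the list):

```shell
#!/bin/sh
# Added example, not from the thread: check whether a partition's starting
# sector is aligned to a 4096-byte backend block, and what a misaligned
# start costs. 63 x 512-byte sectors is the classic MBR layout; 2048
# sectors (1 MiB) is the modern convention. The 4096-byte backend block is
# an assumption standing in for the NetApp case the thread mentions.

SECTOR=512      # logical sector size the OS sees
BACKEND=4096    # physical/backend block size of the storage

# start_bytes <sector>: byte offset of a partition starting at that sector.
start_bytes() { echo $(( $1 * SECTOR )); }

# alignment <sector>: "aligned" or "misaligned" relative to the backend block.
alignment() {
    if [ $(( $1 * SECTOR % BACKEND )) -eq 0 ]; then echo aligned; else echo misaligned; fi
}

# next_aligned <sector>: smallest start sector >= the given one that is
# aligned to the backend block (round up to a multiple of BACKEND/SECTOR).
next_aligned() {
    per=$(( BACKEND / SECTOR ))
    echo $(( ( ($1 + per - 1) / per ) * per ))
}

# blocks_touched <sector> <size> <fs_offset>: number of backend blocks a
# write of <size> bytes at filesystem offset <fs_offset>, on a partition
# starting at <sector>, spans. Aligned 4K writes map 1:1; a misaligned
# start makes every such write straddle two backend blocks.
blocks_touched() {
    start=$(( $1 * SECTOR + $3 ))
    end=$(( start + $2 - 1 ))
    echo $(( end / BACKEND - start / BACKEND + 1 ))
}

for s in 63 2048; do
    printf 'start=%s sectors (%s bytes): %s, next aligned start=%s, one 4K write touches %s backend block(s)\n' \
        "$s" "$(start_bytes "$s")" "$(alignment "$s")" "$(next_aligned "$s")" \
        "$(blocks_touched "$s" 4096 0)"
done
```

For the 63-sector start the script reports misaligned, a next aligned start of sector 64, and two backend blocks per 4 KiB write; for 2048 it reports aligned and one block. Doubling the backend I/O for every block-sized write is the overhead the white paper above describes, before any translation-buffer effects on the array itself.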
Re: OpenBSD 5.1 i386- ports vs packages
On Sat, May 5, 2012 at 7:15 PM, Dimitry T dimitryr...@hotmail.com wrote:
> After a long reading I am still confused. The OpenBSD FAQ recommends using packages, and most users say the same, but some say that it is safer to compile programs from ports and that the programs then have better performance. Do I get better performance from the program on my hardware if I compile that program on my hardware from ports? I tried to compare the md5 of a package compiled from ports with the package downloaded from the package server, and the values do not match. Surely I am wrong somewhere, but I would like someone to explain packages vs ports to me.

Oh, my. You've entered a world of exciting pain learning this stuff. Enjoy the adventure, and I do hope you have a safe word so you can step back if you've had enough.

First: md5sums are unlikely to match unless the program is very simple and the build environment very tightly defined. Simple compilation options, such as gcc -O2 or gcc -O3, are likely to modify the contents in subtle and performance modifying ways. Slightly different libraries or source code with patches applied, or strings such as the building host's hostname or date of the build, are sometimes incorporated in the compiled object, or the $Id$ from CVS, RCS, or Subversion source code management is sometimes included as well. That is why I like to use chroot cages for build environments: I can use a really well-defined environment, and be sure I've identified all the dependencies, rather than working in a more fluid development environment that may have had local, critical components updated that are unlikely to be found in a production environment.

The pre-compiled packages are usually much easier, and much safer, to work with because someone familiar with the standards has become familiar with the basic requirements. They've also often assembled and built the requirements that go with it, and submitted them as well, and they are reported to package management and can be relied on and updated somewhat automatically as issues are published and repaired upstream. And they often play better with others, not overlapping with or replaced by updates of base packages that happen to use the same files. (Perl. Oh, dear lord, Perl, with modules moving into and out of the main tarball over time.)

This takes work, because many tools do not have standard build architectures. Compare OpenBSD kernels, sendmail, Apache, Perl, PHP, and Maven to see just how wacky it can get. For enormous fun, take a look at how gcc is built, in order to build the compiler, build the compiler with the compiler, rebuild the compiler with the new compiler, etc. to make sure that what the compiler builds with itself matches between builds and is predictable.

But many people like to have the intimate familiarity with and tune things for their particular environment. For example, there are *gazillions* of Perl and PHP modules which are not in the main OS repositories for *any* OS because they proliferate and change so fast. And somebody has to *write* the packaged tools when updates occur. I do a ton of work with Subversion upstream, and try to keep an eye on the Subversion/SSH authentication tools and features. If you can spare the time and contribute, publishing patches and reporting bugs for building and managing both OpenBSD and useful 3rd party software, please do!! I've been doing this for, holy hopping pogo sticks, 24 years. (BSD 4.2 in my first job.)

Last, you will also have the opportunity to *tune* your features. Kernels and daemons can often benefit in subtle performance from updates and compilation options, but you can also break things in subtle ways from untested options, so it's a real tradeoff. It's much valued work by good developers.

I also had some open source and freeware license comments, but I'll just say check the licenses on what you build locally. I still remember with loathing the weird Dan J. Bernstein licenses on daemontools and djbdns, where you couldn't publish modified source code or binaries built from it, only source and patch files.
Re: Suggestion
License and Windows piracy issues aside, ReactOS is definitely not ready for production. I actually grabbed the VirtualBox instance, and the installation ISO, and tried them both. Definitely not working well enough yet to run the built-in web browser effectively enough to go grab PuTTY or Cygwin based OpenSSH.
Re: Which high end multichannel audio interfaces work?
On Fri, Mar 9, 2012 at 12:17 PM, Jochen Fabricius jfabric...@web.de wrote:
> Hi,
>
> I'm looking for a really high end multichannel (at least 2 in 8 out, breakout box) audio interface that works with OpenBSD. Obviously the M-Audio Delta 1010 does, because it is listed in envy(4). But this interface needs an external power supply, and I want to avoid it if possible. So I found the Echo Layla 3G
>
> http://www.echoaudio.com/Products/PCI/Layla3G/index.php
>
> Does anybody know if this card works with OpenBSD? Or any other interface of similar quality? I want to build a very flexible PC based digital crossover solution, with room equalizing and music playback from an internal storage (planned for later). Yes, I know that there are much cheaper and easier solutions for this task, but where is the fun with these?

Processing costs power. Audio output costs power: you may be stuck with an external power supply to do that much work with any kind of quality.
Re: My OpenBSD 5.0 installation experience (long rant)
On Sat, Mar 10, 2012 at 3:39 AM, Lars nore...@z505.com wrote:
> Barry Grumbine wrote:
>> On Thu, Mar 8, 2012 at 3:18 AM, Dmitrij D. Czarkoff czark...@gmail.com wrote:
>>> Though OpenBSD installer is not the main feature of OpenBSD for me (it is only used to install OS anyway), I wouldn't like it to change in any way now, as I just can't think of a way to make it better.
>>
>> Sorry, hate to beat a dead horse... There is one use case where I would like to see the installer enhanced:
>>
>> I have a laptop with OpenBSD installed. I want to install to a flash/USB drive, or SD card, or eSATA drive... I start the laptop with boot bsd.rd, select (I)nstall, and eventually get to the question:
>>
>>     Available disks are: sd0 sd1 sd2
>>     Which one is the root disk? (or 'done') [sd0]
>>
>> At this point I usually say "oh crap", hit ^C, and go read the dmesg or `disklabel sd1` to make sure I pick the right disk. It would be nice if the installer would tell me a little something about the available disks so I could pick the right one:
>>
>>     sd0: 238418MB, 512 bytes/sector, 488281250 sectors
>>     sd1: 1907MB, 512 bytes/sector, 3905536 sectors
>>     sd2: 3751MB, 512 bytes/sector, 7683072 sectors
>>     Available disks are: sd0 sd1 sd2
>>     Which one is the root disk? (or 'done') [sd0]
>
> Agree. Even the BIOS boot up screen tells you more information about your hard drive when the pc boots up (sometimes even the company that made the drive, like samsung.. when you boot up.) Things like sd0 are cryptic and don't provide much information.

With multiple drives, especially for bulky softraid setups, it might get overwhelming pretty fast. The idea is interesting, and especially helpful if the machine was previously built and the drives ordered differently in a different OS or BIOS configuration, changes in hardware RAID or drive controller manipulation in the BIOS, or the drives were installed in a different machine.
Re: My OpenBSD 5.0 installation experience (long rant)
On Sat, Mar 10, 2012 at 12:29 PM, Johan Beisser j...@caustic.org wrote:
> On Sat, Mar 10, 2012 at 9:15 AM, Nico Kadel-Garcia nka...@gmail.com wrote:
>> With multiple drives, especially for bulky softraid setups, it might get overwhelming pretty fast. The idea is interesting, and especially helpful if the machine was previously built and the drives ordered differently in a different OS or BIOS configuration, changes in hardware RAID or drive controller manipulation in the BIOS, or the drives were installed in a different machine.
>
> I don't see why it's hard to shell out.
>
>     !
>     # dmesg | grep [hs]d[0-9]
>     # exit

If you're skilled enough to have the working interfaces and know, from experience, how to dig it up manually, you can. That would certainly not be lost. I was thinking it could be useful for some of the odd setups I've encountered. When I swap hard drives to another host, it's not always clear that I've preserved hard drive ordering. If you've never swapped IDE controller ports accidentally when replacing a motherboard, then you've not done a lot of hardware rebuilding.
Re: Suggestion
[ Accidentally replied privately. ]

On Sat, Mar 10, 2012 at 12:50 PM, Renzo Fabriek rfabr...@nerdshack.com wrote:
> On Saturday 10 March 2012 18:26:29 you wrote:
>> On Fri, Mar 9, 2012 at 11:28 AM, Renzo Fabriek rfabr...@nerdshack.com wrote:
>>> On Friday 09 March 2012 13:10:13 Nomen Nescio wrote:
>>>> Who in their right mind would EVER want to run this crap?
>>>
>>> You answered your own question.
>>
>> My guess? People who are too cheap to buy Windows and too stupid to figure out how to find a free copy of XP or Win 7 on the net and do the activation or find a password. That's a pretty small user space.
>>
>>> Free copies of Windows? Do they exist?
>>
>> Violating copyright laws because "software should be free" or "I found it on the Internet!!!" is dangerous if you actually have a job or your mommy and daddy aren't willing to pay your legal costs if you get caught. Like stealing money from winos, you might not get caught but it teaches dangerous habits that shouldn't be taught in your social life or professional life. OpenBSD and the other open sourced operating systems have been very good about this: Nomen should not be suggesting dangerous habits on a public mailing list.
>>
>> Also, since so many of us do need to work with Windows based software for work, it's potentially useful. Samba started this way, and is now a mainstay of filesharing systems. And when Microsoft drops XP support, a workable open source toolkit could be very helpful to access legacy data from legacy applications. I've had this sort of thing happen with Windows, Mac, UNIX, and Linux software from obsolete operating systems. It's also handy for old games: I've got a really old Resident Evil game I can only play in emulation, because the hardware it ran on is broken. (I keep it in the basement so I can say I have a right to the emulator ROM images.)
>
> Did you CC the list? Otherwise I'm the only one who received it. :)
>
> My question was rhetorical.

I'm afraid that some folks do think that pirated copies are free. Ethics can be very difficult: is it ethical to steal from a thief? For someone who's living in the "I can steal it for free, why bother with a freeware one" world, explaining ethical or moral behavior can be awkward.

> But to respond a bit. It is always funny that the risk is being argued as reason not to do it while the main reason should be cause it is unethical. But... I also do make the same mistake. But that doesn't make it less true.

Oh, not always! Perhaps I've spent too much time around people whose ethical values are horrible, trying to convince them by other means to do the right thing.

> I fully agree with your message.
>
> gr Renzo
Re: Trusting the Installation
On Tue, Feb 28, 2012 at 9:44 PM, Nathan Stiles stiles.nat...@gmail.com wrote:
> Hello,
>
> I've recently installed 5.0 and based upon my experience I expected a checksum to be posted for the ISO. Also I've noticed that HTTPS isn't implemented on openbsd.org. I was also expecting the checksum to be served over HTTPS. I'm sure there's a good reason why this isn't necessary? I want to check the files I've downloaded against something? Obviously I can check a few random mirrors to ensure that files are identical. What are others doing?
>
> Thanks,
> Nathan

There is a SHA256 file published in the same directory, which lists checksums of the ISOs and other files.

This just came up in the Scientific Linux mailing list. While checksums are useful, they're not helpful if both the checksum and the file itself are corrupted. Someone (namely me!) also pointed out the possibility of manipulating the FTP or HTTP transmission en route, and I pointed out the risk of a Trojan infested mirror, Bittorrent, or other popular network access source. It's why I'm happy to use Bittorrent to get ISOs in a speedy fashion, but *ALWAYS* check the checksums against the original source when download is complete.

Even a shipped CD has some subtle, secondary risks: if I put that copy in my software box and put the ISO image online locally for building virtual hosts (which I've done in the last year), what prevents some weasel at work from replacing my ISO? Yes, I trust the people I work with, but assuring the provenance of an ISO image can be a useful bit of extra certainty. This is especially the case when your local mirror is *not* as secure as you might like.
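An added example of the check described above, written here rather than taken from the thread or from OpenBSD itself: it reads a manifest in the `SHA256 (file) = digest` form the release directories use, recomputes the digest with sha256(1) on OpenBSD or sha256sum/openssl elsewhere, and treats an unlisted file as a failure rather than a pass. The manifest, file names and contents are constructed for the demo:

```shell
#!/bin/sh
# Added example, not from the thread: check a downloaded file against an
# OpenBSD-style SHA256 manifest, whose lines look like
#   SHA256 (install50.iso) = <64 hex digits>
# Uses sha256(1) on OpenBSD, sha256sum or openssl elsewhere. The manifest,
# file names and contents below are constructed for the demo.

# digest_file <path>: hex SHA-256 of the file, whichever tool is present.
digest_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# expected_digest <manifest> <name>: the listed digest for that file name.
# A file that is not listed at all is an error, not a pass.
expected_digest() {
    awk -v n="$2" 'BEGIN { want = "(" n ")" }
        $1 == "SHA256" && $2 == want { print $4; found = 1 }
        END { exit !found }' "$1"
}

# verify_sha256 <manifest> <file>: 0 on match, 1 on mismatch, 2 if unlisted.
verify_sha256() {
    want=$(expected_digest "$1" "$(basename "$2")") || { echo "NOT LISTED: $2"; return 2; }
    have=$(digest_file "$2")
    if [ "$have" = "$want" ]; then
        echo "OK: $2"; return 0
    fi
    echo "MISMATCH: $2 (got $have, manifest says $want)"; return 1
}

# Constructed demo data: a good copy, a tampered copy, and an unlisted file.
# The digest below is SHA-256 of the six bytes "hello\n".
demo=$(mktemp -d)
mkdir "$demo/good" "$demo/bad"
printf 'hello\n'    > "$demo/good/install50.iso"
printf 'tampered\n' > "$demo/bad/install50.iso"
printf 'whatever\n' > "$demo/good/extra.iso"
for d in good bad; do
    printf 'SHA256 (install50.iso) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03\n' \
        > "$demo/$d/SHA256"
done

verify_sha256 "$demo/good/SHA256" "$demo/good/install50.iso"            # OK
verify_sha256 "$demo/bad/SHA256"  "$demo/bad/install50.iso"  || true    # MISMATCH
verify_sha256 "$demo/good/SHA256" "$demo/good/extra.iso"     || true    # NOT LISTED
```

On OpenBSD itself `sha256 -C SHA256 install50.iso` does this in one step; the script above is for the case where the ISO ends up on a Linux build host or a local mirror, which is the situation described above. The manifest must come from the original source, not from the same mirror or torrent as the file, or the check only proves the two copies were tampered with together.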
Re: ethernet-to-serial support
On Fri, Feb 24, 2012 at 12:01 PM, Dewey Hylton dewey.hyl...@gmail.com wrote:
> ----- Original Message -----
> From: Henning Brauer lists-open...@bsws.de
> To: misc@openbsd.org
> Sent: Thursday, February 23, 2012 10:45:52 AM
> Subject: Re: ethernet-to-serial support
>
>> * Dewey Hylton dewey.hyl...@gmail.com [2012-02-23 15:21]:
>>> i used the digi equipment over a decade ago with both hpux and aix with success. i'd really like to access these from my openbsd workstation and laptop, though the documentation mentions support for just about everything other than bsd. are any of these usable with bsd? and by that i mean can openbsd connect to the serial ports via ethernet with cu or something similar?
>>
>> i dunno the digi stuff, but console servers usually provide access to the serial ports via telnet or ssh. in general you don't wanna expose these to the 'net, but it's good enough for a separate vlan or the like to an openbsd box that you either run conserver on or just use to jump through.
>
> ahhh, and now it is clear to me how much 'smarter' these devices have become since i used them before. i'm relatively certain the ethernet connectivity was limited to 10Mbps, and i certainly don't remember any ssh options. that tidbit right there fixes all my worries. thanks!

From personal experience, every schmuck and his brother thinks they can whip such devices up out of el cheapo microcomputer cards, but after you add up all the connectors and cabling and especially design time to get it *right*, it's usually worth the investment to just buy a commercial box with cables. Figure roughly $50/port with cabling, and you'll be in the right price range. These are *invaluable* when testing kernel configurations.
Re: Backup Redundancy Etcetera
On Mon, Feb 6, 2012 at 4:10 AM, David Walker davidianwal...@gmail.com wrote:
> Hey.
>
> Currently my backup regime is woeful. I have years worth of work on a Windows machine and some stuff scattered across OpenBSD machines.

Uh-oh.

> I'm thinking of building a machine (the file server) to provide some backup and central storage. I'll probably try and get my head around softraid for redundancy on the file server and I'm looking at these ideas for data transfer ...
>
> Being able to push data to the server manually from Windows and other operating systems over the network. SSH or IPsec or similar is my idea here.

Pull through CIFS mounting, don't try to pull over SSH. (See the old thread at http://fixunix.com/ssh/73787-mcafee-cygwin-ssh.html .) Also, running rsync on a Windows box is fragile, due to the way Windows locks processes when they try to open a file that is busy. It makes rsync very fragile because the set of such files is almost impossible to pre-identify and exclude, and some of them are really important, such as Outlook backups.

That said, there's a very useful toolkit called rsnapshot that I've been using for years which is very flexible and can easily be targeted at CIFS shares. I've been using it on numerous UNIX and Linux systems, including OpenBSD, quite effectively.

> Having some mechanism where I can pull onto the server from the clients at selected times or poll the machines for changes and update the server or something. I have no experience here and I'm thinking about acronyms like NFS, rsync, etcetera.

The one you want is CIFS, where the BSD system can mount authorized shares from the Windows boxes using the Samba software.

> This is for a small number of machines and low rate data changes but if I can find something that's in base, scalable, robust, secure, simple, quick ... :]
>
> Please give me some recommended acronyms, man pages, etcetera.
>
> Best wishes.
Re: Backup Redundancy Etcetera
On Mon, Feb 6, 2012 at 10:21 AM, David Coppa dco...@gmail.com wrote: On Mon, Feb 6, 2012 at 3:43 PM, Nico Kadel-Garcia nka...@gmail.com wrote: The one you want is CIFS, where the BSD system can mount authorized shares from the Windows boxes using the Samba software. OpenBSD does NOT have cifs support.

Then what do you call Sharity? http://openports.se/net/sharity-light It might not be a built-in, but it works quite well according to the various Google reports.
Re: locate weirdness
On Sun, Jan 22, 2012 at 5:38 PM, L. V. Lammert l...@omnitec.net wrote: On Sun, 22 Jan 2012, Philip Guenther wrote: snip the BS There is no way of knowing if it would have found the problem, so why continue with this drivel? Contrary to the lengthy diatribes here trying to distract from the original problem and solution: 1) The problem with locate was traced to a bunch of session files; 2) The problem was fixed by cleaning them the hard way. There is no way to know if an upgrade would have fixed the problem, as upgrading is/was/would be just a distraction; it is not good practice to try and obscure the problem, and I do not understand why some people here like to espouse such practices. Sure, there is no support for 4.3, but, then I did not ASK for support on 4.3 (to read the OP). Don't bother to try and distract from the original problem - it just makes it harder for those LOOKING for the problem and solution to find it in all the noise.

As someone who's faced this kind of thing from both sides, I think you're going to have a long term problem with the "just help me fix the system I have, don't bother with telling me to upgrade" approach. Too many bugs are fixed as part of re-engineering or feature addition, and expecting even the authors, whom you are not paying for contracted work, to maintain the old releases becomes futile pretty quickly. It's difficult for them to maintain the old environments as test beds, or to dredge back that far into memory of how things used to be done. I've been running into this for decades, all the way back to the shift from BSD 4.2 to BSD 4.3. (Note that that is not OpenBSD, it's BSD.) The yelling and name-calling is unfortunate. But from observation and professional experience, if you want professional grade support for a software lifecycle of over 3 years, you should be willing to pay for it.
Re: mailserv project
On Mon, Jan 16, 2012 at 9:32 AM, Nick Holland n...@holland-consulting.net wrote: On 01/16/12 02:09, Wesley M. wrote: On Mon, 16 Jan 2012 07:40:57 +0100, Tomas Bodzar tomas.bod...@gmail.com wrote: There's sendmail in base system and there's ongoing work on smtpd by OpenBSD devs (other components are in ports). Anyway you're welcome to start port see http://www.openbsd.org/faq/ports/index.html It is not an other MTA. It is a script with config files, it installs a secure mail server (Administration using a Web interface) Postfix+Nginx+Spamd+Spamassassin+Dovecot+Roundcube+sql database Actually works on OpenBSD 4.8 / 4.9 It doesn't work on OpenBSD 5.0 There's a lot of changes like Nginx/Dovecot/php If someone can update the work : http://[cobwebsite deleted]/ Ah, sounds like you found a good reason NOT to use projects like this. Do this, do that, download this, run that, *poof!* you have a mail server with no idea what you are doing!

Be nice to the newbs! Showing them a well written tool, especially a configuration interface, that they can follow the workflow of is priceless to a busy admin or a busy programmer. There's a well known essay by Eric Raymond on this topic, concerning freeware and open source GUIs, called The Luxury of Ignorance. The time to make the configuration manager clean and intelligible is invaluable, and also helps avoid entire classes of errors that even a skilled admin can make.
Re: DLINK DUB-E100
On Sun, Jan 8, 2012 at 6:01 AM, Tomas Bodzar tomas.bod...@gmail.com wrote: On Sun, Jan 8, 2012 at 11:42 AM, Alessandro Baggi alessandro.ba...@gmail.com wrote: On 01/08/2012 11:38 AM, Tomas Bodzar wrote: On Sun, Jan 8, 2012 at 11:16 AM, Alessandro Baggi alessandro.ba...@gmail.com wrote: Hi there, I would buy an Ethernet card usb, and I've found the Dlink dub-e100. It is supported on OpenBSD 5.0? Why don't you check? http://www.openbsd.org/cgi-bin/man.cgi?query=usb&apropos=0&sektion=4&manpath=OpenBSD+5.0&arch=i386&format=html Someone has ever used it? Thanks in advance. Sorry, I'm new to OpenBSD, and I don't know that there was the manual page for usb. Thanks for info. Ah, probably Linux background. Then this http://www.openbsd.org/faq/index.html and man pages (man help and man afterboot for start) can be good start for you. One of the pros of BSD world is quality of documentation.

That documentation unfortunately does not answer the question, because many USB devices share the same chipsets and simply have manufacturers relabel the packages with their name. Since that device was not specifically listed, that's not a really strong indicator one way or the other. From working with various devices and various OS's, I'd estimate that the chances are good that it will work right out of the box. Try it and publish your results, so people like yourself can know whether it works! For all OS's, for laptops, desktops, or servers, I've carried a spare USB/Ethernet adapter for years in my toolkit for exactly the situations where a new network driver is needed to get the updates with new network driver in it at install time. And I keep replacing them because people won't give them back.
Re: Hylafax 6.0.5p0
On Fri, Nov 25, 2011 at 2:27 AM, man Chan openbsd...@yahoo.com.hk wrote: Dear All, I am now trying to set up the hylafax 6.0.5 for my machine running openbsd-5.0 stable. I go through all the processes faxsetup, faxaddmodem with no luck. Can anyone show me some pointer of examples that works. Thanks. Clarence

I've not needed it under OpenBSD, but *wrote* the SunOS port for that, many years back, and some of the early Red Hat compatible RPMs. What does faxstat say? And what did faxaddmodem say? And what kind of modem are you using? And you might benefit from poking your nose in the HylaFAX mailing lists, especially the ones for the Sourceforge published HylaFAX+ software. Many of the cheaper modems today are Winmodems, and rely extensively on commercially provided Windows drivers to do their processing with the main CPU instead of on the serial port connected modem itself. You'll be able to use them on a free or open operating system only if someone has ported drivers, so that's why I'm asking what modem you're using. I've personally relied on external USR modems for some years, and these days rely on Efax, a commercial service that actually uses HylaFAX as its back end.
Re: OpenBSD and shebang line to a script not supported?
The underlying question, not asked here, is why do you want to do this? It's a few more lines of code to take the first wrapper script and pass the arguments to another interpreter script, much like this:

    #!/bin/sh
    second-perl-script "$@"

There might be some command line argument handling issues, especially for arguments with spaces. But the use of a script as a secondary interpreter is ripe for awkward abuse.
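The argument handling issue mentioned above is the difference between "$@" and a bare $@ in the wrapper. The following is an added example, not code from the message or from OpenBSD: a stand-in shell function plays the part of the second script (a real wrapper would exec the script by path), and the two wrappers show what each form of the expansion does to an argument containing a space and to an empty argument.

```shell
#!/bin/sh
# Added example, not code from the original message: a wrapper that forwards
# its arguments to a second interpreter script, and the argument-splitting
# problem the message warns about. "second_interpreter" is a stand-in shell
# function for the second script.

# Stand-in for the second script: report the argument count and each
# argument in brackets so any re-splitting is visible.
second_interpreter() {
    printf '%s' "$#"
    for arg in "$@"; do
        printf ' [%s]' "$arg"
    done
    printf '\n'
}

# Correct wrapper: "$@" expands to the original arguments, one word each,
# so an argument containing whitespace reaches the second script intact
# and an empty argument is preserved.
wrap_quoted() {
    second_interpreter "$@"
}

# Incorrect wrapper: bare $@ undergoes field splitting, so 'hello world'
# arrives as two arguments and an empty argument disappears entirely.
wrap_unquoted() {
    # shellcheck disable=SC2068
    second_interpreter $@
}

# Run both when invoked with arguments, e.g.:  ./wrapper.sh 'hello world' ''
if [ "$#" -gt 0 ]; then
    printf 'quoted:   '; wrap_quoted "$@"
    printf 'unquoted: '; wrap_unquoted "$@"
fi
```

The unquoted form is the one that bites when the wrapper is used as an interpreter line: file names with spaces, or a deliberately empty argument, no longer mean what the caller intended, and the second script has no way to tell.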
Re: traffic shaping in OpenBSD
On Tue, Nov 1, 2011 at 4:10 AM, Gregory Edigarov g...@bestnet.kharkov.ua wrote: On Tue, 1 Nov 2011 08:53:46 +0100 Bret S. Lambert bret.lamb...@gmail.com wrote: On Tue, Nov 01, 2011 at 09:47:35AM +0200, Gregory Edigarov wrote: On Tue, 1 Nov 2011 11:17:56 +0400 ZZ Wave zzw...@gmail.com wrote: What solution should be used for traffic shaping on real-life, production gateways with tens and hundreds users? PF queues seem to be too userspace-ish and CPU consuming. Pardon? What do you mean userspace-ish ? I believe he wants to communicate with the kernel with the power of his mind. Where's my brain implant? ;-) Hold still. (I actually used to design electronics for those: they used a *BIG* and wonderfully frightening drill.)
Re: do not understand how to upgrade to-CURRENT
On Sun, Oct 23, 2011 at 3:39 PM, Zantgo zan...@gmail.com wrote: Please do not offend! I'm not a fool, and if you do not want to help, please do not comment. Zantgo El 23-10-2011, a las 16:25, Marc Espie es...@nerim.net escribió: On Sun, Oct 23, 2011 at 10:33:58AM -0300, Marcos Ariel Laufer wrote: This idiot, zantgo, has been bothering everybody on a mexican (spanish speaking) openbsd list and refusing to read the faq or manuals. Imagine that on that mailing list they tend to help everybody including the least advanced users, and he's been kicked off anyway. Good to know. I was almost ready to cut him some slack due to his very poor mastery of the english language. But if he also acts like a moron on spanish mailing-lists, well, I guess that no-one actually speaks the same language as he does...

He's been polite here: I speak enough Spanish to vouch for that.
Re: Are there any virtualization solutions for OpenBSD? (!important: no package from ports!)
On Sat, Sep 17, 2011 at 6:17 AM, lancebaynes87 lancebayne...@zoho.com wrote: http://unix.stackexchange.com/questions/20917/are-there-any-virtualization-solutions-for-openbsd-important-no-package-from I'm searching for Virtualization solutions: OpenBSD: host CentOS: guest What are my solutions? I'm searching for one that doesn't use packages from ports. Are there any? Thank you in anticipation.

Do it the other way around. RHEL, CentOS, and Scientific Linux 6.x all work well with the VirtualBox and other virtualization servers, though VirtualBox has the best interface for freeware. And OpenBSD runs quite happily in virtualization. I use it for testing OpenBSD tools in a primarily RHEL environment, and even use VirtualBox for easy virtualization in places where I'm only handed a Windows desktop or laptop. You don't get the same vaunted OS security or kernel performance on the server, but you do get access to other familiar tools and layouts that may not be available in OpenBSD yet. (I do note the availability of recent tools I care about in 4.9, such as httpd-2.x and libreoffice-3.x and subversion-1.6.x. Good)
Re: frontpage openbsd
On Fri, Sep 9, 2011 at 4:25 PM, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote: On Fri, 09 Sep 2011 11:22:38 -0700 Carlos A. Garcia G. wrote: ok ill try to find out how to push the webmaster so he change his mind, let me get the info from the webmaster. the only reason he said its Frontpage have a marvelous tools and with my frontpage i can upload the website without messing the ftp hummm! See what he thinks of sftp (it is ssh not secure ftp making it reliable, secure and silky smooth) with filezilla or gftp and never look back. Dreamweaver supports sftp but only password based auth as far as the latest version I've seen.

The WWW consortium's tool, Amaya, also works quite well to avoid FrontPage's limitations. And it actually follows the standards for HTML encoding, correctly handling relative URLs, creating far more reliable and compatible web pages than Microsoft's tools. If the last available version of FrontPage still supports it, and for many other tools which *do* support it such as the World Wide Web consortium's tool Amaya, WebDAV is a much, much better protocol than FTP. It uses HTTP or preferably HTTPS, it's built into core UNIX and Linux system tools such as Subversion so it's well supported, it doesn't have the split data and command channel problems that FTP has always had at firewalls, and no one blocks outgoing HTTPS at their firewalls in environments where the web must be accessible. Many sites very casually block the SSH port 22 that SFTP uses (to my occasional regret, and often so that the proxy servers or intervening network tools can monitor users' traffic for content). I've helped several companies migrate from FTP to WebDAV over HTTPS with good success and excellent reliability. Is this open to you?
Re: Most secure Operating-System?
On Wed, Sep 7, 2011 at 8:44 PM, Clint Pachl pa...@ecentryx.com wrote: Alec Taylor wrote: What's the most secure operating system? /me is thinking OpenBSD SELinux by far. I just listened to an interview with one of the devs on the project (http://twit.tv/show/floss-weekly/156). Wow! With SELinux, you basically just flip a switch and boom, you're secure. No process can talk to any other processes without your permission. No process can access the Internet if you don't want it to. Say goodbye to buffer overflows! It's implemented by the USA's NSA so you know it's the most secure OS in the Universe. It's truly amazing security. Set it and forget it! Alec, I think you really need to refocus on SELinux. I'm afraid to say that at most sites, they turn off SELinux by default. Developers are too unwilling to learn the File System Hierarchy to actually follow it, and developers of tools like OpenSSH have few ways to predict its consequences and code in concert with it. See https://bugzilla.redhat.com/show_bug.cgi?id=524276 for a typical example of SELinux breaking the ssh-copy-id tool.
Re: installing OpenBSD 4.9 to external USB harddisk: Disk does not boot
On Sun, Aug 7, 2011 at 11:25 PM, Brett brett.ma...@gmx.com wrote: I'm assuming your USB drive has an external power supply, right? In the past, I had installed OpenBSD (I think it was 4.7, either i386 or amd64) to an external usb drive, powered from the usb port. It would appear to install ok, start the boot process, then about halfway through would appear to power cycle or something for a split second, causing the boot to fail. Same thing would happen with FreeBSD and Slackware, though Ubuntu and Fedora could successfully boot from that drive. Now that this topic has come up on the lists, I am just wondering are there some non-externally powered usb drives that OpenBSD can boot from? Would be helpful to run and test -current on external drive, and have the release version on internal drive. Besides flash drives, which are trivially available in 8 Gig size at your local supermarket?
Re: OpenBSD alternative to cpanel/plesk
2011/7/30 Mikael Österdahl m.osterd...@gmail.com: I use webmin and it works ok, need a few tweaks, but works. Not in ports though. /Mikael

Webmin is what open source interfaces *should* be. Modular, clean, cross-platform, and actually edits the config files rather than some strange intermediate database, which means that changes in webmin show up directly in the config files, and vice versa. Individual modules of it may not be as sophisticated as the older, most popular ones, such as the DNS and Samba and sendmail, but in general it helps prevent a whole variety of accidents from people who think "I'll just hand-edit this config file like this web page told me to" and create havoc. There's an old essay by Eric Raymond, called the Luxury of Ignorance about the CUPS configuration tool. All the things Eric ranted about, with cause, were done *properly* by the webmin developers and contributors.
Re: Bug Tracking system does not work
On Tue, Jul 19, 2011 at 12:59 PM, Johan Beisser j...@caustic.org wrote: On Tue, Jul 19, 2011 at 9:57 AM, Amit Kulkarni amitk...@gmail.com wrote: http://openports.se/www/rt ? written in perl. As someone who uses this for ticket tracking, let me be the first to say it's terrible. It takes significant, thoughtful re-organization and a saner workflow.

What would be considered to not suck? Stability? Security? Flexibility? Reliable database on the back end? Ease of email submissions for newbs?
Re: Bug Tracking system does not work
On Tue, Jul 19, 2011 at 7:38 PM, Ted Unangst t...@tedunangst.com wrote: On Tue, Jul 19, 2011, STeve Andre' wrote: On 07/19/11 12:27, Ted Unangst wrote: On Tue, Jul 19, 2011, Paul Suh wrote: On Jul 18, 2011, at 6:24 PM, Ted Unangst wrote: On Mon, Jul 18, 2011, Sergey Bronnikov wrote: may be proper link is http://www.openbsd.org/query-pr.html The bug tracker is down and will stay that way for some time. Ted, Is there something that we can do to help? Write a bug tracker that doesn't suck. Suggestions about existing bug trackers that don't suck aren't helpful, however, because obviously, if it didn't suck we'd already be using it, ergo it does suck. Ted, Is it worth looking at the current system to see if the suck factor can be vacuumed from it, or is it a hopeless case in your opinion? It is hard to imagine a bug tracker that could actually suck more than gnats. The current replacement, email bugs@ and search the marc.info archives, is vastly superior.

Siebel. Trust me, I've helped support open revolts in companies that tried to use it. It's not a likely candidate for UNIX or Linux users of any sort, but lord, it's bad.
Re: Laffs with Lennart
On Sun, Jul 17, 2011 at 1:22 AM, Theo de Raadt dera...@cvs.openbsd.org wrote: On Sat, Jul 16, 2011 at 5:22 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: It does look like an open source result of some talented people, not an OpenBSD or BSD specific result. OpenSSH happened as a *direct result* of the types of decisions that OpenBSD developers make. Hi, Theo. That would be a compelling point if those decisions were automatically good ones. Simply being the types of decisions that OpenBSD developers make is not automatically a selling point, as evidenced by the relatively small market share of OpenBSD itself. I'm going to dig into some history here. The result of the types of decisions that OpenBSD developers make are precisely why it is marginalized. The core technology is robust and excellent, but the featureset is not only limited, but actively dangerous. I'll explain why: this gets into some serious way-back history, but I'm not seeing any change. Fascinating. And justified.

Notice the complete lack of actually addressing the issues.

[ Technical issues snipped for brevity. ] Wow, it's a real bummer that OpenBSD has caused you so much harm. Have you considered trying to live 100% without our software? Of course, if you did that, you'd have to keep your mouth shut, wouldn't you. That does not seem in your nature..

And submitting patches, bug reports, or concerns is what a mailing list is for.

[ More examples of OpenSSH pain snipped for brevity. ] Your pain runs very deep. Have you considered suicide? This is compounded by the longstanding refusal to accept chroot cage integration for SSH or SCP. (Yes, it's me: I was one of the people publishing such patches over a decade ago.) Debian has actually provided some tools for helping set that up, Ah, yes, Debian. They have an amazing history when it comes to patching our code good luck with that.

My first patches were on SunOS. I updated someone else's patches and republished roughly 5 years ago?
It's not difficult, the underlying codebase is robust. They're not actually patching your code: they're generating wholesale chroot cages with dedicated OpenSSH servers inside them, which is more awkward but creates less risk of destabilizing the code base. It's awkward, but functional if you don't mind users seeing local /lib, /etc, /usr/bin, etc. infrastructure. Not so good if you want to create a software mirror repository: you need to integrate in something like rsync with a wrapper for that. The result (for those of you who haven't had to pursue this sort of thing) is a bit precarious.

[ More details excluded for brevity. ] If we couple all of those decisions, mostly policy decisions, with the longstanding incapability to transfer symlinks as symlinks, rather than as the targets of the symlink, by both SFTP and SCP, and the direct result of those decisions doesn't look so hot, even though the underlying protocol and implementation in OpenSSH have much to recommend them. Your grief would seem more sincere if it didn't look like a shopping list. Except your name or those you work for do not occur in the donations list or anywhere else...

I'm not acting as their representative on this mailing list. I'll send you a couple of names privately, if you like, but I've been a patch and bug and integrator for long enough with OpenSSH and with open source and freeware projects in general that I think I've earned better. I'll send you a couple of employers' names privately if you like, or to someone who has access to your contributors list to verify that they've lived up to their agreements with me. (They should have: OpenSSH was a lot cheaper than 10,000 F-Secure licenses, and easier to integrate.) Has NX been sending any money? I've been steering clients their way to their superior, low bandwidth toolkit for X services, which usually reside on top of OpenSSH. They've got a new release in alpha testing.
This last one is actually built into the RFCs, but if a new RFC is needed, then it's about time. We don't author the RFC. But thanks for trying to make us responsible for that, too. Pray tell, what are you responsible for, besides bitching out other people's efforts?

Lately? Among other things, I wrote an ssh-keyscan toolkit for correctly integrating domain scans and integration of alternate port entries into ssh_known_hosts. I've got to pull out the source control integration before publishing, and need paperwork signed to publish it, but it helps deal with the "ssh-keyscan does not list alternative ports used in its output" issue. Very useful when you have dedicated SSH servers in high availability mode scattered around a network and CNAMEs used to swap the service. (See previous comments on Subversion repository SSH integration.) Mostly sys-admin work these days, less chance to play with source. The result is that I'd *rather* trust the end-to-end encryption of the underlying SSH protocol. But
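The known_hosts detail behind the toolkit described above is that sshd and ssh look up a host reached on a port other than 22 under the name "[host]:port", and that one line may carry a comma-separated list of names (the real host plus any CNAMEs) that should share a key. The following is an added example, not the author's toolkit and not OpenSSH code: it reads ssh-keyscan style lines ("host keytype base64key") from stdin, rewrites the host field for the port given, appends the aliases in the same form, and merges the result into a file without duplicating entries. The host names and key data in the usage are constructed.

```shell
#!/bin/sh
# Added example, not the toolkit described in the message and not OpenSSH
# code: turn ssh-keyscan style output into ssh_known_hosts entries that
# carry a non-default port and any aliases (CNAMEs) the service is reached
# through. Input lines on stdin look like "host keytype base64key"; if the
# host field is already in "[host]:port" form, that port is kept.

# Port 22 is written bare; anything else in the bracketed form ssh expects.
fmt_name() {
    if [ "$2" = 22 ]; then
        printf '%s' "$1"
    else
        printf '[%s]:%s' "$1" "$2"
    fi
}

# Usage: keyscan_to_known_hosts PORT [ALIAS...]  < keyscan-output
keyscan_to_known_hosts() {
    default_port=$1
    shift
    while read -r host ktype key; do
        # Skip blank lines and "# host:port ..." comment lines.
        case $host in ''|'#'*) continue ;; esac
        port=$default_port
        case $host in
            \[*\]:*)
                port=${host##*:}
                host=${host#\[}
                host=${host%\]:*}
                ;;
        esac
        names=$(fmt_name "$host" "$port")
        for alias in "$@"; do
            names="$names,$(fmt_name "$alias" "$port")"
        done
        printf '%s %s %s\n' "$names" "$ktype" "$key"
    done
}

# Append ENTRY to FILE unless an entry with the same names and key type is
# already there, so repeated scans do not pile up duplicates. Returns 1 if
# the entry was already present. String comparison is used on purpose: the
# brackets and dots in "[host]:port" are regex metacharacters for grep.
merge_entry() {
    file=$1
    entry=$2
    names=${entry%% *}
    rest=${entry#* }
    ktype=${rest%% *}
    if [ -f "$file" ]; then
        while read -r n k _; do
            if [ "$n" = "$names" ] && [ "$k" = "$ktype" ]; then
                return 1
            fi
        done < "$file"
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Example invocation (constructed host and key data):
#   printf 'git.example.com ssh-ed25519 AAAAC3Nza...\n' \
#       | keyscan_to_known_hosts 2222 git scm.example.com
# yields
#   [git.example.com]:2222,[git]:2222,[scm.example.com]:2222 ssh-ed25519 AAAAC3Nza...
```

Listing the CNAME alongside the real host is what lets a client keep trusting the key when the alias is repointed at another server that carries the same host key; if the new server has a different key the client will refuse, which is the behaviour you want.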
Re: CVS: cvs.openbsd.org: ports
On Sun, Jul 17, 2011 at 2:55 AM, Rajneesh N. Shetty shettyrajne...@yahoo.com.au wrote: would obsd 4.9 work ok on the attached specifications? please advise if anyone has tried it so far. this one is a notebook. they have an athlon version as well which is a netbook, but I am not too sure i want to try that one for bsd yet... [ text snipped ] [demime 1.01d removed an attachment of type application/pdf which had a name of TL120 Series_VXL.pdf]

Looks like your PDF got snipped. Perhaps you can publish a URL instead?
Re: CVS: cvs.openbsd.org: ports
On Sun, Jul 17, 2011 at 4:32 AM, Stuart Henderson s...@spacehopper.org wrote: On 2011/07/16 23:55, Rajneesh N. Shetty wrote: would obsd 4.9 work ok on the attached specifications? please advise if anyone has tried it so far. this one is a notebook. they have an athlon version as well which is a netbook, but I am not too sure i want to try that one for bsd yet... [ Stuart's well organized suggestions snipped, very helpful stuff. I hope someone is paying you well. ]

Rajneesh, is this for a machine you're considering buying? Or for a machine you've already got? Can you do a backup of what's on it and just *try* the 4.9 install?
Re: Laffs with Lennart
On Sat, Jul 16, 2011 at 6:40 AM, Peter N. M. Hansteen pe...@bsdly.net wrote: Chris Cappuccio ch...@nmedia.net writes: Lennart Poettering has graced the world with his brilliance one more time. Why? Lennart doesn't think BSD is too relevant anymore. http://linuxfr.org/nodes/86687/comments/1249943 It would be almost tempting to ask if he uses ssh much and if so which one, but I'm not sure I'd bother. Don't mistake OpenSSH for OpenBSD. The early history is fascinating. http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch01_05.htm (I was involved in very early SunOS ports of ssh-1 and ssh-2, before OpenSSH existed.)
Re: How does OpenBSD compare to Ubuntu Server?
On Mon, Jul 11, 2011 at 8:16 PM, J Sisson sisso...@gmail.com wrote: On Mon, Jul 11, 2011 at 6:58 PM, Juan Miscaro jmisc...@gmail.com wrote: On 7 July 2011 15:06, jirib ji...@devio.us wrote: Are you kidding? Ubuntu? Where installed daemons are running by default, where there is no command to disable shitty upstart daemons? Which daemons are those again? apt-get install some_insecure_daemon Oh look, some_unsecure_daemon is running before I have a chance to configure it and lock it down the way I see fit. <sarcasm>Good thing we all know those Ubuntu/Debian guys are so damned smart and all...</sarcasm>

Far too many daemons are installed by default on Ubuntu. It's a "give people everything they might desire some day" approach, rather than a "keep it stable by giving them only what they need and ask for". This is particularly evidenced by the plethora of 3rd party repositories with fascinating components that are easily merged into Ubuntu, and require more manual integration and local compilation with OpenBSD. And the reliance on older, stable, well-debugged components makes leading edge development of Java and web apps more awkward in OpenBSD. But OpenBSD is vastly more secure and avoids craziness such as NetworkManager and 3 million useless and poorly implemented web proxies and chat servers.
Re: Laffs with Lennart
On Sat, Jul 16, 2011 at 5:22 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: It does look like an open source result of some talented people, not an OpenBSD or BSD specific result. OpenSSH happened as a *direct result* of the types of decisions that OpenBSD developers make.

Hi, Theo. That would be a compelling point if those decisions were automatically good ones. Simply being the types of decisions that OpenBSD developers make is not automatically a selling point, as evidenced by the relatively small market share of OpenBSD itself. I'm going to dig into some history here. The result of the types of decisions that OpenBSD developers make are precisely why it is marginalized. The core technology is robust and excellent, but the featureset is not only limited, but actively dangerous. I'll explain why: this gets into some serious way-back history, but I'm not seeing any change.

First is the amazing foolishness of having the default key generators accept blank passphrases without even requiring a special command line option. Second is lack of a reliable key expiration mechanism. Once a blank passphrase is in use, clearing them up is very difficult to detect and very awkward to revoke the keys. These are deadly aspects of the SSH protocol and toolkits that could, and should, have been addressed a decade ago, even before OpenSSH existed. The result is that I've personally had one hell of a time getting people off of less technologically secure tools, such as HTTPS access for Subversion which stores passwords in clear text on UNIX and Linux clients. This tool has SSH based access available to avoid the UNIX or Linux client password storage of HTTPS, but lacks an integral chroot cage or dedicated shell to restrict the users: the results are various weird, homegrown integrations. (Sourceforge uses one, and it's messy due to the lack of chroot cage compatible integration for Subversion.) Git does a better job of this, by the way, which is a good reason to prefer it.
But I've dealt with 6 such source control integration efforts in the last 5 years, and it's painful to deal with the passphrase free keys and having to hand-build an expiration mechanism *every single time*, even if I do keep my old notes. This could be eased by client side software changes, such as refusing to accept a blank password without a special command line option or user privilege, or even a setting in ssh_config to block such behavior. If a client can override that, then it's their problem, but the lack of any significant barrier to generating such keys is a long standing issue I've had to clean up after again, and again, and again. This is compounded by the longstanding refusal to accept chroot cage integration for SSH or SCP. (Yes, it's me: I was one of the people publishing such patches over a decade ago.) Debian has actually provided some tools for helping set that up, and they're quite useful for at least raising the bar for clients with locally authorized access to escape their cages. SFTP does a better job of it, and its relatively new built-in chroot cages are welcome. But the chroot cages for SSH are long-desired for Subversion and CVS repository access, and software regression testing environments. (By the way, the better security models of git with its dedicated shell and good key management tools well justify switching to it from CVS or Subversion, along with its vastly better merge behavior.) If we couple all of those decisions, mostly policy decisions, with the longstanding incapability to transfer symlinks as symlinks, rather than as the targets of the symlink, by both SFTP and SCP, and the direct result of those decisions doesn't look so hot, even though the underlying protocol and implementation in OpenSSH have much to recommend them. This last one is actually built into the RFCs, but if a new RFC is needed, then it's about time. The result is that I'd *rather* trust the end-to-end encryption of the underlying SSH protocol.
But the missing basic security features, whose absence is either tacitly accepted (such as making passphrase keys more difficult to use), or a matter of deliberate policy (such as refusal to work with chroot cages for SSH or SCP) have seriously impeded the use and security of OpenSSH itself. So I have some longstanding, and I think well-founded, concerns about the types of decisions that OpenBSD developers make.
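The message above asks for the client to refuse to generate passphrase-free keys; what it calls "very difficult to detect" is at least auditable after the fact. The following is an added example, not from the message and not OpenSSH's own code, and goes a little beyond the text by auditing rather than preventing: it assumes ssh-keygen is on PATH and relies on the documented behaviour that "ssh-keygen -y" loads a private key to print its public half, and that with "-P ''" it succeeds only when the key is stored unencrypted, so its exit status is a non-interactive passphrase test.

```shell
#!/bin/sh
# Added example, not from the original message or the OpenSSH project: find
# private keys that were generated with a blank passphrase. Assumes
# ssh-keygen is on PATH. "ssh-keygen -y" prints the public key for a private
# key file; given "-P ''" it never prompts and fails on an encrypted key, so
# exit status 0 means the key is unprotected.

# Exit 0 if the key file has no passphrase, non-zero otherwise. stdin is
# redirected from /dev/null so nothing can fall back to prompting.
has_blank_passphrase() {
    ssh-keygen -y -P '' -f "$1" </dev/null >/dev/null 2>&1
}

# Print the unprotected keys under DIR, treating DIR either as a single home
# directory or as a parent of home directories (e.g. /home), one path per
# line. Only the conventional id_* names are checked; keys stored under
# other names need a wider glob. Returns 0 if any were found, 1 otherwise.
find_blank_passphrase_keys() {
    found=1
    for key in "$1"/.ssh/id_* "$1"/*/.ssh/id_*; do
        [ -f "$key" ] || continue            # unmatched glob or not a file
        case $key in *.pub) continue ;; esac # public halves are not keys
        if has_blank_passphrase "$key"; then
            printf '%s\n' "$key"
            found=0
        fi
    done
    return $found
}

# Usage: ./audit-keys.sh /home
if [ "$#" -gt 0 ]; then
    find_blank_passphrase_keys "$1"
fi
```

This is the detection half of the complaint; it does nothing about key expiry on the server side. An operator who needs that today can pair the audit with the expiry-time="..." option that newer OpenSSH versions accept in authorized_keys, which was not available when the message was written.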
Re: How does OpenBSD compare to Ubuntu Server?
On Thu, Jul 7, 2011 at 1:45 PM, Alexander Schrijver alexander.schrij...@gmail.com wrote: For starters, there is 100% consensus among developers that we'll never use newfangled overengineered stuff like System V init. You mean Upstart! or wait You mean systemd! Or the oddness that is daemontools!!
Re: Recompile OpenBSD without built-in Apache 1.3
On Wed, Jun 29, 2011 at 4:29 AM, Fred Crowson fred.crow...@gmail.com wrote: On 29 June 2011 09:12, Benny Lofgren bl-li...@lofgren.biz wrote: Not to encourage or discourage the OP either way, I don't think you should assume that he's only got one system to play with. After all, it is perfectly feasible to make install builds on one system and installing them on another (or a thousand others). Who knows, he might have invented a new extremely secure and robust toaster he needs firmware for? :-) A toaster without a web server is so last century.

There are also components that require the apr libraries. Subversion, for example, uses various Apache components at compile time to build mod_dav_svn, and avoiding its compilation is not well supported. Subversion these days, however, pretty much needs Apache 2.x. Stripping a few meg can make a big difference when building a live CD or a USB stick setup, so the desire to do so is understandable. But you do have to factor in the time spent tuning the install, rather than doing something useful like ripping unnecessary perl components out, bleeding and screaming, to avoid CPAN dependency whimsies. (Yes, I was doing that last week.)
Re: vmmap: bad software everywhere
On Sat, Jun 4, 2011 at 10:39 AM, Marc Espie es...@nerim.net wrote: Well, the official fix for mono is in, from the mono team. Guess what ? Mono uses MAP_32BIT if it's available. From Linux's mmap manpage: MAP_32BIT (since Linux 2.4.20, 2.6) Put the mapping into the first 2 Gigabytes of the process address space. This flag is only supported on x86-64, for 64-bit programs. It was added to allow thread stacks to be allocated somewhere in the first 2GB of memory, so as to improve context-switch performance on some early 64-bit processors. Modern x86-64 processors no longer have this performance problem, so use of this flag is not required on those systems. The MAP_32BIT flag is ignored when MAP_FIXED is set. From my point of view, it certainly looks like MAP_32BIT was only put there to address one specific issue in the lifetime of 64 bit platforms, but that some people got some nifty ideas about how to abuse it, and now it's probably there to stay, since software would break without it...

Thanks. That's vastly better than simply impugning other people's code without reading it.
Re: vmmap: bad software everywhere
On Fri, Jun 3, 2011 at 6:26 PM, Marc Espie es...@nerim.net wrote: On Fri, Jun 03, 2011 at 06:11:31PM -0400, Nico Kadel-Garcia wrote: On Tue, May 31, 2011 at 6:51 AM, Marc Espie es...@nerim.net wrote: How come nobody in other OSes noticed ? Well, people probably did, and tweaked their allocators to work, by using preferably the low address space, and having addresses that increase slowly, so that a lot of pointers are below 4GB, and a lot of pointer diffs are under 4GB. Or you could just be engaging in an ad hominem attack without actually looking at their implementations and assuming they're not doing it right because they're not you or your favorite platform. But hey, we don't know anyone who'd do *that* in the OpenBSD community. Right? Wrong. An ad hominem attack would require me asserting all this for a fact, which is not what I'm doing. Notice the "probably" ? it makes all the difference in the world.

No, I'm afraid it really doesn't require asserting the truth. To quote from Wikipedia, "An ad hominem (Latin: to the man), short for argumentum ad hominem, is an attempt to link the truth of a claim to a negative characteristic or belief of the person advocating it". It's what I just did to you, in turn. How's it feel? An example or two would have lent powerful credence to your claim. The fix for mono, which Marc Espie notes in this thread, is a very powerful such indicator.

Now, up to you. What explanation do you have for those problems not being that visible on other 64 bit platforms ? That is, other than their mmap not being very random and stuff tending to group together near the low end of the address space...

I can personally comment on only a few: I see a mix. I've done some software porting from 32-bit to 64-bit in the last few years. (Including a fascinating open source project a few years ago, I know it works well in OpenBSD.) I agree that the poor randomization of memory allocation contribute profoundly to not noticing it in testing.
(And how often do you *need* 2 GB of RAM for small applicatoins) For others, they simply set the compilation architecture to be 32-bit to avoid problems (which I've certainly done!) For others, they've relied extensively on the better supported 32-bit Java from Sun. and not dug into the code to fix the issue. (They were solviing a problem, not designing an architecture, and were happy to wait and try to fix it later, despite my personal advice.) The Java projects have been a chronic source of this kind of problem: the lack of stability of the early 64-bit implementations led a lot of Java programmers to insist on 32-bit toolkits, and they've never bothered to upgrade and support both. Java isn't supposed to be architecture dependent, but this belief is fundamentally mistaken when you have to pay attention to resource allocation and optimization. I'm doing other things this year: I'll be very curious if OpenJDK is good enough in 64-bit land to help improve performance and testing there and reduce this behavior. Waiting for a good explanation here. Do you think we make problems just to make other OSes look bad ? No, but the snarking is sometimes tedious. It goes both ways. No, we encounter problems, and we do our best to fix them. In my personal experience, most of the time, those problems are bugs in apparently portable software. In the case at hand, we already fixed several issues with some programs. All of them related to some very dirty assumptions about memory... *GOOD*. My last notable migration project involved well-written C. It partly needed shifting between the older use of int and nailing it down as int32_t or other well-defined structures as necessary, to avoid confusion when compiled on 64-bit. But it also needed considerable attention to inherent assumptions about its own, unique databases, and that kind of time and attention is expensive.
Re: How do I exclude a directory using tar in OpenBSD?
On Thu, Jun 2, 2011 at 8:34 AM, David Vasek va...@fido.cz wrote: On Thu, 2 Jun 2011, Nico Kadel-Garcia wrote:

GNU tools have become the industry standard, for a stack of reasons. I've had similar issues with the cp command, and its lack of cp -a.

I've had similar issues with pax(1) command missing from systems based on GNU industry standard, and their lack of pax -rw. But why should one care about POSIX if we can choose to follow that great GNU industry standard now. Regards, David

I've got my Fedora 15 testing environment open in front of me for other reasons. pax -rw works fine. Where is that feature not available? Note also that POSIX compliance does not say you *can't* have a feature.

Frankly, I'd love to see POSIX include these features for cp and tar for their next updated standards. It would make cross-platform work notably easier, especially for backup utilities like Amanda and rsnapshot (both of which I've done on UNIX and Linux systems).
Re: problem in ntp time synch
On Thu, Jun 2, 2011 at 10:51 AM, Amit Kulkarni amitk...@gmail.com wrote:

I am new to your site. Hope I will have answers and help. I am facing a problem while synchronizing client to nearest server for ntp synchronization (linux). I have configured the IP of nearest server in file /etc/ntp.conf and restarted the service ntpd using /etc/init.d/ntpd restart. ntpd service is started and there seems no problem with the service but whenever I use cmd to check the peer 'ntpq -p' the prompt is: ntpq: read: Connection refused. Have checked log messages and also the service and is running fine; can you please help me to solve the error.

ntpd is on a linux server? then why post here on an OpenBSD forum? OpenNTPD doesn't use /etc/init.d ... google and your problem will be solved.

Telling people go use google is not helpful. It often means I don't actually know, and there's way, way, way too many hits, many of which are confusing or confused.

Amit? I assume English is not your first language? It's a little tough to figure out where your issue is. Have you verified that ntp is not just running, but can be contacted from your OpenBSD box? Try ntp -q linuxhost to see if you can reach it, just to start out. Just because you're running ntp on a server doesn't mean the server permits other hosts to ask it for information.
Re: vmmap: bad software everywhere
On Tue, May 31, 2011 at 6:51 AM, Marc Espie es...@nerim.net wrote:

How comes nobody in other OSes noticed ?

Well, people probably did, and tweaked their allocators to work, by using preferably the low address space, and having addresses that increase slowly, so that a lot of pointers are below 4GB, and a lot of pointer diffs are under 4GB.

Or you could just be engaging in an ad hominem attack without actually looking at their implementations and assuming they're not doing it right because they're not you or your favorite platform. But hey, we don't know anyone who'd do *that* in the OpenBSD community. Right?
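The two vmmap posts above turn on one mechanism: whether an allocator hands out addresses packed near the low end of the address space or scattered across it decides whether code that stores a pointer difference in a plain C int (rather than ptrdiff_t) keeps working by accident. The following is an added simulation, not code from the thread or from OpenBSD; the address-placement policies, the 47-bit user address space and the mapping counts are constructed assumptions used only to make the effect measurable.

```python
"""Added example: how allocator address placement decides whether pointer
differences still fit in a 32-bit C int.  Not from the thread or OpenBSD.

Model (constructed): a process holds N mappings that are either
  (a) handed out sequentially from a low base, as the thread says tweaked
      allocators tend to do, or
  (b) placed uniformly over a 47-bit user address space, as a randomising
      mmap does.
Code doing `int d = p - q;` on an LP64 system silently truncates in (b).
"""
import random

INT32_MIN = -(1 << 31)
INT32_MAX = (1 << 31) - 1
USER_SPACE_BITS = 47        # assumption: amd64-style 47-bit user address space
PAGE = 4096


def low_addresses(n, rng):
    """Policy (a): sequential page-aligned mappings from a low base (constructed)."""
    base = 0x1000_0000
    return [base + i * 64 * PAGE for i in range(n)]


def random_addresses(n, rng):
    """Policy (b): page-aligned mappings uniformly spread over user space (constructed)."""
    pages = 1 << (USER_SPACE_BITS - 12)
    return [rng.randrange(pages) * PAGE for _ in range(n)]


def fits_int32(diff):
    """True if storing this pointer difference in a C int loses nothing."""
    return INT32_MIN <= diff <= INT32_MAX


def truncate_to_int32(diff):
    """What a C int holds after `int d = p - q;` on LP64: low 32 bits, sign-extended."""
    d = diff & 0xFFFFFFFF
    return d - (1 << 32) if d > INT32_MAX else d


def count_overflowing_diffs(addresses):
    """Number of pairwise pointer differences that a C int would truncate."""
    bad = 0
    for i, p in enumerate(addresses):
        for q in addresses[i + 1:]:
            if not fits_int32(p - q):
                bad += 1
    return bad


def compare_policies(n=200, seed=1):
    """Same program, same pointer arithmetic, two allocator policies."""
    rng = random.Random(seed)
    return {
        "low_end": count_overflowing_diffs(low_addresses(n, rng)),
        "random": count_overflowing_diffs(random_addresses(n, rng)),
    }


if __name__ == "__main__":
    print(compare_policies())
```

With the low-end policy every pairwise difference fits, so the truncating code never misbehaves in testing; with randomised placement nearly every pair overflows, which is the failure mode the thread describes surfacing on OpenBSD first. The fix on the C side is the one the later post names: use ptrdiff_t (or an explicitly sized type chosen for the quantity) instead of int.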
Re: I don't get where the load comes from
On Thu, Jun 2, 2011 at 1:12 AM, Nico Kadel-Garcia nka...@gmail.com wrote: On Thu, Jun 2, 2011 at 12:48 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:

100% right. The load average calculation has not changed in 25 years. Anyone who says otherwise hasn't got a single fact on their side. What has changed, however, is that the kernel has more kernel threads running (for instance, ps aguxk, and look at the first few which have the 'K' flag set in the 'STAT' field. Some kernels have decided to not count those threads, others do count them. Since these kernel threads make various decisions for when to do their next tasks and how to context switch, the statistical monitoring of the system which ends up creating load values can get perturbed. That's what this comes down to.

Which.. sounds exactly like a change in the load average calculation, due to kernel changes, that has occurred in the last 25 years.

You clearly cannot read. The calculation has NOT CHANGED. The way that work is done in the kernel has changed. You better get back to class; your potty break is over.

Then perhaps learn to write. If you're measuring a different phenomenon, one that has different units, then it's a distinctly different *calculation* because you're measuring a distinct collection of objects. One may as well add up a restaurant bill, leave out the tax and tip, and say it's unchanged because I used the same plus signs. It's particularly confusing, as the original poster was confused, when trying to compare prices, in this case system loads.

Thinking about this. I'm not saying that this implies *OpenBSD* changed its calculation. As Theo pointed out, other kernels have changed what they report to the load tool. So that shifts the measure on other kernels. Perhaps he took this personally.
Re: I don't get where the load comes from
On Thu, Jun 2, 2011 at 4:58 AM, Paul de Weerd we...@weirdnet.nl wrote: On Thu, Jun 02, 2011 at 01:12:54AM -0400, Nico Kadel-Garcia wrote:

| Then perhaps learn to write. If you're measuring a different
| phenomenon, one that has different units, then it's a distinctly
| different *calculation* because you're measuring a distinct collection
| of objects. One may as well add up a restaurant bill, leave out the
| tax and tip, and say it's unchanged because I used the same plus
| signs.

No different measurement, nothing has changed. Your tax+tip example is off; day one you just have soup, the next day you have soup plus a main course. The *price* changed, not the tax rate or the tip rate. With a changed price, the final sum is different but the calculation is exactly the same. You're not arguing that the calculation is different because the outcome changes, are you ? If that's your point then I'm not really sure what you're doing here; that's just inane.

No, no. I did read Theo's note, especially where he said: Some kernels have decided to not count those threads, others do count them. The kernel is still running the processes, in both cases. They're consuming system resources. Running too many such processes will still interfere with other production. I'm still having the soup, either way.

These days there's more processes on a machine, including those kernel threads, you know...the ones with non-random (ie sequential) PIDs that also do work. Also, the speed of the system has changed. Units do not change; variables change (just like the amount of work a machine does over the course of 1, 5 or 15 minutes) but the calculation does not: it gathers some variables and outputs a nigh meaningless number.

So you're implying that because we make more money, and don't notice the tax and tip so much on the bill. It still matters. It's still part of the bill, and very confusing when comparison shopping.

It's a metaphor I use because I'm in Massachusetts, not that far from New Hampshire: different things are tax free in each state. The money, or in this case the resources, is coming out of *somebody's* pocket.
Re: How do I exclude a directory using tar in OpenBSD?
On Tue, May 31, 2011 at 8:39 AM, Stuart Henderson s...@spacehopper.org wrote: On 2011-05-31, Marian Hettwer m...@kernel32.de wrote: On Tue, 31 May 2011 10:53:58 +0200, LEVAI Daniel l...@ecentrum.hu wrote: On Tue, May 31, 2011 at 11:42:24 +0300, Michael Sioutis wrote:

Hello! I can't find it in the man page, and it seems it is not supported (?) I am trying to backup some folders and want to exclude some and nth will work. I've tried: --exclude=/folder/ --exclude=/folder/ --exclude /folder --exclude folder I will get an error: --exclude... directory doesn't exist. Excluding will work in Linux.

That is a GNU extension. You can work this around with find(1) and the tar(1)'s '-I' option.

bsdtar from the FreeBSD project supports --exclude too. The OP could as well install gnu tar from packages.

bsdtar doesn't seem to exist... At least that's what I do at work (Debian, Solaris, OpenBSD env). It's a pain to walk around every nifty details of different unixes...

The other way you can do it is just use posix-specified options and not rely on vendor-specific extensions. But unfortunately many of the vendors (*cough*gnu*cough*) don't make it clear which options are standard and which are extensions... And, sadly, even some of the BSD-derived OS have replaced a bunch of their standard tools with GNU.

GNU tools have become the industry standard, for a stack of reasons. This sort of useful feature for tar, its protective autostripping of leading slashes, and its built-in compression access are only a few of the reasons it's become so popular. Transforming a simple --exclude based command line into a set of included targets can become extremely awkward, especially when snapshotting a dynamic target (for backup purposes) or dealing with file names from a shared file system (such as an NFS or Samba published system in international settings) where parsing the names can cause chaos. I've had similar issues with the cp command, and its lack of cp -a.

I've taken to using rsync, first, to generate a target space that I can then run the tar or other commands against. With cheaper, faster disk these days, it's usually cheaper for me as a programmer to do this.
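Both tar threads above (the exclude question here and the pax/POSIX exchange earlier on the page) come down to the same problem: --exclude is a GNU extension, and building an include list from find(1) gets fragile once file names contain spaces or other odd characters. The following is an added example, not code from the thread, from OpenBSD or from GNU tar: it uses Python's tarfile module so the same exclusion logic works wherever Python runs. Two choices follow points made in the thread: members are stored with relative names (no leading slash, so an extract cannot write outside its target directory, the "protective autostripping" mentioned above), and exclusion is decided by comparing path components rather than re-parsing a text list, so names with spaces are harmless. The directory tree it archives is constructed inline in a temporary directory.

```python
"""Added example (not the thread's own code): tar a directory while
skipping chosen subdirectories, portably, with Python's tarfile module."""
import os
import tarfile
import tempfile


def _relative(member_name):
    """Strip the leading './' that arcname='.' produces; '.' itself is the root."""
    if member_name == ".":
        return ""
    return member_name[2:] if member_name.startswith("./") else member_name


def _is_excluded(relpath, excluded):
    """True if relpath is, or lies under, any excluded directory.

    Comparison is by path component, so excluding 'cache' does not also
    exclude 'cachex/...'."""
    parts = relpath.split("/")
    for ex in excluded:
        ex_parts = ex.strip("/").split("/")
        if parts[:len(ex_parts)] == ex_parts:
            return True
    return False


def archive_excluding(src, out_path, excluded):
    """Write out_path as a tar of src, skipping the given subdirectories.

    Returns the sorted list of member names stored in the archive.  Member
    names are relative ('./etc/config'), never absolute."""
    src = os.path.abspath(src)

    def keep(info):
        # Returning None drops the member; for a directory, tarfile then
        # does not descend into it, so the whole subtree is skipped.
        rel = _relative(info.name)
        return None if rel and _is_excluded(rel, excluded) else info

    with tarfile.open(out_path, "w") as tar:
        tar.add(src, arcname=".", filter=keep)
    with tarfile.open(out_path, "r") as tar:
        return sorted(tar.getnames())


def demo():
    """Constructed sample tree; archive it without 'cache' and 'tmp/scratch'."""
    root = tempfile.mkdtemp(prefix="src-")
    for rel in ["etc/config", "home/user/notes with spaces.txt",
                "cache/blob", "tmp/scratch/junk", "tmp/keep"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("constructed sample\n")
    # the archive lives outside root so it is not swept into itself
    out = os.path.join(tempfile.mkdtemp(prefix="out-"), "backup.tar")
    return archive_excluding(root, out, ["cache", "tmp/scratch"])


if __name__ == "__main__":
    for name in demo():
        print(name)
```

The same relative-name rule is worth checking on any archive you did not create: a member name beginning with "/" or containing ".." is the case the leading-slash stripping exists to neutralise.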
Re: I don't get where the load comes from
On Wed, Jun 1, 2011 at 11:49 AM, Theo de Raadt dera...@cvs.openbsd.org wrote: On 2011-06-01 15.53, Joel Wiramu Pauling wrote: On 2 June 2011 01:41, Benny Lofgren bl-li...@lofgren.biz mailto:bl-li...@lofgren.biz wrote:

I agree with what you are saying, and I worded this quite badly, the frame I was trying to setup was back in the day when multi-user meant something (VAX/PDP) - the load average WAS tied to core utilization - as you would queue a job, and it would go into the queue and there would be lots of stuff in the queue and the load average would bump, because there wasn't much core to go around.

Not wanting to turn this into a pissing contest, I still have to say that you are fundamentally wrong about this. I'm sorry, but what you are saying simply is not correct. I've worked in-depth on just about every unixlike architecture there is since I started out in this business back in 1983, and on every single one (that employed it at all) the load average concept has worked similarly to how I described it in my previous mail. (Not always EXACTLY alike, but the general principle has always been the same.) The reason I'm so adamant about this is that the interpretation of the load average metric truly is one of the longest-standing misconceptions about the finer points of unix system administration there is, and if this discussion thread can set just one individual straight about it then it is worth the extra mail bandwidth. :-)

100% right. The load average calculation has not changed in 25 years. Anyone who says otherwise hasn't got a single fact on their side. What has changed, however, is that the kernel has more kernel threads running (for instance, ps aguxk, and look at the first few which have the 'K' flag set in the 'STAT' field. Some kernels have decided to not count those threads, others do count them. Since these kernel threads make various decisions for when to do their next tasks and how to context switch, the statistical monitoring of the system which ends up creating load values can get perturbed. That's what this comes down to.

Which.. sounds exactly like a change in the load average calculation, due to kernel changes, that has occurred in the last 25 years.
Re: I don't get where the load comes from
On Thu, Jun 2, 2011 at 12:48 AM, Theo de Raadt dera...@cvs.openbsd.org wrote:

100% right. The load average calculation has not changed in 25 years. Anyone who says otherwise hasn't got a single fact on their side. What has changed, however, is that the kernel has more kernel threads running (for instance, ps aguxk, and look at the first few which have the 'K' flag set in the 'STAT' field. Some kernels have decided to not count those threads, others do count them. Since these kernel threads make various decisions for when to do their next tasks and how to context switch, the statistical monitoring of the system which ends up creating load values can get perturbed. That's what this comes down to.

Which.. sounds exactly like a change in the load average calculation, due to kernel changes, that has occurred in the last 25 years.

You clearly cannot read. The calculation has NOT CHANGED. The way that work is done in the kernel has changed. You better get back to class; your potty break is over.

Then perhaps learn to write. If you're measuring a different phenomenon, one that has different units, then it's a distinctly different *calculation* because you're measuring a distinct collection of objects. One may as well add up a restaurant bill, leave out the tax and tip, and say it's unchanged because I used the same plus signs. It's particularly confusing, as the original poster was confused, when trying to compare prices, in this case system loads.
Re: sparc64 v120 needed in the Netherlands
On Wed, May 18, 2011 at 6:48 PM, Ariane van der Steldt ari...@stack.nl wrote:

Hi, For development on OpenBSD, I need a sun v120 machine in Eindhoven, the Netherlands. It turns out, I don't have a 64-bit big-endian machine (and suns are just awesome). Please contact me if you have one. Thanks,

I assume this is for legacy compatibility work? While Sun made good hardware, my friends in Boston universities, such as MIT and Harvard, with Sun hardware have been extremely unhappy with Oracle's support. The Oracle presented upgrade paths for such hardware have been basically replace the hardware and install a more supported OS such as the Oracle rebundled RHEL called Unbreakable Linux. OpenBSD might have some very useful openings for legacy support there, but I don't see Oracle being aggressive with releasing new Sun-style architecture there, especially since the advent of the x86 based Sun machines.
Re: impact of unaligned partitions/slices on 4kB sector drives (wd10ears)
On Sat, May 14, 2011 at 9:14 PM, Kenneth R Westerback kwesterb...@rogers.com wrote:

1) Don't cross post. 2) Install something more recent than 4.6 (e.g. 4.9) and you will find that partitions and filesystems will be aligned on 4K boundaries. 3) If you can, without trying hard, end up with misaligned partitions on a fresh 4.9 install then please detail the steps you followed and I for one would be very interested.

Perhaps not top-posting, and trimming excessive quoted material which is not actually relevant to the content you're adding, would help as well?

That said, 4096 byte block alignment is an ongoing issue in virtualization. If your storage on your virtualization server is 4096 byte block aligned, such as NetApp fibre channel or NFS images for high availability VMWare environments, it's vital that the guest images have their partitions aligned. Since the guests currently have no way to be aware of the back-end storage, and won't until virtualization technologies include options for 4096 byte block drive emulation, it's a problem. It's particularly critical to avoid the 63-block DOS compatibility before the first partition. I've personally written and posted tools for that for Linux environments, but haven't tried it for OpenBSD: I'd welcome guidelines for that.
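The post above asks for an alignment check for guest images. The following is an added example, not one of the poster's tools and not OpenBSD code: given partition start offsets in 512-byte logical sectors (what a drive like the wd10ears advertises) it reports which starts sit on a 4096-byte boundary, the nearest aligned start, and how many physical sectors a single 4 KiB filesystem block would straddle, which is the read-modify-write cost of misalignment. The sample partition table is constructed; the 63-sector DOS offset in it is the case the post warns about.

```python
"""Added example (not from the thread): audit partition start offsets for
4096-byte physical sector alignment.

Assumptions: LBAs count 512-byte logical sectors, physical sectors are
4096 bytes, and the filesystem block size is 4096 bytes."""
LOGICAL = 512
PHYSICAL = 4096
FS_BLOCK = 4096


def is_aligned(start_lba, logical=LOGICAL, physical=PHYSICAL):
    """True if the partition's byte offset is a multiple of the physical sector."""
    return (start_lba * logical) % physical == 0


def next_aligned(start_lba, logical=LOGICAL, physical=PHYSICAL):
    """Smallest LBA >= start_lba that is physically aligned (ceiling division)."""
    per_phys = physical // logical
    return -(-start_lba // per_phys) * per_phys


def physical_sectors_touched(start_lba, nbytes, logical=LOGICAL, physical=PHYSICAL):
    """How many physical sectors a write of nbytes starting at start_lba spans.

    An aligned 4 KiB block touches exactly one; a misaligned one touches two,
    forcing the drive to read-modify-write both."""
    first = (start_lba * logical) // physical
    last = (start_lba * logical + nbytes - 1) // physical
    return last - first + 1


def audit(partitions, logical=LOGICAL, physical=PHYSICAL, block=FS_BLOCK):
    """partitions: iterable of (name, start_lba).  Returns one report dict each."""
    report = []
    for name, start in partitions:
        report.append({
            "name": name,
            "start": start,
            "aligned": is_aligned(start, logical, physical),
            "suggested_start": next_aligned(start, logical, physical),
            "phys_sectors_per_block": physical_sectors_touched(start, block, logical, physical),
        })
    return report


# Constructed sample layout: the classic 63-sector DOS offset, a partition
# starting on the first 4 KiB boundary after it, and one at the 1 MiB mark.
SAMPLE = [("a", 63), ("b", 64), ("d", 2048)]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%(name)s start=%(start)d aligned=%(aligned)s "
              "suggested=%(suggested_start)d phys/block=%(phys_sectors_per_block)d" % row)
```

On a live system the (name, start) pairs come from whatever prints the partition table (disklabel(8) on OpenBSD); the arithmetic is the same for any logical/physical sector pairing, which is why both are parameters.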
Re: xxxterm and firefox35 May 11 snapshot
On Sun, May 15, 2011 at 4:24 PM, Martin Pelikan martin.peli...@gmail.com wrote: 2011/5/15 Ted Unangst ted.unan...@gmail.com: On Sat, May 14, 2011 at 4:05 PM, Amit Kulkarni amitk...@gmail.com wrote:

Determining which package needs rebuilding is really hard. It's much easier to install a complete matched set.

I believe some Linuxes do something like 'find /usr/local/lib -name lib*.so* -exec ldd {} ; stuff' and then match stuff's not found lines against all installed packages' PLIST. Is there more difficulty to it? I mean, besides that OpenBSD's ldd fails to write anything if only one library is missing, but that can't be too hard to write/port, can it?

??? Slow down there, you've just glossed over a lot of resource tracking, which can save your tail when you have difficulty resolving a dependency, but cause absolute chaos when it's ignored by someone taking a short cut and never documenting it. dpkg and RPM based systems assess the library dependencies reported by the binaries, at build time, against the build environment. Making that build environment consistent and based on only registered, well defined, repository provided resources soaks up a lot of engineering time. To install that other package with the necessary library, *if* that package has a dependency on another library or binary, that dependency is supposed to be recorded in the first library's list of dependency and resolved by the package management system. This is a lot of work, but very useful for assuring that individual component variants or upgrades do not drag in a tremendous and incompatible toolchain of madness that breaks existing components. (CPAN is famous for this problem: two different updates of components that rely on each other can rely on incompatible, overlapping components. Used to drive me nuts when people would just slap in whatever module they wanted and I'd have to resolve the discrepancies: don't get me going on mod_perl..)

And yes, it's painfully slow and stupid, but fortunately for us unnecessary most of the time.

It's usually pretty automatic with both deb and RPM formats. Some attention has to be paid, but I've assembled about 200 RPM's for components that were not in the main code tree that developers needed for their work. That includes recent backports of OpenSSH to older operating systems, by the way, and the identification of the dependencies of the build environments was very helpful.
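The exchange above sketches the check (scan binaries for "not found" libraries, match them against package file lists) and then the reply points out what a package manager adds on top: the provider package's own recorded dependencies. The following is an added example, not code from the thread, from OpenBSD's package tools or from dpkg/RPM, that does both steps offline on constructed data. The ldd text is in the "lib => not found" form GNU ldd prints (the thread notes OpenBSD's ldd behaves differently); the PLIST contents and recorded dependencies are constructed.

```python
"""Added example (not from the thread): map 'not found' shared libraries
to the installed packages whose file lists provide them, then pull in
those packages' recorded dependencies transitively."""
import re

# Constructed GNU-ldd-style output for two binaries; only 'not found' lines matter.
LDD_OUTPUT = {
    "/usr/local/bin/foo": """\
        libc.so.62.0 => /usr/lib/libc.so.62.0
        libpng.so.16 => not found
        libz.so.5 => /usr/lib/libz.so.5
""",
    "/usr/local/bin/bar": """\
        libfoo.so.3 => not found
        libpng.so.16 => not found
""",
}

# Constructed package file lists (PLIST-like), keyed by package name.
PLISTS = {
    "png-1.6": ["lib/libpng.so.16", "include/png.h"],
    "libfoo-3.0": ["lib/libfoo.so.3"],
    "zlib-1.2": ["lib/libz.so.5"],
}

# Constructed dependencies recorded at build time, as a package manager would store them.
DEPENDS = {"png-1.6": ["zlib-1.2"], "libfoo-3.0": [], "zlib-1.2": []}

NOT_FOUND = re.compile(r"^\s*(\S+)\s+=>\s+not found\s*$", re.M)


def missing_libraries(ldd_text):
    """Library names that the dynamic linker could not resolve."""
    return NOT_FOUND.findall(ldd_text)


def providers(libname, plists):
    """Packages whose file list contains a file with exactly this base name."""
    return sorted(pkg for pkg, files in plists.items()
                  if any(f.rsplit("/", 1)[-1] == libname for f in files))


def resolve(ldd_by_binary, plists, depends):
    """For each binary: packages that satisfy its missing libraries, closed
    over their recorded dependencies, plus libraries no package provides."""
    result = {}
    for binary, text in ldd_by_binary.items():
        needed, unresolved = set(), []
        for lib in missing_libraries(text):
            pkgs = providers(lib, plists)
            if not pkgs:
                unresolved.append(lib)
            needed.update(pkgs)
        # transitive closure over the recorded dependency graph
        todo = list(needed)
        while todo:
            for dep in depends.get(todo.pop(), []):
                if dep not in needed:
                    needed.add(dep)
                    todo.append(dep)
        result[binary] = {"install": sorted(needed), "unresolved": unresolved}
    return result


if __name__ == "__main__":
    for binary, info in resolve(LDD_OUTPUT, PLISTS, DEPENDS).items():
        print(binary, "install:", info["install"], "unresolved:", info["unresolved"])
```

Matching on the exact versioned base name (libpng.so.16, not libpng.so) is deliberate: a package providing a different major version of the same library would satisfy a loose match and then fail at run time, which is the "incompatible toolchain" problem the reply describes.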
Re: Why does GENERIC kernel for OpenBSD 4.8 and 4.9 not support software RAID
On Wed, May 4, 2011 at 7:01 PM, roberth rob...@openbsd.pap.st wrote: On Wed, 04 May 2011 15:38:46 -0700 Tyler Morgan tyl...@tradetech.net wrote: On 5/4/2011 10:04 AM, Josh Grosse wrote:

http://www.ec (plz all stop pushing that links search engine rank.)

I think this is mainly due to the fact that softraid can't be used for the root partition (or booted off of, for now). This leads everyone to follow RAIDFrame guides to install OpenBSD onto software RAID1, but nobody bothers to mention that RAIDFrame isn't actually maintained anymore.

Give the man a kewpie doll!!!

I'm dealing with modest server hardware, which didn't have workable hardware RAID. I've found the hardware RAID compatibility chart to be awkward: much of the recommended hardware is no longer manufactured or not sufficiently specified to rely on. Naming a chipset is not enough: a model number is really ideal, because saying LSI or Dell Perc covers dozens of different cards, some of which may be very reliable but others are not. I used to recommend 3Ware from good experience and general UNIX/Linux compatibility, but they got bought by LSI: gods only know what their quality is these days.

Also, I just went and tried the sensible guidelines at http://jpiasetz.tumblr.com/post/483365684/software-raid-on-openbsd-using-softraid, which use softraid for non-/boot partitions. Seems reasonable, but this command simply fails:

# bioctl -C force -c 1 -l /dev/wd0d,/dev/wd1d softraid0
# dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
bioctl: Can't locate raid0 device via /dev/bio

The documentation on bioctl is reasonable, and detailed, and not very useful due to not having examples for noobs.
Why does GENERIC kernel for OpenBSD 4.8 and 4.9 not support software RAID
I've been using the very helpful notes at http://www.eclectica.ca/howto/openbsd-software-raid-howto.php, which works, but does document needing to build a new kernel to enable software RAID. (I included GENERIC.MP in my GENERIC.MPRAID configuration: it's a multi-core machine.) But I had a fascinating chat with another engineer, who I suspect has worked more with OpenBSD than I have, who is very surprised at this requirement. He pointed out that GENERIC is normally the kitchen sink kernel, with everything possible enabled. I've checked the source, and I see where the RAID is disabled in the GENERIC kernel, but would like to know why. Is there a significant performance or reliability risk with that feature enabled? I've not found anything in the archives that explains this, although it's *awfully* hard to find useful information with such generic keywords as software RAID.
Re: Any suggests for modest, known compatible servers with RAID 1?
On Sat, Apr 30, 2011 at 1:34 AM, George Georgalis geo...@galis.org wrote:

Nico, I don't know what your risk is, but if it's a perimeter box running pf and ssh maybe consider running on cflash or usb stick? Or one of those bootable cdroms? I log to a ram fs so I think the only media writes are for ntp.drift, and yes I'm more concerned about the other hardware failing than the OS media. -George

Those are not really OpenBSD issues, but architectural ones you're addressing. It's also hosting upload/download content, so non-writable OS's are not going to work: if I could gracefully and quickly do it, I'd actually make it a live CD based setup, but configured user SSH keys and uploaded files need someplace to be.

You've raised an interesting point with flash hardware. How well is that working for you? Note that I have significantly more write traffic because the host is an SFTP/SCP server as well as mere SSH passthrough.
Re: Any suggests for modest, known compatible servers with RAID 1?
On Sat, Apr 30, 2011 at 5:13 AM, Stuart Henderson s...@spacehopper.org wrote: On 2011-04-29, Nico Kadel-Garcia nka...@gmail.com wrote: On Fri, Apr 29, 2011 at 12:09 PM, Stuart Henderson s...@spacehopper.org wrote: On 2011-04-29, Nico Kadel-Garcia nka...@gmail.com wrote:

So, I'm looking for recommendations. Modest 1U pizza boxes?

R210? (as long as you don't need externally accessible disks.)

Even brand names for known-good PCI or PCIe SATA controllers would be helpful,

LSI

Thanks for the thought. I was unclear: I wanted the model name, not the manufacturer's name. I've had.. harsh experience when some components by a particular vendor work well, but others do not. And even model names can be *very* confusing when a vendor deliberately has a name on the box that doesn't match the spec sheet that doesn't match the BIOS reported component name. (Dear lord, don't *get* me going on the old 3com network cards and the Mega[notworking]RAID cards of various vintages.

Anything supported by mpi(4) mfi(4) or mpii(4) should be ok (covering all the hardware raid options on dell boxes should work). Out of these mpi and mfi are more widely used, so will have had more testing. For older hardware ami(4) is ok too but it sounds like you're looking for something new.

I was hoping for model numbers. Now that I'm up with software RAID, I can take time and look to the future for hardware RAID. The software RAID basically took me 2 days poring through documents and details. I'm still writing up my notes to submit to the current guideline maintainer. (The originals are very good notes!! I'd love to see them linked to directly on the OpenBSD faq, or incorporated there, but I can make some steps safer.)

I've actually spent a bit more time and gotten software RAID working and will send some updates to the authors of the very helpful software RAID guidelines that I found.

The only _maintained_ software raid on OpenBSD is softraid(4), that has only just recently had code written to allow booting from it and it's not committed yet.

Really? The notes at http://www.eclectica.ca/howto/openbsd-software-raid-howto.php are for OpenBSD 3.7.

For what you're talking about using the machine for, I'd be much happier with a single disk than an unmaintained software raid setup. And if there's a choice between two (carp'd?) boxes with single disks, or one box with raid, two boxes would be hugely preferable.

I'm inclined to agree, for personal experience reasons. I've done a lot of high availability setups, and hardware failures have been one of the *least* of the sources of failures. Configuration screwups, especially for feature filled and highly tuned setups, have been far more of a risk. There are other reasons not to put more boxes in the relevant rack right now. So, in the longer term, I'll be pursuing that. I might even virtualize it: I've got OpenBSD 4.8 running very well under VirtualBox and reasonably well under KVM right now, except for some bridge configuration reasons, and could consider VMWare.
Re: Any suggests for modest, known compatible servers with RAID 1?
On Fri, Apr 29, 2011 at 12:24 AM, Abel Abraham Camarillo Ojeda acam...@verlet.org wrote: On Thu, Apr 28, 2011 at 10:25 PM, Nico Kadel-Garcia nka...@gmail.com wrote:

I just went halfway through the build your own custom kernel, manually configure partition tables, etc., etc. rituals to set up software RAID for OpenBSD 4.8, and have concluded that it's not economical the engineering time to do all that manual work for something available in hardware. So, I'm looking for modest servers to simply act as a locked down external SSH server. I can lock down the OpenSSH pretty thoroughly, I'm just looking for modest, known-compatible server hardware. Any good recommendations? The listings for RAID compatibility include a lot of higher end cards, and for this application, RAID 1 is plenty.

Be sure to buy two of them, for when the RAID card fails.

My prepositions also seem to have run shrieking for the hills while writing that note. My English is usually better than that.

This is a fair point, and I did intend to buy several for various other uses as well. I'm looking at replacing/upgrading a set of hardware, so standardizing on hardware and keeping several hosts compatible with robust OpenBSD is reasonable. I'd like to start it right: even though the software RAID is available, I found the very helpful server compatibility list at http://www.armorlogic.com/openbsd-information-server-compatibility-list.html, and the RAID compatible chipset list at http://www.openbsd.org/i386.html#hardware. Problem is, the twain don't easily meet. I don't need RAID6, just RAID1, and drilling down through server specs to find whether they're compatible is fairly painful. And for the server compatibility list, a lot of those aren't being manufactured anymore, or are way, way more server than I need. (I just need pizza boxes, not virtualization clustering servers.)

So, I'm looking for recommendations. Modest 1U pizza boxes? Even brand names for known-good PCI or PCIe SATA controllers would be helpful, rather than having to chew through the chipsets. (Been there done that, lots of vendors keep it really obscured, and my old favorite 3Ware got bought by LSI.)
Re: Any suggests for modest, known compatible servers with RAID 1?
On Fri, Apr 29, 2011 at 12:09 PM, Stuart Henderson s...@spacehopper.org wrote: On 2011-04-29, Nico Kadel-Garcia nka...@gmail.com wrote:

So, I'm looking for recommendations. Modest 1U pizza boxes?

R210? (as long as you don't need externally accessible disks.)

Even brand names for known-good PCI or PCIe SATA controllers would be helpful,

LSI

Thanks for the thought. I was unclear: I wanted the model name, not the manufacturer's name. I've had.. harsh experience when some components by a particular vendor work well, but others do not. And even model names can be *very* confusing when a vendor deliberately has a name on the box that doesn't match the spec sheet that doesn't match the BIOS reported component name. (Dear lord, don't *get* me going on the old 3com network cards and the Mega[notworking]RAID cards of various vintages.

I've actually spent a bit more time and gotten software RAID working and will send some updates to the authors of the very helpful software RAID guidelines that I found.
Any suggests for modest, known compatible servers with RAID 1?
I just went halfway through the build your own custom kernel, manually configure partition tables, etc., etc. rituals to set up software RAID for OpenBSD 4.8, and have concluded that it's not economical the engineering time to do all that manual work for something available in hardware. So, I'm looking for modest servers simply act as a locked down external SSH server. I can lock down the OpenSSH pretty thoroughly, I'm just looking for modest, known-compatible server hardware. Any good recommendations? The listings for RAID compatibility include a lot of higher end cards, and for this application, RAID 1 is plenty.