Re: Firewall setup

2024-04-14 Thread Sean Kamath



> On Apr 14, 2024, at 08:09, Karel Lucas  wrote:
> 
> Hi all,

Hi.

> So let's start simple and then proceed step by step. I want to continue with 
> ping so that I can test the connection to the internet. This works: ping -c 
> 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. As others 
> have stated, I have a problem with using DNS servers on the internet.

Does DNS resolution work without PF being enabled?

If you want to “start simple”, don’t enable PF (or disable it, or use the 
default ruleset that OpenBSD ships with) and make sure everything works.

Sean




Re: Bash instead of ksh

2024-04-02 Thread Sean Kamath
> On Apr 2, 2024, at 20:26, Brian Conway  wrote:
> 
> On Tue, Apr 2, 2024, at 10:08 PM, Nick Holland wrote:
>> What is it that you see bash doing so much better than stock pdksh?
> 
> Multiline command editing.
> 
> (I don't use bash, but it would be a nice feature.)

I dunno.  It’s a mixed bag.  With ksh for a billion years, I got used to 
setting FCEDIT=emacs, and using ‘r ’ and bob's your uncle you get an 
editor with your multiline history.  It was awesome because I would write damn 
near complete shell scripts at the prompt, then drop into the editor to save 
them as a. . . shell script.

Then I got tossed into Linux land with no option to use ksh, and. . . bash 
converts all my multiline commands into one goddamn long-ass line.

On the plus side, sometimes editing that is easier.  On the downside, I no 
longer use fcedit to edit the history, because why go into an editor for a single 
damn-ass line.  But that also means the end of converting my long commands into 
a script when it got too unwieldy.

So, you know.  No.  I wish I didn’t have to deal with BASH and its multiline 
conversion to single lines and other jankiness (by jankiness, I mean “magic”).

Sean


Re: squid replacement

2023-10-20 Thread Sean Kamath



> On Oct 20, 2023, at 11:35, Lyndon Nerenberg (VE7TFX/VE6BBM) 
>  wrote:
> 
> Does anyone know of another HTTP proxy that supports squid-style
> ACLs?  That's a big part of why we chose it in the first place.  We
> restrict which hosts can connect to the proxy, and further restrict
> which hosts they can connect to upstream.  We don't need (or want)
> caching -- just connection pass through.

Just which hosts and ports?  No caching?

Kinda sounds like a pf.conf solution. . .  Maybe with relay to relay everything 
through a firewall?

Sean



Re: Update from 6.5 to 7.3

2023-09-09 Thread Sean Kamath


> On Sep 9, 2023, at 00:54, Alessandro Baggi  wrote:
>> On 08/09/23 19:54, Marc Espie wrote:
>> On Fri, Sep 08, 2023 at 06:36:57PM +0200, Alessandro Baggi wrote:
>>> 
>>> On 08/09/23 18:24, Peter N. M. Hansteen wrote:
>>>> On Fri, Sep 08, 2023 at 10:01:45AM +0200, Alessandro Baggi wrote:
>>>>> I've a problem. I need to upgrade OpenBSD from 6.5 to 7.3 on an APU2D. 
>>>>> This is a firewall.
>>>> 
>>>> If you are planning to go the supported route and upgrade from release to 
>>>> release, you have eight rounds of upgrading ahead.
>>> 
>>> Actually I upgraded from 6.5 to 7.0 and I learned many new things. Wow...I
>>> love OpenBSD.
>> Please tell us about your experience ! it's probably going to be rather
>> interesting.
> 
> The process is really easy

I’ll echo Alessandro’s comments, and add:

I’ve been upgrading two OpenBSD Vultr instances since at LEAST 6.4.  I can say 
this authoritatively because I have a directory for each release, with a “Pre” 
and “Post” file of what to do.  I’m actually pretty sure I’ve done it since 
6.0, but wasn’t smart enough to keep notes back then.

My general process is:

* Clone the instance to a new instance
* Upgrade the clone and walk through everything in the upgradeXX.html page
  * sysupgrade
  * sysmerge
  * pkg_add -u
  * pkg_delete -a (check what it does!)
  * sysclean (confirm what it’s deleting!)
  * syspatch
  * reboot
* Rinse and repeat until everything comes up cleanly, documenting the things 
that often have to be handled:
  * Sysmerge issues (usually pretty straightforward, but sometimes I do wish I 
could (easily) use sdiff. :-) (it’s pretty easy to do it “manually”, but it 
took me a few tries to figure it out).
  * pkg_add -u issues (I’m lookin’ at you, PHP.  OMG.  I run roundcube, and 
every other release I have to put back in some extensions to PHP.). <- THIS IS 
WHERE THE NOTES ARE HELPFUL (doing the same thing over and over again).
  * The VERY rare “and make sure you do  before you even start” type stuff
* Take a snapshot
* Run the upgrade process with the notes.  To date, I’ve never had to revert to 
the snapshot for a failure.

I got WAY behind when OpenSMTPD changed syntax on a bunch of stuff, so I did 
6.4->7.1 in like a month.  Note, these are my production mail servers (yeah, 
personal mail servers, but still — the family is NOT happy when mail doesn’t 
work).  The biggest hiccup was having to ask Vultr to mark the instance as an 
OpenBSD 7.0 instance (which fixed some vm problem causing my instance to reboot 
randomly).

This worked so well, I started to do it for the ALIX/APUs at the house I use 
for firewalls.  Generally, same process.  Before that, I had a git repository 
of installation scripts (I still have that, and used it to go from the ALIX to 
the APU firewalls, rather than just copying files — keeps the installation bits 
fresh. :-)).

I’ll also say that the more you understand what you’re running on the system, 
how it’s configured, and how it works, the easier it is when something 
unexpected happens.  So don’t just install using recipes on the web.  I mean, 
it’s fine to use them as a guide, but understand what each step is doing, and 
why.  It really helps a couple of years later when you’re upgrading, and 
something breaks.

Sean



Re: recommendations for web hosting in Canada?

2023-07-07 Thread Sean Kamath
On Jul 6, 2023, at 23:09, Abel Abraham Camarillo Ojeda  
wrote:
> vultr seems to have vps in toronto, canada and last time I checked they
> supported OpenBSD via its deployment webapp

I literally deployed a Vultr VPS with OpenBSD 7.3 last night.  Took about 10 
minutes.  I only mention it because, well, it is apropos.

Generally, I’ve found their service fairly reliable, though they occasionally 
have network maintenance, and sometimes the VPS pukes — but they are responsive 
and don’t seem to be idiots when I contact them (there was some kerfuffle about 
the VM setting for OpenBSD, but they informed ME about the issue, and worked 
with me to get them properly set at the appropriate juncture).

I have no experience with any other provider.  I’m not shilling for them 
(though they do ask you to refer people, and get some benefit, but I don’t 
care).  They just basically do what I need them to do.  And for $5/VPS (plus 
other costs for backups and snapshots, of course), it’s a fine solution for a 
personal email+dns+http setup.

Sean



Re: ChatGPT writes a pf.conf by spec, earns an "F" grade

2023-06-07 Thread Sean Kamath
> On Jun 7, 2023, at 01:28, Peter N. M. Hansteen  wrote:
> 
> Recorded at https://nxdomain.no/~peter/chatgpt_writes_pf.conf.html for those
> who would be interested.

So in the thread that made you try it 
(https://bsd.network/@dch/110501874752402311) they said:

"@pitrh I’m still waiting for it to explain my pf .conf setup to me”

Which is kinda the inverse of “make me a pf.conf file”.  I am curious if 
“explain to me this pf.conf in plain english” would work.  :-)

Sean



Re: sysupgrade fails with "FAILED" when "verifying sets"?

2022-12-14 Thread Sean Kamath



> On Dec 14, 2022, at 03:03, Bodie  wrote:
>> On 14.12.2022 11:34, Why 42? The lists account. wrote:
>> Right you are, that's the one :-/ I used to be a SPARC kinda guy, but
>> those are all gone now.
> 
> OT - they are not, but those prices...
> 
> https://shop.eol.systems/servers/server/

Wow.  OK, so maybe there’s hope for me unloading the Ultra 80 and random other 
SPARC boxes I still have! :-)

Sean




Re: Possible Bug - 7.1 stable - scsi_xfer pool exhausted

2022-12-03 Thread Sean Kamath



> On Dec 3, 2022, at 09:06, Stuart Henderson  wrote:
> AFAIK the main options available at that point are:
> 
> deadlocks waiting for resources
> detect the problem and randomly kill processes (e.g. linux oom killer)
> detect the problem and panic


I recall a long time ago reading on LKML that if the oom-killer is triggered, 
the recommendation is to reboot as soon as possible.  Many people don’t even 
know it runs until they can’t figure out why some random daemon is not running.

> (in particular a lot
> of software really doesn't behave well when malloc fails)

Thank you Linux for giving us the guaranteed success of malloc(). . .

I hate overcommit.  I get why it’s there, but that doesn’t mean I can’t hate it.

Sean


Re: OpmenBDS XFCE

2022-08-15 Thread Sean Kamath



> On Aug 13, 2022, at 02:58, Omar Polo  wrote:
> (Also, please, it's spelled OpenBSD -- where BSD stands for Berkely
> Software Distribution)

Super Minor Nit: Berkeley

For fun and wasting some time: 
https://en.wikipedia.org/wiki/Berkeley_Software_Distribution 

See the Simplified Evolution of Unix Systems image.  Quite enlightening for new 
folks.

Sean


Re: Trouble with lpr and Brother wireless printer

2022-08-05 Thread Sean Kamath
> On Aug 4, 2022, at 21:27, Ben Hancock  wrote:
> 
> So, to wrap up: I do not recommend the Brother HLL2350DW for your
> OpenBSD printing needs. I may end up heeding the suggestions to
> simply buy a printer that speaks PostScript. Recommendations welcome.

HP used to make freakin’ tanks, and I had a LaserJet 4MV or 4M+ for something 
close to 15 years.  Bought it rebuilt (AFTER they stopped manufacturing it). 
:-). I can’t speak to anything they produced after 2005, though.

I’ve been extremely happy with my Canon — but I don’t use it from OpenBSD 
(though someday I will get around to it).  They make engines that a lot of 
other companies use.

I used to subscribe to the idea that buying a used “enterprise” printer was 
ideal (hence the used HPs — I had two, they both were awesome), but I’ve been 
seduced by short click-to-clack times.

What I still believe: Get a printer that does one thing: Print.  No gizmofrobs 
or wingdings.  And get a laser printer.  Ink is a nightmare.

Sean

PS I used to work at a printer company (actually two).  I used to know a LOT 
about printers (particularly PostScript printers).  I don’t anymore (I’ve been 
out of that space for . . . wow.  18 years now. . .).  It wasn’t HP.



Re: Trouble with lpr and Brother wireless printer

2022-08-02 Thread Sean Kamath
The shortest postscript I know to test a printer:

%!
newpath clippath stroke showpage

It will draw a line around the page clipping path (i.e., the outermost edge 
the printer can print at).

Sean

PS That’s also short enough to type at a printer if you connect to it with 
’nc’. :-)

> On Aug 2, 2022, at 06:11, Ben Hancock  wrote:
> 
> On Tue, 2 Aug 2022 02:09:37 -0400
> gwes  wrote:
> 
>> Are you sure that you're feeding the printer a valid postscript file?
>> If there isn't something like
>> (TimesRoman) findfont 48 scalefont setfont 200 300 moveto (text) show 
>> showpage
>> nothing happens.
> 
> I believe so. The two samples I've tried were generated with man and
> enscript. I can open them both fine with ghostscript and zathura.
> 
> - Ben



Re: OpenBSD 7.1 : reorder_kernel: failed

2022-08-02 Thread Sean Kamath



> On Aug 2, 2022, at 06:30, Nick Holland  wrote:
> 
> On 7/29/22 7:29 AM, Nicolas wrote:
> 
>> What's your opinion, could you help me with that message ?
> 
> Well, I'm not really sure what is going on, but I'm guessing you
> have done something odd in the past that left the kernel rebuild
> process in a strange state. 

Not suggesting this is the same problem, but this is exactly the problem I had 
when I was compiling a kernel on another machine, and deploying it to several 
other machines.  Maybe not exactly, but kernel relink failed spectacularly.

I hacked around with adding the newly compiled kernel modules to the relink 
area, and got it to work. . . but then got busy with other stuff.  Then later 
sysupgrade failed, and I had completely forgotten I was mucking about with it.

So my choices were:

* Actively maintain my own chain of commands for build and deployment of 
kernels *AND UPGRADES* (since you can’t use sysupgrade)
* Stop being stupid and just use the release kernels, and use sysupgrade.

I forget why I was doing this, but I think it might have been to fiddle with 
the blinky lights on an ALIX board.  I.e., it was just for fun, and it quickly 
became unfun.

I haven’t completely stopped being stupid, but I have enough projects going on 
that I don’t need to reengineer what the OpenBSD team has already done for me.

Sean



Re: xidle(1) and autosuspend

2022-06-29 Thread Sean Kamath
> On Jun 29, 2022, at 04:24, Stuart Henderson  wrote:
> 
> On 2022-06-07, Florian Obser  wrote:
>> So after 5 minutes xidle starts xlock and 5 minutes after that my laptop
>> autosuspends. If I unlock the laptop before 5 minutes expire the sleep
>> gets killed and the laptop doesn't suspend.
> 
> 
> this is neat, but it makes me wish for ssh resume ;)

I’ve considered making the effort to get EternalTCP working on OpenBSD — there 
have been some patches, but then there was a recent set of security changes, 
and I have a couple of 6.7 machines to get to 7.1, so that’s a higher priority.

I use it daily and it works very well for session resumption, regardless of 
changing IPs.  You can tunnel whatever you like over it.

https://github.com/MisterTea/EternalTerminal

Sean



Re: Another kernel fault incident on a Vultr OpenBSD VM

2022-04-18 Thread Sean Kamath
I’ve been running a few Vultr instances since. . . before 2018.  Periodically, 
something comes up.  I think in the 5-ish years, I’ve had 2 issues.  Raise an 
issue with their support team and state what happened.  Both times, they 
responded with some information and that they needed to change/rebuild some 
configuration.  They responded quickly and fixed the other instances that 
weren’t affected (because if they live migrated to other servers, it would then 
become a problem).

My point is just that, yeah, there can be issues, but the support folks seem to 
know how to handle OpenBSD reasonably well.

Sean

PS I forget exactly what the first issue was some 1453 days ago, but it 
apparently wouldn’t boot.  The second issue was 103 days ago, and would cause 
the VM to lockup after something like 10 hours (it was variable).

PPS I’m still way behind in upgrades, so can’t speak for anything after 6.7

> On Apr 17, 2022, at 16:42, Hakan E. Duran  wrote:
> 
> For whatever it is worth, I have been using an OpenBSD VM with Vultr
> since 6.7 edition and so far didn't have issues. I may have been a lucky
> one that landed on their good side, but I am quite happy with them so
> far.
> 
> Hakan
> 
> On 22/04/17 04:00PM, latin...@vcn.bc.ca wrote:
>>> 
>>> Mihai Popescu  writes:
>>> 
>>>>> It lowers my confidence in Vultr as a reliable OpenBSD host.
>>>> 
>>>> Very well, it will match the confidence of running OpenBSD on a
>>>> virtual machine.
>>> 
>>> Not sure exactly what you mean by that, but i can say i'm very
>>> happy with my OpenBSD VM provided by openbsd.amsterdam.
>>> 
>>> 
>>> Alexis.
>>> 
>> 
>> What are the most appropriated hosting vendors for OpenBSD vm? I have 3
>> with vultr! and thinking to use my old laptop for them!
>> 
>> 
>> 



Re: Please put vi in base

2022-03-13 Thread Sean Kamath


> On Mar 12, 2022, at 18:38, i...@tutanota.com wrote:
> 
> In my 30 years of doing sysadmin work, I have never - not even once - come 
> across a
> situation where a normal editor like vi or nano or something equally simple 
> didn't
> exist on the install media.

Lucky you, never ever having to fix something without a “real” editor (and 
never mind that ‘ed’ *is* a real editor, just not a curses based one).

I had to use ed (or maybe it was its predecessor, e) on a Vax 8650 with a 
DECwriter terminal for a console to fix an fstab issue in 1990(ish).  Wouldn’t 
have done me no good to fire up VI (on the VAX, on the paper console, it would 
have basically been ‘ex’, anyway — vi being the visual version of ex).

Sounds like your problem shouldn’t have prevented you booting single user and 
then fixing the problem.

It also sounds like you’re complaining that the install media should be a full 
OS with all the things you’re used to (hey, the first thing I installed on 
the Suns running 4.1 was emacs — I understand!).

What confuses me is the “hours” it took you to fix this.  I mean, if you can 
type in an editor, you can type in the command line (no echo required):

cat > /tmp/fstab

^D

Don’t want to type?

grep -v 'badline' /mnt/etc/fstab > /tmp/fstab
echo "newline" >> /tmp/fstab

You broke something on every line?

sed 's/mistake/correction/' < /mnt/etc/fstab > /tmp/fstab

And if, as you claim, you have 30 years of doing sysadmin work, I can’t imagine 
in 1992 you had vi on any install media (would love to see an example).  Every 
sysadmin I know (and I have been doing this since 1984) wouldn’t balk at using 
variations of the above to fix /etc/fstab, _because we have_.

Sean

PS why put output in /tmp/fstab?  You’re not going to overwrite your fstab, are 
you? ‘mv /mnt/etc/fstab /mnt/etc/fstab.orig; cp /tmp/fstab /mnt/etc/fstab’ once 
you’ve confirmed /tmp/fstab looks like you want it to. :-)



Re: What password manager do you recommend?

2022-01-07 Thread Sean Kamath
> On Jan 7, 2022, at 13:38, Crystal Kolipe  wrote:
> 
> On Fri, Jan 07, 2022 at 01:23:30PM -0800, Sean Kamath wrote:
>> gpg < file.gpg
> 
> Why gpg and not openssl?

21 years of muscle memory?

But that is a good point. . . Hrm.



Re: What password manager do you recommend?

2022-01-07 Thread Sean Kamath
> On Jan 7, 2022, at 11:53, fo...@dnmx.org wrote:
> 
> Hello. I hope these types of questions are okay for a mailing list..
> I completely understand if they are not..
> 
> There's password-store, but it does need some shitty dependencies..
> Then there's opm, but since it doesn't seem to be popular fuck-knows-who
> if it's secure(ish)..
> 
> If I were to use password-store, I'd have dmenu pipe in the query, then
> just pipe the password to `xclip -i -selection clipboard` which is a
> decent setup I guess..

gpg < file.gpg

Sean

PS OK, it’s more complicated than that, but that’s what it boils down to.



Re: rc.firsttime after package daemons

2021-11-03 Thread Sean Kamath



> On Nov 3, 2021, at 01:42, Kapetanakis Giannis  
> wrote:
> Anyway, I followed Stuart's advice of adding a second DNS server in 
> resolv.conf apart from 127.0.0.1
> which was my usual practice for caching servers. I see no harm on this.

I generally always run resolving and authoritative servers as pairs.  For 
authoritative servers, that’s obvious.  For resolving servers, it’s less 
obvious, but it’s so I can do maintenance on one of them (at a time) and not 
kill everything that uses them.

And if you run two resolving servers, point both of them at both of them. :-)

Sean




Re: Are there any protection againts heisting the "shell builtin"s?

2021-09-08 Thread Sean Kamath



> On Sep 8, 2021, at 02:24, jim hook  wrote:
> ...
> ex.: "unset cd" would help, but any solution in general?

I alias ‘ls’ to my preferred args.  Sometimes I don’t want those.  In ksh, I 
just use \ls to not use the alias.

I confirmed \cd will use the builtin (at least on ksh) with:

$ cd() {
> echo hello
> }
$ cd /tmp
hello
$ \cd /tmp
$ pwd
/tmp




Re: pf.conf parser/lint

2020-12-21 Thread Sean Kamath
> On Dec 21, 2020, at 14:24, Aham Brahmasmi  wrote:
> For the defaults, I try to explicitly write some of them sometimes. I
> find this helpful because it is difficult for me to remember what the
> defaults are. However, I do understand that I run the risk of being
> caught unawares if the defaults are changed for some good reason.
> Trade-offs :)

That is what I use comments for. ;-)

a) Tells me what I *think* the defaults are
b) Reminds me I’m *using* the defaults
c) When the defaults change, makes it easy to find out why things break (if 
they break, which they haven’t in recent memory)

Sean


iterm2 tmux integration with OpenBSD 6.8 failing?

2020-11-29 Thread Sean Kamath
Hi.

Just wondering if anyone else has seen any problems with tmux integration with 
iterm2 on 6.8.  I updated two i386 machines (alix 2c13) to 6.8 using 
sysupgrade, and both of them seem to be unresponsive to tmux integration using 
the latest version (3.4.2) of iterm2.  In 6.7 and earlier, I’ve had to hit ^C 
in the initial window, but other than that it worked as expected.  In 6.8, 
nothing will make it responsive.

I tested 6.7 up to syspatch 029_rpki (works fine), and 6.8 with no patches and 
also 006_rpki (both fail to work).

Not asking for a fix, just if anyone else has seen this.

Sean



Re: Input Filter and LPD

2020-10-19 Thread Sean Kamath



> On Oct 19, 2020, at 18:26, Predrag Punosevac  wrote:
> 
> CUPS is not needed around here.

Possibly it will not be needed sometime in the future: 
https://www.theregister.com/2020/10/15/apple_cups_develoment/



Re: home printer

2020-09-17 Thread Sean Kamath



> On Sep 17, 2020, at 09:48, Ingo Schwarze  wrote:
> That answer [HP] used to be spot on until about the year 2000.

I concur.  I used to work at a printer company that competed directly with 
them.  Once I no longer had a free printer, I bought a *used* HP LaserJet 4MV 
in 2006.  It had been refurbed by a guy locally.  Basically, rollers and pick 
pads dry out over the years.  It finally started leaking toner (due to recycled 
cartridges, I’m guessing) and I was tired of how slow it was.

Opted to go to a Canon, since they basically make the engine for a lot of other 
suppliers.  I have not been disappointed (LBP6670 to be specific).

Granted, I don’t use it with OpenBSD because. . . yeah, I hardly need to print 
from that (I hardly ever print at all, but the rest of the family sure does).  
However, I just tested it (and confirmed I haven’t forgotten all my PS) by 
telnetting to port 9100 and sending

%!
newpath clippath stroke showpage
^D

And it printed the box.  That snippet, by the way, is about the shortest way to 
test postscript (not in characters, but in remembering syntax :-)).  Do NOT 
replace “stroke” with “fill” unless you want to use up all your toner (a guy at 
work thought it was hilarious when he first showed me how to do this).

Sean



Re: Microsoft's war on plain text email in open source

2020-08-27 Thread Sean Kamath



> On Aug 27, 2020, at 01:16, Janne Johansson  wrote:
> It doesn't matter if it was "change spaces to tabs", "html made carriage
> returns where a space was found" or if it was "make two - - chars into one
> single utf-8 -- token" or "spell check/correction edited fnd_trgl_dsk() to
> find_triangle_disk()" in your C function. You did not ship what you had
> produced in that diff.

I just realized uuencode/uudecode is still shipped on macos, even if emacs 
isn’t anymore.  And it’s in base, of course.

Remembering the old days. . .

Sean



Re: Microsoft's war on plain text email in open source

2020-08-26 Thread Sean Kamath


> On Aug 26, 2020, at 12:08, Chris Bennett  
> wrote:
> 
> Can't get your email to go plain text, attachments work.
> If they don't, why not change providers?
> It's a bit of work, but almost anyone can setup their own email server
> for next to nearly free.

I encourage everyone to do this, but they should have their eyes open that 
there *is* a cost in time (maintenance, updates, etc).  Plus dealing with 
random places blocking you for no reason (I literally had one place tell me 
“everyone uses google, why don’t you?”).

Also, the sending of the mail, as far as I understand, is basically identical 
for all the providers — it’s the mail client that formats the messages (though 
sometimes I craft messages and deliver them to OpenSMTPD directly without a 
“client” per se).

And THAT is one of the biggest problems.

I use Apple Mail (don’t hate on me, it’s what I use).  One change they recently 
made was to remove the option of showing the plaintext version of an email 
instead of the HTML version.  Now I have no choice, and if I *really* want to 
see the plaintext message, I have to view source.  This is not a rant against 
Apple (and for the love of god, don’t turn it into one), but rather a rant 
against all the “providers” who are trying to get everyone to use their 
“product” and damn the consequences of someone attaching 50MB of files/images 
in their messages, that’s not *their* problem (and fsck the infrastructure!).

It’s screaming into the wind to complain.  I used to rail against the bloat of 
browsers, and now you can run entire emulators in them.  They’re HUGE.  They do 
everything.

Still.  Run your own email server.  You’ll learn a LOT!

Sean


Re: sysupgrade with sysmerge failure

2020-06-02 Thread Sean Kamath
> On Jun 2, 2020, at 02:15, rgc  wrote:
> 
> On Mon, Jun 01, 2020 at 10:47:02PM -0700, Sean Kamath wrote:
>> I didn’t see any place in sysmerge that used mail, and did not receive any 
>> mail for the failed sysmerge. 
>> But I see in /etc/rc that it does mail the output of sysmerge to the root 
>> user.   Guess I got other issues.
> 
> did you already check /etc/mail/aliases and verified contents of 
> /root/.forward?

The clue was in the first email — merging smtpd.conf.  I had a jacked up 
smtpd.conf as I was working on getting internal relaying working.

Sean



Re: sysupgrade with sysmerge failure

2020-06-01 Thread Sean Kamath



> On Jun 1, 2020, at 03:43, Stuart Henderson  wrote:
> Normally the output from rc.firsttime is mailed to root. e.g.

I didn’t see any place in sysmerge that used mail, and did not receive any mail 
for the failed sysmerge.  But I see in /etc/rc that it does mail the output of 
sysmerge to the root user.   Guess I got other issues.

Thanks,
Sean





sysupgrade with sysmerge failure

2020-05-31 Thread Sean Kamath
Hi.

I just used the new ‘sysupgrade’ to upgrade my little Alix boxes to 6.7.  It 
worked very well, and thank you for this upgrade simplification tool.

I do have one question.  After upgrading the first machine, when I ran syspatch 
to patch the system, I got a failure saying that the user _rpki_client didn’t 
exist.  My question is not about that, but I realized that the sysmerge script 
apparently did not finish successfully.  I ran it and merged the files and then 
was able to proceed normally.  On another box, this time I was watching for it 
(I have a little terminal server on the alix machines), and indeed:

 /etc/mail/smtpd.conf unhandled, re-run sysmerge to merge the new version

My question is, is there a “standard” place/way to confirm that sysmerge 
finished successfully (other than looking at the console output on first boot)? 
 For some reason (I don’t know if I’m editing in a way that sysmerge doesn’t 
like to merge) this seems to happen a lot with unbound.conf, nsd.conf and 
smtpd.conf (for example), so I run into sysmerge conflicts often.

Sean



bsdauth being removed from Dovecot?

2020-04-03 Thread Sean Kamath
Hi.

Wondering if anyone noticed Timo’s email where he said:

> To start, the following features are likely to be removed in next few 
> releases of Dovecot.
> 
> - Authentication drivers: vpopmail, checkpassword, bsdauth, shadow, sia

I’m a bit behind so if the last couple of releases of OpenBSD have moved 
dovecot away from bsdauth, then N/M.  But if we’re still using bsdauth, has 
anyone looked at a Lua authentication replacement 
(https://doc.dovecot.org/configuration_manual/authentication/lua_based_authentication/
 was given replacing the deprecated authentication mechanisms)?

Sean



Re: But there is Fossil...

2020-01-06 Thread Sean Kamath



> On Jan 6, 2020, at 16:18, Constantine A. Murenin  wrote:
> 
> GitHub is so successful because it is non-trivial to get Git working.

I found gitea trivial to install.

Having said that, I use whatever repo projects provide.  I’m not here to say 
VCS “A” is better than VCS “B”, just saying installing various VCS’s under 
OpenBSD is pretty damn simple.

Sean



Re: dhcpd and unbound on a small LAN

2020-01-06 Thread Sean Kamath


> On Jan 6, 2020, at 04:24, Anders Andersson  wrote:
> Right now I'm considering something that monitors dhcpd.leases for
> changes and updates a running unbound using unbound-control(8) but I
> don't feel confident enough writing such a tool that does not miss a
> lot of corner cases and handle startup/shutdown gracefully. I'm also
> thinking that it can't be such an unusual use case, so someone surely
> must have written such a tool already. I just haven't found any in my
> search.
> 
> Or am I doing this the wrong way? I've now read about things like mDNS
> and Zeroconf and Avahi and I'm just getting more and more confused.
> Ideas are welcome!

So, on my little home network, I do the following (well, it’s in progress, but 
I used to do the same thing with Bind):

1) run unbound for name resolution for all devices (after the recent discussion 
about turning your network inside out, I’m debating turning on PF to redirect 
all DNS queries to my unbound server).

2) I run nsd to provide name services for my domains.  So, I use 
“int.domain.name” for all local addresses.  I just point unbound at nsd 
(running on a different port) for those domains.

3) I use static assignment of IPv4 address to *most* of my devices (this is the 
part in progress). This is what everyone’s talking about using:

host alice {
   hardware ethernet 00:19:b9:e0:2f:de;
   fixed-address 192.168.0.68;
}

Of course, I could use dynamic DNS updates for all devices, but I find that as 
the “owner” of basically everything, it’s easier to have fixed addresses 
instead.  The problem is for every device I need some sort of DB for every 
device that includes the ETHERNET address as well as the IP address (because 
devices get replaced, etc., but I want to keep the name and the IP, but change 
the ethernet).  From that, I can generate both the dhcpd.conf file *and* the 
nsd PTR and A records.  That’s the bit I’m working on now.

The upshot is that unbound redirects certain domains to nsd, NSD controls all 
the domains (both my internal ones and some external ones) and DHCPD points all 
the clients to unbound for name resolution.

I have a small range for non-known devices — I don’t mind friends coming over 
and using my wireless.  Soon I hope to put THOSE devices on another vlan and 
give them rate-limited access.  But I haven’t finished the whole “create 
everything from one DB” yet, so. . . WIP.

Yes, I could just have unbound return addresses for the local network, but 
what’s the fun in that? :-)

Sean
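
The single-inventory approach described in this message, sketched as an added example (not the poster's own scripts): a device table is validated, then rendered into dhcpd.conf host blocks and nsd A and PTR records. The table format, the function names and the printer entry are assumptions; the alice entry and `int.domain.name` come from the message.

```shell
#!/bin/sh
# Constructed sample inventory: name, ethernet address, IPv4 address.
sample_devices() {
    cat <<'EOF'
# name   ethernet            ipv4
alice    00:19:b9:e0:2f:de   192.168.0.68
printer  00:1B:A9:12:34:56   192.168.0.70
EOF
}

# Validate the table on stdin: field count, address syntax, and duplicates.
# A reused MAC or IP would produce conflicting dhcpd and DNS entries.
check_devices() {
    awk '
    function err(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }
    {
        if (NF != 3) { err("expected 3 fields"); next }
        name = $1; mac = tolower($2); ip = $3
        n = split(mac, m, ":"); ok = (n == 6)
        for (i = 1; i <= n; i++) if (m[i] !~ /^[0-9a-f][0-9a-f]$/) ok = 0
        if (!ok) err("bad ethernet address " $2)
        n = split(ip, o, "."); ok = (n == 4)
        for (i = 1; i <= n; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (!ok) err("bad IPv4 address " ip)
        if (name in names) err("duplicate name " name)
        if (mac in macs)   err("duplicate ethernet " mac)
        if (ip in ips)     err("duplicate address " ip)
        names[name] = NR; macs[mac] = NR; ips[ip] = NR
    }
    END { exit bad + 0 }'
}

# dhcpd.conf host declarations, in the form shown in the message.
gen_dhcpd() {
    awk '
    /^[ \t]*(#|$)/ { next }
    {
        printf "host %s {\n", $1
        printf "   hardware ethernet %s;\n", tolower($2)
        printf "   fixed-address %s;\n}\n", $3
    }'
}

# Forward (A) records with fully qualified owner names; $1 is the domain.
gen_forward() {
    awk -v dom="$1" '
    /^[ \t]*(#|$)/ { next }
    { printf "%s.%s. IN A %s\n", $1, dom, $3 }'
}

# Reverse (PTR) records for in-addr.arpa; $1 is the domain.
gen_reverse() {
    awk -v dom="$1" '
    /^[ \t]*(#|$)/ { next }
    {
        split($3, o, ".")
        printf "%s.%s.%s.%s.in-addr.arpa. IN PTR %s.%s.\n", \
            o[4], o[3], o[2], o[1], $1, dom
    }'
}

# Generate only when the inventory passes validation.
if sample_devices | check_devices; then
    sample_devices | gen_dhcpd
    sample_devices | gen_forward int.domain.name
    sample_devices | gen_reverse int.domain.name
fi
```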


Re: ownership of mailboxes with dovecot

2020-01-01 Thread Sean Kamath
On Dec 31, 2019, at 08:30, Roderick  wrote:
> As said, I had UW imap serving system user mailboxes, and now
> cyrus imap serving virtual users. You have to decide. With
> dovecot I have no other experience than compiling it.
> 
> I think, I would prefer now UW Imap, because I have only few and trusted
> users, and because it is very simple, no much configuration and 
> maintenance needed: it just publishes the mailboxes with imap,
> accessed with the system user/password.

So I’ve been running Dovecot for I don’t know how long (but started on Solaris, 
so at least that long ago).  I used to have LDAP running, but decided it was 
overkill since I’m the only one who logs into the boxes, the other three people 
only read email.

Dovecot can seem complex, but it’s not at all.  It pretty much works out of the 
box, with very few changes necessary (and works well with Let’s Encrypt certs as 
well).

My first OpenBSD configuration was based on 
https://frozen-geek.net/openbsd-email-server-1/

My next will be based on 
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/,
because I want to use rspamd instead of all the stuff loaded in the first 
(for some reason, one of the daemons doesn’t start on boot — it does if I start 
it manually.  Frankly, my machine never reboots, so I keep forgetting even 
which one it is that doesn’t start.).  I got a little tripped up doing the 6.4 
migration, so I have some catching up to do.

Looking at 
https://www.tumfatig.net/20150620/opensmtpd-and-dovecot-on-openbsd-5-7/, it’s a 
little too copy-pasta for my taste.   But even so, it doesn’t configure dovecot 
for non-system users, so it’s unclear how virtual users were set up with 
Dovecot.

Anyway, having run UW imap, cyrus, and dovecot — I run dovecot.  I also use 
sdbox, BTW, which I believe no one but ancient MH people use.  My non-default 
configs are pretty much limited to per-host configuration (like hostname), 
sieve and SSL.

I think the biggest hurdle was getting used to LMTP.

Sean




Re: Hardware for Access Point on OpenBSD

2020-01-01 Thread Sean Kamath
I just got a Ruckus here in the US. You can just not use any of the cloud crap 
on it. Has PoE which made mounting it on the ceiling trivial. The OpenBSD 
router stays a router, and I have so many ssid options + vlans. It’s kinda 
crazy. 

Sean

Typed with my thumb.

> On Jan 1, 2020, at 12:39, Zé Loff  wrote:
> 
> 
>> On Wed, Jan 01, 2020 at 08:54:46AM -0700, List wrote:
>> Hi *, 
>> I am currently building a home router based upon OpenBSD. 
>> I therefore need some kind of WIFI Hardware. This piece of hardware
>> needs to be connected over usb. 
>> Do you have any suggestions or recommendations ? As far as I can see
>> it's pretty hard to find an antenna which is connected via USB and runs
>> on a supported chipset. It is  easy to get your hands on a
>> realtek-chipset driven device. But urtw(4) doesn't support  Host AP
>> mode. Only ones that do are: athn(4),  ral(4), ath(4). 
>> Finding those is hard. 
>> 
>> Maybe you guys know things I couldn't find ? 
>> 
>> g, 
>> Stephan
>> 
> 
> In all honesty, and I've tried what you are aiming for a couple of times
> in the past, it's just easier to get a dedicated AP (or a cheap wifi
> router with a cable on the ethernet switch, which is usually bridged
> with the wifi interface) and connect to an OpenBSD router which will
> do all the necessary packet filtering (including keeping the AP/router's
> firmware from reaching the internet, if need be).  IMHO this will be
> stabler and faster than trying to find an adequate wifi board.  And
> these days you're bound to get nice perks like multiple SSIDs and
> 802.11ac speeds (or whatever the latest 802.11* protocol is), which
> AFAIK aren't available on OpenBSD yet.  Also, note that (if I am not
> mistaken) ural(4) are the only USB Wi-Fi interfaces that can handle Host
> AP mode, and they only do 802.11b/g which is kind of slow by today's
> standards.
> 
> -- 
>  



Re: Turn off Swap on boot disk

2019-11-23 Thread Sean Kamath



> On Nov 21, 2019, at 23:54, Theo de Raadt  wrote:
> 
> wait until you see the next thing i'm interested in.  modern
> machines will barely notice it, but alix's will quake.

I look forward to what’s in store.

As for all the other helpful comments (from Theo and others), thank you.  The 
workload is non-critical, and I’m just trying to figure out the best 
trade-offs.  If I felt the trade-offs weren’t worth it, I’d upgrade the 
machines.  I feel I’m on the edge, and, yes, likely 6.7 will be the end of 
their usefulness.  But I already own them, and they’re not useless yet.

Sean


Re: Turn off Swap on boot disk

2019-11-21 Thread Sean Kamath



> On Nov 21, 2019, at 09:55, Kenneth Gober  wrote:
> ...
> The need for more swap may be related to kernel relinking -- it might be an
> interesting experiment to see if your existing swap space is enough with
> kernel relinking disabled.

Yes, precisely.

I did add some larger CF cards on machines that needed more space.  I just 
happened to have a bunch of 1g thumb drives and figured I’d spare the CF all 
the writes and use the thumbdrive.

I was just hoping to avoid removing the default swap device so that in the event 
the thumb drive died or whatever that the machine would still boot (ideally, 
just setting the priority to 1 instead of 0 would do what I want).

But, it sounds like the answer is delete/change the partition or live with it.  
I’ll live with it, since I don’t want to disable kernel relinking.

Sean



Turn off Swap on boot disk

2019-11-21 Thread Sean Kamath
Hello.

Can someone provide me a pointer to how to do this?

I have a bunch of Alix 2d13 boxes.  With 6.6, I’ve found I need more swap than 
the default layout on a 2G compact flash drive has.  So, I got some 1G USB 
thumb drives, and want to use JUST those for swap.  Despite different attempts 
(setting the mount_opts to xx, setting mount_opts to “priority=1”), I can’t 
seem to prevent the swap on the boot disk being added with priority = 0.  

Can I do anything to turn it off or change the priority, short of changing the 
filesystem type?

Thanks,
Sean



Re: Misc i386 questions

2019-10-16 Thread Sean Kamath
I missed that (deprecating buslogic).  Sadly, Fusion on a Mac defaults to 
buslogic, but doesn’t put it in the config file.  Anyway, switching to lsilogic 
worked like a charm.  Thank you!

Sean

> On Oct 15, 2019, at 09:49, Todd C. Miller  wrote:
> 
> On Tue, 15 Oct 2019 10:37:41 -0600, Todd C. Miller wrote:
> 
>> There's your problem.  The bha driver is no longer supported by
>> OpenBSD.  You should use SATA or IDE as the disk type in VMWare.
> 
> Alternately, you should be able to switch the VM to use the mpi
> driver by editing the .vmx file for your VM (after shutting down
> the VM first).  Just change the lines like:
> 
> scsi0.virtualDev = "buslogic"
> 
> to:
> 
> scsi0.virtualDev = "lsilogic"
> 
> VMWare doesn't even support the buslogic driver on 64-bit guests
> these days.  New VMs created by VMWare fusion use lsilogic by
> default.
> 
> - todd



Re: Misc i386 questions

2019-10-15 Thread Sean Kamath


> On Oct 14, 2019, at 20:06, Nick Holland  wrote:
> 
> What SCSI hw are you emulating in your VM?

There doesn’t seem to be a lot of options in VMware Fusion.  There’s a popup in 
the config for “Bus Type” and you can select “SCSI” or “IDE”, “SATA” and “NVMe”.

On the 6.0 installation, using “SCSI”, I get:

bha3 at pci0 dev 16 function 0 "BusLogic MultiMaster" rev 0x01: apic 1 int 17, 
BusLogic 9xxC SCSI
bha3: model BT-958, firmware 5.07B
bha3: sync, parity
scsibus2 at bha3: 8 targets, initiator 7
sd0 at scsibus2 targ 0 lun 0:  SCSI2 0/direct 
fixed
sd0: 8192MB, 512 bytes/sector, 16777216 sectors

> What happens if you change that?

Not sure what you mean by “that”.  There is no other option for SCSI.  If I 
change it to “IDE”, for example, I get a “wd0” device:

pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 64-sector PIO, LBA, 6144MB, 12582912 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2


Note that’s on 6.3

> And to be clear -- when you say it doesn't see the SCSI drive, how
> are you not seeing it (i.e., what did you do to "see it" and what
> was the result?).

By “see it” I mean the installer says there are no disks available to install 
on.

From the dmesg when I set it to “SCSI”:




If you’d like I can boot the installer for 6.0, 6.1, etc, and see where it 
starts to not see it. . .

Sean


Re: Misc i386 questions

2019-10-13 Thread Sean Kamath
Doh!

set tty com0

Alix is coming along OK now.  Still have questions about i386 and SCSI. . .

Sean


> On Oct 12, 2019, at 23:13, Sean Kamath  wrote:
> 
> Hi.
> 
> In my odyssey to get larger disks on my Alix machines, I bought some 16G 
> CompactFlash cards. I put install65.fs on a card and tried to boot it on the 
> Alix, but it just reboots after it loads the kernel.
> 
> Meanwhile, the VM I used to dd the install65.fs file to the CF card is 
> running 6.0, so figured I should update it (with a reinstall, rather than 
> updates).  I tried to boot bsd.rd and install 6.5, but it didn’t see the SCSI 
> drive on the VM (but 6.0 did with no issue).  I even downloaded install65.iso 
> and tried to install on a brand new VM (VMware Fusion 11.5 on a Mac running 
> Mojave) with a SCSI drive, but nope.  IDE drives are seen just fine.
> 
> So. . . did I just miss something about i386 and SCSI support?  Any 
> suggestions on what to do with the Alix board?  I’m going to see if I can 
> install on the CF card from the VM next.
> 
> Sean



Misc i386 questions

2019-10-13 Thread Sean Kamath
Hi.

In my odyssey to get larger disks on my Alix machines, I bought some 16G 
CompactFlash cards. I put install65.fs on a card and tried to boot it on the 
Alix, but it just reboots after it loads the kernel.

Meanwhile, the VM I used to dd the install65.fs file to the CF card is running 
6.0, so figured I should update it (with a reinstall, rather than updates).  I 
tried to boot bsd.rd and install 6.5, but it didn’t see the SCSI drive on the 
VM (but 6.0 did with no issue).  I even downloaded install65.iso and tried to 
install on a brand new VM (VMware Fusion 11.5 on a Mac running Mojave) with a 
SCSI drive, but nope.  IDE drives are seen just fine.

So. . . did I just miss something about i386 and SCSI support?  Any suggestions 
on what to do with the Alix board?  I’m going to see if I can install on the CF 
card from the VM next.

Sean



Re: Alix 2d13 and OpenBSD 6.5 Problems

2019-10-06 Thread Sean Kamath
On Oct 4, 2019, at 16:28, Stuart Henderson  wrote:
> 
> On 2019-10-03, Sean Kamath  wrote:
>>> You can disable the reordering by removing /var/db/kernel.SHA256
>>> but be aware that syspatch relies on the reorder_kernel mechanism in
>>> order to apply kernel patches. 
>> 
>> Good to know.  I’m going to do everything I can to avoid turning off 
>> relinking, because I want to go on the big boy rides! :-)
> 
> Even if you only occasionally trigger the relinking by hand when you have
> shutdown other daemons, it's still better than not at all.

Agreed, but not necessary.

For the archives and anyone who might google this:

I installed fresh OBSD6.5 on another box (I have like 6 of these — this 
particular one had 4.7 on it.  Even getting bsd.rd from 6.5 to boot on it took 
installing a new bootbios :-)).  It took a while to relink the kernel before 
the reboot, but it worked just fine.  Reboots were also fine.  OK, so a stock 
6.5 on the Alix works.

I thought perhaps the disk layout was updated in 6.5.  Nope (in fact, the other 
machine had a slightly larger swap partition).  OK.

Time to just try adding swap: I added progressively larger swap files until it 
worked, then I did some math.  I think I got down to the lowest reliable swap 
size that allows me to reboot and relink:  About 185M.

So, this seems kinda nuts, because literally the only non-stock thing is nsd 
and unbound, and they’re taking up 137M of VM, but whatever.  They’re tiny 
little boxes and someday just won’t work.  One itty bitty box per thingie, I 
guess (my primary reason for upgrading was to install smokeping to be able to 
bitch at AT about my DSL line.  I’ll do that on the box I just rebuilt.).

Just want to say thanks for all the sage advice.  I really do appreciate it.

Sean



Re: Alix 2d13 and OpenBSD 6.5 Problems

2019-10-02 Thread Sean Kamath
Just wanted to say a thank you for everyone’s comments.  I’ve combined all my 
replies into one mostly to sum everything up.

> On Oct 2, 2019, at 02:16, Stefan Sperling  wrote:
> Try adding swap space.
> I have added 2GB of swap space on my alix and it has been running fine ever 
> since.

My “disk” is 2GB. I don’t even have any X sets loaded as they won’t fit.

> On Oct 2, 2019, at 09:03, Olivier Cherrier  wrote:
> On mine (only 32 MB of swap), I had to disable kernel relinking.
> Otherwise, the system more or less collapses at boot time.


Yeah, I believe I only have 32MB of swap (I chose the default disk layout oh so 
long ago).


> On Oct 2, 2019, at 08:34, Joe Barnett  wrote:
> I cannot comment on the upgrade process, but I have had zero fatal issues 
> running 6.5 on my alix2d13 boards.  That said, memory has been getting 
> tighter with more recent OpenBSD versions, and swap (as someone else 
> suggested) should help.  I love these reliable boards, but they are starting 
> to show their age (at least relative to how I use them with OpenBSD).

Yeah, so I’m wondering if I want to get a larger CompactFlash card and 
reinstall, try and be clever and go off the reservation, or just pack in the 9 
of these things I have and get an APU.

> On Oct 2, 2019, at 09:15, Stuart Henderson  wrote:
> After boot, the kernel is relinked in a random order in the background
> ("/usr/libexec/reorder_kernel &" in /etc/rc). 

Yes, I’m familiar with why it’s done.  I was mostly wondering if I broke 
something because I’ve not had this problem since I got these things (I don’t 
even know how long ago), and 6.5 just killed it.

> Unfortunately the Alix doesn't have much RAM and if you have pretty
> much anything other than a minimal set of daemons running it won't
> cope well.

I’m running nsd and unbound.  I can turn off smtpd. . . What would be nice to 
do is delay starting daemons until relinking is done.  Regardless, I think I 
have my answer about why it’s falling over.

> You can disable the reordering by removing /var/db/kernel.SHA256
> but be aware that syspatch relies on the reorder_kernel mechanism in
> order to apply kernel patches. 

Good to know.  I’m going to do everything I can to avoid turning off relinking, 
because I want to go on the big boy rides! :-)

Sean



Alix 2d13 and OpenBSD 6.5 Problems

2019-10-02 Thread Sean Kamath
Hi.

I’m hoping someone either has a cluebat or some helpful suggestions beyond 
“reinstall”.

I had an alix 2d13 running OpenBSD 6.3.  I finally got around to upgrading to 
6.4 (via https://www.openbsd.org/faq/upgrade64.html), and that seemed to go 
just fine (I used the Upgrading Manually section, since I don’t have (easy) 
access to the console).

I let that run for a day, just to make sure all was well, and then attempted an 
upgrade to 6.5 (via https://www.openbsd.org/faq/upgrade65.html), again using 
the “Upgrading Manually” section.

This time, between smtpd and relinking the kernel, it appears my Alix board is 
quickly running out of memory.  Within a few seconds the sr rate is in the 20K 
range.  I stopped the ld for relinking, and killed SMTPD in order to finish the 
install (the makedev ALL, sysmerge, pkg_update -u bits), and that all ran fine. 
 But about 15-20 minutes after a reboot, the box just goes off the network, and 
there’s not much I can do.

I can download and reinstall 6.5, but was hoping to avoid that pain, but I just 
want to make sure 6.5 has no issues on the Alix boards. . .

Thanks!  I’d attach dmesg, but the box is dead again. . .  If anyone wants to 
dive into what’s going on, just let me know what info you want to see.

Sean



Re: How to synchronise 2 spamd instances

2019-05-26 Thread Sean Kamath
On May 26, 2019, at 04:41, Mik J  wrote:
> 
> Hello,
> 
> I'm coming back on this topic. I added the -K option
> # /usr/libexec/spamd -v -s 5 -S 5 -w 1 -G5:24:2400 -l 127.0.0.1 -h 
> myhost.mydomain.org -y vmx0 -Y myhost2.mydomain.org -K /etc/mail/spamd.key -n 
> ABCD
> # spamd: need key and certificate for TLS
> 
> So it seems it expects some kind of certificate/privatekey rather than a key
> 
> Does anyone use the -K option successfully ?

Yes. :-). Looks like you forgot the '-C /etc/ssl/.crt’ option.  
Granted, this is on 6.3.

My full args are:

-h  -v -G 2:4:864 -y vio0 -Y  -K 
/etc/ssl/private/.key -C /etc/ssl/.crt

Works fine.

Sean

> So far I didn't manage to make the synchro to work. udp packets on port 8025 
> are not dropped.
> However spamd doesn't seem to send any 8025/udp packet at all.
> 
> Regards
> 
> On Tuesday, 23 April 2019 at 02:57:31 UTC+2, Rudy Baker wrote:
> 
> On Mon, Apr 22, 2019, 10:43 AM Thuban,  wrote:
> 
>> * Otto Moerbeek on [21-04-2019 12:49:07 +0200]:
>>> On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:
>>> 
>>>> Hello,
>>>> I read the man but it's not so clear to me
>>>> https://man.openbsd.org/spamd#SYNCHRONISATION
>>>> a) I chose unicast synchronisation but I don't know which port should
>>>> I open on the firewall ?
>>>> Is it going to use the spamd-cfg service ?
>>> 
>>> It will use spamd-sync (udp port 8025)
>> 
>> Good to know, I was blocking this traffic. It might be interesting to
>> add a word about this in the manpage, what do you think?
>> 
> 
> tcpdump -nettti pflog0
> 
> That command tells you if anything is being blocked. I normally start
> there. You would have seen port 8025 being blocked right away
> 
>> 
>> 
> 



Re: Puffy Security smtpd out of date ( closed )

2019-03-08 Thread Sean Kamath
> On Mar 8, 2019, at 10:38, Geir Svalland  wrote:
> 
> It's a shame good work like 
> this is
> of no use anymore. According to my opinion, it's well written and easy 
> to follow.
> 
> /Hasse


So, I’ll take issue with the “well written” part of that.  It doesn’t do much 
in the way of explaining anything, just a lot of “put this here”, “put that 
there”.

I used https://frozen-geek.net/openbsd-email-server-1/ (and the second part) 
when I was migrating from Solaris (for reasons — I’ve had mailservers running 
on Solaris since about 1992, when it was SunOS) to OpenBSD (hosted on Vultr;  
I’ve been using OpenBSD since 2.6 or so, mostly for firewalls).  I would argue 
that this is better from the standpoint of explaining why things are the way 
they are (in the doc), with examples, and, even though it was a little out of 
date, I found it easy to understand the underlying concepts pretty easily 
(granted, as I’ve said, I’ve been running mail servers forever, but OpenBSD 
brings some interesting differences (mostly in PF-enabled routing of 
connections).

Of course, how to docs tend to be a personal thing…

Now to stop dragging my heels on upgrading from 6.3 -> 6.4. . .

Sean




Re: Need to swap partitions: /tmp amd /usr

2017-11-04 Thread Sean Kamath
A random shot in the dark, but sometimes it happens.  Perhaps unmount /usr/obj 
and/or /usr/src and confirm there are no existing files under either?  It’s 
rare, but sometimes happens, that we set things up one way, then change it 
later.  And mounting a filesystem on top of an existing directory tree is a 
great way to hide a whole bunch of files. :-(

I have zero reason to think that’s what’s going on, but short of running a 
bunch of DU’s to figure out where the space is. . .

Sean

> On Nov 4, 2017, at 8:45 PM, Jay Hart  wrote:
> 
>> On 2017/11/02 20:26, Jay Hart wrote:
>>>> On 2017-10-30, Jay Hart wrote:
>>>>> Good Evening Fellow OpenBSDers,
>>>>>
>>>>> Below is currently how I have my disk laid out partition wise.  I have a
>>>>> feeling I need to swap
>>>>> /tmp and /usr in order to gain additional space for /usr.
>>>>
>>>>> /dev/wd0f  2.0G    1.7G    153M    92%    /usr
>>>>
>>>> That seems way too much for /usr. sysclean (in packages) will probably help
>>>> you identify some old files to remove.
>>>>
>>>>
>>> 
>>> Stuart,
>>> 
>>> A ton of files were identified, assume based on your reply I can just 
>>> remove them with no
>>> issues?
>> 
>> Things that sysclean finds under /usr are generally ok, if you've done
>> a few OS updates you will have a bunch of old gcc-related files, perl
>> binary modules from past versions, dead manual pages, etc.
>> 
>> I would suggest loading into an editor, sorting, reviewing the list.
>> sysclean is aware of known ports files but there are some things like
>> optional config files that it can't know about, so watch out for those
>> (but usually not in /etc). If you're not confident you can tar them up
>> rather than removing outright.
>> 
>> 
> 
> Stuart,
> 
> Thanks for telling me about sysclean, I was not aware of this utility before. 
>  I've run sysclean
> and removed over 280 files/directories. and have improved free space quite a 
> bit, but still seem
> to think I've an issue with /usr.
> 
> Right now I have a clean 6.2 base system, but still have the source code tree 
> installed for 6.1. 
> Usually I just wipe /usr/src and /usr/obj, but I'm thinking I need to find a 
> better way to manage
> /usr space.  Can you instruct me a bit on what I should do with /usr (and all 
> subdirectories) upon
> upgrading from one version to another.
> 
> Here is my free space according to df after running sysclean and cleaning up 
> those files/directories:
> 
> Filesystem     Size    Used   Avail Capacity  Mounted on
> /dev/wd0a     1005M   63.4M    891M     7%    /
> /dev/wd0k     22.7G    321M   21.3G     1%    /home
> /dev/wd0d      3.9G   12.0K    3.7G     0%    /tmp
> /dev/wd0f      2.0G    1.6G    274M    86%    /usr
> /dev/wd0g     1005M    183M    771M    19%    /usr/X11R6
> /dev/wd0h      6.8G   27.1M    6.4G     0%    /usr/local
> /dev/wd0j      3.9G    293M    3.5G     8%    /usr/obj
> /dev/wd0i      3.9G    852M    2.9G    22%    /usr/src
> /dev/wd0e      6.3G   28.1M    6.0G     0%    /var
> 
> TIA,
> 
> Jay



Re: How do you do "family remote support"?

2017-07-11 Thread Sean Kamath

> On Jul 11, 2017, at 2:42 PM, Niels Kobschätzki  wrote:
> 
> 
>> On 11. Jul 2017, at 23:33, Kurt H Maier  wrote:
>> 
>>> On Tue, Jul 11, 2017 at 05:22:29PM -0400, Rupert Gallagher wrote:
>>> Never heard of whatismyip.org?
>>> Sent from ProtonMail Mobile
>> 
>> Never heard of NAT?
> 
> Thank you all. I will probably get them into an OpenVPN-network and since 
> there are nice GUIs available on the Mac for that, they should be able to 
> connect (or I try to implement a launchd-service). I can give them always the 
> same IP and do not even have to check for that then. And then I use VNC with 
> the built-in VNC-server from MacOS.
> 
> Thanks again,
> 
> Niels
> 

Just to throw my US$0.02 in, I have three things set up:

1) vnc.myname.domain — I have static IPs, but you could use DynDNS to have a 
DNS name point to. . .
2) a static nat rule that takes the IP assigned to vnc.myname.domain and 
forwards port 5500 (the default listening VNC port) to. . 
3) a listening VNC viewer I run when I talk to my family members.

I have used (a variation) of this setup since the late 90s (with my grandmother 
— in her 80s, using one of the original iMacs; my mother — in her 70s now, with 
her goddamn PCs that make me want to scream (win XP -> 10); my sister-in-law — 
in her 60s.).  My sister-in-law’s is the most challenging.  Well, it was.  See, 
she used to ask me for help from work.  I could VPN in there and help her out.  
But then she started working a LOT more from home, and she didn’t like using 
VNC to connect to her PC, using RDP instead. . . Long story short, I set it up 
so she connects her Windows 10 laptop to my listening VNC server, where I can 
see her VPN to work, connect to her Windows 7 desktop, and run her Windows XP 
emulator so she can run Paradox for DOS.  You can’t make this shit up.

FML

Sean

PS Each person had a shortcut or whatever OS-equivalent thing to launch VNC 
server and connect to a listening VNC client. Occasionally they lose the 
shortcut, and I walk them through launching and connecting manually — it’s 
pretty easy, since they know how to type in a URL for the most part, and that’s 
about all they have to do.


Re: chmod of /usr/obj/usr.sbin/unbound/util

2017-02-26 Thread Sean Kamath
would “$(INSTALL) -d -m 775 util” be a less evil hack?

> On Feb 26, 2017, at 7:51 AM, Theo Buehler  wrote:
>
> On Sun, Feb 26, 2017 at 04:37:57PM +0100, Antoine Jacoutot wrote:
>> On Sun, Feb 26, 2017 at 04:30:38PM +0100, Theo Buehler wrote:
>>> On Sun, Feb 26, 2017 at 02:33:14PM +0100, Jan Stary wrote:
>>>> Cleaning up /usr/obj/ before a kernel build
>>>> as a regular user who's in the wobj group,
>>>> I get the following
>>>>
>>>>   rm: /usr/obj/usr.sbin/unbound/util/configparser.h: Permission denied
>>>>   rm: /usr/obj/usr.sbin/unbound/util/configparser.c: Permission denied
>>>>   rm: /usr/obj/usr.sbin/unbound/util/configlexer.c: Permission denied
>>>>   rm: /usr/obj/usr.sbin/unbound/util: Directory not empty
>>>>   rm: /usr/obj/usr.sbin/unbound: Directory not empty
>>>>   rm: /usr/obj/usr.sbin: Directory not empty
>>>>
>>>>
>>>> $ find /usr/obj/ | xargs ls -ld
>>>> drwxrwx---  3 build  wobj     512 Feb 26 14:19 /usr/obj/
>>>> drwxrwx---  3 build  wobj    2560 Feb 26 14:19 /usr/obj/usr.sbin
>>>> drwxrwx---  3 build  wobj    4096 Feb 26 14:19 /usr/obj/usr.sbin/unbound
>>>> drwxr-xr-x  2 build  wobj     512 Feb 23 20:43 /usr/obj/usr.sbin/unbound/util
>>>> -rw-rw  1 build  wobj  166639 Feb 23 20:43 /usr/obj/usr.sbin/unbound/util/configlexer.c
>>>> -rw-rw  1 build  wobj  122438 Feb 23 20:43 /usr/obj/usr.sbin/unbound/util/configparser.c
>>>> -rw-rw  1 build  wobj    6016 Feb 23 20:43 /usr/obj/usr.sbin/unbound/util/configparser.h
>>>>
>>>> Everything is 770 build:wobj, except the single directory
>>>> /usr/obj/usr.sbin/unbound/util which is 755 build:wobj.
>>>>
>>>> This is on four different -current machines.
>>>> Is this intended?
>>
>> Aaarrg... no not this again!
>> ;-)
>>
>>> Of course it is not intended. It was discussed during the last hackathon
>>> and aja hunted the problem down to a quirk of install -d. We tried a fix
>>> in Makefile.bsd-wrapper, but it turned out to be racy, so I had to back
>>> it out: it could write to the src/ tree in some circumstances.
>>
>> It's the kind of stupid oddities that make you lose half a day and make you
>> feel even more stupid than you are... best memory of Australia!
>
> same here :)
>
>>> This is what seems to be the least evil hack:
>>
>> If that actually improves things, OK aja.
>> That bug makes me sad...
>
> Indeed...
>
> Before I commit that, I would appreciate if Jan or jmc could confirm
> that it actually works for their 'make build' setup, too.
>
> This thing had way too many failed attempts already.
>
>>
>>> Index: usr.sbin/unbound/Makefile.in
>>> ===
>>> RCS file: /var/cvs/src/usr.sbin/unbound/Makefile.in,v
>>> retrieving revision 1.20
>>> diff -u -p -r1.20 Makefile.in
>>> --- usr.sbin/unbound/Makefile.in17 Feb 2017 18:53:31 -  1.20
>>> +++ usr.sbin/unbound/Makefile.in26 Feb 2017 15:04:38 -
>>> @@ -408,7 +408,7 @@ _unbound.la:libunbound_wrap.lo libunbou
>>>
>>> util/config_file.c: util/configparser.h
>>> util/configlexer.c:  $(srcdir)/util/configlexer.lex util/configparser.h
>>> -   @-if test ! -d util; then $(INSTALL) -d util; fi
>>> +   @-if test ! -d util; then mkdir -p util; fi
>>> if test "$(LEX)" != ":"; then \
>>> echo "#include \"config.h\"" > $@ ;\
>>> echo "#include \"util/configyyrename.h\"" >> $@ ;\
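
Review bot: the `+` line in the util/configlexer.c rule swaps `$(INSTALL) -d util` for `mkdir -p util` with nothing in the Makefile saying why, so a later cleanup could put `$(INSTALL) -d` back and reintroduce the 755 util directory reported earlier in this thread. A one-line comment above the rule would record that the directory is meant to take its mode from the umask (as `mkdir` does) rather than from install's default mode.
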
>>> @@ -416,7 +416,7 @@ util/configlexer.c:  $(srcdir)/util/conf
>>> fi
>>>
>>> util/configparser.c util/configparser.h:  $(srcdir)/util/configparser.y
>>> -   @-if test ! -d util; then $(INSTALL) -d util; fi
>>> +   @-if test ! -d util; then mkdir -p util; fi
>>> $(YACC) -d -o util/configparser.c $(srcdir)/util/configparser.y
>>>
>>> clean:
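
Review bot: in the util/configparser.c rule the `+` line keeps both the `test ! -d util` guard and the leading `@-`. With `mkdir -p` the guard is redundant, since `mkdir -p` already succeeds when the directory exists, and the `-` prefix means a failed mkdir is ignored, so the error only surfaces later when $(YACC) cannot write util/configparser.c. Suggest a plain `@mkdir -p util` here and in the util/configlexer.c rule so a failure stops at its real cause.
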
>>>
>>
>> --
>> Antoine



Re: tfdpd doesn't deliver pxeboot file

2016-10-06 Thread Sean Kamath
> On Oct 6, 2016, at 7:24 AM, Peer Janssen  wrote:
>
> But I realized that there must be something in the dhcpd options and/or
> something related to arp resolution, which I didn't grok. So I read some
> more RFCs about pxebooting in relation to dhcp and arp, but finally
> abandoned this problem for now, because it was taking way too much time
> for my current local situation.

So, I just happened across my notes for setting up a PXE server from scratch,
and thought I’d send this for the benefit of anyone trying to set up a PXE
server on OpenBSD 6.0.  Granted, this was written to boot an Alix.2d13 using a
VMware Fusion OpenBSD VM instance on a MacBook Pro, but it shows the important
steps for tftpd and dhcpd.

There are bunches of places on the web that talk about this (usually using a
Linux instance for setting up PXE), but I was amazed that I basically could go
from a freshly installed OBSD6.0 to PXE server in about 5 minutes (depending,
really, on how fast I typed).  I particularly like this set up for testing
builds (I build on the Mac in a VM, use the USB port on the Mac to talk to the
alix board’s console, and use the Mac ethernet port for installation).

And, again, these were my own notes, not really meant for publication, but I
wanted to show how simple it was to set up an OpenBSD PXE server.

Sean

#############################
# Setting up the PXE Server #
#############################

# These notes assume a FRESHLY installed OpenBSD 6.0 system, with no modifications.
# Primary NIC is connected (bridged) to another network just to get the sets loaded on it.
* Set up httpd — You need to do this unless you put a router/gateway on the network.

/etc/httpd.conf:
chroot "/var/www"
server "default" {
	listen on * port 80
}

* Add the sets to the httpd server

mkdir /var/www/htdocs/release
Populate /var/www/htdocs/release/OPENBSD_X_Y (from the release server)

* Set up dhcpd

/etc/dhcpd.conf:
subnet 192.168.100.0 netmask 255.255.255.0 {
	option routers 192.168.100.1;
	range 192.168.100.32 192.168.100.127;
	filename "pxeboot";
	next-server 192.168.100.1;
}

* Set up tftpd

mkdir -p /path/to/tftpdir/etc
echo "set tty com0" > /path/to/tftpdir/etc/boot.conf
echo "boot bsd.rd" >> /path/to/tftpdir/etc/boot.conf
cp /path/to/www/htdocs/release/OPENBSD_X_Y/bsd.rd /path/to/tftpdir
cp /path/to/www/htdocs/release/OPENBSD_X_Y/pxeboot /path/to/tftpdir

* Set up vic1
* vic1 is an added NIC, Bridged to Ethernet.  The Ethernet port
* is plugged into a switch that the Alix is also plugged into

/etc/hostname.vic1:
inet 192.168.100.1 255.255.255.0 192.168.100.255 description "PXE Net"

chmod 640 /etc/hostname.vic1

* Enable httpd

rcctl enable httpd

* Enable dhcpd

rcctl enable dhcpd
rcctl set dhcpd flags vic1

* Turn on tftpd

rcctl enable tftpd
rcctl set tftpd flags /path/to/tftpdir

* Reboot VM (just to verify everything was set up correctly, not really necessary;
* you can just bring vic1 up instead (when you set it up))

* Boot the Alix board, set it to PXE boot (S on startup) and set the baud rate to 9600 or whatever speed you want.
* It should boot into bsd.rd



Re: tfdpd doesn't deliver pxeboot file

2016-09-28 Thread Sean Kamath
I’ve been working on transitioning to an all Alix 2d13 environment for my
home set up.  Using 6.0 base, I had no problems with PXE (DHCP or tftp) on my
Alix 2d13 machine.  The server in this case is running on a MacBook Pro with
VMware Fusion with a (just freshly built) 6.0 (Stable) install.  Despite the
bizarre setup (using the ethernet port of the Mac as a secondary interface to
the VM and using a primary interface that’s NATed out the wireless port of
the Mac), it Just Worked(tm).

So, I KNOW OBSD6.0 will provide PXE for an Alix 2d13.  The only part I don’t
know is if an Alix 3x can be a server.   But I don’t see why it couldn’t.

Sean

> On Sep 28, 2016, at 5:29 AM, Peer Janssen  wrote:
>
> On 28.09.2016 at 13:27, Solène Rapenne wrote:
>> On 2016-09-28 12:45, Peer Janssen wrote:
>>> TFTP pxeboot requests:
>>>
>>> 12:15:45.064076 192.168.0.81.2070 > alix.fritz.box.tftp: 24 RRQ
>>> "pxeboot"
>>>  : 4500 0034 0002  1411 24ea c0a8 0051  E..4..$Q
>>>  0010: c0a8 002c 0816 0045 0020 f181 0001 7078  ...,...E. px
>>>  0020: 6562 6f6f 7400 6f63 7465 7400 7473 697a  eboot.octet.tsiz
>>>  0030: 6500 3000e.0.
>>
>> The TFTP request from alix asks for a binary transfer
>>
>>> As a comparison, the reaction against the RRQ from the linux box:
>>>
>>> 12:38:12.807419 kubuntu-neu.fritz.box.36672 > alix.fritz.box.tftp: 19
>>> RRQ "pxeboot" (DF)
>>>  : 4500 002f eca9 4000 4011 cc78 c0a8 001f  E../..@.@..x
>>>  0010: c0a8 002c 8f40 0045 001b 75b7 0001 7078  ...,.@.E..u...px
>>>  0020: 6562 6f6f 7400 6e65 7461 7363 6969 00eboot.netascii.
>>>
>>>
>>
>> The TFTP request from your linux box asks for an ascii transfer
>>
>> There is a difference between the 2 tftp transfers that may explain
>> your problem
>>
>> Can you try the cli tftp and type "binary" before "get pxeboot" ?
>>
>> like the following :
>>
>> tftp 192.168.0.44
>> tftp> binary
>> tftp> get pxeboot
>>
>
> Good idea.
> This works fine. As well as with "localhost".
>
> # tftp localhost
> tftp> binary
> tftp> get pxeboot
> Received 81444 bytes in 0.0 seconds
> tftp> ascii
> tftp> get pxeboot
> Received 81965 bytes in 0.1 seconds
> tftp> #
>
> 13:54:47.936070 localhost.23896 > localhost.tftp: [udp sum ok] 16 RRQ
> "pxeboot" (ttl 64, id 51686, len 44)
>  : 4500 002c c9e6  4011 b2d8 7f00 0001  E..,@...
>  0010: 7f00 0001 5d58 0045 0018 9309 0001 7078  ]X.E..px
>  0020: 6562 6f6f 7400 6f63 7465 7400eboot.octet.
>
> 13:54:54.649378 localhost.23896 > localhost.tftp: [udp sum ok] 19 RRQ
> "pxeboot" (ttl 64, id 50915, len 47)
>  : 4500 002f c6e3  4011 b5d8 7f00 0001  E../@...
>  0010: 7f00 0001 5d58 0045 001b 2b39 0001 7078  ]X.E..+9..px
>  0020: 6562 6f6f 7400 6e65 7461 7363 6969 00eboot.netascii.
>
> # tftp 192.168.0.44
> tftp> binary
> tftp> get pxeboot
> Received 81444 bytes in 0.0 seconds
> tftp> ascii
> tftp> get pxeboot
> Received 81965 bytes in 0.1 seconds
> tftp> #
>
> 13:55:11.780098 alix.fritz.box.33038 > alix.fritz.box.tftp: [udp sum ok]
> 16 RRQ "pxeboot" (ttl 64, id 50778, len 44)
>  : 4500 002c c65a  4011 32be c0a8 002c  E..,.Z..@.2,
>  0010: c0a8 002c 810e 0045 0018 ebac 0001 7078  ...,...E..px
>  0020: 6562 6f6f 7400 6f63 7465 7400eboot.octet.
>
> 13:55:18.738183 alix.fritz.box.33038 > alix.fritz.box.tftp: [udp sum ok]
> 19 RRQ "pxeboot" (ttl 64, id 51568, len 47)
>  : 4500 002f c970  4011 2fa5 c0a8 002c  E../.p..@./,
>  0010: c0a8 002c 810e 0045 001b 83dc 0001 7078  ...,...E..px
>  0020: 6562 6f6f 7400 6e65 7461 7363 6969 00eboot.netascii.
>
>
> Maybe the additional options which the alix target (at IP .81) sends are
> what the server does not like. There we had:
>
> 12:16:05.039971 192.168.0.81.2074 > alix.fritz.box.tftp: 24 RRQ "pxeboot"
>
>  : 4500 0034 0006  1411 24e6 c0a8 0051  E..4..$Q
>  0010: c0a8 002c 081a 0045 0020 f17d 0001 7078  ...,...E. .}..px
>  0020: 6562 6f6f 7400 6f63 7465 7400 7473 697a  eboot.octet.tsiz
>  0030: 6500 3000e.0.
>
> 12:16:15.203886 192.168.0.81.2075 > alix.fritz.box.tftp: 29 RRQ "pxeboot"
>  : 4500 0039 0007  1411 24e0 c0a8 0051  E..9..$Q
>  0010: c0a8 002c 081b 0045 0025 619c 0001 7078  ...,...E.%a...px
>  0020: 6562 6f6f 7400 6f63 7465 7400 626c 6b73  eboot.octet.blks
>  0030: 697a 6500 3134 3536 00   ize.1456.
>
> =>
>
> Could it be that OpenBSD6.0's tftpd refuses to serve a binary tftp RRQ with
> tsize 0 or blksize 1456?
>
> Is there a way to tell the target how to build its pxeboot request (maybe
> some dhcpd option which will get sent to it)?
>
> Peer
>
>
> --
> Peer Janssen - p...@pjk.de
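
Added example, not part of the original thread: a small decoder for the TFTP read requests shown in the captures above, following the RRQ layout of RFC 1350 with RFC 2347 name/value options, so the mode and options of each request can be compared directly. The payload bytes are copied from the quoted hex dumps (the part after the UDP header); all function and variable names are made up for this example.

```python
"""Decode TFTP read requests (RRQ) such as the ones captured in this thread."""

OP_RRQ = 1  # RFC 1350 opcode for a read request
KNOWN_MODES = {"netascii", "octet", "mail"}

# UDP payloads copied from the hex dumps quoted in the thread (the bytes that
# follow the 8-byte UDP header). The variable names are made up for this example.
ALIX_TSIZE = bytes.fromhex(
    "0001 7078 6562 6f6f 7400 6f63 7465 7400 7473 697a 6500 3000")
ALIX_BLKSIZE = bytes.fromhex(
    "0001 7078 6562 6f6f 7400 6f63 7465 7400 626c 6b73 697a 6500 3134 3536 00")
LINUX_NETASCII = bytes.fromhex(
    "0001 7078 6562 6f6f 7400 6e65 7461 7363 6969 00")


class TftpParseError(ValueError):
    """Raised when a payload is not a well-formed RRQ."""


def parse_rrq(payload: bytes) -> dict:
    """Return filename, mode and options of an RRQ, or raise TftpParseError."""
    if len(payload) < 2 or int.from_bytes(payload[:2], "big") != OP_RRQ:
        raise TftpParseError("not a TFTP read request")
    body = payload[2:]
    if not body.endswith(b"\x00"):
        raise TftpParseError("final field is not NUL-terminated")
    try:
        fields = [f.decode("ascii") for f in body[:-1].split(b"\x00")]
    except UnicodeDecodeError as exc:
        raise TftpParseError("non-ASCII field") from exc
    # filename + mode, then zero or more option name/value pairs
    if len(fields) < 2 or len(fields) % 2:
        raise TftpParseError("expected filename, mode, then name/value pairs")
    filename, mode = fields[0], fields[1].lower()
    if not filename:
        raise TftpParseError("empty filename")
    if mode not in KNOWN_MODES:
        raise TftpParseError("unknown transfer mode: " + mode)
    options = {n.lower(): v for n, v in zip(fields[2::2], fields[3::2])}
    return {"filename": filename, "mode": mode, "options": options}


def netascii_encode(data: bytes) -> bytes:
    """Apply the netascii rewriting: LF becomes CR LF, CR becomes CR NUL."""
    out = bytearray()
    for byte in data:
        if byte == 0x0A:
            out += b"\r\n"
        elif byte == 0x0D:
            out += b"\r\x00"
        else:
            out.append(byte)
    return bytes(out)


def summarize(payload: bytes) -> str:
    """One-line description of a request, flagging modes that alter content."""
    req = parse_rrq(payload)
    opts = ", ".join(f"{k}={v}" for k, v in req["options"].items()) or "none"
    note = "" if req["mode"] == "octet" else " (content is rewritten in transit)"
    return f'{req["filename"]} mode={req["mode"]}{note} options: {opts}'


if __name__ == "__main__":
    for label, pkt in (("alix, first try", ALIX_TSIZE),
                       ("alix, retry", ALIX_BLKSIZE),
                       ("linux client", LINUX_NETASCII)):
        print(f"{label:16} {len(pkt):2} bytes  {summarize(pkt)}")
    sample = b"\x7fELF\n\x00\r\x01"  # constructed bytes standing in for a binary
    print(len(sample), "bytes become", len(netascii_encode(sample)), "in netascii")
```

Run against the three payloads, it shows that only the Alix requests carry options (tsize, then blksize) and that the Linux client was the one asking for netascii; netascii_encode shows the rewriting that makes an ascii transfer of a binary file differ in size from the binary one.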



Re: OpenBSD 6.0 and emacs-24.5p2-gtk2

2016-09-05 Thread Sean Kamath
This drove me nuts for a while too.  Then I found

pkg_add gsettings-desktop-schema

provided the missing schema entry/entries.

Sean

> On Sep 5, 2016, at 10:31 AM, Lyndon Nerenberg  wrote:
>
>> On Sep 5, 2016, at 10:16 AM, Peter Fraser  wrote:
>>
>> (emacs:17220): GLib-GIO-CRITICAL **: g_settings_schema_source_lookup:
>> assertion 'source != NULL' failed
>>
>> The failed assertion does not seem to cause any trouble, and I expect
>> gsettings is part of the answer,.
>> but I don't know what the answer is.
>
> It's a (mostly) bogus error message from GTK.  You'll see these from all sorts
> of GTK-based programs. If the program doesn't crash, just ignore them. You'll
> soon get in the habit of adding '2>/dev/null' when you run those from the
> command line.
>
> --lyndon



Re: help with kshrc

2016-04-18 Thread Sean Kamath
> On Apr 18, 2016, at 10:03 PM, dan mclaughlin wrote:
>
> On Mon, 18 Apr 2016 16:42:56 +0200 Marko =?ISO-8859-1?Q?Cupa=3F?= wrote:
>> if  ($tty == ttyv3) then
>>  startxfce4 --with-ck-launch
>>  logout
>> endif
>>
>> How can I achieve the same with OpenBSD's default ksh and .kshrc?
>
> it's been more years than i can count since i've used either tcsh or FreeBSD,
> but if you are trying to detect the current tty (which is what i am assuming
> is what is in $tty), you can use ps (the variable '$$' is a reference to the
> current shell's pid):
>
> $ ps -o pid,tt | sed -n "s/^$$ //p"
> p3
>
> now i don't know what v3 is, but the console ttys are ttyC? on OpenBSD, so
> if you want only the first window at the console,
>
>  if [[ $(ps -o pid,tt | sed -n "s/^$$ //p") = C0 ]];then
>    startxfce4 --with-ck-launch
>    exit
>  fi
>
> should do the trick. i also assume that 'logout' exits the shell, and thus
> logs you out, hence logout -> exit, which will exit the script (or in this
> case the shell since it's in the startup script).

/usr/bin/tty seems like a nice way to get the tty of the running process. ;-)

I set TTY=`tty` in my .profile.  Then I use ${TTY##?} a lot. :-)

I start X on boot, so I don’t use startx or equivalent.

Sean



Re: OT: True hardware UNIX terminal

2016-03-30 Thread Sean Kamath
Still using a Wyse (50?) on my Ultrasparc 80.

In college, we had these weird DEC PC’s that we used as VT100 compatible
terminals.

There were so many.  The VT100 was the prototype what XTerm emulated.

Sean

> On Mar 29, 2016, at 5:18 AM, Nick Holland wrote:
> Some things to search for:
> * DEC VT100  (a terminal that still influences the standards today)
> * DEC VT52   (a terminal with an easier to understand command set)
> * ADM3A  (a terminal that was old when the DEC vt100 came out)
> * DECwriter  (printing terminal.  DECwriter II was a beautiful machine)
> * TI Silent 700 ("home oriented" printing terminal.  At the time, in the
> US, it was illegal to attach non-telephone company equipment to the
> telephone company's phone lines...)
> * ASCII  (the non-IBM standard character coding system)
> * EBCDIC (the IBM standard)
> * ASR33  (one of the earliest printing terminals.  And why we use
> "TTY" today in the Unix world!  If you wonder why unix commands are so
> short, imagine typing on this...)
> * Tektronix 4010 (In case you thought terminals were dull and graphics
> free...and I suspect a LOT of people who have been rolling their eyes at
> everything I've said up to now will have their eyes bug out a bit when
> they figure out how these things work)
>
> Anything more than that (and probably a lot less than that), probably
> best to ask me off list. :)  (and yes, I've glossed over and simplified
> a few things here)
>
> Nick.



Re: Show us your /etc/profile

2015-08-04 Thread Sean Kamath
On Aug 2, 2015, at 8:49 AM, li...@wrant.com wrote:

 never  
 thought of using a shell function in .profile till I read this thread.  
 
 ...
 
 Functions has always been impressive once you move past the alias
 shortcomings (can't handle arguments etc), so also worth a read the
 Functions section.


Functions have been amazingly useful and impressive for a very long time.  They 
are also not limited to ksh.  In fact, my introduction to this very useful 
aspect of shell programming was from Sun's rcS script, which has this:

# Simulates cat in sh so it doesn't need to be on the root filesystem.
#
shcat() {
        while [ $# -ge 1 ]; do
                while read i; do
                        echo $i
                done < $1
                shift
        done
}


There have been times when I've been on systems in single user mode without 
filesystems, and knowing how to do some things we typically use external 
programs for in the shell can be a lifesaver, like echo * as a poor man's 
ls.

If your directory isn't *that* large, 'for i in *;  do echo $i; done | wc -l' 
works well.  Well, for some definition of 'well'.

My point is that shell functions allow you to do some fairly complex stuff, and 
if you're careful, you can avoid execs.  There are places the shell forks, 
however.  It can be a fun exercise to find them with profiling tools. :-)

Sean



Re: cp from 4 different home folders without overwriting files with different content

2015-06-28 Thread Sean Kamath
On Jun 28, 2015, at 7:28 PM, Aaron Poffenberger a...@hypernote.com wrote:
 IMO, you're over thinking it.
 
 Step 1) GET THE DATA OFF THE FAILING DRIVES.  Doing *anything* before
 that's done means you *want* to lose data.
 
 Step 2) okay, *now* that the data is safe, compare files between trees
 and delete duplicates
 
 Note that trying to dedup as it's copied will probably *increase* the
 number of times the data has to be read and thus increase the chance
 of lost data.
 
 
 Philip Guenther
 
 
 Agreed. Save your data first then merge.
 
 rsync (pkgs) will help you with both steps:

+1 on the save it first option.  But I disagree with rsync.  Ideally, you 
want one read per block, and that's it.

I've used dd_rescue (a modified dd that a) doesn't die on read failures, and b) 
uses a dual-blocksize option to try and recover as much data as possible) in 
the past to make image copies of drives.  I had one drive that would read for 
some period of time, heat up, then error.  I'd take the drive outside, let it 
cool down, read some of it, then rinse and repeat til I got the entire drive.

I tend to prefer image captures of failing drives, and keep the seeking and 
reading to a minimum.  You can always mount the image and pull files out of the 
filesystem.

I've also used r-studio for recovering files from filesystem images.  Works 
pretty good (though I have no idea if they support ufs).

I've also done things like:

* Make an image
* Huh, drive seems to still be working, use tar or whatever.
* Stare at drive and finally throw it out.

Drives aren't worth trying to salvage, in my opinion.

As for having N copies of files: You're just going to have to bite the bullet 
on that.  You have the following problems:

* Duplicate filenames, different data (think a file name foo, one of which is 
an image, one is text)
* Duplicate filenames, delta data (versions of files, primarily)
* Renamed files.

I've gotten fairly good over the year at doing these n-way merges (using tools 
like melt, the gnu diff -r option, etc).

My only real advice above back it up first is: DO NOT use the backup as your 
working copy.  You *will* cry when you realize you just nuked the wrong file -- 
and the HD was dying, and you can't get it back.

Good luck.



Re: Set PKG_PATH using Time Zone?

2015-03-26 Thread Sean Kamath
On Mar 26, 2015, at 1:39 PM, Dale Lindskog dale.linds...@gmail.com wrote:

 On Thu, 26 Mar 2015, L.R. D.S. wrote:
 
 Is really boring write the package repository everytime we install. 
 Why not set the repository using the Time Zone as a reference?
 For example, if you set Japan as your zone, then run
 export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/'uname -r'/packages/'uname -m'/
 
 #!/usr/bin/perl -w
 use strict;
 
 chomp( my( $uname_r, $uname_m ) = ( `uname -r`, `uname -m` ) );
 chomp( my $zone = join( '/', ( split('/', `ls -l /etc/localtime`) )[-2,-1] ) );
 
 my %mirror = (
  "Canada/Mountain" => "ftp://ftp.openbsd.org/pub/OpenBSD",
  # okay, I'm bored now... hopefully L.R. D.S. will help
 );
 
 print "$mirror{$zone}/$uname_r/packages/$uname_m/";
 

Why not go whole hog and traceroute -I everything and see which is faster? :-P

BTW: ftp5.usa.openbsd.org seems to not be responding on HTTP, so I dropped them 
a note.  But then I found sonic has a mirror, that, though geographically 
further, is about 1/2 a ms faster (and two fewer hops).  So, it's not just 
going to other countries where this happens.

Sean



Re: Crash cart console adapters compatible with OpenBSD?

2015-01-15 Thread Sean Kamath
I've got about 10 of these where I work (Adder iPEPS: 
http://www.adder.com/products/adderlink-ipeps).

I got them because we needed to have a set of workstations to use for builds.

Basically, they work pretty well.  Sometimes they lose their brains, but for 
the most part they just work.  Some people complained about them losing 
calibration and/or other problem, but I never had any issues.

The model I got (about 5 years ago) were VGA.  Now they have more options:

http://www.adder.com/products/categories/dvi-and-usb-over-ip

Still and all, I rather like them.  You know, for when you're VPNed in from 
your phone and need to get on a console (which happened once, but not with the 
workstations. . .).

Sean

PS They run RealVNC's server, I believe.

PPS No, I'm not a shill, I just have them, and I use them, and find they're 
acceptable.


On Jan 15, 2015, at 9:27 AM, Jon Simola jsim...@gmail.com wrote:

 On Thu, Jan 15, 2015 at 8:38 AM, Alan McKay alan.mc...@gmail.com wrote:
 
 Hey folks,
 
 I'm looking for something like this that I can plug into a network
 debugging laptop to get console access to servers in a rack.  Ideally
 the laptop would run OpenBSD or in a pinch Linux.
 
 
 You could try looking for a KVM over IP that supports VNC.
 
 http://www.adder.com/products/categories/kvm-over-ip is one company I found
 doing a quick search. Absolutely no experience with them, not a
 recommendation, just an observation that such a thing exists. Also I'm
 scared to look for a price.
 
 -- 
 Jon



Re: Are nc -lu /dev/zero /dev/null a good throughput test?

2014-07-19 Thread Sean Kamath
On Jul 19, 2014, at 11:51 AM, Raimundo Santos rait...@gmail.com wrote:

 Hello all!
 
 I am testing OpenBSD 5.5 Release over XenServer 6.2 with HVM and qemu-dm
 wrapper to change the default r8139 to virtio, adapted from [1].
 
 So, to test the server private network throughput and other things related,
 I am using netcat. In this fashion:
 
 nc -lu 9000 < /dev/zero > /dev/null
 
 nc -u 192.168.1.10 9000 < /dev/zero > /dev/null

Are you counting all those zeros to make sure they all came through?

'cause TCP is guaranteed delivery, in order.  UDP guarantees nothing.

Sean


 Despite of pings showing 18ms of average time, it reached near 1Gbps of
 cross traffic (600Mbps in to and 300Mbps out from virtual router, at
 average) in the following configuration:
 
 . two virtual networks (int0 and int1 - internal networks)
 . one router between them
 . two vms for each network
 
 In int0, vms are servers (nc -l, as described before). In int1, vms are
 clients. Of course, there are no such terms when the connection starts,
 both ends are server and client at same time.
 
 Trying to start the same netcat idea, but in TCP mode, it only generate a
 few Mbps (mostly seem: 10Mbps of cross traffic, 5 in and 5 out) for each
 client/server. What could it be? No clues here, as a similar test with em
 on bare metal gave few Mbits less than UDP.

 
 And the main question: are this a good method to stress the virtual
 structure, or there are other good methods?
 
 Thank you for your time,
 Raimundo Santos
 
 
 [1] http://marc.info/?l=openbsd-misc&m=135336071024634&w=2



Re: open bsd router

2013-10-04 Thread Sean Kamath
On Oct 4, 2013, at 3:11 PM, Comète com...@daknet.org wrote:

 Yes, we use a lot of ALIX 2D13 as routers on many sites since 2 or 3 years 
 (nearly 20 ALIX boxes now). It works like a charm with a good compact flash 
 card, no problem at all ! And i've recently discovered they even included a 
 watchdog ;)
 
 Morgan

Ditto

I got all of mine with the cool red case. ;-)  All 2d13.

The P/S can have a wide voltage range, too.  I got my CF cards from PC Engines, 
they've all been great.

Sean

 Le 04/10/2013 23:45, Loïc BLOT a écrit :
 Hello,
 I also looked at ALIX board since a long time.
 Is there anybody using Alix 2d13 with OpenBSD ?
 Thanks in advance.
 --
 Best regards,
 Loïc BLOT,
 UNIX systems, security and network engineer
 http://www.unix-experience.fr
 Le vendredi 04 octobre 2013 à 15:05 +0200, Jan Stary a écrit :
 On Oct 04 07:16:57, inform...@gmx.net wrote:
  http://www.pcengines.ch/product.htm
  http://en.wikipedia.org/wiki/Raspberry_Pi
  No, I'm not working for PC Engines. But I'm a huge fan of their
  products :-)
 Just to praise PC Engines a little bit more:
 when my ALIX.1C stopped working for some reason,
 I sent it to PC Engines, who found that the board
 is completely OK - it was my power supply
 that was faulty (which I could then confirm).
 Before sending it back, they kindly suggested
 that ALIX.1E is a newer model that replaces
 the ALIX.1C, so if I don't object ...
 which I didn't.
 The shipping didn't even cost me anything,
 and they just replaced my old 1C with a new 1E.
 Not to mention the chocolate.
 In short, their customer service
 is as good as the boards.



Re: remote management

2013-05-15 Thread Sean Kamath
On May 14, 2013, at 7:55 PM, Devin Reade g...@gno.org wrote:
 The AdderLink can be a bit expensive for small businesses and hobbyists
 in their recommended one-per-server configuration (approx USD 500),
 however if you don't have to have different access levels for different
 servers' consoles, and can put up with accessing the console of only
 one server at a time, then you can amortize this cost by putting a
 decent non-networked (but electronic) KVM switch between the AdderLink
 and multiple servers.  That price also seems comparable to similar 
 types of technology.
 
 And for the record, the DLink DKVM-8E does *not* constitute a 
 decent KVM switch; it's crap.
 
 It looks like AdderLink have DVI/HDMI versions of the iPEPS available,
 too, although I've not used them.
 
 Besides using encrypted network traffic and supporting a small number
 of login accounts, the AdderLink offers rudimentary source-IP-based
 access control.  It's still a good idea to use a segregated admin subnet
 if you can, just on general principles.

I can second the AdderLink's.  I've only got the VGA versions, as well, but 
will be getting the DVI/HDMI in the next purchase, whenever that happens.

The mouse can be funky at times, but it's easily fixed.  Sometimes the 
calibration doesn't work as expected.

But it's better than running to another building and whipping out a crash cart. 
:-)

Sean

PS Yes, a second, segregated admin subnet is a good thing (for a variety of 
reasons).



Re: How to set aliases in ksh

2013-03-17 Thread Sean Kamath
On Mar 17, 2013, at 8:54 PM, Robert Connolly rob...@secondfloor.ca wrote:

 Hi. I have tried using both ~/.kshrc and ~/.profile to set an alias such as:
 alias ls='ls -F'
 and it doesn't work automatically on login. The files are being sourced, 
 because my definition of PATH and PKG_PATH work. If I source the files 
 manually, with:
 . ~/.profile
 then the aliases work.
 
 So what am I doing wrong?
 
 Thanks
 

.profile:

export ENV=$HOME/.kshrc

.kshrc:

alias ls='ls -F'

I actually use this line instead:

. ~/.ksh-alias

and in .ksh-alias I put all my aliases.

Sean



Re: Running OpenBSD on Raspberry Pi

2013-01-04 Thread Sean Kamath
On Jan 3, 2013, at 11:08 AM, Gene gh5...@gmail.com wrote:

 On Tue, Jan 1, 2013 at 1:31 AM, Bruno Flückiger inform...@gmx.net wrote:
 
 My personal favorites are the boxes from this small company in Switzerland:
 
 http://www.pcengines.ch
 
 Regards,
 Bruno
 
 
 The ALIX hardware is incredible.  I own two of the ALIX boards (2d3
 and 2d13), the second one I picked up recently on eBay for $150 with
 case and power supply, I added a CF card for an additional ~$10.  I
 already have a serial cable on hand, but that would be at most another
 $10-$20 to procure.


I second the ALIX board being worthy.  I don't have as many as Mr Shupe, but I 
have more than a few.

Huh.  That seems like a deal for one of the Netgate versions, but pcengines.ch 
has the 2d13 board for US$104, case for ~US$9 (but no US Power Adapter. :-().  
When I bought mine, they shipped quickly (US$33, though).

Sean



Re: Running OpenBSD on Raspberry Pi

2013-01-04 Thread Sean Kamath
On Jan 4, 2013, at 5:10 PM, Johan Beisser j...@caustic.org wrote:

 On Fri, Jan 4, 2013 at 4:41 PM, Aaron Mason simplersolut...@gmail.com wrote:
 On Sat, Jan 5, 2013 at 7:58 AM, Dan Shechter dans...@gmail.com wrote:
 You have all failed to mention that the ALIX devices come with Swiss
 chocolates in the package!
 
 
 I've ordered direct from PCEngines before and never got that.
 
 Perhaps you should ask more pleasantly.
 

This just makes me want to order a carp peer for my little firewall. . . And 
I'll throw in a Pretty-Please-can-I-have-a-chocolate?

Sean



Re: Best postscript printer with network support?

2012-12-27 Thread Sean Kamath
On Dec 27, 2012, at 3:38 AM, David Diggles da...@elven.com.au wrote:

 I want to avoid HP.
 
 Why?
 
 I got a Laserjet 8150DN second hand for $50. Works perfectly.
 

I totally second this.  I used to work at a company that competed directly with 
HP in the color printing space. Then we were acquired by Xerox, which I left.  
After 15 years of dealing with printers, I can tell you emphatically that the 
best way to go is to get a used enterprise printer.  I have an HP LaserJet 
4MP (well, not really a P, I got the postscript SIMM for it).  Been working 
like a champ for the 6 years I've had it.  My mother, meanwhile, has gone 
through *literally* a printer a year.  She tends to get these $100 All-in-One 
PoS printer/fax/scanner/car wash/toasters that she ends up calling me 
complaining she can't print to.  What you need is just a 
PostScript(tm)-compatible (HP's clone is fine, as is the genuine article), 
*non-ink*, networked printer.  I don't usually recommend wireless -- it's 
unnecessary cost, usually.

Sure, you might have to buy a kit for it (usually, it's the rollers -- very 
very rarely the fuser or other important part).

Here in the US, I bought mine off ebay, and it turned out the seller was across 
the bridge from me, so I went and picked it up to save shipping.  Sometimes 
companies have liquidation sales or they off-load their old junk to resellers 
like Goodwill (that's what we do where I work now) -- but that's harder to find.

Once you have the above (well, network + PostScript(tm) compatibility), just 
about anything on the planet will be able to print to it.

I don't believe there is a best printer -- just ones that you'll like, and 
ones you'll curse yourself for believing would be the best.

Sean

PS As for hacking printers -- it's not just postscript. Any language that lets 
you save/restore from some form of storage and/or run arbitrary code has this 
issue.  PostScript(tm) is not the only printer language that lets the printer 
be upgraded over the network.  Unless you have a specific reason to open the 
printer to the outside world, don't.



Re: openbsd router performance (i know.. again)

2012-09-26 Thread Sean Kamath
On Sep 26, 2012, at 6:01 PM, Yusof Khalid - FreeBSD / OpenBSD
frysha...@gmail.com wrote:

 Hi list,

 Any happy ALIX user here ? I plan to deploy alix board on 2 of my client..
 currently serving as gateway/firewall/squid and a little bit of samba.

Search the mail archives for raves about Alix boards (and others).

Sean



Re: pfsense and or OpenBSD Home router.

2012-09-11 Thread Sean Kamath
[And now I'll CC the entire list. :-P)

On Sep 11, 2012, at 2:47 AM, Peter N. M. Hansteen wrote:

 On Tue, Sep 11, 2012 at 11:38:28AM +0200, Shaka Nkofo wrote:
 http://store.netgate.com/Desktop-Kits-C82.aspx

 I found this shop while looking for parts to build a home router. Has
 anyone been through this and can give me links to cheap parts within Europe?

 For Alix, pcengines.ch could be a useful place to start.

 For those of us on even slimmer budgets, building infrastructure by dumpster
 diving works too.

I ended up buying direct from PC Engines for my alix 2d13's.  Even though I'm
in the US, it was cheaper than netgate (where I bought a bunch of the exact
same thing for work).  I ended up getting the red metal cases because they
were cheaper and in stock. ;-)

And as far as I'm concerned, these little alix boards rock.

Sean



Re: a live cd/dvd?

2012-05-13 Thread Sean Kamath
On May 13, 2012, at 12:30 PM, Eric Oyen wrote:

 ok,
 thats a bunch of information. However, for me, its the same as rocket science
 as I am totally blind and would require sighted assistance just to get it to
 either install a network card, or port to USB/Serial.  Unlike the rest of you,
 using a computer with little or no accessibility on boot-up is immeasurably
 harder. even porting to a braille display device is not straight forward. all
 I want is a way to make/execute a script to do the installation unattended or
 port to an interface that can be read with another machine with speech/braille
 already running.

 then again, it appears that it may be easier to get a $200 interface device
 that acts as the screen to the machine and outputs to either a network
 interface or a serial port. unfortunately, most blind folks cannot afford
 this, so having a stand-alone installer with speech or braille would be very
 helpful.

 -eric

I believe I may have already replied somewhere about this, but I figger why
not, just for safe.

When I install my firewalls, I use a digi ts-2 (well, not a ts-4, since when
last I ordered a ts-2 I got a ts-4).  They can be had cheap on ebay:

http://www.ebay.com/itm/Digi-Portserver-TS-2-w-power-supply-Tested-Good-/160785148926

Of course, this is predicated on having an RS-232 interface (which the Alix
boards I use, and the Suns, have).  The beauty (and the ensuing security
implications) are that you can telnet to this box from ANYTHING and get to the
console of the device (be it a Sun or an Alix board, or whatever) and get just
straight text out of it.  Needless to say (and I realized I should say it),
you don't put the TS on your DMZ, and you do secure it (the Digi's do have
SSH).

To go the completely free and unattended path requires doing something like
installing on a VM or something you can do easily, then building a
distribution with your own installer.  Most of that is straightforward, even
getting the partitioning preconfigured.

However, in my experience, it's just simpler to find tools to adapt to the
already provided process -- otherwise, you have to do the same thing over and
over again to get the same result.

Of course, more and more vendors are building RS-232 free systems, and despite
USB being a Universal Serial Bus, it is a pain in the ass to get a serial-usb
plug working in either direction (drivers drivers drivers.  Bah!).

I wish you luck in whatever avenue you choose.

Sean



Re: ethernet-to-serial support

2012-02-24 Thread Sean Kamath
On Feb 23, 2012, at 7:45 AM, Henning Brauer wrote:

 * Dewey Hylton dewey.hyl...@gmail.com [2012-02-23 15:21]:
 i used the digi equipment over a decade ago with both hpux and aix with
 success. i'd really like to access these from my openbsd workstation and
 laptop, though the documentation mentions support for just about everything
 other than bsd.
 are any of these usable with bsd? and by that i mean can openbsd connect to
 the serial ports via ethernet with cu or something similar?

 i dunno the digi stuff, but console servers usually provide access to
 the serial ports via telnet or ssh. in general you don't wanna expose
 these to the 'net, but it's good enough for a separate vlan or the
 like to an openbsd box that you either run conserver on or just use to
 jump through.

I just hooked up a Digi TS4 to my Alix 2D13 so I can do some upgrades (in case
I pooch it and need a console; they're pretty cheap on ebay (I actually bought
a TS2 but got a TS4)).  Have another one hooked up to a Sun as well.  But
that's incoming, not outgoing.

If you want the device's serial port to appear as a serial port on an OpenBSD
box (i.e., /dev/...) you'll need some sort of driver.  Probably not THAT hard,
but. . . why?  You can just SSH or Telnet to a port on the server, and you're
talking to the serial port.  Unless you have an app that expects a serial port
device, there's no issue.

Sean




Re: locate weirdness

2012-01-12 Thread Sean Kamath
On Jan 11, 2012, at 4:08 PM, L. V. Lammert wrote:

 On Wed, 11 Jan 2012, Philip Guenther wrote:

 Agreed, .. but if locate.update does NOT run as root, that would seem to
 indicate some problem other than permissions.

 If you're saying what I think you're saying, then I disagree and think
 your logic is backwards.
 What user do you think locate.updatedb is run as?

 If it does not run as root, then it isn't a permission issue as running as
 root provides all required permissions, eh?

eh?

if it does not run as root. . . running as root provides. . .??

To put it bluntly, if updatedb runs as root, it has all possible permissions.
If updatedb does NOT run as root, it does NOT have all possible permissions.


 I have never seen locate.updatedb fail when run as root (3.0 to 5.0,
 actually), .. but, then, it isn't exactly 'failing', it just isn't
 indexing anything except /home.

FWIW, I've never had a problem with locate since, oh, I think 2.6.  But the
point is, *IS* updatedb running as root?

 The only other possible hypothesis, is that it is running out of memory;
 one would expect some sort of error to be returned in that case and a
 blank database as a result, not one partially populated.

No, your logic is backward, as Philip has been gently pointing out.

So, to diagnose your problem (regardless of release -- this is diagnosing 101
here):

1) Find out *EXACTLY* how updatedb is being called, and run it, except don't
redirect errors to /dev/null or files or such.  Check for error messages
and/or exit codes
2) Since updatedb is a *SHELL SCRIPT*, try running it with -x (this breaks 1),
of course).

If the above is not enough for you to figure it out, email me off list and
I'll help.  But I don't have a 4.3 machine handy (I have a 4.6 and a 4.7
machine).

Sean




Re: using ssh to forward the install console

2011-12-14 Thread Sean Kamath
On Dec 11, 2011, at 9:19 AM, Chris Bennett wrote:

 this is the setup I use to upgrade and install on my remote server.
 It works great. This would probably be a good purchase since you
 could use it again in the future on other, later systems.
 Chris Bennett

I use something similar:

http://us.adder.com/products/adderlink-ipeps

They run RealVNC on 'em, and cost a touch more, around $400.  You can have
multiple sessions, so up to 4 people can see the console at any given time.

I find they work well.

Sean

 On Sat, Dec 10, 2011 at 11:15:15PM -0600, Corey wrote:
 On 12/07/2011 01:47 PM, Eric Oyen wrote:
 hello group.

 I have an interesting (and fairly technical) question.

 the question is: how can I forward the install screen via ssh to another
 machine on my network? I ask this because I didn't see any specific
 instructions that applied. my issue right now is that I need a sighted
 assistant to read me the screen and help with  installing the base system (and
 setting up ssh).

 I would like to run the install like from a serial port output (like the old
 spark pizza boxes) but none of my current machines have a serial port to do
 this on.

 comments? suggestions?

 -eric

 If you don't require the serial console, maybe you can use an IP KVM
 appliance?

 They still cost some money, but the cheapest one I've found is on
 sale for $200 US right now:


http://www.lantronix.com/it-management/kvm-over-ip/securelinx-spiderduo.html

 It's basically an embedded OS (Linux, probably) running on an ARM or
 something with a frame grabber for the video and USB and legacy
 keyboard and mouse ports. Gives you BIOS-level access to the box



Re: I don't get where the load comes from

2011-05-31 Thread Sean Kamath
On May 31, 2011, at 12:33 AM, Abel Abraham Camarillo Ojeda wrote:

 On Tue, May 31, 2011 at 2:24 AM, Francois Pussault
 fpussa...@contactoffice.fr wrote:

 load is not really a cpu usage %.
 In facts it is sum of many % (cpu real load, memory, buffers, etc...)
 that explain why load can up over 5.0 for each cpu without any crash or freeze
 of the host.

 we should consider load as a host resources %... this is not real of course
 but this is more real, than considering it as only cpu use.



 The load average numbers give the number of jobs in the run queue averaged
 over 1, 5, and 15 minutes

 from top(1).


As was mentioned earlier, no two systems agree on what load average is.

Making statements about it for a particular system should be based on the code
for that system.

Some systems count processes runnable if only the NFS back-end-storage were
available to page in the file.  Other systems say it's in a wait state.  The
former can easily lead to load averages in the 100s (or more) with a CPU
idling at 99% (because everything's waiting on NFS).

Some systems don't even agree on what it means to average.

Load Averages generally suck as a metric for system business.  Look at
interrupts and CPU time -- they're what matter.  If you want to break out CPU
beyond system, user and idle, you can do that, too.

Sean



Re: [OT] OpenBSD on plugcomputers

2011-02-14 Thread Sean Kamath
On Feb 14, 2011, at 3:32 PM, Ron McDowell wrote:
 Or just get an Alix board http://www.pcengines.ch/alix3d3.htm [available
stateside from netgate.com] for projects like this.  AMD Geode CPU, common
VGA/USB keyboard input, i386 versions of most OSes work, I have 4.7 i386
running on one with a couple 500gb USB drives as a backup server.

I'll second that -- makes a great personal firewall.  Also, I bought mine
directly from pcengines.ch -- got it in like 3 days.  I was amazed.  Had to
get the P/S from netgate (though it will take anything from 5v-18v).  I loved
'em so much with OpenBSD on 'em I ended up buying a bunch for OOB connection
to servers. . .

Sean



Re: Printing (well anything) using lpd...

2011-01-30 Thread Sean Kamath
On Jan 30, 2011, at 12:06 PM, patrick keshishian wrote:
 It supports Postscript, and even has its own lpd running so that you
 can FTP files to it to print.

 You keep saying and thinking that it supports post script. It does
 not. Otherwise feeding it a postscript file would print the document,
 not the postscript text/source.

A really minor nit: The printer *may* support PostScript, but only in a
specific fashion.

For example, many printers from the mid-90's only recognized the %!
immediately preceded by a ^D or a new connection (any data sent between the
two (i.e., a ^D followed by a NL then a !%, or a new connection with a control
character sent before the %!), would switch it to PCL).  Likewise, some
printers default to a PCL queue with LPD unless you explicitly name the queue
you're printing to ps or postscript.

Debugging this crap is a pain in the ass, but not impossible.  If you want to
check your printers to confirm it prints postscript, send it these two lines:

%!
newpath clippath stroke showpage

These four commands were the smallest PostScript I could figure out to send to
a printer to print something without burning up tons of toner.  It should
produce a small line all the way around the page.

You can send that to the printer with FTP.  If it works as expected, then your
printer supports PostScript.  If it doesn't. . . Well, maybe you need to read
the docs on your printer to figure out how to send it PostScript.

Also, most printers will have a config page you can print out from the front
panel.  One thing that should show on the Config Page is the PostScript
version.  That's another way to tell if your printer supports PostScript.

Your printer might also accept connections on port 9100 -- you can literally
telnet to that port and type the above commands.

I don't know if OpenBSD's lpr command can connect to a remote server
directly, as Sun's can.  You can telnet to the LPD port and try and fake it,
but you have to know the magic NULL-prefixed commands.

Your best bet is to scour the documentation for your printer.

Good luck.

Sean
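
The LPD route mentioned in the message above, as an added example (not from the original message): it frames the two-line test page as an RFC 1179 print job, which is the byte sequence you would otherwise type by hand over telnet. The function names, the "client" host name and the "nobody" user are assumptions made for illustration; the queue name "ps" follows the message.

```python
"""Added example: frame the PostScript test page as an RFC 1179 (LPD) job."""
import socket

# The two-line test page quoted in the message above.
TEST_PAGE = b"%!\nnewpath clippath stroke showpage\n"


def build_lpd_job(queue, host, user, data, job=1):
    """Return the five messages an LPD client sends for one job, in order.

    RFC 1179 framing: every command starts with a one-octet code, every
    file is followed by a single zero octet, and the daemon acknowledges
    each message with a single zero octet.
    """
    if not 0 <= job <= 999:
        raise ValueError("job number must be 0..999")
    for label, value in (("queue", queue), ("host", host), ("user", user)):
        # Spaces and line feeds are field delimiters in the protocol.
        if not value or any(ch.isspace() or ch == "\0" for ch in value):
            raise ValueError("%s must be non-empty, no whitespace or NUL" % label)

    suffix = "%03d%s" % (job, host)
    df_name = "dfA" + suffix            # data file name
    cf_name = "cfA" + suffix            # control file name
    control = "".join([
        "H%s\n" % host,                 # originating host
        "P%s\n" % user,                 # user identification
        "l%s\n" % df_name,              # print the file as-is, unfiltered
        "U%s\n" % df_name,              # remove the data file afterwards
        "Ntestpage.ps\n",               # source file name (constructed)
    ]).encode("ascii")

    return [
        b"\x02" + queue.encode("ascii") + b"\n",                    # receive a job
        b"\x02%d %s\n" % (len(control), cf_name.encode("ascii")),   # control file follows
        control + b"\x00",
        b"\x03%d %s\n" % (len(data), df_name.encode("ascii")),      # data file follows
        data + b"\x00",
    ]


def send_lpd_job(sock, messages):
    """Send each message; the daemon must answer every one with a zero octet."""
    for index, message in enumerate(messages):
        sock.sendall(message)
        ack = sock.recv(1)
        if ack != b"\x00":
            raise RuntimeError("step %d refused, daemon replied %r" % (index, ack))
    return len(messages)


def print_test_page(printer, queue="ps", host="client", user="nobody"):
    """Connect to the printer's LPD port (515) and submit TEST_PAGE.

    RFC 1179 asks clients to use a source port in 721-731; a strict
    daemon may refuse a connection from any other port.
    """
    with socket.create_connection((printer, 515), timeout=10) as sock:
        return send_lpd_job(sock, build_lpd_job(queue, host, user, TEST_PAGE))
```

A refusal at step 0 usually means the queue name is not one the printer knows, which is the first thing to vary when the page comes out as PostScript source text.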



Re: Donations

2010-12-05 Thread Sean Kamath
On Dec 4, 2010, at 10:05 PM, Theo de Raadt wrote:

 On Dec 4, 2010, at 7:25 PM, Theo de Raadt wrote:
 If you don't know why I am sending this mail.. you are reading US
 managed news, and need to be much much more informed

 It's in the US news.  Even the mainstream news on TV.  At least in Silicon
 Valley. ;-)

 No, it isn't in the US news.

Didn't realize you kept such a close eye on the US news.

 The US news is all about the messenger, to distract you from reading
 the message.

No, not really.  The left and right coast is usually a little better about
covering news.  And when a high-tech company is involved, the US news in a
very heavy high-tech area will, and does, cover it.  More than just the
typical pablum on national TV.

 If you think it is in the US news, you have a long way to go.

 guardian.co.uk/world is the best place to read the *message*.

I didn't see anything on the guardian, or the BBC, that was new to me.
Granted, I also read /. and digg and others and they have a lot of pointers to
the Register, Guardian, etc., so maybe I read it there.  But I also read the
local newspapers, and they cover the local stuff pretty thoroughly.

But don't assume that because I live in the US, with its godforsaken pile of
Jesusland citizens and Banking-industry controlled politicians, that I'm not
informed.

Sean

PS. Banking rules my ass.  Bankers do whatever the hell they want, anywhere in
the world.  Look at Iceland.  Paypal is evil.  Bankers are the devil
incarnate.



Re: Donations

2010-12-04 Thread Sean Kamath
On Dec 4, 2010, at 7:25 PM, Theo de Raadt wrote:
 If you don't know why I am sending this mail.. you are reading US
 managed news, and need to be much much more informed

It's in the US news.  Even the mainstream news on TV.  At least in Silicon
Valley. ;-)

Gotta love the cloud. . .

Sean



Re: nfsv4?

2010-10-30 Thread Sean Kamath
On Oct 29, 2010, at 7:43 AM, James A. Peltier wrote:
 As for SFTP or any other method that would duplicate data, I have already
discussed why it is not a possibility.  SSHFS *was and still is* a possibility
but it was ruled out because of our HPC needs.

I run something that could be considered (and is often referred to as) an HPC
cluster.  We leverage NFS heavily.  We'd melt our filers if they weren't
front-ended by NFS caches.

You can't seek() using sftp.  You can't lock a file using sftp. It's a bitch
to code in sftp support to every application that expects to operate on a
file. And it scales for shit: Suck down a file and wait for the whole thing?
Run sshfs on the cluster to a centralized sshfs-based fileserver?  I don't
think so.

We are using NFSv3.  We'd love to have delegations in NFSv4 because it would
significantly enhance the ability to locality-based locking/caching.

Thousands of machines sharing the same multi-petabyte dataset won't work with
sftp.  Or sshfs.

My point is not to suggest what the OpenBSD developers should or should not
implement.  That is their decision.  But it annoys me that people think sftp
(or any other non-block-based file transfer mechanism) is a replacement for
NFS.  It's not.

And it's not to suggest NFSv4 is the bees knees.  Some people may need/want
it.  Some may not.

Sean

PS I can't believe I got sucked into this thread.



Re: availability of Building Firewalls with OpenBSD and PF, 3rd ed.

2010-10-27 Thread Sean Kamath
On Oct 26, 2010, at 6:02 PM, Alexander Hall wrote:

 On 10/23/10 11:10, Matthias Ochs wrote:
 http://marc.info/?l=openbsd-misc&m=127426139631321&w=2

 404

 Not here and now anyway. Works fine from here.


The link to marc.info works, but the link on that page
(http://www.devguide.net/bfwoap3) doesn't.  devguide.net has a short note
saying something about time to move to a new CMS, back soon, so I presume that
the PDF is somewhere, but not at that link.  A little googling also returned
this link: http://www.devguide.net/books/bfwoap3 and it doesn't work either.

Sean



Re: Linux or OpenBSD

2010-10-23 Thread Sean Kamath
On Oct 23, 2010, at 12:33 PM, Jean-Francois wrote:

 On Wednesday 22 September 2010 21:29:31, Rikky Taylor wrote:
 I was after some general advice. I need to setup a routing firewall with 3
 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.

 Given identical modern server hardware would I expect a performance
 difference between an OpenBSD/PF setup and a Linux/IPTables one?

 Rikky

 Hello,

 The question mentioned before is right, a little more description is
 helping regarding your infrastructure.

 I'm loving OpenBSD as firewall, it performs well enough and is secure by
 default, so if you get rules right, you have very quickly something very
 good for an affordable effort.

 Most importantly, you have a very well documented firewall through man
 pages and faq, therefore a very small probability of human error, the ever
 persisting root of imperfection if I could say.

I agree with all of that.

Who cares how fast your firewall is if it's compromised?  This is not to say
PF/OpenBSD is slow, but my point is who wants a Ferrari that blows up
unexpectedly when you can have a perfectly reasonable car that never blows
up?

Security has many facets, but the two I deem most important are: How safe is
something from external control and how likely am I to fuck it up allowing
someone to take advantage of my system?  I can't do much about the former,
except to trust people who are smarter than me and have more experience than
I, and the latter I can only select that which I believe I won't fuck up.

The difference between PF maintenance and IPTables maintenance, in my
experience, is significant.  PF can seem a little harder at first, because it
requires a little bit of thought (at least that's how I felt grokking the new
PF match rules.  In the beginning of my PF experience, it was trivial to move
from ipf to pf.).  But once you get it, it's a richer toolset of options.
IPTables is just a freakin' huge, long blithering list of chained crap.  It
drives me nuts messing with consumer firewalls that run IPTables.  Writing PF
rules is like telling someone "go to the store and get milk", and you might
have to explain that once.  Writing IPTables rules is like telling someone
"stand up".  Then "Walk to door".  Then "Open door".  Keep going until you get
to "put milk in fridge".  Oh, you might need to explain how to walk, too.

Sean



Re: Incorrect FAQ entry about ksh(1) does not appear to read my .profile

2010-10-04 Thread Sean Kamath
On Oct 3, 2010, at 2:52 PM, Amit Kulkarni wrote:

 Then why is it placed there in the FAQ entry? Somebody thought there's a
 relation there.

It's there because when you start an X terminal (xterm), you can tell xterm
(via X resource DB) if you want shells it starts to be login shells, and
that's what that resource setting is doing.  It is not a resource setting for
ksh.  Further, it's in the FAQ about why isn't my .profile being read for
the ksh because most people are completely unaware of what is going on when
they click that Terminal button.

.Xdefaults may or may not be read by X-based applications, and is often loaded
into the Resource DB of the X server on login (depending on the system --
everything does it differently).  At one point it was .Xresources (which may
be what X reads still -- I don't know anymore, I stopped thinking about xrdb
about 8 years ago).

The space is completely irrelevant, and this thread should die.

 IMHO, I think ksh should be able to read .profile by default

The rules of what ksh reads and when are based on ancient login mechanisms --
.profile was read only on login.  In the csh, .login was read on login, and
.cshrc was read on every invocation of csh.

ksh reads the file pointed to by the environment variable ENV on invocation.

Put things you want to happen when you log in (via SSH, for example) into
.profile, and also set ENV=$HOME/.kshrc into it.  Then put everything into
.kshrc that you want to invoke with all subshells.

It's no good to say I think ksh should do. . . because it ain't gonna
happen.  It would break all sorts of crap if it did.


Sean

PS Linux's pdksh sucks, and does all sorts of weird shit.  OpenBSD's ksh is
much more sane.


 On Sat, Oct 2, 2010 at 10:39 PM, Abel Abraham Camarillo Ojeda 
 acam...@verlet.org wrote:

 .Xdefaults has nothing to do with .profile ...



Re: Router components

2010-10-04 Thread Sean Kamath
On Oct 3, 2010, at 11:15 PM, David Higgs wrote:
 NONE OF IT WILL MATTER TO YOU.
 
 I'll google up some smaller systems (Soekris, ALIX, etc?)
 and see how they strike me.  Pointers here are even more welcome, as I
 am not as familiar with this end of the spectrum and want to avoid the
 aforementioned crappy super-low-power systems.

 Thanks for the input.

I just bought an Alix 2d13 board.  Then ended up buying about 7 of them for
work for OOB back-channel machines.

Insanely straightforward, and they Just Work(tm).

Sean



Re: request help with tip and serial port problem

2010-07-14 Thread Sean Kamath
On Jul 14, 2010, at 3:55 AM, J.C. Roberts wrote:

 On Tue, 13 Jul 2010 06:47:18 -0600 fred f...@blakemfg.com wrote:

 I restored the dialer group to /dev/tty01 and added the user to the
 dialer group as Nick suggested.  It still doesn't work but the
 response is different now.  I believe there is a cable problem now.
 The cable works with a Sun Ultra 10 but not with the PC running
 openbsd.

 Thank you for the help.

 Keeping with Nick's suggestion of not doing this as root or sudo,
 another option is to use /etc/fbtab to *temporarily* change ownership or
 permissions.

Traditional (read: ancient) BSDs (such as 4.1 and 4.2 -- I'm not talking about
*recent* BSDs, mind you, I'm talking about BSD4.1 and BSD4.2 running on a Vax
780) had tip setgid to group 'uucp', with the locking system (i.e., files in a
directory owned by uucp:uucp) used by all modem-using apps setgid uucp as well
(i.e., uucico, cu, tip), as well as providing some form of access control to
the modems (by ownership permissions on the device) so that j-random person
couldn't just talk to the modem (since you could make tip do things like dial
the modem when you connect, etc).  That way users could use the modems when
UUCP traffic was idle, and vice versa, and you didn't have to worry about
collisions.  Arguably the right thing to do is something similar, but that
would involve an audit of 'tip' and 'cu' and probably a redesign of the whole
damn thing.  Something to consider doing once the infant is in college and
I've retired...

This ends our history lesson for the day, and we return you to our normal
discourse (and hopefully not more of the recent spate of trolls).

Sean



Re: Atom processor?

2010-06-10 Thread Sean Kamath
On Jun 10, 2010, at 12:28 PM, Teemu Rinta-aho wrote:

 On 06/10/2010 09:18 PM, E.T wrote:
 Hi all

 I would like to make a firewall / router running OpenBSD. I
 watch the ARM processors / Geode but they are less powerful and expensive
 for a complete solution. I also looked at the solution Soekris but is
 expensive compared to D510mo from Intel.

 Well it depends what size of a box etc. you want, but for example I have
 a Jetway NC92-330-LF mini-itx motherboard with a daughterboard of
 3 Intel gigabit NICs and everything works great with OpenBSD! :-)

I'm curious about the 'expensive' part of the OP.  What price for good little
firewall?  And what level of performance are you looking for?  I only need
5M/.7M for a small number of client machines and a couple of servers
(web/dns/mail).

I've been running my firewalls on old Sun IPX machines (upgraded to Cyclades
motherboards, and Fujitsu TurboSparc 170) for so long that I recently thought
I should move out of the 90s.  So I bought a PC Engines Alix 2d13 (same as a
2d3 but with a real time clock).  I spent a total of  $150US on it (including
2G CF card, case, power supply and motherboard).  Showed up in like three days
from Europe to CA, US.  Installation was little more than hooking up to a box
that could be a PXE server, and bam, Bob's your uncle, the OS installed in no
time (first time with the new installer -- VERY SLICK).

I haven't gotten the box installed as a firewall (planning on doing that
tonight, maybe tomorrow), but the only thing I've had an issue with so far is
the real time clock (I only got the 2d13 because the 2d3 was out of stock).

The Jetway referenced above seems to be about the same price (maybe a little
bit more expensive) than the Alix board.  I didn't go with an Atom board
because, well, PC Engines makes it clear they work with OpenBSD -- Money where
my mouth is and all that.  Not that I wouldn't have gone with the Jetway, I
hadn't stumbled on it.

Because the RTC isn't read correctly I had to switch ntpd to use -s to set the
time.  That's the only thing I've had to work around at all.  And I really
could care less about that. (and I've done NOTHING to try and fix it yet,
since I only noticed it on the last reboot last night.)

dmesg follows.

Sean

PS I have to admit I'm befuddled why you'd want a frame buffer on a firewall
-- it's a firewall, not a desktop.  But whatever.  Do what you want, buy what
you want.  Hell, I used old desktops for over 10 years (granted, without using
the frame buffer)! I'm happy with how my stuff's working out.  And I buy the
CDs. :-)


OpenBSD 4.7 (GENERIC) #558: Wed Mar 17 20:46:15 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class) 499
MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 268009472 (255MB)
avail mem = 250978304 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x33
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 10, address
00:0d:b9:1d:89:e0
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 VIA VT6105M RhineIII rev 0x96: irq 11, address
00:0d:b9:1d:89:e1
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 VIA VT6105M RhineIII rev 0x96: irq 15, address
00:0d:b9:1d:89:e2
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
glxpcib0 at pci0 dev 15 function 0 AMD CS5536 ISA rev 0x03: rev 3, 32-bit
3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SMI MODEL
wd0: 1-sector PIO, LBA, 1919MB, 3931200 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 AMD CS5536 USB rev 0x02: irq 12, version
1.0, legacy support
ehci0 at pci0 dev 15 function 5 AMD CS5536 USB rev 0x02: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 

Re: licensing

2010-04-14 Thread Sean Kamath

On Apr 14, 2010, at 10:52 AM, Ted Roby ted.r...@gmail.com wrote:


On Wed, Apr 14, 2010 at 11:46 AM, Chris Dukes
pak...@pr.neotoma.org wrote:


On Wed, Apr 14, 2010 at 09:21:53AM -0600, Ted Roby wrote:

/* umpla...@cc.umanitoba.ca

*/

http://lmgtfy.com/?q=plawny+umanitoba

I think you'll find a good idea of who to write care of which
company.
--
Chris Dukes



Are you serious?

Nice usage of the previously mentioned lmgtfy.

You think it's valid information to supply a link that requires
I join their database before I have access to the information
I am looking for?



http://lmgtfy.com/?q=voytek+plawny

Yeah, you have to scroll down a little bit... can't help you there...



Re: licensing

2010-04-14 Thread Sean Kamath

On Apr 14, 2010, at 11:40 AM, Ted Roby ted.r...@gmail.com wrote:


On Wed, Apr 14, 2010 at 12:34 PM, Sean Kamath kam...@geekoids.com
wrote:


On Apr 14, 2010, at 10:52 AM, Ted Roby ted.r...@gmail.com wrote:

On Wed, Apr 14, 2010 at 11:46 AM, Chris Dukes pak...@pr.neotoma.org

wrote:

On Wed, Apr 14, 2010 at 09:21:53AM -0600, Ted Roby wrote:



/* umpla...@cc.umanitoba.ca


*/

http://lmgtfy.com/?q=plawny+umanitoba



http://lmgtfy.com/?q=voytek+plawny

Yeah, you have to scroll down a little bit  can't help you there



You're going to propagate the absurdity with your own google search?
You assume Voytek Plawny is/was umplawny of cc.umanitoba.ca.


Which is it: you're ticked off the original lmgtfy reply pointed to a
pay site, or that we tried to point out if you cared *that* much about
finding the original author, it shouldn't be that hard?

Sean



Re: licensing

2010-04-14 Thread Sean Kamath

On Apr 14, 2010, at 12:02 PM, Ted Roby ted.r...@gmail.com wrote:

Please tell me what I should do with his permission?

At best, he can let me host my own mud with his code.
At worst, he must rewrite his entire license in all the associated
files.


Now *that* is an interesting question. As the original author, they
should be able to rerelease the original code with a different license
or with none at all. And they don't even need to do the work!  They
could provide someone, perhaps yourself, with a release to make the
code free. Otherwise, how would companies that once licensed their
code release it under a BSD License (which has happened).

Hunting down authors of abandonware can and has been done before. And
has also resulted in permission to release the code as open source. So
it can very much be a worthwhile endeavor.

And sorry for the misspellings before. This time I'm not walking up the
stairs to lunch. And fixing the to/cc line still sucks on mobile
devices.

Sean



Re: licensing

2010-04-14 Thread Sean Kamath

On Apr 14, 2010, at 1:16 PM, Ted Roby ted.r...@gmail.com wrote:

You blew off on this message board assuming I hadn't even
googled, or found our friend Voytek Plawny.


So?  Inquiring minds want to know!  *Is* he the guy at EA?  And more  
importantly, is he still a dick?


Sean



Re: licensing

2010-04-14 Thread Sean Kamath
On Apr 14, 2010, at 8:57 PM, Ted Roby wrote:
 I got more help from the first poster who suggested using
 Circle Mud instead. The problem is, I was quite attached to
 to this modified Rom code, and perhaps committed the
 error of getting my hopes up.

You just weren't <sic>to to</sic> clear in your first post.  /dev/null here
couldn't figure out if you were just bitching about the idiocy of people's
random licenses (and believe me, I've been seeing stupid licenses on code
since 1984 on my school's Vax 785 run BSD4.1 -- it's gotten only marginally
better), or whining that you couldn't use this super-cool pile of code because
you couldn't contact the author.  You did not hint that you even *tried* to
contact him, them or whatever.  And then you reply to the first response,
bitching about what someone helpfully tries to suggest might aid you in
finding the author.  OK, I'm a shit for poking the bear.  But still, you could
have just said yeah, I tried that, and haven't heard back, but no, you gotta
put him in his place. . . Sheesh.

 NULL + NULL + NULL still equals nothing.

Properly chastised, I'm going back to lurking.

Sean

PS Theo does a *WAY* better job of bitch-slapping me, by the way.  But keep
trying!

PPS Normally I avoid poking fun at people's typos and misspellings.  But since
turnabout is fair play. . .



Re: HP/Dell RAID

2010-01-11 Thread Sean Kamath

Should. But doesn't? :-)

Sean

On Jan 11, 2010, at 5:54 PM, Henning Brauer lists-open...@bsws.de  
wrote:



* Steve Shockley steve.shock...@shockley.net [2010-01-12 01:36]:

The Compaq/HP Smart 5 and above controllers (ciss) should work well.


ciss and work well in one sentence without a negation involved?

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting




Re: HD 'Analysis'

2009-05-07 Thread Sean Kamath
On May 7, 2009, at 4:50 PM, Tony Abernethy wrote:


 There are exotic ways of increasing risk by keeping the most of the
 not-failed-yet neighbors as supposedly good sectors.

Not with a modern disk.  The drives now essentially lie about where on  
the disk any given block is, you'll never know if block N is anywhere  
(physically) near block N-1 or N+1.

Starting about 15 years ago, the most reasonable check I could find  
was the 'verify' command in solaris' 'format' command (which I've yet  
to find/write a simple alternative to).  Anything else is just a waste  
of time.

What this did was basically write a block of random bits, then read  
and compare.  You need to do both, because some blocks are readable,  
but not writable, and vice versa. If you get a mismatch, the block was  
unreadable, and was (hopefully) remapped, so try again.  The OS  
usually logs read and write errors (soft and/or hard) and you'd have  
some idea of the relative 'health' of the disk.

Frankly, we would verify a disk if we hit a bad block, and if that  
remapped the bad block and produced no other errors over two passes,  
we'd keep using it (disks weren't that cheap then).  If we got another  
error, we'd replace the disk.  We got so many new disks that would  
encounter a bad block (and the OS would log the error) that we started  
verifying the disk when we got them to map out any bad blocks. . .

Sean
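
The write, read back and compare check described in the message above, as an added example (not from the original message, and not the Solaris format code): each block is filled with random data and read back, a mismatching block is tried once more, and the whole surface is covered in two passes. The function names are hypothetical, the size is taken by seeking to the end of the file or device, and running it overwrites everything on the target.

```python
"""Added example: destructive write/read/compare surface check."""
import os


def verify_blocks(write_at, read_at, size, block=64 * 1024, passes=2,
                  rand=os.urandom):
    """Write random data to every block, read it back, and compare.

    write_at(offset, data) and read_at(offset, length) perform the I/O.
    A block that mismatches is tried once more, since the drive may have
    remapped it after the first failure.
    Returns a list of (pass_number, offset, recovered_on_retry).
    """
    events = []
    for pass_no in range(1, passes + 1):
        for offset in range(0, size, block):
            length = min(block, size - offset)
            if _write_read_compare(write_at, read_at, offset, length, rand):
                continue
            recovered = _write_read_compare(write_at, read_at, offset,
                                            length, rand)
            events.append((pass_no, offset, recovered))
    return events


def _write_read_compare(write_at, read_at, offset, length, rand):
    """True when the block returns exactly the random pattern written to it."""
    pattern = rand(length)
    try:
        write_at(offset, pattern)
        return read_at(offset, length) == pattern
    except OSError:
        # A hard I/O error on either the write or the read fails the block.
        return False


def verify_path(path, block=64 * 1024, passes=2):
    """Run verify_blocks over a file or device node. Overwrites its contents.

    Assumption: the size can be found by seeking to the end. On a buffered
    device the read may be served from cache rather than the platters, so
    point this at the raw (unbuffered) device node where one exists.
    """
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)

        def write_at(offset, data):
            os.pwrite(fd, data, offset)
            os.fsync(fd)        # push the block out before reading it back

        def read_at(offset, length):
            return os.pread(fd, length, offset)

        return verify_blocks(write_at, read_at, size, block, passes)
    finally:
        os.close(fd)
```

An empty result over both passes matches the "keep using it" case in the message; an entry with recovered set to False is a block that failed twice in a row.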




Re: Survey on the usage of IPv6

2009-02-01 Thread Sean Kamath

On Jan 31, 2009, at 2:50 AM, Michiel van Baak wrote:


On 18:50, Fri 30 Jan 09, Claudio Jeker wrote:
For an IPv6 related paper we are currently working on, Claudio and I are
doing a small online survey on the use of IPv6 among OpenBSD developers
and users.

It would be nice if you could spare 10-15 minutes of your time and
answer the questions.  Please do that also if you don't use IPv6,
since that helps us evaluating how much it is used.

You find the survey online at

http://ilias.msys.ch/goto.php?target=svy_41&client_id=ipv6

and you start the survey by pressing the button on the top left.


I answered Yes to do you use autoconfiguration because some of my
laptops/devices use this. Servers and my main laptop are statically
configured.

Just thought I should give you this extra info :)


Yeah, as a simple survey it's fine, but it can lead to slightly  
psychotic answers if you did some investigations into IPv6 at a job,  
then moved on, and your old ISP before you moved didn't offer IPv6 and  
after you move your new ISP supports it.  But I just went with a  
general history of my experience in toto. . .  I'd be happy to answer  
a more detailed survey.


Sean



Re: bash for root?

2008-12-02 Thread Sean Kamath

On Dec 1, 2008, at 4:55 AM, Nick Holland wrote:
Other than generating duplicate user number error reports from the  
nightly security check, the generally bad idea of duplicate user  
numbers, creating confusion and ambiguity that doesn't need to be  
there, the likelihood that you will have forgot the 'root' password  
when you need it and being a really silly way to solve a completely  
non-problem?  No reason at all.


Just sudo when you need to be root -- avoids ever logging in as root  
unless something's *REALLY* wrong.  You can keep your shell (or better  
yet, just run the command you need to run as root).


Sean



Re: Capture serial port output to a file

2008-10-29 Thread Sean Kamath

On Oct 29, 2008, at 2:13 AM, J.C. Roberts wrote:


On Tuesday 28 October 2008, Marc Balmer wrote:

* Bruce Bauer wrote:

Problem:
OpenBSD 4.2 on i386
Serial port /dev/cua00 connected to the console port on a firewall.
I need to catch all text output from the serial port to a file.
The process doing this must survive a loss of network.
The box is running headless.


I could suggest you run cu in a screen session.  I have used

cu ... | tee logfile

in the past, but there are possibly more elegant solutions



I've never tried using tee(1) but it is more elegant than using the
default solution provided by tip/cu/remote.


I use 'script'.  It gets EVERYTHING.  You have to do a little
post-processing, but it works very well.


However, if you're saying that you want to capture all output on the  
firewall coming in to /dev/cua00, why not just open the device and  
read from it?  'tail -f /dev/cua00 > logfile' would do this.  Assuming  
that you have the line dedicated to this and don't need to provide any  
input.


If you want to use 'cu', you could also investigate the 'record'  
variable. (~s record /path/to/logfile)


Sean



Re: Here's a trivial question. . .

2008-06-13 Thread Sean Kamath

On Jun 12, 2008, at 2:43 AM, Martin Toft wrote:

On Thu, Jun 12, 2008 at 02:29:41AM -0700, Sean Kamath wrote:

Why is sendmail in /usr/src/gnu/usr.sbin?

sendmail is patently not a GNU application, and has a modified
Berkeley license?

Just askin'.

Sean


http://marc.info/?l=openbsd-misc&m=101014364523299&w=2


Apologies.  I have no idea how I missed that in the archives.  Maybe  
my google-fu is weak.


gnu == encumbered.  I get it.

Sean



Here's a trivial question. . .

2008-06-12 Thread Sean Kamath

Why is sendmail in /usr/src/gnu/usr.sbin?

sendmail is patently not a GNU application, and has a modified  
Berkeley license?


Just askin'.

Sean