Re: dhclient release a lease?

2018-05-14 Thread Quartz

Currently there is no facility in dhclient(8) to issue RELEASE
messages. I had no recollection of adding such a thing, and a
quick



confirmed there is no DHCPRELEASE related code.


Ergh. OK thanks, that's super annoying that it's not there.


Which signal(s) are used elsewhere to trigger RELEASE? Goggle is not
coughing up an obvious answer. :-)


It varies, IIRC on at least one other linux or bsd distro sending HUP 
took a more literal approach ("hang up and leave") and sent a DHCP 
release before nuking its lease cache, and I'm pretty sure somewhere 
else you could send "SIGUSR2" or something.




dhclient release a lease?

2018-05-14 Thread Quartz

How do I get dhclient to release its DHCP lease?

I want to be clear that I'm not interested in having it RENEW the lease 
but RELEASE it- in other words send the signal to the DHCP server "I'm 
going bye-bye, go ahead and put this IP address back in your free pool".


Other versions of dhclient on other OSs have commandline arguments that 
activate this behavior, or will accept SIGHUP or some other variant 
signal, but I can't figure out how to make this happen on openbsd.




pkg question: dnsmasq alternatives?

2015-10-06 Thread Quartz
We have various OpenBSD machines acting as gateways for NAT LANs. We 
need a handful of services for these, mainly a dhcp server that can do 
mac-based fixed addressing, dns server that can attach and reverse names 
associated with these fixed addresses, dns black-holing, the ability to 
intercept dns lookups on non-existent domains when the ISP replies with 
a spam server instead of nx, and PXE/tftp server.


We've been using dnsmasq for years since it provides a one-stop-shop for 
most of the stuff we need, and while we're fairly happy with it, I 
always like to ask around periodically to see if for any of the stuff we 
do a better way has come about.


So to cut to the chase, does anyone know of and/or have experience with 
other packages that do the sorts of things dnsmasq does that it might be 
worth switching to? (We're only looking at packages). One-stop-shop type 
programs are obviously preferred to managing a bunch of different stuff.


Thanks in advance.



Re: mini itx from intel

2015-10-02 Thread Quartz

FYI- My 2820 won't boot reliably headless without an HDMI dummy plug
attached (such as
http://www.amazon.com/CompuLab-fit-Headless-Display-Emulator/dp/B00FLZXGJ6),
even with the latest BIOS. These seem to be hit or miss in a headless
configuration, and not everyone has the HDMI boot failure issue, so
you may luck out.


I sent an email to the list a few days ago about a board we have that 
has issues booting without an hdmi display attached, but I didn't get 
any responses.


We don't have a boot 'failure' per se (the board technically boots fine 
with no display), rather if there's no screen attached during boot then 
it completely disables video and never recognizes a screen attached 
later, ie; you have to reboot to get video back.


Do these 'dummy plugs' help solve issues like that? And/or is there a 
way to 'kickstart' the video back in to life without having to reboot?




Re: redirect spkr to headphone jack?

2015-09-30 Thread Quartz

Could you show the output
of "mixerctl -v" ?



inputs.dac-0:1=126,126
inputs.dac-2:3=126,126
inputs.dac-4:5=126,126
inputs.dac-6:7=126,126
record.adc-2:3_mute=off  [ off on ]
record.adc-2:3=125,125
record.adc-0:1_mute=off  [ off on ]
record.adc-0:1=125,125
inputs.mix_source=line-in,mic2,hp,line  { line-in mic2 hp line }
inputs.mix_line-in=120,120
inputs.mix_mic2=120,120
inputs.mix_hp=120,120
inputs.mix_line=120,120
inputs.mix2_source=dac-0:1,mix  { dac-0:1 mix }
inputs.mix3_source=dac-2:3,mix  { dac-2:3 mix }
inputs.mix4_source=dac-4:5,mix  { dac-4:5 mix }
inputs.mix5_source=dac-6:7,mix  { dac-6:7 mix }
outputs.line_source=mix2  [ mix2 ]
outputs.line_mute=off  [ off on ]
outputs.line_dir=output  [ none output input ]
outputs.line_boost=off  [ off on ]
outputs.line_eapd=on  [ off on ]
outputs.line-in_source=mix3  [ mix2 mix3 mix4 mix5 mix8 ]
outputs.line-in_mute=off  [ off on ]
inputs.line-in=85,85
outputs.line-in_dir=input  [ none output input input-vr0 input-vr50 input-vr80 input-vr100 ]
outputs.mic2_source=mix5  [ mix2 mix3 mix4 mix5 mix8 ]
outputs.mic2_mute=off  [ off on ]
inputs.mic2=85,85
outputs.mic2_dir=input-vr80  [ none output input input-vr0 input-vr50 input-vr80 input-vr100 ]
outputs.mic2_boost=off  [ off on ]
outputs.spkr_source=mix8  [ mix2 mix3 mix4 mix5 mix8 ]
outputs.spkr_mute=on  [ off on ]
outputs.spkr_dir=output  [ none output input input-vr0 input-vr50 input-vr80 input-vr100 ]
outputs.hp_source=mix4  [ mix2 mix3 mix4 mix5 mix8 ]
outputs.hp_mute=off  [ off on ]
inputs.hp=85,85
outputs.hp_dir=output  [ none output input input-vr0 input-vr50 input-vr80 input-vr100 ]
outputs.hp_boost=off  [ off on ]
outputs.hp_eapd=on  [ off on ]
record.adc-0:1_source=line-in,mic2,hp,line,mix,mic  { line-in mic2 hp line mix mic }
record.adc-2:3_source=line-in,mic2,hp,line,mix  { line-in mic2 hp line mix }
inputs.dac-8:9=126,126
inputs.mix8_source=dac-8:9,mix  { dac-8:9 mix }
outputs.line_sense=plugged  [ unplugged plugged ]
outputs.line-in_sense=unplugged  [ unplugged plugged ]
outputs.spkr_muters=line,line-in  { line line-in }
outputs.master=128,128
outputs.master.mute=off  [ off on ]
outputs.master.slaves=dac-0:1,dac-4:5,line,spkr,hp,dac-8:9  { dac-0:1 dac-2:3 dac-4:5 dac-6:7 line line-in mic2 spkr hp dac-8:9 }
record.volume=125,125
record.volume.mute=off  [ off on ]
record.volume.slaves=adc-2:3,adc-0:1  { adc-2:3 adc-0:1 line-in mic2 spkr hp }




Re: redirect spkr to headphone jack?

2015-09-30 Thread Quartz

The pc-speakers and the sound card are different circuits.


Right, I know that. What I'm wondering is if there's some magic 
incantation for mixerctl or some other utility that will let output 
intended for the console speaker to be 'copied' or otherwise redirected 
to the headphone/line output.




OpenBSD console can only use the pc-speaker as the console beep and
there's no way to emulate it using the sound-card.


I'm not sure if 'emulation' is what I'm looking for. I mean, one way or 
another the system is sending a sine wave down that path that causes the 
motherboard speaker to beep (normally). Surely there's some way to make 
it send that signal to the chip running the jacks on the back, right? 
Maybe if not via a utility then via tweaking a custom kernel?




Could you show the output
of "mixerctl -v" ?


Sure, but gimme a few hours. I don't have the machine in front of me at 
the moment.




Re: OpenBSD Home Server: Hints and Advices

2015-09-28 Thread Quartz

It's gonna be behind a 3020j surge protector


A $20 spikebar will NOT protect this machine from a lightning strike 
that hits the pole in front of your house.




Take a different view: Mirrored drives and RAID are not really for data
protection, they're so you can keep operating in face of (some types of)
hardware failure.


Indeed, but in reality doesn't it do both?


Not unless you have a very narrow definition of 'data protection'. RAID 
won't protect you against bad software corrupting your files, or 
accidental 'rm -rf'




The files are currently strewn over a couple of machines all over the
house. I intended on deleting them once pushed to the server


A single copy of your files is not a "backup" no matter what definition 
of the word you're using.




HDMI video initialization issue

2015-09-28 Thread Quartz
We have a system with only HDMI and displayport video outputs. If the 
system is booted with no HDMI cable attached, and then the cable is 
attached after the system is up, video is completely nonfunctional until 
the system is rebooted. (We don't have any displayport displays or 
cables to test that side of things).


I know HDMI can be a pain a lot of times and that this is most likely 
some sort of bios issue and not OpenBSD's fault, but does anyone know if 
there's a way to reinitialize the video back into life after the machine 
is already up and running? (the system is totally functional besides 
video, we can ssh in and do whatever).




Re: OpenBSD Home Server: Hints and Advices

2015-09-28 Thread Quartz

Well, isn't your NAS
already a backup?


No. At least, not really. Any "online" backup (in other words, an 
actively running machine) is always subject to issues that could destroy 
your data. The power supply could go bad and fry your drives, software 
issues could cause silent corruption, and you could always accidentally 
just delete files. The only really good backup is an offline one, 
preferably stored in a fireproof safe.




redirect spkr to headphone jack?

2015-09-28 Thread Quartz
We have a system with NO physical internal speaker of any kind. Audio 
otherwise works from the headphone/line jack, playing wave files with 
aucat and messing with mixerctl all work as expected, but there are no 
'beeps' (can't get a terminal bell using echo, can't get anything from 
wsconsctl, nothing's muted in mixerctl). Is there an easy way to 
redirect the "pc-speaker" to output via the headphone/line jack?




Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

2015-09-27 Thread Quartz

In what way? If you mean the hypervisor does not provide adequate separation
between VMs then that is not really an issue as I control the host and all
VMs. If any are compromised then I have bigger issues.


The most secure system should be the host, not the guest. A super secure 
guest inside a VM doesn't help much if the insecure host is compromised.




Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

2015-09-27 Thread Quartz

At this point, the FreeBSD camp would point out that they have ZFS
for infinite flexibility in building multi-terabyte storage pools,



That said, both modern SSDs and multi-terabyte spinning
platters are handled quite well, thank you, by FFS2 on OpenBSD


As an aside, people sometimes confuse ZFS with XFS or GlusterFS or other 
stuff. ZFS is designed around extreme data reliability and integrity, 
not huge array size or high end performance. ZFS is an all-in-one 
disk+filesystem that incorporates partitions, multi-parity RAID, 
backups, and directory structure into one unified thing. It features 
raid-write-hole prevention, triple-redundant checksumming of both data 
and metadata, built-in block duplication, advanced journaling, atomic 
copy-on-write, and the ability to snapshot arbitrary parts of the system 
which can then be rolled back after a problem, among other things. ZFS 
is far more than something that 'just handles multi-terabyte pools'.


Now, whether a home user NEEDS all these reliability features is a 
different question, but if you decide you do, OpenBSD (along with most 
other *nixs) doesn't have anything remotely comparable.




That said for FreeBSD and ZFS you want at least 4GB of
ram anyways.


This is a common misconception. The ARC wants to cache your entire array 
in ram if it can, so it will expand to fill whatever's available. You 
can run ZFS with limited ram, you'll just see a performance hit if you 
try to do lots of random reads on things that aren't cached.




Re: FreeBSD or OpenBSD for my (server/router) purposes? (Total n00b)

2015-09-27 Thread Quartz

I have found in the
archives that in general you can recommend OpenBSD to anyone without
any background to start tinkering with. So, there might be no benefit
of a learning curve of FreeBSD -->  OpenBSD, as I, may have wrongly
guessed?


OpenBSD is about as easy to pick up as any other *nix, so long as you 
understand the fundamentals (ie; how to navigate a system using a 
command line, etc). The only thing that tends to throw people off is 
that OpenBSD uses a somewhat non-standard way of dividing disks up into 
partitions.


A lot of people use both systems regularly (myself included) and can 
offer their thoughts about their personal gripes for each, but you'll 
have to post using a non-disposable email address for people to reply to 
directly since no one wants to start an on-list flamewar over this stuff.


You might also want to subscribe/post this question to 
"freebsd-questi...@freebsd.org" (their equivalent list to 
"misc@openbsd.org")




What I'd like is a secure wireless router and a file server


In general, one of OpenBSD's main strengths is security whereas one of 
FreeBSD's main strengths is storage. For example, FreeBSD needs a lot 
more futzing to really lock down properly, and OpenBSD lacks things like 
ZFS (and the extreme reliability options it provides).




Can it handle both roles, router and
file server


Well it depends a lot on what you're considering "modest loads". If this 
is a home system serving half a dozen devices, only pushing a megabit or 
two of net data, and only hosting a single drive for file sharing with 
no fancy options, then basically any hardware that still boots will 
handle both roles. (Like literally, a Pentium II or III will work fine).




is it a good idea to have one device for these 2
roles in the first place?


Maybe. It depends a lot on your risk/cost assessment.

Personally I always advocate for a router/firewall to be a dedicated 
device and put all your other services hosted on other hardware inside 
your LAN. That way you can lock down the router for security but still 
let your other systems run whatever they need to without messing around. 
However, if you have money/size/power constraints then mixed solutions 
are sometimes the lesser of many evils.


OpenBSD and FreeBSD are both perfectly capable of serving both the 
router and file server roles if you don't need the advanced features of 
the other. Although if you do, and you really only want an all-in-one 
device, then you should probably sit down and try to decide if security 
or storage options are more important to you and start from there.


As a side note though, either way I would strongly advocate splitting 
out the wifi into an external WAP connected to the router via ethernet. 
Internal wifi cards always seem to be a pain on any *nix system- there 
are about a billion chipsets and drivers seem to like breaking for 
random reasons. Also, separate devices means you don't have to 
compromise for physical location- the WAP can go wherever it gets the 
best signal strength and the router can go wherever it's easiest to 
administrate and/or interface with your ISP.




Re: speedup shutdown

2015-09-21 Thread Quartz

I took that to mean:

1) run (presumably as root) 'time sh /etc/rc shutdown'
2) check 'ps -aux' to see what's still running
3) 'kill -HUP [PID]' for each of the remaining processes
4) check 'ps -aux' again
5) 'kill -TERM [PID]' for each of the remaining processes
6) check 'ps -aux' again


Yes.  Perhaps it isn't clear that I would *expect* stuff to still be
running at step 4, and thus for shutdown like this to take at least 5
seconds.



If the next step, the one you didn't describe the results of, killing
daemons with SIGTERM,


OK, maybe this is where the communication gap is. Sending HUP to sshd 
and syslogd and everything was effectively a no-op since they'd all just 
immediately restart. I looped between (3) and (4) for a bit then gave 
up. I assumed I was doing something wrong when by this point the state 
of the system was identical to (0).


Just to be doubly clear, is it expected behavior that at (4) everything 
will still be running?


(In the mean time, I'll try continuing on through (6) anyway and see 
what happens).




Re: speedup shutdown

2015-09-21 Thread Quartz

The two daemons you refer to, treat SIGHUP as a "please re-read your
configuration files and restart". This is semi-common. This happens to
also be the two daemons you are testing this with, causing some
confusion.



Not everything, but some things will still be running.


It wasn't just syslogd and sshd, -HUP also doesn't shut down any of the
pflogd/dhclient/cron stuff either. The only process it actually stops is
sndiod, all the others restart on their own.



After running commands #1, #3 and #5; almost everything should be
killed. Command #1 should take care of the vast majority of daemons
started at boot; #3 and #5 are to catch the ones that aren't.


Well, -TERM stops every PID I typed in (the four I didn't being init,
two ksh's and ps itself), so I'm not sure where that leaves me. I guess
it's some kind of timing thing or race condition?


Also, FWIW, tapping the power button at this point yields a two second 
delay before it does anything (down from the previous ten). Not sure if 
that's useful information or not.




console color

2015-09-21 Thread Quartz
Can someone give me a brief rundown on how OpenBSD handles color on 
console? Commands like "echo -e '\033[32mfoo\033[0m'" produce dark 
green text as expected, but "echo -e '\033[92mfoo\033[0m'" comes out 
white instead of light green, and I can't seem to get vim to do syntax 
coloring at all (I've copied over configs that work on other machines, 
both t_Co=16 and t_Co=8, but everything always displays plain white). 
$TERM is the standard vt220. Am I doing something wrong, or does local 
console just have very limited color support?




Re: speedup shutdown

2015-09-21 Thread Quartz

The two daemons you refer to, treat SIGHUP as a "please re-read your
configuration files and restart".  This is semi-common.  This happens to
also be the two daemons you are testing this with, causing some confusino.



Not everything, but some things will still be running.


It wasn't just syslogd and sshd, -HUP also doesn't shut down any of the 
pflogd/dhclient/cron stuff either. The only process it actually stops is 
sndiod, all the others restart on their own.




After running commands #1, #3 and #5; almost everything should be
killed.  Command #1 should take care of the vast majority of daemons
started at boot; #3 and #5 are to catch the ones that aren't.


Well, -TERM stops every PID I typed in (the four I didn't being init, 
two ksh's and ps itself), so I'm not sure where that leaves me. I guess 
it's some kind of timing thing or race condition?




Re: console color

2015-09-21 Thread Quartz
OK, thanks. After some searching based on this info and some messing 
around, it looks like 'export TERM=ansi' and setting t_Co=8 will get me 
limited colors in vim without screwing anything up.




Re: Cheap hardware for router, perhaps fileserver?

2015-09-20 Thread Quartz

is seeing as I'm unlikely to get any more than "up to" 76Mbps from my
ISP's fibre anyway,


Effectively any hardware that still boots will work as a home router. A 
500mhz Pentium III with 64mb ram can handle a 100mbps connection without 
breaking a sweat.


Decide what you want to do about a fileserver first, that's the deciding 
factor for hardware.




CuBox
armv7
without
having to be too inventive and using binary blobs from odd places for
bootloaders and whatnot


Do be aware that i386 and amd64 are the more tested platforms by a wide 
margin. The further you go into niche territory the more stuff will stop 
working and the more you'll have to mess around.




and what
good deals there are,



I spent rather more on a mini-ITX PC system with a loud fan


Again, home router duties require negligible horsepower. If you don't 
need much from the fileserver front you can probably build a machine 
from parts in your basement (can't beat free), or you could easily get 
away with a lower cost low power passively-cooled itx system.




Re: speedup shutdown

2015-09-20 Thread Quartz

So, slow /etc/rc.d/* script delaying the /etc/rc shutdown step?  Or do
you have some daemon which isn't killed by its rc.d script, nor by
SIGHUP, thus requiring SIGTERM and at least 10 seconds?


This is a test system and it's pretty stock right now. Aside from the 
standard services like pf and ntp the only installed pkg is I think 
dnsmasq. It's possible there's something wrong there but I'm not sure 
where I should start looking.




Re: update/upgrade

2015-09-20 Thread Quartz

You do that part on a bigger box, build releases there, and use
these to update the low power devices.


That doesn't really help the situation. These machines don't have 
identical setups so you'd still have to do a lot of manual merging 
and/or write and maintain a library of custom merge scripts for them.




Re: update/upgrade

2015-09-20 Thread Quartz

As it was already stated in @misc,


I don't think I got that message. (?)


mtier is probably as safe as relying on
openbsd code.


I'm not worried so much about safety in the sense of compromised code, 
but rather the practicalities of setting up a workflow that depends on 
something that can disappear at any time without notice. Their website 
has zero information about them as a company or who (if any) of them are 
also OpenBSD devs or what. It also looks like they only started a couple 
years ago.




Re: speedup shutdown

2015-09-20 Thread Quartz

For power off via button, init runs "sh /etc/rc shutdown", then sends
all processes a SIGHUP, then waits 5 seconds.  If there are any
processes still alive it'll send SIGTERM and wait another 5 seconds.
If any are still alive at that point it'll send'em all SIGKILL and
wait another 5 seconds.  It'll then tell the kernel to halt the
system.


Is there a way to watch this process as it's happening to see where the 
holdup is? Watching it in general wouldn't be a bad idea. I guess a 
large part of the issue is not so much that it takes 10 seconds, but 
that there's no confirmation or indication that it's actually doing 
anything. It just sits there like it ignored you and you can continue 
typing at the command line. There's no output or anything until the 
"syncing disks" line finally pops up.




Re: speedup shutdown

2015-09-20 Thread Quartz

Hmm? How about replicate the process and observe the results?


Well, I wasn't sure if that was the exact/entire process or just a summary.


"time sh /etc/rc shutdown". See what's still running. kill -HUP everything
except init and your session and see what's still running 5 seconds
later.


OK I'll try that, thanks.


I'm missing something.

Logged in as root, 'sh /etc/rc shutdown' returns instantly and according 
to 'ps' everything's still running. Trying to then kill -HUP half the 
processes doesn't work (they just restart).




Re: update/upgrade

2015-09-20 Thread Quartz

"world" as you appear to be using it isn't an OpenBSDism,


ugh. You're right, you're right... I'm also managing several 
FreeBSD projects and I'm getting things mixed up. Let me go through the 
man pages again and try to sort things out in my head.




Re: speedup shutdown

2015-09-20 Thread Quartz

Hmm?   How about replicate the process and observe the results?


Well, I wasn't sure if that was the exact/entire process or just a summary.


"time sh /etc/rc shutdown".  See what's still running.  kill -HUP everything
except init and your session and see what's still running 5 seconds
later.


OK I'll try that, thanks.



Re: update/upgrade

2015-09-20 Thread Quartz

Does your embedded storage run NOR/NAND or something like SDHC Memory
Cards?

If your systems are running SDHC you can easily create clones with a
laptop & the DD utility.


A couple of them do, but it doesn't matter in this case. The main issue 
with compiling is that it can effectively knock the system offline for 
hours which isn't acceptable. Any process that involves shutting the 
machine off or booting into a separate OS image has the same problem.


It's just a question of minimizing downtime.



Re: speedup shutdown

2015-09-20 Thread Quartz

"time sh /etc/rc shutdown". See what's still running. kill -HUP everything
except init and your session and see what's still running 5 seconds
later.


Hmm, you truncated the suggested steps...


You wrote:

"Hmm?   How about replicate the process and observe the results?  "time
sh /etc/rc shutdown".  See what's still running.  kill -HUP everything
except init and your session and see what's still running 5 seconds
later.  Then again with kill -TERM.  Whatever still standing is
slowing you down; for each one figure out whether and when it should
have died."

I took that to mean:

1) run (presumably as root) 'time sh /etc/rc shutdown'
2) check 'ps -aux' to see what's still running
3) 'kill -HUP [PID]' for each of the remaining processes
4) check 'ps -aux' again
5) 'kill -TERM [PID]' for each of the remaining processes
6) check 'ps -aux' again


I appear to be hung up near the beginning. 'sh /etc/rc shutdown' doesn't 
appear to do anything, since it returns instantly and the ps output from 
(2) is identical to ps output from before 'sh /etc/rc shutdown'. (3) 
"doesn't work" in the sense that it doesn't appear to actually stop 
[m]any services (presumably because I didn't do something correctly 
before this point).


Like I said, I'm missing something. There were a couple assumptions in 
there somewhere that I'm not picking up on. What exactly am I supposed 
to do in what order?




Re: update/upgrade

2015-09-20 Thread Quartz

You think the master builds are done on a machine that is identical to
yours at home?


Obviously not, but that doesn't have any bearing on what I said.



Build a -stable release on a same platform faster machine.  Now unpack
the .tgz files on the target machines, copy in /bsd, /bsd.rd, reboot.
ta-da, patched machine.  None of your configuration is touched by this
process.


Maybe I'm unclear on what building -stable actually does. Correct me if 
I'm wrong, but "world" encompasses a lot more than just the kernel and 
ramdisk, right? Simply replacing just those two alone isn't fully 
keeping on top of things.




Re: update/upgrade

2015-09-20 Thread Quartz

If availability is critical you might consider redundancy with CARP/pfsync.


It's not critical enough to be worth dealing with that. Going down for like 
15 minutes is fine, but most of a day is not.


In a perfect world we're looking for an update mechanism similar in 
speed and ease to other OSs where you can run a one liner on the live 
system which automatically downloads and installs a few files and 
reboots. I'm trying to get as close to that as possible without having 
to create and maintain a whole home-grown custom procedure.


It looks like the M:tier thing is pretty close, my only concern is how 
long it'll last before the maintainers lose interest and the project 
gets abandoned.




update/upgrade

2015-09-20 Thread Quartz
We have a bunch of low power embedded devices that we'd like to keep 
reasonably up to date, but the disk space and cpu overhead of tracking 
-stable is kind of a nonstarter. Is there another/better way of doing 
things these days? (Other than applying dozens of patches manually).




Re: update/upgrade

2015-09-20 Thread Quartz

https://stable.mtier.org/


A cli update program that applies binary patches is pretty much perfect, 
but I'm not sure we want to rely on a 3rd party for that service. (And I 
know that a built-in update program is probably never going to happen).




Re: update/upgrade

2015-09-20 Thread Quartz

Snapshots?



Something like this?
http://www.bsdnow.tv/tutorials/stable-iso


Well, preferably something that doesn't require the machines to go 
offline for a while.




speedup shutdown

2015-09-20 Thread Quartz
I have a machine where tapping the front panel power button correctly 
halts and powers off the machine however there's a solid 10 second 
delay after I press the button before anything happens. Is there any way 
to speed this process up?




Re: rc.shutdown powerdown

2015-09-20 Thread Quartz

Powerdown went away in July 2014.


The FAQ needs to be updated then:

http://www.openbsd.org/faq/faq10.html

"rc.shutdown

/etc/rc.shutdown is a script that is run at shutdown. Anything you want 
done before the system shuts down should be added to this file. If you 
have apm, you can also set "powerdown=YES", which will give you the 
equivalent of "shutdown -p".

"



Re: rc.shutdown powerdown

2015-09-20 Thread Quartz

On Sep 20 4:36 PM, Fred wrote:

On 09/20/15 20:58, Quartz wrote:

Powerdown went away in July 2014.


The FAQ needs to be updated then:

http://www.openbsd.org/faq/faq10.html

"rc.shutdown

/etc/rc.shutdown is a script that is run at shutdown. Anything you want
done before the system shuts down should be added to this file. If you
have apm, you can also set "powerdown=YES", which will give you the
equivalent of "shutdown -p".
"



rc.shutdown is still needed if you need to run tasks before the
reboot(8), halt(8), or when init(8) is signalled to shut the system down.


I'm aware of what rc.shutdown is for. My issue is that the FAQ still 
suggests people add the poweroff parameter.




rc.shutdown powerdown

2015-09-20 Thread Quartz
Can someone explain in better detail what exactly the "powerdown=" line 
in rc.shutdown does? I have a few machines that range from full apm/acpi 
support to hardly none, but that line doesn't seem to affect anything on 
any of them, regardless what it's set to or if it's omitted completely.




Re: make bootable CD by bootable USB

2015-09-13 Thread Quartz

hi all .

i make bootable openbsd USB stick by ordinary installation .

if i can make bootable CD from this USB , it is very happy .

are there any methods ?

is linux's isolinux or so possible ?
is it very difficult to solve ?


Just for clarification, are you trying to make a customized 'live' 
OpenBSD CD that will boot into a fully functional state, or are you just 
trying to install OpenBSD from a CD onto a drive?




Re: pf vs mp

2015-09-02 Thread Quartz

I think you are
focusing on the thing that will probably give you less problems, the
CPU. These kind of systems tend to have problems with a lot of things,
*before* you ever get to the CPU.


Such as? These aren't going to be doing hardly any disk IO and they 
don't need fancy graphics, so assuming they have a good quality chipset 
handling the ethernet ports I can't think of much else that will really 
get in the way. Unless you're talking plain bad build quality or something.




Don't expect top notch performance
from them, specially under heavy loads.


I'm not, that's why I was trying to sort out the single vs multi core 
issue to try to get the best out of it we could.




Re: pf vs mp

2015-09-02 Thread Quartz

Is it not possible to buy two or three representative models and test them to
find out which of celeron, atom, or amd is fastest?


Well as restrictive as our requirements are, there are still a few 
too many options for that. I kinda wanted to narrow it down some more first.




Re: pf vs mp

2015-09-01 Thread Quartz

A small office isn't that much different from a home server.


It's not actually a small office, that's just the best analogy I could 
think of.




I
see, that more than really wanting to know if you'd be ok with mp,
you're seeking validation to go through with a single core.


Well... that's kind of the same thing though, isn't it? Hypothetically, 
if I have a single core with a speed of "1" vs say a dual core where 
each core has a speed of ".75", I'm getting the impression that the dual 
will end up being likely slower, given that pf is currently single 
threaded and the other stuff isn't accounting for much overhead. Even 
though the total computational power of the dual core would be 50% more, 
that extra power is effectively unusable.




If you're
only using pf, dhcpd and dns server, it will work. But don't expect it
to scale too well if your small office becomes a medium sized office.


Again, it's not actually an office, and it won't need to scale, at least 
not by much.




Re: pf vs mp

2015-09-01 Thread Quartz

Dhcp, no. DNS, yes.


Also, does a local DNS resolver really consume that much cpu that it 
would see any notable effect from having another core? I thought that 
was more a RAM thing.




Re: pf vs mp

2015-09-01 Thread Quartz

not
paying a context-switching tax during these simultaneous load events will
make a bigger difference than any other single factor.


I guess that's what I was getting at in my original poorly worded 
question: at what point do context switches negate the benefit of a 
faster single core (given a situation where the machine is only running 
a handful of services). I realize that's hard to answer without first 
providing extensive hardware and use case details though.




Re: pf vs mp

2015-09-01 Thread Quartz

but the short answer is to use the
multi-processor system. The single core will perform better when you care
nothing about your performance, the multi-core system will perform better
the only time you care at all about performance.


I think some information is getting lost here. I'm not comparing single 
vs multi core operation in a purely mathematical sense on identical 
hardware. I'm trying to decide between a setup that uses a relatively 
fast single core vs a setup that uses slower multi cores. In aggregate 
the multiple cores have more processing power than the fast single, but 
in isolation are notably slower. The workload is mainly pf, and given 
that pf is currently single threaded, I'm trying to figure out if the 
other stuff on the box causes enough overhead that going with slower 
multi cores will end up being faster in the end or not.




Re: pf vs mp

2015-09-01 Thread Quartz

I read all thoughts till now and my advice is if you are going to buy
a new hardware now (year 2015) take multi core CPU. The OpenBSD just
get better every day and if you follow tech@, source-changes@ and
misc@ you already know that our beloved OS sooner or later will spread
load on all CPU/CORES (device drivers, TCP/IP stack, pf and so on).


That's a good point in general, but this is an embedded project and it's 
pretty much set once made, so future expansion or upgrades aren't really 
a selling point.




Re: pf vs mp

2015-09-01 Thread Quartz

I'm sorry I'm not familiar with either of the processors you're
describing. In the vague terms you have given,


I haven't described any specific models yet, I'm being a little vague 
because I was looking more for general guidance than having the list 
debate the pros and cons of dozens of different specific motherboards. 
The sort of stuff we're looking at are various Intel Atoms, Celerons, 
modern Pentium lines (eg, N3700), and a variety of things from AMD. 
There's a wide range here, so I'm trying to figure out where we should 
start looking first.




I am 100% that the answer is
use the multicore setup.


OK



Re: pf vs mp

2015-09-01 Thread Quartz

On a more serious note, I don't see how one can actually buy faster
single-core performance for this purpose.  If the question was more
detailed, describing specific models of machines, we'd be able to
show it makes no financial sense.  The cheapest stuff is good enough.


As I said before, I think information is getting lost here in the 
discussion. The issue is we need something that fits within certain 
restrictive thermal/size/power/noise limits; these are all fanless 
setups and some might even be battery powered. The sort of questions I'm 
facing are like do we go for a single core Celeron or a multicore Atom 
or what. I understand that the gross performance of a top of the line 
Xeon or whatever will make this issue moot, but we can't afford 
something like that for this project.




Re: pf vs mp

2015-09-01 Thread Quartz

The recommendation
that people use SP kernels for networking is no longer valid.


Ah, thank you for mentioning this explicitly. I had a memory of this 
kicking around at the bottom of my subconscious. I knew there was 
something else about this issue but couldn't put my finger on it.




Re: pf vs mp

2015-09-01 Thread Quartz

Maybe this webpage would help you make an informed choice?

https://calomel.org/pf_config.html


That looks like a good reference for setting up pf and the right way to 
architect your pf.conf, but it doesn't appear to address any of the cpu 
threading issues I'm trying to figure out. Thanks though, I'll keep a 
copy of that in my files, it might help when we finally set this system up.




Re: pf vs mp

2015-09-01 Thread Quartz

The short answer is, unless you can guarantee that pf will have its own
core and no other process will race against it (you can't), then go for
the mp.


OK, so after more info you're switching to the mp side? If that's true 
then all the latest recommendations from this afternoon forwards are in 
favor of mp.




Re: pf vs mp

2015-09-01 Thread Quartz

As I said before, I think information is getting lost here in the
discussion. The issue is we need something that fits within certain
restrictive thermal/size/power/noise limits; these are all fanless
setups and some might even be battery powered.


And when I say "fanless" I mean *completely* fanless, there won't even 
be any fans in the chassis or power supply, so low TDP is super 
important, and that ends up meaning low performance. It's not clear to 
me yet how close to the margin we'll end up being.




Re: pf vs mp

2015-09-01 Thread Quartz

For an OpenBSD machine acting as a gateway/firewall/router with a
handful of related tasks (pf, dhcp server, etc) would mp yield anything?


Of course, yes. Just because PF doesn't get any benefits (yet) from MP,
it doesn't mean these other programs won't.


Sorry that was unclear wording on my part. This machine is 95% pf 
routing with some dhcp/dns on the side- AFAIK those won't account for 
much so if there's nothing else there wouldn't really be a benefit going 
multicore, right?




Re: pf vs mp

2015-09-01 Thread Quartz

are we talking home router here or something more specialized?


A little more specialized. It's a sort of embedded system and it needs 
to fit within some size/thermal/watts/noise constraints. It needs to 
serve something roughly equivalent to a small office.



now if i needed a gateway/firewall for say 50 machines it would be different.
dns, ntp, dhcp would all be moved to other machines on the network


This has to be one physical box.



pf vs mp

2015-08-31 Thread Quartz
Quick question: I need to make a decision between a faster single core 
and a slower multicore. The faq currently states that pf gets no 
improvement from mp. Is this still correct/current information? 
Presumably it would see no benefit from hyperthreading either, right?


For an OpenBSD machine acting as a gateway/firewall/router with a 
handful of related tasks (pf, dhcp server, etc) would mp yield anything?




Re: bluetooth keyboard [was:Re: Intel Edison]

2015-08-28 Thread Quartz
Just out of curiosity, are there any plans to support bluetooth at some 
point in the future?




Re: Intel Edison

2015-08-28 Thread Quartz

Dongle for wireless device doesn't work that way.
The dongle pretends to be the device and takes care of all the communication.

From the OS point of view, using a wired usb keyboard or a wireless
keyboard using a dongle is the same thing.

Also, bluetooth keyboard doesn't provide dongle.


I wasn't referring to one of those RF-dongles from Logitech, but a usb 
gizmo that specifically creates a bluetooth 'network' that actual real 
bluetooth devices can connect to, for example 
http://www.amazon.com/dp/B007Q45EF4




Re: bluetooth keyboard [was:Re: Intel Edison]

2015-08-28 Thread Quartz

If the dongle is just a bluetooth radio and expects the host to take care of
parts of bluetooth (device peering etc), then OpenBSD can't use the keyboard.


OK, I think that answers it for me then. Thanks.



Re: bluetooth keyboard [was:Re: Intel Edison]

2015-08-28 Thread Quartz

:OpenBSD doesn't support bluetooth on any hardware.
:
:Does that also include usb-bluetooth dongles for wireless keyboards?
:

That includes all forms of bluetooth where it is presented to the OS.

If it fakes a keyboard, and shows up as a ukbd, then that driver will
be used.


Well I guess that was my question, perhaps worded badly.

Basically, let's say I buy a bluetooth keyboard. Let's say it's a fancy 
model and is nice enough to come with a generic usb-bluetooth 
nub/dongle thingy I can plug in if my computer doesn't already have 
bluetooth capabilities. I plug it in. Does the keyboard then present to 
the OS as a raw keyboard, or does it present as some kind of special 
bluetooth device?  I don't know what level of hardware abstraction is 
being used here.




Re: Intel Edison

2015-08-27 Thread Quartz

OpenBSD doesn't support bluetooth on any hardware.


Does that also include usb-bluetooth dongles for wireless keyboards?



Re: SuperMicro thin mini itx?

2015-08-20 Thread Quartz

Contact their support department.


I ended up doing that anyway earlier this morning. If I don't hear back from
them maybe I'll try calling tomorrow or something.


They're actually pretty good about answering questions on the phone,
even on the first call.


They did get back to me via email, and the answer is no. We'll have to 
look into substitutes next week I guess.




Re: SuperMicro thin mini itx?

2015-08-20 Thread Quartz

 From Supermicro website:
http://www.supermicro.nl/products/motherboard/ATOM/
http://www.supermicro.nl/products/embedded/embedded_motherboard.cfm


I know they sell Atom-based boards and various embedded boards, but just 
because it's Atom and/or embedded doesn't automatically mean it conforms 
to the thin-mini-itx standard.




X9SBAA-F


That one doesn't qualify either. Same issue with a high stack and no DC 
plug.




Re: SuperMicro thin mini itx?

2015-08-20 Thread Quartz

Why would you contact their marketing department?  That's silly.


Well because I assume that marketing encompasses sales, and the 
sales department kinda ought to know what products the company sells.




Contact their support department.


I ended up doing that anyway earlier this morning. If I don't hear back 
from them maybe I'll try calling tomorrow or something.




Re: SuperMicro thin mini itx?

2015-08-19 Thread Quartz

Try the X10SBA


Doesn't appear to fit the bill, unfortunately. That hdmi+displayport 
stack is too high, and while it has onboard DC12V it's missing the 
standardized plug on the back.


Given that no one else has responded, I'm assuming that SuperMicro just 
doesn't make boards in this form factor, which is disappointing given 
how many other embedded solutions they offer. We'll probably have to go 
with an Intel model or something. Oh well.




SuperMicro thin mini itx?

2015-08-19 Thread Quartz
We need to build some OpenBSD-based network devices that we'd strongly 
prefer to be based on SuperMicro hardware. Does anyone know offhand if 
they offer any products that conform to the Thin-Mini-ITX standard? 
Their website is unhelpful and so far their marketing email hasn't 
responded to inquiries.




Re: Repartitioning

2015-08-13 Thread Quartz

And... here's an about 25 minute long video tutorial on how to do what I
think you want. Yes I probably had better things to do, but nothing came
to mind that seemed more fun... :-)


Thank you so much! A full walkthrough always helps.



There are some comments inline on what happens and why.


Btw, you worry too much about your typing. Going slow is totally fine, 
anyone watching can just speed it up and/or skip around.




Unfortunately I don't know much about video formats and editing, so this
is straight from VirtualBox in webm format, whatever that is.


webm is a new(ish) format Google whipped up to try to skirt around some 
patents and avoid all the copyright crap revolving around other formats. 
It's been around for a few years now, so any half-assed player can 
handle it.




Feel free to ask me on or off list if you have any questions or run into
any problems!


1) Thank you for (accidentally) reminding me that unmounting /usr may 
stop some programs from working. I sometimes forget that core 
utilities like vim et al live in /usr/* on most systems.


2) I notice you use 'halt -p' directly, even in multi-user mode. Isn't 
it safer to use 'shutdown'?




Re: Current USB Wifi status

2015-08-08 Thread Quartz

it is actually not worth buying a new standalone access
point unless you can install specifically OpenBSD on it, and temporary
reuse of an old access point is sub-optimal no matter what you
(re)flash on it, most firmwares including third party are vulnerable
and suffer from the same reliability and hardware limitations.


There's a difference between a wifi *access point* and a wifi *router*.

You can't install much of anything on an access point, it's basically 
just a bridge. They only have one ethernet port on the back and like 
maybe a couple megs of ram if that, enough to handle basic 
password/encryption and not much else. They have about the same 
reliability issues as an unmanaged ethernet switch (ie; not a lot).


As for routers, depending on what you have, it's not too hard to reflash 
them into what is basically a wap. The crummy software is the source of 
99% of their problems, but if you replace that with a simple bridge 
firmware they clear right up. I've never seen even the shittiest of 
linksys units fail because of actual hardware issues.


As far as hardware limitations go, you're not going to be getting any 
more bandwidth out of a g/n/ac/whatever pci card vs the same class 
standalone device. The processor of the wap or flashed router won't be 
managing any states or anything, so there's not much of a difference there.


Personally I wouldn't recommend buying a wifi router to turn it into a 
wap, but that's because it's a waste of money. Repurposing an old one is 
fine, as is buying a new wap. I've seen plenty of people do this and 
these things have run flawlessly for years.




Re: Repartitioning

2015-08-08 Thread Quartz

Maybe I missed it, but if you supply the output of disklabel and df,
it would be easier to give advice.


The machine isn't in front of me right now, but the partition setup was 
using the 'wizard' defaults. In other words: /, /tmp, /var, /usr, 
/usr/X11R6, /usr/local, /usr/src, /usr/obj, and /home, in that order. 
All the usr's (except x11) and home are set for a couple gigs each but 
only using a few hundred megs collectively. /var is a few hundred megs 
and close to full.


Nuking src and obj will free up a lot, but I think it would make more 
sense to collapse all the usr stuff into just /usr, move home into where 
var currently is, and move var into the new space.




Re: Repartitioning

2015-08-08 Thread Quartz

... in that order.


This order could be not identical with the harddisk order. If I'm not
mistaken, watching install operation, I think the / partition is the
first followed by /home. Somebody correct me if I'm wrong.


I've looked at the layout on this machine a dozen times. Cross reference 
with man disklabel if you don't believe me.




One man already asked you for disklabel output.


That WAS the disklabel output (minus sizes and offsets).  When I next 
get a chance to ssh into it from somewhere else I'll copy the actual 
output, but the exact blocks shouldn't really matter for all this.




Re: Repartitioning

2015-08-08 Thread Quartz

You've stated you have a 10GB disk, and that this is 4.9.  The disklabel(8)
man page at 4.9 described the automatic layout at that time:


Yeah, that's what we have.


You have stated that /usr/src and /usr/obj are unused, /var is full, and
/usr/local (used for packages and some infrastructure components) is nearly
empty.


Yep.



The disklabel(8) tool is used to delete and create partitions.


So part of the reason I started this thread is that I want to be clear 
since OpenBSD has two different kinds of partitions. For what I'm 
doing, on an i386 platform, I don't need to mess with fdisk at all... Is 
that correct?




would allow you to grow /usr with growfs(8).


growfs is like other partition expanders in that it can only expand 
forward and not backward, right? As in, I couldn't nuke src and obj 
and then use growfs to expand home into that space.


Assuming that's right, I'm probably going to make a new /var partition 
rather than expand an existing one.




so you may
need to do some backup / restore to external media,


Honestly, there's so much free unused space that I can directly copy 
everything to its final destination right off the bat.




The best practice for
moving of FFS filesystems is through the use of dump(8)/restore(8).


I'm not sure that's what I want to be doing in my case. Especially when 
collapsing the /usr/* stuff down into just /usr, a simple cp or tar 
would be better, no?




FAQ 14 may also be helpful, as it lays out the basics of disk management.


Yeah I read all that first, but it doesn't answer a lot of specifics.



Re: Repartitioning

2015-08-08 Thread Quartz
Also, another question: this system keeps nothing in the user's home 
directories past a few dot files. /home is using less than 1m of space. 
Would it be safe from a security/reliability standpoint to just move the 
home folders directly into / ?




Re: Repartitioning

2015-08-07 Thread Quartz

How about taking some directory that is currently under /var (depending
on what you're doing with the machine, maybe log or www or mysql or
something?) and moving the contents to /usr/obj or /usr/src (or if
they're together on disk, remove /usr/obj and /usr/src and create a
new partition covering the space that was used by both)? (Then change
the mountpoint in /etc/fstab). If that gives you enough capacity,
that might be easier than some big shuffle-around.


That's kinda half-assing it for us, as that would still leave like three 
partitions around that are 95% empty consuming over a third of the disk. 
If I'm going to be redoing things, I might as well do it all at once.




Re: Current USB Wifi status

2015-08-07 Thread Quartz

So, Stuart's comment is still valid. I will stop looking for a USB
solution, and instead see if I can find a low power chassis with a PCI
slot. While more expensive, it is probably money well invested.


It might be worth buying/reusing a standalone access point (perhaps 
reflashing a linksys router or something) and connecting via ethernet 
cable. That way you have more flexibility in choosing locations: ie, the 
OpenBSD router can be somewhere that's convenient for interfacing with 
your ISP's equipment, and the wap can be somewhere with good reception. 
'course, then you have two boxes to deal with, so it's a trade off.




Re: Repartitioning

2015-08-07 Thread Quartz

(though when you start looking
at how much it costs to power the thing, it's still not free, and at
some point it might have been cheaper to replace it with something
else.


I don't think it really works that way for mechanical hard drives. At 
least, taking a quick look at the drive pile and comparing a few, 
there's an old 15gb ide that consumes .3 amps each for both rails, vs a 
couple 1tb sata drives that use .5 - .75 for both. Unless you're talking 
about replacing a mechanical with an SSD I don't think power consumption 
is really an issue. And depending on how expensive that SSD is compared 
to a bargain bin old mech, it may be a while before you catch up, 
especially if the machine isn't on 24/7.




Re: Repartitioning

2015-08-07 Thread Quartz

You could also make a raw image of the disk and run a copy of that image
in qemu on another computer, something which would give you a chance to
do some experimenting with growfs(8) & friends without having to risk
anything.


Oh, now that's a really good idea actually, I never thought of that. 
Would that also work for VirtualBox or some other VM? VB can be weird 
about disk images.




Re: Repartitioning

2015-08-07 Thread Quartz

- nuke usr/X11R6,



That will end up with five partitions: /, /tmp, /home, /usr, and /var


Also, this machine doesn't have X, FWIW.



Re: Repartitioning

2015-08-07 Thread Quartz

First of all, you have a machine that is running a very old version of
OpenBSD.  You have a lot of upgrades to do, and since you have other
issues (partitioning), you probably just want to reinstall and start
over using your current knowledge of your disk layout needs.


Well that's kind of the thing.
The machine is mainly used for messing around and testing stuff, so it 
has a bunch of random things installed that will be a pain to move over. 
Additionally, we occasionally use it to verify things against older 
OpenBSD specifically (like, 4.9 was still using Apache for example). 
Upgrading is certainly possible, it's just a question of which will 
cause more pain in the end- that or repartitioning.



Since you are working on a 10G hard disk, you might want to consider
replacing that just because of its age (I say, as glance over at my
crate of 20G and smaller HDs), and 10G disks are just plain slow
compared to modern disks.


That will be a problem eventually yes. This machine doesn't have a lot 
of disk activity though, so so far the drive's been holding up. Speed 
isn't that big of a deal.



The general answer to your question, however, is the growfs command.
growfs will let you expand an off-line file system with additional space
immediately adjoining the end of the partition.


OK that's the general answer providing we replace the disk with a 
bigger one though, right? Is there a good way to use the same disk? 
Again, the issue is not that the disk is full, but that it's half empty 
and split up in a way that we can't really use the space.




Re: Repartitioning

2015-08-07 Thread Quartz

there is no easy way to shrink or move filesystems, only copying their
contents. depending on where /var is, your ability to grow it may be limited.


Disklabel puts /var as the third partition. I wasn't really expecting to 
be able to grow it directly. I think what I'd like to do is


- copy the contents of the /usr/local and /usr/X11R6 partitions over to 
dirs in /usr


- backup contents of /var somewhere else temporarily

- wipe /var partition and turn it into /home, and copy the old /home 
contents over


- nuke usr/X11R6, /usr/local, /usr/src, /usr/obj, and the old /home 
(they're all adjacent partitions)


- use that space to make a new /var

That will end up with five partitions: /, /tmp, /home, /usr, and /var



Repartitioning

2015-08-06 Thread Quartz
We have an older system running 4.9 that acts as a sort of 
dev/test/scratch machine for messing around. When it was set up we 
threw a 10gb drive in there and did a generic install with all the 
defaults. Over time, as we've used this for various stuff, we've 
realized that that partitioning scheme turned out to be decidedly non 
optimal. /usr/obj and /usr/src are eating up a gig each but only have 
2kb of data on them (this machine has never compiled anything). /home 
and /usr/local are using less than 45mb combined. Meanwhile /var was 
only set up at a few hundred megs and is bursting at the seams. Over 
half the drive's capacity is being wasted.


I'm not super familiar with how OpenBSD does disks and all of the 
caveats. How easy would it be to nuke some of these partitions and 
recombine the space? Is it something that could be done with a couple 
fdisk commands or would it involve a lot of screwing around? I've looked 
through the manual regarding fdisk and disklabel but I'm still not sure I 
really understand how everything works together.




Re: Installed 5.7/amd64, now No acceptable DHCPOFFERS received.

2015-08-03 Thread Quartz

On first boot it gave me No
acceptable DHCPOFFERS received.


When you say first boot, do you mean booting the install media or 
booting the installed OS afterwards?


Usually, a complaint about an *acceptable* offer specifically means that 
your dhclient.config is requiring certain parameters that your ISP's 
dhcp server isn't providing. In other words, it's getting an offer but 
won't use it. Additionally, I've had problems before with certain ISPs 
where they do something such that setting a 'require' parameter of any 
sort causes dhclient to always complain the offer isn't acceptable. It's 
possible that your config got messed up after the upgrade or that 
coincidentally your ISP changed something on their end at the same time. 
If it's not already, try changing dhclient.conf to be just a simple 
request routers, subnet-mask, broadcast-address, domain-name-servers; 
and see if that works.


On the other hand, if that error popped up while booted from the install 
media, I'm not sure what that means. I've seen weird stuff like that 
when certain bios features mess with the networking, like VLANs or 
board-level VPN. That board does IPMI shared over one of the two 
ethernet ports, right? Try messing with the settings for that.




Re: Maybe OT: OpenSSH connection failure unless verbose

2015-08-02 Thread Quartz

Exactly. Probably ps -l (or maybe install and use pstree). Do you get
new processes with sshd as a parent?


I never get that. When ssh-ing into another machine I just get a single ssh
process that's a direct child of the bash for that tty, there's never an
sshd anywhere.


When you use ps -l you will only see processes with a controlling
terminal.


This assumes I'm running ps without any command line arguments.



But the PPID column relates each process to its parent
process. If you start at any arbitrary process and trace back to its
parent, and then to that process's parent, you will eventually find a
PPID for a process that did not show up in ps -l. That will probably
be the process id of sshd.


I know how ps works :)

On OSX, an outbound ssh connection spawns a single 'ssh' process, which 
is a child of bash. bash is a child of login. login is a child of 
Terminal. Terminal is a child of the launchd process for my account. 
That launchd process is a child of the master launchd process, PID 1. 
The (abbreviated) output of ps looks like this:


 TTY USER   RUSER  PPID  PID COMMAND
  ?? root   root      0    1 launchd
  ?? Quartz Quartz    1  208 launchd
  ?? Quartz Quartz  208  241 Terminal
s000 root   Quartz  241  246 login
s000 Quartz Quartz  246  249 -bash
s000 Quartz Quartz  249 3212 ssh

On OSX, sshd is the receiving server side of the ssh connection. It 
only runs when I have an ssh connection INTO my machine, not when I'm 
connecting to someone else. The only other ssh related process is 
ssh-agent, but that's always running no matter what.




Or: ps -lx | grep 'ssh[d]'


Not sure what OS / version of grep you're using. On OSX this yields no 
output even when ssh processes are running. If I shorten the regex to 
just 'ssh' I see the ssh process and ssh-agent which I mentioned above.




Re: Maybe OT: OpenSSH connection failure unless verbose

2015-08-02 Thread Quartz

The point was to use ps on the *server* not on the client.



So I was thinking you should use ps *on that server* to
see if you could see signs of another connection attempt reaching it
and then for some reason failing to give you an interactive shell.


Ah ok. Yes I totally misunderstood you- I thought you meant check ps on 
the client to see if it was actually spawning an ssh process.




In other words, it might be that there's some race condition on the
server that you sometimes fail to reach, such that ssh -v slows things
down just enough to avoid the race.


That's possible. I'm not convinced it's on their end though, you'd think 
they'd have noticed by now ssh connections hanging all the time.




Of course, it's also possible that you're seeing network problems,


They do some weird stuff with their systems sometimes. Half their stuff 
is in house and the other half is cloud, and it's not always coherent. 
Additionally, there's always the possibility that I've somehow 
configured my firewalls in a weird way.




in
which case something like tcpdump would be a better source of clues
(assuming that you can trace all the way to the server on a good day).


Traceroute specifically doesn't yield much: outside of my ISP it bounces 
off over a dozen boxes with no host names before disappearing into a 
black hole (magic cloud issues I'm sure). Filtering with tcpdump can be 
annoying since what I filter for isn't always what comes back due to all 
the dns redirection. I do seem to be able to see at least most of the 
packets though I think.




If you are on an openbsd machine which is running sshd


OK. This works on their linux server.



Re: Maybe OT: OpenSSH connection failure unless verbose

2015-08-01 Thread Quartz

ktrace and tcpdump.


I should have mentioned that the laptop is using OpenSSH but it's OSX 
not OpenBSD. ktrace was replaced with I think dtrace on OSX a while ago, 
so I'll have to look into how to get that set up.


As for tcpdump, I'm not sure what I'd be looking for there. Most of the 
connection meat would be encrypted anyway though, wouldn't it?




Re: Maybe OT: OpenSSH connection failure unless verbose

2015-08-01 Thread Quartz

If you have one connection established to that server which is
functioning (perhaps with -v on the client ssh) can you get the
problem to occur with a second connection to that server?


That's a good question, I'm not actually sure if I've ever opened two 
connections to it at once. For better or worse today is a good day so 
I'll have to wait to test this.




If so, can you take a look at whether you are getting any fresh
processes from your second connection attempts when they stall? (The
question is: how far does a stalled attempt reach before it runs into
this problem?)


Not sure what you mean here about fresh processes, do you want me to 
look at the output of ps or something else?




Re: Maybe OT: OpenSSH connection failure unless verbose

2015-08-01 Thread Quartz

That's a good question, I'm not actually sure if I've ever opened two
connections to it at once. For better or worse today is a good day so I'll
have to wait to test this.


If you are only creating one ssh connection, does good day mean you
have succeeded just once?


No, I mean that I can ssh in without having to pass -v on the command 
line. In other words, it works the way it normally should.




Not sure what you mean here about fresh processes, do you want me to look
at the output of ps or something else?


Exactly. Probably ps -l (or maybe install and use pstree). Do you get
new processes with sshd as a parent?


I never get that. When ssh-ing into another machine I just get a single 
ssh process that's a direct child of the bash for that tty, there's 
never an sshd anywhere.




Re: Maybe OT: OpenSSH connection failure unless verbose

2015-08-01 Thread Quartz

good day:
ssh user@server = works just like it should


What about ssh -v user@server on a good day?


That works exactly as expected. ssh-ing in right now


And more specifically, if
you run ssh -v on both a good day and a bad day, what does diff between
the two outputs show?


IIRC, not much... I think I did that before once or twice. It's been OK 
today so I'll have to wait to confirm.




Re: Maybe OT: OpenSSH connection failure unless verbose

2015-08-01 Thread Quartz

If you are only creating one ssh connection, does good day mean you
have succeeded just once?


No, I mean that I can ssh in without having to pass -v on the command
line. In other words, it works the way it normally should.


More specifically:

good day:
ssh user@server = works just like it should

bad day:
ssh user@server = no connection, no output... just hangs.
ssh -v user@server = prints the expected debug info and connects as it 
should (...usually. Sometimes I have to specify -vv)




Re: Maybe OT: OpenSSH connection failure unless verbose

2015-08-01 Thread Quartz

ktrace and tcpdump.


I should have mentioned that the laptop is using OpenSSH but it's OSX
not OpenBSD. ktrace was replaced with I think dtrace on OSX a while ago,
so I'll have to look into how to get that set up.

As for tcpdump, I'm not sure what I'd be looking for there. Most of the
connection meat would be encrypted anyway though, wouldn't it?


more generally, see where it's stopping.

the pattern of traffic should be roughly the same. two packets that way, one
packet this way, etc. perhaps you can determine if the client is waiting for
the server, or the server for the client, or if only packets of 1337 bytes
cause trouble, etc.


OK fair enough I guess. I'll have to record several sessions to 
different machines along with a broken session to the server, then 
compare the whole lot side by side. Knowing my luck it'll be fine for 
the next few days until I've forgotten and then go bad again.




Maybe OT: OpenSSH connection failure unless verbose

2015-08-01 Thread Quartz

I'm not sure if this is the right place to ask about this, but I can't 
seem to find an ssh-specific mailing list or web forum anywhere.



I have a bog standard setup between a laptop and a local university that 
uses a bog standard id_rsa key for password-less access; to the best of 
my knowledge there's nothing remotely unusual about the ssh 
configuration on the laptop (I'm less sure about the university server 
since I don't have access to its config).


About maybe 1/3 of the days I try to log into the server, the ssh 
connection hangs forever with no output UNLESS -v is specified on 
the command line, in which case it works totally fine. This is 
completely repeatable: no verbose, no worky (but only on bad days; on 
good days it works fine regardless). I've only ever experienced this 
problem with the connection to this one university, ssh otherwise works 
as expected connecting to every other machine.


Searching the web for info is worthless because the first thing 
everybody tells you to do when debugging a connection issue is enable 
verbose, which obviously doesn't help me here. Likewise, I can't even 
confirm if anyone else has even experienced this sort of failure before 
since searching for connection/failure/verbose related keywords yields 
nothing but self-help related noise. I have limited access to their 
server too- I don't have and can't get a password (it's key only), so I 
don't know where to even start figuring this out.


Any ideas?



Re: Intel Atom?

2015-07-31 Thread Quartz

Off-the-shelf yes, home no, it's just a specialized setup with some odd
requirements. We're fine with paying for good quality components but
there's no need to overpay for something that offers a bunch of stuff we
don't need, especially when we're going to be building several of these.
I'm just trying to find the best balance, and I'm hoping that
upper-mid-range Atoms are where it's at.


Well, did you solve it?


Not in two days :)

I'm still doing research and trying to figure out what's even worth 
looking at. I'll start ordering and receiving components over the next 
week or so, but it'll be the end of the month easy before we've decided 
on the right combination of parts and can start rolling things out to 
the next stage.




What's your useful idea to bring to other readers?


Not sure what you're asking here?



Do you have any experience related to this that we would like to read
on?


Well I mean I've been assembling systems since the late 90's, been using 
OpenBSD as the OS of choice for network appliances for roughly 10 years 
or so, and been very interested in small form factor computers for a 
while (I've been big on laptops from back when they were still kind of a 
waste of money). Not sure how different this is from any other tech guy 
though, but this list isn't the place for an auto-bio anyway. If you 
have specific questions I can try to answer.




Jumping topics like a recently released person, hopefully you were not
wasting everybody's time on the list.


Well, I'm sorry you think that starting a whopping two threads in a row 
is indicative of being mentally disabled and/or a criminal. The two main 
questions I had were pretty much answered, so it wasn't a waste of time 
for me at least.




Re: new (nasty) spam pattern

2015-07-29 Thread Quartz

Any cluebats?


Not sure if it will help your specific situation, but you could look 
into server side grey listing. This will cause your mail server to 
temporarily reject mail from them, forcing them to try again a couple 
hours later. Fly-by-night spam places almost never bother to resubmit, 
so it's pretty effective (it cut down my spam to under 5% literally 
overnight).


https://en.wikipedia.org/wiki/Greylisting
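
The greylisting behaviour described in the message above, as an added example that is not part of the original post: a sender is deferred with a temporary error on first contact and accepted only if it retries after a delay. The triplet key, the delay and expiry values, and every name in the code are assumptions made for this sketch.

```python
# Added illustration of server-side greylisting; not code from the thread.
# Delay/expiry values and all names are assumptions made for this sketch.
MIN_RETRY_DELAY = 25 * 60        # assumed: retries sooner than this stay deferred
PENDING_EXPIRY = 4 * 60 * 60     # assumed: unretried entries are forgotten
PASS_EXPIRY = 36 * 24 * 60 * 60  # assumed: lifetime of a proven sender entry
DEFER = "451 4.7.1 Greylisted, try again later"

class Greylist:
    def __init__(self):
        self.pending = {}  # triplet -> time of first deferred attempt
        self.passed = {}   # triplet -> time of last accepted delivery

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (s)."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        last_ok = self.passed.get(triplet)
        if last_ok is not None and now - last_ok <= PASS_EXPIRY:
            self.passed[triplet] = now       # known retrying sender: accept
            return "250 OK"
        self.passed.pop(triplet, None)
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > PENDING_EXPIRY:
            self.pending[triplet] = now      # first attempt: temporary reject
            return DEFER
        if now - first_seen < MIN_RETRY_DELAY:
            return DEFER                     # retried too soon, keep deferring
        del self.pending[triplet]            # retried after the delay: accept
        self.passed[triplet] = now
        return "250 OK"

def replay(attempts):
    """Feed constructed (time, ip, from, to) attempts to a fresh greylist."""
    gl = Greylist()
    return [gl.check(ip, frm, to, t)[:3] for t, ip, frm, to in attempts]

# Constructed sample: an MTA that retries, and a sender that never comes back.
SAMPLE = [
    (0,    "192.0.2.10",   "alice@example.org", "bob@example.net"),
    (60,   "203.0.113.77", "promo@example.com", "bob@example.net"),
    (300,  "192.0.2.10",   "alice@example.org", "bob@example.net"),
    (1800, "192.0.2.10",   "alice@example.org", "bob@example.net"),
    (7200, "192.0.2.10",   "alice@example.org", "bob@example.net"),
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The one-shot sender never gets a 250 because it never retries; the cost is that first-time legitimate mail is delayed by at least the retry window.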



Re: Intel Atom?

2015-07-29 Thread Quartz

yet the original poster is
obviously looking for COTS consumer electronics general purpose
inexpensive mini-ITX mainboards for home router project.


Off-the-shelf yes, home no, it's just a specialized setup with some odd 
requirements. We're fine with paying for good quality components but 
there's no need to overpay for something that offers a bunch of stuff we 
don't need, especially when we're going to be building several of these. 
I'm just trying to find the best balance, and I'm hoping that 
upper-mid-range Atoms are where it's at.




Re: Intel Atom?

2015-07-28 Thread Quartz

ECC RAM always helps in the long term,


It helps yes, but for a router I wonder if it makes a significant 
difference.




if the board is collocated


It's in-house.



but I'd not have IPMI  serial BIOS (out
of band) access.


Both of those aren't necessary for this project.



If you want to use X,



Always consider a
spare monitor  keyboard attached / around the system just in case.


We don't need X, but do need local console / KVM.



It will need a case fan (or two for redundancy) because the CPU is
fanless and produces enough heat (about 15-20 W TDP) and even without a
Radeon added (20 W more) inside, the system can not rely on free air
convection in a tower / desktop small form factor (mini-ITX) case.



Don't use external brick / micro / pico type PSU units, those are not
offering any benefit over stock SFX/ATX form factor and are less than
reliable to say the least not to mention interchangeable. The PSU is one
of the least reliable system blocks.


The reason I'm asking about Atoms ITXs in the first place is that 
physical size is a major constraint for this project and a micro ATX 
case or larger is a non-starter. It's even proving hard to find an 
SFX/TFX case that's compact enough (and isn't shit). We're pretty much 
looking at some sort of open mesh compact case design with a compact 
PSU, like a pico+MiniBox M350, Antec ISK110, or Silverstone PT13B + a 
thin-ITX motherboard with built-in dc power. In such a cramped situation 
the low heat output of an Atom seems a better choice than a full sized 
Core. (See my other thread on this list about using NICs with multiple 
jacks).


Also, you're the first person I've seen who's said that pico's aren't 
reliable. We have one that's several years old that's still going 
strong. I'm curious what your experiences have been?




but you'll miss the chance to learn and use the advanced
capabilities or more reliable components on board.


That's not really an issue, we have and use Supermicro stuff all the 
time. In fact there's a couple old P8SCT-based 1U servers I'm trying to 
sell off as we speak.




and don't
buy used


That's a given.



There is absolutely no point in considering SSD for this system.


Maybe. This system also needs to act as a PXE boot server for a variety 
of clients, so it needs several gigs of storage space for all the 
images, and that storage needs to be fast enough that the clients can 
boot in a sane time frame. I'm not sure if random 16gb thumb drives will 
really cut it.




Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Quartz

turning out rather difficult to find a case that's small enough to fit. I'd
really like to use an itx system with multiple onboard ethernet jacks and
cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure


A Lanner FW7525 or even an Alix APU don't seem to be much larger...


They're not, but they also lack a bunch of features we need.

This is a little off-topic, but I should clarify that although this 
device's primary purpose is a firewall+router, it also has to provide a 
handful of other network related services that set a few requirements 
vis a vis hardware. Pre-fab appliance type devices always seem to fail 
at least one of these requirements. They also don't address the separate 
NICs issue, so if it turns out that that's not a problem anyway, a 
mini-itx board would be a much better choice for our situation.




Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Quartz

It is certainly possible theoretically but you'll have to go to very
great lengths to imagine a scenario where a remote attacker could
exploit such a flaw. It's next to impossible to identify the make and
model of the NIC that holds an IP address (if it is even directly
bound to a NIC, CARP and other similar technologies get in the way if
used), the attacker would first have to acquire this information through
other means.


Well, I'm not convinced that needing to identify the card first is 
really a requirement- I feel it's more likely an attacker using these 
techniques would just blast out a bunch of probes and figure it out 
based on what bounces back, similar concept to port knocking.


I wish I could find/remember where on openbsd.org this was mentioned and 
use the wayback machine or something, because it seemed like whoever 
wrote about it knew what they were talking about.




Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Quartz

These days you have bypass features in hardware that allow packets
to flow from one interface to another even if the firewall is turned
off.


Can you elaborate on this?

Also, that brings up another point wrt motherboards with multiple jacks; 
are bios attacks something to worry about?




Having said that, just throwing random chipsets into the mix is
probably not the right solution. You may actually be increasing your
attack surface.


That's always a possibility yes.



If this is a real concern for you,


The thing is I don't really know if this should be a realistic concern, 
that's why I'm asking. A motherboard with multiple ports would certainly 
be more convenient, but it's not worth it if it would compromise security.




Intel Atom?

2015-07-27 Thread Quartz

What's Intel Atom support like these days? I remember they used to be a 
little weird. Are they handled pretty much like any other x86 chip now 
or are some things still unsupported? Are they capable of handling pf on 
a saturated 100-base-t connection? How about gig-e?




Re: Intel Atom?

2015-07-27 Thread Quartz

I just posted a dmesg from a SuperMicro motherboard with 8-core Intel
Atom C2758.


Yeah, I've heard about that board. I think it's a tad overkill for our 
situation though :)




Depending on how you configure your disks the 8-core C2758 should be
able to saturate a single gig-e nic.


Our system will be mainly a router rather than a file server, so I'm 
mostly concerned with how well it would handle network-to-network rather 
than disk-to-network.


Lemme put it a different way: a 500mhz P3 can handle pf on a saturated 
100bt connection no sweat. I know Atoms are slower clock-for-clock, how 
do they compare (in general) and are there any OpenBSD specific concerns?




Re: Intel Atom?

2015-07-27 Thread Quartz

FWIW here's the DMESG from the system I just put in place.




pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x0bf3 rev 0x04



ehci0: timed out waiting for BIOS



xhci0 at pci2 dev 0 function 0 vendor Etron, unknown product 0x7052



ehci1: timed out waiting for BIOS



I admit I'm not great at reading DMESGs, but these are the sorts of 
things that worry me.




Re: Intel Atom?

2015-07-27 Thread Quartz

I just deployed an OpenBSD 5.7 firewall/router/dhcp/dns using this motherboard:

http://www.newegg.com/Product/Product.aspx?Item=N82E16813157417


As a side question, is that a female usb connector planted vertically 
right on the motherboard?




It uses the Intel Atom D2550 1.86GHz 2-Core chip and has dual 1000
Mbps Intel NICs on the motherboard.  I am running the amd64 binaries
on it and it's serving its purpose really well.


How hard have you pushed the network IO?



Re: Intel Atom?

2015-07-27 Thread Quartz

There's a huge range of Atom processors. Some are 32-bit only single-
core, there are models which are 64-bit capable and multi-core. There are
a wide range of clock speeds, cache sizes, and bus speeds.


I know, I was mainly looking for general opinion about support and 
performance. IIRC, back in ~08-09 when Atoms first came out there used 
to be issues with maybe DMA or something that caused some models to be 
way slower than specs would indicate, and I was wondering if that was 
mostly a thing of the past, or if ACPI/64bit/MP/whatever doesn't work 
right on certain model lines or something. Or basically any issue 
software or hardware that would make some models not be able to handle 
high traffic.



